
[Applause] Maybe some of you have seen the flyers: my original speech had a different name and a different topic. What really happened is that I found a major vulnerability in one of the fintech companies and we reported it about three months ago. After that I started the presentation that I was going to present here, and they said we were good to go, but then on Friday I received an email saying: we cannot show it, because it is going to damage our reputation as a company and may affect our clients. So we decided to switch the topic, and I hope all of you will like this one.

Since we are in a university, and I have been studying in this university too, I decided to do something related to data leaks and universities, so I hope you will like this. OK, just a short introduction. I am a cyber security engineer; during my career I have been working as a cyber security engineer, software developer and quality assurance engineer. I have been working in the cyber security industry since I was 12, so most of the guys who are here as presenters or attendees started working in cyber security when they were young, like in their teens. It's been like 20 years working on it, and during my experience in my career I have been participating in a lot of competitions, and here are some of them I won, live; probably some people don't like them because I used to beat their students. OK, we all started like most of you, as students. This is a picture of me in 2011 with the professors and some of my colleagues. Like most of you in a university, we all started the same way, participating in conferences; this is a conference from 2011, a Microsoft conference. After that my career moved on, developing and evolving.

OK, what will this presentation contain? We will talk about data leaks and data breaches. We will talk about the tools that I have been using to make an analysis of the data collection about the universities. We will talk about how I managed to make samples of emails and test them. We will talk about the analysis, the reports, the impact of that, and we have some conclusions and a Q&A session at the end.

For all of you that are not very familiar with data leaks: a data leak is sending or showing confidential data to a third party without authorization. For example, if you are a company who shared data with a third party without authorization, or clients' data without their authorization, this is known as a data leak. One of the biggest data leaks is known as Cambridge Analytica; maybe you know the Trump campaign, when they used the Facebook data to make advertisements, and there is some other stuff that Facebook actually has killed. A data breach is an incident that a company confirmed: that sensitive data have been leaked, either public or maybe non-public, but they are on the internet where people can buy or find them in a way. Some data breaches during the years: MySpace is one of the first ones, LinkedIn, Yahoo, Adobe; Facebook had a big data leak of phone numbers and all that stuff in the previous years, so a lot of big companies have faced this kind of incident.

And for you folks in universities: Have I Been Pwned is the service where you can check your email to see if it's been leaked in any data breaches or not. The other one is a combo list: a combo list is a combination of usernames and passwords from many data breaches that have been leaked during the years, and it has like 3.8 billion combinations of usernames and passwords. For analyzing the emails I have been using this service to see if your emails have been leaked, but for analyzing password patterns and other stuff I have been using this combo list. I will show it in detail in the next slides.

Just a deeper explanation: Have I Been Pwned is a website that is developed by Troy Hunt, an Australian researcher, and what you can do there is put your email and see the result, if you have been leaked in any data breaches. Currently it has like 12.5 billion credentials in its database. For example, if you put my mail, you can see my email has leaked in at least 17 data breaches. So most of us who have been using email for a long period of time probably have been leaked, all of us, but it depends how we handle that, and this presentation is about how we should handle the leaks, because sometimes you cannot stop Facebook or other big companies from leaking your data.

The combo list is like this: it's huge, like 100 gigabytes of combinations of username and password, and the people who made it have even made a shell script with indexed files which can help you to search faster. So for example you just put emails and you will see your email and the password for it. In this database search example, if you put an email, here's the email, here's the password. These are just random pictures, not real data that I have found during this analysis.

The analysis was about universities. First of all I thought to do it for governments, but governments are very sensitive institutions and I might have problems with them, so I did it with universities. These are the emails that I did it for: three universities, AAB, UBT and the public university. Here are the samples. I managed to find this kind of emails on the public internet using a technique called email harvesting; I didn't get the list of emails from the universities saying "here are the emails, you can test them and provide us a report", but I used email harvesting, a technique of finding public emails using Google or other search engines. You can see there is some AAB staff there, because the University of Prishtina and UBT use the same domain for staff and students, but AAB have different domains, so I managed to divide them into two categories: staff and students.

These are the steps that I actually conducted to make this analysis. One of them is to analyze the emails, whether they are part of leaks in Have I Been Pwned. After that, check the credentials in a combo list, analyze password patterns, show the results based on that, and if the results are not enough for the universities, I contact them and say: if you want to see a real impact, you have to give me permission to show your real impact. One of the universities actually accepted this. After that we did password spraying, a technique that is basically brute forcing all the emails and passwords, and after that we show the impact that you will see in the upcoming slides.

The first step is to grab every email and try whether the email is leaked or not, and the response will show you a result like this. For example my email has been leaked in 17 breaches, and here are some of them. But doing this manually for more than 3,000 emails is probably going to be hard, repetitive work and it's not fun. So what Have I Been Pwned provides is a paid API, so you can just write a Python script or anything you want, automate it and save the result in any form you want, like a database or any file. So what I did: I wrote a Python script, tried all emails, saved the results in a database, and after that I analyzed them. This is a general report from 2,900 emails: almost 49% of them have been leaked, so the percentage is almost 50/50. Here you can check a comparison between the universities: you can see that the university AAB has more than 50%, UBT has more than 60%, and the public university had like 42% of leaks. The red column means leaked, green not leaked. And even the staff of AAB is like more than 80%. Here we have to know that I'm talking about the emails I had; the university might have like 20,000 emails, and maybe some of them are leaked or not, but I had only some amount of emails for analyzing because I didn't get them officially from the university.

These are the sources, which you can believe. For example, when I analyzed what the sources are where the data has been leaked, I found out that most of the universities share common sources. For example, one of them is Nitro, another is Dubsmash, PDF readers and other stuff, and we are going to go one by one. Most of the emails were leaked, as you can see here, 441 emails, in Nitro. Nitro is a PDF reader that actually was breached in 2020, and they had like 77 million emails and credentials leaked. One of the data that has been leaked there is emails, names and passwords; very important, passwords. The second one is Dubsmash, a video messaging service. Similar to the first one, it was breached in 2018 and it leaked like 161 million records. You can see the data here: one of them is a password, and email address too, very important for our analysis and for our password spraying technique. Similar to Nitro, another application is Lumin PDF; based on the results we can see that most of the students and professors use three PDF readers, and they have probably downloaded this application, and this application probably required a user account to download it. Here is the data that has been leaked: emails and passwords. The fourth one is a kind of older application, it is a Facebook application; I don't know if you're familiar with the Facebook applications, it's an application based on Facebook, and it was the kind of application where you find out what famous person you look like or something like that. Maybe you saw that silly old application in 2016, and there are a lot of emails leaked in this application too. This is another one, PDL; it's another combo list that includes a lot of emails and was leaked in 2019, and it has emails, but no passwords here. Wattpad is another application; there are 72 emails leaked here from all the universities. LinkedIn Scraped is not a data breach, but it was a scraping technique: someone scraped all the users, and this is the amount of data that can be leaked here, but even this leak doesn't include passwords, so it's not very dangerous, but of course there is some other personal data too. Mathway is a math-oriented application that students have probably been using to solve the problems and challenges in university, and there are like 63 emails leaked in this platform too. Canva is a design tool, maybe the designers and architects use it, and it was breached recently, in 2019, and from our samples of emails there have been 61 emails leaked in this list too. Houzz is a design site, this is more about the architecture things, and there are 49 emails leaked in this data source too.

OK, this remote is not working very well, so I have to click a couple of times. You can see for AAB these are the top 10 sources that have been leaked. Similar to AAB, UBT has similar things; maybe the first or second place are swapped, but pretty much the same things, and the same for the public university. For the professors and staff of AAB it was different, because they were leaked not in this kind of applications that the students had leaks in, but the top one was MyFitnessPal; it looks like some of the staff are doing diets at AAB.

And these are the most common passwords that I have been analyzing on that. The common passwords are probably similar to most of the common passwords that are used in different categories of people, not only students and professors: 123123, password, 1 to 9, phone number. Phone number I have put in brackets because of different formats of phone number, including the prefix, with dashes, with lines, with spaces. Birthdays, first and last name, combinations of them, like a capital first name, lower case, this kind of thing. And there are two passwords that actually break the algorithm of this list, because there are emails that have been leaked in many sources, like 100 sources, and if a guy had the email and all the passwords are the same and have leaked in 100 sources, it kind of masks the data. Because if you have like 10 students that have been leaked in two sources and have different passwords, but you have a student that has been leaked in 100 sources that always has a similar password, this kind of password shows in the top 10 because of one person, but in many leaks.

After that I decided, OK, all these results I will email to the universities, to the IT department that all the universities have, and show the emails, show the leaks, and tell them to inform students and professors to change the password, to see if they still have this kind of credentials and all that stuff. But I got this funny response: "Yeah, thank you for reporting that, but I don't see impact on that." OK, I said, do you want to see impact? I asked them, do you want to see impact, and one of the universities, AAB, said yes, we want to see impact. OK, what I did: I did password spraying. So I got all the emails from AAB and all the passwords from AAB and did the brute force, like all the passwords for all the emails, like is shown in the diagram: for example the password is 12345 with all the emails, then the next password for all the emails. And the impact was like this. If it doesn't look fun, this is a real impact: this is a professor, and this is a Moodle where the professors put grades for students for exams. Of course we reported them; all of them are fixed and probably for now they are safe.

But we have some conclusions that we produced from this research. 49% of the emails that we analyzed for universities have been leaked in at least one source. Universities do not do cyber security training or cyber security awareness, not only for students but even for their staff, because when we reached them with the email and said, OK, these are the leaks and you have to inform them, they said there is no impact; only when we showed the impact did they say, oh, this is a real deal, now we have to do something. And the third conclusion is that universities do not do data leak monitoring, which most of the banks and governments should do; so they don't do data leak monitoring, and probably if some of the credentials have been leaked on the dark internet or public internet, they are not aware of that.

So this is all. If anyone has a question, feel free to ask. Thank you.

Thank you, that was great. Does anybody have any questions?

Yes, of course, first, because it has to do with your university. Thank you very much for your presentation and for your talk, really inspiring to see all this work that you have done. I think my students know you already because we are using your, let's say, results from your Bachelor thesis. Kastriot did awesome work on his Bachelor thesis just focusing on the University of Prishtina, and of course his Bachelor thesis is closed, it's not for the public. We have sent all the recommendations that were the outcome of his thesis to the information center of the University of Prishtina; they have taken some into account, I think some of them are already patched, some of them are still not, but they are still there. Regarding the question: I think you concretely stopped at the impact, and this is important, because it doesn't make sense researching something without impact. Coming back to the impact, you said that you did the impact only for AAB. What is the impact for the other universities? Because leaking so much information, and as we know many users tend to have the same email address and probably the same password on many sites, many accounts, that's a huge impact. Can you maybe share something about the other institutions, about the impact?

Yes, I'm aware of sharing some more information, not only for AAB University but for the banks too. Actually I did this kind of analysis for banks too, and one of my reports that I did in a previous year, for Raiffeisen Bank in Kosovo, the impact of this kind of leaks was a full compromise of the internal infrastructure. So the impact doesn't need to be just an email of a student that someone can access and see the results of their studies; the impact can vary depending on what systems the universities use and other stuff. But the worst thing in this is that most of the institutions, not only universities but even governments and some private companies, do not like to see it and just accept it as a risk. So we have a very famous saying: there are two types of people, people who have been hacked, and people who have been hacked that don't know that they have been hacked. So most of the time you cannot stop big companies from leaking your information, because you cannot do anything, but what you can do is monitor them and take action based on the potential impact.

OK, let me pass it on, he has another question for you.

Thank you for the presentation. Did I understand it correctly that you used passwords from breaches to do the password spraying, is that correct?

Well, I can't hear you very well, can you repeat please?

Did you use passwords from the breaches to do password spraying?

Yes, because, as I mentioned during the presentation, I used the passwords because we kind of had a deal with one of the universities: do you want to see a real impact, can we do it? We did the SLA. Well done, can we do it. Because if you use passwords and you manage to authenticate, let's say, that's an illegal activity, so you have to have the permission. So the first part, analyzing the emails and leaks, is aware of public data; there is no harm in it and you can show a result. But if you use the credentials to log in with them and brute force the accounts, this activity, if you don't have permission to do it, is an illegal activity, and no one should do it.

So thank you. So the actual question is, how did you get those passwords?

I got the passwords from the combo list that I showed in the first part of the presentation; it's like 3.8 million combinations of usernames and passwords that were leaked in 2021. That combo list I have comprises about 100 gigabytes, and for every email I searched on it and grabbed the password, saved it in a database, and after that I made a combination between the emails and passwords and tried them in a brute force attack.

So the passwords from the breaches were, I assume, hashed and salted?

No, actually a combo list is plaintext combinations, it's not hashes. What people have done during the time is, for example, if they have gotten the database of Nitro, most of the passwords are hashed, but they have tried using rainbow tables to dehash them, and after that some organizations or companies have collected the unhashed passwords from these databases and listed them and made a huge list. It's similar to the rockyou wordlist for cracking things, but this is about a combo list that includes emails and passwords.

Does anybody else have any questions?

OK, I think that's very important, and I want to put this very clearly: if you log into a system where you don't have permission, this is an illegal activity in Kosovo; you can go to jail.

You can go to jail, yes, you can go to jail, so be careful with this.

Kastriot is one of the ethical hackers in Kosovo, and in every conference for more than a decade we have been raising this issue to the governments, and I think now by the new law you can get some bounty, or let's say a fee, on that, but till now this is an illegal activity. So if you have a username and password and you don't have permission to enter, if you're doing this you're doing an illegal activity in Kosovo, so be aware of this.

What the professor is saying: testing platforms, public platforms, is an illegal activity by the law in Kosovo, so you are able to test only if you have the SLA before starting the testing. And we as the cyber security community find it very difficult to make this kind of agreements for testing, especially with the government, but since in our community we have some friends, most of the reports and agreements are more like friendly agreements. Like when I reported to that university, I knew who's the head of IT at the public university, I know who's the head of IT at the other university. I cannot do this kind of testing for universities or organizations that I have no relation with; they are probably going to sue you and you are probably going to end up in prison. So it's very important to know that.