
Yeah, there we are. Okay, so we'll take the risk of starting now. I've already sent a message on Slack to the organizers that, okay, we can start; there's something fun with this audio. Yeah, so a password walks into a theater and says: I've seen you before, I need another one. My name is P, welcome to PasswordsCon. We are starting day two, and I'm really happy to have Filipi here with Cloud Attack: Dissecting Attack Paths with Graph Mode. Thank you.

Can you hear me? Good. Wow, still out? Okay, nice. So first of all, it's a pleasure to be here. Thank you to the staff team for this opportunity, and let's talk about this topic that I like a lot. I was watching some talks here yesterday, people talking about passwords, secrets and things like this, and my idea this morning is to share more. I will divide this presentation in two parts, actually: the first part is more the, let's say, [ __ ] part, the theoretical part. I know that you don't like this, but it's necessary. The second part is more the technical, practical part, the more sexy part, I know.

Let me introduce myself again. I'm working now on creating this business unit; I'm Director of Threat Research and Advocacy at senhasegura. senhasegura is kind of a different name because it's a Brazilian name, and by the way I'm Brazilian, but I live in Portugal, and I hope in the next few months to move to live here in the US. senhasegura means "password safe", so it makes sense with the track here. The company is responsible for providing identity solutions and stuff like that, but my idea is not to talk about this company; it's to talk about some research. I'm very active in different communities, as you can see here: I'm speaking at Red Team Village, Adversary Village, Cloud Village, I'm a Snyk Ambassador (the open source part, of course, not the enterprise), and I'm one of the advocates of Hacking is NOT a Crime. Has someone here heard about Hacking is NOT a Crime? One person. The idea behind this project is to spread a message about hacking, because when you talk about hacking, it's not really a bad guy or a threat actor. When we see them on TV or in the newspaper you see something related to a bad guy, but the hacker is when you're using your creative mind, you discover something and you help some companies. That's the idea behind this concept. I'm an instructor, and I write for and review those three magazines in Europe, so if you'd like to share some article, probably I will review it. And that's me, a good picture for my mother.

Anyway, the idea is to create the Identity Threat Labs, to discover how attackers are using identity to exploit vulnerabilities: to investigate how they are using tokens and secrets, how IAM works, and how they are using these secrets to exploit vulnerabilities. If you think about the attacks that happened over the last few years, you cannot see anything about zero days; usually it's about a third party that someone exploited, or a known
library in the code, or even a misconfiguration. So that's the idea behind establishing this research center. If you have some content about that, I would like to talk with you, understand more about how you do your research, and learn from you.

Okay, nice, let's talk about our main topic. If you are an expert, if you are a principal, sorry, but I need to put everyone on the same page, so I will talk about something basic and after that we go on to some terms. What is a threat? Simple. This is not my definition; according to ISO, it is a potential incident that causes something in your organization or system. So we need to understand the threats: a software attack, theft of intellectual property, or even identity theft. We are talking about passwords, secrets, tokens and identity, or human identity, so we need to understand those differences. Identity theft is a kind of threat; sabotage and information distortion, like ransomware, are kinds of threats. So this is one term, very simple, you probably already heard about it, but in case it's your first time here, this is what threat means.

The other term is high value target. This is interesting, because if you have more experience in the cybersecurity field you know how this term works. When you talk about the domain controller, usually when you think about the high value target in this scenario, you understand that the domain controller is the high value target. But what exactly is a high value target? It comes from military terminology, where you need to define a specific person or resource that the enemy commander requires to complete a specific mission. So when you think about organizations, we need to think about who is the person that can be my high value target. But when you talk about the cloud (remember, the title of this conversation is cloud), it's not exactly one single identity; you have many possibilities in the cloud, so if this identity is exposed, what is the impact? Think about that. When you talk about the high value target in our field, we can think it maybe is a CISO, or a board member, or an executive, but on the other hand, if you see here, it's the kind of people that have elevated privileges. So if you think about the cloud, if you divide this room in two parts, here we have one group and on the other side another group. Here we have many identities, many permissions, many roles, and maybe each person here is inside the group permission, and they can be associated with another group; they have a kind of relationship. This is important to understand. So when you talk about the cloud, we have one single identity, this identity has permissions, we have a group, we have a role, and you have many people connected between each identity. In this case, when you talk about the cloud, everyone can be a high value target. Why? Because the identity and access management permissions in the cloud can give access to a specific resource in the cloud. I will explain more.

Another term: attack vector and attack path. The attack vector is basically the method used by the cyber attackers, or threat actors, not hackers, to compromise a specific system. It's very common to talk about malware and phishing; that's a kind of strategy you use if you think about the kill chain. But when you talk about human errors, you can see weak credentials (we talk about passwords and tokens and whatever), poor encryption (MD5, SHA-1), and misconfiguration; that's the main point in our conversation today. Of course, all those things allow people to access sensitive data in the cloud. Another term is attack path, which is basically the graph mode (remember the title): the visualization of the way the attacker is going to use in this specific environment. This is a very interesting picture from OWASP explaining, in this case, more the security risk, but you can see here the threat agent and the attack vector. You can use, for example, a misconfiguration, or you can exploit some vulnerability in a specific application. When this happens it is because, for example, the application is vulnerable, or it has some file upload vulnerability, or path traversal, directory traversal, or anything like this; you can use command injection, whatever vulnerability. You gain access, usually as the web user, then you need to escalate privilege in the cloud. When you exploit some weakness, when you gain access and have control of this kind of system, you can impact a specific function, or you can impact the business of this organization.

Okay, sorry, this is the boring part, I know, but now we talk about the more sexy part. So who works with AWS here in this room? Okay, I don't need to talk more. Sorry, no, I'm joking. But that's the point here: if you don't work with AWS, if you work for example with GCP, Azure, or even OCI or another cloud provider, the concept behind these ideas is quite the same. Of course, when
you talk about, for example, Azure, they have a subscription; it's quite different. With GCP you need to understand if you are using, for example, GCP Workspace or Google Workspace or something like this. But for example it's quite similar to AWS, and for other cloud providers it's a good opportunity to do the research with me.

Okay, nice. Just to put everyone on the same page again: AWS IAM is basically the service responsible for managing identity in the cloud, talking about AWS specifically. It centralizes the different permissions and how you can provide access, who is responsible for authenticating in this case, or who is authorized to go inside the service. Remember, when you talk about the cloud it's different from virtualization. I like to explain this because in the past we had virtualization. When you talk about the cloud we have services connected like a puzzle, so for this puzzle to work in the right way we need to configure this, basically the IAM. The IAM is responsible for giving access or not. When you enable some EC2 instance, for example, you need to attach some storage behind it for EC2 to work. It's different from when you configure some virtual machine: you just set CPU, memory and disk. When you configure some cloud, we need to connect those resources, those services, and for those services to work you need to configure this [ __ ] service. I don't know if I can use it; [ __ ] is not polite, right? Okay, sorry. I can use it here? Thank you, sir, I'm relaxed now. Good, good, good.

Okay, so this is how AWS works when you talk about permissions, how you create a specific policy. If you work with the cloud, mainly AWS, and you are a security guy, you need to configure something; you should, actually we should, look at the AWS Well-Architected Framework. Who knows this Well-Architected Framework? Man, it's so bad, because when I asked who works with AWS I think 93% of this room put their hands up, and when I ask about the AWS Well-Architected Framework I just see three people. So we have a problem here, because the Well-Architected Framework is a kind of guidance to implement security stuff in the cloud, focused on AWS. If you don't know it, we have a problem here, Houston. That's the big problem, that's the key, because here is how the permissions work.

We have a kind of statement, a part of the information that you can put inside this element; this is the statement of the permission in AWS. For this attack to happen, basically you need to look at the Effect, which means Allow or Deny, and the Action, which is a list of actions that this policy you will create allows or denies. Again, this is simple: if you see here, this is a simple IAM read-only access; this permission is the default, the standard from AWS. When you configure something in AWS you just go to the permissions and you have the possibility of using those standard policies like AdministratorAccess, IAMReadOnlyAccess, S3 bucket permissions, whatever; you have many different standard permissions from AWS. But the key is here: the Effect is Allow, and take a look at the Action, it just lists and gets information about IAM. And in the Resource, if you see here, the asterisk. Is the asterisk safe? Yeah, that's a good point, because when you enable this, usually AWS gives you a warning that you should specify the ARN, the AWS Resource Name, responsible for receiving this permission. That's the key, but for security or for management it's easier to put the asterisk; it's enough. But take a look at this. I have a question for you: this is just read-only access, so is this permission safe or not? Why not? I cannot write
anything. Other? So what do you think? Good. I don't understand the man's explanation because I cannot hear you, but I agree with everyone; probably those three people explained the same thing. We can read, because you can list, let's say, PII information, right? You can list users, you can list groups, you can list policies. From the attacker's perspective, if they gain access, basically the only information the attacker needs to have in this case is one secret and one key, and after that they can connect to the AWS console or CLI, the command line interface. They can connect to this account because these are the two main requirements; the others you can just click and enter, because they are the default, like region and time zone and others I don't remember. But the only information needed to go inside AWS is the secret and the key; remember that. After that, if you have this permission, you can list everything. Maybe it's not too dangerous because you cannot write in the cloud, but for compliance or stuff like that it's complicated, because you can do enumeration in the cloud. That's the key. But if you see, we can just see here only two actions; remember that.

So let's think about this. This is the kind of challenge that we have in our day: the developer team accesses many applications, the DevOps team accesses many systems, the database team, the cloud teams; these guys like to be in the cloud, I don't know why, but they like to have permissions. In the past we had an admin guy, but nowadays everyone accesses the cloud, even the marketing team. No one here works in marketing, right? It's good. Someone works in marketing? Sorry. Actually they need to use it sometimes, because they need to create some advertisement, it's a [ __ ] advertisement, okay, and they ask the developer to create a specific landing page. The developer creates a Lambda service, they run the code, and after the advertisement campaign they delete the code; everything is safe. But for the user to work with this, it should be a service account user, and it continues to be there because they don't delete the user, they just delete the code, because when they create an IAM user they don't need to pay for it. That's the key.

So because of that, C-level access to the cloud. I don't want to ask if there is some C-level here, because there can be. I like everyone, by the way. We have remote workers; nowadays it's quite hybrid, but some companies continue to have remote workers. And insider threats: they gain access inside the environment, and that's an interesting point when you talk about insider threats, because sometimes some people imagine that the insider is the guy that works in the darkness, but no, it's someone that's a neighbor, a specific misconfiguration. Pay attention to that. The marketing guy, oh yes, the marketing guy, that's it, it's the movie guy exactly. No one from marketing here, right? Okay, so that's the key, it's the marketing guy. But nowadays they don't disable all policies, they just set some misconfiguration, there's a kind of error here; that's how the insider threat works. And what is the impact if someone is attacked? Just think about that.

Okay, let's talk about the other sexy part. To do this attack, actually, we need again to have the access key and the secret to connect; remember when I mentioned it. So let's suppose that I gain access, and this is a specific AWS console, so I try to use list-users, as I asked you before. This guy doesn't have, for example, read-only access, because access is denied. Good point for the security
team. I try to list some policies: access denied. And I try to list groups: denied. Okay, the security team works well here, in this case for the specific secret and token that I had. So let's suppose now I would like to show you the impact of one single action. I will create a specific policy, and take a look at this: I just put into this policy two actions. If you see here, one is inside this permissions management. AWS basically has three groups: one is write, another is read, and another is permissions management, and inside each group we have a bunch of actions. When you enable some standard permission in the cloud (remember, standard policy in AWS), there are a bunch of actions inside this policy. Because of that it's important to look inside each action. Why, Filipi? Because I will explain now what the impact is. So I'm putting an asterisk here; take a look at the color, this color is kind of orange, yellow, I don't know, whatever, but it's a warning. Take a look at this: I call it attack module, and I'm using customer managed, which means I created my own policy. And if you see here, actually I just enabled one single action, CreatePolicyVersion, and the Resource I created for all policies, here the asterisk. Remember the statement that I mentioned: what is the Effect? Allow, on the action CreatePolicyVersion. So let's see the impact.

By the way, I wrote an article and I'm publishing it in Pentest Magazine; I think this article is on my LinkedIn as well, where I explain these attacks in detail. To gain this information I just typed into Google "how can I create full access in AWS using the CLI", and it suggested me this code. If I am a newbie, I just copy and paste this code; if you see here, the Action is an asterisk, so I can access everything. And let's suppose I don't have any knowledge about the cloud; they should ask me some Organizations stuff here. If you don't know, Organizations is the main account, not the main account, but sometimes the company has an organization, and behind this organization they can have more than 50 or 100 accounts if the company is too large; usually they use different accounts behind this specific organization. So remember, I just typed into Google how I can have full access in AWS and they suggested me this. On the other hand, if I don't know how to type it in the CLI, you can ask Google how I can create a policy version and they suggest you the AWS command. In the article I put how I discovered this information. Basically, if you see: aws iam, the service; create-policy-version, because I will create a new policy version; I need to set here the ARN, the PoC attack module; and I can set the policy document, as you can see here, and this is the document, attack exploitation; remember the file that I created here, this is the document here, attack exploitation, and I set it here. And if you see here, I'm putting set-as-default. What happened in this case? Bam. I had this permission, only one single action, but after that I can escalate privilege, and I can have not only the one account (remember, I had one single account), now I have access at the organization level. I like the expression "oh man", yeah, that's it.

The point here is the misconfiguration in this case, but it's not a misconfiguration; it is a misconfiguration, but the security guy should look at each action inside the IAM service. But it's too much, Filipi, I know; in AWS you have more than 6,000 permissions, it's a good challenge, but that's the key. So here the attacker can escalate privilege just because you set at the end set-as-default. After that you can list, you can do many things; just a simple example of how it works.

Okay, how can I see, how can I not only investigate this but how can I mitigate this, or if I work on the offensive side, how can I exploit this? This is one of the tools that I would like to share with you, an open source tool called Cartography. Basically, if you see here, this is the graph; they use Neo4j, which is very well known when you talk about graphs, the graph mode. You
have here, for example, in blue a policy; you have here the principal, or even a statement in this case; here you can see the AWS groups, and here you can see the users. Basically with this Cypher query you can match the AWS principal (it's a kind of high value target that the tool uses); it will call the policy and search inside the policy statement (remember the statement) and try to find CreatePolicyVersion. CreatePolicy is another action; CreatePolicyVersion is one action and CreatePolicy is another action. But if you set the flag set-as-default you can again do the same attack; that's the key, because you set it as default. The only point that will not give success in this case is if you have more than five versions in this customer managed policy, because AWS just allows five versions of a policy. Then that's the key, and after that we return this information in graph mode.

On the other hand, we have another tool called awspx, and I like this picture because you can see how complex it is to work with the cloud; if you see here how many actions you have. I have here, by the way, I think awspx. We can set from any place, for example you can set here the effective admin; it's a kind of high value target they use here. It's very similar, when you think about it; who knows BloodHound here in this room? Okay, it's very similar, the graph mode, how you can use it and how you can set it and how you can see it, basically. If you see here, we have some users; those users here work with cybersecurity, let's suppose, I think, no, not suppose, because this guy, this guy here is our C-level, and they have AdministratorAccess. This is the standard policy from AWS; by the way, I didn't do anything here in this case, it's just AdministratorAccess, standard from AWS. Here I created another permission, ThorLab, and I created another group level here, the default users that we have here: Thor, James and Bill, just names, okay. If you see here, this is the path. Take a look at this one here: I would like to see, for example, Thor here; the name Thor, and the actions, so we can see here, where's Thor? Here it's not hard. I like this one, Anna. Oh Jesus, where are you, Anna? By the way, Anna is the name of my wife; she will kill me because I'm using her name. Oh yeah, on top, yeah, take a look at this one here. Let's see these actions, let's see the impact that she has; my wife definitely will kill me. Okay, take a look at this lady: we have here CreateLoginProfile, oh, we have ChangePassword here. Why does she need to have this action? "But Filipi, it's the default for AdministratorAccess." That's the key; this is the impact. We have this one, and this is the explanation using the tool: grants permission for an IAM user to change their own password. So imagine if this AWS key or secret was exposed: the attacker can change the password and the user is done, is gone, basically.

Okay, nice. So how can we help the community, how can my company again help the community here? I would like to share with you some community product that you can see in graph mode; it's the same case, and how you can use it free of charge; it's a community version. I will do a demo here if the demo gods help me, but I will try, with this internet connection problem; let's see what happens, but I will try. I have the demo recorded here as well, okay. Basically, let me go to the demo. You can access it here after you do the registration on this web page; you have here access to Cloud
Entitlements; it's a community version here, it's just free. You can integrate with three different cloud providers. Mainly, when you connect here you can see some recommendations about the identities, how you can manage them, for example how you can change the AdministratorAccess, how you can change the MFA, some recommendations based on those actions. Okay, so we talked about the graphs; I'm developing this attack path mode here, so I'll just show you the example. Here this user can have this attack path based on AttachPolicy; this is another action. If you have this action enabled for each, or whatever, user that you have in your organization, it's possible for this user to attach another policy. So if they don't have high access, no sensitive permissions in the cloud, but they have some AttachPolicy, they can attach another policy or role. Here is basically, if you see here, the description of how we can use it; these are the requirements that you need to have, and this is the impact: privilege escalation, credential compromise and operational interference. Basically you can see here, and you can use this; again it's totally free, community, and we are developing this tool. Not only this, but basically if you see here sandbox mode, you see here in the orange color, so you don't need to integrate anything; when you receive access you have a lot of data populated there, it's fake data of course, but if you'd like to use it in your lab, your environment, whatever you want, you just disable that flag here and you can integrate your environment, like this one here, I have my own lab. Let's see my lady, my wife in this case; internet problem. You can see here, you can do the integration, but again the idea here is to spread the message about identity security and how you can use this product; again, it's totally community.

One of the things that we created, as an improvement for the future, is to work with gen AI here. In this case, if you see, we should enable, for many users, changing these actions about MFA. We have here this security intelligence: you just click here and it suggests the code, as you can see; you can use it. How can I change this action in my environment? Just generate it in CloudFormation or Terraform, for example, and after that you just copy this content, create a file, and that's it. It's not enabled now, but the future of this project is to have this apply remediation; it's a kind of automation process. So we have here seven fixes, and if you apply remediation they will start to connect to the cloud and work, and they will remediate this environment. You can see, from the attacker's perspective, if you work with offensive security, you can use how many users you have in your environment with these policies, you can see how we can exploit those guys; and if you work on the defensive side you can see this big picture, you can watch this. Again, it's free, and you can help the community, because we receive a lot of things from the community, basically.

Okay, I recorded it in case I have some problem, but it's not necessary, and I finish here the presentation, I think 10 minutes early. So I don't know if someone has questions; not difficult questions, not difficult questions. Sir, go ahead. So there is one question; no difficult questions, sir,
please. Yeah, you know, it's difficult, the mic doesn't work. Let me talk with everyone. Yeah, one second. Yeah, the question is about attack path, whether it is related to IAM, how it is connected to that, right? Yes, the attack path is basically how the attacker can see who is vulnerable in order to attack the environment. For example, if you gain access to the environment, we have two visions here: the defensive side and the offensive side. The attack path is totally related to the actions, because to give you this in graph mode I need to have the identities, I need to have the users, but for each user, when I do the discovery, we need to see how many of each action each user has. For example, AttachPolicy: they need to have three actions mainly, AttachRolePolicy, AttachGroupPolicy and AttachUserPolicy. At this moment this project has, for example, four attack modules, but I will create more attack modules; for example, there are specific actions for the S3 bucket, like PutObject inside the S3 bucket, so I can create an attack specifically focused on the S3 bucket, another service where the user needs to have a bunch of actions, but specifically this action, PutObject in the S3 bucket. So when I do the discovery, when we find for example 10 users, I see okay, these 10 users can suffer this attack path, because of this attack module, actually. The graph mode is just to facilitate the vision, but the characteristic here is how the action is connected to the identities. Did I answer? Yeah. I think we have one more question, here or there.
Thank you. So I love this talk and I love how you talked about AWS, GCP and Azure; I think those other two cloud platforms don't get a lot of love when we talk about cloud security. To that point, and this is a little bit of moving the goalposts, but I kind of wanted to hear your thoughts on this: there are even more cloud environments that we kind of have to worry about when it comes to permissions. I'll give you an example: Cloudflare. I consider that a cloud environment, and that's something I actively worry about access to. One, I would ask what are the tools that you would point me to to start doing this kind of analysis in those kinds of environments, and two, how would you kind of, hypothetically, even if there isn't a tool, where would you start?

Good question, thank you for asking. Actually, when you talk about that, you mentioned more than cloud providers, you mentioned other platforms, and one of my challenges here in this Identity Threat Labs is to understand how the attackers are using, for example, GitHub Actions, or GitHub, or GitLab. Think with me; imagine, from the defensive perspective, that I can just run a discovery of my environment and I can see the whole path: it comes from GitHub, and after that they go to the account based on CI/CD, the GitHub Actions; based on this integration they are inside Kubernetes, this Kubernetes is inside AWS, and because of the permissions in AWS you can map the whole thing. That's the idea for the future of this specific project. There is another open source project called Starbase from JupiterOne, if I remember correctly. This specific project is not focused on security, but it's a data source, a data resource actually, so we can integrate with many providers, not only cloud, but for example sometimes some security solutions like Trend Micro or CrowdStrike; CrowdStrike is not so good to mention, okay, anyway. That's the point: when you have the big picture, that's a good delivery for the companies; that's the idea. I have some research, I did some research focused on Okta, because it's an identity provider, so how they connect with AWS and other services. In my previous company I created another attack module for when you integrate, for example, Active Directory with Azure, not Azure AD but Entra ID, I don't know if Microsoft changed the name again, but anyway. When you integrate Active Directory with Entra ID, you need to install the agent; this agent will be responsible for integrating with Entra ID, and the point is that this user needs to have the domain controller permissions from Active Directory, and they create a Microsoft Online Services account inside the domain controller, and this account is responsible for connecting with Entra ID. And in Entra ID this service has the high-level permissions, I don't remember the name of the high-level permission, not the Owner, but whatever, it's the high permission. So if you gain access inside Entra ID here, you can escalate privilege from Entra ID just if you
discover the Microsoft online account because they use when you install you don't usually the administrator didn't change they no he it doesn't change the the standard name of the integration they use a Microsoft online [ __ ] name or whatever they don't change because it's it's the standard you know and if you discover if you go inside of the active directory and you discover how many Microsoft online you have you can see how many connect accounts in this specific domain controller you have connected with ENT ID so you can escalate privilege of course you need to you know escalate privilege privilege you need to broke this user is quite it's not too simple to gain the access
but you can see the way you know like this syn or whatever other attack but that's a super nice we have many things to research when you talk this topic thank you more questions I think no because feedack no more questions okay thank you Philippi thank you guys appreciate have a nice day for everyone and we will be back with more abs [Music] [Music] [Music]
All right. So I asked ChatGPT: why did the attackers target Duvel? Well, they wanted to brew up some trouble and leave everyone hopping mad. With that, thank you BSides for the opportunity to present today. I'll share approaches for implementing authentication for internal applications, specifically targeting small and medium enterprises, using AWS and zero trust principles. The slide deck is on the QR code, so please feel free to scan it and download it. I'll give you five seconds.

All right, here's our agenda for today. I also want to disclaim that any of this work is not affiliated with my current or previous employers; it's a result of the work I've done since the beginning of this year with smaller companies as a consultant and adviser. With over 16 years of experience in the security industry, I've had the privilege to work with large enterprises like PayPal and Robinhood; however, my recent focus on solving security challenges for small and medium businesses has sparked this new passion of researching scalable, cost-effective and time-efficient solutions.

While we do not know what happened with all the breaches that we saw in the first slide, I didn't go into every detail of the breaches because I don't know all the details, I hope you got to draw some commonalities. The data that was breached was obviously, I can bet on it, not publicly available; it was not expected to be publicly available. It meant that attackers could probably have hijacked the private networks or VPNs in some cases, or they may have had malware on the device from where the users were trying to access the data, or there are a lot of different ways of attacking these scenarios. One clear thing is that the protections provided by traditional VPNs are no longer sufficient due to the use of cloud. On top of that, we have vulnerabilities in the VPN software itself that are worth noting.

So what's zero trust, do we have a solve here? Let's see. Zero trust is a framework for performing continuous authentication and authorization of actors based on different signals. As you see in this diagram, you have device signals: what's the device and what's the posture of the device. You have network signals: geography, region, IPs. You have actor authentication, which is either password-based auth, MFA enabled or not. You have permission signals of the authenticated user: what permissions they have to access the resource or not. And depending on all of that, there's this central thing, the enforcement point, that says whether I can access the resource or not, and it happens on a continuous basis. That's the framework's guideline, and depending on the criticality of the resource the policy can be tuned and configured. It sounds great from a security perspective that we are doing this continuous authn and authz, but implementing it could require a lot of work for the company, and specifically we're talking about small and medium businesses here. The question is how do they prioritize security over the business goal of survival.

I had an opportunity early this year to work with a smaller company that had team members in the US and India. The staff members were encouraged to buy their own laptops and use them for work. The company also employed consultants; they can work from their personal laptops, no restrictions whatsoever. As a malicious actor, my motivations to compromise a smaller company could be that I want to abuse their infrastructure and use it for my own gain, that is pay my bills on the company's dime, let the company pay my bills; lock their intellectual property and hold it for ransom; get my hands on the sensitive data that the company has and use it for my financial gains. If an attacker locks down a database of a company and the company is large enough, they can always negotiate or pay the ransom. For a smaller company like the one I interacted with, it could be catastrophic; it could simply shatter their business.

In this particular case the company's infrastructure is all in AWS, which is a good thing, I'll tell you why. I'm simplifying the setup here: there's a dev AWS account and then there's a production AWS account. We have a VPC that has public subnets and private subnets; the public subnet holds a web server which hosts a web application; the private subnet has application servers, databases and things of that nature. But when we talk about a malicious actor, I have multiple entry points into the company. The multiple entry points are: it could be application vulnerabilities on the VPN servers or the app servers, or on the left side of this you have long-lived credentials: SSH keys, usernames and passwords for internal apps, VPN configs that don't really change, private keys that don't really change. And that's a lot I as an attacker can abuse and use to my advantage. In the next slide I'll talk about approaches for how to minimize the need for these static credentials and use zero trust principles.

I'd like to touch upon a capability from AWS called AWS Systems Manager. I'm hoping some of you have already heard about it. This capability, when clubbed with components like IAM Identity Center permission sets, IAM policies and Session Manager, can actually provide ephemeral access to the infrastructure, to private resources, without the need of a VPN. The sample policy on the right that we see here just says that an actor who's assigned this policy can access resources tagged as development using ephemeral access. What that means for our diagram here, from an attacker perspective: now the red box has turned into yellow, which means that there's only a limited window of time where these credentials are valid, when an attacker can actually use them, but only for a limited time. We certainly have vulnerabilities or possibilities on the public subnet of production hosts, but that's going to be the case. Let's jump into a demo of how that actually looks in action.

All right. As I go into IAM Identity Center, okay, hopefully this works, and I authenticate using my IdP credentials and MFA, I land in the AWS console and from there I can get temporary credentials to log onto AWS, and these temporary credentials I use as environment variables to just do my job. I have wrapper scripts here which basically SSH into the instance using SSM, and as a developer I'm just going in over SSH and doing my job, what I need to do, on the host itself. The second example that's going to come here next is how to access the internal web server itself. That's a port forwarding capability of SSM that allows us to forward a local port on the localhost to a remote port, and that's how you can just simply access the web server through port forwarding. So it's just going to come here: access the web server using localhost, the nginx server is up. But when I terminate the connection the tunnel is down; I can no longer access the web server. The third example is accessing the RDS database, a MySQL database, using SSM. I have a private database, I want to access it, do my job, run some commands; how do I do it? That uses the remote port forwarding capability of SSM that was released in, I believe, 2022. I just connect to the tunnel, and using the tunnel I open a terminal, use the MySQL command line utility, and then boom, I can actually access the database directly. What do I have to do? So once the session is terminated I can no longer access the database.

All right, so we saw what SSM can do, but there are needs in an application or in an enterprise where accessing these web applications using port forwarding is considered a friction, and accessing across multiple applications and users may be tricky. That's where AWS Verified Access comes in handy. AWS Verified Access is a zero trust implementation by AWS to access internal web apps without a VPN. The components are listed here; let's just talk about how they overlay with the previous architecture, with the previous framework that we talked about. The user trust providers listed here are the ones that are going to be enforcing authentication, strong authentication and authorization. The device trust providers give us device signals, and then we have verified network signals, and permissions assigned to the individuals are grouped here as Verified Access groups, and they can be configured using Cedar policy. Cedar is a policy definition language by AWS. A Verified Access endpoint is the actual public endpoint through which the resource is exposed, and Verified Access instances are just an aggregation of all these different components together. Let's jump right into a demo.

The beauty of AWS Verified Access is that you would access the resource as if you were accessing the resource directly on the internet. Here I am accessing the resource; I'm redirected automatically to IAM Identity Center. The web application that you saw didn't have any authentication. I authenticate using my MFA, and once authenticated, AWS Verified Access runs a policy check to allow access to the app or not.

How does it work in function, how is it configured behind the scenes? So we saw here that the domain, application engine.sb.today, is actually mapped to an EC2 instance, port 80, which is an insecure port. As security professionals we would not want anything to be running on port 80, but in our case it's possible because it's all in the private subnet and it's all behind a security group that allows port 80 to be exposed only to this particular service here. And then we have a Verified Access group that is allowing a policy saying that anybody who has an email address like sbd.today can access the resource once they are authenticated. You can have much more complex policies based on principal, actor and resource. Here the policy is being referenced as the trust provider that we talked about, the user trust provider; it's being referenced by a name called dev blog instance.

Okay, before I come there: while all that sounds fantastic, there are some practical considerations we need to be aware of. One of the things specifically: Verified Access is a relatively costly service, and why is it costly, what are the cost implications? AWS actually charges it by every endpoint, or every app exposed, per app hour, and there are charges for the amount of data that is being transferred back and forth using the endpoint. Take a look at the monthly and yearly costs if you have one, 10 and 50 applications exposed using Verified Access. It's worth noting that it's not a pay-as-you-use model from a user interaction standpoint, but a pay-as-active cost model. The following two slides discuss different approaches on how we can minimize the cost while keeping security in balance. One particular approach that I can think of, and that we used, is that we can put applications of a similar trust level behind an application load balancer, and then the ALB is the one that is fronted by the Verified Access endpoint. This is good from a cost optimization point of view, but it also limits our policy rules: the policy rules cannot be differentiated based on app one or app two resource access; the policy will only know the ALB endpoint. The other approach is to terminate the Verified Access endpoint when not in use. This can be achieved by implementing bring-up and bring-down kinds of architectures using automation. In this example we just talk about the Verified Access endpoint coming up at the beginning of the day, and when the work is done, when the workforce is sleeping, just destroy this infrastructure. It takes around 10 to 15 minutes, so if your threshold for bringing up and bringing down is okay with 10 minutes, then you can implement this strategy and reduce the cost by potentially around 50%.

This concludes my presentation. Let's hear a quick recap. In my opinion, zero trust principles are a must-have even for smaller companies. AWS SSM is a good capability to explore, and keep in mind, without incurring any cost, if you have a smaller team and limited resources. Verified Access is a great mechanism; however, the cost is a limiting factor for smaller companies. I hope AWS someday will minimize that cost and we can make it much more useful. If you can remember just one thing and only one thing from this presentation, I urge you to take this: implementing good security controls is not about money and time, it's about intent. However, we also need to make sure our industry keeps that in mind and makes security controls accessible to companies of all sizes. Thank you so much for listening to my presentation. Here are the code references for the demo that was presented earlier. You're also welcome to join the Slack community if you want to discuss how to help smaller companies in making them more secure. That's all I had. Open to questions, if we can have some time for questions; raise your hand. Go ahead.

Hi, thanks. I didn't understand how the access changed once you had the Verified Access, because you were SSHing into the database, or into the virtual network, then you showed that you had the Verified Access and you logged in through the UI and the policy was applied. Then how did you get access, how could you run your database commands? I didn't understand how that works.

Yeah, that's a great question. Verified Access actually works with only HTTP and HTTPS endpoints and not with your database access. So when you want to access the databases, SSM is the best bet to go forward with, and to SSH into the containers SSM is the right solution to go forward; Verified Access will not help. Verified Access is to solve for situations where you have a dev web server, a dev application running, and you want to test it out, or you have a Jenkins instance that is hosted in the internal network and you want to test it out without really adding a lot of authentication capabilities on the app itself.

Any more questions? I have to be honest with you, I never worked with AWS, so I can't really think of any questions for you on this one. So thank you again for being here and doing your talk. Thank you. And we'll start again at 12:00 with Norwegian.
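The demo's wrapper scripts and the tag-scoped policy from the talk, reconstructed in Python as an added example; this is not the speaker's code from the QR-code references. The Session Manager document names, the `ssm:` condition keys and the `session-manager-plugin` requirement are real; the tag key `Environment`, the policy reference name `devblog` on the Identity Center trust provider, the instance id, the database hostname and the `sbd.today` domain are assumptions. The Cedar policy follows the shape AWS documents for an Identity Center user trust provider.

```python
import json
import subprocess

# Session Manager documents the demo relies on (real AWS-owned document names).
DOC_SHELL = "SSM-SessionManagerRunShell"                           # interactive shell
DOC_SSH = "AWS-StartSSHSession"                                    # SSH ProxyCommand over SSM
DOC_LOCAL_FORWARD = "AWS-StartPortForwardingSession"               # localhost -> instance port
DOC_REMOTE_FORWARD = "AWS-StartPortForwardingSessionToRemoteHost"  # -> host reached from the instance (2022)


def start_session_argv(instance_id, document=None, parameters=None, profile=None):
    """Build the `aws ssm start-session` argv. No SSH key, no inbound port, no VPN:
    the session rides over the SSM agent's outbound connection and is authorized
    by the caller's short-lived Identity Center credentials."""
    argv = ["aws", "ssm", "start-session", "--target", instance_id]
    if profile:
        argv += ["--profile", profile]
    if document:
        argv += ["--document-name", document]
    if parameters:
        # Session document parameters are list-valued, hence the JSON form.
        argv += ["--parameters", json.dumps({k: [str(v)] for k, v in parameters.items()})]
    return argv


def local_forward_argv(instance_id, remote_port, local_port, profile=None):
    """localhost:local_port -> instance:remote_port (the internal web server demo)."""
    return start_session_argv(instance_id, DOC_LOCAL_FORWARD,
                              {"portNumber": remote_port, "localPortNumber": local_port}, profile)


def remote_forward_argv(instance_id, host, remote_port, local_port, profile=None):
    """localhost:local_port -> host:remote_port as seen from the instance (the private
    RDS/MySQL demo); the tunnel dies with the session."""
    return start_session_argv(instance_id, DOC_REMOTE_FORWARD,
                              {"host": host, "portNumber": remote_port,
                               "localPortNumber": local_port}, profile)


def ssh_config_snippet():
    """~/.ssh/config stanza so `ssh ec2-user@i-...` is tunnelled through SSM."""
    return ("Host i-* mi-*\n"
            '    ProxyCommand sh -c "aws ssm start-session --target %h '
            f"--document-name {DOC_SSH} --parameters 'portNumber=%p'\"\n")


def run(argv, dry_run=True):
    """Run the session (needs the AWS CLI, session-manager-plugin and credentials in
    the environment); dry_run returns the argv so this file can be exercised offline."""
    return argv if dry_run else subprocess.call(argv)


def ephemeral_dev_policy(env_tag_value="development"):
    """IAM policy for a permission set, in the spirit of the slide's sample: sessions
    only on instances tagged Environment=<value> (tag key assumed), only through the
    documents above, and a user may end only the sessions they started."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "StartSessionOnTaggedInstances",
             "Effect": "Allow",
             "Action": "ssm:StartSession",
             "Resource": "arn:aws:ec2:*:*:instance/*",
             "Condition": {
                 "StringEquals": {"ssm:resourceTag/Environment": env_tag_value},
                 # Forces the document ARN to be authorized too (next statement).
                 "BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}}},
            {"Sid": "OnlyTheseSessionDocuments",
             "Effect": "Allow",
             "Action": "ssm:StartSession",
             "Resource": [f"arn:aws:ssm:*:*:document/{doc}" for doc in
                          (DOC_SHELL, DOC_SSH, DOC_LOCAL_FORWARD, DOC_REMOTE_FORWARD)]},
            {"Sid": "EndOwnSessionsOnly",
             "Effect": "Allow",
             "Action": ["ssm:TerminateSession", "ssm:ResumeSession"],
             "Resource": "arn:aws:ssm:*:*:session/*",
             "Condition": {"StringLike": {
                 "ssm:resourceTag/aws:ssmmessages:session-id": ["${aws:userid}*"]}}},
        ],
    }


def verified_access_group_policy(email_domain, trust_provider_ref):
    """Cedar policy for a Verified Access group; `trust_provider_ref` is the policy
    reference name configured on the Identity Center trust provider (assumed)."""
    return ("permit(principal, action, resource)\n"
            "when {\n"
            f'    context.{trust_provider_ref}.user.email.address like "*@{email_domain}"\n'
            "};\n")


if __name__ == "__main__":
    # Placeholder instance id, hostname and domain; replace with your own.
    print(" ".join(run(start_session_argv("i-0123456789abcdef0", profile="dev"))))
    print(" ".join(run(local_forward_argv("i-0123456789abcdef0", 80, 8080))))
    print(" ".join(run(remote_forward_argv("i-0123456789abcdef0", "db.example.internal", 3306, 3306))))
    print(ssh_config_snippet())
    print(json.dumps(ephemeral_dev_policy(), indent=2))
    print(verified_access_group_policy("sbd.today", "devblog"))
```

The `ssm:SessionDocumentAccessCheck` condition is what makes the second statement bite: without it a principal allowed on the instance could start a session with any document, including an arbitrary shell, so the allow-list of forwarding documents would be decorative. Run the printed commands with `--profile` pointing at the short-lived Identity Center credentials; when the session ends, so does every tunnel built on it.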
One minute. Okay, anyone, a question?

So with that I'm really happy to introduce my friend, something something, that's not my name. Thank you. Is this thing on? Yeah.
So first a little backstory about this talk. After receiving yet another marketing email butchering my name during Christmas, I posted this text on Facebook, inspired by a song by The Ting Tings. Let's see, I don't know if I have network... so, yeah, that's enough.

My name is Bård. I also go by Bard, Brad, Baard and so on online; my identity is elap. I'm a platform engineer at DNB, the largest bank in Norway. I am an avid supporter of the free and open source software movement and have been organizing meetings for the Bergen Linux User Group for more than 10 years. I have three kids and a wonderful geeky wife, and I am a geek. To me that means that I like to go deep into things and figure out how they work. Are you ready to do that together with me today?

Geeks sometimes measure their geek power by showing off their understanding of how systems work, kind of like I'm going to do with you today. One common way to do this is to show that you can write something in binary. I have not memorized how to encode my name in ASCII, mostly because it cannot be done: ASCII does not have å. As a kid I did actually try to find out how my name was encoded in binary. This exposed me to the weird world of character encoding. There's not one way to encode characters; there's an infinite number of ways to encode characters, some make sense, some maybe not so much. Most modern character encodings use ASCII as a base and build onto it, which is why the problems usually occur when you go outside the ASCII space. When talking about encoding we don't usually use the binary codes, we usually use the hex codes, which are easily converted to and from binary, are easier to relate to and take up less space. But for the explanation's sake, both kind of matter in this talk.

Now let's go into it. What is character encoding? Simply put, character encodings are mappings between numbers and characters. We as humans like to work with text, graphics and sound, while for the computer this is all sequences of numbers. But we encoded text long before we had computers, though. Think of Morse code as a text encoding; it's even in binary. ASCII also predates computers. Even numbers need to be represented as character code points.

Back in the day, operating system vendors came up with their own encodings for various regions, and this was mostly okay because computers rarely processed documents from other regions or even from other operating systems. Microsoft dominated the market, and if you were using a different operating system it was mostly up to you to find the right encoding so you could communicate with others. Furthermore, no one really expected it to be easy. Then the World Wide Web came around and we all started connecting to the internet, and suddenly it became very common to communicate over large distances. Unless instructed otherwise, browsers still expected all documents you encountered to have the same encoding as you were using locally. Even though Unicode was invented roughly at the same time as the World Wide Web and UTF-8 came around in 1993, we started using HTML entities to make sure that text was correctly displayed. In 2003 we were still using HTML entities, 10 years after UTF-8, to make sure that the Scandinavian characters were correctly represented. HTML entities are yet another layer of encoding on top of ASCII. Imagine how many times I've received emails greeting me like this. It is disappointing when my name cannot be shown correctly. I mostly find it entertaining, but there is no doubt that other people are more seriously affected; names are no laughing matter.

Today Unicode has won and we have an agreed-upon way of referencing every character under the sun, and then some. You would think encoding issues were something of the past. Unicode has its own sets of problems, but we still struggle with the sins of our past. UTF-8 was supposed to fix everything, and to a large degree it did, but we have a huge amount of data already encoded with the old encodings and a huge amount of computer systems expecting and producing the old encodings. We started a transition, a transition that we might never complete. IANA, the Internet Assigned Numbers Authority, currently recognizes 259 standardized character sets. To this day the Azure DevOps front page greets me like this.

A couple of weeks ago I had a kebab at my favorite kebab place. Notice how they omitted the umlaut over the ü in the dish name, and how the Norwegian letter is displayed. I have not been able to find out how the letter became these symbols yet, but I bet it started with a wrong assumption about the input encoding. I have lost count of the number of receipts and emails I get greeting me with "B", "A with a tilde", "yen sign", "rd". This is by far the most common mis-decoding in Norway, based on my empirical observations. There are of course similar errors with ø and æ. This happens as a result of interpreting UTF-8 as if it was ISO 8859-1, or ISO Latin-1, or Windows code page 1252.

At Sbanken we used a deployment tool called Octopus. They keep sending me emails like this. Any guesses what happened here? This is most likely the result of assuming your UTF-8 encoded input is Macintosh encoded, also called Mac Roman. Mac Cyrillic would also produce the same result. And this is the email from BSides. I'm not sure if this was a joke, because the first few emails were correct and then the last email was like this. WeWork addresses me like this in emails. I'm not sure what happened here, or even how to pronounce this; if you know, I would like to know, so please tell me. Perhaps it's the same error as with the kebab receipts. And then there's this: a local company in Bergen used to send me emails where they wrote my name like this. Is this a kind of threat or something? This symbol is called a dagger. I looked into this and concluded that they must have stored my name somewhere using code page 850, also called DOS Latin-1, and then they have interpreted that as if it was Windows code page 1252, which is usually referred to as being the same as ISO 8859-1. But in the range from 80 to 9F ISO 8859-1 is undefined; this is to allow for control characters and other adaptations. This is where we in Windows code page 1252 find the dagger symbol, in the same position. The Web Hypertext Application Technology Working Group decided in the HTML5 standard that whenever you specify ISO 8859-1 as the encoding on a web page, code page 1252 should be used instead. Although this technically makes sense, it adds more confusion. You get access to way more symbols with code page 1252, and Windows users probably already expected all those characters to be there.

At AWS re:Invent I talked to some sales representative for Kong and let them scan my badge. They sent me this email, and now we're going to see how that happened. I have a fairly good idea what's going on here. Most likely it started like with Octopus: interpreting my name, given to them in glorious UTF-8, as if it was Mac Roman or Mac Cyrillic, and encoding the result as UTF-8. Then they have read that UTF-8 encoded string as if it was Windows code page 1252 or, less likely, Windows code page 1254. Many computer systems are configured to take the local vendor-specific encoding as input and store the data as UTF-8, and if they then read the data again and store it again, they will encode it once more. For every system your text passes through there is a new opportunity to make an encoding error. In the previous example it has been misinterpreted at least twice; it could have been misinterpreted more times but accidentally or purposefully repaired. Even text that is correctly represented may have been encoded wrong somewhere along the line, because sometimes we developers fix problems in one system that were caused by another system. Can you imagine what happens when the original system then gets fixed? Yes, yet another mis-encoding. Here's another example of interpreting an encoding wrong twice. It's amazing that this shipment actually arrived. So let's see: this is the result of first interpreting UTF-8 as ISO 8859-1, or -15, or Windows code page 1252, encoding the result as UTF-8, then reading it again as Windows code page 1252.
Another interesting thing you can see from these examples is how one character becomes two. This is because while ISO 8859-1 and other traditional encodings use one byte for every character in their character table, UTF-8 makes use of a dynamic number of bytes to represent each character, giving them more than enough room for all the known alphabets in the world, living or dead. This is how they found room for the beloved pile of feces emoji and all the other emojis; new emojis are introduced all the time. In UTF-8 the Scandinavian characters are represented with two bytes, or are they? Take the letter Å. Å is the 197th character in the Unicode character table; in UTF-8 this becomes C3 85. This is two bytes, but it could also have been encoded as a composition of capital letter A and combining ring above. A is one byte, 41, and combining ring above is two bytes, CC 8A; together they make three bytes. It's also optional in which order these bytes come, so it could also be not only 41 CC 8A but also CC 8A 41. To make matters even worse, Unicode also defines an additional character that looks exactly like the Norwegian character Å. If you encounter this it's most likely you're a physicist, or you're dealing with text that comes from some kind of optical character recognition system, or you're just a geek. The angstrom sign is a unit of length named after the Swedish physicist Anders Jonas Ångström, with an Å, not Anstrom, and is encoded as E2 84 AB. One angstrom is 0.1 nanometers, in case you wondered. Encountering this character is apparently so rare that many applications will convert an angstrom sign to an Å behind the scenes. This is also in line with the current recommendations from the Unicode foundation. In fact this also usually happens if you try to use the combining ring above, but not always.

Plain text is not simple, it's just unstructured. There's nothing in a plain text file telling you what encoding is in it. You barely have an optional file extension that tells you that it is plain text. If you receive text from an input field or the clipboard you don't even have that. Image formats and other formats we deal with usually have a header that tells you what format it is, but with text we often just have the encoded text in itself. In UTF-16 there was an attempt at creating such a header. UTF-16 has two different modes, little-endian and big-endian; this controls the order of multibyte characters. If the first two bytes are FF FE the text encoding was little-endian, and if it was FE FF it's big-endian. This is called the UTF-16 byte order mark, or BOM for short. This required all software dealing with text to inject the BOM when you cut and remove it when you paste. With lots of legacy software it didn't work so well. You might have encountered the BOM if you opened a plain text file in Notepad and the first character is a black square while the rest of the file looks fine. However, it might also just be a y with a hat in ISO 8859-14. I have compiled a list of resources; it's a GitHub gist, so if you scan the QR code you can find that. And otherwise I'm done with the talk, and if you have questions, yes.

Microphone. Great talk. Do you think in 20 years from now Elon Musk's son will be having the same problem as you do, because he also has a Norwegian letter in his name?

It's probably already happening.

I also told Bård before he started his talk that, you know, you need to ask the audience: does anybody else in the audience have, should I say, non-English characters in their name that are causing problems? Yeah. So, more questions for Bård? Have you encountered problems with passwords where you use those characters?

Not me, but Per told me about a situation where... yeah, I can do that one. The Ukraine... no, not that one, okay. But it's about these combining characters, where on iOS devices they are combined into one character while on PCs they are separate symbols, and someone created a password for their BankID, bank ID in Norway. I have not confirmed that this is the case, but it's most likely the case, since she was able to log on to her BankID from her phone but not from any other device.

Yeah, I remember way back in 2007, it was my first time visiting Kyiv in Ukraine, the capital, visiting colleagues there back then, and out of curiosity of course I asked them: have you ever considered doing passwords using Cyrillic characters? And they just laughed at me, like: you have no idea what kind of world of pain you're going to be in if you do that. First of all, if we travel to the West you don't have a keyboard layout with Cyrillic characters on it. But the second one is, and I'm sorry for saying this, but most of you people in the West have no idea there exist more letters in the world than A to Z. Anyway, so they were just like: that is the most stupid thing you can do. And I've talked to people from all over the world and still ask this question: have you ever tried to do this in Greek, in Arabic, in Chinese, in Japanese? And usually the answer is no, I wouldn't dare try doing that at all, because it's just going to make a lot of problems for me.

Perhaps a more security related question, but did you ever encounter any potential attack scenarios? I can imagine if your name gets converted to something with an ampersand that could be seen as an extra parameter somewhere, or for example maybe a normalization attack in an email address that could, I don't know, lead to another user being updated, stuff like that, maybe accidentally. Did you ever see any of that, as a life-experienced guy?

Well, this example with... imagine this being appended to a URL. So yeah, that can happen, and there are also these cases where, oh wow, there's a lot of echo, where there are more symbols that look the same in Unicode, like the angstrom sign and Å, so you can register a domain using a different character set and in that way make it look like it's the same domain as your bank, for instance. So "a" is famous because you have a Cyrillic symbol that looks exactly the same, or in many fonts it's actually a little bit different, but it's similar enough that people don't react to it.

Yeah, more questions? Yep, in the back. And we are already into lunchtime, so those who want lunch, leave, and those who want to discuss this more, stay for the presentation.

Bård, sorry, calling Bård... I'm wondering about this: why do you think even Norwegian companies, Norwegian bank statements, Norwegian... were showing your name like that? Why do you believe this is still happening inside Norway, not really only related to international communication, where character conversion could be explainable, but why are we still facing that? Thank you.

So, as I touched on, there is nothing
in indicating what encoding a text is in so this is all with all of this is with text uh with character stats that already accept the Norwegian character and uh but you don't just don't know which which encoding it is when it when it comes over over the wire um and most of these issues is exactly when a system tries to fix uh the encoding they get something in as as uh utf8 and they assume it's it's the old encoding and they try to fix it by making it utf8 and then you get another uh Miss encoding more questions for
B not a question but I noticed the you the characters on your header on the slide change from side to side nice touch yeah okay then no more questions for B we'll cut off for lunch thank you B for coming and doing your [Applause] talk and we will get started again at 2:00 with Ron
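The problems raised in this talk and its Q&A (text carrying no encoding label except a BOM, the double-encoding "fix" that turns Bård into BÃ¥rd, combining characters making the same password hash differently on two devices, and look-alike domain labels) can all be reproduced in a few lines. The following is an added example written for this page; it is not code from the speaker, and the name, the domain labels and the asset of a Latin-1 fallback are constructed assumptions:

```python
import hashlib
import unicodedata
from typing import Optional

# Constructed sample input for this example: a Norwegian name with a non-ASCII letter.
NAME = "Bård"

# The only in-band labels plain text can carry. Nothing else in the bytes says
# what encoding they are in. (FF FE is also the start of the UTF-32 LE BOM
# FF FE 00 00, which this example does not handle.)
BOMS = (
    (b"\xef\xbb\xbf", "utf-8-sig"),
    (b"\xff\xfe", "utf-16-le"),
    (b"\xfe\xff", "utf-16-be"),
)


def sniff_bom(data: bytes) -> Optional[str]:
    """Return the codec implied by a leading byte order mark, else None."""
    for bom, codec in BOMS:
        if data.startswith(bom):
            return codec
    return None


def decode_text(data: bytes, default: str = "utf-8") -> str:
    """Decode bytes honouring a BOM if present; without one, `default` is a guess."""
    codec = sniff_bom(data)
    if codec is None:
        return data.decode(default)
    if codec == "utf-8-sig":
        return data.decode(codec)      # the utf-8-sig codec strips the BOM itself
    return data[2:].decode(codec)      # strip the two-byte UTF-16 BOM


def bom_in_notepad_latin1() -> str:
    """A UTF-8 BOM seen by software that reads the file as ISO 8859-1:
    three junk characters in front of the (also mangled) real text."""
    return (b"\xef\xbb\xbf" + NAME.encode("utf-8")).decode("latin-1")


def mojibake(text: str) -> str:
    """The double encoding the talk describes: UTF-8 bytes read as the old
    single-byte encoding and then 're-encoded' as UTF-8. 'Bård' -> 'BÃ¥rd'."""
    return text.encode("utf-8").decode("latin-1")


def undo_mojibake(text: str) -> str:
    """Reverse mojibake only when the round trip decodes cleanly. Genuine
    Latin-1 text such as 'Bård' fails the trip and is returned untouched,
    rather than being 'fixed' into a second mis-encoding."""
    try:
        return text.encode("latin-1").decode("utf-8")
    except UnicodeError:
        return text


def password_digest(password: str, normalize: bool = True) -> str:
    """Digest a password after NFC normalization. One device may submit 'å'
    as a single code point (NFC), another as 'a' plus a combining ring (NFD);
    without normalization the two digests differ. SHA-256 is used only to make
    the comparison visible; a real system would feed the normalized string to
    a slow password hash such as Argon2 or bcrypt."""
    if normalize:
        password = unicodedata.normalize("NFC", password)
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def fold_label(label: str) -> str:
    """NFKC plus casefold for a domain label: the Ångström sign U+212B folds
    to Å (U+00C5), so that look-alike compares equal."""
    return unicodedata.normalize("NFKC", label).casefold()


def mixed_script(label: str) -> bool:
    """True if a label mixes letters of different scripts after NFKC, e.g.
    Cyrillic 'а' (U+0430) inside a Latin label. Normalization does not merge
    these: they are distinct letters that merely look alike in many fonts."""
    scripts = set()
    for ch in unicodedata.normalize("NFKC", label):
        if ch.isalpha():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return len(scripts) > 1


if __name__ == "__main__":
    print(sniff_bom(NAME.encode("utf-8")), decode_text(NAME.encode("utf-8")))
    print(decode_text(b"\xff\xfe" + NAME.encode("utf-16-le")))
    print(bom_in_notepad_latin1())
    print(mojibake(NAME), undo_mojibake(mojibake(NAME)), undo_mojibake(NAME))
    nfd = unicodedata.normalize("NFD", "på")
    print(password_digest("på", normalize=False) == password_digest(nfd, normalize=False))
    print(password_digest("på") == password_digest(nfd))
    print(fold_label("\u212bngstr\u00f6m") == fold_label("\u00c5ngstr\u00f6m"))
    print(mixed_script("p\u0430ypal"), mixed_script("paypal"))
```

Two caveats a practitioner would want: `undo_mojibake` is a heuristic, since a Latin-1 string that happens to be valid UTF-8 (someone who really typed "Ã¥") will be "repaired" into something else, so it belongs at an ingestion boundary with logging, not silently in the middle of a pipeline; and `fold_label` catches only compatibility look-alikes, so a mixed-script check (or a proper confusables table) is still needed for the Cyrillic case the speaker mentions.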
[Music] time access so please welcome him with a little round of applause [Applause] thank you a lot for having me uh as stated I am not a professional as doing the stocks but I will do my best uh so short introduction uh nice meeting you all I am a and I'm the co-founder and C of entitle and and entitle we are doing just in time access for cloud resources and yeah recently we got acquired by beond trust so my boss is sitting over here um so before we kill something let's maybe first Define what is Pam and frankly to be acquired by a Pam product uh as we saw at that time pam pam products are doing the
provisioning depr provisioning and session audit for privileged permissions uh and uh in the old times uh those uh sensitive permissions were for old systems some uh database that were on and as we will see throughout the stock things have changed in the cloud so according to a lot of marketing stuff uh a lot of people have a lot of permissions and most of them are not used at all like uh we will see shortly that uh most of the common Brides nowadays are revolving identities and over permission over permissive permissions and even though we have so many admin accounts in the world most of them are not used at all not throughout time but even uh in general people and people and
by people I say develops Personnel in it rather give uh over permissive permissions instead of fine-tuning that because they're just flooded with tickets um yeah so many of the recent uh brides are identity related one example will be the OCTA bridge and in the OCTA Bridge we can state that uh support engineer had basically admin rights to all environments of many customers and he had a lot of other problems as you can see didn't had MFA etc etc but uh with one identity we were able to uh compromise the whole company win minutes and this is the screenshots of uh lpus group that they showed how they compromised many companies so now that we know what is
the problem what we can do about it uh there are when H Ron and I founded the company we interviewed a lot of I am Personnel security people and we wanted to know how they deal with this problem so we find out that the security is doing like Audits and don't trust the it and devops to do those uh TI tightening permissions so they do quarterly access review or just investigate who is accessed to what and on the other this is the governance part on on the other hand the way that uh permission were gave to the employee from the begin with were really really manual we we saw and still see a lot of
uh slack teams and even emails from employees saying hey I need access to that and that resource and can you please give me give it to to me and we can see it uh when the when we try to have another meeting with the with a customer then we see they have older calendar is full of please remove David permissions from production um so before that so basically this is what our company does uh we created a One-Stop shop where you can request permissions for cloud cloud assets and because we solve the the provisioning part the governance part is a by byproduct of that so that there were as stated before most of the bridges nowadays are
identity related and many many companies and many uh vendors try to tackle those problems from uh from many angles doing like a ubaa for those identities the odd stuff but we say we can do that even a way simpler way so the common stack for uh companies nowadays uh the mature companies if you're like a 20 people startup you usually don't have this but is it's a it's an IDP a Pam product and in IG sometimes you don't have uh one of the or Pam or IG products and for for the most common uh on pram examp or like large company example it will be active director OCTA and Beyond trust is a Pam and a sale point is a um but
throughout the stock we will maybe talk about why we see that Pam and IG are converging so um at the beginning of the talk we talked about that the Legacy P products are doing the authentication and also the the part of getting into the resource sometime the resource is sitting in a private Network and you need to tunnel to it etc etc and some of those problem are not present in like in the modern cloud
yeah so this is exactly the point um if you want to connect to old old Mainframe uh application then you must use something like a jump server or a pump solution in order to do that um but as we can see in the cloud most of those systems have uh the authentications built into them and also the auor ation they have really fine grain access Management Solutions inside those Solutions so you don't need to like reuse the same password and put a jump host uh between the users and those applications and authorization is still a problem this is why we we founded the company and actually the the session audit was a a killer feature for many of those
system because again everybody used the same user so we needed to audit who did what in those systems but when every individual user has their own permissions then th those audit Trails can be part of the third party system itself you don't need to to audit that with a jump server or something like that take a
sip so at the beginning when uh we started our journey we created a a platform that basically gives users a self-service approach to access management and we thought that's this is going to be it and our customers shifted us and saying okay now that everybody can get access really easily we can just remove their access and there will be zero standing privilege for those accounts and when they will need that that access they can easily elevate it whenever they need and so a lot of companies like today are saying that you you don't need to have your full admin all the time and an OCTA Bridge an event like an OCTA Bridge can have been
eliminated if uh they had some Justus in time solution in place
so yeah as as we said um our solution provides a self-service approach we we have our own web UI but we found out that uh companies don't want to put another portal for their employees so they rather have the years of experience through slack or through teams and G G service now are are now coming and most of the engineers and the cloud native World they they like really hate to have another Port I assume this is also right for larger companies so another thing that we find out is because of IG and Pam products what happened is that companies centralized all the access request for the it and devops and then we created a a
distinction between who knows the asset best which is the the business itself and who has access to it the devops and it and what is happening is that an employee ask request for something and it gets routed to the devops and the it and they have no idea who is that person and what asset he is requesting access for so they start their due diligence process and this is not fun for any of the sites so what we're uh trying to solve with our solution is in order to centralize that into devops and it we make access management uh democracy and we we assign asset owners and application owners to those uh privileged permissions and that way the
the routing is is being done to the relevant person and of course you have like a small context who who is the requestor so if someone from HR is requesting access to gcp production that's is something odd um yeah that's exactly it because we we saw basically what we saw when we interviewed uh the the people that were provisioning those permissions there were like rubber stamps in some cases they didn't have no idea who that person and why they need that access and giving them the context and like um reinforce them with a decision of what is this asset providing as many as much data on that asset as possible and of course on on the user
itself makes that decision so so much easier here especially when you can request this permission for a a specific TTL and you don't need to remember when to revoke it you just like you when you approve the permissions you can uh select for how long it will be the user can also specify that as well and you can also bind it to a third- party uh ticketing system let's say as long as you're on call or if you're signed a support ticket then those permissions will be part of your identities and if not it will be automatically revoked yeah so as I stated earlier um the the part of the democracy and also the asset ownership part took uh Place
really hard in our workflows where companies really wanted us to make fine grain workflows for the approvals not just like um have a approval group but rather have the manager approval and some peer approval and Etc things that are related only to the user itself not only to the assets because the business themselves know best we like cannot force them to have a dedicated workflow in mind that we can predict for them yeah so as we saw that like we created this uh just in time access product and people asked us so wait where should I put it should I do Justus in time access for everything or should I put it on the most sensitive
asset that we own and naturally for uh for permissions like the I don't know the the the general Confluence page everybody should have access to that you should not jet that and and this this permission can be standing all the time but all the the the privileged ones you should uh it depends of course on your uh risk appetite you should be uh time bombing that as much as possible so you can choose more Lan uh workflows for those sensitive assets and for the less sensitive assets you can just have them automatically approved or uh manager approval can be sufficient so this is like uh to wrap things up and basically the term Justus in time
access is something that uh our marketing team invented but we are really proud of it uh is a way to to combat other permissions and try to get to zero stand privilege as much as possible thank [Applause]
you okay any questions raise your hand nod your head
okay hello this really good stuff so at my company we've implemented just in time access for some of these critical systems like this and we've run into some pain points and I'm I'm curious if you've also experience these with your customers one of them is that for critical systems right we'll say you know production high level debug right something's I need root right now so I can go in and pull some blackbox information right um sometimes it's hard to get a hold of people to actually do the approval and even if you have a group of people right it takes so long to communicate the context of what's going on right like we I have an active
incident okay I want to look at it right I need the number I'm not just going to approve this right people get very tightfisted about it so I guess my first question is have have you seen that you know with customers where when you move to just in time it actually gets slower and more friction because when people need things they can't get it right now because you need to wait for a human and then you know this stuff stalls out yeah so great question so first of all we we have some product uh things I think it's Echo can you maybe turn off the okay so first of all in our product you can have like multiple approvals you can
also like uh ping it to to an admin to approve it if not like the the relevant approver is not awake or for any other reason but actually exactly feedback like this uh we created the way that you can create a generic workflow for a specific asset let's say it's production and if you are on call and you're requesting access for production for Less Than 3 hours then it can be automatically approved and if you're not on call then it will go through this uh tedious workflow that you actually need to pull someone by the shirt to get access so this is a what's one of the most common workflows we have today production if you're on call you get it
automatically if you're not on call read access can be approved and right access goes through security and Dev
I'm sorry if I missed this in your talk but the actual access management system is it in the cloud or can can it be an on Prem device or system or is it all in the cloud so at the moment we you can host it yourself it's a it's a do it's a kubernetes deployment but at the moment we are mainly offering a um a full Cloud solution but of course this qu we prer the yeah yeah I know a lot of folks prefer on Prem but before they jump into this uh on Prem party we offering a hybrid deployment where you can have all the secrets stored at your end we call it uh we just put the
connector at your side and that way that the privilege permission that is used to change the permissions are not leaving your VPC and we can only like send commands of gring people's permission can you elaborate on that a little bit sorry sure can you elaborate on that a little please sure about the second part so for the hybrid deployment we have the our control plane which is in the cloud and we have a connector that's sitting inside your environment it's like doesn't need to have uh access to the web it's doing like a reverse N I don't know what's the the name for it and uh it's pulling for for uh tasks and that way the the permission
the the sensitive credentials are sitting inside your your tenant so we cannot like let's say those permissions can read data but because of our connector is not he's not able to read it he can only like list who has access and Grant those permissions then we can cannot read your data it's basically uh the only the data layer is sitting it to your side we can only like see the metadata of what are the names of the assets more questions
okay hi thanks for for the talk uh could you expand on what IGA is and how it fits in with what you're doing yeah so an IGA it's a general term for identity governance and administration and those like uh I'm not sure if you're familiar with heavy heavy duty IG Solutions they're mainly doing uh segregation of duties
products where where are where they are doing the authorization and authentication to privilege permissions okay then once again thank you for coming round of applause for that uh we are quite early so uh next talk is at 3:00 we have a 40 minutes next talk is breaking historical C attacks with modern means and that is one of the one of the many talks talks that I've been looking forward so I'll see you back here at 3:00
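The production workflow described in the Q&A above (on call and a TTL under three hours: automatic; otherwise read access needs an approver and write access goes through security and dev), together with the talk's points about grants that expire on a TTL or when the bound ticket closes, can be written down as a small policy the approvers and the access check share. This is an added example for this page, not Entitle's code or product behaviour; the asset names, the "hr" department flag, the three-hour limit and the approval-route names are constructed assumptions:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Hypothetical asset classes, assumed for this example.
STANDING = {"confluence"}        # everybody keeps standing access, no JIT
SENSITIVE = {"gcp-production"}   # zero standing privilege, JIT only
MAX_AUTO_HOURS = 3.0             # on-call requests up to this TTL auto-approve


@dataclass(frozen=True)
class Request:
    user: str
    department: str
    asset: str
    level: str                    # "read" or "write"
    ttl_hours: float
    on_call: bool
    ticket: Optional[str] = None  # ticket the grant is bound to, if any


@dataclass
class Grant:
    user: str
    asset: str
    level: str
    expires_at: datetime
    ticket: Optional[str]


def route(req: Request) -> str:
    """Approval route for a request, following the production workflow from
    the Q&A: on call and short TTL -> automatic; otherwise read needs an
    approver and write goes through security and dev."""
    if req.level not in ("read", "write"):
        raise ValueError(f"unknown level {req.level!r}")
    if req.asset in STANDING:
        return "standing"
    if req.on_call and req.ttl_hours <= MAX_AUTO_HOURS:
        return "auto"
    if req.level == "read":
        return "approver"
    return "security+dev"


def context_flags(req: Request) -> List[str]:
    """Context shown to a human approver; an HR user asking for production is
    the speaker's example of a request that should look odd."""
    flags = []
    if req.asset in SENSITIVE and req.department == "hr":
        flags.append("hr-user-requesting-production")
    if req.ttl_hours > 24:
        flags.append("long-ttl")
    return flags


class Broker:
    """Issues time-boxed grants and re-checks them at access time."""

    def __init__(self) -> None:
        self.grants: List[Grant] = []
        self.open_tickets: set = set()

    def issue(self, req: Request, now: datetime, approved: bool = False) -> Optional[Grant]:
        decision = route(req)
        if decision == "standing":
            return None                      # nothing to grant, access is standing
        if decision != "auto" and not approved:
            return None                      # waits on the human route
        grant = Grant(req.user, req.asset, req.level,
                      now + timedelta(hours=req.ttl_hours), req.ticket)
        self.grants.append(grant)
        return grant

    def _live(self, g: Grant, now: datetime) -> bool:
        if g.expires_at <= now:
            return False                     # TTL elapsed
        if g.ticket is not None and g.ticket not in self.open_tickets:
            return False                     # bound ticket closed: revoked
        return True

    def has_access(self, user: str, asset: str, level: str, now: datetime) -> bool:
        if asset in STANDING:
            return True
        return any(g.user == user and g.asset == asset and self._live(g, now)
                   and (g.level == "write" or level == "read")
                   for g in self.grants)

    def sweep(self, now: datetime) -> int:
        """Drop dead grants; returns how many were revoked."""
        keep = [g for g in self.grants if self._live(g, now)]
        revoked = len(self.grants) - len(keep)
        self.grants = keep
        return revoked


def demo_scenario() -> Dict[str, bool]:
    """Constructed walk-through; returns the observations as a dict."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    b = Broker()
    b.open_tickets.add("INC-42")
    oncall = Request("alice", "eng", "gcp-production", "write", 2, on_call=True)
    offcall = Request("bob", "eng", "gcp-production", "write", 2, on_call=False)
    support = Request("carol", "support", "gcp-production", "read", 8, on_call=False, ticket="INC-42")
    out = {}
    out["standing_before_any_grant"] = b.has_access("alice", "gcp-production", "read", t0)
    b.issue(oncall, t0)                                   # routed "auto"
    out["oncall_granted"] = b.has_access("alice", "gcp-production", "write", t0)
    out["oncall_expired"] = b.has_access("alice", "gcp-production", "write", t0 + timedelta(hours=3))
    out["offcall_without_approval"] = b.issue(offcall, t0) is not None
    out["offcall_with_approval"] = b.issue(offcall, t0, approved=True) is not None
    b.issue(support, t0, approved=True)
    out["ticket_open"] = b.has_access("carol", "gcp-production", "read", t0 + timedelta(hours=1))
    b.open_tickets.discard("INC-42")
    out["ticket_closed"] = b.has_access("carol", "gcp-production", "read", t0 + timedelta(hours=1))
    out["swept_all_three"] = b.sweep(t0 + timedelta(hours=3)) == 3
    return out
```

The point the code makes that the talk only states is that the TTL and the ticket binding are enforced at access-check time, not only by a background revocation job: `sweep` is housekeeping, and an access decision taken between sweeps still fails once the grant is dead.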
We've had a break, now it's time for our next talk, absolutely a talk that I've been looking forward to. I've been interested in cryptography and so on for many, many years, but I failed at math, like really easy math, in school, and never recovered from that, but I'm fascinated by ancient cipher texts and the secrets they might reveal, so I've been looking forward to this talk all the way since it arrived in my mailbox. So we have Elonka and Klaus, please welcome them. [Applause]

Thank you, thank you. So, Breaking Historical Cipher Texts with Modern Means. My name is Elonka, I am a game developer and a crypto authority and a book author; my website is elonka.com. And hello, I'm Klaus Schmeh, I'm a German computer scientist and crypto specialist, and I'm interested in the history of cryptography, and together with Elonka we've written a couple of books, such as this one, Codebreaking: A Practical Guide. So, introducing this: there are many thousands of old cipher texts, some have been broken and some have not, and the question is, can they be broken with modern means? Here's an example of one: this is an encrypted text by Emperor Ferdinand III from the 17th century. And here is one from North America, also from the 17th century. Here is the oldest encrypted thing we know about, this is from 1300 BC; it's encrypted cuneiform, someone was encrypting the recipe for a dye. Okay, so we are talking about cryptanalysis today, and I'm sure that at least some of you are familiar with cryptanalysis, and maybe you even have some expertise in the field of breaking modern algorithms such as RSA or AES or DES and things like that, but cryptanalysis of modern algorithms is completely different from what we are covering today, because today we are talking about classical ciphers. So let's look at some of the differences. Now, for example... okay, yeah, yes, what, okay. Well, if you look at modern cryptanalysis, usually the algorithm is known, the goal is to determine the key, we are dealing with sophisticated ciphers, the plaintext is known or can even be chosen, we have an infinite amount of ciphertext, and the ciphertext can be easily read. All this happens when you are dealing with modern cryptanalysis, but today we're talking about the classical case, and here everything is different: usually the algorithm is not known, and the goal is not to determine the key but the plaintext, and so on. So we have a completely different situation, or to summarize this table: modern cryptanalysis and historical codebreaking are two very different things.

So when we're talking about cryptanalysis of old ciphers, let's start with the most simple case, the monoalphabetic substitution cipher. Monoalphabetic substitution simply means that you replace every letter of the alphabet with something else, so we have a substitution table like you can see here, and the most simple case is that you don't even have an alphabet change, so every letter of the alphabet is replaced with another letter of the alphabet, and this is how the encryption works. There's also the slightly more complicated case when the alphabet changes, so again every letter of the alphabet is replaced with a symbol, but in this case the symbol might be something that is not an ordinary letter, not an ordinary number, or can even be something you have never seen before, but it's still some kind of symbol or some kind of glyph. And from a codebreaker's... sorry, I think I always click on the wrong button, I think it should work... from a codebreaker's view there's no big difference between these two cases, because of course you can always replace the symbols you don't know with a symbol you know, and this doesn't change the encryption as such.

Okay, here we have a Freemason document from the 19th century. In this case we have no alphabet change, because as you see here these are all ordinary letters, so it's a monoalphabetic substitution without alphabet change. On the next slide we see another Freemason document, also from the 19th century, but this time we have an alphabet change, because as you see here we have all these strange symbols; it's a so-called Freemason cipher, and these Freemason cipher letters look different from the letters we know, but as I said it's a substitution in both cases, so from a codebreaker's view it's not much of a difference. And now the question is, how can we break such a simple monoalphabetic substitution cipher? Most of you certainly know how it works. Of course there are several methods, but the most obvious one is frequency analysis. So if you know the language that was used, you know the letter frequencies; for example, in English, as you can see here, the E is the most frequent letter, it has a frequency of almost 13%, followed by T, A, O and so on, and this helps when we want to break a message. I can show you an example here: this is an encrypted text from the 17th century, the so-called Winthrop cryptogram; it was created by an alchemist, so it certainly makes sense to break it, because maybe it will tell us how to make gold. But before that we need to know how to break it. Well, let's start with frequency analysis, and then we see that this letter that looks a little bit like an eight is the most frequent one, so it could be an E; the second most frequent one is this one that looks a little bit like a J, and so on. If we use the frequencies and do some trial and error, we can pretty soon solve this mystery, and it turns out that this letter that looks like an eight is an E and the second most frequent one is in this case an I. This is not always the case, so as I said it requires some trial and error, but within 15 minutes or so it's usually possible to break such a system without computer support. And now let's look at what is written in here. Well, it's an alchemical text: "take excellently well purified ... dissolve ..." and so on. Usually the content of such a message is not really interesting for the codebreakers; the codebreaker is interested in how the encryption works and not in what is encrypted, and I'm pretty sure that it won't help us to produce gold.

Okay, now as I mentioned, something like this can be done by hand, but of course today it makes sense to use a computer program for this purpose, and in fact a frequency analysis with a computer is not very difficult, because there are quite a few programs around, for example MultiDec by Christian Baumann from Austria, or the Rumkin cipher tools by Tyler Akins; all this is available for free on the internet, just like CryptoCrack, created by an anonymous developer group. In my view the best tool for cryptanalysis, and for cryptanalysis of old ciphers, is this one here, CrypTool. It's open source software created in Germany, it has been around for 25 years, and meanwhile it's a very good tool with a lot of crypto and cryptanalysis functions, and I use it a lot when I want to do codebreaking work. CrypTool was developed by a team of over 50 people; some of these are very active in the scene, so I know them well, and as I said it's a tool I use quite often.

So let's now look at another example of a monoalphabetic substitution cipher. This one is the so-called Baring-Gould cryptogram, because a British man named Sabine Baring-Gould in the 19th century wrote a book, and in this book a cipher text is contained, and this cipher text is usually referred to as the Baring-Gould cryptogram. This is how it looks: it's pretty short, only two lines, and now let's try to break it. Well, first of all you see that we have an alphabet change here, because all these are symbols or numbers and not ordinary letters, so the first step is usually to create a transcript. A transcript simply means we replace every symbol from the cipher text with a letter from the ordinary alphabet. How this is done doesn't matter, it just needs to be consistent; for example, you can see here there are two fours in this picture, and both of them should be replaced by the same letter, of course, otherwise you get in trouble if you do text statistics. In this case we use a C to replace the four. Then we go on: there are two... no, sorry, there are two plus signs; again we should use the same symbol to replace these, the H in this case, and so on. What we have now is the so-called transcript, so it's the same encrypted text, but now instead of an alphabet change we have ordinary letters. Now we could do a frequency analysis, but this probably won't help because the text is too short, so we need to apply another method, and today this is no problem anymore, because today in the age of computers we have a very good method named hill climbing.

Well said. So now that we've converted it into letters, which is something that our brain can more easily munch, we do the system where we're going to generate a random key, and that generates a substitution table, and then we're going to decrypt it, even though it's going to come out somewhat random, and then we're going to rate the correctness; now, I'll come back to that later. Then we're going to create a new key that is slightly changed, again random, but we're going to keep a copy of the old key. Now we're going to decrypt with the new key, and again we're going to rate the correctness, and again I'll come back to that, and we're going to see: has the correctness increased? If so, then we're going to keep the new key and get rid of the old key; if not, then we restore the old key, and then we repeat the steps. And so what we're going to get here is we're going to climb a hill where we're steadily looking for better correctness, and often when we get to the top, the best correctness, we will have the solution. Not always; sometimes we get to something called a local maximum, where it looks like we've gotten to the top but we haven't gotten to the top, and so this is called a local maximum, and there are ways of dealing with this. There is a system that's called simulated annealing; annealing is a term from metallurgy, where they will heat metal and then cool it, and what they're trying to do is affect the properties of the metal, and with simulated annealing you have a program where you're adjusting what's called the
Heat and maybe you're going to have a a fast or a heavy heat or maybe you're going to make it cooler and what you're trying to do is you're trying to get it off of that local maximum and all the way to the real top and we could talk a lot longer in simulated kneeling but kind of outside of the scope of this so correctness how are we rating the correctness well in this particular case with we're going to check on the letter frequencies and we're going to look at the candidate we remember we said we had that random candidate and we're going to look at what kind of letters are in it and if it
has frequent letters in English that are frequent in the candidate then that would be a high score whereas if rare letters are rare in the candidate that's also a high score right but if we're getting the plain Tex candidate and we're getting the rare letters are being common and the common letters are being rare then that would be a low score okay so looking at the bearing gold cryptogram let's say okay this is one step and so we're going to have our substitution table our plain text candidate the result that a score and the step we're only looking at successful steps in this case all right and then we go to the next step and so forth all
right so here at the uh penultimate step we have have a plain text candidate of a MD in the hand is worth two in the mush which our brain probably you know a human brain kind of jumps on that but the computer hasn't quite gotten it and then it'll get to the next step a bird in the hand is worth two in the bush which is the correct plain text for this particular cryptogram so many other monoalphabetic substitutions and more complex sub stitutions as well all right now we're going to go to a different system yes now let's look at the socalled Turning Grill encryption I think most of you have seen this before these are original turning
grilles from the 19th or even the 18th century. I can show on this slide how this kind of encryption works. First of all we need a plaintext, "to be or not to be", and because this one is too short I have added three X's for padding, and now we need to write this plaintext into this stencil, starting with the first four, then we turn the stencil by 90°, and then the next four letters are inserted, and yes, well, this, I think, is a well-known kind of encryption, and it's a transposition encryption; that means nothing is replaced, only the order of the letters is changed. And now what you can see here is the plain... sorry, the cipher text; I hope you can see it even from the row behind. Well, this kind of encryption was quite popular, especially in the 19th century or even before; here you see a few examples from the Netherlands, from England, from Italy. And of course, well, now the question is: can an encryption of this kind be broken? And the answer is yes, there are manual methods to break such an encryption, so already in the 19th century it was possible to break this kind of encryption, but it's very laborious. And so now the question is: can we use a computer-based method for this task? And the answer is yes, we can use hill climbing again. Well, it's clear that hill climbing can be used, but it's not really clear how well this works, or at least it wasn't clear until 2017, or at least I didn't find anything in the literature. So what I did is I created a challenge and published it on my blog: I took a text, encrypted it with a turning grille, and a pretty large one, 20 by 20, and I published it on my website and I told people to solve it. And so I was quite excited to know how long this would last, and the answer is: it was pretty fast. So Armin Krauß, a German code breaker, only needed a few hours to break this encryption with hill climbing. So apparently, if you have the right tools, it's quite easy to break it, and of course if you're as good a code breaker as Armin. The algorithm here is exactly the same as the one Elonka explained; the only difference is we need a different scoring function, because letter frequencies are not helpful here, because, as I said, we are dealing with a transposition cipher: the order of the letters changes but nothing else, so the frequency of the letters stays the same. So we need something else, but what we can use is letter pairs, or so-called digraphs, because the digraphs change, of course, and the digraphs are characteristic of every language. For example, in the English language something like TH or IN or ER is quite frequent, while rare letter pairs are things like QR or CX or PF. So if you have a frequent letter pair it gets a high score, otherwise a low score, and this is exactly how Armin Krauß, this German code breaker, broke this turning grille challenge; as I said, it took him only a few hours, including doing all the programming, and this is the solution. Well, the solution or the plaintext is not relevant here because it was a challenge, and the bottom line here is that even messages encrypted with a very large turning grille can be broken with hill climbing today. So it's certainly not a good idea to use this method for messages that should be secure, and there are better methods available today anyway. Okay, so much about turning grille encryption; the next chapter is covered by Elonka again.

Hey. Nomenclator. So also I wanted to say I appreciate that everyone is in here, because I know how hot it is in here, and especially with the masks, and I see the sweat, and it's like everyone's kind of melting out of their chair, so thank you for sticking with this. So, nomenclator. Klaus and I actually had quite the argument for our book on whether to include nomenclator; he convinced me, I have religion now. So what's a nomenclator? It's sort of a monoalphabetic substitution that also includes complete words; they're often proper names, and the term nomenclator comes from the person who would be, say, at an event, who would call out the names of people as they were arriving. And it's been around a long time. So here is an example, not an actual nomenclator: say we're going to encrypt the phrase "will come from London to Berlin", and we're going to use this table on the left-hand side. Some of the words we're just going to encrypt letter by letter, and sometimes, for example for the word "from", we're just going to put two digits, because that's from the table, right? And then "London", same thing; "to" we're going to do letter by letter, and "Berlin" just two digits. Now here's an actual nomenclator table from the 17th century, and there's several different parts of it. Parts of it are just letters, and you can see there's actually three different choices for each letter in this table, so it's also got what's called a homophonic option, and there's also these places where you could take each letter followed by each of the possible vowels, and then that could be one of a couple of different numbers, and then you have the actual names in this table, which are there, and then you've got three digits. So how do you solve a nomenclator message? Well, the simplest method is you find the table; however, that's not always possible, so there's different ways of doing it. You can derive the table from other messages, maybe, that have been solved.

So I'm going to talk very briefly about the Zodiac Killer. This is a serial killer in Northern California, and he had sent encrypted messages to the press, saying if you can solve these it'll give you information about who I am, and one of the messages was solved very quickly by a husband and wife team, Donald and Betty Harden. He had been interested in ciphers, but she was more, I think, the intuitive one of the two, and between the two of them they solved one of the messages, called the Z408; we call it that because there were 408 symbols in it. And then there were other messages that were sent as well, and you can see here from the 408 that it was also what we call homophonic, because each letter could potentially have multiple different symbols. Then there was a Z340, and this became one of the most famous unsolved codes in the world, and it remained unsolved for over 50 years, and then it was finally solved by a three-man team using modern means, computers, including hill climbing, and they published their solution in December 2020. And it was really interesting because they were on different continents: one from the United States, one from Australia and one from Belgium, Jarl Van Eycke; I actually just met him a few weeks ago. And Klaus and I refer to this as one of the greatest successes in the history of non-military cryptanalysis. So I'm going to talk very briefly about how the 340 came apart. If you take the first 20 letters of it and then you come down diagonally, sort of like a knight move in chess, right, and then you make a substitution table, again the homophonic table, and the plaintext in this is "I hope you are having a lot", and I'm not going to read you the whole plaintext, because this guy was not all there, obviously, but they did clearly solve the message. And then that leaves two messages, the Z32 and the Z13, which are not solved yet. Some people say they will never be solved because they're too short; others say, well, maybe it's going to include some combination of systems from the others; and some say that, you know, maybe for the Z13 the potential solution is "Alfred E. Neuman", who, if you're a fan of Mad Magazine, you'll know that character. So let's go over to a few other unsolved cipher texts.

Yes. So this is the best known unsolved cipher text of all; it's the so-called Voynich manuscript. You might have heard of it; it's an encrypted book from the 15th century, it's handwritten and hand-drawn, and it has never been solved, so it's not possible to read it. It's written in a script that is otherwise unknown, and there are many pictures in it, and the pictures usually can't be identified; so there are a lot of plants in it, and it's not really clear what kind of plant this is supposed to depict. And this is clearly one, or maybe, in my view, it's the most important unsolved crypto mystery in the world. But there are others, and there's especially one Elonka is an expert in. Give me the microphone.

So my favorite is one that's called Kryptos. This is at the center of CIA headquarters, Langley, Virginia, and I've been kind of toying with this one for decades at this point, and some people say that this is one of the most famous unsolved codes in the world. And I'm not going to go into a great deal on it, but if you look at the plates that are on it, we have the ciphers that we call one, two, three and four, and then there's four, which is still unsolved, and it's 97 characters there at the very bottom. Now the artist has actually given us some clues towards solving part four; this is Jim Sanborn, and so in 2010 he said, okay, well, at this location, at the 64th character, we have the word, plaintext, "Berlin", and then he gave us the word right after it; this was four years later, the word "clock", and then in January 2020 he gave us the word "Northeast", and then the pandemic hit, and so he kind of wanted to stir things up, and so he gave us another clue, which is the word "East". So here we have a sizable chunk of the plaintext from K4, and we still don't know what the whole thing says, so there's a lot of theories on K4.

All right, and let's see, then we've got another thing that we've been working on. This is an encrypted postcard from 1873; this was sent to us by a man who found it in his family documents. He said this was from his great-great-grandfather, George Furlong; he was the owner of a soccer, of a football team, a football club in Luton, and it was a postcard that he sent to his sister, so we figure that it can't be that difficult, and we have these things that are underlined, but it's again something that we've
never been able to solve. And there are many, many more unsolved cipher texts out there, so a lot of computer systems have been used on these, but they remain unsolved, so research is ongoing.

So, conclusion, very briefly here: breaking historical cipher texts is an active field of research; it's different from cryptanalysis of modern methods, because, like, we don't have an infinite amount of cipher text that we can work with and then try and figure out the algorithm; but the hottest technique that's out there right now is definitely hill climbing, and there are still many old cipher texts left to solve. So, any questions? Yeah, how about... all right, he's going to hand the microphone right there, I saw a hand go up.

Yeah, I was going to ask if hill climbing works if, like, multiple rounds of encryption have occurred.

Okay, so you're talking about super encryption, where you've got... Will hill climbing work? It can. What have you heard?

Yes, well, something like this happens, for example, when one tries to break Enigma messages. So if we're talking about an Enigma, it has a plugboard and then it has the rotors, and doing hill climbing on the whole system usually doesn't work because there are too many variants, but something you can do is do two hill climbing steps: so first of all do hill climbing for the rotors, and then the second time for the plugboard, and this works. The difficulty here is the scoring function, so if you have two different encryption steps you need to tell if a text is good or bad based on an encrypted text, and this is really difficult, but depending on the system you're working on, it works, or at least there have been examples where this worked quite well.

Another way that super encryption and hill climbing might go together is you might have something that doesn't have a typical frequency analysis graph for a language, and so you're going to go through hill climbing and you're trying to find something that matches that graph, where you've got a peak and lows instead of everything just kind of even. Yeah, good question. More questions?

Are the techniques still effective if the languages have changed over time, so, like, frequency analysis on Old English, for example?

Sorry, I didn't... yeah, a little louder, please.

Are the techniques such as frequency analysis still effective for old language?

Take the mask off. Just... yeah, okay.

Are the techniques still effective, such as frequency analysis, on Old English, for example?

Yeah, doing frequency... and I mean, it helps if you know which language you're dealing with, like if you know you're dealing with English or French or German or Latin, and so sometimes, again, you've got that kind of trial and error; you're looking for which kind of a pattern.

What about languages where you don't know what the plaintext frequency... languages where you don't know the frequency analysis?

That would be really hard. You'd have to make one yourself.

Yeah, yeah, you're building it as you go.

I love curiosity. From my perspective, if you want to learn more about this, you know, how do you get the interest into doing this kind of work, you know, and suggestions on where to ask, where to start on this, any YouTube videos, any websites, any blogs, or, you know, how do you start?

And there's a book up front there by Elonka and Klaus, yeah, so that's a way into cryptanalysis.

Any more questions?

Simon Singh also wrote a wonderful book called The Code Book. There is a website called MysteryTwister, where people will upload either classical ciphers or ciphers they've created on their own, and you can look and see, for each one, how many people have solved it. So if you want something easy, go to something that's got thousands of solves, and if you want a challenge, you want zero solves or one solve. Yeah, MysteryTwister. Yeah, yeah.

More questions?

Do you know of any initiatives using generative AI to help on solving some of those?

Okay, has AI been able to help solve these? Large language models? In my opinion, no. When OpenAI came out, and ChatGPT, I'm like, oh, okay, part four of Kryptos, I know it's 97 letters, I know we've got "Berlin" at the 64th character, and what I rapidly found out is that ChatGPT cannot count. And people say, oh, that's not true; like, yeah, it is true. I said, just give me a sentence that's 97 letters long; it can't do it. You ask it five times, you'll get five different sentences of different lengths. So, not yet, I think, is my answer so far.

Maybe I can add something. The answer is completely correct: not yet. But I know of research projects that try to change this. Well, at least in theory it is very well possible to do all this frequency analysis and all these other statistical tests with artificial intelligence. I guess this will work well in a couple of years, because that's usually the first step: you perform frequency analysis and a few other statistical tests, and then you draw conclusions, so it could be a substitution cipher or it could be a transposition cipher, and this is certainly work that can be done by artificial intelligence.

So do any of these techniques you've been mentioning work on one-time pad ciphers?

Well, if a one-time pad is used properly, no method at all helps, because it can't be broken; it's 100% secure. Usually, one-time pads have been broken before if the random sequence that is used is not really random, for example if it's repeated, and I guess that things like these can be done, or can be solved, with a computer. It's probably difficult to do it with the methods we introduced, such as simulated annealing or hill climbing, because you don't really know what you're searching for; so that's basically the problem. Maybe AI could help here, because you could analyze a stream and then draw conclusions; hill climbing, probably not, would be my guess.

Or perhaps maybe just the xkcd strip, the famous xkcd strip, where you have two people, and one person says to the other, "that blasted, they are using a 4096-bit key, we're screwed", and then on the next picture it says, "well, we'll just use this $5 wrench and punch somebody in the head, and then we will get the one-time pad". That's also kind of cryptanalysis, not the one we cover in our talk.

Oh, you don't have anything about physical violence in your book?

Yes, maybe we should include that in the next edition.

It's called rubber-hose cryptography, yeah.

Or just interrogation techniques; they are very efficient sometimes.

Any more questions? None? Okay.

Yeah, do you know if any of your methods to do cryptanalysis have been used to actually understand some of the languages, old languages, that are not necessarily encrypted but we don't know the answer to, like hieroglyphics, that have been solved already, but some of the others?

Well, I have to admit that I don't know much about old languages. I know that there are certain relations between cryptanalysis and trying to read old languages, but I don't know anything about it; I'm a computer scientist, not a linguist, so I'm afraid I can't say much about this.

The main thing is that with modern means we have the computers that can do the large databases and sharing this information around multiple continents, and that's definitely helpful. In terms of hill climbing, I haven't heard of anything, but, for example, with nomenclator tables often we have an encrypted message, so someone's gone into an archive, they have found an encrypted message, we don't know what system it is, we don't know if it's a nomenclator or what, and so then the next steps are, well, what do we do? Well, we look at other messages near it, right? Okay, so those are nomenclators, maybe this is a nomenclator; does this one use the tables that these other ones did? Maybe, maybe not. There was a big discovery recently about messages written by Mary Queen of Scots, where the table they didn't have, but they derived it from the messages that they had.

Okay, well, thank you, Elonka and Klaus, for coming along to PasswordsCon, and thank you to you. And there are a couple of books up here for those interested; I'm pretty sure you can ask about them. And we'll be back at 5:00 with Dwayne McDaniel doing the talk "Long Live Short-Lived Credentials: Auto-Rotating Secrets at Scale", so see you back at five. Thank you. And anyone that's going to Defcon, we'll have two talks there as well.
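As an added worked example (not the speakers' code, nor CrypTool's), here is the hill-climbing loop Elonka walks through, using the digraph scoring Klaus describes for the turning grille as the rating function on a monoalphabetic substitution: random key changes, rate the candidate, keep the change only if the score rises, otherwise restore the old key, with a few restarts as a simple guard against the local maxima mentioned above. The reference text, the sample message and the sample key are all constructed for the example, and the starting key comes from plain frequency analysis.

```python
"""Hill-climbing attack on a monoalphabetic substitution cipher, scored with
English digraph statistics. Added for illustration; not the speakers' code or
CrypTool's. Reference text, sample plaintext and sample key are constructed."""
import math
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase

# Constructed English sample, used only to estimate letter and digraph frequencies.
REFERENCE_TEXT = (
    "the frequency of letters and of letter pairs in ordinary english text is "
    "remarkably stable across authors and subjects which is exactly why a code "
    "breaker can use those statistics as a yardstick for a candidate plain text "
    "the most common single letter is e followed by t a o i n and s while the "
    "pairs th he in er an re and on appear again and again in almost any passage "
    "that is long enough to show the pattern rare pairs such as qr or cx hardly "
    "ever occur so a candidate full of them is almost certainly wrong and one "
    "that reads like this sentence with its usual mix of the and that and with "
    "and from is very probably right the longer the text the sharper the test"
)
# Constructed message to recover; longer than the two-line Baring-Gould cryptogram.
PLAIN_TEXT = (
    "a bird in the hand is worth two in the bush but a code breaker wants many "
    "hundred letters before the statistics settle down and the climb toward the "
    "right key can begin each step swaps two letters of the table keeps the "
    "change only when the candidate reads more like english and throws it away "
    "when it does not after a few thousand such steps the text is usually readable"
)
# Constructed key: plaintext letter ALPHABET[i] is written as SAMPLE_KEY[i].
SAMPLE_KEY = "qwertyuiopasdfghjklzxcvbnm"

def letters_only(text):
    """Keep a-z only, the way a transcript drops spaces and punctuation."""
    return "".join(c for c in text.lower() if c in ALPHABET)

def encrypt(plain, key):
    return plain.translate(str.maketrans(ALPHABET, key))

def decrypt(cipher, key):
    return cipher.translate(str.maketrans(key, ALPHABET))

def build_digraph_model(sample):
    """Log-probability of every letter pair, add-one smoothed so that pairs
    never seen in the sample (QR, CX, PF, ...) score low but finite."""
    counts = Counter(zip(sample, sample[1:]))
    total = len(sample) - 1 + 26 * 26
    return {a + b: math.log((counts[(a, b)] + 1) / total)
            for a in ALPHABET for b in ALPHABET}

def score(text, model):
    """Rate a candidate: frequent English pairs raise it, rare pairs lower it."""
    return sum(model[text[i:i + 2]] for i in range(len(text) - 1))

def frequency_key(cipher, sample):
    """Classic frequency analysis as a starting key: most common cipher letter
    paired with the most common reference letter, and so on down the ranking."""
    def ranked(text):
        order = [c for c, _ in Counter(text).most_common()]
        return order + [c for c in ALPHABET if c not in order]
    key = [""] * 26
    for plain_c, cipher_c in zip(ranked(sample), ranked(cipher)):
        key[ALPHABET.index(plain_c)] = cipher_c
    return "".join(key)

def hill_climb(cipher, model, start_key, steps=4000, seed=0):
    """Swap two key entries at random; keep the new key only if the candidate
    scores higher, else restore the old key. Returns (key, start, best)."""
    rng = random.Random(seed)
    key = list(start_key)
    best = start = score(decrypt(cipher, start_key), model)
    for _ in range(steps):
        i, j = rng.sample(range(26), 2)
        key[i], key[j] = key[j], key[i]
        candidate = score(decrypt(cipher, "".join(key)), model)
        if candidate > best:
            best = candidate                   # climbed: keep the changed key
        else:
            key[i], key[j] = key[j], key[i]    # no gain: restore the old key
    return "".join(key), start, best

def solve(cipher, sample, restarts=5, steps=4000):
    """Independent climbs from the frequency-analysis key; the best one wins.
    Restarts are a cheap guard against the local maxima the talk mentions."""
    model = build_digraph_model(sample)
    start_key = frequency_key(cipher, sample)
    best_key, best_score = start_key, float("-inf")
    for seed in range(restarts):
        key, _, s = hill_climb(cipher, model, start_key, steps, seed)
        if s > best_score:
            best_key, best_score = key, s
    return decrypt(cipher, best_key), best_score

REFERENCE = letters_only(REFERENCE_TEXT)
PLAIN = letters_only(PLAIN_TEXT)
CIPHER = encrypt(PLAIN, SAMPLE_KEY)

if __name__ == "__main__":
    recovered, best = solve(CIPHER, REFERENCE)
    print("cipher   :", CIPHER[:50], "\nrecovered:", recovered[:50], round(best, 1))
```

The rating only knows the digraphs of the embedded reference sample; a longer English reference text gives a sharper score, and a longer cipher text gives the climb more to work with, just as the talk says about the short Baring-Gould cryptogram.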
[Music] I [Music] [Music] [Music] talk is just I try my best to promote them as a band because they're that good welcome back Dwayne Long Live short live credentials autorotating Secrets at scale D thank you for that brief but wonderful introduction um let me start my stopwatch here and we'll begin if you want the slides that's the tiny URL it's not that tiny but I love tiny URL shout out to them for always giving me free eternally living short URLs because this is a Google slide deck and I'm not giving you that entire thing you can have it but I'm not putting on screen all right oh sorry I'll give you one two three four that's it all right so who in
this room considers himself working in the world of devops awesome thank you for all of your work who in this room Works in security I originally had security te team here but uh I think we should all be on the security team and we all technically work in security so everybody saying should go up that was a trick question all right who's on call right now really when I ask I did the same talk in bsides SF s Francisco and like five hands shot up like I am so sorry for you being on call right now uh but if you ever been on call if you ever had to incident respond um who has ever
rotated multiple Secrets because of an incident like at the same time was that fun no um here's an example of somebody that had a really really bad day rotating secrets and the thing to pay attention to is this number um because of the OCTA breach which I think I'm from this crowd I'm going to skim over it uh attacker gets into OCTA OCTA uh they steal har files har files contain credentials for customers again super oversimplifying um used those credentials to get into Cloud flare stuff cloudflare said hey we got this settled don't worry but they still got into jir which then got into Confluence which then got into bit bucket and they're like oh no oh no we
missed one key maybe two we'll still never know uh anybody from cloud Flair here that knows the exact story in chain convenant let me know um but 5,000 Keys one day that sucks oh yeah I didn't introduce myself I'm Dwayne I live in Chicago I've been doing developer advocacy stuff since 2016 been in devop space since 2014 in security for just about two years now and I love security space it's so much to learn I love you all um I co-host a repo uh a podcast called the security repo podcast we have everyone from Jason hadex Jason E Street and a lot of other people not named Jason uh come on and be guests uh you should check it out the
Link's there but just Google it we're the only thing called that um oh yeah very briefly I work for a company called GG Guardian uh we have stickers up here if you want stickers that's it uh up later very very sorry this is not your fault because you didn't ask for this but your esteemed track chairs both made outrageous speaker requests okay and I need just two minutes of your time if you don't mind to to deliver that to them uh so is Sicily here ah okay so you uh I know kind of first you just said no chicken in your speaker request uh this is not chicken so technically I'm require I'm fulfilling that request but I received
an unofficial request verbally afterwards that you could change that to be uh a cat named after you so I have here a Kitty a cat themed uh sort of uh Wan uh excuse me Wi-Fi uh War driving device that you can assemble and I have named this one seek lean after sisily man hold it up could you hold it up for her I can hold so some assembly required but there are instructions online I can help you find them if you need thank you very much okay and then you you sir I I want to read specifically from the text because you c i i i i was uh uh you wrote and I quote
surprise me I know how this works you cannot offend me okay so I think I'm absolved to whatever comes after this is that do you agree all right still friends no matter what still friends no matter what okay your speaker
request run [ __ ] run [Laughter] I won't make you put it on anyway did I succeed yeah okay undefeated all right I'm very sorry thank you for the time you again sorry okay I mean you all can literally just go watch this on the uh bside San Francisco so if you'd prefer that and go do whatever you're doing now sorry uh all right I love how I didn't get anything but another speaker did um just pointing that out just point that out for next year feedback it's critical all right the good news oh yeah yeah so this happened just for remind you if you haven't paying attention 5,000 Keys need to be rotate in bed a day uh oh yeah get
Guardian uh we do secret stuff that I'll come up later I'll explain it that we also do SCA uh Source composition analysis but or again that doesn't really come up here all right we know how attackers behave in fact we know how they behave so much that we wrote it down and we wrote it down in such a way that attackers read this and they know how to behave which is kind of a weird Paradox we live in it's like when the lapsis group not lap yeah when lapsis like some somebody said hey this is the lapsis Playbook guess what we just made a bunch of copycats that now know the lapsis Playbook so Vishing is only going to go
through the roof. Thanks, everybody doing security research and being very public about it, but also the security research out there... I'm sorry, dude, so this one's on you. So you put in a request, an outrageous request: please accept this talk. So we have, for the very first time in Security BSides history, accepted a talk purely because the speaker asked us to. Accept the talk... it was pretty outrageous. Now, this is the first and only presenter ever invited because of his outrageous speaker request. Hopefully the talk is decent, because we sure didn't read the abstract or anything. So actually that's all BS, it's a great talk, we just... there you go, there's your certificate. Oh, thank
you very much. I do actually appreciate that, that does make me feel better about... good hack. That loophole has been closed now, by the way. So, all right, I'm going to leave that there for pictures later; I'll pose with it, $5 a picture, I'll go on the Strip and do it there. Okay, point being, thank you, security researchers who do tell us this stuff. I love Sophos so much; I don't use any of their products, but I read the reports every time they publish anything. Last year there was an interesting fact that popped up across all these reports that said the number one root cause of all of our breaches
are credentials: exposed, leaked, stolen. That's for the first time ever that the majority... and that wasn't just Sophos that said that. IBM says this, the Verizon DBIR said that (actually Verizon said 49%, but close enough), CISA said it's 54. Interestingly enough, Sophos said 17% are because of vulnerabilities. Theoretically we're getting better at patching, or we're getting a lot worse at the credential thing. So attackers depend on multiple things in the MITRE framework, the ATT&CK framework, of your credentials working when they find them. If they find a bunch of garbage they can do a lot of things with that, but they're expecting them to work when they use them, otherwise why
would they try? So, told you to come back. I work for this company called GitGuardian, and for the first prize of the day (you didn't know there'd be prizes, but for the first prize of the day, which is a surprise): who knows how many secrets we discovered on GitHub public last year? And if you've ever read this report, please let other people guess. This is Price is Right rules, closest without going over wins; we can look up the exact number if we get down to that. Who knows how many secrets we found on GitHub public last year that were added just in the year 2023, just to GitHub public? And by
secret, I mean an API key, something that grants access to some other system. What? 10,000. 10,000. Another? 2 million. 2 million. 100 million. Other? 10 million. One. $1, Bob. 50,000. 50,000. 50,000. Million one. What? Million one. Million one. 475k. 475k. 42. 42, I love that answer, that's a perfect answer for a lot of things, but that wasn't it. I think 10 was the... I'm just going to cut it off there. 10 was the closest, because it was 12.77%. You win a... please pass that to her. You win an octopus that I crocheted on the plane out here. I like octopuses. Yeah, this is a shockingly disturbing number to me. Anyway, but the biggest problem is
this keeps going up, not down. In 2020, when they first published this report (which is a long story, another story I'll share with you over a drink; that's how I ended up working here, because of that report), we found 3 million, and then they found 6 million the next year, and then 10 million. That's not cumulative, that's just added per year. How we write this report is, we're one of the companies that looks at every single new commit and every new "is public" event that hits the API. It's 1 point... roughly one billion things, actions, last year that we ingested, and we look for secrets. We send out pro bono alerts
to all the committers, if it's a working email and if they're not on a ban list, to say hey, you did this, you should fix this, and we're trying to be good about it. We found in the research last year, when we started looking for validation repeatedly, that of the ones we could validate, out of the ones we did find that were valid, 90% of those were still valid 5 days after they had been leaked. We're talking millions. You can go read the full report to figure out the whole breakdown; it's free, no sign-up required, you can do it through an anonymous window and Tor or whatever.

So how did we get here? I ask myself this
a lot whenever I'm looking at a problem, like, why did we do this? Because I believe behind every good problem there's an engineer who had really good intentions. All you need to do is look at the UI on your phone and know that developer spent a lot of time thinking about how their life could be better if they didn't have to program it, and then that [ __ ] just went to a designer who messed it all up. But how did we get to the situation we're in today? I think it started here. We had these things called UNIVAC and these giant machines that spread across rooms, and literal bugs were literal bugs. And
how did we guard this? Well, the Navy was involved, thanks Grace Hopper, and we locked the door, we put a guard out front to shoot anybody that's trying to steal our secrets, and then they can't steal our paper punch cards that have all our data, and they can't mess with the hardware to sabotage us. It's literally the beginning of the warfare that we're still experiencing today. This is why there's no difference between the civilian and national security sector, in my opinion: because it's the same game, we've been playing it the whole time. Let's move forward in time a little bit to a more modern era. I just discovered this the other day, that Stephen Bourne,
who wrote sh, his password was "bourne". That blows my mind, that the father of my favorite interactive thing used his own last name for a password. Anyway, but okay, we need to lock the door still, can't mess with the hardware, because these are all stupid terminals that are connected to a mainframe somewhere or a big Unix box. But the main use case we're trying to solve is stop users from playing Zork on company time, because that's expensive, and sending emails from accounts, don't know, that was a big problem at Stanford in the early days, like you could just guess someone's super simple password and then hack your friends and have fun. And then The
Cuckoo's Egg happened and it kind of got very serious very fast. Raise your hand if you've never read The Cuckoo's Egg. That is your homework assignment from me; I have several, but that is your homework. Go read it, it's a fun read. Clifford's a great weirdo, but he's a great writer. And then jump forward to the modern era, quote unquote, and we got this thing where any server in the world can be any machine in the world, and it runs these things called websites, and we have applications now that run on the web that anyone can access. All you need is an address and a browser. So hey, TTL, or TLS, SSL, great idea, stops the person-in-
the-middle attack, or the attacker-in-the-middle attack. And passwords still work, right? Hey, that's how I get in, that's how I admin, still works. And then we get to this madness. Thanks, click it... I met these guys and told them I used them in the slide and they've never heard of me before, so I was very happy that I got to use their stuff. We get to this world of very complex interconnected systems, and what did we do? We threw passwords at it, but in the form of API keys and SSH keys and certificate authorities at best. Who works at a company that has a dedicated PKI team? Good, I'm guessing it's a Fortune
100. That's what the numbers, where CISOs say... This prevents unauthorized access to your machine resources, and this is good, this is what the goal is: to stop people from getting at your admin.

All right, next prize. Guess, according to current research, how outnumbered we are, humans to machine identities. Very quickly: a human identity is a human who has to do something to interact with the system; a machine identity is not a human, who needs to interact with another system to do something. That's the definition I'm using. All right, any guesses? How... what? Dead? What do you get? I can't understand what you're saying, sorry, the mask... I've never
heard of... no. All right, so I'm looking for a number, because this is for a prize. Million to one. Million to one. 100 to one. How much? 10 to one. 10 to one. 10. 10,000 to one. 50 to... 50 to 1. Who said 10 to one? Oh, go there. Okay, who said 10 to one first? You said it first? Yes. You won the other octopus that's much smaller, because I ran out of yarn. Pass that back to her, please. And the correct answer, if we believe my good friends at CyberArk (and I love CyberArk for a number of reasons, they'll come up later too), it's 45:1. I think it's actually 46:1
according to the next update, which means for every thousand people that you need to identify within your system there's 46,000 machine identities running around. And this is Kubernetes workloads, this is anything requesting a thing from another thing that's not a human. That's what that looks like, just to put it in blunt terms. This is the problem we're dealing with today. We've heard a lot in this PasswordsCon, and I love that we're talking about it, like how do we secure this person over here. I think there's some good paths there, I do, cracking aside, in all the ways you can mean that. This is the problem set, and I think what got us to where we are
today isn't the way forward. We can't just keep doing this over and over again, otherwise there's no future to look forward to; it's just pure hell we're walking into slowly. So what do we do? First, I think there's these two things. Eliminate all credentials where possible. For some things that's entirely possible; there's a way to do that through IAM rules, depending on your system, depending on how your setup is. I'm not telling you what they are, but there are ways to accomplish that. You can march down that path, but you'll always have the problem that eventually you need two systems to talk to each other that you can't just give a rule to. Think
Salesforce versus Google Cloud: yes, you have to interact with those things sometimes. When humans are involved there's these things called phishing-resistant MFA paths: YubiKey, biometrics, YubiKey plus biometrics, the most expensive of the YubiKeys, but they work awesome. I love my computer because it's an M2 that I could have a fingerprint on and it opens things, and with one pass I can do all sorts of crazy things with just my fingerprint. And the last one: if you do have to use credentials, let's rotate them very, very, very, very fast. I got quoted in CSO Online a few weeks ago on an off-handed comment I made to the reporter. It's like, humans hate changing
their passwords, but machines don't care, so we should be changing them a lot faster. He left off the last part, so it's just "machines don't care", and I'm like, okay. That's what I think, and this is my opinion from here on out on this point of view, and you're welcome to argue with me out in the hall, but I think we have a clear path for humans overall, and it's called MFA, it's called ID verification; the first talk of yesterday talked about that deeply. For machines it's a big old question mark sitting out there right now. So instead of going down and talking about all the question marks and the ways we can solve
this (I'll get to that later, I promise), I'm going to talk about what we do in the meantime, and that's the auto-rotation, because that's something achievable, that's something people grasp, that's something other people in this room have given talks about. Thank goodness other people are talking about this out loud. And I think it boils down to just do these two things: you just gather all your secrets into one secrets manager, and then you set an auto-rotation policy. And I realize that's like telling you how to fly: just don't fall down. I think... thanks to ChatGPT for making this really stupid weird image; the longer you look at it the weirder it gets, like, what
are those, birds? Are those... what is that? What is that? Anyway. So, word of caution before we go any further, because I've had somebody at another talk say, hey, I want to go do this, and that's like my full-time job now. I'm like, no, no, it shouldn't be. Don't boil the ocean with this. You're going to have to go a step at a time; in fact, I think you should go bird by bird. Again, if you've never read this book, read it. Nothing to do with our field, but oh, it's such a great book. If you're going to write a book about birds, how do you do it? You go bird by bird. It's that simple.
So you go secret by secret. So you've got to make a plan, and that plan is going to involve multiple things, and this is what I think you should be asking. The first is: who owns this approach? For the third prize, which is not hand-crocheted, I promise, it's something cool: who knows at what revenue level your average company has a full-time IAM person? Like, that is their job, is "we handle IAM for the corporation"... I'll use the word enterprise, not corporation: "for the enterprise, I have a dedicated full-time... I report straight to the CISO and this is what I do, we make IAM happen." What's the revenue line? 100 mil? What?
100 mil. 100 mil. Other guesses? Double Down. Double Down Saloon, that's not a number, but okay. 50. 50 mil. 40. With what? 1 million. Billion. One billion. What? That's the last one back there. 250 million. 250 million. I'm going to give it closest without going over. I don't have it on the slide, but this is research from RSA: it's $5 billion before a company's big enough. So I'm going to not throw this, because... I will come up and give this later. This is a frisbee, I'm going to hurt somebody, this is hard plastic, this will hurt somebody, so come up later, get that, it's yours. So you've got to have somebody that owns
the approach, and it can't... we can't wait till $5 billion. We have to get this now, we have to get a jump on it right now, but someone has to own this and spearhead this and be like, this is the thing, and be the voice in the desert saying this has got to get done, this is what we've got to do, we're going to shepherd this through, this is the vision, we're selling it, we're doing it, we're loving it. Could be your CISO, could be your CEO; I hope it's your CEO, I would love to meet that CEO, though. Second, you need to ask if your company, your organization, is mature enough to do this.
If you were two people that just started on a prototype last week, maybe not. If you are a team of 50 that have had a product out on the market for two years, you're late to the game, that's what I think. But I think there's a map for this; that's what I... the talk I gave last year, and that's what that link goes to, is that talk. Not that talk; the research is based on the Secrets Management Maturity Model, something we came up with at GitGuardian to try to evaluate how people are going from "all my secrets are just everywhere, willy-nilly" to "oh, this is how professional enterprises with 20, 30,000
developers deal with this day to day", and we help people figure out their place in that map. Will your devs go along with it? This is a question you have to ask, and if the answer is no, maybe you need another company, 'cause that's a culture thing, I don't know how to fix. This is DORA metrics 101 stuff; this is like, I don't know, I don't know that one. But there has to be a path for them, and I'll talk about the path I think is appropriate. And then you've got to ask: where are our secrets? The first rule of API security is knowing you have APIs. That's it, that's the first rule.
If you don't know how many APIs you have and how many endpoints you have, you'll never be able to secure it. All right, so this: make a plan. The only actionable one on this list I'm going to talk about is the last one, because that's assuming you got all the buy-in. Let's assume you figure out the path; we'll talk about three a little bit, but let's just figure out that we've got answers to that, we've got a path, we've got a vision.

First is we're going to gather all our secrets into one manager. This is an oversimplification, and the full extent of my artistic ability, explaining what a secrets manager is. A developer, instead of
writing their secrets to the specific thing they're writing, they write it to a secrets manager and then call that secrets manager programmatically from the thing they're writing. That's it. Whether it's to get data, whether it's, you know, whatever they're doing, but that's how it authenticates, that's how it does authN, authZ with it. Sorry, wrong way. So the basic needs for a secrets manager, in my opinion and the research in the industry right now, is: it encrypts data, encrypts your secrets at rest and in transit. Very important: if you can't do it over mTLS, don't do it. I guess you could do it, whatever you want to, but as
long as it's encrypted in transit. It's available across all environments; this is hard, this is one of the hardest things on this list. Three, centralized reporting, might be the most important one on this list: if you can't keep track of it, you don't really have a vault on your hands, you have a list that you lost track of. And it's got to be easy enough, again, for developers to say, oh, I can do that, that's pretty straightforward, in fact that's easier than what I've been doing. Good news: if you're all in on a cloud provider, like you are 100% AWS, there's a great solution for you, it's called AWS Secrets Manager. If you are 100% on
Azure, it's called Key Vault, which has great documentation, I'm going to give them credit where it's due. Secret Manager from Google Cloud, you're going to have your own experiences with, but it's still there, it's still good if you're 100% in it to win it, and this is all you do, this is your answer. If you're in multi-cloud, that's where HashiCorp Vault comes in, this is where CyberArk comes in; they make a thing called Conjur, among other things they make. Aus, I love those people. Doppler from Down Under, they're from Australia, they are a wonderful company to work with; if you see them, go up to their booth, they're great people, if you
are ever at an event with them there. So that's the secrets manager I'm talking about. So how do you use these, if you've never used a vault before? Has anybody in this room never touched a vault before? Okay, I can skip this part. You basically give a path to programmatically call something out of the vault; you put it in the vault programmatically, there's keys, I'm not going to explain all the encryption here, I don't have that much time. But you basically put a secret in it, you call it out programmatically, so instead of writing the hard-coded secret you write this and you pull the secret out; it loads it in the environment at runtime
and you're good to go. So which secrets do you put in? Again, we're going to go bird by bird; which do you focus on? New secrets are an obvious win: hey, we got a brand new project, great, greenfield is the best place to do anything. But in all reality we don't work in greenfields most of the time. So what's your crown jewels? What... what hits you the hardest if it goes down, where do you lose the most money? That's how I think of crown jewels. walmart.com's support portal for customer service can go down for several days and they'll be fine, but if their actual payment gateway goes down, then that's bad. That was a joke on
Walmart's part. Anyway, legacy secrets should go next, and then zombie secrets are last. What are zombie secrets, you ask? How many people know all the secrets that you have, have all the passwords for your entire company and for every system you've ever turned on? How many know how many systems are even running in your environment? Yeah, those are zombie secrets. So how do you find your secrets? You write an email to your whole company and you say, list all your passwords in plain text in an email. Obviously don't do that, that's stupid. So how do you actually do this? Well, there are tools for this. I work at one of the companies that founded this
industry and built this stuff, GitGuardian, but TruffleHog is open source, they are awesome, they also have an enterprise product. Gitleaks: the person who invented Gitleaks now works for TruffleHog, so is it still maintained? That's a question. But awesome products. Again, I'm never going to say anything bad about open source, because they're doing awesome stuff in the open source world. There's other companies like PingSafe, and there's other people that do this, but PingSafe is just the first one that came up on "who competes with these two". All right, so we scan and we find all the secrets, put them in one place. I'm not
going to sell you on the virtues of one approach or the other, but eventually they're in one place, a platform, a list somewhere. Okay, we got them all, we found them all.

Now this: set an auto-rotation policy. The script logic needs to work simply like this: you need to create a new secret for the one that's in play; test that new secret will actually work through some kind of method (that's optional but highly recommended); swap it in for the new secret; make sure that nothing broke; and then clean up from the... clean up. Basically blue/green deployment: hey, there's the blue one, green one's right here in case you've got to roll back. HashiCorp Vault has
this as a built-in button: we've got to roll back, bam, we're done. In fact, yesterday there was a whole talk about this exact thing that you can go find online right now that will talk way more about the details and the specifics of how to do this properly than I can possibly get into from this higher-level talk. So, perfect, thank you so much for giving this talk yesterday, Ken, and go ask him if you have specific questions about implementing HashiCorp Vault, not me. Set up for success. All right, so if you're all on a cloud provider this is actually really easy to do; in fact, where I got this list from was reading all the scripts from
AWS and how they do it. This is their formula, but all the formulas are the same, it's the same cake you're baking. Order of operation, where the testing goes, A, B, C, like whatever you're labeling them, that's going to vary, but again, if you're all in 100%, there's a path for you, it's pretty straight; in fact, they wrote it for you, you don't have to do anything, you just, like, go pull this, throw it in the right field and you're done. You've got to name some things, but obviously you're not 100% done, you're 80% done. Hooray. If you just want to go see how this works, again, all open source, you can just go
look at this all day and study how they did it. Multi-cloud is going to be a little bit rougher, because now you have to figure out if there's a way to update or request a new secret, or even interact with the secrets, from the APIs. For most systems, for most modern systems, there better be, and if there's not, you call them and say, you give me this or I'm going to your competitor that has it, because this is mandatory for the future. And then you have your vault system interact with that system. This is why I like CyberArk, because Conjur does this: they have a way, a path to call external APIs to trigger this. Circle
CI's looks like that, Slack's looks like that, doesn't matter how you call it; these are just trivial examples, the idea is the more important thing here. And then I think there's a world where we can tie all of this stuff together really well, and that is we use the secret detection tools we already have (and that's how we found them in the first place) to further automate the process. So, upon discovery (because you should be constantly scanning for secrets; it's not a one-and-done thing, it's not SAST where you're, "I'm scanning for vulnerabilities right now in this version and we're good because we won't add any more problems", right? No), this is every new time you touch the
code, we've got to re-make sure that no one put a plaintext secret here or did something that will expose a secret. So let's find any secrets, and then let's go check if they're in the vault; might be, hopefully they are. If they're not in the vault, let's put it in the vault. And here's the part that's a little bit tricky, but why I think it will work with the developer: so let's go ahead and change the code. Let's go ahead with scripting logic to say, if we're calling a password to this system, here's the exact call that would look like if we were calling it in Vault, and this is: go ahead and make
the PR. That's a lot of logic, that's a lot of steps, I oversimplified there, and I'm realizing now that should be three slides, but again, when you write your talk three minutes before you get on stage you forget things. And then eventually you rotate the secret. But this is possible; there's a great language called bash, based on this thing called sh, which a guy used his own last name as a password in, which is weird, but it still works. Bash is universal, it's true; Python works too, I guess, if you like Python. But if it's true that you found the secret and it's already in the vault, well, you still need to make the PR to replace that line of
code, but now all you've got to do is update the secret. You don't need to put it in the vault, you just, like, oh, this is probably already accounted for somewhere, let's just call it. Hooray, we rotate, we win. And if you're thinking right now, who on earth would do this? We did this, minus the auto-PR step, but again, that's scripting lines you need to modify based on your specific setup and needs, write yourself, but we've got the rest of the scripting and logic for you. It's called Brimstone, is the thing we ended up calling it; the actual GitHub repo, which is linked if you click that, is a really long name
that CyberArk came up with, but ultimately Brimstone was the name we all settled on. Brimstone, and I forget the name of the thing it's built on, but basically Brimstone's the last thing. Yeah, it does this: auto-find with us, communicate with CyberArk, a lot of steps in here, and right now you probably are thinking like I was thinking when I saw this. Oh, and there's a full demo of this; this is, again, this isn't vaporware, you can go do this right now, but you can also watch the videos of how we did this, and it's all open source. Like, Brimstone itself is open source, you can dig through and see exactly how the calls
are made and how we're accounting for the fact that we can't communicate, or shouldn't communicate, a plaintext secret over the wire between two systems. We've already thought of that, don't worry; this involves hashing and fingerprints and a lot of backflips. But if you're like me and you think, this is a whole new level of middleware I've got to run, wow, that's brittle, who's going to maintain that? I don't disagree with you. This is possible, though; this is currently where we go next, but it's not where we're going eventually. It's how SBOMs are a step in the right direction but they're not the final point. This is our next logical "I can't
possibly do the thing you're about to talk about next, but I can do this", and we can get here, and if we get here we can get there, I think. Because I think, instead of all this, and hear me out, PW KH... we just accept that credentials, the way we've been doing them, are a terrible way to approach machine identities, just fundamentally. We made a mistake 40 years ago, 30 years ago, when we started having two servers talk to each other and need to identify, that adding a password in the mix, especially a long-lived password that never rotates, was a terrible idea. So what do we do instead?

Welcome to the world of SPIFFE. I
love the cloud native security... Cloud Native Security Foundation, I love OpenSSF. I just spoke at Cloud Native SecurityCon like three weeks ago, or the very end of June, so wow, we're already in August, the very end of June, back in Seattle, and there's so much excitement and wonderful motion happening around this world. I'm going to dumb, oversimplify it, because again I'm almost out of time, but imagine a world where everything just gets a namespace that can be checked by a federated certificate authority system universally that says, yeah, you're you, here is a cert that lasts just as long as your request. Oh, you can't do an X.509 cert? Here's a JWT, not as good, but here it
works. Hey, you can have the request; as soon as the request is finished, bam, it vanishes, it never existed. Anybody finds it, it's useless; all you know is what certs look like and what a JWT looks like and when it expired, I guess. SPIFFE is Secure Production Identity Framework for Everyone, invented for Kubernetes by people that built Kubernetes and expanded out to the whole rest of the world. SPIRE is the implementation. So if we think of OAuth as the set of ideals that we should be chasing and why, it's not in a proper framework, you can think of OpenID Connect as the thing that you implemented. SPIRE is the thing you
implement. They're both open source ideas. I didn't put them on the slides, but there's companies doing this now as a service; ISO is one of the tons that jumps to mind, there's others, they're just the first one I'm going to name, for sake of time. Let's move on. Oh yeah, so this is what it basically does. Yeah, again, I'm just reading a website to you at this point, but the important thing is that you can have one central certificate authority that might go down, might be unreachable, or you federate this across everything and you sidecar this in the world, and this just becomes how we think about this. From a developer standpoint, this is one extra
line of code they need to throw in and never have to think about a password ever again. It just magically works. That's a promise that I've seen fulfilled on stage: I watched someone implement mTLS by hand, on a talk that's online from Cloud Native SecurityCon, implement mTLS by hand over the course of about 10 minutes, painfully, and account for it on all the clients, and then she did this and three lines of code later, magically, mTLS for every communication. There is a much, much, much better talk than what I just gave about it from Cloud Native SecurityCon this year; that's the link to it, highly recommend you watch it. This is the most
entertaining talk I've seen in years, about the story of Crush and how he identified, and how we talked to the Postgres squid, and like, they used an under-the-sea whole thing. It's beautiful, but it explains the concept brilliantly. In the future... the problem I think with it, and this isn't really a criticism, is that they live 3 years to 5 years in the future, the people building this, they kind of do. I love them, and they're going the right direction, and they're telling us where we can go next, but I don't know a lot of companies that can jump to this right now. Small companies, new projects, absolutely, this instead of building the other thing I
talked about. You're an enterprise? This is where you're eventually going to be headed: certs for everything, PKI everywhere, IAM run by a team that's not security, 'cause it's IAM.

So, in conclusion, this is where I want to be at 3:00 in the morning: I want to sleep there, I want to be not worried about someone breaking into my stuff, or that a password got stolen, or that someone got in because of a password. All we've got to do is gather all your secrets into one place and set an auto-rotation policy. It's all we've got to do. I know, that's all we've got to do. That's all we've got to do. I know, it's like
saying just don't fall down, just don't fall down. But we can do this if we don't try to boil an ocean; we can just do it bird by bird, and think, how am I going to deal with this secret and make sure this one doesn't leak. And if you only do one secret a week, that's 52 secrets you do in a whole year, maybe 50 with vacations. That is so much better than where we are going right now. It doesn't keep up with it, so hopefully you'll go a lot faster once you figure out how to automate things, but start small, and it leads to very large things eventually. This is where I think
we're going, but we can't jump here, I think, for the most part, because of the way enterprises work today and the fact that not all services agree on this, and not all services, not all cloud providers agree on this. But Conjur and CyberArk Vault and HashiCorp Vault both do; you can use that as a springboard to get here. I left that part out earlier, sorry, I got a little out of order. Anyway, I'm Dwayne, I live in Cho... check out the Security Repo podcast, we have all sorts of great guests. And if you weren't... I love karaoke, I did karaoke last night; if anybody wants to do karaoke tonight, we'll make it happen. And with that,
yeah, I'll open up for any questions, and that's where you can get the slides.
Questions?

I'm sitting here going back over 20 years of domain administration and going, okay, that's nice in the sense of getting to one, but realistically, when you're talking about passwords for everything from routers to switches to laptops to LAPS, all the domain admin crap that you need to deal with and the legacy crap that's still in all of our environments, how do you handle that? Do you go to one, or do you go to two or three? What's the theory on that?

One, two, three, what, meaning?

Like, if I stand up and... okay, here's my experience: new organizations, startups, born into the cloud, OpSec from the beginning, totally perfect, 100%. Organizations that have been around for more than 20 years have a legacy AD architecture that may be halfway split into Azure AD, but you've still got... think of what happened with CrowdStrike. The local password was the issue for people being able to get into that machine, and you use something like LAPS to constantly rotate that, but that's not centralized into Azure AD or the secrets manager within the cloud. It's actually still a one-off credential that is out there. So I can use one for my cloud environment, but for the rest of this, how do we handle that?

Well, that's where enterprise vaults really come in, and something that somebody at CyberArk, I forget his name, Evan, I can't remember his last name, at CyberArk said in an interview I did once: "I'm not telling everybody to put everything in CyberArk and we are the be-all and end-all, but you can coordinate through us to have a view into everything." And if you can get to there, where you know about everything and everything is centrally accounted for, that should be where we're marching to next. That's why that's first: let's figure out what we have. So it's hard. One of the problems with SPIFFE right now, and SPIRE the way it exists right now, is that Postgres can't account for it. You can give it a JWT, but that's janky at best, and it's Postgres we're talking about, like, how much of the internet is Postgres right now? So this isn't a solvable problem where I have a simple pat solution for you, unfortunately, but those are the conversations that are driving right now and that we're trying to solve. I'm not trying to solve them, but the people that are building the stuff are trying to solve it. There's not a great answer for that other than: if your vault systems can't account for on-prem, cloud and all your endpoint devices, you need to have a conversation with somebody that builds vaults like that; HashiCorp would love to have that conversation with you. I'm on the other end of it: I'll help you find your secrets wherever they are. You got a log? I can find it.

Any more questions for Dwayne? Sir.

So I'm going to ask you a question that we had to deal with on our side, right, as evangelists of this, and I have a solution that I don't know how well I like, so I'm curious what yours is. Once you collect all of your secrets, right, you're going to find some stuff that is just for crap applications that never thought anyone would ever want to rotate it using an API, right? So the only way for you to get in and change it is to log in as a human, do a two-factor push, click through five shiny UIs, and eventually you press a button that regenerates something and you've got to copy that out. How do you deal with that, or credentials of that type that are just not suited to automation, when collecting them in a vault and trying to rotate them?

I wish there was a good answer to that other than business case. If it's a crappy service that's not being used, or being used in one place, that's a bad business case for using a tool. If there is a clear cloud provider solution that is modern, that you can hit with an API endpoint and do everything you need to do, that is comparable in price, what's the refactor cost? At some point, and this is the truth, every business needs to roll the dice and say: if somebody took this over we would lose $5, I'm okay with that. If someone breaks in and steals our crown jewels, our company goes away and we all lose our jobs. Those are the very end extremes. The other example I like to use on the low end is a picture folder full of cat photos. Sure, I want everyone on the internet to see that, I don't care what the password is, I don't care if I can rotate the credential, I don't care. And that's it: you have to care, and I don't know what your business cares about, so that's why it's a hard question to answer. But you're describing a world with ClickOps, and we've got to get away from ClickOps, but that's a whole other discussion. In DevOps, ClickOps is dead; it died years ago, it just keeps lingering, and the Microsoft community keeps it alive.

Okay, question? No? No questions? One last one, one last one. Out of time? Yep.

And I'm sorry, it's not a question, it's more of a Jeopardy answer. Clifford Stoll, the author of The Cuckoo's Egg, now runs this topological business out of San Francisco, Klein flasks.

I didn't even get to do... oh, I'm sorry, I broke it for you. Oh yeah, Clifford Stoll, out-of-work astronomer who got a job and tried to track down 75 cents in discrepancy at a time when it was $300 an hour to rent the machines. It's an amazing book, an amazing book. His current business is selling Klein flasks; he has the largest collection of Klein flasks in the world. They're one-sided objects, they're amazing. It's like aens, yeah. I've never bought one. I'm going to buy one today, I'm buying one today.

I brought... oh my god.

Oh, I want to see this. I can probably find it online, but I'm going to support Clifford Stoll other than just reading his book. It's freaking amazing. And also, if you're like "I do not want to read a whole book": one, read the book, but two, there is a Nova special from 1990 starring Clifford Stoll called The KGB, the Computer, and Me. It's free on YouTube, and it's all the people, the actors, like every actor is actually the real person they could get from the real world that experienced this. Everybody that's in the book got to be in the Nova documentary, so you're, like, getting to watch real history unfold. It's amazing.

And do you also know that in Germany they made a movie about that thing, seen from the hacker's perspective? They make movies outside of the US, that does exist.

Yep, I'm an American. Ever heard the phrase "torrent"? You might be able to find it.

Pirate Bay shut down, man.

I say that on YouTube, oh [__]. Okay, yeah, well, okay, so anyway, thank you so much.

Yep, enjoy the rest of your BSides. [Applause] And the last talk for...
...he's a friend, he's a former colleague of mine, and he's also a co-conspirator in crime, maybe. We have been doing a couple of projects together and he's just a freaking amazing pentester, and I'm looking forward to his talk. So, no pressure, John, and take it away. Please welcome him with another round of applause. [Applause]

Thank you, thank you. Let me... maybe I need to get a little bit closer. Welcome to my talk. I'm glad and surprised so many showed up, especially since the last one on this track. This is my first talk in the US, my first talk in English, so please bear with me. This talk is named "All Your Badge Belong to Us", and my name is John Andre Bori. I'm Norwegian, working as a penetration tester for a Norwegian company called Netsecurity. I'm originally educated as an electronic engineer with specialization in wireless systems and telecommunication, but it's much more fun to break stuff than to build stuff; therefore I do penetration testing instead of engineering. I've been doing penetration testing for 16 years, focusing on everything from internal testing, web apps, physical testing, social engineering and so on. Small disclaimer: most of the stuff in this presentation is not new, most of it is already known, but it's so stupid, and everyone should know; therefore I'm giving this talk. Nothing of what I say represents my company; these are my meanings and feelings.

PACS: does anyone know what that acronym stands for? No one? Physical access control system. Most of you, I hope, have seen readers like this and have cards like this; if you haven't seen anything like this before, you should come out from the rock you're hiding under. I made this sketch to try to explain how an access control system is built. Starting on the right, for you, you have the token, the badge, which communicates with a reader either on HF, 13.56 MHz, or on 125 kHz LF. When you hold your card against the reader, there is an RF signal charging a capacitor in the token, acting like a battery, giving power to the microcontroller, which in turn makes the communication between the reader and the token possible. The reader communicates, either wireless or wired, through protocols like Wiegand or OSDP to a controller. The controller has the entire user database, and the controller is the one doing the authentication. The controller also communicates with the door and opens the door if the token is valid. The controller talks to a server which has the user interface, the user database and the configuration. The server also in many cases acts like a client; it's where the software is installed and all the users are added to the system. In many cases this is a standalone system, not connected to the local network; it's not connected to anything in many cases, except maybe the internet, because the vendor needs to have access via TeamViewer to do configuration. In some other cases you might have the same over here, but with the server you have several clients with the application running on them, and the server and the clients might be joined to a domain. So if an adversary is able to compromise the domain, he has also compromised the entire access control system, which I have done in several penetration tests: we were able to dump the entire database and create our own cards.

I mentioned earlier that you have HF and LF tokens, high frequency and low frequency, so I made this slide trying to explain the different technologies used and also saying which of the tokens are possible to clone easily and which are considered secure. MIFARE Classic, I guess many of you have heard about MIFARE Classic tokens and MIFARE Classic cards; NTAG, HID iCLASS, iCLASS Elite are really easy to copy, to clone. MIFARE Ultralight and MIFARE DESFire EV1 are also considered possible to clone, but it's a bit harder, and the green ones, DESFire EV2 and EV3, are considered quite secure. EV3 is what is recommended if you're going to have a MIFARE Classic... a MIFARE installation. And the low frequency cards, you have like HID Prox, EM, AWID, Indala, ioProx, EM-Marin, Viking and a bunch of others; they have no security. There are a few exceptions: someone has tried to make some password thing there, but no one is using it. So if you have any LF cards, it's really easy to clone them.

MIFARE Classic, a little bit more detail on them. And Per, you asked us to have some kittens if there are some slides with just information someone might know, so I included some ChatGPT-generated kittens. The MIFARE Classic is an invention from the mid 90s, so it's not so old; well, maybe it's getting old, but yeah. It was originally Philips, the Dutch company, who made MIFARE Classic. MIFARE was later moved over to a company called NXP Semiconductors in 2006. It was a proprietary encryption, so it should be really secure, or maybe not. In 2007, 2008, Karsten Nohl, a really famous security researcher from the Netherlands, together with some other people, was able to crack the MIFARE Classic algorithm. In 2011 there was an update with backward compatibility; that was cracked in 2015. In 2015 NXP also recommended that no one should use MIFARE Classic afterwards. The picture you can see here I took during a penetration test last year, and that was a system installed in G last year using MIFARE Classic, which was recommended in 2015 never to be used anymore. So you should use more secure cards like, for example, DESFire EV3, and this installation also uses only the UID on the card, which I will come back to later.

More details on the MIFARE Classic. The data on those cards is divided into 16 sectors; there are four blocks in each sector, and the first block of the first sector has the UID and some other information hardcoded, so it's not possible to change the UID on a regular card. And all sectors have their own encryption keys, two keys, one A and one B key; both of them are 6 bytes long. If one of these keys is known, there are some attacks called nested and hardnested attack which make it possible to get all the other keys on the card, and on many, many, many systems there is at least one default key, which in many cases is FFFFFFFFFFFF, which is a default encryption key. So if, for example, only one sector is used and it's password protected, but all the other sectors have the default FF key, it is possible using the nested or hardnested attack to crack it. Default keys: no one uses default keys or default passwords anymore. Per? Nobody? No, absolutely nobody. Yeah, that's good to hear.

In 2014 I worked for a company in Norway. I got my access card to the office. I had a reader, an ACR122, if anyone has a reader like that, really good reader. I cracked the keys on my card because I was curious; I hadn't done any work with RFID before, so I just wanted to try it out. Cracked the keys, put those keys into my Android phone with the app MIFARE Classic Tool, just to show my colleagues how easy it is to copy the cards, and maybe we should talk to the people who own the building and maybe make them change the system or something. But a couple of weeks later I was doing an internal penetration test for a customer of mine, and during lunch I saw that he had this card hanging around his neck, and we started to talk about access control, and I was just curious: can I just try to read your card to see what kind of technology is used? And to my surprise I was able to dump his card, and I didn't understand why until I saw that I had accidentally chosen the dictionary with the keys from where I worked. So it turned out that I was able to dump his card, from a totally different company, a totally different building, using the keys from my office. So I started to do some research.
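The key problem the speaker runs into here (factory-default sector keys on MIFARE Classic, and one vendor's custom key turning up on a card from an unrelated site) can be checked from a key dump without attacking anything. The Python below is an added example for this talk, not code from the speaker or any vendor: the per-sector keys for the two "sites" are constructed sample data, and the list of well-known default keys is the public set that ships in common reader key dictionaries (the FFFFFFFFFFFF key from the talk among them). It also flags keys that decode to printable ASCII, since a key that spells a word is a sign someone typed it by hand and reused it.

```python
"""Audit MIFARE Classic sector keys for well-known defaults and shared vendor keys.

Added example for this talk, not code from the speaker or any vendor.
The two "site" dumps below are constructed sample data.
"""
import string

# Publicly documented default keys shipped in common reader key dictionaries.
# FFFFFFFFFFFF is the factory default the talk mentions.
WELL_KNOWN_DEFAULT_KEYS = {
    "FFFFFFFFFFFF", "000000000000",
    "A0A1A2A3A4A5", "B0B1B2B3B4B5", "C0C1C2C3C4C5", "D0D1D2D3D4D5",
    "D3F7D3F7D3F7", "AABBCCDDEEFF", "4D3A99C351DD", "1A982C7E459A",
}

SECTORS_1K = 16  # a MIFARE Classic 1K card has 16 sectors, each with a key A and a key B


def normalize_key(key_hex: str) -> str:
    """Return the key as 12 upper-case hex digits, rejecting anything that is not 6 bytes."""
    key = key_hex.replace(" ", "").upper()
    if len(key) != 12 or any(c not in string.hexdigits for c in key):
        raise ValueError(f"MIFARE Classic keys are 6 bytes (12 hex digits), got {key_hex!r}")
    return key


def decodes_as_printable_ascii(key_hex: str) -> bool:
    """True when every key byte is a printable ASCII character (the 'vendor name as key' case)."""
    return all(0x21 <= b <= 0x7E for b in bytes.fromhex(normalize_key(key_hex)))


def audit_card(sector_keys: dict[int, tuple[str, str]]) -> list[dict]:
    """Flag every sector slot that uses a well-known default key or a human-readable key."""
    findings = []
    for sector, (key_a, key_b) in sorted(sector_keys.items()):
        for slot, key in (("A", key_a), ("B", key_b)):
            key = normalize_key(key)
            if key in WELL_KNOWN_DEFAULT_KEYS:
                findings.append({"sector": sector, "slot": slot, "key": key,
                                 "issue": "well-known default key"})
            elif decodes_as_printable_ascii(key):
                text = bytes.fromhex(key).decode("ascii")
                findings.append({"sector": sector, "slot": slot, "key": key,
                                 "issue": f"printable ASCII key {text!r}, likely chosen by a human"})
    return findings


def card_is_recoverable(sector_keys) -> bool:
    """One known key on any sector is enough for the nested/hardnested attacks the talk
    describes, so a single default key anywhere means the whole card's keys are exposed."""
    return any(f["issue"] == "well-known default key" for f in audit_card(sector_keys))


def shared_non_default_keys(site_a, site_b) -> set[str]:
    """Custom keys that appear at both sites: one site's key material opens the other's cards."""
    def custom_keys(card):
        return {normalize_key(k) for pair in card.values() for k in pair} - WELL_KNOWN_DEFAULT_KEYS
    return custom_keys(site_a) & custom_keys(site_b)


def sample_card(custom: dict[int, tuple[str, str]]) -> dict[int, tuple[str, str]]:
    """Constructed 1K card: every sector at the factory default unless overridden."""
    card = {s: ("FFFFFFFFFFFF", "FFFFFFFFFFFF") for s in range(SECTORS_1K)}
    card.update(custom)
    return card


# Constructed sample data: one application sector keyed with a vendor-style key
# ("Vendor" in ASCII), all other sectors left at the factory default.
SITE_A = sample_card({1: ("56656E646F72", "3E4C1A9B7D02")})
# A second, unrelated site from the same vendor, reusing the same sector-1 keys.
SITE_B = sample_card({1: ("56656E646F72", "3E4C1A9B7D02"), 2: ("A0A1A2A3A4A5", "9F1C22B7E4D0")})
# A card where every sector got its own non-default, non-readable key.
HARDENED = {s: (f"0A{s:02X}2C3D4E5F", f"0B{s:02X}2C3D4E5F") for s in range(SECTORS_1K)}

if __name__ == "__main__":
    for name, card in (("site A", SITE_A), ("site B", SITE_B), ("hardened", HARDENED)):
        print(f"{name}: recoverable={card_is_recoverable(card)}")
        for f in audit_card(card):
            print(f"  sector {f['sector']:2d} key {f['slot']}: {f['issue']}")
    print("keys shared between site A and site B:", shared_non_default_keys(SITE_A, SITE_B))
```

Run against a real dump, the two questions to ask are the ones the talk raises: does any slot still hold a default (if so, treat every sector as readable), and do custom keys repeat across installations you are responsible for (if so, they are effectively shared defaults and belong in a per-site key store, not in the reader firmware).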
I talked to people I knew, found some people who had the same access control system, we tried to dump those cards too, and we found out that all cards were using the same keys; all the systems had the same A and B key. And I talked to the vendor, and they said, yeah, they use the default keys for all installations, it's easy, and the system came hardcoded with them, and it was impossible to keep control of different keys for all their customers; therefore they use the default keys. And now, in 2024, I still see these keys used on new systems, and the funny thing is that if you take that key and decode it as ASCII, it is the name of the vendor. What's the vendor's name? Will this be on YouTube? Actually, I had the name of the vendor here, but when I realized that this was going on YouTube I removed it. Yeah, but here I have a vendor; the only reason I have the vendor here is that this is a screenshot taken from the Proxmark default dictionary. Salto is a company who makes access control systems, of course, and it's used both in offices, in hotels and all over, and they actually have two different systems, for hotels and for regular office buildings, but they use the same keys on everything. So if you stay at a hotel having a system from Salto, you can take the keys from that system and you can use the same keys at the office building. And it's only... this is the A key and that's the B key, found in the default dictionary, so it's really easy to dump. And in Norway, at least, I've seen this; it might be one of the most used access control systems. And the interesting thing is that when the customer buys an access control system, it gets the documentation; the encryption keys are not mentioned in the documentation, and it is for sure not mentioned that it is default keys that are used. So it should be easy to change these keys. As I said earlier, the vendor said, like, how should we store the different keys for all customers? It's not possible for them, apparently, but there exist some databases for secure storage, password managers; you could have used something as simple as Bitwarden for saving the keys for different companies. Yeah, you should never use default keys, and you should never use the same keys on other customers.

Two weeks ago, approximately, on the 25th of June... July, Per sent me this article in Ars Technica about default keys, and it was an article about Secure Boot using default keys on many, many, many models from the large vendors of laptops and computers like Lenovo, HP, Dell and so on. And in this article the guy who was interviewed tried to make a metaphor and compare Secure Boot to a door lock system, to make it more understandable, I guess, but that quote actually fits quite well with what I'm describing in this presentation: "Imagine all the people in an apartment building have the same front door lock and key. If anyone loses the key, it could be a problem for the entire building. But what if things are even worse, and other buildings have the same lock and keys?" That's what we have when we have these default keys and the same keys used all over for the access control systems.

So, story time. As I said, I'm doing penetration testing, I'm doing a lot of physical penetration testing, so here's a story about one physical pentest I did a while back for a large power company in Scandinavia. It was a physical penetration test, and the goal was getting physical access to the headquarters, to prove that we could access the network, show access to sensitive areas and place a dummy bomb in a central location. So everything from proving that we had network access to showing that we could blow up the building. We'll skip all the recon and the social engineering part, but basically we were able to tailgate into a temporary office building next to the headquarters; it was some barracks that were temporarily installed there. We found two access cards just lying around on a desk, very shiny and new, and it turned out that they didn't work because the employees hadn't started yet. When we tested the cards in front of some readers they only blinked red, so they didn't have access. But we found out that these cards were using MIFARE Classic EV1, and several of the sectors had the encryption key FFFFFF..., never mind how many Fs, which is a default key, as mentioned before. Using the nested attack we were able to crack all the other keys. It turned out there was one sector on the card that had data; the data looked like this. It turns out this is ASCII; we decoded it as ASCII and we got this string for one card and this string for another card. Well, we didn't get the X's and the Y's, though: the X's turned out to be the site ID and the Y's turned out to be the user ID, and at the end you had a checksum, and in the beginning you have some sort of ID. We'll not say much more about that ID; it might be possible to know the vendor from that string, so don't Google it. And you have this semicolon, which is interesting, because on old magnetic cards, or magnetic stripe cards, the semicolon was used to divide the fields; it was a separator. So it looks like this MIFARE Classic card is actually emulating a magnetic card, which was interesting, and this was a rather old system, but it's still used in a lot of places. I've seen those readers many, many places; they had both old readers and new readers for backward compatibility. Yeah, as mentioned, this was the data: this is some ID, the X's are the site ID, the Y's the user ID, and the Z's at the end are the checksum. So, just, what happens if we take those user IDs and try to increment them and decrement them and see, do we get any other valid cards? So we tried to change the ID to something else, swiped the card, didn't work. Then we started to think: what if we actually have a valid ID but the CRC or checksum thingy at the end is not valid? So we tried to find a method to calculate the CRC. A colleague of mine was sitting with that, just hammering away with CyberChef and different methods, trying to find that CRC, but I didn't have the patience; it shouldn't be that difficult, we can't sit here all day in the car trying to find what CRC method is used. So I'm a big fan of KISS, like keep it simple, stupid. So the difference between those two cards that we had was only half a byte, so I changed the ID, started the checksum at zero and incremented; on the second try I got a green light on the reader. The card was valid, but I was asked for a PIN. So we used some hours on this, we were able to make valid cards, but that company used PIN all day, which not many use. But so this is valuable information if we are able... if you're doing a test for a customer having the same system which does not use PIN. So instead of copying the card and walking in with that, we just tailgated in instead and got access to some very critical areas in that building, but it was a very interesting case and we learned a lot from it.

So a little bit more about MIFARE Classic and MIFARE... whoa, time. In the EU there's a lot of ASSA Abloy VingCard cards; that's MIFARE Ultralight. If you have the old firmware on the readers there is no password, you can just dump the card using, for example, a Flipper, Flipper Zero, which everyone knows what is, I guess. If you have new firmware on the readers there's a password, so you have to dump the parts of the card that you can dump without the password, then you have to go to the reader to get the password, and then you can dump the rest. We also have some MIFARE Classic, as mentioned before, with the Salto. But here in the US this summer I had a road trip from New York to LA; I stayed at nine hotels across the US. All had MIFARE Classic, and out of those nine, eight of them I was able to crack and dump the cards using my Flipper or my Proxmark with the default dictionaries and then the nested attack. So, just in case someone hasn't seen a hotel card being copied with a Flipper, everyone has seen that on YouTube now, I guess, but just in case: this is my hotel here in Vegas. Now just take two seconds to copy the card, emulate it on the door, and I'm in. But that's another video. But as I said, I'm doing a lot of physical testing, and I'm very eager to do other things than copying the cards, because it's much easier to just attack the doors physically in many cases, like for example this; that's a hotel in Norway. So why bother with all the technology when you can just use a simple shim to open the door?

Encrypted data. I mentioned earlier that some systems only use the UID. When only the UID is used there is no encrypted data, both on MIFARE Classic and MIFARE DESFire and of course the LF cards. The UID can be sniffed super fast, and you can use equipment with larger antennas so you can read it from, like, a meter, maybe more if you have some really specialized equipment. There's a large number of vendors and a large number of installations that have only the UID, and there's a lot of vendors that support everything else: it supports encrypted data, it supports DESFire, it supports a lot of secure technologies, but they only use the UID. And I think the reason for that is that it's easy to configure for them: they don't have to manage those keys, they just use the UID. And this is a screenshot from the application of a large vendor of access control systems used a lot in Scandinavia, and as you can see, these are the default types of cards that you can use; none here mentions encrypted sectors. Here we have CSN, card serial number; HID Prox, that's only the ID; 125 kHz card; Prox digits; EM, only UID; DESFire CSN, yeah. And most installations I see from this vendor have only the UID. I will not say the name, but ask me afterwards.

One more story. This was a large international research organization. Again we had a physical penetration test, and the goal was to get in and get access to most areas. We went in at the end of the day when someone was going out; we just went in and started to check all the available spaces in the building, and we found, actually, we found the janitor's office unlocked in a hallway that we were able to access. In that office we found a locked cabinet. When we looked at the cabinet, it was locked; we turned around, we found a box with a lot of old keys and old locks, started to dig around in that, and we found the key for the cabinet. Within the cabinet there was a shitload of keys and cards, including ID cards for security personnel, but the most interesting card that we found was the card for the son of the janitor, because apparently he had some summer job or something there. So we copied that card, together with some other ones, started to go around the building, but yeah, they need a PIN at night, so we were not able to get into any areas. But we came back the day after. We were two; I only had one card with me, one blank card, so I copied the data onto that card, gave it to my colleague, he went in, but after he had been in for a while I was getting restless in my car, sitting outside. I wanted to go in too; it was boring just to sit there. This was in the middle of winter in Norway and it was cold. So I just took my Flipper, emulating the card, walking by the security guard, almost like this on the picture here, with my Flipper in hand. I'm sure the guard had seen it, but he didn't react, and I was in.

But why, why is so much crap still used? Can anyone answer that? Yep, yep, it's cheap. There exist billions of badges already, and the vendors are lazy: why should they learn anything new when they can just earn the same amount of money, or even more, doing what they have done for a lot of years? And in many cases I think that the security requirements are not specified well enough in the request for proposal; there's much focus on the price, and the customers, they trust the sellers, stupid as they are; they trust the salesperson who says that this is a secure system. I once asked an installation company why they still use these cards, why do you still use these old protocols, why do you still use only the UID, and his answer was: we just install it and make it work, we don't know anything about the protocols. That was kind of scary.

So, can you upgrade an access control system? If it's old enough, you have to replace all the readers, the controller, the server, everything. It will be really expensive, maybe like 100K, several hundred K, depending on the size of the company, of course. If it's relatively new, the hardware in many cases supports new technologies, but as I mentioned before, the people installing it, they use the old technologies because that's what they know. If it's relatively new it is possible to only replace the badges, or recode the badges, and do some configuration changes on the system. The badges are often quite expensive; they shouldn't be, because they're really cheap to produce, but the providers take a lot for them anyway. I found a video on YouTube from HID, the large American manufacturer of access control systems, showing how they could reprogram, like how they could upgrade the firmware on a reader. So, I think in this process they had five different cards containing the firmware for the reader, and had to set the reader in a special upgrade mode, and it took like five minutes to upgrade one reader: place one card on the reader, reboot the reader, when it starts to blink the correct sequence of colors replace it, put in a new card. It's like you're installing a game with floppies in '95. So five minutes plus for one reader. It actually is possible to upgrade some of the readers using a mobile app, but it also takes many minutes. So if you have a large installation with, like, several hundred readers, it will take a lot of time to upgrade the software, but it's a fun little clip; just Google "HID reader upgrade" or something. So the cards are in many cases very easy to clone, so use PIN all day in all places; that's the point from all the slides I had before.

Roles. In most cases, not all cards have the same access, of course. How can that be misused? For example, in many cases you have a master card, a card that has access to everything; for example the janitor has cards like that in many places. And some places I've seen that... you have seen key boxes like this, I guess. How easy is it to open a box like this? Has anyone tried? I was able to teach my daughter in 5 minutes; she was 11 years old, and she used five minutes to learn how to open boxes like this. And inside these boxes you can find access cards with the master role, without PIN, because in an emergency you don't want to use the PIN, because it takes more time. So that's kind of scary. And guest cards: they can be upgraded in many cases. For example, if you remember back when I was talking about this, going from an invalid to a valid card, we just changed the ID. So if you have a guest card you can try to increment or decrement from the ID on the card and maybe get more access than you should. So cards in the same number range here have more access.

And what about PIN codes? What do you think is the most used PIN code in this place? One? What digit is that? What about that? Yeah, 2580. We were doing another penetration test, a physical test, and I saw this outside, took a photo of it, thought it was kind of funny, and later we were able to get inside, getting some cards from some drawers in there, and we tried those cards on some internal doors and were asked for a PIN, and like, hmm, what can the PIN be? And I remembered this, and 2580, yeah, it turned out that was the PIN code on all the cards for every employee at that facility. More about PIN codes. One large vendor: I asked them, how do you store your PIN codes in the database? They were encrypted, but they wouldn't say how; they were not allowed to say how. This is a dump from the database; this is the encrypted, the encoded, or something, they're obscured in some way, so if anyone wants to try to help find out how these are obscured, please shout out. There's another system where, when you do an export of the entire database, the PIN code is in clear text. PIN in clear text. Another large vendor, another one; here I actually mentioned the name. This was during a penetration test; we were able to compromise the database server on this access control system because I found the server, it had Lenel in its name, and I found... actually, a couple of weeks before, I had read the technical manual for that exact system, just at random, and remembered, hmm, there's a default password here. Now I found that manual again, and then, just, they can't be using the same default password everywhere, but I just wanted to try with the password "security", with a one instead of i and a hash at the end, and I was able to get SYSTEM on that box, because of course the database was running as SYSTEM. Starting to browse around the system, dumping the database, I found out that the PIN code was actually encrypted in the database, but on another part of the disk we found an export, a CSV file, with all the card numbers, the names, the role, the PIN codes in clear text and everything. So we could just... and they only use the UID, of course, which was in that CSV file, so we can just create our own cards and we had the PIN code for everyone. So here, I tried... you want to see so much here; I tried to anonymize it, I scrambled most of it, but it's the PIN code at the end. The dump was, how much did I say, four or 5,000 users.

Replay attacks. Has anyone heard anything about replay attacks on access control systems? So, if you remember the sketch I had, the cards at the right, the next step was the controller, and between the reader and the controller there are some protocols called Wiegand and OSDP and so on; many of those are possible to replay. Wiegand, you have some that even use RS-232 or some other serial protocols, OSDP. The reader communicates with the controller and the controller opens the door if the card is valid, as I mentioned earlier. But what if you're able to connect something here, and when the card is swiped you're able to record that data, and afterwards you can replay it, because these are not encrypted? But how do you get access to that cable? Here are some card readers that I've seen on some tests. This is one from Solid Card or ASO, and on the bottom you have this tubular key. Is anyone into lock picking? Is it hard to open locks like this? It's possible to open them with just a piece of paper or a Bic pen, and this one is even easier, you can just screw it open with a Phillips screwdriver. When inside there, in many cases, there is a tamper switch, but we have removed several of these; I've opened many of these, but never gotten any alarm for some reason. And in some cases you don't even need to open the reader, don't need to trigger a tamper switch, because the cables are available in other places. ESPKey, anyone heard about that? That's a device based on ESP32 which you can connect and do the replay attack. Red Team Tools, by Deviant Ollam and Babak, guys you might know from Defcon, they sell this at their store. It is also open source, so it is possible to build it yourself; it's quite complicated, but you can. Just a short demo, see if this works. I made a kit to try to show how it's done. So then I swiped an invalid card, it was red, then a valid card, and then you can connect to that ESPKey with your phone and you can replay, and as you can
see lights up green um so if anyone wants to build that kit like the ones shown in the movie on the video um I put it up on GitHub the schematics for it but I think that the ESP key is really good but it's expensive it cost $79 and it's very complicated to make yourself even if you have access to the schematics uh and also it uses um to connect to it you video phone U it has an AP access point so you can connect to it via Wi-Fi but if you use for example an iPhone connect to it via Wi-Fi the phone often get screwed up because it doesn't have internet access and it got
confused because it's connected to a Wi-Fi but doesn't have internet access so I didn't like that so I just I made my own project just to simplify everything um this is the entire schematics it has code name Blas Key by the moment at the moment because it's instead of Wi-Fi it connects via Bluetooth low energy and it has really uh few parts just one esp32 dcdc converter couple of resistors a couple of transistors and a prototype board and you can build it um if anyone wants to help me finish the code please shout out shout out the hardware design is finished but uh the code need some tuning I'm no coder at the moment it looks like
this um if you want to do some re research on RFID and Access Control Systems there's some tools that you need prox Mark Mark 3 I guess many of you have heard about that this is a prox Mark 3 with a blue shark Bluetooth uh module on top with a battery everyone that do uh RFID oh need uh proxmark um if you have an Android phone you can install the application Mar for classic toolkit which is also very very handy to have and some China stuff uh this this is a really cheap China card cloner I think it cost like1 $15 it also have options to uh crack encrypted cards but then you need to
connect to it to connect uh the PC to it and you need to install some shady Chinese software so I never tried it but it's really easy to use to copy the uh the ID on all sorts of cards Kon Ultra is really good yeah so if you need some tips on what equipment you need just shout out and of course everyone knows this how many does have a flipper here that's good to see and for the rest of you buy one it's fun a couple of links to where you can buy some stuff lab 401 is really good if especially if you live in Europe Red Team Tools yeah m m tool SEC but did you think it was bad until
now let's make it a bit more bit more verse let's see um your access control system you will never expose that on internet will you do you think anyone will uh during uh during the making of this presentation I just found thought it would be fun to just check out sh shoden to see if I found some Access Control Systems there and um actually I found three different vendors which I knew very well from Norway um and I found several hundred Access Control Systems only from those three vendors exposed to internet so vendor number one zto um I found you can see in the uh in the banner information is it blurry ah it's Salto Salto and here's a RDP session in
yeah um for a Salto server and also there are some uh some web interface log on to the Salto access control system another one lenel which I talked about earlier actually I have found several in the US um access to the to the management interface which might have default password I don't know and some of them are running the database to which I mentioned earlier with a default password so maybe some of the ones you ca
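The clear-text PIN export and the facility-wide 2580 PIN described earlier are the kind of thing an auditor should check for before anyone else finds them. The following is an added example, not the speaker's code or any vendor's tool: it reads a CSV export in the shape mentioned in the talk (constructed sample rows, with assumed column names `cardnumber` and `pin`) and flags PINs that follow keypad columns, digit sequences, repeated digits or years, plus PINs shared by several users.

```python
import csv
import io
from collections import Counter

# Columns of a 3x4 keypad read top to bottom: 1-4-7-0, 2-5-8-0, 3-6-9-0.
KEYPAD_COLUMNS = {"1470", "2580", "3690"}

# Constructed sample export in the shape described in the talk
# (card number, name, role, PIN in clear text). Not real data.
SAMPLE_EXPORT = """cardnumber,name,role,pin
1001,Alice Ames,Employee,2580
1002,Bob Berg,Employee,2580
1003,Carl Dahl,Admin,2580
1004,Dina Eng,Employee,1234
1005,Erik Foss,Employee,7777
1006,Fanny Gran,Contractor,1990
1007,Geir Hol,Employee,8371
"""


def pin_weaknesses(pin):
    """Return the weakness labels that apply to one PIN (empty list if none)."""
    if not pin.isdigit():
        return ["non-numeric"]
    labels = []
    if pin in KEYPAD_COLUMNS:
        labels.append("keypad-column")
    if len(set(pin)) == 1:
        labels.append("repeated-digit")
    elif len(pin) == 4 and pin[:2] == pin[2:]:
        labels.append("repeated-pair")
    digits = [int(c) for c in pin]
    # Strictly ascending or descending by one, e.g. 1234 or 4321.
    if {b - a for a, b in zip(digits, digits[1:])} in ({1}, {-1}):
        labels.append("sequential")
    if len(pin) == 4 and 1900 <= int(pin) <= 2099:
        labels.append("year")
    return labels


def audit_pins(csv_text, pin_column="pin", id_column="cardnumber"):
    """Audit a clear-text PIN export: weak PINs per card, PINs shared by users."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    counts = Counter(r[pin_column] for r in rows)
    weak = {r[id_column]: w for r in rows if (w := pin_weaknesses(r[pin_column]))}
    shared = {pin: n for pin, n in counts.items() if n > 1}
    most_common = counts.most_common(1)[0] if counts else None
    return {"total": len(rows), "weak": weak, "shared": shared,
            "most_common": most_common}
```

`audit_pins(SAMPLE_EXPORT)` reports the three cards sharing 2580 under `shared` and as `most_common`, which is the signal that one PIN has been handed out to everyone.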