
So we've had some schedule changes, but right now we have Damien Burks to talk about some cloud security stuff. We're absolutely thrilled to have him, and I want you all to give him a round of applause, give him a warm DFW welcome. Here's Damien.

So how's everybody doing today? So far so good? Yeah, good, good. All right, cool. Well, let's just go ahead and get right into it. What I'm going to talk to you guys about today is called Minimizing AWS S3 Attack Vectors at Scale, and I'm pretty sure you're probably wondering what it means to try to minimize those attack vectors at scale, considering that most organizations have multiple AWS accounts. So before I get into it, just a little bit about me, a short bio. I'm currently a cloud security engineer at Citibank, and I'm also pursuing a master's degree in cybersecurity, and I'm almost done, so yay. Next year, finally, right? Life happens. I'm AWS certified four times, so I have a range of AWS certifications, and I'm also an open source contributor for this tool that I developed called DataCop. Also, if you're familiar with Open Policy Agent, or OPA, I write a little bit of code for them from time to time as well. DevSecOps advocate and mentor; I have a couple of mentees. And I'm also a father of two kittens, not children, as you can see in the picture right there. Those are my babies. Some activities and hobbies I like to do for fun: I like to play video games, so if there are any gamers in the room, just come chat with me afterwards. Anime and cars. I know, I've got everything right here, you've got the Infiniti, so we've got to talk. But aside from that, that's just a little bit about who I am, so let's just go ahead and get right into it.

So the first thing is S3 attack vectors explained. We know for a fact that buckets have been exposed quite frequently within the past couple of years, right, since people have started moving and migrating all their data to the cloud, primarily to S3 buckets. Some of the common attack vectors that we've seen, for example, have been data exfiltration. If you take a look at the right side of the screen, that's a very small snapshot of some database credentials that were exposed from Netflix's S3 bucket that was publicly exposed to the internet, which is bizarre, but okay. And then you also have some ransomware and malware that people try to deploy, because, and I'm going to talk to you about this in a little bit, people usually read and write to S3 buckets from their EC2 instances and other services in AWS. So with that being stated, that malware and ransomware would be loaded into that EC2 instance if they're not careful, right? With data exfiltration, some common things that have been exposed are PII, personally identifiable information, so you've got credit card numbers, SSNs, and so on and so forth; credentials and tokens, again, database credentials and tokens and so on and so forth. So many different things have been exposed. With ransomware and malware, depending on the intent of the malicious app or file, the impacts may vary. I haven't necessarily identified any research as far as what examples I can give y'all, but I know for a fact, and we all know, we're all security professionals, that the impact does vary.

So how does that really happen, right? When you have these S3 buckets that have been deployed and you have all these files located in those S3 buckets, how is data exfiltration happening, or how do these ransomware and malware applications get inside of that S3 bucket? One of the common causes is the lack of access control, right? People don't necessarily have roles and whatnot attached to the S3 buckets to be able to prevent people from uploading those documents, as well as blocking public access. You have lack of monitoring, meaning that there is no, or usually, I'm not going to say no, but most companies don't monitor what's going in or out of their S3 bucket. So when people upload something, it's like, okay, it's there, but we don't necessarily know what's there, right? You just know that it has these objects or these files, but you don't know what is inside of those files, you don't know the contents, you just don't know. And then the last thing, which kind of wraps everything up, is that lack of access control and lack of monitoring are all part of misconfiguration, right? And the reason why is because, well, it's not properly configured.

So with that being stated, let's go ahead and get into the scenario. I have this example organization I created, so hopefully no one has named their organization Generics, but if you did, I do apologize. So in this example, it's basically a mid-sized mobile gaming company that caches their survey and user data within several S3 buckets and on-prem, but the key thing about it is that the company operates out of a single account, and they utilize all these different AWS services, such as EC2 and Lambda and [inaudible], so they're pretty much all in the cloud, all in, right, for the most part. Within the past year they sold over a thousand copies of their hit mobile game called Angry Dolphins. I don't know why dolphins would be angry, but they're angry. So after the debut of their hit mobile game, the organization was hacked. How? Well, somehow the hackers gained access to, and I have this in red, the EC2 instance that was storing and retrieving personally identifiable information and PCI data from a single S3 bucket that was public. Now, why was the S3 bucket public? We don't know. But the security engineers had deployed this tool called Cloud One that basically observed the malicious files within that S3 bucket, and it highlighted that there was this malicious Excel workbook or worksheet that was loaded onto the web server, and then it created a backdoor for those hackers to SSH into the instance. So a lot's going on there, and I know there are a lot of words, so let's look at a picture.

This is my favorite. In this architecture diagram you see we have a bad actor, and you have this report called customer report whatever bad dot xls worksheet, and that bad actor somehow uses the AWS CLI to upload this document to this public S3 bucket that contains PCI and PII data. From that S3 bucket, you see there's this EC2 instance called the payments processor, and that payments processor has a role attached to it called the EC2-to-S3 role. So in short, what that EC2 instance is doing is assuming this role, and this role has permissions to read and write to that S3 bucket, and that's basically how they're able to get all the information that's in that S3 bucket, right? So once they've read and loaded everything onto this web server, that's how the attacker was able to compromise that system, based on it reading those Excel workbooks and decompressing that information and so on and so forth.

So how do we know, aside from a malicious file, what type of data we have in that bucket as far as PII and PCI? How do we classify that? Well, we're going to move over to AWS Macie. If you're not familiar with AWS Macie, it's basically this data security and privacy service created by AWS that leverages machine learning and pattern recognition to discover the sensitive data that you have in AWS, particularly in S3 buckets. Macie has a couple of capabilities. The first thing is it automatically provides an inventory list of all the S3 buckets that you have within that particular account. It goes in there and inspects all the data and all the files or objects, and it classifies them based on specified criticality, where there's high, medium, and low, which we'll talk about in a second. And then also, if you're an organization that has data that's supposed to be compliant, it helps those organizations meet data compliance regulations such as GDPR, HIPAA, and so on and so forth.

So a couple of pros and cons of Macie. It's fully managed data types, so if you take a look on the right, all of the rules and policies that they create are fully managed by them. They have policies and rules for Social Security numbers in the US or tax identification numbers, and it's not restricted to just the United States, it's also global, so they have things from China and so on and so forth. So it's fully managed by them, you don't have to worry about that. It seamlessly integrates with all the AWS services such as EventBridge, CloudWatch, and Step Functions, which is super important, and I'm going to tell you all about that in just a second and why it's important. You can customize the data types, meaning if you have customized data that's proprietary to the business and you want to create regular expression rules or patterns to detect that, you can do that with Macie; you can add that information in there. And then you can also create an automated data discovery job that runs on a specific basis, so if you want to run it daily, weekly, monthly, you can do that, it's perfectly up to you.

But the cons, of course: when you get into doing this with Macie, anything with machine learning or AI, you know you're going to pay that money, right? So it's going to be very expensive. Not only that, but when this information is returned to you, based on how much data you have or how many rules it detects, it's going to give you this bloated JSON file, and it's not feasible for somebody to read through 50,000 lines of JSON just to figure out what Macie has found, right? And even in the UI it can look a little complex for whatever reason. And then the last part is there is no type of feature available for auto remediation of the bucket. So let's say you do find something, and let's say the organization has a compliance rule that you're not supposed to store Social Security numbers or any kind of PCI data in the cloud, but Macie finds it and it's just like, okay, hey, we found it, but we're not going to do anything about it, that's on you. What type of, I mean, excuse my language, bro, what? Why would you even do that, you know? So there's no way for you to auto-remediate those buckets. So that's pretty much the downside of Macie, and that's where DataCop comes into play.

But before we even get into DataCop and what it does, let's get into this next thing that I mentioned earlier, which was Cloud One. So, Trend Micro Cloud One File Storage Security. It's this cool, cool, cool, cool, cool times 20 application that Trend Micro developed, and it's basically a security solution for S3 buckets and file systems in AWS. It provides malware and ransomware scanning on those files in multiple cloud environments, not just restricted to AWS, but it could be GCP or Azure, so many other things. It can detect several different types of malware, if you have them. Well, you don't want to have them, but if you do, it would detect viruses, Trojans, spyware, the list goes on, but those are the three main ones that I picked out. And then it also supports the scanning of different file types, so you've got BIN, EXE, PDF, ZIP, XLS, you know, Excel workbooks, CSVs, so many different things that it does.

So with that being said, how does it work? Let's dive into this a little bit. Let's say we have a file, and we upload that file to whatever the cloud storage container is, whether it's S3, for example. Somehow, in some way, they have a magic wand that subscribes to this little bucket, and the scan is going to be triggered for that particular file automatically. What's going to happen is that file is then going to be sent to whatever repository they have with all the data and the contents, and they're going to inspect it and do some magic on their end and determine whether or not it's malware, malicious or not, and if it is, it's going to tell you what type of malicious file it is. So that's pretty much how FSS works from a high level.

Let's go ahead and get some pros and cons of FSS. A couple of pros: if you have massive files, it supports scanning of massive files, five gigs or more, which is fantastic. It's extremely fast, so if you upload a file, even a massive file, it'll literally scan it in about three to five seconds and return that report back to you very quickly. It is concurrent, it is able to scan multiple files, so let's say you have 10 files and you upload them all at once, it's going to scan all 10 of those files at once and report it all back to you. And then it's easy to deploy and it's extensible, meaning if you wanted to add some custom data or custom logic to it, you can, it's very easy to do so. It's an open source project, so you can just go ahead and add that information in there. But with it also being open source, the problem is it's not free. So is it really open source? Not really, but there's a part of it that's open source, which is the logical part, but you have to pay for the service. So that's actually the downside to it, but, you know, I got free AWS credit, so I'm not worried about that. So that's the only thing that we have.

So let's just wrap this up and move on to some more diagrams so I can give you a scenario of Generics with Macie. Let's say, for instance, now we know the organization was compromised, and the security engineers are like, okay, first, before we even get to any type of remediation or mitigation, let's understand what type of data we have in our bucket. So in this case, the security engineer logs into the AWS console, navigates to the Macie dashboard, and triggers a job, and they trigger that job to scan all of the contents in that S3 bucket that contains PCI and PII data. If you take a look on the right, these are just some mock findings, but you can see that the security engineer found 58,000 records of sensitive information, so you've got credit card numbers and Social Security numbers and so many different things. And what Macie automatically does by default is classify any type of sensitive data that it finds as high, right? So they realize that, hey, we have a whole bunch of records here, and nine times out of ten somebody may have stolen something, because the bucket itself is publicly accessible, which is horrible.

So with that being stated, now we'll move on to Cloud One File Storage Security. It's a bit different, in a way, where Trend Micro has their own dashboard. So instead, if the security engineer does want to log in to see the type of malicious file that was caught, what they'll do is log into this Trend Micro dashboard, and you see that we have not just one account but two accounts. We have this account with the question marks there, which means that this is Trend Micro's home account, where basically all the data that it scans, or S3 objects that it scanned, all that information is sent back to them. Their malware repository is deployed in this account, and then there's interaction between this account and their account. So he's going to log in, look into that UI, and the UI is going to pull all the results from their malware repository, where they store all the information about your objects. And then you can see, on the third thing, Trend Micro is pointing to that S3 bucket, which means that they have something there that is subscribed to that S3 bucket, so it's completely event driven. If something happens to that S3 bucket, it's going to trigger events back upstream to Trend Micro in their repository.

So we'll get into the mitigation strategy without automation. Let's say we've got to do all this manually, right? Manual auto-mitigation for the win. Not. So I condensed the action steps for this, because nine times out of ten, at this point you're dealing with two different attack vectors: you're dealing with one for data exfiltration, and another one for this malware file that somehow miraculously is uploaded or appears in this S3 bucket. So the first thing we've got to do is disable the public access for that S3 bucket. Why do you have it publicly accessible in the first place? I don't know. We don't want that anyway, right? And then, after you disable that, you don't necessarily know at this point in time, since it was public access, what type of roles are associated with this bucket. So now that it was publicly accessible, sometimes your roles may have been compromised, because now they have information on the roles, and nine times out of ten, I don't know about you guys and your organizations, but my organization typically may or may not reuse roles, right, use the same role, share roles, okay. But they have that information; they can use those roles for pivoting into other things, right. And then you attach a bucket policy that denies all access to those resources and services. So that bucket policy is basically going to deny all access for all roles and from any service, so no services will be able to access that S3 bucket, right.

You want to inspect each object and file and identify what the issue could be. So now we've got to go through each file, determine whether or not it contains PII and PCI data, and then move it to the on-prem server or file system and delete it, right? And if it doesn't contain any of that information, now we've got to move on to figuring out whether or not it's a malicious file, and if it's a malicious file, then we need to delete it and then figure out the impact. So you've got all of these things: if it's this, then do this; if it's this, then do this. How long will it take? It might take you a week, it might take you a day, we don't know, right, because we need to measure the impact. So that is where the problem is going to come from, and that's why we have automation.

So now we'll get into DataCop, which is supposed to come and save the day. Not really, but... DataCop is a framework that I wrote. It's open source, but it's basically an AWS framework that mitigates the potential of vulnerable S3 buckets. What happens is that it leverages the Macie results that you get to automatically block those S3 buckets that contain PII or any classified information, and it also relies now on Cloud One results as well to be able to make that determination. Some features: it automatically provisions infrastructure to bridge the gap between Macie and S3 with AWS CDK and Python. There are also some configurable settings for bucket blocking, so you can do it yourself or configure it the way you want to. It's event driven, meaning that it ties into some of the AWS services, so you don't necessarily have to trigger it, it does it automatically. And it's easy to extend for other AWS security frameworks such as Cloud One and so on and so forth.

Some considerations with this: there are quite a few IAM permissions and policies that you need to create in order to use the following services, because DataCop relies on EventBridge, Lambda, CloudWatch, SNS, Step Functions, and S3. A little bit about each of those services: EventBridge is basically configured rules for detecting events to the Macie results bucket. You've got Lambda, which is a serverless component to execute code. CloudWatch is where all the logs will be. SNS is the Simple Notification Service, so it's basically sending those emails to the end users when something happens. You've got Step Functions, which is a visual workflow service that relies on the Lambda to execute any kind of blocking actions that we have in a specific order. And then IAM, which we all know, Identity and Access Management, so roles, permissions, et cetera, et cetera. So the beautiful thing about DataCop is that it creates all the roles and permissions that it needs to operate and function properly. The only thing that it doesn't modify is SCPs, which stands for service control policies, and service control policies operate at the organizational level, so once you modify the SCP policies and roles, that's God-level status; it pretty much replicates on towards any of the IAM roles and so on and so forth. And the last thing is, let's say you wanted to quarantine any kind of files that you find, it'll create an S3 bucket for quarantining those files.

So now we get into more architecture diagrams, which in this case will explain DataCop and Macie, and then we'll move on to the DataCop and Macie architecture walkthrough and so on and so forth. Let's say the security engineer logs into the AWS Management Console and executes this Macie job against this S3 bucket. The key question is, that information is going to be sent to the DataCop framework, but what does DataCop do exactly with that, right? What happens is that this data is going to go straight to DataCop, and if you take a look, you'll see that on the second step there's a results logs S3 bucket. DataCop will subscribe to that bucket, so every time Macie publishes the results, it's going to pull those results from that bucket, and then it's going to go ahead and execute this step function, and this step function is going to contain all of the steps that it needs to be able to perform blocking actions on that S3 bucket, right. That step function is going to interact with that Lambda multiple times, and then once it's done blocking whatever S3 bucket, it's going to send an email to any subscribed stakeholders that you have, so incident responders or security engineers, whoever subscribes to it is going to get that email, right. And then all the logs, regardless of whether they're from Step Functions or from the Lambda, are going to be logged in a CloudWatch log group, which is again automatically created by DataCop, so you don't have to worry about that.

So you hear this word blocking, you hear this word step functions. What exactly happens? This is a picture of the step function, the state machine, for Macie, and these are some of the steps. There's a total of seven steps. The first step is when it gets that information from Macie, their logs: it's going to parse that log and determine the severity of the log. The severity is also determined by the user, but let's say, for example, if the severity of the bucket or the severity of the finding is high, then for the bucket it's going to determine whether or not we should block the bucket. If we do, it's going to check the bucket status to ensure that it hasn't already been blocked or that there is no kind of policy attached to it, right, such as if a security engineer goes in there and adds a manual policy, then it won't block the bucket, because it's going to consider it as blocked already. If not, then it's going to go ahead and block that bucket, and what blocking is going to do is attach two things: it's going to attach a deny-all policy, and it's going to revoke the public access to that bucket. Now, that denial policy is going to have an exception, and that exception is for a specific role that you share, for example, for a security engineer to be able to just go into that account. So nobody is going to have access to that account except for the security engineer or authorized personnel, right? And once it's done with all that, it's going to send a nice report and say, hey, this bucket has been blocked, and continue on, right.

So once we finish with that, let's go over Cloud One File Storage Security and DataCop together, right. In this particular case, or use an example, the malicious threat actor, the bad actor, uploads this file into the S3 bucket. The thing is, it's different, because there is no manual interaction with Trend Micro, because it's already subscribed to the bucket, so it's going to automatically trigger: it's going to activate the scanning, and it's going to send those results, whatever it finds, to the malware file repository in the other account. And while it's doing that, once it comes back, it's going to go straight to DataCop. Now the question is, in this case, what does DataCop do? Do you guys think it does the same thing, or is it going to do something different? Let's find out, right. So in this case I've expanded on the architecture for FSS a little bit. We already know the bad actor has uploaded that information to that S3 bucket. Now the key thing is that with FSS there's a Lambda and there's a role associated with it, so that file is going to go straight to that Lambda, it's going to start parsing through it, and it's going to interact with that malware repository with that role, because that role is a cross-account role that enables the Lambda function to communicate with the malware repository, right. Once it's done that, and it continues to parse through that file, it's going to go straight to and interact with the DataCop Lambda if the file itself is malicious, and if so, that's when it's going to execute this other step function for FSS, and that step function is then going to interact with the Lambda again to do all the blocking capabilities and whatnot and so on and so forth. And then in the end they still get a nice little email, because they have the SNS topic, and all the logs again are going to be sent to the CloudWatch log group for this particular step function.

So the state machine itself: again, there are seven states, well, way more than seven, I'm sorry, it's a typo, but there are quite a few states in this one, and the reason why is because we are not only blocking the S3 bucket, but we're also copying the data or object from that S3 bucket and moving it into the quarantine S3 bucket and getting rid of the bad file that's in the original S3 bucket. So the first step is we copy the object to the quarantine bucket. That's where we're basically going to find the malicious object from the original bucket and copy that to the quarantine bucket. Then we're going to remove that object that we just copied from the parent bucket. We're going to check the parent bucket status to see if it's been blocked, and if it hasn't, then we're going to go ahead and block it, and then send a report. So we're moving that information to a different bucket for analysis, and then we're going to go ahead and block that parent bucket that we already have.

So what it looks like when it's fully automated, and this is a big one: the security engineer is going to execute that Macie job, and Macie is going to upload the result logs to a results bucket. Once that information is uploaded to the results bucket, then DataCop is going to be triggered, and it's going to start to see if that bucket has been blocked and start blocking the bucket based on the results from Macie itself. So if it has any PII or PCI data, it's going to block that bucket, right. Then from another side, or another vector, we have Trend Micro. If the attacker uploads that information, which most likely has already been done, what's going to happen is Trend Micro is going to activate and do its thing: it's going to inspect the files in there, and if it is malicious, then it's going to trigger DataCop, and DataCop is then going to go back over it and do a little bit of analysis. As you can see on the right, by step two you'll see that report is being moved from one bucket to the next bucket, the quarantine bucket; you'll see that one is black and the other one is blue, I mean not blue but green, and so on and so forth. So at this point you're coming from two different angles: you have some analysis from one part where we're checking to see if the file is malicious or malware, because if it is, then it's going to block the bucket, and if it contains any bad data, or data that we're not supposed to have in the cloud, it's going to block that bucket. Now, how to say, we're not going to copy the PCI and PII data, we're just going to leave it there, but if it's malicious, we're going to copy that to a different bucket, right. So that's pretty much what's going to happen. And as you can see, there's a pretty little email at the bottom that lets them know how many buckets have been blocked, or what bucket has been blocked, and it gives them some type of hash that is proprietary to the step function, because the step function is going to have a history of all the actions that were taken on those buckets and so on and so forth.

So I say all that to say, to conclude: when you incorporate Trend Micro, Macie, and DataCop all together, you minimize at least two different attack vectors. One, you stop data exfiltration from happening, because you block the bucket, you stop it from being publicly exposed, and you cut off all the access to the roles. On top of that, you're also stopping ransomware or malware from being uploaded and then traversed or moved into different EC2 instances or exposing different services, right. There's also a quick response time to any kind of malicious files that you may have, so if you have malware or a Trojan, it's going to respond to that very quickly. It's completely scalable, meaning that you can deploy it into multiple accounts. We all know most organizations have not just one but thousands or hundreds; you can easily deploy this into multiple accounts and have everything securing from each account. And also, from a manual standpoint, you save a ton of time on manual labor and analysis by eliminating the complexity of all those repetitive and mundane tasks of blocking S3 buckets and analyzing files and performing forensics and so on and so forth. So you eliminate all of the manual stuff and only focus on, for example, doing reconnaissance on the bucket and then also analyzing any malicious files that you have. And with that being stated, thank you all so much for listening to me speak and ramble. [Applause] If you scan the QR code, there's a link to the code on GitHub and a couple of other links as well. And I'm now open for any questions, if you have any. Oh yeah, I've got a couple. All right, so I think you raised your hand first, and then you guys. Yeah.
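The Macie-side blocking step described in the talk (parse the finding's severity, check whether the bucket already carries a deny policy, attach a deny-all bucket policy with an exception role, and turn on the public access block), worked through as an added example. This is not DataCop's own code; the finding shape, the `DataCopDenyAll` statement id, the account id and role ARN are assumptions, and the functions build the API inputs a deployment would hand to boto3's put_bucket_policy / put_public_access_block instead of calling AWS, so it runs offline.

```python
import json

# Severity ranks used to compare a finding against the operator-configured
# threshold; the labels match Macie's Low/Medium/High, the ranks are ours.
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}

# Statement id that marks a bucket as blocked by this tool (assumed name).
DENY_SID = "DataCopDenyAll"

# Settings that revoke public access on a bucket (S3 PublicAccessBlock).
PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def _as_dict(obj):
    """Accept either a JSON string or an already-parsed dict."""
    return json.loads(obj) if isinstance(obj, str) else obj


def parse_macie_finding(finding):
    """Pull bucket name and severity label from one Macie finding.
    Field paths follow the shape of Macie sensitive-data findings
    (resourcesAffected.s3Bucket.name, severity.description)."""
    finding = _as_dict(finding)
    return {
        "bucket": finding["resourcesAffected"]["s3Bucket"]["name"],
        "severity": finding["severity"]["description"].upper(),
        "count": finding.get("count", 0),
    }


def should_block(severity, threshold="HIGH"):
    """Block when the finding is at or above the configured severity."""
    return SEVERITY_RANK.get(severity.upper(), 0) >= SEVERITY_RANK[threshold.upper()]


def is_already_blocked(existing_policy):
    """The talk's 'check bucket status' step: any Deny statement that covers
    every principal counts, so a manually attached deny policy is honoured
    too, not only our own marker statement."""
    if not existing_policy:
        return False
    for stmt in _as_dict(existing_policy).get("Statement", []):
        if stmt.get("Effect") == "Deny" and stmt.get("Principal") in ("*", {"AWS": "*"}):
            return True
    return False


def build_deny_policy(bucket, break_glass_roles):
    """Deny every S3 action on the bucket and its objects to everyone except
    the listed role ARNs (the security-engineer / scanner exceptions)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": DENY_SID,
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"ArnNotEquals": {"aws:PrincipalArn": list(break_glass_roles)}},
        }],
    }


def plan_block(finding, existing_policy, break_glass_roles, threshold="HIGH"):
    """Run the Macie state-machine decision and return the actions taken.
    A deployment would pass bucket_policy / public_access_block to boto3's
    put_bucket_policy and put_public_access_block; here they are only built."""
    parsed = parse_macie_finding(finding)
    report = {"bucket": parsed["bucket"], "severity": parsed["severity"], "actions": []}
    if not should_block(parsed["severity"], threshold):
        report["actions"].append("below threshold: no change")
    elif is_already_blocked(existing_policy):
        report["actions"].append("already blocked: no change")
    else:
        report["bucket_policy"] = build_deny_policy(parsed["bucket"], break_glass_roles)
        report["public_access_block"] = PUBLIC_ACCESS_BLOCK
        report["actions"] += ["attached deny-all policy", "enabled public access block"]
    return report


# Constructed sample finding and role ARN (not real Macie output or a real account).
SAMPLE_FINDING = {
    "type": "SensitiveData:S3Object/Personal",
    "count": 58000,
    "severity": {"description": "High", "score": 3},
    "resourcesAffected": {"s3Bucket": {"name": "generics-pci-pii-data"}},
}
BREAK_GLASS = ["arn:aws:iam::111111111111:role/SecurityEngineer"]

if __name__ == "__main__":
    print(json.dumps(plan_block(SAMPLE_FINDING, None, BREAK_GLASS), indent=2))
```

Running the block twice against the policy it produced shows the idempotence the talk relies on: the second pass reports "already blocked" and changes nothing.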
[Audience question, restated by the speaker] So the question was: how careful do you need to be about false positives causing buckets to be quarantined? Is that the way you phrased it? Something that looks like a social security number but actually isn't, and then you take the entire bucket and move it over to a quarantine and it breaks some process. Okay, so here's the thing. That's actually a really good question, because it is entirely dependent on Macie, so the results come directly from Macie. If someone uploads, let's say, an email address or email content that has mock SSNs and it gets blocked, then there's not really much that we
can do unless there is, like, an example or a regex that we put in there to kind of templatize or minus the false positive that you have. But it's still going to block the bucket if it detects the social security number; it's not smart enough to detect, or to discern rather, whether the email itself is malicious or not, or contains... you see what I mean? So yeah, no worries.
[Audience question] Yeah, so have you ever found that the data flow for data has gotten messed up, messed up meaning the bucket before Trend Micro can get into it? And I've reviewed the volition...
Um, yes, I did, and that is where
I made an exception for the Trend Micro role in the deny-all bucket policy. So you just simply say, okay, well, we know that this role needs access to this bucket in order to inspect it, so just get that role into the whitelisted list of roles that can access this bucket. So yeah, I did run into it, and I was like, oh yeah. Yeah, so, uh, yeah, you got it. I think... oh, whichever one. Yeah, okay, he's looking; you're closest. Okay.
[Audience question about whether S3 itself can tell what kind of file is stored] Nope, no. So S3 does not care what kind of file it is; it's just there for storing files. They don't have a way to discern what type...
[Audience] Is that built into S3, to discern it?
Yeah, no. You have to either get a third-party service for it or you have to use Macie, but Macie is only limited to inspecting the file; it doesn't discern what type of file it is, whether it's malicious or not. So then you have to get another third-party service to do it, or you have to build something on your own to discern it. Yeah, shared responsibility model, not too shared. Yeah, any other questions? Oh yeah.
[Audience question not captured] Uh, yeah, it is, because I haven't necessarily found a way to develop... or, I would say, there is an open source website that you can use to upload files to. The problem is, I don't know if you guys are familiar with VirusTotal? Yeah, so you can upload your file there and, you know, it'll tell you, whenever it can, that, hey, this file is maybe 80% malicious. I was going to go that route, but then I found out that there is no type of waiter or limit, so I literally have to poll and check every five minutes to see if they've scanned it yet. Hey, did you scan it yet?
Did you scan it yet? So yeah, no, it realized...
[Audience question, beginning not captured] ...scoring system to say, like, this is absolutely bad or this is a learner, whatever; if they could make a different decision, it sounds like. But along those lines, kind of the same with PII, social, whatever: do you have a way to turn the knob and say, okay, like, how many pieces of it is lesser, more acceptable, or lesser, more risk to make...
I did add a bit of code into that to kind of help discern, or like skew, the results a bit, because it's completely reliant on, one, the Macie scan results; it relies on whatever type of severity you set in Macie. You can set it in datacop, but to follow up with your
question, all of that that you just said can be configured in Macie itself. So you can go into the console and make up your own little rules and change it a bit to escalate or de-escalate or declassify certain things, if that makes sense. Any other questions?
[Audience question not captured] I would say the only reason why I'm relying on it: well, one, it was a side project, and two, it's much easier to scale and it's more supported with other AWS services, so it makes it a bit easier to leverage Macie. But I have plans to add what I call third-party extensions to it, to allow people to kind of, you know, leverage other things or other resources. Right now it's definitely Macie, just because it's AWS and it's easily supported. Yeah, no worries. Any other questions? If not, you guys can pull me to the side and talk if you don't want to ask anything else. All right, sweet, thank you.
Thank you. Hey, now we're all seven steps closer to becoming cloud security architects, so thank you, Damien. All right, I've got the next talks. We have had a bit of a change, so let me go ahead and share what's going on with y'all. Track one, over there: at about 3:30 we've got Peter Luo with The Journey of Security Automation; after that we have Jason Kohler with Visual Badge Forgery at 4:30. Here, the next talks at 3:30