
2017 - Repairing The Internet With Responsible Disclosures by Victor Gevers

BSides Manchester, 30:01, published 2017-08

Transcript [en]

So this talk is about fixing the internet with responsible disclosures. I do this research in my spare time, alongside my normal day job: I'm an innovation manager for the Dutch government, so that means that I investigate all kinds of new things that we can use to make our Dutch government operate more efficiently. So I research technology and I debunk hyped innovations, so that at the end of the day we pick the right thing to put our resources into. I come from a radio background, so I like to go outside with my hardware, not connected to the internet, and just listen to radio waves. I've been doing that for like 15 years and

I still like to go out sometimes in the field to see what I can hear and pick up. In the past I also flew drones to capture radio waves, but in Europe it's almost impossible to fly drones in the city or near an airport to capture radio signals, because people get a bit nervous about that. But it's still possible to wire your laptop up with extra sniffing equipment, so my sniffer has a sniffer. I'm a hacker; I've been a hacker all my life. So before we start I would like to debunk some myths about hackers: we do wear hoodies, but we wear them backwards, reversed, because that's the best way to store your popcorn in and keep your hands free,

and eating a pizza with a ski mask on is nearly impossible. I couldn't find any nice image on Google. So as I said, I'm a hacker, and I'm also an old hacker, so I'm a member of a group called the Guild of the Grumpy Old Hackers. What we do is we keep an eye on the internet, and when we see young hackers announcing they're going to release a data breach or they're going to dump some data, then we are the first ones to say: wait a minute, maybe you don't want to do that, maybe you want to talk with us first, because we have a little bit of experience with reporting nasty things and getting you

nice feedback for it. So two years ago I started, with a colleague of mine, the GDI Foundation. This is Vincent; he couldn't be here today. We started the GDI Foundation just to get a better way to report vulnerabilities. As a hacker, if you want to report vulnerabilities to companies, or especially to countries or organizations, that's very difficult if you use your hacker name all the time, so we needed a name that shows a little bit of trust and is understandable for mere mortals, so we chose GDI Foundation. And if you want to know what this organization is doing, I suggest you Google us in the news section and you'll see a little bit of what we've been doing the last years. Last year we ran

Project 366, which is a very uncommon project for us, because we spent 15 hours per day, for free, for 366 days, to find as many vulnerabilities as humanly possible and report them, which resulted in a nice result: we could at least mitigate 700 very critical vulnerabilities worldwide, investigating a lot of devices, infrastructure and online services. And the best way we thought of doing that was using responsible disclosure. This is the original responsible disclosure policy from the Dutch government, as the Dutch government sees it, and this is what we added extra for the people that helped us, to give them a little bit of a

guideline on how responsible disclosure actually works, because nowadays it has a nice framework, but I think in this case being nice and loyal and just polite gets you very far in this world. So responsible disclosure is not new: it's already about 15 years old, it originates from the software industry, and it has a nice Wikipedia page which describes very basically what it does. But nowadays it is also known as coordinated vulnerability disclosure, and it has its own ISO standards, actually two: one, the vulnerability disclosure framework, and it also has a framework for handling vulnerabilities, which helps organizations to deal with people who report stuff. And actually the nicest part that happened was that in

July the US Department of Justice released their own vulnerability disclosure framework for their government systems, and this is very important because it is based on the NIST standards, so this framework is deployed once, and as NIST is being updated underneath, the framework will always apply the latest security standards. Also, two weeks ago the Senate got a new bill that helps researchers to report systems that are vulnerable, and the most important paragraph is that if you engage in good faith in researching the cybersecurity of interconnected devices, you're not going to be liable anymore for reporting it. So that's a very big step forward, and it makes this much safer for security researchers too, if this bill passes.

Well, responsible disclosure has become pretty mainstream in the last years, also known as coordinated vulnerability disclosure, and there are already many bug bounty programs making this possible. So if you want to start researching online services, you can first check out these platforms, and they will show you if there's a responsible disclosure or bug bounty program in place, so that you can legally start investigating and reporting. The problem is that these bug bounty programs are limited to only what the organization wants you to test, but the internet is much bigger than that. So we tried talking to the police and the politicians in Europe and explained that responsible disclosure should be for everything, also for companies and

organizations that have no responsible disclosure policy in place. We've been pushing that for the last two years, and we are almost at the point that we're going to get a general responsible disclosure, or coordinated vulnerability disclosure, framework for Europe. So why do we do this? This chicken picture is how the internet looks to us: it's just a big mess, and we just like to dig into it to see what's running under the hood. And actually that's not so pretty, because most nice new things, like innovations, are actually based on things that shouldn't actually be online, or were just meant as a joke, or started very small as a proof of concept

and suddenly grew very big. The biggest example is Instagram, that started with three persons and one database that was just an experiment, and in the end it became a very big service and was actually the end of Kodak and analog photographic film. So going back to Project 366: we went around the globe, and what we tried to do is find a way to see how countries or organizations respond to responsible disclosures, because you have to deal with many different cultures, time zones, and also there are always things going on in a country that are not in the mainstream media but can have an effect on the way that things are being taken care

of. And the funniest part is that, after a little bit of pushing, China is the quickest in accepting vulnerabilities and fixing them, compared with my own country, the Netherlands. So in the Netherlands we take about eight days and China only takes 4.9 days, so they're actually doing better than Europe, and we want to know why that is. The difference between all these continents is culture. It is never a technical problem that says, OK, this vulnerability takes more time to fix there than here, or the infrastructure behind it; it is always a cultural thing. So especially what we noticed in Eastern Europe: if you want to

report a vulnerability, you will never get feedback and probably they will not even accept it. And why? Because they don't know you; you didn't shake hands. In China the biggest problem was they didn't know us; we had to drink tea first with them, and after drinking tea they made it much easier. So if you look at the internet now, we see it as a threat landscape, and this landscape is still littered with vulnerabilities like Heartbleed, which is a very old vulnerability from 2014, and silly-named vulnerabilities like POODLE, Badlock, Shellshock and Dirty COW, which, for people that are not very well versed in infosec, these vulnerability names can be a little confusing,

but the biggest risk factor we see here are users or entrepreneurs that want to build a new service, quickly put it on the internet, put it to the test, and actually that is the reason why we have so many websites that can be hacked easily, why it's so easy to deploy malware and why it's so easy to build a command and control network for bad things. As GDI we use a lot of open source information, OSINT, most of it because it's free and freely available to everyone. Especially GitHub is a very nice place to start to look for private keys, passwords and other things, because this is where products are still in the

development phase, and this is also a good place to start for detecting vulnerabilities early on. But as you probably also saw in the morning session, I think the morning talk about OSINT: Shodan and certainly Censys are great places to start if you want to start finding vulnerabilities on the internet. I suggest you start here. So because we started our project focusing on the Netherlands, we wanted to know how many Dutch domain names there were, so we asked the Dutch registrars: how many Dutch websites are there? Because we want to scan them to see if they're vulnerable, can you give us that information? Well, that's not possible, so we had to

start scanning the entire internet looking for certificates ourselves, and then from those certificates get the domain names that were in those certificates. The funny part is, if you start scanning for names, then your ISP will start receiving a lot of angry abuse emails, so this is also bypassing the fair use policy of your ISP's services, so that's another interesting challenge. And the moment that you start scanning the internet you're going to store IP addresses. Well, European law doesn't help us with this, because according to European law a dynamic IP address is now suddenly personal data, and if we store personal data in a database and we're not taking care of that, we share too much, we can

get in trouble with the law. So, is scanning illegal in our country? It's not, but not storing the IP data securely can be a risk. So what we actually did is build a dashboard, built on Elasticsearch. We have a GitHub repository where this is on, and how you connect all these open sources and create a very quick dashboard that indicates hacked servers and devices that are vulnerable, and especially data leaks, because we're interested in open servers that are not supposed to be open: database servers, file servers, Hadoop cluster servers. And in the end, to get all these servers fixed, this is the end goal: we want to get the

internet cleaned up and safe and more structured again. So I was talking about Heartbleed. If you Google for Heartbleed now, this morning, you will see that Heartbleed is a vulnerability from 2014 but it's still very active in India, so this is still recurring, which is strange. And if you start looking in Censys for Heartbleed, you find these systems everywhere in the world. Or you say: who cares, they're probably webcams or nothing important. But actually if you take that query and type "bank", you will find all the banks in the world that still have web-facing devices that are vulnerable to Heartbleed. Well, OK, you can laugh because you see here Greece;

well, Greek banks are empty anyway. So Russia, who cares, but there are also other banks you can find there, and the moment you send a bank an email, "hey, your server portal service is visible in Censys and has Heartbleed, plus this is the SSL scan that proves it", then sometimes a bank has to shut down just for a while, because they cannot confirm anymore that their transactions from the last few years were safe. So because of time constraints I'll skip this. So one of the other databases that were very popular in the last year is MongoDB. MongoDB has been shipping for years with an unsafe default setting, so when you install MongoDB and you don't change any

security settings, your database will be open to the internet, and that helped because at some point in time there were always about 45 or 40 thousand databases open to the internet, and of course we keep reporting these to the owners: be careful, people are going to steal your data, they're going to destroy it. And that actually happened in January. In January we saw a new form of attack on these systems: someone wrote a very simple Python script that crawled all these databases, they deleted everything and just left a ransom note, yeah, "pay me one or half a bitcoin and you'll get your data back". The problem behind this is that these people never extracted the data; they just deleted

everything and just left a note, and this was the first disruption and another way of operating in this field. And why we're always going after MongoDB: because most hospitals are using MongoDB databases, because they can just easily connect every registration system to it. So, ten minutes. The most well-known case with MongoDB is probably CloudPets; the CloudPets database was a very interesting responsible disclosure, because we reported to the company: be careful, your database is open and it's leaking millions of audio messages from children to their parents. But the company never reacted. We tried email, LinkedIn and Facebook, and then

another researcher found it and Brian Krebs made it public, so at that point there was no reason to keep it quiet anymore. The most interesting part is that still, to this day, they deny that they ever got an email from us, which, well, it doesn't matter. The good thing is that in California there's now a new bill, so that if you make this kind of toys you need to have some security standards applied, so that was a good lesson. Well, these are the examples of the ransomed databases: databases that were open got ransomed again with messages like this, and in the end they even started selling the hacking kits

for it for a few hundred dollars, and after this thing went live we saw more and more systems getting compromised by people that just buy the script and just run it for fun. So as you know we've been monitoring all these systems: CouchDB, Hadoop, Elastic and Redis are very well-known systems that, if you Google for them or use Shodan, you will still find open on the internet, of course. Which one is the most interesting? This one, because if this is running, maybe Kibana is also running, and Kibana with the ELK stack is mostly used in security operations centers for keeping your network secure, so if these systems are still open then you're leaking a lot

of information. So we wrote generic security warnings with a little guide on how to fix them, and we sent them to all the CERTs in the world to have them distributed, and that worked pretty well. Coming back to MongoDB: when the attacks started, we needed to inform the world that we saw these attacks and where these attacks were coming from, and we wanted to share all indicators of compromise in an easy way. Well, if you're running this organization with three men then you need a way to do it, and we actually found the Google Sheets spreadsheet: you can switch it to public, and then anyone that Googles for a Bitcoin address or

for an IP address or for the ransom message will instantly find us as the first result in Google. So that was a very effective way for us to share this data, and the sheet is still up and running; every week we get a new request for a new entry to add, so these attacks are still going on and people are still willing to add their compromise data. Let me see, this is a nice one: my daughter likes to play computer games, and she likes to play big titles, and after she finishes the game she starts using mods, Nexus Mods. Nexus Mods allows you to go into the game data and

add extra things or change things in your script. The funny part is, no one probably ever started looking in the configuration files for comments or for IP addresses. So I was going through it with her, you know, to set up some new settings for her to make the game nicer, and suddenly we find an IPv6 address, put there by the developer, with "please leave this server open for getting research files". And the fun part was that that IPv6 address was indeed resolvable to a live system, which is not very readable on the screen, and let me see how much it was: 750 terabytes of data. This was actually the

backup or production server for that company, for hosting all the DLCs and everything else. So we checked that server again for IPv4, and for IPv4 it was beautifully firewalled. So what was the problem here? Well, the problem was that the server was behind the firewall all these years, and on IPv4 it was only available inside the office for the developers, but at some point the ISP had the good idea: oh, it's IPv6 launch day, click, let's put it open on IPv6 to the internet. So the funny part is, every time we report about these attacks and vulnerabilities, we have these very sharp discussions on Twitter about whose fault it is when they get

hacked, and in security we still like to say: if people get owned because they left their systems open and unpatched, it's their own fault. Well, yes, this may be their fault, but someone needs to help them. We've been dealing with victims from those ransomware campaigns, like having to tell a researcher that they just lost years of research on leukemia, and that's another matter; then you cannot say it's your own fault, no, then you have to look for a solution, saying: how can we prevent this from ever happening again? Oh, we're going to skip this, because I think this has been in the news enough. The fun part is that in January, when

the Shadow Brokers released their package, "here, you can buy our package, these are the vulnerabilities that we have", we already knew that you had to start blocking these ports, because there was a zero-day out there that could hit these services, especially when they're accessible through the internet. So when WannaCry hit in May, we started getting help requests from all over the world. Just imagine your Twitter DMs flooding with: "international organization, help, I've been hacked and I don't dare to go to my government because I'm scared of legal things, can you please help us". So yeah, we tried to help as many organizations as possible, but in the end, I mean, anyhow,

it could not be stopped anymore. The only thing that we could do was look at the network and then say: OK, you have segmented here, you have segmented here, patch this, oh, and look, these are your servers on the outside, why are they still vulnerable? The same, of course, for not patching. This is now known as one of the biggest cost factors of this attack, and why these attacks are possible is because that vulnerability, EternalBlue, which the speaker next to me will start talking about, is still out there. So that's the reason why we scan the internet and why we keep reporting these vulnerabilities, because these

things need to be cleaned up. And this is an example of how we did it: we just created a database with all the Dutch IP addresses that were vulnerable, with the city and ISP next to them, so we could contact the ISP and say: this is the list with all the hosts that are vulnerable to EternalBlue, please help fix this. So we made a generic responsible disclosure email form: this is your server, it's vulnerable, you need to patch it or put it behind a firewall, please help us with the distribution. And within one week we were able to get down from 15,000 vulnerable hosts to like 300, and those 300 are because they are not owned by a Dutch

company but by a hosting company from outside the Netherlands who doesn't want to cooperate with security researchers. And after that we started focusing on Germany, Ireland and England, and actually it was possible to bring down the amount of vulnerable hosts within a week from thousands to a couple hundred. So combining social media and open source information and just a helpful hand to get the systems fixed in time before they get hacked is very well doable, and I've been doing this for 19 years. So the last thing I want to say is that voting machines are now getting more and more media attention. If we look at voting machines, like at DEF CON, how easily they can

be hacked is one of the reasons we need to keep investigating devices that are rarely used but very important, and share this information. In the Netherlands we did the same, and when we tested the device, the advice was: go back to paper and pencil, because this is not going to fly. How much time do I have left? One minute, OK. So this is the set of slides I show to people that are just in infosec or an interested manager, and they want to understand why it is so important that we patch all the easy things. To start to become a cybercriminal you don't need many tools: you

can just simply go to GitHub and get nice ready-made software to get you started, but actually if that's too difficult for you, you can find open-source ransomware with a nice video instruction on how to get through it. But still, you have to be able to use a keyboard and you have to type some commands that are not so easy to remember; maybe you have to build a web server. But nowadays, of course, on darknet marketplaces you can buy the best ransomware available that will pass any security, and the good thing is that it has become a service, because you just pay five thousand dollars, or you pay fifty or thirty dollars if you help

spreading the malware on two hundred computers. But how are you going to do that, because you're not a hacker; you can't just enter Windows systems, right? That's impossible. Well, you can just buy a list with C&C servers, Windows computers running VNC with no password, where you can just drag and drop your malware on. But still, then you have to invest like $50 for the list. So if you just go to Shodan and type "has_screenshot:true", you can find more than a million systems online that have VNC running with no password, because otherwise they couldn't make the screenshot. Even if you say, well, Shodan, that's where everyone goes, that's not so fun, there's also a

nice website called World of VNC, and you can just browse through all kinds of systems that are open, with IP address, and you'll find systems online like these. So if you drop a piece of malware here, ransomware, and you don't ask too much money, it's guaranteed it will be paid, because these systems are just drag-and-drop. You find Windows 10 systems that are fully patched and running antivirus, and they're open. You find banking systems (don't worry, these samples have all been taken offline), but also airports and luggage handling, and of course Dutch entrepreneurs who are running their bookkeeping systems online. So the last thing that I want to give you is

that there's new ransomware coming, ransomware that will abuse the human. The most famous example that we've seen in a while is called Popcorn: it will encrypt your files, you can pay one Bitcoin to get your files back, it has a nice sad story about why it's doing it, because it needs money, but there's a way to get your files back the nasty way: you just have to infect a few friends of yours, or enemies, by just sending them the link, and when they get successfully infected you get your files back for free. And this is the kind of innovation we're going to see, and

yeah, yeah, immediately. Well, what I always try to explain to young people is: it's like you're going to have a conversation, a very intimate conversation, you know, and you want to be as polite as possible. If you come with a mechanism that puts pressure on your conversation, that doesn't make it a friendly conversation. So I've been doing it for 19 years; I can show you some examples off screen. Our emails are very polite and very helpful, and it works. Also, within those 30 days we never have things not fixed within 40 days, unless the problem is so complex that it takes a little bit longer. But you can do

your reports without applying the pressure immediately; I will do that in a later stage, when normal communication doesn't work anymore.

[Audience question, partly inaudible] ...had we have these kind of organization...

Exactly, yeah. So our experience is, when we send the report, we always send the reason why we report: you know, your system is vulnerable, this is how you fix it, but this is the risk that we predict. And we had very well predicted that at some point a piece of ransomware or another form of attack would abuse these systems, and then later these companies contact you: right, you already predicted this a year ago. Because that's what we would do if I was an evil hacker, or a hacker with bad intent: that's the thing I would do, I would go for these systems first, because I want to get a foothold as soon as possible and

as quiet as possible. And the biggest reason why we're pushing so much is that if you now, in 2017, start looking for vulnerable systems, it doesn't take you long to find one; there are more, actually, which one can I pick? And that's our biggest worry. This is a free book about Dutch hacking, written by someone who interviewed many Dutch hackers, so if you like to read about the past: a nice backstory.
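As an added example, not part of the talk and not the GDI Foundation's own tooling: a small Python audit of a mongod.conf for the two weaknesses behind the open-database ransom wave the talk describes, a listener bound to every interface and no authorization. The two configs are constructed samples, and the parser is an assumed minimal reader for the nested key: value YAML shape of mongod.conf, so it needs no PyYAML.

```python
"""Flag the unsafe MongoDB settings the talk describes: exposed bindIp, no auth."""
from __future__ import annotations

import ipaddress

# Constructed sample: the unsafe shape that ended up open on the internet.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0      # listens on every interface
"""

# Constructed sample: loopback only, and clients must authenticate.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> dict:
    """Parse the subset of YAML mongod.conf uses: indented mappings, scalar leaves."""
    root: dict = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        while indent <= stack[-1][0]:  # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":  # a section header such as "net:"
            child: dict = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def _is_loopback(addr: str) -> bool:
    """Loopback IPs, 'localhost' and Unix socket paths do not expose the port."""
    if addr == "localhost" or addr.startswith("/"):
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_mongod_conf(text: str) -> list[str]:
    """Return one finding per setting that leaves the database reachable and open."""
    conf = parse_mongod_conf(text)
    net = conf.get("net", {})
    findings: list[str] = []
    if str(net.get("bindIpAll", "false")).lower() == "true":
        findings.append("net.bindIpAll is true: the listener is exposed on every interface")
    bind_ip = net.get("bindIp")
    if bind_ip is None:
        findings.append("net.bindIp not set: relies on a version-dependent default, set it explicitly")
    else:
        exposed = [a.strip() for a in bind_ip.split(",") if not _is_loopback(a.strip())]
        if exposed:
            findings.append(f"net.bindIp listens on non-loopback address(es): {exposed}")
    auth = conf.get("security", {}).get("authorization", "disabled")
    if str(auth).lower() != "enabled":
        findings.append("security.authorization not enabled: anyone reaching the port gets full access")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(text) or ["no findings"])
```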