BsidesSLC Friday
Show transcript [en]
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e
e e
test can you guys hear me
okay cool
thanks
for
e
e
e
e for
all right can everyone hear me okay cool all right thank you guys for coming out to this kickoff of the bside Sal Lake City virtual conference quarantine Edition uh I'm Bryce Coons I'm the president of the nonprofit 501c3 that uh that runs the bide Salt Lake City Event uh so you know as you guys are all aware right the uh c19 uh it's uh spreading throughout the globe so we kind of had to change the format of our
of our conference a bit so thank you guys for all you know sticking with us and uh and yeah can tuning in today um today you know there's already been 80 firm cases in Utah uh so uh you know it is spreading across the US so we're just trying to you know help be a part of the solution of slowing that down at least so and um see CDC has issued uh that you know there's not to be any large meetups which um you know we generally have over 250 people every year so um yeah so it's nice we still get to do it virtually and um and hopefully yeah you guys will be able to
interact with slack and the CTF and all that so I think it's already off to a good start all right so the plan because I know there's a lot of questions about this I've posted a lot of answers in Slack so hopefully if you've been in slack you've seen some of those but uh you know the the plan really is a virtual event today and tomorrow I mean originally we're just going to have talks on Saturday but now we're having talks both days um all the talks are 25 minute format so like in 30 minute blocks uh so they're quicker um so hopefully you know if you just have a few minutes on Saturday or Friday today
you'll be able to tune in to the ones you're you're most interested to or just kind of leave it running in the background um the schedule is up on the website there's a link when you click on the schedule to the Google Doc and the Google Doc is the latest information although some of the information looks prettier on the website really appreciate all the speakers coming together um you know yeah kind of Chang this to a virtual format pretty quickly uh and all all the speakers were great and uh you know we still pretty much have those access same lineup that we had originally so so that's that's great and then I just wanted to
reemphasize um a big shout out to uh the the CTF and Laura so from uh secure code Warriors for putting that on for us uh we do have some prizes like Nintendo switches that we're going to mail out to the top four performers there um so you know if you're interested in in learning more about how to secure code definitely jump on there and work on that um that's something you can work on today and tomorrow it will be open until 3M tomorrow I believe and if you have any questions jump in the CTF channel on slack and Laura yeah she'll give back to you so right so um tenative plan right now is we want to do a hang out later in the
year if it's safe to do so um you know obviously uh CDC and others will have to declare it safe um and then at that time anybody who's bought a ticket will give you your electronic badge if you purchase that and then we do have like hats and other stuff um so we'll give that stuff away at that time as well um you know we may have a CTF and kind of it hat at ad hoc talking uh like lightning sessions at that but um really that's more of a hangout just to give out the schwag so anybody you can't make it to this hangout um if you email info@ besides. solic city.gov with copy of
your QR code or your receipt um we'll make an effort a best effort to mail you your your electronic badge and all that so so I'm I'm doing our best we're doing our best to try and you know get you guys uh the stuff that we were originally planning to give you and then um I don't know if you guys ever seen that movie Pineapple Express but uh if this thing starts lingering around right so uh we can't really hold event this year then um we will honor all the 2020 tickets at the at a 2021 in real life event so um if you sponsored or you purchase a ticket um and we're unable to do that in real life hangout
then you won't have to uh yeah you won't have to buy a ticket to the to the next event so so hold on to your QR codes all right and then huge shout out to the sponsors really the event would not happen at all without the sponsors uh the bulk of the revenue for the event um to hold it comes from the sponsors so I just really uh really want to say thank you to them and for their patience uh through this really unusual time um did you sir RSA Adobe stage two security mcast corite Red Canary salt stack St con no starch press and red Point Security uh they all significantly helped provide this event
for you today so please please go check out their website and check out what uh um you know what what type of offerings they have that might be able to help you guys so um you know if the um you know if you if you want stuff mailed to you or anything like that like if we're unable to hold it in real life hang out this year uh just shoot an email to info@ bidol city.org and and we'll get back to you so so I really don't want to have a bunch of Swag sitting at my house so um I'm going to do everything in my power to get that out to you guys so but obviously I just
don't want to you know spread the virus or something weird so all right so um yeah yeah and just really appreciate everyone's patience as we're going through this all right so I just wanted to talk for a minute about the future um yeah um so kind of in an unusual time right now where things in society may be changing um you know kind of on the level of like I don't know a uh a 9911 type event or the financial crisis type event that uh that we had previously and um it is info bid salake city.org uh right the same is the website right so sorry if I misstated that previous um so so it's uh you know it's
an interesting time to be alive and uh you know I really think if we you know collectively put our brain power together that we're going to make through this and you know society as a whole is going to be going to be better better off right so I think the big thing is trying to band together against uh you know Common enemy right um you know I'm not a s like a a doctor or a virologist or um a subject matter expert I mean I am you know a subject matter expert in the cyber security field space um so I'm just kind of looking at what's happening in the world and applying it to the
cyber security field space here in this presentation so uh so don't take this as like you know medical advice and whatnot I'm not I'm not qualified to provide that to you right so history of pandemics um so you know most get the answer to that on most recently uh we had the Spanish Flu about 100 years ago right so um you know human history does have a trend of these these epidemics happening and you know large Sloss of of deaths occurring um when when these potentially outbreaks occur so um you know that's it's pretty interesting but uh what what I think makes this interesting in the cyber security space is just how now that we
have uh you know more technology than we did in the 1900s how how that's going to really shift our society and how things are going to change going
forward right so what what change is going on right now and so as you guys are probably aware or maybe not uh the states of California and New York have um signed laws or executive orders to basically enforce that people stay home right so they're trying to trying not trying to slow the spread so that our hospitals and other medical facilities aren't overwhelmed uh as people get sick so so here yeah we see the a tweet from the governor of New York and a picture of the governor of California and uh you know New York's saying that they're going to enforce this right they're basically they're going to find anybody who comes outside of their home unless you know they're in
the pharmaceutical or grocery or or other um you know needed industry right now so that kind of reminded me of that classic movie Judge Dread uh you know just kind of a futuristic type Society so you know what's the future going to be like it's going to be like a dystopia type Mad Max scenario I mean probably not right but I mean it is going to be a you know at least for the near term it's going to be a lot more isolated right and really right now I don't think you know anybody knows how long this is going to last so so there's some predictions out there on it but uh you know it could be longer or shorter than
what people are thinking right now all right so right now social distancing I'm sure you've all heard about that in the media right um you know what does that really mean you know it be means like virtual meetings like this and remote work that all starts to become the new Norm right um instead of you being that weird person who works remote at a company where everybody else is at the corporate headquarters now nobody's going to come nobody's coming to the whole corporate headquarters because um because of the spread right so and uh I uh you know and so I just feel like companies uh maybe if you work in the tech industry you know remote
work was already common place for your company or your industry but you know there's a lot of other Industries where I mean they may didn't even have VPN Solutions or other ways of uh doing secure remote access until recently right so um you know there's a lot of you know Industries have been around a lot longer that uh that uh are going to have to adopt to this type of model at least for the near term right so so and instead of just some employees being remote it's pretty much everyone's remote right I mean I've personally been on so many conference calls this last week and uh because schools are closed pretty much Across the Nation uh you
know it's just the norm like everyone's kids are jumping up in the background and waving and uh and uh you know when you're in like pretty serious business calls right so it's just uh you know something that I think you know we'll probably you know we'll get used to more and you know families will try you know adopt to the scenario more so yeah so yeah and I agree man I I I definitely you know like my space like I have like the Bryce bubble right I don't like people coming too close to me I'm not really like a huge hugger if some of you know me or seen me at conferences before yeah so you know it's not it's not too
bad for me but um you know for most people I think this is pretty um pretty inconvenient for them at this point all right so how does this whole like scenario apply to cyber security right like we can talk all day about the current state you know I mean just kind of telling you what I've seen in the news and what I've researched every day I look on my phone for articles about you know c19 and how it's affecting Society just because more I want to like see where the trends are going and it seems like speculations are pretty wide right between like people saying oh this is going to blow over in a couple weeks
to other people saying like this is going to be like a year and a half thing right so um so it'll it'll be interesting but regardless I mean for the now where people can't even go to work I mean they're going to need some way to securely do remote work right so you know that could be something as simple as like you know vpns deployed at their work with their machines still running so they can you know hit the VPN and then RDP into their boxes or to something much more advanced right so so I think you know this this type services are definitely going to go up right and so security around remote access and
whatnot like as security cyber Security Professionals or people who are interested in the industry in general you know we're going to have to uh you know put more scrutiny here not that not that there hasn't been a lot of scr here in the past right because um you know if you had remote access you wanted to make it sure it's secure because generally you know you have this nice hard shell on the outside of your corporation and your protected networks and the way to get through that is the VPN but then once you get through there you have that nice delicious inside it's like like an &em right hard hard candy outside with like delicious soft chocolate on the
inside so if an attacker can get a footo hold on the inside a lot of times they could just move un unrestricted across of it right um I don't know how many environments that I've personally pent tested where I've seen basically a flat Network design right where all systems workstations production everything are just all inside the corporate Network and obviously that's not recommended um but uh you know companies that are startups or are really focused on growth or haven't really had an IT background or cyber security background um you know maybe you know they just had a friend start their it systems and they really didn't design it from the ground up the way they should have
so so you know what's going to happen right if people aren't coming into offices then means they're not inside that hard perimeter right but you know they still got data and they still got to do work right and you know businesses are going to fight to stay alive right businesses don't want to they don't want to go out of business I mean people have sunk a lot of time and money into uh into these entities and they want them to continue to thrive right so they're just going to get work done any way they can and I think that's going to be a lot more of work occurring on like not corporate owned devices or a lot more
work occurring just on whatever you can get your hands on right which means uh you know there's G to be more and more breaches outside of this perimeter and if we don't come up with a good way to get visibility into those end points or U protections around like bring your own device and other typ policies uh you know that's going to be a huge problem and it'll be interesting to see how this plays out I mean know obviously companies could still you know mail equipment to employees but you know if you're trying to make a decision between buying new laptops and making payroll like obviously you're gonna do payroll and tell people to use their own
computers right so so I mean businesses I mean they a lot of businesses especially small businesses are going to be really hurt by the the market downturn right so so you know personally I think zero trust I mean this is this is going to be the way of the future man I mean a lot of companies have already started implementing this and you know implementations vers versus different companies widely vary right so just saying because you do zero trust that may that may be great or it may be useless right depending on your implementation so so I think you know the real thing here is with zero trust design you're basically you know you're going to authenticate who the user is
that's sitting at the device and then you're also going to authenticate the device say like hey does this device good to uh like access our corporate resources and uh you know that could be like you know is this device owned by us or that could be like does this device just like mean our requirements like does it have antivirus on it you know has it been patched things like that you know and if you haven't met those requirements you you can't verify who you are or the device doesn't meet the corporate policies then um then zero trust just basically says like hey you can't you can't talk to anything in our Enterprise right um but if you do then
the zero Trust Systems will enable you to talk just to the systems that you're allowed to talk to the systems that are inside your kind of like group right so and then another nice thing about this is uh you kind of have these Central points where you can audit who who's accessing what systems from which devices so um you know that's a lot lot better than a flat Network for multiple reasons right um you know if one workstation gets compromised in a flat Network generally attackers will try and move laterally onto you know other workstations right until they find a workstation that has you know someone doing admin tasks inside the network um right in a zero trust Network you can
really only talk to the applications that you're allowed to talk to which means you can't really talk to any other um workstations ideally and if you can't talk to other work ations then that makes attacker's life a lot lot more difficult because they have to find a vulnerability in the applications you're talking to and then wait for other loser users to log into those applications and they have to have a capability then to move Downstream from those compromise applications to other workstations and then kind of like move up and down um that's that's a lot more complex right so and and and a lot a lot of attackers are not trained on that um you don't see
you know a lot of uh hacking groups or even red teams or pentesters um really taking the time or effort to go through that work um you know you might see it in limited scenarios um but uh you know that might be something also to watch it's just kind of the way that attackers are going to try and move through the networks more and more in the future right and you could definitely you know get a zero trust type uh system going low cost you know by implementing uh well you get some of the features by implementing host based firewalls across your Enterprise you know just even something as simple as you know making sure that uh hosts can't talk to other
hosts's smv services on like you know Port 445 um then uh know that can be quite effective where you have maybe like a a cider block that can talk out where the admins reside and um and everybody else can't talk to each other um because that just makes lateral movement that much harder on the on the attacker side so um yeah I um yeah so I mean zero trust is a big thing it was really I I think pioneered at uh Google they have a big write up on it and now there's several vendors that have taken it and commod commod commoditized it so to make it easier to implement at your organization I you know I don't have a specific
vendor recommendation but uh I definitely think you know as more people turn to remote work and just honestly this is something that we should we should have been doing a long time ago to make the inside of the Eminem a lot a lot harder right so um in addition right you know if you're not really going to the office anymore you're probably not going to really care if your servers are at the office right so I I feel like and this is already kind of a trend you know there's going to be more and more focus on cloud security um the border that used to exist because people were going into office spaces and you could have
sight to sight vpns between offices and all that Stu stuff you know that's that's really going to diminish even more now that people more people are doing remote work and whatnot make sure you can force everyone to VPN into to the corporate land and things like that but um but uh seems far more effective to have your systems built around a cloud security model I mean there there's some pros to the cloud security model um one of them that I like is things are a lot more audable like there's an API you can call to find out what where how many servers you have right um or you know how many files you have in S3 buckets and things like that
things that are typically quite hard to figure out in a in a traditional data center model where people install devices in data centers uh they're supposed to be tracked in some type of asset tracking system and everyone who's in this industry and does it long enough knows for the most part those asset tracking systems are are pretty inaccurate right so um you know people try and create like a m cmdb of their uh their assets and their Enterprise but uh I feel like that's still executed very very poorly um you know one of the downsides of cloud accounts is just if there's Cloud accounts sitting out there that you don't know about obviously you don't
know about them you can't monitor them you can't enable auditing and logging and all that um and uh another another downfall of cloud is a lot of people think like I'm going to push all my resources to Cloud so I don't got to worry about that that's uh that's Microsoft's problem or that's Amazon problem and in reality the bulk of the security work still sits sits on your shoulders right so the way that you configure the policies and roles and permissions in your Cloud PR providers is Mission critical I mean I don't know if you guys have looked for uh you know cloud storage breaches on on Google search or like S3 storage bucket breaches but feels like every month
there's like a major breach right like like Time Warner Cable DG I the Army a centure I mean they all left tons of files and uh in storage accounts on these Cloud providers that were just open to anybody on the internet anybody on the internet could have gone and downloaded them um there is a project it's uh called gray hat Warfare where he's this guy has actually gone and indexed all the files which he can find in public uh storage accounts on Amazon so you can search them in real time so it's kind of like a showan but even more intrusive because you're like searching people's files or file names and then you could go pull the contents right so
I that's like kind of questionable ethics right I don't know where that lies I mean definitely when you start accessing someone else's data you don't have authorization to act even if there's no restrictions placed on it I feel like that's illegal but I'm not an attorney so don't take legal advice from me um so uh you know it's it's pretty crazy right but this is the new new right I mean I mean data centers are pretty expensive to run um and uh you know it made some sense when you already have the connections and Facilities set up but as more and more these office spaces if they go away or uh you know we move more
remote work definitely these cloud services are just going to become very standard in air industry all right so you know here's the other thing that I was kind of thinking when I was like thinking up like hey if like everyone moves to remote work and we stay away from each other all the time which sounds fabulous to me uh like uh let's uh you know what what are attackers going to do how are they going to change how they're going to come after our infrastructure and uh you know one thing that I think is going to get even more prevalent I mean this is already popular now among attackers but uh you know if I'm pushing all my
stuff to cloud and I have zero trust um you know going after your corporate land and all that that's going to be hard man I mean going to be I it's not like it's not possible in a zero trust model but it's just it's a pain so an easier way would be hey if you as a company trust another company because almost every company out there has vendors they need they need something to do their job right and then a lot of those vendors have have higher privilege access inside of their environments because they need to be able to talk to their other systems and they need to be able to put orders in or um make requests things
like that um so you know I think we're going to see more and more actors Target these thirdparty vendors even though they don't maybe don't care about those vendors they really want who those vendors provide services to um there's been a lot of reports lately about um msps uh like managed service providers being compromised and allegedly by you know nation state governments and then they're using that as initial access into the msp's clients right like the msps that they're monitoring for either availability or security concerns have an agent and then that the third party MSP provider is able to Monitor and fix problems on those endpoints and so the attackers go after the MSP because once
they get access to one MSP they can access a multitude of Target environments and maybe they don't care about all those but maybe they care about one or two and so for them that's good value so I'm just calling this Deep Fishing right because uh trying to come up with a term right and uh you know this this is not like a theoretical right this is this has been done right and it's probably being done right as we speak so uh for example the the whole Target scenario right the way that they got a foothold into Target systems is that they went after basically a vendor or supplier for Target right they fished onto that guy's laptop they got his
creds and they used his creds as as initial access point to start talking to Target systems directly and then they were able to you know gain access to those systems by chaining together a series of vulnerabilities which then allowed them to Pivot around the network and eventually get to the point of sell terminals where they started stealing credit card numbers numbers at all Targets locations um you know and they Exel the data and the credit card numbers and all that stuff right so so I mean you know this is not might happen this is is happening and will probably dramatically go up if things continue down the same path so I think you know one thing that
we're probably already experiencing right now is as we're sitting at home because we're forced to be home we're just we're going to start using internet more right I mean if your boss or cooworker isn't sitting right next to you I mean there's a lot of employees that are going to just open up Netflix or whatever and start watching stuff from their house while they're working and not saying anything bad about that just saying you know that that's more bandwidth right and uh you know the more we're forced to be at home the more we're forced to use the internet to interact with each other and the more we use the internet um yeah the the more
traffic that goes across it um large tech companies Facebook Google Microsoft AWS azure they've they've they've already invested heavily in these unders cables right these fiber optic cables to connect their data centers around the globe so they can provide the the best experience to the users on their platforms um so I think you know we're going to see significant more um internet infrastructure go down in the next few years just due to demand uh for remote work and and bandwidth requirements um you know it would be interesting to see whether the last mile like the internet providers to us actually step up or not you know but you know these major tech companies they they need these type of services to
continue to provide uh you know continue to be competitive in space so so I think that's cool I mean that you know that's that's a better internet ecosystem for all of us right um but you know with that I I really think that there's going to be even more of a push for end to-end encryption right I mean the more cables that go down um the harder is to monitor the cables to uh know what's going on at all your different locations and you know companies like in the tech industry like Facebook have have been preaching for a while now that you know you basically you need to do endend encryption everywhere like even inside
of your private networks in your data centers from application to application inside your own data centers you need to be encrypting it and that and that is what as far as my understanding my knowledge Bas is what Facebook does right now is they encrypt all the Transmissions even inside their data centers so even if someone were to compromise one of these fiber optic cables they were to compromise a switch or a router in a data center um they theoretically would be unable to read the communications because they're encrypted even inside their own private networks so I think that's pretty cool and also think the push to cloud is really enabling this I mean the cloud
providers basically enable TLS automatically because they assume that you're going to access them over the Internet which is not trusted but you don't have to I mean there's ways to set up AWS accounts that are completely private so that none of the services that you're using can ever talk to the internet um you can drop endpoints inside of virtual private U networks in AWS and uh you yeah you can set up a lot of those Services now so they never talk out to the internet right but you still I mean that's inside aws's data center so you still want what if a router switch is compromised in their data center right you want that to still be
encrypted and a lot of those service providers are now doing that by default so I think you'll see more and more push for this uh you know I know some of the major tech companies are doing this now but not all big tech companies are doing it um just really the ones that uh are trying to be a little more proactive so hopefully you know everybody just does this by default going forward so or everyone gets on the cloud providers and the cloud providers are just kind of doing that transparently um underneath right for you all right so uh yeah def fakes def fakes are scary man right because you know at least right now or
previously you know if something was a fake um you know journalists would would really be to be all over that I mean up until lately we've still had press conferences with the president and journalists were invited to be there um you know we're kind of going into a an at least for me an unknown territory here um the the you know if we can't meet with people in real life um there's really no journalist or anyone to fact check that someone said or did something right and uh if somebody's able to create videos and to the point in which we can't detect that they're faked I mean you know they could potentially shape um world events so for
example I mean it's widely considered to be a fact now that you know foreign governments were meddling in our pre election right and I mean my understanding of reading the unclassified reports about this is that you know Russia basically wanted to sway the public and so they used the ad networks and fake accounts on providers like Facebook and Twitter and things like that to try and push certain narratives and they thought the net effect of pushing those narratives would be that you know you would vote more for one candidate versus another candidate so thinking about this again we've got an election theoretically coming up in in 2020 if it doesn't get postponed or whatever they're going to do right and
um you know what if Russia produ deep fake videos that we can't using Technologies we can't verify our fake uh and then just starts releasing those on social media um which starts swaying the public one way or another right I mean that's a pretty um you know maybe we have the technology to detect those fakes now but you know um technology has a way of of of leap frogging to uh in a way that uh you know improving in leaps right so so you know it's possible is it probable I don't know but uh but you know without people being at press conferences or being able to to fact check with people in real life I mean
that definitely makes you know trying to manipulate public opinion like a whole new level um so uh yeah it'll be interesting see what happens here I mean there's definitely you know incentive right for foreign governments to meddle with other government elections right so all right um okay great so you know I I think one thing that might be positive is you know I I don't know how many of you have VR sets virtual reality sets right uh but uh you know if people start to lack the human interactions right I mean this is an alternative that they could go to uh with little risk right uh without the risk of catching the virus or anything like that you know as long
as they're not sharing headsets or something with people unknown people but uh but uh you know this could be a real boom to this industry I mean the VR industry is in my opinion pretty cool uh it's uh but you know it's still you know pretty enthusi Enthusiast space right like people who want to be into it are into it you know that you know we could see like a much wider especially if like the virus were to linger for like a year and a half or something like some people are predicting I mean you can see a much you could see a boom in VR I mean right now you know you could go get theoretically
like an Oculus Quest and you do need a computer to hook it up and uh you can do room space based VR uh so uh so uh you know you don't even need a good computer right to run it it's all self-contained in the headset and uh you don't even need sensors on the walls or anything fancy you just plop this thing on pick up the controllers and you're good to go so I mean we could see that stuff start to boom right and you know I know there's some like applications on the platforms right now to do social interaction I've looked at them quite a bit um you know I'd still say they're pretty basic right um you know there's
some VR chat room like experiences that are uh um you know people like but you know they're still pretty in my opinion rudement so you could see a lot more appdev uh time being put on those to provide people with a much better like experience right um so instead of this just going from an Enthusiast Market that people think is gonna be a thing in the future you know it could be a thing almost now right so um right so then I was thinking like VR takes off right theoretically because people can't go outside for like a year or something like that I mean that's you know probably a worst case scenario but I was just you know to go with that
scenario so so I was trying to think like hey what's the implementations here right and like the the thing that I you know you're gonna have all these guys developing VR apps right for this platform if it takes off and um you know historically uh I think that's going to be a lot of the same resources that have done video game programming in the past and um you know video game programming in the past is not um it's been very emphasis on features and performance and uh there hasn't been a like a huge emphasis on security right um so as least from my perspective there has not so like for example um you know uh yeah
I mean several vulnerabilities have been discovered in video games like a lot of the games on Steam that are produced by Val that used to use or still use the source engine like csgo uses it and I believe Team Fortress 2 uses it and all that and uh you know I think there was a period of time where um for like I don't like let's see you know like for about five years where um there was a a particular spray you know in those games you go around and tag the walls right and if you tag the walls uh you know you can have your team's logo and stuff like that on the walls right
so you know you could kind of use that to mock the other team as you're winning whatever but for the period of five years there was actually a vulnerability where if you built a very like a malicious spray you could spray the walls and basically crash everybody's clients except for your teams if your team's clients don't crash and everybody else's does you can go around and frag them and eventually a German researcher reported this vulnerability to uh to valve and and they fixed it across the platform but uh you know I mean I don't I mean there's things like that that I feel like the gaming indust has not really put a lot of uh time and effort
on the security end so so uh you know what what could this future look like if if they're going to crank out a bunch of code they're going to crank it out fast and they haven't really been focused on security in the past what what's that going to look like in in the future uh you know and and one thing that I just kind of thought of was you know this this could literally be um you know a whole new market right so I don't know if you guys are aware or not but you know there's companies out there right now now and all they do is they buy zero day vulnerabilities or zero day
exploits right and what what is a zero day exploit it's a it's an exploit that takes advantage of a vulnerability and a piece of software that uh it's it's uh that's not known by most people right it's known by you but not really known by anybody else so then you can sell that exploit to somebody else and and that usually gives them some type of capability like let's them bypass authentic on an application or gives them uh remote code execution which means they can execute whatever code they want on your system and if they can execute whatever code they want in your system they can steal your files or they can you know use your system to
Pivot to other systems or they can um you know I you know just generally do anything that you could do do on the system right so right now you know it's pretty baby Town Frolic if you want to develop exploits on gaming platforms uh so it's it's not that hard um but you know if everyone starts using VR and VR is using a lot of the same codebase that gaming software is using today um you know the value of these exploits for the VR platforms could could go high right and now you know one possible use case for this is I don't know if you guys have ever seen uh Ghost in the Shell before or not but there's a there's a
hacker in here called The Laughing Man and uh basically when you're when you're everyone in this basically futuristic Society has enhancements right like some part of your body is enhanced with technology and so so he is such a good hacker that he's able to exploit weaknesses in in those enhancements so that no one could ever see his face so every time everyone tries to see his face they just see this laughy man logo because he basically has OD days for their their enhancements right um so you know you could see something like that occur so that people could stay Anonymous on those platforms um you know I mean if everything's throwing flowing through the internet and everybody's on
you know one to two to three major chat platforms on VR you know chances are high you know criminals and others are going to jump on there which means law enforcement's going to jump on there and start monitoring it right and you know there's always a subd demographic that wants to stay Anonymous on a platform so um you know that's that's one use case you know another use case is you know if people are actually able to develop exploits for those platforms maybe they can even get remote code execution on your laptop or something like that so it's like hey man let's meet up on VR and chat and when they do you take advantage of vulnerability in the
software and you're able to take control of their laptop without them knowing so uh you know it's it's it's pretty interesting um just how a remote work shift and how getting rid of a lot of uh this old um you know hard outside soft Insight type mentality would uh you know would change us but in the cyber security space I I feel like you know a lot of parts of society is maybe not for the better right but in the cyber security space I feel like there's a lot of stuff that we should already be doing today so even if like we all wake up tomorrow and like cdc's like pandemics over like we're all good everybody go
outside I still feel like a lot of these recommendations here in these presentations are things we should doing like zero zero zero trust Cloud security right those those type things uh end to end encryption I mean those are things regardless of what the future holds I mean we should really be pushing organizations towards those type of solutions and and this cyber Security Professionals uh you know if if we uh we should be making these things dead easy for for corporations to implement right I mean one thing that is really annoying to me is just you know like a company their their goal is to um stay in business right it's to like Drive value to basically you know their clients and
their shareholders and and all that right and I feel like historically a lot of cyber Security Professionals they're they're the no guy right they're kind of like the mom that goes around the organization is like no you can't do that you can't do that you can't do that and and really as an industry we need to shift from no you can't do that to yeah you can totally do that and here's how we do it in a way that is you know well organized for you and well organized for us as Security Professionals um so you know we don't want to be the guys that are just telling people no u i I do believe the push to cloud is is from you
know for most commercial is inevitable right it's do do the cost savings um and uh but uh the you know as Security Professionals it's it's on us to go learn those platforms right we can't just be like hey I know firewalls I know vpns I've been dealing this stuff for like the last decade I'm not I'm not going to learn cloud like that's like I don't need to know how rols or access control works in cloud like that's it's not it's not going to be a viable strategy in my opinion for the next 20 years right so um as as on-prem and data centers start to dwindle um that stuff's all going to get migrated to Cloud as
you know startups most of the startups are turning into Cloud infrastructure which is due their um they need to start cheap and small and then scale up rapidly with their platforms and um you know I I do think the serverless platforms that are on cloud right now are are are okay for basic tasks like scripts that you want to automate but you know they're pretty hard for advanced applications because it's it's hard to debug the code in serverless environments especially if you have like multiple serverless components all talking to each other it's hard to know uh where things are failing um at least from for me when I when I'm developing things in Lambda and
and those platforms so I mean I do think that there still needs to be a little more Innovation and and ease of use in the in the serverless space but I I do think that's coming as well right so so containers are kind of the new new and orchestration of them kubernetes is clearly the winner of that right now um which you know a lot of the cloud providers have very slick managed service for right now but uh you know after that push is over then I think a lot of people are going to turn to the server lless and hopefully it'll be mature enough by then that people actually be able to debug complex
applications in in those ecosystems um so yeah so I think as Security Professionals we just really need to get ahead of the curve right we can't you know just keep saying no for forever uh we we got to be the guys that know the cloud we got to know AWS Azure gcp we got to know zero trust right we got to know how to take these old aacy lands and and easily get them into a more secure State and then we got to be innovating right like it's not good enough for us to just say like like hey you know yeah everyone just gets pwned by fishing you know and it's not good enough for us to say like you know we
just need to do more user training and awareness like that's that's not a real solution right like we need an actual solution that we can provide to the masses and be like hey we know you guys get fished install this solution and you know that mitigates 90% of the risk or something like that right and you know a lot of that work is still to to be done so that's that's the great part about cyber security as a profession in my personal opinion is just that me it's still a little whyw Westy right there's still a lot of opportunity out there and you know while it's horrible that we're all F focused to stay inside I mean some
people think that right uh um I mean this is a real opportunity for us as cybercity professionals to try and try and push forward the industry and um yeah and and try and make this just a little bit better of a world than it was yesterday so so I I just leave that with you guys at at this time and uh we will uh I think that's the last slide oh thanks again on the sponsors really appreciate it especially uh diger is so helpful every year and RSA and Adobe um and uh you know minecast and corite came through this year and uh Red Canary and Sal stack and even St con and uh no Star
Press and red Point Security pitched in as well so I I really appreciate all them um and and all they're doing for this event so so um with that and I will post the slides that I just uh that I just had on to Twitter my Twitter name is tweak Fox and I'll put it in this chat um also uh also uh I will um these are being recorded and they should be up on YouTube um relatively quickly after the event so um big thanks to once again to Pope uh with Pope Tech uh the really this event would not be happening without Pope and and and the team right and his uh media team so I I
really want to thank them again um they you know in a matter of basically a week put this entire thing together from a tech stock and um you know hopefully we won't have any issues with recording and all that and everything will be up pretty rapidly so all right we will have the next session at uh 2m it'll begin uh and uh you know I'm just going to answer these random questions in the channel uh for a minute while we're waiting on that so why is it called bsides my my understanding of why it's called bsides is because if you guys remember tape deex um they're uh they they had two sides right so the primary side when you when
you had a tape and you put it in the tape deck to play music would be the a side but then a lot of artists realize uh they could record Another stream on the tape deck on the backside and they call that the BS side um so that's kind of where the name came from and I think the implementation there is really um you know black hat in Las Vegas is is I don't have anything bad to say about it I think it's a great event but uh it's also very expensive right I mean tickets are basically $2,000 a pop which makes the event very inaccessible inaccessible to a lot of audiences right I mean unless you have a corporate
sponser you're probably not going to pay $22,000 to go to black hat and so um you know some of the original organizers where bides started in besides Las Vegas um they they were just kind of like hey we need an alternative here that's low cost that everybody can go to um and so they created bides um LV or Las Vegas and uh you know that you know comes from the reference to the tape deck right so you know a the a sides may be black hat and then the BS side is their conference the alternative that everybody can go to so um yeah so um that's kind of where the term comes from and then they kind of put
together like a like an ethos right of like what is a bsides and then the organizers in bsid San Francisco which which is one of the larger bsides events uh bsides Las Vegas and bsides San Francisco are pretty large um they uh you know got a trademark around the term and kind of put some legal framework in there but every bides is its own legal entity uh so like we are in some of them go through the process of becoming a nonprofit so besides Las Vegas or no besides Salt Lake City we've we've gone through the process of becoming a nonprofit we're a 501c3 that's really thanks to the work of one of the board
members um Ryan Simpkins uh he he basically single-handedly did that for us which I completely uh I I I my hats off to him I owe him and uh you know he helps us make sure we're compliant with State and um federal laws with with the charity every year so just know when you buy a ticket or um you know you sponsor the conference or anything that your money is going to the nonprofit um you know I don't you know no no one who spends their time and effort on the event makes money off the event and then the only thing we do with the the leftover funds is we use that to seed the next year's event so um so you
know my goal really is to make this a self-sustaining event right where we have enough money to keep growing it every year um you know I I could Envision a future where you know you know there's thousands of people at a bide Salt Lake City Event right I mean at a $20 price point I don't think that's unreasonable at all um but uh you know I I think there's something to be said about making this making the event the way it's been which is more small and intimate um which you know we're trying really hard to stay true to our values when we originally created this and really if you haven't heard my I think my speech is recorded on YouTube
on the channel from two years ago about like why we're doing this but um the real the reason that we're doing this is you know I don't know if you've seen in some of my emails but the slogans by the people for the people I mean my goal really here is for uh number one to get more people into cyber security I really like to get more college kids coming out to the events and um up to speed and you know just even if they like have a little interest but they're not certain uh give them a platform to to make some more Connections in the community and and kind of build their social network a
bit more and then two if you're already in the community and your cyber security platform uh professional this gives you a platform to give back to the community so I really encourage people that are professionals like to submit for the workshops and The Villages and the cof papers next year especially if you're in Utah um because like I I just want you know more of the college kids to see and get to know um you know Professionals in the industry and you know kind of have uh more of a vision like hey I if I work hard I could be like this guy or I could be like that guy um you know I could you
know um I could be you know and in the process have fun like I can do some like RFID hacking or I can learn a bunch of cool content at these talks and then um and then um hopefully Inspire them to you know go down become cyber Security Professionals themselves so uh and then hopefully you know that grows the whole Community across you know the world right so so you know even if they don't stay in Utah if they move to DC or anywhere else um then you know we're still doing our part to kind of at least help meet the cyber security Gap a bit more and and also you know one of the primary things here is
is give back right so I think a lot of us we in cyber security now and have you know the things that we have in life um we got here because somebody was will to take the time out of their day to uh you know to talk to us right I mean I know personally when I was growing up uh I used to meet up with a bunch of hackers at at a round table pizza like every week and we just talk about computer stuff and uh you know that that was pretty much the Catalyst that gave me the the ability to get into this industry and to uh you know hopefully make a positive impact so so all right
so uh I'm going to hand it off to the next speaker who will start in five four minutes now um thank you guys if you want to chat more I am on slack I'm Bryce Coons on uh the bsides and um if you guys need anything feel free to email info@ bidol city.org and someone on the team will get back to you thanks thanks
guys
e
e
e for
hey guys can I get a confirmation if uh my screen's visible and uh that I am audible yeah your screen is visible and you are audible you're good to go awesome
awesome sounds good so uh welcome everybody to my talk I am happy to meet you guys virtually uh welcome to my talk where's my do a look at web scamming attacks on e-commerce websites so before I get started I want to give you a brief uh introduction about myself I'm a senior product security engineer at uh Salesforce uh I specifically work on the Commerce Cloud product for Salesforce uh prior to Salesforce I used used to do uh a lot of pen testing threat modeling and code review uh and I was in Consulting part of aspect security and eyi uh I go by the clumsy coder on Twitter so I'm available on the interwebs uh if you ever want to catch
up to me the agenda of this talk is uh to give you a brief overview of web schimmers what they are uh the information they are after uh e-commerce sites they have manifested in uh known hacker groups that's magecart U some web schimmer characteristics uh such as uh how do they detect payment forms how do they exfiltrate data uh some of the anti-analysis features uh we've seen manifested in these skimmers uh and then dive into a little bit of the mitigation uh strategies uh that we want to enforce uh to avoid uh web schimmers from doing what they do today so before we jump into it I want to talk about uh what we're what we're
looking at in this talk we're looking at the e-commerce platform and uh just to give you a lay of the land uh an e-commerce platform is uh something that's providing uh the infrastructure and a reference architecture for merchants uh to build their storefronts on uh kind of build their uh website website on and then you have Partners uh that collaborate with the e-commerce platform to write uh plugins and extensions uh over your e-commerce platform that your Merchants can use uh for example order management plugins uh checkout plugin and so on so let's look at typical online shopping process and how a web scamming attack works in the context of a online shopping process so a user visits a
website an e-commerce website enters their credentials to log in uh the user likes a product so they they move that product onto a shopping cart immediately they move to a checkout page uh where they get to fill in their credit card information and in that checkout page uh unknowing to The Shopper a malicious scripts executes their uh collects the uh the credit card information and manages to exfiltrate that information before the order is placed now sometimes uh this is of course uh unknown to the user sometimes it is also undetected uh by website maintainers or site administrators as well let's dive into some of the uh how web skimming actually started and some of the origins of web skimming it
started in early 2004 14 and uh in 2015 when a bunch of hackers started attacking Magento based uh e-commerce websites uh they were specifically looking for admin consoles that were exposed uh or arbitrary file upload vulnerabilities uh through like cesu uh and they targeted these admins uh to upload these webcamming codes specifically uh in locations or in in in pages that were involved with the shopping cart and as you can see uh these were all under the Mage uh folder and that's why uh threat intelligent teams that were tracking these hacker groups uh started calling it Mage card and that's that's where the name stands today so how were these hackers getting in uh they were they were relying on
underlying vulnerabilities in operating systems expose services like FTP SSH uh applications admin consoles uh vulnerabilities in web application code uh third party libraries hosted on the sites infrastructure thirdparty libraries hosted on CDN and also third party plugins or extensions uh that are part of the e-commerce uh yeah e-commerce ecosystem uh fast forward to 2020 we've all seen in the news uh big incidents related to web webcamming attacks uh namely Ticket Master which was a huge supply chain attack uh where the uh Mage cart managed to compromise a third party service called inenta uh British Airways uh where they managed to compromise the web server itself and host their malicious script uh they hosted it in uh a script that
would look very uh common to any any web application that would rely on like modernizer GS uh New Egg where they again hosted a malicious script directly uh on the checkout page and then they have and then you had Macy's uh where the malicious script was added to the payment and the account profile Pages as well let's look at an example of the skimmer that that was manifested in the British a in the British Airways situation you can see it's a simple and elegant web schimmer code of Just 22 lines of code here you see uh that it is that there is an event uh of mouse up and touch end that is binded to the submit
button of the checkout page so here with just the mouse up and touch end You observe that this was not just targeted for like a web based application or a shopper going to a browser but also the touch end indicates that it was also targeted uh to Shoppers that are shopping using the mobile app as well so uh this was a very well-crafted attack by magecart and they knew exactly what uh endpoints the application is calling and they had done a lot of Recon before they actually targeted British Airways uh the other the other thing that I want you to make note of here is that the exfiltration URL the exfiltration is happening via an ajx call and it's
happening to b.com now another thing to call out here is that uh they have spun up an infrastructure that mimics the infrastructure of British Airways so anyone auditing the traffic would assume that ba is part of the British Airways infrastructure as well does uh they get to be persistant uh on the server and exfiltrate as much as uh credit card informations they want as long as uh a site administrator manages to call that out similarly uh we see what happened in the case of New Egg St new eggs as well uh where an elegant just 15 lines of web skimmer code was added here we're able to see that it is the same group of magecart because they
look they Ed the mouse up and touch end technique uh targeting not just web browsers but also mobile apps and again they are using uh the infrastructure that mimics uh new new egg uh and up a whole new infrastructure that is uh that is very similar to New Egg to to kind of get all that data off uh from their servers to uh their C2 domains now based on uh the targets that these hacker groups attack based on the volume of credit cards they get based on the skimmer characteristics and the infrastructure setup threat Intel groups have managed to profile them into seven groups uh groups one two and three relatively go for small small size to
mediumsized storefronts uh and compromising anywhere between uh two to 2,000 to 800,000 victims uh they use the same domain that hosts the script that is also used to Exel the data now whereas group four to group seven starts getting a little more advanced group four goes after high value targets uh they usually go for thousands and thousands of credit cards uh they also their skimmers also have a self cleaning ability or anti- analysis features to them uh we will walk through one of such examples as well they also have complex infrastructure uh and they are exfiltration uh or c2s look more like ad domains CDN and analytics that you would be used to seeing group five
comprises of uh of groups that go again at high value targets uh they go for again thousands of credit cards in bulk and they also look at third party uh third party domains that uh the target domain relies on uh to compromise that third party does get a foothold into the major or the exact target they are after uh group six is the one that I showed an example of a skimmer in the previous slide uh these These are the groups that go again for high value targets like British Airways and newc they directly inject the skimmer into the payment and checkout Pages uh they write very simple uh skimmers uh usually between 10 to 20
lines and compatible with both mobile and web as well uh the seventh one is also very notorious uh because they use proxy exfiltration domains uh and these domain means actually belong to legitimate uh organizations so it gets even more harder to kind of take down these domains as well so let's look at some of the web schimmer characteristics over the years these hackers uh this hacker group has matured and they are getting very sophisticated in their skimming uh technology and more often than not it is now starting to look like banking malware uh where it has has a layer of ausc it has some kind of page or form detection it has information collection and storage mechanisms wherein a multi a
multi-page checkout uh the skimmer manages to detect that and then store uh the user information in the local storage of the browser uh data exportation techniques they manage to mimic the infrastructure of the Target they manage to exfiltrate data using a get image which we will defin we will be walking through and then also a lot of anti-analysis technique where uh they detect whether some whether an auditor is actually looking at the source code detecting whether it whether the user is in debug mode and does self cleaning or erasing their schimmer code so web schimmer officiation techniques right so the the main purpose of officiation is the action of making something less clear and less easy to
understand especially intentionally so uh the ausc that You' commonly see uh when it comes to this groups these groups is name based officiation uh code flow aisc dead code insertions string encryption minifics and compressions so everything to make it difficult for anyone auditing the code to see what's happening let's look at group 7's schimmer characteristics specifically so group 7's schimmers are highly configurable they not just allow you to just set the target domain name but also uh let you configure the exfiltration uh or the proxy domains that you want uh to send the exfiltrated data tool so that's what uh you see here and these two uh these two parameters or these two attributes here or variables here uh
this is the skimmer code uh and it's relatively simple to go through uh the skimmer is simple in that it will check if a certain element ID uh check step review uh is displayed ensuring the victim has reviewed the products they are paying for reviewed the shipping details and finally filled out the payment information if the form is active and populated the skimmer will go through the individual form fields to grab the information at the end all the stolen data is concatenated into one string with each data separated with a pipe symbol encoded into Bas 64 and prepare for URL encoding now after the data is encoded uh the sorry after the data is extracted and turned into a large data
blob the exfiltration starts the exfiltration of the data is done in the form of a get request instead of a post request the skimmer creates two image elements uh yeah and and which then get their Source URLs set to the compromised websites used for proxy the encoded stolen data is appended to the URL along with the host name of the store of the store the data actually came from so you can see that here so some of the schimmers also have anti- analysis techniques uh and in this example we see that it is using the debugger keyword and if there is anyone auditing a checkout page that actually has the skimmer embedded in it uh they
would actually end up opening the uh the browser's uh developer tools and if the developer tools encounters the debugger keyword the execution of that page would actually stop and it would expect the user would actually resume the the control flow of the program now what the schimmer does here is it it makes note of the date and it makes note of the times and calculates the the difference in the time if it is greater than an predefined offset it sets the is debugging true and this informs the skimmer to kind of delete itself from that Dom or from that page so these are some of the techniques uh that these groups are now starting to
use to kind of evade uh detection and being audited as well there are also tonography based schimmers so how often do we go to a web uh to a Ecommerce site and we see uh a label like this on a checkout page right uh there are ways in which the the hackers have managed to even uh embed the hackers have managed to embed uh skimmer code in these images as well so if I were to run strings on this image we'd see that this image starts off with a regular gpeg or JPG file and then at one location it starts actually uh with ja JavaScript code and you now ask how this JavaScript code is actually
executed in the context of uh the checkout page and turns out uh there is u a JavaScript API call uh especially slice it's called slice where it extracts that extracts the code from that position and invokes it as a function and thus running the skimmer on that page and allowing it to get do what the schimmer does and exfiltrate uh credit card information websockets uh this is one thing that we've never thought of that could be used for web skimming but turns out uh the hackers have managed to even use websockets as well so if we are if anyone's using websockets and we want to audit and see uh how this websocket was actually initiated we' actually
try to search for a websocket initialization in that page but this is a very nice uh nicely obfuscated officiation technique that the hackers have used here they have managed to cleverly hide the skimmer loader uh by using a CSS class to construct the websocket URL and that's what you see here uh this is the origin websocket call that uh this this is the actual code that creates and reaches out to the server using websockets and this is uh the actual routine that uses the CSS uh to kind of construct the websocket URL once the websocket uh URL is created it reaches out to the uh attacker uh domain and the attacker domain keeps sending some benign responses until it
sees the checkout in the URL once it sees uh the checkout keyword in the URL it actually sends the main uh web skimming data back to the checkout page which executes in the context of the Dom and does everything the skimmer would do to exfiltrate data uh from their from the target domain so now that we know what we're against what can we do to protect uh especially from an e-commerce standpoint an e-commerce uh platform manages hundreds to thousands of storefronts so what can an e-commerce platform provide to the merchants uh to make their storefronts more secure so and there is no Silver Bullet here the the the solution is going to lie between uh the
collab on the collaboration of the merchants the e-commerce platforms and the partners combined so so let's walk through some of the mitigation strategies that an e-commerce platform can provide to begin with e-commerce platform can enforce two-factor authentication across all Merchant site administrators and developers Harden server operating systems reduce the attack Surface by minimizing the exposure of services like SFTP and SSH uh provide secure by default configurations so uh if the if the merchant spins up a new storefront uh we need the e-commerce platform should always provide it over https and provide configurations uh to to communicate over uh secure ciphers for for example uh update developer documentations uh to reflect security best practices for uh reference
architectures uh for the merchant so that they always start with a secure State when they when they use a default spun up storefront provided by uh the e-commerce platform uh perform secure code reviews of partner code uh extensions because we're seeing a lot of uh these hacker groups now Target partner code vulnerabilities in the partner code uh to kind of compromise the merchant storefronts so perform secure code reviews uh of of all of those extensions that uh the e-commerce platform maintains in their Marketplace uh sub resource Integrity uh this is uh this is a very very common uh approach to uh kind of stopping uh execution of malicious scripts in in your website or your
domain so say you have uh the my shop.com and it requests a site uh and the site loads uh a JavaScript from some cdn.com uh having a copy or the integrity uh using the Integrity attribute in the client site would be very beneficial because the browser would already have the hash or the message digest of the script that was requested once the script is downloaded onto the client the browser now calculates the message digest and Compares it with the message digest that was already in the client if it matches it executes uh the script or else it will not allow script to be executed so what happens if a web schimmer is actually present in a in a script from
some CDN in this case uh the the hashes would not match and the browser would not allow uh the skimmer to be executed and thus uh the data might will will definitely not be exfiltrated uh to the attackers domain so sub resource Integrity is uh is a very good friend uh for for for when it comes to uh checking the Integrity of the scripts that we run in our domains uh and this is the general error message that you would see on your browser uh when a Sub sub resource Integrity check fails some SRI considerations it is a trust but verify approach well-known CDN support this today and they provide you a hash with corresponding version values
of each script that you want to use in your domain uh update the sub resource Integrity attributes when scripts are updated it's very important to do that or else it might break functionalities in your website Integrity attributes can also be applied to CSS so you might want to consider something like that uh and partners that develop extensions for e-commerce platforms must also now include sris and this is something that uh an Commerce platform can start uh holding to Partners to to start enforcing sris in every script in their C in their extensions as well and partners must also now maintain and make available the extension versions and the corresponding hashes as they maintain uh their third party code and provide them
for merchants to integrate in their storefronts again sub resource Integrity uh is uh all almost supported by Hall browsers today it's been there and it's very reliable the next one is content security policy and this has traditionally being used to mitigate cross-side scripting vulnerability attacks or cross-side scripting attacks by whitelisting uh sources of script style and other resources and this is exactly what a typical cross content security policy would look like uh for a site so default it would allow any resource to load in that domain uh script Source can be anything that is listed here so it would be some cdn.com uh font Source will be from the domain that it lists similarly style and
connect to only domains uh that is specified and connect Source applies to event sources uh xhr request and also uh if I am not mistaken websockets as well so let's see how uh this is going to help from an e-commerce standpoint and how it can protect a storefront in an e-commerce platform as well so that comes back to my question right how is is this is CSP going to be good for an e-commerce platform uh and from a platform's perspective that manages 100 to thousands of storefront how can we scale this solution for our Merchant on our platform uh how can we detect in advance of a sub resource compromise and inform our Merchants uh
how can we allow our Merchants to decide what resources they should be loading in their storefronts and how do we allow our Merchants to profile the known good resources versus the known bad or even worse unknown domains as well so there are a lot of problems and we want to see if CSP can actually help us solve these problems and turns out uh there is the CSP simulation mode and specifically the content security policy report only so this response header instructs the browser to report any violations related to loading content to report violations here in the report URI section and that is an endo on your server in this case the browser is going to send a Json formated violation report
to our endpoint and and note that with this configuration CSP does not enforce any restriction for loading contents but only reports the violations and for merchants that heavily rely on third party resources it makes sense to evaluate the current state of your application before rolling out a Draconian policy to your users and as a stepping stone to complete deployment you can ask the browser to monitor a policy report violations but not enforce restrictions now the next step is crafting a policy for your storefront by evaluating the resources you're actually loading once you think you have a handle on how things are put together in your storefront set up a policy based on those requirements crafting your policy
is the first is first analyzing your resource dependency that gives you a great way to ensure your storefront functions flawlessly for your Shoppers and mitigates the risk of web schemer injections through compromised domain s and this is one of the major advantages of You' get to know the known good resources for your starfront thus we reach to the Final Phase of policy enforcement and alerting as well so csp's ability to block untrusted resources client side is a huge fin for our merchin but it would be helpful to have some sort of notification sent back to the server so that you can ident ify and squash any bugs that allow malicious injections in the first place so by combining the
content security policy with the report URI you can do exactly that the CSP violation report now act as a good resource for investigating Mage card type attacks this report contains a good chunk of information that will help you track down the specific cause of the violation including the page on which the violation occurred the page is referrer the resource that violated the PO the policy and specific directives it violated and it also provides a copy of the complete policy as well so this allows e-commerce platforms to build intelligence of known good versus known bad domains allows deployment at scale across our storefronts now zero customizations are required it's only at a configuration level all pages on the browser can can
be monitored including payments and payment Pages as as well and now we have the ability to alert Merchants about compromised domains across the e-commerce platform again these are very well-known uh policies or headers that are used and supported across browsers today coming to the last mitigation is using of iframes uh iframes uh now again CSP directives as a binary approach either the resource is allowed or denied uh so what happens to content that you kind of trush but not completely trush this is something that probably beautifies your page or something that way if if frames can provide part of the solution like by providing a separation between the application and the content that you load so let's look at what protections
iframe provides out of the box so the content that is loaded is limited to the outline of just start if frame when an external resource is loaded in an iframe the browser cross origin policies kicking so no no access to the parent Dom no access to local storage index TV or cookies sounds good but I don't think it's good enough for the following reasons cross domain iframes will still allow embedded resources to trigger alerts and popups it can even invoke browser plugins it can autoplay videos present submittable forms thus giving a segue to fishing and in some cases when you iframe uh the same origin as the parents iframe it may get access to the
window top location window window top object as well so which makes it kind of scary in comes the iframe sandboxing now this further locks down the resource that you embed in your domain uh because it does not allow access to Doms to the parent Dom or index DB it does not allow access to the same origin forget same origin not even its own origin access to render forms access to render the pointer locks access to execute any JavaScript may it be uh event handlers JavaScript URLs or even no scripts and also does not allow access to run plugins in any which way now that is uh but how how useful can it just be to lock down all of those
right what happens if uh we want to give certain permissions and and lock down the rest so in such situations there are granular flags that let us do that that let us maintain a whit list approach so we can provide the ability of for that sandbox resource to uh to provide form permissions to allow popups to allow pointer locks that's Mouse movements to allow access to their own origin to allow scripts to be executed in within their uh execution environment and allow access to top navigation as well so by adopting a whit list approach in which we only Grant permissions to capabilities that are required we reduced the risk of embedding the resource in our storefront with no ill
effects so it's a win win-win situation for everyone concern can I use it is uh widely supported in all browsers today as well this brings me to the end of uh my talk I am as uh mentioned before available on the interwebs and uh if I do not have the time to field questions I'm definitely available uh on the slack Channel as well thank
you e
okay I think I am good to go here so this is Oran Zang uh let me bring up my uh presentation and we'll get started let me know if you have any trouble hearing me we can hear you and we can see your screen you're good awesome okay let me try to put this in presentation mode can you still see it in presentation mod um we can still see your screen but it does not appear we still see your slide decks on the left one through 16 but yeah
how about now that's great full screen good job cool all right so quick and show so my name is uran I'm the founder of jupter one and the ciso of lifeomic uh so I I actually did a similar talk last year at besides solic City in 2019 that talks about how we internally build our security operations on a a graph database a graph based cmdb uh this is an extension to that and uh you know actually jupit one is the product that we built um that supports that but uh I'm going to talk about this in more General kind of concepts of the graph cmdb and and using some the examples of our own product to to highlight that um
and just just so you know I'll be sharing some code examples um and this is doable yourself with um with any graph datase like new forj and other things as well so um a little bit of the recap from uh last year so for folks who has not seen my talk last year here's here's a link to it and I'll go through a couple of the Recaps so people have some um kind of Shar shared background and common background so um it's not kind of so abrupt when I jump into the use case uh I I'll go through this very quickly and there's Links at here and at the end you can kind of get more details about
this graph DB itself now first of all the reason that we buil a graph based cmdb or a oper new model building on on a graph is because of this and because we want to analyze not just the resources and their configurations as a TR traditional cmdb or configuration management database we do but what we like to do is to to be able to analyze the relationships and the contexts uh that are derived in from these relationships because as this statement says Defenders thinking lists and attackers think in graphs and that's why attackers win and we don't want them to win right we want to win instead so uh a few things that we can
do with the with the graph and first of all this is the data that we collect into a graph data model or graph database and it's not just the typical it asset that people think about and we actually have the graph um objects represents anything that we can think of that's related to our security operations to our compliance programs and um and just overall our digital operations we are very much Cloud native and digital so this is relatively straightforward for us to do there's a lot of apis that we can leverage to build this and anything that's not you know API driven we can still U manually using a script to create these in the
graph database so like like you see here it covers anything on this list from policies to risks to organization users accounts even vendors and vulnerability findings uh endpoint resources network resources agents on those hosts and servers and of course as well as our resources in the cloud in the AWS infrastructure so what can you do with this graph right so once you have this graph there's so much that you can do that we find that we end up doing with this graph now this becomes our uh core and our almost our operating system for uh for our security analysis and the compliance program so here are some use cases I'm going to focus on on one in in
my example in a little bit that has to do with access review U but these are some of the use cases that can be realized with this data in the graph and the the pattern it really is U pretty straightforward and we have one single pattern which is you know doing security as code and in an engineering pattern where we can use apis to collect data and then use Query to analyze and get insight from that data for any of these use cases now let me describe a little bit more what this graph looks like so uh a graph for this particular use case for GRC you know policies controls and just overall program management may look like
this so you got an organization that has polic policies uh which you have procedures and and controls that implements policies and then you have various compliance standards that you have to meet and the there each standard has a requirement and the procedures and the controls Implement those requirements and so on so forth right so this is a high level view of the what the graph data model looks like for uh for this area of things and you can see the the gray boxes where uh from here it connects to other subgraphs and there's a graph for user management account management and vendor management and here are some of the inter relationships of how the organization owns the account and which
account has what service and has what user or user groups and so on so forth now this ties into the previous TRC data model and it also ties into the vulnerability management data model which is presented here uh that everything in here surrounds with the vulnerability findings which can impact a variety of different resources like a host or application or Cod repo um and this graph like on here for example right allows us to answer questions like what's the pattern in these findings right so which uh which weakness is probably the most predominant in our environment uh in other words right so if we have a 100 findings that that's all exploiting us a same weakness so we
know that is a weak point in our ecosystem so that's what Des graph represents and then we have a graph that represents Network and Endor infrastructure of different hosts and resources and um different entities in I in the AWS uh infrastructure and and so on so forth now I'm going to use a specific example when you see you know what questions can the graph answer here's some example questions specific to AWS and I'm going to um ask this particular somewhat complex questions and how we answer this with the graph query and the the question here is are there internet facing ec2 instances that are allowed access to non-public S3 buckets now uh it's a long
question and and in order to answer this question it actually has seven different criteria um that it has to meet and these are the seven things that we have to check for in order to answer precisely without noise or without false positives the answer to this question so first instances are active they are life there are security groups in those instances allowing you know two or from the internet and instances are publicly routable um and then there's Network and you know VPC access allowing the uh the network access to the internet and Security Group rules and IM policies and IM rowes and so on so forth but you can read this in the slide so all of these
conditions has to meet uh in order for for this particular um for this particular uh question to be answered right so this is what this looks like with a graph query so imagine that if you are to try to answer this across oops multiple environments uh at the same time if you have maybe 50 or even 100 or more AWS accounts and uh you have thousands of instances and you know hundreds and thousands of IM polic and rows and the equal amount of uh S3 buckets so this this becomes a classic security problem where you're trying to find the needle in the ha stock now with a graph right so assuming that we have this data
collected and we have mapped out this relationships and how things are related to each other so we can run a query like this right basically Traverse the graph and starting from the internet and you know looking for um connections to security groups and then looking for connections to um I AWS ec2 instances and here's a cluster of them and then looking at the IM rows assigned to these instances and then the policies assigned to this rows and their access to the S3 buckets and if they are um labeled or classified as public or not so this particular example right so showcases you know how you can use a graph query to do a um graph traversal and do this
type of threat and risk analysis or configuration auditing or whatever you call it so this is a bit of a recap of um you know why we build the graph cmdb and you know how we're using it internally to identify risks now uh I'm going to move on to a particular uh use case that we've just recently did for for our user access review so the question is is really this uh is you know how do we get cross environment context out of the graph right so it's not just within the AWS environment itself right how do we connect the the dots across multiple environments so from you know one user from user accounts from one environment to another
one so let me describe this use cases um for you a little bit and a a an article from Microsoft that um that you saw here below actually was from their RSA presentation just a month or so ago and they've um put out this report that says 99.9% of the compromised accounts did not use MFA and only 11% of all the Enterprise accounts that they have visibility to actually have an MFA solution overall so for us internally this the natural question is uh are MFA enable for all of our user accounts right now with the graph uh this can be answered pretty easily well so first we thought that uh we have all the user right so we collected all the
user informations from the different accounts you know we have accounts um in bitbucket and GitHub and octad and so on so forth right we have all of those aggregated into the graph so we can easily run a quy and something like this that says you know find user with MFA enabled not equals to True uh that has not been assigned or is not using or does not have an MFA device so this Corea have two conditions and one of them is saying that uh if the user itself doesn't have the MFA enabled flag as we've analyzed the configuration from a provider and additionally uh if that's the case and and also the user does not
have a sep MFA device that we know of attached to the user account that's you know configured this way so this checks for for both of those conditions well the result of that query when we first ran it um says you know 569 user accounts with no no MFA enabled but that can be right we have uh actually we're a small organization we have less than 100 employees and you know cross multiple environments you know maybe we have have a thousand or so user accounts right assuming that each person have 10 accounts and that's roughly a thousand accounts so more than half of those had no no MFA enabled and that that just that can be right because
I know that we we that's not the case for us so what what was happening why were there so many false positives exactly because of single signo so these users they never log in directly to the provider instead they log in we use OCTA right so via single sign off so as you can see here that these provider user accounts right as we call the provider apis to get information about those users uh and the provider is going to say yep they don't have MFA enabled so if we ask GitHub and you know give me the list of users or ask Jura or Google or Office 365 or no before and these these environments they're all
going to return and say yep here's the list of your your users they don't have MFA enabled now in reality they actually do go through MFA because the login flow is via OCTA single sign on using Samo so here here's an example in this example I I run a quy uh just for my own user and uh if you look at the Cory itself I said you know give me the bit Buck the user with uh with my name as user a and that has an account which is this B bucket account that connects an OCTA application which is this adashin Jura application and that is assigned an OCTA user which is my OCTA user right here and show me if my
OCTA user has assigned or is using an MFA device Well turns out I have four MFA device configured so what this Cory is showing you is that I am actually logging in through OCTA and into bit bucket and I am you know using MFA for my octad account but um B bucket doesn't know that right so and uh the B bucket user doesn't have that property for MFA so what we end up doing is well we know we have this information in the graph you know we just want to enrich this bit bucket user entity uh to have that property to have to know that I am an a single sign on user and I have MFA
enabled if this graph condition is met so here's here's what we did um but we also don't want to assume right so we don't want to assume that's always true so we only want to do this uh type of connection or we only want to update my bitbucket user entity only if this condition is met so we we don't want to make the assumption that because we're using OCTA that all of our users are going through this flow so what we have to do for uh accuracy and a level of assurance is to do some correlation using the graph so for each user we have to run that query essentially is to say I have to
correlate for each user that is not an OCTA user um then application is assigned in Octa and the user uh has a matching have a matching user by email or whatever case that might be uh that is assigned to this octad application the single sign on application and then my my OCTA user has the MFA device configured or assigned so that's the condition now how do how do we do this we can do this with Cory and with code so the first for the first condition um so this is the query we ran right you say you know find a user with the unique identifier the unique key as the first user that has this account that connects
to whatever account that might be or it could be an A J account it could be a g account or no before account whatever case that might be so these are generic um representations of user and account now we say we want to find that that account that specifically connects to a corresponding J uh octat application and I want to find the users that are assigned to uh the octat application then the user must be active and then I'm going to compare this first user and the second user and if their username or email or some other condition is met then then I can know with some level of assurance that this first user right
here is actually a single sign on user so if that is met then we set the single sign on user SSO user flag on the on user a to true and then secondly now as you can see here right so we added a condition and say for that same user um if that is a single sign on user I'm going to run a second query and to look for any of the MFA device assigned to that OCTA user if this is found then we're going to set a MFA enabled flag to true on that original user so what this should allow us to do is to filter out all the noise and uh it turned out that actually worked so after
we rent that uh script so this is the same example for my user so my bit bucket user now has a MFA enabled flag and a single signo user flag both set to true and that's what we use graph context right so this is just one uh example use case of how we use the graph context and use code and use Query uh to enable and reduce the noise in our uh security operations anding our threat analysis and in this case for Access reviews uh and when we run this quy again this is the exact same Corey that we we run again we identified instead of 569 so now we actually have 47 user accounts with no MFA and we've went
through these the results of those 47 and that is actually correct and uh remember previously we said we don't want to make any assumptions right so and this actually caught a bunch of system accounts uh that these system accounts were not SSO users and they should not have MFA enable flag um set to true as intended and then they don't and we also in the process actually identified a handful of user accounts that actually need remediation so that's the uh the end result um and I want to share with you some of the resources so this the code that we did for this particular exercise is available in our graph enrichment example repo uh we also have I I've done
a number of different seops automation examp post that's in a different repo that you can check it out uh and of course you know check out some some of my other talks at this is the last year's talk at bides and then there's a talk that goes a little bit more deeper into the vulnerability management use case of using a graph database at RSA uh this this talk right here was actually uh joined by the ciso of Reddit so this might be interesting for some of you so I went through this very quickly I want to leave you with this right is that um the the reason we built everything into the graph database is
because we are consolidating our data into a knowledge base and this knowledge base allow us to be able to quy things and be able to take action with confidence faster using code and using quy and using automation built from that uh I I think I went through everything very quickly and I want to give it a few minutes to kind of go through any Q&A if there is any
all right how do we do Q&A here um they can post it in Q&A and it'll pop up in the bottom of your controls as Q&A questions okay all right I don't see I I don't see any in there right now all right then well thank you very much and that's the end of my presentation thank you
don't we did see a hand pop up if you have a question for him slack is a great median for a lot of us that hanging gather um I also see another question popped up but feel free to send that to him in slack while we get set up for Renee to start
here and Renee we are seeing your screen it is coming in good um you're still muted though I don't you can wait five more minutes or if you want to check your mic perfect can you hear me now you are coming through just fine so if you want to start early but this is published so maybe you want to wait till on time in case somebody is expecting to join you right at 3 so it's your call we're good either way yeah let's wait for a few minutes if you're H good at beatboxing or anything like that feel free to throw some of that
I can say that uh I'm on the fourth day of uh the SE shelter in place ordinance here in California and I already feel a little bit like
this so um yeah I was looking forward to meeting everyone in person but I appreciate the online opportunity as well I think we all feel a little bit disconnected so this is a great opportunity to stay connected and learn something hopefully yeah big thank you to you as a speaker and all the rest of our speakers who are willing to Pivot last second I mean just like the whole con everything definitely different times than anything I've had in my life
I'll start right at
three
e
e
e e
okay let's get started can you still hear me yep you're good to go excellent excellent well uh my name is Sir Rene kga and I have always dreamed of speaking at besides as C so um this is dream come true really appreciate the organizers and the sponsors for to for putting this together uh topic of the day I think it's a pretty hot uh topic ransomware we even though Believe It or Not Ransom started back in the 80s but um three four decades later we still for some reason seem to be unable to tackle that problem and that's exactly what my present presentation today is about um quickly about myself Rene I've been in security for quite some time uh worked
for companies like alterus semantic Citrix and a number of startups mostly in the areas of antimalware encryption and Insider threat so today's talk is um uh is about uh uh ransomware and why we can't seem to be able to tackle this problem uh I will very brief briefly talk about how ransomware works then I'll spend some time going over four uh typical methods uh that the cyber security industry and endpoint security products attempt to detect and stop ransomware with all of their pros and cons then I'll talk about how things can get even worse and talk about one of the evasion techniques that ransomware can potentially leverage to be even more deadly and finally show a couple of live
examples of um ransomware that's bypassing two major npoint security products so let's get going I've already showed this and shared my uh my desire for for Connection in these strange times so again appreciate that the organizers uh decided to continue with the event even in this online form okay so let's get down to business how um what's the typical ransomware workflow I'm not going to talk about how ransomware gets in whether it's fishing insecure RDP or something like that right that's irrelevant we all know that the bad guys will find a way but what happens then uh obviously ransomware tries to find your valuable files your office data maybe a database maybe pictures uh it tries to uh it will uh
keep the system files um in place because it wants the OS to be still bootable so it can display the message and and ask you for some Bitcoins so it uh reads those files that it wants to encrypt it encrypts the content in memory and then it has a choice of what to do how to uh get rid of the original unencrypted files and it can choose to do one of the following things and and there are other ways as well I'm just listing three here one option is to uh uh save the new encrypted file on disk uh and then use a delete file operation to get rid of the original file another option pretty devious one is to write
the encrypted data straight back into the same file into the original file and maybe even keep the same file name and that may um make the restoration even more difficult and then another option is to uh create a new file on the disk and then replace the original file using rename operation so these are just um a few ways um ransomware can get rid of the original uh data and that's pretty important to understand um if you want to stop ransomware right so now let's look at the various detection methods that the industry has been putting forth to try to detect and stop ransomware and as we all see from the news obviously those attempts so far has has not been
very successful unfortunately I'll describe and explain exactly why so let's start with one of the more basic methods the static file analysis this is um um this is a generic approach that antivirus and antimalware and anti-ransomware products leverage to stop uh any virus including ransomware so it's not specifically designed to ransomware per se um but so this is where um an antivirus or similar product looks for some signature right it can be sequence of terms words and things like that and what are the pros well um false positive rate FPU rate is pretty low it's very rare when an antivirus product says that and this binary is malicious while it actually isn't so that's that's obviously a plus
because we're already as Security Professionals we are overwhelmed with those alerts and false positives H it's um what else another good the last bullet point here is is pretty important actually it stops attack before any files are encrypted so it does not sacrifice any files before it triggers the defenses so that's great um what what are the conss well obviously we all know signature based um tools are pretty easy to bypass even if they leverage an machine learning or AI based signature so it's it's pretty easy to bypass so hence false negative rate is pretty high and how the bad guys um how how do the bad guys bypass those defenses well they use Cryptor Packers
and various ways of ofus skating and changing those those signatures for every attack they launch okay so let's move on to another technique another pretty basic even surprising technique I would say is a common file EXT extension Blacklist based approach where um a security product will look for well-known ransomware extensions and say oh look if a file is being created with this file extension you do something then it must be ransomware so we are going to stop it and what are the pros well pretty low FP rate um uh and um again the no damage is done or maybe one file sacrificed to ransomware but then uh defenses kick in and ransomware stop well obviously I I
don't need to explain probably that it is very trivial for uh for attackers for ransom wire Riders to bypass unfortunately the only thing they need to do is to use um you know random file extension or or change a file file extension or not rename files at all right keep the same file name with the same extension after they encrypt the data and if you don't believe that these uh these tools are actually the this technique is actually being used in some of the leading security products I've obfuscated the the the logo of the product here but um you can see uh this one of the radio buttons file encryption a process that created a
file with a known ransomware extension was terminated and then there is even a separate setting specifically for Loy ransomware so believe it or not that method is actually being used uh next deception right this is where um a security product would create a set of files kind of bait files and if any of those files are touched then uh then we can commit the process that that touched those files as ransomware so it has a benefit that it can detect ransomware that other methods may not be able to detect stop like static file analysis first method we looked at uh what are the CLS well obviously there is very high chance for FPS here false
positives because um typically well because one the user can touch those files or or a program can touch those files and hence trigger those defensive mechanisms um and then um of course the bad guys know about all these methods so uh as these bait files or or Honeypot files tend to be created as hidden uh files or folders ransomware can just bypass and Skip those uh those hidden all hidden files and folders and hence not trigger this particular method okay moving on to a little bit more more Advanced Techniques uh one being the mass file operation what is ransomware no what is ransomware typically known to be doing right it will do a lot of reads and
writes and probably delete or rename operations well what if we Define some kind of a threshold a limit like if we see so many uh of of these file operations within a certain period of time then it seems like this is ransomware so again that it's it's a little bit more sophisticated so hence it can detect some of the ransomware that other methods may not be able to detect but um obviously there is a concern about false positives here as well because you as a user may be legitimately just moving one folder to another right and that would potentially trigger this threshold uh and then um some files will likely get encrypted they will get sacrificed before this
threshold is met and finally the the attackers how attackers bypass the these methods they they either uh slow down the encryption process so potentially spawn multiple uh processes for uh for different files that they encrypting um I believe that the the infamous locer googa um ransomware uh actually was launching a separate thread for each file it wanted to encrypt and hence the encryption itself was actually super slow uh but maybe that's why um Locker googa was able to bypass even so-called Next Generation antivirus products uh and cause significant damage and finally um kind of variation on the previous method is the measure method that measures the change within the the data itself within the files it's not just looking at the mass
file operations but actually looking at the content of the data and measure the randomness for example of the data uh using an entropy calculation for example um again um there there are pluses like with all methods and it will have fewer FPS than the previously described method uh because this is more sophisticated it's not just looking at the mass file operation like moving a folder from one drive to another uh um however in even in this method some files will likely get sacrificed and then attackers can uh only encrypt maybe parts of the files or random sections of files uh or or encrypt in chunks and thus potentially bypass these uh these detection methods okay so this is kind of my very
non-scientific rating of the effectiveness of uh the five methods I I just described from one to five as you can see none of them are at at level five or even four so so that's one that's why we still see uh ransomware headlines in the news almost almost every week um and that's why most um endpoint security products actually combine multiple if not all of these techniques and their products in the attempt to increase the overall efficacy but as as we all know unfortunately the efficacy is still far far from where it needs to be okay so let's uh switch gears a little bit no ransomware presentation is complete without mentioning Wan cry right this is probably the most
well-known ransomware that affected over 150 countries billions and billions of economic loss uh surgeries had to be cancelled etc etc right and that's everyone remembers about that but what um some people actually don't remember um I think is that wry was actually completely stoppable completely preventable right because Microsoft actually released a patch for an underlying uh uh vulnerability almost full two months prior to the W cry attack happened so the only thing you had to do to be fully protected from one cry was to leisurely within two months apply a Microsoft security patch you didn't even have you didn't need a firewall you didn't need an antivirus you didn't need any other fancy products to be fully protected from one um and
still the damage was substantial as just described on the previous slide so um so what if um what if there was a a method that we actually don't have good defenses against and that's um that's um uh and there are many I'm sure this is just one interesting evasion technique that our research team discovered last year and I'm GNA give you a little bit of details on about this technique called replay it's stands for rest in peace and replace at the same time and so this is an interesting technique why is it interesting is because it's not just an evasion technique that allows you to bypass your antivirus or anti-ransomware products but it also is a is a blinding
technique in the sense that it leaves no traces in tools like EDR or endpoint detection and response that are meant to provide that kind of a recording of all the events that happen on the on your laptops desktops and serers so that if attack happened and the damage was done you can so to speak rewind the tape and and and investigate this incident and and see how did the bad guys get in when what did they take and and hence kind of you'll be able to the idea is you'll be able to fortify your defenses so those uh a similar attack in the future would not be successful so the replace of agent technique actually not only
bypasses the defenses but also leaves no Trace in those tools and that's what makes it quite interesting so what is U replace exactly if you remember one of the first slides I showed you how ransomware works and specifically how it get gets rid of the original unencrypted file well uh replace is a variation of this fourth of the third method that rename operation and what um exactly happens here it actually leverages um pretty obscure uh function called Define dos device what is Define do devices basically allows you to instead of pointing to a file directly use a SIM link or or symbolic link to point to it right it's kind of a shortcut right so
so instead of pointing and you can create a a Sim link for a drive for a folder or you know my secret cheesecake recipe right um so what happens here is that if um if uh you pass a Sim link to to a function that a security products typically hook in order to uh uh evaluate whether this file system operation is legitimate or or not whether it's done by you know the virus or or ransomware H if you pass instead of a full path you pass a Sim link using Define do device the operation the the driver actually receives an error code while the operation succeeds so what happens here is that as the security
products filter driver receives this error code 33 three it assumes that the operation failed and hence it skips all the detection you know malicious activity detection logic completely while the operation actually succeeds so I know I'm going a little bit um technical here and you can read much more details in in our report about exactly how it works and we have a sample code PC code posted on our GitHub uh repo as well but um I think most interesting thing is to actually see a demo of this of how this technique can bypass some of the leading security uh products so I hope um you can still see my screen I have a VM running here and
what I have on this VM I have some um some data in the in the documents folder some let's imagine there's some sensitive data here and um uh I also have a proc one running to see the the results of the operation and uh in this demo I'm showing I'm using um Windows 10 built-in anti-ransomware feature called a CFA or controlled folder access um and it's as you can see it's enabled um it's the folder I'm showing the data in is part of the default configuration as part of the protected folders so this CFA technique is meant to uh specifically protect your data uh and resist ransomware so let's um now run a simulated ransomware and see what
happens okay I'm running a simulated ransomware here and if you look at the procmon results see the process ransomware that exe it attempted to um replace or encrypt these four files that we just looked at and it got access denied so CFA worked as expected right it prevented ransomware from uh tampering with this data so we can double check that the data is indeed intact so now let's use the same ransomware but that leverages now this evasion technique this replace evasion technique that I just describe so now let's run replace and something interesting has happened one we see that replace all four operations received the result success we don't see any any folder or path or a file name anything right so it
it did something to nothing but now let's look at the data itself and as you'll see that actually the files were encrypted the files are gone now and um and CFA did nothing right so so that that was interesting so let me um roll back to another snapshot of uh this this demo and show you an example of different endpoint security product and this time it's not going to be Microsoft CFA it's going to be a leading endpoint security product by by semantic semantic endpoint protection or set so um here is setup is is similar we have uh our proon uh we have sensitive data this time it's not um it's not files or or
images this time it's um it's a host file right that's a pretty important file to protect um and we can see the file is just fine right now and sep sematic endpoint protection actually has lots of different uh modules it has the exploit mitigation and an unknown threat detection and and a variety of other techniques everything is enabled everything default configuration um and one of the interesting capabilities that se has it specifically has a protection against tampering with host file DNS change and host file detection as you can see those set to to prompt if anyone attempts to to tamper with these particular files and as you can see of course the sap is complaining here is
actually I didn't update the definitions at all but I believe me if I had then the result would be exactly the same so that's uh that does not really matter uh so let's now run a simulated malware that or or ransomware that attempts to encrypt that host file that se protects and let's see what happens looks like like SE works exactly as as designed right it says someone is trying to to Tamper or or modify host file and you want to block or allow this well obviously we want to block this so if we look at the proon you can see malware attempted to uh tamper with this particular file and it received access deny so let's double check that the file
is fine okay and so now I'm sure you already know where I'm going with this H now I'll attempt to do the same exact operation but now leveraging this evasion technique called replace and let's see what happens well as as expected you can see replace. exe received success in doing nothing there's no file path nothing thing so you you won't be able to really investigate this if if this happened and now let's look at the host file itself what happened there well not surprisingly host file is now encrypted so that's a kind of a quick demo and and again replace is just one of dozens if not hundreds of different techniques that the the bad guys can can
leverage to to buy pass your defenses if those defenses leverage a blacklisting approach there's just no way to stay ahead of the attackers 100% of the time if all you do is attempt to uh you attempt to investigate and stop their new new methods so this um Discovery received quite a bit of coverage and the likes of bleeping computer um but um what can be useful for the audience potentially is that um there is this very simple tool that we post on our website that you can test your uh endpoint security product against this uh for susceptibility to this replace technique um it just attempts to encrypt one file on your desktop that you pointed to it just leverages sore
encryption so obviously you can just rerun it and get that file decrypted again if your security tool was not able to stop it so some of you may may ask that well why um if this technique could be so potentially dangerous and damaging uh why release details about it right well obviously we followed the responsible disclosure process and typically responsible disclosure is U three months right we actually gave the industry about nine months um we we out to Microsoft we reached out to dozens of security vendors with the details about this evasion technique H and uh we we got some response and there were a handful of vendors that actually addressed this issue in their antivirus
and endpoint security products because it's actually fairly easy for security vendors to detect and and properly handle rather this evasion technique but unfortunately from the most of the vendors we heard exactly nothing so at some point you you need to release this to to the public uh and and hope to put pressure on the rest of the industry to uh to address this issue uh to keep our environments um secure that's uh all um I had to share with you so happy to to connect um um happy to connect uh with anyone LinkedIn is probably the best way to connect with me um and uh yeah hopefully you enjoy this thank you very
much
e e
all right good afternoon everyone uh my name is David French and thanks for attending my talk today and this is a chain is no stronger than its weakest link um so today I'm going to be talking about the ways in which adversaries abuse Windows shortcut files and how Defenders can hunt for and detect this Behavior both statically and dynamically and I'll also be talking about a model that Bobby Filer and I worked on to classify shortcut files as malicious or benign um so just a briefly a bit about me before we get started um so I'm a security research engineer on elastic Securities protections team I work on analyzing adversary tradecraft and developing detections and hunts and I
enjoy increasing the cost of an attack for adversaries and finding ways to help Defenders get the upper hand um I'm a contributor to Problem Child which is a graph-based framework used to discover anomalous patterns based on process relationships and I used to lead hunt strategy at a large financial institution and I'm a coauthor of the elastic Guides of threat hunting which is a free book just to help practitioners get started with threat hunting so let's just take a minute to go over the agenda for this talk um so I'll be talking about some of the reasons why I think attackers are abusing link files and I've done so for several years now um for those who are
not familiar with analyzing link files I can go over the file structure and the properties that practitioners need to know about when they're either analyzing or detecting malicious links and then I'll walk through some examples of how attackers are abusing link files in the wild to help them achieve their objectives and then I'll call out the interesting features of those files along the way that make them stand out as suspicious and then I'll talk about how we built a model to classify link files using machine learning and I'm going to be walking through this process to show how security practitioners can apply their domain knowledge to extract features from samples and then apply data science techniques to try and solve
a security problem and then we'll wrap up by talking about some possible next steps for the research and then share some useful resources with people who want to learn more so before we cover link file anatomy and how attackers are abusing them um let's go ahead and talk about some of the reasons why I think they've abusing this F they've been abusing this file type for some time um so here are some of the reasons why I think um they've been abusing them for several years now against their targets um so firstly crafting malicious links um or modifying existing ones to include a back door is super easy um the barriers to entry are really low uh due
to the availability of just off-the-shelf open- Source offensive security tools and if you're interest in those I've included a few examples on this slide um so although some people get frustrated over free and open- source security tools um or offensive security tools I think they really provide blue teams with the opportunity to simulate adversary activity pretty easily test their defenses and then understand their organization's ability to detect or prevent that activity um so I think traditional AV software has typically had poor detection rates for malicious links from what I've observed many of the scanners on virus total Miss U malicious link on day one but then detection rates seem to move towards um 20% or greater within a
few days of the file being submitted so I think um couple of reasons these low detection rates um might be a thing is due to the fact that there are just so many different combinations of values that can exist in link files um I think AV companies might be concerned about making mistakes or quarantining or deleting the wrong files and then disrupting a user's workflow and then we've got um an easy delivery it's really easy to get weaponize link files into a victim's environment so most email gateways proxies firewalls they're not configured to inspect or block this file type um because of its legit use cases and then finally I think uh lack of user or practitioner awareness might
be a contributing factor to why attackers often evade our detection when using a technique um so users are probably not aware of the dangers of shortcut files and security analysts might not be familiar with the ways they can be abused and how they can analyze detect or hunt for them so just to sum up this slide really um I think once we can reliably detect and prevent a technique um it's only then that attackers will be forced to go through the expensive timec consuming process of changing their behavior um and this will increase the cost of an attack for them and then tip the scales to give Defenders the advantage so as you can see from some of the
examples I've included on this slide um attackers have been abusing link files for over 10 years uh the use of this technique is still prevalent and successful for them so if you look in the M attack knowledge base of adversary behavior um there are about 30 references there and all of them link to a report with details of a successful intrusion against an organization that that use this so I won't read off all these examples for you but um you can see that attackers have used link files to do things like maintain persistance in their victim's environment steal credentials obtain initial access and execute
ransomware so for those of you who are not familiar um let's move on to talk about the structure of a link file so this is going to show you the minimum amount of information that you as practitioners need to know in order to be successful in either detecting or abusing link files depending on what your your goal and your day job is so when I think about the minimum amount of information that Defenders and attackers need to know I think that blue teams must know the basic anatomy of Link files and how to analyze them in order to identify one as malicious or benign and then attackers must know how link files can be abused and what
Defenders are looking for in order to evade detection so in a nutshell a link file is just a convenient pointer to another file um the target of the link file like you can see at the bottom right hand of this slide um it's not the only interesting information so there's a bit more to link files than what you can see when you just right click one and select properties so in these next few slides I'll I'll go through the structure and properties of a link file that you need to know about about um so Microsoft specification for this file type is about 50 pages um I'll save you some time and just call out the highlights so
here are the values of the file signature or the magic number and the class identifier that enable us and the windows OS to identify link files in if the file extension is not link um so you've got several open source link file passes available um I like to use Eric Zimmerman's Le command um it's fast it's reliable and you can as an option to pass link files in b um so I'm going to be using Le command in the examples that I'll be work walking through in this presentation so here's an example output from Le command after a benign Internet Explorer shortcut has passed just as an example um I'll call out the properties that you need to be aware of so first
and foremost um the target of the link file is stored in a list format in the file structure um ell command just goes ahead and passes that out for us and conveniently displays the full path for us and then you've got the file size property um this is the file size of the link files Target not the link file itself so something to be aware of if you're doing forensics um also just above the file size you can see the modified accessed and created timestamps uh these are super useful during digital forensics investigations like when you're producing a timeline of an intrusion or maybe an inside threats activity um but these are going to be out of scope for
this talk so we're talking about how link files are abused and then how to tell when that's happening and then you've got the 32 link Flags um these specify which structures are present in the rest of the link file so some of them are reserved or unused um as a couple of examples the has arguments flag means that the link is saved with command line arguments and has icon location means that a path is specified to display an icon for the link file and then you've got the drive type property so this specifies the type of drive that the link file is stored on um so for example it could be stored on a fixed Drive removable Media or a network
drive um this value is another one that's useful in forensic investigations to verify what files were accessed by a user or an attacker and then here's some information that's useful if you're interested in tracking adversaries and relationships between link files and intrusion campaigns um so when an attacker creates a malicious link file in their environment in preparation of delivering it to their victim the volume serial number net bios name and Mac address of their computer is included in the link file um so some attackers are either unaware that this happens or they forget to wipe one or more of these values um so this data can be used for tracking campaigns or adversaries on services like virus total um another one
to watch out for is the user Sid so that's not shown in this example but that can give you information about the network computer and user account that was used to create the link file in the attackers environment and then we've got the show command so um this specifies the state of the target applications window after the link file was executed um so keep an eye out for the show Min no active value this means that the application window is going to be hidden from the the user or the victim um when they click the link file and this could be an indication of the attacker trying to hide their code execution from the from
the victim and then finally here are a couple of additional properties to be aware of that weren't shown in the example that we just walked through um so the icon location value specifies the path where the link files icon is stored um and the command line arguments they're executed with the link files Target when the link is clicked so in this example we can see um the link files Target is Powershell and then we can see a script in the command line arguments being executed so the script um Imports the bits transfer module and then reaches out to a a URI to download a file called 7z doping um so this one looks really suspicious at first
glance so in this next section we'll review some of the ways that attackers use malicious link files to achieve their objectives um I'll walk through an analysis of some malicious examples and then point out the features that make them stand out as suspicious along the way so um what I'm going to give you here is some information that you can use in your detection or threat hunting efforts so weaponized link files are commonly used to obtain initial access or to maintain persistance in a victim's environment um to gain initial access to a Target environment attackers will often craft a link file to execute execute a malicious one liner or a script and that will usually leverage living off the land
binary like Powell or um the command prompt um a common example would be a PO shell oneliner to download some malware and then link files during this phase usually delivered via email or in a compressed archive file to the victim um they could be embedded in an office document or they'll include a URL for the victim to download and execute the file and then for persistence um attackers will often place a link file in a location where their oneliner or malware will execute every time they use the logs on or when the computer starts up um or they'll modify an existing shortcut file to include a back door so each time the shortcut is executed the
original application will load and then the malicious code will execute in the background as well um and then another persistence technique is to craft a link file that forces user authentication so this can allow the attacker to harvest the users password hashes and then they can try and crack those to obtain the clear text password or they can use those in a pass the hash attack so let's um analyze some malicious links and then identify what features can help us identify them as suspicious and then we can use those features for detection hunting or to build our own classifier that we'll talk about in a bit so here's an example of a malicious link that was used in an intrusion campaign
um to gain access to several organizations um firey attributed this particular example to apt29 and the attackers sent a fishing email to their targets that included URL to download a zip file from um a one Drive account and then that zip archive file contained a malicious link and then when that malicious link was executed um a PO shell script was executed which extracted a decoy document for the user to view to distract them and then in the background a Cobalt Cobalt strike Beacon dlll was extracted and then that was executed um and that dlll provided a connection back to the attacker so when a link file is executed the the new process is spawned as a
child process of explorer.exe um that can make Dynamic detection a bit of a challenge but there are other ways to identify malicious link files um and we can walk through those examples so let's examine this link file that was used in this campaign and understand what makes it look suspicious so when we pass this malicious link file and start to look at its properties some things immediately stand out as suspicious um so this link files Target is powershell.exe which is um a commonly abused binary used to execute malicious code or script and then it's got long command line argument that usually indicates the presence of um an encoded command or a script and we can see in
this example what looks to be a base 64 blob of encoded data and then we've got the parameters non- interactive to prevent an interactive prompt from being displayed to the victim and then um execution policy bypass to bypass any default Powershell kind of execution policy that's configured so something that's important to note with regards to the command line arguments um when you look at the properties of a link file in the windows UI the files Target and command line arguments will be truncated after 260 characters so in an attempt to evade detection um attackers have been known to craft malicious links with a benign Target and then include some padding like whites space before the command
line and then that will hide the full value from the windows UI and sometimes evade detection or um kind of a human analyzing the link file and here are some additional features that help us identify this this link file as suspicious so um I mentioned earlier that the show command if that's set to showman no active that will mean that the application window of the new process will be minimized and not immediately visible to the victim who clicks and then um this is a good one so link files are usually between 4 kilobytes and 20 kilobytes this one is 400 kilobytes whenever I see a large link file like this one um it leads me
to believe that the file contains other embedded content like files or scripts um this one is if you recall from earlier it contains a malicious dll and a decoy PDF document um which accounts for the larger file size and then the Zone identifier is a good one to look out for as well so um depending on the internet browser or the application that was used to download the file um as ID alternate data stream will be added to the file to indicate it was downloaded from outside the host Network so aone ID on a file greater than one typically means that it came from outside of the network um another interesting feature is the entropy or randomness of these
link file so the top screenshot shows the entropy of the malicious link um that we've been talking about and the bottom one shows the entropy of just a benign Google Chrome shortcut file so a link with high entropy can be indicator that the file contains compressed through encrypted content um so for this example the the number of suspicious features have really added up so um let's move on to look at another couple of examples so another technique that attackers can use to is to uh modify an existing link file to include a back door so each time the user clicks on the link file um say it was Google Chrome just as a to see this example on this
slide um Google Chrome will still execute so the original binary is executed but the back door is also executed in the background um away from the user so po Shield Empire's got a pretty good module that enables attackers to carry out this technique easily um invoke backd door link just lets you specify link file to include a Parell Stager so I remember working at a company where a red teamer did this um and it was a bit tricky to figure out exactly how the poell Stager was um being executed so poell was shown as the child of explorer.exe um it's not something that blue teams are typically monitoring for um because that behavior looks pretty normal and happens all the
time but the red team are backo um Windows Server manager on several servers so whenever a system administrator logged on the Stag are executed and then a new C2 channel will be established
um so another technique available to attackers is to include an IP address or URI in the icon path of a link file um so when Windows renders the link file and Explorer it forces SMB authentication from the victim host to the attacker's IP address um so one way to reduce the effectiveness of this one is to block eress SMB traffic from your network and that will stop them from capturing the hashes and trying to crack them or using them in a pass the hash attack um but still if the attack is already in the network and they place a link file on a heavily used Network share it could still be quite effective at capturing hashes from thousands of
users inside your network um and here's an example of that technique being used for your reference um so offensive tools like link up make it easy to craft one of these link files to carry out the technique and then you can use the SMB authentication capture metasport module and you can collect the password ashes um so given this presentation is only 30 minutes I don't I don't have enough time to go into detail about the behavior-based detections for malicious links um elastic is open sourced event query language which is uh um originally created for security detection and threat hunting use cases and it's currently being integrated with the elastic stack um it's easy to learn and
read and write queries um you can query on sequences of events for different vent types um and in the appendix of these slides for your reference I've I've included um some behavior-based detections for malicious links and you can check out the equal analytics Library if you're interested in free detections um there're about 133 analytics for detection and they're all mapped to the my attack Matrix so with regards to hunting for malicious link files in your environment um here's a crude but effective method that can produce a big win for your team um so it's amazing how many threat groups try and evade our defenses but then they risk giving themselves Away by creating a link file in the use a
startup folder to maintain persistance and then that link file will execute every time the the victim logs on um so it's one of the oldest tricks in the book but it still goes undetected in a lot of environments um because Defenders aren't looking so a quick hunt would be um to use Le command to pass the link files in commonly abused locations on your endpoints and then you could index that data in a central repository or Sim and then you can query and visualize that data to surface normally so a simple but effective method is you can sort the results in ascending order by the link files Target or command line arguments and then once you've learned
what's normal in your environment this should be a low effort hunt to either automate or just complete periodically um so one way to approach the problem of identifying link files as malicious or benign is um to call it a classification problem um so while examining several link files and then identifying the features that make them stand out was suspicious uh we tried to build our own classifier to um classify them using data science techniques so the next few slides show a practitioners attempt to use machine learning to classify link files and explain the process from start to finish so my goal is that this shows practitioners how accessible um data science techniques are and that machine learning can be
effective at solving the problem most of the time but it's not a silver ballet so early on in talk when we were passing link files and then identifying the important features to help us understand if they're malicious or benign we were doing feature extraction um we're essentially Transforming Our domain knowledge into features and then we can apply machine learning or other data science techniques to try and solve the problem so I analyzed lots of malicious and benign link files um and start building out a data set um so when we decided to build a a model um I had to normalize that data before I could run it through any algorithms and then try and predict
whether a file is malicious Orin iron so um how do we go from thousands of Link file reports like the one shown on this slide to something like this um which is an array that represents the features of the past link file shown on the left hand side um so the model that we want to run our data through needs to be needs to see data in this kind of numeric format so um some features of a link file um like file size or entry they're already in a numeric format so those are easy to handle um but how do you present represent features like command line arguments as as a number um so this is
what's called um feature engineering so um we were asking questions of the link file data so um we separated file sizes into bins um larger link files would be in a bin with a higher number um and for values like the show command um we can just use the pandas uh libraries factorized function that gives a numerical representation of these values and then for the remaining examples on this slide um we just created features in a binary like true or false one or zero method by checking each link file for certain values so there a link file have long command line arguments true or false does it have high entropy that kind of thing so end result was just
this normalized data set of malicious and benign kind of labeled link files so then after preparing a data set um I started looking at possible methods to classify link files so one option was a decision tree um very simple example shown on this slide so decision trees answer sequential questions and then operate in a if this then that method and then they lead us to the answer so is the file malicious or benign um advantages of decision trees are that they're fast they don't need a lot of data they're easy to interpret um disadvantages that that they're slow to train and then uh different difficult to tune so then we decided to try and use a
random Forest classifier so this classifier essentially takes a set of decision trees from a randomly selected subset of the data and then what you end up with is multiple trees with different portions of data um each tree gets a vote on what the answer should be and then those votes from the individual trees are aggregated to decide if the final class of the link file is malicious or benign so um the good thing about this type of classifier is even if a few individual decision trees are prone to noise the overall result once all the votes of the decision trees uh aggregated um or considered should be correct um so here's some information about the experiment that we set up
using the data set and training a random Forest classifier to try and identify the links as malicious Aline um so the data set consisted of around 2500 benign and 30,000 past and AED um malicious link files so this is um quite an imbalance but this is um a common challenge when attempting to solve security problems using data science um but the extracted features should be descriptive enough to separate malicious from benign samples um so let's move on to talk about how we train the classifier and then what the results look
like so the next few slides show what we did with the data set of Link files and the random Forest classifier so at this point every link file in the data set was passed and um normalized into an array what you see on this slide so the data was set into two data sets um it was kind of an 80% 20% split so we had the training data set to train the classifier and then the 20% left in the test data set for the classifier to try and classify those link files as malicious Bel V and then we can kind of um analyze those results so um we use the training data set to train the classifier on what a
malicious versus benign link file looks like and then the link files in the test data set were reserved so once classifier was trained um we had it classify the link files in the test data set and then the output from that was an array of uh labels for the link files to tell us the classifier thought they were malicious of anine and then for the results um we decided to use a confusion Matrix to analyze the uh model's accuracy so this Matrix shows the count of true negatives false positives false negatives true positives um so in general we want to keep the false positives and false negatives quite low um and then to put these results in simple terms 32 files
were classified incorrectly out of almost 7,000 um and then the vast majority of files were classified correctly so I would say um before this model is production ready though I'd like to increase the number of benign samples in the data set so observe how this accuracy changes and I like to obviously also ensure that there isn't a a huge increase in force positives um so we'll just spend a minute talking about what the classifier didn't do well on um like I said machine learning can work a lot of the time but it's not 100% accurate um Force positives consisted of Link files that utilize commonly abused binaries like um cmd.exe to execute on liners um to add
software um link files from software like pep archiva PDF creator and some PC Optimizer software and then some of the link files that kind of slip by the classifier completely were pretty interesting so um couple of back link files internet browser shortcuts that would communicate with the attacker when they're executed and then um a couple of LOL bins using to to execute things like malicious dlls so um when to think about what we could do better um we could look at using something like tfidf that can determine the importance of each word in the command line arguments um and as I mentioned earlier we could continue building the data set to kind of balance the number of mili
malicious and benign files out um so just to wrap up really really quick um as I said earlier I think attackers will continue abusing link files while the detection rates are still quite low um once Defenders can reliably detect and disrupt the effectiveness of this attack is when the attackers will be forced to abandon this technique in favor of something else um so hopefully I've shown you that there are several opportunities to detect or hunt for malicious links and when we consider applying machine learning to try and solve classification problems uh the domain knowledge of practitioners is really valuable for doing things like feature extraction and um data science techniques are accessible to practitioners but if you're able to work
with an experienced data scientist on a problem um they can help you avoid common pitfalls like interpreting results incorrectly or maybe choosing the wrong algorithm or classifier to use and then um it's just important to note that this research doesn't solve the problem entirely um I'd like to continue building the the data set of Link files and extracting additional features for the classifier and I'm looking to see if we can build a machine learning job um in elastic security to detect malicious link files uh so I think I'm at the 30 minute Mark um you can reach out to me on Twitter or I'm on the bsides um slack workpace so you can reach out to me
there but um yeah thanks for attending thanks DAV David that was awesome uh up next we got Jason burtman he's going to be talking to us a little bit about Wi-Fi pineapple Act of detection bya Raspberry Pi zero so uh whenever you're ready Jason feel free to jump on and get started awesome thank you I uh it says I cannot start my video because the host has not stopped it
H I'm just going to try sharing and see what happens a good start how's that can you see the presentation all right yep it popped up and you're loud and clear awesome thank you all right so my name is Jason Burton I work at stage two um today I'm going to be talking to you guys about um detecting uh pineapples via raspberry PT a small um piece of Hardware that we built um that kind of functions as a physical security token it's more so just a research project so so kind of detail um if if you haven't had experience with pineapples exactly what pineapples are um how they function what um things they take advantage of and how
we can sort of counteract that um most of my days I'm taking advantage of those things on the red team side but uh this was more of a blue team sort of research so hopefully you guys get something out of this um this will will be a pretty quick presentation probably 20 to 25 minutes so definitely feel free to leave any questions you want in the Q&A section or in the chat but um I'm glad that we could at least put together this virtual presentation for everyone uh so just to kind of begin very quickly um going to kind of go over exactly what a pineapple is and how it works um some of the hardware alternatives for pineapples
um not everyone has access to a pineapple um some people find that the4 to $120 price price range is a little too steep for them um so I'll kind of go go over um how I approached things um before Bryce decided to send me a pineapple via the K the glet ar-150 I'm do very very quick Hardware tear Downs on both just to to ensure that they're using the same chips set um the attacks that pineapple uses the karma and Mana attacks that are still used to this day um so how we go about detecting those things in the field uh and then of course the actual Hardware itself and then we'll all just kind of bow our
heads and pray to the demo God and hope that our demo works out all right um so firstly of course what is a Wi-Fi pineapple I find that some most people don't have exposure to some of the internals at least from the software perspective of what a what a pineapple actually does we'll kind of very lightly go over those things like I said this is a pretty paired down presentation to fit in our 30 minute time slot here U so in short uh it is essentially man man inthe middle Made Easy um for uh Wi-Fi in some cases especially with the Tetra and with homemade solutions you can use up to three radios without any sort of
lag um you need one for monitoring one for stations for people to connect and one for clients to give any of your victims uh that internet access to ensure that devices connect successfully and that they don't know that they're actually being attacked uh in the last decade or so I mean there's been there's been six generations of pineapple we on generation six now um the current view that you see in the bottom in the right hand side of your screens are uh the current generation of software um for the people that have been around a while you might remember the sort of like green and black and red um sort of hacker view that pineapple used to be um
and it was you know you felt cool using it but it was a real pain to use um things have definitely gotten much much better the module system is is actually um I wouldn't say a pleasure but pretty easy to use um so if you are looking into uh utilizing the pineapple some of your operations um I would I'm not going to hardly endorse it but uh the modules are very easy to use um so there's definitely some cool things that you can do that'll not a lot of teams are doing out there um so like I said when I started I didn't actually have access to a pineapple I knew I wanted to build this
detector um so it actually turns out that there's a pretty wide Community uh for building the pineapple um using off-the-shelf Hardware that's much much cheaper um so I kind of started my research here on hack five's official hardw page where they they mentioned their AOS AR Maggi 331 chipset which is a relatively common chip chipset especially in embedded devices a Theos is all over the place but we can see here they use that system on chip so of course we we use this as our juming off point and we see where else uh this chip is in use and of course I mentioned the uh the glim at ar150 like I said this is a pretty popular option it's very
inexpensive and you'll see when I do a quick tear down on this it's really just one chip it's really not a complex system um like I said it's $25 or under um sometimes you can find them used for 15 so if you're really looking for just some simple research of easy way to build a pineapple Nano is to Simply buy one of these and Flash uh the pineapple firmware onto it um as I mentioned you can see on their page this uh page on the right there is directly from GL Net's page they say that they use the atheris 9331 so um so as far as we know they use the same chipset and ready to
go um there's also a USB port on the back that you can plug a hub into um and uh connect all the devices you would like that being said um it really only supports two additional devices along with the internal chip um and even then it's pretty slow but it does it does work pretty well um especially for the secondary and tertiary radios um so just a very very like I said very quick tear down here um it has an SEC ID on the back there obviously you know it's it's an approved device so um we could do the tear down that way but it's only a single chip so you'll see in the next slide here that we just
decided to tear it out and just kind of see um you know how it worked uh that chip in the center there that that little black guy is a NS 9331 um it does it does have two ethernet ports uh with a way and a lane were actually reversed in software um there would if you do end up doing this on your own and um of course these slides will be shared out to you guys uh you'll notice that there are some quirks with the software um if you are to to install the newest firmware there are some software changes you have to make and I go through how to build the firmware just a little bit here um you
also need power and reset buttons during setup um so those are also included on the glim app which made things very very useful uh so these are the internal uh chip photographs you can see here uh on the right side is the SEC ID for the pineapple Nano um and you can see you probably can't read it there but it is ANS I promise ANS AR 9331 and we see the same ch on the left so as far as we know um at least the wireless Hardware is compatible um and everything else is sort of we figure it out as we go um the good thing to note here is that the glet ar150 uh comes with openwrt preloaded um
which is a huge help to us researchers because open wrt is open source and you know we can build basically anything on top of it um to that end that link in the center there for GitHub the open WT CC from the Domino team um they have a repost specifically for the GL ar-150 that builds um any open wrt image directly for it and if you want to do this yourself you can go directly to the hack five firmware page pull the latest firmware um and extract it with firmware modkit and then essentially just copy those files into the open w CC files directory um update install make the menu config and you're good to go you're
ready to flash with that with image that's been built um there are like I said there are a few software quirks especially in the later versions you kind of have to make sure that it's it's all PHP so it's relatively straightforward um there's a lot of documentation online um so feel free to Google around if you have questions of course feel free to reach out um but so what happens once we build it um like I said it's running open wrt so if we go to upgrade the firmware directly from glet Administration panel we can literally just drag our builts firmware onto their install and Flash it on um which again is just a researcher dream um it's been very very
easy to research with this device um and there is of course pineapple running on our new quiet ar-150 um if you'll note I mean pineapple has been around for a long time uh it's gotten more and more difficult to exploit new client devices uh clients have gotten smarter and smarter over the years um so in our case we needed to apply both secondary and tertiary radios connected to a legitimate wireless access network to ensure that clients will go to connect to us um directly and uh a lot of new clients will check to ensure that they have internet access um so we need to provide that internet access to make sure that those clients will
complete their association with our evil access point so this is my actual installation that's on my desk next to me over here um it has on the left side you see the glet ar-150 on the right is USB hub with a spare Amax uh little USB Wi-Fi card that I had and of course on the on the South Side there you see the very popular Alpha in um Wireless that's used for the injection phase of our of our attack here so all in all there's internal radio it's acting as our station uh the USB um the small USB there on the right the edx acting as our Monitor and then the alpha acting as our
client so very very quickly here I'll just kind of go over the karma and Mana attacks that pineapple the hack five pineapple uses um or has used in the past uh to exploit clients uh a long while ago um some some researchers came up with an attack called karma um and it used to be that devices would broadcast prer Quest frames uh that contained what's called a p&l and those pnls had a list of networks that it uh wanted to connect to or preferred to connect to so what Karma did was it would clone one of those ESS IDs um and then start of a custom Network stack that would just let people connect to it um and of course on
the clients they don't mind when a single bssid has multiple IDs that's obviously no issue it's still not an issue today but in this case Karma again this was back in 204 uh it was basically an automated evil twin attack uh so very quickly I want to say in just a few short years um this attack was outmoded in favor of Mana which was the upd version of this attack which still works on devices today as long as um the internet is available to that client um so nowadays devices probe for networks much less frequently uh but they do probe for networks um you notice when you come home from a long day at work your phone
connects to your Wi-Fi so it has to probe for that Network and your uh access point will respond with a directed probe response so your device is uh broadcasting to the s Sid and bssid um with all Fs in in in HEX looking for anyone to respond to that uh so what Mana will do is essentially respond to anyone um that asks for an access point with its Mac address with with its own destination Mac so if you probe for a random essid it will also respond to that as long as the software allows it to and again these are some very simple custom Network Stacks that some researchers came up with um very very simple kernel uh driver
modifications that resulted in some pretty major damage um around the globe uh so like I said maned uh responds with directed probe responses and we have ways that we can take advantage of that which I'll uh kind of talk about here in a second uh two uh stipulations here for our detection of the pineapples attacks is that the pineapple filters by U by default used to be that they were open um now when set up it asks you if you want your filters to be open or closed um you can still uh of course use the Mac SS and SSID behaviors and that's more of a passive detection I include a link later on from a repo called piense
um from some some researchers that have done some work in the last few years uh that do some passive detection of the Wi-Fi pineapple um but of course we're after this active detection so in order to do that active detection our pineapple has to accept our appre request which which of course means um it has to has to go through the filter of course with the Advent of Mac randomization um a lot of red teamers and operators in the field tend to open up those filters a little bit more which allow us to uh kind of get around those filters in a lot of ways uh so you might have wondered what drain actually stands
for a drain stands for didn't realize all insecurities needed naming um I I really hate acronyms and so this was my my acronym for them um so that's uh how how do we go about attacking specifically Mana karma is not really in use anymore so uh two assumptions that we make when we uh go about our detection methodology one is that the beacon response is enabled um this is by default and this is pretty much expected with most if not all uh Wi-Fi operations Beacon response lets an arbitrary um let's you respond respond to arbitrary clients so when a a beacon request comes to you you respond to that beac with your uh with your Mac address and of
course like I mentioned the filters must not exclude our detector it is possible that filters aren't there um but in that case uh you're probably safe to be on that Wi-Fi network anyway um Wi-Fi is a pretty old protocol with wpa3 coming around we might things might change a little bit here um but you know the coffee shop attack is still something that happens on a daily basis um so like I said drain only covers active detection and there's that link right there if you want to check out Pense uh wipy Hunter has a several repositories that cover passive detection um some of the code keys will updating uh as as of 2020 but most things still work so
definitely give that um give that a shot if you feel like if you have a pineapple home or if you build one out of the glet ar150 how do we go about uh detecting this in real time um so our projector which we built on a Raspberry pi0w um firstly just sweeps the the active stations in the area um this is a pretty common thing that happens um you know on a second Toc basis on millisecond millisecond basis by most client devices in our case we're simply going to note all of the Mac addresses in the area that respond to our sweep um and then we send probe requests for a random string um to the broadcast bssid
so basically we're saying I'm looking for this remembered network does anyone in my current area have that Network and then simultaneously we listen for Beacon response uh so we have two things that we're looking out for uh one that uh a response station ID matches the pr request so that's that random string that goes out if we get a response to a random string that is very very suspicious there is not a lot that should be responding uh to to a uh to a random string and then of course our second confirmation is um that one of those bssids was in our initial Recon so that means it's an active station that's listening uh for connections and it has
responded to a random string for Association um so both of those together means that more likely than not we have a pineapple or potentially a different malicious device um one other assumption that we'll make here is that an attacker uh has changed the sort of default Mac addresses to ensure that none of this stuff is um you know easily passively detectable obviously there are lots of other things you can do again look at ents for some examples um so you know it's it's a we we need to make sure that uh we're only detecting the the active detection the active pineapple itself um so onto building our detector how do we build our detector it's a very
very simple it's almost um entirely in software we use a modified kernel that comes with the uh Cali net Hunter repo um that you do monitor mode um in in our case we actually don't need it too much and we can actually use some simple built-in iws and IW scan commands um that come with the kernel by default uh it actually turns out if you don't know that if you provide a specific name to iwlist scan it will actually send a probe request to that name uh so we we can sort of scrape the output and use that um with a default device we actually need this modified kernel which is again great news for um sort of mass
producing this if someone were to mass-produce it um is that you you don't need a secondary radio to make this work like I said we using the raspberry pi 0w um it has 2.4 BGN it doesn't support five obviously for now to cut down on costs uh so you know that might be a vector you might want to think about um you can obviously load the software onto anything that supports the same code um it just has a standard maale 2 X20 G gpio you can sort of see the 1x8 LED Matrix that takes up that 2x20 it's the PIN blink it's a great piece of uh little software it comes with a very easy to use Library so if you haven't
used anything from Pimon before highly recommend it uh a little bit on the higher end of price but very very easy to use and the libraries are are really well done um so in that in that way we've uh built this small piece of Hardware that's uh kind of giving us a visual indicator if there's a pineapple in the area and that case is just a p a Pio 0w case very very cool looking case so this is something that you just keep next to your laptop of course you could also implement this fully in software for various operating systems as well but that way you don't get to have a cool little lightup device next to you
which is obviously the goal here um so with that uh with 20 minutes in um it's demo time uh so again we we bow our heads uh in honor of the demo Gods I'm just going to reshare my screen to ensure uh that I can give you guys my console output hopefully I haven't lost too
many all right hopefully you guys can uh you guys can see this okay um so I'm connected to that Raspberry Pi on the left and on the right side um is just our live pineapple detector there we are um so I'm just going to start up the uh the scanner here which is again our drain attack and you can see hopefully you can see it's not too much lag that every few seconds our Raspberry Pi is simply scanning um for any potential open networks in the area here it's just got some nice solid green lights and you know looks all cool so I'm just gonna just gonna scroll G come back here and just plug in
this pineapple um and it's gonna boot up here in a
second the glory is of virtual conferencing so now um our Pine has been plugged in and it takes about 30 to 45 seconds to start up um so right now our our pineapple detector is just sweeping the network looking for open networks and that's it and it just does it in a loop until it finds any open networks that are potentially in use by Raspberry Pi I'm Sorry by quiet pineapple once it finds an a potential open network a potential Target it will Target those in a next phase and it will send those directed probe requests and uh see if it can detect that specific bssid as a pineapple so hopefully here in a few
seconds we'll uh we'll see this pineapple start up
okay we can see it found a hidden network with the bssid Bobo dead beef which if you're familiar with that is not a normal Mac address so this next phase here after the three the third time the third scan it will go and try to prob that one so it says it's found a pineapple and now our pineapple detector is flashing red meaning there's an evil device in the area and that we should discontinue our wireless access immediately uh this is the string that of course generated um for the probe request um and then we can see that we got the uh the SSID back to us from that probe request and that it was the same Bobo dead beef Mac address
we got directly back um that was in the initial Recon phase so this is an evil device um we should obviously not be using Wi-Fi in this area it's very evil um and that is about it um if I just go just head back to my presentation here just go to this questions page um that's the my email address um if you weren't aware I work for stage two security um you can feel free to send me an email or or uh you know I'll be on the bside slack um for the you know the majority of the year uh if you have any questions um if not then uh thank you for watching I appreciate
it there is one question in the QA for you oh sure I'm clicking on QA but it's not actually doing anything the question says what would it happen if there were multiple pineapples in one area gotcha so uh in our case it actually that phase two portion um actually does individual probes for each one that it finds um so our code specifically will just probe for both of those individually um but uh you know obviously if someone has more than one station um you probably have a a bigger issue on your hands um but our code uh we'll just simply probe those individually um yeah that's that's about it wondering why I can't view these
questions oh there we
go awesome well thank you guys really appreciate it um this code will uh will go up um on probably GitHub if not the stage sh security gitlab or something similar um pretty soon here um if anyone's interested and of course um feel free to hit me up with any
questions okay thanks Jason uh yeah cool demo that was pretty cool okay so up next we got Eddie Eddie are are you on the zoom at the this point I you are yes yes I am okay great you hear me yes I can hear you so I'm going to head off to Eddie now to present he's got a really cool talk lined up about code signing I believe and um yeah feel free to start whenever you're
ready hi everyone uh can you see my slide now before I get started slid in and you're sounding great okay perfect hey it's great to be here thank you and I've got a lot that I want to cover in the next 25 minutes so I'm going to just get started so a few years ago this company was in the news marisk they're the world's largest shipping conglomerate uh as you can see here very very large and and they're responsible for about a fifth of the world shipping capacity and they had a really bad day on June 27 2017 and uh not sure if if any of you remember what happened then but this is what their employees
experienced their computer started to display a screen like this and what had happened is that not Peta malware uh struck uh marisk and it infected 4,000 of their servers 45,000 PCS basically destroying all the data that they had so it took them multiple weeks to to re uh restart and restore from backups but this impacted their entire operation uh their their Voiceover IP phone stopped working uh their ships were that were out in the ocean stopped moving because the navigations went down Port Terminal Gates stopped going up and down so so customers couldn't deliver their goods or get their goods from their their ports and it disrupted customers all around the globe uh it took them about 10 days to
start to bring things back up they had to do it from backups and uh their internal their accountants uh basically arrived at a $300 million cost to them but most external experts uh believe that it was much much higher than 300 million for this much downtime for this company so huge situation for them but it didn't affect just marisk it affected these other companies my brother works for mer MC Pharmaceuticals and at the same time I remember hearing that he couldn't go to work because their computer systems were down and impacting um uh physical security systems and and the computers and and all of that so uh it impacted a subsidiary of FedEx in the
in Europe and some of these other well-known International companies all in all it was about 10 billion dollars of estimated damages around the world so huge situation and how did it happen so after investigation basically this problem got um linked back to a small Ukrainian business as a familyowned business called link and they basically provide Turbo Tax like software but for Ukrainian uh for Ukrainian businesses so every business that every company that does business in the Ukraine they needed to use this particular softfur package and we all know what's been going on politically between uh the Ukraine and Russia and what had happened is Russian hikers had uh infected link with not no Peta and that in
infected all of these companies and it was a very U virulent um piece of malware and that's why it it impacted so many companies and it impacted them extremely quickly uh there was an account for for marisk that they were literally trying to go around every every office and unplug their computers and they still you know couldn't couldn't stop it so you have to ask how do how did this happen and you know if if if link OS was using Code signing if Maris was vetting the software that that was being installed on their servers they should have been using Code signing and so obviously there there's a failure of some sort and it it had1 billion dollar
worth of consequences around the world so we got to think about the risk and and I'm always one who who likes to think about the risk and there there are basically two sides of the same coin and you know as as a group of of infos professionals it's you know which of these are more um would be more urgent for your business you know is your business more like link OS and you're providing software to customers and so you're therefore concerned about the risk of what happened to link OS impacting your business and you infecting your customers I mean that that would be really bad especially if you're uh a tech software Tech kind of
company or are you more concerned about the risk that you might have that meis CAD where they had a disruption of their business operations again if that happened and your business was down for 10 days uh it it's going to be extremely disruptive and extremely costly and and frankly I'm concerned about both and I talk to customers and obviously you they they'll depending on their business they might be more concerned about one or the other but it's a lot here for you to think about and and I know code signing doesn't always come to top of mind when you're thinking about the risk that you have to uh contend with on a daily basis but this is a great example where it
it's done some it did some tremendous damage and this leads us to a to a simple fact today software Supply chains are more more vulnerable than ever and and why is that and first is is that we're all experiencing digital transformation so our businesses are relying on software more than they ever have our employees are downloading software from the internet uh sometimes we know about it sometimes we don't and every time they download it we run a risk of of infecting our systems with malware uh our software infrastructure comes from many different suppliers I mean at the company that I work for it's a fairly small company but we probably we have between 100 and 150 different
software suppliers uh in terms of the applications that we use for our business operations as well as open- Source libraries that we use in our product and uh other libraries and software that we use in our product and then finally we we get the issue where cyber criminals are now more active and creative than they've ever been and that's really what the the the rest of this talk is about is is how are they doing it and what can we do to to stop that and and M was just one example I mean this has been going on for a while just last year uh the Taiwanese computer manufacturer Asus had a a situation where uh hackers discovered some of
their private code signing certificates uh they inserted malware into legitimate um Asus software updates and then resigned it with asus's private code signing keys and this got pushed out and I'm going to talk about that particular incident in in more detail in just a few minutes but you know we think back a few years even before that there was issues around stuck net and what happened in Iran and and their um their uh nuclear uh processing uh equipment and if you look on on the dark web code signing certificates and and keys are a hot commodity that especially if they come from a trusted brand name so you know if you're if you work for a company where
the brand is is highly recognizable and someone gets a hold of your C signing certificates basically anything can be signed and uh cyber criminals know that and they sell them uh on on the dark web uh maafi did a uh research project a few years ago and at that point in time so I think this was 19 200 18 they've discovered 22 and a half million pieces of malware that that had been signed with either stolen or forged Cod signing certificates and credentials that's a lot of malware out there that's being signed from uh using legitimate uh cosigning credentials so I started this off with a story because I really wanted you guys to to take notice that this is a a big
big concern for us all of us in infosec that we we have to care about this and uh what we see frequently when we talk to our customers is it's not always a high priority issue so the rest of the the time that I have I'm going to um just give a really quick refresher of what code signing is what challenge is we see and we hear about from our customers when they try to do code signing and and protect those those credentials and then I have some some tips for how you can do that uh movement forward and then finally I'll give give us some time to uh for me to answer some questions if I
can so what is code signing really simply it's just a digital certific a digital signature that we use to sign computer executables and a computer executable can be anything like an application a mobile app uh a dis image uh drivers firmware if it runs on a Computing device it's considered code and then that code can be signed and and it does two things one is it verifies or it's supposed to verify the author's identity so if I work for company XYZ and I sign a piece of code with companies XYZ cosigning certificate everyone out in the world needs to be able to trust that really did come from from company XYZ and furthermore it ensures that that piece of code doesn't
get modified in route between when we release it and when someone actually downloads it and installs it so it's it's basically meant to uh protect from a malware from being inserted into a legitimate uh piece of software so that's what uh Cod signing is in a nutshell and you can kind of think of it as a birth certificate for the software so you know we spend months and months uh developing software and at some point we want to release it it's like the birth of it and then the cosigning certificate is is like the birth certificate saying yes you can trust it it comes from us and it hasn't been modified by anyone else and then we think about okay an
organization who's responsible for for code signing uh and and this varies widely some some companies they leave it up to their software developers because they're developing so much software so quickly they have uh really really uh aggressive schedules and it just uh there's not no visibility to the infosec team that code signing is going on and if the infos team did it they may not be able to keep up um if it's done by the development side of the house they're probably using either build Engineers to run a codes signing script or they're actually doing it as part of their build infrastructure so I'm guessing a lot of you probably have companies that are embracing Dev Ops and and that's all
driven through automation so it's those scripts that are actually doing doing the code signing but then there are are some some companies who take a different approach and they basically want to centralized code signing because they understand the risk of those keys becoming um uh getting into the wild so they have either their pki team or their infos team be responsible for all code signing operations and and life like in life everything's a balance between uh positives and cons for for these ways of doing it in general if if developers are are are signing code they're going to be doing it on either their their own personal workstation or laptop they're G to be do doing it on a
web server uh a build server or maybe even in the cloud and then obviously if the pki teams uh signing code it's it's done in a Secure Vault we have one customer that uh this secure lab isn't even connected to the their internal Network it's completely isolated and they actually have to take physical media into this locked room to do the code signing operations and obviously if uh they do that it can't be very fast so when we look at the pros and cons if it's done by the software developers it's going to be extremely fast it's going to meet the demands of business but it's likely to be very insecure because um most software Dev
developers do not appreciate the risk around code signing and especially if it's not protected so they'll do what's convenient for them they'll they'll choose to do things that makes their job go faster and for them to be able to put out software faster on the other hand if you you know have the infosec team doing it it's going to be highly secure they understand the risk they want to protect it uh protect those credentials but it's going to be extremely slow you know it's going to you know someone's going to have to take a a USB flash stick and run from the development side of the the building to the infos room uh so extremely slow and both of these you
have pretty serious and significant disadvantages and and that's really what as we think about the right solution we we have to be able to balance balance both so let's talk about some of the challenges and the risk that organizations have I'm going to point out this particular piece of uh literature it's it's a paper from the Sans Institute and it is really enlightening um it's a great great read it's very short but basically what it outlines is that yes code signing is so effective that now cyber criminals are attacking the code signing infrastructure so they're looking for those private keys and once they have that they're able to Pivot and then actually attack the code signing system
itself so this is bad they can either steal those keys or they can compromise those code signing servers and in this quote uh I found really powerful it's not an exaggeration to consider private code signing Keys as the keys to the business's Kingdom now think about that and and let me explain why I think this is so profound um a when you sign a piece of code as long as it was signed with a ballot certificate at the time that it was signed and it points to a timestamp server that that has a valid timestamp that piece of code is going to be installable for all time so think about this if if a a hacker signs a piece of
malware with one of your ballot Cod signing certificates even if you revoke that it's still going to be installable and it's still going to look like it comes from your organization and unlike you know what we might find with TLS or SSL certificates and you know they expire after a certain period of time so it it kind of minimizes the damage done and then it's also only good for a particular IP address um Cod signing Keys any piece of software could be signed with that if uh the hacker has the the private code signing key so let's talk about the the some specific challenges the biggest one is private key sprawl unprotected private keys and when I say that what I mean is
that it's that scenario where developers have access to the private keys and they decide to put them wherever it's convenient to them on their laptop on a sticky note and in in their desk uh on a build server web server you name it uh if once you hand out a private code signing key it's out there for pretty much forever uh usable for pretty much forever so let's uh look at this in a little bit more detail obviously if keys are not protected they're going to be prone to theft or misuse and uh really is as I've said it's there Unbound risk around this is that you just don't know where they're stored you don't know who
has access to them who's made copies who's Reus them things like that and there's a great example and this is the example with the Asus computers and I wanted to walk through how this happen uh because I think it it might be enlightening uh for you to understand uh the severity of of what happens when you you do have private Keys sprawl and um the private Keys end up in places where they're not supposed to so with with Asus like with most computer manufacturers they produce drivers and they produced updates to drivers that they would push out automatically to all of their customers after all that's the security conscious thing to always uh plug security gaps with updates to to
software and they did that it was done automatically most people have their systems configured to where as long as it has a valid code signing signature it's their operating system is going to install it but one of the things that Asus did that was really unusual and again an a great example of private key spraw is that they had private code signing keys on this update server and uh that is extremely poor bad practice they should not be doing that but they did it at least two keys were found hackers were able to break into the system and it was not too hard because it is you know it's it's connected to the internet because it's
uh their web update server they browsed around to see what they could find they found these two private code signing keys and then what did they do they inserted malware into asus's update so it's a legitimate update they added their malware to it if they didn't have access to those private Keys nothing would have happened their customers computers would have rejected it because it would have been an unsigned U executable or it would have been a signed executable but with with a valid uh invalid signature but they found these keys so they were able to sign their uh malware and the the infected update and then that got pushed out and it infected asus's customers and it was an estimate of of
about a million computers were impacted so again if you're in the business to where you're delivering software to your customers you have to think about what would this mean to your business if you infected millions or a million customers with with malware U and the scary thing is that Asus didn't know about this for months they didn't realize that this had happened and it was only after uh uh malware company I I think it was um kasperski discovered this and uh then reported it to Asus but I bet you uh there were some serious consequences that that company for allowing private code signing keys to be on their their update server so when does this mean from their
from a business standpoint and I know a lot of us you know you aren't really thinking about things in terms of you know this is what my company's revenue is but it impacted their stock price it impacted their revenue impacted their market share and it it it made their customers trust them less and uh perhaps there's some liability issues there where you know customers were asking for for money in Return of being being uh infected and depending on the the segments so the market they work at there could have been regulatory fin as well so pretty serious consequences so that's private key sprawl another challenge that many companies have today with code signing is is lack of policy enforcement so you
know I'm sure we we all know what's the right thing to do uh in terms of policy well don't keep those don't let the private code signing keys outside of a secure location uh require some level of approval before they get used um things like that a certain encryption strength and uh I talk frequently with many customers and they do have those policies defined they have them written down you know great little manual sitting on their desk but if there's no way to enforce that then people are are finding ways to bypass that policy so if you don't have the ability to enforce policy and when I say the ability to enforce it it's it's an
automation around being able to enforce it people are going to figure out ways to bypass what you have in place because it's less convenient for them and then you'll end up with code sign signing challenges there's also the issue of lack of glob Global visibility so if you're on an infosec team for even a large company with thousands of employees you're probably your group is not that large maybe 10 15 maybe 50 people at the most but if you think about how many people in your organization is actually writing code and then that codee's getting signed it's it's happening all around the globe and uh you probably don't have visibility into everything that's going on but if there is a breach of some sort
like with what happened with Asus or um or with marisk who's what's going to happen they're going to come to your team and say how did you let this happen so it's really imperative that that we do get Global visibility we need to understand things like what code signing certificates are being used what uh pieces of software use those code signing certificates when they got signed uh who did a code signing operation things like that so without that Global visibility it's really hard for you to even gauge the uh magnitude of the risk that that your organization has and then we also have to deal with Rogue development teams I'm an a old software developer that that's my
background and really you know we software developers they have so much pressure to get out new features and get out new features faster than ever before and they're focused on testing and Integrations and things like that security usually Falls pretty low on their list of priorities and if if as a as a infosec team we're trying to to put process on them and say well you can't do things this way you got to go through this set of manual steps development teams are going to find workarounds and we see this all the time with with our customers is that they find workarounds they go Rogue and then they put the company at risk because uh they just
need to be able to to move fast with their software releases and they'll code sign in any way that they can so just to to finish up here um I wanted to to leave you guys with some tips that that we have on on how you can make this better for your organization and walk through each of these in just a little bit of detail but before I do that I want us to think about code signing a little bit differently than we think about other kinds of pki information Cod signing is really a process it's a pro and I say it's a process because it involves people so these are the people that are actually
doing the Cod signing operation it involves things like the C Cod signing certificate or the keys and it involves activities so it's actually you know the the exercise of actually running that code signing command to assigned the to create the digital signature for that piece of code and if there is a failure in any of these areas so if if if there's if this is insecure if we can't control who has access if we can't control the actual keys if we can't control what gets signed that means the entire thing's going to fail and there's going to be a vulnerability across the board so as we think about protecting code signing we have to think about how do we do that uh
in terms of securing the entire process and that's what these best practices are centered around is is how can we secure that process so first one I want to talk about is really uh it's should be obvious to all of us it's it's to secure those private keys and to secure those private keys we're either going to put them into an HSM and and keep them there or into some other kind of encrypted storage to where we limit the access of who who can get to those and um um the thing is with Secure Storage is that if that key needs to come out of the Secure Storage in order to do a Cod signing operation it's immediately not
secure anymore because someone can easily make a copy of it and then at that point you know that code signing key is is is not secured and uh we're back at at square one so secured storage means they're in a safe location and that we they never leave that location once the key gets created uh for any reason so the next next best practice is uh to provide your teams with Enterprise visibility so even if you have development teams around the world you want to be sure that you know everything that's going on around code signing because it's an important part of of um securing the business you need to know who has signed what pieces of code when
do they get signed what build servers or what servers were used to do the signing operations what code signing tools were used uh what time a day what days of the week all that is really important information for you to have because it helps you to build risk Trends and and um and be able to identify um uh patterns that might indicate that that a a code signing credential is being misused next step is you need to to control the process so you need to be able to say okay only these select people can access the key and when I say that I don't mean they actually have the key they just can they can access it for
a Cod signing operation you need to be able to specify who should approve the use of that because that is a a very important control mechanism that if I'm a developer I shouldn't be able to use that key whenever I want to I you know there should be some approval process uh in order for me to use it because that's how critical these are so we need to be able to say you know this person this person this person has the authority to approve the use of that par particular key if um there are requirements around encryption strength or which certificate authorities are used or which H HSM should be used that should all be defined and you
should be able to have a way to automate that that uh control and then we need to think about an automation process that's convenient for developers again I go back to that whole notion of Rogue development teams and and they go Rogue just because it's easier for them so it really becomes important for us to find a solution that is going to make their life easier and it's going to make them want to use the solution in place and that usually means don't make me learn something new and don't slow me down from what I normally do and allow me to work with the tools that I already use so those all are really important to to keep those
development teams happy and then finally you need to be able to have intelligence around around what's going on within your your organization on COD signing you need to in some cases you need to show compliance that yes you your policies are being followed you do know you have visibility into every codes signning operation that occurred uh you know who's access what certificates and and be able to identify risk trends that that might indicate a problem and then again you know this has to be developer friendly and I I'm I'm saying this twice because it's that important uh we have so many customers that that we work with that they have tried their best to create an
infrastructure that secures code signing but it's inconvenient for their developers and so their developers will Grumble for a while and then eventually they just stop using it and um uh when that happens they're back to square one of of having an insecure process and finally I just want to leave you with this uh white paper it's it's really really useful uh a lot of what I covered in the best practices comes directly from this it's a nist paper that talks about what security considerations your organization should should put into place to protect code signing so with that I'd like to thank you for your time and uh wish you all a a great weekend and I'm happy to to
answer any
questions okay Eddie I think there's one question for you in the Q&A it's about revoking code signing keys so you can revoke the certificate but the problem is is that if that certificate has been used to sign a piece of code and that and a timestamp was used then even though you've revoked it it's still going to be a valid piece of code that's going to be have that's going to have a valid signature that's the whole reason why this is so scary for me at least that um you know you don't take all the precautions and then your key gets out your private key gets out someone signs some malware with it there's really nothing you can do at
that point okay cool um well thanks so much Eddie for presenting appreciate it I think that's the only question in the queue um I really appreciate everybody coming out today and jumping on the zoom and for all the questions in chat um just as a reminder uh the CTF which if you join the bside slack um and then via the link or button on the website besid Sal Lake city.org uh you can join the hash CF room and get the details for the CTF and that's going to be open till 3M tomorrow so really appreciate secure C code Warriors for putting that CTF on also really appreciate all the work that all the speakers put into their
presentations today um in addition to um all the work that Pope and team did on the media and recording and streaming to YouTube um that's amazing they they're able to get this all working and you know basically a week and um you know also just another shout out and thank you to the sponsors um really appreciate um your support and and for all of you um coming out and and listening uh I am we are going to email out a link tonight another email which will have the zoom information for tomorrow morning just to reate reiterate we will open up the zoom at 9:00 a.m. tomorrow morning mountain time and then at 10:00 a.m. uh the
conference will start uh whan is up first first and he will be speaking about um electronic badge he designed and um and the schedule is up on the bsides website if anyone is interested in uh checking it out if you have questions uh for the speakers or for myself uh feel free to jump on the bside slack I think most of the spe speakers are on there at this point um and yeah thanks everyone for coming out we'll see you again tomorrow at uh 10: a.m. when waying kicks off the talk
thanks e
Related talks
56:25
28:38
41:28
1:00:45
55:42
53:47