
All right, next up. Where's my notes? Yeah, it's Edwin van Andel. He's not here yet, but he will be soon. He was going to talk about, yeah, basically all fields of infosec, so I hope you will enjoy it. Give him a warm round of applause and have a lot of fun. Take it away. [Applause] [Music]

Hello. Thank you, thank you for the introduction. Right, awesome, you are all here. Let's have a bit of fun, but first some seriousness. Have you heard this story? It's a Dutch guy. He did a lot of info security stuff, he helped a lot of researchers be secure and he helped a lot of press be secure. He's missing. He went on a holiday in Norway and he's missing now for over a month. So if you have any friends in Norway or whatever, please inform them and try if we can find him, because it's very horrible for us, because we were on stage a lot, and for his family. So, serious things there.

As always, a warning: I fly too much, so if I cough, I mean, yeah, I'm sorry. When you're flying you keep having colds; everybody who does this work knows. So excuse me. In front, oh yeah, the audio guys: I really loved how he was near the blue points, so I took it a little further. He's called Sam, but let's now call him Mickey. And Cooper, as always, thanks for all the video work, and of course all the awesome BSides guys, you're perfect. Anybody on the 15? No? Is it legal? No, it's not legal. Okay. Some slides are a bit scary, but you could use it. As always I'm giving away some Mate. I know you can get it in for free, but I do it anyway. So if anybody never drank my tea, by the way, yeah, would you like to try? It's really awesome, it tastes like cigar, makes my friends tease, yeah, it's really cool. Right, do you know what this is, by the way, the picture? No? Give it, guys, the guy in the back. Yeah, this is the Internet, 1973 or somewhat. So you want a bottle? Congratulations, you can get it here or over there, whatever. Ah, leave it, leave it, it's just for the idea.

All right, who am I? I'm Edwin, and some of you may know me from last year. I pushed a lot of buttons when I was younger, played with the old modems. Anybody remember the modems? Yeah, for sure, yeah, awesome times, right? For the people who don't: you downloaded thirty floppies and at floppy 29 somebody might have picked up the phone and everything was gone. That's the era where I'm from, it was horrible. And now what I'm doing is basically building a company with all my hacker friends, that's the idea. I mean, there's so many brilliant minds, even in this room, and why not dive into washing machines, cars or whatever, and you can build and you can hack them and everybody knows what the vulnerabilities are. That's what we're doing at the moment. We're running a researcher program, we do a lot of coordinated vulnerability disclosure for clients and we run scanners. So that's the business part, but basically what I'm doing, and as I'm doing now, is just this: you know, I fly around the world, hack at hacker conferences, have a lot of friends. It's really awesome. That's one of my best buddies and I'm still, yeah, pretty amazed that the suit is in this size, but he made it, so please, happy free time.

I'm doing this, the Guild of the Grumpy Old Hackers, or in touch with some notes cup from the hekawis hackers, try that if you're any listen. What we do is we help younger kids who try to do things, yeah, like hacking and finding databases and not knowing what to do with them and going to the criminal side. We try to get them back, as a lot of older hackers, and it works. It works. We work with government, the Justice Department, etc., and it's awesome. And I'm doing the Cavalry. I think a lot of you know I Am The Cavalry. Some? Okay. What we do there is we try to educate car manufacturers, medical manufacturers and stuff, just to make things more secure, which is really needed, because a couple of years ago we had a talk with a car manufacturer and we said: the device in your car, we can take it over and we can steer the car, and it's broken. And he said: yeah, we know. We were like: but if you know, why don't you fix it? And they said: well, there's no law that I need to fix it, and my competition doesn't have to fix it, and if I fix it, it costs me a lot of money. And then we said: what if we kill somebody with your car? And he said: ah, we just gonna pay the people's family. That's it. And those conversations for us are really hard.

But we're not here for that, we're here for a little bit of fun. So I thought: let's talk about experts. You know the idea of experts. The experts idea is that you get some hack somewhere or some problem with information security, and people ask experts for television programs. It's really awesome to see. In the Netherlands we had a couple this year, sorry, earlier this year. We had this: Dutch banks were targeted by DDoS attacks, and it impacted people because they couldn't get their money out. So then it's national news, so every news station was asking for experts, and yeah, I suddenly have to say I was one as well. But luckily they had beer, so I had fun. This was one show, and of course we talked about the contents. But on our national television there was this lady, Rian van Rijbroek, and Rian van Rijbroek was sitting there and she was talking for an hour on Dutch primetime television about the DDoS attacks, which is good. But our phones started ringing while we were at the other show, and we thought: what's the problem? The problem was: this lady had written a book together with a politician who was known to write books with experts, and she was the world's best hacker for over 40 years. That's cool, but a bit weird that nobody in the hacking community had ever heard of this lady. So we were a bit skeptical.

She talked about security and how she broke things in her life, and one time she mentioned this. So can you guess what she was telling? No? It's like, we call it "latest" in the Netherlands, combine the two things. What do you see on the left? Sorry, yeah, but what's deploying in his face, basically? Yeah. And this one, what is it? It's a network. So she was talking about airbag networks. I think Siemens air gap networks, but, huh, everybody took it for granted. So that was a little indication that she might be a little off. Then she was talking about: she had an app on her phone where she could walk to an ATM and get all the money out. I think you still need a drill for that, it's true. But then, yet, in the end, the most brilliant solution for all of our hacking problems, and that one is still a big hit with the hacking community in the Netherlands, because she said that every hacking problem could be solved by putting your stuff in the smart blockchain. I'm not sure, I don't know what smart blockchain is, and the problem is nobody knows what smart blockchain is. But see, after this he got two states presents assists, and then they found out the book was copied from a lot of different sources, and she is now gone and nobody knows where she is. Oh yeah, Kaspersky also sued her, because he said she broke into Kaspersky. Wow, brilliant. All right, so she reminded me a little bit of this guy. Do you know this guy? You guys know this one, right? Guy Goma, awesome. Good, for the people who don't know: he got interviewed by BBC for a job, I'm not sure, data scientist or whatever, and they put him on the show because somebody had to tell something about iPhone security, and he had no [ __ ] clue. It's a really awesome video if you look at it.

A different problem we have is focus. In the Netherlands we have a major hotel chain, and they had a new thing, namely that they had an app, and with the app you get your room keys on your mobile, you walk to your door and you open the door with your mobile. Awesome service. But to launch this stuff they invited hackers, because they thought: what better commercial value can we give this if we invite hackers, put it on the television and let's see how safe our app is. So they invited me as well, which was a bit of a stupid idea. I came there and they showed me the lock and they showed me the app, and I said: what do you want us to do? And they said: well, we made a beautiful app and we solved it, and now you can see if you can break it. I said: but what's the point of this exercise? And they were like: what do you mean? And they were all in suits, you know, the bow tie. And I said: I think the essence for me is to get into the room, right? Yes, that's the idea, you have to get into the room. I said: cool. I had brought an 80-pound fishing magnet, put it on the lock, did this, and the lock was open. And then the whole board was like: no, that's not what we mean. It's about focus, people. If you hire your hackers, they are not going to break an app for three days if they can walk in by an open door. We are lazy, that's what we do. We think completely different.

Who of you has a Tesla? No one? I'll look under your seats, you never know. Okay, you know Tesla's self-driving mode, right? And every 10 minutes you have to grab the steering wheel, just to make sure you're still awake. You don't need to if you have an orange. [Music] This [ __ ] works. It works. You have to do this, though. But if you look and think about how this works, then this stuff scares me. I'm not sure if you're aware of it, but there are some ASIL standards, which indicate the need for safety in the car. So if it is D, it's very, very needed, and I think A is not so much. And if you look at how this works, for instance with the Tesla self-steering, it's D, so it's very, very important, but "sensor data, sensor feedback incorrect" Rebecca's just to be. How are you gonna match that, if your car has sensor feedback which is not right and you do self-steering? I mean, I know a guy who has a Tesla and they told him that if you put it on autosteering but you're near a traffic light, you have to put it manually off, because it doesn't recognize traffic lights. I don't get that stuff, and I think a lot of people don't get it. And yeah, even people. There was talk about people already, but this stuff, have you seen it? Strava. Yeah, military bases were completely mapped because of all the Fitbits everybody wears, even into which barrack they go. And you know, outside on the table, you've seen this. So for you it's not a big question, I think: was this the training padlock for lock picking? You want a bottle? Have fun with it. Jeez, and cigars. But this thing shouldn't be, I think, on an RAF base. What is there? I don't know. I'm sorry.

Talking about breaking and entering: who of you still smokes? Nobody? Yeah, there's a guy, yeah, you. But it's a dying, dying thing. And I mean, it used to be so much fun for us to walk in with the smoking people, but it's difficult for us now. We have to do dumpster diving to get all the passwords and the broken keys. We found a lot of RFID cards for entrance cut through half. Doesn't make any sense, because there's this little sensor area which you can still clone. So it's really awesome. And what also is really fun for us is first aid for companies. What we do is we look at a company and we see who are responsible for first aid. We get two people in, supposedly when one of those guys is on holiday, and we say: yeah, this is an unannounced drill from the guy who is on holiday, and he did it because he is on holiday, so nobody will expect it at your offices. And one guy has a burn here and we say he had an accident in the server room, and nine out of ten times we are walked into the server room. We can put some USB in, we lie down, somebody comes, gives us a bandage and we walk out. It's that easy to get into a building.

And the thing that almost surprises me if we are in buildings is this. If you are in the security mindset, and this is not a trick question, which lock would you pick? A big lock, number one to the left, or lock number two to the right? Two, right? Everybody chooses two. Then why are all the keys still behind one? If we are in a building, the most easy hack of a lock is the lock for all the keys. It's stupid. And you've got all these stacks, right, you're very secure, but you have people sitting like this in toilets, and then it's so easy for us to clone keys. And if we have a lot of money we buy stuff like this, the bus clone or kit, do you know it? It's really awesome. You get a bag with a big antenna and ten cards in different frequencies and an app on your mobile, and I stand within about, I think it's 40 feet, or sorry, three feet, and I can just say "clone" and it clones all the cards it can see. I can take it out of my bag again. It's fun to do that, but it's expensive. So we have also stuff like this, and I brought this one with me. This is $19. $19, and you can have so much fun with it. I will put it on. It is from China, so don't plug it in. And it has a warning, you know, it just says: if you're going to use this for illegal purposes, press cancel. So I vote L key, and I will try if it works this time, and the button beneath this is right. So with empty cards you can have a lot of fun for just $19. We at the office just got this, an espresso machine for coffee, and you get a card with it with 300 credits on it. We are a hacking company, let's see how long this takes. Well, we just cloned this one on that one and we ordered one cup of coffee and we looked at the differences. Wow, it's just four bytes difference. So now everybody in the office has 999 cups of coffee. And we tried of course SP like hello and stuff like that, but then the machine died, so don't do it. But I think, if this works, let's see. Yeah, this is me trying with the white card. Yeah, awesome, really cool stuff.

But elderly people don't get this, you know. And everybody says the older we get, the better, and it was so good in the old days. And what I see now is criminals even thinking this way, because last year in the Netherlands, and you don't believe it, this came via mail, snail mail, regular mail, and it states: dear blah blah blah, at week 29 a DDoS attack will take place on your business and you can prevent it if you pay, and there was a Bitcoin address underneath. And they cut it out of papers and sent it via post. Really awesome. Really awesome. People don't get it. I mean, the saddest slide I have is coming up now, are you ready? So sad. She does this every day, it's so sad. She has no clue that we are building stuff in cables, you know, you cannot trust any cable. And even the Chinese now have upgraded this: there's a version with a cell element in it, so you can see remotely what kind of data travels through a cable. This came out, I think, two weeks ago: researchers can now spy on your laptop via the sound of your USB, or your microphone, or your camera. They hear pixels change, and they've made a system that maps out the pixel noises to data they have, and they can predict what's on your screen. Wow, I mean, this stuff, awesome. Have you seen this, blue spoof? It was on DEF CON, I think last year. This guy figured that a magstripe is basically sound, so he recorded mag stripes on this laptop, made wav files out of it and played it back to a Bluetooth speaker where he replaced the speaker with a coil. And this works. This gets you free drinks if you replay your wav files via this speaker. It's really cool, we should do more of this. I mean, although people don't get it, but just imagine that you do. You know what this is, by the way? A Furby, yeah, without the skin. They're better without the skin. Just imagine that it's Christmas and you just gave your four-year-old niece this Furby, and she's playing near the fireplace, near the window, right, and we'll see how this works now. Is audio coming up? Do you hear something? Yeah. [Music]

[Music]

You can just write everything to move to sex. Oh, your little niece is now scared. Yeah, this is it. This is what I did a couple of days ago, because I had to write this talk but I'm easily distracted, I know, if you guys know that. But I was, yeah, waiting and trying and I was a bit bored. So what I did is, I thought: what if I make a Twitter search based on card info and CVV and stuff like that? So I just wrote a Twitter scraper and searched for "card" and "number" and "is", and I thought this will not get much, right? Okay. So what I got back was a little bit scary. For instance this one, I love this one. There's something about a Nectar card. I'm not sure if it's something, maybe, yeah, you know what it is? Okay, it's a loyalty card. Okay, but I like it: and they said "give this please in a DM", "well, what's DM anyway, it's my card number". Okay, but this is pretty normal. So this one also: "don't think that DM is an issue, please DM your number", and Raymond says "well, my ID number is this, my customer number is this, my card number is this". It's easy, it's just Twitter. Here's the bank, who was a bit more loyal, I think, because this lady wanted a waiver on 40k and spell interracial statements this microRNA Moe blah blah blah, and then the bank said "please delete this tweet". Wow, that's a nice service of the bank, you know, we have to see more stuff like this. And this area, I cannot show this one. Yeah, this one was also there, sir. No, no idea why I can read this. I think it's mostly, yeah, people are a bit like this most of the time.

All right, um, I work at Zerocopter, a bug bounty platform, yeah. Come on is also coming to tell something, yeah, soon, yeah, like one of our friends on the other side of the big blue ocean, let's put it that way. And also, by the way, there's a gentleman in the back, I have to do this, I'm sorry man. He's head of security of a very big firm, and he's still laughing. It's awesome. I never meet security guys who are still having so much fun, so absolutely awesome.

Why bug bounties, why pentest? Well, basically this is one for me: apparently people have lots more fun and lots more time to find stuff. I mean, we still have a lot of companies that say: yeah, I do a pen test once a year, out at school. And what's your development cycle? Every two months we release a new tool. That doesn't match, you know, you have to make sure that you have something matching. Bug bounties, these are great, CVD is great. But we get a lot of questions from companies who are a little bit scared, and one of the questions is always: are they qualified? Well, I don't know if you can see the lady's hand; she is not that qualified. But yes, they're qualified. They don't do anything else. There are bug bounty hunters making more than a million a year with finding stuff and keeping companies safe, so sure they're qualified. And then the next question is: yeah, but are they from the Netherlands? No, of course they're not from the Netherlands. We are a very small country, we don't have that many hackers. We have a lot, but not enough. So basically this is our researcher location map: we have 60 percent EMEA, 20 percent in America, etc., etc. Then the big question: how do you check those guys? And that's the question. What we in our platform say is: we check everybody who is a member of our platform, so we do ID checks, background checks, etc. This guy checks a lot of, I'm not it, this is also not me. Do you know Lichtbildausweis? No? It's awesome. If you go to a CCC conference in Germany, yeah, go there, and then for 10 euro you get one of those Ausweises and it says "Lichtbildausweis" with whatever you want on it, and from the back it's also just an ID card. And a lot of companies, public buildings, governments accept this, because they have no [ __ ] clue what it is. It is really awesome, it looks so legit. They look like: yeah, okay, looks like an ID, welcome. Really cool. We even had a reporter in the Netherlands try this to get into the home of the Queen, and it works. It's really, really scary. So buy this [ __ ]. But we check them, and once they did, yeah, bad stuff on the net, we don't let them in.

And then the final question which always pops up is: they are hackers, you cannot trust them. And then I always try to counter: but if you go to a hospital and there's doctors wearing [ __ ] masks, yeah, do you think that if you have an operation they will steal your kidney? Why would they do it? It's the same with our guys. And of course there are some stupid guys doing bug bounties, and that's always there, but we have to just work around it. I mean, this is what we see a lot: "I want to warn you, you have TCP 3128 open." For a bottle of Mate: what is it? No, it's not remote desktop. Next one. Squid, yeah, your local proxy. So those people are hacking their own networks. Awesome. And we still get a lot of people doing [ __ ] like this. This one is also great: the guy warning a company, which are friends with us, that there was a login page somewhere, and if an attacker could guess username and password, they would get in. How is this in the first place a security vulnerability? And they even didn't look, because there was also two-factor authentication on the page. But don't bother to do stuff like that. We get a little bit more scared when we see stuff like this: "I want to warn you, you are vulnerable to CVE blah blah blah." Now we're interested, but then you look at it and it's a PHPMailer remote code execution, while we are running a Ruby on Rails framework. It sometimes gets you in the walls, you know. So yeah, this is not a really nice picture, but I love it, this one: heck own props, "due to improper configuration the following directories are open and the files are listed". Okay, that could be scary, but it's basically a mirror distribution of Debian. So: "have you had the time to consider whether this might be intentionally left like this?" People are still reporting [ __ ] like this, and if you want more of this, go to book Monte dot fill by Melvin. He has a lot of bug bounties which were opened where you can laugh your asses off, if you are in the mood.

Also, responses is always a problem, and yeah, last year I think I did this as well, so I will go pretty quickly through this. But this one, brilliant: they were closing a report on HackerOne, and this guy says: "you [ __ ], I know this is out of scope and your team member Bella bloody BBB taxi driver". You don't say "taxi driver" to a reviewer, that doesn't work, you don't get a lot of creds. But also the replies from the other side suck. This cross-site scripting, you know what it is. The best response ever came from a guy, I think whose name is Kevin, who told the people: "it looks like you are trying to add JavaScript in the gallery, which isn't possible; you should need to add letters and numbers only." Do you get this? It means that even the guys who build stuff like that think that if you can put code in your fields that is not an issue, and you shouldn't just put code in the field, because it's not intended to put code in the field. That's what we live for, you know. Get off my lawn.

And this is also a big problem. We run for a lot of big companies, we do a lot of CVD, coordinated vulnerability disclosures, which means that a company says: if you have anything to submit, or if you find a security issue on my site or my product, please report it. We triage it for them and then it goes to the client. But then when somebody reports something, in the end, when it's fixed, they want to brag about it. You know, if you find something really cool at a big site, you want to write something about it. And still that's a big issue with a lot of our clients, because they don't want the publicity, even after it's fixed, that they had a problem. So we have this guy in the Netherlands, Jonathan Bouman. I promised to put his name and his stuff on it, just because, yeah, I borrow his stuff now. And he had a problem with one company. Can you guess which one? Yes, okay, it's a little bit Swedish. But let's go. What he did, as most of those guys do, is he scoured for interesting domain names, and he found a lot of them, and he was interested by one, which was the bathroom planner. In the bathroom planner you can plan your bathroom and you can later build it, which is really awesome. If you are done with selecting all the stuff, you have an option to get a PDF out of it, to generate a PDF. That's pretty cool. So what he did: he looked at the connection, put Burp Suite or whatever in between, and he found an interesting string which he decoded, and there was a lot of stuff going on with getting the images from the server. So he thought: what if I just put my own stuff in it and ask for /etc/passwd, would this work? And he tried and he failed, which is good of course. But then he looked something further and he found out that the library they used wasn't completely up to date, so there was another option with an annotation file. So he put this code in his replay attack, it's /etc/passwd content, and it's "write it", and voila, in his new PDF was an annotation with the passwords of the IKEA server. That's cool. So he reported this, but whatever we tried, he could not get the allowance to publish this. So in the end we basically put IKEA people together with him, he explained it, we tried to help them, and now he finally has made this beautiful stuff, so you can look it up, and it's really awesome. But I think if you do bug bounties, if you do responsible disclosures, of course you can pay directly, you can give them shirts, but also let them please tell everybody what they found, because it will help an awful lot of other companies who have the same problem. So try to do stuff like this. Hug them like you mean it, yeah, teams. After this conference, you see what's in it.

Okay, now I'm gonna piss some people off. Are there tell us people in the room? No? No? Okay, now I'm not gonna piss you off, of course not. But sometimes I wonder, because if you see this: Siemens was act foreign, the gigabytes of information on SCADA systems is out there. I'm not sure if they found it yet, but it's pretty scary, because it runs a lot of factories, waterways, etc., etc., etc. But they say indictments for ft3, and I always get worried. I mean, I saw the keynote this morning, I saw it a little bit, and they were also doing what I'm going to do now, but they say it works. The Internet is pretty big. It isn't one country. We have in the Netherlands, by the way, one politician who says we have to border and caption the Internet, so that there will be internet only in the Netherlands and not connected to other parts of the world. Wow, I'm really looking forward to that one. This one we have seen, of course, WannaCry, and what they say as well: this was North Korea. And the other guy said it as well, and they do it because of this type of stuff. You know, I used to write assembler, so I noticed: they say if you're matching code lines, then it's probably the same. I can cut and paste some code lines in it. How am I sure that this is the issue? I mean, if I was North Korea, I would be laughing, and we have a picture of them laughing their asses off on this news. This one also, yeah: now we also know it because we hacked into North Korean networks and we saw them type it. Well, if you hacked into somebody's computer and saw them type it, can't you just type it yourself on their computer? I'm just wondering, you know, I'm not saying it is true or whatever, but I'm just wondering. This also: US officials say Russian digital fingerprints on election hacks. And why? Because somebody used a keyboard with Cyrillic characters. I have one, wanna borrow it? You know, now a Russian criminal. Awesome. This is stupid, you know. People still don't understand you can hop and you can use different countries to get in and out, and you can use Tor to do all the stuff you want. People don't know, and we have to educate them. We have to know how it works. And I think there's only one, only one, who has it right all the time when it comes to this sort of stuff. I want to see it, um, yeah, but what's right again, you know why, because it's a looping gif.

Yeah, I'm going to the end, because we're always running out of time, so I'll make this quick. I have a dream, and I shared this last year with you as well, but I would still want to share it. If you look at all the hackers, we have about five to seven percent who do it for good, just want to help, don't want anything in return, maybe a bounty or whatever. You still have 30 percent of companies looking into other companies, espionage, will still be the same. 50 percent Anonymous and people like that, perfect. Ten percent basically script kiddies, and then 40 percent people go the criminal way. Well, in the Netherlands we find that going the criminal way means mostly that people are 14, 15, 16 years, working in their small rooms upstairs, finding a database with weird stuff in it, knowing they cannot use it but shouting about it to their friends. Then the criminal says: for 10,000 euro I'd buy that database off you. What do you do when you're 14 years old and you get ten thousand euros for a database you can't use yourself? You do it. But they don't think about the fact that after a month the criminals are coming back and saying: give me another one, give me another one, give me another one, or I will do this or that, or this or that. What if we can help those kids, and we can make sure that they connect on platforms like HackerOne, on platforms like Zerocopter, for instance, and get them money for hacking? You know, let them do what they like and just make money out of it and help the world get more secure. The 10% of script kiddies we have: why don't we educate them, why don't we take them into our security firms and let them learn? They want to learn how to hack, why don't we help them? We are doing it in the Netherlands, even with government: people who are mildly punished for stuff that they do, we take them in and we let them see what security is and how it works and what we can do with it. If that will work, in an ideal world 55% of all the hackers would be on the good side, and then we will have a safer internet. And I'm sure it's utopia, but the more we can build to it, the better and the safer we will be.

So I will go to my last and final slide. As always, I hope you had a bit of fun. You can forget everything I always tell you, it doesn't matter, as long as you remember the right part of the last slide. Ready? There you go: hackers are sweet people, hackers can help you, you yourself might be one. Just spread the word and make sure that everybody uses everything here. Thank you very much.

Other questions? No questions? No time. Okay, see you guys later, bye.
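The coffee-card story from the talk (one clone, one coffee, a few bytes of difference, then 999 cups for everyone), as an added example that is not code from the talk, the speaker or the machine's vendor: it simulates a card whose credit counter is plain bytes, so the dumps differ only in the counter and an edited dump is charged like any other, beside a hardened record with a keyed MAC and a per-card sequence number that the backend checks. The byte layout, key, uid, `Backend` class and sample values are all constructed for this demo.

```python
import hashlib
import hmac
import struct

# ---------------------------------------------------------------------------
# Weak design, as on the coffee machine in the talk: the credit counter is
# plain bytes on the card, so a clone carries the same credit and an edited
# dump is accepted without question. (Layout constructed for the demo.)
# ---------------------------------------------------------------------------
BALANCE_FMT = ">I"  # 4-byte big-endian cup counter, nothing else on the card

def weak_card(balance: int) -> bytes:
    return struct.pack(BALANCE_FMT, balance)

def weak_charge(card: bytes, cups: int = 1) -> bytes:
    """Terminal logic that trusts the card: decrement and write back."""
    (balance,) = struct.unpack(BALANCE_FMT, card)
    if balance < cups:
        raise ValueError("insufficient credit")
    return struct.pack(BALANCE_FMT, balance - cups)

def changed_offsets(before: bytes, after: bytes) -> list:
    """Byte offsets that differ between two dumps (what the team compared)."""
    return [i for i, (x, y) in enumerate(zip(before, after)) if x != y]

# ---------------------------------------------------------------------------
# Hardened design (constructed here, not the machine's): the card holds
# uid || balance || seq || MAC, keyed with a secret that only the terminal or
# backend has, and the backend remembers the last seq it wrote for each uid.
# Editing the balance breaks the MAC; presenting a clone replays an old seq.
# ---------------------------------------------------------------------------
TERMINAL_KEY = b"constructed-demo-key-do-not-reuse"  # lives off-card
UID_LEN, MAC_LEN = 4, 8
REC_FMT = ">II"  # balance, seq

def _mac(body: bytes) -> bytes:
    return hmac.new(TERMINAL_KEY, body, hashlib.sha256).digest()[:MAC_LEN]

def issue_card(uid: bytes, balance: int, seq: int = 0) -> bytes:
    body = uid + struct.pack(REC_FMT, balance, seq)
    return body + _mac(body)

def balance_of(card: bytes) -> int:
    return struct.unpack(REC_FMT, card[UID_LEN:-MAC_LEN])[0]

class Backend:
    """Tracks the latest sequence number written for each card uid."""
    def __init__(self):
        self.expected_seq = {}

    def charge(self, card: bytes, cups: int = 1):
        """Return (new_card, status); new_card is None when rejected."""
        body, tag = card[:-MAC_LEN], card[-MAC_LEN:]
        if not hmac.compare_digest(_mac(body), tag):
            return None, "bad_mac"          # edited or forged record
        uid = body[:UID_LEN]
        balance, seq = struct.unpack(REC_FMT, body[UID_LEN:])
        if seq != self.expected_seq.setdefault(uid, seq):
            return None, "replay"           # clone or rolled-back state
        if balance < cups:
            return None, "insufficient"
        new_card = issue_card(uid, balance - cups, seq + 1)
        self.expected_seq[uid] = seq + 1
        return new_card, "ok"

def demo():
    # Weak card: one coffee changes only the counter bytes, and a dump edited
    # to 999 cups is charged like any other.
    before = weak_card(300)
    after = weak_charge(before)
    weak_offsets = changed_offsets(before, after)
    edited_ok = weak_charge(weak_card(999)) == weak_card(998)

    # Hardened card: the original works once, its pre-charge clone is
    # rejected as a replay, and a dump with the balance bytes overwritten
    # fails the MAC check.
    backend = Backend()
    card = issue_card(b"\x01\x02\x03\x04", 300)   # constructed uid
    clone = bytes(card)
    card, s1 = backend.charge(card)
    _, s2 = backend.charge(clone)
    edited = bytearray(card)
    edited[UID_LEN:UID_LEN + 4] = struct.pack(">I", 999)
    _, s3 = backend.charge(bytes(edited))
    return weak_offsets, edited_ok, s1, balance_of(card), s2, s3

if __name__ == "__main__":
    print(demo())
```

The backend state is what makes the clone detectable: two cards with the same uid cannot both be at the expected sequence number, so whichever is tapped second is refused.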