BSides Prishtina 2023 - Live
Show transcript [en]
foreign
good morning messages
I'm going to switch to English given that we have in audience and speakers who do not speak Albanian so first and foremost good morning everyone and welcome to the second edition of uh besides Christina my name is and I'm truly honored to be your host for the next two days we have incredible lineup of speakers and also some amazing workshops and today and also tomorrow but first and foremost I would like to express our gratitude to organizers Mustafa and flask flask is a local NGO who have put a countless hours and effort in organizing this event for the second time I would also like to express our appreciation to University of Pristina for hosting this year event thank you it's great to
be back here last time that I was here was probably in 1997 1998. foreign of course uh I would like to thank our sponsors as well uh without their support we want to be here today but most importantly I would like to thank our esteemed speakers some of which flew from different parts of Europe and some of them also like flew from across Atlantic and we are looking forward to your speeches to learn from your experiences and so on last but not least I would like to thank each and every one of you for those that are for the first time welcome to besides for those that are for the second time returning thanks for
attending this event before we dive in just some housekeeping rules please take a moment to turn your mobiles into a silent mode please we kindly ask you to maintain a quiet atmosphere so we don't deserve our speakers and also your your fault uh colleagues as well and in order to minimize disruptions during the presentation as you can see there's only one entrance going in and out if you need to move if you can wait during the breaks that would be great so and then lastly some logical details emergency exits or only through this door there's no emergency exit up there if you need to use your restrooms just across the door there's another door and
then the restrooms are to your left and then last but not least there's a Wi-Fi access I believe it's a free use it at your own risk so without further Ado it goes without saying that this is a fantastic opportunity to meet like-minded colleagues professionals so I encourage you to network during breaks and then at the end we will have a network session so once again welcome to besides Pristina let's get started and have an amazing day I'm gonna pass the floor to Professor Razer of University of Christina as well for this yours thank you [Applause] dear vice Dean Professor krasniche dear colleagues as team guests uh dear students it's my real pleasure to welcome you all to the information
security conference besides Christina 2023 as faculty of electrical and computer engineering part of the University of Pristina we are hosting this very important event which brings together professionals experts enthusiasts students related to the information security uh in today's world in today's world in the interconnected World information security is becoming very important it's becoming a concern not only for individuals organization but also for Nations and therefore taking measures at tackling this issue is becoming more and more important at our University at our faculty of electrical and computer engineering we offer several courses related to information security and Bachelor master and PhD level preparing the next generation of professionals tackling the challenges of information security uh I think besides Christina 2023 will be a
great event bringing together experts and sharing is going to be a point to sharing our knowledge our approach to information security we will have inspiring talks and will bring together and have a partnership with industry Academia and so on last but not least on behalf of the dean of the faculty Professor Shabani I would like to thanks organizers especially dardan and his team all guests coming from different parts of the world and making this happen and I wish you all a fruitful and enjoyable conference thank you foreign I just want to thank you everyone for showing up and some people are still sleeping so they will show up later and most likely and uh I would like to thank
valmir and Japan for really helping out a lot with the organization of well this event and uh without forgetting our sponsors so I would like to thank bonka economica omotza or AMC the the ones that have built up the leading system and then uh and they have uh well uh Intrigue Jonathan cran so he's uh supporting us for the second year and then we have Salinas again supporting besides Christina for second year without forgetting Sentry they are back again and uh lost but not least permisso so it's a new company we have blown here that started working there and we have our dear friend Daniel Bohannon that couldn't join us this year and uh I
would also like to thank pentaster lab for offering vouchers for the CTF tomorrow and uh hack the box or hdb which also offered several vouchers so I would like to well to announce it again that tomorrow from 9am until 5 PM we have the CTF or the capture the flag going on we already have plenty of teams registered so if you haven't and you want to win some amazing prizes like flippers are zeros vouchers for pentaster lab and uh Hagler books just do it and well win and uh we also have a little surprise so we have our raffle game so basically you need to go to the registration desk and get a number and at the end of the day
today and tomorrow we will uh randomly pick winners so we have probably about 14 prizes in the raffle raffle game so seven will be announced today at the end of day and then the other September so thank you again and uh yeah have fun and yeah never stop hiking [Applause] okay with that being said thanks Jordan uh thanks Professor Reza uh or keynote speaker it's Mr Yasin a book here he's a white hacker and principal security consultant coming all the way from France after each speech there's gonna be a five minute q a session so I encourage you to engage and to learn and to make questions Yasin the floor is yours [Applause]
test test sorry change batteries okay
so test test yeah it's working
man it's working yeah hello everyone uh thank you so much for being here uh thank you for showing up and thanks for the b-sides organizing theme for organizing everything making sure everything is working and running smoothly uh [Music] perfect thank you uh so basically this is my second time here in Pristina I was here in 2019 for a different conference so it's always uh great to be back here and just uh enjoy the city uh so basically uh to today we're gonna talk about a topic that is very dear to me that some industry that I've been involved for a decade uh we're gonna talk in a we're gonna be talking about like bounties uh and I'm gonna share
with you some insights that are and lessons that I've learned from my experience doing backbone is as a hacker hacking different companies like high profile companies say Facebook Google Apple Etc so I'm gonna be sharing some lessons some insights that I've learned from that experience and I'm also going to be sharing the lessons that I learned actually managing those back money programs for some of the biggest companies uh so but before we start I just want to have an idea how many of you here are familiar with the concept of back bounties can you raise your hands uh all right that's good how many of you have earned a back boundary before a boundary payment
all right I think this is a good start all right so we're gonna we're gonna talk about it but before we dive into the topic I just want to introduce myself uh so my name is Yasin abukir I'm originally from Morocco I'm currently based in France uh so I hold two Master degrees uh both of them are in management and business basically which is very irrelevant to what I'm doing now as a career it just goes to say that it doesn't really matter what you studied before as long as you have the passion to pursue what you really like and what you're really passionate about so right now I'm doing cyber security apparently uh I do application security Consulting
so basically I work with companies to provide them with uh consultant Services say penetration distance security assessments and whatever uh from 2017 to 2019 I worked as a security analyst for a company called hacker one it's a back mounting platform I worked as uh through Azure so basically I tried for back money programs belonging to some of the biggest companies where so I'm going to share that experience later on the on the presentation uh currently this year I actually joined the hacker one hacker Advisory board so basically my role is just to ensure that the hacker Community is well represented and that the hacker feedback is Incorporated in their products and services and I've been
doing back bounties since 2013 so basically it's been a decade 10 years and I am one of the hacker one top 20 hackers all-time top 20 hackers and last year I actually won one of the live hacking competitions back in Denver as you can see in the picture I'm holding the image belt I look like a UFC fighter I know uh so I won the first place we which was quite an achievement because like it was very competitive so yeah that's it but so now we're gonna start by just like for the people who are not very familiar with the what the concept of the bounty program so a bank money program is basically when a company uh
seeks the help of the security and research community help so basically see a company like Facebook Google they want the help of ethical hackers to find security vulnerabilities on their services and products so they set up uh what we call a backbonnet program which has all the kind of roles uh that you should know before participating and once someone like a hacker an ethical hacker or a security researcher finds a security vulnerability they get paid what we call a bounty which is a monetary payment as you can see in this screenshot here this is an example of PayPal backbone program which is hosted on the hacker one platform so this is basically how it looks like and every
back Bounty program has a set of roles or sections uh so a background program they have what we call a bounty table as you can see here in this screenshot there's a bounty table so what is a boundary table is just like how the the monetary reward that you can expect when you find the security vulnerabilities security vulnerability on their product so if it's like a low severity bug you can expect this much if it's like a high severity bug you can expect like 10K uh US dollars or if it's a critical this is how much you're gonna expect uh and every program has an in-scope vulnerabilities these are the security bugs that the company is interested in
they want to hear they want to hear about they want you to find those so they have a list of those in-scope bugs and just like in scope there are out of scope bugs like the company has a list of bugs that they're not really interested in either because they are informative or they are low severity or it's just basically they are false positives so as a hacker you don't want to look for those bugs you just want to avoid them because they're going to be a waste of time and every program has Rules of Engagement it's like roles that you should abide by if you're gonna start hacking on PayPal these are some of the rules that you should respect
some of the rules for example is just like to avoid heavy automation just do not run heavy automation on the on the on their products because you're just gonna bring it down these kind of rules that you have to respect and then there is this service level agreement the the acla is just like the times that you're gonna expect like time to acknowledge your report or your bug how much time are you gonna have to wait to get paid and how much time are you gonna wait to have the bug get fixed or resolved and there is a safe harbor close which is optional which is started recently talking about it the Safe Harbor Clause
is basically a legal Clause that the company is basically stating that as long as you act in good faith like you have good faith and you we're not gonna prosecute you we're not going to pursue any illegal action against you as long as you act in good Faith which is very important because uh a lot could go wrong so as you can see I'm pretty sure you guys are very familiar with these logos these are the companies some of the Fortune 500 companies that are running their back money program so these companies they're basically working with ethical hackers to find all those security vulnerabilities that may be affecting their own products so basically we have sales for Snapchat
slack Facebook Apple Google so all these companies they have what we call a pack money program so if you have the skill set that it requires and you can find security vulnerabilities on their products you could get paid a bounty in exchange so how I got into background is just want to share with you in my story how I started doing back bounties so basically before uh when I was in my teenage years uh uh I was very passionate about hacking I loved finding security bugs in random software so basically I just go on the internet find the random software and just poking around and find bugs on that software I I was just doing it for
free because I liked it I enjoyed it but uh what I what I did is that when I find a bug I just basically write the details and I publish it online without even coordinating with the vendor without notif notifying them to get it fixed or anything uh as you can see here it was back in 2011 2014 2013 these are some of the bugs that I posted on the exploit databases uh if you if you guys are familiar with millworm for example the exploit DB so I find a bug and I just post it online without even getting fixed which is which is bad because this is not how responsible disclosure works you have to record in it with the vendor
to like responsibly modify them of the bug so that they can get it fixed and then you can publish your your bug publicly but I was doing it the wrong way which I call the Aries irresponsible disclosure phase as opposed to responsible disclosure so because if you're a familiar we when we're doing back bounties or just vulnerability disclosure in general we have what we call in 90 days rule so basically when you find a bug you have to report it to the vendor you have to report it to the company so they can get it fixed and the company has 90 days to get it fixed if they don't get it fixed in 90 days then
and then you can actually publish it with the security communities you can make them aware uh if they get it fixed in a timely manner then you can share the details but you you're not really allowed to share the details publicly before it's fixed otherwise it's an Uday it's going to be exploited nauseously uh so fast forward to 2013 I was just scrolling uh some art reading about some news articles and I uh I stumbled upon an article that is about a platform called hacker one and that now you can actually work with companies you can hack companies legally and actually get paid for it because I was doing it for free back then so that was an intriguing
idea and I I just went straight on hackeron platform and I signed up in 2013. so I started poking around and what I found is they have uh a lot of Open Source projects like python Django rubion reels so basically they want you to find bugs on those projects but back then I don't have I didn't have really the right skill set I did not have much code review skill sets so I couldn't find anything in 2013 I was just poking around but no luck at all uh so fast forward to 2014 like one year later I found my first bug my first bug and I earned my first Bounty it was the dumbest bug I ever found honestly so it
was a it was on Yahoo and what I found it on Yahoo uh so basically the bug was just like resetting the vote so Yahoo they have this board this suggestion board where users they can post suggestions on other users they can upvote and downvote the suggestion so I was just poking around and I when you upvote the suggestion there is a parameter called vote value it just increments by one right so this is like thinking what what can I do here and I change the value of the vote value to 1600 which is a long number and I just clicked on upvote and what happened next is just I reset the votes to zero if you
can see here it was like 300 350 57 and then zero this is the dumbest plug I ever found it was a low bug bot fortunately I got paid for it I submitted it to Yahoo was back in 2014 and I got my very first boundary which was like 400 bucks and always let's I did not believe delivery because I I was doing this this for free and now I get paid for it and I can do it legally I can hack a company and get paid for it which is which is awesome and I I couldn't really believe you so I was like is this real and I was still in University and the next summer I just
spinach is looking for bugs I spent the whole summer just hacking companies because I this is this is too real for me to so let's talk about some common bug hunting mythologies like when you're approaching a Target what can you do like how can you approach a Target like from my experiences from talking with other bug hunters from with other hackers there are busy I I realized that there are basically four methodologies when you're hacking there are some people when they're looking for bugs when they're looking for security vulnerabilities they automate everything they basically automate everything they don't do anything manual like they've built their automation that they deploy to servers and the automation just continuously
looking for bugs and they don't do any manual work which is awesome but there are other people they do full manual the full manual methodology is when you're actually going deep on the on the application and you're doing the manual hacking without any automation without any tools apart from some necessary tools like a whip proxy for example uh so there are some people who likes to who like to do full manual hacking which is cool and there are some other people who do what I called 50 50. this is my methodology which is basically the the first phase of hacking you do with with Auto with automation I mean you use a lot of tools to collect data like do
some reconnaissance fight some sub-domains DNS data fingerprinting all that stuff and then once you click that data then you can do the manual uh hacking then you can use that data to actually start manually hacking and looking for security vulnerabilities on that data so this is my methodology and there are some people they do what I call the zero day all the things so basically these people they they go and look for bugs on software there that are widely used by the the companies for example WordPress they go and look for a bug on WordPress a zero day and then once they find this bug on WordPress they look for all the companies that use
WordPress and then they submit those reports to them so they basically do security research and they find zero days and then they find all the companies that use that vulnerable software or technology
sorry guys
perfect I don't know what happened there uh so the question here is which one of these mythologies actually best that is the natural question which one should you go for actually uh the thing is that all these methodologies are have proven to be effective they have proven to be successful as you can see here on each category there is a successful Bug Hunter who have made Millions just using that methodology for example the full automated we have Eric today is new he's one of the best hackers he he's a very successful in the million dollar Bounty he doesn't do any manual hacking he basically built an automation machine that is continuously working and looking for bugs on a daily basis like oh it's
just working when he's not he's not doing any manual manual work and then the full manual we have Ron he's a very successful Bug Hunter as well Ron just doesn't do any automation as opposed to Eric he just likes to do manual hacking just go deep on the application understand it and just find logical bugs and the 50 50 we have the legendary France Rosen one of the best hackers and we have shops for the zero day all the things shops he is one of the co-founder acid note if you go to acidnote.com they have so many uh blog posts about zero day vulnerabilities that they found on on software uh on popular software so
basically he finds out days and he just submit those arrays to bugmonic programs and it works it works for him so they made good money out of it and they're very successful that means that all the mythologies actually work I mean depends on you but if each methodology can come at a cost for example the full automated one it might be very costly because you're running a lot of servers so it might be very costly to run those Cloud servers uh the full manual you might just be manually hacking and then you might not find any bug at all so there is a cost for each of these methodologies uh so go big or go home like like these
successful back hundreds these successful hackers one of the things one of the things that I noticed is that they all try to focus on high severity security vulnerabilities uh High severe High severity security vulnerabilities like P1 which is critical vulnerabilities these are usually server-side bugs uh could be an rce SQL injection ssrf or P2 uh High severity bugs or stored exercises and account takeover authentication Bay pass so all these bug Hunters I noticed I observed that they are actually focusing on P1 P2 which which makes sense why because first of all they're avoiding duplicates and related frustrations because in Black Bounty you have to be the first one to find the bug to actually get paid
if you find the bug but someone found it like before you're not gonna get paid it's gonna be going to be a duplicate but when you're focused on P1 P2 not a lot of people are actually focusing on that kind of vulnerabilities and they're not easy to be down as well so you're avoiding the duplicate frustration also when you send a high severity back to a company they quickly fix it they have to quickly react otherwise it's going to be exploited maliciously so they quickly get it triaged and fixed which is good and then you have high monetary rewards so basically when you're focusing in P1 and P2 you're gonna earn a lot more than
actually focusing on low severity and medium bugs I'm not seeing by any chance that you should avoid looking for low severity or medium bugs it's just that you're you have to shift your focus to looking for P1 and P2 box if you've got the right skill set and then when you're doing bug hunting you want to focus on healthy and high p and big money programs there is a lot of frustration that can originate from doing back Bounty there are so many companies running a big Bounty but they're not all great because like sometimes you submit a report to a company and you have to wait months before they even respond to you or you
have to wait months before you get paid so you want to be picky when you choose which company you want to hack on these are two companies for example which are amazing the first one is gitlab if you're familiar with it and the second one is Shopify gitlab for example for a critical they pay up to 35k which is great it's a it's a good return on investment uh and Shopify can even pay 200k for a critical vulnerability that's why I'm saying you have to focus on P1 and P2 because there is a high monetary reward out of it and these companies are very healthy they have a great security team very reactive all that stuff uh and before you start
before you choose a program if you for example are using the hackeron platform you can on the program you can see these statistics these are very important before you start hacking our program you see the average time to First Response is how much time it's gonna take for the company to acknowledge your report to get back to you how much time average time to Bounty how much time until you get paid which is important you just want to get paid so it's important to cut it short and how much time to get your bike fixed also you you can see how much this is a PayPal background program this is how much people paid over the
years they paid 8 million uh Bounties in total and you can see the average Bounty that they paid for hackers the average is usually 2K to four 4K and sorry the top Bounty is uh is they paid 52 as a top Bounty as you can see there are all the stats you can check before you start hacking our program before you decide which company you want to hack on for example PayPal people here they have appealing numbers which is good but for also for a regular Bug Hunter when they see the number the total of bugs that were resolved you see like it's it's 1470 which is a lot of bugs and then as a regular Bug Hunter mindset was like
there is no way I'm gonna find a security vulnerability after P after like 700 people found over a thousand bucks this is a regular Bug Hunter mindset which is really bad because like the best hackers they don't really care about those numbers because they know regardless of how many bugs other people found there will always there will always be other security vulnerabilities why because companies they're pushing code they're making changes on a daily basis so they're always like features new features that are being developed so there are always new bugs that are being introduced same there are always like regressions like they might fix a bug today but there might like there might be a code change and so the the bug
might happen might show up again so that wiggle that are regression so it doesn't matter how many bucks that program fixed you can always find bugs on these programs and these are the the best programs that you want to focus on these are the the the the the oh it's gone again so these are like the the the the the the the big programs like PayPal they pay really good they have a great security team so yeah I'm sorry about this sorry oh no it's actually charged anything in charge it's okay what is it
foreign
all right so I was talking about healthy programs the programs that pay really good so these are some of the example of the programs that are really good that you want to work with so if you ever decide to hack on some of the programs some of the companies I suggest you hack on Tech talk find security vulnerables on Tech talk Dropbox epic games GitHub Uber stripe these are amazing I had good experience with them all right so let's talk about application based Recon and testing so every time I talk to a Bug Hunter a hacker they're they're just like they're like obsessed with automation a lot of them is just like I I tried this tool
and that tool I'm working on building this Automation and that so everyone is just like really distracted from actually what the in-depth testing and the creative aspect of hacking hacking is actually is more fun actually when you're doing it like you're actually going deep on an application you're using the creative aspect of it so a lot of people are just obsessed with automation I mean it's not really bad but also not the the it's not very effective so a lot of people in the hacker Community they they ignore the core application a lot of these companies like Tech talk uh stripe Shopify they really care about the core application they want you to find bug on
the product itself the core application as you can see here for example Dropbox they have a separate Bounty table and separate Bounty amounts just for the core application because they want people to focus on finding bugs on the core app not just going out of scope or like looking for subdomains and those old outdated assets they want you to find bugs on the core app which would pay a lot more than actually finding security bugs on some like outdated subdomain or whatever so you want to focus on the core app which usually has more important and priority as well as great compensation uh also when you talk about reconnaissance reconnaissance is a very trendy word in the hacking Community
nowadays when you ask someone about reconnaissance or Recon as we call it they just start talking about finding subdomains so basically reconnaissance has been associated with finding subdomains uh whereas reconnaissance actually goes Way Beyond just finding sub domains just above like doing Danish Recon you find Danish data you find you do some fingerprinting there there is a lot you can do with reconnaissance and also reconnaissance is just not about finding sub domains we can also talk about the application based reconnaissance which is actually which is the best Recon that has paid off very well for me the app based reconnaissance is when you actually try to get to know the application you try to fast the
application you use it as a regular user and just like click every form click every button fill out every form and just use it as a regular user and just intercept all the HTTP request so you get familiar with it you can also use the burp Suite burp Suite proxy spy drain functionality so you can have a better visualization of how the app looks like as you can see in the screenshot this is a a visual visualization of the zoom API and core application so this is the kind of or reconnaissance that actually paid off very well for me instead of just doing some sub domains reconnaissance because you want to really get to get to know
the app and really understand it deeply and go in depth uh also I want to talk about functionality or feature oriented security testing some people when they start hacking on an app they they good assumption hey I'm going to focus on finding excesses so basically they only look for accesses whereas some other people well they use a a better strategy a way more effective strategy which is like uh which is like when you when you're testing functionalities you wanna you wanna think which class of vulnerability would actually apply to this functionality uh for example if you're if you're hacking on an image uploader you're going to think which which class of vulnerability would actually apply to this image uploader
what kind of bugs do you think will be there instead of actually going with assumption hey I'm just going to look for accesses and spend all the time just looking for one single class of vulnerability uh so basically you want to think what kind of bugs will apply to this functionality that I'm testing uh also focused manual testing requires deep understanding of the inner workings of AI when you're hacking on the app you want to understand how it works a lot of people they start hacking for example on Tech talk Zoom or they don't even understand the app they don't they don't know how it works they don't know what it does they don't know how the logic is
so they're just blindly testing and it's a waste of time when you're starting hacking on an app you want to understand how it works you want to write down every thing you want to sketch down everything and just understand how everything is interconnected especially if it's a complex application like Shopify for example so that that way you're going to find more logical bugs you have more chances of finding security vulnerabilities instead of just blindly testing whatever without even understanding what it does and also what makes the difference between a regular Bug Hunter and successful one is the successful bug Hunters they are ready to go the distance what I mean by that is that when you're hacking on an app and
there is like some features you have to pay them you have to pay the features to get access to it some bug Hunters they don't they wouldn't pay that because they it's a waste of money but successful bug Hunters they will pay for the Pro Plan so they get access to those features behind the paywall because not everyone has tested those features and which is uh which will give you a competitive advantage it will come back so another thing is that you have you have to be
so another thing is that you have to be willing to go the distance for example what I mean is that there are some apps uh that requires you to complete a setup uh there is like a complex setup some people are very lazy to complete this setup uh but successful but Hunters they take their time to to configure everything and just set it up because that will that will make the difference or if the company has a hardware device you want to order it because you have more chances of finding bugs on that device or just like if there there's a documentation make sure you read the whole documentation so that you understand everything and that you will
have more chances of finding more security vulnerabilities so always be ready to go the distance uh okay this is a in related to what I'm just saying this is a vulnerability that I found last year in a live hacking competition with a friend of mine Andre uh so basically this application this was supposed to be a very secure messaging app that I used by governments uh I'm not allowed to disclose the name of the company because it's private but what I'm saying is that this this com the this company they have first they have the SSO which is a feature which is a pro feature you have to pay to get access to it uh we pay to get access to
that feature and I'm pretty sure a lot of the hackers that were with me in the live hacking event they did not pay for it that made the difference that's how we found this spot so we paid the for to access the we paid the Pro Plan taxes the SSO feature and also setting up the SSO took a lot of time and I'm pretty sure a lot of hackers would have just skipped it because it takes so much time but we took our time to set up everything and basically this was an account takeover we could like take over hack any account without with zero interaction so what was happening is that uh when we set up our SSO uh we
used OCTA for example and in our OCTA instance we can add the the user our Target our victim's email that is on the vulnerable app so we add it to our OCTA which is which you can do uh and then what we try to do next is we try to to SSO to the vulnerable applications so when we reach the octal login page we're logged into our email the victim's email that we added to our octane instance and then what happened is that there was uh an improper validation and then we would be able to log into any user's email so basically we could just we just need the victims email we added to our OCTA
instance we initiate the SSO login and then we would log into their account so basically this was very simple bug but very impactful because we could hack any account without any user interaction and it was you it got paid as a critical it was got the highest Bounty amount uh this is a second example this is another bug that we found last year was in a different live hacking competition uh this is an ssrf server-side request forgery uh so basically this company they have an EPI and I was just browsing the documentation so what made the difference here is the documentation I had the I read the documentation I took my time to read the documentation
whereas some people did not do that so that made that made the difference so basically I was just reading the API documentation and I I noticed this request and what the first thing that uh that caught my attention was the URL parameter so basically when you see a URL parameter the first thing that comes to mind is to test it against Asus RF which is a server-side bug it's very critical so uh but when I try to replicate the HTTP request it did not work why because uh first of all reading the documentation I realized that I need to set up a separate user account and for that user account I need to explicitly granted the Epi permissions
and even after granted API for Missions I need to generate valid API credentials for that separate user account just so I could reproduce this this API request so the first thing I did was to point the URL to uh to the local localhost look back the localhost address so I can reach the organization internal Network when I did that it did not work uh I got uh I basically I got unauthorized I don't have the the response here but when I tried the typical payload The Local Host API did not work so I tried a bunch of Bay passes and the one that actually worked was using the epv6 format as you can see there I used the apv6 format and
it worked and I got the response as you can see here I got access to their localhost internal network uh so basically this one got paid as a critical I just want to demonstrate that what made the difference here is just I I took the time to read the documentation uh some people may have read it but they did not did not completely understand it from my from talking to them so that's what makes the difference just like going the distance all right so another thing that I recommend is just like fuzzing all the things fuzzing is very powerful literally Falls everything there are so many tool that allows you to do fuzzing especially when you're hacking from a
black box approach uh fuzz the end points you can fast the parameters you can pause the directories everything and even when fuzzing a lot of people a lot of people do is just they use generic word list they use a word list for everything but what I do recommend is that you use a what we call a context based word list for example if you're fuzzing a WordPress uh installation you want to use a word list that is adapted to the WordPress uh installation if you're fuzzing let's say an ESP uh Target you want to use an Adaptive word list and for that I recommend for example asset node they have a different so many
different word sets based on what kind of Technology do you want to start fuzzing fuzzing is very powerful we're going to find all kind of stuff doing it this is another simple bug just doing fuzzing what I found it last year so I found this uh which allowed me to access the admin panel or of a company it was an internal support panel so what I did so basically doing some recall I found an internal admin portal it was like admin.redacted.com because it's a private company I don't want to disclose the name so it's like admin.redacted.com account but I just ran fav uh which is very profit is an amazing tool that you can use for fuzzing uh it's it's built
in gulang It's relatively fast uh so we just used fav to Brute Force the directories like from account brute force and trickster is and what I found is account slash register very easy very stupid uh register and that means that I could register my own account and become an admin of that pan of the portal panel so basically I can I was able to register an account as an admin and what is funny is that I could explicitly give myself as many permissions as I want as you can see all the permissions there uh the the register input shouldn't have been public it should not have been public uh because it's an internal panel so now everyone can just register an
admin account and I got access to their internal panel so fuzzing is very important it's very powerful especially if you're doing Black Box uh hacking you don't have much information about the target uh another thing is Javascript jaw I love JavaScript I found so many bugs just reading JavaScript files because JavaScript a lot all the modern applications they use JavaScript to load different things like endpoints parameters and all that stuff so when I'm hacking on an app I I literally first thing I do is just I gather all the JavaScript files that are being featured or loaded by the that app because I know in those JavaScript I can find endpoints I can find parameters I
can find hard-coded hard-coded credentials API Keys everything so reading and inspecting JavaScript files is very important it's it's one I've got a friend of mine he got like probably 80 percent of his bugs are post message bugs from JavaScript files so I highly recommend that you reach JavaScript when I I'm hacking on an app I use burp Suite so basically I just filter by GS I buy JavaScript files and I copy all the JavaScript links and then those links I feed them to the link finder Pi which is a tool that you can use to automate the JavaScript files inspection and it gives you all the end points that extracts from those JavaScript files and those
endpoints might be might be new features might be invisible not used in the main app so it will give you a competitive advantage okay this is a this is another vulnerability that I found last year again in a live hacking event so uh I I'm pretty sure a lot of people missed it because they haven't they haven't thoroughly read those JavaScript files so what happened here is that I was able to take over uh any account on three uh three multiple three different services for this company uh so basically I was just looking at the JavaScript files and I found this endpoint the first one partner connect so I found this endpoint uh there is the path parameter so when
you navigate to that endpoint you are actually being redirected to their entertainment service it's the so basically they're using that this endpoint for authentication uh so basically the path parameter was intriguing so I was like okay let's try an open redirect on this path parameter so I tried the most typical payload which was just using the DOT example.com so basically the the the the the the the companies domain will become a sub-domain and then the PA I realized that the path parameter was was uh vulnerable to an open redirect vulnerability and what is intriguing here is that we in the redirection happens it actually leaks the user access token and I can use that access
token to take over to uh interact with to interact with the user with the victims account so basically here the what I'm just gonna what I'm just saying is that I found it because I read the JavaScript that's how I found that endpoint and that's how I found those parameters and constructed them and this allowed me to take uh over their entertain the user entertainment account as you can see in the use case parameter it holds entertainment there was also a dining one there is another service called uh travel so basically I can take over three uh three services and it was paid as a high severity but all right so we're just talking about
JavaScript files and how important they are because they have so many juicy stuff in there but one one other thing that you can actually do is that you monitor the changes because like in those javascripts uh a lot of developers as I said earlier they are always pushing new code they are always building new features they're building new stuff so so they're always changing these JavaScript files what you want to do is you monitor them you monitor them so they when they change something in that JavaScript you get a notification and you are the first one to check it so what I recommend that if you want to monitor these JavaScript this is a this
is a tool that I recommend I I contributed to building it it is called jsmon so basically you give it the JavaScript links and it just monitors them on a daily basis and then when is when there is a change on that Javascript file you just get a notification and this will give you a competitive Advantage because you're going to be the first one to check for the new changes maybe you'll find uh something vulnerable uh similarly I I mentioned earlier that you should be fuzzing in points parameters everything uh one way you can do that is one of my favorite extensions is it is called param Miner paraminer basically allows you to uh enumerate
parameters when you have an HTTP request uh and then you don't have much information about that HTTP request you might use paraminer so you can actually enumerate hidden parameters you can enumerate uh headers uh and and a lot of stuff that you can enumerate with paraminer it has a huge word list so it actually works very well I've had really good success with it and I highly recommend it uh there were there were times when I found like a hidden hitter that was vulnerable to a SQL injection uh there was a time when I found a hidden parameter called URL which was also vulnerable to an easy srf vulnerability so there is so much you can do with
paraminer and just talking about the application Level uh application based reconnaissance here we are just talking about application-based reconnaissance we're not talking about enumerating subdomains or whatever because this is way more important actually and one way to actually enumerate endpoints is to use the the tool that I call go this is the best tool ever and props to carbon who built this tool so basically this one when you give it the the the asset the Target that you want it just uh gives you all the end points that were previously indexed in like the internet archive or index somewhere else so basically you have uh you have an access to a whole lot of endpoints that you can
start hacking on so this this tool is really amazing great success with it as well so highly recommend it all right scope is negotiable uh basically when you're hacking on a program there's like there is an in-scope assets the company tells you you only hack on these assets these domain names don't hack on these dominance no we call it disco so basically when you're hacking on an app sometimes you're limited sometimes the app is very limited you don't have much access what I what I suggest is that you expand the scope how you check if the company has so basically if you're hacking the website their website check if the if the company has a mobile app
check maybe they have a browser extension or maybe they have desktop app or just some other kind of app when when they have these you can just decompile them not necessarily to hack on them but just decompile them to gather all the leads and insights in inside those apps maybe you'll find hard-coded in points you'll find juicy hard-coded uh credentials so this is the way to expand the scope this is basically may sound like going out of scope but as long as you're not necessarily mainly hacking on that app you're gonna be fine so as yeah I mentioned it they're never hack never hack or out of scope assets but only use it to click insights on that
list this is this an example another vulnerability so basically I was hacking on this company I've been hacking on it for like two years and at one point I couldn't find anything anymore uh the scope just seems very limiting but this company they had an extension a browser extension the browser extension was not part of the scope but uh I I needed I needed some further leads that can help me to hack on the mean scope so what I did I downloaded the extension I decompiled it which is pretty easy uh I decompiled the the browser extension and yeah so it had three million installs which is pretty pretty high so I decompiled it the first thing I did I
reviewed the manifest.json file because when you decompile a Chrome extension for example there is always a manifest Json that has some definitions so what I noticed is that they have some white listed domain names this one I call it evm-target.com so this one was white listed there and what I noticed is that this domain name it was whitelisted but it was expired I mean I could buy it I could purchase that domain name for 12 euros but I I was like looking for what can I use this domain name for even if I purchase it what can I what can I use it for is there something I can do with it so I I do I mean I do die I dived into
the the good analysis and what I found in the the code is that there is a rejects validation that it it was chicken for white listed domain names it was chicken if those that domain name is whitelisted or not if it's whitelisted if it's white listed then the extension will push a header will a pin the header the user request with the as you can see below xwb session with the user session so basically if I purchase that domain name right and there is a victim that is using the Chrome extension and then they visit that domain name their their HTTP request will contain their decision so I can I can I can freely extract it
because they're visiting my own website so that's what I basically did I just purchased that domain name I set up my P you see so basically when I send the victim when I send the website to the victim and they access it I can extract the recession from the header because it because my domain name that I purchased was white listed so that was a that was an account takeover again it was a it was a high severity bug as I said just uh expand the scope if you're limited try to explore other things that the company might have on the side yeah exactly so uh as I was mentioning uh I bought the dummy name when the user
accesses my domain name there is a session token that is appended to their header I can I can extract it and I can show it there as you can see the from the POC all right uh just talking about uh understanding the app this is a vulnerability that I found uh that really required a deep understanding of the application so basically this is a company that I've been hacking for three years and I haven't found this one until until last year because it really required deep understanding of the app and because it is a bit complicated so it wasn't an account takeover due to Broken authentication so what what's happened is that when the user
tries to log into the developer portal there when they navigate to the sign in page there is an awful that is being initiated and the oauth flow as you can see here I noticed there's a correlation ID parameter I did not know what it what it what what it was doing but I was it was very intriguing so when the user uh enters their email address and password then they log in what happens next is that the the user is redirected to a login callback with the correlation ID that is being authenticated so the correlation ID is being taken and then sent to an auth callback which then Returns the authorization code so basically it's the user navigates the
sign-in page there's an old flow that is being initiated with a correlation ID when the user logs into the page there is the correlation ID is being sent to the login callback and then there is the authorization code that is being returned so it's like I was like thinking how can I hack this one what can I want to what can I do here so what I found is that actually I can generate my own login login link with my own correlation ID because basically if you know the user's correlation ID you can generate their authorization code so basically I generated my own login link with my own correlation ID as you can see there then I send it to the victim
so basically when the victim looks they log into their account the correlation ID has become authenticated so basically I have the correlation ID so I can send the correlation ID to an oauth endpoint so I can exchange it with an authorization token but the catch here is that I have to beat the user I have to be the first one to exchange the correlation ID into into an oauth authorization account so in this step I had I had to automate it so basically when the user logs in I quickly exchange the correlation ID into an authorization code and that was an account Takeover in that one and I haven't found it until like three years later because I I it
really required understanding the app let's talk about automation I've mentioned automation quite a few times but let's talk about it so when we talk about automation there are there are different uh aspects of automation that we talk about the first one is automating Recon and content Discovery by this I mean just like automating the data collection it could be collecting subdomains DNS records which is sports scanning directory and file enumerations and there are so many tools to achieve this this is one of part of the automation we also talk about automating automating vulnerability Discovery uh it's basically automating vulnerability Discovery could be active or passive vulnerability scanning so basically you're automating the scanning instead of doing the manual thing also we talk
about automating change changes monitoring as I mentioned earlier you can automate monitoring JavaScript files so you have to check on the JavaScript every once in a while you can just automate that we'll also talk about automating repetitive tasks some boring tasks that you always do manually you can automate yeah you can just write a script to just automate it so you don't have to do the boring task and for these categories for each category we have a bunch of tools that you can use for the recall for example there is Ms hackroll or https DNS X there's so many tools that you can use for automation you don't even need to build your own tools
anymore there's so many open open source tools that you can use for for the vulnerability the automated vulnerability Discovery there is a nuclear I'm sure a lot of you are very familiar with nuclear as well sorry uh and for the changes you can use Ms sub Lord is my tool to to monitor the subdomain enumeration and then we have other tools for repetitive tasks so when we talk about automation this is a simple flow that you can build your own yourself if you want to build your own automation so this is uh this is a this is a simple reconnaissance flow it starts from the first step which is loading the scope loading basically you go to uh hacker
like a back body platform and you extract all the assets that are in scope that the companies are interested in so you extract everything you can use BB scope tool which allows you to extract everything all in an automatic way and the step the second way the second thing you want to do when you have the assets you want to hack is to run sub domain enumerations or enumeration on those assets so you can find subdomains you can see some tools that you can use I use EMS and then you can use pure mutation technique this is an amazing technique that I really recommend permutation is basically when you find a subdomain say for example admin dot
example.com you can you can try permutation which is like admin Dash test or admin Dash prod this is this is what we call permutation you're primitive different words so you can find so you can find more subtle means and after you do permutation you can run DNS resolution so you can find the the subdomains they're actually they're actually resolving and then you can do DNS enumeration Port scanning within map and then the last step is vulnerability disclosure once you have all that data you're going to run vulnerability scanning on it you can find bugs so this is a simple flow if you want to build your own automation this is a this is a project of mine that
I've been working on with a friend of mine maluk last year uh so we've been working on building our own uh our own automation this is how it looks like so we basically build it with python on top of Django framework we use Luigi for tasks or orchestration bootstrap for the for the interface and we used postgrades for the database for the open for the tools that we use we basically used in map which is a classic we used amass for subdomains enumeration we used a bunch of Port Discovery uh projects like httpx and nuclei for vulnerability scanning so this is how it looks like we can add assets we can edit assets uh this is the
this is the modifications we would get when there is a when the automation finds vulnerability when we find the uh an account sub domain takeover for example uh this is our dashboard the total we were monitoring 84 uh how much is that 8 million assets we will continuously monitoring 8 million assets we've got like 55 000 vulnerabilities a lot of them are actually informative because we did not filter filter it out so if you want to build the automation it's it's as easy as that as I showed you earlier but but one thing that you know is that there is there are so many open source projects as I mentioned there are so many open
source tools you don't even need to build your own tools you can just use those open source in your automation uh also one thing is that automation should be complementary what I mean by that is that you should be focusing on manual hacking automation you just use it to find some bugs that uh like for example low hanging fruits you want to focus on high severity bugs and then use automation to find some low hanging throws some easy box on this side but you always want to focus on manual hacking also efficient automation should give you actionable actionable box if your automation is just finding false positives like informative bugs something that is not actionable then
it's just wasting your time so you want to make sure that your automation is actually finding security bugs uh the challenge is Task orchestration a lot of people they build their automation but it's just using a bunch of bash scripts and if you want script uh breaks down the whole automation breaks down so you want to use some tools for task orchestration we used Luigi which was built by Spotify and then you want to do load distribution across multiple servers because when you're doing automation you're you're monitoring so many assets you cannot do that on one server you need so many different servers so you need to uh balance the load across multiple Services you can
use kubernetes for example or you can use Fleet and Axiom which is very compatible with back bounty hunting uh also most value automation they catch low hanging fruit and as I mentioned the the low severity and medium severity bugs they're usually just gonna result in me in duplicates which is frustrating and as I mentioned there are so many automation Frameworks that you can just install you don't have to build your own there is Recon for the win osmeters three engine Axiom Etc also one of the most powerful tools that just uh being developed is nuclei which is a vulnerability scanner basically a lot of bug Hunters they're using it blindly so basically they just use nuclear with the
existing templates which is which is which is not an effective approach because other other countries they're doing exactly the same so when you're not doing anything different so basically you're just gonna get so many duplicates if you're using the nuclear tool there below you want to do your own security research and build your own templates and feed them to the tool yeah exactly as I mentioned here so basically we were always taught like when I started hacking I did not know how to code so basically I started hacking without even any coding knowledge and I did I did fine honestly I did really fine but just like uh over the years you realize that actually
coding is very important coding on reading code is going to give you a competitive Advantage so you you can actually start hacking without any code knowledge you can do it from a black box approach but at one point if you want to step up your game if you want to be a good hacker you want to learn how to code you want to learn to read the code because it's very necessary and will give you a very competitive Advantage uh as I said Black Box testing is fun but when you can actually read the code you're going to find way more bugs uh even even some bugs like the accesses the client-side bugs like just a Dom
based excessive it requires a certain understanding of JavaScript to find it so at one point it's very important to learn how to code also you can use that skill to find zero day vulnerabilities in software you can find zero the vulnerabilities for example in WordPress you can read the code find a bug and then you can check and find all the companies that use WordPress and then you're going to get boundaries from there so basically you can use it for Uday research and also when you're doing security research I recommend you look for pre-auto indicated or unauthenticated vulnerabilities because like when you're participating in back Bounty you cannot just tell the organization hey you need
to log into your account so then you can upload this web shell so basically you wanna you are you should be interested in finding unauthenticated vulnerabilities if you're if you want to do backgrounds so another thing that I recommend is monitoring for new cves so when there is a a new vulnerability that was found it's usually being assigned a CVA for tracking for tracking purposes and what I personally do is I track I monitor the CV the new cves so when there is a new CV that is being pushed I get notified I know there is a new vulnerability that was being found so I can actually go and look for it on other companies so you want to Monitor
cves and I highly recommend you check attacker KB which is a basically kind of a forum where other security researchers they discuss new vulnerabilities you can find pocs you can find exploits there that you can basically use in your back hunting or hacking also if you want to get into security research uh these are some of the uh references some of the sources that I highly recommend so there is this article by James Kettle very very good researchers if you want to get into security researching there is the asset Note Block you can find so many uh bugs that are being explained in a very good way with the technical details and and the exploit as well the WASP code review
guide the pen tester lab code review exercises there's some amazing exercises if you guys want to get into uh into uh code analysis and there is the our certificate if you guys if there are some of you are interested in certificates I recommend the advanced whip attacks and the explosions third it's a very good one uh has good reputation and off six sorts have good reputation reputation as well all right so let's talk about security impact so basically when you're hacking uh when you're doing back bounties it's not like doing a penetration testing you have to show impact when you find a bug if it doesn't have a security impact then it's not really a bug so
when you're doing back Mondays you have to demonstrate for the organization that your bug actually has an actual security impact for example here uh if you find an exorcist and then you just tell the organization hey I found this pop-up I can just do this JavaScript or you can actually show them that you can use the excesses to hijack the user session token which one do you think would get paid more the simple pop-up below or the the one where the the attacker has demonstrated they can use the excesses for session exfiltration I'm pretty sure the first one will get paid a lot more than the first example it's it's one bug but you have to
demonstrate what you can do with it because this is not a pain test and you if you're doing back bounties it's not a penetration testing where you can just like report the bug you have to show actual impact you have to show the organization what you can do with it uh yeah as I mentioned background is not a traditional pintus so you have to demonstrate security impact which is very important uh always ask this question if you find a bug what is the worst thing I can do with this vulnerability so always you want to always maximize the impact always the escalate uh and also most companies the pay bound is based on CVSs CVSs is a
standard there is a standard that we use in the industry to assess the severity of a vulnerability when you find a bug it's either a low severity medium severity high or critical so when you have an understanding of the CVS as you want to double down on each component of the services you want to make sure to demonstrate that you can affect confidentiality with deer bug you want to make sure you demonstrate that you can affect availability and integrity Etc so understanding Services is important also uh think out of the box when you get a bug uh you don't know what to do with it just think out other books think out of the box think of
creative ideas there are always some ideas there are always some change that you can you can you you can use with your bug exactly so when you find a low hanging fruit bugs like a simple bag of low bug for example an open redirect usually when you submit an open lyrics for a company it gets paid like 100 bucks 200 bucks depends on the program but what I personally do I don't submit that that bug for the organization I keep it for myself and I wait for the opportunity to use it with another vulnerability so I can chain it and maximize my impact same thing goes for open redirect cooking injection for example if you find an exorcist without
any security impact don't submit it to the program keep it for yourself because at one point if you keep hacking on that company you're probably gonna use that exercise along with another bug to maximize your impact also always make sure you abide by the program rules sometimes you you find a bug and you want to maximize your impact you want to access their internal Network you want to extract internal data you have to be careful what kind of data you're extracting from the company because some some some people they find an ssrf and they start they start pivoting in the internal network of the company which is bad or sometimes when you're testing uh when you're extracting user data always
use your own account use two accounts do not extract other users data that will violate the company's rules and I'm pretty sure you're not going to get paid for your work so always abide by the program rules and be careful what you what you do when you're trying to maximize impact all right when we talk about bounties nowadays we started talking about collaboration uh as I mentioned earlier some of my bugs I found them in collaboration with some friends collaboration is very powerful why because like everyone when you're working with someone else everyone brings a different skill set to the table maybe I'm good at web hacking and the other guy is good at mobile hacking
and we when we combine that it's it's a powerful collaboration from from just from my experience some of the most impactful of vulnerabilities that I've seen myself were were a result of collaboration between a team or just two people so if you're doing back bounties you want to get to know other people you want to start collaborating with them so you can join forces uh as I said everyone brings a different skill set uh even back money platforms like hacker one they recognize that collaboration is powerful so what they started doing is they started building features to support collaboration now in hacker one you can add someone as a collaborator to your report you can even split Bounty
automatically so they're just keep adding in features to support collaboration also if you're stuck somewhere there are so many uh communities out there online there is like a hacker one Discord where you can find so many Hunters so if you're stuck someone you can just shoot them your question I'm pretty sure everyone will be happy to answer it there is the namsik Discord Community the back boundary World slack if you just Google those I'm pretty sure you're gonna find the link to access those communities so this is one way to collaborate with other people because uh because trust me collaboration is very powerful and I've seen a lot of people make great progress just collaborating with other people but
when you're collaborating when you're working with someone you have to be very you have to be very uh to have to agree upfront on on some terms for example if you find a bug together how much is going to be displayed is are you going to split the Bounty 50 50 because I've seen a lot of conflicts arise because of that like they find a bug and this one wants 30 the other guy wants 50 so you have before you even start collaborating you have to agree on the Bounty split and also you have to uh make sure uh that if it's a unique security research the other partner is not gonna leak it because some people they do security
research and get leaks to the public so you want to be very upfront on that regard okay just talking about collaboration this is a Twitter DM I received from a guy so basically he found an Asus RF which is a low severity ssrf it's a it's a it's a known CV so this guy he was like hey bro uh I know you're very good at ssrf and I got this is this ssrf which is low severity he wants to maximize the impact because he has a low would he would get paid 100 bucks so if he managed to maximize the impact he will be worth a lot more so what I like about this guys is actually he's very uh
like from Advance he's like I will share it's going to be like a 50 50 Bounty spot as I mentioned earlier you should agree upfront about the bound display so he gave me the details so this guy basically uh this is a canful ones uh instance he managed to uh send an external I mean to hit external websites with the with this ssrf like heading external websites is not there's there's much impact there uh so as you can see the URL parameter is the one vulnerable we pointed it to the burps with collab collaborator and we can see the response so it's a an SSR for the response which is a good start but this this is low
right so I tried to point it to the localhost uh address and I managed to to hit the internal network of the company and as I received welcome to nginx which means uh I access the internal network but there's much you can do with this I mean I managed to access the internet work but there is not much there's much impact here so I wanted to escalate the impact furthermore now because this would have been just a P2 like a maybe a medium severity about so I want to escalate the impact so I noticed that the the the company or the instance was hosted on ews and Amazon web services so what I thought about next is maybe I will try to hit
the metadata into point if you guys are familiar with the cloud AWS metadata endpoint which has security credentials stored there so I basically pointed the URL parameter there in the request I pointed it to the metadata address but unfortunately I got 401 which is unauthorized which is where normally when you send a requested admitted data endpoint you get you get a response so I couldn't understand what was happening so I kept searching and looking and reading documentations and I came to realize that the company here they're using a different version of the metadata endpoint so in in the past days there was there was the ec2 the MTS the version one so basically if you just send a get request
to the metadata endpoint you're gonna get a response back but the new version which is way more secure it actually requires you to send a put request to with with the with a special header to the metadata endpoint and you get a token and a session token and then with that token you can send an authenticated request to the metadata endpoint and then you can extract the the security credentials this is a long process I I I thought maybe this is a dead end I couldn't I don't think how I would be able to escalate this further more but I keep reading and what I realized is that the Confluence installation here actually uses the Google gadgets API
which is defined by open source specification and what I realized is that this endpoint it takes the HTTP method parameter the post data diameter and the headers parameter which means I can control the the HTTP request method I can control the post data and the header which is all I need to make the attack scenario a success so what I did next is I sent a put request to the metadata to extract the decision token when I got the decision token uh I used that session token to send another request another post request to the metadata the security the security credential endpoint with the with this decision token in the header as you can see there and finally I managed to
extract the the security credentials and this is Maximum Impact because this is a critical so basically because of collaboration that guy reached out to me on Twitter we managed to escalate as a low severity bug to a critical bug and it got paid the maximum so this is why I'm saying collaboration is very powerful if you're stuck somewhere you know someone with the right skills say just reach out to them I'm pretty sure they're going to help and they will be happy especially especially if you're gonna split the bounty so I'm just going to talk about my experience managing back money programs I'm oh yeah all right all right yeah last words uh so basically black
hunting is is not a race it's not a race to Marathon so it requires to be consistent it requires you to be persistent and have patience it really requires patience because sometimes uh it takes so long to find a bug or it takes so long to get paid so you have to have patience take as many notes as you can a lot of people they start hacking and then they close everything down without taking a notes a lot of my amazing bugs is because of the notes that I've taken over the year so take as many notes as you can and also keep learning don't don't stagnate keep learning because there's there are always new technologies new techniques
new security research so if you want to stay ahead of the game if you want to be one of the top back bounty hunters you have to keep learning every day and also bug hunting can be can drain your mental health you can hit burnouts very easily because it's not easy so you want to do a lot of other activities on this side and just just really have fun it's supposed to be fun that's it thank you so much appreciate it thank you [Applause] thanks very much for your presentation it was very informative thank you we learned a lot at least for myself I know that like going extra mile being consistent out of the box all those
things I appreciate some of the people here who are more technical or for sure gonna go and look this presentation because we are streaming it online and look at all those resources with that being said we are a little bit over time uh I know that right now that lunch is being served outside and then we will be back here at 1 30. please try to be on time at the same time I want to inform you that we have the workshop in the hall so whoever wants to join the workshop there they can go there only those who are registered I'm sorry uh let me maybe give you an opportunity if if somebody has any question feel
free to grab me a scene during the network session during the break yeah if you have any questions you can come talk to me
foreign [Music]
foreign
[Music]
[Music] thank you [Music]
foreign
have a blue one two one two no one two yeah I think it works yeah
thank you
important
questions
hi everyone welcome back I hope you enjoyed the lunch or next speaker it's Rio Sherry and he's going to be talking about hacking the hackers so with that floor is yours thank you okay so hi everyone so today's talk is going to be hacking the hackers uh the analysis of a cobal strike remote common execution vulnerability so before we begin I want to give a brief introduction of myself so my name is serious Sherry I currently work at IBM adversary Services team where we run adversary simulation for a big number of clients including public and private sector I'm also the founder and organizer of besides Tirana we also have the call for papers open so if you want
to participate scan the QR code here and you can submit your talks and I'll be really uh it will be really great to see you there unless you're probably aware of I'm passionate about offensive security and I mainly focus on adversary simulation Windows internals reverse engineering malware development and also exploitation which has resulted in me discovering some vulnerabilities in several well-known products like Google Chrome Spotify Microsoft Edge Etc if you want to see some of my other work I'm not sure if it's readable here but my handle is 0x09al and you can find me on Twitter on GitHub to see some of my work so uh before going into details about the research I just wanted to give a brief
introduction of why we actually started doing this research so in our day-to-day job we use Global strike quite a lot because it's one of the most common uh used adversary simulation Frameworks and while we're in a project we receive an out of bound update for cobblestrike and usually an out of bond update is usually bad news because it's either like a vulnerability that needs to be patched immediately or there is some bug that may make the software unusable so we take we have to take a quick look and see what was happening so as you can see from the image here this is actually just a screenshot of just a screenshot of the release notes
from cobblestrike so basically there was a new cve and they said it was an exercise vulnerability which at the beginning we kind of let's say downplayed it a little bit because usually when you have a CV an exercise vulnerability it's usually not really useful uh when it's a client-side program because we we initially thought it was some sort of self-existence which is not really useful from exploitation perspective but then when we're reading uh the real is not in details the the blog post actually mentioned that this exercise vulnerability could lead to potentially rce and it was like a really interesting uh thing and we decided to actually take a look and because this is one of the
tools we use for our internal Services we need to make sure that the tools that we used and provide services to clients need to be safe and started to digging deeper into the cobblestrike and then we discovered that this patch actually was not sufficient and that's what this talk is going to be about so uh before diving in I'm just going to give just a quick introduction of global strike so for those who are not aware cobblestrike is just like a software and it allows adversary simulation teams like the team I work with to provide these services essentially it allows you to have to manage and deploy malware remotely and also at the same time manage a large
number of systems it was originally created by raffle Munch and now I think it's part of forta also for those that are a little bit old school you probably remember the original Armitage which was similar to the UI of cobblestrike so cobblestrike was just let's say the pro version that was not using Metasploit anymore so just a brief introduction on the architecture as well because we need to to be aware of how the the software is the architecture of the software is before like understanding the vulnerabilities so we have three main components we have the team server so the team server is actually the the core of global strike is the back-end server that handles
everything that happens in combo strike including the C2 profiles the generation of the payloads and the create the creation the handling of the https request Etc and then we have the client which is the second component and the client is actually this interface as you see here it allows The Operators to actually interact with the team server and manage all the compromise systems that you have and also provides you with some attack methods that you can use to generate new payloads or like host payloads Etc the other component is the beacon so the beacon is actually the malware that is deployed on the systems and that is the one that's actually connects back to the
team servers retrieves any commands that the operator sent to the team server and then executes and gives back the output and as I mentioned earlier is actually one of the most used C2 Frameworks in the industry and this is by Red teams but also at the same time by a lot of threat actors so it was a really interesting Target to work on and try to understand try to reproduce the vulnerability so for those who do vulnerability research the first thing that you probably do it's the same the steps that we follow here so we got the latest version of Google strike and the previous one that was vulnerable and we decompiled them using a Java decompiler
and tried to find uh what were the differences between these two programs the first thing that we actually saw there was a function within the beacon C2 class that actually was changed and it had a new flag um unfortunately it's not readable in the screen but essentially the flag checked if there was a xss mitigations flag set in the teamserver.prop file which wasn't there before and another thing interesting thing was that the beacon entry class had some checks so for example it was checking the not sure if like the username the computer name the process name it was checking these labels for specific characters that contain an exercise string and they had two functions that they did this the
first one the was the potential xss and the other one was username potential xss so that was what we needed to understand how these checks are done so as you as you can see here these two functions were implemented in the common HTML utils class so we have the first potential exercise function which takes us a parameter string and then we have the potential username xss so if you take a look and if you actually understood the like how exercise vulnerabilities happen like you can see that they're checking for some special characters and it's not the most ideal patch although it's effective and it works like they didn't have to do that and it it shows that
whoever created this patch is probably not let's say the most aware software developer about xss vulnerabilities because you could make the patch way more effective and just use one function and as soon as we saw this we understood that there was definitely something wrong happening because this quad quality was not something that you would expect to be in a software that is used by a lot of red teams so we found out that actually the patch was only checking for specific labels that I mentioned earlier go back so basically it was checking only these labels if they contained any xss um strings but every other label within the framework was not actually getting checked so that meant that
if we somehow could manipulate any of the labels we could actually inject HTML objects um we found out that a lot of the labels essentially all of them apart from the ones that they were checking could were still injectable with HTML objects like the notes one the HD HTTP listener names so now we had reproduced let's say a new vulnerability similar to the previous one but at the same time we only had we only believed it would be an xss so we need to dig a little bit deeper to actually find out how we can turn that to RCA so before going back I'm going forward sorry I'm going to go through a little bit of java because
this talk will be heavily oriented in Java and if someone actually likes Java fair play to you but it's not my favorite language so for those that are not aware of java is a high level object oriented programming language and it's used in almost every device unfortunately and hence the famous installation installation program from java which says like it runs in three billion devices it's probably more now so the thing is that cobblestrike is built in Java so the team server and every component is built in Java and the one that we are interested in the cobblestrike UI which is the user interface and which was the vulnerable component is built on in Java using the
Java Swing Library so going forward if you have good knowledge of java objects Etc I think it'll be a really interesting talk I try to make all the information processible by everyone even if you don't know Java but if you know Java is going to be way easier so like as I mentioned earlier Global strike was using the Java Swing Library so the Java Swing live framework is a framework that allows you to build the graphical user interfaces for Java programs and I'm pretty sure if you did Java school that's probably one of the first things you actually did and we found out actually that or at least I found out that uh like Java
Swing elements actually support HTML which I didn't know before so basically if you could if you could start a specific label or let's say a button with a HTML tag it will actually parse that as HTML which was really crazy for me I'm not sure why they did that but at the end of the day is Java so everything is expected so before so now we have let's say on cobblestrike we had some fields that we could inject HTML to and we could like try and test the different HTML injection techniques that we could do but unfortunately uh we don't know like how cobblestrike may uh process that information or or how it's going to change it so for this
reason to make it everything easier I actually just decided to write a simple program I'm not going to go through it but I'm just going to say uh so basically the idea is we just create a new frame and then if you see here we have a HTML in the description of the label so just hello and then H1 which is header from jlabel and then as you can see from the results it actually after compiling it or running it like the hello is actually just like the normal one and then from uh the from J level it's actually parsys HTML as you can see here so that was a good point we could actually reproduce the HTML so
I needed to find a way to actually make this HTML injection useful because at at this moment it was like not useful at all because we could only inject like like headers and nothing so so basically uh the the uh the release note said it was an xss but and I've been mentioning this like like an exercise vulnerability so an exercise vulnerability for those who don't know stands for cross-site scripting vulnerability which allows you to actually insert some JavaScript code somewhere but this was not an exercise at best you could call this HTML injection because there was no possibility for actually injecting JavaScript so from an exploitment perspective this was useless because we couldn't do anything interesting I
mean we could insert like images and maybe like insert some memes to The Operators without them actually expecting them but it wasn't really useful but what I found out was because knowing Java and it's low for object the serialization vulnerabilities I just tried the object tag which is really an old tag and it's not used a lot anymore and then I see this interesting Behavior I have this two question marks in red and I was really suspicious because like there's something happening right because when we included like different tags like it was nothing was happening and then the object tag we get that those question marks so there was something interesting and was definitely not what we expected
so we decided to dig deeper and then decided to take a look at the object tag for Java Swing and to my surprise not really but to everyone's surprise the object tag in Java Swing actually allows specific objects to be included which was again surprising so if you see here it says that this view will try to load the class specified by the class ID attribute and then it reloads the document Etc so essentially if you see here a simple example HTML invocation you can see that it creates a new object with the class ID the name of Java x dot swing.j label and then we have the parameter text and the value sample text so that this means that we
can actually create specific Java objects so in my test program I go back there and just created a simple HTML tag in this case the object class ID and try to create a Java X-Wing J button which is a class for creating buttons and as you can see here the button was actually created within the J label so okay we can create arbitrary objects and probably everyone that's familiar with Java exploitation when you can create arbitrary objects you can do a lot of stuff and uh that's what I thought so I was really happy because finally I could create some objects and I was thinking of just like okay so we can create arbitrary objects we just call uh
initialize a new instance of travel length.frontime.exec which is a class in Java and then we'll be able to just get remote command execution right so it's just simple easy so try it to initialize it nothing was happening we just got the question marks again which was frustrating and this this is actually me when I tried it and then we attempted to initialize other classes without success and they were not working so we had to actually study what was happening and dig a little bit deeper so I started analyzing how the the HTML parsing was actually happening and how the tags each text was getting processed so if you see here this is from the the
Java Swing framework so basically it has some specific tags and the tag that we're interested in this case is the object tag and the object tag uses the object view object view class for it shows that the object view class is actually responsible for handling the object tag so uh then we decided to actually analyze uh this this new class so as you can see here the create component function I'm not sure if it's readable but I'll try to explain it a little bit so basically if you read the code the create component function is actually the one that let's say creates the the the the element that you defined in the object tag so if you see here the first thing it
does it gets all the attributes in an attribute set which is the specific variable and then it gets the class name from the class ID so after it does that it creates a new instance of the of this class like it does some Java magic which I'm not going to go deep into it because it will probably be another talk but essentially it creates a new instance of this object and then it will check if this instance is and is a child of component so the component class let me just try to get back yeah so if you see here the component class it's actually I don't think it's visible but the component class it's actually uh the
parent for the J component and the J component is apparent for all the the different elements that Java Swing framework has like the gem menu J table J label J button Etc so it checks if that's part of the component if it's a child of component and then if it is it will call the set parameters function with component uh with the new newly created class and the attribute that you got earlier and then if it's not an instance of component or that uh there is some error it will call the get unloadable representation which if you read the function it actually creates a new label with two question marks and makes them red which was the
initial behavior that we were seeing so that means that previously when we tried to load those specific classes here like here for example if we try to load specific class this was actually what was happening and that's why we're getting the red question marks uh but what if we find something that's part of that's an instance of component and uh we we started to analyze what was happening with the set parameters function so the set parameters function uh it's not a really complex function essentially it does what it does is it checks if any of the parameters uh that we were specified in the attributes of the HTML element uh for each of them it will check if there
is a Setter method or I call it a write method or a function essentially what the setter method is is if you have a class you have a certain variable for example employee and then you have employee name you have you would call the setter method a function that would change the value of the employee name for example and then if this method actually exists or this function it will call the appropriate function with a specif specified value that we provided earlier on the so just to make it a little bit easier because I know it's a little bit complex so basically if we provide the following HTML to the library itself to Java Swing what it will do is it will
first create an instance of this object the Hello by name object and then it will check if this object is actually a subclass or a child of java.awt.component and then if it's a child of that class it will actually call the setter method for the my name parameter and set the value to real so I I know it's a little bit complex and I'll be talking Java for a long time but I I wanted to kind of explain all the requirements and all the steps that we follow because if you don't understand all the steps that went to it you probably won't understand the vulnerability itself so basically at this moment we can we can initialize some objects but we
have some very specific needs so for example if we want to actually achieve command execution what we have to do is we have to find the class it's actually a subclass of java.awt dot component and this class should have a Setter method and this Setter method should only have a single parameter of type string and when we call this method we can sum we should be able to somehow manipulate to achieve government execution or some other thing but like going through the entire source code of cobblestrike not source code the decompiled version of Google strike is not really easy so um with we didn't want to manually analyze all of it right so what what can we do
about it because it's like searching a needle in haystack so for this reason we decided to use Derby so for those who are not aware of this tool is actually really awesome which probably uh have it in Your Arsenal uh uh so top is an open source code analysis tool for Java it's it's mainly used to actually discover the serialization gadgets but you can use it for like other code analysis uh to code analysis techniques that you want so basically in the background what it does it has the neo4j database and you can import different types of java programs like draw files and essentially any like common-known files for Java compiled programs as well and what it will do is
like analyze these files and create graphs based on these functions on the functions that that are within these programs so for this reason uh we loaded the cobblestrike draft file into tubby analyzed it with a database and then we just wrote a custom Cipher query so Cipher query is kind of similar to SQL but it's for um it's for neo4j databases so for example what I told the program here which is not readable is I told it like give me all the classes that are subclasses of java.aw component and that have a method that starts with set and has one specific parameter of type string and that it's not some specific values that I excluded
from it so in total I think we got I think around 48 I'm not sure uh so 48 functions to analyze is not a big job manually so we decided to take a look at all the functions so all the 48 methods or functions that we discovered weren't really interesting they were like mainly to just change a text label or maybe like update something but nothing was like really useful from an exploit exploitation perspective so out of these 48 discovered methods we found out that the set URI method in the jsvg canvas class was interesting because it's uh it matched all our requirements so it started with set and it was for the URI element it had a single
parameter which was tough type string in this case you know URI and then using this uh this variable it's actually called another function which was load SVG document and this fulfilled all our requirements and if if you're if you actually so discovered like an access vulnerability uh you probably know that SVG files allow you to include xss so at this point I was pretty certain that this was the vulnerability itself so I have an SVG file I'll just included script alert one which is the most common scripting uh payload that probably most people use so I thought okay so the previous one was an uh what's the next success but was was not a real xss so at this time we have the
SVG file so it's probably an xss and we can exploit it right well no so basically uh what I did was I hosted the SVG file in a remote location and injected the following HTML in the notes field so basically as I mentioned earlier just the object class that we wanted and we have the parameter URI and this is the URL and we're I was expecting it to actually uh give me the the alert one but even though the dsvg file was actually loaded we got an exception so now the SVG file was parsed but then this filed through an exception because it tried to load the class which did not find and it was org dot Mozilla
the JavaScript are scriptable and at this point I was like okay so this SVG file is somehow now loading a new class that is not finding it so can we somehow manipulate this to to actually load the class of our liking and yes we can so basically we found out that jsvg canvas class was actually part of the Apache batik Library and we research the documentation in details and was reading it for probably like way too longer than we should have and then we found out this uh this entry so basically it says referencing Java code from a document from an SVG document and everyone who's in security probably knows that's not the best idea
so it had some specific requirements so the first one is it should have been a script element which we used before and then in order for this to actually work correctly it should be an application Java archive so the the script element type should have been like that and then the the link of the jar file it should have been in x-link href so essentially at this moment we understood that we have this this SVG file then some with this SVG file we can reference external jar files and actually execute code and uh I was feeling a little bit like excited but uh all the other attempts that failed I was like still suspicious if it will work or
not so as an exploitation plan so we have everything to potentially kind of to actually execute code so we have the HTML injection we have the object reaction Etc so basically the next step was to actually build an SVG file that references the malicious jar package so you can see it here like following the documentation we just like linked a jar file which we create which I'll talk to you later on and then just leave the SVG like that and then we create the malicious jar file so we had to do some specific so for example here we had to manually modify the Manifest file to include the class that we actually want to call and
then we implemented the class and within the class you have to actually Implement another event listener and the event listener will essentially just call runtime dot get runtime exec with a calculator and it will will execute the calculator so we created the SVG and the jar file we hosted them remotely we injected the malicious HTML in the vulnerable field that we were testing in this case notes and after injecting this in the node field we can see here that we got some requests first we get the SVG file and then the jar files and then we can see here the nodes actually is getting rendered and just executing the calculator so this was like a success because we
finally managed to prove that it was still possible to actually execute code and calculator probably it's not the easiest way to start the calculator but I think it's one of the coolest one but this is all good right uh but the problem with with this vulnerability is because it's triggered in the node field so the note field is only accessible by an operator so for example I can only change that if I actually have credentials to the team server and it's not really useful although you can actually compromise other operators your colleagues it's I don't think it's something that uh has an impact in the real world so we decided to actually see how we can
exploit this from another perspective so basically if if you recall earlier I explained the architecture of global strike and we were trying to actually exploit this vulnerability from the beacon itself because the beacon is actually the malware that's deployed in several systems and once you deploy the malware in the system that means that someone that you have compromised can actually hack you back and like compromise your your system essentially where you're running Google strike so this was the main focus and some of the fears that we found out were still vulnerable from a beacon perspective the first one was the process browser UI which is uh here on the right it's essentially just like a
user interface that you can see uh the remote processes that are ran on a Target so for example you have the process name PID the architecture Etc and then you have the the other field fields which is the file browser UI which is here so the process browser UI is not really used because Google strike has also uh a console command which it's probably that's the best way to actually use and in my day-to-day operations I rarely use the process browser UI but on the other hand the file browser UI is something really useful and I use it quite heavily because it's really difficult to actually browse the file system without using a a user
interface so this was essentially the file browser was essentially a better Target uh yeah so if you if you wanted to use the process browser we could still do that but it was not really useful so we decided to focus on the file browser so the first thing that we actually needed to do to actually exploit this from the beacon perspective was try to see which function was responsible for the beacon to find or listing the files so for example we have here the function find next file a which like after reversing the beacon uh we found out it was the function that was using to find the files and list the files and you have two parameters the first
one is just a handle uh to a folder and then you have I think a file or folder it doesn't matter but just the handle and then you have another parameter which is the long pointer to a win32 find data structure so basically the structure definition is here essentially it has all the details for the files so you have like the file name the alternative name the file type Creator type Etc so everything so basically if you see here the file name is actually uh V charge so basically it's just a string sorry and so basically like the file name that we have here it's basically just a string so if we can somehow modify the response to this
function and modify the file name we can include our HTML or injection object and then perform remote command execution on the UI from the beacon how can we do that so we we decided to just like hook the function so basically for those who don't know what hooking is essentially is the process of intercepting a function call by or in a program by redirecting it and so how it works is you have the function and then you rewrite the function to uh you rewrite the function code to actually jump to another location and then you can do whatever you want with that function so there are several methods to actually perform it there is a
Microsoft detours there is free dust scripts Etc uh just to make things easier I use the fermion which is the tool uh develop one or by one of my colleagues and essentially just like a cross-platform framework that allows you to use free dust scripts and easily develop them so basically the plan was develop a 3D script that somehow will redirect the will modify the response of the finex file a function so we can see here uh on the right it's just a simple function essentially we have the intercepted data touch which will find the pointer to that function and then it will modify so if you see here on leave it says it will modify when the function returns rather
than when it starts so if you see here we just replay uh replace the the string or the file name itself with our exploitation string which is the malicious HTML as you can see up so basically sorry so basically the plan was to actually inject this one to the beacon and change the return value and fortunately for me after several failed attempts it actually worked so basically when the operator uh opens the file browser and tries to interact with a beacon the beacon will receive the commands and Define next file a will be modified by our malicious script and then it will return the malicious co uh the malicious HTML object which will indeed execute
the SVG file the jar file and then the calculator and yes that's me uh after getting it after two weeks of actually probably not sleeping a lot so I'm just going to show a quick demo should be open here okay Yeah so basically we have the global strike interface UI and this was the latest version at that time and then we have the victim PC where we execute the beacon the beacon is the malware that I mentioned earlier and then we see I just run the command task list to actually get uh the bit of the beacon and if is as you see there it's probably not visible we inject the free dust script to that to that process and everything
is working fine so now from the operator perspective the operator after getting access to your system will try okay so I want to see uh the file bro like what files this user has and we're just going to take a little bit because I think the sleep time was one minute Yeah so basically this is just waiting because the cobal strike UI has a sleep time of one uh one minute so basically as soon as everything loads uh you can see that several calculators poked up and we can see that the injection uh on the right was actually successful so that's that's how we finally managed to execute uh remotely execute code in the cobblestrike UI from the beacon
perspective so before like finishing off with the presentation as I mentioned earlier uh this my work wouldn't be possible without the amazing resources that I've listed here so if you want to take a read I highly recommend it uh so yeah there was my talk thank you everyone if you have any questions [Music] real thank you very much it was great presentation does anybody has any question even if you don't want to make them public feel free to reach out later on so thank you very much thank you and may I ask you once again please uh if you need to move around just be careful with the chairs or do so during the breaks it's just disturbing speakers
and also us who are attending so please try to to minimize the moves during the speech time thank you
president
foreign
except for nothing
thank you
description
foreign
foreign
foreign
okay one two three okay
is it is it okay like this hello because if you need to talk to the person at the end of the room okay okay yes trying to stay okay but I have to change the slide so okay great is that projecting over there yeah um the screen on camera is very Blinky okay okay you can move around freely because the lady over there will make sure okay thank you yes
foreign
data protection specialist from Pro credit bank she's going to be talking about privacy and risk-based authentication gracer floor is yours hello everyone so uh welcome to this much needed security conference which is building and promoting the information security community in the western Balkans region this session is about privacy and risk-based authentication and ironically I will start by presenting some data personal data with you so as you heard my name is Grace up and I'm an experienced data protection specialist at procredit bank Kosovo I have a background in cyber security I'm a graduate from a computer engineering and currently I'm pursuing my Master's studies in the International University of applied sciences before this hands-on experience on implementing gdpr in the
banking sector I used to work with some of the most famous ISO standards in information security cyber security and risk management one of the most frequent questions I get asked is why data protection so that you have a legal background to exercise that and I assume many of you were thinking the same well data security and data privacy are the two basic elements of a cyber security as nearly every organization today that exists relies on data the loss of data or misuse of one can cause tremendous consequences for an organization however impairing security does not only affect the organization itself because it can cause impairable unimparable damages to individuals to whom the data belongs as well that is why a protection
of personal data in particular has become more and more important we as data protection Specialists cooperate closely with software development teams and information security teams for two reasons to protect and secure the data but also to comply with the principles of privacy by Design and privacy by default this principle require every organization to consider data protection and privacy at every step and every project and activity that processes personal data nearly all key processes and activities that we use in an organization today process personal data and that is why having an understanding of I.T security I.T management and I.T configuration is a basic skill to succeed in a data protection role uh this session today comprises three main
pillars I will introduce the risk-based authentication and how it works to continue with the privacy and risk-based authentication and to conclude with key privacy threats and mitigations create strong passwords this is a very common advice for many security specialists even Microsoft itself states that one of the most important ways to ensure that your online accounts are safe and secure is to protect your passwords but is it because a study shows that on average a user has 16 online identities what this means is that we as users tend to choose simple and easy to guess passwords but also tend to reuse the same passwords across services that is why in practice passwords have many security flaws
one of them is that users are prone to disclosing passwords to attacks such as phishing but we also reuse the same passwords across Services what this means is that a compromise of accounts on one service leads to a compromise of accounts on many other services and last but not least today modern password cracking tools exist and the latest studies studies show that a password cracking tool can find up to 2.7 billion passwords according to a research released by skycloud researchers discovered that 700 million so we are talking about 700 million exposed credentials only in the last year and to make the matters worse 72 percent of users guess what still use the same passwords so no surprise that
major online services are doing something on this one of the most proposed measures is a two-factor authentication in a two-factor authentication a user confirms possession of another credential linked to the account typically by a hardware token an authentication app a mobile phone or or an email address however as two-factor authentication is an opt-in process so it requires user intervention the user acceptance is very low for instance Google Google has offered two-factor authentication since 2011. however only 10 percent of users so 10 percent of users were actively using it in 2018. what can be done to protect against two-factor authentication to make it more usable implicit authentication is one of the answers so if we classify the logging data as
suspicious or normal attempts then we can differentiate these attempts by other parameters and define whether it is suspicious implicit authentication is practical because it is employed in the background without user intervention and it is secure as it is a continuous process a risk-based authentication that I will elaborate more during today is a two-factor is an implicit authentication form RBA or risk-based authentication is recommended by the National Institute of Standards and technology and the national cyber security Center of United States to protect users against password spraying and credential scripting RBA has an increased password authentication security because uh it leaves the usability in act commercial sales of RBA Solutions are currently increasing and expect to do so
supporting the demand of strong authentication methods however currently the use of RBA is limited to a number of major service providers like Amazon Facebook Google and Linkedin but how does RBA work RPA monitors contextual features that can range from a network features such as an IP address to client behavioral information such as logging time and based on these parameters it calculates a risk score so when we as users submit our logging form the risk based on uh the risk-based authentication calculates the risk score which is typically classified into three main categories low medium and high if the user behavior is as always then the access is granted and the user is not bothered by another form of
authentication whereas if the risk score is medium or high then depending on the RBA implementation the system requires more information as a proof If no proof is given then access is denied so far so good RBA is offering high security is leaving the user ability inept so why we should consider privacy well don't forget that RBA offers security and usability but all at the cost of processing our data a data that may have a potential reference to our personal data and in case an RBA database is forwarded or breached then we are at a higher risk than usual because not only the traditional username is explo is exploited in addition security is not enough to
meet privacy regulations and we all agree that security and privacy have in common and focused on protection of data however there is a difference security protects confidentiality integrity and availability of information and privacy on the other hand is more granular on privacy rights with respect to personal data and privacy will always Prevail when there is personal data processing whereas Security will continue to focus on the information protection of information assets considering this I will elaborate why the integration of RBA systems should consider data protection laws and regulations but what is personal data personal data is a term used in gdpr the famous General data protection regulation as other terms used instead of personal data are personal information and pii
the personally identifiable information as used in ISO standards the definitions however are very similar so personal data is any information relating to an identifiable natural person which can be directly or indirectly identified I know very theoretical so let's focus on the key information and map them to the RBA context data used by RBA certainly Falls within the personal data definition two main reasons the RBA works by implement the implementation of RBA Works relying on feature values these feature values are unique identifiers by themselves for instance IP address on the other hand the risk core the risk score is classified as a unique identifier itself because indirectly identifies us and our interaction with the system introduction of data privacy regulations
and laws has dramatically changed the way the online services are processing and collecting our personal data for instance the gdpr and the Californian consumer Privacy Act from formally losing recommendations on how to handle data we now have clear and binding data protection principles these principles of processing personal data are namely the lawfulness fairness and transparency the purpose limitation data minimization accuracy storage limitation integrity and confidentiality in the following slides I will outline the requirements of each principle and how the RBA system should Implement them to process personal data we must have a lawful basis for processing but we also should be fair and transparent with the user what this means in the RBA context is that the design of RBA should be with
consent in mind why to provide users with clear and easy to use easy to understand explanations the second principle is purpose limitation personal data should be collected for specific explicit and legitimate purposes and no further processing is incompatible with the first purpose is allowed what this means in the RBA context is that the future values can only be used to calculate the risk score itself
okay
so the next principle is data minimization what this principle states is that personal data shall be adequate relevant and limited to what is necessary in the relation to the purposes of processing personal data in the RBA context this means that feature values should be reviewed for suitability and redundant data should be deleted however in practice it's not this simple because providers of RBA systems should consider that data minimization can impact the risk or reliability another principle which is straightforward is accuracy accuracy means that personal data should be accurate and up to date however in the RBA context this is crucial why if we have an incorrect feature value then the risk score is or medium or high what
this means is that the user is prompt with another factor to be authenticated and what we are doing we are converting the RBA to a second Factor authentication if you remember from the slides before I stated that second Factor authentication has a very low acceptance user acceptance so we do not want to end there
okay
storage limitation storage limitation I think it's too far away is it good stories limitation this principle states that personal data shall be kept in a form which permits identification of data subjects only for what is necessary and how long is necessary for the purpose of processing what this means in the RBA context is that if data or no user used or no longer used then they should be securely destroyed or anonymized for the time being it's important to know that anonymized data is no personal data because I will cover anonymization in the following slides that is why as a provider of RBA if we anonymize data we can continue to use this data for testing purposes
the last principle is integrity and confidentiality personal data shall be processed in a manner that ensures appropriate security and protects against unauthorized access damage or destruction some of the proposed measures are pseudonymization masking and encryption I talked about two terms maybe it's the first time that you heard maybe you use them in your everyday life at work pseudonymization and anonymization reach they Fame one gdpr was introduced people not knowing security and data protection tend to use them interchangeably please don't do that there is a big difference pseudonymization is the process of replacing personal identifiers with the pseudonym if you can see from the picture we are replacing the name with a bunch of numbers but for the time being we cannot
re-identify if the individuals if we don't have the key that is why pseudonymized data Falls within the scope of personal data however fewer processing restrictions apply anonymization on the other hand is the process of removing elements from personal data so the process is irreversibly this does not uh as such Anonymous data is excluded from the scope of personal data and is not subject to privacy and gdpr laws coming to the last part I will present the Privacy threats and mitigations two common threads that we see related to the RBA context are data misuse and data breach a misuse of RBA feature values is that is when we use the feature values for other purposes rather than
calculating the risk score typically for user tracking profiling or advertising no wonder it is a threat because we have seen happen before where a phone number stored for second Factor authentication were used for tracking and advertising to users we as users should trust our online service providers to not misuse our data however a responsible service provider should take precautions to minimize the misuse of scenarios or unintended processing data breach on the other hand is when an unauthorized person processes personal data or has access to this data a data breach is an attack on confidentiality as such it allows attackers to use the feature values to link profiles at different online services even if we use other
credentials they can find Who We Are depending on the service this could result in negative social or legal consequences for the individuals and enable account takeover attack on a larger scale but how can we mitigate them two methods aggregation and logging history minimization we can aggregate the feature values in the logging history so we can only reveal how often a feature value occurs instead of its chronological order by aggregation we mitigate the re-identification in logging sequences on the other hand by limiting the logging history in terms of the number of features and entries we mitigate tracking users for an extended period of time this has already been proved because the study shows that few entries are sufficient to achieve a
high RBA protection this was privacy and risk-based authentication what I talked about was that risk-based authentication is an implicit authentication form which offers high security and usability but please don't forget at the cost of processing our personal data that is why design of RBA systems must balance security and privacy I want to conclude by quoting Steve Jobs he once stated that privacy means people know what they're signing up for so fairness in plain language and repeatedly we should provide update the Privacy notice I believe people are smart but some people want to share more than other people do we just have to ask them so obtain their consent however I encourage you to think whether this
quote really stands or not thank you thank you grissa does anybody have any question thanks again it was great presentation thank you [Applause]
thank you
dardan foreign
foreign
okay welcome back uh our next speaker it's Mr gregorch torik I hope I'm pronouncing your first name correct perfect perfect he is a security researcher from Poland so gregoch the floor is yours hello welcome everyone I'm dragos and uh you are pronouncing my name really really properly if you really prefer I may be Greg for you I'm doing mostly research around windows I'm working every day in a large organization trying to implement a blocker so I started to dig into a blocker finding a lot of interesting things when it comes to a poker uh water blocker is kind of a short introduction for you it is one of three ways we have within windows for
application-wide listing because the typical approach we have built into Windows systems we are using everyday on our desktops just by default it is we have kind of an anti-malware antivirus however we call it trying to block malicious actions especially trying to block you from running well-known malware so if you download the malware to your machine try to run it probably something will pop up saying it is not allowed to be run it is a typical black listing approach telling you it is not allowed because we know it is bad whitelisting approach is totally different it is different Paradigm telling you you can run only what you have allowed previously and in Windows we have three ways of doing this the
very first historically saying is SRP software restriction policies being built into Windows XP SRP is not the smartest thing because it relies on the Explorer and the Explorer is your process so you can manipulate the process trying to enforce you from running an unwanted processes so it is not that effective in practice is easily hacked by the way one of the most known applications being used for bypassing SRP is a tiny program called GP disable written by Mark russinovich after Mark russinovich joined Microsoft this program magically disappeared from the internet you cannot find it anyway right now we have two possibilities it is applocker being built into Windows starting from Windows 7 if I'm right and
we have Windows Defender application control they're working I can say in parallel on different levels a blocker is definitely more user friendly when you have to manage it WDC is protecting you better but the overall landscape is not only about the technical possibilities of the solution but about friendliness the knowledge of Administrators and so on the whole landscape I'm more Pro applocker I would say even if WDC is better when it comes to the pure technology when it comes to a blocker uh we have a couple of components working within a blocker so we have a Management console absolutely absent in WDC by the way we have graphical interface I will show you in a moment we
have some Powershell we have some special service the service must be run to have your white listing working which is up by dsvc we have some kernel driver doing some magic with tokens for example and we have a login component and right now I can show you a couple of things in this counter blocker not yet about the hash but we are going closer here I can see the app locker lock I can see couple of entries being I will return to them in a moment when it comes to the management there is a sec paul.msc console when you can Define under security setting application control policies and a blocker for the app Locker you define
what you are trying to do on different level else because you can perform my testing on executable files on Windows installer MSI files scripts and appx files actually dot exe typical executables are the most common and resemble it would be great to include dlls here as well you have to enable it on this page to enforce the dlls as well for every single single category you have a possibility to pick the right way of protecting your machines we can because we can work into modes in the audit mode and the enforcement mode in the enforcement mode if something is not allowed it will simply not run that there will be a default kind of a
message telling your user it is not allowed your user when we work in the audit only mode and everything is allowed to be run but we can see what we see over here for example for this working warning if I see it I can see there was something in temp this host some automated stuff being done within Windows not being whitelisted and I have warning because it was allowed to be run but if we play seriously it would be blocked okay so I have two rules defined over here um just for demonstration purposes the first rule is based on the path if something is within C program files then it's allowed to be run the second rule
is if something is within C Windows it is allowed to be run because a regular user cannot drop in most cases let's say an executable file there so if a file is within one of those paths it means an admin did it so it is legitimate by by the location I would say automatically because it stays here so I do not have to manage hundreds or even thousands of different executable files because I have created those two rules for paths and it is perfectly enough so if I run something let's say from my from my desktop okay it's wrong console this is the right one here I have an application called Write IAA writing 108 letters you will show in a
moment why this application is run from my desktop which is obviously not program files and not windows so if I do F5 I can see a warning it would be blocked if you play seriously a blocker detected in and warned us okay and so you can see a blocker is trying to register every single executable file being run but there are some interesting cases over here because I have written a timing dll file actually dll files can contain the same type of executable code as we have within.exe files but we have no dll rules being defined here so I will load my dll there you can see there is my dll called ignoreapplooker.dll and I will load it
use it using run the editor 2.
dll and then method is called do it C windows system assumed it easy and the new CMD appeared it is very special CMD because if I do who am I slash all I will see I'm acting here as a system actually this dll is stealing that token from one of the services and is launching a new process I have specified in the buff over here on the stolen token so I have a stone token from system and what is most important over here and the tokens stolen from the service contains within its data a very special seed telling clearly it is a service it is a seed s156 if a blocker sees such seed in the token
it totally ignores such process so I run around the ll32 as a regular user CMD was launched as a my special service user on the special stolen token who am i.exe also an application was launched on this token as well if I launch something from a desktop which is clearly not allowed let's go here and I will pick one of the applications right a is not a bad example shift right click shift right click copy as path now I can paste Ctrl V it was run not a big surprise I am here in the audit mode but when I look into the event log I can see the last thing here is run dll was
allowed to be run this is right IAA but from the my previous run this one is the freshest one it is 306 this it is the moment I have run dll running everything happening next from my second window was totally absent in the applocker lock it was totally it would be totally absent if applocker really enforces me and trying to block some application so if s156 appears within the process token such token such process is totally ignored by a blocker there is one thing more but it is documented so it's not that funny because if you have a API function create restriction token under parameters you have a Sandbox inert parameter saying clearly control scroll
saying clearly it will be ignored by a blocker this flag disables checks for a blocker but it's not that funny because it's documented and the previous one is not documented at all so we can bypass a blocker by manipulating the token it is the first case okay when you create your rules for a blocker you have actually three possibilities I will go here this is the console I need create a new rule and you have three possibilities for creating a rule first through the wizard you have to specify this alert or or didn't I please do not create the deny rules applocker is about allowing so deny rules are pointless and here we can specify a user which is a great
advantage of applocker over wdac because we can specify the special group this group is allowed to run everything and if we pick if we put a user into the group this user magically can run anything if you remove a user from this group of course after creating new token which requires log off logon and so on but we can manage easily who can run everything anyway when you create a rule you have three possibilities we can rely on digital signatures uh publisher here we can rely on path it is what I did for program files and windows and we can rely on a file hash for a file hash I will browse files I will pick my right
IAA my simple application right IAA open create and now I have a rule based on the hash of this write AAA file so if the hash of the file matches executable file is allowed to be run if it does not match it will be not allowed at least not by by this row if I right now I will close this console of this as this one is ignored anyway if right now I will run right again within the event log not the big surprise I will see right IA was allowed to be run due to have a rule specifying its harsh so what I'm I will do right now I cannot easily plug in and plug
plug out an external drive into my virtual machine but I can create a vhd file and detach and attach it allowing me to manipulate the data on that drive in a physical way so I will attach a vhd file to my VM C temp X vhdx X Drive will appear I will copy copy write IAA into X drive I will run it X right IAA it will run as everything runs here in the event log not the big surprise X right IAA was allowed to run as the hash is the hash perfect URL out by the a blocker so what I will do right now I will detach the drive detail vhd yep I want to detach it I will open it
with hex editor which I have on the desktop which is yet an another one applications to be allowed by the way I will open it X vhdx Ctrl f AAA does not matter there but you can see it it is here this is probably at least some of you did in the past hacking applications to display your name instead of the legitimate developer name if you run an application it's exactly the same level of advanced as I'm doing here I will replace couple of a letters with dots now I will save it I will close it and I will attach it again action attach vhd see temp x v h d x the X Drive appeared
I'm here X right IA not the big surprise you can see those dots I have manipulated on the physical level on the drive but was it allowed to be run or not from the security perspective the answer should be really simple it should be never allowed to be run F5 from the applocker perspective it was allowed to be run this warning is about my hex editor just to let you know but the right AAA the manipulated one one was perfectly well allowed so let's try to figure out what is going over here so I will run Powershell power shell Double L will work better get get file hash for my right eye on the desktop it is d355 at
the beginning schwa256 I get file hash X right AAA totally different not the big surprise I have manipulated the file so it must be different but a blocker allowed it so what is the applocker policy get a blocker a policy local I will put it this way and that to XML this is the applocker policy and here you can see the information within the app Locker policy the rule and as you can hopefully see the hash is yet another different it's not this one not this one all those three are try to five six but there are totally different ones so what is going on here the very first thing when it comes to hashes is applocker is saying it's Shrek
256 but it's lying it is not strato56 it is not clearly documented what a blocker is using here but if we dig deeper we can realize the harsh matches so-called authentic code hash there is a well-documented algorithm invented probably by Microsoft if I'm right for creating hashes for executable files it is commonly used for digital signatures in practice and a blocker is using it here not telling you it is using it it is lying it is strato56 which is not the truth at all there is an undocumented algorithm here you can specify schwa256 flat as an algorithm there is no single dimension in the documentation about this and then you can use strato56 the real throttle five six anyway
a broker is telling you something else about hushes but still the hash for this file I have manipulated must be different so again what is going on here I will use I will launch console as an admin and I will use a built-in FS util um command fsutil is one of my favorite commands in Windows it is a command being constantly managed and updated by the team responsible for the file system for the ntfast file system so if you can do some magic with NTFS file system fsutil probably is the right tool FSU till file a query AA is querying for extended attributes files within NTFS file system can have so-called extended attributes you can think about extended
attributes like if you are familiar with altered data streams extended attributes are kind of like alternate data streams on steroids they are slightly different but the purpose is somehow similar so there is kind of a metadata you can attach to any single file within device system it may be it may have some name it may be different length it is just a metadata kind of an attribute to a file called AA which means extended attribute if I display the extended attribute for my right IAA file I can see those are extended attributes of my right AAA and here the the last one is the long one is not that interesting in this case but this one
is very interesting it is called dollar kernel Purge app ID hash info and you can see if you look close this 6E 38 and so on and so on is exactly here it is the same piece of the data it is the hash of the file the applocker version of the hash being stored as a external attribute extended attribute of a file and how a blocker Works a plucker does not calculate the hash every single file run it would be time consuming it would be too expensive in terms of computation storage operation etc etc so at the first run this extended attribute is created it contains the applocker hash of the file and during next runs only
the cached hash is being verified what does it mean if I manipulate the file on the hardware level which I did using hex editor on my vhdx file the hash is not being updated and a Blocker still relies on the hash even if the hash does not actually match the file so I can manipulate The Flash and applocker believes it's cash instead of real file content when it comes to such extended attributes again some documentation exists it is here about kernel extended attributes about two interesting things here I will scroll a bit to find the information which I want to show you is about dollar kernel.part actually if the uh extended attribute name starts with the
dollar kernel it is a kind of a flag for the NTFS driver only kernel code can create such extended attribute so I cannot create a dollar kernel something something on my own if my code is running in the user mode and not in the kernel mode dot per means if the file is being touched exactly saying any of those operations is being performed then an entire attribute must be removed automatically by NTFS driver it is why the hash is good enough if I manipulate the file the typical the standard way but if I manipulate the drive which is plugged off of my machine there is no way NTFS driver will realize what I'm actually doing
so it is how it is working so a blocker relies on this hash and if we are smart enough digging deeply enough in the structure we can manipulate the data without being noticed by the ntfs.driver so the the attribute is not being automatically removed if I edit this file traditionally of course this extended attribute will disappear and during next run a blocker will recalculate the hash from the new file maybe the same one but it will recalculated and it will put it into the extended attribute there is interesting thing over here because there is a clear proof that a blocker trying to allow or disallow a DOT exit file from being run relies on its cache
being on its hash being cached but we have also a special command called tester blocker policy which is a command LED in the Powershell asking a blocker what a blocker would said say about this file if we try it to run uh so I will put this XML file into a file and let's call it xml.txt out file um out file xml.txt so now I have my applocker policy saved into a txt file because the next command and the command test applocker policy requires a file to be specified test applocker policy requires XML policy um to be specified so it is test XML txt thank you and it requires another parameter which is path let's
say it is about right IAA here and on the legitimate file it will say it is allowed it is policy decision allowed because we have a matching rule called Write a this is the name of the rule as well so it is saying based on this rule we will allow this file to be run if I do the same on the X drive and my manipulated content you will see it will be denied by default because a blocker relies on the cache and test a blocker policy command relies on their real file content just to make it consistent and look more Microsoft this way um so Please be aware that such manipulations are possible only if you have a physical
access to the drive because it's not something end user can do it can do easily even attaching detaching vhd file is not something allowed for the end user easily because it requires some privileges a typical user does not have but when it comes to the USB drive being plugged out and plugged in then we are on the good side and we can try to manipulate it maybe hashes and such manipulations are not that common but we are still on the right by uh right path I would say instead of manipulating the file content which has a very limited practical applications but clearly proving my idea we can write an attribute to an existing file so
I will exit from Powershell I will run my pounding applications it is working if I go for a blocker policy F5 you can see this application was detected as unwanted right now it is allowed to be run but if you play seriously it would not so if I know I have some Hash Hash based rule I can try to play with this as well so I will copy it to the X drive as manipulation of the on the X Drive I easier copy um my X Drive X Panic application or surround but it would not be allowed to run if we play seriously which is clearly stated xpwn was allowed but would have been prevented from running
and I know I have my hash being prepared and within my policy I will copy the hash from here it is the easiest place to take the hash in its uh at the perform I can try to create an extended attribute on a file which already exists my xpwm I cannot create what Microsoft documentation says I cannot create dollar kernel something something but I will do a dirty trick over here I will create an attribute called hash kernel something something and then I will rename it offline which will be easier so here I have my set a blocker hashcash applications it requires a file name and the hash so it is setup Locker X pwn and the hash I have just copied
it ah it on my X drive it already has so I will X pwn and I will call P pwn from the desktop the X drive my application is protecting is uh not allowing you to create a hash the extender through which already exists to the X drive right now it does not have the uh extended attribute I can clearly proof it by FSU till file query a a x pwn no extended attributes so I will do a command line magic watch carefully F7 and I will use a history and now it was planted over here with the name dollar kernel which I need to change hash kernel I need to change the dollar kernel I will do this offline by
um detaching VC Drive yes by running my hex editor again on the same file Ctrl H Ctrl H or Ctrl R control R search for dollar kernel dot Purge dot into the hash sorry for hash changing to Dollar kernel dot Purge dot replace all couple of occurrences will be replaced okay safe and close and attach a file again action at Advanced
but the first one was hash kernel the second one was dollar kernel um C temp x v h d x will be attached and right now if I do the same command I use a moment ago for displaying we had no extended attributes after fsutil file Courier a we had no extended attributes right now F7 and FSU till and so on I have it added by an application and then renamed to Dollar kernel project by the hash info by my physical Drive data manipulation by raw disk access so if I run xpwn right now it is running but the true will stick out out from the event lock it was allowed to be run as
applocker relies on it on it has so I can plant a hash a cache of the hash on an existing file if I want however I cannot directly name it dollar kernel that is not allowed by user mode and I I'm running my applications from the user mode obviously
when I when I have a possibility to manipulate on the offline Drive probably yes
you can create the uh if I'm creating an extended attribute using ntfs.sys driver dollar kernel prefix is not allowed if I'm manipulating the data offline under ntfs.driver there is no such restriction I hope it answers your question so I can plant a fake cash information on an existing file I have also a copy I can also copy and um existing set of extended attributes from one file to another one I have a tiny application uh copy AAS I can specify source file and the destination file and I will simply copy everything so I can plant a hash cache or I can copy everything because if yeah if I do let's see CMD should be great
example FSU till um file query a a c Windows Cemetery tool cmd.exe you can see this is a different one I will show it on the right IAA as my write a application is digitally signed I'm used to sign my applications so the same comment but not on the SC Windows which is a slightly different way management when it comes to the signatures right AAA you can see there is a lot of information the first one Aid one is about the um the second one here it is called clearly called signer info it is identified by aid3 and it is a cached information of the digital signature being planned on this file so theoretically you can also play with
digital signatures uh hash as digital signature is not verify every single file run it is also being used from the cache so we have some possibility to manipulate this um typically I hear two very common questions to the reasonable questions when it comes to such directly plays with a blocker hash cache the first one can we manipulate it the same way not on the file image but on the CD image the answer is no because on the CD image we have cdfs file system and not NTFS file system it is totally different file system so we cannot do this which is great news for Defenders as a regular user cannot Mount the HD file can plug
in the physical drive if it's allowed by policies but typical user can amount.iso file with the CD image but it will not work for the isofits another question I hear sometimes is about WDC Windows Defender application control what about WDC and the answer is wdac relies on such a cache as well of course those attributes are named slightly differently but at the same time wdac does not want to use cash from the external drives it relies only on the cached information from the system Drive so you cannot plug in the falsified drive you have to plug out the C drive manipulate it offline or by running from some uh bootable USB whatever and then WDC will rely on this information
properly so it is theoretically possible at the same time if you can manipulate the drive content offline for the C drive you own this system anyway you can do anything you want so manipulating the the cache for the something something to have one application allowed to be run is definitely Overkill if you can do anything if you have and offline access okay when it comes to shift five resources I used to share my source code for those applications my research Etc this QR code if you really want is just the set of links being provided in the form you can use on your phone on your device instead of typing in especially the last link is
Type in Friendly so you have them handy if you want you can also scan my screen later on um when it comes to a blocker I try to show you its imperfections and it is how I call it it's about imperfections it's applocker worth using yes definitely yes it really Rises the bar for bad guys even if it's not 100 effective it is still Rising the bar so you have a huge advantage using it the good news and it is a kind of fresh news is like two months old so comparing to the history of applocker is really new applocker starting this February is allowed to be run on Windows 10 Pro previously it was allowed to be run only
on Windows 10 Enterprise and on servers which clearly limits its potential in Practical scenarios right now you can launch and manage a Blocker in Windows Pro as well when it comes to Performance well you will clearly see it is not affecting performance if you run it in the audit mode so you can turn audit mode literally audit mode literally today and observe what will happen in your log for the applocker and then try to narrow down rules to allow what you want to allow and then switch it to them and form enforcement mode and raise the bar for bad guys and make your systems better protected that's basically it thank you very much thank you Greg that was awesome
great presentation thank you thank you does anybody have any question comments remarks that they would like to make
okay so since the user can can mount an ISO image you can theoretically do the same thing to the iso image right I saw image uses different file systems using cdfs which does not have extended attributes okay so it is impossible to be done with ISO image is this possible using say uh and USB yes yes when you format USB to ndfs and manipulate it this way it is possible for USB yet another reason to block unwanted USB devices so so you can still send them if you have the harsh you can send them USB they will run it from the USB and they will be able to to bypass the app Locker right theoretically
yep I can imagine this okay okay thanks welcome any other question going once going twice okay great speech uh I have just a quick question most of us it security guys know that app Locker can be run as a local user so what are the exceptions in this case if we have configured app locker from the admin permissions or admin sites so what can be done using local user permission in this case well if you are a local user uh by passing that Locker a blocker will be not that easy if system is up to date and fully parched in the past we had like a Sandbox einert flag which could be used by an end user in the past but
right now you cannot seal the token from the service which I did it requires admin permissions particularly as a debug privilege on the uh within the token of the attacker so you must be an admin already and for end user you can try to download potentially malicious dll if dlls are not white listed because dll can contain the same maliciousness of the code AS executable file and trust me even if companies are implementing but a bit like a blocker they are leaving dll whitelisting for the next stage in the future this is how they do this so if you are a bad guy put your stuff into dll and then run your dll using kind of a site loader for data
starting from ndl Level 32 which is perfectly we're allowed like SRV or some other system applications loading arbitrary dlls and put your code into dll it is what I what advice to bad guys but well if You observe this closely probably you will realize something wrong is going on and at the same time still it is well worth implementing a blocker because you're raising the bar even if it's not 100 successful thank you
any other question Gregory thank you we're going to take a quick break and then we have two more great speakers so please stick around uh once we come out out there to invite you to come in please do so in timely manner so we don't interrupt the next speaker yes four o'clock I guess we are back here at four o'clock thank you
foreign
face okay guys welcome back we're supposed to start like 10 minutes ago uh so without any further Ado we're going to introduce our next speaker she's originally from Kosovo she currently works for meta a parent company of Facebook she's a security engineer so Zona floor is yours thank you so much thank you for sticking around to those of you that this afternoon uh my name is exona I'm really excited to be here this is my first time in kind of a security community in Kosovo um thank you to the organizer stolen speakers I really enjoyed the talks throughout the day so I I will be talking about how we're using automation to scale threat detection and response
um this is kind of a rough agenda I'm going to talk a little bit about who I am and what I do uh we're going to go through a review of what detection and response really is I haven't heard so much about it today more so on the application side of vulnerability side so uh we'll go through a short overview and what that looks like then we're going to talk about why we even care about automation why does it matter um and then how we might be able to apply to different environments what that looks like the trade-offs around it and then some use case examples to kind of be more of a practical guide and how
you might be able to incorporate it into your environment so as mentioned before I'm a security engineer at meta or formerly known as Facebook I've been there for about five years I studied computer science at California State University East Bay so I've lived in the San Francisco Bay area for a while and then moved to London more recently and been living there I'm really passionate about diversity and specifically women representation and infosec I've always been outnumbered and I'd like to change that and help as I can um I am involved in like women in cyber security organization or internally at the company and initiatives to build a community within that representation if I'm not working or in front of a
computer I really enjoy being outside traveling spending time with my family I'm really passionate about well-being and health and like cooking healthy meals and things like that so now you know a little bit about me so let's talk about detection and response so basically what I do is I'm part of a team that responds to any malicious Insider or external threats to company data infrastructure Assets in general and what that looks like in terms of what we do specifically is kind of this life cycle so in order to find any Badness in an environment we basically have to get Telemetry or we have to ingest necessary data this might be I don't know network connections like the NS logs it might be
things on the host like maybe you want to have EDR uh endpoint detection system that monitors and Aggregates data for you so in order to do any kind of uh hunting or detecting or responding you want to make sure you have data that's actually reliably ingested you're not missing logs and stuff like that the next step is hunting around that data so basically you want to be proactive and not just wait for maybe a partner team to reach out and say oh there's a vulnerability and people are exploiting it you know nothing about and you actually have those kinds of servers and they're on patch and blah blah blah so you want to be proactive about
identifying uh some ttps which stands for techniques tactics and procedures so basically open source or certain threat intelligence in general about threat actors and or indicators of compromise that you might look for or just in general understanding your environment so what kind of machines you have running what types of servers what might anomalous look like in that environment and that can get really detailed and in depth but this is just in general what we identify as hunting once you have actually understood what your environment looks like what Badness looks like maybe you're feeding in threat intelligence and you're able to look against that we go to detection where you basically have some sort of detection engineering framework or
whatever your company has to actually write a query or run some type of syntax logic to identify that event when it happens and trigger an alert for review for someone um at that stage you would be in the response team and so in this part of the life cycle is basically where you grab that alert most likely someone an investigator or analyst is going to grab it and look at it and try to identify is it actually Badness indeed or maybe something happen and it's actually a false positive so a lot of manual analysis um and investigations to try and correlate information understand what actually happened because the event that was flagged is quite limiting you can't
really make a lot of sense out of just maybe a single line of you know a log detail like a file event or something so this might look different depending on the organization like if you're a very small uh company you might Outsource some of this like maybe you you have a sock or like you hand off actually investigating the alerts and you only get reached out to if if they determine that it's something bad or maybe you know you have like I just want to point out that this might look different I'm this is just what I'm used to working at a bigger company so if we incorporate automation this is what it might look like
and as mentioned before it's not like conclusive this is just my Approach um so after you detect basically and if an event is flagged that uh something bad happened maybe you have a compromise hose I don't know uh this is the point where ideally you should have uh some type of automation framework Incorporated that picks up that alert and tries to do things automatically before it's even up for manual review for an investigator and engineer so this might be data aggregation uh checks against Intel or performing common steps that are manual otherwise and those can either be generated through uh kind of retroactive analysis of your investigations in the past so you can see that a lot of people are performing
exactivity or like uh action and you're able to actually automate that the last step here that I edit I just want to point out that uh ideally you have a feedback loop for all of the other components of your cycle and the post-mortem phase is kind of where you should be able to go back to your Automation and say actually you could have done better than you did and that's what we want we want to be able to Once something is uh stood up for manual review for an investigator engineer they're able to then have some sort of feedback loop that either goes to detection or automation depending on like what the limitations were so the next step is kind of why should I
invest in automation during my time so far in my career I have gotten the chance to focus on different sub areas of detection and response and I have focused on automation a lot and I have had the opportunity to think about trade-offs here one of the things sometimes my job is really exciting other times it's a bit boring and basically I want to be able to automate more of the boring stuff so I can do more exciting stuff and so if I have to investigate an alert over and over again uh I don't really want to do it and so if it's a boring task and it's kind of mundane and I don't want to do it then
I'd rather have automation do it manual work is not really efficient so over time you're not going to be able to scale maybe I don't know hundreds of alerts per day um so having to manually go through queries it's uh it's quite inefficient with that comes load management so for example you're gonna have to hire more people to review things manually rather than investing maybe an engineer so automate some of those things away The Next Step directly related is indirect false negative reduction just because with a lot of uh a lot of manual review of the same things a lot of people run into what it's called alert fatigue and basically you're looking at things all day uh and maybe you're so
used to seeing this always is ah this is always a false positive and you close it out but it was actually a true positive and thus has led to a false negative which means it was malicious and missed which happens all the time and also can lead to bigger scale incidents for a company a smaller margin of human error basically what I mean by this is if you as a person go and run I don't know SQL or whatever wherever however you do your investigations and run analysis you as a human are more prone to maybe missing uppercase lowercase or like missing I don't know uh the extension or whatever it may be and so if you're proactive
about having automatic queries run then a person can just click and it's going to run for you you're going to reduce you know the margin of error there over time because you've invested proactively in automation you're going to be able to see impact that will allow you to actually invest resources and other maybe high priority things such as onboarding maybe new signal into a new infrastructure of the company that you haven't really touched before so with that with less of the mundane and kind of boring tasks because truthfully there isn't always just exciting things to do sometimes you're going to have to deal with like low Fidelity low Fidelity rules that are very false positive prone
and last but not least and this is not an exhaustive list this is just things that you know I think are quite common uh is detection limitations so sometimes actually during the detection phase that I talked about in life cycle it's limiting you're not able to correlate a lot of events to actually identify if something bad happened so for example a parent process maybe you know three steps down spawn the process it's quite unusual you're not able to upfront maybe because limitations of most detection engineering Frameworks uh have kind of limitations in how how much how dense of a logic you can run and so you can use automation to actually you know uh sift through things easier once an alert
is escalated from like a basic heuristic basically so how do I incorporate Automation in my life cycle as I mentioned uh I'm used to kind of a bigger Scale Company where things are made custom to the environment more often than not so I'm not really familiar with a lot of tools out there but I know that for example Jupiter notebooks are quite commonly used in the industry for this type of purpose commercial commercial tooling are also available so a lot of times if you buy EDR or you have a seam or something like that they will have a company tooling or like things you can add on to fit your needs in terms of this concept
and then also like if you can influence for example partner team themes or being able to hire maybe more of the software engineering background folks to actually build these tools on top of things that's also possible and that's what I'm used to most of the time even though I talked a lot about all the good things about automation because I'm a fan of it there are trade-offs to consider and it's not always the answer so you have to think about what works for you so if you're kind of more on like the starting to build your program and you don't have a lot of resources and you likely want to invest you know your costs and capacity into actually
having data and aggregating logs and you know maybe a formatted way and clean way that's probably where you should invest your resources however I think if you are more on like balancing out uh how how all all the things work out and you're at a place where you know you have the capacity to onboard new technology then I would vouch for it you should think about frequency of you know actions performed like you don't really want to automate something that you run maybe or do once a month and it only takes 10 minutes because the reward is not that great so the impact is not that great so having these considerations over like ahead of time there will be some
maintenance overhead you know the code that actually automation runs on needs to be maintained and things like that so just uh wanted to call out that there is also negative things that we should consider about it with that we're at the use case examples um I wanted to talk about phishing because it's one of the most uh you know talked about prevalent things that happen in the real world and we know that it's kind of very it's one of the most common infection initial infection vectors used even by threat actors and but they are very false positive prone and it's really difficult to like for them to be you know meaningful sometimes and can get boring so uh in
this case what we want to do basically think of the Playbook basically documentation you have for an engineer or like a Playbook on like this is how you should investigate this how can you write that into code basically how can you script that and think about things that you very likely will need in in order to investigate this type of alert so for example highly likely that you're going to need the email contents the email headers send their information if it contained kind of interactive content such as maybe URLs or attachments or other things um if it's not so much like social engineering type fishing where they want you to call them back and whatnot but
more so like a malicious email with content you're probably likely going to want to prefetch kind of information that shows if a user interacted with it do they click those links can you see that in your uh Network logs was anything downloaded what happened things like that and then probably likely if you have an infection is ways to remediate that inbox or the user and so the way I have listed these things is that for example you you can very likely automate the highly likely stuff you can prefetch all that information for someone to review and in case instead of them going to run these queries manually they will already be there and probably will take them to the three minutes to
actually analyze that if there's anything that stands out in email headers security professional you're probably going to see that right away instead of spending time to actually go do that if you're unable to automate the rest of the process so actually determining if it's bad but basically pre-fetching information so in this case I just wanted to show a case that might be fully automated um there are other things that you might check but this is just some of the checks you might do so basically you want to check if an email is indeed malicious I don't know if I can use this oh
okay so you want to check if the email is indeed malicious and maybe some of the checks you would do is check if the email is unexpected unexpected the sender is uncommon headers look off like maybe you know send their addresses don't match SPF is off whatever it's trying to impersonate someone maybe uh that you actually communicate with but this looks slightly different the the email has interactive content and maybe you have kind of automated analysis in place so oftentimes companies will have Dynamic analysis available and you can submit something for it to be run in a sandbox or something like that and if you're able to automate that step basically it will come back with
something saying whether it was credential harvesting or not or otherwise interesting um the other step is around if actually someone interacted with it because let's say we have a malicious email but nobody did anything with it we don't really care other than maybe adding those iocs to some sort of tracking if you do that or some sort of block listing or otherwise known to the blacklisting uh if you do that so in the end if you have for example it looks suspicious something is off with the email are automated analysis shows that it's actually bad and no one interacted with it and then we can just run mediation and remediations actions such as for example deleting the email
adding iocs so for example domains uh to block listing or tracking or if you do thread Intel tracking of some sort and then close the case as true positive because it was indeed malicious even though it did not lead to compromise the other case I wanted to talk about is malware because it's also very prevalent like if you work in an inside of in any type of cert team and you're responsible for a company's assets such as user laptops you're probably going to run into a lot of commodity malware adware and general unwanted software like pubs um it's gonna get quite quickly depending on the size of your company a big volume of alerts and basically in
this case you again want to think about how you can codify your workflow or the Playbook that you work with so being able to flag any type of event proactively at before the time of of alert is raised for manual review and this might include how prevalent is this event in your environment what does anomalous look like more on the host than maybe the network depending on you know your environment you might want to grab suspicious events during the time that are related to downloads or network connections again maybe you have Dynamic analysis for binaries in place and you can leverage that or maybe you can vouch for that to be implemented in the future
maybe you know you're flagging against hash hashes matched with you know things marked bad in VT but it's actually outdated indicators and you want to improve that but you don't necessarily want to put it in your thread Intel uh place where maybe you're gonna get a big pile of indicators you can't really manage to update regularly so you might be able to use automation that gets more reviewed and tested over time to allow this to some extent so there is a lot of um things you could do this is just kind of some things to think about and then in case of a true positive maybe instead of because not everything is automatable and we don't necessarily
want to automate things because you need to scope an incident out you can't just oh remove that binary and close it out instead maybe you can leverage automation to pre-fetch this information so point an analyst or investigator in the right way to like okay you actually need to contain this incident what does that look like maybe you want to isolate the host maybe you want to quarantine the file only whatever so leveraging that in any way to save time basically so the recap to everything I talked about is that in my opinion automation is quite crucial especially to scale uh an environment at least you should try to incorporate it as you're building out your program uh and whatever however
your environment looks like uh there are pros and cons to consider and there's not everything will be automatable so there is still a lot of Need for human expertise when doing it especially incident response or once something is bad and figuring out to what extent and like how to remediate and contain that and with that thank you so much for listening I know it's quite late thank you that was great thanks so much does anybody have any question
but real
I mean first of all thank you so it was really interesting talk especially seeing it from my other perspective basically I just wanted to ask because you mentioned automation a lot is there like any cases where like automation has actually like fired back because for example like you automated something and um like it happened that actually this was not a false positive for example or something similar yeah
where uh just going back to the fishing and like maybe the limitations with that you you could have automation check whether there was any interactive content in the email or if it was just uh kind of like plain text not really interesting it was more of the social engineering side and then our automation thought okay it's fine the person didn't respond so we can just close it out and there wasn't anything flag malicious so we didn't delete it but then the users saw it later and responded and then fell for a social engineering attempt so there is clearly limitations but there is a lot of benefit in terms of time saved that that leads to other impact
you're welcome I have another question sure uh is it automation done like and like is it centralized or you as a responders when you like see something that is occurring quite often then you try to automate it and the reason why I'm asking is that if you're like playing this like a firefighter if I can say while you're responding to something then at the same time you want to see like do I want to automate this so is it like centralized that you have a special team who looks at the data and you see okay I'm getting this reoccurring so I want to automate this well this is mostly like when you come across something that is often then you flag it
like to automate it I have been in both situations and I would personally vouch more for the there is a separate team just because you can I think the Retro analysis aspect of it is quite valuable trying to use metrics to actually determine the impact of an action performed and then pushing for that project for example automation for a specific set of issues or like specific set of threats so let's say like network based detections and you want to implement automation but you want to be proactive about identifying what's actually helpful rather than oh you see an alert and you're like oh I seem to be doing this every other day I'm just going to automate it and that's not
really scalable in a good way over time in my opinion it makes sense thanks thank you so much I think I have another question up there so let me just get the last question and then we can move to our last talk and then at 5 30 we're gonna have the raffle so stick around please
thank you for your presentation um I just wanted to ask uh do you guys prefer to use automated tools that you guys develop like such as incorporating Yara rules with iocs or do you guys would rather use third-party applications such as PF sounds with elastic elasticsearch or kibana so if you if you could tell me more about your approach combination of
both but it depends kind of per use case basis for example we do use vendor EDR in combination with like in-house tooling so it all kind of depends thank you like someone
[Applause]
foreign just to let you know there is no break in between we're gonna go ahead and we're gonna continue with the last speaker right after this so please stick around
I'm good to go as well okay last but not least we have Dylan do beef I hope I'm pronouncing that correctly uh senior cyber security consultant from Bishop Fox and he's gonna talk about blockchain security Dylan floors is yours thank you so hello everyone and welcome to my blockchain security talk before we start just a quick introduction so I'm a French Wonder manager I'm doing uh hacking since a while now since I'm getting older every years like everyone most of my friends know me from my world project uh just like doing a screen injection by your voice recognition or implementing Eber text coffee pod control protocol to make a remote if you still have to work to grab your
coffee useless but fun I'm also doing some more serious stuff mostly with Bishop Fox since two years this is a nice job with very cool people of course uh the best of them are here today so let's talk with us if you want a special thanks to Darden for the conference and to the world beside the team and if you want to reach out after the talk here is my Twitter and Linkedin before we really start talking about blockchain just a few disclaimers we are just talking about what we are not talking about so we are not talking about tokens value because it doesn't matter we are not talking about investment because I have no idea or to invest so
if you want to be rich don't listen to me uh all the what are supposed to be digital art or these nft things with a dirty monkey we are not talking about that Nifty technology was not made for that at first and if we think about scam bump into and fishing it's only interesting when you are doing investigation so we are not talking about that what we will discuss is uh or the secure aspect of a blockchain and a blockchain application and the main purpose of this talk is to bring the interest in offensive consultant and every curious people to the blockchain site so maybe we will have more people to work with even if
that made less volunteers so now let's enter the main question because on the internet you can read a lot of things about blockchain but most of the people talking and writing a book blockchain just count answer this question so let's not solve this question very quickly before we start talking about Security even if a blockchain is all about security sub blockchain is just a distributed database with a specific functionality it solves trust issues the issues solved by the blockchain exist since a while more than 40 years it was presented in in the 18th uh mostly known as the Byzantine engine Awards problem to make it short the general business program is about sending transmitting information when
you know some of your assets some of your node or some of your general are copernized and not and can't be interest Ing and generous problem the story is if you have an army with General and you want to attack your target you need to use your general to to send the same order to your world Army so if you say to your general to attack your opponent and one of your general decide to call for retweet you will just lots of butter this is the trust issues solved by blockchain and other consensus Bitcoin was one of the first implementation of the business infiltrations of the results engine Awards program called as a result inflictorians solution
the first proposal of a solution a solution was mostly mathematical to reach our consensus that allow you to [Music] to keep your system working even with interested assets you you need 3n with one um trusted asset with an AR compromise asset uh with Bitcoin uh this is um not a visiting for tolerance implementation as it was present at this time it was reworked it was improved so we reached our consensus of 41 percent that mean you need one n plus one trusted asset process node to reach the consensus and be safe when you are transmitting information um it wasn't solving all the issues uh Bitcoin involve all the issues like the ashtray power the electricity etc etc
so other people try to develop new consensus and here comes the proof of Stack etc etc the problem the issues is proof of Stack at proof of work don't serve any issues so people continue to work on other questions so today we are here this is not only resulting for torrent this is not only proof of work it is not only proper stack this is a bunch of consensus and algorithms that solve the trust issues in different situations for instance the proof of work a week writer token to reward people providing their harsh red power but you can face a Byzantine problem without [Music] um having to provide a token or anything there is tokenless blockchain that don't
involve token money or this thing you have activity proof of capacity and even a mix of a few of them so this is a more complex subject and this is not about what you can see on the internet on non-technical paper this is about algorithm data transmission trust and cryptography so for this torque we are not talking about all the consensus because we query don't have time to talk about all of them we are we will cover all the aspects of the production but this expression we answer one question if in your system you don't need to solve a Byzantine problem you just don't need a blockchain at all so if in your daily life you speak with
people you want a blockchain in their product for any observation you just have to ask them do you need to solve the tourist issues pictures by the visiting problem if not they don't need a blockchain at all and even less a cryptocurrency well no we have a solution a consensus to serve trust issues but that's not uh enough to provide a real technology we need a decentralized application so after a few years we started to see some new blockchain that become application hosts with the smart complex technology so before we start about vulnerabilities and other stuff we need to understand the what is a smart contract basically a production is just as I say a super cheap database
stored in a multi node with the same state the blockchain is other name explained action of block with data if you can store data you can store source code of code or IC or any kind of code so if you are [Music] a code store on a blockchain powered by a node why not just call node randomly to execute code and let the console switches this side of answers all the trust issues and this is all we got the first uh blockchain with smart contracts with decentralized application when the user only had to call some nodes randomly because the console series solves the trust issues and were able to execute code and do some do some stuff
but at this point at this point we still have an issues that looks pretty obvious at this point we have no ethernet interface so for the first blockchain it was just some developer with blockchain smart Concord knowledge interacting with the blockchain doing some stuff but it was pretty Limited so they find a kind of a solution and here is how we come to our controversial world world so web3 or when I prefer to call the web 2 plus one layer because this is absolute absolutely not an improvement here is a schema of the reality you have the blockchain with your node your data your code and some dirty website in front to create your web tool plus one
of course you have the legit website mostly made by developer who publish the smartphone right but you have also a lot of other not so legit website and here we come with the website problem first all the trust issues serve as a blockchain is just destroyed by the website because the user will just connect to our website as Central realized every website controlled by just one person or a team of developer but with the website we will interact with you with the blockchain execute the smart contract that you have no ID of what is inside your your website so all the work made around the consensus and solving the byzantines problem are just useless when you are using a single
website to interact with your production and this is not the only issues this is the biggest one because the blockchain just become absolutely useless with a website but issues with you if the company shoe you have with a website like vulnerability will impact your users because if our website is compromised because of Any usual vulnerabilities users connected to the website are likely to lose their private keys are likely to accept transaction they are no clue they have no information about so now you have the console system liabilities you have the smart contract vulnerabilities all issues solved by the consensus are destroyed by the website but you also have the website issues unpacking your environment and with all the people building R1
blockchain without worry knowing what is a blockchain you can find some web stuff like some private key unique privacy we will own by one person running a world project with a lot of money inside stored in clear text in summer S3 packets VPS or other dirty server so what was a strange at first uh like the smart portal allow everyone to build our own because the decentralized application made by the smart contract allow people to answer every people to interact with the smart contract so everyone can be learned become a threat because even if anyone can build it's clear that anyone shouldn't build around and most of security consultant and better sir no wire so
let's see a real use case of what a web 3 vulnerability can look like last year I was looking around doing some research because I was tired of all these defy things or all these things about finance and money so I was looking for some new project more real use case so I was trying to find some interesting game using blockchain why game because in my port of view game blockchain can mix it can make sense for a game if there is gamer here you will probably know why especially if you are into RPG or solid strategy game a decentralized application can be interesting when it's come about Community when it come about in-game markets when it comes about competitive
game or a lot of things and you guys you can use a blockchain to run um gaming ecosystem without involving a single cryptocurrency blockchain is not about money so you can use uh for instance any gaming company social Blizzard or anything or have online for for the people who know this game can have a private blockchain with public node with [Music] um used by your just player to continue to build around the game and make the with the Game grow with the community that's why I'll stop looking for a game I was quickly disappointed because I didn't find any interesting game but in our security point of view I found some the first game I did this was a Flappy
Bird like it was on a web app a mobile app with just the usual Factory Bird game old world was a Nifty with some characteristic to deal with score with exchange competition Etc not very interesting so industrial point is the team start to make some contests with real money involved in price Sports so if you know there is a game published with a a daily contest with money involved what Google could go wrong of course it will be attacked because every day you can earn money spoiler on the story The Smart contact was not the issues so what was this game as every competitive game mostly when it's it's involving a price pool with money
you will attract boots to cheat and go to competitive game and be ranked uh without doing anything if you want to know more about voting game you have the perfect work tomorrow for the game every day you had five thousand dollar in price pool every day eighty percent of this happened was distributed on the top five players so it was an easy way to make a decent daily amount of money and as a Target outside of a smart contract we had a JavaScript web app a mobile app for Android and iOS the fact the reality of this game is after only two days of launch uh uh dedicated team from sankapur already finished to build about to
attack the game the team will build this game was only focused on the Smart Control acts of the was only focused on the smart controller the cryptocurrency ETC so when they publish the first version of the game there's a gaming didn't had any um anti-bought anti-cheat Solutions uh inside the source code so it was an easy win first day they published the game I did some communication people start to play with the second day it become popular the third day the full top five was owned by the Sangha party and ultimately got grabbed by support team so they tried to click to quickly answer the problem and develop some antibod solution that developing antibod solution is a real
world works you can improvise so the next coming days was mostly the team updating the project pushing some antibods called direct chain projection to stop the the building and on the other side the Singapore team updating their bot to bypass the patch so the team got only started to ban all the birds buzz on know your metrics they were just like I I'm sure this guy is cheating so let's burn the birds um at the Romans we have like twenty thousand dollars of damage with all the users that got buying for no reason it was a complete for people who was crying opening on the community it was kinda fine for my from my point of view at this point I was
just curious I started to infiltrate both the bot team and the project team I was at a point I had an account on Discord on the both team getting access to some of the code of the Bots and those are sides they got me moderation permission from the team and the Discord to manage water the the bot was so I was just in the middle of everything looking with a I wasn't robbery that was just having fun for me so I spent few days get information okay that's the code from the boat located solution proposed by the project team and I didn't find any solution so before leaving this story I am just ID to do something just for fun it was kick
so both team from the top five find a way to be first and just uh beat the boat so as every pentester I'm start I start looking at every piece of the project developing a boat was not my plan because first I'm too lazy to build a boat for this kind of game secondly it was JavaScript I can do JavaScript but I don't like it so I'm not gonna develop a boat in JavaScript so I start to look at the Smart contract I didn't find any common vulnerability both on the NFL contact or all the contact undering the tokens the money it was pretty safe they had um what we call a code wallet this is a smart
contract earning order token and who are doing only one action so it was kind of a security by Simplicity oriented but I didn't find any way to get anything from the contract in the same way I didn't fire the private key it's a properly store it in a secure way then financing so I start testing the Android on Android app because I like Android didn't test the IOS app at all because I don't even have an iPhone so after doing some tests I found the app has no root detection so you can root your app doing some analysis they don't care no certificate pinning so you can intercept every request between the phone and the game
but I don't find any interesting that I have stored on the phone except your own wallet but anyway I don't want to put my wallet on my phone or do this kind of stuff so I started to look for those away and that's why I didn't spoke about the web app yet so I did what I'm doing almost every week I launch burp start to intercept all the requests between my browser and the game and I quickly found that there is not that much request see I found one interesting request when you launched the game there is some call to check your wallet check your build ID and stores the data inside your JavaScript and after that even with the
interception on you can play the game without being interrupted and when you complete the game when you lose you up a final request this request it was very simple you have no authentication at all the first request getting your build ID information from your wallet was provide underwater with the score no authentication no permission control nothing just calling what they call an API I'm not even sure we can call that an API this is just a post request sending your board ID and the score so if you want to be first what should I do just simply send a request every day one second before the end of the contest just getting the top payer score and
adding adding one and sending the request and that's it you win so just with this request the both team was out of the top one I just
thank you so um yeah so I did the test once uh wasn't very interested by doing this every day and storing the money I was just curious and trying to to beat the bad team so it was pretty successful um so at this point the result was also security was on the smart contract side the game was just a client-side JavaScript with no authentication at all it was Bare via game um the both team did lost a lot of time because I still I'm still trying to figure out why they did so much development to have about when they you just have to send a request to win the game and that's it there is a lot of work to
do for having a VR game in my point of view this is not even a bit ad game in beta test this is just a proof of concept or oh you can make a game with the blockchain using real money for this is is a is a shame wait yeah perfect um so the point of this story was just to show you uh that even if you don't know uh Auto Pro to develop smart contract you can still be involved in blockchain security because a lot of people are directly doing dirty things around the blockchain so you can have fun you can find some interesting stuff if you have a junior open tester this is also a
good way because you are going to find some vulnerabilities we didn't find since 20 years so this is heaven this is like doing some training in some challenge website uh you have the people doing smartphone tire then the build uh some up of this Smartphone right um this is also a good way to stop to learn smart contract because when you are going to analyze all these projects are working just you will start to understand uh all the technology bi uh the smart contract used by this project Etc so it's a good way to start if you want to learn or to do some pen test or backbending but at the point you will you will you are
going to want to to test the smart contracts you are going to do some bugmentation and there is platform for bug Bounty for smart contract and the Ubuntu are pretty juicy because with a critical appointee you can earn like Alpha million for a single critical Bundy so can be presented interesting but before you you launch yourself on the smartphone these things you need to know few things smart portraits are public and at the moment you publish your code is it's at risk everyone can read the code if the code is not easily readable you still have the Hope code so there is always a way to understand what the Smart Control is doing everyone can interact with everything so
it's like been attacked at every second and um even if you shouldn't test in production most of the bug Bounty Target magnet the main net is equivalent of a prediction so this is a everything you are going to do we will have an effect and with blockchain and smart contract all the things you are going to do can be undone when you launch your attack when you try something since you launch our attack it's too late to go back and here we go to what I call the devops 199 technology methodology a few years ago a very big project with uh 300 millions of dollars inside had an open issues on GitHub a user just come open initial
and GitHub and tell anyone can kill your contract when you kill a contract you don't destroy the data when your data is on the blockchain it's in the blockchain but if you kill the contract it will lock the call to act everything will be terminated nobody will be able to interact with it everything will be locked so this guy the verbs 199 open issue heading to the this big project that anyone is able to kill the product while waiting foreign [Music] and just a few after publishing this issue he published an update to the issue I accidentally killed the contract the contract so the guy was just doing some tests he opened the issue because he was worried
and while testing he accidentally triggered the function to kill the contract and then the contact got locked and all the money got lost so just because I don't know he forgot to comment online [Music] on the the smart contract or on the exploit it just locked 300 millions of dollars you know I guess you can understand why the name on GitHub is Ghost and not devops for people who don't know August is the name you got on GitHub when you delete your account
as well after that
this is the kind of Horror Story We Tell to new tester to African because we don't want this thing to happen again and I don't want to be responsible of this kind of thing I don't want to be cover uh because of a mistake became the most hated man of the world so I start to draw a checklist of things I should do to avoid these kinds of issues first protect yourself you need to use dedicated wallet or smart contracts because when you interact with a contrast you are going to to send some authorization to give some permission to interact with the contract so there is malicious contract you have honeypots when you send a notarization
to this cortex you can have some little piece of card hidden that will install everything from you if you interact with the contract so don't do testing because the projects are verified but if you are doing it while testing just looking at contract and trying to do some tests use that educated wallet so you are you will not lost anything on your car you or you will always need to double check the addresses I will explain you why in a in a few you also need to add the authorization control and withdraw and transfer function to avoid to lock your phone because if you manage to exploit a vulnerability to store the token for good purpose like a good white art and
you plan to send the money back it's not a good idea to store the money in a more vulnerable contract than the previous one so you you will have to be careful of the way you are doing your test to be honest I did make I did made some mistake when testing fortunately it was only on training labs and test environment so I didn't attack anyone but I have some surprise and this is scary long ago I was training on a damn vulnerability fire this is a lab you can use to learn or to pair or to exploit vulnerable smart contracts so I was working on it just to learn a new way to to export smart contracts because there
is a lot of different vulnerability it takes a lot of time to understand or to to to just to make a lot of time to learn all these vulnerabilities so I was dealing with one of the challenge this is a simple contract this is a vulnerable one you have three function one to deposit token one to withdraw token and one to do flash loan a flash loan is a function that allows you to borrow tokens perform operation you can execute and do anything you want with the token as long as you send back the same amount of token at the end of your operation so you have to borrow the token do all the operation you want and
send the exact amount back in one cycle but this contact was vulnerable to expand the vulnerability quickly on the flashlight function you have [Music] a variable at the beginning that store the balance of the contract before the loan then uh you can borrow the token and execute anything you want and at the end you have a require this is a condition check that will control if the balance of the contract after your passion is equal or above the balance before annabity is here because there is some a subtlety in the deposit function when you deposit token you still have the ownership of the token so the contracts the loan function is checking the balance of the contract and
not the ownership of the token so to perform your attack you just have to call the flashlight function will trigger your execute function on this execute function you have one thing to do just deposit the token you just borrow so you ask the contract to give you some token and in your execute function you deposit the token and you stop your execute function when your git function end you trigger the condition check so the contract will check his own balance since you deposit the token the condition there are met and everything can be run as expected but it is not because you close your execute function that you are stuck in your action after closing your executive
function and deposit the token your attack function can withdraw the token you just deposit because you still have the ownership since it's a deposit so the condition is met but you can withdraw the token it is this is a way to drain all the token from a flash clone smart contract so you just have to follow this this workflow withdraw that they can send the token back to you and you have ordered okay so I develop a smart contract to perform the exploit I launch my exploit and I got a surprise I had some debug on my code because I was learning so before launching my exploits I was checking the balance of my target I was checking my own balance
then I launch exploit and I check again both balance so I can see that after my export the smartcontroid don't have any token anymore so my export is working so token are not here the problem is my balance didn't change at all so I stole the token but I have no idea where is the token at this point I was just like why is that okay where's the money I mean my spot did work because it's a contract with the vulnerable contract don't have any token anymore but sorry oh uh I'm going to tell you it was a lab so unfortunately nobody got any any loss so I double check my exports my smart contract once twice
and I didn't find the reason it wa
Related talks
39:40
1:09:05
39:04
23:08
41:40
45:11