
Moving up, and welcome to BSides Las Vegas. This talk, Build Hybrid Mobile Applications Like a Security Pro, is given by Vanida, a security researcher from Synopsys. A few announcements before we begin: we would like to thank our sponsors, especially our Diamond sponsor Adobe, and our Gold sponsors Prisma Cloud, Sam grab blue cut, PlexTrac, Toyota, ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this event possible. We have policies about cell phones, and these talks are being streamed live except in the Underground. As a courtesy to our speakers and audience, we ask that you check to make sure your cell phones are set to silent. Please, if you have a question, use the
audience microphone right there to ask, or you can check with me or any other person if you want to use it or ask questions. You may be asked to make announcements. So as a reminder, the BSides Las Vegas photo policy prohibits taking pictures without the explicit permission of everyone in the frame. These talks are also being recorded, except in the Underground, and will be available on YouTube in the future. Please move over to this side of the room and enjoy your talk. Thank you, and welcome Vanita. [Applause]

Hey, thank you. My name is... welcome to my session, Build Hybrid Mobile Apps Like a Security Pro. I also go by the name Vinnie, like my
cousin Winnie, in case that name is too hard. So let's get started. A little bit about me: I am a security researcher at Synopsys, and my job involves evaluating frameworks and new languages, and all of this research goes into static analysis tools that will help catch instances where those libraries are implemented insecurely. Before this I was actually in consulting, working in the field doing pen tests and source code reviews of mobile apps and web applications, so most of my clients were in the financial or healthcare industry. I live in the Indianapolis area, and when I'm not working I like to do things that keep me off screens, like learning new dance forms. I learned a bit
of violin, and I also like to be outdoorsy and go on hikes. However, my current obsession is all about growing some vegetables on my apartment patio, and I'm here for 10 days, so I'm pretty sure they'll be dead when I go back home.

All right, so in today's session we're first going to set the foundation and talk about some basic concepts about mobile applications, like their characteristics, what they're made of, what their threat model is like, how it's different from that of a web application. Then we'll go over some basic concepts about mobile apps as well, and then we'll go over certain principles of application security and see how you can use them to build hybrid
mobile apps securely. You can build them really fast, but it's also important to build them securely, and we'll use those principles to understand how to do that. At the end of the session I have a fun little interactive exercise planned for you all, where I'll show you some insecure pieces of code, and if you correctly identify the insecure line of code I have some goodies to give away. We'll then wrap it up and summarize everything we've learned today and open it up to questions.

So, going back to basics. How many of you here have built mobile apps before? Okay. How many of you have been on the other end of the spectrum and hacked or
broke into mobile apps before? Okay, I've got more hackers here. Okay, great. So just really quick, some 101 for mobile apps. Initially mobile apps were just for productivity, right? Like to check your calendar, your email, your planner. If you remember, BlackBerry was one of the first ones who made this available to use on the go. But now mobile apps are not for productivity; I think they're for everything else. They're for calling a cab, ordering food, looking at the sky and identifying stars, and I hear there's a mobile app to hunt down ghosts too. I really hope that doesn't work. And 99% of these mobile applications cater towards two main operating systems: Apple's iOS and Android,
which is owned by Google. All of these mobile applications are built using software development kits, or SDKs, and typically there is one SDK per platform, which means there is one for Android, usually based on Java and Kotlin, and there's another for iOS, and it's usually based on Swift and Objective-C. So when you have an SDK per platform, what's the biggest downside to that? Does anybody know?
Correct, yes. So to repeat that answer, the downside is that you have to start building the code from scratch again when you start supporting new platforms, which is a lot of duplication of effort. And that is where hybrid applications came into being, where you can just pick a framework like React Native or Xamarin or Cordova, what have you, and you code just once, you test just once, and then you build it based on the platform that you want to support, which means your developers have now saved a lot of time. These applications came to be known as cross-platform apps or hybrid applications, and they tend to have a lot of web components in them. For the rest
of this talk we'll try to use the word hybrid apps to refer to cross-platform apps as well as hybrid apps.

Some characteristics about mobile applications. Every mobile app on your phone is running in its own isolated environment. What that means is that that application process only has access to the data in its own isolated environment. This environment is usually referred to as a container or a sandbox, and to talk to other applications on the device or access data in a different sandbox, it would need the right permissions and it has to leverage inter-process communication. Fun fact about why it's called a sandbox: imagine a bunch of kids playing in a big sandbox. Now, I don't have kids, but I've
been told that's a recipe for disaster, because kids don't want to share and it will lead to fights. So what do you do? You split them up and put them in their own sandbox and everything's jolly. So apparently that's how the term sandbox came into being in the mobile world. Anyway, so mobile applications tend to have a lot of code and a lot of data on the device, because it cannot bother the server every time it wants to access some data that you as a user frequently request, for example your display picture, your username, your email address. It tends to store this data on the device so that it can quickly grab it and render it in your mobile application,
because you probably open your mobile app more often than you do web apps, so mobile apps tend to do that. And in terms of how it would communicate with the server, it's not very different from that of a web application; it would typically make calls to the server using REST or SOAP API calls. Authentication is something interesting in mobile apps, because in web apps you would probably use usernames and passwords to log in every single time. I'll try to stay here. You probably are going to use usernames and passwords every single time you want to log in, but mobile apps make this easy. They make re-authentication easy, because mobile apps can leverage the biometric
authentication and the passcode that you already have on your device, which means mobile apps could save some session information or usernames and passwords or JWT tokens; they tend to save them on the device. Now, everything we've discussed so far is what the mobile OS provides by default in terms of security context. But this is your device; you probably want to tweak it and customize it to your own liking. Imagine you had a laptop and you did not have root access or admin access on it; you wouldn't be cool with that. Similarly, some users like to have the ability to really own that device and make it work for them and not
have to work within boundaries, so such users could jailbreak or root their phone, which, from a high level, means you're just disabling all of these security features and isolation. But hey, you can download that cute little emoji keyboard, right?

So, going over the threat model of mobile applications. In my opinion, one of the biggest assets in mobile apps is data. Now, in web apps too, data is an asset, but in web apps most of the data tends to be on the server side, in a database or on the cloud. But in mobile applications, like we discussed before, a lot of sensitive data could be stored on the device, so it's a very big asset. Similarly, the code of a mobile
application could be on the device, which means that it's not just UI code; there could actually be some validation code, there could be something more interesting than just low-impact UI code. So that is also a very big asset. And we discussed how user credentials or session information could also be stored on the device. So threat agents to all these assets could be other malicious apps on the device, or it could be someone who has stolen your phone, especially if it's jailbroken, maybe it's easier to access that data. And users are also threat agents, because at the end of the day an attacker is a user, and they're trying to understand your app to understand how to break it.
But in general, the likelihood of a successful attack on your mobile application is considered low, because first of all the attacker has to stay up to date with all of the security updates that these OSes are making very frequently. Number two, the attacker may need an already compromised environment, or has to chain a bunch of vulnerabilities to get a high-impact vulnerability. So that is why, in general, mobile application exploits are considered to have low likelihood.

Okay, so now let's get into hybrid mobile applications, which is why you're here. So like we discussed before, what is a hybrid mobile application? It is something that you just code and build once and you can
release for multiple platforms, and it's not just for mobile OSes; it could also be for Linux or macOS or even web browsers. So it's gotten really, really easy to build hybrid mobile applications thanks to these platforms, thanks to these frameworks, and these frameworks tend to be Cordova or Ionic, Flutter, React Native. And because these frameworks have made it so easy, hybrid applications are on the rise. In fact, according to a recent statistic, a lot of the retail applications in the market right now are built through one of these frameworks. So just a fun fact. So how would you go about building these hybrid mobile applications? It's just like any other mobile app: you start by
creating your widgets, your UI, except in hybrid mobile applications a lot of this is already done for you. A lot of this is already pre-built and tested and made available to you through libraries. And when I talk about libraries, I like to use this example: consider you're trying to make a big bowl of chili for a barbecue. You're probably not going to go and get all of the individual ingredients and cut it up and chop it up and add it to your chili; you're probably going to get canned beans and canned corn and add it and save time. So similarly, with hybrid mobile applications, a lot of the functionality, not just for UI, whether
you want to implement data storage or talking to the server or trying to implement biometric authentication, all of this code is already tested for multiple platforms and made available on package managers like npm or pub.dev, depending on the framework, and you can just grab that library and plug it into your code, and you just have that functionality like that. This is another reason why hybrid mobile applications are really easy and very popular, because it's so easy to create. These libraries are usually maintained through open source or through the community of that framework, and currently, here are some numbers: Flutter has 36,000 libraries and React Native has 46,000 libraries, and that number is
just growing. It's just making it easier and easier to plug in and play your hybrid mobile applications. Here are some examples of hybrid mobile applications in the market right now, some really famous ones: BMW, Skype, Walmart, so many of them. Here's an example of what a library would typically look like. Here on the right side you can see that the library's name is local_auth. It's a Flutter library, it's maintained by the package manager pub.dev, you can see that it supports three platforms, Android, iOS and Windows, it seems quite popular, 99% popularity, and it's maintained by the verified publisher flutter. Now, if you're a developer, you would probably stop at this page of the library documentation,
or maybe you would go to the installing page or look at an example, see how you can implement it. But how many of us really go deeper and understand how these APIs work? Do we really look at it from a security perspective? I don't know. So we'll learn how to do that in this talk. So here's some sample code of how you would use this library. You would add this library as a dependency, you would import it into your project, and then it's as simple as calling the authenticate API to implement biometric authentication for your user. If you didn't have this library, you probably would have, I don't know, three times as many lines
of code to implement this, so libraries really make it easy. Now, I saw that there are a lot of hackers here. Can anyone recognize what's wrong with this code? Is there anything insecure?
So if you're a pen tester and you've hacked mobile applications before, you will see that this API returns a Boolean value, and if you've hacked mobile apps before you know that it's extremely trivial to flip the switch on a false Boolean to a true Boolean and trick the app into thinking that authentication actually passed, but it would have failed. So such kind of validation is considered insecure; it's called event-based validation, and we will talk about that more in a future slide.

Okay, so we've talked about hybrid mobile apps, we talked about the fact that you may be building these hybrid apps through a bunch of libraries from the open source, it's third party. So I
researched this, I research such things in my job, so why don't I just give you a list of secure libraries for every framework, for every functionality? I could do that, but what if the library gets outdated, or what if there's a CVE in the future, or it gets associated with a supply chain issue? What would you do then? So let's take an alternate approach and go by this. If you recognize what this means, it translates to: if you give a person a fish, they'll just eat once, but if you teach that man how to fish, they will eat forever. So we'll take a similar approach today and see how we can evaluate libraries on our own, and to
do that we will take the help of five principles of application security today, and see how you can comply with them, use them when you're picking libraries or when you're writing your hybrid mobile application from scratch. It doesn't matter; these principles will really help you.

Okay, so the first principle I have is called the principle of least privilege, and what it means is that less is more, or that you need to have a granular permission model when you're building an application, web or mobile, it doesn't matter. You need to work with the least number of privileges that you can get by with. So mobile applications need the user's permission to access a lot of features
on the device, like Bluetooth or location or Apple Pay, a lot of things, or photos. So the user has to explicitly grant permission to do this, but your application shouldn't ask for permissions it doesn't really need. Like, you may not want to think that, oh, maybe I'll need it in a future release, I'll just ask for the permission. It doesn't work like that; users will get suspicious, and you may also violate some data privacy laws depending on where you're using that application. So let's take an example to understand this principle. Assume that there is a music streaming app like Spotify, and that app asks for permission to your device's Bluetooth. It's fine, it probably wants to connect
to a speaker. But what if it asks for permission to your camera or microphone? It probably doesn't need that permission; it is suspicious, it's violating this principle. Let's take another example: a food delivery app. Can someone name a suspicious permission it can ask for? Yes, correct, yes, that is the correct answer. So when you're building your mobile application you probably want to make sure... can I throw it to you? I will try. Okay, thank you. Okay, great. So when you're building a mobile application, you probably want to work with the minimum set of permissions, and when we talk about hybrid mobile applications, you may be using a lot of libraries for different functionalities like data storage or
biometric authentication or web views, so you want to make sure that the library is not asking for permissions that you don't really need. And even if it does, you want to make sure that they're configurable, that you're able to turn them off, and the library is not forcing an insecure default on you. You may also be using libraries that help you handle these permissions, like checking if the user already granted a permission, or maybe it helps you ask the user for permission at runtime. So in either case it's important to again have a known set of permissions you want to allow, and make sure that you're explaining to the user why you need that
permission, so that they can make an informed decision. Applications also tend to expose some of their functionalities in the form of, say, intents or universal links, and you may want to put some restrictions there too and not expose it to all applications on the device. You can make use of app groups, make the app belong to a certain group of applications so that you expose your functionalities only there, or you could even make use of what the native OS provides, like one-time access or signature-based permissions. You can leverage all of that, which libraries may not provide.

The next principle I have for you is called security by obscurity, and yes, that is my cat hiding behind my plants,
and she thinks she's obscure, but she's not. So what this principle means is that if the inner workings of your application are completely hidden, you're safe. That doesn't sound right, does it? And you would be correct; that is a myth, and that has long been debunked. But let's think about this principle from a mobile application perspective. We discussed how mobile applications are very client-heavy, which means a lot of the code and data is actually present on the device, so maybe this principle can be helpful. Assume that you released your application without any obscurity or obfuscation, and an attacker can download this application. They don't even need an account on your application; they can just decompile, unpack your application,
understand what's going on, understand the different methods and classes, and they can use that information to perform targeted attacks at your users or at your server. So you want to make this really hard for the attacker, and how you can do that is make your code really hard to understand. Now, if you're a bad coder like me, then you're probably already there: it's already obfuscated, no one can understand it. But if you want to do it the right way, make sure that in your hybrid application, any framework that you pick, any library that you pick, make sure that the obfuscation options it provides work for all the platforms you want to support, and that
these options work for all the languages in your source code and not just the code that it comes with. All of these frameworks come with their own languages, like React Native comes with JavaScript, Flutter comes with Dart, and sometimes these code obfuscation options could only work for those languages. But you don't want that; you want to have coverage for everything in your repository. Some other ways that you can obfuscate your data is by using code splitting, which is exactly as it sounds: it's breaking up your code into multiple pieces so that it's harder for an attacker to put two and two together.

So, moving on to data in your application. You know, all the data that's on the
client side, you want it hidden, you want it obscured from an attacker's malicious process or hands. So how do you do that? One way, obviously, is to encrypt any sensitive data that you're storing in such an exposed client-side environment. So when you're using libraries in your hybrid mobile application to handle data, like fetching data from a location or writing data to a location or sending data to the network, in all of these cases make sure that you're encrypting sensitive data, make sure that the library actually supports safe encryption, and please don't use in-house crypto. You probably want to make good choices when it comes to encryption algorithms, key generation algorithms, hashing algorithms and even the key size;
you want to make good choices there, because the library is going to give you a lot of algorithms that you can pick from, so it's up to you to make the safe choice there. Now, an interesting challenge you'll come across when you go to implement encryption in your mobile app, which is: where will you store the encryption key? It's the client side. Does anyone have an answer? Yes, yes, correct, yeah, you can do that. Any other answers? Yes, yes, correct. Yes, so a lot of options here. One answer was do PBKDF2 derivation, one was using the Secure Enclave. All these are correct answers. So you can always save encryption keys in a location that is backed by OS security,
for example a keychain. This is backed by the security that secure enclaves provide, so that's a great option. You also want to make sure that you're obfuscating any data that you're displaying to the user, especially sensitive data like passwords and Social Security numbers, especially if they're going to come to DEF CON and other conferences; you don't want them to enter payment information in such a public area. So make sure that when you go to build display forms, or forms that take in sensitive user input, make sure that the library supports masking of sensitive data.

Moving on to the next principle, it's called minimize the attack surface, and what this means is... what exactly is
an attack surface? It's all of the entry points into your application that an attacker can leverage and launch exploits through. Now, if you want a secure app, you probably want to keep the number of such entry points to the absolute minimum. And in mobile applications there are a lot of ways through which data can enter your application, a lot of untrusted data can enter your application, and in my opinion, in hybrid mobile applications the biggest culprit to open up your app and take in untrusted input are web views. A WebView is like having a tiny little web browser in your mobile application that hosts or loads an external web page. Now,
you may be trusting this web page, but if you think back, you're again violating to some extent the least privilege principle, because you're trusting something external and loading it in the context of your application. So when we talk about web views, obviously there are web elements like HTML and JavaScript, and when I talk about JavaScript we have to mention the vulnerability. Anybody know? JavaScript... XSS, yes, correct, yes. So XSS is scary. Sorry, I get it here. So XSS is scary, but it's especially scary in mobile applications, because this script, this untrusted script, could actually have access to the sandbox of your application, or maybe your application has permissions to other components in your device like contacts
or Bluetooth, and the script could actually have permissions to all these applications because of your app. So you want to make sure that when you build web views... I'm sorry, the mic is just echoing a lot here. Okay, that's better. So when you're building web views, just make sure that you're validating any inputs that are coming in through untrusted sources, and it's not just user input; some other untrusted sources could be the clipboard or the system keyboard, because everything on the device has access to them. So you want to make sure that anything coming into your hybrid mobile application is getting validated and sanitized, and when you pick a library to handle all of this user input for you, to
create forms for example, make sure that the library supports you in performing such validations. When we talk about attack surfaces, it's also important to mention deep links and Android intents, and what that means is that you are exposing certain functionalities to some other applications through something like a URL, and this URL can actually have query parameters, and these query parameters can enter your application and corrupt what's in your sandbox. So again, you want to make sure that you thoroughly validate them, and it's always best to keep it to the absolute minimum and not accept untrusted data unless absolutely necessary; you want to limit such functionalities. Here is some sample code of an insecure WebView. As you can see,
you have created a WebView and then you are injecting at runtime some JavaScript that will take user input and manipulate the inner HTML of that web page. So this is really bad, and it will open up your application to a lot of injection attacks. So we've talked about how untrusted input could enter your application and cause trouble, but there are also other ways where you increase your attack surface, and one of them is writing data or leaking data onto untrusted locations on your device. So you want to make sure that when you pick libraries for your hybrid mobile application, you want to make sure that it does not do any excessive logging. You
want to make sure that you follow good practices and not log sensitive data or save user data in a location that's outside your control, like external storage. You want to make sure that you keep it locked down and leverage what the native OS provides to keep everything secure and isolated.

All right, the next principle I have is called the principle of client trust, and what this essentially means is that you shouldn't trust the user using your device, and you shouldn't trust the environment in which your application is running. I like to use the phrase "trusted on busted". What that means is that trusted code is running on a busted environment, and you want to make sure
that your application stays resilient and protects the user even in such a compromised environment. So let's break this down and see what it means, what trust means, in each of these components. Let's talk about libraries first. We talked about how hybrid mobile applications are probably going to be built with libraries, and these libraries are third parties, so obviously third-party risks are inherent; you cannot avoid that. But you could have some practices to make sure that you are mitigating the risk that comes from these third-party libraries, which involves performing a periodic software composition analysis so that you have an idea of all of your dependencies and what that opens you up to, and you want to make sure that the libraries are from a
verified publisher, you want to make sure that there are no CVEs, and you also want to make sure that all of the security controls the library provides work all across the platforms that you want to support. Now let's talk about the network. How does the client know that it's talking to the right server counterpart? Does anyone know how mobile apps do that? Yeah, yeah, correct, yeah. So the answer is certificate pinning. And in your hybrid mobile application you may be using a library to do this for you. Again, it's important to understand how that certificate pinning API works; make sure that it doesn't return a Boolean value, it's not
event-based, because we saw how easy it is for an attacker to flip that switch and trick the app into believing that it is talking to the right server where it may not be doing that. And the native OS also provides a lot of good network configuration controls to make sure that the app is talking to the right server. In Apple, the option you have is to use App Transport Security settings. It's usually just a configuration file, a plist file, where you can specify a lot of network security options like forward secrecy or enforcing HTTPS communication with the server, a lot of those options.

Moving on to the user. Why shouldn't you trust the user? Because
at the end of the day a user could be a hacker again who's trying to break your application, or there are two other kinds of users: the extremely tech-savvy one, who probably jailbroke their phone and has some suspicious apps on their phone, or the extremely non-tech-savvy user, like my grandmother, who probably has clicked all links and installed all kinds of malware. So you want to make sure that your app actually is safeguarded even in such an environment. You want to help the user make good choices; you also want to protect the user from themselves. How do you do that? Let's take an example. Say that your user has downloaded a
third-party keyboard, and they're using this keyboard to even enter sensitive data in your application. That's a great way for attackers to harvest credentials of your application. So as an app developer, what you could do is you could enforce the system keyboard for such sensitive fields, which means you have to force the user to only use the system keyboard and disallow any other third-party keyboards from being used, especially when it comes to such sensitive areas in your application. So when you pick a library to handle user input in your hybrid mobile application, make sure that it supports such kind of enforcement of keyboards. You want to make sure that you help the user this way and help them make good choices.
You also want to make sure that when you're using the keyboard, the user is not able to bypass that enforcement that you have. There are some ways where, again, it's event-based, so it will be bypassable, so I want to make sure again that it's not event-based.

The next principle I have, the last one, is called defense in depth, and what this essentially means is that you should strive for holistic security. You want to make sure that you have multiple controls in place so that if one fails you have others protecting you from chaining of vulnerabilities, and hence avoiding a domino effect. There are different defense-in-depth
strategies you can take in mobile applications, one of which is ensuring that your application does not run in a jailbroken environment. So does anyone know how you could do this without using a library? How do you detect that a user's device is jailbroken? Yeah, this is a hard question, yeah.
yes correct so the answer that came from the audience is that you want to ensure that you're not able to Fork a process you're not able to run certain processes or open certain files I think that's what you said so yeah I'm going to try to do this see if I heard someone please don't sue me oh thank you sorry about that okay great so uh yes that is the correct answer if you were implementing jailbreak detection uh in the native code you probably have like several different checks you can bundle together and ensure that it's not it's not jbroken but see in hybrid mobile applications you're probably going to use a library to do Jailbreak
detection for you and what these libraries will do is that it will bundle all of these multiple checks into one single API call so that you can just call that API and depend on that API to check for J break and now this API will again return a Boolean value which is again very easy to bypass so what can we do what should you look for you still probably want to use such apis but you want to use it securely so when you pick such Daybreak detection libraries make sure that it is result based and not event based result based means that it doesn't return a Boolean it returns like a type so it's harder for attackers to
spoof that. And some other defense-in-depth strategies would be making sure that it is running on the latest OS version of that platform, because typically the latest OS versions have all of the security updates in place and hence it is harder to bypass. And you also want to have some anti-reverse-engineering controls in place: not allow any debuggers to be attached to your application process. You also want to make sure there's no debug code or development code left over in your source code. There are some frameworks where there could be some debug or development code in your repository and it doesn't get stripped when you get it ready for the release, so you want to
watch out for such things. And in general you want to make sure that the library is clean: not associated with any supply chain risks, no CVEs, is being kept up to date, it's actively maintained. You also want to make sure that there are no deprecated methods. That's a big one. A lot of the libraries have a lot of deprecated methods that the native OS probably cannot understand, so it might malfunction and open it up to security issues, so you want to watch out for that. So that was the last principle I had. So now we can play that exercise that I said. So I'm going to show you some library documentation. I've got three
libraries that I'm going to show you, so I have three chances, and if you correctly identify what is an insecure option or an insecure line of code in that library documentation, I'll give you that little orange ball. So the first library I have is something that you can use to hash data, and it lets you pick some hashing algorithms to hash that data. So here's that API and here are some options. Can someone recognize what's bad here? Yes, yes, correct. Yes. Yeah, any other? Yeah, yeah, I'll give you another one. Forever? Yes, that is correct. I think I already gave you one, right? No? Here, sorry. All right, so the next one I have is a
library that does cert pinning, but you don't need to know what cert pinning is, it's that obvious what is insecure. Any guesses? Yeah, this one. Yes, correct. So if you can see, this library lets you disable all security, which means you can disable cert pinning for that application. Thank you so much, I appreciate it. It's a good idea. No, I was going to get ready too, but there are so many obstacles in your way, I'll hit someone in the head. So yeah, so disable all security is an option that this library provides. Thankfully it's not set to true by default, so this is an option that you can use to disable cert pinning for a specific URL.
So the next option, the next library I have is something to launch a WebView in your hybrid app, and these are all the options you can configure the WebView with, slash library. This one is a little controversial, but I'll wait till you guess it.
Okay, I'll give you a hint: it's something to do with Boolean. Yes, yes, correct. Yes, I am so happy that that was the last question, this is my last one. Okay, great. So yes, that is correct: JavaScript is set to true. You probably don't want to create WebViews with JavaScript running by default. You want to turn it on on an as-needed basis, because we talked about it earlier: it's just increasing your attack surface. It's not a good defensive strategy to keep it on by default; that's an insecure default. Okay, so let's summarize. I think, yes, I think we're on time. So to summarize, hybrid applications are really, really easy to build, they're really, really easy
to just plug in and play and support multiple platforms, multiple users at once. So you want to make sure that when you build one, you're building it securely. And if you're not a developer here, you're someone who manages some developers, who supports the security aspect of application development in your company, you can support them by maybe having them take a course on the security aspect of the framework that they decide on during the design phase of the SDLC process. So maybe that is something you can do. If you're a developer and you're trying to pick libraries to implement different functionalities when you go to code this hybrid mobile app, make sure that you
really scrutinize this library and understand what the API does. Go past the example page in the documentation, go deeper into the API documentation, and make sure that it does not have some insecure defaults, is not using event-based authentication or event-based validation. And you want to make sure it does not have CVEs, and if there are, it's patched and you keep the library up to date. All of these great, great controls. And do not forget that the native OS actually is trying to help you; it has a lot of controls that you can also leverage, so make sure that you complement your security controls with the OS's controls. Okay, so real quick, here are some
resources that you can use when you are more interested in this topic. I like the MASTG guide by OWASP. It's not necessarily for building apps, but it's more for getting a perspective from the attacker's perspective, to understand how a mobile application could be broken. There is the OWASP Mobile Top 10; it gives you the top 10 vulnerabilities right now for mobile applications, and right now they just came out with their initial release for 2023, if you're interested. There is the NIST document for mobile device security. This is not really for mobile apps, but more in general how mobile devices are used and what OSes could provide. And lastly
there's the OWASP Cheat Sheet Series, where it's a quick reference for developers in case they want to refer to some security controls per category or per concept in your mobile application. I would also like to mention that it's not a bad idea to read the security context documentation that the OSes release. It's really not technical jargon, it's actually very easy to read. I've read Apple's iOS security context document; it's really not bad, it's not like a user agreement, so it's not boring. So I would really recommend reading that too, because then you'll understand how the native OS works and how it tightly integrates the security APIs so that you can leverage them when you go to build
your hybrid mobile app. With that, I will thank you all, first of all, for coming. Thank you, BSides, and any questions, I'm here. If you don't catch me here, I'll be outside. So thank you everyone for coming. [Applause] Please, if you have questions, come over here to ask. Thank you.
Okay, I guess no questions. That's okay. Oh, there you are. Thanks. One of the big things that I like to do when I'm implementing stuff is put checks in the continuous integration environment. Do you have any ideas or recommendations about static analysis tools that you can use as a part of that? Because it's easy to check once, but I may not remember six months from now whether or not that library is still maintained, or whether it's on the latest version of the mobile operating system. Is that something that you have any recommendations on? Yes, so there are a lot of static code analysis tools. There are free versions and paid versions, but
all of them have all of these rules that you can use to identify such insecure implementation of libraries. Now I'm from Synopsys; Synopsys has a great static code analysis tool that you can use as an IDE plugin, so that developers can catch it even before it hits the pipeline. You can put pre-commit hooks and what have you. And yeah, I think, does that answer your question? I'm not supposed to mention tools, I signed an agreement. Okay, all right, any other questions? Okay, well, thank you all for coming. Have a great conference. [Applause] Thank you.
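The three documentation exercises in the talk (a hash library that lets you pick a weak algorithm, a pinning library with a "disable all security" switch, and a WebView library whose JavaScript flag is true by default) and the audience question about catching such things in continuous integration map onto one small check. The block below is an added example and is not code from the talk, from Synopsys or from any of the libraries shown; the option names `hash.algorithm`, `pinning.disableAllSecurity`, `pinning.urls` and `webview.javaScriptEnabled` are assumptions chosen to mirror the exercises, and the sample configurations are constructed. It treats an unset WebView JavaScript flag as the insecure library default, which is the point the speaker makes about insecure defaults.

```javascript
// Added example (not from the talk): audit a hybrid app's library configuration
// for the three insecure options discussed, in a form that can fail a CI job.
// Key names below are assumptions; map them to your libraries' real option names.

// Hash algorithms a modern app should not select for new data (assumed list).
const WEAK_HASH_ALGORITHMS = new Set(["md4", "md5", "sha1", "sha-1"]);

/**
 * Audit one configuration object and return a list of findings.
 * Each finding names the key, the offending value and a remediation.
 */
function auditConfig(config) {
  const findings = [];

  // Exercise 1: a hashing library that lets you pick a weak algorithm.
  if (config.hash && typeof config.hash.algorithm === "string") {
    const algo = config.hash.algorithm.toLowerCase();
    if (WEAK_HASH_ALGORITHMS.has(algo)) {
      findings.push({
        key: "hash.algorithm",
        value: config.hash.algorithm,
        fix: "use a current algorithm such as SHA-256 (a password hash for credentials)",
      });
    }
  }

  // Exercise 2: a cert-pinning library with a "disable all security" switch.
  // The talk notes it is off by default; the check catches it being turned on,
  // globally or for a single URL (the same weakness scoped to one host).
  if (config.pinning) {
    if (config.pinning.disableAllSecurity === true) {
      findings.push({
        key: "pinning.disableAllSecurity",
        value: true,
        fix: "remove the override; keep pinning enabled for production hosts",
      });
    }
    for (const [url, opts] of Object.entries(config.pinning.urls || {})) {
      if (opts && opts.disableAllSecurity === true) {
        findings.push({
          key: `pinning.urls[${url}].disableAllSecurity`,
          value: true,
          fix: "remove the per-URL override; pin this host too",
        });
      }
    }
  }

  // Exercise 3: a WebView library whose JavaScript flag defaults to true.
  // An absent key inherits the insecure default, so flag it as well as explicit true.
  if (config.webview) {
    const js = config.webview.javaScriptEnabled;
    if (js === undefined || js === true) {
      findings.push({
        key: "webview.javaScriptEnabled",
        value: js === undefined ? "(unset, library default is true)" : true,
        fix: "set javaScriptEnabled: false and enable it only for views that need it",
      });
    }
  }

  return findings;
}

// Exit status a CI step would use: non-zero when any finding exists.
function ciExitCode(findings) {
  return findings.length === 0 ? 0 : 1;
}

// Constructed sample configurations (not from any real project).
const INSECURE_CONFIG = {
  hash: { algorithm: "MD5" },
  pinning: {
    disableAllSecurity: true,
    urls: { "https://api.example.test": { disableAllSecurity: true } },
  },
  webview: {}, // javaScriptEnabled left unset: inherits the insecure default
};

const HARDENED_CONFIG = {
  hash: { algorithm: "SHA-256" },
  pinning: {
    disableAllSecurity: false,
    urls: { "https://api.example.test": { disableAllSecurity: false } },
  },
  webview: { javaScriptEnabled: false },
};

for (const [name, cfg] of [["insecure", INSECURE_CONFIG], ["hardened", HARDENED_CONFIG]]) {
  const findings = auditConfig(cfg);
  console.log(`${name}: ${findings.length} finding(s), exit code ${ciExitCode(findings)}`);
  for (const f of findings) console.log(`  ${f.key} = ${f.value} -> ${f.fix}`);
}
```

Because the audit reads configuration rather than events, it answers the speaker's "result-based, not event-based" point at the build stage: a missing key fails the job the same way an explicit insecure value does, so a library upgrade that silently changes a default is caught the next time the pipeline runs.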
This talk is Lies, Telephony, and Hacking History, given by Matt, who is a security researcher. A few announcements before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma, Same Grip, and Blue Cut, and many others. It's their support, along with our other sponsors, donors, and volunteers, that makes this event possible. We have a few rules here. These talks are being streamed live, we have someone behind there, except in the Underground, and as a courtesy to our speakers and audience we ask you to check and make sure your phone is on silent mode. If you have a question, you can use the
mic there to ask, and we have a photo policy here, so BSides Las Vegas prohibits taking pictures without explicit permission from people in the frame. Thank you for coming, and welcome Matt. [Applause] Thank you everybody. We're officially supposed to start here at 11:30, so just a couple minutes early. So I want to start off saying he wouldn't be known by folks here in the information security community, however I lost a family member recently and just want to say: Andrew Stocksdale, I want to dedicate this talk to you, in your memory. So we'll get beginning here in just a couple minutes. For anybody who wants to get a copy of the slide deck,
feel free to visit slides.dfirmatt.com. That will forward you to my GitHub repo and you can download a copy of the slide deck today.
So hopefully we're gonna have fun today. I brought some cool old tech gadgets to do some "show and telecom", as I like to say it. So this is going to be fun and I hope everybody here enjoys it. I want to thank everybody who's still pouring in the door for coming out and checking out the talk.
All right, 11:30 by my clock, so go ahead and get started. Thank you everybody for coming out to check out my talk, Lies, Telephony, and Hacking History. For those who don't know me, my name is Matt Scheurer, here all the way today from Cincinnati, Ohio, and again, if you want a copy of the slide deck, go to slides.dfirmatt.com; that will take you out to my GitHub repo. Let's begin. So quickly about me: I work for a big well-known organization. I am a VP of computer security and incident response, and I have a lot of experience doing digital forensics and incident response, so that's kind of my background. It's been in the dustbin for a long time,
hopefully I'll resurrect it soon: the ThreatReel Podcast. If you're not connected to me on LinkedIn, feel free to reach out, or, whatever it's called these days, c3rkah on formerly Twitter, I guess it's called X now. Where I volunteer: I'm an official Hacking Is Not A Crime advocate; that just means I agree with their mission statement, I'm not a spokesperson for them, but it's a good organization. I'm also a WomSA, which is the Women's Security Alliance, technical mentor, a great organization; I encourage folks to get involved, they're always looking for mentors and mentees. Quick disclaimer is that yes, I do have a day job, but the opinions expressed are based solely on my own independent security research and do not express or
reflect the views or opinions of my employer. So the origins of social engineering: some believe social engineering dates all the way back to the Garden of Eden, but whatever you believe, deception and trickery have likely been with us all for a very long time. Social engineering and technology: I want to talk about where these two things intertwined, and really it started with phone phreaking, which is a lot of the inspiration for this talk. So the telephone system blossomed into the world's first interconnectable global network, and it was built by the telephone companies, or telcos for short. Phone phreaking, we're gonna dive into that topic here momentarily. A quick note about telecom history: these may be
somewhat fluid timelines. Telcos were often slow to replace or upgrade otherwise adequately functioning equipment. I can tell you my father was an accountant for the phone company, and they didn't replace anything until it absolutely had to be replaced, or the operating and maintenance costs exceeded what it cost to continue operating it. So different geographic regions essentially had different timelines when equipment was replaced or came into vogue. That being said, for this talk I've talked to at least five different former telco employees. I've tried to get it right, so if you notice any horrible things wrong here, let me know. I have done a good bit of research; some of this stuff is before my time,
some of it is not, which is remarkable because I insist that I am 21 until I die. Local communities' telecommunications stacks varied greatly, really based on market conditions and other conditions, as I mentioned. So 19th century and onward, telephone companies hired switchboard operators to assist customers in routing calls, and they handled the call routing by plugging physical cables into switchboard jacks. Many early phone subscribers communicated over shared party lines; there was no real assurance of privacy. So what would happen is, if you were part of a party line block, they said okay, you're five rings, and that's how you know it's for you, but there was nothing to prevent somebody else, ring number
seven, from picking up and eavesdropping on those conversations. People didn't really have those private communications going one to one. Electromechanical switches really started in the late 19th century and early 20th century; the Strowger step-by-step, or SxS, switches continued growing a footprint during the early 20th century. This was the beginning of automation in the burgeoning telecommunications industry. 1940s to the 1950s: AT&T developed automation using audible tones for long distance call routing. Multi-frequency signals were assigned to telephone number digits, and single-frequency tones were used for line status signaling. These advancements paved the way for phone phreaking; we're going to talk about blue boxes here in a little bit. In the future, the 1950s and 1960s: beginning around the
middle of the 20th century, telephone companies began more widely deploying advanced circuit switching technologies such as panel and crossbar. These switches, along with reliable transistors, paved the way for viable dual-tone multi-frequency, or DTMF, support, often referred to as touch tones on phones. Now I brought some relics with me because I promised doing some show and telecom today, and I intend to do that. I'm pretty sure that some people in the audience have never seen, used, or touched one of these. This is a touch tone telephone, and what's interesting is there were no modular jacks on this. These were usually telephone company owned equipment that customers leased, so technically the phone company owned these, and since
everything was hardwired, if one of these cords got caught up in the vacuum sweeper and completely shredded, that was a service call to the phone company to get somebody to come out and fix it. Later on, phone companies decided, hey, we should start putting modular jacks on these things; it's a lot easier than sending our field engineers out to replace cords and so forth. So this was a little bit of work. If I wanted to dial the 555 prefix, this is essentially the dial, and these have numbered holes in them, so if I wanted to dial the 555 prefix, for example, I put my finger in the number five hole, I spin it to the
metal stop and I let it go. I put my finger back into the five hole, spin it back to the metal stop, and I let it go. Now I put my finger back into the five hole, spin it back to the metal stop, and let it go again. And you can see it was effort, took a long time, and then touch tones came out. So what's interesting is this is an old school style touch-tone phone, again typically doled out by the phone companies. These had modular jacks so you could replace the line cords yourself, and, you know, these had the buttons. Not every community got touch tones right away, so there's a tone or pulse switch, and pulse
would essentially emulate the rotary telephone for systems that didn't support that. And it's definitely, you know, advancements in technology that paved the way to make these things better, more convenient, but still progress was pretty slow. The 1970s to present: electromechanical switches were slowly being phased out in favor of newer digital switches, electronic switching systems, or ESS. The migration to digital switching was the beginning of phasing out analog telephony in favor of digital telephony. Nowadays Voice over Internet Protocol technology is largely displacing electronic phone switches. Something I want to talk about here on the next slide: we're going to spend a bit of time talking about phone phreaks. So who were, or are, the phone phreaks? These were
people who enjoyed exploring phone systems, and they enjoyed experimenting with telephony and technology. Some were obsessed with learning the science and technology behind telephones and phone networks, and phone phreaking often became a gateway or bridge towards becoming a computer hacker, or vice versa: somebody might aspire to start off as a hacker and then by extension get into phone phreaking. So some cross-pollination there, vice versa. For those of you who have never seen one of these before: there were internal modems, there were external modems, before that you had this. It's called an acoustic coupler, and the way this worked is, you see, it's a phone cradle handset, and what somebody would do to essentially dial a computer is they
would take their phone handset, put it in the cradle, and so you have your receive and your transmit, and it's a pretty tight seal on this, and so people could use the acoustic coupler to establish modem connections before there were dedicated external modems, which came about later. And also, if anybody wants to see me afterwards, it's kind of a big group, you know, feel free to come up to me afterwards and I'll be more than happy to let you touch this stuff, see it, that sort of thing. And so, you know, when those things intertwined, people got into war dialing, where they would essentially dial series of numbers to find other
modems that might be listening, and back in the early days, have you ever seen the movie WarGames? I'll talk about it momentarily; you've sort of seen what that looks like. The objectives of phone phreaking: some phone phreaker motivations included learning, which was really just a thirst for knowledge; meeting and talking with other phone phreaks; pranks and mischief, which cannot be understated, people love messing with their friends, love messing with people they didn't get along with, right; and making free phone calls to anyone, anywhere. That might seem trivial now; it's sort of one of these funny things because of course nowadays I've got a flat-rate phone plan, I can pretty much call just about anybody
anywhere in the world and it doesn't cost me anything extra no matter how much or how little I use this. But back in the day, phone companies would charge potentially upwards of over a dollar a minute to make phone calls, and let me tell you folks something: if you ran up a $400 phone bill in 20th century money and your parents saw that phone bill, you were going to be in bigger trouble than that time my boss yelled at me and grounded me for an entire month when I tried to file an expense report for this outfit. So it seems trivial now, but there was high motivation to figure out how to get free phone service and also not be
grounded by your parents. So phone phreaking in film: this is not an all-inclusive list, but just some highlights here. So Three Days of the Condor was actually very inspirational to Kevin Mitnick. It was released in 1975, stars Robert Redford. There is a scene in there where he actually socially engineers the phone company into getting them to act on his behalf, and again it's that intertwining of technology, telephony, and social engineering. WarGames, which is my own personal favorite on this list, released in 1983; we talked about war dialing, you can see a lot of that there. Very inspirational movie, probably for a lot of folks in this room. The movie Hackers,
released in 1995, actually has some interesting red box stuff; we'll talk about red boxing in a moment. This movie has actually inspired some interesting folks in the industry today, that got inspired by watching that. Pirates of Silicon Valley talks about the early beginnings of Apple Computer, or now commonly Apple. They started off making blue boxes before they started building computers, and essentially selling those so people could make those free phone calls. We'll talk about blue boxes here in a moment. But classic phone phreak tools included musical instruments and whistles; phreaker boxes, there's a bunch of these, I'm just going to highlight a few of them: blue boxes, beige boxes, red boxes, but
again there were a whole lot more, and some people would combine the different functions of these boxes into what they would call rainbow boxes, because they would do multiple purposes; we're going to talk about pay phones, if anybody here remembers those, knows about those, so yeah, that should be fun; and tape recorders; and scanners and radios. So phone switching and tones: early phone systems used audible control tones. Some musical instruments could pass as recognizable telephone switch tones, and in fact some people would have to play two musical notes together to get that multi-frequency that was used in a lot of telephony. And then whistles and whistling: Cap'n Crunch breakfast cereal once included a free whistle as
an in-box toy giveaway, capable of producing a perfect 2600 Hertz tone that folks would use to seize a trunk, and I've got a replica here. It's kind of hard to get it right, but if I cover the middle hole, that would produce a 2600 Hertz tone that people could use, again, to seize that trunk. And a lot of early phone phreaks were visually impaired, so a lot of folks would actually learn to be able to whistle the tones themselves, right directly into the phone. So we'll talk about blue boxes. I don't have one to bring with me, but these generated 2600 Hertz tones, among others. It was used for controlling phone switches, and it gave, again, phone phreaks
the ability to place free phone calls. Beige boxes were simply a lineman's handset, and there's all manner of these. I have in my possession a real-deal lineman's handset; this is like official AT&T equipment, and these tend to be kind of expensive. You can still buy official lineman's handsets. These had very tight tolerances; they wouldn't really mess with systems. They have these jagged alligator clips, and so if people had a punch-down block, they could clip into the punch-down block. They could also pierce the cables with the alligator clips to tap into the phone without actually disrupting the line. And, you know, again, these were official, real deal, very hard to come by back in the
early days. I would never have endorsed it, but I'm sure some people probably found an unlocked van or two and found these. Some people, these are very durable, but if some people did have a few broken ones, they might be able to assemble a working model. So this is an official real deal. For those that didn't have that luxury, you could do a home-brew variety, where you take a standard telephone handset and essentially lop off the cable and solder on your own alligator clips, so that you could do the same thing for a whole lot less, because any common phone... and this is kind of representative of the ideal one, because the cradle, if you
will, was just a hunk of plastic. It didn't have any electronics in it; the switch hook is actually on the handset, so this was ideal. And again you got the, you know, tone/pulse switches, those sort of things, so you could always do home brew and make your own. Interestingly enough, you can now, through a large online retailer, order essentially a very cheap test phone, and what's cool about this, less than twenty dollars delivered to your door, this actually has a modular jack on it. So if you found an unattended phone jack you could plug in and test it out; if you don't have that, it's got alligator clips as well. This is sort of
genius. I looked at that and thought, why didn't I think of doing that? But yeah, it's cool and it's pretty inexpensive to do. So, you know, again, different varieties of lineman's handsets, and those were your beige boxes. Now if you did find a, you know, like a punch-down block, you could use one of these punch-down tools, and this particular one has the 110 block as well as the 66 block punch-down, and so these would just, you know, essentially punch in and connect the wire to the block. You have to be careful with the 110, because the blade is built into it, and if you're doing this and you accidentally cut the
wrong end of the cable, not the excess slack end, it would just fall off the block and you'd feel kind of stupid. Might have some first-hand experience with that, not admitting to anything. But yeah, and then for the 66 there's inside here a blade that you could use to, again, cut off the cable and try to get the right end, because if you get the wrong one you're redoing it. So pay phones were once very commonplace. These provided a physical layer of separation from home, which offered a level of anonymity to their users and some level of deniability for callers. If you were on the receiving end of a pay phone, because you could actually call pay
phones and you could actually pick up, so if you coordinated a time or whatever, you might be able to say, look, I was just in the vicinity of this pay phone, heard it ringing, so I picked up. I had no idea who was on the other end of that. Conversely, I don't know who called me, it was just some random person at a pay phone, they must have dialed the wrong number or something, I don't know. So again, that physical layer of separation was definitely something that existed with pay phones. Now I can't in my suitcase fit an entire pay phone, but I do have a handset here. This is the real deal. It's got the, you
know, the armored cable and the steel cable inside, very durable. You can see it's just a standard modular jack that would plug into any telephone that has the modular jacks. So yeah, handset from a pay phone right there.
Red boxing: red boxing was used by phone phreaks to load fake money into pay phones by playing tones into the handset's mouthpiece, thus enabling users to place free phone calls from telco-owned and operated pay phones. And I actually have some tones here; again, 21 till I die, so somehow these tones got generated by me before I was born. The math gets really fuzzy, but just roll with it. And so here is a nickel, so hopefully folks heard that. The dime is really just going to be, oops, the same thing twice. And then you can hear the quarter. And also what's interesting is we use dual tones here in the States; in Canada
they had a single tone, so you can kind of hear the difference on those. And also this sort of became a bit of a social engineering thing as well, because telephone companies kind of wised up and you couldn't just play tones directly in the handset until you'd established a call, but people could still socially engineer an operator and say, okay, I got that phone number for you, I've got a terrible memory and I don't have a pen with me, or ran out of ink or whatever, could you transfer me to that number? And they would say sure, just deposit a quarter. So I got my pay phone handset, play it in there, operator transfers the
call thinking I've actually put a real quarter into the pay phone. So again, that's another instance where social engineering intersected with all this. Tape recorders: for those that were not adept at building electronic tone generators and circuits, using a tape recorder and playback was a viable alternative, because you could actually hear those tones playing on the phones themselves, and if you could record those, you could play them back. Nowadays we call those things replay attacks; back in the day we really didn't. And now in modern times we think of replay attacks with things like cookie files and packet captures and replaying those. We didn't call it replay attacks, but that's exactly what it was. And so, you know,
oftentimes you could, you know, record. A couple methods: I've got a couple adapters, so one is basically, if I have modular jacks, I could plug in. Basically this is just a tap, if you will, that goes in one end with the modular jack, out the other, and then it's got basically a side band to port out to a mic jack or an input jack where it could be recorded. Sometimes that wasn't available, and for example we did talk about pay phones as an example, so if you didn't have that available you could use essentially what this is: an inductor coil with a suction cup on it that would do sort of the same
thing. The vibrations pick up on the handset and it ports out the audio from that into the recording device, and so often what you do is you just slap this on a handset, and you can see it sticks pretty good if it's a nice smooth surface, and it could use that to record telephone switch sounds or money sounds, those sort of things. Scanners and radios were capable of listening into wireless communications and eavesdropping on conversations. Many people actually unwittingly bugged themselves. The early cordless phones were 43 to 50 megahertz, and a lot of common radio scanners could pick up and listen on those. I didn't bring that with me. Later on that moved to 900 megahertz, and
so these wouldn't do the low-end older versions, but I did bring a couple software-defined radios that would absolutely do the 800 megahertz stuff and 900 megahertz stuff. So early cellular phones, when they were analog, would go on the 800 megahertz frequency ranges. Same thing if you had a scanner capable; now those were a little pricier to get your hands on, but if you had one, you could actually listen to cell phone conversations fairly easily. Now the government kind of caught on to that, and so for a long time there were cellular-band, or, you know, basically cellular-blocked scanners that were released that would intentionally not let you listen to certain frequencies
within the 800 megahertz range to do that eavesdropping what's interesting is Canada has a lot of the same frequencies a lot of the same steppings we do in the United States they didn't have such laws in their books so sometimes people would go north of the Border get a scanner smuggle it back across and they could listen to the cellular bands or if you could find second hand a used version that was for sale you could do that as well and listen to those uh to be honest I don't know that those laws have ever been repealed even though uh you know that's you know really no longer works so you could no longer listen to with just a very cheap
inexpensive you know relatively speaking scanner baby monitors also frequently worked with the same cordless phone frequencies and those channels people would unwittingly bug themselves and you know if they were talking about things that were illegal illegal whatever anybody in the neighborhood could listen in it's not just them being able to hear what's happening in their Nursery they were essentially bugging themselves uh not really sort of oblivious if you will thinking nobody's probably listening in well maybe they were and they just didn't even know uh pbxs or private Branch exchange and these were systems comparatively smaller to Telco exchanges uh and you know those switching systems but they were owned and operated by organizations and private businesses providing
interconnected phone services to them, and a lot of PBXs had features that they couldn't even purchase through the telephone company, a lot of those, you know, sort of value-add things. PBX abuse and hacking: enumerating company employee phone directory abuse. Back in the day there used to not be LinkedIn, so if you wanted to know if somebody worked somewhere, or figure out what employees worked for a business, you could call into the dial-by-name directory and essentially pick different last names and figure out who worked for an organization, and probably what phone extension they were at. Compromising voicemail boxes and listening to saved messages: most voicemail mailboxes back in the day were secured by a three- or four-
digit PIN, so there's nothing to stop somebody from brute-forcing those, and if they could pop a voicemail box... And a lot of times, if nobody changed the default PIN, it would be the last, it would be, you know, those three- or four-digit extension numbers would be the default PIN in a lot of these things. That would enable somebody to just listen to voicemails for somebody else. And then if the PBX was thoroughly compromised, people could set up their own unauthorized voicemail boxes and make other people think that they are an employee who just didn't pick up when they called, and they could just sit there and do phone-tag voicemail messages and social engineer people that
way. Transfers to extension 91 was a common scam, or nine plus any other country code, either doing switch methods such as call forwarding, or just calling up somebody and saying, hey, my name is Joe, I'm with the phone company and I need you to transfer me to extension 91, we're conducting some testing. If they do it and they transfer you cold to 91, that gives you an outside line and dials the number one prefix. Now with an open line, a person could dial in whatever number they want, piggybacking on that business's telephone bill, really. And call forwarding: we talked about diverters and other routing tricks. So diverters were often used, like after hours, for a business that might have an
answering service, for example, where people call in, leave a message for you, whoever, and that would essentially use a diverter to send the call after hours to that answering service. When the answering service hangs up there is an open line, if it wasn't configured correctly or was kind of insecure. Now again, a person could piggyback on top of that open line to dial whatever number they want. Phone phreak tradecraft: so dumpster diving or trashing, fairly common, and a lot of times it wasn't just for electronics and pieces of technology; sometimes it was for manuals, because if I'm calling a telephone company and I'm trying to socially engineer them, their employees, I better be able to
speak like another telephone company employee to convince them that I want to transfer a number, or you know, if I want to disconnect service, things like that. Call routing loops, three-way calling used for eavesdropping and/or pranks, what we now think of often as man-in-the-middle or adversary-in-the-middle techniques. Again, it wasn't really called that back then, but that's exactly what it was, and of course that's still a common threat vector today. Yes?
All right, good tip, for those who didn't hear it: people would write down passwords and PINs and things like that and then throw them in the trash, so some valuable intel. Good add. So social engineering phone operators and other telco employees; we talked about calling card fraud and abuse, which was again very commonplace. Telco countermeasures: telcos implemented various fraud controls to detect and flag or block phone phreaking efforts. By the early 80s, old phone phreaking methods and the various color boxes became obsolete and unusable. These countermeasures forced phone phreaks to continually adjust their tactics amidst the changing times. More changes: switchboard operator career opportunities were mostly displaced by technology in recent decades. The market
saturation of mobile phones made deploying and maintaining pay phones financially infeasible for telcos in North America; consequently, pay phones have largely disappeared from the landscape in most First World countries nowadays. The proliferation of unlimited and flat-rate cellular calling plans eliminated the incentive to steal phone service for the purpose of making free phone calls. Most new telco, or I'm sorry, telecommunication deployments favor using voice over IP technologies, platforms and services. Calling card fraud, once very prevalent, has largely given way now to credit card fraud. The new underground: phone phreak bridges, I didn't really talk about those, which were conference call party lines and virtual meeting places, have largely been abandoned in favor of newer technologies,
things like web conferencing platforms, encrypted communication mobile apps, for example Signal or Telegram, being used by a lot of threat actors today, and then darknets, including the dark web, which I presume most folks here have heard of, and certainly those marketplaces where people can buy pretty much unlimited things out there. The new frontier: data dumps and dark marketplace use today is more prevalent than old-school dumpster diving, as we've discussed. Mobile malware is an ongoing threat; is that really phone phreaking? I don't know, but it's an attack surface that didn't use to exist before people had mobile phones. Proxy servers, VPN services and Tor are mostly used to cloak communication source endpoint origins, so you know,
again, there aren't pay phones, so people have other methods now to sort of hide where they're really at. As an epilogue: technology and telephony abuse is less of a technology hobbyist, enthusiast and prankster activity now. Modern abusers often comprise advanced persistent threats and threat actor groups, hacktivists, financially motivated actors, organized crime and nation states. Modern phone phreaking, lest anybody think that all forms are completely dead: reverse toll fraud is a common problem today still, where, well, I don't know how common it is, but it still happens, where there are international or other high-toll numbers that are paid per minute, and so either it's somebody operating that number themselves or they're in
cahoots with somebody operating that number, and so that's still a problem today. Web conference calls: most people here probably remember Zoom bombing, particularly at the beginning of everybody quarantining and the pandemic, so eavesdropping, call bombing, raiding, hijacking attacks, a common problem. Phishing and smishing, again a mobile platform attack surface that exists now that used to not exist. Porting or port-out fraud is migrating a mobile phone number to a different service provider, so if I can convince somebody that, you know, this is my phone number and I'm switching from company X to company Y, and it might be, you know, an inexpensive, you know, sort of pay-as-you-go plan or whatever, either if I can convince them
through social engineering, or just outright bribe that employee, to port the number to another service provider. Sort of similar to that is mobile SIM swapping, where again a lot of times people working for cellular companies can be bribed and they will essentially move the phone number from one person's mobile device to one that they control, and that is definitely a modern problem. This is an old-school style talk, so just some quick shout-outs: 2600 Magazine has been around for a very long time, going back to 1984. Not too far after that, I don't think they've cranked out new material in ages, and it sort of, every once in a while you see a new volume released,
but Phrack 'zine back in the day was very prevalent in the phone phreaking and hacker scenes. Phone Losers of America, still an active group; what's interesting is they still have a conference call line listed on their website, so if you want to call into it, you might want to be careful, but you can actually call into it and talk to other phone phreaks. You can reminisce about history or talk about modern times, probably shoot the bull about just about anything. Project MF: if you missed out on blue boxes and Captain Crunch whistles and those sort of things, it's a stack that's built on top of an Asterisk deployment; it mimics or simulates the olden days, so you can actually use a blue box, or a
software version thereof, to go back in time, if you will, and recreate those things. textfiles.com and Jason Scott, just for archiving tons and tons of old bulletin board articles and posts. And then I want to give a shout-out to Tina Kazaniak, who used to work in the telephone company fraud department somewhere, and I've had great fun chatting with her about their efforts to sort of bust the smart kids that were messing around with the phone systems and doing things they shouldn't have. So really fun, interesting perspectives; she has a lot of, you know, historical reference and knowledge; just great fun talking to her. With that, I will, not sure how I'm doing on time here, reasonably well, so happy to
open it up to questions if anybody has any. There is an open mic up there in the front of the room. Thank you. If it's on...
While they're doing that, again, if anybody wants to come up and see, touch and mess around with my old junk I brought with me all the way from Cincinnati, Ohio, feel free to find me before I run the suitcase back up to my hotel room. Thank you. Thank you, Matt. If anyone has a question, please, you can come and speak here. Thanks. [Applause] Thank you so much for the talk, it was really awesome. One thing I think was interesting, you were talking about PBX hacking; you mentioned that voicemails used to be secured with a, you know, four- or five-digit PIN. That's still a thing today; a lot of times people, see,
C-suites, you know, their voicemails are secured with a four-digit PIN, and for those people interested in PBX hacking, at DEF CON there is a Telechallenge, so check it out. Cool, thank you so much for the add, that's awesome stuff.
Sorry. Kevin Mitnick quite famously got arrested and supposedly got put into solitary confinement because they were scared that he would be able to launch the nuclear missile codes. How realistic do you think that is, based on your research? Yeah, in fact, so the old story, Kevin Mitnick was actually, as I understand it, somebody correct me if I'm wrong, but he was actually sentenced to solitary confinement specifically because law enforcement convinced the judge he could actually whistle nuclear launch codes into a telephone and start a nuclear war. I don't think that's realistic, and it was definitely overstated, and there was a lot of hype, and it's one of those interesting things where law enforcement,
a lot of people will tell you they're still behind the times; they were woefully behind the times back in the day. So judges didn't understand technology for a long time, and so they believed it, and just as a precaution, well, let's just put this guy in solitary confinement, don't give him access to a phone, just in case he really can launch nukes by whistling into a phone. Great question. Anybody else? All right, I don't see anybody else coming up to the podium. Thank you, BSides Las Vegas, for having me, thank you for sticking around for my talk, it's been great chatting with everybody, and thank you.
Good afternoon everyone and welcome to BSides Las Vegas. This talk is about the telenovela of Latin America banking Trojans, a dramatic story of cybercrime, and here we have Sibeli who's going to present the talk. A few announcements before we begin: we would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat, Toyota. It's with their support, along with other sponsors, donors and volunteers, that make this event possible. These talks are being streamed live, and as a courtesy to our speakers and audience we ask you to check to make sure that your cell phones are on silent mode. If you have any questions, please use the
audience microphone so that YouTube can hear you as well, and with that let's get started. Please welcome Sibeli. Hey everyone, thank you for waiting, my little technical problems, you know, since all the time actually. And first, I know I wasn't born in the US, so my English is not perfect, but just okay; if you don't understand, just raise your hands. Oh, let it go. If I say some weird words, please, you can correct me, I don't care, really; sometimes it's good to learn, and that's it. Someone here knows something about banking Trojans from Latin America? A little bit, okay. If you're not, that's okay. So it's about a telenovela because Latin America is very known for
telenovelas, and they are very dramatic, and also our cybercriminals, for this, this name. So who I am: I used to say I'm a mix of Gossip Girl from malware-land, wait, fortune teller, because I work with cyber threat intelligence, so I have to know everything that's going on in malware-land and all the disgraces, and try to see, oh, what's going on in the future. Basically this is what I do, and for over 10 years I've been working especially with cybersecurity and privacy in Brazil, and some organizations in Brazil and all around the world like Mozilla and our project, basically. This is what I do right now. This is a real picture of me in Mexico;
I'm not from Mexico, but it's in Mexico and Día de los Muertos, so I like it. So this is me, and I have cats, I love cats, as you see before, and I love tofu because I'm almost vegan, not all because I love chocolate; it's hard to, you know that. And I like sparkling water, and basically this. So what we're going to talk, see, I have many GIFs, it's super cool, thank you. And what we're going to talk about, what we're doing: well, the born of Brazilian cybercrime. I know, talk about all the Latin America, you know, threat landscape, because I don't know, it's quite similar, so you'll understand if you
understand that Brazilian-wise, it's kind of similar to the rest of Latin America, and about the common features of these malwares and banking Trojan families, and what's next, or why this happened, or let's see if it's possible to stop them or no, no, no, it's impossible, even it's very peculiar, you know, malwares. So let's talk about, you know, well, right now in times of AI we have, like, things like GPT or similar, sensitive writing malwares, and you know, can you believe this, I tell you, well, most of banking Trojan malwares in Brazil and Latin America is for desktop; they work in desktop, multiple, they write this kind of malware more to desktop than to
smartphones, because yeah, it is easier, you know, to bypass some security in desktop, especially for people not so savvy in cybersecurity or whatever, and for other people, and I'm going to talk about this specific issue, but from the strategic cyber threat intelligence. I'm not a malware analyst, so please don't ask super hard questions, because I can say, I can answer, but from a strategic point of view I can do this. But wow, what is strategic point of view? It's basically this: I see everything that's going on, for this Gossip Girl from malware-land, not just one tree, I see the whole forest, you know, all the disgraces, you know, in this place, that's going on in malware-
land, is a very sweet name I gave for this, what happened in cybercrime, I think it's killed it, and I talk about more general, not just one specific, you know, thing. Sorry, sometimes I forget the words in English, and I know much more words in Portuguese than English, so sometimes I lack some words, sorry, but you can help me, please, you can, oh, these words you want to say, please. So, the born of Brazilian cybercrime. Well, first of that, you must be thinking why I talk about malwares in desktop, not in mobiles. Well, as incredible as it may seem, they are widely using them to make banking Trojans, you know, really, really widely used. Everybody has a
mobile, you know, even two, three mobiles. People, especially in Latin America, they have many mobiles with international internet connection, but not a desktop or a computer, so everybody has some kind of way to be connected. But some taxes we have to pay in desktop, only desktop, I don't know why, it's weird, or you go to the bank. So what the people do: they pay in the desktop, especially companies, you know, small companies, they have to pay these government taxes there. So it is a big surface, you know, to attack, really big. So banking Trojans are developed for desktop because it's a little bit less complicated, desktop, than mobile,
because on mobile you have to say, oh please, accept the accessibility, you know, we have to unlock accessibility for you, you have to click, click, click, click. People say, oh, do I? Yeah, people sometimes are dumb and they accept both, and the computer, in desktop, is easier, you know, just okay, happens, is there, and that's it. So of course we have many, many, many malwares that attack smartphones, especially Android, like for example, I love these names, it's so unique: summer neck, Amavaldo, Zanubis. They are really weird names but fun, and this last one, Zanubis, they attack all Latin America except Brazil. No, wasn't me who wrote this, because I can do this, but
this is a very cool name. So in cybercrime, let's talk a bit about the history. I have a bachelor's degree in history, so you will learn about the history of Brazilian cybercrime. When internet, a commercial internet, started, like mid-90s, you know, people used to walk, Brazilian underground rise, you know, bar, and until like 2000 people, this forums, kind of forums, not like Fortune or other forums, they talk only in IRC. I think everybody remembers, you know, talking in IRC, you know, very simple, not so user-friendly, not so many GIFs or emojis or images, so everybody was there and talking and talking. And then, okay, that is, what that
was a place to learn; people were learning how to, you know, in cybersecurity, because back at that time, frameworks, I don't know if it exists, some, or was very expensive, or I don't know, and you have to learn to speak in English. Come on, we are from Latin America, it's not our language; I speak Portuguese, not even Spanish, I can't speak Spanish, but the rest of Latin America speak Spanish, and everybody knows these are very poor countries, mostly, so not everyone can speak English because it's expensive. Now it's easy, we have YouTube, but before, no, you have to pay, like, a teacher to learn. So what, few people was there, oh, let's
learn, you know, and what, I exchange, learn, exchange, and financial risk started to be very low, you know, foundation return was high and risk was low. Basically it's this, when everything starts. I don't know how to compare here in the U.S., I have no idea because I never lived here, so I don't know this. But basically the emergence of Brazilian underground starts in mid-90s until early 2000: IRC, limited resources, you know, to learn, knowledge exchange to cybercrime. Any platform can be considered a forum in Brazil; it's not like BreachForums or any of these forums, you know, you have to be invited or you have to pay to be there, and oh, come on,
selling some bank compromised credentials or malwares or something as a service. No, in Brazil, no, everything can be a platform, like WhatsApp or Facebook or Telegram, especially Telegram. Given this resource limitation we had back then, the thing, how we learn how to, like, attack something from the basement, yeah, it's easy, it's not that, wow, super hacker, but they want to know how to do this. So the phase, movement, was considered a learning experience, you know, in absence of these frameworks; however, you know, to educational purpose, like educational, this became a cybercrime, was just a stone's throw away. It was super, so it's easy to do this, maybe, maybe not,
and these guys start, usually guys, I know I'm a woman, but usually those guys, one or two women or non-women, start saying, oh, I have some massive credit card numbers here, because, I don't know here, please let me know, companies say, oh, I will send a credit card, I, but I didn't ask, but yes, I send you. I don't know if this happens in the U.S. or happened, well, just sending you, but what happened, oh, the mailmen say, oh, you keep this or keep that, or the person receive that, oh, yeah, this card, you know, so it's easy, or someone robbed, you know, the mailman, so they have a huge, you know, number of
credit cards and sell and spend in the name of the others, so easy. And then, besides carding, we have, what else, so this discussion also was organized by topic. Well, today we are organized like selling or buying or something like this, is very organized; back then, no. So the cybercrime scene migrated from IRC to Orkut, do you remember Orkut? Yes, it's like the grandpa of Facebook or grandpa of Instagram. They went to them, migrated then, and started selling products and hacking services, and then they headed to Facebook groups. They closed at once, and then the trust among these criminals shaking, you know, because some information start to leak, these conversations, and these fraudsters,
so fraudsters, yeah, fraudster, okay, say, I'm not liking this. So what happened: so unlike the Russians, the Brazilian people, and Latin American in general, cybercrime don't use underground forums; they use, like, surface forums. It's not a forum at all, it's WhatsApp, come on, so easy, Facebook, sometimes Instagram, no. So that's it, where it's easier we go, we know, I don't, that people go. So, and Brazilian cybercrimes are very quite nationalist; they operate much more in Brazil, in our territory, or even Latin American people operate in their country and then abroad, some exceptions of course, because, for this, and talk about the Trojans, they are spreading out around the world, and they are
not afraid to change their TTPs, because, ah, it's not working, okay, let's change, let's change here, let's in there, where money is easy they are going. So, sorry, I'm a kind of, you know, nervous, so I'm mixing things. Everybody is okay? But what I'm saying, it's okay, okay, please, if it's weird, say please, you better stop, say again. Thank you, thank you, thank you, thank you all. Well, some common features among Latin American malwares: first, Latin America is huge, it's not just one country; I don't know, some American people don't know this, but we have like 20 countries, 14 territories, including Mexico, Central, Mexico here next to U.S., Central America, South America and Caribbean, so we have a
lot of countries, and Brazil is the only one who speaks Portuguese, the area different, I know, good. So all countries are different than others; when we read some reports written by someone from the Global North, they are very biased, you know, things like everybody is the same, like Peru is like Mexico, or everyone is Mexican. No, it's completely different cultures, completely different everything, even the way they talk is different, you know, super different. But something we have in common: we don't host APTs, you know, we don't have APTs in Latin America so far, because no, there is no reason for this. So for this, our environment is very unique for this kind of malwares, bank
malwares, or some kind of fraud, because the cybercriminals are very persistent. We have drug cartels, you know, recruiting people, you know, young people, to work with cybercriminals, because, come on, if I'm not selling drugs abroad, hard, how we can get money? So we are recruiting people. In Brazil we have large gangs, you know, criminal gangs, that are recruiting, you know, oh, I think you can work with computers, because it's always someone who works with computers; they don't know what they do, but is a computer person, so they recruiting them, is weird. So please, sorry, people who born in U.S., Latin America is all this. Well, some malware attributes, even with
this different, social difference among us, something are very common, like some malware attributes: they try to reach the larger number of victims, everyone, everywhere, not just a specific one or one bank or one person, just wow, you know what, I forgot the word in English, okay, whatever. But the quality of the malware is not so good, you know, it's just okay. Thank God, they speak very loud now, it's better, come on people, why did you say you didn't hear? Oh, then okay. The most, the malwares, you know, written in Latin America is not wow, what a malware, it's just they work. This is the thing, they work, this is very important, just work;
they reach a big number of victims, and the operators use the full potential of the malware; it's not just, I use this one time and, yeah, discard, no, they use it again and again and again. If it's working, that's good; this is not working, yeah, okay, we try, we can modify a little bit, just a little bit, you know, it's not like this, malware as a service, you know, you're buying the shelf malware, okay. So yeah, again, nervous, forgetting words, but please, if you're not understanding, following what I'm thinking, please, please let me know, you know. So the operators use the malware for its full potential, and when it's not running
at its capabilities, they just make some minor technical adjustment, just enough to keep it running. This is very, very, very common in Latin America. Mostly, they are written in Delphi, even old, you know, not the new version of Delphi but old ones. There's a lot of social engineering, because sometimes it's easy, so just click here, oh, you get something for free, I do this, I like free things, so I give this, so click OK. If I do this, can you picture my mom or someone that, whatever, so they do this. And the thing is, with social engineering is persuade someone to do something; well, I think everybody here knows how it works,
so to trick people is kind of easy, you know, especially with free things or free money, like this bet, you know, oh, you can try here and get trip off money, you can bet like one dollar and get ten thousand; it's super easy to trick people. And what else they use: they make a pop-up showing the screen, you know, to steal the data, it's a fake pop-up, you know, it's overlay screen, so the people, oh, what's this, I have to put my credentials here, okay, but it's fake, even if the mouse don't move. They use this, and they use a lot of, even try in the motto to do this, you know, to
trick people, usually it's like, oh, we have update, oh, you have to update your computer right now, you have to update your bank platform right now, it's very important, everything is super urgent, oh, it has to be now, now, and people insert their credentials, their credit card numbers and passwords and everything with this pop-up screen to steal data. Anyway, this is very regular, but this is the thing, what happened in Latin America, not much different than this, because, it's not lazy, but why do I have to work so much if I can get money just doing this, this simple thing, I can. And then they write multiple variants, how can I pronounce this, variants,
it okay cool with minor modifications you know they are developed simultaneously not just one try one I developed one and sell and then it's not working I try again no they develop many many lots and that's it and threat actors disseminate this variant all around and this is very effective basically you know the the flow shot or a chain attack hands like this like collect information about the machine you know send notifications active windows and it found a Target window okay let's go if not oh let's come back and then the communication with the commander with CC and display fake pop-up Windows this is the base of Latino American Trojans Works basically are these and something very very interesting more
families share many many functions like Grandeur ozaba as I say it's very funny names even for me this doesn't mean anything this works it's just words every uh who found out this every company give a name so this is lots of name like for example ozoban this threat are often abuse cloud services to download the second stage of payload and and Google docs to retrieve the C2 configuration and under one casabanero they deliver a malware loader call it best loader and a rat that the name is very good AKA Ave Maria is like praying Ave Maria you know that's very Catholic praying and for example through the malware execution they use algorithms to decrypt you know
the strings but these algorithms algorithms versus the X at XML strings and use a chain of char operation you know the scheme to previous bite of the string this happened and where they come from this book someone wrote this book and this this family is just copy and paste to use she is in everywhere yeah it's funny right you are laughing it's funny but works a lot really really works in stupid what works this is the point of my my talk you know this works basically they do the same they are different but are the same you know is this don't don't think I like oh or or cyber criminals are bad no they are super cool
but they don't need to work too much to get money just yeah let's do it um I don't know if you are some people are aware of my father you know is a comic book you know this little girl is super cute little girl of course she's not talk about droppers originally but it's like the mowers as a service you know of the chef mowers oh I want you a dropper I Bank Trojan and this and that and another two and that and some more okay this is for you so it's very common you know to attract actors to buy this kind of mowers AKA mowers as a Services some female as a service is a big business
right now and adjusted to execute it for example a motet is everyone knows a motet is huge it's big and even Homeland Department classified as the most divesting mower because they have these warmable feature so it's bad but um that's it they buy and use execute but here sorry Gringos is not happening you know Latin America because every little thing you say oh it is not work I'm not working this anymore I buy a new one but not us not we change everything you know lateral adjustment as I said before and let's try again and again and again it's like you know you are old clothes you give for your younger siblings and then the other siblings and
2000 to the cousins you know and and this unusable is the same with our mowers basically is this so let's go to the more technical part Latin America banking Trojans collect information about the victim's machine this usually consists of computer name usernames and unique identifier and indications whether the security or banking protection software are installed you know uh the persistent usually is through Windows registry yeah but they don't use much you know the percent stage is they use but it's not it's rare you know it's not so why we can't go jump you know but the evasion part you know they use a lot of low beams defense evasion and you can check the low low bus projects you know
to see how they can use the low beams in different ways in a very creative ways so you can check there and this technique DL dll side loading they use a lot this is the most used thing um well they capture credentials data super in the browser astrology the families I will talk about later they capture browser Cooks this is very specific for these mowers and the screen overlay this was taking you know from one of our uh the guy I used to work he's a mower analyst not me he took this the Sprint you know the real campaign that was running this overlay skin screen so the the cyber crime you know is trying to
you know lure this guy and the final infection of chain the malware mentioned at all the mentions here they place this overlay screen this is the thing they do you know this cyber criminal then have this access remote access to the computer in order to perform Bank transaction sections in this overlay prevents the user to see or to touch in anything else you know that's it you know they just can see this picture they can change other screen or move the mouse or something like this they lose all the control of the computer now some Latino America banking Trojans yes they are weird like this family very nice family yeah so let's dive a little
bit into some of the families. Okay, Casbaneiro. This word doesn't mean anything at all. Its infection chain usually starts with email; they send out a malicious... Can you read this? Oh good, you can read it. Can you read it for everybody? I can't read it from here, I'm not using my glasses, can you help us? Oh, it's in Portuguese, sorry. But with this you can picture how it works, right? Or no? Can I explain? Yes, please explain everything. Wow, I don't know what happened here, but the letters are yellow; I can't read yellow on white. The targets are accounts at financial institutions, even cryptocurrencies as well, and they use the same screen as explained before. What these malware do is obfuscate code, encrypt strings, and add anti-analysis protections like anti-VM and anti-debugger functions. They have this malicious DLL indicating the institutional target: "oh, now I see which institution it is." The strings are encrypted with a custom algorithm used by Latin American trojans; they do what the malware does, nothing different. One thing different in this family is that they can monitor Bitcoin wallets: when a wallet address is copied, they replace it with their address, so they can do everything.

Okay, now Mispadu. Mispadu has been linked with many spam campaigns targeting especially Bolivia, Chile, Mexico, Peru and Portugal. One of their main strategies is to compromise legitimate websites, searching for vulnerable versions, especially of WordPress, to turn them into their C2 and spread the malware from there. So cool, nice. They filter by country to decide the attack: they drop different types of malware based on the country the victim is in, so in Brazil it's one, and it's the same but different, as I said before. They use this infection chain (oh sorry, this is in Portuguese as well, sorry, I forgot to translate, but if someone would like to read it, you can speak in Spanish as well). So Mispadu has a multi-stage infection strategy, because they split the malicious techniques into different components, making it harder to detect, super hard because they split, and they also hide the malware inside a fake certificate, so it's harder to detect, and they use certutil, because it's a legitimate Windows program, and then the code executing the bank intrusion. One of the campaigns they ran in 2019, especially in Chile, distributed this malware through Facebook ads faking McDonald's discounts; this happens a lot, so many, many people fell for it, and it's malware. An important feature of Mispadu: the trojan and the command and control server have not changed since the first attacks; even though it works, they have not changed the C2, and it's still running. Most recently this lovely family, back by unpopular demand, was identified in 20 different campaigns from the end of 2022 to now; folks from Metabase Q from Mexico identified these campaigns; they're using banking trojans spread all around.

Mekotio is very interesting, very active in Brazil, with a very long infection chain, really, really long; this is very simplified. You can find this in English; this is in English actually, because when I wrote this report for the previous company I worked for, it was in English. Oh no, sorry, it's in Portuguese again, sorry, oh my God. I read some phishing URLs, but can you understand? Yes? No? You're kind of cool. So, very active in Brazil, Chile, Peru and Mexico, starting in 2020, and about three years ago they started to target countries in Europe: Spain, Italy, Portugal. The family uses custom encryption, abuses LOLBins as well, and uses a lot of this technique named binary padding, super cool, lots of stuffing inside so it's hard, and they use scheduled tasks to start the infection stage as well and execute a specific file, but never, never use persistence. This is very unique: a very long infection chain and no persistence; it's rare, but it happens a lot. And their TTPs: a very long list of TTPs. Mekotio: this scheduled task starts the infection stage in the next minute, executes the specific file, and that's it, super cool.

And Astaroth, this is my favorite, because everything is automated. They just automate everything; the process is automated, unlike the other malware that uses many human parts, so humans can fail, but if you automate it, it's more difficult. So it's phishing: they send phishing emails with a unique compilation of malware, so this is basically almost impossible to detect by hash and difficult to create YARA rules for (I say "YARA" in English because the Portuguese pronunciation is different). So they
send something like a million emails per day; it's a lot of mail. All their infrastructure is cloud based, and they have their own domains, even third-party services; they protect against DoS attacks, so it's very hard to remove this guy. So this is more modern malware, Astaroth, and come on, one million spam emails per day is a lot. The campaigns are massive and very generic, like "click here to access your Google Drive" or DocuSign or something like this. The infection chain is easier; again in English, sorry guys, so sorry, but if you want I can translate it for you and send it. This malware exploits websites vulnerable to cross-site scripting attacks to deliver the initial payloads, and then they phish; yes, I know this is in Portuguese, because this is the campaign, it's in Portuguese, but you can see: "download your document here," this and that, and they link the victim to something like Google Drive, DocuSign, blah blah blah. And something very cool: they are very hungry, they steal website sessions; I love this one, the Cookie Monsters. And now what? So as I say, they are very simple, super simple, but they work a lot.

And why does this malware work? Because the threat landscape in Latin America and in Brazil is very specific: despite everybody being connected to the internet, they are not so savvy about how to protect themselves. I know it's the same here in the US, but people go "oh, it's a weird link, okay, let me click; I want to download a game or a VPN." They do this a lot, because in Brazil, or in Latin America, everything is super expensive; for example, to buy one dollar I spend five reais, so everything's super expensive. What do people do? They crack, they download pirated software, and this malware mostly spreads like this: "let me find some trick for my game," and it happens a lot with software and VPNs, and they go to warez sites: "what's this? This looks like XVideos but it's XX video, I'll go there." So it's super easy to download this malware. On the other hand, the adversaries are kind of lazy, not lazy, but "okay, I can do this with a little effort," and they have limited patience: they just deliver the threat, change a little, modify a little, as I said before, from the older siblings to the younger to the cousins, blah blah blah. And there's a lot of social engineering, but these guys don't have very hard technical skills; they are super shallow, really shallow. They buy it and modify it a little, and they don't even think about their OPSEC, so it's easy to spot them. So why are they not in jail? Because mostly in Latin America this kind of guy doesn't go to jail. We are trying very hard; for this we have jobs forever as cybersecurity people. Brazil right now has signed the Budapest Convention, which means international cooperation among countries everywhere, so it will be easier to arrest these guys, but even if they are arrested, other ones will show up, again and again; a lot of problems. Well, last year the Kaspersky threat report said Brazil generates about 60 percent of the malware in the world, and in Latin America it's followed by Mexico and then Peru. It's a lot of malware we produce; I'm not proud, it's not a very good title, I know, but thanks to this I have a job forever, this is good, and then I can afford to come here to talk to you about this. Hopefully next year I'll be less nervous and my English a little bit better; I promise you my English is better than this, but I'm a little bit nervous. And then: that's all, folks. But wait, the best part: there is a music, like the Succession music, hold on, hold on. And that's it. Thank you. [Applause] Does someone have a question? Yes. Please talk loud, for everybody.
Question: Okay, if it's basically the same malware, why isn't it caught by antivirus?

Answer: It just happens. It's not the same; it's a little bit different. They have different names, they target different countries. As I say, if it's working, it's working; when it stops working, they modify it a little bit, so they keep going, running and running, just for this. They don't need to start from scratch; they just reuse this a lot, because it works and it's cheaper than buying a new one. Someone else?

Louder, louder, I know you can speak louder.

Question: The software that they're using, on what...

Answer: Well, worldwide it's Windows, because it's cheaper; you can crack it, you can download it for free. Of course there is some malware made for Linux, we know this, but it's a little bit rare, because not everybody uses it; everybody uses Windows. I have to use Windows sometimes, but okay, I have some protections on my computer, and I use Mac as well, and I don't use my bank here. Yeah, I am bulletproof, baby. No, just kidding. Windows, because everybody is on Windows; most people use Android phones because they're cheaper than iOS, so there's much more malware for Android than for iOS or Xiaomi or any other brand. Just this, that's easy. I think it's working now.

Question: Thank you for trying to speak; thank you a lot. My question is: a lot of the families you went over, you mentioned they had European targets too. So in your opinion, are these Brazilian operators selling their malware overseas, or are they just reaching targets because the victims speak similar languages? What's your opinion?

Answer: Both, actually, both. Some sell; sometimes we don't know which one, it's hard to spot the exact person. We know the families because the TTPs are similar, but we don't know who is behind the malware. So they sell, and of course if the language is similar, like Portugal or Spain, it's easier, or even Italy: it's not the same language, but Latin languages are easier. But some malware is targeting the UK, for example; they sell, and, well, I don't know if it's because they sell or because it's kind of easy. Some bank protection: besides everything I said, we have very good protections in banks in Brazil; one of the first internet banking systems, online banking in Brazil, started around 1996. We have very good protections, but of course there are failures and holes there. But abroad, especially in the UK (here in the US I don't know, I don't have this vision), in Europe they have a lot of failures, so for this, and because it's easy, why not? You're welcome. Someone else? That's it? One, two, okay.

Question: How effective is Latin American law enforcement?

Answer: Can you repeat?

Question: How effective are Latin American police at finding some of these?

Answer: Well, we have a very good police trying to find these cybercriminals, of course, everywhere, but our cybercrime policies are not that good; they're okay, not good enough. But there are a lot of people working against them, like me and my folks here from Brazil or Latin America; we try hard. But when you arrest a cybercriminal, it's not so easy anywhere in the world; we see large ransomware groups being arrested because a lot of people and a lot of big companies lost money, and then they really try to catch these guys, but not for this malware, it's very specific. But yeah, they are good, not the best, but they are good. I'm not diminishing Brazil or Latin America; I'm very proud of where I live and of the police that try to catch these bad guys, and in cybersecurity we are very good, really good. But, like everywhere else, sometimes it's hard. You're welcome. Oh, I have to stop now, but if you have another question, please, you can reach me here; I only put a QR code because I thought no one would scan it, but I promise I can explain better, with less pressure, what I did. I know sometimes it's hard to understand what I say because I was nervous, but please reach out to me, or I'll be around here and at DEF CON and Black Hat, if you want to ask something. I appreciate it. Thank you, guys, thank you very much. [Applause]
We would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat and Toyota. It's their support, along with other sponsors, donors and volunteers, that makes this event possible. These talks are being streamed live, and as a courtesy to our speaker and audience we ask that you check to make sure that your cell phone is set to silent mode. If you have any question, you can use the audience microphone so that YouTube can hear you. And with that, let's get started. Please welcome our speakers. [Applause]
...hyperscale detection and response. Maybe you've faced a similar problem with your SIEM, that is, scaling, and if you're just passing by and thought that this talk was cool, we've got you covered. So in a few slides we'll go over our introductions, what was the problem that we faced, how we approached it, how we solved it, a short demo, and then we'll leave you with some future thoughts. So who am I? I am Nija. I manage eBay's security analytics and detection engineering team. I led the development and delivery of Argus, the hyperscale detection and incident response platform for eBay, and when I'm not working I'm usually attending music concerts, or I like to dance, and if not that, then I'm fostering kittens from the local rescue center. Over to you, Kiran.

Hi everyone, I'm Kiran Shirali. I and my team are Nija's customers in eBay; I lead the detection engineering team. I know she said security analytics and detection engineering, so I guess I work for her too. We are the team that basically writes security detections on logs, does security research, and looks at malicious content in support of our 24/7 incident response team. That's what my team does, and when I'm not in endless meetings at work, I like to go out on fun hikes, especially on sunny days; if the day is not sunny, I like to sit back with a good fiction book.

So let me set the problem statement as to what we want to talk about and what we wanted to solve, and also give you the context as to how we got there and how eBay functions, because that context is very important. Now, before I jump into that, I am curious: a quick show of hands of all of you who work in incident response or support incident response through a sister function like detection engineering, security tools or SIEM development. Who all in the room? Okay, that's quite a few, awesome. So let me set some context as to how we function; I'm pretty sure this is very similar to how your teams work. We've got very specialized teams in eBay. We've got assets that we need to monitor, so somebody from detection engineering will go and work with these owners; we do modeling on what potential attacks can happen on them; we identify what logging artifacts are there on these systems; we then work with a log onboarding team to get these logs onto a centralized SIEM; we write security content on these logs; we push it to production; and then, when something malicious happens, alerts are generated from that content and our incident response team, aka CERT, responds to them. While not on this figure, we primarily use ServiceNow as a case management system, where all our incident engineers work, but all analysis of logs and investigations is done on this centralized SIEM.

Now let me spend a quick moment on infrastructure, because it's important. We've got multiple zones, but at a very high level think of two large zones inside eBay's networks. One is MP, what we call marketplaces; that's got any infrastructure that supports ebay.com, that's production infrastructure, and there is an infrastructure engineering team that manages this whole zone. Then we also have corp; corp is anything that has got to do with employees and employee services, and there's a separate infrastructure engineering team for that. So two infrastructure engineering teams, each with their own stuff, their own CMDBs; that adds a level of complexity. On top of that, we are predominantly on-prem; we manage our own data centers, so almost 95 percent of our deployment is on-prem. We've got a little bit of footprint on public cloud like Google Cloud and Azure, but predominantly it's on-prem. Also, being a mature company, we essentially have a lot of custom stuff, so out-of-the-box connectors don't really work for us; we have to build things to be able to get logging artifacts. So all of this adds complexity to our monitoring challenge. Now remember I also talked about the scale of marketplaces: there's a lot of scale, there are a lot of servers, and that adds the problem of scaling in terms of large-scale security logging data sets. I will share numbers in a little bit about how much our day-to-day logging ingestion is at, but scale is a problem. And then finally, when we started this journey we were on a lot of unreliable data transport protocols, so log loss had become a huge issue for us. So all of these were the problems that we needed to solve, and this talk is about this.

So what did we do, how did we solve this? Our monitoring, detection and response journey started almost a decade back, somewhere around 2014. At that time we wanted to expand coverage; we went out and looked at the more popular SIEMs out there; we settled on the most popular SIEM; we bought the SIEM; the infosec team deployed it and set up all the infrastructure for indexers, forwarders, search head clusters; we reached out to the teams within marketplaces and corp and got all syslogs (I know syslog is very unreliable, but nonetheless we got it); we started writing detection rules on it and piped alerts into ServiceNow for our incident response team to work on. One terabyte per day of logging became two, two became four, four became eight. I don't know; some of you are in incident response, some of you work with incident response; any time I talk to my incident response team they go "oh yeah, get us more logs, get us more data, get us more context, to err on the side of caution just get us everything." So to meet that need we kept on expanding and expanding and expanding, and we started feeling the burn of licensing fees at 20 terabytes per day. At that time we realized this is not tenable, this is not scalable, we've got to do something. So we went back to the drawing board and we started thinking what we could do, how we can still ensure that we are reducing risk for eBay and expanding monitoring coverage but not breaking the bank, and we started looking internally at what eBay's infrastructure teams could maybe provide us and how we could solve this problem, and that is when Nija's team came in and helped us solve this issue. So I'm going to hand it back to her to walk us through the rest of the story.

Thank you, Kiran. So as Kiran was suggesting, we had two major problems to solve: one was the reliability issue and the other was the scaling issue. So how did we go about the reliability issue? While we were researching, we realized
that one of eBay's internal infrastructure teams, called the Unified Monitoring Platform, leverages Elastic Beats to reliably collect logs from marketplace hosts. These Elastic Beats agents reliably send logs to eBay's infra ingress, and from this ingress we added our pipeline, which was predominantly three components: Kafka, Apache Flink and Hadoop. Why we chose these three components: the choice was straightforward for us. Kafka is a distributed stream processing, log collection and transportation mechanism which integrates seamlessly with Apache Flink; again, Kafka can be used to transport data reliably between the different components of a SIEM. Moving on to Flink: Flink is a very robust and very powerful stream processing engine that worked well for us, and at massive scale; you can basically scale it to however you want. That solved the reliability problem. Then, moving on to the scaling problem, we wanted to save these logs, huge petabytes of logs, reliably and cost effectively, and while we were thinking about it, Hadoop was a no-brainer for us, because it has practically flat or linear cost for all the ingestion, and again we had an eBay internal team supporting our Hadoop clusters. So the synergy of Kafka, Apache Flink and Hadoop was the way to go for us. While we were discussing the data pipeline reliability and scaling issues, we realized that we can leverage Flink and its massive computing power to build a detection or event pipeline, and then we leverage Flink SQL to build the detection logic: reliably get the data, build the detection logic, and sink alerts to ServiceNow, which is again our case management system. So the whole concept is called Argus, and these three components are the open source components that work as a SIEM as well as a data analytics platform for us. I'll quickly go over a short demo to show how easy it is for a detection engineer to write a detection use case using Flink SQL, and for an incident response engineer to go on ServiceNow, look at the alerts and perform investigations using the Hadoop UI.
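As an added illustration of the kind of script this demo walks through (this is not the talk's own script and not eBay's Argus code), here is a Flink SQL detection job in the three-part shape the speakers describe: a Kafka-backed log source table, an alert sink table, and an INSERT ... SELECT that carries the detection logic and writes matches back to a Kafka topic for routing into case management. The topic names, field names, broker address, consumer group and the failed-login threshold are all assumptions chosen for the example.

```sql
-- Added example (not from the talk or from eBay): a Flink SQL detection job in the
-- three-part shape described in the demo. Topic names, field names, broker address
-- and the threshold below are assumptions, not eBay's or Argus's real configuration.

-- 1. Log source table: reads authentication events from a Kafka stream.
--    event_time carries a watermark so the window below is computed on event time,
--    which keeps late-arriving or replayed log lines in the window they belong to.
CREATE TABLE auth_log_source (
  event_time  TIMESTAMP(3),
  host_name   STRING,
  user_name   STRING,
  src_ip      STRING,
  outcome     STRING,   -- 'success' or 'failure' (constructed schema)
  WATERMARK FOR event_time AS event_time - INTERVAL '30' SECOND
) WITH (
  'connector' = 'kafka',
  'topic' = 'auth-events',
  'properties.bootstrap.servers' = 'kafka-broker.example.internal:9092',
  'properties.group.id' = 'detection-auth-bruteforce',
  'scan.startup.mode' = 'latest-offset',
  'format' = 'json',
  'json.ignore-parse-errors' = 'true'
);

-- 2. Alert sink table: matched events are written back to Kafka, from where they
--    can be routed anywhere (for example into a case-management system).
CREATE TABLE auth_alert_sink (
  window_start   TIMESTAMP(3),
  window_end     TIMESTAMP(3),
  user_name      STRING,
  src_ip         STRING,
  failure_count  BIGINT,
  rule_name      STRING
) WITH (
  'connector' = 'kafka',
  'topic' = 'security-alerts',
  'properties.bootstrap.servers' = 'kafka-broker.example.internal:9092',
  'format' = 'json'
);

-- 3. Detection logic: raise one alert per user/source pair that produced 10 or
--    more failed logins inside a 5-minute tumbling window. Only the fields needed
--    by the responder (who, from where, how many, when) are carried into the sink.
INSERT INTO auth_alert_sink
SELECT
  window_start,
  window_end,
  user_name,
  src_ip,
  COUNT(*) AS failure_count,
  'auth_bruteforce_5m' AS rule_name
FROM TABLE(
  TUMBLE(TABLE auth_log_source, DESCRIPTOR(event_time), INTERVAL '5' MINUTE)
)
WHERE outcome = 'failure'
GROUP BY window_start, window_end, user_name, src_ip
HAVING COUNT(*) >= 10;
```

Submitting this script as a streaming job keeps it running continuously over live data, which is the behaviour the demo describes for the running Flink jobs. The windowed aggregation is the part a templated rule would leave to the detection engineer: the source and sink definitions stay fixed, and only the SELECT, the WHERE filter and the threshold change from rule to rule. Using event time with a watermark, rather than processing time, matters for security logging in particular, because transport delays and replays after an outage would otherwise shift counts into the wrong window and either miss or duplicate an alert.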
So this is how a Flink SQL dashboard looks; whenever you are trying to build it, it may look a bit different. This is a Rheos dashboard; again, Rheos is the team that maintains Apache Flink and Kafka for us. They've added a SQL editor for us, and when a detection engineer goes to write a detection script, they'll usually use this editor, write the script, name it, use the SQL version that they want to, and then go on editing their Flink SQL script. I will go over the different components of the script one by one and show you how you can leverage the power of Flink SQL to build a detection use case. As you can see, you can import any user-defined function here; again, a user-defined function can be written in Java, so the possibilities are endless. You can create a function using your imported user-defined function and use it in your script.

Now let's talk about the three components of the script. The first is the log source table; for this table, imagine a Kafka stream, so the log source table will pull the data from the input log stream. Then we are going to do some detection logic on the log stream, and then sink the relevant alerts, or the logs that match your detection logic, back to the Kafka stream, and then you can route it anywhere you want to. So I define a log source table with the relevant fields; I create an alert sink table and define it with the relevant fields. Here I'm using the connector type Kafka, but you can use any connector type that matches your architecture. The third component is the actual detection logic component in the script; here we are inserting into the alert sink. Again, it's pretty simple: you can plug in your detection logic, and the fields that match the detection logic from the log source table will be inserted into the alert sink. Once the detection logic is complete, the detection engineer will basically save the script and then spin off a Flink job from it, and these are all the running Flink jobs; again, they are running on streaming data, so all these detections will continuously run on real-time data. This is where the detection engineer's work stops and an incident response engineer's work starts.

So this is a ServiceNow dashboard where you can see test alerts; I will walk you through one of the alerts. When an incident response engineer gets an alert, these are some alert metadata fields, some additional information; again, we've worked with our internal ServiceNow automation team to get a customized SIEM drill-down link in the alert itself. When a CERT engineer clicks on the SIEM drill-down link, it redirects them to a UI. Now this UI is what we call Zeta; again, you can use any other UI of your choice, you can use any OLAP tool, or it can be as simple as a Hive query to interface with your Hadoop backend. I'll go over what a drill-down is. Once an alert is triggered, it can have been triggered by one matching event or multiple matching events. So when an incident response engineer sees an alert, they want to have additional context, additional information, and want to be able to correlate it with additional data to make an informed decision. So while they are routed to a Hadoop UI, we have a pre-populated query, the drill-down search, that will be running and will give them the results and the relevant data in seconds, and once the relevant data is given (again, you can plug and play your own logic here), once the drill-down is running and gives its output, they can easily use this to make an informed decision on whether the alert is benign or a true positive.

Now, what should be our future state, you say? We are currently leveraging Argus as our second SIEM, and we are in the process of migrating all the content from our third-party SIEM to Argus. In the future state we want to completely get rid of the third-party SIEM; we want to build an ingress that is getting logs from corp as well as marketplaces, and then leverage Argus as our centralized SIEM and completely move off our dependency on a third-party SIEM. And how did this approach help us? Let's hear it from the customer. Over to you, Kiran.

Thank you, Nija. That was pretty cool, huh? That's a lot of content that we had to put together so that you can digest it in a 20-minute demo, but the gist of this whole presentation was that open source components tend to work; it has worked for us, it will work for you too. We used Apache Kafka, Apache Flink and Hadoop; you can too. You can use Elastic Beats to basically get data sets; we built our own ingress, it's a custom ingress, but you can use something like Logstash. So if you are thinking about open source components for your incident response team or your detection team, you can come and talk to us; there are a lot of things that we already evaluated, and we can give you suggestions. If you think that a detailed blog post about how we set this up would help you, let us know; we have contact details right at the end of this talk; you can reach out to us or just come up after this conversation. Also, you may think, "oh, is this a lot of coding and scripting, how would my security engineers be comfortable with this?" So we use the principle of keep it simple. You saw Nija walk us through a Flink script; that's essentially a detection rule that has been templated. They gave us these templates, so my team can focus only on the SQL content that is needed to look for that detection. When alerts fire and an alert is generated, incident response is looking at it; the drill-down searches immediately go to a templatized query on Hadoop, so that way an incident engineer only needs to tweak the query and run it, and they don't need to relearn a lot of these things. So by making it simple for the security engineers on our team, we were able to adopt this system and embrace it. Now in summary, how did this help us? First of all, remember I said we were breaking the bank at 20 terabytes per day; we are now at 55 terabytes per day in security logging, and we are having higher coverage; our CSO is no longer complaining about my SIEM costs anymore. Large data sets: we are now able to query large data sets, and this is important because we're thinking about our future
and just hold on to that thought I'll come to it in in a few seconds we're no longer dependent on customer support of a vendor um if we need anything we need something customized all we do is we we just turn it on ninja sitting right next to us we go hey Ninja can you build this for us right and and we get that support we have embraced open source which means that we can build you know uh sorry we can contribute back to the community and then finally we are thinking about machine learning because we've got these large data sets now we never had it in our third party uh Sim and we are
looking at what can we build uh using ml or simple ml models to get better insights and our hope is a year from now we can come back set on the stand on the same stage and walk you through our journey of ML and Argus but till then this was our talk thank you for coming any questions [Applause] thank you
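The talk describes a templated detection rule (a log source table, a Flink SQL INSERT into an alert sink) and a pre-populated drill-down query that the responder runs against the Hadoop backend. The block below is an added example, not eBay's Argus code or anything the speakers showed: it runs a threshold rule over a handful of constructed authentication events, emits alerts with the metadata fields a responder would want, and binds the alert fields into the drill-down as query parameters rather than formatting them into the SQL string. The rule id, window size, column names and the SQLite stand-in for Hive are all assumptions made for the example.

```python
"""Added example: a templated detection rule run over constructed auth events,
producing alerts with a pre-populated, parameterized drill-down query.
Stand-in for the Flink SQL job plus Hive drill-down described in the talk; not eBay's code."""
import sqlite3
from collections import defaultdict

WINDOW_SECONDS = 300  # assumed tumbling-window size for the rule

# Constructed sample "log source" events (RFC 5737 documentation addresses, made-up users).
LOG_SOURCE = [
    {"ts": 1000, "src_ip": "203.0.113.7",  "username": "alice", "result": "FAIL"},
    {"ts": 1010, "src_ip": "203.0.113.7",  "username": "alice", "result": "FAIL"},
    {"ts": 1020, "src_ip": "203.0.113.7",  "username": "bob",   "result": "FAIL"},
    {"ts": 1030, "src_ip": "203.0.113.7",  "username": "bob",   "result": "SUCCESS"},
    {"ts": 1040, "src_ip": "198.51.100.9", "username": "carol", "result": "FAIL"},
    {"ts": 2000, "src_ip": "203.0.113.7",  "username": "alice", "result": "FAIL"},
]

# The "template": everything except match, group_by and threshold is fixed plumbing,
# so a detection engineer only fills in the rule content (hypothetical rule id).
RULE = {
    "rule_id": "AUTH-BRUTE-001",
    "name": "Repeated authentication failures from one source",
    "match": lambda e: e["result"] == "FAIL",
    "group_by": "src_ip",
    "threshold": 3,
}

def detect(events, rule, window=WINDOW_SECONDS):
    """Return one alert per (group key, window) whose matching-event count meets the threshold."""
    buckets = defaultdict(list)
    for e in events:
        if rule["match"](e):
            buckets[(e[rule["group_by"]], e["ts"] // window)].append(e)
    alerts = []
    for (key, w), hits in sorted(buckets.items()):
        if len(hits) >= rule["threshold"]:
            alerts.append({
                "rule_id": rule["rule_id"],
                "name": rule["name"],
                rule["group_by"]: key,
                "window_start": w * window,
                "window_end": (w + 1) * window - 1,
                "hit_count": len(hits),
                "users": sorted({h["username"] for h in hits}),
            })
    return alerts

# Drill-down template. Alert fields are bound as parameters, never formatted into the
# string: log fields are attacker-influenced, so string-building here would let a crafted
# event inject into the analyst's query.
DRILL_DOWN_SQL = (
    "SELECT ts, src_ip, username, result FROM auth_logs "
    "WHERE src_ip = ? AND ts BETWEEN ? AND ? ORDER BY ts"
)

def drill_down(alert, conn):
    """Run the pre-populated drill-down for an alert. Returns every event in the window,
    not only the matching ones; the non-matching rows are the context the responder wants."""
    params = (alert["src_ip"], alert["window_start"], alert["window_end"])
    return conn.execute(DRILL_DOWN_SQL, params).fetchall()

def load_backend(events):
    """In-memory SQLite standing in for the Hadoop/Hive backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE auth_logs (ts INTEGER, src_ip TEXT, username TEXT, result TEXT)")
    conn.executemany(
        "INSERT INTO auth_logs VALUES (?, ?, ?, ?)",
        [(e["ts"], e["src_ip"], e["username"], e["result"]) for e in events],
    )
    return conn

if __name__ == "__main__":
    backend = load_backend(LOG_SOURCE)
    for alert in detect(LOG_SOURCE, RULE):
        print(alert)
        for row in drill_down(alert, backend):
            print("   ", row)
```

On the constructed events the rule fires once, for 203.0.113.7 in the 900-1199 window; the drill-down then returns four rows for that source, including the later SUCCESS, which is exactly the extra context that tells the responder whether a password-guessing run ended in a compromise.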
All right, thank you, this is a really great talk. In terms of the open source, you mentioned contributing back: how do you budget time for engineers to contribute back to these open source libraries, and what types of things are you trying to contribute back?

Hi, I can take that. Just an example of how we would do that: there has been a lot of customization while we are trying to connect to some public clouds like GCP. We have Flink that is kind of tweaked to our system and our architecture, so if there is a connector that needs to be built to leverage the power of GCP Pub/Sub and get the logs onto our pipeline, that's Argus, we end up doing a lot of custom stuff. Recently we had this example of having a synchronous Pub/Sub connector, the Flink GCP connector, and then we had to build an asynchronous one. Funny enough, there wasn't an asynchronous Flink GCP connector built, and while we were building our own stuff and our own connector we thought, hey, we can just contribute it back. So these are some examples where, while we are tweaking these systems for our own custom architecture, we realize that while we are working we can shed that time and hone it for more open source contributions. Thank you.

I guess this makes it simpler for everyone, so thank you. This is a great presentation. I do want to know what were some of the alternatives that you discussed or considered in this process. You didn't immediately go "wow, this is great, we could just go directly to Kafka" and then automatic; nobody has that insight. So what were some of the considerations? There's also the consideration of saving some of the FTE, the people power within the company, and outsourcing that to someone who has an off-the-shelf solution that could handle maybe some of these use cases, or things like Spark to handle streaming; I know that they have a streaming service too. So were there other kinds of alternatives that you considered and eliminated?

So we did look at a couple of solutions out there when we were evaluating this situation. We were looking at other SIEMs, other stuff, but one of the pushes that came from all the way from the top is that there is a culture of open source that our CTO and our CISO are embracing, and that has been a strong factor, because we use it and there's also the aspect of contributing back. The second thing that went very strongly into this factor is the fact that a lot of these platforms were being used by infrastructure teams within eBay, so we didn't need to reinvent the wheel; we could just leverage an existing platform, take it only for our portions, think of it as a cluster just for us, and be able to write stuff specifically for us. So it was that combination. Again, for our scale and what we wanted to achieve, weighing the pros and cons, this was like the best pro, and that's why we went here. Again, you're right, it has not been like we woke up in the morning and said "yeah, today we're going to do Flink and SQL." Like I said, the journey started all the way back in 2014; the solution, I think it was 2018 or 2019, was when we started on this plan of Flink and the data pipeline, and eventually it became an event pipeline for us.

Can I quickly follow up on that? Yeah. So outside of these considerations for your specific company's requirements, are there things that the audience can take away, considerations that were eliminated along that process, heavy considerations that people should be considering here?

The best thing that I would say as a takeaway is that a lot of these technology stacks, we fear them, at least we did, because they were unknowns. Once we started using them, you quickly realize that they're very easy to use. As long as you have some kind of an engineering background you can write code that can reach out to REST APIs and things like that. So that's what I would say: just look at them, just play with them, and you will see that a lot of these tech stacks actually do work, and that's what I would say should be a takeaway from this talk. And in case you're also asking for any technologies that we tested and thought "this isn't working," we did try a few of those. We tried Druid, we tried Elastic, we tried S3; so we tried a bunch of those, and I think these three components worked the best for us. So in terms of technology, yes, we did try a few things.

Okay, I think I speak for a lot of people here: a write-up on this would be awesome. This is a lot of good information. Probably the second thing was, how many millions was Splunk costing you in the first couple of months?

Yeah, you should talk to us after the talk. Yes, just our licensing fees did become very expensive, and because of our scale this made a lot of sense for us, and this would work for us. I know we are out of time, so if you have any questions we'll be right here after the talk; please come up. But thank you so much for attending our talk.

[Applause]
All right, let's get started. Please welcome Christina.
[Applause]

Good afternoon everyone, I am Christina Liu. Oh my goodness, it's mic'd. Who am I? I am a senior security engineer at Cisco Meraki. I am also a Certified Information Privacy Technologist. I am at cluthulu on, I guess it's Twitter, and I have a website if you want to find me later.

So what will this talk cover? First we're going to get into why this is important. Second we're going to get into what personally identifiable information, or data, is. Then we will go into the dangers of re-identification, and then we will end with some practical takeaways that hopefully you can go and implement.

To better understand the power of personally identifiable data, I want to play an imagination game, and to do this I am going to make a game for all the burrito lovers out there. I'm here to espouse the wonders of Burrito Match. This app is the hottest thing in burrito recommendation engines. It will take all of your likes and dislikes, run them through its algorithms and find you your perfect burrito. To do that it will need your dietary stuff: are you pescatarian, vegan, omnivore, and do you have any dietary restrictions? Are you gluten free, do you need your food to be halal or kosher, do you for some reason hate avocados? It will take all this information, run it through its algorithms and find that perfect burrito. But not only is it a perfect burrito, it's the perfect burrito that's closest to you right now, because time is of the essence when you're hungry and kind of hungover. So this app is so freaking good you use it like every day for six months, because ain't nobody got time to cook.

But what if this app was not forthcoming about its data sharing policies? What if the information that you like every burrito with extra sour cream and two Modelos, which exceeds the doctor-recommended weekly good-idea stuff, gets sold up to health insurance providers, and for some reason your health insurance premiums go up? Now even worse, what if the information then gets sold up to organizations and companies that do religious surveillance, which is possible because it has location data and halal and kosher filters? Now this app suddenly goes from whimsical and fun to dangerous and disturbing. So thank goodness that this app is completely imaginary, but there were and are apps that are personal data nightmares.

Does anybody remember, with the super old iPhones, how the light only turned on when we took flash photography, which was a feature that nobody liked? What we actually wanted was the light to stay on so that we could use it like a flashlight, and because of this user-driven demand there was this proliferation of flashlight apps all over the place. I'm going to talk about one in particular, and it's the flashlight app done by iHandy, and an analysis that was conducted by Authority, which is a mobile security software company. They found that the flashlight app had access to the user's location, could read the user's calendar, could use their camera and had access to the unique ID of the device itself, and with that information they also had the ability to then send that information up to advertising networks, all without user consent.

And users care what happens to their data. In a 2022 consumer privacy survey done by Cisco, 76 percent of the people surveyed said that they would not buy from a company that they do not trust with their data. And not only is this a trust issue, this is a user respect issue, because whatever code you write, whatever software you're involved with building, it will impact people, and you want your impact to be positive. You want to be building better and safer products; you don't want products rife with unintended consequences in the code and in the architecture, because when privacy and security are mishandled the consequences affect people in very real ways. So here's a chart from 2017 from Experian. It's a little out of date, but it shows the dollar value of people's information on the dark web. Your Social Security number was worth about a buck, which is kind of surprising, but passport information is worth one thousand to two thousand dollars. So in this chart you can see some real quantifiable harms that this generates.

It should be obvious now that privacy is important, but what is privacy? Privacy usually gets talked about in terms of buzzwords and rants in our industry, and we usually hear about privacy in terms of damages, in the millions of dollars lost in data breaches. But at its core, privacy is an individual's right to maintain control over their personal information, because privacy allows people the ability to be themselves. It gives them the ability to control what to share, where to share it and who they're sharing it with. And thank goodness, privacy can be achieved through policy, such as legal and corporate policy, and also through technical engineering controls.

Hand in hand with privacy comes security, especially in this modern age. We should all know the answer to this one: what is information security? But again, this industry is rife with buzzwords and rants, so many rants, and with talk of threat actors; our most popular threat actors are always hackers, hackers and more hackers. Now, Angelina Jolie aside, security at its core is the systems and the controls built to protect information. That's what it is, and the information that we are protecting is things like proprietary code, credit card numbers and, yes, personally identifiable information, often referred to as PII in acronym form. So security can help achieve privacy, but it alone is not enough to protect privacy or PII.

When we get into PII, it's usually categorized into two buckets: sensitive and non-sensitive. What counts in which bucket will depend on your country, on the jurisdiction, on your laws, so be very careful when you are creating the classification for what is sensitive and non-sensitive PII. Sensitive PII, as defined by the Department of Homeland Security, is data that if lost, compromised or disclosed without authorization could result in substantial harm, embarrassment, inconvenience or unfairness to an individual, but the TL;DR is any information that can quickly and accurately identify an individual. Some examples: up at the top is the Social Security number; that number follows us throughout our lives, we need it for everything from employment to housing. Driver's license numbers: we don't usually change these unless we are moving to another state. And biometric information, because I don't have the Men in Black zapper, so I kind of keep these.

Now we go into non-sensitive PII, and that is basically information that by itself is not generally considered to be a risk to an individual's privacy or security. This information is generally collected for things like marketing, customer service and research, but care is still needed to ensure that this data is protected from unauthorized use, access, disclosure, destruction, all that good stuff, because even though one piece of data by itself is not a risk, if you have multiple pieces of data that together can quickly and accurately identify an individual, that becomes dangerous. So for example, if you just have an address you might not be able to find that person, especially if they're living in a giant apartment building, but if you have an address, a gender and a birthday you may be able to find the person you're looking for.

To protect data and to be able to use collected data, there's a concept called de-identification, and that is the tools and the techniques that organizations use to minimize the privacy risk of storing and publishing data containing PII. Here are common de-identification methods. Note that they may be called different things depending on your industry, but the idea is very, very similar.

The first one we're going to talk about is redaction, which is the idea of removing data from a data set. I like to think of redaction in terms of Hollywood military movies, where they'll have a letter and they'll cut out the sensitive information from it, so you have a letter with a bunch of holes in it. Same thing: removing data. So for example, if you have a data set that has people's names and Social Security numbers, can you remove the Social Security numbers and still get what you need done?

The next one is masking, also known as pseudonymization. It's the idea of obscuring your PII, so instead of having clear-text Social Security numbers, can you replace them with all stars, or make smaller stars, or can you run these fields through functions that will generate real random strings and fields?

Next is generalization, the idea of grouping your data to get rid of those specifics. So for example, if you have a data set where you have people's ages, instead of publishing or storing their actual age, can you instead say that these people are over 18 or under 18, over 65 or under 65?

Then we get into obfuscation, which is the idea of adding noise to your data. So again, if we think about the data set with ages, instead of having the age, can you round their age up or down to the nearest decade? Can you instead average out everybody's age in the data set to be, you know, between 46 and 54 or something like that? A note here is that obfuscation can be aggressive and can make your data harder to use, but if you are dealing with data sets with very sensitive information like health care records, this could be a good way to go.

So safe data handling and disclosure is more important now than ever before, because companies are getting fined big time. Back in May of this year, the Ireland Data Protection Commission fined Meta 1.8 billion, with a B, dollars, and ordered Meta to stop sending EU users' information to the US. Meta is actually still appealing this, so only time will tell whether or not they're going to have to pay this and what they're going to be doing with that data.

Protecting PII is important because we're really not anonymous anymore on the internet, and re-identification can happen from data sets that have been de-identified. This was proven in 2006 by two researchers from the University of Texas; their names are Arvind Narayanan and Vitaly Shmatikov. They're not actually Lego people, I just couldn't find real images of them. In 2006 Netflix had a contest called the Netflix Prize. It was a one million dollar prize contest where they asked engineers to help create a better movie recommendation algorithm for Netflix, and to facilitate this work Netflix released a data set that had information on over 10 million movies, had information on almost half a million of their subscribers, and six years' worth of that data. What our researchers did was take the information from the Netflix data set and cross-reference it with the public records on IMDb, and from that they could re-identify the user in the Netflix data set by simply matching whether and how someone ranked a movie: did they like this movie or dislike this movie. Two of those rankings could have been inaccurate and the posting date could differ by 14 days, and with just this little tiny bit of information Narayanan was 99 percent confident that the users could be re-identified. Kind of scary, but they also published that other traits like sexual preference, political party and things like that could be inferred about this person, because how we rank movies on whether or not we like them is very specific to our own personal interests.

Another example of re-identification happening from unlikely data sources is an experiment done by Dr. Latanya Sweeney. She is the founder and the director of the Data Privacy Lab at Harvard. She had an experiment that showed that you could match hospital records to newspaper articles. She got a data set from the state of Washington, and this data set had information about patient demographics, clinical diagnoses and procedures. This was de-identified, so names and addresses were removed, but some of them still had their zip codes. What she then did was go to LexisNexis, which is a newspaper database, and she found 66 articles that matched her search term and her location, which is Washington. Newspapers are in the business of informing the public of current events, so they do publish specifics like name, age, treatment hospital and other information. So she basically matched the information from a newspaper article to the record in the patient data set. Here is one example of that. In the newspaper you can see in yellow that this was a 60-year-old man, which matched back to the record in teal; the location is Soap Lake, which matched back to the zip in blue over there; the time of the accident, which is Saturday afternoon, which matched back; how this poor soul got in the accident, they had a motorcycle accident, which is in green; and then the treatment hospital in orange, Sacred Heart Hospital. And in pink you can see that the poor person's name is Ronald Jameson. So now that we know it's Ronald Jameson, we can also see in the patient demographic set that he was charged 71,000 for care, and also that he has a slew of other things he's dealing with, like pulmonary problems from this accident.

So, I am not a lawyer, and there are different laws that companies can be sued or fined under if they have data breaches and mishandle data. At the time of this talk, in the U.S. there's no comprehensive federal privacy law that standardizes how PII should be handled. There is one called the American Data Privacy and Protection Act, but that's still a bill, it's not a law; it was introduced last year, no idea where it's going to go from there. As you can see from this map, there are different states with different privacy laws and different statuses of whether or not they're there, so all the PII enforcement stuff is really piecemeal by state.

So what can we do, even though this sounds very ominous? Well, here are five things that we can do.

The first rule of PII Club is don't collect or store unnecessary data. The second rule of PII Club is don't collect or store unnecessary data. If you remember nothing else from this talk, just don't collect or store unnecessary data. If you do nothing else, this will get you far.

If you're going to be storing data, two: you want to be automatically deleting old data. Create a schedule for when that data is going away; that's called a data retention policy. Luckily, most cloud storage systems like AWS have configurations to make this a scheduled thing, so that you can set it and forget it.

Three: use only the data needed to get the job done. Advocate to be incredibly selective about the data that will get processed and shared, because we want to make it harder for re-identification attacks to succeed.

Four, this one we all should know: build for privacy and security right in the beginning, because it's never cheaper, less effort or faster to bolt it on later, and if you try to force it in later you may end up building mission-critical systems that then have to be materially changed or retired because they are privacy law violations. So also build to the strictest standard; for most of us that's going to be GDPR.

Finally, work with a privacy lawyer. Privacy law is complicated, varied and quickly changing. Even in California there were new laws coming in in January; in Colorado they literally had a new law coming in in July, and with the new stuff who knows when that will be coming in and what things you'll need to do.

So just remember: the code that you write and the systems you work on have a human impact, even if at the surface level it doesn't seem that way. We as security engineers are the stewards of our users' data, so it's important to know how users are expecting us to protect their identity, because it's the right thing to do, even if it takes a little bit more time or effort to build. After all, at the end of the day, I know that you would want the company that's responsible for your PII to be taking the utmost care and consideration with your data and doing the right thing too.

Once again, my name is Christina Liu. I want to say thank you to BSides. That is a QR code to a LinkedIn, not anything nefarious. Thank you to everyone here, on the camera, our volunteers and our AV staff. Thank you.

[Applause]

It's our time for questions.
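The talk lists four de-identification methods (redaction, masking or pseudonymization, generalization, obfuscation) and shows, through the Netflix and Washington hospital cases, that a combination of ordinary fields such as zip code, gender and age can single a person out. The block below is an added example, not the speaker's or Cisco's code: it applies each method to a constructed patient table and then checks, in the simplest possible way, whether any record is still unique on those quasi-identifiers (the k-anonymity idea the speaker mentions in the Q&A). The records, the HMAC key and the ZIP3 prefix length are all assumptions made for the example.

```python
"""Added example: the four de-identification methods from the talk (redaction, masking /
pseudonymization, generalization, obfuscation) applied to a constructed patient table,
plus a k-anonymity check on zip / gender / age. Not the speaker's or Cisco's code."""
import hashlib
import hmac
from collections import Counter

# Constructed records; the people, SSNs and zip codes are made up.
PATIENTS = [
    {"name": "Al Lee",   "ssn": "123-45-6789", "zip": "98851", "gender": "M", "age": 61, "diagnosis": "fracture"},
    {"name": "Bob Ray",  "ssn": "987-65-4321", "zip": "98851", "gender": "M", "age": 60, "diagnosis": "pulmonary"},
    {"name": "Cy Dunn",  "ssn": "555-12-3456", "zip": "98851", "gender": "M", "age": 64, "diagnosis": "fracture"},
    {"name": "Dee Fox",  "ssn": "111-22-3333", "zip": "98052", "gender": "F", "age": 29, "diagnosis": "asthma"},
    {"name": "Eve Gray", "ssn": "222-33-4444", "zip": "98052", "gender": "F", "age": 34, "diagnosis": "asthma"},
]
QUASI_IDS = ["zip", "gender", "age"]  # the address / gender / birthday style combination from the talk

def redact(record, fields):
    """Redaction: drop the fields entirely (returns a new dict)."""
    return {k: v for k, v in record.items() if k not in fields}

def mask(value, visible=4, char="*"):
    """Masking: keep the last `visible` characters, star out the rest."""
    return char * (len(value) - visible) + value[-visible:]

def pseudonymize(value, key):
    """Pseudonymization with a keyed hash: same input -> same token, so joins still work.
    An unkeyed SHA-256 of an SSN is NOT a pseudonym: all 10^9 SSNs can be hashed and matched."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def generalize_age(age):
    """Generalization: replace an exact age with a bucket."""
    if age < 18:
        return "<18"
    if age < 65:
        return "18-64"
    return "65+"

def generalize_zip(zip_code, keep=3):
    """Generalization: keep only the leading ZIP3 prefix."""
    return zip_code[:keep] + "*" * (len(zip_code) - keep)

def obfuscate_age(age, decade=10):
    """Obfuscation: round to the nearest decade (deterministic noise; half rounds up)."""
    return int((age + decade / 2) // decade * decade)

def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing identical quasi-identifier values.
    k == 1 means at least one record is unique on those columns: a re-identification candidate."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def deidentify(records, key):
    """Apply the methods together: redact name, pseudonymize SSN, generalize zip and age."""
    out = []
    for r in records:
        r = redact(r, {"name"})
        r["ssn"] = pseudonymize(r["ssn"], key)
        r["zip"] = generalize_zip(r["zip"])
        r["age"] = generalize_age(r["age"])
        out.append(r)
    return out

if __name__ == "__main__":
    print("raw k =", k_anonymity(PATIENTS, QUASI_IDS))
    safe = deidentify(PATIENTS, b"constructed-key-for-the-example")
    print("de-identified k =", k_anonymity(safe, QUASI_IDS))
    for row in safe:
        print(row)
```

On the raw table every record is unique on zip, gender and exact age, so k is 1 and the Soap Lake style match works; after generalizing zip to ZIP3 and age to a bucket, the smallest group has two members. Note that k = 2 is still weak, and the diagnosis column is untouched: a larger real table would need a higher k, and the speaker's point that these functions are "not perfect" stands.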
No? Okay, two, I have two questions. Going once, going twice. Oh, okay.

Do you think some form of anonymity could help in applications with saving users' data? Is there any research in that area?

Yeah, so there are functions and things, they're called, my brain at the moment, like k-anonymity and, oh, I can't, it's like l-something. It's very mathy. But basically a lot of data scientists are already doing these types of anonymization functions. They're kind of, unfortunately, the best things we have right now, but they're not perfect, so they can still be reverse engineered, because true anonymization is actually incredibly difficult.

Yeah. Are there any tips for unstructured data, like large...? Oh yeah, yeah. So if you just need data to play with, there is a great website called Kaggle, which is K-A-G-G-L-E. They have data on all sorts of things; my favorite one right now is the Thailand tourism data one, so it's fascinating to see what Thailand is doing. And if you just need something to generate like a JSON blob or something real quick, there is a website called Mockaroo that will absolutely do that for you with actual random data, because you shouldn't be testing with prod data, ever. Is that it?

Yeah, there was a talk a little bit earlier this morning about machine learning and kind of the remote spyware, bossware people are calling it, right? One of the things that I think is interesting, and I want your perspective on, is that as companies have started tracking employee usage heuristics data, generating all this stuff to put together insider threat profiles and all kinds of other things, you can make an argument that that could be considered PII because it's fingerprinted and unique to you, like biometric data. What do you see that kind of turning into?

So actually, California this year, one of the expansions on the California Privacy Rights Act is that there is a PII category specifically for employees. The old stuff was just general, like regular people, but California specifically has one for employees, internal. And I don't know what other states do or don't; I'm not a lawyer, so hashtag not legal advice.

I think a lot of people in the crowd are probably in security engineering and stuff like that. How do you justify a lot of these initiatives to management and the wider organization, within what you're doing? Because sometimes these things can fall down in priority or go up in priority.

Well, our fines are very expensive. So, if it's a less severe violation in GDPR, okay, so they give you choices: the less severe violation is two percent of last year's revenue or, I think it's 10 million euro, whichever is higher, and then if it's a severe violation it is four percent of last year's revenue or 20 million euro, again whichever is higher. So not getting fined is probably a good impetus. Is that it? Going once, twice, thrice, sold.

[Applause]
...decision making by Vanessa Redmond, and I have a few announcements to make before we begin. We would like to thank our sponsors, especially our Diamond sponsor Adobe and our gold sponsors Prisma Cloud, BlueCat and Toyota. It's their support, along with other sponsors, donors and volunteers, that makes this event possible. These talks are being live streamed, and as a courtesy to our speakers and audience we would ask you to check to make sure that your cell phones are set to silent. If you have any question, please use the audience microphone so that we can hear you. And with that, let's get started, and please welcome Vanessa. [Applause]

Thanks, everyone. I'm not usually used to the mic here, and I tend to... my volume goes up as I talk, so at any point if I need to speak up or lower, you know, just somebody in the back give me a signal. That way we can keep it comfortable for everyone.

So, welcome everyone. Today we're going to be talking about negotiating compromise, something I think is often missed when we're talking about infosec in general. It's not something that's commonly taught when you're going through an academic course. These are some of those kind of soft skills that I think are really important, especially as we progress in cyber security. So hopefully there'll be a little bit of something for everyone here.

To start off I'll do the obligatory "who am I", and then I always like to have a slide of why this matters: why am I talking about this, why should you care? And then the classic "who's this for", and then we'll talk about, you know, what's the easy part when it comes to communicating security posture and security needs to an organization or to senior leadership, and then establish what the challenge is. From there we can start looking at some of the solutions. What my aim here is, is to actually bring in common negotiation tactics that you probably have heard of in different industries, whether it's, you know, putting an offer on a house, or just other general negotiation tactics. You see these sometimes in negotiating salaries or other things. The idea is to use well-established principles and how we can apply them to cyber security. Because of the time, I'm going to hit six hot topics, then we'll go through some honorable mentions of some others that we probably won't have time for, then we'll go into some common pitfalls, just things that we naturally kind of fall into as we progress, usually in middle management, having to speak to senior leaders. I'll go through my personal mantras that I have to repeatedly tell myself, and then finally we'll end it on a really high note and talk about the chance of failure.

So, who is this? This is a lot of words. This is all to say: I currently work in financial services and information assurance. I handle second line control testing and I also run the cyber threat intel program for my company. Previously I spent 10 years in the Air Force, where I worked for a red team, and I also taught at the Weapons School locally here at Nellis, where I covered topics like vulnerability management, patch management and the MITRE ATT&CK framework. My favorite course was on social engineering and open source intelligence. I have my bachelor's in computer science and I have a Security+ certification. I'm originally from Louisiana, as you might be able to tell. Generally what I like to talk about is game theory, and usually my talks center around strategic planning and strategic operations, so this is a little bit different from what I usually talk about, more on that soft skill side. My LinkedIn and Twitter are here; they're also at the end.

So, the great disclaimer slide. I want to start by really kind of setting the scene here. The number one answer to any kind of, you know, cyber security or infosec question is usually "it depends", right? There is no clear black and white answer. It's always dependent on an environment, a budget, this particular industry, this particular person. This presentation is going to be no different. If you're looking to find a slide that you disagree with, nine times out of ten I'll probably have at least one that you're like, "oh, I'm not so sure about that," and that's completely okay. In fact, it's encouraged. The whole point of having this conversational talk on soft skills is that it's going to be opinion based. It's going to be based on my experience, and your experience is going to be different. The idea is, I don't think that this is a topic that we talk enough about, that we have open discussions about, and I want to help facilitate that by giving this presentation. So if you say, "no, I tried that, it absolutely failed," that's awesome, I would love to hear it, and I would encourage everyone, for any kind of disagreements or agreements that you have, to have that conversation. Let's talk about the different experiences that are out there and the different ways that we've been able to problem solve and be successful or fail, so that we can all kind of cross-learn, so that we can be more successful in general as an industry.

So why does this matter? What I have found, going to conferences in the last couple of years and sitting around and just talking to people that are already established in the industry, it's very interesting because there's not usually a lot of talks at the mid management level, so people that have already been in for a couple of years, they've seen kind of the good, the bad and the ugly. There's not always a lot of mentorship in that middle management before you're getting up to senior management, so that's one thing that I really noticed. The other is, what I'm seeing right now in the industry is a lot of people getting master's in cyber security without having a traditional, maybe computer science or other kind of technical, bachelor's. In a lot of ways I compare it to the MBA of the 70s and 80s, as kind of a top-off that gives you that extra edge in whatever kind of field that you're going in. Cyber security has become that a little bit, but it's a little against tradition. Usually your old security people were the people that were sysadmins 20 years ago. They've gone through the trenches; now they know, from a security perspective, exactly, you know, for that environment, what works, what doesn't work, what makes sense. We have a lot of senior educated people that are entry level on understanding how an IT department works, how it works within a business or company construct, and so that is a big portion of why I think that this is important, so we can kind of bridge some of that gap.

Also, in my opinion, a highly successful cyber security professional is one that people want to come to. You don't want to be that person that's like, "oh gosh, I'm gonna have to tell Vanessa that we just introduced 10,000 more vulnerabilities in our system and she is going to flip out." In my opinion that doesn't make a super effective leader. What you want is someone that, you know, is going to be cool headed about it, as much as is to be expected, but be able to help you problem solve and to help you be successful, not be the parent or the manager that's like, "you suck." And so I think that understanding some of these principles can help you do that, and ultimately the goal is to make the business or the company or the enterprise as a whole better. So a lot of times when we're talking about negotiation it's me getting max value for myself, but in this situation your end goal is actually to make sure that the enterprise is as secure as possible given the challenges. You're not always going to get what you want, so sometimes when you're told no, we need to figure out a way to still achieve those goals of reducing risk for the organization without maybe getting your awesome Gucci tool that you first presented and were told, "no, you're not going to get that."

Who's this presentation for? It's for everyone. I mean, honestly, these are common enough skills that everyone can gain some sort of insight or purpose from this. Like I said before, though, that middle management, that first "now it's time for me to help make decisions, I'm not just doing the decisions that other people made, it's now time for me to be able to help promote better decision making," this is primarily the audience for that.

So, the easy part: finding things that are wrong with processes. I'm sure that plenty of people, if you've worked in IT, you show up to a place... anybody that tells you that they have a well-run IT department is either woefully ignorant or they're just absolutely lying to you. So don't run away, like, every IT department is going to have that one department, maybe two departments, maybe one team, there's going to be something that they don't do great, and maybe they don't even do well at all, maybe they do terribly. Those are kind of easy to spot, especially as somebody just walking in, right, fresh eyes, you can immediately see, definitely this is not how it's supposed to be. Or, similar to that, finding things to improve: "oh yeah, yeah, this doesn't work quite right, how about we do this?" Or simply threats. I work in threat intel; if I want to find threats that are going to scare the company that I'm talking to, I can find those, and I could probably find those pretty easily. So it's all about how you're presenting your message. What is it that you want to do? Do you want to scare them? Do you want to have the FUD, fear, uncertainty and doubt, approach? That's certainly a tactic to use; some people do find success in that. That's the easy part. The doom and gloom is kind of the easy part, right?

The challenge, of course, is having a solution and then being told: it's how much? Don't we already have enough security tools out there? Didn't we just buy one, like, two years ago? Like, why are we buying another tool? Why can't we just use what we already have? We already have 10 tools, you're telling me you can't do this one thing? Pushback is going to happen. It's a very natural piece of the process; sometimes it's part of the defensive process. But being able to explain why, in a way that your audience understands, so that you can be successful from a security posture perspective, is really where the goodness lies.
All right, so here is the meat of the matter: six techniques that I chose to talk with you about today, and we'll go through each and every one and kind of talk about them a bit. Like I said, this is not groundbreaking, this is not meant to be groundbreaking. This is meant to be "oh yes, of course, that makes sense," hopefully, if I've done my job right.

The first one: being excited versus being anxious. This one is near and dear to my heart, because when I get excited I get loud, my voice rises, people think that I'm yelling at them, they think that I'm out of breath and I'm giving myself a heart attack because I'm going to talk really, really fast. But I'm just excited; sometimes I'm just passionate about the subject. But if you go through yelling at the top of your lungs and looking like you're angry, that is going to possibly hurt you when it comes to you trying to actually promote good decision making, depending on what solution you're choosing. So, interestingly, people care more about delivery sometimes than the actual message. It's your body language, it's confidence. You hear that all the time about people giving presentations: you need to be confident, and, you know, your voice not shake too much. A lot of the delivery is very important. Part of that is actually being able to read the room, being able to see, if you go in... and it could be that, depending on who you're talking to, they are very motivated by a threat of "hey, if you don't fix this vulnerability we could be hacked tomorrow." That could be very motivating, but it could be that they hear that all the time anyway: "yeah, yeah, we're always about to get hacked." So being able to read the room, know your audience, being able to read their body language, and likewise being able to read your own body language, that's very important. Yes, the way you're using your hands, a very open approach, and I've seen others... thank you, thank you, I appreciate that. At this point I don't know what I'm doing with my hands.

And then the last point of this is reserving the extreme words for the extreme situations. So, you know, Log4j: we've got to figure out if we're using Log4j on the system, you know, do we have it in any kind of third-party dependencies, do we have it actually in our enterprise by itself. You know, if not... yes, that's a big thing that's going on in the industry. MOVEit is also a perfect example. You know, if I'm not using MOVEit, then I'm not using that extreme language. I'm not promoting this as "the sky is falling," as a classic Chicken Little example, because I'm going to reserve some of those extreme emotions for things like a ransomware incident in which we're actually being hit with ransomware. If everything is up here all the time, then how are you going to know the difference between here and here when things really are at the top of the line?

Next is be cool and collected. A lot of these are going to have similarities, so obviously be cool and collected runs in very smoothly with being excited versus being anxious, right? That's a part of it. This I think comes easier with experience over time, if nothing else because at some point you have heard pretty much all of the extreme things that have happened. "Did you know that this worker is doing this, that they were able to bypass, you know, this security thing here?" It just gets more extreme the longer you've been in the industry, the kind of stories that you hear, things that are happening that you're like, "no, no, surely not." Yes, probably so. So over time you're not as surprised when somebody comes to your desk or to your office with some sort of "did you know" or "I looked at this and I found these holes or these vulnerabilities." So I think that, in the very least, it's something that comes over time, but it doesn't have to. It can be kind of a conscious decision. When I was creating this... I don't have any children, but I often hear parents talk about, you know, if their kids have an accident, if they've scraped their knee or something, instead of just being like "oh my gosh, are you okay?", it's that cool and collected, just asking them, not freaking out so they don't freak out, and so that's how I kind of equate this.

Also, expectation management can be very powerful. Anybody that knows me has heard at least once me tell them, when they come to me and say "I can't believe...", and I'm like, "repeat after me: lower your expectations." That sounds crazy, but it's powerful and it's useful. Make sure that, you know, when you're going into an environment, you have a real sense of how the environment is operating and you're not expecting them at this level. That doesn't mean that they can't achieve that level, it doesn't mean that you can't push them to that level, but you just need to really make sure that you understand the reality of the situation. You understand that if this situation exists, it might be because of things that are outside of their control, and they're not solely responsible for that. There's a lot of second and third order effects there. And so by understanding some of those expectations, it's going to allow you to be able to look at the situation from a higher, big picture perspective, allow you to look at it from a logical perspective instead of an emotional one, as much as possible, and help you be more effective at problem solving.

And then the last one I put on here, and looking at it kind of makes me laugh now: I am a classic overthinker, so I think of all scenarios all the time. So it's from one to the extreme, you know, from "I'm going to get into a wreck" to "an asteroid's going to completely destroy the Earth." I have thought it all, and then when I'm done I repeat them. So I always anticipate roadblocks. I think, "I'm going to go talk to this person and I'm going to tell them that they need to do X," and then I'm going to have all the ways in which they tell me, in some form or fashion, "no, screw you," and "are you ridiculous?" I have had it all anticipated out, so then I can have my counter arguments, and I find that it helps me feel like I'm in control of a situation and it helps me feel prepared. So regardless of what somebody says, I mean, I still get surprised, don't get me wrong, but for me it helps me to be cool and collected if I feel like I know all of the possible answers and I already have contingencies for those situations.

Bring draft solutions. Not long ago I found out about Cunningham's Law, and I find it fantastic. I love that there's a name for this, and that is: the best way to get the right answer on the internet is not to ask a question but to post the wrong answer. And I've seen it, I've seen it a lot; Reddit is full of it, it's fantastic. And I've definitely done that before when coming up with solutions, courses of action, different things to propose. Even in my military time, if you were going through and determining three or four things that a commander or a senior leader had to choose from, you know, you had your top solution of what you were going to do; one of those was always going to be an absolutely crazy solution, the "if we had infinite money, if we had infinite power, this is the solution." And it does a couple of things. One is it allows you all to agree that dropping a moose from a helicopter into a building to destroy that building could be effective, but is not really a reliable, applicable solution. At least we can agree on that, right? It's classic social engineering: we're just going to pick one thing that we can agree on. We can't agree on all of these things, but we can at least agree that acquiring a moose and a helicopter and dropping it from the sky is probably not our solution today, right? It helps form... you know, at least, if nothing else, it makes everybody smile for a minute. Sometimes it doesn't, and that's super awkward, but having at least a drastic solution often helps, in my experience. Then you can say, okay, that one's right out. It's kind of like taking a multiple choice test: if you can mark off two of the questions and it'd be 50/50, then you feel good about that, right? You feel like progress is made: "I'm not completely stupid, I can at least bring it down to two." Kind of a similar principle here: if you can have enough solutions in which you can definitely mark a couple off and then concentrate on a couple, it kind of bridges that gap, helps with negotiation.
Define the non-negotiables. I find this interesting because this is definitely terminology for what you would think of as more of a strictly business thing. It's not something that you would normally use these words to describe in a cyber security environment, but if you think about it, as a security professional you do have some non-negotiables, right? You can't say "I'm just going to turn off antivirus"; like, that's kind of a non-negotiable, generally speaking. You know, so you do have some things that you're not going to be willing to compromise on, and you need to know those. You need to know what you're willing to accept, but almost more importantly, what you're not willing to accept. Because, I guarantee you, the thing is, a lot of times, especially information security versus IT, sometimes it can appear adversarial, right? You know, the old cliché: they're just trying to get out of work, they just don't want to implement it, it's too much of a pain. You know, if something goes wrong with the network it must be the security tool. Like, those are fun things that we can joke about and laugh about and say, "oh yeah, you know, it's just IT trying to skate out from work," but in reality it's a lot more complicated than that, right? It's a classic "it depends" situation. Usually people are not adversarial: "well, if Vanessa suggested it, we're definitely not going to do it." I don't think that that's very typical. So you have to understand that this is more of a "where can we reach some middle ground," and to understand that middle ground you have to know your non-negotiables.

Also, I think that it's really important to note that the answer could be no, but it also could be "not right now." I use the example here of a DLP, a data loss prevention solution, right? It might be that a business is like, "we definitely need a good DLP solution," and maybe nobody disagrees with that. It could be like, "you know what, you're right, but we can't do that right now." As a security professional I think that it's important that we at least recognize or consider that it might be okay for a non-negotiable to be a "not right now." Let's add it to the road map, let's add it to next year's budget, let's document it to make sure that it's not something that you're just telling me, that next time you're going to be like, "I don't know what you're talking about." Like, let's actually make a plan. It's okay if a non-negotiable has a longer term solution; it doesn't have to necessarily be a short-term solution as long as there's a plan.

The fair offer: the low-cost, easy to implement recommendation. There's tons of those, right? Sometimes there is, often there's not, but if it exists you should definitely present it. Again, I don't want you to have to create this extremely complex system that's so mature. Sometimes easy is okay. Easy to implement is always good, right, as long as it's effective. But low-cost solutions, absolutely, you should absolutely be okay with those, and again that's that olive branch of "okay, this is my fair offer, I think that this can work, and I think that it will be beneficial to everyone including the business." Acknowledging unique challenges I always think is a piece of that. You can say, "I understand maybe that this solution isn't as easy to implement because of these unique challenges, because of these legacy systems, because of these unique systems, because of these third-party contingencies." Explain to them, you know, like I said, this is not a you versus them; this is "let's have a conversation. I do actually understand, probably more than you think, your unique challenges, and I want to express that." It kind of sweetens the fair offer a little bit. They're like, "you know, she just wants what's best for us, this is fair." Sometimes that can help. And again, I bring this up again: a temporary solution is also okay. I talk a lot about, if the number one solution can't be implemented, we can always talk about mitigating and compensating controls. Sometimes you can't patch a vulnerability, right, because a patch isn't available. So what do you do? You have a temporary solution in mitigating that vulnerability. That's okay, that's acceptable. It doesn't have to be a "my way or the highway, we must be super secure right now with these kind of stringent guidelines." We can still achieve the same purpose, we can still reduce risk. Maybe we're not reducing risk at the rate that we want to, but it's still progress. So that's all part of the fair offer.

Next is the value offer. Not completely dissimilar, but I find this to be effective because it's never just the one thing, right? It's never "here's a tool, you just have to install it," especially in a corporate environment; there's a lot more to that, right? If nothing else, there's the contract process of acquiring a vendor, going through all of that. That's one side that I won't always volunteer for, but one that I do typically volunteer for is the documentation piece for it. Nobody likes writing documentation, nobody has time to write documentation, nobody wants to update this. What about, you know, here's the standard, how are you going to implement it, where are the procedures, this could be audited, what about compliance? There's so many other little factors there that plenty of IT people, especially the ones that are on the ground, hands on keyboard, they're like, no. It's like their kryptonite; they hate documentation. So I like to offer to write documentation immediately. That's going to make them compliant, plus they don't have to do it, right? And if I'm doing it, then they don't have to worry about me editing it once... if they write it, they have to get my feedback; I'm writing it, right? Which is dual purpose, because then I can put those security pieces in there that I know they don't want to put in there. But if I'm writing it, then I have an opportunity to put some of those things in there. So to me it's very much a win-win, and documentation to me is my most successful value offer in that.

But it could also be, sometimes, whatever kind of limited resource it is. Maybe in some departments you can transfer some of your budget money to that department if they're low on funds. Maybe it's "I have a couple of analysts that would like to get some hands-on experience with some of that troubleshooting or installing that tool"; maybe I can offer up those people if they don't have enough people to be able to complete that task. So there's several different ones that you can use. Like I said, documentation usually is a winner for me.
could get very similar arguments to these and just call them different things um and that's that's kind of the beauty of some of these tactics and techniques it's again knowing whatever speaks to you maybe one of the other ones you're like I'm not sure but focus on the win-win you're like that I can understand you know so ask for advice for a lot of people sometimes I think we get the reputation of we walk into a room and we think we're an expert on security and we're here to tell you how much you're not going to be able to implement your plan because of security but if we walk into a room and we hear
your pitch and then we ask for advice what would you like to do not like to do but what would you do in this situation people often respond to that I've met a lot of I.T people that are not in security but they study security they have their opinions about security it's not like they're completely ambivalent to that world they're reading the news maybe they're studying for certs they have some knowledge about security already so if you talk to them like a peer and you say you know what do you think about this my idea is implementing these kind of uh security things that's going to to make it feel like more of a team
environment and much less of me barking at you things that's going to make your plan impossible to implement use language as your audience understands I can give a whole talk just on that because a lot of times tech people they want to talk shop they want to talk technical details and they want to tell it to someone who's not from a tech background that really doesn't really care you don't have to pull out the Excel spreadsheet it's it's you can just tell them in layman terms but you have to know what that common language is I use the example of risk and impact because I have found that a lot of people on the I.T side don't necessarily
cage their situation in terms of risk and impact and because of that but you have whole business departments that are dedicated to risk from a business perspective inherent risk residual risk determine determining um your what the actual money amount that you might lose from an impact generally speaking operations I.T operations doesn't have to do a lot of those calculations but a lot of business people do so if you can come in with a threat with a we need to implement a new solution now and this is why if you cage it in terms of risk and impact then I think that your success rate significantly improves but like I talked about before you got to know what that sweet spot is you're
going to know who you're talking to and and maybe what some of the their industry jargon is and then apply it so that that you understand and they understand the same thing focus on the win-win I think that's kind of self-explanatory understand the big picture it's really easy in an IT environment to get the weeds when especially if you're talking about something like incident response and your down in the trenches and you're trying to quarantine systems and remediate and bringing down this segment and when do we bring this up and backups and all of this you can totally get in the weeds understanding the bigger picture seeing it from a broader perspective maybe seeing it from a business continuity
perspective or just a business perspective in general often helps when it comes to Solutions again still taking in some of those other principles making sure that you recognize the challenges you recognize the work that's been that's happening here but when it comes to trying to get people to make better broad decisions bringing in that big picture is definitely going to help and the last one make negotiations about the other team this is a classic I'm trying to help you and you're letting them maybe make things that are in their own self-interests but if you combine a couple of these principles like going through um and having your non-negotiables and and making it feel like that they have the power that
they're influencing you and your decision making and not making it one-sided is also going to help you be effective common pitfalls some of these are kind of General um like building reports with no recommendations from a security perspective everything should definitely have recommendations and that's going to help with that decision-making piece if you have recommendations then that's going to help facilitate the next discussion which is how would you like to implement those recommendations right but if you don't have if you're if you're only what feels like barking information that's going to create kind of a Stonewall effect Distributing reports with no follow-up again I put on here making sure that you document a plan if there is a plan
making sure that you're not sending reports for the sake of sending reports you're not sending them into the ether and then if somebody says did so and so read it be like I sent the reports follow through is very and follow up is very important here making sure that whatever you that it is that you decide on it's kind of funny in a meeting in a small meeting room with people at a table sometimes people will agree to anything right oh yeah absolutely yep yep we can totally do that if you don't follow through you don't maybe publish meeting minutes or you don't actually document and say here's the plan and here's how we're going to do this here's our way forward
then in some ways it's as good as not having agreed to it at all. Yes, sir?

Yes.
I think that reading people is definitely an advantage for that, and over time you get to know your colleagues and you get to know the people that will do anything just to be able to get out of that meeting, for sure. But I also think that it's important that you don't ever call out those kind of people. You just adjust your tactics. You don't actually... you don't want to point that out, you don't want to make them embarrassed in any way, so instead you just change up some of your tactics. And, you know, if you have somebody that's like, "yes, yes, absolutely, that's no problem, let's go," and then leaves, that's where I find that maybe the meeting minutes is particularly useful: so-and-so said this, it's timed, it's bulleted, ways forward, "I need this report, I'm going to send this list." It makes them more accountable because it's in writing.

Another pitfall is always bringing up the negative. I think that's super easy to do, because all we do is read about all of the horror stories and the breaches that are happening and the data leaks, and "oh my gosh, did you hear about this story?" It's super easy to always bring up the negative, and sometimes it can be really discouraging, because it feels like, whether it's accurate or not, we can have that discussion, that defense is really, really hard right now, and we're not necessarily winning the war. And sometimes that can be really discouraging to a lot of people: that even if you remediate this, there's only another one right around the corner. It's not something that we should really focus on, even though it's easy to. We don't need to be Eeyores here, or Chicken Littles. So as much as you can bring up more positive things, or ways that we're still progressing in security posture, I highly encourage that.

And the next one, not acknowledging progress. I think that that's extremely important, especially in a program that's really difficult, that they've gone through the wringer and made huge strides. Instead of saying "but they still have this far to go," instead concentrating on all the work that they've done is super important. Ultimately you want people to feel good about the progress that they've made; it's going to help them want to progress even more. Nobody wants to be told, "hey, I finished this, you know, I'm working on this and I've worked really hard," and it's like, "yeah, but you still have a really long way to go." Like, it's really important that you acknowledge where we've come from, and it's hard to see that sometimes. It's part of understanding the big picture, being able to say, "you know, we started here; look at all the things that we've implemented in such a short period of time."

And then settling with an us versus them mentality. Again, very easy to do: "you're IT, you just don't want to, you know, install security stuff," and "you're security and you're just here to make my life harder, because that's just how you are." You know, definitely separating from that, realizing we're one team, one fight, is definitely going to help you be successful.

So, my personal mantras. One is one that my boss brought up to me, and sometimes it's really difficult for me to do, and that is just to let things go. It's easy to hone in on an issue, and you want some sort of resolution, you want somebody to acknowledge, "yes, it's a problem, yes, you're going to fix it, this is the timeline that you're going to fix it, here are the tickets," and everything is going to be great, we'll check on it in two weeks and it's done. And maybe that's not possible. Maybe they don't even think that it's a really big issue. Maybe they're like, "you know what, we accept that, it's fine," and you're like, "but you shouldn't." Maybe it's okay that they do. Again, maybe for a short period of time, or maybe we can bring this up later, but sometimes, oftentimes, you're not going to get the answer that you're looking for. You're not going to have somebody be like, "you are so absolutely right, we're going to put 10 people on it right now and it'll be fixed by the end of the day." So sometimes you just have to know when to let things go, and if it's a big enough issue, you know it's going to come back up again; maybe you'll just bring it up the next time. But it's okay sometimes to let things go, and if you have a really hard problem doing that, then find somebody that can remind you that sometimes you just need to let it go. And sometimes this is really useful when there's a personnel conflict, but maybe it's not an issue, you just feel
like if there's a person that's just saying no all the time and they're stopping you from what you think is progress sometimes you still just have to let it go sometimes it's it's it's that classic I don't want you to do this thing I want you to want to do that thing so like the classic thing is I don't want you to do the dishes I want you to want to do the dishes right like sometimes I feel like that's how security is it's like I don't want to have to bark orders and say you have to do this I want you to be able to come up with this on your own and then
to be able to say hey this is what we want to do because it's better from a security perspective you're not going to get that always sometimes you're never going to get that so you just need to recognize that that's one of my personal mantras the second is considering strategy over procedure I will totally get in the mental Weeds on what steps need to be done when and from especially from in my environment where I'm on a second line perspective this is more of a Consulting this is not an operations I'm not touching anything even though I want to because I know that I can just go over there and in 10 minutes I can fix it but that's not my
job I need to worry more about the strategy piece the standard the what needs to be established and then let the teams that are actually doing the work actually concentrate on the how and that's a really difficult thing for me to do but when it works I think it works beautifully all right so the happy bonus slide always consider that there is a chance of failure it's possible that nobody disagrees with you you give your whole pitch and everybody's like yes absolutely nobody says no you know nobody says I disagree nobody says I think you're overreacting they're like yeah that's that's absolutely legit but maybe we can't do it right now or this doesn't fit for this budget
cycle you can do all the right things you can read the room you can use the right language you can have the fair offered you can all that and be still be told no and it's important that you recognize that it doesn't mean that you personally failed it doesn't even necessarily mean that your initiative has failed but you're going to definitely be confronted with failure at some point and it's important that to realize t