1 00:00:07,510 --> 00:00:22,710 Welcome, everybody, to DEF CON 30's DEF CON Group's VR Village presentations, where you're getting to see some virtual DEF CON presentations from people all around the world. 2 00:00:23,010 --> 00:00:25,910 In fact, our next speaker hails from Tijuana. 3 00:00:27,590 --> 00:00:30,910 Jabels is going to talk to us about Pwning the Lazy Admin. 4 00:00:31,010 --> 00:00:41,390 He's a co-founder of the Tijuana DEF CON Group and former intelligence consultant for the Mexican government, now working in IT service security full-time. 5 00:00:42,470 --> 00:00:47,310 So please welcome to our stage, Jabels. 6 00:00:51,390 --> 00:00:53,230 Hey, guys, how are you? 7 00:00:55,850 --> 00:00:56,770 Excellent. 8 00:00:56,770 --> 00:00:59,390 Can everyone hear me okay? 9 00:00:59,630 --> 00:01:01,570 Yeah, make sure you pick up the microphone. 10 00:01:01,570 --> 00:01:02,690 Yes. 11 00:01:04,350 --> 00:01:06,410 Ah, yeah, there. 12 00:01:06,410 --> 00:01:07,510 Okay. 13 00:01:07,510 --> 00:01:14,750 All right, but how do I look up? 14 00:01:15,310 --> 00:01:16,490 Okay. 15 00:01:17,190 --> 00:01:19,430 All right. 16 00:01:20,410 --> 00:01:28,310 Yeah, let me put it down because I can't... 17 00:01:28,310 --> 00:01:31,010 If you right-click, it goes... 18 00:01:33,970 --> 00:01:41,370 If you right-click, it goes between movement of your body and movement of your head. 19 00:01:42,110 --> 00:01:43,110 Okay. 20 00:01:43,110 --> 00:01:48,370 Now, yeah, so we have to turn to the screen, right? 21 00:01:48,770 --> 00:01:49,850 Yep. 22 00:01:51,940 --> 00:01:54,860 Because I don't see the other one. 23 00:01:57,610 --> 00:01:59,490 We got to see those lights. 24 00:02:00,350 --> 00:02:01,370 Those lights. 25 00:02:03,010 --> 00:02:12,550 Yeah, the presentation software that we're using, which is the explore function, broke. 26 00:02:12,550 --> 00:02:15,890 The service went down right in the middle of our thing. 
27 00:02:15,890 --> 00:02:18,990 So what we had to do is export all the slides to JPEGs. 28 00:02:18,990 --> 00:02:24,850 And we're using a different type of viewer, but it doesn't allow us to do embedded videos, but we can at least share the slides. 29 00:02:24,850 --> 00:02:27,150 Okay, yeah, no matter. 30 00:02:27,150 --> 00:02:29,910 Yeah, I think I have... I'm in position now. 31 00:02:29,910 --> 00:02:30,550 Okay. 32 00:02:33,270 --> 00:02:34,690 All right. 33 00:02:34,690 --> 00:02:35,610 Thanks, guys. 34 00:02:38,210 --> 00:02:44,150 So for the first slide, as it was just mentioned, yeah, my name's Jabels. 35 00:02:44,610 --> 00:02:46,790 Others say Jabels, JB. 36 00:02:47,430 --> 00:02:49,550 It doesn't really matter which one. 37 00:02:49,550 --> 00:02:50,390 My name's Juan. 38 00:02:50,390 --> 00:02:53,670 You can use whatever nickname you want. 39 00:02:53,670 --> 00:02:57,390 I'm the co-founder for the Tijuana DEF CON Group. 40 00:02:57,950 --> 00:03:10,150 And, yeah, I like breaking into stuff, but absolutely all the time I try to do it with permission, because I'm, as someone else mentioned here, a law-abiding citizen, right? 41 00:03:10,490 --> 00:03:12,890 And next slide, please. 42 00:03:17,920 --> 00:03:19,520 And the next one. 43 00:03:22,240 --> 00:03:25,240 All right, so that's the purpose of my talk. 44 00:03:25,240 --> 00:03:26,520 I'm going to give you guys... 45 00:03:26,520 --> 00:03:28,600 I'm not going to get too technical. 46 00:03:28,600 --> 00:03:40,540 I just want to give you guys some real-world examples on the stuff I found while working as a pen tester for the last, like, five years or so. 47 00:03:40,780 --> 00:03:49,620 You're going to notice that most of these are really just dumb things that could have been avoided easily. 48 00:03:49,900 --> 00:03:55,780 And all of these examples are for ISO 27001-certified companies. 49 00:03:55,780 --> 00:03:59,100 Now, that's not to say that the certification doesn't work. 
50 00:03:59,100 --> 00:04:07,040 There are others that I'm obviously not going to use as an example, and they are using security right in their processes. 51 00:04:07,280 --> 00:04:20,520 But these are for just the ones that don't, either because they don't care or they're not taking the, like, due care to maintain security in their organization. 52 00:04:20,520 --> 00:04:27,320 Okay, so that's just to say that a piece of paper isn't going to get you secure. 53 00:04:27,380 --> 00:04:28,820 Next slide, please. 54 00:04:31,830 --> 00:04:34,010 Okay, so what's the problem? 55 00:04:34,010 --> 00:04:39,410 Mainly here in Mexico, we have a cultural problem regarding security. 56 00:04:39,410 --> 00:04:49,930 Everything's being looked at as if it was just introducing more bureaucracy or stopping the business from flowing when that's really not the case, right? 57 00:04:49,930 --> 00:04:57,510 You should embed security into your process, into your technology, into everything you're doing, even into your policies. 58 00:04:57,850 --> 00:05:06,790 So the thing here is that I've detected or I've tried grouping these cultural problems into three main categories. 59 00:05:06,790 --> 00:05:08,090 Next slide, please. 60 00:05:10,130 --> 00:05:14,130 These categories are, well, first of all, your leadership. 61 00:05:14,190 --> 00:05:19,930 Leadership, most of the time, doesn't really care about what IT is doing. 62 00:05:19,930 --> 00:05:27,170 They just look at them as an expense, and since they don't care about what IT is doing, they're not going to care about security, right? 63 00:05:27,170 --> 00:05:35,610 So they just see everything from buying a firewall, or buying antivirus software, or buying some other type of endpoint protection. 64 00:05:35,650 --> 00:05:38,430 Implementing security controls is just an expense, right? 65 00:05:38,430 --> 00:05:46,590 They just care about the bottom line, and there's an image out there on the internet where you have two cases, right? 
66 00:05:46,590 --> 00:05:53,470 One, let's say that it's the boss for a company saying, hey, everything works. 67 00:05:53,550 --> 00:05:56,270 Why am I paying you, right, if everything's running smoothly? 68 00:05:56,270 --> 00:06:00,450 And then, on the other hand, why am I paying you if everything's broken? 69 00:06:00,450 --> 00:06:05,490 So that's a thought process where that type of leadership takes you. 70 00:06:06,050 --> 00:06:13,910 The second one that I've noticed is their security strategy is pretty much patch and pray, where patching is really optional. 71 00:06:13,910 --> 00:06:16,270 They just don't do it. 72 00:06:16,270 --> 00:06:26,890 They think that their small business or their industry that they work on doesn't really matter that much to hackers. 73 00:06:26,890 --> 00:06:29,670 So why should they implement all those security controls? 74 00:06:29,670 --> 00:06:34,130 Why should they work with such a high standard for their security? 75 00:06:34,370 --> 00:06:42,350 So with that type of company, what I usually find is that they still have EternalBlue or BlueKeep on their networks. 76 00:06:42,530 --> 00:06:45,850 And that's all exposed to WannaCry, right? 77 00:06:45,850 --> 00:07:01,370 So you think that most of these companies that have fallen in the WannaCry ransomware attack way back a couple of years ago, would want to patch so that they don't fall victim to that type of cyber attack again. 78 00:07:01,370 --> 00:07:04,470 But yet, still, they don't do it, right? 79 00:07:04,830 --> 00:07:11,750 And lastly, I think this is the biggest problem on most companies. 80 00:07:11,750 --> 00:07:14,610 They have IT staff with a terrible attitude. 81 00:07:14,610 --> 00:07:20,630 And what I mean with a terrible attitude is that you have your... pretty much your know-it-all, right? 82 00:07:20,630 --> 00:07:24,530 Like, hey, you're missing... and why aren't you patching? 
83 00:07:24,530 --> 00:07:37,550 And then they make some snarky remarks about how patches break everything or what they say goes within their company regarding technology, because no one else on their organization understands technology. 84 00:07:37,690 --> 00:07:40,050 And that's, I think, really dangerous, right? 85 00:07:40,050 --> 00:07:57,970 Because your IT staff is supposed to be your in-house experts regarding security and technology, and you should usually trust them to make the best decision for your business, because IT is a business enabler, and they will help you mitigate risks, and especially for the business, 86 00:07:57,970 --> 00:07:58,290 right? 87 00:07:58,310 --> 00:08:01,390 And most of the times, they don't. 88 00:08:01,410 --> 00:08:03,510 So these are the three main categories. 89 00:08:03,510 --> 00:08:11,310 I'm going to talk about stuff from IT that I found during most of the presentation. 90 00:08:11,310 --> 00:08:17,870 I might jump between the other categories, but IT is mostly the ones here that I'm going to focus on. 91 00:08:17,870 --> 00:08:19,230 Next slide, please. 92 00:08:22,700 --> 00:08:27,040 Okay, so how do I exploit these cultural problems? 93 00:08:27,040 --> 00:08:32,180 I don't do it, or for this talk, I'm not going to focus on the hacker stuff. 94 00:08:32,180 --> 00:08:41,940 I'm going to focus on the really stupid stuff that you don't even need to be properly trained on pentesting or cybersecurity or even IT to do it. 95 00:08:42,040 --> 00:08:45,460 You just need to poke around. 96 00:08:45,840 --> 00:08:47,480 So next slide, please. 97 00:08:48,600 --> 00:08:53,260 The first thing I'm going to focus on is password cracking. 
98 00:08:53,260 --> 00:09:10,500 So whenever you're on a pentesting engagement, usually when you want to capture credentials, you would use a tool like Responder or Wireshark and put your computer on premise, and do something like that to start sniffing the network, capturing hashes, 99 00:09:10,500 --> 00:09:12,180 and then trying to break them. 100 00:09:12,180 --> 00:09:22,400 You can do that either with John the Ripper, Hashcat, or whatever other method you want to use to hack your captured hashes. 101 00:09:22,920 --> 00:09:24,280 Next slide, please. 102 00:09:24,560 --> 00:09:41,020 What I'm going to do is, most of the time, whenever I'm in an engagement with a company for the first time, is I'm going to just walk around checking their whiteboards, because it's unbelievable the amount of information they leave there. 103 00:09:41,020 --> 00:09:42,420 Next slide, please. 104 00:09:44,380 --> 00:09:53,200 Here on the left, you'll see what says Contraseña, Pechugon, and then in French, you'll see that it says router. 105 00:09:53,240 --> 00:09:56,600 So that pretty much is, in Spanish, right? 106 00:09:57,080 --> 00:10:01,160 Password, Pechugon, and by router, they mean router. 107 00:10:01,160 --> 00:10:08,020 So they left their router password written on a whiteboard on some meeting room. 108 00:10:08,920 --> 00:10:13,140 So the problem here is that they're telling me their password, and they're telling me what it's for. 109 00:10:13,260 --> 00:10:17,380 So just by that, they're saving me a lot of time in the engagement. 110 00:10:17,580 --> 00:10:24,640 And the funny thing about this one is that on the image on the right, that's the name of a chicken place here in Mexico. 111 00:10:24,660 --> 00:10:28,660 That's a chain of food, right? 112 00:10:28,660 --> 00:10:37,440 And for this particular company, on that meeting room, they did have a window that looked right across the street into one of these places. 
113 00:10:37,440 --> 00:10:41,380 So that seemed pretty stupid to me. 114 00:10:41,780 --> 00:10:43,060 Next slide, please. 115 00:10:43,580 --> 00:10:45,480 And that's a regular thing, right? 116 00:10:45,540 --> 00:10:48,340 It seems like most of the time they put their passwords. 117 00:10:48,340 --> 00:10:57,840 They just look around and say, like, okay, whatever store is right across my business, that's what I'm going to name it. 118 00:10:57,840 --> 00:11:08,980 So for physical intrusion, you usually want to do lockpicking or clone badges or do some RFID stuff or do something interesting, right? 119 00:11:09,020 --> 00:11:12,260 Tailgating or other type of social engineering. 120 00:11:12,720 --> 00:11:16,580 But the other thing you can do is just... next slide, please. 121 00:11:16,580 --> 00:11:18,260 Turn the doorknobs. 122 00:11:19,180 --> 00:11:21,560 That's another thing that I've noticed. 123 00:11:21,560 --> 00:11:25,800 A lot of the time, people don't lock their offices, don't lock their sites. 124 00:11:25,800 --> 00:11:40,460 Or if they do lock them, they put the bar that goes into the doorframe backwards so that you can poke it in with your guest badge that they provide you once inside the building. 125 00:11:40,460 --> 00:11:43,260 And you can just slide it in between the door and the frame. 126 00:11:43,540 --> 00:11:45,260 And that will open it right up. 127 00:11:45,640 --> 00:11:46,760 Next slide, please. 128 00:11:47,940 --> 00:11:55,000 So what I've been able to get access to is just laptops that are left there unattended. 129 00:11:55,000 --> 00:12:00,860 On the left side of the screen, I show a cheap laptop with a LAN Turtle plugged in it. 130 00:12:00,860 --> 00:12:05,420 The thing about that case was that the person who left it there came back from lunch. 131 00:12:05,680 --> 00:12:10,580 And I'm not sure if they noticed that that was plugged in or not, but they didn't report it. 
132 00:12:10,580 --> 00:12:19,160 And I use that LAN Turtle example a lot because it's bulky and they want to have something visual there. 133 00:12:19,500 --> 00:12:22,240 Just to see if they report if they see something. 134 00:12:22,240 --> 00:12:24,300 In this case, they didn't. 135 00:12:24,300 --> 00:12:36,520 And then on the right side, that image is for the office of, I think, this person was the personal assistant for one of the managers there. 136 00:12:37,500 --> 00:12:41,380 It would be like kind of a C-suite kind of deal. 137 00:12:41,380 --> 00:12:47,240 But if you notice, there's a couple of routers in between the cabinet. 138 00:12:47,600 --> 00:12:50,580 There's another Wi-Fi router. 139 00:12:50,580 --> 00:12:54,380 And then on the wall, all the way to the back, there's a switch. 140 00:12:54,760 --> 00:12:56,360 So why is that there? 141 00:12:56,360 --> 00:12:59,220 Why is it visible and accessible for everyone? 142 00:12:59,220 --> 00:13:00,120 I don't know. 143 00:13:00,120 --> 00:13:08,080 But, again, since it was an office, the access controls weren't the best ones, right? 144 00:13:08,080 --> 00:13:18,440 And they didn't want to change it because that requires cabling, moving everything from that office up to the proper site. 145 00:13:18,520 --> 00:13:23,860 So, yeah, that's, again, pretty lazy from the IT perspective. 146 00:13:24,000 --> 00:13:25,480 Next slide, please. 147 00:13:27,540 --> 00:13:29,660 Okay, this one. 148 00:13:29,660 --> 00:13:34,640 This is, like, the main goal when you're doing some physical stuff, right? 149 00:13:34,640 --> 00:13:39,720 The left side, there is a site that was left, like, completely wide open. 150 00:13:40,060 --> 00:13:45,280 It was for the same building of the dudes with the chicken place for a password. 151 00:13:45,400 --> 00:13:53,120 And on the right side, this was a site for a really big building, like a 12-story building. 
152 00:13:53,120 --> 00:13:57,520 They have one of their sites that's being, like, painted. 153 00:13:57,520 --> 00:14:03,360 You can see the stairs on the background of the image. 154 00:14:03,640 --> 00:14:14,700 And they were painting the plumbing for their sprinkler system because it needs to be color-coded according to one norm here in Mexico. 155 00:14:14,700 --> 00:14:19,760 So they were doing that, and they left the contractors unattended. 156 00:14:19,760 --> 00:14:25,560 And since they were unattended, they didn't have a way to lock the site. 157 00:14:25,660 --> 00:14:29,360 So I just went in, and I opened the door because it was wide open. 158 00:14:29,360 --> 00:14:32,400 And they took a couple of pictures for that engagement. 159 00:14:32,400 --> 00:14:35,540 They couldn't plug anything in, so I didn't. 160 00:14:35,540 --> 00:14:40,620 But at least I just made the mention that, hey, your site was left wide open. 161 00:14:40,620 --> 00:14:49,200 And for that building, everything that's running through that network, there were, like, two financial startups. 162 00:14:49,200 --> 00:14:56,820 One of them is widely used here in Mexico, so that one was really interesting to check out. 163 00:14:57,320 --> 00:15:01,920 It was a very big risk for this building. 164 00:15:01,980 --> 00:15:07,540 Now, for the one on the left-hand side, I did get found out that I was messing around with it. 165 00:15:07,540 --> 00:15:09,980 On that one, I did plug some stuff in. 166 00:15:10,020 --> 00:15:18,640 They checked the cameras, and then, like, an hour or so into the engagement after that, they did look for me and ask me why I was poking around. 167 00:15:18,640 --> 00:15:23,720 They didn't know who I was, the security guard and a couple of IT people. 168 00:15:23,720 --> 00:15:29,800 So on that end, they did a really good job because they did find out that, hey, someone's messing around with our site. 
169 00:15:30,140 --> 00:15:33,940 Again, they did leave it open and unattended. 170 00:15:34,240 --> 00:15:35,640 Next slide, please. 171 00:15:38,140 --> 00:15:42,100 Okay, so the other thing for physical intrusion, the lunchroom. 172 00:15:42,100 --> 00:15:43,000 Next slide. 173 00:15:45,470 --> 00:15:50,410 Okay, so right there next to the fridge, you can see a LAN cable. 174 00:15:50,410 --> 00:15:55,230 And again, a LAN cable with a USB battery plugged in just to keep it going. 175 00:15:57,670 --> 00:16:02,590 That one was found completely by accident during pre-engagement. 176 00:16:02,590 --> 00:16:10,470 I just noticed that when I went to their site, on their lunchroom, when they went to get some water, they had this... 177 00:16:10,470 --> 00:16:14,850 they had cables like laying around in a couple of weird places. 178 00:16:15,090 --> 00:16:22,350 So once the engagement started, I went like right to them and see if they were like cable spins to see if I can get some DHCP. 179 00:16:22,350 --> 00:16:26,850 I could, and I did get a reverse shell from that device. 180 00:16:27,190 --> 00:16:36,630 So , I mean, I'm not sure physically why you would leave that cable there if it's going to be turned into a lunchroom. 181 00:16:36,630 --> 00:16:40,250 It seems like there's a lot of things that need to go wrong. 182 00:16:40,250 --> 00:16:49,170 I'm not sure they just woke up one day and decided, hey man, let's turn this office into a lunchroom and then bring everything back in. 183 00:16:49,170 --> 00:16:52,330 I'm pretty positive that's not the way that worked. 184 00:16:52,330 --> 00:17:04,370 So there had to be planning and there had to be a way for them to, you know, like inventory their network nodes and see what needed to be unplugged or disabled. 185 00:17:04,370 --> 00:17:10,670 And that gave me an easy entryway into their network from a public place, right? 186 00:17:10,690 --> 00:17:12,170 Next slide, please. 
187 00:17:18,250 --> 00:17:21,130 Okay, so what kind of information? 188 00:17:21,130 --> 00:17:29,170 So that was a way that I got in just opening doors and plugging into stuff, right? 189 00:17:29,170 --> 00:17:37,990 So what was the information that I was able to get from those practices that were being performed on their sites? 190 00:17:37,990 --> 00:17:39,810 Next slide, please. 191 00:17:41,890 --> 00:17:46,190 The main one was like private pictures, right? 192 00:17:46,190 --> 00:17:56,450 This is going to have the least amount of impact on the business, but it is really bad from a personal... 193 00:17:57,770 --> 00:18:02,990 I hear a voice in the background. 194 00:18:19,290 --> 00:18:22,930 Hey, X-Ray, that's Charmaine with his mic on. 195 00:18:31,510 --> 00:18:32,710 We're good. 196 00:18:32,750 --> 00:18:34,770 Okay, I muted him, you can go ahead. 197 00:19:18,400 --> 00:19:20,140 Anybody else hearing audio? 198 00:19:20,860 --> 00:19:24,780 No, apparently it looks like he's muted, but I'm not sure why. 199 00:19:30,150 --> 00:19:31,670 It looks like he's muted. 200 00:19:31,670 --> 00:19:33,590 I'm trying to figure out why he's muted. 201 00:19:34,590 --> 00:19:36,250 Can you hear me? 202 00:19:36,610 --> 00:19:38,810 Yes, we can hear you now. 203 00:19:39,110 --> 00:19:41,490 Okay, where did I lose you guys? 204 00:19:42,970 --> 00:19:44,570 Beginning of the slide. 205 00:19:44,570 --> 00:19:51,790 Right at the beginning of the slide, somebody started streaming junk in here, so we had to mute it, and then your mic went dead. 206 00:19:51,790 --> 00:19:54,410 So if you could start the slide over, it'd be great. 207 00:19:56,850 --> 00:20:05,630 All right, yeah, so one of the first findings was private pictures for one of the people being employed in the company. 208 00:20:05,630 --> 00:20:11,970 Now, this is going to have the least impact on the business, but it is very important on a personal level, right? 
209 00:20:11,970 --> 00:20:14,810 Because you don't want your pictures out there. 210 00:20:15,130 --> 00:20:26,670 Now, the problem here was that as part of the engagement, whenever I did find something like this, I'm usually required to tell the customer right away that someone's streaming porn. 211 00:20:26,730 --> 00:20:30,810 Your IT guys are playing World of Warcraft during the engagement. 212 00:20:30,910 --> 00:20:35,690 There's a bunch of different situations that might arise during the engagement, right? 213 00:20:35,690 --> 00:20:37,070 This is one of them. 214 00:20:37,070 --> 00:20:55,210 So I go to the security guy, tell him, hey, there's some weird pictures that are all stored in this computer that's labeled as belonging from a department that I knew was all men. 215 00:20:55,970 --> 00:21:07,130 Turns out that the computer just was mislabeled, and that it was assigned to the girl at the reception. 216 00:21:08,030 --> 00:21:12,670 So those pictures were hers, but I didn't know it at the time, right? 217 00:21:12,670 --> 00:21:13,890 Like, I didn't recognize her. 218 00:21:13,890 --> 00:21:15,330 It was the first time I saw her. 219 00:21:15,450 --> 00:21:17,790 And the IT guy said, hey, where did you get them? 220 00:21:17,790 --> 00:21:18,770 Can I get a copy? 221 00:21:18,770 --> 00:21:22,550 Instead of actually going like, oh, no, that's bad, right? 222 00:21:22,550 --> 00:21:25,970 You know, he was requesting a copy, which I think is pretty stupid. 223 00:21:27,450 --> 00:21:36,590 And yeah, this is one of the main things that I would like everyone to take into their workplace, right? 224 00:21:36,590 --> 00:21:44,370 That we do have a lot of issues with telling people, hey, don't plug in your phone to the computer. 225 00:21:44,430 --> 00:21:51,730 Now, one of the things is that, yeah, you don't want the user or your employee to steal your information. 
226 00:21:51,730 --> 00:21:58,530 But you also don't want their information to be stolen because of your lack of security controls, right? 227 00:21:58,530 --> 00:22:02,590 Like, in this case, they had EternalBlue all over. 228 00:22:02,750 --> 00:22:05,270 These were all Windows 7 computers. 229 00:22:05,270 --> 00:22:06,970 They were, like, really old. 230 00:22:07,050 --> 00:22:11,470 And they were jeopardizing the privacy of their employees' information. 231 00:22:11,470 --> 00:22:13,810 So that was, like, really bad. 232 00:22:13,810 --> 00:22:18,730 And the way they responded to that, it didn't strike me right away. 233 00:22:18,730 --> 00:22:20,990 Next slide, please. 234 00:22:22,910 --> 00:22:31,950 Okay, now, stepping it a little bit up into the more risky level for your business, identity theft, right? 235 00:22:31,970 --> 00:22:43,070 One of those engagements, I was able to find a shared drive that allowed anonymous or guest access. 236 00:22:43,070 --> 00:22:52,510 And in it, they had a financial folder with their scanned security cards for their companies and other PDFs that just said stuff like passports. 237 00:22:52,590 --> 00:23:02,390 So they had every employee that would travel for that corporate office scanned right there on a PDF that was left unprotected, right? 238 00:23:02,390 --> 00:23:05,490 And, again, why they would do that, 239 00:23:05,490 --> 00:23:06,810 I'm not sure. 240 00:23:08,670 --> 00:23:12,210 It's one of the problems here in my country, right? 241 00:23:12,210 --> 00:23:24,830 We don't really have any regulation for protecting privacy other than whatever you're going to do with that information, you need to tell that person that you're getting the information about. 242 00:23:24,950 --> 00:23:28,710 And if they ask you to remove it, go ahead and remove it. 243 00:23:28,710 --> 00:23:33,790 That's pretty much the scope for our privacy regulation. 244 00:23:34,390 --> 00:23:35,690 Next slide, please. 
245 00:23:39,040 --> 00:23:47,600 Okay, now, this was one of my favorite cases because of a bunch of things lined up for this. 246 00:23:47,720 --> 00:24:01,560 What you're looking at is the administrator console for one of the most popular, and I wouldn't say like the best, but one of the most popular ones or that have more user interaction here in the region. 247 00:24:03,460 --> 00:24:13,100 These guys had a SQL injection in one of their search bars, and it was brought up to our attention because of a member on the group, right? 248 00:24:13,100 --> 00:24:19,540 Like he mentioned, he had found vulnerability on one of their websites for a radio station. 249 00:24:20,320 --> 00:24:22,240 So we asked him about it. 250 00:24:22,240 --> 00:24:27,840 He gave us like a proof of concept, and then we tried contacting the radio station. 251 00:24:27,840 --> 00:24:50,060 But during the report we were trying to pull together, we noticed that their database for usernames and passwords was exposed due to that SQL injection and that they didn't divide the database for users for the radio stations, for the news channels and news media that they have. 252 00:24:50,060 --> 00:24:54,300 So everything was in just one database, unencrypted. 253 00:24:54,300 --> 00:25:04,560 And once we made a dump of those access, what we noticed was that every user, every single user had the same password. 254 00:25:04,720 --> 00:25:06,880 And it was something really stupid. 255 00:25:06,880 --> 00:25:12,340 If you go with something like 1234abcd, that's the type of password they all have. 256 00:25:12,560 --> 00:25:26,060 So one of those accounts was the admin account, and what we were able to do with that information is to go back into their news articles and edit them, every single one of them. 257 00:25:26,060 --> 00:25:30,220 We could write whatever we wanted, had a legitimate resource. 258 00:25:30,300 --> 00:25:32,740 We could create a fake news article. 
259 00:25:33,000 --> 00:25:39,440 This was during the election, so this was potentially harmful. 260 00:25:41,100 --> 00:25:43,740 And so, yeah, that's pretty much it, right? 261 00:25:43,740 --> 00:25:49,580 So the thing here was that they didn't know how to encrypt their database. 262 00:25:49,580 --> 00:25:55,560 They just gave everyone out the same password that I'm telling you about, right? 263 00:25:55,560 --> 00:25:57,140 So it's something really simple. 264 00:25:57,140 --> 00:26:03,160 It doesn't even follow, like, your standard, you know, special characters, lowercase, uppercase, numbers. 265 00:26:03,160 --> 00:26:07,660 It was just a really plain password, like, six characters long. 266 00:26:07,800 --> 00:26:17,320 And they didn't restrict where you could access this console from, and I think that was really terrible. 267 00:26:17,320 --> 00:26:22,200 Once we started working into how to patch this, it took us five minutes. 268 00:26:22,880 --> 00:26:41,560 Like, really five minutes just to have one person go through encrypting the database, and then it was, like, five minutes to find what function the search bar was using that was different for the rest of the websites. 269 00:26:41,600 --> 00:26:52,880 And it was just missing, I remember it was something like secure string, and that was the only thing that they were missing for that, because it wasn't performing the proper data input sanitation. 270 00:26:53,420 --> 00:27:01,140 So, yeah, it was something, like, really stupid that they didn't check, because they thought, oh, man, we have so many different websites. 271 00:27:01,260 --> 00:27:03,380 How are we going to go through all of them? 272 00:27:03,420 --> 00:27:09,000 And then I just told them, well, why don't you just diff the repositories, and that was it. 273 00:27:09,220 --> 00:27:10,620 That's how we found it. 274 00:27:11,260 --> 00:27:12,520 Next slide, please. 275 00:27:14,680 --> 00:27:17,900 And this is the stupidest one ever. 
276 00:27:18,360 --> 00:27:21,960 I really fell into this one by accident. 277 00:27:21,960 --> 00:27:29,760 We were performing a pen test on site for the PBX that they used to recruit police officers down near TJ. 278 00:27:29,760 --> 00:27:37,380 And the thing here is that they forgot about us in the building, so we were left there alone. 279 00:27:37,380 --> 00:27:49,640 So what we did was just start wandering around, and all of a sudden we see this closet full of, like, swag stuff and police uniforms. 280 00:27:49,880 --> 00:27:56,520 So I, of course, put one on and took a picture, right, to let them know that, hey, guys, this should be locked. 281 00:27:57,940 --> 00:28:14,940 And now in hindsight, if you look at what's going on right now in, like, Ciudad Juárez or Guadalajara, you see a lot of people walking around with military uniforms, burning stuff, as of right now, like, these last two, three couple of days. 282 00:28:14,940 --> 00:28:16,540 They shouldn't have access to this. 283 00:28:16,540 --> 00:28:27,500 And in hindsight, I figured that, yeah, we have a big problem about not controlling access to this type of gear properly, right? 284 00:28:27,820 --> 00:28:39,440 So, yeah, I mean, if you notice, like, something as simple as you lock it or inventory your stuff or put a camera on the site where you have that stuff. 285 00:28:39,780 --> 00:28:44,580 And don't forget about your contractors when they're doing something for you, right? 286 00:28:44,580 --> 00:28:51,580 Like, be there with them so they don't wander around and have access to their uniform as well. 287 00:28:51,580 --> 00:28:56,080 Having their backpack with them can really help. 288 00:28:56,080 --> 00:29:00,940 I mean, all of this was just really terrible practice. 289 00:29:01,520 --> 00:29:14,060 And, I mean, it's, again, just being lazy, because as I mentioned, all of these companies are certified with, I would say, like, a good enough standard. 
290 00:29:14,240 --> 00:29:17,820 It should give you, like, the basic stuff, and if you were following it to a T, 291 00:29:17,820 --> 00:29:19,700 this shouldn't have happened. 292 00:29:20,180 --> 00:29:34,800 So, yeah, this is just, like, laziness or, like, really bad practice, because I cannot attribute this to lack of knowledge, since they should know that this isn't the way that they should be doing their security. 293 00:29:35,660 --> 00:29:37,060 Next slide, please. 294 00:29:39,910 --> 00:29:50,070 Okay, now, I know that physical access isn't or usually isn't part of what most IT people do, but we can help, right? 295 00:29:50,070 --> 00:30:00,690 There's a bunch of standards that can help us achieve better security, even if you don't want to go to, like, ISO or something that you have to pay and maintain as a fee. 296 00:30:00,690 --> 00:30:02,270 There's a lot of free resources. 297 00:30:02,270 --> 00:30:10,290 There's stuff like CIS and NIST CSF that can really help you and give you a lot of guidance on how to implement security. 298 00:30:10,290 --> 00:30:26,830 If you're new to this stuff, I would really advise you to just read through these and see what you can do or what's helpful for your organization, as well as a bunch of other stuff, right? 299 00:30:26,830 --> 00:30:39,870 There is SANS, Infosec Institute, DEF CON Groups, DEF CON Talks, the DEF CON YouTube channel has a lot of useful information, and it's free, right? 300 00:30:39,870 --> 00:30:42,550 That's the best part of it. 301 00:30:43,010 --> 00:30:44,170 That's pretty much it. 302 00:30:44,170 --> 00:30:56,030 On the next slide, you will see my contact information, and my friend who is also the founder for the DEF CON Group, that's his email as well. 303 00:30:56,030 --> 00:31:08,670 If you want to come over to TJ, you want to have a talk, you just feel like you have some questions, you want to go over some other stuff, we're glad to help. 
304 00:31:09,130 --> 00:31:11,270 And yeah, that's pretty much it.
305 00:31:11,690 --> 00:31:13,750 Do you have any questions, guys?
306 00:31:30,080 --> 00:31:36,200 What's your advice for getting people to get past that laziness threshold?
307 00:31:36,200 --> 00:31:38,580 Because every company has it to some extent.
308 00:31:38,580 --> 00:31:49,400 A lot of companies have their employees go through trainings, but it seems like a lot of the time there's no battling apathy.
309 00:31:49,600 --> 00:31:51,780 Has that been your experience as well?
310 00:31:52,500 --> 00:32:07,740 Yeah, and one of the things that I found that works best is I give them live demos, like putting something together, even something really simple, like, oh, here's how they spoof your Facebook, right?
311 00:32:07,740 --> 00:32:13,620 Just something that gets them on a personal level, that they can relate to their everyday usage.
312 00:32:13,620 --> 00:32:21,540 And that's usually the place where I find that they shift their attitude towards security.
313 00:32:21,540 --> 00:32:23,840 And that's when they start caring about MFA.
314 00:32:23,840 --> 00:32:25,980 That's when they start caring about secure passwords.
315 00:32:25,980 --> 00:32:35,200 Once you start telling them how easy it is to get spoofed, and how their private information or personal information can get out there, that's when they start noticing.
316 00:32:35,200 --> 00:32:38,660 And then it starts turning into, like, a habit.
317 00:32:38,760 --> 00:32:44,320 And then that, like, rolls over to the way they work.
318 00:32:45,000 --> 00:32:48,860 That's the one I found that's most useful for awareness.
319 00:32:56,990 --> 00:33:02,150 Yeah, one thing I found is that people rely on what are called folk models.
320 00:33:02,350 --> 00:33:09,510 And that's a set of rules of thumb that they believe are true for them and their environment.
321 00:33:09,550 --> 00:33:13,490 And it doesn't matter what credentials you have, they just won't accept it from you.
322 00:33:13,490 --> 00:33:16,350 And what I found got past it is exactly what you're saying.
323 00:33:16,350 --> 00:33:21,490 You show them something personal, where it impacts them personally, and all of a sudden they start listening.
324 00:33:22,830 --> 00:33:30,930 Yeah, I know why people are like that, but yeah, it seems to work.
325 00:33:39,750 --> 00:33:42,730 Feel free, if you have questions, ask questions now.
326 00:33:53,260 --> 00:33:56,180 Well, thank you, Juan, for an excellent presentation.
327 00:33:56,660 --> 00:34:00,720 And people, please give our speaker a round of applause here.
328 00:34:01,800 --> 00:34:03,680 And feel free to ask him questions.
329 00:34:03,680 --> 00:34:05,940 You know, we're here; if we're here, we want to talk to people.
330 00:34:05,940 --> 00:34:10,140 So feel free, if you have questions or just want to talk, walk up to people and talk to them.
331 00:34:10,540 --> 00:34:21,560 I really appreciate this particular presentation because, having worked at a university, this kind of problem, this lackadaisical attitude, is rampant; it's everywhere.
332 00:34:21,560 --> 00:34:25,320 So thanks, thank you for doing this presentation.
333 00:34:26,180 --> 00:34:31,780 Okay, we've got about 27 minutes to our next speaker.
334 00:34:31,960 --> 00:34:35,060 So wander around, talk to each other, get something to eat.
335 00:34:36,060 --> 00:34:37,900 Maybe a bathroom break might be nice.
336 00:34:38,180 --> 00:34:40,640 We'll see you back here in about 20 minutes.
