0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/1162 Thanks! 1 00:00:06,350 --> 00:00:07,350 We. 2 00:00:18,310 --> 00:00:20,379 So I guess everyone 3 00:00:20,380 --> 00:00:22,899 here knows the pain of security 4 00:00:22,900 --> 00:00:25,179 issues, and that some made it to the news 5 00:00:25,180 --> 00:00:27,909 and made us laugh, but some made us cry. 6 00:00:27,910 --> 00:00:29,679 And our next guest 7 00:00:31,000 --> 00:00:33,669 will take us on a little security 8 00:00:33,670 --> 00:00:36,249 expedition in Bugland. 9 00:00:36,250 --> 00:00:38,019 So watch out, there are dangerous 10 00:00:38,020 --> 00:00:39,139 security problems. 11 00:00:39,140 --> 00:00:41,769 Let's give him a warm applause 12 00:00:41,770 --> 00:00:43,869 and have fun with the talk. 13 00:00:50,400 --> 00:00:52,049 Welcome, everybody. 14 00:00:52,050 --> 00:00:53,789 Let's start with the talk "A security 15 00:00:53,790 --> 00:00:55,229 expedition in Bugland". 16 00:00:56,310 --> 00:00:58,079 Yeah, I'm talking about information 17 00:00:58,080 --> 00:01:00,239 security and our three 18 00:01:00,240 --> 00:01:02,909 fundamental aspects, CIA. 19 00:01:02,910 --> 00:01:04,738 And that's the reality today. 20 00:01:04,739 --> 00:01:06,209 But let's see, what are the three 21 00:01:06,210 --> 00:01:07,919 fundamental aspects of information 22 00:01:07,920 --> 00:01:09,179 security? 23 00:01:09,180 --> 00:01:10,679 It's CIA. 24 00:01:10,680 --> 00:01:12,899 So first, you think about these 25 00:01:12,900 --> 00:01:14,219 guys here. 26 00:01:14,220 --> 00:01:16,319 But it's totally wrong, because 27 00:01:16,320 --> 00:01:17,999 these are the three fundamental aspects. 28 00:01:18,000 --> 00:01:20,369 It's C for confidentiality.
29 00:01:20,370 --> 00:01:22,529 It's I for integrity 30 00:01:22,530 --> 00:01:24,809 and A for availability, and those are the 31 00:01:24,810 --> 00:01:26,369 three fundamental aspects. 32 00:01:26,370 --> 00:01:28,289 But I will show you now that all these 33 00:01:28,290 --> 00:01:30,509 three aspects are gonna have 34 00:01:30,510 --> 00:01:32,729 problems in today's information security, 35 00:01:32,730 --> 00:01:33,989 and all of them are somehow 36 00:01:33,990 --> 00:01:34,990 broken. 37 00:01:35,550 --> 00:01:37,739 I also compiled a small security 38 00:01:37,740 --> 00:01:39,539 101 for everybody, for people who are 39 00:01:39,540 --> 00:01:42,149 not really into IT security. 40 00:01:42,150 --> 00:01:44,189 So there are a lot of different 41 00:01:45,690 --> 00:01:46,679 acronyms there. 42 00:01:46,680 --> 00:01:48,089 Let's check it out. 43 00:01:48,090 --> 00:01:50,669 So first, there is CVE. 44 00:01:50,670 --> 00:01:53,189 CVE stands for Common Vulnerabilities 45 00:01:53,190 --> 00:01:54,359 and Exposures. 46 00:01:54,360 --> 00:01:56,369 It's an industry standard and it's a 47 00:01:56,370 --> 00:01:58,439 naming convention, and it's 48 00:01:58,440 --> 00:02:00,509 for publicly known security 49 00:02:00,510 --> 00:02:01,919 vulnerabilities. 50 00:02:01,920 --> 00:02:04,319 There is an example of a CVE, 51 00:02:04,320 --> 00:02:06,929 that's the CVE of EternalBlue. 52 00:02:06,930 --> 00:02:09,149 That's the exploit, the zero-day 53 00:02:09,150 --> 00:02:10,649 from the NSA, which was used for 54 00:02:10,650 --> 00:02:12,719 WannaCry, for example. This is the 55 00:02:12,720 --> 00:02:14,279 CVE number. 56 00:02:14,280 --> 00:02:16,589 Then there is also CVSS. 57 00:02:16,590 --> 00:02:18,749 CVSS is the Common 58 00:02:18,750 --> 00:02:20,399 Vulnerability Scoring System.
59 00:02:20,400 --> 00:02:22,559 It's like a scoring system 60 00:02:22,560 --> 00:02:24,719 for scoring 61 00:02:24,720 --> 00:02:26,909 the vulnerability, like, is it rather 62 00:02:26,910 --> 00:02:28,529 not a big problem, or is it 63 00:02:28,530 --> 00:02:30,539 like, just shut down the 64 00:02:30,540 --> 00:02:32,669 system and throw it away 65 00:02:32,670 --> 00:02:35,009 and build a new one, or fix all the bugs. 66 00:02:35,010 --> 00:02:37,439 And it's based on a formula 67 00:02:37,440 --> 00:02:39,359 depending on different metrics, and it's 68 00:02:39,360 --> 00:02:42,029 also a free and open industry standard. 69 00:02:42,030 --> 00:02:44,579 Well, let's go to the first security 70 00:02:44,580 --> 00:02:46,739 term. So the first one is 71 00:02:46,740 --> 00:02:47,729 command injection. 72 00:02:47,730 --> 00:02:49,799 So the idea is 73 00:02:49,800 --> 00:02:51,989 to inject user-controlled commands into 74 00:02:51,990 --> 00:02:54,719 a system. Like, for example, 75 00:02:54,720 --> 00:02:56,729 the classic one is some command 76 00:02:56,730 --> 00:02:58,679 interface on your router, like 77 00:02:58,680 --> 00:03:00,749 ping to some host, and then 78 00:03:00,750 --> 00:03:02,849 you just, like, make a semicolon and 79 00:03:02,850 --> 00:03:04,709 put some bash commands in there, and you 80 00:03:04,710 --> 00:03:06,359 can just execute some commands on your 81 00:03:06,360 --> 00:03:07,709 router if it's really badly 82 00:03:07,710 --> 00:03:08,609 implemented. 83 00:03:08,610 --> 00:03:10,559 It's like a classic command injection. 84 00:03:11,700 --> 00:03:14,069 Let's check out the first 85 00:03:14,070 --> 00:03:15,629 category of mine. 86 00:03:15,630 --> 00:03:18,539 It's called, yeah, "Just fail". 87 00:03:18,540 --> 00:03:20,939 So the first category is "Just fail". 88 00:03:20,940 --> 00:03:23,399 And that's my example for this.
89 00:03:23,400 --> 00:03:25,499 It's the npm 90 00:03:25,500 --> 00:03:28,379 5.7.0 release. 91 00:03:28,380 --> 00:03:30,659 So the thing is, this 92 00:03:30,660 --> 00:03:32,909 release was not 93 00:03:32,910 --> 00:03:35,129 properly tagged as a prerelease, 94 00:03:35,130 --> 00:03:36,809 so it was not a release, but it was a 95 00:03:36,810 --> 00:03:38,999 prerelease, and it was 96 00:03:39,000 --> 00:03:40,889 rolled out by update and people just 97 00:03:40,890 --> 00:03:42,989 updated it. And the problem 98 00:03:42,990 --> 00:03:45,059 was it fucked up all permissions on 99 00:03:45,060 --> 00:03:46,499 the file system 100 00:03:46,500 --> 00:03:48,849 if you ran it as sudo, so it 101 00:03:48,850 --> 00:03:50,609 chowned recursively in the folder. 102 00:03:50,610 --> 00:03:52,199 So if you, like, ran it, 103 00:03:53,250 --> 00:03:55,319 you couldn't fix it easily, you had to, 104 00:03:55,320 --> 00:03:57,449 like, restore a backup to fix all the 105 00:03:57,450 --> 00:03:58,889 file permissions. 106 00:03:58,890 --> 00:04:01,589 And that's the CVE number down there, 107 00:04:01,590 --> 00:04:03,839 and if you are really interested, check 108 00:04:03,840 --> 00:04:06,239 out the 109 00:04:06,240 --> 00:04:08,309 GitHub issue for that. 110 00:04:08,310 --> 00:04:10,469 It is quite, well, 111 00:04:10,470 --> 00:04:12,539 funny enough, some 112 00:04:12,540 --> 00:04:14,369 crying was also involved. 113 00:04:14,370 --> 00:04:15,629 Let's check it out. 114 00:04:15,630 --> 00:04:18,328 So there was this first comment, it was: 115 00:04:18,329 --> 00:04:19,229 "Just destroyed 116 00:04:19,230 --> 00:04:21,088 three production servers after a single 117 00:04:21,089 --> 00:04:22,919 deploy. Sobbing." 118 00:04:22,920 --> 00:04:23,849 OK? 119 00:04:23,850 --> 00:04:26,069 And then there's the next guy who says, 120 00:04:26,070 --> 00:04:28,349 "Why are you using a prerelease version 121 00:04:28,350 --> 00:04:29,249 in production?
122 00:04:29,250 --> 00:04:30,539 Just asking." 123 00:04:30,540 --> 00:04:32,429 But the problem was it wasn't released as 124 00:04:32,430 --> 00:04:33,869 a prerelease, and he didn't know that it 125 00:04:33,870 --> 00:04:35,669 was, like, a buggy prerelease. 126 00:04:35,670 --> 00:04:37,919 So it's not the fault 127 00:04:37,920 --> 00:04:40,229 of that guy that the update just destroyed 128 00:04:40,230 --> 00:04:41,879 three production servers. 129 00:04:41,880 --> 00:04:43,619 There are even more comments, but these are 130 00:04:43,620 --> 00:04:45,689 like my two favorites about this issue. 131 00:04:46,860 --> 00:04:49,169 So the next one is also one really 132 00:04:49,170 --> 00:04:51,329 sad category. 133 00:04:51,330 --> 00:04:53,669 It's called "Can 134 00:04:53,670 --> 00:04:55,319 I has the new bank, please?" 135 00:04:55,320 --> 00:04:57,059 So maybe you read about it. 136 00:04:57,060 --> 00:04:59,069 So if you have a great mobile app for 137 00:04:59,070 --> 00:05:01,859 banking and you got this warning, 138 00:05:01,860 --> 00:05:03,420 it's in German, but it says that 139 00:05:05,010 --> 00:05:07,199 something or someone is, like, changing 140 00:05:07,200 --> 00:05:09,269 your connection, and 141 00:05:09,270 --> 00:05:11,369 our connection test to a secure 142 00:05:11,370 --> 00:05:13,769 bank says that it's 143 00:05:13,770 --> 00:05:16,259 not possible to have a secure connection. 144 00:05:16,260 --> 00:05:17,819 So please contact support. 145 00:05:17,820 --> 00:05:19,379 So if you get this warning in a mobile 146 00:05:19,380 --> 00:05:21,209 banking app, you would just shut it down 147 00:05:21,210 --> 00:05:22,559 and not use it. 148 00:05:22,560 --> 00:05:24,869 But if you're the great 149 00:05:24,870 --> 00:05:26,249 bank
150 00:05:26,250 --> 00:05:29,399 comdirect Bank of Germany, 151 00:05:29,400 --> 00:05:31,529 you just write on Twitter and tell the 152 00:05:31,530 --> 00:05:33,659 people, "Oh, we know the issue, but 153 00:05:33,660 --> 00:05:35,759 just press OK and you can just use 154 00:05:35,760 --> 00:05:37,859 the app." So the problem was, their 155 00:05:37,860 --> 00:05:40,169 SSL certificate just ran out 156 00:05:40,170 --> 00:05:41,879 and they just said, OK, we don't care, 157 00:05:41,880 --> 00:05:44,069 you can just still use this app. 158 00:05:44,070 --> 00:05:46,199 And so they're telling the users 159 00:05:46,200 --> 00:05:48,449 to still use this insecure app for 160 00:05:48,450 --> 00:05:50,199 mobile banking. 161 00:05:50,200 --> 00:05:52,269 So if you have this bank, maybe, 162 00:05:52,270 --> 00:05:54,429 maybe you should, like, go to another 163 00:05:54,430 --> 00:05:56,559 bank and put your money where 164 00:05:56,560 --> 00:05:58,509 they, like, care for IT security. 165 00:05:59,770 --> 00:06:01,730 Let's go to the next term in 166 00:06:02,800 --> 00:06:03,909 terminology. 167 00:06:03,910 --> 00:06:06,129 So, backdoor. A backdoor is a built-in 168 00:06:06,130 --> 00:06:08,619 method to bypass authentication 169 00:06:08,620 --> 00:06:10,929 or encryption of a system, and 170 00:06:10,930 --> 00:06:13,119 I have two examples 171 00:06:13,120 --> 00:06:14,049 for a backdoor. 172 00:06:14,050 --> 00:06:16,239 The first one is Cisco, so 173 00:06:16,240 --> 00:06:18,999 Cisco is a big network equipment vendor 174 00:06:19,000 --> 00:06:22,329 and has, like, a long backdoor history. 175 00:06:22,330 --> 00:06:24,159 But there is a positive thing there. 176 00:06:24,160 --> 00:06:25,989 They are doing internal auditing and they 177 00:06:25,990 --> 00:06:28,389 found quite a lot of backdoors 178 00:06:28,390 --> 00:06:29,680 during their internal auditing. 179 00:06:30,970 --> 00:06:32,169 So that's a positive thing.
180 00:06:32,170 --> 00:06:33,609 But still, there is a problem there, 181 00:06:33,610 --> 00:06:35,559 because in their products, they're 182 00:06:35,560 --> 00:06:37,749 very creative about finding synonyms 183 00:06:37,750 --> 00:06:39,009 for the backdoors. 184 00:06:39,010 --> 00:06:41,259 I have three examples for you. 185 00:06:41,260 --> 00:06:44,029 So the first one is an "undocumented 186 00:06:44,030 --> 00:06:46,479 user with privilege level 15". 187 00:06:46,480 --> 00:06:48,969 That's, OK, it's quite creative. 188 00:06:48,970 --> 00:06:50,859 But the other one is even better: 189 00:06:50,860 --> 00:06:53,139 "undocumented static user credentials 190 00:06:53,140 --> 00:06:54,969 for the default administration", and it's 191 00:06:54,970 --> 00:06:55,989 very creative. 192 00:06:55,990 --> 00:06:58,569 It's also, it's like an even better name. 193 00:06:58,570 --> 00:07:01,269 But my favorite is the "undocumented 194 00:07:01,270 --> 00:07:02,769 test interface". 195 00:07:02,770 --> 00:07:04,299 There's some port on the board. 196 00:07:04,300 --> 00:07:05,709 Just connect there and you get root 197 00:07:05,710 --> 00:07:06,669 access. 198 00:07:06,670 --> 00:07:08,529 Really nice backdoor. 199 00:07:08,530 --> 00:07:10,539 There are even more of them, but these are 200 00:07:10,540 --> 00:07:12,879 like three examples for their creative 201 00:07:12,880 --> 00:07:14,799 synonyms for backdoor. 202 00:07:14,800 --> 00:07:17,619 So the next one is really cool. 203 00:07:17,620 --> 00:07:19,749 So, the Tenda AC 204 00:07:19,750 --> 00:07:20,649 15 backdoor. 205 00:07:20,650 --> 00:07:22,899 So it's a Chinese internet router 206 00:07:22,900 --> 00:07:24,939 out there, and 207 00:07:26,290 --> 00:07:28,429 there is easy root access in three 208 00:07:28,430 --> 00:07:30,279 steps on this device. 209 00:07:30,280 --> 00:07:31,480 So the first one is 210 00:07:32,800 --> 00:07:33,939 your request.
211 00:07:33,940 --> 00:07:35,859 You make a request to /goform/ 212 00:07:35,860 --> 00:07:37,929 telnet on the router, and 213 00:07:37,930 --> 00:07:40,269 it starts telnet on the router. 214 00:07:40,270 --> 00:07:42,589 The next step is, you choose freely 215 00:07:42,590 --> 00:07:45,219 from three existing default accounts 216 00:07:45,220 --> 00:07:47,649 on the device: the root account, 217 00:07:47,650 --> 00:07:51,039 like a user "admin", 218 00:07:51,040 --> 00:07:53,289 and another, a third account. 219 00:07:53,290 --> 00:07:56,019 And then you just need to 220 00:07:56,020 --> 00:07:57,909 guess the password, and then you have root 221 00:07:57,910 --> 00:08:00,009 access on the account. Any guesses 222 00:08:00,010 --> 00:08:01,010 for the password? 223 00:08:04,970 --> 00:08:07,309 Well, it isn't "test", but it's close. 224 00:08:07,310 --> 00:08:09,470 It has as many letters as "test". 225 00:08:10,490 --> 00:08:12,619 The password was 1234 226 00:08:12,620 --> 00:08:14,029 for all three accounts, 227 00:08:15,770 --> 00:08:17,269 and then you're looking at root access 228 00:08:17,270 --> 00:08:18,629 on the router. It's really handy. 229 00:08:18,630 --> 00:08:21,319 So if you lost your root password 230 00:08:21,320 --> 00:08:22,789 or your admin one, you can just use this 231 00:08:22,790 --> 00:08:23,790 one. 232 00:08:24,800 --> 00:08:26,569 So the nineties called, they want 233 00:08:26,570 --> 00:08:27,619 their passwords back. 234 00:08:27,620 --> 00:08:29,479 So please don't use this password for 235 00:08:29,480 --> 00:08:30,979 your router. 236 00:08:30,980 --> 00:08:33,469 And update the router if you get firmware 237 00:08:33,470 --> 00:08:35,569 upgrades. It's also a problem 238 00:08:35,570 --> 00:08:37,279 that often devices don't get updates. 239 00:08:38,390 --> 00:08:41,689 So the next one, auth bypass, 240 00:08:41,690 --> 00:08:44,058 is an authentication bypass.
241 00:08:44,059 --> 00:08:46,219 Like, you can log in somewhere 242 00:08:46,220 --> 00:08:48,289 without username, or 243 00:08:48,290 --> 00:08:50,539 without password, or 244 00:08:50,540 --> 00:08:51,679 without both. 245 00:08:51,680 --> 00:08:52,730 So that's the idea 246 00:08:53,810 --> 00:08:55,370 behind an authentication bypass. 247 00:08:56,450 --> 00:08:58,549 Well, let's go to Fight 248 00:08:58,550 --> 00:08:59,479 Club. 249 00:08:59,480 --> 00:09:01,699 Do you know from which year Fight Club 250 00:09:01,700 --> 00:09:03,379 was? When was Fight Club released? 251 00:09:05,450 --> 00:09:07,820 Some ideas which year it was released? 252 00:09:09,860 --> 00:09:14,029 It was released in 1999. 253 00:09:14,030 --> 00:09:16,819 So, a blast from the past: 254 00:09:16,820 --> 00:09:19,129 in 1999 there was 255 00:09:19,130 --> 00:09:22,039 this company called Netscape, 256 00:09:22,040 --> 00:09:24,199 and it had the Netscape 257 00:09:24,200 --> 00:09:26,599 Enterprise Server and Netscape FastTrack 258 00:09:26,600 --> 00:09:28,399 Server as software. 259 00:09:28,400 --> 00:09:29,749 And there was a remote attack, 260 00:09:29,750 --> 00:09:31,909 privileges gained via 261 00:09:31,910 --> 00:09:33,679 HTTP Basic authentication. 262 00:09:35,210 --> 00:09:37,519 That was 1999. 263 00:09:37,520 --> 00:09:39,859 Well, that's already 264 00:09:39,860 --> 00:09:40,860 a really bad 265 00:09:42,350 --> 00:09:44,149 security bug. 266 00:09:44,150 --> 00:09:46,429 But well, what is history 267 00:09:46,430 --> 00:09:47,430 teaching us? 268 00:09:50,180 --> 00:09:52,159 Back to the future, yeah, well, let's go 269 00:09:52,160 --> 00:09:54,590 back to the future, to 2018. 270 00:09:56,220 --> 00:09:58,699 Um, well, there is HP
271 00:09:58,700 --> 00:10:00,979 iLO 4 authentication bypass 272 00:10:00,980 --> 00:10:04,159 and remote code execution, so 273 00:10:04,160 --> 00:10:06,979 HP iLO 4 is a 274 00:10:06,980 --> 00:10:08,869 remote management console for servers. 275 00:10:08,870 --> 00:10:11,239 It's a, it's a hardware card. 276 00:10:11,240 --> 00:10:13,250 You can remotely access a server with it, 277 00:10:14,630 --> 00:10:16,609 and there was an authentication bypass and a 278 00:10:16,610 --> 00:10:17,959 remote code execution in this. 279 00:10:17,960 --> 00:10:20,059 And it was found by the 280 00:10:20,060 --> 00:10:21,949 Airbus research team. 281 00:10:21,950 --> 00:10:24,139 They invested five man, mostly man, 282 00:10:24,140 --> 00:10:26,149 months for reverse engineering the whole 283 00:10:26,150 --> 00:10:27,379 firmware. 284 00:10:27,380 --> 00:10:29,569 It is from 2017, but the 285 00:10:29,570 --> 00:10:31,909 broad public knowledge 286 00:10:31,910 --> 00:10:33,769 was in 2018, when they presented their 287 00:10:33,770 --> 00:10:35,779 whole research at a conference. 288 00:10:35,780 --> 00:10:37,879 And it's quite 289 00:10:37,880 --> 00:10:38,929 interesting how it works. 290 00:10:38,930 --> 00:10:41,269 I have a GIF of the live demo here 291 00:10:41,270 --> 00:10:43,759 and you can check it out. 292 00:10:43,760 --> 00:10:46,339 So they are requesting 293 00:10:46,340 --> 00:10:48,709 the interface and it says 294 00:10:48,710 --> 00:10:50,779 401 Unauthorized. 295 00:10:52,790 --> 00:10:54,949 So they use great 296 00:10:54,950 --> 00:10:57,199 tools and just print 297 00:10:57,200 --> 00:10:58,429 twenty-nine times "A". 298 00:11:01,390 --> 00:11:03,789 Then they add a header to the request, 299 00:11:05,490 --> 00:11:07,889 with the header 300 00:11:07,890 --> 00:11:10,409 "Connection:" with these twenty-nine 301 00:11:10,410 --> 00:11:12,689 times "A", and then 302 00:11:12,690 --> 00:11:14,669 press enter.
And they get full admin 303 00:11:14,670 --> 00:11:17,369 access. So it's like, OK. 304 00:11:17,370 --> 00:11:19,590 And yeah, administrator, great. 305 00:11:20,670 --> 00:11:22,169 Yeah, it's really fun, because you have 306 00:11:22,170 --> 00:11:24,269 like ten thousand of these servers out there. 307 00:11:24,270 --> 00:11:25,289 You can just get administration 308 00:11:25,290 --> 00:11:26,639 privileges with twenty-nine A's. 309 00:11:27,880 --> 00:11:29,519 Um, yeah. 310 00:11:29,520 --> 00:11:31,739 The problem is, you see 311 00:11:31,740 --> 00:11:33,839 this equation, 1999 312 00:11:33,840 --> 00:11:35,999 equals 2018. 313 00:11:36,000 --> 00:11:37,739 Mathematically, it's not quite correct, 314 00:11:37,740 --> 00:11:38,699 but in IT 315 00:11:38,700 --> 00:11:40,769 security, it is, because 316 00:11:40,770 --> 00:11:43,139 in both cases it was a buffer 317 00:11:43,140 --> 00:11:45,959 overflow which caused the bug. 318 00:11:45,960 --> 00:11:48,089 Um, so a buffer overflow is a 319 00:11:48,090 --> 00:11:50,459 security bug where they managed 320 00:11:50,460 --> 00:11:52,589 to overwrite the 321 00:11:52,590 --> 00:11:53,969 data and they could, like, access 322 00:11:53,970 --> 00:11:55,890 administration without a valid account. 323 00:11:57,060 --> 00:11:58,739 Let's get to the next category. 324 00:11:58,740 --> 00:12:00,879 The next category is data 325 00:12:00,880 --> 00:12:02,159 richness. 326 00:12:02,160 --> 00:12:03,659 So it's the opposite of data 327 00:12:03,660 --> 00:12:05,429 minimization, data minimization, which is like our 328 00:12:05,430 --> 00:12:07,619 goal in IT security, because 329 00:12:07,620 --> 00:12:09,749 we don't need all the data of 330 00:12:09,750 --> 00:12:11,459 the people, we should just use the data 331 00:12:11,460 --> 00:12:12,719 we need for services. 332 00:12:12,720 --> 00:12:14,939 So all thanks to GDPR.
333 00:12:14,940 --> 00:12:17,099 So it's unnecessary to have too much data. 334 00:12:17,100 --> 00:12:19,199 Data is also like the digital gold of 335 00:12:19,200 --> 00:12:20,309 the modern times. 336 00:12:21,450 --> 00:12:23,000 There was Google Plus, 337 00:12:24,120 --> 00:12:26,729 they had a leak affecting 500,000 338 00:12:26,730 --> 00:12:29,069 users. 339 00:12:29,070 --> 00:12:31,349 They also stole partially sensitive 340 00:12:31,350 --> 00:12:32,519 data. 341 00:12:32,520 --> 00:12:33,520 And 342 00:12:34,770 --> 00:12:36,809 the thing is, Google Plus, Google 343 00:12:36,810 --> 00:12:38,879 Plus was shut down, also because of 344 00:12:38,880 --> 00:12:41,129 this part. Well, 345 00:12:41,130 --> 00:12:42,569 it's only 500,000 users. 346 00:12:42,570 --> 00:12:43,589 It's not a lot. 347 00:12:43,590 --> 00:12:45,149 Well, let's check out our friends at 348 00:12:45,150 --> 00:12:46,709 Facebook. 349 00:12:46,710 --> 00:12:48,689 So they have, like, approximately 30 350 00:12:48,690 --> 00:12:51,269 million users affected, 351 00:12:51,270 --> 00:12:53,459 like six times as much as 352 00:12:53,460 --> 00:12:55,829 the Google Plus leak was affecting, 353 00:12:55,830 --> 00:12:58,559 but they still didn't, didn't shut down. 354 00:12:58,560 --> 00:13:00,839 I don't know why, but, well, 355 00:13:00,840 --> 00:13:01,840 maybe next time. 356 00:13:02,910 --> 00:13:05,099 But you see, there's a lot of 357 00:13:05,100 --> 00:13:07,379 data leaks happening in 2018, 358 00:13:07,380 --> 00:13:09,329 and a lot of user data was affected. 359 00:13:11,040 --> 00:13:13,349 Well, let's check out the next category. 360 00:13:13,350 --> 00:13:16,049 It's called DoS. 361 00:13:16,050 --> 00:13:18,329 Denial of Service. So 362 00:13:18,330 --> 00:13:20,489 the idea behind DoS is to 363 00:13:20,490 --> 00:13:22,949 make a system unavailable, temporarily 364 00:13:22,950 --> 00:13:24,210 or permanently.
365 00:13:25,440 --> 00:13:27,659 Um, so who of you 366 00:13:27,660 --> 00:13:29,729 has a friend, who has a friend, who 367 00:13:29,730 --> 00:13:31,919 has a friend that has an IP camera? 368 00:13:33,780 --> 00:13:36,149 No one? No one 369 00:13:36,150 --> 00:13:37,769 is friends with IP cameras? Oh, 370 00:13:37,770 --> 00:13:39,959 one person, at least one person. 371 00:13:39,960 --> 00:13:42,059 So this one friend has 372 00:13:42,060 --> 00:13:44,669 a camera, maybe it's this IP camera, 373 00:13:44,670 --> 00:13:47,399 and on this device, on this camera, 374 00:13:47,400 --> 00:13:49,769 you can make an easy denial-of-service. 375 00:13:49,770 --> 00:13:51,779 So you just send a POST request to this 376 00:13:51,780 --> 00:13:54,239 camera with a huge body size 377 00:13:54,240 --> 00:13:56,669 to the URL, 378 00:13:56,670 --> 00:13:58,829 and the camera just crashes. 379 00:13:58,830 --> 00:14:00,899 So it's really handy, you just send a POST 380 00:14:00,900 --> 00:14:02,909 request and it just crashes. 381 00:14:02,910 --> 00:14:04,949 There is a proof of concept on GitHub 382 00:14:04,950 --> 00:14:06,029 about this. 383 00:14:06,030 --> 00:14:07,679 So if you have it at home, you can try it 384 00:14:07,680 --> 00:14:09,989 yourself, or you can throw it away, because 385 00:14:09,990 --> 00:14:11,130 I don't think it gets updates. 386 00:14:12,240 --> 00:14:14,579 And yeah, it's also a 387 00:14:14,580 --> 00:14:16,649 classic IoT embedded hardware, 388 00:14:16,650 --> 00:14:19,169 which is, like, badly implemented 389 00:14:19,170 --> 00:14:20,909 and just crashes when you send it huge 390 00:14:20,910 --> 00:14:21,910 bodies. 391 00:14:23,070 --> 00:14:25,499 Then our next category 392 00:14:25,500 --> 00:14:26,969 is RCE. 393 00:14:26,970 --> 00:14:29,759 You all heard it at HP iLO 4. 394 00:14:29,760 --> 00:14:32,099 So RCE is remote code 395 00:14:32,100 --> 00:14:33,839 execution.
396 00:14:33,840 --> 00:14:35,909 So the idea is you can execute, 397 00:14:35,910 --> 00:14:38,069 on a remote target, your own 398 00:14:38,070 --> 00:14:39,299 code or programs. 399 00:14:40,370 --> 00:14:42,479 Um, and so 400 00:14:42,480 --> 00:14:44,819 most of you are probably gamers, and 401 00:14:44,820 --> 00:14:47,819 most of you also use this, what is like 402 00:14:47,820 --> 00:14:50,519 a well-known gaming platform? 403 00:14:50,520 --> 00:14:51,869 Steam? 404 00:14:51,870 --> 00:14:53,699 Yeah, Nintendo. But yeah, Steam is a 405 00:14:53,700 --> 00:14:55,799 good, a good, good gaming 406 00:14:55,800 --> 00:14:58,019 platform, because Steam 407 00:14:58,020 --> 00:15:00,269 had a remote code execution 408 00:15:00,270 --> 00:15:02,699 for nearly ten years, 409 00:15:02,700 --> 00:15:05,969 and it was found this year. 410 00:15:05,970 --> 00:15:08,009 When you sent a malformed UDP 411 00:15:08,010 --> 00:15:10,139 packet, it was enough to trigger the 412 00:15:10,140 --> 00:15:11,279 exploit. 413 00:15:11,280 --> 00:15:12,989 There is a really extensive write-up 414 00:15:12,990 --> 00:15:15,119 under the link here, so 415 00:15:15,120 --> 00:15:17,279 for ten years it was, like, theoretically 416 00:15:17,280 --> 00:15:19,109 possible to exploit the remote code 417 00:15:19,110 --> 00:15:20,400 execution in Steam, 418 00:15:21,450 --> 00:15:23,549 like a lot of users would be 419 00:15:23,550 --> 00:15:24,749 affected. 420 00:15:24,750 --> 00:15:26,849 We don't know if it was exploited, 421 00:15:26,850 --> 00:15:28,639 but it was in the code, 422 00:15:28,640 --> 00:15:30,269 there, the bug. 423 00:15:30,270 --> 00:15:32,369 Really impressive is that, 424 00:15:32,370 --> 00:15:34,589 after the reporting, 425 00:15:34,590 --> 00:15:37,019 the Steam team patched it after 426 00:15:37,020 --> 00:15:39,239 eight hours, so after eight hours it was 427 00:15:39,240 --> 00:15:41,040 already patched. Well done, Steam team.
428 00:15:42,420 --> 00:15:44,100 So our next 429 00:15:45,810 --> 00:15:47,609 thing is PoC, 430 00:15:47,610 --> 00:15:49,019 proof of concept. 431 00:15:49,020 --> 00:15:50,729 So the idea of a proof of concept is 432 00:15:50,730 --> 00:15:53,939 that you have, like, some example, 433 00:15:53,940 --> 00:15:56,159 an exploit, to show that you can 434 00:15:56,160 --> 00:15:57,330 exploit the bug. 435 00:15:58,440 --> 00:16:01,259 So the classic proof of concept 436 00:16:01,260 --> 00:16:04,079 is that you pop up a calculator 437 00:16:04,080 --> 00:16:07,169 on your system, and 438 00:16:07,170 --> 00:16:08,280 that's like the classic 439 00:16:09,960 --> 00:16:12,059 thing to show the people that you 440 00:16:12,060 --> 00:16:14,609 exploited the remote code execution, or 441 00:16:14,610 --> 00:16:16,499 code execution, on a system, that you can, 442 00:16:16,500 --> 00:16:18,579 like, run a calculator, 443 00:16:18,580 --> 00:16:20,650 calc.exe or xcalc. 444 00:16:22,290 --> 00:16:23,290 So. 445 00:16:26,600 --> 00:16:29,899 So, in my first two iterations 446 00:16:29,900 --> 00:16:32,029 of this talk, I didn't have a live 447 00:16:32,030 --> 00:16:34,219 demo, and then all the time 448 00:16:34,220 --> 00:16:36,589 people came to me and told me, 449 00:16:36,590 --> 00:16:39,109 "Hello, can I have a live demo?" 450 00:16:39,110 --> 00:16:40,929 And so I told myself, 451 00:16:40,930 --> 00:16:43,309 so I said, OK, well, let's prepare 452 00:16:43,310 --> 00:16:44,299 something. 453 00:16:44,300 --> 00:16:46,789 And yeah, we will have a live demo, 454 00:16:46,790 --> 00:16:49,010 and what could possibly go wrong? 455 00:16:55,780 --> 00:16:57,859 So here is a specially prepared laptop. 456 00:16:57,860 --> 00:16:58,860 So. 457 00:16:59,920 --> 00:17:00,970 So I have here, 458 00:17:02,120 --> 00:17:03,399 no, I don't want updates, no, 459 00:17:04,869 --> 00:17:07,689 I have an Ubuntu 16.04 460 00:17:07,690 --> 00:17:09,459 for the pictures.
461 00:17:09,460 --> 00:17:11,529 I have a VirtualBox with a 462 00:17:11,530 --> 00:17:13,568 Debian system. 463 00:17:13,569 --> 00:17:14,889 It's nearly patched, 464 00:17:16,540 --> 00:17:18,819 so let's start my VirtualBox system. 465 00:17:27,599 --> 00:17:28,599 So. 466 00:17:43,740 --> 00:17:45,330 So I'm already sorry for the use of the 467 00:17:45,331 --> 00:17:47,639 name of this VirtualBox; it was at first 468 00:17:47,640 --> 00:17:49,979 my mailbox test server, 469 00:17:49,980 --> 00:17:52,139 there are test email servers, 470 00:17:52,140 --> 00:17:53,369 but you will see yourself. 471 00:18:09,600 --> 00:18:11,399 It did a good job as a mail server, but 472 00:18:11,400 --> 00:18:12,900 now it has to be exploited. 473 00:18:20,180 --> 00:18:21,630 So, um, 474 00:18:23,000 --> 00:18:26,029 so if you are using 475 00:18:26,030 --> 00:18:28,369 a computer, you normally use it to 476 00:18:28,370 --> 00:18:30,649 surf on the internet and check 477 00:18:30,650 --> 00:18:33,739 out web pages, and 478 00:18:33,740 --> 00:18:36,469 you also want some cool desktop 479 00:18:36,470 --> 00:18:38,539 backgrounds for your laptop. 480 00:18:39,830 --> 00:18:42,209 So this one is really not so, it 481 00:18:42,210 --> 00:18:43,669 could be more fancy. 482 00:18:43,670 --> 00:18:45,739 And then you see this fancy web 483 00:18:45,740 --> 00:18:48,169 page where, you know, they offer you sweet 484 00:18:48,170 --> 00:18:50,869 cat pictures, and then you say, OK, 485 00:18:50,870 --> 00:18:53,420 let's download this sweet cat picture. 486 00:18:54,890 --> 00:18:56,589 I want this cat picture. 487 00:18:56,590 --> 00:18:59,269 OK, let's download it, 488 00:18:59,270 --> 00:19:00,349 let's see. 489 00:19:03,000 --> 00:19:04,000 Okay. 490 00:19:07,300 --> 00:19:08,300 And it's broken, 491 00:19:09,940 --> 00:19:10,940 no. 492 00:19:13,000 --> 00:19:14,769 Well, my live demo just failed. 493 00:19:14,770 --> 00:19:16,749 But we will try again.
494 00:19:16,750 --> 00:19:17,750 So. 495 00:19:35,080 --> 00:19:37,179 So let's just download 496 00:19:37,180 --> 00:19:38,180 again. 497 00:19:49,140 --> 00:19:50,219 Nope. 498 00:19:50,220 --> 00:19:52,529 Well, then we'll just 499 00:19:52,530 --> 00:19:53,880 do the reset game. 500 00:19:58,930 --> 00:20:00,819 That works most of the time. 501 00:20:02,880 --> 00:20:03,880 Oh. 502 00:20:10,420 --> 00:20:11,420 So. 503 00:21:43,520 --> 00:21:45,079 Well, let's test again. 504 00:21:45,080 --> 00:21:47,089 Now it should probably work. 505 00:21:49,550 --> 00:21:52,369 So let's go again to our great 506 00:21:52,370 --> 00:21:55,160 page where we can download cat pictures. 507 00:22:10,860 --> 00:22:11,860 OK. 508 00:22:12,930 --> 00:22:14,040 It seems to work. 509 00:22:16,020 --> 00:22:17,700 So I just open my download 510 00:22:19,500 --> 00:22:21,689 and I just got 100 calcs, they 511 00:22:21,690 --> 00:22:23,309 popped up on my screen. 512 00:22:23,310 --> 00:22:24,900 So, just opening the download folder. 513 00:22:25,920 --> 00:22:28,259 Well, there is a great tool 514 00:22:28,260 --> 00:22:30,509 in the command line on Linux. 515 00:22:30,510 --> 00:22:33,179 You see all these great calculators, 516 00:22:33,180 --> 00:22:34,109 maybe I can use them. 517 00:22:34,110 --> 00:22:36,599 I can calculate fast with 100 of them. 518 00:22:36,600 --> 00:22:39,419 So it's, OK, 519 00:22:39,420 --> 00:22:40,919 killall. 520 00:22:40,920 --> 00:22:41,920 It's calc. 521 00:22:43,230 --> 00:22:45,299 Good that it's not Windows, because 522 00:22:45,300 --> 00:22:46,709 I don't know the command in Windows 523 00:22:46,710 --> 00:22:47,710 for that. 524 00:22:49,560 --> 00:22:50,560 All right, so 525 00:22:51,810 --> 00:22:52,810 what happened?
526
00:22:54,150 --> 00:22:56,249
So I exploited

527
00:22:56,250 --> 00:22:57,809
the Ghostscript remote code

528
00:22:57,810 --> 00:22:59,999
execution, so it

529
00:23:00,000 --> 00:23:02,249
was overseen, sort

530
00:23:02,250 --> 00:23:05,099
of patched, some on

531
00:23:05,100 --> 00:23:07,409
quite the same vulnerability

532
00:23:07,410 --> 00:23:09,659
in Ghostscript two years ago, but they

533
00:23:09,660 --> 00:23:11,939
overseen this edge case

534
00:23:11,940 --> 00:23:14,339
and it just triggered

535
00:23:14,340 --> 00:23:16,379
when it's parsing PostScript and the

536
00:23:16,380 --> 00:23:18,629
thumbnail parser of

537
00:23:18,630 --> 00:23:21,839
evince in the in the Nautilus

538
00:23:21,840 --> 00:23:24,509
file manager parses the thumbnail

539
00:23:24,510 --> 00:23:26,399
and in a thumbnail embedded is there is

540
00:23:26,400 --> 00:23:28,859
the remote code execution script, and

541
00:23:28,860 --> 00:23:31,889
in my case, it pops up 100 calculators.

542
00:23:31,890 --> 00:23:33,479
It was found by Tavis

543
00:23:33,480 --> 00:23:35,699
Ormandy, this one of the

544
00:23:35,700 --> 00:23:37,859
Google security researchers, and there

545
00:23:37,860 --> 00:23:39,569
are multiple CVEs assigned.

546
00:23:40,800 --> 00:23:42,899
Well, that's the first live demo, but

547
00:23:42,900 --> 00:23:44,969
I have a second one, so

548
00:23:44,970 --> 00:23:47,339
everyone knows blockchain is really

549
00:23:47,340 --> 00:23:49,949
the new hype in 2018.

550
00:23:49,950 --> 00:23:51,599
But I have a better hype for you.

551
00:23:51,600 --> 00:23:53,969
It's called exploit

552
00:23:53,970 --> 00:23:54,970
chain.

553
00:23:55,950 --> 00:23:58,289
So for this all,

554
00:23:58,290 --> 00:24:00,389
we have to pray for the demo

555
00:24:00,390 --> 00:24:01,619
gods that it works.
556
00:24:03,750 --> 00:24:06,119
So maybe someone has like a MacBook

557
00:24:06,120 --> 00:24:08,309
to like sacrifice or something like

558
00:24:08,310 --> 00:24:09,310
this.

559
00:24:10,170 --> 00:24:12,749
Let's let's hope that it works.

560
00:24:12,750 --> 00:24:14,220
So we go back to

561
00:24:15,690 --> 00:24:18,440
our virtual machine.

562
00:24:22,950 --> 00:24:24,359
Oh, I have to delete it now.

563
00:24:29,910 --> 00:24:32,349
Oh, such great remote

564
00:24:32,350 --> 00:24:33,350
executions.

565
00:24:34,140 --> 00:24:35,140
Yeah.

566
00:24:49,390 --> 00:24:51,459
So you say, OK,

567
00:24:51,460 --> 00:24:54,669
this this cat picture is somehow broken,

568
00:24:54,670 --> 00:24:56,949
but this interesting website

569
00:24:56,950 --> 00:24:59,500
offers another picture

570
00:25:00,700 --> 00:25:01,700
and it's in

571
00:25:02,830 --> 00:25:05,049
4K resolution, it should be

572
00:25:05,050 --> 00:25:05,949
even better.

573
00:25:05,950 --> 00:25:06,999
Let's test it out.

574
00:25:12,440 --> 00:25:14,659
Let's download the better cat picture.

575
00:25:20,980 --> 00:25:21,980
So.

576
00:25:25,540 --> 00:25:26,799
So it's really fast,

577
00:25:28,360 --> 00:25:31,029
like in my home country, Austria,

578
00:25:31,030 --> 00:25:32,170
where I don't have internet.

579
00:25:35,340 --> 00:25:38,069
Yes, 3.5 kilobyte.

580
00:25:41,480 --> 00:25:43,939
Come on, Internet.

581
00:25:45,050 --> 00:25:47,239
Well, I have, I think

582
00:25:47,240 --> 00:25:49,429
I have a copy of this on

583
00:25:49,430 --> 00:25:50,480
my laptop

584
00:25:51,740 --> 00:25:53,150
because we don't want to wait

585
00:25:54,320 --> 00:25:55,320
ten minutes.

586
00:25:57,160 --> 00:25:58,660
Oh, it's getting faster.

587
00:26:04,110 --> 00:26:06,089
But now you feel, you know, how people

588
00:26:06,090 --> 00:26:07,140
feel if some

589
00:26:08,230 --> 00:26:10,829
if some 10 megabit

590
00:26:10,830 --> 00:26:12,269
internet at their home.
591
00:26:13,290 --> 00:26:15,389
Well, I don't wait for the download.

592
00:26:15,390 --> 00:26:17,489
I have a copy on my

593
00:26:17,490 --> 00:26:19,150
desktop, so it just

594
00:26:20,400 --> 00:26:22,049
say we just downloaded it.

595
00:26:22,050 --> 00:26:23,050
OK,

596
00:26:24,900 --> 00:26:27,209
so we go again to downloads and

597
00:26:27,210 --> 00:26:29,399
there is this cool.

598
00:26:29,400 --> 00:26:30,419
Yeah, yeah. Broken.

599
00:26:30,420 --> 00:26:31,420
Let's delete.

600
00:26:32,340 --> 00:26:34,469
So there is, I say, let's we have

601
00:26:34,470 --> 00:26:36,899
downloaded it and then

602
00:26:36,900 --> 00:26:39,239
this happens again until

603
00:26:39,240 --> 00:26:40,799
it pops up.

604
00:26:40,800 --> 00:26:42,389
And I got this one.

605
00:26:42,390 --> 00:26:44,040
Oh, what just happened?

606
00:26:45,180 --> 00:26:46,319
So let's see.

607
00:26:46,320 --> 00:26:48,929
I have a shell here with root,

608
00:26:48,930 --> 00:26:50,999
and it's called the Milky Way.

609
00:26:51,000 --> 00:26:52,069
So let's check out.

610
00:26:54,150 --> 00:26:55,200
The whole system,

611
00:26:56,610 --> 00:26:59,369
so it's also Milky Way hostname,

612
00:26:59,370 --> 00:27:01,709
let's see, Milky Way, so we have a shell

613
00:27:01,710 --> 00:27:03,809
on the host system of the virtual

614
00:27:03,810 --> 00:27:04,799
box.

615
00:27:04,800 --> 00:27:06,609
Let's check out here.

616
00:27:06,610 --> 00:27:08,849
Yeah. So I got my username of the host

617
00:27:08,850 --> 00:27:10,919
system. I got the running VMs in

618
00:27:10,920 --> 00:27:12,389
the virtual machine.

619
00:27:12,390 --> 00:27:14,759
I got my running mail.

620
00:27:14,760 --> 00:27:17,219
And so to check,

621
00:27:17,220 --> 00:27:19,409
to really show that it's the host system,

622
00:27:19,410 --> 00:27:20,519
I would just shut it down.

623
00:27:21,600 --> 00:27:22,600
Oh, power off.

624
00:27:25,890 --> 00:27:27,390
And my laptop was shut down.
625
00:27:29,700 --> 00:27:30,700
So.

626
00:27:33,990 --> 00:27:35,519
What the fuck did just happen?

627
00:27:36,780 --> 00:27:39,299
Um, well, I've

628
00:27:39,300 --> 00:27:41,549
implemented an exploit chain and just

629
00:27:41,550 --> 00:27:43,709
powered off my laptop from the root shell, on

630
00:27:43,710 --> 00:27:45,179
my whole system.

631
00:27:45,180 --> 00:27:47,659
And so the explanation was, I

632
00:27:47,660 --> 00:27:50,849
thought, this sweet cat picture.

633
00:27:50,850 --> 00:27:52,259
I opened the Nautilus.

634
00:27:52,260 --> 00:27:54,210
I triggered the remote code execution

635
00:27:55,350 --> 00:27:57,449
of Ghostscript, and then

636
00:27:57,450 --> 00:27:59,549
I used the VirtualBox

637
00:27:59,550 --> 00:28:01,679
escape exploit to escape to

638
00:28:01,680 --> 00:28:03,029
the host system.

639
00:28:03,030 --> 00:28:05,429
And then I used like a third exploit.

640
00:28:05,430 --> 00:28:07,619
I just used Dirty COW to get root,

641
00:28:07,620 --> 00:28:09,929
root, root shell on the whole system.

642
00:28:09,930 --> 00:28:12,209
So that was the the whole exploit chain,

643
00:28:12,210 --> 00:28:14,010
and it has now powered off the laptop.

644
00:28:16,080 --> 00:28:18,989
So the setup is, it's

645
00:28:18,990 --> 00:28:21,419
the whole system is unpatched, an

646
00:28:21,420 --> 00:28:23,309
Ubuntu 16

647
00:28:23,310 --> 00:28:25,529
point 04.

648
00:28:25,530 --> 00:28:27,929
It has to be a specific VirtualBox

649
00:28:27,930 --> 00:28:30,179
version. It is five two six with

650
00:28:30,180 --> 00:28:32,129
this number.

651
00:28:32,130 --> 00:28:34,709
The guest system is nearly

652
00:28:34,710 --> 00:28:36,779
patched. Debian nine with

653
00:28:36,780 --> 00:28:38,879
GUI and on a guest

654
00:28:38,880 --> 00:28:40,949
user. I have no password option for the

655
00:28:40,950 --> 00:28:43,469
sudo rights and it's a self-written

656
00:28:43,470 --> 00:28:44,699
exploit chain.
657
00:28:44,700 --> 00:28:46,829
The publicly available exploits are in

658
00:28:46,830 --> 00:28:49,109
Python and Bash and I also

659
00:28:49,110 --> 00:28:51,599
modified the proof of concept

660
00:28:51,600 --> 00:28:53,699
because the the first

661
00:28:53,700 --> 00:28:55,169
proof of concept of the VirtualBox

662
00:28:55,170 --> 00:28:57,449
escape only worked on on the command

663
00:28:57,450 --> 00:28:59,639
line before, with no graphic

664
00:28:59,640 --> 00:29:01,859
user interface, and I

665
00:29:01,860 --> 00:29:03,209
implemented it so that it works on the

666
00:29:03,210 --> 00:29:04,350
graphic user interface too.

667
00:29:06,030 --> 00:29:08,729
So the VirtualBox escape uses Typekit

668
00:29:08,730 --> 00:29:11,019
all right to ram for

669
00:29:11,020 --> 00:29:12,479
exploit.

670
00:29:12,480 --> 00:29:14,759
So the shared video buffer between host

671
00:29:14,760 --> 00:29:16,829
and guest system, and

672
00:29:16,830 --> 00:29:19,049
there is an excellent write-up by the proof

673
00:29:19,050 --> 00:29:20,219
of concept author.

674
00:29:20,220 --> 00:29:21,750
And in the end, I put

675
00:29:24,720 --> 00:29:26,609
a shellcode into the buffer and it got

676
00:29:26,610 --> 00:29:28,679
executed by the but against

677
00:29:28,680 --> 00:29:30,889
and it's a bug in in

678
00:29:30,890 --> 00:29:33,119
in the optimization of the compiler

679
00:29:33,120 --> 00:29:35,459
of the VirtualBox compile process.

680
00:29:36,750 --> 00:29:38,609
So Dirty COW.

681
00:29:38,610 --> 00:29:40,109
It's too severe.

682
00:29:40,110 --> 00:29:41,609
It's homework for the audience to check

683
00:29:41,610 --> 00:29:43,169
out what's the problem, but Dirty COW

684
00:29:43,170 --> 00:29:46,109
to get root access on the device.

685
00:29:46,110 --> 00:29:47,609
So the next thing?

686
00:29:47,610 --> 00:29:49,709
Let's check out hardware security.
687
00:29:49,710 --> 00:29:51,149
There is also hardware out there with all

688
00:29:51,150 --> 00:29:52,150
the software.

689
00:29:52,890 --> 00:29:55,229
Let's check out our

690
00:29:55,230 --> 00:29:57,689
favorites or one of my favorites

691
00:29:57,690 --> 00:29:59,759
because, like, a lot of, for a

692
00:29:59,760 --> 00:30:01,889
lot of fuckups, it's Meltdown

693
00:30:01,890 --> 00:30:04,439
and Spectre. So Meltdown and Spectre

694
00:30:04,440 --> 00:30:06,809
bugs are like design faults

695
00:30:06,810 --> 00:30:09,449
in the CPU, in a modern CPU architecture,

696
00:30:09,450 --> 00:30:11,549
and it leads to sensitive data

697
00:30:11,550 --> 00:30:14,369
exfiltration, extraction, of the CPU.

698
00:30:14,370 --> 00:30:16,829
It's like a hoverboard.

699
00:30:16,830 --> 00:30:19,139
So the thing is the

700
00:30:19,140 --> 00:30:21,509
speculative execution is used,

701
00:30:21,510 --> 00:30:24,869
so it pre-computes the values

702
00:30:24,870 --> 00:30:26,639
at the same time and evaluates it.

703
00:30:26,640 --> 00:30:28,709
Don't use it, just throw it away.

704
00:30:28,710 --> 00:30:30,959
But with this feature,

705
00:30:30,960 --> 00:30:33,239
you can extract the pre-computed

706
00:30:33,240 --> 00:30:36,209
values which would be thrown away.

707
00:30:36,210 --> 00:30:37,799
There are software fixes out there for

708
00:30:37,800 --> 00:30:40,019
that, but it's really a big

709
00:30:40,020 --> 00:30:41,999
performance loss.

710
00:30:42,000 --> 00:30:44,099
So, yeah, software fixes are

711
00:30:44,100 --> 00:30:46,079
there, but so big performance loss that

712
00:30:46,080 --> 00:30:47,339
even some companies need to buy new

713
00:30:47,340 --> 00:30:48,989
hardware because they don't have enough

714
00:30:48,990 --> 00:30:50,249
performance for the software.

715
00:30:51,810 --> 00:30:53,969
There was a great Meltdown patch

716
00:30:53,970 --> 00:30:56,369
by Microsoft for Windows

717
00:30:56,370 --> 00:30:58,799
seven and Server 2008.
718
00:30:58,800 --> 00:31:00,749
There were the PML4 page tables

719
00:31:00,750 --> 00:31:03,359
accessible for everyone on the system.

720
00:31:03,360 --> 00:31:05,339
So the PML4 page tables are the

721
00:31:05,340 --> 00:31:07,409
master page tables in the system, which

722
00:31:07,410 --> 00:31:09,029
should be only readable, writable by

723
00:31:09,030 --> 00:31:10,019
the kernel itself.

724
00:31:10,020 --> 00:31:12,659
So no user should have access to it,

725
00:31:12,660 --> 00:31:14,699
and just everyone could like just write

726
00:31:14,700 --> 00:31:16,829
in there and modify it and load

727
00:31:16,830 --> 00:31:18,149
own pages.

728
00:31:18,150 --> 00:31:19,829
So in the end, it was like this.

729
00:31:19,830 --> 00:31:21,849
Like, I get PML4 page tables, you

730
00:31:21,850 --> 00:31:23,009
get PML4 page tables.

731
00:31:23,010 --> 00:31:25,349
Everyone gets PML4 page tables.

732
00:31:25,350 --> 00:31:27,089
So it's really bad because like everyone

733
00:31:27,090 --> 00:31:29,189
could just modify the whole system and

734
00:31:29,190 --> 00:31:31,469
like mess it around,

735
00:31:31,470 --> 00:31:32,669
and there was a patch.

736
00:31:32,670 --> 00:31:34,589
They fixed it like a month later, but it

737
00:31:34,590 --> 00:31:36,210
was still a really bad patch.

738
00:31:37,470 --> 00:31:40,199
Well, some of you also like drive cars,

739
00:31:40,200 --> 00:31:42,329
or some of you maybe drive,

740
00:31:42,330 --> 00:31:44,759
especially this car, it's BMW.
741
00:31:45,990 --> 00:31:48,089
So BMW has sought to sue

742
00:31:48,090 --> 00:31:50,369
telematics control unit in there,

743
00:31:50,370 --> 00:31:52,529
and there are affected vehicles

744
00:31:52,530 --> 00:31:54,719
from 2012 to 2018,

745
00:31:54,720 --> 00:31:57,389
and there was a remote attack via GSM

746
00:31:57,390 --> 00:31:59,759
that could, could, they could execute

747
00:31:59,760 --> 00:32:02,279
arbitrary unauthorized

748
00:32:02,280 --> 00:32:05,099
diagnostic requests on a CAN bus,

749
00:32:05,100 --> 00:32:07,689
or they are working with BMW.

750
00:32:07,690 --> 00:32:09,959
They should release, two thousand

751
00:32:09,960 --> 00:32:13,019
nineteen, an extensive write-up about

752
00:32:13,020 --> 00:32:16,169
about vulnerabilities.

753
00:32:16,170 --> 00:32:17,639
Now we just know what it's like a remote

754
00:32:17,640 --> 00:32:19,439
attack in your car and you can execute

755
00:32:19,440 --> 00:32:21,119
arbitrary, unauthorized diagnostic

756
00:32:21,120 --> 00:32:23,279
requests. But there are no details about

757
00:32:23,280 --> 00:32:24,280
what's the fault?

758
00:32:25,630 --> 00:32:27,839
So probably you heard of, you

759
00:32:27,840 --> 00:32:29,799
use locks for lock picking, for

760
00:32:29,800 --> 00:32:30,969
example.

761
00:32:30,970 --> 00:32:33,099
But some people are really like

762
00:32:33,100 --> 00:32:34,849
comfortable and they use locks with a

763
00:32:34,850 --> 00:32:36,429
fingerprint reader.

764
00:32:36,430 --> 00:32:39,249
So I have like a lock like this.

765
00:32:39,250 --> 00:32:41,509
And then you see this

766
00:32:41,510 --> 00:32:43,989
screw there and then you think

767
00:32:43,990 --> 00:32:45,909
that should be a secure lock?

768
00:32:45,910 --> 00:32:48,189
The vendor thinks it is because

769
00:32:48,190 --> 00:32:49,659
there is this guy on Twitter, LockPicking

770
00:32:49,660 --> 00:32:51,729
Lawyer, who like checks out

771
00:32:51,730 --> 00:32:53,889
locks for lock picking, and

772
00:32:53,890 --> 00:32:56,469
he got this lock from this company.

773
00:32:56,470 --> 00:32:58,629
And they told him,

774
00:32:58,630 --> 00:33:00,579
well, the money quote is the lock is

775
00:33:00,580 --> 00:33:02,649
invincible to the people who do not

776
00:33:02,650 --> 00:33:03,999
have a screwdriver.

777
00:33:04,000 --> 00:33:05,949
Well, like, everyone has a screwdriver,

778
00:33:05,950 --> 00:33:07,899
more or less, to him, more or less.

779
00:33:07,900 --> 00:33:09,639
So you just get your screwdriver, open

780
00:33:09,640 --> 00:33:11,079
the lock and you don't even leave a

781
00:33:11,080 --> 00:33:12,069
fingerprint.

782
00:33:12,070 --> 00:33:13,989
So it's a really bad lock design.

783
00:33:13,990 --> 00:33:16,779
And yeah, 2018 security.

784
00:33:16,780 --> 00:33:17,780
Not here.

785
00:33:19,690 --> 00:33:21,549
Well, our next thing is quite

786
00:33:21,550 --> 00:33:22,749
interesting. So.

787
00:33:24,040 --> 00:33:26,679
Combine the words

788
00:33:26,680 --> 00:33:29,179
mining rigs, data center,

789
00:33:29,180 --> 00:33:30,489
600, and Iceland.

790
00:33:31,990 --> 00:33:34,089
So if you combine these words,

791
00:33:34,090 --> 00:33:35,559
you get this headline:

792
00:33:36,910 --> 00:33:39,249
Bitcoin Heist, 600 powerful

793
00:33:39,250 --> 00:33:40,749
computers stolen in Iceland.

794
00:33:42,400 --> 00:33:44,499
So wait, Iceland is

795
00:33:44,500 --> 00:33:46,899
an island and there is like water

796
00:33:46,900 --> 00:33:48,489
all around.

797
00:33:48,490 --> 00:33:50,559
And this computer was in a

798
00:33:50,560 --> 00:33:52,629
datacentre, like

799
00:33:52,630 --> 00:33:54,849
some mining rigs. So how do you steal

800
00:33:54,850 --> 00:33:57,489
600 mining rigs from a datacentre

801
00:33:57,490 --> 00:33:59,659
on Iceland with all the water

802
00:33:59,660 --> 00:34:00,729
around?

803
00:34:00,730 --> 00:34:02,349
Well, we don't know.

804
00:34:02,350 --> 00:34:04,629
But they just escaped, 600 mining rigs

805
00:34:04,630 --> 00:34:06,129
just escaped from a data center in

806
00:34:06,130 --> 00:34:07,130
Iceland.

807
00:34:07,750 --> 00:34:10,238
But there is bonus content.

808
00:34:11,679 --> 00:34:14,109
So that's all already ridiculous

809
00:34:14,110 --> 00:34:16,269
enough. But it could be, it can

810
00:34:16,270 --> 00:34:18,039
get more ridiculous because,

811
00:34:19,840 --> 00:34:22,718
well, they got like a suspect

812
00:34:22,719 --> 00:34:25,388
and they put this into jail

813
00:34:25,389 --> 00:34:27,488
and the suspect managed to flee out

814
00:34:27,489 --> 00:34:30,279
of jail, get on a plane,

815
00:34:30,280 --> 00:34:31,899
and on the plane was also the prime

816
00:34:31,900 --> 00:34:34,359
minister of Iceland also,

817
00:34:34,360 --> 00:34:36,579
and he flew to to Sweden on

818
00:34:36,580 --> 00:34:37,580
the plane.

819
00:34:38,080 --> 00:34:39,369
That's like the bonus content.

820
00:34:39,370 --> 00:34:41,499
So you got the suspect, so he gets

821
00:34:41,500 --> 00:34:43,569
out of the jail via a

822
00:34:43,570 --> 00:34:45,609
window and then gets on a plane to

823
00:34:45,610 --> 00:34:46,599
Sweden.

824
00:34:46,600 --> 00:34:47,600
Nice trial.

825
00:34:48,969 --> 00:34:51,249
So the next,

826
00:34:51,250 --> 00:34:52,509
however, fuckup.

827
00:34:52,510 --> 00:34:55,329
It's it's a combination of

828
00:34:55,330 --> 00:34:57,399
sound and hard disks.

829
00:34:57,400 --> 00:34:58,540
So if you have,

830
00:34:59,650 --> 00:35:02,469
if you combine these, you get

831
00:35:02,470 --> 00:35:05,019
dead, dead hard disks,

832
00:35:05,020 --> 00:35:07,269
though, at Nasdaq.
833
00:35:07,270 --> 00:35:09,549
It's a stock operation

834
00:35:09,550 --> 00:35:11,709
in in the Baltic states or in

835
00:35:11,710 --> 00:35:12,729
Sweden.

836
00:35:12,730 --> 00:35:15,009
And there was a gas-based

837
00:35:15,010 --> 00:35:17,379
fire suppression system, so if a fire

838
00:35:17,380 --> 00:35:19,389
starts, it would like start and kill the

839
00:35:19,390 --> 00:35:21,280
fire and

840
00:35:22,450 --> 00:35:25,089
then it destroyed the hard disks

841
00:35:25,090 --> 00:35:27,219
by releasing the gas at

842
00:35:27,220 --> 00:35:28,220
high speed.

843
00:35:29,140 --> 00:35:31,629
And this caused some repressions

844
00:35:31,630 --> 00:35:33,699
and destroyed the hard disks.

845
00:35:33,700 --> 00:35:36,099
And like the, well,

846
00:35:36,100 --> 00:35:38,229
the sad thing is there was

847
00:35:38,230 --> 00:35:40,079
no fire at the data center.

848
00:35:41,590 --> 00:35:42,590
They

849
00:35:43,900 --> 00:35:46,029
released it by accident

850
00:35:46,030 --> 00:35:47,379
and by accident they also destroyed

851
00:35:47,380 --> 00:35:48,819
their hard disks.

852
00:35:48,820 --> 00:35:50,979
And the other problem was there were

853
00:35:50,980 --> 00:35:53,139
not enough hard disks in Sweden

854
00:35:53,140 --> 00:35:54,849
for the servers.

855
00:35:54,850 --> 00:35:56,919
So they had to get new hard disks

856
00:35:56,920 --> 00:35:59,109
out of other countries, that

857
00:35:59,110 --> 00:36:01,629
were not operational for five hours.

858
00:36:01,630 --> 00:36:03,609
They should start at 9:00 in the morning,

859
00:36:03,610 --> 00:36:05,619
and it's not like at two o'clock in the

860
00:36:05,620 --> 00:36:07,749
afternoon, and

861
00:36:07,750 --> 00:36:09,459
there were affected markets.

862
00:36:09,460 --> 00:36:11,769
Nordic, including Sweden, Finland,

863
00:36:11,770 --> 00:36:14,079
Denmark, Iceland and the three Baltic

864
00:36:14,080 --> 00:36:15,430
states, by this accident.
865
00:36:16,570 --> 00:36:18,999
So they had to import the machines

866
00:36:19,000 --> 00:36:21,729
to to make it operational again.

867
00:36:21,730 --> 00:36:24,639
And there's also a link to another video

868
00:36:24,640 --> 00:36:26,829
where the guys are in the data center

869
00:36:26,830 --> 00:36:28,839
and they have a monitoring of the hard

870
00:36:28,840 --> 00:36:29,739
disks.

871
00:36:29,740 --> 00:36:31,919
And they shout at the hard disks, at

872
00:36:31,920 --> 00:36:34,299
the at the data center, and you

873
00:36:34,300 --> 00:36:36,489
see on the monitoring that they are just

874
00:36:36,490 --> 00:36:38,979
rests in the air.

875
00:36:38,980 --> 00:36:41,109
So if you shout at hard disks,

876
00:36:41,110 --> 00:36:43,119
you can destroy them with bad luck.

877
00:36:45,380 --> 00:36:47,499
Um, well, I'm nearly at

878
00:36:47,500 --> 00:36:48,489
the end.

879
00:36:48,490 --> 00:36:50,559
Let's, uh, my future

880
00:36:50,560 --> 00:36:51,489
predictions.

881
00:36:51,490 --> 00:36:53,649
I mean, I must say 2018

882
00:36:53,650 --> 00:36:56,439
was really rich of fuckups.

883
00:36:56,440 --> 00:36:58,509
I don't have everything, there was,

884
00:36:58,510 --> 00:37:00,789
like some days ago, the SQLite

885
00:37:00,790 --> 00:37:03,279
remote code execution down there.

886
00:37:03,280 --> 00:37:04,629
There was even more stuff there.

887
00:37:04,630 --> 00:37:06,699
I can't check out

888
00:37:06,700 --> 00:37:07,869
everything.

889
00:37:07,870 --> 00:37:10,029
But, well, 2018 already

890
00:37:10,030 --> 00:37:12,339
made a good year for fuckups.

891
00:37:12,340 --> 00:37:15,729
But my prediction for 2019

892
00:37:15,730 --> 00:37:16,870
is the following:

893
00:37:18,040 --> 00:37:20,319
Oh, it

894
00:37:20,320 --> 00:37:22,509
can't get better.

895
00:37:22,510 --> 00:37:24,609
It will be just the race to the

896
00:37:24,610 --> 00:37:26,829
yellow guys. IT

897
00:37:26,830 --> 00:37:28,179
and the bombs are IT

898
00:37:28,180 --> 00:37:30,669
security, and it will try

899
00:37:30,670 --> 00:37:32,979
not only to run away, rules to try

900
00:37:32,980 --> 00:37:35,439
to fix the stuff, but until

901
00:37:35,440 --> 00:37:37,389
now we have some who were just running away

902
00:37:37,390 --> 00:37:39,309
from the bugs and not fixing them.

903
00:37:39,310 --> 00:37:41,489
So I hope that one will not be

904
00:37:41,490 --> 00:37:43,569
the whole reality, but just a part of

905
00:37:43,570 --> 00:37:44,570
it.

906
00:37:45,100 --> 00:37:48,309
And also one question I also

907
00:37:48,310 --> 00:37:50,529
asked myself is why should

908
00:37:50,530 --> 00:37:52,629
I care about all this stuff I just

909
00:37:52,630 --> 00:37:53,909
told here?

910
00:37:53,910 --> 00:37:55,629
Um, yeah.

911
00:37:55,630 --> 00:37:57,849
And my answer is we should

912
00:37:57,850 --> 00:38:00,189
care because security problems

913
00:38:00,190 --> 00:38:01,929
affect us all in some way.

914
00:38:01,930 --> 00:38:04,269
It affects myself for like software

915
00:38:04,270 --> 00:38:06,459
I use, it has bugs in there.

916
00:38:06,460 --> 00:38:08,109
It affects my grandmother.

917
00:38:08,110 --> 00:38:10,269
If she is somebody who's out

918
00:38:10,270 --> 00:38:12,069
there for the internet, it affects my

919
00:38:12,070 --> 00:38:14,529
neighbor, it affects my security cameras,

920
00:38:14,530 --> 00:38:16,659
it affects everyone because everyone

921
00:38:16,660 --> 00:38:18,429
uses hardware and software with bugs in

922
00:38:18,430 --> 00:38:21,069
there. And so my

923
00:38:21,070 --> 00:38:22,670
my motto is, in the end,

924
00:38:24,910 --> 00:38:27,369
make the world a safer place.

925
00:38:27,370 --> 00:38:29,469
Report security vulnerabilities,

926
00:38:29,470 --> 00:38:30,470
do research.
927
00:38:31,940 --> 00:38:34,579
And because

928
00:38:34,580 --> 00:38:36,679
if the world is a safer place,

929
00:38:36,680 --> 00:38:38,899
everyone has also a better life.

930
00:38:40,070 --> 00:38:41,780
So, interestingly, today

931
00:38:43,340 --> 00:38:45,499
all the stuff I did, most

932
00:38:45,500 --> 00:38:48,409
of my research on the CVE database,

933
00:38:48,410 --> 00:38:50,089
so there is.

934
00:38:50,090 --> 00:38:51,859
So if you read CVEs, it's quite fun

935
00:38:51,860 --> 00:38:52,939
and interesting. You get quite

936
00:38:52,940 --> 00:38:55,159
interesting CVEs out there, like

937
00:38:55,160 --> 00:38:57,529
some command injection in

938
00:38:57,530 --> 00:38:58,609
micro servers.

939
00:38:58,610 --> 00:39:00,079
Why not?

940
00:39:00,080 --> 00:39:01,909
So there is, for example, cvedetails

941
00:39:01,910 --> 00:39:04,549
dot com for CVE details.

942
00:39:04,550 --> 00:39:06,799
There are also other web pages, but

943
00:39:06,800 --> 00:39:08,209
there are quite interesting CVEs out

944
00:39:08,210 --> 00:39:10,439
there, like also getting remote

945
00:39:10,440 --> 00:39:12,649
execution by email in Outlook

946
00:39:12,650 --> 00:39:13,579
is always interesting.

947
00:39:13,580 --> 00:39:14,580
Why not?

948
00:39:16,340 --> 00:39:18,739
Now, most of my presentations

949
00:39:18,740 --> 00:39:21,019
are the questions of the of the people

950
00:39:21,020 --> 00:39:22,020
here?

951
00:39:22,740 --> 00:39:24,029
Thank you.

952
00:39:24,030 --> 00:39:26,789
Thank you, Hetty, for the talk.

953
00:39:26,790 --> 00:39:28,889
We have two microphones on the left

954
00:39:28,890 --> 00:39:30,239
and on the right, and if there are any

955
00:39:30,240 --> 00:39:31,769
questions, please

956
00:39:32,910 --> 00:39:34,110
feel free to ask them.

957
00:39:35,550 --> 00:39:37,329
So maybe I will start with a question.
958
00:39:37,330 --> 00:39:40,049
What's your favorite security issue

959
00:39:40,050 --> 00:39:40,709
this year?

960
00:39:40,710 --> 00:39:43,379
I mean, this year, like

961
00:39:43,380 --> 00:39:46,619
Meltdown and Spectre was quite hyped,

962
00:39:46,620 --> 00:39:48,749
but like one of my favorites was this

963
00:39:48,750 --> 00:39:50,939
npm fuckup because like people

964
00:39:50,940 --> 00:39:52,379
just update the servers and the whole

965
00:39:52,380 --> 00:39:54,689
production is like just fucked up and

966
00:39:54,690 --> 00:39:56,999
it's not even like their fault.

967
00:39:57,000 --> 00:39:59,249
It's like, was my one of my favorites,

968
00:39:59,250 --> 00:40:01,739
and this contract bank, which just tells

969
00:40:01,740 --> 00:40:04,019
the users, just ignore your certificate.

970
00:40:04,020 --> 00:40:05,159
It's everything's fine.

971
00:40:05,160 --> 00:40:08,219
It's like the the the worst

972
00:40:08,220 --> 00:40:10,499
thing you can do as a bank.

973
00:40:10,500 --> 00:40:11,789
Shut up and take my money.

974
00:40:11,790 --> 00:40:13,619
So do we have some questions now?

975
00:40:14,820 --> 00:40:16,379
Well, then,

976
00:40:16,380 --> 00:40:18,479
OK, so let's give her a big

977
00:40:18,480 --> 00:40:20,519
applause and thank you for that talk.

978
00:40:26,970 --> 00:40:29,129
So there are also some contact details,

979
00:40:29,130 --> 00:40:31,229
you can also ask me in person, I

980
00:40:31,230 --> 00:40:33,779
can also show, I

981
00:40:33,780 --> 00:40:36,389
published the source code of my exploits

982
00:40:36,390 --> 00:40:39,239
on GitHub during the Congress.

983
00:40:39,240 --> 00:40:40,679
And you can also talk to me and I can

984
00:40:40,680 --> 00:40:42,749
show the exploits again on my machine,

985
00:40:42,750 --> 00:40:44,879
if you like, else, and

986
00:40:44,880 --> 00:40:46,169
during the Congress.

987
00:40:46,170 --> 00:40:47,969
Stay safe and patch your systems.
988
00:40:47,970 --> 00:40:48,970
Thank you very much.