
CANNABIS VILLAGE - Compliance and Infosec Within the Cannabis Industry


Formal metadata

Title
CANNABIS VILLAGE - Compliance and Infosec Within the Cannabis Industry
Number of parts
322
License
CC Attribution 3.0 Unported:
You may use, modify and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they have specified.

Content metadata

Abstract
WeedAnon is a long-time infosec practitioner, cannabis enthusiast, and active volunteer with the HackMiami Conference of South Florida. WeedAnon believes that cannabis use is a great way to pass the time while awaiting internet-wide port scans to complete, and sees the emerging cannabis industry as an under-served marketplace when it comes to the implementation of information security best practices. This talk will discuss the emerging attack surface of the cannabis industry. Analysis of physical, digital, and compliance risks that go hand-in-hand with newly drafted medical and recreational legislation will be examined. Examples of discussion points include topics such as the secure management of PII, various compliance requirements, secure data storage, interaction with regulatory authorities, physical security issues, IoT security, legal loopholes and ambiguities, as well as suggestions for best practices and resources for follow-up research.
Transcript: English (auto-generated)
I'm going by the handle WeedAnon for the promotion of this talk, but my name is Alex Hyde and I'm one of the co-founders of the HackMiami conference and I was using a pseudonym for the promotion of it just to avoid any SEO crossover because we're going to be going into some pretty interesting topics. And so a bit about me, I'm from South Florida and I work with the HackMiami organization as one of the co-founders,
the other co-founders are sitting up front with me as well. My background is in the field of web application security, network attacking and also malware analysis and threat intel. And most importantly I like computers, the internet and I love smoking weed. That's probably the most important point to be brought here.
So some of the stuff we'll be going through is we're going to be talking about the different areas of compliance that are being foisted upon the cannabis industry. Essentially it's a new industry, a lot of it's unregulated still even with
proposed stuff coming up, and there's a lot of grey areas as to what existing compliances need to be fulfilled and which new ones are upcoming that may need to be thought of. And as anyone who's attended DEFCON ever knows, compliance does not equal security.
So once things are compliant, then what? And so we'll be going over the use of IoT technologies as it relates to agricultural development and essentially just giving an IP address to all sorts of things that previously didn't have IP addresses.
In this case it's farm equipment, hydro gear, webcams to watch gardens, that type of stuff. And most importantly from the areas of third party risk, most cannabis industries rely solely or not entirely on third party vendors
to supply all the business operations that are needed to meet the existing compliance frameworks that they have to go in. So merchant services: they can't have bank accounts, so they'll need to use a certain provider to be able to either process credit cards if they're allowed or use some kind of evasive credit card to cryptocurrency to cash system
in order to make those purchases. And then we'll also be going into some examples of scaled attacks against IoT systems that can definitely have a big effect on the cannabis industry
from the smallest type of webcam hack going up to more intense types of attacks. And when it comes to the vectors of risk, what is at risk for the customer and what is at risk for the business. So for the business there are existing areas of compliance that are applicable.
So if they're processing credit cards there's PCI DSS. If they're handling medical cannabis records then HIPAA compliance standards apply. And this is all for the storage, transmission and basically they're intending to maintain the confidentiality, integrity and availability
of all these data types and transactions and very few places will actually use their own setup. Everyone's making use of, for example, point of sale systems that are specially designed for the cannabis industry.
So the experience of walking into a dispensary, providing a driver's license or other form of identification that's either scanned or taken a picture of or entered into some computer, that's hardly ever stored just within the building itself. They're usually using some kind of third party customer relationship management software
that will serve oftentimes many different cannabis companies or other types of companies. We'll be going into those types of issues as well and we'll also be going into actually some of the physical security risks that exist within the cannabis industry as well and how it relates to information security and compliance practices
especially as it relates to cash and garden locations and the like. So to wrap your head around the concept of third party risk, it's the idea that the weakest link will be exploited.
So when you have a bunch of different companies working together, one company is making use of a service and that creates a digital supply chain. The weakest one is oftentimes the one that will provide a vector into all the other different companies, oftentimes through password reuse or interconnected networks.
Some examples of that would be the Target breach. Even the OPM government hack was based off of a compromised contractor that had credentials and was able to get into the government system. So while they're targeting all these major industries, they've always been targeting because that's where the money is,
they're going to be targeting the cannabis industry as it emerges for several reasons. One, there's a lot of hardware to be able to take over and compromise and turn it into a botnet. Two, there's a lot of cryptocurrency stuff that goes on, so there's an incentive to actually steal private keys or actually do the reconnaissance to be able to get into these businesses to be able to steal private keys and information.
And we'll be going through some of the aspects of what these third party vendors look like and where the risks lie. So one of the more prominent ones that seems to be doing decently, security-hygiene-wise, is, for example, weedmaps.com.
So you have all these different dispensaries that are using weedmaps.com to do their listings and also process their orders. And in the event that a service like weedmaps.com would get hacked, every single dispensary and customer of that service is impacted. And so attackers are no longer going after individual entities, they're going after the service providers that handle all the entities.
And then that way they're able to actually get in. And from the standpoint of weedmaps.com, I didn't see any indication that they're going to be hit anytime soon, but everybody will eventually get hit and it's not about blaming a person or an entity when it happens,
it's about how do you respond to it to be able to mitigate the fallout that's going to occur. And so as we touched on with an increase in IoT technology, so this is a graph that came from Cisco and they're estimating that about 200 million, no sorry, 50 billion IoT devices will be on the public internet by the year 2020.
So if 1% of those devices are exploitable through the public internet, that means 500 million exploitable targets. If a percentage of those are agricultural or cannabis related, it doesn't matter.
Attackers are just looking for absolutely anything they can be able to get into and then they'll figure out what they're going to do with it after the fact. There's a huge nation right there. Yeah, essentially a small nation or a big nation of compromised devices.
So IoT devices are definitely more than just routers, printers, webcams, coffee makers, toasters. The innocuous consumer electronic technologies that everyone's making use of. More and more agricultural, industrial, manufacturing, heavy machine systems are being given IoT capabilities,
are given internet browsing features, things like Telnet or really weak-looking HTTP applications. And the reason is it's easy and they're fast and they do communicate, the protocols work. And even older equipment that was never designed to be put online in the first place
is getting retrofitted with hardware that will give it an IP address with Telnet and a really lame web application to be able to host all the everythings. And we're definitely seeing that also emerging when it comes to large scale agricultural growth because it's much more efficient that way.
And so as we touched on earlier, the increase in IoT is way more than just being able to compromise a machine, make it part of a botnet or the like. It's essentially a bounce point into the internal networks.
So any perimeter device that can get compromised either through an exploit, through a misconfiguration, or through a weak password or a default password, this is just kind of one example of what that would look like. A default or a weak Telnet password, the attacker enables SSH and now they can do an SSH tunnel and now they're able to start port scanning the internal ranges and so forth.
So when it comes to the tools for discovery, the most important thing is to have high quality cannabis usually from the top shelf with the highest grade of THC that's available from the store. And then pick up a VPS with some cryptocurrency to be able to conduct scans from something that's other than your home IP address.
Using Google, you can find a ridiculous amount of information with the Google Dorking technique, and for anyone not familiar with Google Dorking, it's using Google to find things that are indexed that show vulnerabilities that they might not have wanted to be indexed. So just Google "Google Dorking" to find more about that. And then the tools masscan and ZMap for your own port scanning, and Shodan and Censys for pre-scanned ports.
And interestingly enough, "powered by" footers are still a thing. And not only are they on the old websites that they shouldn't be, they're being printed on the receipts of the dispensaries.
So when I picked this up earlier this week, it said powered by and then the domain name of this company. And when we went to the domain name, it was essentially a CRM that has all sorts of different customers.
They serve all industries and they seem to have a few products that are targeted towards the cannabis industry. And their main use is e-commerce. So they'll be pretty much blocked out absolutely everything to be able to maintain who they are. But they're a CRM, a very kind of entry-level Salesforce type thing.
And a lot of dispensaries use this platform as a back end for when you check in, when you go to the front desk and you check in, when they send your order to the back, every patient's order is saved in here along with a whole bunch of others. And what's more, it's ColdFusion.
It's running a legacy web application of ColdFusion, parameterized. All the URL is heavily parameterized. Google Dorking showed all sorts of indexed things that shouldn't have been indexed but were publicly available. And when you basically throw just the simple %27 into the URL,
you get the 500 error which indicates, oh, maybe there's an SQL injection there. And, well, that's where we stopped because that's, I mean, we'll see Windows 2008 R2. Yeah, it's definitely a problem there.
The entire database is available and just leaking for this dispensary and every single other one that's using this service and we're going to be contacting them to get that sorted. But the thing is it's a third-party vendor, so they're going to have to call some companies, going to have to call their developer that was hired by some contractor,
and then they have to explain the whole thing of what happened and then it will get fixed. So even when it comes to high-risk security issues, the average time to remediation is still about six months for even enterprises that have their stuff together. From the time it's identified to the time it's fixed, it could take six months. And, meanwhile, from both dispensaries and other businesses,
because this company does all sorts of other stuff, those databases are just sitting there waiting for someone to come along and use more intense flags on the analysis tools. And from the standpoint of physical security and ATMs, okay, so maybe there's no credit card numbers stored in these on the databases,
this is just patient record information, maybe we could do some identity theft, but what's the big deal with that? Say the dispensary has an ATM on site, and now all of the ATMs that are available come from a few brands;
one main manufacturer is Hyosung and there's a few others. The way most stores get these in there is they don't accept cards, so they'll get a contractor with a company who has a contractor with a company that will put an ATM in, and then they'll contract somebody else to come in and do the maintenance and all that.
No one's communicating, but everyone has the manual from the manufacturer, which has the operator passwords of 2-2-2-2, 5-5-5-5. Those are basically just the default passwords. If you, again, Google Dorking, filetype:pdf, ATM manufacturer name, model number,
you'll find what you're looking for because they're making them available because people have to be able to fix their ATMs. When it comes to the actual safe that's in the ATM, also a default code, 50-25-50, and when you try to change it, the instructions are very complicated
on how to actually get this changed, but they emphasize how important it is. I don't know if many people are doing it, and again, it's all a matter of percentage to when it actually becomes a problem. When it comes to web application exploits, one of the analyses that we did is we found a web application,
CVE-2017-7577, and we did a mapping on the entire Internet for any HTTP service that's running a web service known as uc-httpd. It's an embedded firmware that's used on a lot of cheap manufactured webcams
that are white-labeled and OEMed all over the world. We found about 205,000 of them a little under a year ago, and version 1.0 is the only version of this web server that exists, and it's vulnerable, and there's no update for it. So they're still like that to this day,
and when we look into what the exploit is, it's a very standard little web application login. The usual passwords are, again, admin, 123456, that type of stuff, but even if you can't figure out the password, there's a Python script available on ExploitDB, where it's just a very simple dot dot slash. It's just a dot dot slash, and you can read any file,
and there's no shadow file or anything like that. It's just the encrypted root password, and this was the default, but even when they change it, you could still get the most updated one and crack it pretty easily, and then you can also download every file that might be on the server and whatnot.
Again, this is shown that this could definitely be more than just a little web app exploit. If you've been able to map out all these cameras and be able to download the files continuously from them, there's definitely things that people probably don't want done on these devices, and should probably close them off to the public Internet.
So when we go into the heavy stuff of SCADA systems, we did a mapping of, again, just HTTP services, port 80, and alternate ports, 80, 81, and if you Google for HTTP alternate ports, you can find a nice list. Oftentimes, people will set those up without... People will set up something new.
It'll spin up an alternate HTTP port, no authentication, maybe administrative permissions or something, and people just won't turn it off. So we did a scan for that with just looking for the word SCADA, just to see what could happen, and we started finding electrical facilities. So from the standpoint of impacting industry,
if your cannabis grow is, one, a SCADA-based hydro system or whatnot, these types of web applications are the stuff that are used to monitor and guide them, or if you're making use of a power system like the solar panel to power it, it also has a web application like this,
or if your third-party vendor happens to be the electrical company, which pretty much every person who has a company and does business has the third-party vendor of the electrical company, what happens when their stuff ends up on the Internet and you can just start flipping switches and turning power off in regions?
And so this was a server that wasn't supposed to be on the Internet. The manual of this manufacturer says, don't put this on the Internet, so of course we found a bunch of them on the Internet, and they were smart, though, because they had password protection, but these were designed because these are for tablets, so when you walk into an electrical plant, you'll see a big tablet,
or the employees will be walking around with the hardhats and they'll be typing in tablets, and they're never really intended to be used on a desktop, let alone put out on the Internet. So when you just view source code and remove the JavaScript object, because there's no real validation on the application, you get into the actual SCADA system itself, and that's that.
So this is a solar system, a solar electrical plant that, for the sake of this presentation, we can say, well, if hypothetically it's powering a region, then cannabis grows in there would be impacted if this were to go out. And then we just kind of poked around to see what type of more systems we find.
This one didn't even have a password on it, and we were able to, so we see this one, the knobs will actually be spinning around and moving during the, when you actually connect to the IP address, and there's no hacking in this. This is just visiting an IP address and pressing enter.
And here's another one which actually has the red button that can do something. We don't know what yet, but when we kind of keep clicking around, we figure out what it might be able to do. It's actually for a dam. So yeah, if you want to make sure that no one has any weed in a certain city, you can just mess up their crops with this,
and they actually have the red button. So what happens when, so forget an APT group, forget a terrorist threat, forget competition. What happens when a Google spider or a Yahoo spider, just some web crawler, starts hitting links and just goes click, click, click, click, click, click, click, click. And then basically it's a situation like this,
which ends up in something like that. And then that's basically the most extreme way to represent third-party risk that I would have come up with for now. Hopefully that's where it ends.
So the main points I'm trying to convey are that third-party risk vectors are going to be the biggest single impact for not just a business, but an entire industry overall, because when one big provider gets hit, the entire sector gets hit, sometimes across multiple industries. And increased scrutiny of default deployments is the only thing
that's going to prevent these types of screw-ups from taking place in the future. People are plugging stuff in, thinking it's working, and the right hand doesn't know what the left hand is doing, and all the ownership of who's responsible for this is being pushed off and shared between different people, and no one's doing anything because no one is technically responsible to do anything.
It's all built into the contracts and whatnot. And also legacy systems are going to be online and just as stupid as those things that we saw. So those are like the cutting-edge new SCADA systems that are just everything's HTTP on web application, and older stuff is just going to have telnet widgets hooked on to old machines,
and now you're able to connect into them and make them do things. And again, the only security on a lot of these things were client-side passwords or SSL. So if they had SSL, they believed themselves to be secure. And so again, the way to prevent this is continuous monitoring
of the external of what your network is, what you know it to be, and then also figuring out what your service providers are and using your choice of third-party vendor risk management platform to be able to track them, or using open source tools to kind of build it yourself.
If you have the time to do it yourself, by all means do it. If you need companies to do it, seek the help of professional services. And then the last main things would be change default passwords, double-check the passwords are changed, because a lot of crappy equipment won't register a password change or it'll still have an old hard-coded one.
Just research the technology heavily before you deploy it into production, like everyone should be doing, but no one is doing. And again, when choosing a third-party service provider, basic due diligence will do things like making sure you're guaranteed not hopping into a fire when it comes to sharing data.
So for example, if you want to use a merchant processor that's running a cold fusion site versus a merchant processor that seems to have something that was made within the last ten years, you might want to go with the newer one. And it's ongoing.
A lot of people will go for what's cheapest, what's available, what salesperson got to them first. There's a million factors that go into that. And at the end of the day, people are going by what's compliant, what's going to allow them to keep operating a business, and what's going to be the easiest thing overall across the enterprise. And security oftentimes becomes an afterthought in this process to the potential scenarios of some pretty annoying to pretty disastrous things taking place.
And that's for some resources. masscan and ZMap, two open-source tools, they scan the Internet really fast. Just load them up, roll some joints, and watch them go. And for web application security, definitely recommend the OWASP project.
They have proper design methods. They've got local meetings all over the world. Definitely recommend getting involved with them. And if you don't want to spin up your own scanners, check out Shodan and Censys. And you can query global Internet scans looking for the same types of stuff that we had and even more specifics if you happen to know manufacturers of cannabis-specific products.
The trick to finding the products is to search for the make and model numbers, and they'll start surfacing. And for that, any questions? We'll go into that. Yeah, we've still got a few more minutes.
All right, on that note, I'll be around. If anyone wants to chat afterwards, feel free to drop me an e-mail. You can e-mail the HackMiami group at info.hackmiami.org, or you can just shoot me an e-mail at alex.hackmiami.org. Check us out on Twitter, and if you have AOL, go to the keyword and type HackMiami, and you'll see our AOL home page.
Thanks, everyone.
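The talk's closing advice is continuous monitoring of your external exposure against what you know it to be, and tracking which vendor owns each piece so findings land with whoever is responsible. An added example, not from the talk or from any of the tools it names, that does that comparison over a constructed scan result laid out like masscan's JSON output; the inventory, the addresses and the alternate-HTTP-port list are assumptions for the example:

```python
"""Added example: diff an external scan against the perimeter you expect,
flagging the things the talk warns about (Telnet, alternate HTTP ports,
hosts and ports nobody put in the inventory)."""
from __future__ import annotations
import json
from dataclasses import dataclass

# Ports the talk calls out: Telnet, and the alternate HTTP ports that get
# spun up for a new web UI and never turned off. The set is an assumption.
TELNET_PORT = 23
ALT_HTTP_PORTS = {81, 8000, 8008, 8080, 8081, 8443, 8888}

# Constructed sample in the shape of masscan's JSON (-oJ) records. Not a real scan;
# addresses are from the documentation range 203.0.113.0/24.
SAMPLE_SCAN = json.dumps([
    {"ip": "203.0.113.10", "timestamp": "1500000000",
     "ports": [{"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54}]},
    {"ip": "203.0.113.10", "timestamp": "1500000001",
     "ports": [{"port": 8081, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54}]},
    {"ip": "203.0.113.25", "timestamp": "1500000002",
     "ports": [{"port": 23, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64}]},
    {"ip": "203.0.113.40", "timestamp": "1500000003",
     "ports": [{"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64}]},
])

# What you know your perimeter to be: host -> expected open ports, plus the
# owner (internal team or third-party vendor) a finding should be routed to.
INVENTORY = {
    "203.0.113.10": {"owner": "dispensary web front end (hosted CRM vendor)", "ports": {443}},
    "203.0.113.25": {"owner": "grow-room camera gateway (installer contract)", "ports": set()},
}


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    severity: str   # "high" needs action now, "review" needs an owner to confirm
    reason: str
    owner: str


def parse_scan(scan_json: str) -> dict[str, set[int]]:
    """Collapse masscan-style records (one port per record) into {ip: {open tcp ports}}."""
    seen: dict[str, set[int]] = {}
    for rec in json.loads(scan_json):
        for p in rec.get("ports", []):
            if p.get("proto") == "tcp" and p.get("status") == "open":
                seen.setdefault(rec["ip"], set()).add(int(p["port"]))
    return seen


def diff_exposure(scan_json: str, inventory: dict) -> list[Finding]:
    """Compare observed exposure with the inventory; anything unexplained is a finding."""
    findings: list[Finding] = []
    for ip, ports in sorted(parse_scan(scan_json).items()):
        entry = inventory.get(ip)
        owner = entry["owner"] if entry else "UNKNOWN (not in inventory)"
        expected = entry["ports"] if entry else set()
        for port in sorted(ports):
            if port == TELNET_PORT:
                findings.append(Finding(ip, port, "high", "Telnet exposed to the internet", owner))
            elif entry is None:
                findings.append(Finding(ip, port, "high", "host not in inventory", owner))
            elif port in ALT_HTTP_PORTS and port not in expected:
                findings.append(Finding(ip, port, "review", "alternate HTTP port not in inventory", owner))
            elif port not in expected:
                findings.append(Finding(ip, port, "review", "open port not in inventory", owner))
    return findings


if __name__ == "__main__":
    for f in diff_exposure(SAMPLE_SCAN, INVENTORY):
        print(f"[{f.severity}] {f.ip}:{f.port} {f.reason} -> {f.owner}")
```

Running this on a real export means replacing SAMPLE_SCAN with the file masscan wrote and keeping the inventory current as vendors change; a finding routed to "UNKNOWN" is itself the signal that ownership was never assigned.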