Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP
Formal metadata
Title | Gone in 60 Minutes: Stealing Sensitive Data From Thousands of Systems Simultaneously with Open DLP
Series title | DEF CON 19 (part 107 of 122)
Number of parts | 122
Author | Andrew Gavin
License | CC Attribution 3.0 Unported: You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unmodified or modified form, for any legal purpose, provided you credit the author/rights holder in the manner they specify.
Identifiers | 10.5446/40536 (DOI)
Language | English
Transcript: English (automatically generated)
00:00
Good afternoon. My name is Andrew Gavin. I'm here to talk to you about a tool I wrote about a year ago and I've been updating ever since. It's called OpenDLP, and how you can use that to steal sensitive data from thousands of systems in less than an hour. So just a standard disclaimer, I'm here just representing myself. Even though I work for Verizon Business, they have nothing to do with
00:22
the tool, nothing to do with the presentation. And also if you use my tool and you get in trouble, not my fault. So my outline here, I'm going to talk about what OpenDLP is for those of you who aren't familiar. This is by the way building on a presentation I gave at ShmooCon earlier this year. My reasons for writing it, how the agent portion
00:43
works. I'll show benchmarks between the agent and the agentless scanner and you can see the drastic speed improvements that an agent offers. I'll give a live demo of the agent and also live demo of some new features. I've got four demos lined up. I plan on flying through these slides. I don't have much time, but I do have quite a few slides
01:01
and I hate slides. I like demos. And then at the end we'll show my contact info and we'll have a few minutes for Q&A. So what is OpenDLP? For those of you who don't know, it is a data discovery tool and there are two components to it. There's a web app that kind of controls everything and that's on the LAMP stack. So Apache,
01:21
MySQL and Perl. And there's a Windows agent that runs on Microsoft Windows. It's open source, released under the GPL version 3. And it is useful for compliance people. So if you're like a PCI guy, you want to find out where your PCI data is, you want to use this. It's also good for proactive network and system administrators because we all know they are
01:42
proactive, right? And then finally the coolest thing, what I do, I'm a pen tester, so I really wrote this for myself and I write this, I use this after I get domain admin and then I just let this thing rip on the entire network and it's pretty cool. So what was my reason for writing it? Well there really was no free agent-based solution last year
02:03
when I started this. The only solutions were really GUIs that you could run on your desktop like Cornell Spider, and you could hack those to be an agentless scanner where you would do a net use to the remote hard drive and mount it locally. But as you'll see with the benchmarks, it's not really ideal for a very, very large deployment. It's going to
02:22
be very, very slow. So how does it work for the agent-based scans? How do you get it going? Well the first thing you want to do is create a policy and this policy is going to be reusable. You're going to have your administrative credentials because the agent runs as a service and you need to be an admin on the box to install a service. And then you can do other things like whitelist and blacklist files and
02:41
directories. And then you want to configure your regular expressions that you're going to use. It uses PCREs, I assume we're all familiar with that here. And then a few other things that I'll show. Then you're going to start a scan, and it's going to be deployed over SMB and it's going to get kicked off by the winexe program, which is like the Linux PsExec, and it
03:03
can concurrently deploy the scanners up to as many as you want in parallel. So instead of just sending out one at a time, you can send out maybe 30 or 50 at a time just to get it going faster. Now when the agent is running on the Windows box, it's going to run as a service, as I said, but it'll run at low priority. So no one's really going to see or feel it. There's not going to be a little pop-up GUI
03:22
box or anything in the system icon tray or anything like that. It's also going to limit itself to a percent of memory. So if you want to scan some huge 10 gig file and the Windows box only has a gig and you try to load that 10 gig file in the 1 gig of memory, bad idea. So what it will do is it will chop up that large file into smaller chunks, with the chunk size defined as a percent of system memory. So
03:41
like 10% of system memory or 20% or whatever you decide to use. Finally when it's done, it's going to scan, go through the whitelist and blacklist and scan the resulting files. And then every so often it's going to ping back to your web app with results and it will give little status updates and stuff. And this is done securely. It's over a two-way trusted SSL connection. So if
04:01
someone tries to man in the middle it, it's not going to do anything. It's written in pure C. There are no .NET requirements. So if you want to run this on an old Windows 2000 or XP box that doesn't come by default with .NET, it's still going to work. And finally when it's all done, it's going to uninstall itself automatically as a service. It's going to delete its directory completely. Really
04:21
the only way that you notice it was there is by looking at the logs and certainly 99% of the Windows users won't even notice it was there in the first place. In the web app you can monitor the agents and as I said before, it's going to ping with results every so often and you can see how many files and bytes it's processed. You can control the agents, pause, stop, uninstall, resume the
04:42
agents, and you can also view the results live as they're coming in. You can, if you see a finding, you can download that file just to verify if it's actually there. There will be a little hyperlink there and it will tell you the byte offset inside the file where it thinks it found whatever regular expression like I found a social number at
05:00
offset 500 in this file. So I know what you're thinking. Yeah, I invented multiplayer grep, but someone I guess had to do it. And just to go through some benchmarks, these are the specs. It's a couple-of-years-old machine, but just for the sake of this benchmark, I ran it on two gigs with 13
05:24
regexes. It took just over an hour, an hour and seven minutes. I'm not going to go through the rest of this but on the flip side, an agentless scanner, the same exact thing, took an hour and 20 minutes for 13 regexes. And for the agentless scanner, about 20% of the time
05:42
was spent downloading the files because with an agentless scanner, you basically have to download the entire file system to your own box so you can process those files. So 20% of the time was spent on that and nearly 80% of it was spent on crunching the numbers. Now if you're going to do this for more than one box, more than one target, you're going to run into some bottlenecks. And probably the biggest bottleneck is going
06:01
to be your own system CPU and that's what's really going to slow things down. So just for one system, it's only really 19% slower but if we extrapolate this to more systems, we see here the blue line is the OpenDLP agent remains flat. Just about one hour. And the
06:20
agentless scanner with one core for 25 systems will take over a day. Just 25 systems takes over a day. Oh, sorry. So on the bottom, there's really not much information. It just says for this graph it shows going from 100 to 2,000. Sorry about that. So for 2,000 systems
06:43
which is way on the right, it will take almost three months to scan 2,000 systems with a single core system that I use my benchmark on. But with the OpenDLP agent, it just takes one hour. You can't see that but trust me, it's there. So it just remains flat. The
07:05
upsides to an agent-based solution are that all the computations are done on those victim systems. It's basically a distributed project. It's like SETI but instead of searching for aliens, you're owning data. And it also doesn't have much network traffic. It's only sending out
07:20
about one meg initially with the agent and every so often it pings back with those results and the log files. So it's really not a whole lot of traffic. The downsides to the agentless scanner are of course everything has to be processed by you by your own laptop or your own system. So if you're going to do this 2,000 times in parallel, it's
07:41
really going to crush your CPU and of course you have to download everything to your system as well. So I'm going to show a live demo of the agent. And this is the interface. Make it a little bit bigger. And what you first want to do is you want to go to the profiles and you want to create a new profile. So for this, we'll just call it
08:01
agent. And we'll select the Windows file system for the agent. And you can mask or unmask sensitive data. I don't like to mask sensitive data because that's lame. So we want to do the local administrator account with the secure password of blah123. You have to specify the
08:23
domain or the workgroup. If you don't have the password though, someone sent a patch, so you can put in the SMB hash. So even if they've got like a 64-character-long NTLM password that's super complex that rainbow tables won't even touch, no problem. Just put in the SMB hash and you're good to go. The install path, this is kind of important because when the agent is uninstalled,
08:42
it will recursively and forcefully delete this directory. So please do not, do not, do not install it to the Windows directory or anything like that. You've been warned. This is the memory limit that you can set where it will chop up the files. Here's where you can whitelist and blacklist directories. So I've got some sample data in this directory. And likewise, here's where you
09:04
can whitelist and blacklist file extensions. So pictures, movies, EXEs, things you really probably don't care about that would contain sensitive info. Here are the regexes. So we'll check some of these. You can add your own regexes. As I said, they're based on PCREs. These options here tell the agent what regexes to treat as
09:24
credit cards. So if it thinks it ran across a 16-digit number, you might think it's a Visa or MasterCard, but it's going to run that through the mod 10 check. Yeah. Yeah, exactly. That's what this is exactly. So it will cut down on false positives. And these options here, it will read inside zip files. So Office 2007, OpenOffice, just
09:43
normal zip files. It will pass them over once as a normal file. Then it will try to unzip them and go through its contents a second time. This is the upload URL. And the, it takes basic authentication credentials in addition to the certs. So I don't want
10:01
to fat finger it, so I'll copy paste. This is the time between uploads. So I'll often, I'll ping back and we just fill out this stuff and submit the new policy. Now we want to go to start the actual scan. So we'll just name this agent. We select the profile that we just created and we enter our guinea
10:23
pig here. And it's going to start. So if you were to scan maybe a thousand, two thousand systems, on this screen you would see a live scroll of this here saying zero systems remaining, or 500 systems remaining, 400, 300. Once you get down to
10:40
zero, then you know it's safe to leave this page. Because if you leave this page before then, it might interrupt the deployments. So if we go back now to our guinea pig system, we can see that OpenDLP is running below normal. It's going to run as a service. And let me try to bring that up. Oh, it's just done.
11:05
We see here it's running as a service and eventually now it's gone. So when it's done or even while it's running, you can view the results live. So you just go to the view scans and results. And this is, it's going to give you a summary of the scans here. And you select one.
11:23
And here it's going to give you all the systems in that one scan that I just launched. So there's only one system. And we can view the results here. So we found possibly a social number, let's say in this file here. So we can click it and we can download it and open it. And we see, yeah, there's probably a social
11:43
number, the number ones, number twos, and then down here number threes. So we can verify that. If you think you found some false positives, you can check these guys and scroll to the bottom and just mark them as false positives. Go back, they're gone. If you think you accidentally marked something as a false
12:01
positive, you can manage your false positives here and just drill down to the system and uncheck a couple. Now they're not a false positive. We can go back to the results and refresh and they're back now. So that's pretty much it for the agent scanner. Go back to my
12:20
slides now. Recently I added some new features though. I gave a talk in Amsterdam in May and I added database agentless scans. So I've got support for Microsoft SQL Server and MySQL. And then most recently, right before this conference, I added agentless support for Windows and Unix. So for the database scans,
12:41
it's very, very similar to creating a policy for an agent scan. The only difference though is that instead of whitelisting and blacklisting files and directories, you can whitelist and blacklist tables, databases and columns. That's pretty much the only difference. It's going to run as a shell script, a Perl script on your own system in the background. And it's going to walk the database structure
13:01
just like you would walk through an SQL injection. So it's going to enumerate the databases and the tables and the columns and it's going to go after the data. And then you can control the scans too. So I'll give a quick demo of that. So we're going to create a new profile again. We'll call this MySQL and
13:24
test and test. And here's where you can whitelist and blacklist your databases, your tables, your columns. You can limit how many rows you can grab. So if you want to grab all rows, just enter a zero. But just be aware that some tables are quite large. If there's a million rows, it would
13:42
take a while. So we'll submit that. And we will launch our scan just like we did last time. Select the profile that we just created. I'm going to cheat and just do a loop back because I didn't bother to set up MySQL listening on 3306. So this is going to go
14:01
pretty fast. In fact, it should be done because there's not a lot of stuff. Here's the scan that we just ran. And we see that it's done. And we see, you guys really can't see that. There's five findings, trust me. And they're all social numbers and it will give the database, the table
14:24
and the column name. So if we want to verify that, there's no option for me to verify that right now. But what we can do is just go into the database itself and we see that here's what it found. All that good stuff. So that's
14:40
it for the MySQL demo. Now what I'm going to do is demo the agentless OS scan. Let me talk about it first. The policy is, again, very similar. You don't need admin credentials for this scan. It's helpful. But obviously if you don't give it an admin account, it's not going to be able to read all the files most likely. It also
15:02
honors the whitelisting, blacklisting, the memory ceiling. It's going to be the memory ceiling on your own box, not on the guinea pigs. And then it's going to run in the background as a shell script, as a Perl script. And I currently have support for Windows, the entire file system over SMB. Windows shares, you guys
15:21
can't see that. And then also UNIX over SSH using the SSHFS method there. So I'm going to do a demo of UNIX real quick. So create a new profile, call it UNIX. And
15:42
I've got some test data in a directory somewhere. So I've only got about five minutes left. I don't want to scan my entire system. And again, the same file extensions options, the regexes are
16:02
here. Credit cards, zips, and we're good to go. We'll start the scan. And it's now started. So we can view it as it's going.
16:24
And wow, it's okay. It's already done. And it's just like the last time. You can see the results and do all that good stuff. And then finally what I'm going to do is I'm going to demo a Windows share because that's just slightly different. So we'll create a new profile.
16:42
This one, this particular share is completely wide open. You don't need credentials at all. So I'm not going to fill in anything. So when you run your vulnerability scanners, you'll probably see that quite often. The directory here is a little bit different. It's relative to the path of the share that you're going to give it when you start the scan. If you try to put in
17:01
C:\Windows, it's not going to know where that is because it's got to be relative to the actual share. So we'll just leave that blank for now. And the file extensions and regex again. And the same thing, credit cards and zip files. So we'll submit that. And we'll start a new
17:21
scan again. And there's a slightly different thing here where instead of giving it a list of IP addresses, you have to give it the actual full path to the share so it knows where to go. And if you were to whitelist or blacklist directories, it would just append them here like that. But you don't have
17:41
to do that. Just give it the base path of the share. So we click start. And it's going to go in the background. It's going to download all those files over the share. And we can view the results as they're done. And that was faster. Usually if you catch it in time, you're going to see that it will give you like I'm 20% done. I'm
18:01
estimating there's maybe a half an hour left in my scan. But just for the purpose of this demo, I don't have that much time. But here again you can see same exact stuff. You can download the files, check them out. And you're good to go. So conclusion for pen testers. Open DLP,
18:21
it's free. It's open source. After you get domain admin or after you find some database credentials or UNIX credentials, let it rip. Because you can show the C-level executives, show your customers that there's very much risk to getting domain admin. A lot of those people don't really realize that, oh, you got domain admin, okay, whatever. But if you show them that, oh, okay, well, here's all your
18:41
customers' social numbers or here's all your customers' credit card numbers that were on Peggy in HR's system or Bob in finance's system, it's pretty damning. And then finally for everybody else, if you're some sort of admin, this is free. And really you should be using this to find your
19:01
own sensitive data on those weird systems that you don't know about before people like Anonymous or LulzSec or our favorite nationally sanctioned hacking groups use or find. And just to reiterate, it's multi-platform. It does file systems and databases so really there's no excuse why you shouldn't be using this. But this
19:22
is the project page. It's on Google Code. And the current version is 0.4. And it's kind of a bit of a pain in the ass to install. So I made a VM about a year ago. The VM is a little outdated. I'm going to update it in the next few weeks. But it's based on 0.2.2. It's easy to upgrade. And then my contact info is there.
19:41
And I believe we have time. Yeah, we have maybe five minutes for questions if anybody wants to, yeah, go ahead. Sorry. The question is if I've looked into using IFilters on Windows to
20:01
look into different binary types, I do want to get into that, especially Outlook PST files because those are just going to be a freaking gold mine. Yeah. Yeah, in fact, you can make your own regexes. So just by default it comes with 13. But here's
20:22
an interface here where you can create your own regexes. So just give it a name. And, you know, some kind of pattern here. Or whatever. And then just you're good to go. Yeah. Okay.
21:14
So the question was how do I know that this tool won't modify data or harm data in any way because people are leery about open source tools.
21:23
I open the files read-only. So if they are modified after I open them, I am not sure what happens. But it will not purposely modify the files at all. It's just read-only, strictly read-only. Yes,
21:42
it would be listed in the logs here. There's a section here for the logs. And any file that I cannot open, it's going to be mentioned here in the logs. So there's not much here. I can open all the files that I tested on my demo. But it will mention it there. Yeah.
22:06
Have I thought about enumerating CACLs? Oh, the ACLs. Okay. Not so much right now, but perhaps down the line. Yeah. Yeah. Great
22:22
question. So as a consultant, I don't like to leave my systems on the job. And his question was how do agents deal with a lack of communication with the web app or your own server? And there's that phone home option every five minutes or whatever you set. It's going to keep trying every five minutes. If
22:40
it cannot contact your web app, it's going to keep running and it's going to keep doing its grep. And then every five minutes it's going to try to phone home. At the end, if it's completely done searching all the files, it'll try every five minutes just to phone home still. So let's say you launched the scan on Tuesday, you come back in Wednesday morning and plug in, you're just going to get a crap load of
23:00
data like in the first five minutes. It's kind of cool to watch. But yeah, it'll handle miscommunicating with the web server just fine. Yeah. It depends on how many systems you're running and also how many findings there are and certainly you
23:21
can set the log verbosity in the profile too. I haven't really investigated it too much except that I know it can handle several thousand just fine on just a decently recently made laptop.
23:40
No, there are no agents on a database server. The database scan is agentless so it's going to remotely connect and download all the tables and stuff. Yeah. Oh, oh, negligible. It's just downloading the tables and stuff just like a normal client would. It downloads it locally and does the processing
24:00
locally. It doesn't do anything on the database except to download the data. Yeah. So yeah, the question was self-destruct like if it can't contact the server after a few days it'll just uninstall itself. The problem that
24:21
I ran into with that, I haven't thought of that, but I'm thinking of how Windows works and, as far as I understand, a running process can't uninstall itself because it's running. I might be wrong, but that's why when OpenDLP uninstalls itself it's the web app sending
24:41
another one of those winexe commands to the system. But that is a really good idea. Just to cover your tracks more. Yeah. Another great question. What happens when the victim systems that you're scanning
25:00
with the agent die or they get rebooted or something? Since it runs as a service, it'll automatically restart when the system restarts, and OpenDLP keeps track of the last file it scanned so it'll just go back and resume where it was before. I mean if the system is completely dead obviously nothing's going to run on it so I can't help that. But if it gets
25:21
rebooted or if no one's logged in it'll run and it'll resume just fine. Antivirus. Good question. Right now OpenDLP is not labeled a virus by anybody and I think if it ever does it'd be quite interesting because a lot of those AV companies also have DLP programs so
25:41
a little conflict of interest there but right now it's not identified as a virus. If it tries to open a file that's identified as a virus then something will pop up and the user will see that because I've run into that with AVG on occasion. Yeah. Like a
26:07
schedule? His question was have I set up any sort of scheduling or do these systems at a particular time? Not yet but that is on my to-do list. Absolutely.
26:21
Anybody else? Otherwise I'm going to wrap up. Yeah one more question. I'm sorry it's really hard to hear you. How
26:45
am I what? Oh how am I storing the data? It's stored locally in a MySQL database and you can select whether to mask or unmask that data so if you select to mask it and you're worried about you becoming another risk it'll unmask the first 75% of whatever string it finds
27:01
and it will leave the last 25% unmasked. But it is stored in plain text. If you are really worried about it you can set up a TrueCrypt volume for your MySQL stuff but that's kind of outside the scope of my tool right now. But that's all the time I have. Thank you.