CANNABIS VILLAGE - Compliance and Infosec Within the Cannabis Industry

Video thumbnail (Frame 0) Video thumbnail (Frame 1183) Video thumbnail (Frame 4153) Video thumbnail (Frame 6777) Video thumbnail (Frame 10249) Video thumbnail (Frame 11480) Video thumbnail (Frame 13073) Video thumbnail (Frame 14070) Video thumbnail (Frame 15229) Video thumbnail (Frame 16259) Video thumbnail (Frame 17466) Video thumbnail (Frame 19353) Video thumbnail (Frame 20609) Video thumbnail (Frame 21227) Video thumbnail (Frame 21831) Video thumbnail (Frame 23052) Video thumbnail (Frame 23650) Video thumbnail (Frame 24588) Video thumbnail (Frame 25387) Video thumbnail (Frame 27423) Video thumbnail (Frame 27942) Video thumbnail (Frame 28495) Video thumbnail (Frame 29494) Video thumbnail (Frame 34669) Video thumbnail (Frame 35766)
Video in TIB AV-Portal: CANNABIS VILLAGE - Compliance and Infosec Within the Cannabis Industry

Formal Metadata

Title
CANNABIS VILLAGE - Compliance and Infosec Within the Cannabis Industry
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
WeedAnon is a long time infosec practitioner, cannabis enthusiast, and active volunteer with the HackMiami Conference of South Florida. WeedAnon believes that cannabis use is a great way to pass the time while awaiting internet wide port scans to complete, and sees the emerging cannabis industry as an under-served marketplace when it comes to the implementation of information security best practices. This talk will discuss the emerging attack surface of the cannabis industry. Analysis of physical, digital, and compliance risks that go hand-in-hand with newly drafted medical and recreational legislation will be examined. Examples of discussion points include topics such as the secure management of PII, various compliance requirements, secure data storage, interaction with regulatory authorities, physical security issues, IoT security, legal loopholes and ambiguities, as well as suggestions for best practices and resources for followup research.
Point (geometry) Pseudonymization Mathematical analysis Likelihood-ratio test Field (computer science) Neuroinformatik Web application Software Hacker (term) Internetworking Chromosomal crossover Self-organization Hacker (term) Information security
Webcam Point (geometry) Surface Suite (music) Asynchronous Transfer Mode Building Server (computing) INTEGRAL 1 (number) Device driver Process capability index IP address Data transmission Neuroinformatik Different (Kate Ryan album) Operator (mathematics) Vector graphics Information security Address space Formal grammar Physical system Form (programming) Area Standard deviation Software developer Data storage device Plastikkarte Sound effect Physicalism Database transaction Cross-site scripting Type theory Uniform resource locator Process (computing) Vector space Software Personal digital assistant Internet service provider Customer relationship management Order (biology) System identification Quicksort Hacker (term) Row (database)
Service (economics) Link (knot theory) Multiplication sign 1 (number) Disk read-and-write head Event horizon Different (Kate Ryan album) Internetworking Single-precision floating-point format Computer hardware Information security Physical system Area Link (knot theory) Graph (mathematics) Mapping Information Digitizing Electronic mailing list Price index Public-key cryptography Vector space Software Password Internet service provider Chain Figurate number
Webcam Point (geometry) Real number Virtual machine Mereology IP address Internetworking Computer hardware Internet der Dinge Router (computing) Perimeter Physical system Vulnerability (computing) Webcam Scale (map) Default (computer science) Firewall (computing) Cartesian coordinate system Web application Internetworking Software Telnet Password Videoconferencing Communications protocol
Domain name Information Gradient Data storage device Port scanner Cryptography IP address Product (business) Product (business) Auditory masking Different (Kate Ryan album) Customer relationship management Website Quicksort Website Thermal conductivity Vulnerability (computing)
Injektivität Type theory Web application Subject indexing Injektivität Customer relationship management Order (biology) Quicksort Error message Computing platform
Asynchronous Transfer Mode Service (economics) Code Multiplication sign MIDI 1 (number) Design by contract Number Operator (mathematics) Flag Software testing Information Information security Identity management Area Enterprise architecture NP-hard Information Software developer Mathematical analysis Data storage device Plastikkarte Physicalism Database Software maintenance Entire function Password Quicksort Window Row (database) Asynchronous Transfer Mode
Default (computer science) Asynchronous Transfer Mode File format Code Password Product (business) Asynchronous Transfer Mode Probability density function
Webcam Server (computing) Standard deviation Service (economics) Mapping Mathematical analysis Likelihood-ratio test Web 2.0 Revision control Web application Type theory Web service Internetworking Password Web application Figurate number Firmware
Scripting language Default (computer science) Scripting language Computer file Flash memory Time zone Password Root Root Password Web application Acoustic shadow Default (computer science)
Authentication Server (computing) Service (economics) Computer file Mapping System administrator Electronic mailing list Web application Word Exterior algebra Internetworking Web application System programming Physical system Webcam
Ewe language Dialect Server (computing) Presentation of a group Validity (statistics) Source code Cartesian coordinate system Power (physics) Tablet computer Type theory Web application Internetworking System programming Object (grammar) Physical system
Type theory Morphing Hacker (term) Password System programming IP address Physical system
Web crawler Group action Satellite Link (knot theory) System programming Figurate number
Axiom of choice Building Multiplication sign 1 (number) Design by contract Mathematics Personal digital assistant Information security Physical system Enterprise architecture Satellite Smart Device GUI widget Digital signal Type theory Web application Data management Arithmetic mean Process (computing) Internetworking Vector space Telnet Internet service provider Website Right angle Sweep line algorithm Encryption Information security Point (geometry) Service (economics) Divisor Open source GUI widget Authentication Virtual machine Password Online help Coprocessor Product (business) Vector graphics Telnet Computing platform Default (computer science) Default (computer science) Dependent and independent variables Computer network Continuous function Mathematics Software Doubling the cube Analog-to-digital converter Web service Password Äquivalenzprinzip <Physik>
Email Open source Projective plane Interior (topology) Port scanner Lattice (order) Drop (liquid) Port scanner Proper map Product (business) Web application Type theory Pell's equation Latent heat Query language Internetworking Moving average Information security
Email Type theory Home page Email Group action Information Hacker (term) Hacker (term) Twitter
I'm going by the handle weed and on for the promotion of this talk but my name is Alex hight and I'm one of the cofounders of the hack Miami conference and I using a I was using a pseudonym for the promotion of it just to avoid any SEO crossover because we're going to be going into some pretty interesting topics and so bit about me I'm from
South Florida and I work with the hack mammy organization is one of the co-founders so the other co-founder sitting up front with me as well my backgrounds in the field of essentially web application security network attacking and also malware analysis and and threatened tell and most importantly I like computers the internet and I love smoking week that's were the most important probably the most important point to be proud so some of the stuff
will be going through is we're going to be talking about the different areas of compliance that are being foisted upon the cannabis industry with their new suits a new industry a lot of its unregulated still even with proposed stuff coming up and there's there's a lot of gray areas - where - what existing compliances need to be fulfilled in which new ones are upcoming that may need to be thought of and as as anyone who's been attending DEFCON four as anyone who's attended DEFCON ever knows compliance does that does not equal security so once things are compliant then what and so we'll be going over the use of IOT technologies as it relates to agricultural development and essentially just the giving an IP address to all sorts of things that previously didn't have IP addresses in this case it's farm equipment and hydro gear webcams to watch to watch Gardens that type of stuff and most importantly from the areas of third-party risk most cannabis most kind of industries rely solely or not not entirely on third-party vendors to supply all the business operations that are needed to meet the existing compliance except they have to go and so merchant Merchant Services they can't have bank accounts so they'll need to use a certain provider to be able to to process the other process credit cards if they're allowed or use some kind of evasive credit card to cryptocurrency to cash system in order to make those purchases and and then we're good and we'll also be going into some examples of scaled attacks against IOT systems that can definitely have a big effect on the cannabis industry from the smallest from the smallest type of a web cam hack going up to to more intense types of attacks and when it comes to the vectors
of risk of what is actually being what is actually being but what is that risk for the customer and what is that risk for the business so for the business there are existing areas of compliance that are applicable so if they're if they're processing credit cards there's PCI CSS if they're doing Health's if they're handling medical cannabis records then it hit both HIPAA compliance standards apply and this is all for the storage transmission and and made basically there today intending to maintain the confidentiality integrity and availability availability of all these data of all these data types and transactions and very few places will actually use their their own setup everyone's making use of for example point of point-of-sale systems that are specially designed for the cannabis industry so the experience of walking into a dispensary providing a driver's license or other form of identification that's either scanned or taking a picture nor entered into some computer that's hardly ever stored within just within the building itself it's being used of some type of they're usually using some kind of third-party customer relationship management software that will serve oftentimes many different cannabis companies or other types of companies I will be going into those types of issues as well and we'll also be going into actually some of the some of the physical security risks that exist within with and within the cannabis industry as well and how it relates to information security compliance practices especially as it relates to cash and garden locations and the like so the to to wrap
your head around the concept of third-party risk it's the idea that the weakest link will be exploited so when you have a bunch of different companies working together once making use of assert that one companies making use of a service and there creates a digital supply chain the weakest one is oftentimes the one that will provide a vector into all the other different companies often times through password reuse and/or an interconnected network some examples of that would be the target breach even the OPM government hack was based off of a compromised contractor that had credentials and they're able to get into the to the government system so while they're targeting all these major industries they've always been talking because that's where the money is they're going to be targeting the cannabis industry as it emerges for several reasons one there's a lot of hardware to be able to take over and compromise and turn into a botnet - there's a lot of cryptocurrency stuff that goes on that makes it that there there's an incentive to actually steal private keys or actually do the reconnaissance to be able to get into these businesses to be able to steal private keys and information and we'll be going through some of the aspects of what these what these third-party vendors look like and where the risks where the risks lie so one of the one of the more what are the more prominent ones that they seem that they seem to be doing decent from a security hygiene wise is for example like weed maps calm so you have all these different dispense the areas that are using weed maps calm to do their listings and also process their orders and in the event that a service like weed map sitcom would get hacked every single dispensary and customer of that service is impacted and so attackers are no longer going after individual individual entities they're going after the service providers that handle the all the entities and then that way they're able to actually get it and from standpoint of weed maps calm there's I didn't see any indication that there gonna be hit anytime soon but everybody will eventually get hit and it's not about blaming blaming a person or the T when it happens it's about how do you respond to it to be able to mitigate the fallout that's that's going to occur and so as we touched on with an increase
in IOT technology so this is a graph that came from from Cisco and they're estimating that about 200 million yeah no sorry 50 billion IOT devices will be on the public Internet by the year 2020 so if 1% of those devices are exploitable through the public internet that means 500 million exploitable targets if a percentage of those are pretty sensitive those are agricultural or cannabis related it doesn't matter attackers are just they're looking for absolutely anything they can be able to get into and then they'll figure out what they're gonna do with it after the fact yeah yeah it'd be essentially a small nation or a big nation of compromised devices so IOT devices are definitely
more than just routers printers webcams coffee makers toasters the innocuous business to kanockers consumer electronic technologies are everyone's making use of more and more agricultural industrial manufacturing heavy machine systems are being given IOT capabilities or given internet browsing features things like telnet or real weak-looking HTTP applications and the reason is it's it's easy and they're fast and they do communicate that the protocols work and they're even older equipment that was never designed to be put online and in the first place is getting retrofitted with hardware that will give it an IP address with telnet and a really lame web application to be able to host all all everything's and we're definitely seeing that also emerging when it comes to large-scale agricultural growth because that's it's much more efficient that way and
so as we touched on earlier these the increase in IOT is way more than just but then just being able to compromise machine make it part of a botnet it of the like it's it's a it's essentially a bounce point into the internal networks so any perimeter device that can get compromised either through an exploit through a miss configuration or through a weak password or a default password that through this is just kind of one example of what that would look like a default or a weak telnet password the attacker enables S&H SSH now they can do an SSH tunnel and now they're able to start port scanning the internal ranges and and so forth so when it comes
to the tools for discovery the most important thing is to have high quality cannabis usually from the top shelf with the highest grade of THC that's available from the store and then pick up a VPS from crypto with some cryptocurrency to be able to conduct scans for something that's other than your home IP address using Google you can find a ridiculous amount of information with the Google Dorking technique and for anyone not familiar with Google Dorking it's using Google to find things that are indexed that show vulnerabilities that they might not have wanted to be indexed so just Google Google Dorking to find more about that and then the tools mask and zmapp for your own port scanning and showdown and census or for pre pre scant ports and
interestingly enough powered by footers are still a thing and not only are they on the old web sites that they should it be they're being printed on the receipts of the dispensaries so when when I picked this up earlier this week it said powered by and then the the domain name of this company and when we went to the domain name it was essentially a CRM that has all sorts of different customers they serve all industries and they seem to have a few products that are targeted towards the cannabis industry and their and their main in their main use is you know ecommerce so
there'll be I pretty much blocked out absolutely everything too be able to maintain who they are but it's there a CRM a very kind of entry-level Salesforce type thing and a lot of dispensaries use this use this platform as a back-end for when you check-in when you go to the front desk and you check-in when they send you order to the back every patience order is this saved in here along with a whole bunch of others and what smarts ColdFusion like it's a it's running a legacy web application of ColdFusion parameterised all the URL is heavily parameterised Google Dorking showed all sorts of indexed the index things that shouldn't have been indexed but we're publicly available and when you
basically throw just the simple percent 27 into the URL you get the 500 you get the 500 error which indicates oh maybe there's an SQL injection there and well
that's where we stopped because that's I mean this would see Windows 2008 r2 code yeah it's definitely definitely a problem there are the entire databases available on test leaking for this dispense iary and every single other one that's using the service and gonna be contacting them to get that sorted but it's the thing is it's a third party vendor so they're gonna have to call some companies gonna have to call some companies gonna have to call their developer that was hired by some contractor and then they have to explain the whole thing of what happened and then it'll get fixed so even when it comes to high risk security issues the average time to remediation is still about six months for even enterprises that have their stuff together from the time it's identified to the time it's fixed it could take six months and meanwhile everyone from both dispensaries and other businesses because this company does all sorts of other stuff those databases are just sitting there waiting for someone to come along and use more intense flags on the analysis tools
and from the standpoint of physical security in atm so okay so maybe there's no credit card numbers stored in these on the databases just patient record information hey maybe we could do some identity theft but what's the big deal with that say the dispensary area has an ATM on-site and now all of the ATMs that pretty much that are available come from brands like one main manufacturers Hyosung and there's a few others the the way most stores get these in there is they they won't they don't accept card so they'll get a contract with a company who has a contract with the company who has a contract with the company that will put an ATM and and then there then they'll contract somebody else to come in and do the maintenance and all that and no one's communicating but everyone has the manual from the manufacturer which has the operator passwords of you
know to 2 2 to 5 5 5 foot you know yeah those are those are basically just the default passwords you can if you again google dorking file type : PDF ATM manufacturer name model number you'll find what you're looking for because they're making them available because people have to be able to fix their ATMs and when it comes to the actual safe
that's in the ATM also a default code 50 25 50 and when you try to look at what is actually when you try to change it the instructions are very complicated I'd actually get this changed but they emphasize how important it is I don't I don't know if many people are doing it and it's again it's all a matter of percentage to what be when it actually becomes a problem and when it comes to
web application exploits so one of the analysis is that we did is we we found a web application of CVE from CVE 2017 75077 and we did a mapping on the entire internet for any HTTP service that's running the web service known as UC httpd it's a embedded firmware that's used on a lot of cheap cheap manufactured web cams that are white labeled an OEM to all over the world found about two hundred and five thousand of them little under a year ago and they were version 1.0 is the only version of this web server that exists and it's vulnerable and there's no update so it's they're still like that to the when we look into the actual what
the exploit is it's a very standard little web application log in the usual passwords are again admin one two three four five six that type of stuff but even if you can't figure out the
password there's a Python script available on exploit DB where it's just I mean it's very simple dot dot slash it's just dot dot slash and you can read any file and there's yeah yeah there's no there's no shadow file or anything
like that it's just it's just the encrypted root password and that this was the default but even when they change it you could still get the most updated one and crack it pretty easily and then you can also download every
file that might be on the server and whatnot and and so again this is shown that this gets definitely be more than just a little web app exploit if you've been able to map out all these cameras and be able to download the files continuously from them there there's definitely things that people probably don't want done on these on these devices and you're probably closed them off to the public Internet and so when
the heavy stuff of SCADA systems we did a mapping of again just HTTP services port 80 and alternate ports 80 81 and if you google for HTTP alternate ports you can find a nice list oftentimes people set those up without people will set up something new it'll spin up an alternate HTTP port no authentication maybe administrative permissions or something and people just won't turn it off so we disk and for that with just looking for the word skate up just to see what could happen and we started
finding electrical facilities so from a standpoint of impacting industry if you've got a if your cannabis grow is one a SCADA if you've got a SCADA based hydro hydro system or whatnot these types of web applications are the stuff that are used to monitor and guide them or if you're making use of power power system like this solar panel to power it also has what like this or if your third-party vendor happens to be the electrical company which pretty much every person who has a company and does business has the third-party vendor of the electrical company what happens when there's when their stuff ends up on the internet and you can just start flipping switches and turning power off in regions and so this was a server that wasn't supposed to be on the Internet the manual of this manufacturer says don't put this on the Internet so of course we found a bunch of them on the Internet and it has they were smart though cuz they had password protection but these were designed because they were these are for tablets so when you walk into an electrical plant you'll see a big tablet or the employees will be walking around there with the hard hats and they'll be typing into tablets and there they're never really intended to be used on a desktop but it won't put out on the Internet so when you just view source code and remove the JavaScript object because there's no real validation on the application you get into the actual
SCADA system itself and that's that's that so this is um this is a solar system a solar electrical plant that for the sake of this presentation we could say well if hypothetically it's powering a region then cannabis grows in there would be impacted if something if this were to go out and then we just kind of
poked around to see what type of morph systems we find this one didn't even have a password on it and we were able to so we see this one the knobs will actually be spinning around and moving during the during the when you actually connect to the IP address and that there's no hacking and this this is just visiting an IP address and pressing enter and here's another one which
actually has the red button that can do something we don't know what yet but when we kind of keep clicking around we
figure out what it might be able to do it's actually for a dam so yeah you could you know if you want to take out a make sure that no one has any weed in a certain city you could just mess up their crops with this and they actually have the red button so what happens when so forget an apt group forgetteth of terrorist threat threat forget competition what happens when a Google spider or Yahoo fighter just some webcrawler starts hitting links and just goes click click click click click click click and then you basically it's a situation like this
which ends up in something like that and
then that's that's uh that's basically the most extreme way to represent third-party risk that I maybe would have come up with but for now hopefully that's where it ends and so essentially
we're we're so the main points I'm trying to convey is that third-party risk vectors are going to be the biggest single impact for not just a business but an entire industry overall because when one big provider gets hit the entire sector gets hit sometimes across multiple industries and increased scrutiny of default default deployments is the only thing that's going to prevent these types of screw-ups from taking place in the future people are plugging stuff in thinking it's working and the right hand doesn't know what the left hand is doing and all the the ownership of who's responsible for this is being pushed off and shared between different people and knowing that no one's doing anything because no one is technically responsible to do anything it's all built into the contracts and whatnot and also legacy systems are going to be online and just as stupid as those things that we saw so those are like the cutting edge new SCADA systems that are just everything's HTTP on web application and the and older stuff is just going to have telnet widgets hooked on to old machines and now you're able to connect into them and make them do things and again the only security on a lot of these things were client-side passwords or SSL so if they had SSL they believe themselves to be secure and so yeah so again the way to prevent this is continuous monitoring of the external of what your network is what you know it to be and then also figuring out what your service providers are and using a using your choice of third party vendor risk management platform to be able to track them or using your own or using open source tools to kind of build it yourself if you have the time to do it yourself by all means do if you need companies to do it seek the help of professional services and then the last last many things would be changed default passwords double check the passwords are changed because a lot of crappy equipment won't register a password change or it'll still have an old hard-coded one read it just research the technology heavily before you deploy it into production like like everyone should be doing but no one is doing and and again when using when choosing a third-party service provider basic due diligence we'll make we'll do things like making sure you're guaranteed not hopping into a hopping into a fire when it comes to sharing data so for example if you see if you want to use a merchant processor that's running a cold fusion site versus a merchant processor that seems to have something that was made within the last 10 years you might want to go with the newer one and and it's it's ongoing examine a lot of people won't but they'll go for what's cheapest what's available what salesperson got to them first there's a million factors that go into that and at at the end of the day people are going by what's compliant what's going to allow them to keep operating a business and what's going to be the easiest thing overall across the enterprise and security Paulding times becomes an afterthought in this process to the to the potential scenarios of some pretty pretty annoying to pretty disastrous things taking place and that's for for some resources
masscan zmapp to open source tools they scan the internet really fast just load them up roll some joints and watch them go and when it comes to and for web applications security definitely recommend the OWASP project the proper design methods to got local meetings all over the world definitely recommend getting involved within and if you don't want to spin up your own scanners check out shoten and census and you can query global internet scans looking for the same types of stuff that we had and even more even more specifics if you happen to know manufacturers of cannabis specific products that the trick to finding the products is to search for the make and model numbers and they'll start to start surfacing and on any
questions to that we yo still got a few more it is so alright well on that note I'll be around anyone wants to chat afterwards feel free to drop drop me an email we
can email anyone hack Miami group at info hack Miami or agree just shoot me an email Alex at hack baby org check us out on Twitter and if you have a o L go to the keyword and type hack Miami and you'll be able to take you'll see our our AOL homepage [Applause]
Feedback