50 Shades of AppSec
Formal Metadata
Title | 50 Shades of AppSec
Title of Series | NDC London 2016
Number of Parts | 133
License | CC Attribution - NonCommercial - ShareAlike 3.0 Unported: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal and non-commercial purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this
Identifiers | 10.5446/49585 (DOI)
NDC London 2016 (133 / 133)
Transcript: English (auto-generated)
00:12
Quick tutorial on how to DDoS. Now, before I start, I'd just like to say I'm not responsible for anything you do
00:20
with the information I've provided in this video for you. So if you go and DDoS someone with this information which I've given you, I'm not responsible for nothing, absolutely nothing you do. So yeah, now that I've got that out of the way, let's get started. So what we've got to do is we've got to load up command prompt, colour green.
00:45
Then what we want to do is we want to type ping, and then I've got a bunch of random IPs here. So, ping
01:01
and then just paste it, or you can type it out. And then, so this is just a command, it pings them, and this is the IP it will ping. This is how long we want it to do it for, so I've put a limited timer.
01:22
This is how many, this is how many packets you want to send. So let's just hit that. As you can see, it's already begun the process of DDoSing the IP. Now there's one thing I'd just like to say, like
01:42
when you do this, sometimes it will come up with like a timeout message. This means that the IP could be wrong, or in fact your connection is not strong enough to send packets, or
02:01
could just be a general error, because it could do all of this and then just say timeout and then carry on, so it could just be like the ping's not actually sent. So once you're done you hit Ctrl-C, and: sent 43 packets, they received 43 packets. They lost nothing on their computer, so 0% lost.
02:25
So basically they must have a strong connection. You've got to do this for a while with this method. Go outside and play. Yeah.
02:45
All right, who liked that? How to DDoS with ping, is it good? I'm not responsible if you go and DDoS anyone with ping. But do you like the bit where he goes "just go out and play" while you're DDoSing? Gives you a little bit of a sense of
03:03
how sophisticated some of our cyber hackers might be. So, you know, we see a lot of this sort of stuff from Anonymous and the like, and I saw this come up the other day. So this was after the Paris attacks, and Anonymous decided they're going to take down ISIS, which is a worthy objective, and there was this story about "we're gonna take them down".
03:22
You got to remember Anonymous, a lot of the time, are these, you know, kids with a bit of spare time on their hands. But what I liked about this article was the number one rated comment on it. It's funny because it's true. All right, so moving on, this talk is about 50 Shades of AppSec, and the idea is that application security is a really broad
03:48
space, and there's a lot of crazy stuff that happens. There's a lot of really interesting things that happen and a lot of things we can learn from it, particularly as developers and software engineers and all this sort of thing. It's really interesting to sort of see some of the stuff that's happening out there in terms of what is built,
04:03
how things get compromised, and how some of these malicious actors actually behave. So here's where I thought I'd start, and it's gonna be 50 different things I'm gonna show you, those are the 50 shades. But it's not a salacious sort of thing. You're gonna see 50 different interesting things. I
04:20
start here: democratization of hacking. So let me talk a little bit about what I mean by this. This is about how anybody can become a hacker. So it's becoming really, really easy for anyone to start breaking the systems. I want to give you an example. You know, so this kid here, a couple of years ago this kid hacked the Xbox.
04:42
We know he hacked the Xbox because the news headlines tell us, but he did actually hack the Xbox. He managed to fat-finger the controller and elevate privilege to circumvent parental controls. This is serious, right? His dad's a security guy. His dad was pretty happy about the whole thing. He's now on the Microsoft Security Research Hall of Fame. This is a five-year-old kid, not the dad.
05:02
The kid got a bug bounty. Look how excited he is. So yes, "I broke into the Xbox". But this is proper hacking insofar as he could reproduce it as well. It wasn't just like a one-off. He figured out how to actually escalate privilege. He's five years old. Makes the rest of us sound like kind of failures sometimes. I haven't even hacked an Xbox yet.
05:21
Anyway, five years old. So this is the point, right, with anybody being able to be a hacker. Now that one in a way is kind of simple, although it's Microsoft and the Xbox and he's five years old. We'll move past that. If you wanted to hack stuff you could go and get a browser plug-in like this. It's called Bishop.
05:42
So there's a browser plug-in that just runs in the background. So you browse around the web, and as you're browsing around it looks for vulnerabilities in the sites that you're using: the news site, your bank, whoever it might be. And it looks for things like exposed version control, misconfigured admin, and it does it all automatically.
06:02
So when all you need is a browser plug-in, anyone can be a hacker. It is that easy. Now you might then decide that you actually want to get a little bit more serious about it and actually learn how to hack, and you can find tutorials online like this. And what they do here is they find a website
06:20
that's got a query string with an integer. They add a single quote and load the page, and when they do that they get a SQL exception, so it's probably a SQL injection risk. All you got to do after finding that is you copy the URL and you paste it into this free software called Havij, and then you click the analyze button and now you have all the data, and
06:42
it is literally that fast. It is really, really simple, freely available software. You just find a URL with an ID in the query string. A lot of sites are at risk of that. This is exactly the sort of thing that happened to TalkTalk. I mean, I assume that was big news here because it was big news even in Australia. It was kids who managed to use tools like this, and they knew how to copy and paste, and that was about the extent
07:05
of their security prowess. Now, just in case you don't want to hack yourself but you'd like someone else to hack for you, you can go and use a hacking service. It goes like this: "Find professional hackers for hire".
07:21
Now what struck me with this is that this is not a dark web site. This is out there in the clear. It's kind of a nicely designed site, lots of smiling stock photos. Everybody looks very happy. This is a very mainstream sort of site. It's even got HTTPS. It's quite nice. You can go and start a project for free.
07:43
A project usually involves something like compromising your significant other's email in order to figure out if they're having an affair. That's what they mean by project. Now the interesting thing is that because it is so easy for anyone to become a hacker, we start getting a lot of this. We start getting hacktivists.
08:05
That's a bit of a confusing term, and everyone's got a different idea about what a hacktivist is, but I really like this definition, and this is it. Literally 30 minutes ago I was sitting there waiting for my talk, and I'm reading the news, and
08:23
Nissan has been hacked. Distributed denial of service, maybe we don't call it a hack, but they've been taken offline by Anonymous. Anonymous has taken Nissan down. You know why they took Nissan down? Because of the whales. That is the reason it's in the news at the moment. Nissan is offline because Anonymous doesn't like the fact that Japan is knocking off some whales. It's fair enough.
08:44
It's not Nissan's fault though, but still, so that's where we are. And by the way, if you don't follow SwiftOnSecurity, that is an awesome account. It's got really, really interesting stuff in it. So let me give you an example of this whole sort of opportunism. So this was an Aussie site a few years ago,
09:02
and as we can see it was hacked by Anonymous. "Australian government continues to bla bla bla bla bla bla", the rest of it doesn't really matter because it's all sort of pointless ranting. It is OpAustralia, OpTrapwire, OpFreeAssange. It'll be whatever op the hell they want it to be in order to make up something that seems like they had a good reason to break into you.
09:21
So they thought this was a government site, and it turns out that it was an NGO, and it was an NGO to help people with disabilities become rehabilitated. And frankly, I think in this case Kath has probably even been a little reserved. I might have used some stronger words.
09:40
You know, this is crazy. It's an NGO trying to help people and they've knocked them offline because it was there. That's about the extent of it. Now the problem that that creates is that you end up with situations like this. So you end up with kids, either legally kids, or they are younger than us, therefore they are kids,
10:02
going to jail. So these guys are from LulzSec. They had a lot of infamy in about 2011. They're both turning up at court with their mums, right, because this is what happens when you're a kid and you get caught hacking: you get your mum to take you to court. Have a look at the expression on the mums' faces too. They are seriously pissed.
10:22
These kids are grounded, like, just forever. Also maybe going to jail, different story. But this is the thing, they are just innocent kids, and for all the sort of dark masks and green writing and binary images that you see every time when the news breaks. You notice that every news article, they have three things, like the hackers that are the stock photos:
10:40
they have hoodies, they have Guy Fawkes masks, and then they have binary somewhere in the image, and green, lots of green. That's hacker talk. Now, thinking about hacktivists as well. So I mentioned TalkTalk. When the TalkTalk incident broke, one of the first news stories I saw was a detective said "we think that they are Russian Islamist cyber jihadis".
11:05
There is a news story about this, I swear to God: Russian Islamist cyber jihadis, which is just like the perfect storm of scary terms. Now as it turns out it was a 15-year-old kid in his bedroom in Ireland. I assume in his bedroom, because where else can he hack from when he is 15?
11:22
It's not like you go to work and do it. So they arrested a 15-year-old, arrested two 16-year-olds, and then there was this really old guy, like 20 years old, and that's what it took to break into TalkTalk. And that was obviously a really massive story and it did some serious damage, but it was just kids with free time.
11:42
That's what it takes to break into a lot of our systems today. Now the problem is, even kids with free time, once they break into systems we get into this realm of criminal activity. And that's why these kids are turning up at court here, because it's a serious crime when you break into these systems and pull data out.
12:02
Now the thing about cyber hacking, for want of a better term, is that as a crime it's pretty safe. Like, you think about it, go back 20 years. If you decided that you wanted to be a criminal, you might break into a service station, you might try and rob a bank. Someone might actually smack you in the head with a baseball bat.
12:23
Other parts of the world, America, they may shoot you. You know, you are at serious risk. It is a high-risk venture. But you hack online and it's like the kids, right? They're just in their bedrooms. So there's a very, very low risk of getting caught if you're involved in criminal hacking.
12:43
So this is a real problem, and I'll give you some examples of the sort of criminal hacking we see. So we see stuff like this, and this is sort of really kind of inane criminal hacking. It's a Pastebin paste: "Stole an assload of data for the lulz. Want your database off the internet? Send Bitcoin."
13:01
So what these guys have done is they've broken into a system, they've published the data, and they're trying to hold the company for ransom, saying we will remove you from the internet if you pay us money. And as ridiculous as this sounds, this is what professional organizations are also doing. When Ashley Madison happened,
13:20
they said hey, you can sign up for our service and pay us a few hundred bucks and we'll remove you from the internet. I mean, don't worry about the fact it was torrented like hundreds of thousands of times, but we'll work it out, we'll try and remove you from the internet. So in this case they're saying give us Bitcoin and we'll take the stuff offline. Then we see things like this, which is give us Bitcoin and we'll put more stuff online.
13:44
So they're appealing to a different demographic, and we see a lot of this sort of thing where what they're doing is saying we have got some data from a system, we will give you more data if you pay some money. So this appeals to a certain criminal element. Now, does everyone remember when seven million Dropbox accounts got hacked?
14:04
Because I don't, because it didn't happen. They just make it up. So they make it up and they seed these data dumps, and very often it is on the likes of Pastebin. They seed them with data dumps from other places, so they will take a whole set of data and then they just rebrand it, and
14:21
I know this because when I use a system like my Have I Been Pwned and I search for accounts to try and figure out if something is legitimate, I see the same accounts appear over and over again. So the Dropbox.com hack was the same as the Snapchat hack, which was the same as the Facebook user hack and the Twitter hack, and the data just gets rebranded as a different attack.
14:44
Now, I don't know how many people actually pay for this. You know, how many people do actually throw them a Bitcoin, which is a few hundred pounds, like a Bitcoin's not cheap these days. Lot cheaper than it was though. So they throw them a few hundred pounds, but even if it's only one or two people, it's such a low-overhead thing to actually create this sort of criminal activity.
15:04
Now another interesting one that we saw recently was this, and this looks like it's got a fold in it because it does. This is actually a physical piece of paper that was sent out to businesses, and this went to a pizza place in New York as well as a whole bunch of other organizations, and it is an extortion racket.
15:22
So what they're saying is give us Bitcoin or we're going to do bad things to you. We're going to do things like make reports of mercury contamination or marijuana grow operations, possibly terrorist training activities in your pizza place as well.
15:41
Not quite sure how that works, but let's just assume that that is a thing. So they were threatening reputation damage if money wasn't paid. And when I saw this it kind of reminded me of Pulp Fiction. A lot of you have probably seen Pulp Fiction. Start of the movie, they're talking about a guy who goes into a bank. He's got a phone. He says give me money or I'm gonna tell the other guy on the other end of the phone to kill a little girl.
16:03
Don't know if there's a little girl. You don't know if any of this is gonna happen, but it's a threat. And one Bitcoin, yeah, you know, you don't want to give it away, but if you just paid one Bitcoin to make this go away, it's not a whole lot of money, and inevitably people did pay it. We see people pay extortion rackets.
16:21
So we've seen extortion rackets like this with Ashley Madison as well. After the data came out, very easy just to do a mail merge on 30 million people. You've only got to get a very tiny slice of that to give you a Bitcoin and you've done quite well. So, what do cyber criminals do with their money when they get it?
16:41
They go to Rio and buy hookers. And this is one of the things that they were doing after compromising routers there. So have a think about how this works, and this is an attack that does happen a bit, the router bit anyway. So what they do is they find a cross-site request forgery risk in the firmware of a router.
17:01
So imagine you go to a website somewhere. It could just be a normal everyday website, could be infected with some malicious ads, which does happen quite a bit, and when you load the ad it makes a POST request to 192.168.1.1 or whatever the default router IP is, and that POST request says change the DNS records of the router
17:21
so that we get host names resolving at the attacker's service rather than the legitimate service. And then when you can do that, you can route every single request to a legitimate host name to, say, a phishing page. So you go to your bank, but it's not actually going to your bank. It's going off to the hacker's phishing page.
17:41
They compromised a huge number of people using an attack like this. Now it does pain me to see criminals being successful, but it excites me to see them failing, and we've seen some really interesting things in terms of the way criminals come undone online.
18:00
So, give you an example. This is a Stack Overflow question: how can I connect to a Tor hidden service using curl and PHP? And the example the guy gives here is very, very specific, and what ended up happening was it was discovered that this was a question asked by a guy called Ross Ulbricht.
18:21
Now Ross Ulbricht was also known as the Dread Pirate Roberts, and he was also known as the founder of the underground drug market called Silk Road. And he was using Stack Overflow to ask about "how do I connect to my underground drug market?" using an email address that was traceable to him, and this was one of the pieces of evidence that eventually got him caught.
18:44
He was also trying to kill people. So none of that really worked out too well for him. He probably won't ever be coming out of jail. He made tens of millions of dollars in Bitcoin from running this; a bad Stack Overflow question brought him undone. So moving on, here's another good example. So this guy was in the news quite a bit a while ago, Jihadi John.
19:03
Now he was in Syria chopping people's heads off and making videos about it and creating much fear and alarm. And what was unusual about Jihadi John is he had this strong British accent, which is not sort of the demographic you tend to get from this kind of actor.
19:20
So everyone's trying to figure out, like, who is he, who is this Jihadi John, because obviously he spent time here in the UK. And then the feds found some interesting activity. They found that a Syrian IP address was buying web design software from a UK store. Apparently that's an unusual traffic pattern. Not only were they buying web design software, but they were using a student ID to get a discount when they bought the software.
19:47
So this is the guy, Mohammed Emwazi. He is Jihadi John, and they brought him undone because he was buying some sort of web software using his ID to get some stupid discount. Use a VPN at least. So as terrifying as some of these guys are, some of them are also kind of stupid,
20:06
which is good news for us, you know, as the good guys. Now speaking of doing stupid things, has anyone seen this? So here's what happened here. This is a sort of, I guess, inflammatory sign, and basically what was happening is there was a hacktivist group known as CabinCr3w
20:28
going around owning Texas law enforcement. Now I've not been to Texas, but I don't reckon they've got a whole sense of humour about kids coming and owning their stuff. So anyway, what these guys decided to do, this guy w0rmer, w0rmer and CabinCr3w,
20:45
he's obviously trying to, you know, sort of rub them up a little bit in terms of upsetting the law enforcement. And he goes to his girlfriend and he says, hey, I've got this good idea, right: print this sign out, get a low-cut top, lean over, and then with your iPhone
21:01
take a photo of it, and then we'll put that on the sites that we compromise. Now, who knows what goes onto a photo when you take it with an iPhone? Metadata, geotag data, down to about seven decimal places of latitude and longitude. So the cops now have this, right, so they have the photo, they have the lat and long, and
21:23
As it turns out it was down in Australia where this particular lady was and I can only imagine that they've got the Latin long and I got the photo and The sort of got a rough idea of the area and then they have to go around and try and somehow match it up The mind boggles but but they did match it up, and it was this lady here and
21:46
This guy is wormer, and what strikes me with this is how normal they look. Like, they're just, you know, you'd pass them in the street and go, just two normal people. Like, he doesn't even have a hoodie, right? So they're just very normal people, and it sort of goes to that point again of anyone being able to be a hacker.
22:06
You can just be a perfectly normal couple, and then, you know, behind closed doors you're sort of online cyber jihadi, or maybe just cyber activist. So it's a curious thing: anyone doing this sort of thing can easily become a hacker.
22:22
And when you look at this and you go, all of these people are really, really easily breaking into our things, you've got to ask the question: is this the problem? Do we make it too easy? So we as the developers, are we building systems that are too easy to break into?
22:41
So that got me curious, and I went and I had a bit of a look around. I thought, let's see if we can find some of the ways that people are breaking into our systems. And I found a login form. Now, you can Google that text and you will find this. It is real, it exists. This is not fabricated.
23:06
It's not as bad as it looks, in a way. I mean, it doesn't make password resets easy. You just go, okay, I remember my mobile number, that's cool. If you do need to reset your password, you basically have to change your phone number, which is problematic. You then can't give it to anyone either, because it's a secret, right? So you can't give your secrets out to anybody else.
23:25
But this is a system. Somebody designed this and thought it was a good idea. I don't even know why you bother with a password. Like, can't they just do a substring or something and just go, okay, one less step? This was another one. This one was from the UK, Betfair. I have a lot of UK examples, very coincidentally.
23:42
But what happened with Betfair: I was watching the Twitters one day, and there was a journalist having an online argument with Betfair. And what the journalist was saying was, I went to Betfair and I went to reset my password, and all I did was enter my email address and my birth date and
24:01
then set a new password. So I did not receive an email with the unique link in it that's time-limited, with the nonce, and does all the things that a reset is meant to do. I just did it all in the browser. And Betfair's going, no, you can't do that, that's not how it works. And they're arguing with the guy, and Betfair was really obnoxious about it. It was likely that they were going to delete it, so I screen-capped it so they had a backup,
24:25
which is now on my website. But they were being really obnoxious about the whole thing, and anyway, then the penny drops and Betfair realises, oh shit, we can actually do this, you can actually reset it this way. So they say to the journalist, you shouldn't share your username with anyone.
24:43
And the journalist is going, but it's my email address, that's how I get email. So Betfair says, well, you shouldn't share your birth date with anyone. And the guy's like, cake and presents and things like that.
25:03
And the thing is, this is legitimate. I ended up going through and recording it, so I can't believe... I do this: oh man, they actually did this. So I recorded the whole thing and put it in the blog post. And interestingly, I showed this example at a keynote in Amsterdam last year, and after I did the talk I came off the stage and this guy came up to me, and he gave me his card, and it was Betfair security.
25:25
Oh, no shit, I'm in so much trouble. But the interesting thing is he was really cool. He said, thank you so much for writing that, we knew this was stupid, but marketing... and I never hear this... but marketing, marketing would like to do it this way for usability. There is some business reason, and it's often only after there's a bit of social pressure
25:44
to get the organisation to do the right thing that they change. And the people there know that it's stupid, but they've been asked to do it, and here we are. So another good example I found, so you can see a problem with this one.
26:01
Now, this is JavaScript on an HTML page. It's a login form. Now you're laughing, but consider the virtues for a moment as well. Number one, latency. No latency, no server postbacks. Scalability. You could have a million people log on at once, it wouldn't matter, right? The thing would scale very, very well.
26:22
But this is a login form. People do this. This is a site map. This is one that I found. It is legitimate, I saw it firsthand. And let me explain what's going on here just in case it isn't immediately obvious. So this is a site map, which is meant to be an index of all the resources on the site.
26:44
And someone, in all their wisdom, has said, you know what? People are a resource. So what we'll do is, for each person in the database, we will make a node in the site map, and we will put their email address and their password. And this is what was in their site map. This is legitimate. It's not fabricated.
27:02
So when we do things like that, we do make it enormously easy on attackers. I mean, ridiculously easy. Do you know how to view source? Yes? Good. Now you're a hacker. So that's really super easy stuff. But we also see stuff like this. Now, some of you may recognise this as a SQL command and some SQL syntax.
27:21
Some of you may also recognise this as a SQL injection risk, because you can put whatever you want in that txtEmail field, and the text value will be appended into that statement. So for example, I could go and sign up on this website, inevitably it's an email field, and I could say single quote, which would close off the string value of email,
27:44
semicolon, which would close the SQL statement, drop table login table, and then I'll just whack a little dash-dash in there as well to comment out that other single quote that's going to be appended to the end. And if the web app had the rights of dbo on the target database, and frankly, if you're doing this, you're probably going to screw that up as well,
28:03
the logon table would be dropped. And I explained this to someone once and they said, aha, but that would not comply to an email pattern, and there's a regular expression validator on the email. Okay, so on the end of it I'll put @.com. Done. Job done. Now, the reason I showed this is because I show this to people and they go,
28:23
ah, yeah, but SQL injection like this was a problem before, right? Like, this is something we used to get wrong, and these days we're all doing Entity Framework and ORMs and even stored procedures. All of these things give us a lot of good protection against SQL injection. This is a tutorial that was written last year.
28:41
It's up on the web, it's still up there. It's about how to do password resets. It has a very long comment from an Australian guy saying maybe you shouldn't do this. But it is still up there and it hasn't been changed. So people go to these resources and they copy and paste the code and they build their systems, and these things just keep propagating.
29:03
So that remains a problem. We still have a problem with the way we're building our systems. Now, I also think we have a problem with the way we're setting things up for users. We're setting users up for failure. I'll give you a good example of that. This is Lego. If you want to create a user account on Lego,
29:22
it's a typical sort of login form, but they give you a little bit of advice here. This is not good. Don't do this. Now, I can get by the fact that they say big and small letters instead of upper and lower case. They're probably targeting kids, right?
29:41
Kids will know what big letters are and small letters are. But this is not the message I want to give to kids either. You know, we want to start teaching our kids how to create good passwords. Hey, if you want to teach your kid how to create a good password, teach them a passphrase. You know, that's so much better than something that is short so it's easy to remember. Yet this is what we do.
30:01
Now, as bad as the advice is that we give to kids, we're also giving bad advice to adults. Another British example. Now, this was curious, because what Virgin Media were doing is they had a JavaScript file with all the words you weren't allowed to use, which was enormously entertaining reading,
30:21
because you could download the file and go, I hadn't thought of it that way before. All these different words, of which wankers was one. And it made me curious as to why they would be blocking particular terms from the password, because it's not like when the hashing algorithm sees wankers it goes
30:41
and gets embarrassed. It doesn't work that way. Hashing algorithms don't care. Humans care. So there are humans at Virgin Media seeing these passwords, which tells you something about the way they're creating them. It also tells you something about the way they may be asking for them. They're handling the passwords insecurely.
31:02
That's the only reason this happens. Now, security also becomes quite complex when we look at things like security questions and answers. And it becomes complex insofar as it's hard to write good ones. It's hard to write a good security question and provide answers, and we see it screwed up quite a bit.
31:26
Now, this is not good. This is a pub trivia question. So this is not a good security question. Anything that you can Google is not a good security question, or, as it may be, a good security answer.
31:40
And this is the problem, because anyone can figure out what that is if you choose that particular value. Frankly, things like colour aren't very good either. Red, green, blue, okay, there's half our audience. And then you can pick a few others, and you pretty much guess pretty quickly. So these ones are very easily discoverable. But sometimes we see security questions
32:00
that are almost impossible to create answers for. I'm pretty sure that wasn't the dog's name. However, this is ridiculous. We really struggle with security questions. And look, for the most part, security questions are probably more pain
32:22
than what they are actually good. So these are really problematic, and it's just amusing to see how many times people get this wrong. And at the end of the day, it's one of us, colloquially, as a developer, that's sitting down there writing this code, writing these questions. And that got me thinking, if maybe it was a problem with the way
32:43
we're teaching developers. So are we teaching them the wrong things? Are they learning to be insecure by default? So I thought what I should do is go around and find some interesting resources in terms of some of the education we're giving technology professionals. And here's one of the first things I found.
33:01
Can we have some audio back, please? Let's try that again. Audio. Here's one of the first things I found. Hey, what's up, YouTube? This is Next Gen Hacker 101, and today I'll be teaching you guys how to view other computers' IP addresses. Alright, what you do is you type in
33:21
Tracer T, space. Alright, now this is a cool thing. Tracer T and then space. Now what you want to do is you want to type the site you want to view. So you want to go HTTP, semicolon, slash slash,
33:41
and then, well, not semicolon, the little dot dot, and then the website. So like, let's just say Google. Oops. So like, let's just say we want to see how many IPs are looking at Google right now, and like, at this exact moment, we're going to find how many people are looking at Google, what their IPs are, and what their connection speed is.
34:01
Here we go. Once you're done: Tracer T, space, and then the website, HTTP, dot dot, slash slash, and the website. I'm doing Google. You want to go ahead and do that as an example, and then you enter it. And here we go. Here they come. One, two, three, four, five, six, seven, eight, nine, ten.
34:26
And hold it. Hold it. Alright, ten people are currently using Google and looking at it. It's a bit of a slowdown, Google. That one, no doubt.
34:40
Just one pro tip as well: when you are looking for tutorials, and particularly video training, if their voice hasn't broken, do proceed with caution. Treat as suspicious. Be good on the kid for having a go, and the same for the kid in the first video. You know, they're out there, maybe they're doing wonderful things now, who knows. But when you hear a kid,
35:01
you kind of expect it to be maybe not the best of advice, right? But the problem is that you can go to professional training resources and find other really bad advice. So here's one that has, as part of the course, this little exercise where you need to encrypt a credit card. It gives you an example of how you might encrypt that credit card.
35:25
For those of you who are perhaps not familiar with Base64, the problem with Base64 encoding is Base64 decoding. It's encoding, right? You encode and then you decode. There is no private key. It's not encryption.
35:40
But this was in an actual professional learning resource. So that's problematic. Now, some of the professional training is questionable, let's be honest. A lot of the way other people learn as well is via Stack Overflow, and there was a question there a little while ago.
36:01
The question was, how do I securely store passwords in my system? How can I encrypt it? Now, this was one of the answers, and I'll sort of give you a bit of a hint about what's going on here if it's not immediately obvious. So what the guy here has said is, what you're going to do, right, is you get the password, and then for each character in the password
36:21
you take the ASCII value of each character and then you add 5. And you just do this for each character, and then the output of that is what you then save into the database. And then guess how you decrypt. Right, you get each character, and then you get the ASCII value and you decrease by 5. Now, this was one of the answers.
36:42
The next answer said, you Base64 encrypt it, the same as the last slide. And then there was another answer which basically said the same thing, but they said, no, no, no, we've got a more secure way. What you do is you get each character and you add 13, and then to decrypt you take away 13.
37:02
Now, fortunately, Stack Overflow tends to filter this stuff out, and it did disappear. I may have screencapped some of them and put them on a blog just beforehand, because it was kind of interesting. But one of the things that also struck me as very interesting with this is how quickly these answers appeared after the question.
37:21
Now, have a think about that for a moment. How do you get a block of code like that very, very quickly? They weren't sitting down and writing it by hand. They were going to their systems and going, I've done this before, I don't know what I can do, I'm going to copy this and paste it into my answer. Think about this. We all have passwords
37:40
in other people's systems stored this way. Guaranteed. At best, we all probably still have passwords stored as plain text. Maybe inversion. So this stuff keeps happening, and this is really quite a problematic thing. But we can learn an awful lot as well by looking at the questions people ask on forums.
38:02
We can learn a lot about the way organisations are implementing their security. So we can learn things like this. I so hope that's not my bank. I really do. And it's just amazing to see this stuff out there.
38:22
You see so many examples where, just at first glance, we all go, oh my god, what are you thinking? But it also made me realise that security is confusing. Stuff like this is confusing. Obviously the guy was confused as to why this was a bad idea. Even things like whether you should use PGP or Wingdings is confusing.
38:44
Well, come on, it's like little buildings and airplanes and cars. That's encrypted, right? You can't figure out what it is. I like the last sentence: I just bought a laptop so I can install my own stuff with my Wingdings encryption. And people do this.
39:02
I wonder if we've got passwords stored as Wingdings. How do you even store passwords as a Wingding? I've got no idea. Now, I don't want to just blame us, and again, this is a colloquial us, because it is developers that build these systems, and we've all done stupid things with code before. It happens. I also do want to blame the users.
39:21
And I think we all probably like to blame users. Any of you who've had sort of a help desk role before has probably had to deal with users that we'd probably rather forget. And they do do some crazy things, and we can see it evidenced in examples like this. Now, whose Twitter account is this?
39:44
This was a few years ago, and this was Burger King's Twitter account. And apparently the Whopper has flopped, and they have become McDonald's. Now, this was when Twitter got hacked. Remember when Twitter got hacked? No, it didn't really do that,
40:00
even though the news headlines say that. Because you open up the news headlines and they say, Burger King's Twitter is hacked. That is one possibility. But probably a more likely possibility is Burger King just had a really crap password, or they did something really stupid. And you still see it to this day all the time: such-and-such Twitter hacked. And that's never what it actually is.
40:20
It is bad password practices, almost every time. It's either that or phishing, falling victim to a page which says, please log in to your Twitter, and they just go, okay, here's your stuff. Curiously, Burger King's follower count went up massively when that happened. They had like 90,000 followers; within 24 hours they had 120,000 followers.
40:40
I'm not necessarily saying this is good social media advice. However, it did get a lot of attention. So it makes you wonder, right, so how are people losing their passwords so easily? Because we see this stuff all the time. I saw this with Tesla last year as well. It happened to them too. Another one that it happened to last year was TV5Monde in France.
41:03
So TV5Monde had their Twitter hacked. So they go and they interview this reporter at TV5Monde, because they're trying to figure out how on earth this could have happened. And the guy's sitting there at his desk, in front of the wall behind him, with his passwords on the wall.
41:23
So the penny dropped, and they went, oh man, look what we've done. That wasn't good. I know what we'll do: we'll come back the next day, we'll do another interview. So they interview this other guy. This is how Twitter gets hacked.
41:42
Post-it notes. But, you know, the other thing it says is that in these incidents there's no multi-step verification as well. So you should be able to lose your Twitter password and not have someone take over your Twitter account. And think about this for all your social media accounts and every account that's important to you. Could you publicly post your password
42:01
and not have your account owned? So clearly they were missing something pretty serious. I do think, though, that we give mixed and confusing messages, or we encourage people to do bad things security-wise, just by the design of a lot of our apps. So for example, what if you wanted a QR barcode scanner
42:20
for Android? Now, don't worry, okay, the barcode scanner does need your calendar, your contacts and your location. I assume it's trying to schedule when it should do the scan, and it has to look at your calendar or something. I don't know. Like, why would you ask for this stuff? It's massively invasive. And it could well be more web. But here's the problem:
42:42
when a user goes to download this app, what do you reckon the one thing they see on the screen is? It's Accept. It's like, what is the thing that is getting between me and achieving the objective that I came here for? Just that button. So we build these systems, and again, colloquially, we,
43:01
we build systems that ask for excessive permissions. We build systems that throw security warnings all over the place and then tell users just to accept it, which is really bad news. And the thing is, security is confusing to consumers. They see things that look legitimate, and then they take it as gospel.
43:21
Good example is, if you're going to buy an HDMI cable, would you get one that had antivirus protection? Now, buying HDMI cables is confusing at the best of times, but can you imagine, let's say one of your parents, say you've got non-technical parents,
43:41
and they're at the shop and they're looking at two. They're trying to decide. Well, this one's got antivirus. You know, what are they going to do? Someone wrote this and decided this was a good idea, and it's in shops, which is kind of scary. Now, as bad as that is, I also think we give very bad messaging to people,
44:00
and particularly when you look at the messaging that comes via social media. You see some really, really crazy security advice. So I saw one just a couple of months ago. It's this one from TWU, social media site, and the guy here had said, hey, you're accepting credit cards over HTTP. And TWU tried to make them feel a little bit more comfortable about their security prowess
44:21
by directing them to the VeriSign logo. We have a VeriSign bitmap on our page, ergo we are secure. Please enter your credentials into an insecure page. And this is a proper official account giving consumers this sort of advice.
44:41
One a little bit closer to home for you guys: British Gas. Someone had complained that they couldn't paste in their password from their password manager, and this is apparently why you can't do it. Now, I am not sure what the security certificate is. This is the first thing. Like, is it they take away your SSL, or how does this work if they allow pasting?
45:02
But I love this last sentence: leave us open to a brute force attack. Now, have a think about this, right, because what they're saying is you shouldn't be able to paste passwords into the field. And the best I could come up with is like a Chinese sweatshop, right, just thousands and thousands of people all going Control-C, Control-V, Control-C, Control-V. I don't know.
45:21
Doesn't make any sense. Another one a little closer to the UK: this is EE. Now, EE is responding to people who have queries and saying, please send us all your sensitive information over Twitter using DM, where it will sit in our Twitter account, which may be hijacked at some time,
45:41
because we know why now. Maybe emailed to them as a notification, insecurely. But more than that, think about the conditioning side of people. If you created an account called EE-support-help, whatever is available, dash help 2, probably doesn't even matter, you put the logo on, doesn't matter that it's not verified,
46:01
and you just started replying to people like Jay Sheppard with this message, how many people would just go, reply, and then send their sensitive data? A lot of them would. And these practices, even though that's a legitimate account, verified account, mind you, Tesla was verified when they got taken over as well, so assuming this was actually their intention,
46:21
it's just setting a really, really bad precedent. Now, some of you may remember a few years ago Tesco and I had a little chat, and they sent me some advice about how they stored passwords. This baffles me to this day.
46:43
If anyone knows how this actually works, if there is anyone from Tesco here, please come and tell me. But this was their response when we discovered that they were emailing passwords around. And again, this is enormously confusing, because they are giving this feedback to consumers. People are getting these messages,
47:00
and they're going, oh, okay, now I understand. It's fine that you email it because it's automatically copied and blah blah blah blah blah. So that's the communications we're giving people. There was another thing that happened last year as well, which was kind of interesting, and it's in many ways a lot less humorous, although there's some funny aspects. And this was the Ashley Madison hack.
47:22
So Ashley Madison was a really, really serious security incident, and we learned an awful lot from it. So basically what happened, August last year, hackers broke into Ashley Madison and they said, we have stolen all of your things. Shut the service down or we're going to publish all the data publicly. And there were a couple of things
47:41
that the hackers weren't too happy about. So one of the things that they didn't like is that if you were a member of Ashley Madison, hypothetically, I'm not saying any of you are, hypothetically, and you then wanted to leave and you wanted them to delete your data, you had to pay them $19. Permanent delete fee, it was. And what the hackers found
48:01
is when they broke into the system, the way that Ashley Madison did the permanent delete is, in the membership records, they zeroed out all the personally identifiable data. Okay, so your name, your address, your email, all that sort of thing. But when you paid, you now had a payment record that had a foreign key to the membership record, and your payment record had
48:21
your name, your email address, everything on there. So these guys had to break into the system to discover that. But they were quite right: Ashley Madison was charging people for something which they weren't delivering on. So they were upset about that. They were upset also about the very existence of the site, because, as the slogan here says,
48:40
Life is short, have an affair. So clearly they had a moral dilemma, the hackers that is, and they thought, okay, we've got to take these guys down. So they took them down, and they published all the data, and it just got torrented massively, very, very quickly. It's all over the place. It is never going to get back into the can. That genie has well and truly popped. Anyone can go and download
49:00
all the Ashley Madison data now very, very easily. Now, because it was so broadly distributed, a lot of people started monetising it. So we saw stuff like this. So this was a service where you could search for people in the Ashley Madison data breach, and then when you found them, it would return all of the information they had in there.
49:23
So here we have things like the name, obviously I've obfuscated a lot of this, phone number, address, everything. It also included things like credit card transactions, so you could get a really high degree of confidence that someone actually deliberately had a site there and then what their activity was. Now, I also have this system.
49:41
I have an endpoint system, and I let people search for their own data, and it would only say yes or no, in there, not in there, but only if I knew that they owned it. But these guys were just making it a free-for-all. And you might look at this and go, well, why would you do this? Like, what is the value proposition of standing up a service like this?
50:00
And it helps to understand when you see it in context. Alright, ads. So they're monetising via ads. Top one: is he cheating on you? Reverse search. So, you know, Chloe was contextual, I'll give them that much. I also saw that rotate over to divorce lawyers, so they were trying to sell divorce lawyers there. As you can see on the right-hand side of the screen,
50:21
GPS trackers. Maybe you should track your significant other. The one down the bottom right is sexually transmitted disease tests, because if you're on Ashley Madison, that may be something you want to consider. Although, curiously, it was basically just guys and fembots, so I'm not quite sure how relevant that actually is. Some of the other links there towards the bottom left
50:42
include links to things like spyware, and one of the links goes off to an app called mSpy. And mSpy was spyware that you could install. As they represent it, they say you could put it on your kids' devices and make sure they're doing the right thing. In actual fact, most people were putting it on their significant others' devices,
51:00
or compromising someone else's devices and spying on all their activity. mSpy, earlier last year, was hacked and all their data was leaked publicly. So now you've got this here as a result of Ashley Madison being hacked, and all this personal data there, encouraging you to use the spyware tool, which was also hacked and leaked all the other personal data. And it just kind of makes your head spin,
51:21
how entwined all of these attacks are now becoming, because there's just so many of them. Now, in terms of monetising the data, we also see things like this. So this was a company called Trustify. Trustify PI, private investigators. And they stood up a service that allowed you to search for anyone,
51:42
and what they did is, immediately after you searched, it sent an email to the person you searched for and suggested that they buy their private investigator services. How sleazy is that? That is terrible. And regardless of your ethical view on the whole thing, the privacy issues are just enormous.
52:02
So you've got a wife searching for a husband, and again, it was normally a wife searching for a husband, because it was mostly guys, and then the guy gets an email that says, hey, someone's searching for you on Ashley Madison. You know, that would just be terrifying. But what's interesting about this is that this message was generated from a social icon on the page after the search.
52:21
So what Trustify were doing was not only encouraging people to search, and then sending emails to the person searched for, but then encouraging the searcher to share socially the fact that they had searched and that they had found their ex. Not only were they encouraging them to do it, but they even favourited it. This is Trustify favouriting it.
52:41
Now, you might look at that and go, okay, well, that's a bit of, you know, people are going to search for their ex. It's a bit of, you know, screw you, you're on Ashley Madison. But they were also doing this. Man, with friends like these, hey? They're encouraging people to search for their friends. Same sort of thing. And again, they were selling private investigation services and making money out of it.
53:03
But what a lot of this doesn't recognise is just how serious the incident was. And I got literally thousands of emails from people after this thing happened, and I got one like this. And I've sort of highlighted the bit here that's really significant: I've contemplated suicide daily for the past week.
53:22
My two beautiful children and wife are keeping me alive. And I had multiple emails like this, where people were literally willing to kill themselves over the incident. Now, granted, look, they're having affairs, they're doing the wrong thing, they're always going to have some degree of problems. But Ashley Madison and the data breach was the catalyst to that,
53:41
and some people did kill themselves afterwards. And I just thought this was curious for us, particularly as developers, because normally we think of users as these faceless things. We say users, they're not even people. But they are individuals out there that have lives and families, and in some cases like this, if we get it wrong, they may even die.
54:04
So that was Ashley Madison, and that was a pretty unprecedented event. But I want to move on a bit and talk about security in physical things. And this is where it's getting really interesting, because we're seeing a lot of connected physical things and a lot of security incidents in physical things these days.
54:21
But sometimes security in physical things can actually be a really simple concept, like this. That just wouldn't feature in your threat model, would it? You know, it's like, you're worried about cyber jihadis, obviously, SQL injection, all that sort of thing. Envelope with the window? No, it wasn't even in there.
54:42
And I just think this is a great example of how we can take this sort of digital world and do everything right, and then as soon as you print it, yep, it's all over. We just circumvented the whole thing. Now, we can also use the physical world to great effect to circumvent digital security. We can do things like this.
55:01
So let me explain what's going on here, for those who may not recognise RSA tokens. This is two-factor authentication. You have a token which is seeded and then shows a unique number, and it's like the 2FA that we have now in our phones, which is kind of two-step verification, because you often just have the one device. But this is generally a separate device.
55:21
So you have the unique random number on the device, and you've got a PIN number just beneath that, or just above it, on the white paper which is obfuscated here. So what someone has done, to solve the problem of having to give everyone secure tokens or carry it around, they've gone, you know what we'll do? We'll just point a webcam at it, right? And then we will go to an address somewhere,
55:41
but it may be publicly accessible. A lot of publicly accessible webcams. And then we'll have everything that we need in order to complete that second step of verification. It's cool, it's ingenious, I like that. I mean, don't do it, but it's kind of cool. Another good example recently of physical security was this one. This was VTech. So VTech was a big story that broke a couple of months ago.
56:02
A journalist got in touch with me and said, someone has given me a whole heap of data, I want you to help me verify it and see if it's legitimate, because a lot of this stuff is fabricated. And we sort of went through all the data and we discovered it was legitimate, and discovered how it was collected. Now, what VTech does is VTech creates kids' toys.
56:21
They're a Hong Kong based company Billion dollar revenues They're very large And one of the toys they create is like Imagine if Fisher Price made an iPad, right? And it's going to be all colourful and cute and stuff like that And the theory was that little Johnny could have an iPad Or a VTEC tablet And little Mary could have one as well And then they could talk to each other
56:42
And what parents obviously didn't realise in many cases Is that the way this magic talking to each other happens When you're in completely different locations Is the internet There's services There's APIs behind it So what happens is little Johnny and little Mary are signing up With their names Okay, fair enough Mary wants to know she's speaking to Johnny
57:00
With their birth dates Which is also kind of fair enough Because when you have kids creating social networks They probably want to pick an age that's pretty similar And their genders Again, kind of fair enough Girls want to talk to girls So on and so forth But they had to create this data in the system And the parents had to set up an account Under which the kid could create theirs So the parent had to create a whole bunch of data as well
57:23
And what it meant was that the data that was given to me had about 4 million parents in it and about 280,000 kids, and the kids' records had foreign keys to the parents. So you could literally pick the child that you wanted in terms of those attributes and then find them,
57:41
because the parents' records had physical address and phone number and email address and everything you need in order to find them. And that was 280,000 records, and then VTech, in one of their announcements, said it's actually 6 million kids. So 6 million kids, 4 million adults, and all of this data has now just been made,
58:01
fortunately, not made public, because we think that the guy who broke into it only gave it to the journalist, the journalist only gave it to me, I certainly didn't give it to anyone, so hopefully that was the end of that. But it also leaked the photos as well. So not only could you pick the gender and the age of the kid, but you could actually pick exactly what they looked like. So VTech made serious, serious mistakes
58:20
in the designs of their systems. So they did some things which were just obvious, although not entirely uncommon. So they had no HTTPS anywhere. They did other things that were kind of ridiculous. So when you logged in, the API that you hit returned a response that had the SQL statement that was run in the database. Why would you even...
58:41
Maybe debugging, I don't know, but that's just the weirdest thing. They had direct object reference risks, which means you could load your record and it would pass a parameter: your ID is number 257. If you asked for record 258, you'd get someone else's; 259, you'd get someone else's again. So they made all these really big, big security mistakes.
59:03
But they're moving on. They're now doing home security. This was CES last week. The journalist who wrote the story took this photo for me. He said, I thought you might find this amusing. I probably wouldn't buy this home security gear. That's probably not what you want.
59:20
So this is what those guys are now doing. But of course, particularly at CES, there was a huge number of internet connected things. IoT is everything these days. They want to connect all of the things. Apparently your fridge and your toaster need to be able to chat while you're asleep, or do whatever fridges and toasters are meant to do with each other. But we're seeing other things
59:41
in the IoT world, like this. This is LIFX. This is an Aussie invention. There are other light globes out there, connected light globes, but LIFX is Aussie. And they're really neat, and I'd really like to have them if they weren't exorbitantly expensive. But basically the way this works is you've got your smartphone and you can change
01:00:00
The color and you can change how bright it is, you can set schedules and moods and all sorts of things and it's all kind of geeky and cool. But LIFX had a vulnerability in their light bulbs. And here's the curious thing. People think about vulnerabilities in IoT and they think about the risk to the device. And people would say, okay, my light bulb might get hacked.
01:00:22
Think about that for a moment. My light bulb might get hacked, but do I really care if an adversary puts my home into disco mode? It makes everything flash. However, the vulnerability in LIFX didn't just allow them to put the home into disco mode, it leaked the Wi-Fi credentials of the home network.
01:00:41
So this is a much broader issue. Just yesterday I was reading about an internet-connected doorbell. You heard me right. An internet-connected doorbell that did exactly the same thing. And there is an internet-connected kettle called the iKettle that you could telnet into. Yes, you could telnet into your kettle and discover that there's a default pin on it.
01:01:00
And you could actually de-auth the kettle, make it join your network, telnet into it and then get the Wi-Fi credentials of the original network. So anyway, LIFX said, okay, we've had a vulnerability and we're sorry we screwed up. We'd like everyone to patch your light bulbs. And I thought about it and I'm like, is it USB? Like, do you plug it in? Or maybe you do it with the companion hub.
01:01:22
I've got no idea. I have not yet come to the sort of realisation of what it would take to patch a light bulb, and I don't think a lot of other people have either. The other thing they said is, yes, we had this vulnerability, patch your things, but we're not aware of anyone having been owned by their light bulbs.
01:01:41
And I thought that was curious, because I also don't think we're quite at the point where we're ready to accept that our light bulbs might be the attack vector into our home. And particularly when you think about the risk, right? The risk was disclosure of Wi-Fi credentials. So the exploit of that would be that your neighbour's torrenting over your network or something like that. And if you discovered your neighbour was doing that, would you say, I bet it's the
01:02:04
bloody light bulbs that were put in the other day? We're not kind of at the point of accepting that yet. But in terms of connected things, it does get worse. Anyone got one of these? This is the Lixil Satis.
01:02:21
This is genuine. It's from Japan, like all good toilet things are. Now, I can't read any of this, so we're going to have to speculate a little bit about what's on there. So the first screen, top left, I assume is some sort of a splash screen. The middle screen evidently is a calendar, and this has me curious.
01:02:43
It's some sort of event-driven data, as best I can tell, on the calendar. I'm not sure exactly what it is. But the right screen is a music player, and in case you can't read it from the back, this is genuine. You can Google this and find it. The toilet is playing I Can't Get No Satisfaction.
01:03:01
Now I saw this a couple of years ago, and I had a talk, and I said, look, we're going to have to be a bit cautious here, because we may well find that there is a vulnerability in the toilet at some point. And wouldn't you believe it? There is. It's a security advisory from Trustwave. This is terrifying.
01:03:21
Can you imagine an attacker activating the bidet while you're there on the toilet? I mentioned this in a talk, and someone said, yes, that's known as a backdoor attack. On that note, thank you very much.