So I guess everyone here knows the pain with security issues, and that some made it to the news and made us laugh, but some made us cry. And our next guest will take us on a little security expedition in Borkenland. So watch out, there are dangerous security problems, by Hetti. Give him a warm applause and have fun with the talk.

Welcome everybody. Let's start with the talk, Security Expedition in Borkenland. Yeah, I'm talking about information security, and there are three fundamental aspects, plus Neuland, and that's the reality today. But let's see what the three fundamental aspects of information security are. It's CIA. So first you think about these guys here, but that's totally wrong, because these are the three fundamental aspects: it's C for confidentiality, I for integrity and A for availability. Those are the three fundamental aspects. But I will show you now that all three of these aspects have problems in today's information security, and all of them get somehow broken. I will combine it with a security 101 for everybody, for people who are not really into IT security. So there are a lot of different acronyms. Let's check it out.

So first there is CVE. CVE stands for Common Vulnerabilities and Exposures. It's an industry standard and a naming convention for publicly known security vulnerabilities. There's an example CVE: that's the CVE of EternalBlue, the zero-day exploit from the NSA which was used for WannaCry, for example, this CVE number. Then there is also CVSS. CVSS is the Common Vulnerability Scoring System. It's a scoring system for scoring the vulnerability, where zero is like it's not a big problem and ten is like just shut down the system, trash it and build a new one, or fix all the bugs. And it's based on a formula that depends on different metrics, and it's also a free and open industry standard.

So let's go to the first security fault. The first one is command injection.
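The command injection the talk turns to next is the router ping form where a semicolon smuggles extra shell commands into the command line. As an added Python example that is not part of the talk, here is a vulnerable handler that concatenates user input into a shell string beside a hardened one that validates the target and never goes through a shell; the function names and the sample input are constructed for illustration.

```python
"""Router 'ping' form: the vulnerable string builder next to a hardened one.

Added example, not from the talk. The vulnerable version hands the user's text
to a shell, so ';', '&&', '|' or '$(...)' end the ping command and start a new
one. The hardened version allow-lists the target (IP address or plain hostname)
and builds an argv list, so nothing is ever interpreted by a shell.
"""
import ipaddress
import re
import subprocess

# Plain hostname: dot-separated labels of letters, digits and inner hyphens,
# at most 253 characters. No spaces, no shell metacharacters, no leading '-'
# (which would otherwise be parsed by ping as an option).
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"([A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_command(user_host: str) -> str:
    """VULNERABLE: string concatenation destined for os.system() / sh -c.

    Returned here as a string (not executed) so the injected tail is visible.
    """
    return "ping -c 1 " + user_host


def is_valid_target(user_host: str) -> bool:
    """Allow-list check: accept an IPv4/IPv6 address or a plain hostname only."""
    try:
        ipaddress.ip_address(user_host)
        return True
    except ValueError:
        pass
    return bool(_HOSTNAME_RE.match(user_host))


def safe_ping_argv(user_host: str) -> list:
    """HARDENED: validate first, then build an argv list (no shell involved).

    Each list element reaches execve() as one literal argument, so even a
    value containing ';' would be a single (invalid) hostname, not a command.
    """
    if not is_valid_target(user_host):
        raise ValueError("rejected ping target: %r" % user_host)
    return ["ping", "-c", "1", user_host]


def run_safe_ping(user_host: str) -> subprocess.CompletedProcess:
    """Run the validated ping without shell=True and with a timeout."""
    return subprocess.run(
        safe_ping_argv(user_host), capture_output=True, text=True, timeout=10
    )


if __name__ == "__main__":
    injected = "127.0.0.1; id"  # constructed sample input, as in the talk
    print("vulnerable shell string:", vulnerable_command(injected))
    for candidate in ["127.0.0.1", "::1", "example.com", injected, "$(id)", "-c"]:
        print("%-16r valid=%s" % (candidate, is_valid_target(candidate)))
    print("hardened argv:", safe_ping_argv("example.com"))
```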
So the idea is to inject your own controlled commands into a system. The classic one is some command interface on your router where you can ping some hosts, and then you just put a semicolon and some bash commands in there, and you can execute shell commands on your router if it's really badly implemented. That's the classic command injection.

Let's check out my first category. It's called "just fail". So the first category is just fail, and that's my example for it: the npm 5.7.0 release. So the thing is, this release was not properly tagged as a pre-release. So it was not a release, but a pre-release, and it was rolled out by update, and people just updated, and the problem was it fucked up all permissions on the file system if you ran it as sudo. So it changed them recursively in the folder. So if you ran it, you couldn't fix it easily; you had to restore a backup to fix all the file permissions. And that's the CVE number down there, and it was really interesting. So I checked out the GitHub issue for that, and it was quite, well, funny, and some crying was also involved. Let's check it out. So the first comment was: this destroyed three production servers after a single deploy. So I think, okay, and then there's the next guy who says: why are you using a pre-release version in production? Just asking. But the problem was it wasn't released as a pre-release, and he didn't know that it was a buggy pre-release. So it's not the fault of the guy that the update just destroyed three production servers. There are even more comments, but those are my two favorites about this issue.

So the next one is also a really sad category. It's called "can I have a new bank, please?" So maybe you read about it.
So if you have a great mobile app for banking and you got this warning, it's in German, but it states that something or someone is changing your connection, and the connection test to secureoutbank.io says that a secure connection is not possible, so please contact support. So if you get this warning on your mobile banking app, just shut it down and don't use it. But if you're the great bank, Comdirect Bank of Germany, you just write on Twitter and tell the people: oh, we know the issue, but just press OK and you can use the app. So the problem was their SSL certificates just ran out, and they just said: OK, we don't care, you can still use this app. And so they're telling the users to still use this insecure app for mobile banking. So if you have this bank, maybe you should go to another bank and put your money where they care for IT security.

Let's go to the next terminology: backdoor. A backdoor is a built-in method to bypass authentication or encryption of a system. And I have two examples for a backdoor. The first one is Cisco. So Cisco is a big network equipment vendor, and it has a long backdoor history, but there is a positive thing. They are doing internal auditing, and they found quite a lot of backdoors during their internal auditing. So that's a positive thing, but still there is a problem: there are backdoors in their products. And they're very creative about finding synonyms for the backdoors. I have three examples for you. So the first one is "undocumented user account with privilege level 15". Okay, it's quite creative, but the other one is even better: "undocumented static user credentials for a default administrative account". It's an even better name, but my favorite is the "undocumented test interface". There is some port on the router, you just connect there and you get root access. Really nice backdoor.
But they have even more of them; those are just three examples for the creative synonyms for backdoor. So the next backdoor is really cool: the Tenda AC15 backdoor. So it's a Chinese Wi-Fi router, and there is easy root access in three steps on this device. The first one is you make a request to /goform/telnet on the router, and it starts telnet on the router. The next step is you choose freely from three existing default accounts on the device that are root accounts. You have a user, admin, and another, a third account. And then you just need to guess the password, and then you have root access on the account. Are there some guesses for the password? Well, it is not "test", but it's close. It has as many letters as "test". The password was 1234 for all three accounts. And then you log in and you have root access on the router. It's really handy. So if you lost your root password or the admin account password, you just use this one. So yeah, the nineties called, they want their passwords back. So please don't use this password for your router. Update the router if you get firmware upgrades. It's also a problem that often devices don't get updates.

So the next one is auth bypass. Auth bypass means you can log in somewhere without username, or without password, or without both. So that's the idea behind auth bypass. Well, let's go to Fight Club. Do you know from which year Fight Club was, when was Fight Club released? Some ideas which year it was released? It was released in 1999. So the blast from the past: in 1999 there was this company called Netscape, and it had the Netscape Enterprise Server and Netscape FastTrack Server as software. And there was a remote attack where you gained privileges via HTTP basic authentication. That was 1999. Well, that's already a really bad security bug. But well, what's this? Do you have guesses? Back to the Future. Yeah. Back to the future to 2018.
Well, there is the HP iLO 4 authentication bypass and remote code execution. So HP iLO 4 is a remote management console for servers. It's a hardware card where you can remotely access your servers, and there was the authentication bypass and the remote code execution in this device. It was found by the Airbus research team. They invested five man-months reverse engineering the whole firmware. It is from 2017, but it became broad public knowledge in 2018 when they presented the whole research at a conference. And it's quite interesting how it works. I have a GIF of the live demo here and you can check it out. So they are requesting the admin interface and it says 401 Unauthorized. So they used great Python tools and just print 29 times A. Then they add a header to the request, the Connection header, which is 29 times A, press enter, and they got full admin access. So it's like, okay. And yeah, administrator, great. Yeah, it's really fun because you have like 10,000 servers out there and you can just get administration privileges with 29 A's. Yeah, the problem is, you see this equation, 1999 equals 2018. Mathematically it's not quite correct, but in IT security it is, because in both cases it was a buffer overflow which caused the bug. So if a buffer overflow is the IT security bug, they managed to overwrite the data and they could access administrative accounts.

Let's get to the next category. The next category is data richness. So it's the opposite of data minimization, which is our goal in IT security, because we don't need all data of the people. We should just use the data we need for the services. So thanks to GDPR. So it's unnecessary to have too much data, and it's also the digital gold of modern times. There was Google+; they had about 500,000 users affected by the leak. Partially sensitive data was also stolen, and the thing is also, Google+ was shut down because of this. But well, it's only 500,000 users, it's not a lot.
Well, let's check out our friends at Facebook. So they have approximately 30 million users affected. That's 60 times as many users as the Google+ leak affected. But they still didn't shut down. I don't know why, but it's sad; maybe next time. But you see there are a lot of data leaks happening in 2018 and a lot of user data was affected.

Well, let's check out the next category. It's called DoS, denial of service. The idea behind DoS is to make a system unavailable, temporarily or permanently. So who of you has a friend who has a friend who has a friend that has an IP camera? No one? No one has friends with IP cameras? Oh, one person, at least one person. So this one friend has an IP camera, maybe it's this IP camera, and if he has this Netwave IP camera, you can make an easy denial of service. So you just send a POST request to this camera with a huge body size to the / URL, and the camera just crashes. So it's really handy. You just send a POST request and it just crashes. There is a proof of concept on GitHub about this. So if you have it at home, you can try it yourself, or you can throw it away, because I don't think it gets updates. And yeah, it's also classic IoT embedded hardware which is badly implemented, and it just crashes when you send a huge body size.

Then our next category is RCE; you all heard it at the HP iLO 4. So RCE is remote code execution. The idea is you can execute your own code or programs on a remote target. So most of you are probably gamers, and most of you also use this, what is a well-known gaming platform? Steam? Yeah, Nintendo. But yeah, Steam is a good gaming platform, because Steam had a remote code execution for nearly 10 years. And it was found this year; when you sent a malformed UDP packet, it was enough to trigger the exploit. There is a really extensive write-up under the web page here. So for 10 years it was theoretically possible to exploit the remote code execution in Steam.
A lot of users would be affected. We don't know if it was exploited, but the bug was in the client. Really impressive is that after the reporting, the Steam team patched it after eight hours. So after eight hours it was already patched by the Steam team.

So our next thing is PoC, proof of concept. So the idea of a proof of concept is that you have some example, and with that you show that you can exploit the bug. So the classic proof of concept is that you pop up a calculator on your system. That's the classic thing: you show the people that you exploited the remote code execution or code execution on the system by running the calculator, calc.exe or xcalc. So in my first two iterations of this talk, I didn't have a live demo. And then all the time people came to me and told me: hello, can I have a live demo? And so I said, okay, well, let's prepare something. And yeah, we will have a live demo, and what could possibly go wrong. So I have this specially prepared laptop here. So I have here, no, I don't want updates, no. I have an Ubuntu 16.04 without patches. I have a VirtualBox with a Debian system. It's nearly patched. So let's start my VirtualBox system. So I'm already sorry for the username of this virtual box. It was at first my mailbox test server, or test mail server. But you will see yourself. It did a good job as a mail server, but now it has to be exploited. So if you are using a computer, normally you use it to surf on the Internet and check out web pages, and you also want some cool desktop backgrounds for your laptop. So this is really not so, it could be more fancy. And then you see this fancy web page where they offer you sweet cat pictures. And I say, okay, let's download this sweet cat picture. I want this cat picture. Okay, let's download it. Let's open it. Okay. And it's broken. No. Well, my live demo just failed, but we will try again. So let's just download again. Nope.
Well, then we'll just do the reset game that works most of the time. Well, let's test again. Now it should probably work. So let's go again to our great page where we can download cat pictures. Okay. It seems to work. So I just opened my download. And I just got 100 calculators popping up on my screen. So I just opened the download folder. Well, there is a great tool in the command line on Linux. You see all these great calculators. Maybe I can calculate faster with 100 of them. So see. Okay. So it's all xcalc. Good that it's not Windows, because I don't know the command on Windows for that. All right. So what happened? So I exploited the Ghostscript remote code execution. So it was overlooked; they patched quite the same vulnerability in Ghostscript two years ago. But they overlooked this edge case. And it is triggered when it's parsing PostScript. And the thumbnail parser of evince in the Nautilus file manager parsed the thumbnail. And in the thumbnail, embedded, is the remote code execution script. And in my case, it pops up 100 calculators. It was found by Tavis Ormandy, the well-known Google security researcher. And there are multiple CVEs assigned.

Well, that's the first live demo, but I have a second one. So everyone knows blockchain is really the new hype in 2018. But I have a better hype for you. It's called exploit chain. So for this, we have to pray to the demo gods that it works. So maybe someone has a MacBook to sacrifice or something like this. Let's hope that it works. So we go back to our virtual machine. Oh, I have to delete it. Ah, such great remote executions. Yeah. So you say, okay, this cat picture is somehow broken. But this interesting website offers another picture. And it's in 4K resolution, it should be even better. Let's test it out. Let's download the better cat picture. So it's really fast. Like in my home country, Austria, where you don't have internet. Yes, 3.5 kilobytes. Come on, internet.
Well, I think I have a copy of this on my laptop, because we don't want to wait 10 minutes. Ah, it's getting faster. But now you know how people feel with some 10 megabit internet at their home. Well, I won't wait for the download. I have a copy on my desktop. So we just say we just downloaded it, okay. So we go again to our downloads, and there is this cool, yeah, yeah, broken, let's delete. So there is, I say, let's, we have downloaded it, and then this happens. And the terminal pops up, and I got this one. Oh, what just happened? So let's see, I have a shell here with root, and it's called Milky Way. So let's check out the host system. So it's also Milky Way; host name, let's see, Milky Way. So we have a shell on the host system of the VirtualBox. Let's check out here. Yeah, so I got my username of the host system, I got the running VMs in the virtual machine. I got my running mail. And to really show that I'm on the host system, I will just shut it down. Oh, power off. And my laptop is shut down. So what the fuck did just happen? Well, I've implemented the exploit chain, and I just powered off my laptop from the root shell on my host system. And so the exploit chain was: I downloaded this 4K cat picture, I opened it in Nautilus, I triggered the remote code execution of Ghostscript, and then I used the VirtualBox escape exploit to escape to the host system. And then as a third exploit, I just used Dirty COW to get a root shell on the host system. So that was the whole exploit chain. And it has now powered off the laptop. So the setup is: the host system is an unpatched Ubuntu 16.04, it has to be a specific VirtualBox version, it is 5.2.6 with this number. The guest system is a nearly patched Debian 9 with GUI. And on the guest user, I have the no-password option for sudo rights.
And it's a self-written exploit chain with publicly available exploits in Python and Bash, and I also modified the proofs of concept, because the first proof of concept of the VirtualBox escape only worked on the command line with no graphical user interface. And I implemented it so that it works with the graphical user interface too. So the VirtualBox escape uses the video RAM for the exploit, so the shared video buffer between host and guest system. And there is an excellent write-up by the proof of concept author. And in the end I put shellcode into the buffer and it got executed by the guest. And it's a bug in the optimization of the compiler in the VirtualBox compile process. So Dirty COW, it's this CVE; it's homework for the audience to check out what the problem with Dirty COW is to get root access on the device.

So the next thing, let's check out hardware security. There is also hardware out there, not only software. Let's check out our favorites, or one of my favorites, because there was a lot of hype for a lot of fuckups. It's Meltdown and Spectre. So Meltdown and Spectre are bugs or design faults in the CPU, in modern CPU architecture, and they lead to sensitive data extraction from the CPU. It's a hardware bug. So the thing is, speculative execution is used. So it pre-computes other values at the same time, and the values you don't use, it just throws away. But with this feature, you can extract the pre-computed values which it would throw away. There are software fixes out there for that, but there's a really big performance loss. So yeah, software fixes are there, but with such a big performance loss that some companies even need to buy new hardware, because they don't have enough performance for the software. There was a great Meltdown patch by Microsoft for Windows 7 and Server 2008. There, the PML4 page tables were accessible for everyone on the system. So the PML4 page tables are the master page tables in the system.
They should only be readable and writable by the kernel itself, so no user should have access to them. And just everyone could write in there, modify it and load pages. So in the end it was like this: I get PML4 page tables, you get PML4 page tables, everyone gets PML4 page tables. So it's really bad, because everyone could just modify the whole system and mess around with it. And it was a patch. They fixed it a month later, but it was still a really bad patch.

Well, some of you also drive cars. Some of you maybe drive a special car. It's BMW. So BMW has a TCU, telematics control unit, in there. And the affected vehicles are from 2012 to 2018. And there was a remote attack via GSM. They could execute arbitrary unauthorized diagnostic requests on a CAN bus. They are working with BMW. They should release an extensive write-up about the vulnerabilities in 2019. Now we just know it's a remote attack and you can execute arbitrary unauthorized diagnostic requests, but there are no details about what the fault is.

So probably you use locks, for lock picking for example. But some people are really comfortable and they use locks with a fingerprint reader. So if you have a lock like this and then you see this screw there, and then you think that should be a secure lock, the vendor thinks it is, because there is this guy on Twitter called LockPickingLawyer who checks out locks with lock picking. And he got this lock from this company and they told him, well, the money quote is: the lock is invincible to the people who do not have a screwdriver. Like everyone has a screwdriver, more or less, with him or with her. So you just get your screwdriver, open the lock, and you don't even need that fingerprint. So it's a really bad lock design and yeah, 2018 security, not here.

Well, our next thing is quite interesting. So combine the words mining rigs, data center, 600 and Iceland.
So if you combine these words, you get this headline: Bitcoin heist, 600 powerful computers stolen in Iceland. So wait, Iceland is an island and there is water all around. And these computers were in a data center, like some mining rigs. So how do you steal 600 mining rigs out of a data center in Iceland, with water all around? Well, we don't know, but they just escaped. 600 mining rigs just escaped from a data center in Iceland. But there is bonus content. So it's already ridiculous enough, but it can get more ridiculous, because, well, they got a suspect and they put this suspect into jail, and the suspect managed to flee from jail, get on a plane, and on the plane was also the prime minister of Iceland. And he flew to Sweden on that plane. That's the bonus content. So they got the suspect, the suspect gets out of the jail via a window and then gets on a plane to Sweden. Nice try.

So the next hardware fuckup is a combination of sound and hard disks. So if you combine these, you get death, death for the hard disks. So there was Nasdaq, it's a stock exchange in the Baltic states or in Sweden. And there was a gas-based fire suppression system. So if a fire starts, it would start and kill the fire. And it destroyed the hard disks by releasing the gas at high speed. And this caused some vibrations and destroyed the hard disks. And, well, the sad thing is there was no fire at the data center. They released it by accident. And by accident, they also destroyed the hard disks. And the other problem was there were not enough hard disks in Sweden for the servers. So they had to get new hard disks from another country. They were not operational for five hours. They should have started at nine in the morning, and it started at two o'clock in the afternoon. And the affected markets included Sweden, Finland, Denmark, Iceland and the three Baltic states.
So they had to import the machines to make it operational again. And down there is also a link to another video where the guys are in the data center and they have monitoring on the hard disks. And they shout at the hard disks in the data center. And you see on the monitoring that the I/O just goes through the roof. So if you shout at hard disks, you can destroy them if you have bad luck.

Well, I'm nearly at the end. Let's see my future predictions. I mean, I must say 2018 was really rich in fuckups. I don't have everything there. Some days ago there was the SQLite remote code execution down there. There was even more stuff, I can't check out everything. But well, 2018 was already a good year for fuckups. But my prediction for 2019 is the following. Oh, it can't get better. It will be just a race. So the yellow guy is IT and the bombs are IT security. And it will try not only to run away, it will also try to fix the stuff. But until now, we are somewhat just running away from the bugs and not fixing them. So I hope that will not be the whole reality, but just a part of it.

And also one question I asked myself is: why should I care about all the stuff I just told you here? Yeah, and my answer is we should care because security problems affect us all in some way. It affects myself, for software I use that has bugs in it. It affects my grandmother if she uses some buggy router for the internet. It affects my neighbor, it affects my IP security cameras. It affects everyone, because everyone uses hardware and software with bugs in them. And so my motto is, in the end: make the world a safer place, report security vulnerabilities, do research, because if the world is a safer place, everyone also has a better life. So if you're interested in all this stuff, I did most of my research on the CVE database. So if you read CVEs, it's quite fun and interesting. You get quite interesting CVEs out there, like some command injection on microservers, why not?
So there is, for example, cvedetails.com for CVE details; there are also other web pages, but there are quite interesting CVEs out there, like getting remote code execution by email in Outlook, which is also interesting, why not? What remains of my presentation are the questions from the people here.

Thank you, Hetti, for the talk. We have two microphones on the left and on the right, and if there are any questions, please feel free to ask them. So maybe I will start with a question. What was your favorite security issue this year?

I mean, this year Meltdown and Spectre were quite hyped, but one of my favorites was this npm fuckup, because people just updated the service and the whole production was just fucked up, and it's not even their fault. That was one of my favorites, and this Comdirect Bank, which just tells the users: just ignore your certificate, everything is fine. It's the worst thing you can do as a bank. Shut up and take my money.

So do we have some questions now? Well, then. Okay, so let's give Hetti a big applause and thank you for that talk.

So there are also some contact details; you can also ask me in person. I will publish the source code of my exploits on GitHub during the Congress, and you can also talk to me and I can show you the exploits again on my machine, if you like. Anything else? Enjoy the Congress, stay safe and patch your systems. Thank you very much.