 Hi, everybody. Hi, I'm Mike Bailey. I'm Raph. This is Raph. We are here to talk about web services we just don't need. Now, I had a talk that I wrote. Well, I sort of wrote it a while back, and I had slides, sort of, and they all self-destructed with the major malfunction of encryption and hard drives. I don't have any slides or anything now. So we're going to wing it. My opinion is that if the best way to be prepared for any event is to just be able to wing it anyway. If you don't know this shit by now, we probably shouldn't be up here right now. I don't know shit. Okay, sorry. These are Rockstar mics. Okay. Does that mean we need groupies? Dude, I have groupies. All right. Not you, Mike. He does not count. All right, so let's talk about some web services. I break a lot of web applications. I do application research penetration testing for a living, and occasionally I stumble across things that just don't belong on the Internet. You guys know a few of those, right? Yeah. You've probably got some ideas, and actually, we might have them shout some out, and then we'll discuss. Yeah, if you feel like you have one that you'd like to hear discussed, it's a good one. Windows. Windows isn't a web service. You're in the wrong track, dude. AOL. AOL stats is a big one. All right. What are we going to start with? I have a friend. His name is Trey Ford. Is he here? He's not here. Trey takes his barbecue pretty seriously. If you guys don't know what a barbecue is, it's a big box that makes smoke, and when you're grilling your, or not grilling, when you're smoking your meat, you have to, there's going to be too many meat jokes here. It's 10 a.m. on Sunday. Why are you people here? This was unexpected. All right. So when you're smoking your ribs, you have to be very careful about constant temperature monitoring your meat. So what Trey has is he has a PC fan and two probes attached to his... Does anybody have a bottle? 
He can make Mike drink every time he loses his train of thought. I'm not losing my train of thought. I'm just trying not to make any dirty jokes. But you know what? The best dirty jokes are the implied ones. Yeah, do you know where you are? Anyways. So he's got the probes and the PC fan attached to a computer, which is in a plastic bag because it rains sometimes in San Francisco, and that's all sitting outside next to his smoker. So this is all run through a web server that's sitting in that PC, and it tweets too. So during the course of like a 14 hour smoking of a piece of pork, during the course of that it'll be tweeting the whole time, and he can monitor it. It makes graphs, nice little updates, things like that. One day when he first got it, he was showing it off and he actually uploaded some of the graphs to TwitPic or some shit like that. Speaking of web services we don't need. We'll get there. First of all, in those graphs it has the IP address of the smoker. And I'm sitting there... An internal IP address that may not be all that useful. So as we're talking at some point, when you guys hear something that sounds interesting to you, I want everybody to go, what could possibly go wrong at the same time? Yes. Alright, so anyways. Alright, they're awake. Yeah, why? Why are you guys here? Don't you have better things to do? Dude, they're still coming in. Alright. Anyways, so now I have the IP address of his smoker. I have the version of the software that's running so I can go find a copy and download the source code. I actually had to find the guy that wrote the code because it's kind of obscure and ghetto. And I had to actually con him into giving me a copy of the source code by telling him that I wanted to help him do development on it. And so I start looking at it. It's fucking full of cross-site scripting holes, cross-site request forgery holes, things like that. So what you're saying is you can help trace smokies. 
So anyways, the end result is that now every time Trey, I have a great slide with a screenshot, but now every time Trey goes to update his smoker, it pops up little messages at him and he gets a nice little reminder of me. It's fun. It's beautiful. Yes. Every time Trey goes, his smoke is made, there's Mike. Alright. So that's one of the stupid ones. That's not really all that serious or that dangerous or anything like that. It is. It's a bad thing. No, but actually think about how many of those there are on the Internet. If you use that really cool banner grabbing... I think there's four on the Internet. I told you this theme was ghetto. The fact that you know that worries me. Yeah. Does anybody here have one? Do you have a smoker on the Internet? There's other stupid services that use Twitter, though. Who's heard of Tweet My PC? Anybody? Yeah. Well, Mike. Tweet My PC is a way to remotely control your computer via Twitter. Now Twitter... Yeah. Twitter... It's like GoToMyPC or WebEx, only more secure. Yes. Because nobody has ever hacked a Twitter account before. So the way it works is you basically send commands to your PC. It'll execute them and then send the response back. The specific commands you can do, or you can say CMD and then say whatever shell command you want it to run. Now, this was written by a guy. He's a Microsoft MVP, most valued programmer. I don't actually know what that means because I'm not in the Microsoft culture. They have acronyms for everything. But this guy knows how to code. He's built a project that's actually a fairly impressive code base for what it is. And he never stopped to think what could possibly go wrong. That's awesome. So some of the other commands that this thing can run are things like take screenshots and post them up to TwitPic. Now, if you're... Hold on. I want to reflect on that for a second as we watch the fire crackle. It's a really good idea to take screenshots randomly of your PC. 
When you don't know what's on the screen, obviously, because you're taking the damn screenshot. Yes, because it's a really good idea because there's no possible way anybody could view those in order and see what you have. Read your email. Yeah. So I have a directory on my web server now that... I actually have a bot that pulls down those pictures every time they get posted. Yeah, funny story. So we were talking a while... It must have been last year, I think, Mike. Yeah. We've been slacking on this project horribly, haven't we? We're bad at everything. Yesterday, apparently... Who was here for the fail panel yesterday? Yeah. So you know the really cool thing they did with the data mining to pictures? Yeah, we did it a long time before that. We're just too damn lazy to do anything with it. One day, we'll get around to taking it to the next level, like OCRing all the screenshots. It'll be badass. So the backstory is... I apologize for my loss of voice, but it's really hard to yell over 1,400 people. We were sort of chatting back and forth about some things we saw. And I just sort of saw somebody post a screenshot. And I'm like, hey, that's a random alphanumeric six-character length identifier. I bet we could write a really quick loop that could grab all of them. So apparently the math I didn't do in my head is how many combinations there were, times about 120K each? We pulled down all of Twitter. Yeah, we pretty much have all of... Yeah. So there's a one and a quarter terabyte someplace. So by the way, EXT3 does not like that big of a directory in one place. I think I've accidentally found the limitations of which. Every time you try to open that directory, it just sort of looks at you and goes, no. I'm sorry, but no. So there are some interesting things. 
As I was looking through there and deleting all the porn because nobody wants that and sending it to Mike, I did notice that there were some very interesting things like there was a guy that was getting help from his tech support team with the spreadsheet he was working on for next quarter's forecast. I just want you guys to think about that for a second because that's this quarter. Yeah. Oh, yeah. I've got the screenshot. It's beautiful. Is it still up on Twitter? It is still up on Twitter. So did you know that you can't actually, this is not true anymore. You can now as of a few months ago. Until a few months ago, you weren't able to actually delete pictures from TwitPic. You could remove them from your stream, but they'd still be there if somebody knew the path. And when this Tweet My PC thing posts those pictures, it would have the path on there. So even after people deleted them, I could go back and find them later on. I found all kinds of interesting things. One I found was somebody just set up a remote desktop server and they had their username, password, IP address, all the connection information, sitting there waiting for clients to connect. It was great. I didn't actually connect. I should have. So I don't have anybody here that was at ThoughtCon? Yes. One person? Do you guys remember what we talked about, what I did? Flash. All right. So thank you. That's awesome. So I have a particular love for Flash if you guys don't know. I don't have Flash so much because I'm not really... I have a special hatred for Flash. We know, Mike. It's okay. Step number three, man. And it's not that I hate Flash particularly. It's I dislike the people that write Flash because they're not really IT people. They really have no desire to code anything. They just like to drag and drop. So yeah, it's okay. Give yourselves a round of applause. That's kind of cool. So I do a fair amount of these web assessments in my everyday job in the boring part of life. 
I get out there and try to convince people that doing things that were bad in 1997 with JavaScript is now bad with Flash because it can't seem to grasp that concept. So case in point. So we're going to talk about services that we don't need. So this is a place that I was at. I was having a conversation with the C-level group, C-level executive. And he was telling us about all the awesome Web 2.0 stuff. By the way, if we say Web 2.0, you can throw shit out of us. It's all right. All the Web 1.9999999 stuff that they had and how the great development they were doing and how they're migrating to new media and that they were migrating there. They're migrating all their platforms to more usable, more open, more flashy environments. And he couldn't stop bragging about this new ERP app they were writing. Does anybody see what this is going at? Yeah. So go ahead. Say it. Nice and loud. That's right. So yeah, so he's talking about this ERP app. And I'm just sort of staring at him. I mean like just staring, like he just grew horns in a tail staring. Yeah. And he just, he stops midstream and he's like, am I saying something wrong? I said, you wrote a ERP front end in Flash. He said, oh yeah, that's really cool because you got to see this. And so then he decided to take it upon himself to demo it, which was awesome. By the way, you guys, does anybody here use a Flash encryption tool? More on that later. Or maybe we should just segue into that real quick. So sidebar. Oh no, Google it. It's viewed as an entire market. If anybody wants to, you can look it up right now. There really isn't any such thing as a Flash encryption tool, but there's a market for it. So people will sell you one. There's about, oh no. Fail. There's several hundred tools out there, several hundred companies that will sell you a tool anywhere from $99 to the Enterprise Pro version for $1,999 to encrypt your Flash apps. Right? That was weak. Weak sauce. Is that right? You can try again. 
We'll let it slide this time. Beautiful. That was loud. So, yeah, so what's the, after all, Flash is a language that requires something to run it, right? It requires a sort of interpreter to run it on the local machine. So if you're going to encrypt the Flash files, step one of running it is what? Thank you for your $1,999. Anyway, so this guy's telling me about all this beautiful Flash app and how they've encrypted it. And so I gave him this story about why that was just completely, you know, smoker. And that's going to be a joke, dude, to say smoker randomly. Yeah. And so... It already is a joke. Yeah. Very nice. So he's talking about it and he's showing it to me and I'm like, can I show you something real quick? He's like, yeah. I'm like, well, there's this free tool and there's hundreds of them, right? There's lots of free tools out there that you can decrypt Flash with. I know a couple of good ones; if you know one, shout one out. So there's this app and I load the Flash app in there and I click the decrypt button. No, I'm just kidding. That'd be cool, though, wouldn't it? So I... Oh, somebody's phone's ringing. Dude, there's Ann's teleporting into your pants. Leave it there. Let's not talk about that. I'm not even going to go that way. So anyway, I was talking about Flash, yeah. Yeah, Flash. Yes, so he compiled this app and I'm just scrolling down, scrolling down, scrolling down and go, do you see this? He goes, yeah, like, you know what this is, right? He goes, well, I'm not an engineer, but it's like a database connection string. Like, yeah. Thank you. This is fun. I got him trained now. Yeah. It's like, you guys are like Pavlov's dogs. This is beautiful. Can we make him do tricks now? No, I might be pushing it. So I immediately explained to him why that was a bad idea by opening a SQL Server manager on my laptop, connecting to his server using those credentials and just listing all his tables. And he says, well, that's no fair. You have source code. 
Did anybody here not know you can decompile Flash objects? Okay. Okay, cool. Thanks. Apparently there's a lot of people who don't know that. Well, I'm going to finish my story. I'm just going to tell a story. I want to finish mine. Okay, go. Fight. My story's better. Whatever. So mine's almost done. And they're listening. So as I was explaining to him why this is a bad idea and the whole idea of how I could have source code possibly without actually talking to anybody and just getting the object, he says, he looks at me dead in the eye and he says, so we should probably pull us off the Internet? Floor zero. Beat that. I was actually going to tell this one later, but we're talking about Flash stuff and how nobody knew you can decompile them. Has anybody heard of Schlage Link? You know, the lock people? Yeah, the company that makes those locks that go on doors that hold doors shut. Thanks for coming, sir. They decided to create a web-enabled home automation system called Schlage Link. Oh, that was weak. We'll give you one more chance to do that one. They're better for me. You didn't do the visual cues good enough? I'm not even trying. This is how good I am without trying. So, anyways. You're a ninja. I was out at CES a few months ago. Well, here at CES a few months ago. And I was bored because CES actually isn't that exciting if you're not into that hardware and the latest and greatest stuff. And I actually hate technology. So, I was at CES and I was wandering... You're in the wrong field. What? You're in the wrong field. No, I'm not. I break technology. That's how I just express my anger. And there is a lot to express. Yes, I'm an angry person. So, I was bored and I was wandering around and I see the booth for the Schlage Link thing. They're looking at their... They have the little kiosk set up and they have 18 salespeople that mob you the second you... Flash them. Okay. Throw candy or something next time. Alright, so... They're returning fire. Yes. 
We're going to hide behind the table and build a fort. Raph, get up from the table. They don't... I'm still up here. Alright, so anyways, I start playing with this Schlage Link system on their kiosk. While the salesperson is talking to me, I'm sitting here viewing source and looking for cross-site scripting, cross-site request forgery holes. That was fun. But then a little bit later, I got more interested because I wanted to follow up on that. And I went and I bought the lock for my door. I didn't actually ever install it. I should because my door still doesn't have a lock on it. But I don't trust that lock. I'd rather have none. So, I set up this lock and I start playing with it and I'm looking through the web application that they have set up for the back end. And I noticed that there's a flash object that loads up but it doesn't actually make any... I'm watching all my traffic with Firebug if anybody thinks that Firebug is awesome. They're right. I'm watching all the HTTP requests it's making. But I noticed this flash object, it looks like it should be making requests because it's called... I can't even remember what it's called, but it had some other name that was like Network Object or something like that. And I start looking at it, but it's not actually making the HTTP request. So, I decompile the thing and look at it. And it's connecting to an arbitrary port on their system. It's not an arbitrary. It's not arbitrary. Oh. That's good. It's connecting to a port on their system. It sends over a few lines of data and then it keeps getting data back. And it turns out what this is doing is whenever you unlock or lock your door, the system sends a message to your base station, which is on your local network, which then uploads that message to the server. That server in turn broadcasts the message back to you through this flash object to the web application. But there's no actual authentication on this thing. 
So, with one line of Perl, I was able to actually watch every single lock being unlocked in their entire system all day long. Hold on. And I would do a live demo, but I like the fireplace too much. Also, I might get in trouble because I don't know if it's legal. It's probably at least a violation of term of service. Huh? What's your point? I like him. Well done. Mike's easily influenced. I am. Do-do-do-do-do-do-do. It'll take a minute to connect. It might take a minute. It's making a whole bunch of requests saying, I want to listen to all of these different user IDs. There it goes. There we go. Yeah. Every time, this is actually only watching lights right now, not locks. Every time somebody turns their lights on, off, or dims them, it's letting me know. It's sort of like watching the matrix. That's pretty cool. All right. This is my visualizer. You know, it'd be cool if they had, like, geotag that. You could put it in, like, Overlay with Google Earth. Oh, man. And then we could cross-reference, like, people's tweets. With Foursquare. With Foursquare. I actually can't, this is only monitoring. So I actually can't turn lights on and off through this system. I may still be able to do it through the web application, but I returned it to the store because it wasn't up to par. To who? Those hunters. Is that a TV show? I have no idea. No, I just, I just said it didn't fit my needs. Can you imagine feeling out there in return form? Sir, where are we turning this lock? The web app sucks. Or the other reason, it's horribly insecure. Yes. A web app. So, you know, I can't think of a more epic way to fail than that. I think with that, we're done. I'm just kidding. We've got to talk for another 45 minutes. Wow. Seriously? So I've got, I'm going to do, like, yeah, I've got a couple of stories I'll share with you guys. If you guys read my blog back in April, then you'll recognize some of these. What is your blog? Are we telling them? Are you being anonymous right now? 
I have to be anonymous for a minute. Okay. For professional reasons. You can just Google white rabbit. All right. Follow the white rabbit. Yeah, that's it. Okay. So there's a, there, you guys watch, you guys watch, anybody watch any late night TV? You ever seen the pitch men do their thing? But wait, there's more. No? Okay. All right. Billy Mays is dead. If you're still watching, play Mays. Turn on. That's true. He's still running his ads. Yeah. He's still getting paid. So really, really interesting, really interesting failure of a web app. You can put the fire back on, dude. Dude, this is my fire now. We're watching, we're watching the Matrix fire. Yes. So. Somebody's calling me. Hold on, Mike's going to take a call real quick. You keep talking. That's Shaleigh calling. What's up, man? He's taking a live call. Hey, let me put you on speakerphone. Let me put you on speakerphone. This is Beho. Hey, man, you're talking to like an entire group of people, or an audience of people. How you doing? Good. What do you have to say to them? We should probably hang up. All right, I'm going to hang up now, dude. So, story. This is, I like to call this one, but wait, there's more. So at the appropriate places, I'm going to do this and you guys are going to say, Right. Yeah, what could possibly go wrong is kind of implied on this one. So, again, I do a lot of these types of things for more private organizations. Usually, the audience is a little less receptive than you guys are. The usual look is like this. Tell me if you recognize this from your developers. And that means I totally buy what you're selling, right? I did an eval of us. We were trying to help somebody, a group, build a more robust, I guess more robust is the wrong way to say it because that would imply there was something there to begin with. But we're trying to help them build a sapling of a security program for their web apps. 
This just so happens that it's a very, very large company that unfortunately all of you touch somehow during your day. No, no, no. Those stories are for later. That's creepy. So, looked at their company's homepage, the company name dot com page. I don't know about you guys, but the first thing I'm always drawn to is, oh, look, log in box. And so I asked the guy that I was working with as we were doing this mini assessment that we were supposed to do a report out on what this does. And he's like, oh, yeah, it's a star web login for, it's a strong authentication web login and it's single sign on for the rest of there, which for those of you that don't know, and somebody says single sign on, it means their cookie is usable across their entire domain. All of it. Go silent. Right, exactly. Thank you. I didn't wait on that one. I don't know what's going on here. So he's explained to me how only this part of the system is just to sort of log in and check the status of your claim and look at any kind of bill you might have and stuff like that. I'm like, oh, so that's not regulated at all. So the funny thing is that assessment lasted, I think, 38 seconds because, you know, okay, so there's just some things that shouldn't work in 2010. Putting the single tick or one equals one in your login box is one of them. Right, exactly. So this is actually the beginning of the story. So we quit there and he asked, this guy needed help. He was a security manager and you all know how much people listen to security managers and the corporations, right? So he needed some firepower. He needs some ammo. Somebody that's kind of done this before and I was like, all right, I'll kind of come out and help you and see if we can draw up some support. And he's like, what, it would really be helpful if we could do a live demo for them. I was like, yeah, you know, I don't feel comfortable doing that on your live. He's like, come on, I'll get executive sign off. We'll do a live demo. 
I'm like, all right, dude, we'll do a live demo. So I threw on my best shades and went up there and we're talking and I'm explaining to them how this is. And by the way, so the room is set up sort of like this. There's a bunch of developers. There's like this C-level folks, a cluster of four sitting in the left-hand side and there's a bunch of DBAs across the back. It's like high school, it's like grade school. It's like a grade school dance where everybody's sort of in their own space. Girls looking at boys across the dance floor. It's kind of like what this was. So they're sitting there and they're listening and so I told them how easy it would be to pop this database and they're like, well, can we see it? I said, sure. So I worked for a company that does a little bit of web app stuff and I have this tool that's sort of named after what it does. It's called a SQL injector, right? It's not rocket science. So you basically copy, paste the URL, you click the button that says go and it starts going and while it's going, I'm talking about the bad things that can happen from SQL injection and such. And I'm getting this. Apparently I'm wasting their time. So immediately, about a minute into this, there's a little box that pops up and it shows the machine's name, the SQL version number and the IP address. So the guy, the security guy now has kind of got a small smile creeping across his face and DBAs in the back are like, huh, that's probably not good. But they're not panicked yet. And so I'm trying to explain that hacking, this really isn't hacking, it's just sort of stumbling through accidental fail. So I look over at the C folks, can I get your permission to see this button? Here it says, get rows. Can I do that just for posterity? Yeah, go ahead, click. Within about 30 seconds, we had about 20% of the database on my laptop, the row names and stuff. Then we got the column names and it only gets better from there. 
So at that point I decided I was going to really kind of show them beyond what a tool can do because now I'm extracting data so I can own your data, which is cool and now they're slightly panicking. Security guy smiles just a little bit bigger. And so I open a... I'm writing out a command line that's got the command string, stop me if you've heard this, net user add administrator. Okay. So there's a guy in the back that at that point just goes, whoa, stop. And the entire... And the entire room at that point does one of these. And not being able to help myself, I said, what's up? He's like, well, I think it's... That's good enough. He's like, yeah, I really don't think we should go any further. Why? So what could possibly go wrong? And so he looks at me and he says, well, here's the deal. I really... I don't know if we could talk about... I can't really know if we could talk about it because you guys are technically a vendor and we should... Well, we're here to learn, Mark. Why don't you just go ahead and tell us? At this point, I think he may have crapped himself. Because here's where it gets really good. So normally when I look at a database and I've got full access to your machine, I can pop all the data. That's pretty good, right? I'm a happy guy. Life's pretty easy. It's better from there. It's like sprinkles on ice cream. It's just delicious. So... By the way, Mike, did you notice the room filled up? Yeah. I think people are just waking up or maybe they're just looking for somewhere to sleep. You guys rock. Anyway, so back to this... Yes. They came for the fireside chat. Yes. So I'll hurry this along. He goes, don't hit enter. I'm like, well, you know, it's just a local account. You can delete it later. He goes, well, look, we went through this round of server consolidation. There was a lot of extra hardware glut, and this box was overbuilt. So we had to consolidate this instance of SQL Server. Mike, really? 
And he says, well, the architect decided that it was similar classifications of data, that the ERP system should live on it. The fact that this gets better is a testament to how really bad things get. So the security guy is now smiling just a little more. And I'm actually like really interested. Because this is a level of fail I haven't seen in a while. I'm like, oh, okay. Well, I'm like, yeah, I know. I'm going to cross the different SQL instances and stuff. That's pretty bad. At least you're still limited. He goes, well... The fire is over. Should we try to count fire? There is more. So as he says, nice. The relaxing fishies. So now he's explained to me that because the ERP front-end app is written in. Ready for this? And it didn't work across the firewall. That server is where? On the inside. That's right. And so the security guy now has a smile that goes from about this ear to this ear. And if he goes like this, his head might flip over. So... I'm like, wow. That's pretty special. That really is a bad idea. I'd be making myself a username on your internal network. And he goes, actually, and at this point you're asking yourself, how? Do we kill kittens? Well, folks, because these guys have decided to do this so well, corporately, corporately, corporate security policy dictated that all internal machines, all internal Windows machines had to be on the domain. And because of server consolidation, you know the rest of that. So if I would have hit enter, I would have been what? God. Administrator on the domain. You would have been God. So... I... I... Is there more? No, there isn't any more. But at that point, my security contact, he's looking at me, and he might have actually wet himself. Because this is a completely unanticipated failure. And so he goes, so what do you recommend first? I... The sales guy that I was with has just looked at me, and as serious as I could say it, as seriously as I could say it, I looked at him dead in the eyes and said, turn it off. 
But yeah, that's probably my best one. I've run into that twice now, where... Look, let's be realistic, right? Corporations have server... server consolidating, virtualizing, cloud... Sorry, that was for Hoff, he's probably not here. Yeah, he's gone, he flew out this morning. Oh, he flew out this morning on a Cisco plane. All right, let's talk more about web servers. You guys ready for more? All right, Mikey, take it over, buddy. Money is cool. People manage their money through web applications, and that's convenient, but it's not necessarily such a good idea. You know, the online banking and things like that, they get hacked all over. Well, actually, you don't really hear about it that often, but they do get hacked all over the place, at least all the ones I've looked at have vulnerabilities. My mortgage company, actually, I've been fighting with them for... Well, actually, I've moved away now, so hopefully I'll be done with them soon, but I've been fighting with them for... Did you sell your house? As soon as I do sell it, I'm done with it. Good luck with that. Yeah. Anyways, their web application and my mortgage and my online banking and all that stuff. Session ID is a timestamp. There's cross-site scripting, cross-site request forgery holes all over the place. I actually sent all these vulnerabilities to them. Okay, let's keep going, actually. My statements are actually PDFs that are just sitting there on the server. Sequentially numbered probably. Sequentially numbered by your loan ID number. Yeah, let's go. Yeah, actually, during tax season, my social security number's in there, too. Great. In a publicly accessible folder? Yes. I'm not even telling you guys where I live. Yeah, he's not going to tell you what bank he uses because you guys probably have this problem, too. All right. So I reported a whole bunch of issues to these guys. The response comes back. 
All right, the timestamp issue, it's not a problem because we have a secret formula we use to generate that session ID. I'm like, no, it's a timestamp. I did it. I stole my own session three times. Yeah, I know about these things. And they insisted that the cross-site scripting holes don't matter because they have countermeasures on the back. And I'm like, no, I stole my session three times. The PDFs, they actually did apologize for that and remove just the PDFs with my social security number in them from the server. But the links are all... Actually, I actually just got that wrong. They removed the links from the server. The PDFs were still up there until I complained the second time. Put the fish back. We've got different aquariums now. Piano, rain music, nature scenes. All right. Okay. Whoa. No. I do not need that. Anything that says name that fish, you just don't know what's coming up on screen. Nobody wants a Lindsay Lohan shot or anything. David Soxby's reef aquarium. Yeah, I went there. Okay. That's the online banking apps. These are the online banking apps. They're pretty bad. They're not the worst out there. Who's heard of my money? It's actually not very big and there's a good reason for it. Online banking through Facebook. It's a Facebook app. Dude, this is a terrible aquarium. That is quite possible. Or it's like Quentin Tarantino style. Fish are all packing. Resident of Water Fish. Go back to the fireplace. Yeah, we're going back to the fireplace. I'm stoking up the fire now. All right. So my money. Facebook app for what? Hands up on the table. You don't want to be stoking up the fire. Okay. Anyways. It has vulnerabilities like the fact that you can put a different Facebook user's user ID in and get a different profile to come up. You have to guess which users are actually using this My Money app, but it's not hard because there's a list of the fans. 
And the advertisement page from this company that created it says something to the effect of "you can harness the power of social networking to advertise your bank" or some shit like that. It's robbed on the net. Free. And by the RBN. Yeah. So My Money's bad, but at least they're trying to make things private. Well, sort of, ish. Blippy. Everybody's used Blippy. I use Blippy. I want everybody to know what I'm buying. All right. Blippy is awesome. Let's just skip that one, actually. We don't have time for it. It'd bring me off into an angry rant. What else do I have? This is my lazy, my depressed hungover rant. I have many flavors of rants. All right. Where should I go next? Source code. What? So while the hamster's getting back on the wheel, one of the, so we work with, we want to talk about web services for just a second. Just a second. We'll talk about web services. I think that was the title of the talk at some point. If anyways I can, Dr. Pepper, I've always wanted to say "trust me, I'm a doctor" and hold that up, so I'd appreciate that. Anybody has some beer? I want beer. Dude, it's way too early. It's way too late. So lately, there's a talk I'm working on called "No REST for the Wicked," and REST stands for representational state transfer, REST for web services. Now, does anybody know the main problem that I could possibly have with REST as a security person? Wow. It's insecure. The answer up front was "it's insecure." Good answer. So REST calls are entirely unstructured. So I'd like to, I'm a testing kind of guy, I like to poke and prod at things. So if you're writing something, I need to be able to write a script or create... The problem with REST is every developer gets to choose how they implement it. For those of you that are, I don't know why people are still coming in. Should we stay afterwards? Yeah, that must be a really good talk after us. So for those of you new to the room, we're playing a game called "what could possibly go wrong."
When I do this, everybody should say, right, cool. So testing these things is evil, and I think the only people that actually write RESTful web services are the ones that either don't know how to code or are too lazy to follow rules. There's this whole thing about how, you know, APIs are, if you really need a lightweight API, go with REST. I prefer to say that if you don't ever want to document what you're doing, go REST. Go rest. Get it? No? Wow. Okay. It wasn't that funny. Working on a... I don't know if I can tell you who it is. So working on a particular implementation of REST, there was a set of services on a particular domain that interested me that was passing data back and forth, and it was just a serial string of numbers. And anytime I see numbers passing back and forth on a social media site that I use a lot, I'm always interested. And I think Mike, you might have mentioned this at some point. Not that I can talk, but you've mentioned this before. And I was very interested in watching things kind of go by. And I like to tinker and manipulate. So at one point I just started randomly putting things into the string that was being passed around. Interestingly enough, if you take the number 1 out and put in a string of script and just let it go, it gets passed around to 21 different servers eventually. Because how do I know this? Because they all posted back their IP address. Some of them the same IP address, but you can use me more. So the moral of the story is, I had a conversation with one of the folks that writes this and he says, well, developers get to write... Are you flicking us off? What is that? Oh, sorry. He's telling us to hurry up. He's telling us to hurry up. Cool. Thanks. We can fire off into a wrap-up rant soon. Wrap-up rant.
And he says, well, the developers wrote an open API that allowed outside folks to, sort of, you guys know where we're going with this, to allow outside folks to start writing their own code and to create new interfaces and new plugins and new gadgets and crap like that. And the flash of brilliance there is that we want to leave it as unstructured as possible to not restrict creativity. You guys got it now. Well, what could possibly go wrong if you cross-site script, like, a crap ton of this domain completely by accident, unfortunately from your corporate IP address? And the biggest challenge you have with something like that is, again, testing it, right? So figuring out what it does as security guys, you know, you guys go back to work at some point, and some of you work. The rest of you just make my life hell. So if you go back to work on Tuesday or Friday, what is today? I don't know. Whatever today is, whatever, then you go back to work. You'll look around your company for REST web services and ask yourself, how the hell are you going to test that? Because they're not going to document it for you. There's no pretty XML structure. There's no SOAP envelope. It's just crap streaming back and forth. So I thought I'd just throw that out there as a closing thought from me. Good luck. So there's a lot of things that are being pushed into the web. There's a lot of web services out there; some of them are useful, some of them are good ideas, some of them are bad ideas. One thing that everybody here, we really haven't even gone over it that much, but I want everybody here to understand: there's absolutely no security built into the web. Wait, what? Is this a shocking revelation to anybody? Because we've been trying to hack on terrible, terrible fixes for web application problems for 15 years now. More than that, actually. Browsers are incredibly insecure. They have no boundaries. Web applications have no inherent boundaries built into that. We're trying to hack it up.
See, I'm actually just about to get momentum here with my rant. He stopped it. He killed it. Browsers suck. I'm going to get my momentum. All right. I've hacked his brain. You've hacked my brain. I win. Anyways, web applications are very insecure. Cross-site scripting, cross-site request forgery, these stupid little attacks that are getting people owned right and left all the time. They're not complicated, but they're incredibly useful because they work everywhere. XSS is like the universal API. It makes it so that you can integrate your web application with anybody else's. Anyways, whatever. People want to move things onto the web, whether it's the admin panel for your network appliance or, is there a reason that your firewall really needs a web application? If you can't work the CLI, you shouldn't be managing a firewall. You realize it just disqualified about 50% of the firewall built out there, right? Speaking of, earlier this year I found an XSS in the Palo Alto firewall within five minutes. It was the first place I looked. I think that people just aren't looking at them because they're expensive, and people who have spare time aren't actually looking at them. It's just as we have, and most of them are really dangerous. I'll finish up with one story. Go for it. How much time do we have? We're done. Hey, cool. Hey, thanks.