I will immediately hand over to Dino. He is the CEO and founder of TellSpace Systems, a South African IT security company founded in 2002, and on that note I will hand over, now that we've got the tech.

Cool, thanks for the patience everybody. I felt a little bit helpless there, but we'll check. Thanks guys. So I'm going to get straight into it. It was supposed to be a 50-minute talk, so we're going to push it into a 30-minute talk. I'm going to speak pretty fast, so sorry about that. But thanks for sticking it through, thanks for coming to the talk, and thanks to the organisers. Appreciate everything.

So, a little bit about me. I work in the penetration testing space and have been for about 20 years, pretty much trying to keep a work-life balance and not really working properly. I'm about 4,000 to 5,000 RFQs into my career, so I thought, let's make a talk about some interesting points that I've seen.

So what exactly is this talk about? Essentially it's about killing the buzzwords. It really irritates us. What we're seeing at the moment is APT stuff, kill chain, next-gen, all that kind of stuff that people are buying into, and when I say people I mean corporates; they're buying into that kind of marketing. So how easy would it be to make a company, put a website up on the internet, when that company could be fake, apply for RFQs and RFPs, and take advantage of those processes, and a lot more in line with that? But for me there's a lot that's incorrect with the RFQ process. There are a lot of problems with it. And what I really want to stress here is that companies are getting broken into now from passive compliance, from things like patch management, misconfigurations, phishing. It's not really some insane zero-day they stole or whatever, sorry. So don't buy into the hype.
That's the problem that we're having. So what are we doing wrong? What's wrong with the RFQ process? Essentially it's the procurement process, and whether you're in blue teaming or red teaming doesn't really make a difference; this talk is going to be quite interesting for you. It's also not specific to my country. I'm from South Africa, and it's a worldwide issue. I'm going to be showing you real-life scenarios, real-life networks that I've seen, that are publicly available for you to go and see, and the kind of information that's going to help you during the enumeration phase.

Essentially, when companies want big sets of work done, they go out on the RFQ process. In other words, let's say there's a big pen testing job that needs to be done over a year, or let's say endpoint protection needs to be implemented. They go out on RFP and say, hey, we're looking for suppliers that can help us with this specific need. On my side that's quite cool, because you can get a lot of information from that as a potential pen tester or an attacker. And there are a lot of complications with that. Essentially what you're doing is inviting the criminals in, inviting the hackers in, to come and learn more about the inner workings of your company. It can be likened to the insider threat.

Case in point: last month we attended an RFQ briefing and there were 40 companies there. In my country we don't even have 40 pen testing firms; we have three or four. So there was a whole bunch of random people there learning some really hectic stuff about networks. The list of people who come isn't really even vetted. So it's a big problem. We're inviting the hackers in. We're saying, hey guys, this is our entire list of IP addresses.
This is what our internal network looks like, this is what our diagrams look like, please give me a quote. That's amazing. So we could be sharing this really confidential information with people that we don't know. That's what we're doing. And when you're actually doing a pen test, or if you're on the blue team or red team, that information is generally available on the internet. Sometimes it's still an advertisement in newspapers, because especially for government you have to advertise these things so that it's a fair process. I'll get into that a little bit more.

Case in point: if we tender for a set of work and we go in super cheap so that we specifically win this work, because obviously price normally wins, and we're a really bad company, a malicious attacker, we know we're going to win that work. So we gain access to the whole network without really doing too much. We're not a legitimate pen testing firm; we're the bad guys. Better yet, what we can really do is find out all this information about the actual penetration test and about the actual company, and then when the RFQ process ends we can drop out of it. Then we know, as an example, that a penetration testing firm is going to be doing testing during a certain period. We know this is happening, so during that period of testing we can penetrate the network as bad guys, and they get blamed for what we're doing. That's going to happen. So if you know you're getting a penetration test, and we take down some servers or whatever the story is, that real vendor is probably going to get blamed for what we did.

All right, so what about resellers? The massive problem worldwide is that there's a skills shortage. Everybody knows that. So a lot of people are reselling services as well.
We often find out about actual tenders through random resellers that want to make money off certain types of jobs, like antivirus or endpoint security or whatever it may be. And really it goes back to what I said: it's because cyber is hot now. It's a cyber thing. So everybody is trying to make money off that, and I hate that word. Actually, in line with that, we've got badges that say forget the buzzwords, so if anybody wants a badge after the talk please let me know. We really feel that people have got to stop talking about the cyber stuff now.

But essentially what resellers do is put a markup on a markup on a markup on a markup, and your price is like 10% at the end of the day in comparison to what they're actually charging the end customer. So what I'm saying, in terms of resellers and everything else, is that you need to test the procurement process in your organisation as well. When you're doing penetration tests, that's a huge portion of it. So if you're doing a red teaming assessment over a period of, let's say, six months or whatever it may be, test the procurement process. Try and sell something to the company, get on the books, get into the company that way, so you become a contractor for something completely random but you're inside the business through the procurement process. You could sell toilet paper; it doesn't really matter what you're doing. So attack the procurement process is exactly what I'm saying, and if you're on the blue team, take a look at those procedures.

Proof of concepts: this is amazing. Has anybody ever been asked for a set of work first to test you out, and then if that works well they'll give you the contract? Don't ever do it, because it happens a lot and it's again incorrect procedure. It shouldn't be in an RFQ process.
What you're doing is giving a bunch of random people access to your network, if it's in production, to test. So, a case study again: the international bank was massive. We got asked, as an example, to give them a quote for some pen testing work. We gave them a quote. They came back to us and said, oh cool, we want to go and do the stuff. Anyway, they asked us for a free test and we said no, and then they said okay, cool, we'll find another way to do it. What did they do? They came up with the RFQ and included the proof of concept as part of the terms of the RFQ, but on a non-production server. Anyway, they came back to us and said, oh, you guys have made the finals, it's between you and somebody else, you have to do the proof of concept. We said all right, give us a non-production server. I don't think any of you will guess that they gave us a production internet banking application to test, and then they WhatsApped us credentials, two sets of credentials. I don't even really know what to say about that, but that is a legitimate case that actually happened last month. So proof of concepts are really bad, don't do them; there are a lot of other reasons behind it, but legitimately it's really bad for business and for procurement and for security.

Okay, so how do we exploit this process? This is a really complex diagram, and you can see that from this we created a 160,000-line piece of software that enabled us to exploit the whole process, so we can get all this information and correlate events across different media, which enabled us to gather advanced information. I'm actually completely joking: that's a search engine optimisation diagram, and we don't need to code anything. Just go to Google and search for RFQ and then the company name. There's nothing complex about it at all.
What I'm going to do for you is put URLs at the top of everything I show you, so you can see that it's not something that's made up. You can literally go there. Sorry I'm speaking fast, but I've got to get through this within a certain amount of time.

All right, let me give you some personal examples before we go into the ones that are available on the internet. We had a company that issued us a $2 million purchase order for a set of work that wasn't actually supposed to be given to us; it was supposed to be given to another pen testing firm. I don't even know how that happens, but again, a procurement issue. We had a government department, a financial intelligence centre, issue us with an award letter with our major competitor's name on it, with their pricing on it, saying, you know, congratulations on winning this work. That was supposed to be cheapest tender wins. We knew that obviously wasn't the case, because we had this letter. We have a major worldwide telco, very hard to get on these lists, very hard. They sent us the entire Excel sheet with every single vendor's pricing, with every single role that they have. It's just crazy. This kind of information is being leaked, and it's really confidential information. This is stuff where we know what's being tested by certain companies and we know how much they're charging. We could just phone up and say, hey, we're phoning you from XYZ as part of this pen test, and then do certain things. And even worse, we had a massive revenue operator, like an internal revenue service, a similar thing. It was catered for a specific vendor, which is very, very common as well. What happened here is that they told us we couldn't win the work because we didn't know an internal acronym for a specific system that we had never dealt with before in our lives.
So that also happens, where specific vendors are catered for in this kind of process. But that can also be exploited, because if you know, as an example, who these companies are using on a regular basis, and you know that nobody else is doing the work, you can call on behalf of them again or do something malicious.

So what can we get from this whole process? A whole bunch of stuff: network diagrams of very, very confidential stuff, internal incident response procedures, internal and external IPs, hosts, websites, applications, firewall types, firewall rules, question and answer sessions, patch levels, operating systems. The list goes on. The more you search and the more you get into it, it's like this really deep rabbit hole and you get involved in it. For this specific talk I went over 350 RFQs, and I just couldn't put them all in here; it's that simple.

So let's get into the meat. These are real examples. You probably can't see at the back; if you can, you've got amazing sets of eyes. These are international companies, and I'm going to give you examples from all over the world. This particular example is from the UK, and it's a typical RFQ document. It's a nice breakdown here of what these guys are running. If you look over here, it's telling you they're running a Rome SSL VPN and BlackBerry Enterprise Server. I don't really know who runs BlackBerry servers anymore. Microsoft Exchange and Outlook, what kind of antivirus they're running, general-purpose file servers on the SAN. It carries on. It's a very big tender document, so I'm just going to fly through this. But it carries on in terms of the BlackBerry Enterprise Server, Exchange, Outlook, and how they actually handle the data, what's in scope, what's out of scope.
But we can see that they run super outdated versions of Outlook here, and there's really no support for patching those either. Right at the bottom you'll see that the laptops run Outlook 2003 and the thin desktops Outlook 2010. So we know there's no patching on those. You can see where I'm going with this for your internal recon. You can also see that there are two MS Exchange servers that are subject to specific health checks that need to be done. But this carries on in this document. This is the best for me: it's Windows 2008 domain controllers. They even tell you which offices they're physically located in, so you can see there's one at Sheffield, for example, and there are antivirus deployment servers there. They're running Windows 2003 DHCP servers. And this is a very, very big international bank that's running with this. If you're an attacker you know that you're going to go for the 2003 servers or 2008 servers; it just really depends. And a lot of them just can't get patched.

The nice part about this is they tell you what's out of scope as well. So they don't just include what's in scope, it's also what's out of scope. But it's amazing, because they tell you that there are 16 firewalls, so 16 firewalls where the extranet is. They say they have nine PIX and specific ASA firewalls, with 18 Nokia, which is also something I don't see very often. It's at the bottom here, and it tells you that there are seven firewalls in Sheffield and, amazingly, 17 in London. So it gives you a really good idea of where things are physically located, not just for internal pen testing and external pen testing, but for social engineering as well.

Right, this is awesome, because if I'm an attacker I'm looking for some kind of web application.
Typically that's going to give me easy access. This one goes into detail about how things are uploaded through edu-serv, which is an educational platform. They have upload and download facilities here, and if you're into application assessments or web penetration testing, you pretty much know what you have to go for there: upload a shell and there you go.

All right, so I catered a little bit more to the US as well for this. So you're obviously government. At the top you'll see luck.gov, and what I've done is put the whole URL there so you can go there now if you like and check it out. But it's across the board: anything from telcos, banks, gov, it carries on. This is a little bit blurry I think for you at the back, so I'm just going to go into it a little bit. On this side you can see, over here, two domain controllers, what versions they're running again, how many IP addresses are internal and external. So we know it's probably one flat network, no segregation. And what kind of Exchange server they're running once again. At the bottom, what kind of firewalls they're running. It's given us a really good idea of how Oaklawn government works. So in terms of enumeration we don't really have to do too much from our side. Sometimes it actually goes into deposit compliance policies even. They're giving everything on pretty much a silver platter.

Here's another one, this is from Kirkland, also a government website. It's quite cool because this is something separate from what this talk is about, but at the top you can see assets, finance and admin, finance and admin, PDS purchasing, and it carries on. This is what we call the Q&A document. Earlier in the presentation I told you about questions and answers, right?
So what happens is, when you pitch for the work, you can ask questions, and it's up to the customer whether they're going to tell you the answers. This is awesome, this is amazing, because it even tells you they're running some form of a SCADA network. You can see on this that electric, water and sewerage is actually in scope for penetration testing. Even more mind-blowing, they told you when the last penetration test was done: this was 2011. You're probably going to find quite a lot of stuff. And it carries on again: what kind of devices they're running, running Cisco devices, all of our servers are running Windows, and we standardise the operating systems to Windows 7 or Windows 10. So from the outset you know which exploits you're going to need, what you're looking for. This is actually really funny, because one of the vendors asked at the bottom, and I don't know if you can read it at the back, are there guard dogs and CCTV and fire extinguishers? And you know what they said? No, we don't have guards or cameras or dogs. So pretty much for social engineering you're cool, you're good to go.

More worldwide ones. This is quite serious, because there's a question and answer document to this as well, but I want to give you different kinds of examples. This one is a network topology. I know it says proposed network diagram; that's actually underneath the specific screenshot. But you can see the IT and the interpret diagram, high level, is covered under the audit which is provided below. This gives you everything: how the internal network is structured, how the external network is structured, where the firewalls are, and in the bottom right is all the endpoints. So you know where you've got to go in terms of your actual attacks, which is quite cool for us, not for them. This is amazing.
This is an internet banking platform, and they let us know what kind of platform it's running off, how many external IPs they have related to that, and what kind of product it is. They're running Oracle 11g, only one server. So what we're finding here is that the banks aren't shy about giving us information either, and I'll get into SWIFT a little bit later. But this carries on; it literally is an endless thing.

These are also possibly one of my favourites, between this and another one. These are web applications. Web applications are quite cool, because when they go through scoping documents, they're sometimes very sensitive, like these ones. This is a CCC payment portal. They give you a URL, a temporary URL, with temp in brackets. It goes down to what versions are running in terms of MySQL and PHP, whether there are multiple roles in the application, five different roles in this case, and whether we're going to be testing in production or staging. This one says staging. But we kind of already know what it's going to be like, because if we're an attacker we can just start attacking that now already. On the other side it's quite funny, because this is for IT security professionals. In the top right you'll see that this is primarily used for facilitating e-learning. Again it goes through the same questions. We've got everything, right? We know that it's running this specific version of Moodle. I don't know if anybody's ever worked with that before, but you know there are a lot of vulnerabilities. So we know what to attack before we've even done anything invasive. Again, it's part of the same tender. Project name: it's a BigBlueButton web portal. We get another URL that we can test, and again we know this is JSP, staging environment, the same kind of information. I'm not going to go through it line by line.
In line with this is more problems with the RFQ process. I don't know how many of you have actually dealt with it, but again for your penetration testing and social engineering it's quite cool, and on blue teaming it's good for you to know. There are a lot of platforms that let you know when a tender has actually been awarded. In other words, let's say a whole bunch of guys went out for work and, you know, we won the work, or whatever the story is. This is a platform in my specific country, but we have one; there are a lot here in the USA as well. So if you have government spending, you usually know who actually won that specific contract. I want to go through this in a little bit of detail, because this is a massive issue. We know who's actually winning tenders. This is a problem.

So this was for the Financial Services Board, and this is public information; the URL is at the top of this. It's not like we did anything dodgy. We can see that Deloitte has actually won this set of penetration testing work, right? And we can see at the bottom a whole bunch of other vendors who were not successful, but also the directors' names. There are one or two vendors that you'll know are really good vendors, and then you'll have a lot of other vendors that you've never heard of, and that goes in line with what I said earlier about dodgy resellers putting markups on markups on markups, and you don't really know who's actually testing your network. But another problem with this is that you can phone, in this case from Deloitte, and you can start the pen testing or ask questions about their network, because they know that they've awarded the pen testing, and Deloitte, as an example, is a very big company. So I'm phoning from them, asking for information, and when can we start, when is the pen testing on?
It's kind of endless, because if you know when the pen testing is happening, like I said earlier, and you're a bad guy, you can exploit that process. But on what I was telling you about price discrepancies and stuff, I just want to highlight something. If I go back to this screenshot, you'll see there are some really good vendors here, and the average median price is about $200,000 or $300,000, right? And if you go into this screenshot, right at the bottom, that's about $2.5 million. So there's a little bit of a difference there between what we're talking about in terms of resellers and the real guys that are doing the work.

Right, so this is another one; the URL is at the top. This is back in my country, South Africa. It's another Q&A document, because this is awesome again, and this is not specific to my country; we find this in a lot of documents. In this instance we can see again which operating systems are running, but we can see they're running Splunk as well, and at the top it says, do we need to give a high-level network architecture diagram? It's not really required, because everything's from a centralised location. So probably, again, a flat network. The nice thing about this is they break up the endpoints for us as well: about 300 servers, 700 endpoints, so many thin clients, and there are quite a few remaining RPs after that. They even go to a level where they say they only have about 10 firewall changes a month. So that's awesome. Right, this carries on. What specific model of Cisco ASA are you using? Well, they tell us. There are only two of these firewalls, in a high-availability setup. Are you using integrated IPS in the firewall device? Yes we are, which is licensed, and goodness, it's licensed. And the best part, which I actually just left out of this screenshot, is the bottom, and it says, what is the expected SLA response for intrusion detection?
So we know how long they're going to take to react to us if they actually catch us.

Right, this is my favourite one of the presentation. This is our reserve bank. Pretty serious. They go into detail about SAMX web and into SWIFT and Samos. It's quite serious. Again, this is publicly available; we're not doing anything wrong. It's up here. It's business systems and technology, and this is really bad. This shouldn't be online, to be very honest. But it gets much worse, unfortunately, because they come back and tell us exactly how things work on SWIFT Alliance, how it works through VPN and the actual client browser, and this is the logical view, apparently. So anyway, as an attacker, thanks very much, I really wanted to know how things work. And actually it gets worse, which is crazy. They tell us exactly how things work in terms of SAN storage that runs the DBMS, and there's a web application that we can utilise, and transactional messages are sent and received via the Samos application that I spoke about. So transactional messages are what we're looking for to steal the money, and obviously via MQ and SWIFT Alliance Access. But it carries on, going into SWIFTNet, and it tells us how we can send and receive SWIFT messages. To be honest, when you're doing a red team on SWIFT, it's quite technical, so it's quite nice that they're breaking it down here for us, and obviously the SWIFTNet secure IP network. This carries on, and you can look through this in more detail when we release the slides, because I don't want to go through it line by line, but it provides everything from user authentication and authorisation through to how things work, in very, very big detail. The nice thing is it actually tells us that HTTP connectivity works just fine. It's good that they're using HTTPS; it's really pretty much easy money from here if we were to attack this network.
The nice thing here is that they actually tell us about two-factor authentication as well, so we know they're running two-factor USB tokens; it's at the top here, with PKI certificate combinations provided by SWIFT. But the worst part of everything for me personally, besides the fact that they've given us all this, is that at the bottom it says a successful vendor will be provided with additional details. We don't know how much more we need; we kind of have everything here. But it says that happens once we've actually put an NDA in place. Okay.

So I just wanted to highlight here that, again, this is not just for penetration testing; this is across the board. Whatever you deal with, if it's AV as an example, if it's EDR, if it's anything in cyber, like I was talking about earlier, all those hot words that are the buzzwords at the moment, it's everything across the board. Just to reiterate that towards the end of my presentation: this is obviously a very big municipal government website, and it's in Canada. We just provide a lot of different stuff, and these guys went out specifically for endpoint protection. We know they're running Symantec Endpoint Protection, we know which licences they're running, we know how many units they need, and it carries on. You can really get sucked into this information that's out there. And it's not just a random target; it's a very specific target that I looked for, and different sectors, for example. So this one, for example, is municipal government; previous ones are telcos; the one I'm going to go into next is actually a gas company. So this is a man gas, and it's a huge multi-billion dollar company, and again we're looking at endpoint protection for these guys. We know that they're running McAfee Plus endpoint protection; they're looking at CTP, which is Complete Endpoint Threat Protection, all these fuzzy words again; and we know again how many endpoints
they have, and so forth. So what I'm saying is that the information you're putting out there is crazy, because we could get, as an example, a McAfee licence and play with it before we actually do our red teaming, or if you're a legitimate attacker you're going to have those anyway. What I'm saying is that all these processes are in place in corporates to stop fraud and everything else, but they're not really working in our industry; it's actually adverse, working in the opposite direction, because when we do a red team or a pen test now, we look for whatever's out there before even doing scans and Nmaps and everything else.

On the other side of that, solving this issue is really hard. It's not something that's going to be solved overnight, and I can only give my best advice based on what I've seen in the last 20 years. It's hard, it's really hard, because your hands are tied: if you're a security professional you have to go through the normal procurement process. But a closed tender process with trusted vendors is a must. So vet all the vendors that you use. They have to be properly vetted and qualified; you can have contactable references with track records; they have to have a work history for each staff member that works on your project, and they have to have criminal and credit checks; the whole company should be vetted. So it's not just randomly putting it out there. Don't advertise in newspapers, e-newspapers or on websites. I know it's tricky for procurement, but you can show them this presentation if you like. For me the bottom line is: don't put information out there that you wouldn't be proud of sharing with potential intruders, because anybody can get this information. So remember this presentation next time you're doing a pen test, or if you're on a blue
team and you're going out for pen testing or EDR or whatever it may be. And that's basically it. I think I have two minutes left from what I can see, but thanks very much guys, and thanks for waiting earlier with the AV issues.
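The closing advice of the talk, that you should not publish anything you would not be comfortable handing to an intruder, can be turned into a pre-release check that procurement runs over a tender before it goes on a website or into a newspaper. The script below is an added example, not code from the talk or from TellSpace Systems: it scans RFQ or Q&A text for the categories of detail the talk shows leaking (IP ranges, internal hostnames, OS and product versions, firewall models, the date of the last assessment, physical-security answers, incident-response SLAs), returns a verdict, and produces a redacted copy that can be published while the specifics move behind an NDA with shortlisted vendors. The sample excerpt, the category names and the regular expressions are all constructed for the example and would be tuned to a real organisation's vocabulary.

```python
"""Pre-publication scrub for RFQ / tender documents (added example, not from the talk).

Flags the kinds of detail the talk shows leaking through public tenders so that
procurement can move them behind an NDA with shortlisted vendors instead.
"""
import re

# Constructed sample in the style of the RFQ and Q&A documents discussed in the talk.
SAMPLE_RFQ = """Section 3 - Environment overview
The estate has two Windows Server 2008 domain controllers and three Windows 2003 DHCP servers.
Mail is Microsoft Exchange 2010; laptops run Outlook 2003 and thin desktops run Outlook 2010.
Internet banking runs on Oracle 11g on a single server at 203.0.113.10.
Internal range is 10.20.0.0/16; management hosts include dc01.corp.local and syslog.internal.
Perimeter: two Cisco ASA in HA with integrated IPS licensed; 16 firewalls in total across sites.
Q: When was the last penetration test performed? A: The last penetration test was in 2011.
Q: Are there guard dogs or CCTV on site? A: No guards, cameras or dogs on site.
Expected SLA response for intrusion detection is 4 hours.
"""

# Category -> regex (hypothetical categories). Non-capturing groups only, so
# findall() returns whole matches rather than group fragments.
PATTERNS = {
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?:/\d{1,2})?\b"),
    "hostname": re.compile(r"\b[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.(?:internal|local|corp|lan)\b"),
    "os_version": re.compile(r"\bWindows (?:Server )?(?:2000|2003|2008|2012|7|10)\b"),
    "product_version": re.compile(
        r"\b(?:Outlook|Exchange|Oracle|MySQL|PHP|Moodle|Splunk)\s+\d+(?:\.\d+)*[a-zA-Z]?\b"),
    "firewall_model": re.compile(r"\b(?:Cisco ASA|PIX|Nokia|Check ?Point|FortiGate)\b"),
    "security_control": re.compile(r"\b(?:IPS|IDS|EDR|SIEM|antivirus|two-factor|2FA)\b"),
    "last_assessment": re.compile(
        r"\blast (?:penetration test|pen ?test|assessment)[^.?\n]*?\b(?:19|20)\d{2}\b"),
    "response_sla": re.compile(r"\bSLA\b[^.\n]*?\b\d+\s*(?:hours?|minutes?|days?)\b"),
    "physical_security": re.compile(r"\b(?:guard dogs?|CCTV|cameras?|security guards?)\b"),
}

# Anything in these categories hands an attacker targeting data directly: block publication.
BLOCKING = {"ip_address", "hostname", "os_version", "product_version",
            "firewall_model", "last_assessment"}


def find_leaks(text):
    """Return {category: [matches...]} for every category that fires at least once."""
    findings = {}
    for category, pattern in PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            findings[category] = matches
    return findings


def classify(findings):
    """BLOCK: must not be published; REVIEW: needs a human look; OK: nothing found."""
    if BLOCKING.intersection(findings):
        return "BLOCK"
    if findings:
        return "REVIEW"
    return "OK"


def redact(text):
    """Replace every match with a category tag so a scrubbed version can still be published."""
    for category, pattern in PATTERNS.items():
        text = pattern.sub(f"[REDACTED {category}]", text)
    return text


if __name__ == "__main__":
    found = find_leaks(SAMPLE_RFQ)
    print(f"Verdict: {classify(found)}")
    for category, matches in found.items():
        print(f"  {category}: {matches}")
    print(redact(SAMPLE_RFQ))
```

On the constructed sample the verdict is BLOCK, because the excerpt names IP ranges, hostnames, OS and product versions, a firewall model and the year of the last test; the redacted copy keeps the shape of the requirement (two domain controllers, mail, a perimeter with firewalls) while the specifics are replaced by category tags. The physical-security and SLA answers only raise REVIEW on their own, which is the point at which a human decides whether the Q&A answer should have been given at all.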