I'm going to say the name wrong, I guarantee. I've got my speaker Amaro here. If I've said the name wrong, I've said everybody else's name wrong all day long, so he's just going to smile and be like, "Yeah, that's me." Okay, the final talk of the day is "I Fought the Law and the Law Lost". This is part of a series of talks that aims to collect vulnerabilities in the Argentinian security forces, and without further ado I will pass over to Amaro right now. Thank you.

Hi, how are you? Well, now do you hear that? Well, this is a talk that was intended to be a series of talks of many Argentinian security forces. I know my pronunciation is not the best, so I ask for your pardon in advance. If something is not understood, just raise your hand and I try to say it slowly or better. As this is the final chapter, it's intended to last at least for an hour, so I have cropped it out and trying to make it on a short way. So I'll go a little faster on the first part; it's not as important as the last one. The first part is basically every antecedent that got the Argentinian security force system to what it is today about one. So let's start.

This is a brief introduction. My name is Mauro. I was born in the 90s in Argentina. I worked all my life for the government on different sites, not something right. I have a really little security firm; we are very few people from Argentina, and every contract is based on government or security forces.

So we are in an apocalyptic situation now on what is related to security forces. We have what we call the four horsemen: four events that carried out what it is today, what is the current status of our security forces. A fifth talk is the final chapter. I have divided in those four events. Everything disclosed here is publicly available or retrievable by making OSINT queries, or even reaching the news or Pastebin or any other place where I'm here.
So the four events that took us to what we have today in Argentina were the following. We have a leak from two federal forces happening to work together; they were the Federal Police of Argentina and the National Gendarmerie. The leak of the Ministry of National Security during a spear-phishing campaign that led to the disclosing of many officials', officers' and public figures' accounts. The Buenos Aires City Police internal leaks led by unhappy cops; it was an internal leak. And the Buenos Aires City Police entire database dump contained the personal information of every officer, agent and even the political side of the force, tossed from the security minister of the city. It's a long way to get here, so let's start.

The Argentine Federal Police suffered three attacks; two were made using the same technique. On 2010 it was a defacement led by the ACIB gang, they are very popular on the police side hacking is in; the "PFA wears Prada" on 2011; and Project X, which was a national scandal.

Let's start. Abusing the PUT method on the web server, they lead to a simple defacement. Everything was hit; was nothing really, really surprising. It lasted for an hour and it was gone. They just restored the site like nothing had happened. Then, this is the photo of the leak, of the defacement, sorry.

Then the next year they made another defacement using the PUT method again. It was, in Spanish, "La Federal viste a la moda", is a reference to the movie The Devil Wears Prada. Using the PUT method again, they defaced the site and saw an image of someone dressed as a policeman during a gay parade. This was intended as a simple joke, but it posed, it exposed, sorry, what was our security setup from a federal force, a federal force that deals with drug trafficking, with human trafficking, with money laundering, with things that might be hosted there or not but are dangerous to be exposed on that way.

Then on 2012, it was a year of really hard political tensions. There were many people doing what we call the cacerolazos, the popular
like a popular march, and people gathered themselves via Facebook to march on different places of the city. During one of those marches, this leak and defacement happened. There was a rumor that it seemed verified to this day that the Argentine Federal Police participated together with Gendarmerie on a civilian surveillance or espionage campaign. There wasn't any proof of that; it was like a rumor. Then the group was leaked to be called Project X.

Okay. Then on September, during one of those marches, the PFA site suffered one of the last attacks. During the defacement, the hacker published some links to internal databases of the sites. One of the databases contained information about PFA, the Federal Police, and GNA, the Gendarmerie. They are two forces that are not related; they didn't even have the same tasks. The Gendarmerie, it's like a border patrol, aside from having tasks like drug trafficking, smuggling, human trafficking too, and the PFA have other tasks different to them. So why were they working together, as there were no political agreement, no police agreement to work together?

The leaks went viral during months. People used those leaked passwords, to reuse their passwords, to enter their personal accounts, personal police accounts. Then it started like a viral thread on Taringa and many Latin American sites, disclosing what it was. Later, a new leak from the original leak happened here in Project X. People started doing their own OSINT queries, started to hack, if we like to call it that way, into the police accounts, the personal accounts, creating new dumps, for example Facebook of police officers, Twitter of police officers, everyone with its user and password. Some people reconnected some of the names in the dump and they discovered that there were only officers, there were personnel of ministries, the justice one and the defense ones, that by law, by constitutional law, are not allowed to work together. Justice and securities for internal
use, while defense is for external. Changing rates and other forum people started using OSINT against those names and posted them on the internet with information such as workplace, other contact information, and created like a viral chain of new leaks every day.

Passwords were stored in plain text and mostly were reused in other sites. Many of them can be easily found on dictionaries like rockyou.txt. The published files were MDB, Microsoft Access databases, so anybody could have downloaded them, as they were served publicly.

This is the fault of the leaks. For example, here is people mocking their passwords. For example, here's another one saying, "Hey, those passwords from the police stations accounts are working. Go now and download them before they change them." So people was advising other people to keep on leaking. Once again: "Hey, this information is true. I have entered on a Facebook of a girl." Those passwords are used on this system, but many other people reused them.

Later the attacker did an ask-me-anything on Reddit and confessed it. He abused a default template file, a gsp file, to upload files. It was an example that was never deleted when deployed. He used it to upload a shell, then he got it right and hacked it. Finally the site went offline forever, while no one gave an explanation of what happened, not from official sources or from the police sources. Project X was never heard again.

Well, the whaling of the minister of security during January. Every time I talk about a security force or a government office I put their logo here. Sorry. Okay. During January the last year, the minister of security's Twitter account was hacked, announced her retirement and published personal data, their personal phone, not the work phone, not the one this Twitter account was registered to. The attacker claimed to have owned more than 30 mail accounts from the ministry, including one reserved to organized crime. To this day, something I
haven't written here: even our intelligence service was leaked, and they were using, to this day, Hotmail accounts. They haven't used any institutional accounts, but they were official; they were used for official business. Okay. And then the entire national criminal information system was leaked too.

Here you have Patricia's number. Patricia Bullrich is our minister of security to this day. Then, Patricia Bullrich, MinSeg is minister of security, Ministerio de Seguridad. Here we have Movistar; it's a phone company, it's just like it and the very song. This is an official request, what we call official, an official request of information. For example, Federal Police wants to listen to these lines' conversations. So whatever request for official information that was made, it was copied and dumped and leaked.

So try to imagine what is happening behind the scenes. Let's suppose you report a drug trafficker: this guy is a drug dealer. Okay, now that drug dealer knows someone ratted him out, and now it was you ratted him out, and even knows who the cops working on his case are. This is really dangerous, but it's a real threat to the original guy who reported it and to the original cops that were investigating him or her.

Here's the hacker saying, "I have complete access to the national criminal information system." As you might see, it was an SQL server with every port open to the world, so he wasn't lying at this point.

As I was saying before, personal data of three sides were revealed. From the national criminal information system, the data of all criminals and organizations, even those who have an intelligence task ordered upon. What means having that: that you're not prosecuted legally, you're just being investigated, but it's supposed that you don't have to know you're being investigated. Well, now you know. Then, from the mail accounts, particularly from the one of organized crime, the data of all, once again, the data of all the agents that participate in tasks
of record and intelligence. That poses a real danger, as we'll see later. In Argentina, public information is really misused, really misused. Some people think that, for example, you Americans have the social security number; we have a tax ID, a DNI. A national ID number or tax ID is composed of public data. For example, as we'll see later, what you earn, your tax category, is also public. So everyone knows where you live, how much you earn and probably which hour you are away from home.

Then another thing: the organized crime division using an email without any key, any cryptographic key, so a simple plain text email. From the mail account of compliance, the data of all civilians reporting irregular situation such as police connivance or abuse. You're denouncing your own police, and they had been leaked. So if you have denounced any cop, he's in connivance with a smuggler, he's in connivance with a human trafficker, now he knows you ratted him out. Is it understood to this point? I know my pronunciation is not the best, but sorry about that.

Okay. Two people were found guilty of the attack and later prosecuted. Later it was found they commanded a spear-phishing campaign where they compromised 30 accounts, including the minister's. Data from people with criminal records and police officers, feds mostly, obtained from the leaks is currently being used on certain data stashes. In Argentina it's really popular to have what I call parasite sites. Every time, for example, our federal revenue agency has a leak, these parasites are abusing it and keeping and storing it. For example, during some years our federal administration got a bad control of the API, so anyone could query it infinitely on a loop. These stashes armed themselves with a database crawled one by one, constantly, and, for example, now you have to pay in bitcoins to search for anyone, just a little satoshis, and you can search for anyone, have their address, have the tax ID, how much they earn and so on.
We'll talk about this during the last week and a lot lost.

Upon dissolving Buenos Aires Metropolitan Police, our mayor, head of government Horacio Rodríguez Larreta, announced the creation of the Buenos Aires City Police. If someone knows the difference between Buenos Aires City and Buenos Aires Metropolitan, I would gladly hear it. Okay. In his own words, this new force is "the most modern police in the world". You know, we are Argentines, we have the better things, the best things are ours, always. I know, you can laugh, no problem.

As the original members from the Metropolitan Police, remember, a metropolitan police is just for the Buenos Aires City Police, a big city, but you know you can't compare a city police to a federal police in any way. Okay, so he signed a political agreement to convert federal agents to local agents, mostly because he could not cover what he had promised: the most modern police in the world.

What happened here is the first thing, the first important thing, more than the other antecedents that lead to what we have today: cops became unhappy. You know, one day you're a federal agent, this is without meaning any disrespect to local agents, obviously, but you train for years to be a federal agent. You're trained and you can take action under trafficking, economic crimes, money laundering, human trafficking, cybercrime. Every time the local police meets on a cybercrime case, has to call the feds. And then you are trained on criminal intelligence, you are trained for years on whatever specialty you want to take, but now you cannot exercise it, you cannot use that specialty. You are like degraded to local agents.

Then a new series of technological control measures were implemented. These new officers, who had their own freedom of working, they worked on their own way, faced from one day to another a new series of measures they are not used to, for example carrying an Android device with them at all times with a GPS enabled and a battery,
how you call it, a portable battery, that tracks their activity and their work turns; they can't leave a minute earlier. That seems good in theory, but what happens when it starts to fail? Let's see soon.

When all these new technological measures stopped working as intended and generated a further conflict instead of resolving situations, the personnel started ranting, first between them: "Hey, this phone, it's not working. It says I'm located one block away, so I cannot start my turn." You know, when you need a cop, you need him here doing his job. Why does he have to deal with a phone that doesn't work, with a GPS that marks him two blocks away, with a timer that says, "Hey, you owe me one minute, stay one minute longer"? What happens when you have an emergency and say, "Hey, you left your area"? Of course I left my area. Then, remember, sorry, first between them and then on the net. Just created what we later see as the blue whistleblowers. People started ranting online and sharing information that should be shared. Remember the station world war once PFA operatives and the data was leaked before, and they continued leaking, but voluntarily.

Let's start checking the perimeter of the most modern police in the world. We'll use a passive recon and we won't try to exploit anything. Once again: so all of the Buenos Aires City Police sites share the same SSL certificate, causing errors like domain name mismatch and marking them as insecure. Every one of them is vulnerable to POODLE, SLOTH and DROWN, from 2014. Okay. This can be checked with third-party tools like Comodo SSL Analyzer. And also our objective was to prove that it was easy as writing four lines of code, so we made a repo on GitHub, a site that you can check this with any other tool you like. Our objective was that, to show that with four lines you can prove our point, choose four or three lines, nothing more. Okay: checking the common name mismatch, that works on every certificate on every site, and for checking POODLE, SLOTH and DROWN vulnerable sites. As
you might see, it fails. Sorry, the message is in Spanish, but I think we all get the error. Then, they are using one certificate for six sites, six main sites, and it works only for one, obviously. I think most of us know about Certbot or all the SSL certificate services for free. Well, it seems they don't know it. As you might see with Comodo, this is SSL certificate name mismatch. In Spanish it says that the certificate was issued for security at Ciudad gob.ar, a domain that doesn't point to anywhere, but they have implemented that way. Then again: private security, public safety, internal network, is vulnerable to POODLE, POODLE, DROWN, POODLE.

One of the sites, a Drupal, sorry, will randomly serve the default Drupal installation script upon accessing it, so any visitor can interact with the instance by installing a new one atop the original. They're browsing and, plop, "Drupal, welcome to installation", and you say, "What?"

The rest of the sites tend to have dir listing activated by default, so we not only discovered JavaScript files but also custom tests the original developers wrote and committed to production. Also upload directories are publicly available. Let's stop for a second on this. If the original developers do not clean up what they are committing, it reminds me of what happened to PFA with the default, remember, the default example for uploading files. It's basically the same situation. You know, "Noticias Policiales" means police-related news; gob.ar, as you might see, is an official site. Okay, the dir listing.

This is the private security site. A few might know TinyMCE; it's a little IDE for, sorry, written in JavaScript. Here an instance of TinyMCE is hosted there, and it can be activated abusing an XSS, for example, if one could be found.

The police recruitment site is inherited from the original Metropolitan site. You can check this: look, 2016. During eight years, seven as Buenos Aires Metropolitan Police and one as Buenos Aires City Police, that site suffered from an XSS vulnerability,
so we can activate TinyMCE. For obvious reason we won't do it. We deploy two books for testing the vulnerability, two proof of concepts that, as I'm dealing again, available at the head. When abusing the input for triggering the XSS, the site locks and prints an error stating a failed SQL query. You know, an SQL injection is possible. For example, what's the malicious script you want to load? malicious.com; that site doesn't exist. With framework it writes your URL, and as you might see the source, it's located. You already load a BeEF framework instance for anyone to visit. This time what we do is executing inline JavaScript: we change every link to malicious.com/trojan.exe on the Buenos Aires City Police. Click here: malicious.com, trojan.exe.

Also we can note that none of the sites implemented captcha systems to thwart automatic requests, not even the firewall or gateway. Also the private security site may need client-side JavaScript login mechanisms. As we all know, you can disable or tamper any mechanism written in JavaScript. No captcha. No captcha; this was one of the site leakage. This one too, no captcha, and also uses the client-side JavaScript. This site was on leakage. This is the real quick: Sophos again, file it as a cell and no captcha. This version of Sophos provides no captcha by default. So, on the other hand, Sophos was questioned as true a few months ago because it's happy uses MD4 hashes without salt, without pepper, simple and plain MD4 hashes. You know, hashkiller.co.uk or any online service for free can break them in a matter of seconds. It was broken in 2007. It should not protect anything.

The Blue Phreaker. This is a character that appeared during the blue whistleblowers. Every police and every officer had an assigned phone, a custom Android phone assigned. One of these guys, that isn't a hacker or a phreaker by itself, started playing with the phone and located a lot of facts and even rooted his phone and all his partner phones, and they are now out of the police systems. So as a lot
of cops went online ranting, then the phones tracked them at the current location, what we were talking before, does not allow them to enter their servers, all the simple offline that in work hours, what looked like they were absent from the servers or abandoned the servers. They had to explain their situation caused by system failure. They went online exposing this.

This Blue Phreaker published online a series of videos of him breaking the underage locations; obtained billing information from the whole Buenos Aires City Police account, millions more expensive than what was publicly said; privilege escalation to install apps, whatever apps you like. And so with it he installed KingRoot and if definitely countered his phone. We did his scan and his APN network, finding a lot of weak assets and even some of the printers that were vulnerable to flaming. You remember that botnet, printed robots all around the world? Well, the default port open, 9001, without any password. This step is the other talk.

As you might see, these are like homemade photos. He was just working around his service, taking photos of what he was breaking: installing social networks, then looking for routine. Sorry for the quality; is as he's admitted, he's admitted it takes away. And then this guy, this is him making a query that any phone can make, sorry. He's asking with that number about his billing information: how much money do we owe to the company? This might take a second. As you might see, nine millions. Well, it's not really.

Then another incident happened some time ago, before the leaks. A subway camera with an attached monitor failed and crashed to desktop. The monitor then showed a login screen with an unmasked password and a public IP address, probably the camera server. It was visible during almost three hours before a Buenos Aires City Police technician repaired it on site. The password was leaking in text, in plain text. This is a really crowded area where anybody who happens to
be can see the password.

The blue whistleblowers. Out of the blue, several pastes containing personal data like users, emails and passwords from various police sites were published on Pastebin. It was later found that those credentials belong to critical assets. The recruitment site, the one I said that had no captcha, was hacked; contained medical and psychological records, you know, that tree you draw to prove you are not crazy, religious, family and personal information for every officer, chief, cadet and patrolman. And the police report database contained information from both criminals, informants and complainants, with PII. Most passwords were "123456" or numeric only. A lot of passwords were personal names. We might see this later. As you might see, personal names like Felipe, Emilio and so on. MD5.

Okay. On 2011 an anonymous blog exposed a complaint about money laundering in the Metropolitan Police, exposing telephones and institutional mails of officers, chiefs and divisions. Once again, these accounts are used for official purposes but are not institutional, so they belong to public domains like Gmail, Yahoo or Hotmail. It was never taken down; it's been some years since it is active. So we'll try to make some OSINT queries over that and find where the leak could have happened, who could have been the zero, the patient zero. As you might see: laundering in the Metropolitan Police, Blogspot.

Let's start crafting intelligence from these stashes, database, old dumps and online rants. One day it happened: the Buenos Aires City Police was hacked and lost three gigabytes of databases with important information. It was a national scandal. As you might see, they were offline, and they were offline for like seven days without having any notice until the fourth day, having that message. So we have a lot of loose ends to follow in order to reconstruct how the last leak was carried on: the original leaks, the minister leaks, the multiple vulnerabilities
they have already, the Buenos Aires City Police leaks, the previous one, the intelligence gathered crossing information from all the above. Warez: we'll see this if we had time later.

Okay, let's try to cross information from the previous section, the blogger one. I think everybody knows Have I Been Pwned. It's a place where you simply enter your username or a password or an email and tells you if it had been involved in any leak. We search for three of the higher chiefs of the police; three were looking before. We search for another chief from the ministry, not the police itself: leaked too, and also he's featured in an entire user database leak from micro electronic cash. Then the CIO, he was a ticket to remember. Most of these leaks contain the password hint in plain text, for example "name of my daughter". Then it's easy to crack it. This is the secretary of public safety: pwned two, three times.

Three chiefs, two civilians, one of them the police CIO at the time, and the secretary of the public safety were compromised. As we were saying, by checking on right forums you can get a free copy of the richard database simply by earning points, commenting, sharing and so on. In previous leaks they used a numerical password, or the password containing their children's name. Even the hints pointed this out, like "my first child" or "DNI", the national identification number.

As we say before, this data is manipulated and awaited; almost anything is made publicly available whether you want it or not. For example, if you google me you can find my tax ID, my fiscal address, as I am not a company, that's my personal house, how much I earn. So it's really easy to find valuable data. Sites, the parasites I was talking about, Dateas, Buscar Datos, Buscar Personas, Informa, multiboroc with online under like, contain that information and even keep an historical record better than the federal tax agency, and they are trying desperately to keep as much information as possible, so you can
query the API. Okay, with these hints, "my daughter" and "my DNI", let's find those passwords. By searching him by his name we have the tax ID, and the central part of the tax ID is the DNI, so we have the password, and where he lives, his age and so on. The tax ID, when you cut the first two numbers and the last one, you have the DNI, their password.

Now let's find the CIO's daughter. We'll search him online; then, based on the address we have, we'll search how many people lives under the same street number, the same roof. It's easy: if they all share the same surname, the same last name, they must be related. The only problem we have here is that when you're talking about children, mean or beige, you might not have the same information disclosed as with adults, but this method never failed in me. So, as you might see, the link, it is redacted just for security question. It's the one with the r-roll. As you might see, we have five people. Camila, Pilar, Lucia are women; they are all candidates. Five people live under the same roof. We try to do the LinkedIn dump; they are SHA-1 passwords, unsalted. So the secretary account won't be tested, as every leak he was involved with stored and disclosed his passwords plain text. So, sorry, we hashed one of the passwords, I won't say which one, with SHA-1, and it coincided with the LinkedIn dump. So we have his passwords. So this might be the way they were leaked.

Just one minute and we finished. Warez. It should be noted that during the leaks warez could have played an important role. I recommend you the site I Know What You Download. It's like a bogus tracker, not what was bought, a strange tracker that exposed what you were downloading with your IP address. So I had found that the Buenos Aires City Police is involved in the federal crime of piracy. Strange enough. This is the gateway. Look, look: some series, but look at this: Counter-Strike Global Offensive war so game torres dot com. Will you trust downloading that? Oh no. I know
you have the entire police internet connection to download that, really high speed, but really you shouldn't be downloading this. Once again: Lego DC Comics Super Heroes, Justice League, Cosmic Clash; Lego Scooby-Doo. You might notice is dangerous whether you're in the police or not.

So, our conclusions, thanks and credits. My conclusions are: we are not safe, even those who have to take care of us neither are. A false sense of security is a slow and insidious killer. Do not trust your data to be kept securely; this is especially for Argentine people, it is not stored safely. Internet does not forget, even if that means those all leaks on one made available some years ago. And no, we don't have the most modern police in the world. Let's stop being Argentines for a moment: we don't have the best things in the world. We're Argentines: corruption, money laundering, we have more than a two prosecutors sir war mindset. We lost, out of question.

Okay. Special thanks to the Recon Village crew for receiving me, a heartfelt thanks to my working team that's what in Argentina, and to the Blue Phreaker, who shared with everybody what really was happening behind the scene. Okay, already, if any one of you has a question.

Yes, we have many laws about that accessing, but what happens is that they are not respected at all. For example, I'm going to answer you based on my experience on government. I worked for local, for federal, for security forces, and, for example, when you need a federal place to get data from a local place, it's a real hassle. They mostly resolve it with, "Okay, I share the database link with you," or, "I share the dump, take this disk, have it, please don't lose it." That's the national standard, aside from what is written. So we have many laws reading, but they are not taken seriously. For example, one of the cases that shaken me the most: people in the Buenos Aires City Police were sharing reports with USB drives, personal USB drives. Whenever the system went offline: "So, okay, we have to keep working: USB drive." Then
you have to send like a messenger walking there, sending them. I think that might be, but I have no proof, that might be also an important point in the leaking part. I say everyone could have a copy in their pocket. If anyone has any other questions.

Yes, it's possible. Argentina is really well known for having many behind the scenes, how do I tell it, I have, some shady interests between nations. Since, yes, you know, during the last years, during a federal investigation of terrorism, one of our prosecutors was murdered, and it's unsolved to this day. You might see how the law is moving in my country, how they work. So yes, it's possible, mostly because it was announced as a political asset, as a campaign, a political campaign promise: "We will have a new world police with no corruption, the most technological in the world," etc., etc. So it could be, yes.

Well, they patched a lot of these things, but that doesn't stop the leak from being available on torrents or on great databases or on other world sites. They patched, for example, the XSS and the access to the gateway, at least. I don't know the rest. For the last time we tried they did that. We always try to update these because they were patching some things, but they are a little bit slower.

Excuse me, I don't have a really ready-to-be-public answer. Okay, any other questions? I hope you like it, and I ask you once again pardon for my pronunciation; it's not the best, but well, I hope you enjoyed it.