I'm going by the handle "weed and on" for the promotion of this talk, but my name is Alex Heid and I'm one of the co-founders of the HackMiami conference. I was using a pseudonym for the promotion of it just to avoid any SEO crossover, because we're going to be going into some pretty interesting topics.

So a bit about me: I'm from South Florida and I work with the HackMiami organization as one of the co-founders; the other co-founder is sitting up front with me as well. My background is in the field of essentially web application security, network attacking, and also malware analysis and threat intel. And most importantly, I like computers, the internet, and I love smoking weed. That's probably the most important point to be brought up here.

So some of the stuff we'll be going through: we're going to be talking about the different areas of compliance that are being hoisted upon the cannabis industry. It's a new industry, a lot of it's unregulated still, even with proposed stuff coming up, and there are a lot of gray areas as to what existing compliances need to be fulfilled and which new ones are upcoming that may need to be thought of. And as anyone who's ever attended DEF CON knows, compliance does not equal security. So once things are compliant, then what? We'll be going over the use of IoT technologies as it relates to agricultural development, and essentially just giving an IP address to all sorts of things that previously didn't have IP addresses. In this case it's farm equipment, hydro gear, webcams to watch gardens, that type of stuff. And most importantly, from the area of third-party risk, most cannabis businesses rely largely, if not entirely, on third-party vendors to supply all the business operations that are needed to meet the existing compliance frameworks they have to go in under.
So merchant services: they can't have bank accounts, so they'll need to use a certain provider to be able to process credit cards if they're allowed, or use some kind of evasive credit-card-to-cryptocurrency-to-cash system in order to make those purchases. And then we'll also be going into some examples of scaled attacks against IoT systems that can definitely have a big effect on the cannabis industry, from the smallest type of webcam hack going up to more intense types of attacks.

And when it comes to the vectors of risk: what is that risk for the customer, and what is that risk for the business? For the business, there are existing areas of compliance that are applicable. If they're processing credit cards, there's PCI DSS; if they're handling medical cannabis records, then HIPAA compliance standards apply. This is all for the storage and transmission, and basically they're intending to maintain the confidentiality, integrity, and availability of all these data types and transactions. Very few places will actually use their own setup. Everyone's making use of, for example, point-of-sale systems that are specially designed for the cannabis industry. So the experience of walking into a dispensary and providing a driver's license or other form of identification that's either scanned, photographed, or entered into some computer: that's hardly ever stored just within the building itself. They're usually using some kind of third-party customer relationship management software that will oftentimes serve many different cannabis companies or other types of companies. I'm going to be going into those types of issues as well.
And we'll also be going into some of the physical security risks that exist within the cannabis industry and how they relate to information security and compliance practices, especially as it relates to cash and garden locations and the like.

So to wrap your head around the concept of third-party risk, it's the idea that the weakest link will be exploited. When you have a bunch of different companies working together, one company is making use of a service, and that creates a digital supply chain; the weakest one is oftentimes the one that will provide a vector into all the other companies, oftentimes through password reuse or interconnected networks. Some examples of that would be the Target breach; even the OPM government hack was based off of a compromised contractor that had credentials, and they were able to get into the government system. So while they're targeting all these major industries they've always been targeting, because that's where the money is, they're going to be targeting the cannabis industry as it emerges for several reasons. One, there's a lot of hardware to be able to take over and compromise and turn into a botnet. Two, there's a lot of cryptocurrency stuff that goes on, so there's an incentive to actually steal private keys, or to do reconnaissance to be able to get into these businesses and steal private keys and information.

And we'll be going through some of the aspects of what these third-party vendors look like and where the risks lie. One of the more prominent ones, and they seem to be doing decent security-hygiene-wise, is, for example, weedmaps.com. You have all these different dispensaries that are using weedmaps.com to do their listings and also process their orders. In the event that a service like weedmaps.com would get hacked, every single dispensary and customer of that service is impacted.
And so attackers are no longer going after individual entities; they're going after the service providers that handle all the entities, and that way they're able to actually get in. From the standpoint of weedmaps.com, I didn't see any indication that they're going to be hit anytime soon, but everybody will eventually get hit, and it's not about blaming a person or an entity when it happens. It's about how you respond to it to be able to mitigate the fallout that's going to occur.

And so, as we touched on, with an increase in IoT technology: this is a graph that came from Cisco, and they're estimating that about 250 billion IoT devices will be on the public internet by the year 2020. So if 1% of those devices are exploitable through the public internet, that means 500 million exploitable targets. If a percentage of those are agricultural or cannabis related, it doesn't matter. Attackers are looking for absolutely anything they can get into, and then they'll figure out what they're going to do with it after the fact. Yeah, essentially a small nation, or a big nation, of compromised devices.

So IoT devices are definitely more than just routers, printers, webcams, coffee makers, toasters, the innocuous consumer electronic technologies that everyone's making use of. More and more agricultural, industrial, and manufacturing heavy-machine systems are being given IoT capabilities or internet-browsing features, things like Telnet or really weak-looking HTTP applications. The reason is it's easy, they're fast, and the protocols do communicate and work. And even older equipment that was never designed to be put online in the first place is getting retrofitted with hardware that will give it an IP address with Telnet and a really lame web application to be able to host everything. We're definitely seeing that also emerging when it comes to large-scale agricultural growth, because it's much more efficient that way.
And so, as we touched on earlier, the increase in IoT is way more than just being able to compromise a device and make it part of a botnet or the like. It's essentially a bounce point into the internal network. Any perimeter device that can get compromised, either through an exploit, through a misconfiguration, or through a weak or default password: this is just one example of what that would look like. A default or weak Telnet password, the attacker enables SSH, and now they can do an SSH tunnel, and now they're able to start port scanning the internal ranges and so forth.

So when it comes to the tools for discovery, the most important thing is to have high-quality cannabis, usually from the top shelf with the highest grade of THC that's available from the store. And then pick up a VPS with some cryptocurrency to be able to conduct scans from something other than your home IP address. Using Google, you can find a ridiculous amount of information with the Google dorking technique. For anyone not familiar with Google dorking, it's using Google to find things that are indexed that show vulnerabilities that they might not have wanted to be indexed. So just Google "Google dorking" to find out more about that. And then the tools Masscan and ZMap for your own port scanning, and Shodan and Censys for pre-scanned ports.

And interestingly enough, "powered by" footers are still a thing, and not only are they on old websites that they shouldn't be on, they're being printed on the receipts of the dispensaries. When I picked this up earlier this week, it said "powered by" and then the domain name of this company. When we went to the domain name, it was essentially a CRM that has all sorts of different customers. They serve all industries, and they seem to have a few products that are targeted towards the cannabis industry. Their main use is e-commerce. So they're pretty much blocked out, absolutely everything, to be able to maintain who they are.
But they're a CRM, a very kind of entry-level Salesforce-type thing. A lot of dispensaries use this platform as a back end for when you check in: when you go to the front desk and check in, when they send your order to the back, every patient's order is saved in here along with a whole bunch of others. And what's more, it's ColdFusion. It's running a legacy ColdFusion web application, heavily parameterized; the entire URL is heavily parameterized. Google dorking showed all sorts of indexed things that shouldn't have been indexed but were publicly available. When you throw just a simple %27 into the URL, you get a 500 error, which indicates, oh, maybe there's a SQL injection there. And, well, that's where we stopped. Because, I mean, we'll see Windows 2008 R2, ColdFusion; definitely a problem there. The entire database is available and just leaking for this dispensary and every single other one that's using the service, and we're going to be contacting them to get that sorted. But the thing is, it's a third-party vendor, so they're going to have to call some companies, they're going to have to call their developer that was hired by some contractor, and then they have to explain the whole thing of what happened, and then it will get fixed. So even when it comes to high-risk security issues, the average time to remediation is still about six months, even for enterprises that have their stuff together. From the time it's identified to the time it's fixed, it could take six months. And meanwhile, everyone from both dispensaries and other businesses, because this company does all sorts of other stuff, those databases are just sitting there waiting for someone to come along and use more intense flags on the analysis tools.

And from the standpoint of physical security and ATMs: okay, so maybe there are no credit card numbers stored in these databases, just patient record information.
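The "%27 gives a 500" tell mentioned above comes from a URL parameter being concatenated into SQL text. The following is an added example from the editor, not code from the talk or from the vendor discussed; it uses an in-memory SQLite table with constructed sample rows (the table, names and parameter names are all assumptions) to show the vulnerable pattern next to the parameterized form that removes it.

```python
"""Added example: why a lone %27 in a URL parameter surfaces as a 500 error,
and how binding the value as a parameter removes the problem entirely."""
import sqlite3
from typing import Any, Dict
from urllib.parse import unquote


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a vendor CRM's patient/order table (sample rows only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patients (id INTEGER PRIMARY KEY, name TEXT, order_note TEXT)"
    )
    conn.executemany(
        "INSERT INTO patients (name, order_note) VALUES (?, ?)",
        [("Pat Example", "1g top shelf"), ("Sam Sample", "edibles")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_param: str) -> Dict[str, Any]:
    """Vulnerable pattern: the decoded URL parameter is concatenated into the SQL text.
    A lone quote (%27) unbalances the string literal, the statement fails to parse,
    and the handler answers 500, which is the tell described in the talk."""
    value = unquote(raw_param)
    sql = "SELECT id, name FROM patients WHERE name = '" + value + "'"
    try:
        return {"status": 200, "rows": conn.execute(sql).fetchall()}
    except sqlite3.Error as exc:
        return {"status": 500, "error": str(exc)}


def lookup_safe(conn: sqlite3.Connection, raw_param: str) -> Dict[str, Any]:
    """Hardened pattern: the value is bound as a parameter and never becomes SQL,
    so a quote is just data and the query simply matches nothing."""
    value = unquote(raw_param)
    rows = conn.execute(
        "SELECT id, name FROM patients WHERE name = ?", (value,)
    ).fetchall()
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, "Pat%20Example"))  # benign input works either way
    print(lookup_unsafe(db, "%27"))            # 500: the quote broke the statement
    print(lookup_safe(db, "%27"))              # 200 with no rows
```

The 500 is only a signal, not proof, but a parameter that can unbalance the statement is a parameter that reaches the parser, and that is the condition a code review or a web application scanner should be looking for; the fix is the same whatever the language or database behind the site.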
Maybe we could do some identity theft, but what's the big deal with that? Say the dispensary has an ATM on site. Now all the ATMs that are available come from brands like, one main manufacturer is Hyosung, and there are a few others. The way most stores get these in there is they don't accept cards, so they'll get a contract with a company who has a contract with a company who has a contract with a company that will put an ATM in, and then they'll contract somebody else to come in and do the maintenance and all that. And no one's communicating, but everyone has the manual from the manufacturer, which has the operator passwords of 2-2-2-2, 5-5-5-5. Yeah, those are basically just the default passwords. If you, again, Google dork for filetype:pdf, ATM, manufacturer name, model number, you'll find what you're looking for, because they're making them available, because people have to be able to fix their ATMs. And when it comes to the actual safe that's in the ATM, also a default code, 50-25-50, and when you try to change it, the instructions are very complicated as to how to actually get this changed, but they emphasize how important it is. I don't know if many people are doing it, and it's all a matter of percentage as to when it actually becomes a problem.

And when it comes to web application exploits: one of the analyses that we did is we found a web application CVE, CVE-2017-7577, and we did a mapping of the entire internet for any HTTP service that's running a web server known as uc-httpd. It's an embedded firmware that's used on a lot of cheap manufactured webcams that are white-labeled and OEM'd all over the world. We found about 205,000 of them a little under a year ago, and version 1.0 is the only version of this web server that exists, and it's vulnerable, and there's no update for it. So they're still like that to this day, and when we look into what the exploit actually is, it's a very standard little web application login.
The usual passwords are again admin, 1-2-3-4-5-6, that type of stuff. But even if you can't figure out the password, there's a Python script available on Exploit-DB where it's just, I mean, a very simple dot-dot-slash. It's just a dot-dot-slash, and you can read any file. And there's no shadow file or anything like that; it's just the encrypted root password. This was the default, but even when they change it, you could still get the most updated one and crack it pretty easily. And then you can also download every file that might be on the server and whatnot. So again, this has shown that this could definitely be more than just a little web app exploit. If you've been able to map out all these cameras and download the files continuously from them, there are definitely things that people probably don't want done on these devices, and they should probably close them off to the public internet.

And so when we go into the heavy stuff of SCADA systems: we did a mapping of, again, just HTTP services, port 80 and alternate ports, 8081. If you Google for HTTP alternate ports, you can find a nice list. Oftentimes people will set up something new and it'll spin up an alternate HTTP port, no authentication, maybe administrative permissions or something, and people just won't turn it off. So we did a scan for that, just looking for the word SCADA, just to see what could happen. And we started finding electrical facilities. So from the standpoint of impacting industry, if your cannabis grow is on a SCADA-based hydro system or whatnot, these types of web applications are the stuff that's used to monitor and guide them. Or if you're making use of a power system like this solar panel to power it, it also has a web application like this.
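The dot-dot-slash read described above is a path traversal: the embedded web server glues the request path onto its web root and lets the operating system resolve the `..` segments. The following is an added example from the editor, not code from the talk, from Exploit-DB, or from the uc-httpd firmware; it models the device filesystem as a constructed dictionary (paths, contents and the web root are assumptions) and puts the vulnerable resolver next to a hardened one that rejects traversal, including the percent-encoded form.

```python
"""Added example: a traversal-prone file resolver beside a hardened one.
The filesystem is a constructed dictionary so the example runs offline."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEBROOT = "/var/www/cam"  # assumed document root of the camera's web UI

# Constructed stand-in for the device filesystem (path -> contents).
FAKE_FS = {
    "/var/www/cam/index.html": "<html>login</html>",
    "/var/www/cam/js/app.js": "/* ui */",
    "/etc/passwd": "root:$1$constructedhash$:0:0:root:/:/bin/sh",
}


def serve_unsafe(request_path: str) -> Optional[str]:
    """Vulnerable pattern (the class of bug the talk describes): decode the URL
    and concatenate it onto the web root. The OS resolves '..' segments, so the
    lookup walks out of the root and reads whatever the process can read."""
    decoded = unquote(request_path.split("?", 1)[0])
    target = posixpath.normpath(WEBROOT + "/" + decoded)
    return FAKE_FS.get(target)


def safe_resolve(request_path: str) -> Optional[str]:
    """Hardened resolver: decode once, reject NUL bytes, reject any '..'
    segment outright, rebuild the path from clean segments under the root,
    and finally confirm the result still sits beneath the root."""
    decoded = unquote(request_path.split("?", 1)[0])
    if "\x00" in decoded:
        return None
    parts = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue  # empty and current-dir segments carry no information
        if seg == "..":
            return None  # any climb attempt is refused, not silently collapsed
        parts.append(seg)
    if not parts:
        return posixpath.join(WEBROOT, "index.html")
    candidate = posixpath.normpath(posixpath.join(WEBROOT, *parts))
    if not candidate.startswith(WEBROOT + "/"):
        return None
    return candidate


def serve_safe(request_path: str) -> Optional[str]:
    """Serve a file only when the hardened resolver accepts the path."""
    target = safe_resolve(request_path)
    return FAKE_FS.get(target) if target else None


if __name__ == "__main__":
    print(serve_unsafe("/../../../etc/passwd"))            # leaks the password hash line
    print(serve_safe("/../../../etc/passwd"))              # None: refused
    print(serve_safe("/%2e%2e/%2e%2e/%2e%2e/etc/passwd"))  # None: encoded form refused too
    print(serve_safe("/index.html"))                       # served normally
```

The reason to refuse `..` outright rather than normalize it away is that normalization is exactly what the vulnerable version relies on; a device that only ever serves its own UI has no legitimate use for a parent-directory segment, so the simplest correct policy is also the strictest.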
Or if your third-party vendor happens to be the electrical company, which pretty much every person who has a company and does business has as a third-party vendor, what happens when their stuff ends up on the internet and you can just start flipping switches and turning power off in regions?

And so this was a server that wasn't supposed to be on the internet. The manual of this manufacturer says, don't put this on the internet. So of course we found a bunch of them on the internet. They were smart, though, because they had password protection, but these were designed for tablets. When you walk into an electrical plant, you'll see a big tablet, or the employees will be walking around with the hard hats and they'll be typing into tablets. They're never really intended to be used on a desktop, let alone put out on the internet. So when you just view the source code and remove the JavaScript object, because there's no real validation on the application, you get into the actual SCADA system itself, and that's that. This is a solar electrical plant that, for the sake of this presentation, we could say, well, if hypothetically it's powering a region, then cannabis grows in there would be impacted if this were to go out.

And then we just kind of poked around to see what other types of systems we could find. This one didn't even have a password on it, and we were able to... So we see this one... The knobs will actually be spinning around and moving when you actually connect to the IP address, and there's no hacking in this. This is just visiting an IP address and pressing enter. And here's another one which actually has the red button that can do something. We don't know what yet, but if we keep clicking around, it might be able to do something. It's actually for a dam. So, yeah, you could... If you want to take out a...
...make sure that no one has any weed in a certain city, you can just mess up their crops with this, and they actually have the red button. So what happens when... Forget an APT group, forget a terrorist threat, forget competition. What happens when a Google spider or a Yahoo spider, just some web crawler, starts hitting links and just goes click, click, click, click, click, click? And then basically it's a situation like this, which ends up in something like that. That's basically the most extreme way to represent third-party risk that I'm able to come up with for now. Hopefully that's where it ends.

So the main points I'm trying to convey are that third-party risk vectors are going to be the biggest single impact, for not just a business but an entire industry overall, because when one big provider gets hit, the entire sector gets hit, sometimes across multiple industries. And increased scrutiny of default deployments is the only thing that's going to prevent these types of screw-ups from taking place in the future. People are plugging stuff in thinking it's working, and the right hand doesn't know what the left hand is doing, and all the ownership of who's responsible for this is being pushed off and shared between different people, and no one's doing anything because no one is technically responsible to do anything. It's all built into the contracts and whatnot. And also, legacy systems are going to be online and just as stupid as those things that we saw. Those were the cutting-edge new SCADA systems, where everything's an HTTP web application, and older stuff is just going to have widgets hooked on to old machines, and now you're able to connect into them and make them do things. And again, the only security on a lot of these things was client-side passwords or SSL. So if they had SSL, they believed themselves to be secure.
And so again, the way to prevent this is continuous monitoring of the external side of your network, what you know it to be, and then also figuring out what your service providers are, and using your choice of third-party vendor risk management platform to be able to track them, or using open source tools to kind of build it yourself. If you have the time to do it yourself, by all means do it. If you need companies to do it, seek the help of professional services. And the last few things would be: change default passwords; double-check the passwords are changed, because a lot of crappy equipment won't register a password change, or it will still have an old hard-coded one; and just research the technology heavily before you deploy it into production, like everyone should be doing but no one is doing. And again, when choosing a third-party service provider, basic due diligence will do things like making sure you're guaranteed not to be hopping into a fire when it comes to sharing data. For example, if you want to use a merchant processor that's running a ColdFusion site versus a merchant processor that seems to have something that was made within the last ten years, you might want to go with the newer one. And it's ongoing; a lot of people won't, they'll go for what's cheapest, what's available, what salesperson got to them first; there's a million factors that go into that. At the end of the day, people are going by what's compliant, what's going to allow them to keep operating a business, and what's going to be the easiest thing overall across the enterprise. Security oftentimes becomes an afterthought in this process, leading to potential scenarios of some pretty annoying to pretty disastrous things taking place.

And that's it for some resources. Masscan, ZMap, two open source tools; they scan the internet really fast. Just load them up, roll some joints, and watch them go. And for web application security, I definitely recommend the OWASP project.
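The continuous external monitoring recommended above comes down to one loop: scan what is actually reachable, compare it against what the business believes is exposed, and alert on the difference. The following is an added example from the editor, not code from the talk or from any of the tools it names; the scan output is constructed in the shape of Masscan's JSON (`-oJ`) record lines rather than taken from a real scan, and the IP addresses, inventory entries and port risk table are assumptions.

```python
"""Added example: diff observed open ports against a known-services inventory
and flag anything unexpected, with Telnet and alternate HTTP ports escalated.
The scan text below is constructed, not captured from a live scan."""
import json
from typing import Dict, List, Set, Tuple

# Constructed records in the shape of Masscan's -oJ output (one JSON object per line).
SCAN_OUTPUT = """[
{ "ip": "192.0.2.10", "timestamp": "1530000000", "ports": [ {"port": 443, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{ "ip": "192.0.2.10", "timestamp": "1530000001", "ports": [ {"port": 8081, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 54} ] },
{ "ip": "192.0.2.23", "timestamp": "1530000002", "ports": [ {"port": 23, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{ "ip": "192.0.2.23", "timestamp": "1530000003", "ports": [ {"port": 80, "proto": "tcp", "status": "open", "reason": "syn-ack", "ttl": 64} ] },
{"finished": 1}
]"""

# What the business believes its public footprint is (constructed inventory).
KNOWN_SERVICES: Dict[Tuple[str, int], str] = {
    ("192.0.2.10", 443): "web storefront (vendor-hosted)",
    ("192.0.2.23", 80): "grow-room camera web UI",
}

# Ports whose exposure deserves a loud alert whether or not they were expected.
HIGH_RISK_PORTS = {
    23: "telnet",
    8081: "alternate http (often an unauthenticated admin UI left running)",
}

Service = Tuple[str, int]


def parse_masscan_json(text: str) -> Set[Service]:
    """Collect (ip, port) pairs reported open. Tolerates the surrounding
    brackets, trailing commas and the {"finished": 1} trailer."""
    observed: Set[Service] = set()
    for line in text.splitlines():
        line = line.strip().rstrip(",")
        if not line.startswith("{") or '"ip"' not in line:
            continue
        rec = json.loads(line)
        for p in rec.get("ports", []):
            if p.get("status") == "open":
                observed.add((rec["ip"], int(p["port"])))
    return observed


def diff_exposure(observed: Set[Service], known: Dict[Service, str]) -> Dict[str, List]:
    """Unexpected = reachable but not in inventory (the right hand not knowing
    what the left hand plugged in). Missing = in inventory but no longer seen,
    which usually means the inventory is stale and needs a human look."""
    unexpected = sorted(observed - set(known))
    missing = sorted(set(known) - observed)
    findings = []
    for ip, port in unexpected:
        findings.append({
            "ip": ip,
            "port": port,
            "severity": "HIGH" if port in HIGH_RISK_PORTS else "MEDIUM",
            "note": HIGH_RISK_PORTS.get(port, "open service not in inventory"),
        })
    return {"unexpected": findings, "missing": missing}


if __name__ == "__main__":
    report = diff_exposure(parse_masscan_json(SCAN_OUTPUT), KNOWN_SERVICES)
    for f in report["unexpected"]:
        print(f'{f["severity"]}: {f["ip"]}:{f["port"]} - {f["note"]}')
    for ip, port in report["missing"]:
        print(f"STALE INVENTORY: {ip}:{port} no longer observed")
```

Run on a schedule, a report like this is what turns "we changed the default password" into something verifiable: the Telnet port that a password change was supposed to retire either disappears from the next scan or it does not, and the alternate HTTP port that a vendor's update quietly opened shows up the same day rather than when someone else finds it.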
They've got the proper design methods and local meetings all over the world; I definitely recommend getting involved with them. And if you don't want to spin up your own scanners, check out Shodan and Censys. You can query global internet scans looking for the same types of stuff that we had, and even more specifics if you happen to know manufacturers of cannabis-specific products. The trick to finding the products is to search for the make and model numbers and they start surfacing. And with that, any questions? ... Yeah, we still got a few more minutes, so. All right, well, on that note, I'll be around. If anyone wants to chat afterwards, feel free to drop me an email. You can email the HackMiami group at info@hackmiami.org, or you can just shoot me an email at alex@hackmiami.org. Check us out on Twitter, and if you have AOL, go to the keyword and type "me" and you'll see our AOL homepage. Thanks everyone.