Okay, hi everyone. First I need to clarify something about my slides: they're not built to be static, so a lot of things wouldn't make much sense. So this talk, it's my first talk ever, and I've been traveling for the last two years giving this talk in many places. The last ones were in South Africa, besides Cape Town, and... let me adjust my cell phone a little bit here. Okay, and the last one was in the United States, in this conference, Checkpoint, in New Orleans, just before COVID started. So can you move to the next slide, please?

So a little quick note: just before the pandemic started we were having a lot of demonstrations in my country. We had five months of demonstrations, pretty similar to what's happening now in the US. So what happened is that the agencies that are shown up here, these international ones, developed reports about the situation and they confirmed that human rights violations were happening in Chile. Next slide, please. So I was pretty active during that time. Here you have some data: 35 people got killed by the police forces, 25 people lost an eye because of rubber bullets, and two people lost their sight completely. Next one, please. I'm trying to go as fast as I can because it's a long one. So, like I told you before, I was pretty active at the time. We were rescuing wounded people from what we call the front lines. So just a couple of days before the pandemic started we rescued one guy that had brain trauma because of a tear gas canister launched by the police forces, and he died the next day. So it was pretty stressful for us, so in a way the pandemic kind of released that stress. And then the one on the right side with the big shield, that's a shield built from a TV; she was helping us with the most critical cases. Next one, please.
So after the quick brief, I'm going to present myself. I'm a computer science engineer; it's a career that only exists in Chile, it's six years long, but I really loved it, so it took me nine years to get out of it. And like I said before, this is my first talk ever related to cybersecurity, and it got picked up by Skytalks two years ago, and it was like the beginning of everything for me regarding DEF CON and cybersecurity. And I do a lot of classes as a professor in different types of instances. One is a free university where I teach CTF workshops, and with most of these guys we went last year to DEF CON to present a workshop; I will show you that part later. I also work with a lot of projects related to health, so recently we got financing to do this project related to COVID-19 in my country. And right now I'm learning OSINT, so tomorrow we're going to participate in the Trace Labs CTF, which is a very good exercise to improve your googling skills. And I have a small company, really small, so I'm the founder, the CEO and also the janitor. The things that I do most, I mean all the time, are workshops. So next, please. So last year I went to DEF CON, so I had the chance to meet Jayson Street, and then we went to DEF CON 27; it was an amazing experience. Yep, next one. So that's all about me.

So for you to understand this talk I need to give you a little bit of context. So in my country we have a health system that is 80% public, and the public part is pretty much free; it's very different from the US. So the public sector, we have around 15 million patients now. So at the top of the graph you can see what's called MINSAL, which is basically the health department, and below that you have 29 what are called services, that are like institutions that try to coordinate the different hospitals and primary care institutions. So I was working in one of those services, right, which is actually the biggest; we
have around 2.5 million patients. Okay, next slide, please. So how bad... I have trouble pronouncing the word macabre. So how bad is this talk? When I was about to give it at Skytalks I was receiving threats from some people that I knew, some people involved in the police units. They were sending me messages that if I did the talk they would wait for me at the airport, they would sue me. And at the time I had just received an email from somebody saying that they were ordering to shut down all the servers related to health institutions, because they were afraid that I would give information that would allow DEF CON attendees to hack all our systems, which is really stupid. They also told me that they were sending some people to watch my talk and to record it, so I asked if there were some government officials in the room, and they actually raised their hands, and months later I received a recording of my talk. That was surprising because, you know, Skytalks is pretty strict, you know, you cannot record anything, so look, that's not a hundred percent safe. Luckily nothing happened after that. Well, not nothing, but I don't want to give you spoilers. So next one, please.

So I prepared some different stories that will help you understand the context of what I had to face at work pretty much every day. So the first story is called "a very secure web service", and the idea of this slide is to go part by part and then you will see the image. So the health department asked every institution for the patients that attended the public sector, around 15 million. So they gave me this assignment and I just found it weird that they would give you a web service but you have to deploy your own with their web service, which is very weird in my opinion. I worked as a developer for five years before getting
into this job that I had at this place, and I had never seen somebody send you a binary of a web service for you to deploy and use, and then you would upload the files to an FTP server, which is again really bad. Next slide, please. So then I thought maybe I should check the security of it, right, in the mindset of a hacker. And you know, at first I was checking out the 3DES algorithm trying to find something that I could use, but in the end it was easier to decompile it; they had no obfuscation at all. It took me literally three minutes to decompile it and I found the key, so now I could download all the reports from the server and check all the data from all the patients. So at least the user was okay. So I reported it, and they just told me, what were you doing, why were you doing that? And at the time I had assigned a testing function in my position that was after everything that I got to talk to you about, so he demanded me, and the answer was nothing, never had any life.

So the second story is what we call "a very secure electronic health record", and this software had over a million patients' data; you can imagine it. And the description: they looked it in a net using Oracle, very expensive databases, and the data is only 40 GB and they have no major sections, so it's difficult in the public sector to buy fancy. So they have 18 developers, it's about where it's playing against the CVS, but at least they had 800 work files. Okay, so what happened one day is that they were out of this word, and I was invited, just somebody that was part of the project, and at some point they asked the development project manager about the security of this software, and he said it was secure because they had implemented five-digit passwords. And I couldn't, you know, I could not... and I asked them, seriously? I mean, five digits. That got me fired, because I couldn't attack or do fairly fire to my own colleagues, even though they were not really my
colleagues. And I have to apologize, I apologized, because even though they were stupid I shouldn't have said that at this point. So at that point, not really understanding, I think, you're like something, the people were criticizing me and they attacked me for all the weeks; some people were asking for me to be fired, you know, directly: he cannot work here anymore. So I was lucky, just my boss and your addition supporting me. On the slide: I wanted to work, I couldn't get into Gmail, we were in my own system so I couldn't Google it, but work Twitter you could get into, any smear I made on it. I mean, they hired me to do something that I didn't know how to do, so I had to Google, but basically planning a data server in the hospital. So I was very critical, I couldn't understand how something like this could happen in such a big situation. So I did, on the eye measure, and the record, in addition to what happened, and he said more than they blocked every Google service, because through Google we could get into forbidden links or games. So they are pretty all bandwidth, or it's a lot of limit, I think I can work like 2000 megabytes per IP. So that's why, which was mind-blowing. This one, please. So the meme reflects my reaction at the time, and that's what changed. In this slide you get a little bit of the context of what work was about. Probably I'm going to write, not a book, but a blog, like I have 50 of those. So let's go to the main part of this talk, how everything... Next slide, please.

So imagine that you're working, this is your new job and you've been there for 10 days, and they ask you to find somebody, please, the range of devices, and this is a part that you could understand, the transitions are not at all. So you could see all the devices from the north part of the country that you can point the stuff. So what next? Though I couldn't read why, I thought that I had a privileged and super IP, unrestricted, we did for the
boys, and it's one day. So I said to check all those devices, and I was finding more and more, I mean many, that even the software, right, because it did not respond properly, because there were not so many devices for the screen. So I found for this week public read privileges, and some with any of the hospital-related files, architecture for us. So then I discovered they have public write privileges, which is so anyone could have deleted servers, and the things that talk with the hospitals that I could see. I think a lot of parties, it's not on the slide, but I could access a lot of exams with an animation, I was knowing your mind. Next one, please. So a couple of months went by and I was trying to understand the problem, like how is this possible, right? So what happened is that, you know, like you didn't know how to share. So imagine you want to share a 500 megabyte file: it will just go in a folder on the shared folder and you send the address to another without really checking. So what types of use of this? Next one. Moving on, I sent an email to them with the IP addresses, exams... you just throw the mic.

So let's continue with the presentation. So like I was saying, I sent this email report with the IP addresses, the folders and the files that you could retrieve from the shared folders. So the worst one is that you could find information on HIV patients; that information is protected by a special law in Chile that is implemented for that information to be anonymous, otherwise you might suffer discrimination looking for a job, etc. So that was the worst part of it. Next slide, please. And you know what, I didn't receive any answer directly to these emails, but then my boss sent me one of the emails she received as an answer. One of the things that I was more upset about was that I didn't exist for them, because I had been working there for one month, so not even a reply directly to my email, let's say congratulations for helping, heads up for trying to
help the institution. And then this guy, the tech support manager, was also the CSO, which is very weird, but they were choosing those, let's say, roles just if you had completed an online course on ISO 27001; that's the only requirement to be part of the CSO, let's say, role. So this guy sent an email saying that it was a big problem, but none of those IP addresses were from our institution. But the thing is that I didn't even think about it, I didn't plan to find our IPs. So after that I sent another email with all the pieces that belong to us. Next slide, please. So they didn't fix anything, right? They were just trying to save their asses. They didn't know that I had many, many IP addresses. So next one. So in the third email I only included IP addresses from our institution and from all of the network, which is called a health network, so we are responsible for what they do in terms of use of information. So I sent them, I cannot read it from myself, the ones that were the most important, so hospitals in the country; one of the hospitals has over three million patients and they had a server with everything: they had passwords of servers, webcams, I mean security cameras, they had backups of machines, X-rays, whatever you can imagine, I don't even remember, but it was so much information that I was not able to process all of this. Next one. So the answer for ten months was nothing at all. Next one, please.

So one of the classes that I teach now, I was a student in it. I don't know if you can hear me well; on my end I'm getting a lot of noise. Well, I had this class with one of the IT managers of the health department and we were both students. She was quite older than me, right, and during the coffee break I told her that I was the one who sent those emails that never got a reply back, and she said, "we're fixing it", you know, like cutting me off, like giving me the hand, you know, when
somebody tells you, like, stop, like, "we're fixing it", and also she said "I know". But then, next one, please, she ignored me for the rest of the classes, like for two weeks, some crazy guy telling things that she didn't know about. Okay, next one, please. So after ten months, no answer, no changes. I could still check all the IP addresses. I was running scanners like two times per week, and everything was the same, and not even a thank you. You know, we are all hackers, we are sensitive, so I was very sad. Next one, please.

So how do you fix something that nobody cares about? So I contacted one of these journalist groups; they're very important in Chile, they were part of the Panama Papers investigations, they discovered a lot of our politicians from Chile in those leaks. And I sent them the information, and right away they were like, we can't believe that it's true, you need to prove it. So the next day they wanted me to show them all this information from my computer in order for them to be sure that I was correct, I mean that I didn't have like a special connection or whatever to check all these folders. It was very scary for me; I was always thinking I'm going to get caught and, you know, fired, whatever. And after a while, when they processed this information, they were asking me a lot of these, you know, like, send us how many patients in total, how many patients with abortion. So I had to work for a month, you know, like sending them evidence, and at some point they asked me to test the same thing in three different places. So I needed to ask somebody to allow the journalists inside their offices. So one of these guys, asking a friend of a friend, he actually sent an email to the department, and he said, okay, I just sent an email to the department asking if this is possible. You're destroying this investigation, we're going to get caught! And luckily the actual department said what I wanted to do, which was basically get into
the folders from another office, was not possible. So that saved me, but the journalists were very nervous; they even thought about publishing the information that day, the very same day, but this email with this guy telling us it was not possible just made things seem a little more calm. Next one, please.

So how did I get this information? It's very simple. Sometimes, when I started doing hacking, I did some pretty big stuff, for example in Brazil, where I was living, I took control over like 3,000 words, and it was so simple that I thought it was something that was not worthy, that it was pretty lame, you know. But after that I learned that it doesn't matter how difficult it was; what is important is what you got out of it, what kind of information you can get. And now that I have more experience, it's like getting into shot, I mean you can do a lot of things without knowing everything, just like running some scripts. For example, a printer: you can find printers that you can... But at the time I didn't have a lot of experience, so I didn't know. So next one. I didn't know that doing something that is not technically complex is also, you know... So my approach was to gather everything, you know, like copy every file that I would find, document things. This network was so bad that some nodes were giving me a hundred kilobytes per second, so it was like I couldn't copy. So the other thing that I had to manage is that most of those computers were turning off at 6 am, so I only managed to copy 800 GB out of them at first. And scanning, you're not really good at copying all these files, because I was sending files through a firewall that somebody is copying, or it's a unique way in 24 hours, but then I learned that nobody checks the firewall, so now I'm really paying attention; they just believe in the design. So as I can't get everything, I needed to just get proof. We have in our
brains that sometimes we want to store everything, you know; some people have issues, I know they have problems with information they're never going to see again, people that buy books and buy books and never read them. So I had to be on copying files and then grepping for terms, keywords like HIV, or, you know... I didn't want to lose my vacation, so I mean we were on the flight, and the other people, I know, they were all so... I really preferred to be in another country; that way I would be on the way with a proper skill or idea of what this could actually... that's what happened. The first day of the flight he was calling me, and she said I could turn the keys, and what I said, since I talk too much, you know, she was always too inclusive, saying that things didn't work or the problems were everywhere, and that was a good skill, everybody thinks I don't like. So probably some, and that's the matter of the journalist, and that's what happened, and she believed it. Yeah, you do speak a lot. So I could check the processes and the privileges they had, and you just see everything and just put it in a file, and every time the journalist asked me for something I would just add information.

So now let's get serious about this. So this meme was pretty good if it was displayed after the title, but this is not that bad as when I did this talk in Beijing; every joke that I made, every meme, there was nothing, I did some hearts and crops for me, but it was one of the worst talks I ever gave. In this example, this server that I found: blurred, and every phone number, cell phone, the ID. We have a thing that is good, that is the ID number, and with that ID number you can do pretty much what you can do with the social security number in the US. So another example is server X, and again you have all the information that is protected by two specific laws. That would seem to be in any way public. Did something happen? Okay.
I apologize, everybody, for interrupting the talk again, but the speaker needs to re-enter the space because there is a problem, from his end probably, or from the Microsoft end, but we had Q4Q from Microsoft here to reset the space and rectify whatever the issue was, and it worked earlier, right? But then we are facing the same issue again, so I think we have to wait for Philip to get back and continue his speech. So until then, thanks a lot for your patience again. So, do you hear me? Okay, so as soon as he is back, you need to continue the slides. Yeah. Do you want me to finish now? Okay. I hope we will not face any such issues for the future talks, but like we hackers, we are not big fans of being on Windows, and this is a contradictory statement because we are on a platform that is backed up by Microsoft, but then hackers love Linux. That is the whole truth, the whole and whole truth that we know. So some of the speakers, like Philip himself, he was trying to run all space; we are on a Linux machine that he has. So I think probably this is one of the issues that he is facing. So thanks a lot for joining in and please stay for a while because we have another presentation coming up after Philip's.

Okay, I'm back. Can you hear me now? If you can still hear me, give me your claps. Okay, great. So it was being very tiring to restore. Let me get my slides there. So okay, just going to try to finish. I sent the logs that they asked me to. So we can go to the next slide. Next slide, please. And another example of what I found: it's 35 gigs of mammographies, again with all the patient data. It's blurred on the right side. Yeah, it's only one server. It's only three servers that I sampled. I was kind of, how do you say it? Pretty sure that at some point they were going to get my computer or my laptop, so I deleted everything. I ran like three cycles of shredders. So then I didn't have a lot of that information at the time; I just thought it was better to get rid of it.
Next one, please. So again, I'm saying a lot of... and I'm trying not to... doc files, TXT, PDFs, and over 4 million files, but I didn't count all the types; photographs, for example, and zip files. They had a lot of backups of many servers. Next slide, please. In this slide you can see, for example, in this image, you can see pills, the word pills in Spanish, which is "píldora", and how many files with the name píldora in spreadsheet format. And there were 120. And this is the day-after pill, or emergency pill. And if you see the data, if you get inside those files, you could see the reasons why they were asking for those pills. Some were abused, some girls were raped; you could even see the situations. Okay, next one, please. Next one. And in this... no, the one before. One back, sir. In this one, I was looking for files with the word VIH, it's HIV in Spanish, mostly. And I found 772 files. And you can see the file names. I don't know if you can see them or if you can read them, but believe me that there were IP addresses followed by the name, and then I could retrieve them and send them to the journalists. They were looking for bad stuff. They were asking me, give me the worst. We want the worst. Everything that you can give us that will be pretty bad regarding the laws and regarding the public interest. Next one, next one. I'm about to finish, so be patient. I know it's been long. I'm feeling it. Next one... not moving.

So, again, what happened, what was their strategy? The reason why they asked me for three places is they wanted to be sure that this was a more general problem; they were trying to find proof that there was a widespread problem, like I said, because I was sure, you know, I was telling them, I'm sure that this is not a thing about my computer. And what they did is that they scheduled a meeting with this minister, with the health minister, the head of the health department.
And they never said that they were part of this group called CIPER. So they presented themselves as random people who wanted to talk to her. So after a month, I guess, they talked to her. They went to her office and they asked for her computer to show her the problem. And from her computer, they managed to download all this information that I had given them, the IP addresses. They only put in the IP address, the folder, and then you got many, many files with HIV patients. And she was, the journalist told me, she was white, I mean, she was shocked. Next one, please. And they were pretty badass. You know, they said, you've got 24 hours to fix it. They never said they were from a journalist group. So at that point the minister didn't know what would happen. She thought it was just a problem that they needed to fix. So what happened after that is that they published, 24 hours later, all this information that I had given them, and it says, it's in Spanish, of course, right? But it says 100,000 workers, even companies that were given services, let's say outsourcing companies, had access to all these files. And they put there that there are at least 3 million files that were unprotected. Next one, please. You can Google this information. And then all the mainstream media picked up this information, from other countries too. So I was checking everything from Colombia at the time. Even some Colombian newspapers picked up this information, and friends would tell me that it was all over the TV, and some people told me that some people wanted to talk to me at the office, but I was on vacation so I was free of that. Next one, please. So this solved the problem in a couple of days, but what they did is they blocked the files from every institution. So you couldn't access shared folders from another institution, but you could still access all the shared folders from behind your router.
I even tried to test it. So you could access, for some of them it worked, I could access information from five hospitals, and I could still access a lot of information. They should have forced everyone to unshare the folders, because it's against the law to have personal data, sensitive data, exposed, right? But I'm going to tell you later why this fix was enough for them. Next one, please. The funny thing is, not funny, but the worst thing is that before doing all this leak to the press we tested that in many places; in 100% of the places that we tested, you only needed to connect a network cable and that was it, there were no restrictions. You're just connecting to any plug and you will access the entire network. So she was called to Congress to give an explanation, but she just lied, and again she was saving a lot of people's asses. And the good thing, one of the bad things, is they created a feeling of panic. Nobody wanted to give you any information at all, not even the information they were required to give you. They were like, no, because of what happened I cannot give you anything. But I'm allowed to have it, I mean internally, as a part of the same institution. So they created a panic and then they were not sharing any information; they created the opposite effect, like the extreme effect.

And for me, what happened afterwards was good in my job, because the director of the institution told me to create a security department specializing in finding these issues. But we were two against the world. Nobody wanted to be told that they had a problem. So I found, for example, that they had default passwords on 5,000 email accounts, and I told them, and I did a presentation explaining why they were bad, and their answer was crazy. They said public servants are public... I mean no, it was wrongly proposed, I didn't say it correctly: since they were public servants, they said that their emails should be public.
So for them it was okay that you could log in from the internet, not even from the internet, you could log in to their account and check their email. And inside those email accounts they have patient information again. So at some point we're not going anywhere; it's just us against the world. Next one, please.

So again, after the government changed, after this right-wing government that set foot or created this scenario for demonstrations that lasted for five months, that I told you about at the beginning, they fired me on the first day. Like the first hour, they sent me an email to fire me, but I knew they were going to do it, so I was again on my holidays, I was on vacation. So that forced them to fire me by email. But that gave proof and evidence that they fired me with no reason, because they never gave a reason in the email, because they thought that they were entitled to, but they didn't know that the law, it's complicated, but they didn't know that the laws had changed regarding whether you can fire a public employee without any cause. So they fired me. And a lot of projects that I was in charge of with UCL, for example, University College London, and Johns Hopkins, which is the best university in the world regarding the health sciences. And then I sued them. I knew before the firing that I could sue them. I knew exactly what part of the law changed. The Supreme Court ruled that every public servant, even though they had temporary contracts, is allowed to be compensated if they had a permanent role. And I had a permanent role. So they wanted to fire me; they were just like, ah, nothing's going to happen, just fire this guy and that's it. Then I sued them. And that ended up in the media. They accused me of being a hacker, that I stole information, that I destroyed servers. And again, this lawsuit, it was just about proving whether I worked there or not, not about me.
But the China, you know, the assassination of a character, and they said it was a biohacker that went to DEF CON. They even copied the screenshot of the talk that I gave at Skytalks as proof that it was bad, even though the talk was after I was fired. Next one, please. So after that, this government is still in power, right? I've been banned from working with any government agency. I was about to do a pentest and then, on the last day, they said that they had lost the resources. But then a friend of mine told me, and even sent me the WhatsApp conversations: they told this person that she was going to be fired if she hired me. So I got very famous at the time, in a bad way, but that didn't stop there. I wanted to know, because they did an investigation of what happened. I went there as a witness, and blah, blah, blah. And I got the investigation report. I got the documents. There were over 1200 pages. I had to pay $50 for them to give it to me, because they have to print it and they have to remove all the sensitive information, which is stupid because I removed the email addresses that I could get easily. And I wanted to know what happened. I wanted to know why nobody did anything about it, their reasons. At least I wanted to know, even though I was a witness, or I testified in a way, they never gave me any feedback. They don't call you and tell you this is what happened, or no, nothing. And they just tell you to get the information using the proper channels. So I got this, next slide, please. I got this big chunk of paper. You know, it's like a big pile of papers. Next slide, please. So I started to read through every page. And they have a lot of... A lot of people said that they didn't know me at all. A lot of people lied. They said that they never received an email, never heard about it, that they didn't know about me. But then they have this part of the document.
They say that it was possible to fix it, but it would have had a big impact on their operation, which was not true, because they fixed it in a day without any disruption. Then they say that it's every person's responsibility and it's a personal issue, which is not true, because the law makes every person in charge of sensitive patient data responsible for it. And this guy just... It's all about this typical thing about working in IT, that everyone blames the user, the same. It's a user's problem. If they share information, it's their problem. Next one, please. So this was excuse number one. And then, excuse number two, again, another guy in the top rank of the institution said that it's, again, the user's responsibility and it's very complex to identify these folders. You remember that the script that I ran was like five lines. It was really easy to do. They had access to everything, all the tools that I didn't have. And the last one, again, 14 sets, is a fault. They're blaming the users again. They say that they didn't find me because I should have informed them or my boss, which I did. And again, they didn't know anything about it. Even though I sent many emails, I tried to reach them through many channels, but nobody wanted to listen. Next one, please.

The main reason, and this is like the most incredible thing that I discovered in this investigation, is the main excuse, even from the minister, is that the ISP, the internet provider and the email provider, which is the same, couldn't fix her email for a year. So the main person, the minister of the health department, didn't have a working email for a year. And that was the excuse. And even this email, it was sent by one of the ISP providers, which is a big contract, it's a $4 million per month contract they have. They say it's correct: her email didn't work for a year. So, next one, please. So the latest update, because this lasted for... this happened two years ago.
And in November last year it was the final step: the Supreme Court ruled in my favor, so they had to pay me $25,000 in compensation, which is not what I wanted, but it's not that bad. Next one, please. But the funny thing is that with that money I had to pay the money that I spent going to DEF CON for two years. So I ended up with, I don't know, like $500.

So what can we do to avoid these situations? In my country, as well as the entire world, we don't have a lot of people knowing that there are experts in security. And people hiring, they don't even know what a computer science degree is. It's different from... here we have different types, but it's a technical degree. They don't know the differences. So when they hire someone, they will ask you, do you know about security? And you say, yeah, I did this certification. And they say, oh, okay, so you're ready to help us with this issue. And it's the opposite. So we need to change our laws. I mean, we have the laws, but they're not enforced, right? And I do have these topics in my classes that I do in these master's programs, where I explain some things that happened in other problems that ended up nowhere. I mean, the CTO of this health department was fined 10% of his salary for one month. That was the only punishment. And what I learned is that we need fewer rock stars and more mentors. And I'm actually mentoring a lot of students, for five or six months. It's weird because of COVID, right? Everything stopped. But we are competing tomorrow, actually, with four of them in the Trace Labs OSINT CTF. Next one, please. So we'll take this last one. Well, me now. A lot of images of me, sad or whatever. Next one. And I think it's the last one. Well, thank you. It was a long talk. There are problems involved. There's a link to the slides. That's my Twitter account and my LinkedIn account. I hope you liked it. And thank you to all of the organizers as well. I know that they're working a lot to get this through. Have a good day.