 cool how they got hacked episode six six already six already it's because he's tired he's been popping boxes for the last week prepare for some exams yeah the OSCP for all you guys who who are familiar is not an easy exam not an easy exam lots of work lots of studying lots of late nights falling asleep at the keyboard waking up to a lot of unintentional keystrokes lots of code execution there's piles of empty red bulls around them but it's worth it it's worth it it's pretty intense that's that's the important part is in the end it's worth it I've been learning a lot yeah so Tom Lawrence Xavier D Johnson more re-snash all right so now you know who we are in case you are just starting at this episode if you shouldn't go go roll back five episodes go give us a couple spins yeah we have a couple things we're gonna talk about today so we have the Wi-Fi jamming the WP3 and some mobile app hack but the big thing we're gonna talk about the end today we didn't we heard you about the honey pots and we're gonna actually set that up as not this video but as a demo of a honeypot yes he's just been busy and hasn't had time to do it and but we're gonna set one up that's gonna be like a separate video but we were listening we read all the comments like we said each time we got you we're gonna do we're gonna cover like the setting up for the honeypot putting out a honeypot out there what you collect with a honeypot and then we'll talk about that but that's gonna be like a separate we'll just dedicate a honeypot video that so this is just your how they get hacked we're gonna talk about a couple news topics but dive into the matrix we're going into the meat are we following the white rabbit we're following the white rabbit because the matrix got hacked and so we'll glitch in the matrix glitch in the matrix and we'll cover that in depth after we start with these couple of our news topics because you know back when I was in high school if you wanted to get out of an exam you would 
well allegedly maybe someone sort of maybe pull the fire alarm a couple ways you can allegedly get out of a test back in the day you could pull a fire alarm yeah you could call you could call in a certain situation you should never call in a situation but you know these days kids are you know more technologically event so and their Wi-Fi jamming so yeah a couple kids in Jersey the courting to North Jersey North Jersey dot com Dennis Miller said school officials and I reached out to the police department notify them the students were part of a scheme where they would disrupt the school's Wi-Fi upon demand Wi-Fi the course this is where it goes bad first they figure out they can disrupt the Wi-Fi then it becomes a scheme because they're offering it as a service would you like your Wi-Fi disrupted during exam time got that exam you forgot to study for we'll press the button for you 2995 whatever they were charging I have no idea so I've actually there's a video if you look at my channel called Wi-Fi D offing I they they just peer to be doing it a little bit different but they weren't overly it didn't get as technical maybe as I want because it sounds like they were doing jamming yeah versus D offing which are very jamming as an FCC problem which is going to get these guys in more trouble D offing is intact but it's a different law you're breaking yep because you're manipulating an electronic device as opposed to broadcasting a signal to disrupt other signals they should just use a D author that's my debrief to these guys advice D off next time look up be often ESP on Google and you'll find that the chip is like five bucks to be able to pull this off or you can go to Tom channel I have the GitHub and I walk you through how to do it that's one of the reasons I have the Wi-Fi device that he's seen in my thing as I have a video on this there you go not that I'm authorized you should do it but it's you should understand how these attacks work on your network because if 
there was a smart network admin watching this this is how one there was obviously some type of admins they caught them they caught them the way all young boys get caught trying to impress a girl oh boy oh yeah yeah she told on them there you go yeah we can we can girl I'm so cool I can take the school down I can shut down she's like oh can you can you do it during my test so I won't have to take it sure baby and he did it and now they're in trouble oh boy yeah so some FCC yeah but FCC won't let me be salute to the young hackers I always like when you know they start early it just shows you know a techno less prowess ingenuity ingenuity oh boy yeah yeah I don't know if I can condone this guys if you just do any amount of googling you'll see that this is how we get botnets yeah this is this is why we can't have nice things so do you guys remember Mariah remember the Mariah button it yes do you guys know the motivation behind the Mariah button it yeah that was one of the games the Minecraft server no no no no no the Mariah button that was the one in New Jersey actually at Rutgers and if I'm not mistaken this kid got caught and everything went down and he was he was basically collecting all of these routers and all of these IP cameras to do DDoS attacks on the college when they were booking oh okay so he could get the classes so that so that people couldn't register for class is that was like just don't do stuff at school like go yeah I'm not condoning that I'm just condoning their I'm trying to think of a word their ingenuity ingenuity it's interesting we just gotta mold these young kids and they get them to do something in the right direction the right direction and things like that so that's definitely there at the co-hackers yeah I mean I think that Wi-Fi jamming is a I think it's low-hanging fruit I think the problem is is that these kids got their hands on the equipment to do jamming versus do I think that yeah this would be a completely different topic from our 
perspective if this was a deal off versus a jam jamming could could be potentially dangerous not only because of you know the lack of communication on a particular band but because of the overspill and the bands next to yeah it is an FCC problem do this because for a while there there was a few people and they realized was legal I can't really exact article what people would be more aggravated in New York about people who are on their cell phones in a subway yeah so someone this came up with hey I can just press a button and create interference but the problem you're created is what if someone had an emergency and wanted a call 911 or something like that well now you've now blocked all cell phones I mean yeah I got that person being loud they oh yeah yeah you know and it's annoying sitting next to a subway with someone's having a conversation real loud like that but you've also stopped an emergency and that's where this comes into an FCC problem because you're actually blocking potential emergency access now be interesting is if these kids come back and go you know what we thought about that and we accounted for it and we're using this amount of power and we only could get this amount of wattage and we can only get this amount of feet yeah that'd be interesting oh no we were localizing our de-authentic I mean excuse me we're de-authentic we were localizing our jamming attacks to this class focus beam to shoot it only out the Wi-Fi device that covers the classroom see that see be that be those hackers kids be so good be so good that the jury just goes were they really trying to cause damage yeah hopefully that doesn't ruin your lives honestly because I mean they're young they've made some mistakes yeah it'll be okay related to Wi-Fi Dragon's Blood oh boy analyzing WPA 3 not 2 3 the new what standard dragonfly handshake and I'll leave a link I'm not gonna go over every little detail but what essentially has happened so the Wi-Fi Alliance is a group so you have the 
IEEE group that assembled standards but the Wi-Fi Alliance is a little different they are a pay-to-play and they develop it behind closed doors because us other outside hacking people they're what now yeah they're a private organization that develops Wi-Fi and develops a standard behind closed doors because they don't want a smart people on the outside interfering with the smart people on the inside and when they're done they do publish this which led to someone going wow you implemented it wrong but by the time you find out they implement it wrong they've also gave it to the vendors they sent it out as a ratified standard of alright go make these Wi-Fi chips to sort WP 3 and these methodologies and they have a flaw that was discovered in a handshake now these security researchers aren't your average matter of fact I don't know why these aren't the people and even kind of they make a kind of snarky comment on in here that I could like for if this wasn't designed through security through obscurity these are the same people that found in the crack attack that happened last year that caused a lot of updates to WP2 protocol which of course didn't happen because most old stuff never gets updated yes if you're running commercial or if you're paying me to supply your Wi-Fi I updated and I maintain my clients equipment but we know most people go there was an attack last year I haven't updated my Wi-Fi in five years yeah probably you're right so it probably exists in there so same people who did this research they applied some really interesting algorithms to WP3 and the referred to as the dragonfly handshake they have a very very technical debrief and that's why I said I could make an entire episode maybe I will do a deep dive walking through their security research but it's a 16 page detailed write-up of how they're able to leak information but not exactly crack it so there's two to pronged attack what they have here first D off thing WP3 was designed to avoid situations 
like the crack attack because WP3 is last year was ratified WP2 was ratified I think like 10 years ago maybe longer longer yeah so it's been around for a long time and you know security protocols are not better but what they found was they just implemented a couple things out of order in their security handshake and that's where these guys found that edge to get in now they also this is my favorite part when hackers are smart asses they found out that they could do a denial of service on a commercial WP3 device with a Raspberry Pi and they commented it doesn't even get above 27% CPU usage to shut down commercial Wi-Fi the attack that it was literally supposed to mitigate is possible now through that edge attack they're able to acquire encrypted credentials and then they would have to use they talk about the compute time needed of a depending on how much entropy was used in the password so it's not like it's just drop in password it's not it's a non-arbitrary attack by the way it also is fairly complicated but it's documented it now has CVE's insert IDs assigned to it and the trickier part is if this would have been engineered with the thoughts that these people are putting into from the beginning one it wouldn't happen to they're trying to do a work around on the engineering of a ratified standard versus if they would have done the standard differently now this is it developing things behind closed doors in a security market you know you know we're gonna poke at it security people are gonna poke at it geniuses like these these two are gonna find a hole in it this is why there is no security through obscurity all standards if you have to have obscurity in the way you're developing a security standard it's probably not secure you're hiding something you're hiding something yep you're afraid you're you don't want someone to check your math problem to make sure it equates properly here I like that this is why your teacher always says show your work I like that this is 
to show your work you can't just say it's secure you need to prove it and public code audits do that but when you develop it and then say hey this is the gold standard we came up with you took it away from public eye so I'm really not happy with the way the Wi-Fi Alliance does this and you know hopefully this is a lesson maybe they'll learn maybe they'll change their ways maybe they'll look for okay you're right they'll be far we'll have a different flaw in it that these same people I have faith in well in another 10 years we'll have WP for and these guys will drop another yep or it'll be me or maybe have they may they may retire what someone will pick the torch up and find this and find the security hole in the way that would probably be those kids who are just jamming Wi-Fi at high school yeah they're jamming Wi-Fi high school now by time to be for comes out to be cracking WPA for and going you guys could have been pulling this better if you would have asked us like hey and they can see that look we were jamming Wi-Fi back when it was high school 20 years into our careers we're like really good at this now exactly stick out of kids stick out of kids yeah nothing see there is no security throw security this just doesn't work the next one is that this is a report and it's kind of not a paywall but it's a one of those you got to sign up probably from give them a bogus email address so you can get the full detailed report already the highlights of the report the vulnerability epidemic and financial services and mobile apps and you know everyone wants it I need my phone to do my banking and all that actually I don't I don't do any banking on my phone that's there's a reason I don't do banking on my phone because I don't trust the apps I don't feel like to reverse engineering them I have this weird feeling without reading the rest of this report what do you think lowest bidder newest guy they could find out of high school probably develop the app what do you think what 
are the odds I think it's probably like Xamarin or something some bad framework or what Cordova Apache Cordova or something as opposed to go to every single phone yeah yeah Xamarin's not bad if you do it properly but then they make Xamarin I come on Miguel is an awesome dude so anyways I like Miguel you come up a gnome at least I'll leave it alone well that's a whole different it's a whole different topic but anyways this is the they did not name specific apps they didn't have to they see they took all the major banking apps so we can and odd you can figure out who the major banking apps American Express yeah yeah and a lack of binary protection they found a 97% of them yeah so I actually kind of wish you would have done an inverted list but I just told the wall this one past and that's how it's interesting maybe this is this is this may be industry problem this may be industry problem maybe because and this is speculation here on my I used to I used to dabble and you know apps you have to pass your package along to Apple I don't know if people realize that like you have to basically say here's my package go through to make sure it doesn't do malicious things and so if you're packing it right with a cryptor quote unquote so that it is off of Skate it then that auditor doesn't really get to see no no no all right no because the way they text the way they test a sandboxes a signal does it in a secure way yeah so does so does what's the other one key base both of them pass the security it's a you can use those anyway I agree no benefit of doubt for you guys nothing I mean we can't skip over the fact that most people are doing mobile banking on open Wi-Fi networks yeah yeah there's definitely other security concerns about mobile banking so are you a couple that are unintended data leakage 90% of the apps tested shared services with other applications leaving data from the financial institutions app accessible to other applications now this is a checkbox when you're 
doing is a developer do you want to share with others no I want an isolated app what does not have abilities to share matter of fact even like signal when you're going through the app screen it you can have it turn off so it does not even display if he sends me a message on signal it does not show up as a notification because you can say don't share any information forcing me to open the app and then you can go a step further and put a password on top of the app so they're not doing that weak encryption now this is where the encryption gets a little bit more detailed 80% of the apps tested implemented weak encryption algorithms or incorrect implementation of strong ciphers so the strong cipher was available they didn't use it they didn't it's like oh yeah I have this awesome encrypted system and I said that to be the password one as the password so when you don't properly implement strong encryption so yeah oh cool aes 256 cbc all the way but we forgot to add a longer key to it so or we use the same key all the way across all the devices yeah we're using admin so yeah great it's encrypted admin though it's encrypted admin encrypted admin so like you know they didn't I just said you don't have to know the details but the strong ciphers were there they're available to us aes 256 is common now it's not hard to implement well if you come up with your own way of implementing it I guess it is don't please don't yeah please don't roll your own crypto don't roll your own crypto trust the people who have vetted other crypto out there just use it work around current frameworks unless you're a super genius in your nope it's not easy it's not easy I'm not saying no one can but I'm super genius you know why you just go to the vetted yeah the vetted solution there's a reason as the people get smarter they go oh I guess I don't need to invent my own security stack this aes s stuff pretty works good matter of fact we now have we can do Diffie helman full key exchange we can do 
elliptic curve encryption we have some of the quantum proof stuff it's out there it's documented how to use it don't think you're smarter than the guys that did that I mean maybe you are but you better really be willing to test that that's not tested that's not security through obscurity at all no those dudes are like secure security through math how yeah how will the how those key exchanges are implemented is well documented it's not a secret at all 70% of the apps use an insecure random number trader a security measure that relies on random values restrict sensitive resources making the values guessed and hackable R&D yes not not getting good R&D you need good random numbers random whatever they were doing they weren't doing it right so yeah that's this is like 91 called and we're like having the same poor R&D poor encryption like what no obfuscation on binaries what like what is this what is this this is like the most highly attacked you know sector of our world right now it's finance how dare you not put the extra security on it yeah you already have all the money you have it all even before I spend it you get it yeah it's just but is this a security issue or just yes this is a security or is it a rush from the developers that hurry up and get it out without properly security is the very most and utmost primary concern we know that but do the banks I think so because I could just put sideload this video game that's candy crush with a K that can now see every single time you get a bank deposit it may be able to do something weird with that notification because you're sharing data yeah and this is part of the problem they stored it in some of the because we when you're when you're a app developer apps develop a little differently so each one in this goes across Android and on Apple there's a series of randomization so there's not a common place they store data that's part of the obfuscation for every app it's randomly generated that's perfect then you have to go 
to the common areas on a phone so I can share data between them like your downloads folder things like that they only it's a banking app why would I ever need information to come from any of those other or share things or those are restrictions they just didn't check the box yeah like why would I ever execute from the temp directory right there's never yeah or share any data into or into the temp directory right so there's just some in these are just some security things and these are those edges you need to get into the system so it's it's a mess it's a mess but we're gonna the least we're gonna cover the next mess because this is fun this is this is the debrief here so welcome to matrix this is matrix org an open network for secure decentralized communication so I'm gonna read a little bit about what matrix is if you haven't heard of it but matrix is basically a decentralized message message that matrix is an open-source fabric for communication that anyone can participate in a good intro to matrix is by joining the decentralized chat rooms like matrix hq now if you've ever used a lot more people have heard of we chat in riot mm-hmm those are pretty popular chat apps are built on matrix so it's an open-source sent decentralized but ability to federate and what it means and it's a little bit complicated picture like you think of a company like Facebook or anyone and they have a chat system or WhatsApp but you can't host your own WhatsApp server you you use the WhatsApp client and use the WhatsApp thing on the back end that they own well matrix is going hey you can run it against our servers which are open but you can also stand up your own server in your own hosting and from there you can centralize it so you can connect the chat rooms in this other central server so it's a system that allows you some integration but it kind of decentralized this is a cool concept there's a couple companies like Massadon coming up with a Twitter replacement that are decentralized 
instead of one company being in fully control it's kind of a cool movement if you want to get into it but let's talk about the security one and if you want to get into it someone wanted to get real into it and they did and they did spoiler alert they definitely did and so this is where things go a little off the rails for them is now the attack was they how they got a foothold in there let me read the actual exposure so it's this is an interesting one right this is one of my favorite kinds of attacks is something that I'll talk to people over at Amazon about is something that you know when people when I like to talk to people who are just getting into into security or are like you know in that mid-range insecurity I always like to talk about these this particular kind of attack because it's something that as an entry level or as a mid-level security person it bends your mind because you go okay how do I protect against this because you're this is what you're up against you so here is the incident report which is great matrix one open source developers open source company so here's what you need to know more leave links all this in the show notes here an attacker gained access to servers hosting matrix or the intruder had access to the production database potentially giving them access to the unencrypted message data password hashes access token has a precaution if you you're in it matrix or you should change your password now the matrix or home server has been rebuilt and running securely bridges and other ancillary services this blog follow as soon as possible and modular dot I am home servers have not been affected now this is one of things they want to make clear as separation if you stood up a server yourself your self-hosting matrix you are not affected by this directly and the reason why it's not a flaw in the matrix protocol this is completely a flaw in the developing team that was running this this is the DevOps problem this is when we're gonna break down 
everything DevOps said wrong and thank you thank you because we didn't have to do much work on this the hacker because he had control and took control of the GitHub and the packages he had he poem them top to bottom oh yeah then he went and posted on their own GitHub here's what you all could have done better and I love that I love what he did and we're gonna read through it because it's fine and by the way I must throw this out here what he did is literally what I do yeah I go and make issues and go this is not this you shouldn't do this like fix this then it's so refreshing to see someone who is just an anonymous looks to be gray hat doesn't look to be a hundred percent black hat because he didn't try and do anything he actually told him what or she we don't know who they are they're doing some interesting work on the weekends I'll tell you that whoever they are yeah so that's the whole matrix debrief of you know short answer would happen but let's talk about the back end and how this person did it we're gonna we're gonna do the blow-by-blow because there's we're gonna do in post mortem and this I just love that they took the time to write up everything that went wrong so hackers love write-ups they love write-ups and this is this is that little dance on your grave a ponja I'm on the end field I'm tossing football I'm doing to dance I'm like you know double fingers up here just I'm on the way out I got everything I can everything I can running mini cats yeah so he noticed their blog post that I read and it's got a few more things in there I'm not gonna bore you with it because he didn't think it was extensive enough so he starts with I notice your blog post they were talking about doing a post mortem and steps you need to take as someone who is intimately familiar with your entire infrastructure I thought I could help you out oh by the way this is all been taken down but we'll leave links to where I have acquired all this we had to have a discussion so we could 
find us because once he hacked their github and posted as them on github they decided to redo their github and took all the stuff down but don't worry we got copies of it all we'll leave links for all you down there so if you read through this let's face it I'm not a sophisticated attacker there was no crazy mail where root kits it was SSH Asian forwarding authorized key to because he just he was able to keep the keys and we'll get that in a second here and through a well okay Jenkins old zero day this you know this could have been detected by better monitoring of log files learning of anomalous behavior compromised and oh compromised began well over a month ago considering deploying an elastic stack and collecting logs certainly you're for your production environment so first debrief here no logs he was he gained access a couple months ago with the he said zero old day so yes it was a flaw in the Jenkins server that they did this is not a piece of the DevOps framework they had in the back end that was not patched so there's your edge found it popped it and zeroed yeah zero zero old day I love that the shirt comes in clothing.com yeah so here's another thing the internal dash config repository contains sense of data because you got in their github from this so we acquired access gets in their github the internal config can repository contain sense of data and the whole repository was often cloned onto hosts and then left there for long periods of time even if most of the configs were not used on that host host should only have the configs necessary for them to function and nothing else kudos on using passbolt this could have gotten real messy otherwise so you know they at least had a couple he give him kudos when they use a couple different things are you from a passport I'm not yeah me either so not really I didn't take time to look that up to see what that was but then it gets worse this is this is where the bigger mistake was made on each host I tried to avoid 
writing directory to authorize keys because after a through a peek at your matrix dash ansible private I realized the access could have removed by any time by employee that add a new key or did something else redeploy users but SSHD config allowed me to keep keys authorized key to and not have to worry about any ansible lock me out which authorized keys to I'm pretty sure that's like discontinued right well no no what they did was and this is interesting so when you have authorized keys so you have an SSH key pairing so we use public key authentication that's good that's strong what ansible does when I rebuild my servers ansible is gonna look at the keys ansible is gonna go get a server and go oh here's the key file let me pop it in there what he was able to do was go I'm gonna order if I can add a second key and he leaves a second key so even if they redeploy the server and redeploy the ansible keys it's allowing a second set of keys to be on there it should only be implicitly allowing a single set of keys so what he did was he just copied it in there added to the config to look in these both these key files ones mine ones these other DevOps guys who aren't paying attention to me because they don't have an elastic stack they're not they're not looking so he was able to do this and what the concept is when ansible deploys it should be erasing the old keys not allowing any other keys and doing that so this is that little comment on on how they did that so it's just these are this is such a minor thing to do from a DevOps standpoint if you're gonna go through trouble you know how to build an ansible script just tell it you can only use one key file there's it's not this is not like a huge like reengineer your whole tool stack here it's just don't allow another key file but because they did he just said oh I'll just put my keys and key to and allow it there you go and when they overwrite the because what they're doing to revoke access and this is actually a problem 
that would occur when you revoke access let's say each one of us has our own set of keys and Xavier doesn't want to work on the project no more we redeploy the keys without Xavier's key but what if Xavier popped a key file to on there we shouldn't be allowing a key file to it should only be a single key file on her server that's that's kind of a breakdown for that I was able to log in the servers via internet address this is where things get bad this should no good reason to have your management ports exposed to the entire internet never that is almost like think what he should have said in the very first line of this why would you have your management ports on SSH exposed consider restricting access to production either a VPN or a Bastion house so you this is one of those things like you don't want to open up SSH unless absolutely you have to especially when you do things like allow a separate key file you allow second key file you leave SSH open I mean this is one of those debriefs on there hmm why was it open why aren't you all VPN again VPN is not that hard you know even pivoting through a jump box with proxy chains I did a video on how to use proxy chains to get into something there's ways you can do this you can do it over VPN you can do it with the proxy chain there's ways you can help add layers of access we've recently started using I did that video on there and you'd like zero tier yep I like zero tier and I like shuttle to yeah shuttle there's zero tears bad bad ass I gotta throw out that I mean he's even talked to one of the engineers there yeah they're they know their product really well it's tight it's a persistent secure access it's actually one of those weird times when yes there's some convenience but there's actually some security put in and it's a little bit different the VPN I'm not gonna go in and out and I'll throw this out there right red team this one that you guys know red team always wins that UDP hole punching yeah going out man yeah 
that's a powerful stuff if you're inside a corporate environment the bells don't go off whether that was interesting that will just say Xavier tested a few places and it worked it was didn't go off and he had access hey so that's another side of zero tier that we just were impressed with yes either way if they were using something zero tier because zero tears not opening any ports at all there are no ports open so he's able to access your chair at home and zero tier at other places he was at other places and which is cool but it's also no ports are open on either server you can have a hundred percent locked firewall with with the exception of zero tier will have problems if there's certain amounts of egress filtering it will have problems but that's not that what egress filtering is not where the who does egress filtering yeah but egress filtering wasn't a problem this is ingress filtering the fact that they actually had ingresses into their DevOps network that's where the problem is that's the debris found this it's really bad to don't do that this is going next or once I I like this once I was in the network a copy of your wiki really helped me out and I found what someone was forwarding ports over to flywheel with Jenkins access this allowed me to add my own key to the host and once again adding you and make myself at home thanks Jenkins thanks Jenkins there appeared to be no legitimate reason for this port forward especially since Jenkins itself was being used to establish communication between them I'm not too familiar with the two different products are talking about right here Jenkins yes but not the other ones but either way once again they had an internal documentation server because you assume you don't have to lock down your internal documentation server and yes someone's gonna point out hey Tom don't you have a wiki yes I do how is it locked down very very extremely like even VPN internally to get over to the network and two factor authentication with 
only SSH and filtered firewalls and ACL rules. So yeah, even if you were in my network... I always assume someone is in my network, so you take the time to lock down your documentation and how your network works, because you need to have all that. So yeah, and when you want to test it, give me a call. Yeah, yeah. And you do; he pokes at his stuff, you know. I want to know; I don't just think I'm smart and secure things. I think I'll just send an email to one of your guys and be like, "Free pizza." Yeah. Oh shit, free pizza. Now, principle of least privilege. Yeah, this is just... learn this, beat this into your head: "Escalation could have been avoided if developers only had access to the absolutely required and did not have access to all the servers. I would like to take a moment to thank whichever developer forwarded their agent to flywheel; without you, none of this would have been possible." That's some real smart-ass stuff there, but I enjoyed it. But this is... we had a conversation with a company, maybe at one of the DC313 events, that kind of said "hypothetically," and we're like, looking at them, "Look, we know your work, but hypothetically, what if you had a dev team with root access to pretty much every server on there, and your company grew really fast, and now they're trying to figure out how to pull it back, but they want to keep the devs happy?" We're like, pull it back, but don't make the devs happy. Get a DevOps team. Make everybody a DevOps engineer. Only hire full-stack guys. Yeah, be smart, be smart. So this happens at companies and it becomes a very awkward thing, and we've talked about this, like, you have to pull it back. If you don't want to end up being on the show, if you don't want to be episode number seven, pull it back. Not everyone should have root access on there. This is bad. So the final one is the SSH forwarding: "Complete compromise could have been avoided if developers were prohibited from using ForwardAgent yes or not using -A in their SSH commands. The flaws with the user
agent forwarding are documented." This is one of the things where you can forward your agent keys through servers, so it's referred to as SSH agent forwarding. I have it turned off on mine. You only turn it on, like, on an as-needed basis if there's a reason to use it. But what this does is allow that SSH key to be passed from one agent to another, so once he had access to one, you're able to just go laterally through all the servers. I do like, in the archived one, that the first post is someone eating popcorn, because, you know, these are the comments on this, because this was posted on their GitHub before they got control of their GitHub and took it down. Because they had keys; they had the signing certs for the Matrix. They had the signing certs. Do you know how much carnage could have gone down with the signing certs to the package? This person, like, they pwned them top to bottom, wrote it up, told them what they could have done better, and left it alone. So this could have been much worse. They could have sat there, they could have developed threats inside of it, they could have poked and put things in there, which... because this is the nice thing about being open source development: if someone were to start inserting code in there, someone would have noticed, someone would say, "What is this doing?" But then once that happens, you start having to figure out, because he had access to several DevOps people, you'd have to figure out who he was impersonating, doing it as impersonation, like, "Hey, yeah, why'd you write this weird code over here that contacts a server in China?" I mean, if someone would have found it, but now it's already been deployed and compiled at that point, so now you have to issue a different... it... thing. This doesn't sound like it ever got to deployment. It never got there, because this person just wanted to prove they could and do a debrief and do a write-up. I mean, this is some great write-up; there's some great insights. This is the ultimate egg on your face, that you got pwned, but
you got pwned by the right person, so that much is true. The debrief is good; there's some security lessons learned. I bet all this has been changed, and I'm willing to bet we're gonna see an update from the folks at Matrix: "Hey man, that guy's write-up, it actually is pretty good. We suddenly have PoLP." I would like that. I think that, from my perspective, when I think about this, you think about the origin of how this guy actually got his foothold immediately. Yeah, and that's kind of what I was getting at the beginning: from what we know from the data that's out there, the compromise was not necessarily at the Matrix level; it was at the hosting provider. Yeah. Well, so, yeah, it's kind of... yeah, it's at the very base level, because it's all a DevOps problem, right? You know, they got in through the architecture of the DevOps Jenkins system that managed all this, and that got them in right to the code base, because that's where you... you don't just want that back end, but it's that one little hole, and this is seeing what's happened with some of these other companies. So it's really... yeah, everything is not application security. No, everything is not looking at the application security; the Matrix protocol is solid. Exactly. Operational security slash operational excellence, and, you know, network security is really, really important: monitoring, alerting, lateral movement detection, using deception, aka honeypots, right? We like to say honeypots, but I like to call it deception just because I'm thinking about honeypots v2, right? So being able to have maybe something that, you know, developers aren't supposed to touch, like another Jenkins box that has another set of signing keys, and the moment that that attacker would have went to go touch that, that would have been a booby trap; an alarm would have went off, and now I know that someone's moving laterally through my environment. He was in their environment for over a month, or a month. We talked about
that, and this is the same thing. This is where... would you implement a honeypot in this? You would have had it; it actually had that wiki, had the outline of how their network was set up. You would have had that in there: "Oh yeah, every night everything's moved over to production two server over here." Wink and nod; verbally you've made some agreement: "Hey, no production two server; if anyone touches it, you're fired," because you're the guy with... this is our trip wire into the systems, so that we know someone got in. So you document it as if it's part of your infrastructure, so someone reading your documentation, like this guy... these are all different ways you can use that to do this. But I think there's a lot of lessons learned here. It's a great debrief. We'll leave links to all this so you can read through it yourself and grab the popcorn and sit back. I mean, Matrix, like I said, a cool project. It's not really the fault of anyone here; the developers and DevOps are maybe some of the same people, I don't know exactly who's in charge of each section of this because it's an open source project, but it's still a really interesting write-up, and it's something you can apply to your infrastructure, because you're trying to work on keeping your security team clean, but hey, your DevOps team has to be keeping all this locked down as well, and everything up to date. Yeah, it's really up to them. When you really think about it, at the end of the day, it really does come down to DevOps to keep the infrastructure and operational excellence intact. They are the last quality gate. I am a security engineer, right, for a fund company that you guys could probably guess where I work, and, you know, I'm a security engineer on the DevOps team. You know, I mean, we are the last quality gate. I want to keep them safe. He tries. He's like, I make them aware, right, I put up guardrails, and that's a part of it, right? Yeah, he called them bumpers, but what I call them are guardrails, and you make sure that your
users can't do more than this and they can't do more than that. And, you know, I have users that go directly at the guardrails, so... but they learn and they start to flow with traffic, and that's kind of the way that, you know... we talked about PoLP, principle of least privilege, and so, you know, that kind of is a part of the guardrails: this user can't make other users, this user can't edit roles, this user can't edit groups. You give it a... I mean, this user can't do everything to every resource, or what we like to call star dot star in the identity access management world. Not 777, man; this solves all the problems. You don't... you never need that. No, well, you can get it done with four seven sevens. All right, yeah, and more videos coming on that. There you go. And more videos coming on ZeroTier, because this guy's poked at it too. It's pretty nice and it's super easy, and it looks like I get up to a hundred devices on unlimited networks. Yeah, which is, yeah, interesting for what I do for a living. It's going to be places, you know. We're also talking about internally... I mean, I didn't include you guys in this, but we said, because you can create a public ZeroTier where anyone can join, we talked about creating our own little net of stuff to play with, where other people can join in the fun. If you do that, just make sure that all of our subscribers (and you have to subscribe; click the subscribe button), all of our subscribers should be able to get some access in some shape or fashion. That's all. Yeah, I think it might be kind of fun, because we could actually set that up and play a game of it. There you go. Yeah, I was thinking about some fun ways to do it, because then people could just join the network on there and it doesn't pose me as much of a risk when I do it, because the way ZeroTier works, it does not have a gateway to give you outbound access; you only get internal access because it's a private network. Because if I were to let you VPN, then you could do
something like go to some website that would get me in trouble using my IP address; that's why I don't do that. But doing it with ZeroTier could be fun, because I can set up a little private repository and, like, a treasure hunting game. There you go, capture the flag. Yeah, that'd be fun. Yeah, I think that'd be a fine way to do it. Anyways, that's enough today. We'll put some honeypots on there and see some honeypots, see what people can find, see if they can trip the wire. If you can't trip the wire right now, he's been busy working on cracking servers and gaining root. Uh-huh, the OSCP. Um, I'm in the PWK lab. I'm not ashamed; this is my third time, right? First time I went for 90 days, second time I went for 60, this time I'm going for 30. This time I'm going at it with a completely different mindset, mind frame. So, um, if I fail, I fail, but I learned so much from this go-around, legit. But it doesn't even have to be a legit... it's actually legit. So, um, I'm just enjoying myself, and I'm staying up way too late and drinking way too much caffeine, so hopefully I survive the next 15 days. Yes, yes. All right, go reduce that access, close them firewall holes, think about other ways to do it, and see you in the next... Oh, and, um, upgrade Windows XP Service Pack 1, because, oh yeah, they have some nasty vulnerabilities you might want to check out. Yeah, quit these old machines, come on, and turn them off. You know, that's actually the challenge we have, is trying to figure out which stories to cover, because there's, like, it's too much, there's too much all the time, and so much of it's stupid stuff. Listen to Darknet Diaries; we've mentioned it, like, no joke, I love it. The one they just released on the banking stuff, and a lot of it's some face-palming, like, "Oh yeah, they had an older version"; they found an old, not patched Windows box, and then they didn't expect them to be inside the network, and yeah, great. The whole ATM hacking one, the couple recent posts by Darknet Diaries; listen to that. It's
inspirational, I'm intense. I want to get to that level of production, so that too. That guy is good. There you go, Jack Rhysider, Jack Rhysider. He's, oh yeah, inspiration. Inspiration, man. And Hak5 and all those other people, give them a shout out. Oh yeah, kitchen, oh yeah, for sure. Yeah, Mubix, and his blog, and everything. Yeah, we don't... we know someone, because someone made a comment to me like, "Oh, you're copying Darknet." No, we're not copying it; we're sharing. Like, we're all... there's plenty of security to cover. We love all those people; give them a shout out, listen to them too. Hell, I'll say they've been doing a great job on it. So we're out, man. Later. Later.