[2022 javaone] halloween tv – or why it might really be watching you back

Speaker: Steve Poole

For more see the table of contents

  • Doing Java 27 years
  • True story. Happened to multiple people
  • Company in the middle of nowhere
  • Smart tv with an ethernet port
  • Discover new wifi SSID
  • Look everywhere for the router, use scanners and eventually learn it is the TV
  • Asked supplier for instructions. Supplier didn’t know it had wifi either.
  • Asked manufacturer how to configure wifi. Manufacturer says no wifi in TV
  • Take apart TV and discover “system on a chip” with the wifi (had everything a computer needs, like a Raspberry Pi)
  • However, wasn’t the system on a chip (SOC) that the manufacturer shipped. Manufacturer may not know because SOC has extra capabilities they turn off. In this case, manufacturer says it isn’t theirs
  • Problem: open wifi, unsecured gateway
  • This SOC phones home. Every time the TV turns on, it gets new wifi and sends geolocation info to an IP.
  • Anyone could “drive by” and access the network. Can compromise other things on intranet

Implications

  • Lots of things plugged into typical network – ex: printer/scanner. Could send your data
  • We all know not to plug an unknown USB into a computer. However, a tiny charger can be compromised and send data
  • A lot are espionage tools. More prevalent now.
  • Software applications can be compromised too.
  • Poor supply chain management
  • If buy charging cable (vs data cable), know what it can do. Can’t tell by looking at it.

log4shell

  • Worst vulnerability ever
  • 33% of log4j downloads from Maven Central
  • Look at scanning tools and see if they can find all instances
  • 742% increase in vulnerabilities since last JavaOne. Attackers actively trying to create a log4j situation in open source

My take

Steve is a great speaker so I’m glad I got to see this. It was poorly attended. Possibly because of the location (on the exhibit floor) or possibly because people thought the stage was all vendors. Granted, this is a vendor talk too. But it took more than half of the talk to even allude to something that relates to Sonatype, and that’s if you know what they do. Only the last two minutes were a direct tie (and even then didn’t mention their products by name).

[kcdc 2022] insider threat : what is social engineering

Speaker: Crux Conception @cruxconceptoin (pen name)

For more, see the table of contents

On walking in

  • He asked what talk was in the room and teased people about giving too much info
  • Also commented there is too much info (wifi password) on the badge

Social Engineering

  • Ability and talent to connect with emotion
  • Can be offline or online
  • We all do it. Ex: lying about what movie you want to see.
  • May earn trust
  • Goal is to do something or gain data
  • Highly evolving method
  • Teaching in college now

Examples

  • Anonymous text messages with links
  • Facebook messages asking where from

Exercises

  • Phishing – caller says you have tickets but you didn’t plan a trip. Asks for employee id to confirm. You also gave up your name by confirming it, and said you were interested in going to Budapest (came from screensaver). Caller called you, so already knows your name.
  • Team building – where grow up, how many siblings and unique challenge from childhood. Think about how much you disclosed and if you held anything back.
  • Scenario where pen tester tries to get in building. Try to get someone to let you in. Most people say take to security or get security
  • Scenario – pen tester pretends changed auto pay info and asks for employee id
  • Companies have offices all over US. Try to get id number by calling Miami office and speaking to receptionist, then victim

Useful insider info

  • Knowing how much a company would pay to recover from an attack
  • Ids
  • Names
  • Departments

Attacks

  • Fill in the blanks
  • Spoof text message numbers
  • Israeli software to crack phone. Don’t even have to click link anymore. Get access to phone just by sending an SMS.
  • 40% of major companies reported industrial espionage incidents in 2016
  • Ex-employee stealing self-driving car info from Apple. We focused too much on China. More African students in US than anywhere else.
  • Leaking is making info public. Info is power. Have goal.
  • Spilling is like leaking without intent.
  • Sharing info at conferences. Ex: where you work.
  • Russian and China trying to steal COVID vaccine research using malware and spear phishing
  • Twitter hack on Obama/Biden/Bezos, etc. Trying to get money. Got data from internal employees
  • Fake social media

Espionage

  • Steal sensitive data
  • Espionage is like a double life
  • Affects personality
  • Traits (thrill seeking, sense of entitlement, desire for power/control) are also found in politicians and CEOs
  • Helpful to be calm (see in tech a lot) and strong sense of responsibility
  • May have regrets after
  • Logical at the time
  • More life crises because more than one personality

Tips

  • When someone calls and says “is this Jeanne”, ask who it is rather than confirming
  • Be cautious when people ask you a lot of questions
  • No defense. Just try to avoid answering too many questions.
  • Be careful if they initiate call.
  • Think about info they should already know. Ex: HR has employee id already

Human Traits

  • In psych, organized means have life together.
  • Psychopath – born that way. Sociopath – traumatic event started it

My take

Crux is an ex-cop. I like that they had someone from outside development for a different perspective than we usually get. He’s a good speaker and kept it interactive. The scenarios were fun to think about.

[devnexus 2022] java and ransomware

Speaker: Steve Poole

Twitter: @spoole167

Link to table of contents

———————

Ransomware crimes

  • robbery
  • blackmail
  • extortion
  • revenge
  • murder – ex: hospital attacks

Symptoms

  • files gone
  • files corrupt
  • unexpected files on system – obvious so believe it is real
  • prevent logging on
  • threats to delete or publish data
  • link to cryptocurrency wallet and amount – hard to trace

How get into system

  • Phishing – impersonate boss, etc. Significant targeted social engineering. Understand business/context. Attachment with malware
  • Malware – mostly Windows
  • Government #1 target. Then education/services/health care/tech/manufacturing/retail/utilities/finance
  • Target single company or org. Look for poor security hygiene
  • Vulnerabilities/CVEs
  • Supply chain attacks
  • Remote code execution

Once have access

  • Pull encryption keys
  • Encrypt files not used often first
  • Then encrypt files currently in use, so the system keeps working until restart
  • Gigabytes/terabytes of data – takes time
  • Would notice if network got slow, so sneaky
  • Copy critical data out disguised as normal traffic. Hide in other payloads
  • Sometimes responses to “legit” requests
  • Almost always via botnets
  • Paying helps fund more
  • Rare to shut down. Instance of giving up decryption keys when one group folded

Motive

  • Data kidnapping – pay or release data
  • Blackmail – dirty payments, porn
  • Revenge – disgruntled employee, cripple systems
  • Competitor – wipe you out/steal secrets
  • Worse – weaponized attacks from nation states
  • Some of these cases do not intend to give data back
  • Cybercrime beat drugs in value
  • Ransomware is worth 6 trillion

War

  • Can be test case to see if can get in
  • Goal is to infiltrate infrastructure and essential services quietly so can manipulate/terminate when needed
  • Break supply chain

Attacks

  • Used to wait for vulnerability to be announced and build attack. Now create own.
  • Open source repo attacks – attempts to get malware into source
  • Typosquatting – lookalike domain/dependency with minor typo
  • Build tool attacks – attempts to get malware into tools that produce dependency
  • Dependency confusion – later version, ex “latest”
  • Designed to stay hidden until needed
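The typosquatting and dependency confusion bullets above both come down to what a build declares. As an added example (not from the talk or from Sonatype), this is a small audit of a Maven pom.xml that flags the two declaration patterns those attacks rely on: versions that are not a firm pin (the LATEST/RELEASE keywords, open version ranges) and coordinates that are not on a reviewed allowlist, especially ones within an edit or two of an allowlisted coordinate. The pom, the allowlist and the edit-distance threshold are all constructed assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed allowlist of groupId:artifactId pairs the team has reviewed (an assumption
# for this example; a real one would come from your dependency policy or internal registry).
ALLOWLIST = {
    "org.apache.logging.log4j:log4j-core",
    "org.apache.commons:commons-lang3",
    "com.fasterxml.jackson.core:jackson-databind",
    "com.example:internal-lib",
}
UNPINNED_KEYWORDS = {"LATEST", "RELEASE"}

# Constructed pom.xml with one clean entry and three weak ones (not a real project's pom).
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <jackson.version>[2.13,)</jackson.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.apache.logging.log4j</groupId><artifactId>log4j-core</artifactId><version>2.17.1</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>internal-lib</artifactId><version>LATEST</version></dependency>
    <dependency><groupId>com.fasterxml.jackson.core</groupId><artifactId>jackson-databind</artifactId><version>${jackson.version}</version></dependency>
    <dependency><groupId>org.apache.comons</groupId><artifactId>commons-lang3</artifactId><version>3.12.0</version></dependency>
  </dependencies>
</project>"""


def _local(tag):
    """Strip the Maven XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss coordinates."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_dependencies(pom_xml):
    """Return [(groupId, artifactId, version)] with ${property} versions resolved."""
    root = ET.fromstring(pom_xml)
    props = {_local(c.tag): (c.text or "").strip()
             for p in root.iter() if _local(p.tag) == "properties" for c in p}
    deps = []
    for el in root.iter():
        if _local(el.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in el}
        version = f.get("version")
        m = re.fullmatch(r"\$\{(.+)\}", version or "")
        if m:
            version = props.get(m.group(1), version)
        deps.append((f.get("groupId", ""), f.get("artifactId", ""), version))
    return deps


def version_issue(version):
    """Describe why a version string is not a firm pin, or None if it is."""
    if not version:
        return "no version declared here; verify dependencyManagement pins it"
    if version.upper() in UNPINNED_KEYWORDS:
        return f"unpinned keyword {version}: resolves to whatever is newest, including a hostile upload"
    if version[0] in "[(":
        return f"version range {version}: future releases are pulled in automatically"
    return None


def lookalike_issue(coord, allowlist, max_distance=2):
    """Flag coordinates that are not allowlisted, especially near-misses of allowlisted ones."""
    if coord in allowlist:
        return None
    nearest = min(allowlist, key=lambda good: edit_distance(coord, good))
    d = edit_distance(coord, nearest)
    if d <= max_distance:
        return f"within {d} edit(s) of allowlisted {nearest}: possible typosquat"
    return "not on the allowlist; review before use"


def audit_pom(pom_xml, allowlist=ALLOWLIST):
    """Return [(coordinate, issue)] for every weak dependency declaration, in pom order."""
    findings = []
    for group, artifact, version in parse_dependencies(pom_xml):
        coord = f"{group}:{artifact}"
        for issue in (lookalike_issue(coord, allowlist), version_issue(version)):
            if issue:
                findings.append((coord, issue))
    return findings


if __name__ == "__main__":
    for coord, issue in audit_pom(SAMPLE_POM):
        print(f"{coord}: {issue}")
```

Run against the constructed pom it reports the LATEST keyword, the open jackson range (reached through the property), and the one-character misspelling of org.apache.commons; the correctly pinned log4j-core line passes. A real run would also need the parent pom and any imported BOMs, since a version omitted here may be pinned, or left open, there.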

General

  • Dependency confusion, typosquatting and malicious code injection increased 650% in 2021
  • New world – state funded, professionally developed, regularly exercised, very sophisticated and extremely lucrative
  • Could even be someone at conference – have to gain the skills

Costs

  • Being out of action
  • Recovery
  • Data loss – data recovery never 100%
  • Human cost – finger pointing, guilty feelings, feeling of being invaded/not trusting security systems
  • Data integrity – can modify/inject data when return

Java

Log4j

  • Still lots of log4j downloads (through 4/11/22)
  • 36% on a day in April were vulnerable
  • Need right tools – check all dependencies, not just your pom, and look inside fat jars
  • Try dependabot
  • Write test cases and see if your tool can find them
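The last three bullets, and the JavaOne note above about checking whether scanning tools find every instance, are easiest to appreciate with a scanner that actually looks inside a fat jar. The following is an added example, not code from either talk: it walks a directory of archives, recurses into archives nested inside them, reads the Maven pom.properties that a log4j-core jar carries to get its version, and also notes whether the JNDI lookup class is present. It builds its own constructed fixture (a fat jar bundling an old log4j-core next to a standalone newer one) so it runs offline; the 2.17.1 threshold is a policy assumption for the example, and the placeholder class bytes are not real bytecode.

```python
import io
import re
import tempfile
import zipfile
from pathlib import Path

# Policy threshold for this example (an assumption, not from the talk): flag any
# log4j-core 2.x older than 2.17.1 as needing attention. Substitute your own policy.
MIN_SAFE_VERSION = (2, 17, 1)
# Maven metadata that a log4j-core jar carries; it gives us the version directly.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
# The class behind the JNDI lookup; present but unparsable version still merits a look.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")


def parse_version(pom_properties_text):
    """Return (major, minor, patch) from a pom.properties body, or None if not parsable."""
    for line in pom_properties_text.splitlines():
        m = re.match(r"version=(\d+)\.(\d+)\.(\d+)\s*$", line.strip())
        if m:
            return tuple(int(x) for x in m.groups())
    return None


def scan_zip(zf, display_path, findings):
    """Inspect one archive and recurse into archives nested inside it (fat jars, wars)."""
    names = set(zf.namelist())
    version = parse_version(zf.read(POM_PROPS).decode("utf-8", "replace")) if POM_PROPS in names else None
    has_jndi = JNDI_CLASS in names
    if version is not None or has_jndi:
        findings.append({
            "path": display_path,
            "version": version,
            "jndi_lookup": has_jndi,
            # No parsable version but the JNDI class is there: flag for review, never pass silently.
            "vulnerable": (version < MIN_SAFE_VERSION) if version is not None else has_jndi,
        })
    for name in sorted(names):
        if name.lower().endswith(ARCHIVE_SUFFIXES):
            data = zf.read(name)
            if zipfile.is_zipfile(io.BytesIO(data)):
                with zipfile.ZipFile(io.BytesIO(data)) as inner:
                    scan_zip(inner, f"{display_path}!/{name}", findings)


def scan_directory(root):
    """Scan every archive under root; returns one finding per log4j-core jar seen."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in ARCHIVE_SUFFIXES and zipfile.is_zipfile(str(path)):
            with zipfile.ZipFile(str(path)) as zf:
                scan_zip(zf, str(path), findings)
    return findings


def _fake_log4j_core(version):
    """Constructed stand-in for a log4j-core jar: Maven metadata plus a placeholder class entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(POM_PROPS, f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder bytes, not real bytecode
    return buf.getvalue()


def build_sample_tree(root):
    """Constructed fixture: a fat jar bundling an old log4j-core, plus a standalone newer one."""
    root = Path(root)
    with zipfile.ZipFile(root / "app.jar", "w") as fat:
        fat.writestr("com/example/Main.class", b"\xca\xfe\xba\xbe")
        fat.writestr("lib/log4j-core-2.14.1.jar", _fake_log4j_core("2.14.1"))
    (root / "log4j-core-2.17.1.jar").write_bytes(_fake_log4j_core("2.17.1"))


def run_demo():
    """Build the fixture in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in run_demo():
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{status:10} {f['version']} {f['path']}")
```

The fixture is exactly the kind of test case the last bullet suggests: a copy of an old log4j-core nested one level down, which a check of the top-level pom alone would never see. Two caveats for real use: shaded or relocated builds rename the package, so the pom.properties path and class name above will not match them, and a jar can declare one version in its metadata while carrying patched classes, so treat the version as a lead, not a verdict.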

My take

Good collection of info and supporting data. Wrapped in a compelling story. Security talks are often scary and first conference in a while provided more time for bad things to happen!