"It's Fine," They Said. "Just Ship It," They Said.

  • added 22 Aug 2024
  • Ask yourself - Have you ever worked in an environment where pressure is applied to the staff by middle management or executives to ship a product? Have you ever experienced the awkward silence when an engineer asks the management about features or security that was overlooked or purposefully avoided to make a product ship date happen? Are you familiar with the term 'minimum viable product'? Well, my friends, you are in luck, for today I shall be taking you on a safari. Today I'll be showing you what happens in the real world when scenarios like the one I've just described are put into reality, and products are shipped with not a care in the world.
    Powerplants, electrical switching stations, acid tanks, cows, chickens - even curtains. People are putting nearly everything they can on the internet for no other reason than because they can. I'd like to introduce the 'Internet of Things' to you! Please make sure your helmets are fastened on tightly, and please keep your hands and feet inside the vehicle. Things are going to get weird.
    Dan Tentler is the founder and CEO of The Phobos Group, a boutique information security services company. Previously a co-founder of Carbon Dynamics, and a security freelancer under the Aten Labs moniker, Dan has found himself in a wide array of different environments, ranging from blue team, to red team, to purple team, to "evil hacker for a camera crew". When not obtaining shells or explaining how not to get shelled, Dan enjoys FPV racing, homebrewing, and internet troublemaking.
    Tuesday, April 12, 2016
    Co-sponsored by ISTS and the CS Colloquium

Comments • 76

  • @Willam_J 6 years ago +25

    This audience was clueless. Do they NOT understand that all of this work was done by one guy, in his spare time? They’re asking questions that would take teams of people many months to do. When he offered to provide answers to their questions if they were willing to pay for it, I didn’t see anyone open their checkbook. Nothing here needed to be quantified. The whole message here is that we have a HUGE problem and it needs more attention. No more, no less. There should have been someone at the entrance pulling these people’s heads out of their asses before they entered the room.

    • @nothing-wp9ti 6 years ago

      No kidding and the people asking questions were obviously professors too.

    • @peregrinusoblivione4967 5 years ago

      @HACKERS COMMUNITY Lmfao there is no way your name is Bill. Learn English.

    • @danielr82 5 years ago

      Then what is the point of the talk? - he could have said that there is a huge problem and just left it there.
      - there is plenty of hyperbole in this talk, vaporizing people with liquid metal, killing people in pools by decreasing water pH...
      there are sooooooo many assumptions, this guy ASSUMES that he can go to manual modes with no authentication, he ASSUMES that there are no further safety lockouts... lots of the talk is bollocks. (he states clearly that he's just uncovering these things, not actually trying anything.)
      This is a college, where students are paying a huge amount in fees to be taught facts, not listen to the imagination of Viss and what he thinks might be possible...
      Most of the questions are questioning how he has reached his conclusions, and about the methodology he's used. - perfectly valid questions for students to ask.
      Also, it's not his spare time, he made it clear that this was a work activity undertaken by his security company.

    • @freemanguess8634 5 years ago

      Algorithms continue, I see.

    • @ashleybishton742 4 years ago

      It's still happening today in 2020 and I'm successful in finding all these things in a matter of minutes. My fave is VNC lol

  • @user-uc4ll6kx1g 7 years ago +16

    Apparently the law of nature that states "if you can imagine it, someone had already put it on the Internet" applies not only to content.

  • @morphman86 7 years ago +41

    I'm not sure the people understood early on that Dan was talking about publicly open stuff, with either default or no login credentials. As in you can just walk in and do whatever you want, don't even need to "hack" it.

    • @DrewWalton 6 years ago +1

      @HACKERS COMMUNITY In need of a professional spammer? Hire the guy above me!

    • @ashleybishton742 4 years ago

      Even if you tried to hack it, it's impossible to hack without any sort of recon. If you brute-force then good luck with that, as that's the only way... to brute-force SSH, VNC, Telnet it will take forever. Your grandkids will be old and grey by the time the computer cracks the password, it's fact. Videos you see on YouTube are of their own servers and they know the password and user, so it takes the brute-force script a few seconds to crack.

    • @ashleybishton742 4 years ago

      And that's if you can get past the firewalls first. Some are open and easy access, but it's not hacking, it's knowing about networks and how to do scans. That's not hacking.

  • @nickorr1880 7 years ago +31

    I never did anything this guy is talking about but I did find an open webcam one time that was filming a baby giraffe and its mom in some weird container.

    • @Tsaukpaetra 6 years ago +2

      If you were a little earlier you might have seen it giving birth! :)

    • @TheMrVengeance 6 years ago +2

      There are tons of webcams that are _meant_ to be publicly accessible, like in a zoo for your example, or cities sometimes have webcams so you can look up how the weather is or how busy it is in town. That's not what this guy is talking about here.

    • @ashleybishton742 4 years ago

      Why not, bro? It's the only way to learn.

  • @LavenderSystem69 7 years ago +8

    "What could possibly go wrong?!"
    Famous last words...

  • @murderyoutubeworkersandceos

    license plate reader in lithuania!
    it says "PL" right there...

  • @jackkraken3888 6 years ago +3

    For any people who don't understand what's going on: basically the security researcher used a specialized search engine to search for non-password-protected VNC sessions. VNC is in a way quite similar to Windows Remote Desktop; it allows you to remotely control a computer as if you are there. The reason why this talk is important is that in these examples, the people who installed VNC or made it public deliberately decided to remove password protection, meaning anyone (on the Internet) could theoretically access and even control the equipment mentioned if they searched for them with the tool mentioned, without permission of the people who are in charge of running those computers/devices running VNC. This is a hacker's dream come true: there is no password to crack and you can potentially do all sorts of things on these exposed devices.
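The comment above describes what the talk's screenshots rely on: a VNC server that offers the RFB security type "None", so the handshake never asks for a password. As an added example (not code from the talk, from Dan Tentler or from any search engine mentioned), the script below parses the first two server messages of the RFB handshake as specified in RFC 6143 and reports whether passwordless access is on offer. The byte strings at the bottom are constructed for the example, not captured from any real host, and the `probe()` function is only for hosts you are authorised to test; it reads the security list and closes without ever authenticating.

```python
"""Probe a VNC server's RFB handshake for passwordless access.

Added example, not code from the talk or from The Phobos Group.  It parses the
first two server messages of the RFB handshake (RFC 6143) and reports which
security types the server offers.  Security type 1 ("None") means the server
hands a desktop to anyone who can reach the port.  The sample byte strings at
the bottom are constructed, not captured from any host.
"""
import socket
import struct

# Security types from RFC 6143 section 7.1.2 plus registered extensions.
# The dict is only for readable output; the verdict keys on type 1 ("None").
SECURITY_TYPES = {
    0: "Invalid (connection failed)",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    17: "Ultra",
    18: "TLS",
    19: "VeNCrypt",
    20: "GTK-VNC SASL",
    30: "Apple ARD",
}


def parse_version(banner: bytes) -> tuple:
    """Parse the 12-byte ProtocolVersion message 'RFB xxx.yyy\\n' into (major, minor)."""
    if len(banner) != 12 or not banner.startswith(b"RFB ") or not banner.endswith(b"\n"):
        raise ValueError(f"not an RFB banner: {banner!r}")
    major, minor = banner[4:11].split(b".")
    return int(major), int(minor)


def negotiate_version(server_version: tuple) -> tuple:
    """Version the client echoes back: RFC 6143 treats anything below 3.7 as 3.3,
    and newer servers (e.g. a 4.x banner) are talked to as 3.8."""
    if server_version < (3, 7):
        return (3, 3)
    return min(server_version, (3, 8))


def _reason(buf: bytes) -> str:
    """Decode the length-prefixed reason string that follows a failed negotiation."""
    (n,) = struct.unpack("!I", buf[:4])
    return buf[4:4 + n].decode("latin-1", "replace")


def parse_security_types(version: tuple, msg: bytes):
    """Return (offered_types, refusal_reason) from the server's security message.

    3.3: the server alone picks one type, sent as a 4-byte big-endian integer.
    3.7+: a 1-byte count followed by that many 1-byte types; a count of 0 means
    the server refused and a length-prefixed reason string follows.
    """
    if version == (3, 3):
        (sec,) = struct.unpack("!I", msg[:4])
        return ([], _reason(msg[4:])) if sec == 0 else ([sec], None)
    count = msg[0]
    if count == 0:
        return [], _reason(msg[1:])
    return list(msg[1:1 + count]), None


def classify(banner: bytes, security_msg: bytes) -> dict:
    """Turn the two server messages into a verdict a scanner could act on."""
    version = negotiate_version(parse_version(banner))
    types, reason = parse_security_types(version, security_msg)
    return {
        "version": version,
        "types": types,
        "names": [SECURITY_TYPES.get(t, f"unknown({t})") for t in types],
        "no_auth": 1 in types,  # "None" offered: no password between you and the desktop
        "refused": reason,
    }


def probe(host: str, port: int = 5900, timeout: float = 5.0) -> dict:
    """Live check against a host you are authorised to test: read the banner,
    echo a version, read the security list, then close without authenticating."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = s.recv(12)
        version = negotiate_version(parse_version(banner))
        s.sendall(b"RFB %03d.%03d\n" % version)
        return classify(banner, s.recv(4096))


# Constructed samples (not captured from any real host).
SAMPLE_OPEN_38 = (b"RFB 003.008\n", b"\x01\x01")          # only "None" offered
SAMPLE_AUTH_38 = (b"RFB 003.008\n", b"\x02\x02\x13")      # VNC Authentication, VeNCrypt
SAMPLE_OPEN_33 = (b"RFB 003.003\n", b"\x00\x00\x00\x01")  # 3.3 server chose "None"
SAMPLE_FAIL_38 = (b"RFB 003.008\n", b"\x00" + struct.pack("!I", 20) + b"Too many connections")

if __name__ == "__main__":
    for sample in (SAMPLE_OPEN_38, SAMPLE_AUTH_38, SAMPLE_OPEN_33, SAMPLE_FAIL_38):
        print(classify(*sample))
```

A server that offers only "VNC Authentication" is not necessarily safe either (the DES-based challenge is weak and the password is capped at eight characters), but a server that offers "None" has no authentication to speak of, which is the case the talk is about. Note also that `probe()` stops at the security list; it never selects a type, so it does not log a session on the target.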

  • @javabeanz8549 5 years ago +3

    Love the "No Food or Drink Zone" sticker, and the cup just above it next to the laptop ;o)

  • @mdcastle 3 years ago +1

    24:07 I did the same thing, poked a hole in my home firewall so I can access the lights in the house (Insteon system running on a Universal Devices ISY-99 controller) over the internet. Sometimes to turn random lights on and off on vacation or to make sure I didn't forget and leave a light turned on when I left, but mainly because it's cool and geeky.
    I guess I'm not worried about a random stranger finding it and turning my kitchen light off, and my lighting controller is the only device that I opened a port for.

  • @gwenynorisu6883 5 years ago +3

    Man, I was really feeling your pain by the end of it. The part about CERN (and a couple others after) had me making little involuntary squeaks of darkly amused surprise.
    But just how the hell do you even go about getting DOS 6.22 online? Presumably someone who had bridged its serial-terminal redirectability into a Telnet session or something?

  • @RobertPendell 7 years ago +1

    The DOS one was probably KVM over IP which tends to have integrated VNC.

  • @LakeVermilionDreams 6 years ago +9

    It's hard to tell if your audience is understanding the humor, meme references, lingo. If they were laughing with Dan, great, good job. If they weren't, Dan ends up looking like a nut up there! Oh well, I'm laughing along at home!

    • @Willam_J 6 years ago +1

      JJNess - I was thinking the same thing. When one of his slides had the word “MOAR” on it, I wondered how many people thought that he was horrible at spelling and wouldn’t take him seriously after that. I really think that a lot of the acronyms, hacker-speak and humor in his presentation went over a lot of people’s heads. I know he’s just recycling slides he uses at Cons, but he should really tailor them to the audience that he’s targeting in order to get the most effect. I’m hardly in a place to criticize him, though. My hacking skills are laughable, at best.

  • @archerstown 7 years ago +1

    When you live in Philly and you're like... I'm not surprised SEPTA does shit like that.

  • @gwenynorisu6883 5 years ago

    Oh jesus, the Polycom VCs. Place I worked had a whole, dedicated, _physically padlocked_ (I am not even joking) ethernet port for it in a small number of rooms, which were literal hotlines to ports on the WAN interface on the wild side of the main firewall. Because even our combined team of network wizards (who were reasonably sharp in every other regard) couldn't work out how to pipe its various protocols through the firewall. It really hates being NATted for some reason.
    Horrible piece of work all round (it had a terrible camera, actual video codec, control interface, low resolution, hopeless sound, etc), it was a happy day when we managed to get Skype working instead (after a flirt with some more enterprise grade solutions that were about halfway between the two in terms of quality and hassle), and moreover found webcams with drivers that would work with our AD security policies, and could just transition everyone over to webcamming through their computers like everyone else in the normal world.
    About a year before I left, whilst I was off on holiday, some bunch of cowboy installers convinced one of the non-IT managers to have a whole new fancy multi camera VC system (I think also a Polycom?) installed into a wholly unsuitable room. Without making any attempt to wire it in properly or set up the network side of things. I never, ever saw it working and in active use. At least two grand spent on something that could have been done just as easily with a couple of cheap all-in-one desktops and webcams, and thanks to the primitive nature of its protocols it couldn't even be used. But I did put USB webcams in there, connected to the desktop PC wired to one of the flatpanel displays, more times than I'd care to count.
    Embedded tech is such a nightmare for obsolete, insecure, inflexible protocols and procedures that actively encourage you to indulge in wrongheaded practices just to make them work. Given the example of those videoconferencers - which were things specifically _built_ to work on corporate nets (though I got the strong impression it'd have been much happier plugged into a phoneline where its low resolution would match nicely with the 56k bandwidth) - all the other examples of various embedded level systems that are blithely exposing their underwear regions to the world are not really any kind of a surprise.

  • @morgulbrut 5 years ago

    That Conference Gear screenshot. I used to work at the company which probably did this. And nope it's not the MIT logo.

  • @spacejaga 7 years ago +5

    No, it's not the MIT logo.

  • @thegardenofeatin5965 7 years ago

    There is a 3D printer controller program called Octoprint. Runs on a Raspberry Pi, lets you stream G-Code, and it can host a webcam. I was setting mine up, I googled "Octoprint Webcam" and someone's printer webcam was in the top three hits on Google.

  • @adamjj001 3 years ago

    They did the drinking water attack in 2021, this is still a thing.

  • @douro20 6 years ago

    I found a WeatherBug cam once with its interface open to the Internet.

  • @marekant7776 4 years ago

    10:20 actually it's a control system for some sort of license plate press

  • @byoungmn 5 years ago

    You would be surprised (or maybe not) how many businesses are still using outdated operating systems like 2000, ME, XP or 98

  • @javabeanz8549 5 years ago

    Around the 53 minute mark, Viss is showing slides of some 4.9GHz wireless network equipment, it's Tranzeo, and at least at one point, some of their equipment had a hidden account, and they are Linux systems... root:default ... yeah, that's real secure...

  • @connerallen642 6 years ago +1

    16:23 couldn't be more true.

  • @Cygnus0lor 6 years ago +1

    Particle physics? *PHBBBT* CRYPTOCURRENCY!

  • @mtbgreatmusicmtbsmothyloun7424

    He looks so familiar to me, like a friend I knew from the 1980s.

    • @Cygnus0lor 6 years ago

      He's Viss on social media... Also he's fucking awesome.

  • @justaddjeff1988 4 years ago

    If you lost the password for the RuggedCom you can run the MAC address through a Perl script to obtain the backdoor password.

  • @oliviadrinkwine1411 6 years ago +2

    Play "Never Gonna Give You Up" on the speakers and just rickroll whoever is listening.

  • @smorrow 6 years ago

    1:02:00 lol, is that G. Edward Griffin?

  • @ww3586 6 years ago

    Quick question I just thought of: some of the stuff online has a touch panel in the building and you're seeing the screen of it online. If you have a touch screen on your computer, can you control the touch panel with your touch screen?

  • @kaptenkrok8123 2 years ago

    Is the guy at the start speaking sign language?

  • @dead_p1xl964 7 years ago +7

    This talk looks awesome, but the audio is terribad.
    I want to hear Dan wreck shit.

  • @zejnel1988 4 years ago

    Dan, how can you help me with CCTV footage, camera reading a licence plate, pictures are blurry..

  • @marcvandenbroeck3792 6 years ago

    France is the EU host ISP of all EU providers, the WAN IPs get stacked in this huge ISP host as having over 50 countries they provision in a SSL VPN uplink, so we travel data over this UDP layers to that HOST in the provider VPN uplink then routers take over, a package from .be to a .nl travels over France to USA redirects to countries like Korea, UK, Russia, Iran, China, Japan, ending in a middlepoint AMS (Amsterdam Dutch Holland Server) no domain nor any info only an IP, but this location is not accidental as it's the peer to Russia, as the ARIN A IP lays 1 bit higher so the Web is in fact an intranet, governments don't use public IPs but these private peers assigned as 10.0.0.0/32, simply 100 private IPs provision the ISP's host gateway and that's enough to access the complete IPv4 over a class A private IP, nobody sees this

  • @hene193 7 years ago

    I think the legal problem mostly goes away since it's open for everyone. It's public

    • @finfan7 7 years ago +2

      Check out the most recent HOPE conference, specifically the one about disclosure. Even if you are not only not doing anything malicious, but also seeking to help the company by telling them about their vulnerability, they can push to punish you via the CFAA. If someone wants to punish you for touching their systems, and they have enough money, they can.

    • @LakeVermilionDreams 6 years ago +1

      If I leave my house door unlocked, you still can't legally waltz on in uninvited (at least, not in my jurisdiction!)

    • @nothing-wp9ti 6 years ago +1

      If you have a store with the door open, people can legally walk in.

    • @hene193 6 years ago +1

      Lake, I would say this is more like public land. If it has no fences and no signs saying private property you can just waltz right in.

    • @vk3139 4 years ago

      ​@@LakeVermilionDreams Logically speaking it doesn't really work that way, the internet is based on asking for permission to access a page/service/whatever, and if that webpage or service says "Sure, why not?" and lets you connect without authentication that is considered publicly accessible.
      A more accurate comparison would be walking up to the doorman at a restaurant and asking to be let in, and he holds the door open and says "sure, go ahead" and points you to an empty table with no questions asked because no one told him that he should deny people or check them against a list of authorized visitors.
      It should be very hard to prove that someone didn't have a good faith reason to believe they were allowed to be there in that case.
      If you request access and it is given to you, you should be able to in good faith assume that it is intended to be so, because otherwise the internet as we know it would cease to function.
      But then again the CFAA has very little to do with logic and is written vaguely enough that it comes down to a matter of interpretation that can be twisted however the powers that be wish in the particular case.

  • @mobiousenigma 4 years ago

    Want some fun? Do a worldwide port scan for Kali machines... you might want to keep that list updated. I can guarantee any default Kali system out there is being used to hack something by someone who doesn't know enough to use it.

  • @LordSihhe 6 years ago

    9:57 Hey, I know this company...

  • @ChunkyChest 5 years ago

    I try to tell our police force here @31:08

  • @hakerbonzo6471 5 years ago

    So I can look up random IPs and put them on the internet and be nosy about everything and it's ok?

  • @MikeBudalich 2 years ago

    At the 37:44 mark I spy exacqVision VMS software lol

  • @ion_q 3 years ago

    Is he on speed?

  • @geraldellis1177 7 years ago

    birthplace of what we know as the internet
    #funfact #darpa>=stark industries

  • @inund8 4 years ago

    I see Viss, I click

  • @ItsAnonymousGuy 7 years ago +2

    If it's public it's not just public, do not take that as advice pls. If you see a house with the door open that does not mean you can go in the house or that the house is public. It's still illegal to go in, and you will get arrested if not cautious.

    • @HostilePride 6 years ago +5

      No, it is illegal to go in because there are laws preventing trespassing. As he stated in the talk, the Internet is a complete grey area because no one can put laws on it. You can walk down any street and look at a house from the road, this is exactly what he is doing here. When you start doing stuff like messing with the system with intent to harm, installing malware, or anything more lucrative, THAT is when you start breaking laws. He hasn't needed to enter a password to get in or anything.

    • @spyone4828 6 years ago

      Under the law, an unlocked door is an invitation to enter.
      As he said, in order to be gaining "unauthorized access" there has to have been some effort put in to separate the authorized from the unauthorized.

    • @spyone4828 6 years ago

      @Hostile Pride to be clear, he doesn't say that nobody CAN make laws about this, but that nobody HAS.

    • @vk3139 4 years ago

      Logically speaking it doesn't really work that way, the internet is based on asking for permission to access a page/service/whatever, and if that webpage or service says "Sure, why not?" and lets you connect without authentication that is considered publicly accessible.
      A more accurate comparison would be walking up to the doorman at a restaurant and asking to be let in, and he holds the door open and says "sure, go ahead" and points you to an empty table with no questions asked because no one told him that he should deny people or check them against a list of authorized visitors.
      It should be very hard to prove that someone didn't have a good faith reason to believe they were allowed to be there in that case.
      If you request access and it is given to you, you should be able to in good faith assume that it is intended to be so, because otherwise the internet as we know it would cease to function.
      But then again the CFAA has very little to do with logic and is written vaguely enough that it comes down to a matter of interpretation that can be twisted however the powers that be wish in the particular case.

  • @sayandebakhtar193 3 years ago

    Ayyy @viss

  • @cFu479 7 years ago

    51:13...

  • @Impedancenetwork 6 years ago +5

    I can't stand watching presenters like this. He presents like he is a kid.

    • @mtbgreatmusicmtbsmothyloun7424 6 years ago

      Impedancenetwork, he does it in his own way.

    • @jackkraken3888 6 years ago +3

      He has done this kind of presentation for years, in the form of the comedy inception panel for DEF CON. His nickname is Viss and he is pretty popular. But I do get what you are saying. I have watched a number of his videos and they are funny as hell if you understand what's going on; I think it needed to be explained what he actually did and what it means.