📺 CFTV Anniversary: Hacker Time

Hello and welcome to another installment of Hacker Time. I am your host Evan Johnson from the Cloudflare product security team and this is the one-year anniversary of Cloudflare TV week, a whole week of shows celebrating the one-year anniversary of Cloudflare TV.

We launched about a year ago and tremendous hard work from the Cloudflare TV team and internally people both going on the show, organizers making everything run smoothly and engineers building the product.

Tremendous amount of effort from so many people and it's been going a year.

Hacker Time hasn't quite been going a year but we're part of this week and couldn't be more happy to celebrate one year on the air soon but one year of Cloudflare TV this week and this is the number one security show anywhere and so this week instead of doing some programming we might do a little programming at the end.

We are going to talk about some recent security news.

There has been a ton going on in the news related to security.

You can't open a news site without seeing all sorts of headlines, op-eds, all sorts of things going on.

And most recently one of the biggest topics is ransomware which I wanted to talk about for a little bit.

Last week we had JVS, maybe two weeks ago now, JVS the beef supplier get hit with a ransomware attack and they reportedly paid 11 million dollars to resolve a ransomware attack.

I believe I saw that the meat supplier couldn't continue their operations and had to shut down their operations for a time period and I believe I saw a report that the US government reached out and said that they could assist if necessary but it was big news and also a hefty ransom, 11 million dollar ransom to the cyber criminals who knocked out the plants.

And that is just a staggering amount of money and I'm not sure how much of that, I know Bitcoin's price fluctuation has, it's been fluctuating a lot recently and I don't know if things have been, if like that was 11 million dollars and now it's like 7 million dollars or less than that now but still a hefty sum.

And prior to that about a month ago you had, what else do we have, Kernel Pipeline, so the Colonial Pipeline, not Kernel, the Colonial Pipeline in the United States had its operations disrupted when they fell victim to a ransomware attack as well and paid a 2.3 million dollar ransom in cryptocurrency and much of that was recovered which is very interesting.

The US government was able to recover it and there's been a lot of talk about how exactly they were able to do that in the past week over Twitter since when you send the cryptocurrency you shouldn't be able to recover it.

And I saw another article on The Hill here that the CEO of the Colonial Pipeline was also, ended up speaking to lawmakers about it and this was really interesting as well, it says that he was reportedly grilled about actually paying the ransom and then the date on this is 6 -8 and the reports on the recovery of the money was 6-7 so you can see that despite being, despite recovering the money and knowing that that paying the ransom is something that several of, something that is quite controversial and but my point here is there's been a lot of press about ransomware and a lot of high-profile ransomware attacks and it's really interesting because as a security professional it doesn't seem like there's more attacks, there's always been attacks constantly, what it seems like is they're just getting more press and they're getting more notoriety as they happen.

So it's really interesting for me to observe and as a security person to sit there and wonder about all the ransoms that have been paid that weren't potentially publicized or didn't get as much press because it didn't shut down the operations of the company.

In both of these cases the operations of the victims were severely impacted.

JBS and the Colonial Pipeline both had to shut down and they did that out of not being able to continue operations they said or thinking it was too risky to continue operations and so it is, there must be a lot of instances potentially where this has happened, the ransom gets paid and it just kind of doesn't get reported because it either doesn't rise to the level where it shut down the company for a time period or whatever other reason.

So I found that really interesting and maybe this type of reporting continues, maybe there is a rise in ransomware, we'll have to see.

I don't have any information on, I'm not there with the cyber criminals asking who the next target is and all of that but I do wonder if this is just par for the course and we're just happening to hear about it.

Just like as same reasoning behind COVID testing, how you do more testing, you're bound to find more cases but that doesn't mean there's more or less cases based on how much testing you're doing, you're just more aware of this thing that's happening.

So I thought that was really interesting and then we also had the big news yesterday around EA, hackers use Slack to break into EA games and this was super interesting to me.

It was reported that the source code of some games was stolen and the, but the most interesting part to me is this, a representative for the hackers called Motherboard in an online chat and who knows how trustworthy this is but this is something that these people told the reporter that the process started by purchasing stolen cookies being sold online for $10 and using those to gain access to a Slack channel used by EA.

Cookies can save the login details and potentially let hackers log in to services as that person.

In this case they were able to get into the Slack and from there it's a social engineering exercise messaging people on Slack who might be able to help, who are trying to be helpful to their fellow employees and don't necessarily realize that they might be helping a hacker who's social engineering them.

And here you have the once inside the chat we messaged a IT support mess members we explained to them we lost our phone at a party last night the representative said and this was just staggering to me because this is almost a year to the Twitter incident last year where an internal dashboard was compromised due to a stolen cookie and this is another stolen cookie for a third -party provider not an internal dashboard but this is a software as a service tool that they were using and it's really just it goes to show how difficult it is to protect your protect your boundary so whether internal or external one thing that I think I've preached at the time of the Twitter incident is for sensitive internal things it really makes a lot of sense to be binding your IP the IP address of the person who logs in to the actual session cookie and you can't do this in Slack or a third-party provider some of them might do it for you there's most of them don't have this checkbox where you can enable this feature but if it's an internal website or internal support tool or whatever it is dashboard it really makes a lot of sense to bind that IP address to the to the cookie so I log into internal dashboard a I get a a session cookie that identifies me and if I am on mobile and leave the house I should probably get reprompted to log in because my IP address has changed I just dropped one of the keys from my keyboard because my IP address has changed and that prevents it's not going to prevent internal malice where an internal person who has access to this thing could always just do malicious things but it does prevent the case where somebody has lost a cookie and is selling it or a vulnerability allows a attacker to get access to a session cookie so it stops a big classification of attacks but it's it's not foolproof by by any means if somebody has access to the data and they're malicious then they they can do what they like but a year ago I think we recommended on this show to make sure that you're binding your IP addresses to session cookies and a lot of other things in that case second factor authentication was involved in the Twitter case second factor authentication was involved and we recommended using security keys and those are unfishable by design so it's the best practices are what wins in in the game of defense and that brings me to the the Biden cybersecurity executive order which I actually still haven't gotten to read but I think it's timely it came out in I believe May almost a month ago and I might have talked about it briefly on the show already but it just mentions a lot of the positivity uh these positive best practices that I'm mentioning here so we have multi-factor authentication multi is mentioned eight times in it multi-dash factor multi-factor multi-dash factor multi-factor looks like they're switching every other I'm not sure which one they they like better but you've got within 180 days of the store this order agency shall adopt multi-factor authentication and the FedRAMP guidelines and and a lot of the the compliance guidelines all say you need multi-factor it's just the simplest mechanism to to prevent these compromises and second factor not always foolproof but use your security key and and multi-factor is something you should have on on all of all of your websites all of your service providers even as an individual not necessarily as a company so there was a lot that went on the last couple weeks and I'm sure there's more to come it's a really hot area that a lot of places are dedicating that a lot of news agencies are dedicating reporting effort to and you can hardly go a day or two without a story right now of about ransomware about cryptocurrency involved in ransomware and about companies being being compromised so I'm not sure if it's just a it seems like there's more reporting of it and so it seems like there's more issues of it or if it's actually happening more frequently but still very interesting and all of the unique situations and circumstances are interesting to like look at the details of and understand why why they happened and that's all I really had to talk about for for those two instances use use multi -factor authentication everywhere you can don't don't pay the ransoms and what else even if the U.S.

government is able to sometimes retrieve those ransoms and then lastly oh yeah bind your IP addresses to your sensitive cookies and if you're a service provider if you're watching this and you have a business-to-business service software as a service where you're where people rely on the service you're providing make sure that you are binding your customers IP addresses to their session you know you can make an argument that people don't want to log in so frequently if their IP address changes or or whatever but they also don't want their accounts compromised and they don't want to get pulled into a room at work when their account was unknowingly sold on sold for ten dollars to a malicious entity so those are my takeaways from this and with that I'm going to switch gears to my honeypot that I've been working on we're going to pick up where we left off and just do a little bit of refactoring I have my honeypot right here honeypot d and the goal of this is supposed to be cheap detection very easy to run get set up detect people as they compromise your network or move laterally in your network with really simple software that just doesn't do a whole lot but it's it's the canary in the coal mine so where we left off we built a singular HTTP honeypot that needs to be formatted properly as you can see it is not formatted properly here and there's a little bit of wonkiness with this code it does work we can make it a little nicer and then within notification we are getting text messages through the Twilio API notifying us that our that our canary has in the coal mine has been accessed so it's working end to end where we could deploy this wait for wait for it to receive a request and if it does we know there's something that has connected to it and externally if it's external facing and you just put this on the open Internet that won't mean much at all but if you put this internally on a private network you can expect that anything searching random services on your private network is probably malicious and if it's a just an employee doing that deserves a conversation and if it could be somebody malicious connecting to it so what we're going to do here we're going to refactor this a little bit clean it up actually we might clean up this one as well since this is a little wonky we've got this emptiness here that's actually getting used though and clean up the formatting as well so let's start with the formatting that's that's a very easy one so i think all i have to do is press save yep okay so go formatting uh go code has to be formatted in a very particular way and this just ran the go format command to format my code in that very particular way and it really improves readability and your ability to transfer from debugging one code piece of code to another because all the code looks the same doesn't matter if i write it or you write it or or the inventors of go wrote it um it'll it'll all look the same and what i want to do here in this is i want to make it so we can have more right now we have a web server that's acting as the honeypot i want us to be able to have more i want to add ssh and ft uh ssh mysql and ftp so we also need a new folder we need http and that's where our code should go so i think i just will copy this here and then in http we'll do new file it should be dot go package and this will not work at all but i'm curious why not honeypot is in honeypot honeypot honeypots using plurals is always a mistake in your code try to avoid using plurals because then you end up in the situation where you're wondering is this a plural or a non-plural and if you just have the rule of thumb to always avoid plurals then you'll save a lot of time in your lifetime and this might just work where we have our oh no there's an issue here now this is no longer honeypots it's http and i think this is working let's run it and make sure awesome so my my text was way too small let's make my text a little bigger today so we want to source our bash rc which has all of my secrets and stuff in it for this example and then we want to oh i hope it actually works because you know what i rotated my twilio api credential last week and i don't know if i updated it okay our honeypot is running on port 8080 and if i get a text message waiting a second not sure it worked i've not gotten a text message which tells me two things one i broke my code two we don't have good enough debugging here that that tells the operator of this program that something has gone wrong so let's add that we should at least know why why it didn't go properly when we're building this and huh what's going on here oh no this is this is correct um listen and serve our function is just it's all it's doing is sending the message to um twilio what we actually want is we want our message to twilio here it is so we're sending the request and not even looking at the response we're just seeing if it failed but sometimes um you'll send the request client that the when we're when we're making our api called the twilio it will um if it completely just like fails to make the request then we'll get an error if it makes the request and something goes wrong like we have the wrong api token or whatever we're actually not checking for that so we actually need to check the http response here and if rest dot status code does not equal http.status okay i believe it is not real okay what have i done here this needs to be an assignment now rest.status code does exist and then status okay okay so if we get a response from twilio that says hey not everything was okay we're actually going to return an error error making requests to twilio and we can um um defer okay and we will um marshal the response we'll get this really big horrible json blob as a string but it will help us exactly what happened every time i'm just gonna ignore this error i think we want to prompt the error f yeah here we go and then and is this going to work why is it angry okay well i think this will work i think this will give us a nice error message i believe so error notifying error making requests twilio okay a little bit of word salad here but um the reason that's happening is because we have error making requests to twilio here error making requests to twilio here we have um actually instead of this thing let's just do the status code and that'll tell us why so if it says something like 401 or 400 bad request we can debug it from there 401 authorization required so that tells us that when i rotated my api key after last week's episode i didn't update it here so this is a good check to have okay um i will say that we got we reformatted this piece here and um our code is in a much better place to add other um to add other types of honeypots i really want us to do mysql and ssh ssh has built-in support in golang um so let's look at how we might implement that so there is a server i'm guessing says so so we have a few servers new server con let's look at the docs here and see if we can figure out something in the next couple minutes so it looks like next week when we add a new honeypot we're going to add the ssh server using this new server con um method it will start a new ssh server with c as the underlying transport this connection as the underlying transport it starts with a handshake and if the handshake is successful it closes the connection and returns an error the request a new channel channels must be serviced or the connection will hang so it says they have an example and i'm guessing we can make a if you look at this nice little thing we can make a ssh server config we can program in our own password here look at that uh so we could uh we could talk about password hashing again and rehash some of that or public key callback to look up the right list of uh authorized public keys this is all really interesting stuff and it looks like what we want and then it looks like this is such a great example they have they show you how to make a listener on a specific port port 2022 here and let's find 2022 again i resize the page and then they start listening on that connection and then they create a new server config and there they have an ssh server so next week we will do that so that if you can deploy this anywhere and you'll be able to tell if somebody tries to ssh into it that they are up to no good at all because they're it's your server nobody should be sshing into it and um and you can hack in twilio um notifications or pager duty um or i think we'll add webhooks um in in the next week or two as well so thank you for joining me i appreciate it uh adios