Cloudflare TV

Hacker Time

Presented by Evan Johnson
Originally aired on 

Join Evan Johnson as he speaks with security professionals about recent security news!


Transcript (Beta)

And I believe we are live. Welcome to Hacker Time, the number one security show on Cloudflare TV, probably anywhere because the sample size of security shows is pretty small.

There's not too many of them. And today we've got, I think we'll have a nice conversation about some recent events and do some splunking and different open source security projects.

And very timely, the US elections were this week and there was a number of elections over the past couple of weeks and a bunch of different countries.

And I thought it'd be interesting to talk just for a moment about Cloudflare Fair Campaigns, which is a really cool offering that Cloudflare is able to make that I was part of the initial launch team for, and I'm very proud of my little contribution.

And it's actually really interesting. A lot of people, you might be familiar with the Athenian project.

I'll pull up that page. If you are watching Cloudflare TV, I think you're pretty likely to have heard of the Athenian project.

And it's free security and performance for state and local election websites.

And I sometimes hear people being kind of surprised for Cloudflare for campaigns, thinking that we already did this.

But actually, the distinction is Athenian project is for state and local websites.

The campaigns, Cloudflare for campaigns is for actual campaigns and candidates who are running.

And the really interesting thing about Cloudflare for campaigns that I was a part of, that I really liked, was figuring out what features and what campaigns wanted and how we could help them.

Because a lot of them, we do our DDoS protection and some of our security features really, really well.

And so once somebody is behind Cloudflare, we provide them with some baseline of security from denial of service attacks, volumetric DDoS attacks, different things like that.

But the thing that I really was interested in is figuring out how to make a little more compelling of the offering.

And so the thing here, at the bottom of the page, we have quite a few of our features.

Some of the things here that I thought were really interesting, and I can talk through kind of like what we offer and kind of why.

We offer, the first thing that I thought was really important was offering enterprise level security features.

So principally audit logs and election security contact. So a little bit like web service if something goes wrong.

And there's another here that's interesting.

Liability and security guide, that was big. And multi -user organization.

So a lot of enterprise ready features that are really important if you're running a well-oiled machine of a campaign.

And so the first one, audit logs, this is pretty table stakes for any SaaS product.

Like every single SaaS product out there needs to have audit logs.

There's actually a great, when I say enterprise ready, there's a great website that I'll pull up right now,, which kind of goes into a lot of these enterprise ready features that are really important for any product.

It doesn't matter what it is. And audit logs is one of these.

Provide admins with a detailed trail of account activity. And it's just such an important feature to know who did what, to be able to backtrack if something breaks, and then to have an audit log of things that change so that if something breaks and you want to see why, you can really quickly debug, okay, did something change in my Cloudflare config?

And the answer is either yes or no. And the audit logs will tell you that.

So super important one. And actually you'll see on this team management, and that's another one of these, multi-user organization, team management, manage your Cloudflare account with multiple accounts, each with granular permissions.

That's so important for any organization. And so part of the Cloudflare for campaigns offering, we wanted to make sure we were treating campaigns like we would treat any other company, so that each campaign has multiple people working on the tech side of things.

They have a lot of people who, not just one person who will be managing the account.

And so it's really important to provide multi-user org support and team management support.

Then we have a reliability and security guide.

And this was something that on the product security team at Cloudflare, we actually spent quite a bit of time on trying to write up how to best use Cloudflare, a lot of our services and what best practices people should be following.

And so we wrote up this really nice PDF and worked with our marketing and design team, and they made it look a lot nicer than our doc that we wrote.

But it contains a lot of information like you really need to sign up for and enforce that every account has two-factor authentication on it, because you have to protect your Cloudflare account in order to protect your website.

And so it's just critical to turn on two -factor authentication.

And then we had some guides and some baseline configurations that we thought in there, that we thought a lot of campaigns would appreciate.

So when we were looking for initial campaigns who might be interested in this offering, we had a conversation with a bunch of them, and one thing was kind of a common trend.

They all wanted their website up and their donations page up.

And so we tried to keep a lot of their needs in mind when we wrote this.

And so one of the things that we included was how to keep – if you have one page that's really important, how do you keep that up?

And so one of the things included here in this, for example, is the use of always online, a Cloudflare feature that will – even if your website goes down behind Cloudflare, we can serve this one or two or three pages that are really important to you straight from our edge to make sure that those pages are still up.

So that is really helpful for – especially in a campaign, you might be in a debate, you might be making some public appearance, and you kind of have the thundering herd problem where a bunch of people go to your website all at once, and they all try to donate because you've done such a great job telling people why they should donate and what you believe.

And it can take your website down, and so you don't want that. And so trying to keep your website and the important parts of your website up with always online.

Election security contact, this one was really important because at the time of launching this, I believe we launched it in, I think, mid-January.

There had been a lot of talk for the past couple of years about election security and how important that is.

And one of the things that's important in the world of security is having someone to call and work with.

And kind of any time that there's a security issue, you lose precious minutes trying to hunt for somebody to contact.

If you're using a vendor or working with a third party, whenever something's wrong, you don't want to wait minutes or hours to try to get a hold of somebody and be helpless.

And so we've made sure that we have an internal process and a internal kind of place that people could contact and kind of make sure that we're checking that regularly.

And so the election security contact, I believe it's a way for them to get in touch with our support team.

And our support team knows that it's very important and has a separate escalation path to the security team should they need extra help.

And then another cool one was, so that's kind of on the enterprise-ready side of the offering.

But the other cool thing about this offering was we included a lot of our newer features that are really becoming more important to the business.

So Cloudflare Access, this is part of the Cloudflare for Teams offering.

And this is a great product where it's an identity where proxy integrates with your identity provider, whether your identity provider is something like G Suite or something more robust, like an Okta or a OneLogin or something, or Azure AD.

And so this was really cool because Cloudflare Access is so flexible that it allows campaigns, no matter what their tech stack is, no matter what's going on behind the scenes, it gives them something really flexible that integrates with a lot of things that they can use to protect their websites.

And then Bot Protection was the other really new feature that we were excited we could include in this.

Our Bot Protection product is a really neat one, and it's been out for about, I'm not exactly sure, maybe two years now, if I had to guess.

But it's been, it is a really cool product and we're able to include it in this without any, so every campaign who would join would get this.

And part of our reliability and security guide tried to help campaigns set up the Bot Protection product in a way that we were basically rejecting a lot of the bots just right out of the box, all of the obvious bots, and no chance of blocking real visitors.

So the security guide we wrote helps create a baseline policy for Bot Protection for all these websites.

And those are some of the really interesting ones, like the Cloudflare for campaigns offering was really cool.

It was one of the coolest things that I got to be a part of Cloudflare because it went from kind of inception to launching it publicly in about a month.

And, and so we have different website I believe for the US here, Cloudflare for campaigns in the USA, and then I believe there might be one for the EU as well, or maybe, maybe I can't find that link anymore.

But it's really cool.

And, and with the election this week thought I'd bring it up and talk about it for a bit, because on the security side I'm really, really proud of it, and it is distinctly different from the Athenian project but they are kind of, kind of related, dealing with elections and.

And yeah, that's my plug for that. If you have any questions, feel free to always reach out to the email on the Cloudflare TV website or find me on Twitter, EJCX underscore.

But yeah, this is a really cool offering.

So the other thing I thought we could do today is just spend some time having some fun doing some digging and looking at a bunch of different GitHub projects that are trending for security.

So actually I went to GitHub, click trending, control left for anything that looked like security and I kind of pulled up a bunch of links, and it's pretty cool like the number one trending project in Golang is for today is this hack browser data.

And there's a bunch of really cool stuff on here some that's been around for a long time like the OAuth2 proxy, and a bunch of other stuff.

So I thought, thought we could go through take a look at some of these and do some digging.

So I thought I'd start with hack browser data here.

And this is pretty neat. So it's an open source tool that helps dig out information for from Windows, macOS, Linux, all the major, all the major operating systems and dig out information from all a lot of these major browsers, i.e.

doesn't appear to be supported, unfortunately, but it it can dig out a lot of like passwords, cookies, bookmarks, history from all of these things and that's a really good forensics tool for security purposes and also like I guess all good forensics tools when when depending on who the who they're being used on are also good adversarial tools.

So this is a really interesting kind of thing.

And I thought it's written in Go, which is really cool I think more security people should look at Go as their language of choice when they're developing software, because security people aren't usually the greatest software engineers which is, I can say that as a security person and and going helps you with a lot of different things like types.

There's, it's very well structured and it helps with a lot of these things that might be code smells in Python or or less strict languages.

It makes your code a little tighter as a if you're, if you're used to whipping things up to accomplish a specific thing and goes great for for a balance between readability and keeping things neat and tidy.

So looking at this, it looks like it's using the standard CMD kind of thing.

Where they put the actual program in the CMD and the core of it looks to be in here, you'll see decrypt.

And they have a few different strategies for decrypting.

And so I'm on Mac, so I pull this up and this immediately kind of jumps out at me as really interesting.

Just doing some 30 seconds of splunking here.

Hack browser data or decrypt, decrypt Darwin.

So we're decrypting things on Mac OS X and Chrome IV. I'm guessing this is Chrome initialization vector.

Jumps out here with a bunch of 32s here 16 bytes, I believe, 16 byte initialization vector.

So, used for Presumably AES CBC mode 128 AES 128 CBC and we've talked a bit about cryptography and some of the other episodes basic encryption and decryption operations and initialization vector is usually part of that.

And yeah, here you see AES 128 CBC decrypt. And so the assumption that this code.

This code here assumes that across all Chrome browsers.

The IV is static. They have a static initialization vector for protecting all this data on disk.

So they take your password you save the password in You type your password in a form from kind of saves it and then they have to save it to your, your disk and in a file.

And so they they protect it and encrypt it before they they save it to a file.

That being said, this is a, this is weird for any this is a bad thing to do for any like Protocol where you're This would be really bad.

But in this case, the purpose of this encryption being here isn't so much to protect the data.

So this is actually like fine here it's it's a the encrypting the data before it goes on to disk is with a static initialization vector is fine because If you can recover, even if if you're in a position where you can recover the encrypted data.

You're also in a position where you can recover the decrypted data as an attacker.

So, so Chrome. This is more for just to make sure that they're not storing the data in plain text is what I'm sure this is for And so I'm curious about the key, though, the key.

I don't see anywhere. And I'm sure we will be able to find it, but it looks like they're decoding some metadata.

It looks like they are doing some interesting stuff here bunch of padding, a bunch of Bunch of stuff.

Let us look A little bit more output. Looks like they're doing a bunch of outputting of stuff.

This doesn't look too interesting. They're doing some parsing of a bunch of different formats.

Whoa, this is cool. Looks like they're querying with a relational database data from something I'm guessing some SQLite database somewhere.

And I'm curious what they do with that. Because I'm actually not too familiar with with how this data gets stored on disk.

It's entirely possible that it's all stored in some SQLite database on your, your machine.

So when you have a browser.

And you are using it for a bunch of stuff logging into websites and all there.

You're actually generating quite a lot of data. And so A good way to keep track of it all is to put it in a database like a like a SQLite database.

So it would be reasonable for them to have a SQLite database here. But I don't see too much interesting.

Yeah, they're opening the SQLite database here and Firefox.

It looks like and Doing a bunch of scanning for bookmarks.

Not too interesting.

So this is one that I'm interested in. So Chrome parse gets called and I'm interested where it gets called from to see where the secret key is.

So let's find that Chrome parse. Okay, it gets called in CMD go And Chrome parse key.

Where does key come from browser get secret key. Okay, let's go there get secret key for chromium So we're what I'm trying to find is where the secret key comes from and where it is on disk.

I'm guessing it's in the key chain, which is the right place to keep it, but You never know.

Keychain Key was what it was called a knit secret key and it's your key is a knit Chrome secret key Firefox key always empty.

Okay, well, Browser. Let's check browser Linux.

That might be a little more clear what's going on. I went to Darwin, actually.

Okay, so the way that this program finds your Chrome secret key is it runs the security program find generic password WA and then C dot name.

C being chromium this Which what is the actual name.

Let's just check that really fast. Name.

Okay. So it looks like what's actually happening here is the full process that this kind of project is doing hack browser data.

They first are Using a few different strategies to find your browser secret key.

In this case, security, the program security.

It's an actual program on Mac OS X. I'll run it here for you and show you And there's lots of different programs, you can run here.

Lots of different commands that it will do all sorts of different things really cool.

But find generic password and it looks like they're pulling the secret key out of that they're decrypting the data from wherever it's stored.

It looks like it's going to be in different places, depending on Chrome profile path, the library applications for Google Chrome directory.

There's, there's different directories where the state is and decrypting it and kind of showing you everything that it has.

So pretty neat how that works. And I'm actually curious how the what they do in Linux here because in macro sucks.

They call the security program find generic password.

What do they do in Linux. Well, it looks like they are Getting this get secret thing.

And it comes from The key ring key ring get secret service.

They get a session there and then get all collections find the secret hanging out in the key ring.

And so that's a great place to store it.

I'm guessing that that security program when you call get whatever password.

It's doing the same thing. Key rings, definitely the place to be storing secrets and And I think that's something that a lot of CLS can learn from what Chrome is doing here.

I've noticed this This is my hot take of the episode, but I've noticed that a lot of programs when authors are writing them.

They kind of Put secrets in the home directory of the person running it.

And so one example of this is the AWS CLI where you press like AWS config or and then You kind of paste in your access secret and your are there's two tokens, your access key and your secret key and it just kind of writes that to a hidden directory and in your home directory.

And while that's like actually fine for most for most attacks.

It doesn't protect against It doesn't do a great job protecting against less privileged users on the system and you really want to be using the key ring to be getting the full Security protection of whatever whatever your OS thinks is the best way to protect secrets, because you might have different security chips on your On your machine, you might have, you might not have full disk encryption enabled.

And so you want to be you want to be using the key ring as a piece of software and that is storing secrets.

I did this in EJCX CF. So I have a command line program that interacts with the that I that I authored that I interact with the Cloudflare API.

And by default, it actually stores your, your secrets in the key ring and I have a nice right up here and it stores.

By default, it'll try to store it in the key chain.

So when you run CF configure actually here.

Here is it prompting you for your secrets, your API key, but if if you have like a key chain issue or actually a pressing reason to To not stored in the key chain, it'll do this no key chain thing dash dash no key chain and it'll store it in the home directory, you can actually choose to do that.

If you if you that's what you really want to do stored in your home directory and and not get the benefits of the key chain, but also you might have a reason for that.

So I wanted to make sure I supported that but by default.

You want to store it in the key ring.

And this has been a pattern that I'd like to see more of. So, There's that. Well, cool.

Hack browser data looks really cool. And I guess we only have a couple minutes left.

So I'll show Oh, I was gonna try building it, but maybe I will. Sure.

So it looks like you can install it with through which is cool.

Nope. This isn't it.

Is it Yeah, this is the right project looks like you can install it with through Filippo appears to be the person Oh, it looks like you first install this I don't know how to say it.

I've heard people say muscle muscle. I'm not really sure how it's actually pronounced and then you Can build this, it should be easy on.

Is it easy on Mac OS.

Why is it so difficult That's really interesting.

And then when you run it, you run hack browser data. And it doesn't just work.

It should just work. Hack browser all okay so I'll help browsers that is that is funny.

There used to be featuring Metasploit where Common super common exploit framework where it was called the auto pwn where you just gave it an IP and it would run every exploit that it had on the IP and hope it worked and It mysteriously got released around the time that backtrack became Kali Linux or it mysteriously disappeared.

Around the time backtrack became Kali Linux, but this reminds me of auto pwn where it's just like, okay, every browser, you have dig out all the information that you have about it and And print it to me and it looks like they take all the cookies that you have every single one for every single browser and they just dump it to all of these different files archive at all.

This is really neat. From a forensics perspective, I can see how this would be really, really useful.

And from an attacker's perspective, it's, it's almost like to Too robust like I don't know.

You, you might get by with something a little more minimal.

But anyways, we're actually out of time. We only have a few seconds left.

So thank you for joining me and I will see you next time. Adios.

Thumbnail image for video "Hacker Time"

Hacker Time
Join Evan Johnson each week for the latest security news, programming tutorials, and more!
Watch more episodes