Report Opening Keynote BHS 2019 by Victor Gevers
Wrap-up report Black Hat Sessions 2019 - Keynote Victor Gevers written by Justin Aarden - 31 July 2019
Below you will find a brief report, written by Justin Aarden (Security Analyst at Secura), of the opening keynote given by Victor Gevers, founder of the GDI Foundation and chairman of Global CERT. Victor has found vulnerabilities in complex databases, servers and NAS devices and has prevented valuable data from being leaked. As founder of the GDI Foundation, Victor is currently scaling up from individual vulnerability reports to bulk reporting, all of it free and open source. He spends his time scanning millions of internet addresses and finding and reporting tens of thousands of vulnerabilities. By doing so, Victor (alias @0xDUDE on Twitter) has most likely prevented your personal data from being leaked too.
Victor starts his keynote by explaining what responsible disclosure is. A responsible disclosure policy (hereafter RDP) is a vulnerability disclosure model under which a vulnerability can be reported to a company in a responsible manner. The Dutch government introduced its RDP guideline in 2013 and revised it over the years up until 2018. In 2018 it published a new guideline, Coordinated Vulnerability Disclosure (CVD), which takes the human factor more into account. According to Victor, the Netherlands was the first country in Europe to give researchers full protection when a vulnerability is reported in line with CVD, and more countries are now following the Dutch example and implementing CVD. In parallel, there is an ISO standard that deals with vulnerability disclosure: ISO/IEC 29147:2018, which provides requirements and recommendations to vendors on the disclosure of vulnerabilities in products and services. All of these initiatives share the same aim: to bring previously unknown (zero-day) vulnerabilities to the attention of the party that can fix them, and to encourage responsible disclosure.
Through extensive research, Victor gained a great deal of insight once he started compiling statistics. Those statistics were based entirely on open sources and showed organizations that they needed to address the vulnerabilities that had been found. To obtain them, Victor used services such as Shodan, ZoomEye, Censys, Be and GitHub.
Victor did not only rely on these open services for his statistics; he also scanned many systems on his own initiative, for example from Google Cloud Shell, which caused an abundance of abuse reports to land in his mailbox. The interesting part is that, when scanning the internet, the most common exposure found was (and still is) MongoDB. The cause is that MongoDB did not ship with safe defaults from the start: it listened on all network interfaces and ran without authentication unless the operator explicitly enabled it, so a freshly installed instance was open to the whole internet.
These open MongoDB instances have led to an enormous number of cybercrime incidents: the databases were compromised by attackers who demanded a ransom in return for restoring access. The owners typically restored the data from earlier backups but did not remedy the underlying security issue, so the same instance was compromised again, in an endless cycle.
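The two defaults described above are the first things a practitioner checks on a MongoDB server. The following Python script is an added example for this report, not code from the keynote or from GDI: it parses a mongod.conf (only the simple two-level "section: / key: value" subset of YAML that file uses, not general YAML) and flags a server that binds to every interface or runs without access control. Both sample configurations are constructed for illustration; the paths and addresses in them are placeholders.

```python
"""Audit a mongod.conf for the two defaults that left so many MongoDB
instances open on the internet: listening on every interface and running
without access control. Added example; not code from the keynote or GDI."""

import ipaddress

# Constructed sample: an exposed instance, written out the way the pre-3.6
# defaults behaved (every interface, no authorization).
OPEN_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # placeholder path
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server with both issues fixed.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # placeholder path
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one private address
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset of YAML that mongod.conf
    uses into {section: {key: value}}. Comments and blank lines are skipped.
    Deliberately not a general YAML parser."""
    conf = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # strip trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        if indent == 0:
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key.strip()] = value.strip()
    return conf


def is_wildcard(addr):
    """True for addresses that mean 'every interface' (0.0.0.0 and ::)."""
    try:
        return ipaddress.ip_address(addr).is_unspecified
    except ValueError:
        return False   # hostnames and unix socket paths are not wildcards


def audit(conf):
    """Return a list of findings; an empty list means the server neither
    listens on all interfaces nor runs without access control."""
    findings = []
    net = conf.get("net", {})
    bind = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    if net.get("bindIpAll", "").lower() == "true" or any(map(is_wildcard, bind)):
        findings.append("net.bindIp: listens on every interface; bind to "
                        "loopback and/or the private address clients use")
    elif not bind:
        findings.append("net.bindIp: unset; before MongoDB 3.6 this meant "
                        "every interface, so set it explicitly")
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization: not enabled; anyone who can "
                        "reach the port gets full access to every database")
    return findings


if __name__ == "__main__":
    for name, text in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit(parse_conf(text)) or ['no findings']}")
```

The script only reads the configuration file; command-line options such as --bind_ip and --auth override the file, and a server started that way must be checked against its actual process arguments. The decisive test remains whether port 27017 answers from the internet at all, which is exactly what the scans described above measure.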
Russia has also fallen victim to this kind of incident: the Kremlin had a remote login portal with an open database containing usernames and encrypted passwords. Through thorough research, Victor also managed to find login credentials for a nuclear power plant in China and reported this to the Chinese government, without any follow-up from their side. Another open database contained the locations of public rental bikes in China, including a flag indicating whether each bike was locked or unlocked. Together with a good friend, Victor wanted to observe what would happen if that flag was changed. The friend went to a depot where the bikes were stored and asked Victor to change the value in the database. Once the values were set to 'unlock', a large number of bikes were unlocked at the same time, making it possible to use them.
China is also a leading country in surveillance systems, possessing facial recognition technology that is very accurate. Such systems still lack basic security measures, however: it was relatively easy to find people in these databases, including photos of citizens captured by the facial recognition cameras.
Surveillance cameras are increasingly being used, not only by governments but also by citizens who want to protect their homes from intruders, which shows that surveillance is becoming more and more important today. The problem with these cameras is that a majority of them are publicly reachable and accessible to anyone on the internet who cares to look. Without corrective measures, problems and incidents are inevitable. A first initiative to address this was a project on GitHub to build a new, more secure platform for cameras that would not be so easily accessible. Ironically, the credentials were not removed from that repository, making it very easy to gain access to every camera within China.
At the end of the keynote, Victor left the audience with the following message: "Stop putting things on the internet if it is not needed", as connecting devices to the internet can lead to huge security risks, with new incidents as a consequence.
Lastly, anyone interested in joining GDI was invited to contribute via GitHub (https://github.com/GDI-foundation). It is also possible to contact GDI whenever you, as an individual, have found a vulnerability and the company in question refuses to fix it; GDI can then assist in the process of contacting that company.
SAVE THE DATE: Black Hat Sessions 2020 - 11 June 2020
Are you interested in participating? Keep up to date with the latest news about the Black Hat Sessions (BHS), receive exclusive (early bird) discounts and secure your seat for interactive workshops. Sign up for our periodical newsletter and we will keep you informed.