
Lessons From Billions of Breached Records

Troy Hunt speaking at Developer South Coast in June, 2017

About this talk

Troy will share some things he’s learned about how data is taken from our systems en mass due to coding flaws, complacency and oftentimes, outright stupidity.


Transcript


Let's play this one and hopefully it's not too bright in here, you'll actually be able to see it. - [Narrator] Do a quick tutorial on how to DDoS. Now before I start, I'd just like to say I'm not responsible for anything you do with the information that I've provided in this video for you. So if you go and DDoS someone with this information which I've given you, I'm not responsible for nothing, absolutely nothing you do. So, yeah, now that I've got that out of the way, let's get started. So what I would do is go load up command prompt. I call it green. And then what we want to do is we want to type ping. And then I've got a bunch of random IPs here. So ping, and then just paste that. Or you can type it out. Hyphen T, hyphen L, and then... So this, just a command, it pings them. And this is the IP it will ping. This is how long you want it to do it for. So I've put a limit of time there. This is how packet you want to send. Right here. So let's just hit that. And, as you can see, it's already begun the process of DDoSing their IP. Now there's one thing I'd just like to say. When you do this sometimes it will come up with like a timeout message. This means that the IP could be wrong, or, in fact, your connection's not strong enough to send packets. Or could just be a general error, 'cause it could do all of this and then just say time out and then carry on. So it could just be like the ping's not actually sent. So what you do when you hit Control C, and send four or three packets. They receive four or three packets. They lost nothing. Nothing came up in there. So service their marks. So, basically, they must have a strong connection. And you've gotta do this for a while, this method. So you might go outside and play, wait, DDoS... But, yeah. - All right, what do you think of that? Do we learn something? - [Student] Go outside and play. - So that is part of it, that's a good point. The going outside and play bit.
So in case you saw the guy and how sophisticated is the guy, like when this is what you do in the middle of hacking, going outside and play. Meh, maybe not so much. What did he do before he started DDoSing? Can you remember what he did to his screen? - [Student] Made it green. - Made it green. Remember this, you're gonna see a theme go through here. So to that effect, what I thought I'd do tonight, like the title of the talk was like Clouds and Cybers and things like this, I've been doing a lot of talks lately where I'd do the same thing over and over again. And I kinda got sick of it. And I thought, instead of doing that, what I should do is I'll get like the best bits out of the talks I like the most and we'll just do those. And there'll be like no order to it. It will just be like, "This is interesting, let's do that. And that's interesting, we'll do that." And because it's a small group here everyone can see me really easily. You can ask questions and we'll just go and do whatever people are interested in. But I thought I would start here. I'd start with a bit of my lessons from billions of breached records, which is related to how I run this site. Who's used this site before? Okay, cool, excellent, it's all over the place. So this is Have I Been Pwned, it's a data breach aggregation service. And what it does is when there are large data breaches, so LinkedIn for example, and the data goes public, I get the data, I aggregate it. I load it into here. You can go to haveIbeenPwned.com and you can search for your address. And it will come back and say, you know, here's where you've been exposed. So LinkedIn was one of them. Who was in that breach? All right, what about Dropbox, who was in the Dropbox breach? What about Ashley Madison? Who was in the-- Ah, nearly got ya'. It's usually guys, by the way. So we talk about gender equality and everything in tech. This is not where you want gender equality in Ashley Madison.
And the reason we know it's usually guys is because when the whole thing got breached, and I guess, first of all, I think innately we all know, yeah, it's gonna be guys who are stupid enough to put their things into there, email addresses into there. Aw, crap. Anyway, the reason we know it was mostly guys is because when the data got leaked and people went through and they analysed everything, they found that there were a huge proportion of females who signed up from IP address 127.0.0.1. All right, localhost. So what we actually learned was that Ashley Madison was fabricating females, calling them fem-bots. So guys would go on this site, thinking they're gonna hook up with someone, and they're talking to a fem-bot. So as if it wasn't bad enough that they've been found on Ashley Madison, which was a site for adultery, they then need to explain to their wives, girlfriends, it was only a computer I was talking to. I don't know if it makes it any better or worse. So, anyway, there's a lot of data breaches happening. And one of the things that I find interesting is the perception, if you like, of hackers, because we see this every day in the news. Like on the news this week, we've seen things like the NotPetya ransomware. So this was like the successor to WannaCry which hit last month. Even today, we've seen governments, departments, what is it, the open data, UK department, whatever, leaking people's email addresses. Like it just happens all the time. And people sorta get this perception of hackers like what are hackers? What do they look like, what do they do? So I went online and I thought I'd find some hackers for you. And this is exactly what you find on Google when you look for hackers. Now what can we derive from this? What do we know about hackers? - [Man] Hoodies. - Hoodies, okay, very good. Hoodies, important, what else? Well, green, we already established that. That was in the first video. So we know they like hoodies, we know they like green.
They're very into binary as well, I don't know if you knew this. Hackers love binary. It's enormously useful for doing any sorta computer stuff. - [Man] And they do it in the dark as well. - Yeah, they do like the dark. And you know the thing about it, right, is the dark, and the green and the hoodies and all this sorta mysterious stuff, it makes it seem scarier. And this is like the quasi-serious side, which is the more scary we make this look, the more news articles people will read. It's like you go and look at the papers, particularly in the UK, with the tabloid garbage that's out there, the scarier the stories are, the more eyeballs they get. So stories get inflated into things that are more than what they really are. It's not just the press, though. So the press definitely spins this in ways that are just out of proportion with reality. We also see security companies do this. And I'll give you a good example here. There is a company that creates a product called Cujo. Has anyone got a Cujo? No? Good. So Cujo is security in a box. Like you put security in your house, no more hackers. Like job done, it's magic. And they have this little video to explain who they're trying to protect you from. - [Narrator] You may not know it, but you've probably already been hacked. Thousands of hacking attacks occur each day. - Now how do we know he's a hacker? Green text, hoodie, excellent, everyone's learning. Okay, now I saw this and this was a little while ago. And this was like one part of a larger video. And I saw it and I went it's really kind of odd because when you look at what the guy's doing. And, in fact, one part of the screen in particular I thought was very interesting. And you look at it and go it looks like he's hacking in a browser, 'cause this looks like an address bar, right? And I'm going how do you do this? How do you hack in a browser? Now I figured it out. And I wanna share this with you, because you guys will love this.
And you can go home and amaze your family and friends. If you go to a web browser and you go to a website called Hackertyper.net. And then when you're there, you mash the keyboard like this. And this is exactly what is used in the video. But there's more to it, right? So what you do is whilst you're in here and you're sorta hacking away, this is when you're with your friends. You go, "Oh, look, I wanna try and hack into Donald Trump." Or something that we would all appreciate. And then you go, "Oh, can't get in." And then you try and hack a little bit more. No good there. I got this. Hack, hack, hack, hack, hack. Yes, we're in! Amazing. Isn't that awesome? And this is exactly what they used in the video. So they used Hacker Typer in order to try and convince people that you need to buy Cujo and put it in your house to keep hackers out. And this is kind of some of the FUD that we deal with in the industry, where things just get misrepresented and thrown way out of proportion. I'll show you one other thing that's interesting here, actually, just because it's part of this particular presentation. Everyone saw TalkTalk get very, very hacked, right? This was not too long ago, late 2015. And we saw sorta headlines like this. And one of the things actually that I found quite amusing in this headline is this detective came out and he said, "We think that it is Russian Islamic Cyber Jihadis." This is literally the headline. It might explain why he's a former cyber cop as well, I don't know. Again, like you think about this, this sounds scary. Apologies to any Russians who might be here. Like it's the accent thing. Anyway. But if you are a Russian Islamic cyber jihadi, this is just like combining words together and just throwing 'em out there and going, "Oh, this sounds good. Someone will read my paper." Now, of course, what we learned after this was that the individuals that hacked TalkTalk were mostly children. So they were young kids.
In fact, I've got a couple of the slides. Saw that, 15 years old. 16 years old. One really, really old guy. And we have seen since this point, we've actually seen people sentenced, there was a piece in the news just a few months ago where one of the kids is being sentenced. There's a photo of him coming out of court, gotta blur his face, 'cause he's 17 years old by then. And it almost begs the question, and this is sorta what I think about a lot doing a lot of security training as well. How can a company like TalkTalk who earns 1.8 billion pounds a year get hacked by a 16-year-old? Like what are we doing so wrong that that can happen? And he used freely available software off the Internet as well. Sqlmap, go to sqlmap.org, download it, job done. So I thought we'd start there because that sorta sets a bit of a scene around hackers and how we think of hackers. And I thought maybe from here what we'd do is we'd go and look at something a little bit different, which is actually a security control. And we'll do a little bit of a coding demo. But to do that, I thought we'd start with this guy. Is he really popular here? On the comedy circuit, yeah. All right, so it's basically like Australia and all of the world except for like just under half of the US. So it's like everywhere else he's just kind of a lunatic. You might recognise this photo, actually, 'cause it looks just like a stoned beaver. There is a remarkable similarity, isn't there? There is relevance for me showing this, though. And the relevance is that... I don't know if you saw this, but in the news recently, he did something stupid. You're kidding me. No, seriously, this was in the news. This was a headline. So this was a headline in the news. This was actually about October. So it was while it was in campaign mode. And there is a technology angle to this. Like I'm trumping my way into something that's actually educational. And the problem was this. So why do you think this might be a problem?
Why would this leave Trump's website open to attacks? - [Man] Anyone could update that plugin to GitHub. - Other people could change this particular library. If you were Igor Escobar and he does sound like he has a name which would fit within the cross-hairs of who Trump likes to target. So let's say Igor says, "Well, I like being in Mexico and not having a wall and all this stuff. I'm going to change my jQuery mask library so that I can run script on Trump's website." And then what would you do, like what could you do if you could run JavaScript on Trump's website? - [Man] Anything you like. - Do what? - [Man] Anything you like. - Anything you like. You could actually make stuff start to make sense, or do whatever you want it to do. The point is that when you control JavaScript on someone else's website, you can do just about anything. So what I wanna do is I wanna sort of give you a little bit of a demo here where I'm gonna show you a website that does something very similar to this, embeds script from an external source and show you a security defence we have that a lot of people don't know about. So here's how I'm gonna do this. I'm gonna go to TrumpDonald.org. Just gonna make sure I give that a hard reload. Has anyone seen that site before? Oh, you'll love this. Your kids will love this. All right, now here's how it works. You watch the trumpet, now watch his eyes. And then you get just to the right spot. And it's great, 'cause you can just go around, around, around, around. All right, now as much fun as this is, let's get to the educational bit. If I jump into the source code here and I do a search for cloudflare, you can see here that we are actually embedding a library from another provider. Now really this is the same premise as embedding a script from GitHub. Okay, maybe GitHub when it's someone else's private repository, they might change stuff a little bit more, but it's the same sort of underlying concern.
What if this library was to change on Cloudflare? And I hear people all the time saying "I am reticent to use a public CDN because this might happen." The reason people do use public CDNs like Cloudflare is that Cloudflare's got 115 Edge nodes around the world. And all of these Edge nodes have caches of all this stuff. So when you have a website like this one, it might be one website that runs in one location, say over in the US somewhere, or maybe somewhere outside of US jurisdiction. When they embed the library from Cloudflare, you're gonna get that library from the closest possible place. So you're gonna get a very, very fast load. You're not gonna pay for the bandwidth. Cloudflare is paying for the bandwidth to serve this library. On something like Azure App Service, you've gotta pay for your egress data. And the other thing is that if it's a common library, so particularly something like jQuery, just beneath that, someone might've already loaded it because so many other websites out there embed that same library into their website using Cloudflare CDN. So your visitors might come along and not even have to download it. So public libraries make a lot of sense. Now let's go and have a bit of a look at this one. We get out of there, Buzz, a JavaScript HTML5 audio library. And it goes all the way down to the bottom like that. Now here's what I'm gonna do. I'm gonna open up Fiddler. Anyone here use Fiddler? All right, well, just about everyone. Who's used FiddlerScript? One person partially has. So very, very little usage of FiddlerScript. Now here's what FiddlerScript does. There's a tab over here on your Fiddler that says FiddlerScript. And there's a little go-to just here. And what you can do is you can drop this go-to down and you can hook into events. Now keep in mind that Fiddler is an HTTP proxy. So what it means is that when you run Fiddler and you proxy your traffic, your web browser's gonna make your request.
It goes through Fiddler before being passed on to the ultimate destination. There is an OnBeforeRequest event where you can hook into that request and change stuff. You can change the headers, you can change the body, you can change where it goes to. There's OnBeforeResponse, which hooks into the response when it comes back the other way, which means that you can change anything in the headers and anything in the body. You can't change where it goes to because it's coming back the other way, it's on its return journey. So let's do this. OnBeforeResponse. Now down here in my OnBeforeResponse, I have a trumpification script. And what this is gonna do is it's going to add my own little bit of custom JavaScript into the bottom of the JavaScript that's loaded off Cloudflare. Now what I'm really trying to demonstrate here is what would happen if the script changed upstream of the website, outside of your control. Now we're not really worried about, say, a man in the middle attack doing this, it's also a direct GDPS. We're just trying to emulate that the script has changed somewhere else. And imagine if someone at Cloudflare had said, "Let's just make a trumpification script in there." Okay, so that script is already saved. That's all fine. I can now jump back to here. I'm gonna reload this. This will pull it back through Fiddler. And we should now see trumpification script. So beauty, that's going in there, that's just what we want. Now I can go back to the website and give it a reload. And what it should do is it should apply that script. And that script is gonna make a change to the page. It's gonna add something to the DOM after everything loads. And you can see what it's done, it's added little crazy driving Trump to the background of every single div. And then, it actually still works, it just looks like the hair's coming out of his ears instead. So you see the point here. We have modified the behaviour of the page.
We've actually gone and put other images in the back of the DOM. We could've put social logons on the page, we could've syphoned off cookies, could've done all sorts of other things. All right now this is the problem and this was why he was in the headlines and this is the thing that we need to try and fix. So I'm gonna show you a way of tackling this. Now if I go over to Have I Been Pwned, and you know what? Before I do that, in Fiddler there's a little capturing thing down the bottom left. I'm gonna stop capturing so it's not gonna apply trumpification. And I'm gonna go to Have I Been Pwned, like so. We'll ignore that Fiddler area. And in Have I Been Pwned, if I view the source code and I jump all the way down to the bottom, you'll see that we've got another Cloudflare embed here. So basically the same thing, right? It's doing the same thing and Trumpify. Now we're gonna go here, drop to the end, there's no Trump script, because I'm not proxying through Fiddler. Now we do this. We go back to Fiddler, we start proxying by clicking on the capturing, we give this a hard reload to make sure that it's actually updated the JavaScript file and that it's gonna have trumpification in the bottom of it. And what I wanna show you is that when I go back to Have I Been Pwned and now load this, something different will happen. All right, so reload. So we're basically doing the same thing as what we did with the trumpify web page, the TrumpDonald webpage. The difference is that you're not gonna see crazy driving Trump in the background of every single div. And I'll show you why. If I go into my dev tools and I go into console... Let's actually give that another refresh, 'cause I don't think that actually pulled it through. So you gotta make sure you give it a hard refresh, 'cause otherwise it's gonna come from cache. Everyone knows a hard refresh? You hold down the Shift key, you press F5, and then we got an error. I'll zoom in on this for everyone.
Has anyone seen this before? Anyone know why this happens? - [Man] Integrity tagged about it to scripts. - Integrity tagged about it to scripts. All right, so let's look at how this works. You can see here it says: Failed to find a valid digest in the Integrity attribute for resource with computed SHA-256 integrity. Yada, yada, yada. What this actually looks like is that when we look at our script tag, you'll see I've got this at the end of it. Now that wasn't on the TrumpDonald website. What this is is the SHA-384 hash of jQuery.min.js, version 2.2.4. So have a think about what happens here. I have said here is a JavaScript file that I trust, right? A version of jQuery that I trust. This is a good one. It could be one on my site. I've created a SHA-384 hash and I've put it as an attribute of the script tag, an integrity attribute. When this is here, when the browser then downloads this file it goes, oh, you got an integrity attribute. I'm gonna hash the file using SHA-384 and I'm gonna compare it to that one. And if they match, it's good and I'll run it. If they don't match, I'm not gonna run it. This works because we trust this page. This page has been loaded from our site. We trust the page, we trust the integrity attribute, we trust the SHA-384 hash there. We don't trust this. So this is actually verifying that this is correct. Now it's even better than this, because what happens then is I've got a fallback position. And some of you may have fallback positions anyway if you use CDNs. And the fallback position says try to evaluate window.jQuery. And if you can't, document.write out scripts/jquery. So, in other words, load my local version of jQuery if the one from the external resource doesn't load successfully. What do you reckon? Is that cool? Anything you don't like about it? What if they may do some maintenance on the original site? So what if they change that library? Excuse me, two things.
One, is that this wouldn't hold true, you'd fall back, you'd load it from your local. Okay, so the first thing is that you can do this without actually breaking the site. The second thing is, like take a step back and have a think about that. 'Cause what you're saying is what if this library that I'm embedding that I expect to do something very, very particular, what if someone changes it to do something different? And that's really the problem, right? Because you're saying that the file has changed without you expecting it to change. Now there are certain cases where that might happen. So, for example, if you embed, say, Google Analytics, and it pulls down script tags and things, and they're basically a managed service. You've gotta expect that stuff's gonna change. But libraries like this, hosted on CDNs are meant to remain static, they don't change. If they do change something has gone very badly wrong. Did someone else have a question on that? - [Man] Just on the browser support. - Sorry? - [Man] Just on the browser support. - Browser support. Does anyone else have any questions? I will answer your question, ah, browser support, okay. Now this is SRI, Subresource Integrity. I'll tell you what, let's make it a bit easier. Browser support is great. Microsoft browsers do not understand SRI. Safari's about to understand SRI. So what this means is that you don't get any defence when you've got a Microsoft browser. And we let it all out, it's still got Fiddler open. Oh, there we go. Yep, see? So it's a bit of a shame. And, look, man, I work very close with Microsoft. I like a lot of what they do. I really dislike what they're doing with the browsers, because they're missing a lot of really fundamental security controls. And Microsoft sorta talks a lot about how it's very well sandboxed on the desktop, and it does really good security stuff on the local machine and it's efficient and fast and all that sorta stuff.
But there are all these open standards that Internet Explorer and Edge don't support. So SRI is one of them. Another one of them, if we go back to Can I Use is HPKP, which is HTTP Public Key Pinning. Another one they don't support is Upgrade Insecure Requests, which is supported by every other browser. Another one they don't support, and Firefox doesn't support either, is SameSite, SameSite cookies. Another one they don't really support very extensively is CSP Level Two. No support in IE, we only just got support in Edge. So there's all of these browser security headers and other security controls that are part of the spec, they're open standards, they're implemented by most other browsers, but unfortunately, not in the Microsoft browsers. I know that answers you, but I was gonna ask if you're happy, but you're probably not happy. It does answer your question. So you need to think if you wanna use a public CDN, I would use an SRI hash, obviously I would, 'cause I put it on Have I Been Pwned. I would do that, I would still use something like Cloudflare, 'cause, frankly, if Cloudflare... All right, well, first of all, I think the chances of someone maliciously modifying public JavaScript libraries in Cloudflare is extremely slim. And, secondly, if they did, it would be a major issue, 'cause they have such a massive CDN, and so many people use them, a lot of other people's stuff is gonna start breaking right at the same time as yours and stuff would happen very, very quickly, if that was the case. All right, sorry, you had a question. Well, even if you forget all about SRI, how do you know your local copy's good? So let's make this a broad general question. If you use a third-party library, how do you know it's good? How do you know it's good at the moment? All right, well, man, we can talk about this so-- I think that there are multiple elements of this discussion. So one element is how do you know that it hasn't been maliciously modified by someone else?
Which is really what SRI is there to stop from happening. So one way is that you'll very often find that creators of any sort of software will provide SHA hashes, usually SHA-1 hashes, or some other variant of SHA, hashes of their libraries. So you could go to an HTTPS page, serving a valid certificate from their site, which says here is the hash for our particular product. And then if you're worried about this, you can download their library. And then you can go and hash it and then compare it, do they match, yes, okay, we're good. So at least we know that we have gotten the thing that the producer of the software said you should have. There's another tangent to it, which is how do you know it doesn't have vulnerabilities in it? And you kinda don't. And, interestingly, we do have lots of JavaScript libraries that have vulnerabilities. And this is why we have Retire.js. So I don't know who's seen this before, but Retire.js goes through and documents all of the JavaScript libraries that you should actually be retiring, because they do actually expire. Okay, so first spin down here. Here's a whole bunch of them. Here's the CVEs, the Common Vulnerability Enumeration, so the actual risk that many of them have. And you gotta update a lot of these. And here's this title as well. This is interesting. What you acquire you must also retire. So, excuse me. One of the things you gotta think about is that when you get third-party libraries, whether they be client-side libraries, server-side libraries, NuGet, NPM, wherever you get your things from, how are you gonna maintain 'em? How are you gonna keep them up-to-date when they have vulnerabilities? And this is a known theme. So who knows who OWASP is? All right, so maybe about half the audience. If you don't know who OWASP is, they're the Open Web Application Security Project. And what these guys do is they create a document called the Top 10 Web Application Security Risks. And this document, this thing's like this.
It says number one risk on the web today is injection, namely SQL injection. Number three is cross-site scripting, number four, insecure direct object references. And down here, using components with known vulnerabilities. And this talks specifically about the fact that when you pull in libraries and components from third parties, you're gonna have to keep 'em up-to-date. Now how many of us actually do this? Because it's not an easy thing to do. One of the neat things about Retire.js is they actually have a grunt plugin, a command line scanner, extensions for Chrome and Firefox, which will show you as you browse to a site whether their libraries are out-of-date and whether they need patching because they've got vulnerabilities. But this is a hard problem. And then, of course, if you do take new libraries, you really wanna test things again. And you look at the rate at which libraries rev, how frequently there's new versions of it. It's a hard problem, it's a hard maintenance problem. If you wanna do the SRI thing, what you can do is you can go to srihash.org. And what you do there is you can plug in the URL of a library that you'd like to hash. So for example, I could go to, let's take this one, let's copy the JavaScript library from there, paste the path into here, hash it. And what this site does is it goes away, it downloads that, and then it hashes it and then it says here is the correct tag to use. And what you'll find is that this should be the same value, ry/, which is the same as that, ry/. Now you might say, "How do I know that I can trust the one on Cloudflare?" Now if you don't trust the one on Cloudflare, what you could always do is grab the one on your own site, which in my case is the one that's gonna be sitting just there and I can drop that there. I could load that. And there's my library. And I could go over to here, paste that one in, which is served from my site, I trust that, that's my good one. And I can say, okay, well, let's hash that.
All right, any other SRI questions? Yes? - [Man] If a browser isn't supported, is there JavaScript libraries that you could potentially use that are not out-of-date? - No, and part of the problem there as well is that then how would you trust that library? Yeah. - [Man] Down the rabbit hole. - You're going down the rabbit hole. Look, to be honest, it's only the Microsoft browsers that don't support it, which today on the general populace, are a small proportion of the overall traffic. If you were just targeting, say, government departments might be different. They might be very, very beholden to Windows XP and IE6. There's still places out there. What I'd be inclined to do is say use the public CDNs like Cloudflare, because the chances of it going wrong are so infinitesimally small and the rate at which it would be fixed is so rapid. If you were really, really paranoid, what you could do is you could say if the user agent is Internet Explorer or Edge, we're not going to call it from a CDN, we're gonna call it locally. If the user agent is something that supports it, then we're gonna run with it. And I'm not sure if you can do like a server-side feature detection or something on it, but, yeah, that would be your middle ground. But, frankly, I'd have no problems just calling off Cloudflare and putting in integrity attributes. All right, anything else on this? All right, well, silence, amazing. Okay, so let's go and do something a little bit different. And I thought we might get a little bit of SQL injection, because SQL injection is still a massive thing. We know it's a massive thing because we just discussed it's up here in number one. Now-- So in 2007, number one was SQL injection. In 2010, number one, SQL injection. 2013, SQL injection. There's a 2017 release candidate, SQL injection. I'm gonna show you just how much crazy SQL injection stuff there is out here as we get into this next demo. So I'll jump into here and I'll jump down, and I'm gonna show you.
Where did I do this? I did this towards the end. Yeah. Whoops, I gotta escape out of that, and then I jump down. And then I go, okay, let's do, there, go. All right. Who here has corrupted their database with SQL before? Yeah, so all of us. All of us. I suspect they mean a slightly different context. And, incidentally, how do we know they're hacking? It's dark and there's a green screen. Very good. All right, so I wanna talk a bit about SQL injection. And we're gonna spend a bit more time on here, because there's sort of a bunch of tangents I wanna go off on. And where we might start is there's a guy that wrote a blog post awhile back that has provided me with endless material. And he's this bloke, www.neeraj. Now we're going to pick apart someone else's blog post. And normally I wouldn't do this because it's not particularly charitable. However, this is a really bad one. And I left a very, very nice comment for the guy saying, "I really don't think you should be." Well, actually, "I really know "you shouldn't be doing this stuff. "You may want to reconsider publishing something publicly "and encouraging people to do the same thing." Now I'm gonna scroll down a little bit and I'll just sorta stop partway along and see what you guys think. Go there. Okay, it's web forms, let's just move past that, we know. How do you feel about the connection string here? All right, well, so there's some mumblings. What don't you like about this? - [Man] It deviates his way - It was easy. That is probably the reason. Is this a frequent thing? Like do we have like a lot of SA out there? Do you wanna find out? All right, here's what we do. Who knows what a Google Dork is? Some people from my workshop today. I promise there's not much repetitiveness from today's workshop, but there is a little bit. So a Google Dork means that we can do things like this. We can do an in URL, da ta da ta, we'll bring that up. I'm gonna make it a bit more interesting. 
And I'm gonna open that incognito because you get more results, strangely enough. Okay. Hundreds of results of ftp web.config. So who here is an ASP.NET developer? All right, so those working with ASP.NET know that web.config is like the configuration file of the app. It has connection strings, API keys, a whole bunch of valuable, vulnerable, potentially vulnerable settings. And what we're actually seeing here is we're seeing a bunch of websites returning their web.configs via publicly accessible ftp. So, effectively, anonymous access in ftp. And as we scroll down, we see a bunch of these. Now we could click through to these, but as I was discussing with people today, if we did, then you'd pull it off their site, and they would see that you're looking at their things and that's kinda like hacking. It's not hacking if you just grab the cached version. As best I know. Why can't we see it? 'Cause it's XML, but if we do the source code, then it's a different story, then we can see it. So these are people's connection strings. All right? And they're all exposed publicly. Let's go back and we'll filter this down a little bit. And I'll filter this down to SA, because this is where we're really going. Who uses SA? There, SASA. SA, password, password, SA, SA. You know what bugs me most about the last one? It's the capital W, who are these crazy people? It's like when someone spells database with a capital B. It's like, why? Like, quit now. What are you doing? All right, so there are plenty of people out there who do this, right? Where they go through and they put SA in credentials. Like we know, I think, sort of anecdotally in our hearts that people are gonna do this because it's such a shit practise, but it makes it easy. Now getting back to this bloke. What else don't we like about it? SA. - [Man] Well, the most common passwords. - It's eight characters. But, yes, they are sequential characters, but it's eight characters. 
The data source does look like his local PC, but, I mean, he runs critical business systems from there. What's the problem? But one of the things that I often hear people say, is you'll see something like this and someone will go, "All right, don't worry about this, "because this blog post is not about how to write "connection strings. "This blog post is about how to do a password reset. "So ignore the fact that "we've done a really lousy connection string." The problem with that attitude is that every time you put any code online, whether it's a blog post or Stack Overflow, public GitHub repository. People will come and copy and paste your code, and they'll reuse it in places. And they will have no idea what it actually does. And I wanna show you how I know this. Last year, in January, I was over in Norway and I was running a workshop, the same one I've been running here today. And one of the guys in my workshop was doing this exercise where we take in mobile devices and we proxy the mobile device through the PC and we look at the traffic that the mobile device is sending. And we sorta go, okay, are these good practises, bad practises, et cetera? One of the guys has one of these. It's a Nissan Leaf. And the Nissan Leaf has a connected app. A few cars these days have connected apps. And it has a connected app because he can do things, which maybe as an Australian I never knew you actually needed to do, which is turn the heater on in your car before you get in there. We have a very different set of problems. I get into my car at home and it's been sitting in the sun and it's been 40 degrees or something. And you're not wearing a shirt, 'cause it's Australia. And the seatbelt buckle is there in the sun and you sit on the seatbelt buckle with your bare top. You have different problems there. So, anyway, I didn't know that cars needed to be able to do this, but apparently they do. It's an electric car. 
So he can pull back the battery status with his mobile app as well. Has anyone got one of these? Oh, okay, interesting. You can also pull back the trip history, so the times, the durations, not GPS coordinates, just as well. Not things like speed and all that kind of stuff, but the trip history. And he was curious, he's like, how does my mobile phone know to talk to my car? Like why doesn't it talk to another car. And so he's sort of looking at the request. And what he realises is that the only thing that his phone used in order to identify his car is the VIN number of the car. Now the VIN number was effectively being used as an API key. And if you don't know what a VIN number is you can find out in the windscreen of every single car. That is an API key printed in the windscreen, visible to everyone. Worse than that, you can enumerate just the last few digits. So we found, like we wanted to establish, is this actually a real risk? Is it a problem? So what we did is we found that we could replay the request that went from his device to the API, the car itself, fortunately, isn't serving the request. There isn't missing API running on a web service somewhere. We could replay that request and just modify the last five digits. And we used a tool called Burp Suite. It's a freely available tool where you can capture a request and then say, for example, let's take these last five digits and let's just guess random ones between 10,000 and 20,000. And then we looked at all the requests going through and every now and then one of them would return a result. It's a car. And we went, you probably shouldn't be able to do that, because I basically had the ability to start mucking around with people's climate control. Now you can only do this remotely while the car is parked, but a lot of them are gonna be parked most of the time. So I could just turn the climate control on and off, check their battery, track their history of where they've been travelling. 
So I went, okay, well, this probably isn't real good. I should get in touch with Nissan and let them know. So I let them know the next day. And we had a bit of backwards and forward. I had a meeting with them on the phone. And this was whilst I was actually in the UK while I did that last year. And they said, "Yeah, we'll look into this." And a month later they still hadn't fixed anything. Vulnerability was still there. And I eventually got to the point where I said, "Look, I'm writing about it, because this "is a privacy risk to people. "Plus, you can kinda control other people's cars, "which you're not meant to be able to do." So what I ended up doing is I discovered that one of my mates in the UK, this guy just here, Scott. Scott actually has a Nissan Leaf. So we did this video where I went home and I sat next to my pool. And he was in the UK, so he was cold. And I'm sitting by the pool in the sun and I'm going, "Hey, Scott, you look really cold. "Can I turn your heater on for you?" And I'm basically controlling his car. The Internet here is terrible, so that's not gonna work. But you get the idea, like I have control of the vehicle. So anyway, I wrote this blog post. And immediately Nissan has pulled it. They've gone, "Okay, that's it, we're gonna kill the app." Because, apparently, when a whole bunch of journalists start calling up and going, "How come anyone can control your cars?" Now it's a problem. It wasn't a problem before. So they pulled the service, service went down, and it was down for a long time. It was like six weeks or something. And eventually they got it back online. And they pushed out the new app. Can anyone see anything in this app that looks a little bit unusual? All right, you're seeing this down here? Why would that be there? Why would Nissan do this? I'll show you why. If we Google Nissan copy Stack Overflow. We will find a result that is a story. Because this made the press. 
Like it wasn't bad enough, like their cars were kinda remotely hackable, but then when they fixed it, obviously they'd been copying code. And, the funny thing is is that we can go and have a look at this Stack Overflow post. Let's open that new tab. Okay, we'll go there. And we'll see this post, go.skimresources. What the hell is that? Wasn't that weird? You see that? The URL was go.skimresources. Hm, anyhoo. Weird things on the Internet. There you go. Which is crazy, right? Like they had copied this without actually realising what it did. But it's actually worse. What are the first two words here? What are the first two words here? So it was even worse than copying and pasting it. What they had actually done is someone obviously sat there and retyped this, which would've been a whole lot more effort, and, like why? Why did he do this? Oh, geez. Okay, so this is sorta the point I wanted to make insofar as when we see stuff like this guy over here, and people say, "Yeah, but, you know, "you're not meant to sort of take this bit seriously. "Go to look at the other stuff." People will copy and paste it. Now we're gonna go on, because there's a lot of sort of SQL injection stuff here, which was the ultimate goal. I'm gonna scroll down a little bit. I wanna show you a little bit of SQL code. Now some people who are in my workshop have seen this, but then we'll do some other stuff as well. If we go down here, I'll put this up, maybe, where am I gonna put it? Get stupid notification thing in the way. All right, how do we feel about this SQL code? This is a question for those who didn't see it today. Sorry, what was that? We feel-- Okay, why do you feel bad about this? Okay, all right. How about SQL injection, though. How do we feel about that? - [Man] Pretty bad. - Bad about SQL. Well, we'll do a show of hands. Who thinks this is vulnerable to SQL injection? Who thinks it's resilient to SQL injection. All right, you guys win. 
You're in the work, he cheated, man, you know. Here is why it is resilient to SQL injection. What's happening here is we've got our SQL statement, select * from logintable where email=, and then email is decorated with the @ symbol. And then we go and we open the connection, and we go down to this select command object. We go to the parameters collection and we AddWithValue, email, which matches that one. And then the value of the text to email field, or the text that's in there. And what this means is that no matter what value is put in that email field, it will not change the structure of this query. So this is called parametrization. It's added as a parameter. So you can put the craziest collection of quotes and apostrophes and whatever else you want in that text box, and this query will look for an email with that address. So this is resilient. We can argue the select * thing. I don't know, maybe there's a right number of columns in there to begin with. Who knows? How do we feel about the next set of SQL down here? There you go, there. Who thinks it's good? Who thinks it's bad? Okay, very good, it's bad. And the reason why is because this one concatenates the value of this txtEmail field into one big long string. And then it goes down to here and it executes it in this sort of partially obscured line. And what this means is that if you put just the right string in the txtEmail field, you're going to change the structure of the query. So the right string, for example, would be something like, single quotes, semicolon, drop table, login table, dash-dash, 'cause the dash-dash, would then comment out the remaining single quote there. And your login table would be gone. And you know that the web app has the rights to drop the login table, because it's connecting under SA it couldn't do anything anyway. Does that make sense? Now sometimes people say, well, like, yeah, this is bad, but this condition won't be true because you won't find a record that matches here. 
You won't find an email address that's just a SQL injection statement. So what you do is you sign up with an email address, which is single quotes, semi-colon, drop table, login table, dash-dash @gmail.com This then holds true, you go down to there and you get your things dropped. So this is why I like this guy's blog post. And I really hope he doesn't fix it now. Because it's really handy to show everything in one screen. Because it shows not just the good one, but it showed the bad one. And, perhaps, more significantly, it shows that there's a lot of tutorials out there that actually talk about how to do bad stuff. I'll give you another example, just jump onto something else. When we sorta talk about tutorials showing people how to do things wrong. I did this talk, it was a couple years ago. And this was a really fun talk, actually. 50 shades of AppSec. It's just like 50 different really stupid things that people have done. And one of these ones in here has a little bit of a tutorial. This was from a professional training service. We'll just see what you guys think of this. How do you feel about base64 encryption? Mostly good. People pay money to learn from services like this. So I think more than anything, this sorta speaks to just how much crazy broken stuff there is out there. Now I mentioned this guy. And I said, look, I had left him a nice message, all right? So if we spin down here. I'd sorta said, "Hey, give you some friendly feedback." I was very constructive. You know, "You don't wanna do this. "Here's references, Password_Storage.Cheat_Sheet." All these really useful things. And then we move down. I'm not entirely sure what this is. As we go down here, one of the things that really frustrated me was stuff like this, right? It's like, did you not just read the big comment with the friendly advice between the blog post and where you then scrolled down to comment? Useful one. Thank you, very nice and easy to understand code. And this was in September. 
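The two lookups from the blog post side by side, as an added example that is not part of the original talk: the concatenated query run against the sign-up string just described, and the parameterised query run against the same string. Python's sqlite3 and a constructed in-memory login table stand in for the SQL Server database in the post.

```python
import sqlite3

# The string from the talk, registered as an email address: it closes the quoted
# value, starts a second statement that drops the table, and the trailing "--"
# comments out the closing quote the query text would otherwise leave dangling.
ATTACK_EMAIL = "'; drop table logintable--@gmail.com"
HONEST_EMAIL = "alice@example.com"


def fresh_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the blog post's login table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table logintable (email text, password text)")
    conn.execute("insert into logintable values (?, ?)", (HONEST_EMAIL, "hunter2"))
    conn.commit()
    return conn


def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "select count(*) from sqlite_master where type='table' and name='logintable'"
    ).fetchone()
    return row[0] == 1


def lookup_concatenated(conn: sqlite3.Connection, email: str) -> str:
    """The second snippet from the post: input is pasted into the SQL text.

    SQL Server executes the whole batch that the concatenation produces.
    sqlite3's execute() refuses more than one statement, so executescript()
    is used here to reproduce that batch behaviour. Returns the SQL that ran.
    """
    sql = "select * from logintable where email='" + email + "'"
    conn.executescript(sql)
    return sql


def lookup_parametrised(conn: sqlite3.Connection, email: str) -> list:
    """The first snippet from the post: the value is bound as a parameter, so
    whatever it contains it can only ever be compared against the column."""
    return conn.execute(
        "select email from logintable where email=?", (email,)
    ).fetchall()


def demo() -> dict:
    # Concatenation: the WHERE never matches anything, but the batch still runs
    # the second statement and the login table is gone.
    vulnerable = fresh_db()
    ran = lookup_concatenated(vulnerable, ATTACK_EMAIL)

    # Parametrisation: sign up with that same string and the lookup simply finds
    # that row as data; the table is untouched.
    safe = fresh_db()
    safe.execute("insert into logintable values (?, ?)", (ATTACK_EMAIL, "pw"))
    rows = lookup_parametrised(safe, ATTACK_EMAIL)

    return {
        "sql_that_ran": ran,
        "table_dropped_by_concatenation": not table_exists(vulnerable),
        "table_intact_with_parameters": table_exists(safe),
        "rows_found_with_parameters": rows,
    }
```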
And I sorta started seeing these replies and I was like, yeah, this is ridiculous. And I think I tweeted this at some point. And people started chiming in after I tweeted. And I sorta got the sense that somewhere along here they were starting to take the piss. Anyway, and it went on and on and on. So you see the problem here, right? People are literally taking this code. And we are all using apps and putting our passwords into apps that are built like this. Now let's go and continue the SQL injection story. All right, so we saw that. Now one other thing that's very interesting with SQL injection is it's a very obtainable exploit. So I mentioned the kids break into TalkTalk, use SQL injection. There's a huge amount of material out there about how to do SQL injection. There's a lot of training material. And I wanted to find a video of someone teaching SQL injection to try and give you a sense of the sophistication of some of these people. - [Narrator] Let's do a professional video. Let's actually show you how the concept works. And I'm SQL, or squil method here, Squil injection. - So it wasn't just me that heard that and thought of this, was it? Except as a hacking squirrel. - [Narrator] But I will teach you how to do that. And there are easy methods to do this. So do not worry, do not worry about this. Yeah, I just... Don't worry about the little jump cut there. - So it's not like Pluralsight quality. For those of you who've seen Pluralsight before. So I do these Pluralsight videos, these online training that you subscribe to Pluralsight and you can watch these videos. And if my mouse flashes across the screen for like 20 milliseconds. I'll get feedback and they go, "I saw your mouse." "Go and fix it." So, yeah, it's quite different to this. Now what he does is he then goes to this website here, which lists Google Dorks. So we were talking about Google Dorks just before, like searches that find things that probably shouldn't be there. And he's highlighted one here. 
Inurl: Buy.php?Category=. PHP sites with a query string called category. Let's have a look at what he does. - [Narrator] Sorry, I don't know. I forgot that Firefox won't do that. - It's hard to watch, actually, isn't it? - So the first site was this one, which is literally this. So if I just go in here. Yeah, this opens up this. - He's chosen a site to hack. What was his selection criteria? First site, that's it. It wasn't like, "I'm a hacktivist and you have wronged me. "And I am going to wreak my retribution on yous." It's like, "Now you're at the top of Google searches, mate, "you'll do." All right, so he's picked this site. - [Narrator] Okay, so with this extension what we do is put a little apostrophe here. Little comma-ish. Put it there, press Enter. And there we go. So this means that we have an error in the database. So there's an error in their database. And their database is MySQL server, there you go. Because it's my squil, or MySQL. We can target it and grab all their info. - So the apostrophe. When you think back to the SQL statements we saw before, with the guy with the blog post. If there was SQL state, or if there was an apostrophe in that email address, you'd end up with this rogue apostrophe in your statement. And it wouldn't have any terminating apostrophe. And inevitably what's happened here is that somewhere someone is doing something like select * from widgets where ID equals, and then it's just taking whatever is in the query string. And now there's this sort of rogue apostrophe sitting out there. So what he's done is he's sort of, without really knowing it, he's demonstrated a proof. Like this proof is showing, okay, there's a risk. Let's have a look at what he does next. - [Narrator] So next you wanna have this programme, Havij. - All right, who, other than the people in my workshop today have seen Havij? All right, some people here, so many of you have not. Let's see what we can do with Havij. 
And this may be a little bit interesting with the connectivity we have here today. I have a website I use for a lot of my demos called Hack Yourself First at TroyHunt.com. It has lots of security vulnerabilities in it. I'm gonna scroll down, I'm gonna choose one of these cars down here, one of these makes. And I'm gonna copy this URL, which you can see has a query string value. I'm gonna go down to this little carrot thing down here, which is Havij, and paste the URL into the target and tell it to analyse. Now what it's doing is it's making HTTP requests. This is all it is. This is the most simple, basic, Mickey Mouse thing you could imagine. HTTP request trying to cause exceptions in the database. It's done that and it's just found the internal name in the database. Hackyourselffirst2_db. Had to create another database today, 'cause things really broke. Now I actually don't think it was the hacking, it was Azure just did some funky stuff. Anyway, so I go to Tables and I say go and get me all the columns. Ooh, I lost that. Go to there. Go and get me all the tables, rather. 'Cause I wanna find all the tables in this database. So here are all the tables in the database. Now this is not making like connections over 1433, direct to the database. This is HTTP Web Request. We're getting all the columns. And then we go through and we say, "Oh, well, isn't this wonderful, we've got all the columns. "Let's get all the emails and all the passwords, "now go and get that data." And that's it, there's your data. Like how easy is that? That's why it's up there in number one on the OWASP Top 10, because this is so freaking easy and the impact is messy because this is the data from the internal database. Do you think there are many sites at risk of this? Do you wanna have a look? I'll show you. We'll do a little demo. Is anyone here a PHP developer? Not anymore. Okay. Inurl.php?ID=. Now what we'll do is we'll let this run and we'll just go and grab the first few results here. 
Result, result, result. These are loading. Now when they load, they're going to have a query string parameter with an ID equals something. And all we're gonna do is we're gonna do what the kid did, we're just gonna type one character, 'cause one character isn't hacking. No one has ever corrected me. Okay, there you go. That's at risk. What about the next one? Da-da-ta. Takes a little bit longer on the wi-fi here. That's at risk, that's no good. What about the next one? That's at risk. - [Man] What's the best tool for me to find vulnerabilities in my site? - In your site? Yes, very, very important caveat. All right, so that's actually a good question. Things like Havij, to be honest, it's not a great tool, it's very, very basic. The reason I use it in demos like this is it's a GUI, it's very impactful. I do talks where I get my seven-year-old son to demonstrate SQL injections. And he comes up and he has his hoodie. He actually puts his hoodie on when he gets up. He has to stand on a chair so he can see over the podium. But then he does this 'cause it's such a, again, like a Mickey Mouse tool. One of the tools that's very effective at SQL injection is called SQL map. And for those of you that are interested in seeing how this stuff works, go and get SQL Map from SQLMap.org. This is a very offensive tool. Like this will break into stuff and do nasty things. You're welcome to run it against hackyourselffirst.troyhunt.com. And I promise I won't deport you as a convict to Australia, or anything like that. But this is the tool that people ran against the likes of TalkTalk as well. Now, again, this is a primarily offensive tool. So if you were saying, "What's the best way "for me to get started and actually testing my own apps, "I'll give you a couple of suggestions." If you wanna try a free tool that's very easy to get started with, try OWASP ZAP. Anyone use ZAP? All right, so ZAP is produced by OWASP so it is an open, not-for-profit company, they're not there to sell it. 
It is what you would expect of a free tool in that it's a little bit rough, it's not particularly easy to use if it's your first time. But it is a way of actually doing dynamic analysis. And it's dynamic analysis in that what you do is you run it against a live running website. And it will issue a request and will try and cause exceptions, and it will try and find SQL injection and things like that. The one that I really like is called Netsparker. And Netsparker is a commercial tool. And just to show you what it actually looks like. If we fire it up... Actually, well, it's loading there. That's the website. It's gonna come out, it's gonna tell me there's a new version. There's always a new version. But I want the new version. Here's what we do. You put in a URL like that. You can configure authentication to go through and log into the site or do other things. And then you say start scan and you go outside and play. And then when you come back it's made tens, hundreds of thousands of requests to your site looking for every possible vulnerability you can find. Now that's gonna run terribly here because the Internet connection's so bad. But what it will do is it will go through and it will find SQL injection. It will find XSS. It will find loads of things. Even already things like there are cookies here that aren't marked as HttpOnly, so JavaScript could access them. There are missing X-Frame-Options here to say you could be vulnerable to a click-jacking attack. You're disclosing the ASP.NET version. You're putting out a stack trace. You don't have same-site cookies, which helps protect you from CSRF, and so on and so forth. And it found all of that within seconds over a really bad connection. Now the problem with tools like this is that they're not cheap either. And they're not cheap because companies like Netsparker know that they're very, very effective. And it sounds like a lot of money until you go, well, how much is dev time worth? 
You know, places like the UK, as a modern first-world country where developers are expensive. And $2,000 disappears very, very quickly. So they know that automating this is enormously good in terms of the ROI. They know it's very, very good if it saves you from a security incident, because security incidents can get very expensive. TalkTalk says it cost them 42 million pounds. Tools like this find precisely the vulnerability that they got hit with, which makes me pretty certain that they are probably pushing stuff out in production that didn't actually get tested. Not security tested anyway. Does that help answer your question? Yeah, yeah. If you're interested in automating it, this guy wrote a blog post, Troy Hunt. Netsparker, in fact, I did it with TeamCity. And what I did is I had... So are you using TeamCity? - [Man] Yep. - All right, sweet. So I had a build agent. And I had one dedicated server that its own build agent on it. Had Netsparker installed. You can then call Netsparker from the command line. And I had a build trigger which was there had been, I think the build trigger was that there'd been a deployment. And I had another trigger that would actually do the deployment based on if there'd been code changes during the day. So every time we made code changes, that night, it would build the project, push it into a staging environment, run Netsparker over it, there'd be a report waiting for us in the morning. So go and check that out. That was quite handy, that was really useful, actually. Yes? - [Man] Are you aware of any tools that exist that allow you to monitor your website for potential hacks? - Like someone else trying to break into your things? - [Man] Yeah, so potentially-- - Yeah, so there are a number of things. There are a couple of providers out there, and the names escape me now, where they create like in-process tools, where it's like bin deployable assemblies that can look at what's executing on the site, which I'm a little bit worried about. 
I don't really wanna muck around with the processes on the site. The tools that I think are very useful. In fact, I'll give you some examples. Anyone use Raygun before? So Raygun's very handy. Now Raygun does effectively crash reporting. So you integrate this into your app if you have unhandled exceptions and things that will log them, works across a whole bunch of different frameworks. Not a security-specific tool. But what you'll find is that when you start getting hammered by automated tools trying to break into your things, you end up with lots of errors, not necessarily 500s, 'cause maybe you're handling those well, but you'll get lots of 404s. And a tool like this is very good at logging them and then you go into your dashboard, and you say, "Wow, there's a lot of requests here." Here's the raw HTTP request. It's some user agent from the Ukraine trying to find wp-admin. So there's a good example. The other thing that I would look at, that's more dedicated security is this sorta class of device called WAF, a web application firewall. And it's a bit of a generic term, but in principle we're saying let's have a device that sits between the website and the people. So that when they then go and try to access your site, it has to go through this WAF, the rules have to get analysed and applied. And a good example of that, so there's my crash reporting for Have I Been Pwned recently, just as an example. And I'm actually not logging 404s anymore, 'cause I just got too much junk in there. But there are a few unhandled exceptions here, which will be things like just bizarre timeout exceptions. And I can go and get all the details what they were. In terms of sorta WAF stuff, the kinda thing that I'm finding really, really useful is Cloudflare. Anyone here use Cloudflare? All right, so if you don't, Cloudflare is totally awesome for many reasons. One is that you can get HTTPS for free. They will give you a free certificate, you can get the green padlock on your site. 
There are many nuances to it. Google my name in Cloudflare if you're interested. So there's that. The other thing is is that because they act as a reverse proxy, so when you go to something like Have I Been Pwned, or your traffic goes to Cloudflare, they decrypt it, they look at it. And then they pass a lot of it on. They also cache a lot of stuff. Because they do that, they can identify all sorts of various threats which come through. See if I got that right. Nope, no. Use your password manager, too. It usually works. Magic. There you go. I'll let it log on there. So Cloudflare is really, really good for stopping all sorts of threats. They are the world's largest Internet property. It's either them or Facebook. They kinda vie for position. And the reason they're so big is because they have tens of thousands of websites that route their traffic through them. So they had this massive, macro view of what's going on in the Internet. And when they see bad traffic in one corner of the world, and they can create patterns around that, they can start to block that bad traffic when it comes to your site. And then there's lots of other things in there which will help you identify bad traffic, block it. Do things like say, "Look, I'm actually under attack at the moment--." Turn on multi-step verification they said, it'll be awesome. This is a perfect example of the security versus usability paradigm. This is sort of the reason why multi-step verification has such low adoption levels. But for you guys, in particular if it's something important, like this literally manages my DNS as well. If someone got into there, I would be screwed. It'll be very, very nasty. However, when you get it right, five, four, five, one, ugh, and then it changes when you're halfway through typing it. Five, two, two, two, yeah, four. 'Cause that computer is safe. All right, so, yeah, give Cloudflare a go. It takes about five minutes to set up. You get HTTPS, you can get it for free. 
My blogs run on free Cloudflare. You'll see I got a nice certificate and all that sorta stuff. That's a really good thing. Does that help answer your question? Any other questions around the sorta SQL injection? That sorta things? This eventually loaded just as we're done. Let's skip past that. All right, I'll do something different. And I got a couple things to show you. We've got probably about 20 minutes left. What should we do next? Give you a good example of what's happening with a lot of data leakage. So I did a talk recently in Australia, just before I came overseas, Playing Nice and Staying out of Prison. So this was about how to do responsible disclosure and basically how to be good citizens. And there are a couple of things I spoke about in here, and I thought I'd show sorta two of them in a row here. Now one of them was these guys. Anyone got one of these? You know, the funny thing is I did this same talk in London two nights ago and there were hundreds of people, it was massive. And I said, "Has anyone got one of these?" And a guy down the back holds up his Cloud Pet. He brought his Cloud Pet to the user group. Now in case you don't know what these are, it's very simple, they're messages you can hug. They are teddy bears, unicorns, this sorta thing, with a Bluetooth device inserted within them. And they're also a listening device. They've got a microphone, they've got a speaker. They've got a little flashing LED on their chest and they've got a button in the paw. And the idea is is that you might have, say, a little kid, mom and dad. Mom works late and the little kid wants to talk to mom, you know, while mom's still in the office. So what happens is mom and dad both have a smartphone. And they create CloudPets accounts on the smartphone. And, of course, when they do this, they're creating accounts in the cloud. And then what happens is dad, 'cause dad's at home, pairs the Cloud Pet to his Bluetooth phone. 
So now the kid can talk to the Bluetooth phone, the little girl can record a message, goes to the phone, goes up to the cloud, and then comes down to mom's phone. And then they can repeat the thing in the opposite direction. Now there are multiple problems with CloudPets. And one of the problems was found by a guy over here. This is a guy called Paul Stone, works for a company calle