Season 4, EP 6

Red Teaming the Indian Government

May 17, 2023

In this episode, host Paul Roberts chats with John Jackson, a senior offensive security consultant, about red team exercises he and the security research group Sakura Samurai conducted on websites and applications belonging to the government of India.

EPISODE TRANSCRIPT

JOHN JACKSON
Thanks for having me. My name's John Jackson. I'm a senior offensive security consultant, and I am the founder of Sakura Samurai, which is now defunct. But I actually got into cyber when I started doing application security. That's, when I really consider my real hacking journey to begin, because I was doing a lot of web app hacking, and then I moved over to a consulting firm and started doing a lot of independent research and leveling up and made the hacking group.

PAUL ROBERTS
Okay so Sakura Samurai, this is a hacking group you started, you guys operated for a couple years. Tell us sort of the idea behind Sakura Samurai.

JOHN JACKSON
Yeah, so the idea was to be the first real hacking group to focus on vulnerability research ethically, aka legally. 

PAUL ROBERTS
Yeah and that means that you all really looked for responsible disclosure programs that companies, or in this case, governments offered. And you worked within those. So you weren't like, oh, we'll hack 'em and then we'll be nice and go and tell them what we found and hope that they don't sue us.
You were looking for organizations that were actively saying, yeah, come and take a look. Poke around at our stuff and tell us what you find, is that how it worked basically?

JOHN JACKSON
Without a doubt. Yeah, and I think the thing that was interesting about that is our primary focus was government because that's where there was a lot of shortcoming. And honestly, looking back in hindsight, I think the government entities we researched on were probably more open to vulnerability research than private industries, as I found over the years.

PAUL ROBERTS
Often the case. Yeah. I would describe you as a red team expert, but like how do you describe your own like skillset and expertise? What's your superpower? What are your like real interests in the kind of security research, red teaming world.

JOHN JACKSON
Sure. Yeah, so red teaming is pretty much how I'd describe myself nowadays because I don't think any one person can breach a company just focusing on one aspect. It might work one time around, but you have to be malleable and really look for different attack vectors and even non-standard vectors.
So I think my claim to fame in particular is web application hacking. I find a lot of weird web app type of vulnerabilities that end up getting me onto the network. I think over the years I've developed that skillset into finding specific zero days and chaining them for access to networks.
So that's something that I take pride in. But, you know, I don't shy away from network hacking, mobile reversing and even the strange things, right? Like I'll sit there and use non-standard tools to reverse applications or to look through GitHub repositories for credentials or to think outside of the box.

PAUL ROBERTS
Okay. So like non-standard tools? What types of things are you talking about?

JOHN JACKSON
So this is actually a kind of funny segue, but GitGuardian is a good example. GitGuardian was never meant to be an offensive tool, but for a little while I was using it offensively to-

PAUL ROBERTS
How did that work?

JOHN JACKSON
What I would do, kind of as a bypass or a workaround is I would fork repositories so that I had a copy so that GitGuardian was thinking that it was my local code and then I would have it scan it and it would recover deleted files it, it would look for credentials and it was actually really good at it. Yeah.

PAUL ROBERTS
Have they - did they - since figured that out? And is that not something you can get away with doing anymore?

JOHN JACKSON
I feel like I've gotten good enough at source code review that I don't have to rely on that. I could just clone it down and look for secrets myself. And to be honest with you, as you saw what the Indian government hacks, I didn't necessarily go through GitHub repositories for that.
We were finding these GitHub repositories attached to the web application.

PAUL ROBERTS
So talk about the Indian government hack. This was around two years today actually, or right, right around the second anniversary of that report coming out. How did you get turned on to the Indian government's responsible vulnerability disclosure program and decide to start poking around inside these Indian government applications and services? 

JOHN JACKSON
Sure. Yeah. So the funny thing about that was if you look at all of the organizations that are sub-organizations of the Indian government that we looked at I wanna say the majority of these were out of scope, actually. Which we didn't realize until way after, but that's just because of how their program was organized.
But we picked it because we just were looking at- I think, it might have been CISA that had a list of VDP programs somewhere. Nowadays, they're all over the place. You just Google VDP and you'll find them. But it was like a GitHub repository and I think Indian government was in there.
And we were like, you know what, let's just take a look at that. And we hopped in there started taking a look at some of their assets, right? 'Cause it looked like and this was... I can't fully blame them, but the scope was very hazy. So it, it really seemed like it was all of Indian government, which made sense, right?
Because if they wanna identify problems...

PAUL ROBERTS
Why pick your targets? Let the hackers pick your target. 

JOHN JACKSON
Exactly, so it seemed pretty good. So we just sat down and just started doing enumeration on it. And Jackson Henry and Zultan Holder at the time, started doing some domain scanning and fuzzing and found a couple of exposed Git directories, and then at that point we knew there was gonna be a lot of vulnerabilities, so we just started going in, on a weekend.

PAUL ROBERTS
We should probably talk about some of the other folks you did this work with, members of Sakura Samurai at the time, and again, like the group's defunct now, and these folks have gone their own way. But I thought of you guys as like the Avengers. You had like different people with different like superpowers, but who are some of the other people you worked with and what were they bringing to the table?

JOHN JACKSON
Sure. So yeah, there was Robert Willis and he is a government hacker, so it made sense to bring him on for this. And there was Aubrey Cottle at the time who is now a fugitive, I believe.

PAUL ROBERTS
Fugitive from justice. Yep, ties to the Anonymous Group going back there.

JOHN JACKSON
Correct. So he was considered a founding member of Anonymous, although obviously I can't validate...

PAUL ROBERTS
OG. Yeah. It's hard to know, but...

JOHN JACKSON
Yeah I'd say, if anything, probably like an OG, Anonymous person back in the day. And honestly we were just trying to clean up his skillset and get him more on the white hat side of things.
But we had our differences. We split off. And then from there on out, everyone just got busy and split and went their own way. We all started getting our own little contracting gigs and doing our own research.

PAUL ROBERTS
No shortage of work, right? 

JOHN JACKSON
No, definitely not. 

PAUL ROBERTS
And so you talk about like fuzzing, these domains, there are tooling that you can use to automate that, do that for you. But the, basically you're looking at these Indian government or government agency domains and you're basically just looking for sub-domains, many of which have like applications attached to them, right?
And then poking around in those.

JOHN JACKSON
Yeah, absolutely. I think in retrospect, just going back two years and just comparing kind of my workflow from then to now a lot of my workflow for web application hacking remains the same. Although I have to say, when it comes to like automation and looking for specific things I'm interested in, I've probably gotten light years better at that.
Like for instance, all of these vulnerabilities were found through sub-domain enumeration with different sub-domain finding tools and then fuzzing with things like dirsearch and whatnot. And then using like nuclei and using templates. That was years ago, like two years ago. So there's, I wanna say thousands more nuclei templates now than there were two years ago.
Maybe hundreds. Maybe it's an overstatement. 

PAUL ROBERTS
And how do those facilitate the work? How do they speed things along?

JOHN JACKSON
A lot of those requests in nuclei, for instance, have default credential modules, right? Where it'll go through and it'll fingerprint certain technologies, and then if it finds a login portal, it'll attempt to log in with default credentials. There's ones that look for default files that have PII. There's ones that look for headers that indicate that there might be SQL injection and all of that kind of stuff gives you a good footprint. I think now though, my manual methodology over the past two years have definitely probably scaled a hundred times better than they were. So I think if I were like, let's say I were to look at the Indian government again and go through and use all kind of the same tooling and the automating tooling, and automated tooling brings up nothing, I'm gonna breach them no matter what. Because there's just so many things that you can test manually with parameters and lack of sanitization and all that kind of stuff and even the technologies that they use that have exploits developed.
But there's no nuclei template. There's no fuzzing methodology or port scanning methodology that's gonna help you find that. But just knowing what I know it now, and using my manual methodology, I'd be able to identify it.

PAUL ROBERTS
So GitGuardian, actually back a couple years ago, did a really good writeup of this and talked about and Sakura Samurai, did a, I think 35 page report for the Indian government describing your findings. But among the things that they documented, 35 separate instances of exposed credential pairs.
Three instances of sensitive file disclosure, five exposed private keys. Key pairs and something like 13,000 records containing personally identifiable information. Yeah, that's a pretty good haul, and that's not all of it. Where did you find this stuff and what, to the best of your knowledge, explains why this stuff was exposed in the first place?

JOHN JACKSON
Sure. So yeah, I- finding this stuff was like .git files, .environmental files for Laravel, which is pretty common. It's overlooked a lot especially like a debug console and stuff like that where you can potentially get account takeover, DB passwords, what else? if you really look at it, a lot of it, or most of it was development resources. So yeah, looking at it cause I'm actually looking at the page now because it's been two years, right? So I'm also reviewing myself and being like, oh yeah, what else did we find?
It's funny 'cause when I look at this, I think back to how out of all of these credentials, some of them were on the internal subnet, meaning you couldn't like remotely get into the service, for instance, right? You would have to be on the network, which is still an issue. Some of them were remote that you could get into remotely if you wanted to.
But looking back and knowing all of the things I've done with red teaming and hacking now, these internal credentials would be absolute gold for me. I would go through, I'd cred spray them to try to access other things depending on what type of credential it is. And then the other thing too is like for instance, that server that we got on the financial server, I was just running commands, but honestly I would've probably just shelled it and then looked at the internal subnet to see if it's connected to an active directory environment and gather secrets from there and try to pivot like, there was some windows-

PAUL ROBERTS
The domain controller... 

JOHN JACKSON
Absolutely. I would say based on that deployment, it was probably unlikely. But there were definitely Windows boxes on that network that were just as exposed . And if we got on one of those windows boxes, I would've just dropped a Cobalt Strike beacon and just literally went in.

PAUL ROBERTS
Talk about some of the government agencies and applications. You mentioned there was a finance application, like what types of things did you discover? I know there was a police station I think, where you just early on in the sort of reconnaissance, just stumbled on a whole bunch of sensitive, investigative files and stuff like that.

JOHN JACKSON
Sure. Yeah, my take on that, is it was like a trick shot game of like horse, like on the basketball court. Everyone was just going through and just demonstrating what they can do. Which was really funny. I know it sounds ridiculous, but that's how I look at it.
And that's, we were all laughing 'cause that's what it seemed like. But the police reports, for instance-

PAUL ROBERTS
No hands, nothing but net. 

JOHN JACKSON
Right.
Yeah, that was the Satara Police Department, if I'm saying that correctly, and Robert Willis found that, that was crazy because those police reports were just like domestic violence claims and like all sorts of stuff.
I can't even tell you what it was a hundred percent, but it was like forensic data and yeah, that should not have been just hanging out in a slash files directory. What else? Going through the PII exposed that Jackson found and stuff like credentials for a Corona database. You're talking medical data. That's not great. I think he even found like school data. At some point we could see data where it talked about who had clean drinking water and who didn't which is just absolutely mind boggling. And then the financial server was, that was really interesting 'cause it was like their entire government of CORs, local self-government like self servicing portal.
But we were in admin, right? So we can go in and just start submitting finances and tampering with like federal or I guess they would consider that state government related stuff, which was just, yeah, that wouldn't have, that wouldn't have been good. And then what else did we have? And then I guess Aubrey Cottle chained.
I wouldn't call it chained back in the day, I would've thought it was a chain. But nowadays, really, he just reused session, local cookie to get into the application. But we didn't really even need to do that 'cause I had remote code execution, so we could have just taken the admin credentials for the portal and logged in, which is ultimately what we ended up doing.

PAUL ROBERTS
Yeah. Cause you had a couple other flaws that you discovered in these applications.

JOHN JACKSON
Yeah, there was a lot there. And the thing is, two years ago, I wouldn't have considered myself a red teamer. I would've considered myself more of a researcher and a hunter. But with all of this stuff that we found, the attack chains that we could have made, especially if we were a state actor, that really wanted to exploit the Indian government, we really could have changed some gnarly stuff together.
And I think that's what happened when, I forget which APT group it was, but they tampered with the power grid, if you remember that.

PAUL ROBERTS
I do. Yeah.

JOHN JACKSON
Yeah. The funny thing about that is we found that server

PAUL ROBERTS
Which one? There? There have been so many reports like that. Are you talking in the US or in India?

JOHN JACKSON
In India specifically, I hold-

PAUL ROBERTS
There was a similar report about the US, but Oh yeah. Okay. Yeah.

JOHN JACKSON
Yeah, they attributed it to China. That was March of 2021. So think about that for a second. Our report was when, February of 2021?

PAUL ROBERTS
Yeah.

JOHN JACKSON
China was threatening India to, to black out their power in March of 2021. And I think they did black out parts of their power either within a week of that or a few weeks after they threatened them, somewhere around there. Yep. In April, actually a co couple months about a month after they targeted the power grid, and we actually reported that to them. And I can't exactly say who, but when I was on a call with one of the really, let's just say really high ranking people that has control over cyber related stuff for the Indian government, I actually ended up having a call with them.
I actually told him, I was like, hey man, I think there's Chinese web shells on one of your servers that has to do with the power grid. 

PAUL ROBERTS
You saw those in your recon?

JOHN JACKSON
We did. Yeah. And the thing was, we actually got into that server. We got remote code execution on that server at some other point.
And I was looking at that and I was thinking to myself, I'm like, hey, huh, this host name is really suspicious. It's got something to do with like power, right? And I saw what looked like a China chopper web shell. That's what I'm assuming it was. I really couldn't tell. It was written in Mandarin, I think. So I just, yeah, I was not able to deduce exactly the logic behind it, but it was highly encoded.
They were encrypting it. First of all, they didn't even need to do all that because there was, there, it's not like there was AV on this Linux server. I mean we were on it with a very basic exploit, so yeah. When I reported that, basically I was told that attribution can be faked by anyone, which is technically true.
However, I think one of the forensic firms did a post-op and discovered that, yeah, it was one of the APT groups.

PAUL ROBERTS
Kind of Occam's razor, right? Like the simplest explanation's usually the correct one.

JOHN JACKSON
I warned them though, and I did tell them that they need to get on top of securing that like immediately because there was a good chance that it was gonna be abused. And I think what happened is probably whoever had access to that server or had access to other power servers, when they saw that we started helping them fix stuff, they were like, okay, it's now or-

PAUL ROBERTS
Time to move.

JOHN JACKSON
Our access is gonna be burned.

PAUL ROBERTS
What was the response to the Indian government when you approached them with all of your findings? You were, like you said, there was a lot you could have done given the access that you had, but that you didn't do because you were working as part of this Responsible Disclosure Program and you weren't there to maximize your control over the environment.

JOHN JACKSON
I think initially we, we sent in the report that we wrote via proton. And I don't think I even went under my real name 'cause I was just so nervous. We were all this is... what did we do? You know what I mean? It was like a dog that destroyed a couch, we're like looking back at it and we're like...

PAUL ROBERTS
Sorry.

JOHN JACKSON
Fluff everywhere.
And we wrote up this report and we're like, oh my God. This is, I don't know, this is astronomical, right? We need to like, probably not disclose under our real names at first and feel out the waters, test the waters. And we did that and they were just received or something like that.
Basically like a one sentence kind of thing. And we were like what's going on? What do you think? This is like a 34 page report. And yeah, then we just didn't hear back from them at all. And then we were just thinking about the attack surface and we were like, we have to do something.
We have to talk to somebody because this is just, if we don't get attention to this and get the right people looking at this right now it might end up really bad, right? Because we don't know who else is on these servers, they might try to use their access and beat us to it. All that type of thing.

PAUL ROBERTS
So you reached out not anonymously and engaged with them.

JOHN JACKSON
I think at that point, that's when we ended up disclosing on Twitter, I think. Like not a full disclosure right? 
We didn't want to tell anybody what exactly it was that we found and where, we just gave a very brief synopsis of the type of stuff we were finding.
And then I contacted or reached out to DC3 because someone said they had a connect over there. And yeah, DC3 was really on top of it. And they were like, hey, we're gonna, we can bridge this gap in communication. And I think they established a line of email communication with them as well as posted that thing on Twitter saying, yeah, we want to help our partners. Right?

PAUL ROBERTS
Yeah, absolutely. Indian government, US government, work closely on a lot of things, so yeah.

JOHN JACKSON
Yeah. So that's the gist of it. I don't think they were ungrateful in any extent. I think they were so used- and I hate to say it if they ever if they ever listen to this is just the truth. But I think they're just so used to ignoring researchers,

PAUL ROBERTS
Yeah.

JOHN JACKSON
That they, that's just how they were gonna handle it.

PAUL ROBERTS
Just stick it on the shelf.

JOHN JACKSON
But that wasn't the case. Yeah. Because we obviously had the people behind us to really help.

PAUL ROBERTS
Did they address the issues as far as you can tell, at least the ones that you found?

JOHN JACKSON
I think at some point, they did tell me to recheck and I started rechecking and yeah, they were resolving all of the critical issues, which was pretty good. But I think the concerning part, if I had to really even think about it today, or just government in general, is this was less than 24 hours of us doing what we do.

PAUL ROBERTS
Tripping over the bodies, as they say.

JOHN JACKSON
Yeah, in longer engagements, like when I think about my day-to-day, some of the red teams that, that I've done have been up till six months. Imagine spending six months looking for a foothold on a government. I promise you, you do it.

PAUL ROBERTS
You know what's really interesting about reading this is, first of all, it's very similar. You, Sakura Samurai also did some work on I think a UN agency website. Similar type of approach. It also really reminds me of reading Sam Curry's recent stuff on his forays into automotive systems, automotive and telematics.
Applications, very similar approach, right? Like scanning for the sub-domains, poking around, finding, for Mercedes you found a whole bunch of GitHub repositories exposed, whole bunch of credentials in those, got access to their internal slack. It was just like, it was like, buda-buda- boom, and it's just the same MO like this is how you're gonna get hacked. And yet, and of course, these automotive companies are, by and large Fortune 500 companies. They've got huge assets and obviously security minded. And yet still so vulnerable on this on this attack vector.
Like what, why is that, and, what can these organizations do to wrap their head around this exposure that they have?

JOHN JACKSON
I've thought about that and I think there's a couple of components at play. That make it a little more complex. Like for one, how much revenue do you want to trade? Number one, like what is your acceptable threshold for revenue lost? And I know that sounds weird, but it's like companies, they push out these products really quickly.
Especially when you're talking about, I think you were talking about like automakers, right? Non-standard devices. And when I say non-standard, I don't mean it's not normally connected to the internet, but security is more lax in my opinion-

PAUL ROBERTS
It does not look like a laptop desktop computer or a server, right?

JOHN JACKSON
Like I, I obviously when you think hacking, everyone just automatically jumps to like websites and servers.
I think there's been a lot of work over the past years on things like medical devices and, as you saw what John Deere tractors and all sorts of stuff like that, hardware hacking has been a thing for a while, but the exposure of specific hardware and components, right?
Like cars for instance. When you think about a car, right? That has all this stuff, Bluetooth, it's got, it's Bluetooth internet connection. I'm no auto hacking expert, so I couldn't possibly go over everything, but it's like Tesla. Tesla makes API calls to an application, right?
Where you could turn your car on and off and do all sorts of stuff like that. It's got a USB plugin thing and that's just like one example. And then there's radio type of hacking and spoofing, right? RF hacking. That relates to cars. And then you think about all the really non-standard devices, right?
Like who needs a wifi air fryer? I don't know, but it exists, right? NSA released like a, it might have been either the NSA or Rob Joyce that was like, hey, you don't need a wifi connected air fryer. And I just thought about that okay, what can you do? Can you turn the temperature up? Can you leave it on all night?
You know what I mean? These are weird kind of considerations. And I think companies, they need to think about what their product does and think about what the worst possible scenario is, right? So if they're an automaker, is your car autonomous? Yes. Okay. So how is it performing these autonomous functions?
Are there any controls that are internet connected? That's like the number one thing they should think about. Because if a hacker hijacks that and takes it over and crashes someone, right? That's huge. So that's one kind of aspect there, right? And then the, you know, so considering what the product does, it's like air fryer.
Okay, what can you do over wifi? You can heat it up. Is there an auto safe or safe fail, right? If it's left on for X amount of minutes, for instance, right? Like maybe you turn the temperature up to whatever it preheats to that, is there some sort of auto shutoff function if it's not being used for X amount of hours or minutes or whatever.
Is there a fail safe that you could even set if you want to be able to interact with that type of application? Fridges that lock over Internet, which sounds crazy, but it exists, right? Is there an override? There's things that you need to think about when it comes to these devices and it's look, if you wanna secure yourself as a company, you need to be willing to trade the profit to go through, and hire people to try to hack your application. You need to hire good developers. 'Cause I think one of the things you asked me earlier that I forgot to answer or mention was about like what I, why I thought the Indian government was so secure. What they were, what the developers were doing. The developers are not properly going through the access control process server side to restrict those directories, right? And that's something simple that can save a company millions of dollars or make a company lose a lot.

PAUL ROBERTS
Yeah. Yeah. And it seems like it's incredibly common that isn't part of the, development and release process.

JOHN JACKSON
And yeah, it's not, so I think part of that is hiring secure devs. If I had to wrap it up. Part of that is ensuring that you know what your product does and how to secure it. First of all, you don't have to secure it like that if you don't build it like that. Does your air fryer need Wi-Fi?
No, problem solved.

PAUL ROBERTS
Yeah, exactly. One question might be, these are publicly exposed applications, for a reason. They're, maybe trying to in the case of the automotive applications, they've got suppliers or customers that they want to give access to, features and data and so on. Indian government obviously is serving citizens and businesses, so these need to be public facing.
But it seems like there are steps that these organizations should be taking to harden the application so that you're not able to flip into developer mode and lo and behold, stumble on a whole bunch of credentials or, references to repositories that lead you on your way as a red teamer or malicious actor.
Are there things like simple things that they could be doing to harden these applications prior to, unveiling them that they just aren't doing?

JOHN JACKSON
Yeah, absolutely. It depends if they're government or private, but for one, vulnerability disclosure programs have always been something good. 

PAUL ROBERTS
Wisdom of the crowd. 

JOHN JACKSON
Yeah, even if you gather your own kind of, team of hackers, which is what I found out the Japanese government does, for instance.
You know what I mean? They don't do a lot of vulnerability disclosure programs. Instead they'll have hackers that they trust come and take a look at it, right? Which is the same concept. And obviously I can't speak for all of government, but that's just one example. The other thing too is simple things they can do besides hiring hackers or hiring firms, right? If budget is tight, is to probably just work near to far, is what I call it. Focusing on what is really easily accessible and critical. And then way back, right? Is it absolutely necessary for you to blow all of your money on hardening some internal software that you're using? No. Is it necessary to secure it? Yes. Probably. But you should probably focus on externally facing assets first and work your way inward. And the other thing too is multi-layered security is huge to stop these attacks, right? Okay. You have to map out and plan the different attack vectors and who you're lacking as far as like secure coding or certain security aspects go. Like for instance, one aspect of security is [00:31:00] endpoint detection and response. If you have an EDR team and you're deploying agents to the different hosts Windows and Linux within the environment to monitor with security rules.
If I had gotten remote code execution on that Corliss server, and then it threw up a flag in EDR. Or I, or they had something like Tripwire, for instance for SIEM, and they saw that, I'm writing a file or whatever the case may be. Maybe it could make a difference, right? Maybe it could have stopped me from going any further.
The other thing too is let's say they're weak at having secure coders that can restrict things on the file on the server side, right? To restrict like directories or something like that. Okay what is their multi-layered approach look like, right? What's gonna prevent me from accessing that remote server?
Because the thing is, if I found credentials and it says the remote host is X IP address, but I try to connect to it and it requires a private key and a password, that just foiled that attempt.

PAUL ROBERTS
You're gonna look for something easier.

JOHN JACKSON
Server... so it's like the little things too. Definitely starting with the low hanging fruit that literally takes a couple minutes worth of changes and pushing those changes out.
And then working your way back to that multi-layered EDR, SIEM, firewall, web application firewalls, right? CloudFlare, like I can't sit there and scan. Nor do I want to scan a load balancer for instance, you know what I mean? That doesn't make any sense. I'm gonna look for all of the hosts that don't have a WAF stood up in front of it first, because if it has a web application firewall and I can't see the real IP, then pretty much all of my hacks have to go through that web application.
I'm not gonna be able to just SSH to the server, for instance, or FTP into the server. So these are basics that I feel like everyone knows about, but they're low cost solutions because you could have your people that are already employed there just when they're deploying the code, like implementing small code or infrastructure reviews.
You don't even need to be a hacker. Like just take a look at the ports. Can you see the FTP port? Yes. Does it have anonymous login? Yes. Okay. Maybe we should change that right.

PAUL ROBERTS
And final question on the secrets question in particular. Cause again, you uncovered so many credentials and other, private keys and so on. Anything development organizations, development teams should be thinking about before they just lard up their code with hard coded secrets.

JOHN JACKSON
Absolutely. They should use, and this sucks given all the recent events, right? How we're learning that vaults that store credentials are also vulnerable. Credential managers like, I think for GitHub there's Vault. For instance, that's what it's called. I'm not really Devs/DevSecOps, if that's the team that would manage secrets, but there's Puppet and stuff like that. Yeah, those should be enforced heavily within an organization, right? There needs to be internal tooling for source code review, and there needs to be multiple layers of failure, right? You shouldn't just give developers unlimited access to push to production without having a review, for instance. That's one layer, right? A manual review from another human. The other layer is automated scanning tools to look for these credentials. Things like GitGuardian, I know has GitGuardian Enterprise or something, right?
Where it can proactively look for credentials and then implementing ways for your developers to store these credentials in a vault, that the code can reference in a way where if I get access to your code internally or externally, unless I pivot into that vault, which isn't impossible by the way, that's another story, but I can't just automatically access it, for instance.

PAUL ROBERTS
John, is there anything that I should have asked you about that I didn't, or anything you wanted to say that I didn't give you a chance to say?

JOHN JACKSON
Honestly we reviewed a lot. But I would say overall when it comes to these entities I personally found that over the years I've shifted more into developing my own exploits and looking for ways that I can make money and highlight my skills and get private contracts and all sorts of stuff like that.
And I think new hackers and organizations alike should just be aware that the attack surface has just increased astronomically. So I'm not the type of person anymore, I think, to really just look at LastPass for instance, or look at any of these companies and be like, "Oh, you're stupid. You're dumb."
Or whatever, right? Because if you spend enough time on any organization, you're gonna get in, like you are gonna get in, or you're gonna get hacked, gonna get embarrassed, and it is what it is. So if you're in an organization, you just have to understand, like, reputational management and acknowledging it first and foremost, because the more you just deny the hack, the more people, or users, clients, whatever, lose faith in your product. Lose faith in the security, and your shareholders lose faith in you. And it just looks bad. Like you just got to accept it. Be like, look, we were breached. This is what happened. And I think they're starting to do that. LastPass admitted it, right? I'm not happy with it. Because it's just, it's one of those things, it's look, we all knew this was gonna happen eventually. But the reality is hackers nowadays can develop exploits for literally anything. So I don't think blue teamers should be too hard on themselves about that.
And as long as you're proactively, just like continuously looking to see if your organization is vulnerable against new exploits, hiring pen testers, doing everything you possibly can to implement multiple layers, I think you'll be in a good place. And new hackers shouldn't be so gung-ho to help private organizations for free.
For instance, like companies they lose millions of dollars when they get hacked. Even a simple thing like a website, one website deface of a company can end up losing them millions of dollars in stock. So they can, so they could pay hackers, they could pay hackers twenty grand for a remote code execution.

PAUL ROBERTS
Okay. Speaking of that, did you guys get any money for your work with the Indian government?

JOHN JACKSON
No. But we accepted that and we knew that was part of it. And with government, that's, I think that's why I liked doing government hacking so much is because with government hacking, it's like you get what you get and know what you're gonna get, so you go in there, you try to help them, they're usually really thankful for it, and then you get it fixed, and you made the world a little bit safer, which I like.

PAUL ROBERTS
Yeah. It's farcical actually to even think about that, but it's incredibly common that these, incredibly affluent companies, that are incredibly reliant on this technology. You don't offer bug bounties for their publicly facing systems, it's-

JOHN JACKSON
You remember Ford, that was a VDP. That wasn't even a bug bounty, that was a VDP and we were trying to help them for free. To this day, that report has never been publicly released.

PAUL ROBERTS
That right? Yeah.

JOHN JACKSON
Yeah, you can't find that public. Like I, we publicly released it, but you can't find that on HackerOne for instance.
And that's just an example. And like these intermediaries, that's a whole other conversation, bug bounty platforms. But the intermediaries, the platforms, are not helping between hackers and researchers. And I think that's because they're very scared to lose the client. Because the client's paying the money to run a program. So there's a lot of collusion there, if you think about it.
I know people like Casey Ellis would be like, "No, you don't understand. We try to do what we can." But I agree. I think it depends on the platform and the program, but at the same time, I don't think it's that cut and dry. And I think a lot of people get abused in this situation, especially like hackers that live in poor countries. They have it the worst. 

PAUL ROBERTS
Absolutely. Absolutely. Yeah, because they're not really in a-

JOHN JACKSON
They're hoping to eat. They're hoping to eat and they're waiting for that bounty- and that's the reality.

PAUL ROBERTS
That's often what's going on. You're right. I was writing about, I can't remember ex- it was like somebody else who was doing like, application research also on automotive, who was saying like, basically the same thing. I found all this stuff. It's, I'm happy to report it to you, but I'm not gonna just keep giving it to you. This is a lot of my time and effort and you guys can pay-

JOHN JACKSON
That's the other problem, because you can't, you also can't dangle vulnerabilities in front of companies and be like, hey, I found this crazy exploit, but you should pay me money, right, that's extortion.

PAUL ROBERTS
Eaton Zveare is the guy I'm talking about. 

JOHN JACKSON
There's just, there's no protection laws there. And it's pretty awful for researchers. 

PAUL ROBERTS
And it's also, the other problem is that the, there is no incentive for companies to do this beyond their own, perception of their own risk and desire to protect their own assets and so on their reputation. But nobody's got a gun to their head to say you better be hiring people to crawl over your stuff so that they find the stuff.

JOHN JACKSON
Well, it depends on the, it depends on the sector. Bug bounty in general, no. But yeah, obviously hacking related stuff like quarterly pen tests and stuff...

PAUL ROBERTS
Yeah. Depending. Yeah. Some sectors have that, finance. 
Broad swath of our economy, there is no, yeah.

JOHN JACKSON
In the broad sense, yeah, you don't, and they're like releasing applications that manage people's finances.
What the hell man? And the way they do it is they just integrate third party components so they offset that issue onto the third party, right? For instance, like if I want to take payments, I could technically use Stripe, right? And then whose fault is it if something happens to card data, Stripe. But what if I chain your vulnerable application to mess with Stripe? Do you see what I'm saying? There's ways that could be done and that's, that's one small example. Just chaining vulnerable application to get to, third party OAuth tokens to take over third party accounts, for instance, and then what? Right?
That's like a good example of that. And I think, yeah, like companies, they, the thing is like these breaches have gotten absolutely out of control. There's so many of them now, like it's, I feel every day at least three new breaches are announced, and it's actually, I don't even know, I think in five years every single piece of personal data that we have is gonna just be publicly available.

PAUL ROBERTS
Aren't we already there?

JOHN JACKSON
I- close. But I'm talking like everything about you just exposed.
So I think people are starting to not care anymore.
There's so many breaches, it's what makes this one so different, if you remember when we first started with Sakura Samurai. Like even before that, right? We were finding vulns in TCL NeoPets, of all places. And when you like look at that history, like even smaller things like Neopets, that was like rotating through news and going on YouTube and people were making videos about it. And nowadays it's like cybersecurity news and reporting. It's like "is this a new technique? Are millions of records exposed?"
Oh, you got remote code execution on a server and you prove that you could pivot to another server in the Active Directory. That's cool. Did you do anything malicious? No. Okay. Next. They don't like ethical research. It just doesn't, it does not hit like it used to. In terms of like vulnerabilities, I think it's more shifted towards vulnerable components. If you find zero days in products, that still resonates usually.

PAUL ROBERTS
John Jackson, thank you so much for coming on and speaking to us on ConversingLabs. It's been great talking to you.

JOHN JACKSON
Yeah. It's been a pleasure. Thanks, Paul.

About Author: Paul Roberts

Content Lead at ReversingLabs. Paul is a reporter, editor and industry analyst with 20 years’ experience covering the cybersecurity space. He is the founder and editor in chief at The Security Ledger, a cybersecurity news website. His writing about cyber security has appeared in publications including Forbes, The Christian Science Monitor, MIT Technology Review, The Economist Intelligence Unit, CIO Magazine, ZDNet and Fortune Small Business. He has appeared on NPR’s Marketplace Tech Report, KPCC AirTalk, Fox News Tech Take, Al Jazeera and The Oprah Show.