Inadvertent Adversary: Unwitting Foes in the Workplace


Inadvertent Adversary—Unwitting Foes in the Workplace: Detect ‘19 Series




Oh, so welcome to our talk.

You can probably guess what we're going to talk about today, but it's the most malicious actor that can ever be unleashed upon your company, which is your own employees.

So we'll just start with introductions.

So first off, Parthiban?


Hello, I am Parthiban.

So I work as a threat intel analyst with Anomali.

Prior to that, I worked as a security analyst in Microsoft and as, again, at Symantec as a Blue Team analyst in their MSS service.

That's about me.

RYAN ROBINSON: And I am Ryan Robinson.

I'm a security researcher at Anomali.

Again, if you look at my bio in the program, not much of a security background.

A sort of overview of what we're going to go through today is that security misconfiguration is the most popular way for your organization to get breached.

Again, if you go back to the keynote talks, Admiral Michael S. Rogers was talking about [INAUDIBLE] that is bad hygiene-- improper patching, security misconfigurations.

I'd probably argue that that's more than 90%.



That is just [INAUDIBLE].

But so really, you're your own worst enemy when it comes to [INAUDIBLE].

And it's in the OWASP Top 10, but I believe this is the most common.


RYAN ROBINSON: You know, even though it's not number one.

But so that's sort of our background.

We'll actually go through a case study of this in action.

There's some-- we posted a blog post a while ago [INAUDIBLE] looking at Confluence and Jira servers across the world, like, the sort of software-as-a-service ones.

They also-- there's on-prem ones, as well, exposed.

But yeah, people, just through simple misconfigurations, can expose some really, like, bad stuff-- even stuff that made the news.

And we'll sort of go through, at the end, that the configuration is the responsibility of the organization.

You know, it's a shared responsibility.

You can't just rely on the service provider themselves.

So posting stories like this in the news-- it's almost every single day there's an AWS [INAUDIBLE] misconfigured, stuff leaked.

There is United Nations accidentally exposed passwords, sensitive information.

This year, it was probably [INAUDIBLE] Google, NASA, hundreds of Fortune leaking data via misconfigured [INAUDIBLE] servers.

It wasn't Confluence, [INAUDIBLE].

But [INAUDIBLE] not even every week, every single day, there's a new story like this, because it's the most common way [INAUDIBLE].

So I'll sort of go into, sort of, the history of these sorts of products.

PARTHIBAN R.: Yeah, so let's talk about some of the tools and apps that we used before moving them to cloud.

So I mean, it's going to be a brief overview of the on-premise-based applications that we used.

So for example, if the apps and services were installed on-premise, basically, the enterprise will have the entire ownership of software, hardware, and the data.

So the enterprise is not going to save or store any of the data in the cloud like AWS buckets, or Dropbox, or anywhere else.

And there's zero third-party access.

So that is, again, saving the internal property documents or any data, even the company's customer data-- they are all on-premise, and access is heavily restricted.

I mean, everyone knows, I mean, the work-from-home or work-from-remote are so easy these days, but they are definitely very painful in the past-- even, like, I'm talking about 2014.

So that is my first company.

So all of the software that they used, it was all hosted on-premise.

Even the VoIP servers are hosted on-premise.

So you need to connect to VPN to access any single server outside the company's network.

So access is completely restricted.

So even if there is a misconfiguration inside the tools and software that you use, the exposure is limited.

I mean, inside the organization, not to the public.

And again, so if some of the tools were homegrown, tools can be customized as needed.

So for example, let's say if the tools that are provided by the software, they're not useful for that organization, they can build [INAUDIBLE], for example, in my previous-- one of my previous organizations, we built a tracking tool for threat-related activities.

So that's purposefully built for SIEM solutions.

So that was really useful, and they're all hosted on-premise.

And the best example that I can share for on-premise hosting is the SharePoint.

So everyone knows SharePoint is the intranet for the organization.

All the documents, like, merge-- all the sensitive information, meeting notes, et cetera, everything is stored on the SharePoint Server.

So that's basically a web server, or it's a go-to place for most of the employees.

Let's say all the KB articles, a new employee orientation-- everything is stored there.

And so this is one of the examples-- this is the tool that I used first in Symantec.

So this is HP services.

So this-- and the other one is SharePoint.

So I mean, this is a tool from 2014.

So I mean, when I used it, it was really slow, and it's impossible to scale when you need it.

And let's move-- let's move to the cloud or internet.

So when I talk about the cloud or internet, I'm specifically talking about the SaaS applications, so Software-as-a-Service. So the introduction of SaaS was around the late 1990s.

So that's when the era of SaaS began.

And the primary reason most of the companies are using this, because it is really easy to set up, and you can-- the company can get on its feet within days, maximum two weeks.

So they are good to go to on their productivity.

And scalability-- one of the most used examples for cloud-based software is that you can increase the storage or increase the processing capability when in need.

And so the scalability, again, comes [INAUDIBLE] users are increasing the cost.

And the SaaS-based apps are big on API.

So you can basically access data, whatever data that you're accessing in the UI, all of it can be accessed programmatically.

So you can build multiple-- I mean, you can merge multiple different APIs, and you can create your own different software and tools out of it.

I mean, the data can be manipulated in an easy way, which was not very easy in the on-premise hosted or the previous software that was proprietary software.

And ease of access.

So when you talk about ease of access, that's when-- for example, the best example I could give is the GSuite.

So you can start creating documents, and just one single link that you can shout out to your co-workers.

And you can basically see four or five people typing in the same document together.

And also, the bring-your-own-devices.

So I mean, you can basically access the GSuite from anywhere-- your phone, your laptop, home computer.

I mean, there is literally no restriction.

The maximum restriction that the company these days can give is the two-factor authentication.

That's the best they are doing these days.

And increased collaboration.

It's really easy to use the SaaS-based apps.

And when all the things are coming into SaaS, these days, even the SIEM solutions have started using cloud-based SIEM solutions.

So there is Splunk, and the recent ones are Google Backstory and Azure Sentinel.

So these are some of the new cloud-based SIEM solutions.

And basically, SaaS, you can get SaaS apps for almost all of your needs-- so from blogs, website, hosting, payroll.

I mean, I think these days, almost all the companies are using payroll as SaaS-based app.

For example, Workday paychecks, and for the reimbursements-- what is it called again?


PARTHIBAN R.: Certified.

So everything is SaaS-based.

So all these are actually showing more gateways to the companies' proprietary data.

So I mean, it just increases the revenue for risk.

So that's what the cloud-based apps are giving.

So these are some of the most commonly-used SaaS-based apps.

So here we are and in this presentation, we're going to take a brief look about the Atlassian Suite and the Google Suite in the upcoming slides.

RYAN ROBINSON: So last year, there was one day where we were trying to get into our own Jira, as it were.

And it turns out I was in an incognito tab.

And as I navigated to the URL, I realized that I could see the dashboard of our own Jira, even though I wasn't logged in.

So I thought, what's going on here?

I found out that the default settings to view the dashboard are actually open to anyone, whether you're logged in or not.

But in order to actually view tickets within that, we need to be logged in.

So it's able to stop you there.

But we thought, just, this could somewhat be quite bad.

So what we did one day was we went onto the Atlassian website to see what their customers were.

They've actually got [INAUDIBLE] slash customers.

And they even had a little thing you could flick through pages of all the most recent customers they had.

And all you needed to do was take that customer name, put it on top of their cloud domain, and navigate their link, and see what you can see.

And some of them, we noticed you can even see tickets now.

So that's when-- we actually left it for a bit.

And then, news came out that NASA had their Jira exposed.

And so we decided to come back and revisit this.

And this is where we came up with this case study, the "WorrisomeWiki," where we try to find out what the scope of this was.

So product management tools and information collaboration workspaces are, essentially, hugely important for organizations even such as ours.

We have got offices in Colombia, United Kingdom, people right in the Middle East, you know?

They all need to collaborate across.

Again, to bring it back to the keynote that Michael S. Rogers said.

He says the amount of access points is now so vast, and it's just for the need of convenience.

But the thing is, the wider you make this, the wider the attack surface.

It's a bit like having soccer nets.

The wider you make it, the easier it is for someone to score.

So yeah, so again, the two we're going to look at now are Confluence and Jira.

So an overview of both of them.

Jira is a product management, issue-tracking software.

According to their own website, there's around 65,000 customers.

And the way it works is that you create projects and you make tickets or issues [INAUDIBLE], and you can assign these tickets to people, and then they can get them done, so that people can collaborate on it.

And Confluence, it's a document collaboration thing-- so like a Wikipedia-style thing.

It's like an internal Wikipedia for your own company.

So knowledge base-- anyone, really, new can come in.

There'll be onboarding stuff, stuff to set up accounts, and even general information about the company.

According to their website when we last checked it, there's around 35,000 customers.

So the way that we went about trying to collect different sites was, we know we know the cloud domain, which is

And there are certain URLs that you can use to navigate to Jira, certain URLs that you can use to navigate to Confluence.

So the first one we did was just domain name permutation.

And what [INAUDIBLE] a really crude way of doing it is think of a company name, and just try to stick it on top of the domain to see if it's there.

And you'd be surprised how effective this is.

So that's what I have there. This here, they don't actually have this on the website at the moment, but if you went to the customer page, there's a widget.

And I know that the resolution's no good there, but you could filter what type of organization you want, what industry they're in.

And just all their logos and names are there.

And all you need to do is flick through all these pages.

Maybe take a few of these and just stick them on the tray.

And obviously, since these are our customers, these would actually hit.

Another funny one I've done was I went to the RSA 2019 founders' list, and seeing them, you have a couple thousand vendors, if that.

You just grab all their names from that and start sticking them on.

And you'll be really surprised how many security companies that I had [INAUDIBLE].

But anyway, we'll get to this sort of [INAUDIBLE] stuff later.

So Google Dork was another one which is a screenshot on the bottom left-hand corner here.

What is quite easy to do if you use the advanced search queries, since if it's open and it's been linked somewhere, the possibilities are that Google's indexing spiders went through and actually indexed that web page.

So an easy way, then-- why do I need to go through and do half this stuff if Google's already crawled it for me?

Just Google it.

You'll find all these open issues.

Another one is Internet Census.

So if anyone here uses Shodan or Censys, they actually have search filters where they identify the product type that's been served back to them.

So you can just set, OK, I want all stuff, port 4448, it's served back a [INAUDIBLE] web page.

Probably the one that got us the most results is using a Farsight DNSDB.

All you do is you'll just give a wild card, and then the subdomain, and you'd get thousands of results [INAUDIBLE].

PARTHIBAN R.: So for example, Shodan and Censys, they basically index servers that are-- so if the server is using Jira, they actually have a tag called Jira.

So you can easily filter out what server they are using.

So I mean, if you want to look for what is the server that is running on-- what software is running on a server, you can easily filter, if it's Apache, the same way Jira can be indexed in Shodan as well as Censys.

So that's very easy to filter out the companies that are using Jira.

RYAN ROBINSON: So actually, some of the results that we would get, especially in Google Dorks and Censys, you would actually get some people hosting their own on-prem versions of these products as well.


RYAN ROBINSON: But of course, we just tried to stick to the SaaS solutions.

So how do we filter it?

Well, here.

So the way that we tried to filter it was by just the [INAUDIBLE] was [INAUDIBLE] not used by HTTP status code responses.

So there's, like I said at the start, where you can go to a dashboard.

That is one URL.

But if you actually want to see if there's any projects open with viewable tickets, you can go to a different URL.

So we find-- actually, that this is not an exhaustive list.

This is just where we stopped collecting.

We wanted to get a blog post in.

So we stopped when we collected 53,000.

That means we could have just kept going to try to find more, but it would be a never-ending sort of thing.

But with open dashboards, we found about 23,000-odd, which is probably not surprising since that appears to be the default setting.

But of those ones with open dashboards, stuff with public access, there's about 706 we had there.

It might possibly be more or less.

There's some weird things to [INAUDIBLE].

There's a lot of these things that are open source projects, and so we're kind of intending for these to be open.

And in a lot of cases, we try to filter these out, just to see what was not meant to be left out but was.

And for Confluence, with Public Spaces, there's almost 4,000 there.

And so when we had these domains, if we got a successful status code response, obviously, you would see something like this, but you would get one of the 200 codes.

If it had been set that you need to be logged in to the company, you get a 300 status code which would redirect you to a login page, which you would see down here.

And so that's how the basic filtering worked.

When it came to try filtering more stuff, there are some times where you get a successful status code, but then, maybe it wouldn't be [INAUDIBLE] on the page.

And quite a novel way we've done this is using a Selenium script to go and take a screenshot of the website.

If there's nothing on the page, the colors don't change much.

If you see, there's a lot of tickets here, lots of colors everywhere.

If there are fewer colors on the page, the file size is lower, compressed more.

So we were able to filter out those with a smaller image size in kilobytes and move them away.

So yes, we'll go through some risks of actually misconfiguring your things.

Again, if anybody has any anecdotes, [INAUDIBLE], don't be afraid to [INAUDIBLE].

Oh, I know this is bad.

So we'll go for a corporate espionage, credential exposure, phishing, reconnaissance, and GDPR.

So obviously, [INAUDIBLE] the first stage in the attack chain is reconnaissance.

There's a huge amount of information just on these sites.

And we're at a threat intelligence conference here.

All the information that you can gather to possibly use to inform your decision whether to attack something, that becomes intelligence.

So if you just give them access to all the information, the stuff that they can do with that is insane.

So you'll have a user picker that has all your employees in it.

Every single one will have their emails and all beside them.

You can work out their name, email, what department they work for, where they work, their hierarchy, where they're stationed, what language they speak-- many things.

There's stuff like customers.

So this screenshot here is quite a nice one.

It's really common for, especially, people that give services.

They would have a project for each one of their customers.

And it's really crazy.

If you're leaving your customer data exposed, it's insane.

I don't know if anyone here is Australian.

[INAUDIBLE] there.

That's a wee bit concerning, too?

So there's infrastructure as well.

We've seen a couple of things that lay out what assets they have, network diagrams, everything.

It's like why would I need to go through the trouble of trying to map out your infrastructure if you're just going to [INAUDIBLE].

And stuff like software-- so applications they're using, [INAUDIBLE] SaaS products.

If I see these, is there a way I can exploit these, some with version numbers on them?

Or are these non-patched, the vulnerable version?

There's so many pivotal points, it's hard to say.

Just there's everything in these, you know?

The most important thing I see in this, it can affect your clients, which, in some cases, could be worse.

So a really basic one.

I'll go first-- credential exposure.

Everyone knows why that is bad.

So we've seen so many instances of credentials just sitting out in the open.

If you think to yourself, how many times has someone needed access to something, and you just Slack them over the details, or they send it over in an email, just the password, out in the open-- the same people just chuck them in the tickets and in the Confluence pages.

It's really, really surprising.

They don't use any sort of secure methods whatsoever.

So the obvious thing is that if it's behind a password, it's probably sensitive for some reason.

So I can get access to sensitive information.

I can do lateral movement.

As you think, if I were to get into someone's email, VPN thing, I could also use that to stage further attacks, use it as a platform to go for someone else.

Again, it's the concept behind business email compromise.

If I can compromise someone's email in your company, I can use that email, which, because, obviously, you check the email.

It comes from the person sitting upstairs from me.

That's pretty [INAUDIBLE].

I can click on that, you know?

So yeah, oh, there was even an example, there's sometimes where you just come back to look at what people have [INAUDIBLE].

Because again, you come back, they always have new customers-- customers letting go.

There was-- I said quite a popular car company in Europe.

Some of you guys might have even driven this brand of car here today.

They left a password to their privacy training software open.

And it was the car company name followed by 2019.


You're kidding me.

Make it so easy for us?

So another easy one to go for is phishing.

So this is probably the most common way of attacking people, especially for APT-level stuff.

It's really effective.

And so it's, as I was talking about, you'll have the entire employee list exposed.

And you see-- if I can even see stuff like one person's email, say like first name, last name, or the email pattern, maybe use the first initial and the last name, even if I don't have the emails here, if I see all their names, I can probably infer what the email pattern is going to be, because I'll probably just take their first name, take their last name, and then append on the thing.

And I'd be able to send an email to them.

And some of these are connected to an Active Directory server.


RYAN ROBINSON: So what is probably, I was going to say the best thing about this.

The worst thing about this-- it depends what side you're sitting on here-- is that you can do more targeted phishing emails.

So I was talking about yesterday when we got a phishing email with malware sent to our feedback@anomali address.

You're probably going to be less likely to succeed if you send it to info@company, feedback@company.

You can send it to the point of need.

And also, what you can do is you can send something that's probably more relevant to them.

So these things that come back to your feedback address, it's probably something really generic, like something just basic-- just "enable macros" because we said so.

If you have information that you gathered during the reconnaissance stage, you can leverage that to socially engineer someone to actually convince them to open the email [INAUDIBLE].

And again, you don't have to care about lateral movement.

If you can just send it straight to the correct person whose machine that you need to get onto.

And what's also a big thing, especially on Confluence-- there's loads of documents they use, like internal documents that are on shared [INAUDIBLE] meeting notes, stuff internal, you know, [LAUGHS] "do not share," "confidential"-- a lot of these things.

So if someone sends you something that's a confidential doc, internal, you're going to be, oh, yeah, they're there in the company, [INAUDIBLE].

But these things can be weaponized quite easily.

There's builders that people can use.

They can just add macros on [INAUDIBLE].

And so there's just, I would say, a plethora of stuff that you can use to actually phish people with.

Now, there's corporate espionage.

And so the thing about this is that if you think that your corporate competitors are not doing intelligence on you guys, you're wrong.

Everyone's doing-- maybe they've set up Slack channels specifically about your company to talk about you.

They read your blog posts.

They watch your seminars.

They'll try to see any product demos you're doing.

Because again, intelligence [INAUDIBLE], knowledge is power.

So maybe someone who's not an APT actor but, say, someone that's just your competitor is able to also use this information against you.

So again, there's people, even [INAUDIBLE] meeting notes.

We've seen stuff like campaigns, like-- marketing campaigns, well, we're going to do this in the future, and they're building up logos and stuff for it before stuff is even announced.

PARTHIBAN R.: Public, yeah.

RYAN ROBINSON: Before stuff's even public, you're able to find out about it.


So if there's any innovation you've maybe stuck in these, they can find out about that.

Any tactics you're organizing yourself-- as you should be in these collaboration softwares; you're going to organize yourself-- and tactics.

They'll be able to find out.

One of them, we found a Fortune 500 company that were talking about acquisition negotiations in the [INAUDIBLE].

And that's hugely important to them.

Is there some information that could go there that the other team could use to either leverage to get more money during the acquisition, or some of them might devalue the company thing.

That's really insane.

And so we found a couple of instances of code, and we found a major defense contractor had left code out for military drone testing software.

So, yeah.

And there was no one-- there was-- one that we found quite humorous was a [INAUDIBLE] security product that possibly quite a few of you guys in the room would use, the source code that was left out.

So no need to buy it.

You can just get the source code and deploy it yourself.

So really, really crazy, you know?

So yes, and another one is GDPR.

So for those people that either are based within the European Union or people that handled data of European Union citizens, as we were reading through the legislation, it's very, very long and boring.

You have to go through many articles and paragraphs.

But if you're letting out sensitive information, especially of your clients, we believe, as we read, it could fall within the scope-- there are higher brackets of fines, but we believe it falls within this bracket here, the 10 million euro fine, or a certain percentage, whichever is higher.

I forget what the percentage is-- just whichever is higher.

So the EU will try to sting you.

PARTHIBAN R.: Global annual turnover.

RYAN ROBINSON: Global annual turnover.


RYAN ROBINSON: Again, you've seen was it Google and Facebook getting fines slapped upon them.

So that can happen to you.

These guys aren't playing about.

So it's very, very dangerous.

If anyone else has, again, any consequence of leaving this stuff open, there's almost too much to go through.

But ways to [INAUDIBLE] this we came up with is that there's multiple ways you can manage permissions and restrictions.

And we kind of feel bad for some of these guys because there's actually multiple ways that it can be leaked.

It's kind of a complicated software to use a lot [INAUDIBLE], Atlassian Suite.

But the way you do it is that you don't assign permissions to individual people.

You have like a permission, and you will assign a group to allow them to do that permission.

And so this is [INAUDIBLE] they're saying called "anyone".

And so that can be open to interpretation, but this "anyone" actually means just "anyone in the world." People might think, oh, "anyone," that means anyone within the company.

No, that means anyone in the world.

So if you have that set for a project that has sensitive stuff in it, you know you really need to turn that off now.

There's also another thing called permission schemes.

And so whilst there's global permissions that you can add groups to, you can apply a permission scheme to an individual project or space that can specify more individual stuff about, maybe, who can create tickets, who can [INAUDIBLE] comments or change component types.

So it's worth taking a look at that.

There's a thing that they-- is this recently they released this?



And so if you have this on, you're able to see all the actions that are taken in your [INAUDIBLE].

So if you examine your logs, see if there's any activity that shouldn't be there.

Oh, so you will have some nice screenshot now.

So this here is the audit logging here.

This here in the top left corner is for the global permissions-- so the permission, for instance, [INAUDIBLE] prize users and groups, like the User Picker.

If you have that, anyone [INAUDIBLE], take it off now because you don't want that.

And you have just permission schemes here, which can be applied to a project itself.

And again, you can add groups to that.

So if you want to, you remove that?

So, and other examples?


PARTHIBAN R.: So we'll talk about some other examples, like other collaboration tools that are popularly used.

So the first one is the Trello.

Trello is a task management tool that has been popularly used by a lot of organizations because it is really easy to use.

And many people use this as an alternative to sticky notes because you can share it with your team and it's free to use for a limited number of users.

So a lot of organizations are using that.

I think in 2018, there was a huge exposure of the Trello boards to the public.

I believe Krebs, he reported the story to the public last year.

So basically, a lot of customers, government, organizations, states, they were using it to store passwords and the Google document links.

So again, it is really easy to use those tools, but you need to be really careful because the only link that you need to access the document is-- you only need the link to access the document.

So they are using the Trello boards to paste the Google Doc links.

So anyone who has access to those links, they can view the internal documents.

And the most popular one is the Google GSuite.

The primary problem with this one is oversharing of documents via links.

That is the main problem here, and you can easily Google-- or you can browse all the documents in Google, or Bing, or any search engine.

So you just need to use Google Advanced Search or Google Dork.

If you want to find Google documents that have the keyword "private," you can just paste this into Google search.

You will get all the documents that are editable to the public, not only the organization.

So anyone can edit those documents.

So again, you can just replace it with any interesting words, as Ryan said-- private, confidential, meeting notes-- anything.

So this is an example screenshot for the Trello board.

So I think this is the exposure from a governmental organization in the US.

And this is the screenshot of the same search engine, this Google Docs, that I used.

So in this case, I just used "meeting notes" as an example.

So you can basically see the Angular.js meeting notes.

So sometimes, you will actually see meeting notes with their meeting recordings as well.

So their recordings are public.

So most of the companies, they use either Zoom or public, SaaS-based meeting software.

So all the recordings are stored in the cloud, so it's not inside the organization.

We'll talk about it in the future slides.

So these are some of the Google Dorks that you can use to find interesting documents.

So you can search all the different softwares that are provided by the Google GSuite.

So if you want to find spreadsheets, you can just use the same and just replace the product with "spreadsheets." Or if you want, I mean, these days, a lot of people use Google GSuite for surveys, Google Forms.

So the forms, the [INAUDIBLE] view analytics, is after the survey, you get to see the responses to your slides, your questions.

You can see them again.

The responses are the same as forms and spreadsheets, presentations.

You just need to replace the keyword to either confidential, private.

I mean, creativity is the limit, so you can just look for any documents that you want.

I mean, you can even replace the keyword to "company name" if you are trying to do recon on them.

Again, the other important thing is their Google Calendar.

Again, a lot of Google Calendars are exposed to public.

So if their calendar is set to Public, anyone can actually add their calendar to their own.

You just need a Google account to import this calendar into yours.

So recently, also recently, Google publicly acknowledged that there is a huge wave of spam that is spreading in Google Calendar.

So they are looking to address it.

So I mean, again, so whatever Google offers, you can use their own search engine to mine the data.

So you can just use the same Google Dork.

You just need a company email address to find out if there are any open calendars for the particular company.

So just replace the email address with the real email address, and if the calendar is open, you get to-- you can actually add them this way.

So if you find a public calendar, this is how, when you click the link, you'll see this window.

So this is a calendar of a primary, elementary school in the US.

So I mean, that's not really important.

But I mean, you can find-- in one case, I was able to find a calendar with all these Zoom meeting invites.

All the meeting invites are public, so you just need to have the link so you can just log into the meeting.

Just replace it with any of the usernames, and you don't even need to do anything.

It's really easy.

The other important thing is VirusTotal.

So these days, almost all the people are using VirusTotal because everyone is being educated, like just Cybersecurity 101.

So be careful of all the spam email, [INAUDIBLE] try everything.

So a lot of people are getting cyber aware, and they are just uploading literally everything to VirusTotal.

So if they're receiving an email, if they're receiving a document, they just check if it is good or bad.

So again, VirusTotal is a multi-vendor AV scanner.

So they have around 50 to 60 AV engines in them.

So if upload-- you can upload any file, and it is going to tell you if it has been flagged by any AV vendors or not.

So using VirusTotal, we were able to obtain really sensitive information like SSH private keys, FBI Amber Alerts, emails, confidential documents, passwords, resumes, VPN configuration files, and so much more.

You can basically find everything in that, again.

So Yara has been-- Yara is, in simple terms, a string matching or pattern matching tool.

And it's primarily used for classifying malware and hunting malware families.

And you can use the same Yara tool to hunt for document exposures or any internal documents that are uploaded to VirusTotal. So you can just use the keywords.

And so in this Yara [INAUDIBLE], I'm just looking for PDF documents that have this set of keywords.

I mean, after running this, I was able to find around 700 to very important to companies.

So this is another interesting technique to find.

So VirusTotal tags-- so there, you can call them search modifiers in VirusTotal.

So VirusTotal classifies files as you upload, so based on the nature of file.

So if you want to find any private keys, you just use the search modifier, that's id_rsa.

That's the default name for private keys.

So the name is the search modifier.

It's just the name of the file.

And if you want to get books and you don't want to pay, or you don't want to use torrents, you can just go to VirusTotal and just type the metadata as EPUB.

I was able to find the recently released book on rootkits.

And I think the book cost-- one of my co-workers bought the book for 40 pounds, and it is there for free.

You can easily download that.

And if you want to look for resumes, just use the content.

I mean, I used the-- I think it's Portuguese or Spanish.

So I used this because one of the companies in Puerto Rico, they are-- like, they are Indeed.

I mean, I think they're-- what are they called?

RYAN ROBINSON: Like a job portal?

PARTHIBAN R.: Yeah, job portal, yeah, exactly.

So they are a job portal.

So whatever resumes they are getting into their system, they're basically sending everything to VirusTotal.

So it has almost all of-- so that's how I was able to find passports.

Almost everything was there.

And VirusTotal graph, it was released last year in 2018.

So it is interesting because VirusTotal started mapping IP addresses to different files.

So for example, if a file is reaching out to an IP address, so VirusTotal maps both the IP address and the file.

So the same way-- so if you want to find any documents, email addresses, that are related to a company, you can just use the company's domain.

So I was able to find-- not negotiation.

So the email chain between a security vendor and the compromised client.

So they got breached.

So they were talking, what are the things that you need to do?

And they're sending the files that are samples.

So they were replying back, what is this file, and what actor is this?

So I have no idea why on earth they uploaded the file into VirusTotal.

And the breach was never announced publicly.

You can see that in VirusTotal.

And the other one is, if you wanted to get boarding passes to gain miles, you can go to any airlines, and you can just get-- type PDF, and you're good to go.

You can get all the boarding passes from there.

So these are some of the examples of the book.

And this is just how you can gain email addresses of a particular company.

So this is a sample of a graph, and it literally has passwords from a research laboratory.

And this is the incident response report for a company.

And this is the first email that was received by an employee to get his username, set up his access in the company.

So they gave username, password.

So you can see the password here.

I have no idea why it came to VirusTotal.

And that is the Amber Alert of FBI.

So these are some of the examples.

So the mitigation you can use is all the GSuite or [INAUDIBLE], they provide almost all the tools to log and monitor, but it says that no one uses that.

So if you want to use-- if you want to protect, don't share.

So yeah, you can make a default that's share anyone within your company, so that when you're sending next time, it by default sets-- uses that privacy settings.

And the same goes to Dropbox.

So this is, again-- again, Dropbox is a very popular one.

Just use proper privacy settings, and keep-- and also keep regularly hunting for the document exposures in multiple places like Google or VirusTotal.

And this is the GSuite Admin.

So they have a big area to just monitor the file sharing activity.

If you ever have externally shared a document, it is going to show up here.

I'm not sure if anyone is using this, if they're using GSuite in their company.

And you can send all the logs to [INAUDIBLE].

Please make sure to use them to avoid exposures.

So yeah.

RYAN ROBINSON: So yeah, just our continuing slides is that Gartner has this nice saying.

Gartner projects that through failures will be the customer's fault.

I believe them, yeah.

That's mostly-- again, what was this statistic the Admiral threw out, 90%?

Well, so security is a shared responsibility within cloud.

You can't just rely on the providers to protect you because they give you the options to do whatever you want.

And a lot of these people choose to accidentally expose it that way.

And I think [INAUDIBLE].

And so what I mean by this is you can have-- your employees are being more security savvy-- I'm going to make sure I'm not going to get hacked.

I'm going to upload this in VirusTotal.

And it's like, yeah, but you don't realize that those actually might have been sensitive meeting notes that now you've just given to everyone in the world.

There's no need to get hacked.

And that's sort of our conclusion of things.

Thank you very much.

PARTHIBAN R.: Thank you very much.

About Detect LIVE

We believe that threat intelligence holds the promise of allowing organizations to better manage risk and develop resilience. Detect LIVE, brought to you by Anomali, is a virtual event series that provides a platform for security executives, practitioners, and researchers to share insights and experiences related to threat visibility, detection, and response.