How Can Memes Improve Security?

  |  Compiler Team  
Seguridad

Compiler • • How Can Memes Improve Security? | Compiler

How Can Memes Improve Security? | Compiler

About the episode

Memes are goofy. They’re easily recognizable. And they’re often used to make a point. So it’s no wonder that people on both sides of the InfoSec community are not only familiar with memes, but often use them in their endless games of cat and mouse. Consequently, memes are often a sign of a breach of security. Because there’s little as satisfying as leaving a meme as proof of your security prowess.

This episode, we hear from a couple of Red Hatters who rose to an unusual security challenge. And while intentions were good, the memes could have easily been something much more nefarious.

Compiler team Red Hat original show

Suscribir

Subscribe here:

Listen on Apple Podcasts Listen on Spotify Subscribe via RSS Feed

Transcripción

Brent, Angela. Have you ever been pranked on a work computer? Never. Never. Wow! No. One time. Well, I'm ashamed to admit this, multiple times, I have left my laptop open. Oh, Brent. In the office. Oh no. And this, of course led to, I'll call them pranks. Go on. Well, they were mostly, I'll say kind reminders to lock my computer when I walk away from it. Kind reminders. Yeah. Kind reminders that mostly took the form of emails to myself, from myself. At a previous company I worked at, we would do something very similar where if someone left their computer open and unlocked, someone would post as them in Slack saying like, "Hey, donuts are on me tomorrow." Right? So there's that extra little incentive for them to be a bit more careful. That'll learn ya. Mm-hmm (affirmative). It's harmless fun, right? But it has its role. And that is to encourage people to have better security practices. Now there's a story I want to share with the two of you that happened here at Red Hat, and it's called Caturday. Caturday. Do tell. This story involves pranks and security, but it also involves memes. You have my full attention. This is a great story, but it also led me to wonder how can memes improve security? Good question. This is Compiler, an original podcast from Red Hat. We're your hosts. I'm Brent Simoneaux. And I'm Angela Andrews. We're here to break down questions from the tech industry; big, small, and sometimes strange. Each episode, we go out in search of answers from Red Hatters and to people they're connected to. Today's question: How can memes improve security? Producer Johan Philippine is here to help us out. Now, before we dig into the actual story of Caturday, it's really important that we understand the difference between blue teams and red teams. Angela, do you know what a blue security team is? Yes, I do. So the blue team are the security folks inside of an organization who do the defensive security measures. They're putting the things in place to secure the infrastructure. That's the blue team. You've got a defense team. And so I assume there's an offense team. That's right. Okay. So it's red versus blue. That's the classic, you know, clash of the colors. The red teams, they do kind of the opposite of the blue team, right? They're there to consistently and constantly test the defenses that the blue team have put in place. And when they find something, they usually let the blue team know so that the blue team can then fix whatever it is that needs to be fixed in order to make sure that other people who are looking to find ways into the system can't use that same vector for attack. And to clarify, the red team works for the same company as the blue team. Not always. Not always. Not always. Yeah. Okay. Not always. Sometimes red teams are external to your company. Yeah. Now, they're hired by your company. Yeah. But they've been given permission to try to scan and compromise your system and find out what your weaknesses are. It just so happens that this company has both red and blue teams. And this is for the purpose of learning? Yes. Seeing where your systems may be vulnerable and how to find and remediate those vulnerabilities. No system is truly un-hackable, right? So if someone's in your system that shouldn't be there, you've got to be prepared and able to identify them. Now, luckily we've identified the two culprits for Caturday and it turns out they're part of the blue team. They are Alison Naylor: I manage the North America incident response and operations team within the information, risk and security team here at Red Hat. And Richard Monk. My job is Senior Information Security Analyst. My title is Consulting Information Security Analyst. But if you look in Rover, it says Consulting Detective, and I'm happy for that. Now you may be wondering what memes have to do with red teams and blue teams. This is what I was waiting for. You're speaking my love language now. I love memes. Memes are so much fun. What's your favorite meme? My favorite meme that… this meme is in the hall of fame of memes. So when I was at my old job, we were on call and we rotated. So every time when my on-call came, I would post this photo of Beyonce, crying with her mascara running and she has a phone next to her ear and she looks a hot mess. And I would be like, "yeah, I'm on call this week." And I would post it on social media and I would send it to my boss. And then of course, when on call was over, I posted Mary Tyler Moore throwing her hat up in the sky and saying on call's over. Yeah, that's my hall of fame of favorite memes. Those two. Brilliant. I love that. Brent, do you have a favorite meme? I… I don't internet. I don't internet! Well, the reason we're talking about memes today is because it turns out that these InfoSec teams, red team and blue team, and really the whole InfoSec community: they really love their memes. I make jokes that the InfoSec team are ancient Egyptians and that we speak in pictures and worship cats. So Alison and Richard, they're part of the blue team, right? They're part of building up the defenses and they're monitoring the network, making sure that the systems are protected. They don't do any red team stuff… usually. But for this one project, Caturday, they switched sides. Here's how it started. I want to say that it was about 2010. It may have been a little bit later than that. When the very first TVs were put up in the office, our manager at the time said, "Hey, it'd be pretty cool if we got Business Cat up there." I ask this as someone who doesn't internet: what is Business Cat? Or who is Business Cat? Business Cat is a very adorable black cat with a little collar and a little yellow striped tie on. And he's adorable. And he's kind of the mascot for a lot of things. Pretty good mascot for a business prank, right? You put them up there and you know that something's not going right. Yeah. You know. Brent, would you mind kind of walking us through what these monitors are when and what they display, usually? So when I first started working at Red Hat, there were no monitors in my office. And then suddenly, they started appearing and they're in places like the kitchen and in the hallway. And they usually just display the weather, different announcements, the menu in the cafeteria, things like that. But they are all over the place now. So imagine there are these TVs put up all over the place, and you've got this challenge given by your boss to put Business Cat up on these TVs. I know that I would put at least a little bit of effort to try and get that done. Oh yeah. Yeah. The reach! Who wouldn't do that? Right? The challenge was issued in about 2010 or so, and there was a prize involved, but no one was able to claim it until 2019. Now I'll put a little bit more context onto this and say that over the course of those several years, it was something that they would maybe try and catch the monitors as they were being restarted to get as much information as they could. And they'd poke around a little bit, but weren't devoting all that much time into actually getting it done. You're saying this wasn't their full-time job. Exactly. Right? Oh, okay. The first breakthrough came in 2019. During my normal security analyst type of work, I was investigating an event. And in the process of doing that, I saw some post names that looked a little different to me. I didn't immediately know what they were. We have taps on the network where we're able to observe some parts of the traffic. And I saw what looked like unencrypted plain text, FTP traffic. And as part of that metadata, I saw what looked like a username and a password. A really, really easy password that no one should be using. And I was like, "no, that can't be," but I thought I would try it anyway. Was the password 1, 2, 3, 4? Password? It turns out that someone hadn't changed the default password for what turned out to be kind of this mothership server in charge of this whole network of Red Hat Tower TVs, monitors, displays. Oh no. And so at that point, she remembered the challenge, the Business Cat challenge, and she thought, oh, I might be able to actually finish this challenge. Finally. Even though I was logged into this mothership, I couldn't actually interact with the contents too much, but I wanted to learn more about the other signs, how they were named, how they were on the network in our building, in Red Hat Tower. I've started to browse our internal Wiki. And I found some host names. They seemed to follow a pattern and I found quite a nice list, once I knew the pattern to look for. And I found one that seemed to be different from the rest. And it looked like it was in the main lobby for the building. And I'd looked for default passwords and I found one and I thought I would try it. It can't be this easy, right? But it worked. Unfortunately the sign was pretty new and I don't think it had been fully set up. So the default admin credentials absolutely worked for me. She got super excited, she went over to her teammate, Richard. She told him what she'd found. She said, okay, let's go downstairs. Let's take a look at this. And let's get Business Cat up there. We're sitting in reception, probably acting very sketchy. We told our front desk person what we were doing so she wouldn't worry. We found a part of the interface that would allow you just to display any arbitrary image. You could just give it a URL and it would display whatever you pointed it at. So very quickly I went and made a little Business Cat meme myself. And I made it say, "You should probably change your password right meow." Aw! Right meow. Right meow. They displayed it in the lobby in all of its glory. Richard took this wonderful full picture of, it's got Business Cat in the background. And it's got Alison in the foreground kind of looking over her shoulder with this huge grin on her face. Like very satisfied with herself. What?! Like another famous meme that I'm thinking about. Disaster girl? Yes, yes. Internet! So they took the picture and then they take it down because they're well aware that they're in this lobby of a prominent tech company with a huge, huge screen that has some… Doesn't look so good. Yeah. It doesn't look good for a tech company to have a meme in their lobby about changing passwords. So they take it down and they go up to their boss and they say, "all right, we did it. Here's the proof. Now give us our prize." What was the prize? Well, apparently there was no prize at that point. What? Their manager said, "oh no, this isn't good enough. That wasn't the challenge. The challenge wasn't to get Business Cat on one screen that was new, that wasn't fully set up yet. The challenge was to get Business Cat on all the monitors and displays and TVs throughout the Red Hat Tower." Oh. Oh. The plot thickens. And at that point, Alison and Richard, a little annoyed say, "all right then, challenge accepted." And that's when they put on their work gloves. And I'm imagining this whole big montage of like an '80s movie, their fingers go on the keyboard, they're typing away, there's code flying around. And really that's when the real work began, right? And what follows is, well, it gets pretty technically hairy. I'll let Alison give us the details. We started to just look for everything that was accessible there, every part of it. And so we found some scripts that we thought we could maybe take advantage of. And so we were able to get an authenticated command injection vulnerability. Tell us what that is. The way I understand it is this allowed them to trick the system into giving them more permissions than they should have had. That allowed them to run commands as if they were administrators. Okay. We figured that needed to be a CVE. And we're going to have to tell them, we got to tell a vendor. But not right now, because we're definitely going to get Business Cat on the screens. So we started to find some other things. We were able to get a shell on this mothership and we started to examine the file system. We saw things like the temp directory. We could put programs there and run them. So we were able to do that. We were able to get ourselves an interactive shell, not just a reverse shell. And we really started to examine what we could find on that disc. Once you have shell access, and administrative shell access at that, that's the money shot. Yep. They could put programs on there and they could run them and they were able to get themselves an interactive shell. And it's just, at that point, that's when they were really able to do some mischief. We found that there was a user in the sudoers file that could read everything. We found that there were some other users that could run some other utilities on the system, including HT password, which can write out files and plain text, as long as there's a colon present somewhere in the line. Conveniently that also works for sudoers files. So we were able to explore that, to write a line into the sudoers so that we could make ourselves root. And now it's kind the game over from here, right? We have all the permissions we want. All right. I am a little lost here. What is sudoers? Sudoers is a file in the etc directory on a Linux system. And that file, allows you to set permissions for other users. You can set people's permissions. So imagine having access to be able to edit sudoers? Game over. You got the keys to the kingdom. So they have the keys to the kingdom, but it doesn't do them very much good unless they know how the system works. And we figured out that at one point in the scripts, there was a location where the files were downloaded and then they were moved into the cache. And so that was the point that we could insert something. So in the script we inserted a single line that called our own script. Let's get our whiteboard out. Let's get the whiteboard out. Let's get the whiteboard out. Got it. Love, love the whiteboard. Let's draw a big old cloud on the top of the whiteboard. Got it. Okay. We've got some lines going up to the cloud. Yep. Okay. And along those lines, we're sending files, we're sending images. We're sending, you know, menus, weather reports… These are the slides that I see, basically. These are the slides that you see every day. In the office. Every day. They go up to the cloud server, that cloud server then sends the files down to a location and moved into a cache, locally. So that you don't have to keep loading them every time from the cloud, right? It helps you minimize the amount of internet traffic and the bandwidth that goes from the cloud to your local server. Okay. And then from that local cache, monitors and displays would pull the images that they would need and display them. And these are monitors in offices, around the world, from China to San Francisco, to Sao Paulo, to-. Wherever we have offices around the world that have this system and these displays in the offices, they're pulling from this cloud server. Every time a new slide was downloaded, they were all just images. It would take a picture of Business Cat, like a translucent picture of Business Cat and overlay it on the bottom right of every single one, every single slide. This is pretty subtle. It's pretty subtle. Yeah. It's very clever. Yeah. The other thing was, there's a term we have called a CNC command and control server. And so we wanted to manage this thing. We wanted to see what it was doing because we're not going to be on the machine forever. And so I used a service to send every time one got updated, it would send both Alison and myself, a notification on our phones. It would say, "Hey, I saw a new slide" and it would give us a picture of the slide. So we could watch it in real time as it was updating these slides. Then they would know that Business Cat was on his way to a screen near you. Wow. And so they did that. They left some comments in the code to say like, Hey, this is InfoSec. We're playing around. If you see this, let us know so we can talk about what's going on here. Within about 24 hours, Business Cat started making his way around the world. So obviously he started appearing in the Red Hat Tower in Raleigh, North Carolina. But Alison and Richard also started getting messages about Business Cats showing up in Brno, in the Czech Republic. Wow. And in Brisbane, Australia. Worldwide Cat! Mm-hmm (affirmative). So after years of stalling, the challenge had finally been completed. That's awesome. Wait what happened? They were hoping that people would start noticing and contact them right away. That's not really what happened. So people did start noticing it because it was all over the place. They’d talk about it and they'd be like, "is that Business Cat on the monitors? What's he doing up there? What's going on?" And they'd be sitting there in the cafeteria, just kind of hiding their faces and giggling into their coffees, playing innocent. It took about a week before someone… A week? ... actually contacted InfoSec to be like, "Hey, do you know what's going on here? Why is Business Cat showing up on these slides? We don't think that that's normal." We don't think this is normal. At that point they say, "yeah, that was us. We had our little fun, but we've got some things we need to talk about." Wow. Okay. So they got Business Cat on all of the monitors, all over the world. That is such a feat… Yeah. ...in and of itself. And what was their prize? They went to their boss who had issued the challenge and explicitly told them that they had to get it. It couldn't be just one monitor. It had to be done all over the world. So they were like, "Okay, well this is what you asked for. Here it is." And their manager said, "Okay, good jorb," which is another meme. And then they ended up getting a, I believe it was a gift card of some sort as a reward for their efforts. But... Job well done. ... obviously this story and the street cred is much more valuable. I love this story. So today's question was: how can memes improve security? That's right. Johan, what did you learn from this story? Well, I learned that you can get some Cats up on some screens at Red Hat and the whole system becomes a little bit more secure. Let me trace out the logic for that a little bit more for you. Okay. Yeah. I'm sure people want to know what's the causality here, but yeah. Yeah. Alison and Richard took extensive notes about what they were doing and the ways in which they actually got into the system. Okay. They documented their procedure. I actually wrote a report with all the problems laid out. Alison and Richard shared their findings with the rest of the blue team at Red Hat so that they could patch these vulnerabilities. For those that weren't Red Hat's responsibility, they disclosed the rest of the findings to the vendor. We did responsibly disclose our findings to the vendor because we wanted to help them fix those issues and to prevent some bad actors from finding the same holes that we did. And kudos to them for listening and taking us seriously. On the Red Hat side, the problems were those basic ones, right? Like plain text, unencrypted password on the wire that we were able to intercept, using a very weak and easily guessed password. Some passwords hadn't been set at all in the newer equipment. So they still had the defaults that admin default set up. Always change the default password. Yep. Yep. Okay. That's one of the easiest ways for people to get in, is they just try the default administrative passwords and if you haven't changed them, then they just have access to the system. One corollary to that is to make sure that you're not transmitting those passwords even if they are changed in a way that people can read them. Encryption. Encryption. So using FTP is never good. Never good. If you're going to use FTP, then you use SFTP where passwords and things aren't going over in clear text. And the S in SFTP stands for? Stands for secure. There you go. There it is. That's lesson number one, is just be very careful with your password. Yeah. Password hygiene. Okay. Exactly. Step number two, is to make use of the principle of least privilege. I could describe what that is. Angela, would you mind giving us what that means to you? Sure. So, the principle of least privilege means, whatever user you are, you only have the privileges that you need to do your job. Everyone doesn't have to be root. You only get access to exactly what you need access to. So the principle of least privilege is, my account only gives me access to do the things that I only need to do, to do my job. Nothing more. Yep. Nothing more. So least privilege. Not everyone needs to have root access, which is basically the permission to change everything on a machine. Now the third lesson is more of a human thing and that's not to bypass security features for convenience. Wait, what do you mean by that? So, say for example there's a security feature that's put in place that's meant to protect a system, but it takes some effort to get around it or to get through it, right? It's just another layer of something that you have to do. A lot of the times people will find that to be an inconvenience and they'll find a way to get around that or to ignore it, right? And at that point, you're leaving the door open for someone to actually go in and do what that security was supposed to protect against. This is like, when I leave my front door unlocked, when I walk my dogs. Yes, that’s… yes. Pretty much because it's really annoying, slight inconvenience, but I find it annoying. The one example that Alison put in her report is that. Through various parts of the system, they also used curl dash K, which is insecure mode, ignoring SSL. So we could have  man-in-the-middled there as well. Those are the lessons, really high level lessons as to what not to do. But you might be wondering why is that important, right? Especially for a system of monitors and TVs in a Red Hat office. This is just the beginning. It's just the beginning. And even if you have access to just that system, there's still a lot of things you can do with it. And even though a Business Cat on screens is harmless, you can put things in front of people that aren't so harmless, like instructions to go to a certain website to fill out information, to update something for a made up… Oh. Yeah. ... work update, right? Say, Hey, everyone, you're supposed to go and update your profile and update all your personal information, and it turns out to be a malicious website. Then they start collecting all of this personal data about people from inside the company. I could also see, like a QR code or… Mm-hmm (affirmative). Yeah. Exactly. I'm thinking of a myriad of ways or things that you can put up on that screen that could be so detrimental to Red Hatters all over the world. Business Cat was very innocent, very cute, but it just shows the depths at which you could infiltrate and social engineer folks to do all kinds of things that they wouldn't bat an eye. It's up on the monitors in our office, of course it's legit, right? Mm-hmm (affirmative). It's not like a USB stick you found on the sidewalk. Exactly. It's not just one person picking it up and sticking it in their computer. Now I would like to reiterate at this point that it took multiple years of people kind of poking at the system before they found a way in. There's no such thing as a perfect unhackable system. That's true. Yeah. But this one seemed to be fairly secure up until it wasn't. Right up until they found that one little inch that they broke into and then kind of shimmied their way into the whole system. But look at what they learned in the process, the report that Alison wrote, detailing the methods that she used to break in and get business Cat on there, the things that she saw and learned along the way. Yeah. Yeah. They definitely learned a lot, but Johan, I'm curious about our original question. How can memes improve security? So I'm kind of curious how you're thinking about that. Are you not entertained? We've been talking about all these vulnerabilities that the blue team discovered, right? And I'm going to argue that it's thanks to the memes that these got found at all. I'm not sure that this challenge would've been completed, if it hadn't been for that meme element. If Alison and Richard had just been given a challenge to break into the system, it wouldn't have been as fun, right? There's that little element of mischief, that element of humor that I really think gave them the motivation to see it through. So I'm sitting here with my mug of tea, alone at my table, and I'm proclaiming that memes can be a fantastic way to find security vulnerabilities. Change my mind. And that does it for this episode of Compiler. Today's episode was produced by Johan Philippine and Caroline Creaghead. Victoria Lawton is always monitoring our work for shenanigans. I love her for it. Our audio engineer is Elisabeth Hart. Special thanks to Shawn Cole. Our theme song was composed by Mary Ancheta. Big thank you to our guests, Alison Naylor and Richard Monk for sharing the story of Business Cat’s big day at Red Hat. Our audio team includes Leigh Day, Laura Barnes, Claire Alison, Nick Burns, Aaron Williamson, Karen King, Boo Boo Howse, Rachel Ertel, Mike Compton, Ocean Matthews, and Laura Walters. If you liked today's episode, please follow the show, rate the show, leave a review, share it with anyone you know. It really does help us out. It sure does. Thank you so much for listening. We'll see you next time. All right. Bye everybody.

More about security

Security for modern systems is defined by its adaptability to newer attacks, and its integration into infrastructure and product lifecycles.

Publicaciones en el blog

Respuesta de Red Hat ante los puntos vulnerables de OpenPrinting CUPS: CVE-2024-47076, CVE-2024-47175, CVE-2024-47176 y CVE-2024-47177

26 de septiembre de 2024  |  

...

Linux
Seguridad

Publicaciones en el blog

La seguridad de Kubernetes en 2024

26 de junio de 2024  |  

...

Seguridad

Programas originales

The One About DevSecOps | Command Line Heroes

DevOps
Seguridad
Automatización de la seguridad
Historia de la tecnología

Programas originales

Steve Wozniak | Command Line Heroes

Historia de la tecnología

Sobre el podcast

Compiler

Do you want to stay on top of tech, but find you’re short on time? Compiler presents perspectives, topics, and insights from the industry—free from jargon and judgment. We want to discover where technology is headed beyond the headlines, and create a place for new IT professionals to learn, grow, and thrive. If you are enjoying the show, let us know, and use #CompilerPodcast to share our episodes.