Thoughts

• offer some training oppurtunities
• followup with Hemed and Mickey
• attack crypto frameworks

Notes

DPAPI

• @paulacqure
• personal story
• limited set of crypto to use, probably one of these
• animated walkthrough of concepts
• use of 3DES in chrome password store, password length?

whoami /priv

• Andrea Pierini
• @decoder_it

AWS Workshop

• @Rzepsky

• [email protected]

• public access through ACL - should be deprectaed soon

• encrypt your snapshots

• lazys3 enumarate possible s3 bucket names

• ransomware in cloud (without versioning)

• logs from cloudwatch take 10-15m

• KMS is quicker than the logs

• you can copy snapshots to volumes, and then mount them

• hidden info in a .git and previous commits

• “oops, forgot to remove keys”

• looking for files with high entropy

• budget running away - used public access to run the highest CPU for crypto mining

• pacu cloud attacking framework

• allowing security roles with * and adding too much

• AWS has soemthign called User Data which run a bash script on user startup, they should only be used once on instance create - you can add #cloud-boothook and cause it to run on every restart

• you can upload new permissions and just set them as default (internal issue when they allow to uplaod a policy, that has roles that are out of scope for the role setting it as default)

• there is an issue of figuring out what each roles does, in the end everyone get admin access

• murder by amazon - account take over including backup removed the entire company

• rotation of old keys is encouraged, but the date of last change (and alerts) only referes to the older key created

• provide an additional training session - workshop as a promo

GPS

• pretty good talk
• comm with servers in china
• darkamtter

OSINT

• a lot of tools, need to review