WEBVTT

00:00:00.319 --> 00:00:04.137
You know, I just remembered a really funny story.

00:00:04.137 --> 00:00:07.002
So, the criminals will find a way around this.

00:00:07.003 --> 00:00:11.944
We had a sort of compromise once, and it was a very similar sort of compromise,

00:00:11.944 --> 00:00:14.461
it was a harvesting compromise.

00:00:14.462 --> 00:00:16.352
But the JavaScript was really cool.

00:00:16.352 --> 00:00:20.003
It looked to the IP address of where the user was coming from,

00:00:20.003 --> 00:00:22.305
and if it was coming from a card payment brand,

00:00:22.305 --> 00:00:23.809
if it was coming from a payment processor,

00:00:23.809 --> 00:00:26.711
if it was coming from the merchant itself,

00:00:26.711 --> 00:00:29.048
it didn't fire the attack.

00:00:29.048 --> 00:00:32.896
So it would hide itself in circumstances where it might be identified.

00:00:32.896 --> 00:00:33.261
Yeah.

00:00:33.261 --> 00:00:37.645
And also it only did it in one in every five transactions.

00:00:37.645 --> 00:00:38.322
So, you know,

00:00:38.322 --> 00:00:40.958
that's the thing that made me think that the BrowseAloud situation before,

00:00:40.958 --> 00:00:42.847
like we got off really lightly because it was just

00:00:42.848 --> 00:00:44.687
like a shotgun that's on everything,

00:00:44.687 --> 00:00:47.754
there were no attempts at hiding itself or concealing itself from

00:00:47.754 --> 00:00:50.210
the people who are going to try and find it.

00:00:50.210 --> 00:00:54.022
So, if it like knew your IP address and Scott's IP address,

00:00:54.022 --> 00:00:55.390
who, and Scott found it, didn't he, Scott found this,

00:00:55.390 --> 00:00:55.527
yeah?

00:00:55.527 --> 00:00:56.300
Yeah.

00:00:56.300 --> 00:00:59.522
If it had known their IP addresses, like every security researcher,

00:00:59.522 --> 00:00:59.988
it would have just said, well,

00:00:59.988 --> 00:01:01.870
I'm not going to fire if it's that person looking at it.

00:01:01.870 --> 00:01:05.437
They'd have to start getting very intelligent then, but I take your point.

00:01:05.438 --> 00:01:10.070
When we saw this one that didn't execute if I was on my desk at work,

00:01:10.070 --> 00:01:12.604
but if it executed at home, I thought that was pretty clever,

00:01:12.604 --> 00:01:12.815
actually.

00:01:12.816 --> 00:01:16.308
So someone had to fingerprint your externally facing IP address range as well.

00:01:16.309 --> 00:01:17.133
Yeah.

00:01:17.133 --> 00:01:17.395
That's really creepy.

00:01:17.396 --> 00:01:19.646
And it wasn't just the card brand I worked for,

00:01:19.646 --> 00:01:23.173
it was the other card brand, it was the payment processor that was being used,

00:01:23.173 --> 00:01:24.560
it was the company itself,

00:01:24.560 --> 00:01:28.429
it was the four forensic companies that are used in the UK

00:01:28.429 --> 00:01:31.194
for doing forensic card breaches --- Wow.

00:01:31.194 --> 00:01:32.330
--- so these guys have spent some time doing it.

00:01:32.330 --> 00:01:34.989
There's some effort, there's some love.

00:01:34.990 --> 00:01:36.702
There is some love in crafting that.

00:01:36.702 --> 00:01:37.436
You're absolutely right.

00:01:37.436 --> 00:01:38.994
So, if we look at the,

00:01:38.994 --> 00:01:42.335
obviously we're going to try and do a detect by doing the standard things,

00:01:42.335 --> 00:01:45.549
or are we going to detect stuff that has gone wrong on our website,

00:01:45.549 --> 00:01:47.521
but then the next thing is, well,

00:01:47.521 --> 00:01:51.217
then it's a case of doing detection based on looking at what

00:01:51.217 --> 00:01:53.592
our website is serving as a remote user,

00:01:53.592 --> 00:01:55.954
and then seeing if that CSP has changed.

00:01:55.955 --> 00:01:57.727
But at least there's one thing to look for.

00:01:57.727 --> 00:01:59.528
See, when I thought about this originally,

00:01:59.528 --> 00:02:00.815
before I knew about CSP,

00:02:00.815 --> 00:02:04.175
I was thinking how do I look for a random piece of

00:02:04.175 --> 00:02:05.579
JavaScript that's just been added to a website?

00:02:05.579 --> 00:02:07.393
But now I've got one thing we're looking at,

00:02:07.393 --> 00:02:11.538
we're looking at just the CSP changing or being deleted,

00:02:11.538 --> 00:02:13.462
and that's technically feasible.

00:02:13.462 --> 00:02:14.302
Yes.

00:02:14.302 --> 00:02:18.302
So, that's pretty cool.
