Automation with Telegram Bots - Security Art Work · 2016-07-26
TRANSCRIPT
Automation with Telegram Bots
@bitsniper - @jovimon - FAQin Congress 2016
About us
José González
@bitsniper
Security Analyst
R&Di
Jose Vila
@jovimon
Security Analyst
Incident Handler
If you want to join us: [email protected]
Communication Schema
Bots: Features
“Interface to code running in a server”
No associated phone number
No status
Name ends in “bot”
Unable to start chats
Bots: Features (cont’d)
By default don’t receive all messages in groups
Created by means of a “metabot”: @BotFather
Identified by name and token
https://telegram.me/<bot_name>
Easy HTTPS API
Bots: Creation
Usage @mpower_bot
Server Interface
https://github.com/python-telegram-bot/python-telegram-bot
Useful examples
• Official Telegram Bots – @ImageBot, @TriviaBot, @PollBot, @RateStickerBot, @AlertBot, @HotOrBot, @GithubBot …
• Inline bots – @gif, @vid, @pic, @bing, @wiki, @imdb, @bold …
• Yago Perez’s bot – 57+ accepted commands (!boobs and !butts among others)
• Even bot “stores” – storebot.me / @StoreBot (official)
Usage in Cybersecurity
• Notifications (e.g. replacing SMS)
– Vulnerabilities
– Critical attacks
– High priority mail
– Systems and Security Monitoring
– …
• Actions
– System and Security Monitoring
– Additional notifications (Auth path)
– (un)block IP address/DNS hostname
– …
Reckless by default
Owner cannot control bot visibility on global search
Confidence isn’t that bad!
By default it accepts anything anyone throws at it
If we do not protect our babies they can be abused by others
Education is the key
Easy remediation
Brace yourself, Sentence is coming!
We must pay attention to bot privileges upon interaction
– Controlled by the owner
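The two slides above (the “Actions” a security bot may expose, and the remediation of keeping bot privileges under the owner’s control) can be put together in a few lines. The block below is an added example, not the speakers’ @mpower_bot code and not part of python-telegram-bot: it works directly on the JSON shape the Bot API returns from getUpdates, gates the state-changing commands behind an allowlist of numeric user ids, validates the address argument, records every decision in an audit list, and builds (without sending) the sendMessage request for `https://api.telegram.org/bot<token>/sendMessage`. ALLOWED_USER_IDS, the user ids, the addresses and the in-memory blocklist set are constructed values; the token is a placeholder.

```python
"""Allowlist-gated command handling for a Telegram bot (added example, offline)."""
import ipaddress

# Constructed: numeric Telegram user ids of the bot's owners. Anyone else is a
# stranger, because a bot is reachable by whoever finds it in global search.
ALLOWED_USER_IDS = {123456789}
PRIVILEGED_COMMANDS = {"/block", "/unblock"}   # change state on our side
PUBLIC_COMMANDS = {"/start", "/help"}          # harmless, anyone may use them
AUDIT_LOG = []   # (user_id, text, decision); a real bot would ship this to a SIEM


def parse_command(text):
    """'/block@mpower_bot 10.0.0.5' -> ('/block', ['10.0.0.5']); non-commands -> (None, [])."""
    if not text or not text.startswith("/"):
        return None, []
    parts = text.split()
    cmd = parts[0].split("@", 1)[0].lower()   # drop the '@botname' suffix used in groups
    return cmd, parts[1:]


def parse_target(args):
    """Return the single IPv4/IPv6 argument in canonical form, or None if it is not an address."""
    if len(args) != 1:
        return None
    try:
        return str(ipaddress.ip_address(args[0]))
    except ValueError:
        return None


def handle_update(update, blocklist):
    """Process one Bot API Update dict; return the sendMessage payload, or None if nothing to say.

    `blocklist` is a mutable set standing in for the firewall/DNS deny list.
    """
    message = update.get("message")
    if not message or "text" not in message:
        return None                       # stickers, joins, edits: ignore
    user_id = message.get("from", {}).get("id")
    chat_id = message["chat"]["id"]
    text = message["text"]
    cmd, args = parse_command(text)
    if cmd is None:
        return None

    def reply(body):
        return {"chat_id": chat_id, "text": body}

    if cmd in PUBLIC_COMMANDS:
        AUDIT_LOG.append((user_id, text, "public"))
        return reply("This bot only takes orders from its owners.")

    # Deny by default: unknown commands and unauthorised users get the same
    # answer, so a stranger cannot enumerate which privileged commands exist.
    if cmd not in PRIVILEGED_COMMANDS or user_id not in ALLOWED_USER_IDS:
        AUDIT_LOG.append((user_id, text, "denied"))
        return reply("Unknown command.")

    target = parse_target(args)
    if target is None:
        AUDIT_LOG.append((user_id, text, "bad-argument"))
        return reply(f"Usage: {cmd} <ip-address>")

    if cmd == "/block":
        blocklist.add(target)
    else:
        blocklist.discard(target)
    AUDIT_LOG.append((user_id, text, "executed"))
    return reply(f"{cmd[1:]}ed {target}; blocklist now has {len(blocklist)} entries.")


def build_send_request(token, payload):
    """Return (url, json_payload) for sendMessage; the caller POSTs it.

    The token both names and authenticates the bot: keep it out of logs and repos.
    """
    return (f"https://api.telegram.org/bot{token}/sendMessage", payload)


def make_update(update_id, user_id, text, chat_type="private"):
    """Constructed Update, shaped like one element of the getUpdates result."""
    return {
        "update_id": update_id,
        "message": {
            "message_id": update_id,
            "from": {"id": user_id, "is_bot": False, "first_name": "someone"},
            "chat": {"id": user_id, "type": chat_type},
            "date": 1469491200,
            "text": text,
        },
    }


if __name__ == "__main__":
    deny = set()
    for upd in [
        make_update(1, 123456789, "/block 203.0.113.7"),              # owner: executed
        make_update(2, 987654321, "/block@mpower_bot 203.0.113.9"),   # stranger: denied
        make_update(3, 123456789, "/block not-an-ip"),                # owner, bad argument
    ]:
        print(build_send_request("TOKEN-PLACEHOLDER", handle_update(upd, deny)))
    print(sorted(deny), AUDIT_LOG)
```

The important design choice is the deny-by-default branch: the owner check happens before the command is even parsed for arguments, and the refusal is indistinguishable from “unknown command”, so the only thing a stranger learns from poking the bot is that it exists, which (as the previous slide says) they already knew from global search.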
Brace yourself, Sentence is coming!
Gossiping is ugly … and BAD!
Let’s go, kill’em all !
One shot, one death …
Bot limitations:
Cannot see user images
Cannot start chats
Cannot get user “last seen” status
Using bots for our own benefit
We need more power under the hood!
From Derringer
To Colt 61
Using bots for our own benefit (cont’d)
• The Far West is not fair
• Fair people bite the dust…
• How can we obtain more information?
• MT-Proto: Full User API
– Wizardry
– Witchcraft
– Black Magic
– Extra reinforcement of Cryptographic Sorcery
FAQin Commercials presents…
• Not willing to code?
• Your code is as ugly as Chema’s cap?
• Last time you coded, the universe almost exploded?
Handyman Method
Ugly and bad things together
The API is a nightmare
• TL-Language
• High-level component API query language
• MT-Proto description
• Lacks precise documentation
• Where is the latest version of TL-Schema?
– More… is not for more “Layers”
– https://github.com/zhukov/webogram/blob/master/app/js/lib/config.js#L104
– +22
Thanks Pavel Durov
DEMO TIME
Sybercomunity Gossiping
@mpower_bot
NcN 2015
SecAdmin 2015
Sybercomunity Gossiping (cont’d)
Syber Salsa Rosa - 537 members (and counting)
• 182 have “last seen” disabled
• 355 have “last seen” enabled
• “Last seen” really disabled? (Future work)
• You can see when anyone becomes online
– Doesn’t need mutual trust
• Building digital identity
– Twitter
– Youtube
– G+
Conclusion
• Telegram is:
– Awesome
– Fairly secure transmission
– Not so on Telegram’s servers
– Fails at privacy
– Victims cannot do anything
– API Sucks a huge FAQin lot!
• We are not the first ones:
– http://oflisback.github.io/telegram-stalking/
Thank you !