Automation with Telegram Bots - Security Art Work · 2016-07-26 · Automation with Telegram Bots....

@bitsniper - @jovimon - FAQin Congress 2016

Automation with Telegram Bots


About us

José González

@bitsniper

Security Analyst

R&Di

Jose Vila@jovimon

Security Analyst

Incident Handler

If you want to join us: [email protected]


Communication Schema


Bots: Features

“Interface to code running in a server”

No associated phone number

No status

Name ends in “bot”

Unable to start chats


Bots: Features (cont’d)

By default don’t receive all messages in groups

Created by means of a “metabot”: @BotFather

Identified by name and token

https://telegram.me/<bot_name>

Easy HTTPS API


Bots: Creation


Bots: Creation (cont’d)


Usage @mpower_bot

11


Usage @mpower_bot

12


Usage @mpower_bot

13


Usage @mpower_bot

14


Server Interface

https://github.com/python-telegram-bot/python-telegram-bot


Useful examples

Official Telegram Bots– @ImageBot, @TriviaBot, @PollBot, @RateStickerBot, @AlertBot,

@HotOrBot, @GithubBot …

Inline bots– @gif, @vid, @pic, @bing, @wiki, @imdb, @bold …

Yago Perez’s bot– 57+ accepted commands (!boobs and !butts among others)

Even bot “stores”– storebot.me / @StoreBot (official)


Usage in Cybersecurity

Notifications (e.g. replacing SMS)– Vulnerabilities

– Critical attacks

– High priority mail

– Systems and Security Monitoring

– …

Actions– System and Security Monitoring

– Additional notificacions (Auth path)

– (un)block IP address/DNS hostname

– …


Reckless by default

Owner cannot control bot visibility on global search


Confidence isn’t that bad!

By default accepts anything anyone throws at it

If we do not protect our babies they can be abused by others


Education is the key

Easy remediation


Brace yourself, Sentence is coming!

We must pay attention to bot privileges upon interaction

– Controlled by the owner


Brace yourself, Sentence is coming!

Gossipping is ugly … and BAD!


Let’s go, kill’em all !

One shot, one death …

Bot limitations:

Cannot see user images

Cannot start chats

Cannot get user “last seen” status


Using bots for our own benefit

We need more power under the Hood!

From Derringer

To Colt 61


Using bots for our own benefit (cont’d)

• Far West is not fair

• Fair people bites in the dust…

• How can we obtain more information?

• MT-Proto: Full User API

– Wizardry

– Witchcraft

– Black Magic

– Extra reinforcement of Cryptographic Sorcery


Using bots for our own benefit (cont’d)


FAQin Commercials presents…

• Not willing to code?

• Your code is as Ugly as Chema’s cap?

• Last time you coded universe almost exploded?


FAQin Commercials presents… (cont’d)

Handyman Method


Ugly and bad things together

The API is a nightmare

• TL-Language

• High-level component API query language




• MT-Proto description

• Lacks on precise documentation




• Where is the latest version of TL-Schema?

More… is not for more “Layers”





https://github.com/zhukov/webogram/blob/master/app/js/lib/config.js#L104

https://github.com/zhukov/webogram/blob/master/app/js/lib/config.js#L104





+22




ThanksPavel Durov

DEMO TIME


Sybercomunity Gossipping

@mpower_bot


Sybercomunity Gossipping (cont’d)

NcN 2015



SecAdmin 2015



Syber Salsa Rosa - 537 members (and counting)

• 182 have “last seen” disabled

• 355 have “last seen” enabled

• “Last seen” really disabled? (Future work)

• You can see when anyone becomes online– Doesn’t need mutual trust




• Building digital identity– Twitter

– Youtube

– G+

– Facebook

– Instagram


Conclusion

• Telegram is:– Awesome

– Fairly secure transmission

– Not so on Telegrams servers

– Fails at privacy

– Victims cannot do anything

– API Sucks a huge FAQin lot!

• We are not the first ones:– http://oflisback.github.io/telegram-stalking/

Thank you !

Automation with Telegram Bots - Security Art Work · 2016-07-26 · Automation with Telegram Bots....

Documents

Transcript of Automation with Telegram Bots - Security Art Work · 2016-07-26 · Automation with Telegram Bots....