Hacking the international RFQ Process #killthebuzzwords

Dino Covotsos

Thanks to the “boom” in the information security industry combined with the latest buzzwords, more and more large corporate companies are looking for the latest “next gen” anti-haxor services and technologies. In doing so they often go out publicly on tender and / or issue an RFP/RFQ in order to obtain the best possible solution to meet their requirements and budget (usually cost wins).

Due to this and a lack of maturity in the field, companies issue public RFQs / RFPs that contain classified and confidential / secret information such as network diagrams, architectural designs, software versions etc. This type of information would usually require that an attacker spend an extensive amount of time performing enumeration and / or gaining access to the internal network first and taking a significant amount of time to learn about that environment. Targeting the procurement process of an organisation exposes a largely unexplored attack surface.

This new research and presentation aims to demystify the above and give practical examples of large international organisations, which unfortunately fail at the RFP/RFQ process badly. This opens a “free and easy” attack vector for attackers to exploit without even conducting extensive enumeration and fingerprinting, or anything close to intrusive attacks. As a result, an attacker often has access to an extensive amount of confidential information about the organisation, which could be utilised to launch more targeted attacks. Depending on the type of information gathered, such attacks could be likened to an attacker that has insider knowledge.

I will also be demonstrating, via real world examples, the dangers of going out blindly and looking for specific services and products in the information security industry, with real life networks being shown on stage.

A short breakdown of what will be presented is as follows:

- An explanation of what is wrong with the RFQ/RFP process worldwide including proof of these issues.
- Multiple attack avenues of real hackers taking advantage of the process / information leaked.
- Scenarios where attackers would be in an advantageous position.
- Personal examples that I’ve seen over the last 16 years (I’ve contributed towards over 4000 responses to RFQs/RFPs over the years!).
- Real life examples that we’ve seen and found publicly online, including private information that attackers could utilise.
- Some advice on solving this difficult issue.

Quick Info

Venue for DEF CON 27:
Talks: Celebrity 5
InfoBooth and CTF: Contest Area
Planet Hollywood
Las Vegas.
