[#156] Jak skutecznie przeprowadzać symulowany phishing w organizacji? (How to run simulated phishing in an organization effectively?) – Mateusz Nalewajski

Welcome! I am very glad that so many people came to my presentation. Today we will talk a bit about phishing and about simulating phishing, but we will precede it with a certain introduction. It will be a bit technical and a bit non-technical; I hope you will like it.

A little bit about me. Mateusz Nalewajski. I now work at Alior Bank, where I deal with security. I am the manager of the team that deals with the development of the bank's security, in the area of securing the bank's customer-facing platforms, but also many other things, among others what Wiktor mentioned last time, protecting clients from malware. In fact, my adventure with security started about 5 to 6 years ago, while working in a consulting company, where for a long time, 3 years, I performed penetration tests and red team exercises. These exercises really gave me a lot of knowledge about how phishing can affect your organization. However, working in a bank showed me another aspect, because I no longer started from the position of the one doing the phishing, but of the one who is struggling with this problem and who has to deal with it.

This presentation will be about what kind of problem phishing is and how we can deal with it. We will also touch on the educational aspect. A short agenda. I will tell you a little about what phishing is in general, in the context of the examples which I see, which we receive as a financial institution. I do not know if this is the case for you, but in general my Gmail is clean, whereas only when working in a big company does this problem hit me. I will say that people click on it, and I will show you some examples. It is also a bit technical: sending an email is such a simple operation, yet difficult. And at the end there will be a bit about my tool, which might help you deal with the problem.

Spam is really a big problem. I will not explain what phishing is, because you know it very well. In fact, what I have found is that cloud providers are better at dealing with it. I think it is because of advanced analytics: Google has, or reads, your emails. What Google sees coming in in large quantities, it can say with some probability that it is spam. If we consider the on-premise option, where we set up the email infrastructure ourselves, it is much harder. Of course there are some services that allow us to do this, there are anti-spam gateways, etc. Nevertheless, this problem still exists and it seems to me that it is much larger with such installations.

Anyway, point 3: where do they get the email addresses from? Of course, they can come from various sources. From my experience, I remember an anecdote: one day I decided it would be cool to have a GPG key. Then I found it nice to have it signed and to send the signatures to the Internet. The next day I received 20 phishing emails, because they really harvest and see these published signatures with your GPG key and try to do something with them. So this is an interesting source, just like my own experience. In addition, LinkedIn is a known target, as are generic technical mailboxes such as marketing@yourcompany.com or contact@yourcompany.com; these mailboxes are very often the subject of phishing. However, I wanted to sum up that regardless of whether we use ultra-advanced anti-phishing solutions or cloud mailboxes, targeted attacks will always get through, so it is not worth trivializing this problem and you have to think about it.

I will go through some examples of spam, some phishing emails, and show you what the patterns are. It is really a short introduction to what we see as a bank; maybe you see it too, at the right scale. A zip attachment with some malware, sent with the password in the mail to get around possible anti-spam filters. Quite a simple case, but how effective; who would not open such an email? The second example: like a rar, but it is not really in the rar format. As you know, anti-spam gateways try to go into attachments, try to read them, try to verify what is inside. I do not know if you have ever tried to send through Gmail an email that has an encrypted archive of names and files. It cannot be done, because Gmail just checks whether you are sending any prohibited file types. Anyway, here someone came up with the idea of sending a rar that in fact is not a rar but an ACE-type archive, so old. Maybe you once had the opportunity to use it.

Also, it turned out that many anti-spam gateways do not understand such attachments: we think it is a rar, so we do not care, it is probably safe. However, if we try to open it as a zip, the file does not open. A nice example.

An example from a different barrel: again an attachment, but nobody bothered to pack it in a zip or ACE. Here it really is a Word document which contains macros. Here it tries to exploit something in Word; it seems to me that it is related to the handling of equations, but I do not quite remember. Either way, the effect is similar to installing any other malware.

It is getting more interesting now. We have increasingly sociotechnical scenarios. In this case, something needs to be done because the mailbox will stop working; who would not click? I think a lot of people in the company know, however, that they must continue their work. The criminal asks for personal data here, contact details for the mailbox, I do not know what for, but he can definitely use them to break into other accounts, on Facebook, because everyone uses the same passwords everywhere. Either way, these emails also come; they have, as I said, a more sociotechnical dimension, but there are also cool things. For example, I got caught, I do not know if you would also get caught: this is not an attachment, this is a picture that is a link. It looks like an attachment. Very nice; I think someone had a lot of imagination to create something like that. This link directs you to a file on Google which is directly downloadable, or to a site that does something. Anyway, even though the content of the email itself says not to click on it, I mean it is automatically translated, it does not really mean anything. It seems to me that the attachment itself is very tempting to open. An interesting example; I caught myself on it.

Of course, if we are talking about working in an institution like mine, a financial one, keywords such as "SEPA" or "IBAN" you immediately associate with the fact that something important has come and you have to forward it to the team that deals with payments; some criminals probably act that way too. Here are some examples where the choice of words and the selection of content can reach the chief accountant, someone thinks it matters, and in this way it can reach the right people in the company. The examples are analogous: they are different links which lead to strange places. These can be Word documents which have some strange macros. Okay, there are such examples. You have to repeat the password; this is the most important thing in this whole email. Of course, the scenario is similar to the one about increasing the size of the mailbox; however, here the situation is different: you just need to enter the password in the email, and write it again so that someone does not make a mistake by accident. This can actually be an interesting case, to check how many people would respond to something like that.

Anyway, you will probably tell me that most of these emails are obvious to detect. Who would click on them? People click. It struck me, especially working in the consulting company, where as part of legal simulations various types of phishing emails were sent. These emails really went to their recipients and someone always opened them. Of course, it depends on how good the phishing was; maybe you can do such good phishing that someone will always click. This is my opinion; protection in many layers is also important. However, they click, regardless of whether it is a scam from a Nigerian prince, which repeats itself very regularly, one of the cases I showed, giving the password again, or something more complicated; people click and even respond. This is an authentic example of a reply to a phishing email, because someone repeatedly tried to open it. Malware would have been installed many times. Either way, if we try phishing we address people's emotions; it works like that. Here, for example, there is some debt collection, so we are trying to play on these emotions. People act emotionally and fall for this scenario. However, let us remember that criminals do the same. Showing what the scenarios are: you should stick to these regular scenarios and try to reproduce what actually happens, not something simple which may not be a real situation.

Another example of a real simulation; I think you may also like it. How do I know people click? This is an example of how people click, at a scale of thousands of employees. I do not know if everybody got this email, I do not know if everyone was at work, but you can see that we have about 140 clicks within an hour, then it decreases a bit. We have periods that we can distinguish: work after hours, the first people at work from 5, morning coffee and the first emails we read at 9am, lunch break, when the clicks automatically drop. Such charts show that it is worth doing something like this, and I think it can also help convince you that phishing simulation, or broadly understood education, is something very important.

As a security officer, as I said, working in the company that was doing such tests (and many other companies offer such services), I did not have this awareness, I did not feel the burden that I am really responsible for it. In fact, only working in a bank, in an organization which is struggling with this problem, raised my level of awareness in this aspect, because I really know that many things depend on one email. However, there are several problems, and I wanted to discuss them now. For me, this lack of awareness of threats is very present. Very often, for example, when you talk with your friends or people from work, people underestimate phishing. They should not do this, because more and more often targeted attacks occur in large organizations. These targeted attacks can take really advanced forms. Here I mentioned a few, those related more to the financial industry. Nevertheless, it seems to me that it is worth referring to this when someone asks you why to spend money on education and things like that; these cases are simply the possible losses associated with such things.

In addition, what I look at as a security officer is the mix of office and private environments. I am not against it, of course; let us use it, but let us do it in a good way, if you want to work safely. I suggest you think about whether, in fact, if someone works from home, does he have the same protection as in the office? If you have a gap here, I suggest you think about it, or go in the direction that people working from home have a good VPN; the lack of routing traffic through the company infrastructure that has some security mechanisms raises some risks. Also, the fact that people increasingly work from home, work privately, can make them more and more vulnerable to threats, and the possible consequences of these threats can be fatal for the company.

TLS everywhere: malware also encrypts. If you have bought great solutions, IPS, IDS and other monitoring, you have mapped the entire network, and the malware encrypts its traffic, you will not see anything. I also suggest you pay attention, if someone tells you that there is a great solution that taps the network and searches all traffic, please wait and check whether it will actually work, because in practice it is not always possible. Of course, let us invest in multi-layered protection; I am not saying you do not have to do it, because for me it is also very important to look at what the market offers. Of course there are advanced firewalls, sandboxes, IDS, IPS. The words machine learning and AI appear more and more often in security, but it is also worth training the AI we have in the company: our people. Someone forgets about this too, so let us remember that educating people also builds protection, and that is why I am going to show in my presentation that one opened email can have a very negative impact on the company and spoil many things. See the examples of malware which was circulating on the net. However, the other side is also worth looking at: if these people are educated, even if someone clicks, if they report such an email in a small targeted campaign, it can save the whole company, because you really know where the source of danger is and how to deal with it. I think this is also a nice aspect of all this education, and it is worth looking both ways.

We are now going to the technical part. That was an introduction to tell you my point of view. I do not know if you agree with it, but these arguments reached me too only after some time. Anyway, how to send an email well? Why do I talk about it? In fact, the phishing simulations we are talking about today require sending these emails, so it may be a little obvious; however, for many it can be a barrier.

So what if we have a tool that makes it possible sending e-mails? So what if we bought a solution if in fact, we have a problem with placement, how this mail wanders through the network Shortly – MUA, i.e. a customer who sends this e-mail, MSA, or Message Submissive Agent, MTA, or Mid Transfer Agent, MX – email exchange, and MDA – Mail Delivery Agent Of course, these functional blocks can be included in specific devices It does not have to be that specific in all devices Surely MSA from MTA can be combined Either way, sending emails takes place in this one way Here is the submission protocol SMTP again via the internet, possibly LMTP, it depends of course on technology, I showed it on Unix example Anyway, this is how an email from root@baadk00d.tk to my other domain You need to pay attention to several areas The first is the connection that goes through Internet We will talk about it – why it is so important and why it can affect success or the failure of a phishing simulation, and these two DNS queries The first is to question, that is, when the MTA send an email to MX, inquires for a record A for a given IP address if it is so strange it often ignores these emails or classifies as spam It is worth it to be solved for what is sent in the field HELO or EHLO or possibly the domain name itself, from which someone sends an e-mail The second question is the SPF record question, which also strongly conquers the credibility of this communication I told you about it, I will tell you in detail Encrypting transport – you probably know how to mail to gmail will come unencrypted, an alarming red light appears This indicates that gmail is looking at it Nobody knows exactly what gmail algorithms are guided by to enter your anti-spam filters, nevertheless, I think that we should be aware that using TLS is very important here, however, I do not know, or you know, but this TLS between these mail servers on the Internet, it’s really just on paper, because it’s real no one verifies 
these certificates, these certificates for e-mail servers cannot to be trusted I do not know if there is verification by domain name, for example CN in the certificate, however, these certificates themselves are not trusted So if something tells you that we are safe e-mail connection, because we have certificates on both sides, this is not true, because these certificates can be incorrect and it will work for us Source address verification – I’ve already said that Of course, this is not a problem if you are a domain owner it is not a problem The Sender Policy Framework is something that already exists it exists very long Applying it says who is authorized to send e-mails on behalf of a given domain, so if I create an SPF record for my domain, who says that this IP can send, if another IP will try to send an email on my behalf this will be classified as spam These are the mechanisms that can cause that your domain will be credible, also me, following these rules while doing phishing, when you had to do it to order, and it was difficult to white-list, that’s it I managed the areas However, as to the content, of course it is still there wider area, because sending bulk-mail, 10,000 mails for gmail, it will be very much quickly detected How these mechanisms work are also worth it to read, it’s quite an interesting topic Here I showed you the documentation of such a tool Pyzor, which does checksums of content and reports them I do not know exactly who owns these domains, nevertheless, it works in such a way that motion is detected where these subtotals are more and more agree, the mail is bigger the probability that it will fall into phishing Interesting, it’s also worth knowing these rules, if you try to simulate phishing, knowledge of these rules can allow you to create a series of e-mails, which, however, will not fall into these rules Anti-spam filters obviously promote emails, here are my three comments: with a link to cancel subscription, with the signature of the 
DKIM message This is another layer of security, enough breakneck to set it up for an exercise, nevertheless, it will certainly win credibility And it is very important that it has both formats, this is also interesting, for example if you write an e-mail on your phone if you have an iphone

line, where only part of the email is displayed, this is just plain-text mail, if not it’s empty Therefore, sending an email only in HTML causes that it too loses credibility, because there is a chance it’s just phishing Of course, trust in the domain and IP’s very much it’s easy to lose This is even such an interesting story that when buying a VPS second hand, we can get a VPS, which is on the black list, so it is also worth looking at it, before attempting to run such a campaign and if necessary, it should be checked or think about something else Here is a bonus at the end I do not want to talk too much about such examples, however, it is also worth noting that sending an e-mail, the very protocol of sending an e-mail it is very old, it has many shortcomings and new technology is introduced somehow they improve it, but not completely Here is a very simple example – we send an email as an ESMTP command from one domain, and we have the main message from the other domain Which will show up in the client? Okay, the other one will show up What is an interesting phenomenon, and even if we are talking about postfix type servers verify SPF or DKEM, or any other mechanisms, they will just refer to this header, everything is great too, because we’ll turn it on to this domain, while nobody is looking at it, of course you can do it additional filters apply Postfix itself has such capabilities through filters on headings It can also help with the technology that you could heard about – demark This is a set of mechanisms, which allows you to report violations of certain policies, about which I spoke earlier, like DKEM and SPF, but also lets you determine how much you agree, for such behavior What does this mean and why does it work at all? 
I do not know if you’ll agree with me, but you know how mailing lists worked once This is a bit of an analogy – if I sent something on the list, other people received it, here was a mailing list mail and here was a mail the person who sent something to the list What I said is something that can be used when phishing is made as an order, but if you do it in your company, then personally, I will tell you that it is not worth it because really, it’s a lot of work to put in, many possibilities of failure, but if you do it internally, I suggest you to white-list, you do not really realize of how strong the security is in form of anti-spam gates, or other security devices you’re really researching people You should have free access to these people Gmail and Office allow you to easily white-list some IP I do not know, I do not use – you probably know better than me However, I simply say – in the case when you manage the infrastructure and you want to do it entirely internally, I suggest it Take advantage of the approach Okay, let’s go to the last part I think that the longest and the most technical one When I came to work for Alior, my supervisor told me that I need to do phishing, but he told me that we are not doing it on the 5, or 20 employees, we do all of them There are about 10,000 of these employees and yet if you think about it technologically, it is not such a simple task, because a task to be carried out on the organizational side, which must be done, but also technologically this is a big problem Nevertheless, such an exercise on the 10 thousands of employees made me aware how important it is to anticipate certain individuals Imagine what will happen, how suddenly 10 thousands of employees will get phishing – they will start calling the desk service The desk service will be clogged Then they will start to walk with laptops, they will start to disconnect computers, because they got infected They’ll start calling the security department and all phones are ready 
to answer A very nice exercise – it shows how people react, shows what needs to be further improved, how to reach people so that they know what to do in general in the event of such a threat, because really it is purely hypothetical when we create such a policy how to cope with phishing, we say: you probably have to do it; however, a real exercise at such a mass scale shows what weaknesses need to be further improved Sending mails, as I said, is not so simple It’s from what I said for a moment, but queuing is also a technical problem that number of emails to collect statistics However, what you do not usually do and what I think is the most important, what you do not do when you order such tests from outside this is the educational aspect In fact, I think it’s about education, however, this is often overlooked, because

it seems to me that companies that do exercises on order, they come with a report, we managed to save so much, we looked at the company, Yes great However, there is no real value for the employee, because if we do not tell employees what was wrong with this email, if we do not tell employees, what feedback was or if they clicked at all, because they may not have this awareness, it’s totally this exercise no longer matters How can this be done? This is ugly, I know, those yellow boxes with red ones the border is very ugly, but it seems to me that they perfectly show how to deal with it If there’s any phishing and if we tell people, how can they detect such emails, I will say from experience that they will start with time pay attention to such individual elements And if something disturbs them, something is wrong, then they will click on some link, they will see that it is directing somewhere else, they will see that there is a problem with the signs they’ll look at this e-mail more and will finally send it to you security department or just they will ignore it, and it’s okay Another example – you can multiply them, of course, and match the scenarios, this is the unfortunate example with an attachment, which is not an attachment Nevertheless, if people work with such mails every day, we’ll show them to them, they will eventually learn Of course, as Alior Bank, we also appreciated it, because it really works, I’m not kidding It was not my idea – it was an idea that was in our team and I found it, but I liked it very much, everyone liked it, that’s why we’ve initiated such a campaign, so that they can teach clients how to detect it, because in fact, as a bank, we have a large responsibility towards our clients and if we do not tell them how to detect such phishing where various banking threats can fly, which are trying to take over clients’ money, no one will show it to them Also, I personally recommend this website It shows some examples, both on the site Alior Bank, 
but not only shows some cool real cases phishing that can be shown technically How to deal with this Give feedback – I also talked about it on the previous chart If we write generally to the whole company, that there was a phishing simulation and it looked like this, okay, it will certainly bring something However, if we write directly to the person: ,, You clicked, do not do it, read, go training, here you have how to report. “, this person will understand After all, if we have such recidivists, who are compulsively clicking on these emails, they will finally understand, they will bookmark these links you have to grab all the funds Opening such an email can lead to bad things So much for the non-technical description As for the technical description, I will show you my tool I said that I got such a task – 10 thousands of employees and make phishing It was not that easy because we know how to send emails, we have technical knowledge to do it right However, it turned out that, however, the coordination of this technically it requires a lot of knowledge so I’ve set goals for myself that I need to achieve, to do this exercise regularly, every 2 months, once every 3 months scaling; campaign template definition so it can be repeated many times Hosting your own content, making some landing page someone enters the site and gives his details; definition of goals in a flexible way, i.e someone entered the site, clicked on the link, that it also counts to make statistics and real-time events it was good to look at them while working So I saw what are the solutions on the market At the moment it was 2 years ago, also maybe it has changed, in the end you can correct me, when you will ask me questions – I will be happy to listen to you I saw 2 solutions – an open-source office and the second commercial category regarding Gophish It is very nice, I recommend If you have never had such a tool to deal with, it is very simple, allows you to lead you by the hand, and you’ll do a 
nice phishing In my case, it had some drawbacks First of all, it had a rendering on the side front and filtering of all content on the front side, also how it loaded 10,000 employees, this browser broke down And finally, I had to get one out of the base, because it could not be pulled out of the front Of course, there were other disadvantages which they did not meet my assumptions In contrast, all commercial solutions I rejected at the beginning,

because as a bank, we had a problem some things to store in the cloud, besides, they are paid and there is no fun in that I made a tool that is quite extensive, I think so When I say this to someone, they say that it’s complicated I am happy to listen to your opinion In fact, Rails and Rubi are the base of everything which is on API support, API is for admin, that is to the front, or any public API that serves content We also have Sidekiq, which works on the same account that Rails Sidekiq is used to perform long-acting events, like sending emails In Go Office everything is in one binary, we run the binaries – one binary sends e-mail, the second serves the front, does the back I do not like this approach, that’s why I made it seperated I think it is a cool approach and it works well Of course, to Redis, to cash and do internal communication And a Postgres base because I’m a fan of it What is the strength of the tool itself and what caused its success it that it works with for us very well, because we use it, is that this infrastructure is quite strong fragmented and loosely bound In fact, most of the long-running tasks, Like campaign or victim, it works simply as jobs These jobs communicate with each other, they say that there is something to do, to create, there is something to send, as in this case the campaign creates many workers for victims, they communicate an e-mail in the mailer, which they only have sent it outside Then it answers back that everything is okay At the moment when all the workers for the victims they will stop living because they will do their job, the mine is restarting another pot, next 5, 10 or 15 you can easily save it anyway a large number of people The second plus, which was also significant for me, when we have a lot of traffic, and the resources are valuable to us that the clicks we collect are the events from the front, which we present as a landing page for a potential victim, they are first impregnated in Redis, and only then are 
they thrown into the database through such bulk-in ports So we do not have mass references to the database, that could clog it, could make the interface stop responding, we only have to supply this base from time to time data for individual events Simple, but I needed it It´s what I copied from office, but it seems to me that it has expanded strongly, templates, template language Mail can be freely described as specific victim, that contains the individual components, includes pictures This is the language of Liquid, I don´t know if you have heard about it But I created custom extension that allow you to convert certain elements that are in the pump to links because the resource is available everywhere, you can use the resource in the mail, You can attach it as an attachment, as the e-mail text The resource can also be displayed on the page and create a complex campaign which I will expain soon On the other hand, event reporting – these reports, these types of campaign objectives It can be really a lot The execution with help of HTTP request, so really to create and define the pump and then use this in a template, it will be converted into URL, which if you call in the context of the victim, It will mark that a goal has been achieved Similar with resource- if you want to use it, and for example, include an image we can do it similarly, using a helper as a resource What is also cool is that resources can be included in itselves Each can be a template so you can build such a small CMS that allows you to host a lot of things There is also a lot of other functionalities, which I won´t discuss in detail What I did recently – it is an import / export campaign template, which is very cool, you could make a small library, you can try to move them, you can duplicate them when we need to work on them Resources that are sent, the attachments, for example, can be transformed This is an advanced feature that is not yet documented, however, we used it successfully to send Word 
document to the victims that has a macro, which has a link to the individualized assessment purposes of this Word,

then pack it in a zip file that is encrypted by individual password embed this password in the mail We also slow the process of seding mails so called a token-bucket process And as CSV export statistics Everything is in GitHub, you´re free to use it I have a small demo, the demo is not live, because they never work out But I will tell you everything Okay, this is an interface that is divided into mailers, which is responsible for sending mail, we can define the name, on behalf of someone we send an email, with such a host we can connect, we have authentication Groups of victims affected by phishing, we can import from a CSV file, we can add and filter It allows you to easily create groups, the combined data areas of the company We can also determine the gender, because sometimes it also is important Campaign templates, they are composed of several sections We have plain-text email, HTML email we have ULR landing, or which resource will be loaded, if someone enters, the link you enter into in content We have base URL, which is the link to the IP, that shows us where the bomb is What is the definition? 
Here you can stop for a moment, because it is much different from this, what is the trend of tools on the market This is not a tool for this, to look cool It should work well, because I wanted to achieve great flexibility in defining everything For me to write HTML to create a campaign template is much more convenient than using the editor, which then you still need to improve On the other hand, here is an example of embedding the image in the body of an email, by calling the key words ,, embed ‘, it is in the documentation, if you are interested There is also plain text of email, which is right here Objectives – define the objectives of the campaign in a separate tab They have their own unique code in the template, which is then used technically It is automatically generated, they also have their scores Resources – here too we can stop for a moment Resources are loaded and can be any things which are deposited on the landing-page or in mail Here is the entire boot included You can make a small CMS out of this, I think that this goal has been achieved In contrast, attachments can be added separately These attachments are also based on resources, so by using the resource as an attachment and creating an additional file we can provide someone an attachment The mere sight of the campaign It allows us to create multiple scenarios Of course, the pump can run the same campaign at a certain time, it can also end it, but we should´t use it because we prefer to have control The campaign itself consists of a number of scenarios, because a scenario is a connection of these three elements, which are discussed earlier, the template emboded in the contex of a mailer which is something that sends e-mails; and groups, or people to phish as part of the exercise The creation of such a scenario It allows us to launch this campaign – mail will be sent The whole machine will start to run and then these e-mails will be put in a line Demo shows how the mail comes, and here is an example, 
it is not it, it is an old mail that I had in the inbox when I recorded it, but it is a real email. We can imagine that this is the HTML that was written there. This button directs to a landing page which has been defined. It can be complicated, it can be simple. Here, in the background, JavaScript is used, which on typing makes an HTTP request that transmits the first character of your password and user name to the pump. The reports mark it as a goal, so we see that something is happening. Here is a confirmation page; the next one will appear soon. I have seen it; it is periodically asked. Entering credentials and the view in the context of the victim allow us to verify a lot of information, if someone didn't forward this email, because you can see from what machine it has been run and what method was used to make the request. It's technical information, but I'm a technical person, so I needed it. The view within the campaign scenario allows us to control the course of the current campaign. Here we have the status and the individual elements – rather simple. Well, it was a demo. However, this is how it looks in reality – so, for example, this is a large monitor on the wall; you can see how often people click and you can say: "So, this is a colleague from another desk." I recommend this because it's an experience, also a positive one.

At the end, something that I personally use for development of production and to broaden my own horizons. Work in security is not always associated with the configuration of things; it is practically impossible to do anything related to configuration. On the other hand, you have to tell people how to configure it, so you might want to know how it works. What I want to show you here is how to put the pump into Docker swarm. I will not do this as a large demo; it is an example published by me on GitHub. Yes, there are a few applications, because as I said before, the pump consists of the application, Cruise, Redis is there, Postgres is there as well. I wish you luck if someone is going to use it and set it up. If you can put it in one Docker container, in swarm, or in a Docker Compose, it seems to me that the likelihood is much greater, not zero. Anyway, this setup, which is on my GitHub, lets you set up the tool from scratch. There are a few tips on how to configure them. Today I put there what I use at home for swarm. I use Traefik – I don't know if you know this solution. What I wanted to show you is that there are some problems related to the configuration of such a tool, because everyone says "nice tool that sends e-mails", but you need to get a domain, it must be redirected to the server, a certificate would come in handy. However, because it can send sensitive
data, so if you are to make it public. We have yet to have an SMTP so these e-mails can be sent at all. It builds more and more problems, so I took Traefik, which is such a nice server, perhaps you know it; through labels in Docker you can very easily add new hosts. So if I put a label with the same name within my stack's machine, Traefik automatically detects it, pulls a certificate and installs it. So really, in a few minutes I'm ready to go. However, this does not avoid some problems that must be solved, for example creating a domain, buying this domain, attaching it to a given IP address, and in general maintaining what we need; this distinguishes it from the commercial model, where you can just buy the service. Either way, it seems to me that when we have this tool and we know how it all works, this tool becomes a curiosity.

I also use this solution so as to have easy and fast deployment. I'm not a developer, so I do not write tests, for which I apologize; however, the easy way (public comment) I need a delivery, but because any replacement means doing it again, compiling the package, because the individual components of the pump are in Docker, doing a build on each container, pushing it to the registry, deployment of this is something very risky. I also use something called Drone; I don't know if you know it; it works very well. I assume that you know what Docker swarm is; I do not know how many people know, because it is no longer so fashionable; it works very well, I think it automates a lot. I can show you what such an exemplary CI/CD pipeline can look like; I think it actually works and I even have this video as a bonus. Like I said, I needed a quick solution, pushing to individual packages so you can easily update them, because if the pump is made up of several components – we have the front, we have a relationship with some API – the individual components are loosely coupled, you have to throw them in containers and you have to build them; therefore, an example of how this can be taken to the manufacturing process. Here an npm update package is installed, and there are some additional things you need to update from time to time. On the other hand, pushing it to the repository, since I'm using submodules within the image for each element, doesn't update these submodules, so a CD such as Drone will work just fine; by doing that push, I can easily upgrade the Docker image. I do not have to do that manually: I add a commit, I update one package, it's quite easy. After pushing, go immediately to Drone; I do not know if it ever did. It is an exercise that I've seen and it seems very cool. It is a tool that is used to build individual Docker artifacts. Here we have a simple script that pulls the pump as a JavaScript package and pushes it to the repository as a submodule of pump-docker; you will also see the commits; it is constantly updated, that is, each commit to the source repository updates the Docker repository. I did not want to show this to the public as a whole CD on my side there; therefore I created a second job that builds each element: it builds Redis as a Docker image, builds the databases, web, nginx, and the applications, for example Cruise, and it deploys it to my Docker swarm on a single host. The whole process makes my development much easier. I do not know if it is obvious for you; for me it was something new. It taught me how developers are now working and how to talk to them. Therefore, as I try to do it, I try to do it well, exactly like I want it to be done, because then talking with developers and admins is easier for me, to say what I expect. Well, that would be enough. Here was the whole pipeline, quite simple. Do you have questions?

(Audience question) "Why Drone, and not, for example, GitLab CI? Is it different at all?"

I do not know how it works in GitLab, but from my perspective Drone was native to containers. Generally Drone, for every job used to build a new pipeline, fires in a new container, which is to say that the container for building the data repository is automatically created based on the image which you predefine for it, and the image starts each command that you do. Then the image is working. It is very light and freely allows me to work with such a small number of projects.

(Audience question) "You said at the beginning that in these phishing emails the password is sent to get past spam filters. How does that even work? How does this password make the email more reliable?"

It isn't more reliable. I mean that spam filters are looking into attachments. If they are encrypted, they are not able to see what is inside. Simply put, maybe I used a mental shortcut, but generally I meant that without the password, spam filters would see the attachment and it would stop it. If there is a password, the user must provide it. Once, a colleague said he was looking for programs against malware which will use a line of the e-mail and then try to use it as a password, but there are no such solutions on the market. That would be cool.

(Audience question) "How much did you have to talk to people from your company, with security, to make it work?"

Am I the security? (laugh) Of course, I had to talk to admins, but it was not easy. There was no need to open a lot; it's a matter of architecture. I will not go into details, but notice that I showed here a setup based on containers, but you can put it all on one server, as we put it simply, together with the admins, completely internally.

We took advantage of the fact that we could have all the traffic internally, controlled by any DNS. Good point. But I referred to the generic situation, because sometimes it's nice to have it outside, and of course there are some risks, but on the other hand, taking it outside, we can detect when someone is forwarding an email to their private inbox or tries to open it on the phone. There are various situations; we will not always cover it like this, but if the infrastructure allows us to include it within the company, it is better to do it internally.

(Audience question) "Is the code on GitHub? Surely it took a little bit to release it publicly."

Yes, it is private; it is not a project in any way associated with my employer; I was doing it privately in its entirety. This is a private project which I do at home, to satisfy my own knowledge. Thanks. (Applause)
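The swarm-plus-Traefik deployment the speaker describes, as an added example that is not the speaker's published GitHub stack: only the web front is published on 443 and gets its certificate through a Traefik label, while Postgres and Redis (which hold the captured credentials) stay on an internal overlay network with no published ports. Service names, images, the domain, the stack name "pump" and the ACME e-mail are assumed placeholders.

```yaml
version: "3.8"
networks:
  public: {}                 # Traefik reaches the front here
  internal:
    internal: true           # Postgres and Redis are reachable only inside the stack
services:
  traefik:
    image: traefik:v2.10
    command:
      - --providers.docker.swarmMode=true
      - --providers.docker.exposedByDefault=false   # route only labelled services
      - --entrypoints.websecure.address=:443
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --certificatesresolvers.le.acme.email=admin@example.com   # placeholder
      - --certificatesresolvers.le.acme.storage=/letsencrypt/acme.json
    ports: ["443:443"]
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    networks: [public]
    deploy:
      placement:
        constraints: [node.role == manager]   # needs the manager's docker.sock
  front:                      # the landing page / web front of the tool
    image: registry.example.com/pump-front:latest   # placeholder image
    networks: [public, internal]
    deploy:
      labels:                 # swarm mode: Traefik reads deploy.labels, not container labels
        - traefik.enable=true
        - traefik.docker.network=pump_public          # assumes `docker stack deploy -c ... pump`
        - traefik.http.routers.front.rule=Host(`campaign.example.com`)   # placeholder domain
        - traefik.http.routers.front.entrypoints=websecure
        - traefik.http.routers.front.tls.certresolver=le
        - traefik.http.services.front.loadbalancer.server.port=3000
  postgres:                   # no Traefik labels and no published ports
    image: postgres:15
    networks: [internal]
    environment:
      POSTGRES_PASSWORD_FILE: /run/secrets/pg_password
    secrets: [pg_password]
    volumes: [pgdata:/var/lib/postgresql/data]
  redis:
    image: redis:7
    networks: [internal]
volumes: {letsencrypt: {}, pgdata: {}}
secrets:
  pg_password: {external: true}   # created beforehand with `docker secret create`
```

Adding another host is then a matter of another labelled service in the stack, which is the point the speaker makes about Traefik; anything without `traefik.enable=true` is never routed.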