Rapid-fire talk going through a number of topics that we'd pre-selected...one slide on the question, 1-2 slides on an answer....
Much goodness; for reference, here are the subjects:
Planes: Let's go from myth to reality in a couple of slides, including updates since 2015
Transportation in general, cars, trucks, trains and ships….
Why can we still do this?
What’s not changed?
The technology, reactive, static vs. predictive
The humans, why do we ignore them?
Why this needs to change…what does the future hold?
Why DO we stare into the abyss, why do we continue to deny it
Hacking humans, molecular
Hacking humans, consciousness
Why DO we need to fix and HOW do we fix it?
Fix the human
Fix the basics
Intelligent systems working collaboratively with us
Augmented intelligence, the science of giving us the edge.
Collaborate
2. A Hackers Contemplation
Where Do We Go From Here?
Chris Roberts
Chris@hillbillyhitsquad.com
Sidragon1 (LinkedIn and Twitter)
3. Agenda
• Quick intro slide
– What IS the kilted hairy thing doing here?
• Transportation
– Planes, trains, ships and things
• State of the union
– Why’s everything still broken?
• Humans
– Evolution or dystopia
• How DO we fix this mess?
– Taser the vendors IS one option…
• Closing thoughts…
– Wise words from Martin Luther King, Jr.
5. The Purple Goatee…
• In the InfoSec/Cyber industry for too many years...
• Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
– Researched a whole lot more…
• Working in the lab, consulting with Attivo, HHS, etc.
– Why? Because I need to work out what I want to do…
• Currently researching humans, AI, ML, and consciousness computing…
– Because there’s better ways than passwords!
– Because the future’s not already scary enough
– Because we’re heading off the cliff…and we need to wake up
• Might also have a whisky collection that borders on the obsessive…
– Occasionally travels with the whisky football (thanks Inbar!)
14. Trains, Signals And Rail Yards…
• Rail yard, run by a 3rd party, manages freight across the entire country.
– TELNET access, ID=Admin PWD=Admin1
• GE-EMD Locomotive
– Cellular, rail-line or network access to the train
– ID=Admin PWD=000000
• ElectroLogIXS switch (scattered ALL over the USA.)
– Allows signals to be interrupted AND changed…
– Man NOT Present, bypassed. PWD=password
– Can change signals from RED to GREEN etc.
15. 3 years of research and NOBODY is listening yet.
17. Introspective…
• So focused on red teams and breaking things we forget WHY we are truly here.
• Our charges who rely upon us to protect them are looking at us wondering WTF.
• We keep blaming our charges AND we keep increasing complexities.
• We spend more time building band aids than actually FIXING things.
20. Safety vs. Security
• Humans have evolved over the last 50-60,000 years.
• Humans have always been targeted, depending upon various circumstances.
• We UNDERSTAND safety.
• Security is NOT part of our language.
29. By The Numbers
Because in 2017 we “lost” 2 - 3 BILLION records… (ish...)
Numbers are between 1.9B and 8B… (Yea, we can’t even work out the right numbers…)
32. The 9 Circles Of Hell…
• Circle 1: Limbo: That age old Microsoft wait state…
• Circle 2: Lust: The new tech…just like the old tech
• Circle 3: Gluttony: All those dongles, all over again, Apple!
• Circle 4: Avarice: Falling for another Nigerian prince…
• Circle 5: Sullenness: Continually staring at that screen…
• Circle 6: Heresy: Facebook IS evil and there is NO privacy
• Circle 7: Violence: Cyberbullying, no more words needed
• Circle 8: Fraud: Technology used against us daily…scams, etc.
• Circle 9: Treachery: Arguably all parties betraying the other…
34. 2017…
Swimming nanorobots. Direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses.
Nanorobots being taught how to code. In this case, recognize the differences in certain chemicals.
37. Mapping The Brain…
Left: Recording my brain interacting with my test computer.
Right: Replayed a heap of times along with phone and two other devices.
The brain interacting with the various systems: get a baseline with some deviation.
43. The Revolution
• The industrial revolution went from 1712 to 1913 or so…
• We went from steam to mass production of automotive transportation, aviation, and everything in-between.
• We’ve had computing power for about 80 years and have changed EVERYTHING from transportation, communication, food, health, shelter, etc.
44. The Consequences
• Technology usage is in the hands of the many.
– HUGE gap between developing/developed nations.
• Fewer still understand how it works.
– And fewer still understand how it’s fragmented.
• Fewer still understand how to protect it.
– And we have almost NO diversity.
• We are handing control over to machines.
– We don’t fully understand the repercussions.
– We REALLY don’t know who’s got control…
46. Back to Basics
• The human:
– 1 hour of awareness training PER year
– ½ session of “don’t click shit”
– ½ session of “don’t send shit”
– No understanding of balancing work and life security
– P@ssw0rd1 used at work and on Facebook etc.
– Thinks the “S” in HTTPS is for wimps
49. Back to Basics (2)
• Your computers:
– The ones on the FLAT network running W2k
– The ones in the warehouse running XP
– The ones the vendor said don’t touch
– The ones on the Internet with RDP!!
– The ones on the Internet with 1433/3306/Etc.
– The ones you don’t even know about!
51. Back to Basics (3)
• Your perimeter:
– Accept it, you don’t have one
– The laptops, iPhones, IoT took your control away
– Computer No1 on YOUR network is hacked
– 2018’s NGIPS/UBA/NGFW isn’t going to help
– Reactive, static defenses suck and don’t work
– There is NO cake, no fairy and NO simple answer
– Start looking at preventative, proactive, predictive
53. Back to Basics (4)
• Passwords (still)
– Stop the re-use!
– Teach pass phrases and password vaults.
– Teach separation/segmentation
– 2FA, it’s NOT hard to integrate
– All your users DON’T need to be admin!
– All your admins NEED to be separated
– All your developers DON’T need to hardcode
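"2FA, it’s NOT hard to integrate" is a claim worth backing up. The block below is an added example, not code from the deck, implementing time-based one-time passwords (RFC 6238 on top of RFC 4226 HOTP) with nothing but the Python standard library: code generation, verification with a small clock-skew window, replay rejection (a code accepted once is never accepted again), and the otpauth provisioning URI that authenticator apps scan. The shared secret used in the tests is the published RFC test key; the account and issuer names are placeholders.

```python
"""Stdlib-only TOTP (RFC 6238) with replay protection. Added example; the
secret, account and issuer values below are test/placeholder values."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(key: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: dynamic-truncate HMAC(key, counter) to a zero-padded decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    t = int(time.time()) if at is None else at
    return hotp(key, t // step, digits)


def provisioning_uri(key: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """otpauth:// URI in the form authenticator apps enrol from (secret is base32, unpadded)."""
    secret = base64.b32encode(key).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


class TotpVerifier:
    """Server-side verifier: accepts the current step +/- `window` steps, compares in
    constant time, and refuses any step at or before the last one accepted (no replay)."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self._last_counter = -1  # highest time step already consumed by a successful login

    def verify(self, code: str, at: Optional[int] = None) -> bool:
        t = int(time.time()) if at is None else at
        counter = t // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter + delta
            if candidate <= self._last_counter:
                continue  # already used (or older than one already used): reject replay
            if hmac.compare_digest(hotp(self.key, candidate, self.digits), code):
                self._last_counter = candidate
                return True
        return False


if __name__ == "__main__":
    demo_key = b"12345678901234567890"  # RFC 4226/6238 test key, not a real secret
    print(provisioning_uri(demo_key, "user@example.test", "ExampleCorp"))
    print("current code:", totp(demo_key))
```

The secret per user must be generated from `secrets.token_bytes` and stored like any other credential; the verifier state (`_last_counter`) has to live in the user record, not in process memory, or replay protection disappears on the first restart or behind a load balancer.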
55. Back to Basics (5)
• Get a plan
– Face it, shit’s going to hit the fan at some point.
– Be prepared, simpler to reach for the IR forms than wonder WHAT to do…
– Have the communications plan in place ready to go…
– Have the humans prepared. (No, not cannibalism)
– Practice makes perfect, headless chicken mode is NOT needed…
– Know the steps (OODA or NIST IR)
66. The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy.
Martin Luther King, Jr.