Oct2018 msp-css18-squished

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
Dec2018 istanbul-2
Dec2018 istanbul-2
Carregando em…3
×

Confira estes a seguir

1 de 137 Anúncio

Oct2018 msp-css18-squished

Baixar para ler offline

A combination of what's going on in the industry (InfoSec/Cyber) and what we need to do about it (Back To Basics)
Along with some things that might have been hacked....

1. A Hacker's Perspective: Back To Basics, Or Blinky Lights… Chris Roberts, croberts@lares.com, Sidragon1 (LinkedIn and Twitter)
2. Agenda
   • Housekeeping and the bearded thing in front of you…
     – We've got 137 slides to go through…hold on tight
   • The state of the union…
     – Passwords, humans and chasing crocodiles
   • All the blinky lights…
     – Anti-hacking software and other snake oil
   • Back to basics
     – How DO we get out of this mess?
   • Why now?
     – Nanotechnology, brains, and a cut on artificial intelligence
   • Time to hack something..
     – Trains, cows and shipping, what could possibly go wrong?
   • Final thoughts
     – Collaboration or eradication, it's our choice
3. …Humans Technology… Past Present Future Vs.
4. Some Quick Housekeeping…
5. Bloody hellfire, You Invited A Hacker…
6. Hackers!
7. The Media's Hackers…
8. Squirrel Hacker…
9. Slides… Yes, I'll make sure they are available OR business card swap at the end and I'll send them
10. Parental Warning…
   • This is going to be blunt
   • Feelings might get hurt
   • A few vendors might get tasered
   • The F word is on a few slides
   • We've run out of time for nice
11. The Goatee…
   • In the InfoSec/Cyber industry for too many years...
   • Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
     – Researched a whole lot more…
   • Working at Lares and consulting with Aavo
     – Why? Because we need to change this industry
     – Why? Because we are going to lead from the FRONT
   • Currently researching humans, AI, ML and consciousness computing…
     – Because there's better ways than passwords!
     – Because the future's not already scary enough :)
     – Because we're heading off the cliff…and we need to wake up
   • Might also have a whisky collection that borders on the obsessive…
     – Occasionally travels with the whisky football (thanks Inbar!)
12. So, How Are We Doing?
13. 2018 So Far…
14. Really Why? Because in 2017 we "lost" 2 - 3 BILLION records… (ish...) Numbers are between 1.9B and 8B… (Yea, we can't even work out the right numbers…)
15. And… We spent $90 Billion on Information Security related products in 2017… You think we'd be able to do better?!?
16. Recap from 2017
17. Let us examine the humans we protect…
18. Overall Statement: The beauty of humans is that for all that we err, we also have an equal capacity to evolve. We (the humans) are both the problem AND the solution.
19. Problem Statement… "HAVE" the capacity to evolve doesn't mean we ARE evolving…
20. By The Numbers
   • 5.5 Billion connected people… (in 2020 ish.)
   • Standard bell curve mix for tech/human/intel etc.
     – 15% understand or "get" security. (At most!)
     – 70% sheeple.
     – 15% can't even spell security or use 123456 as a password.
   • Globally 825 Million people who "get" security.
     – USA has 4.4% of global bodies, so our share is 36M people.
     – 36 Million represents about 9% of the US population.
   • So, now we know… 9% of the US population will understand security by 2020.
21. The 91st Percentile…
22. Passwords!
23. So, 2018…
   • 90% or greater of attacks against environments are undertaken using KNOWN exploits.
   • Most organizations do NOT have a well defined or integrated data security governance program.
   • 75% of the IoT manufacturers will not be able to address the security risks by 2020…
24. State Of Union: Summary
   • We are adding more and more complex technology.
   • We are handing that technology to a population that doesn't understand, or care about, security.
   • We are integrating it into our homes, offices, bodies, cars, lives…
   • We don't have enough qualified people to manage the current list of issues, let alone the future.
   • We don't have good eyes on our own environments…
25. WE'RE F**KED
26. But We Spend A Metric F**k Ton Of $$ On Security!
27. A Metric What ?!?
   • buttload * 10 = 1 butt ton
   • butt ton * 10 = 1 assload
   • assload * 10 = 1 asston
   • asston * 10 = 1 shitload
   • shitload * 10 = 1 shitton
   • shitton * 10 = 1 fuckload
   • fuckload * 10 = 1 fuckton
   • so to answer what IS a fuckton, it's = 10^3 shitloads = 10^7 buttloads
28. All The Blinky Lights…
29. Static Defense…
30. Static Defense (Mk2)
31. The Rack Of Blinky Lights…
   • You use firewalls; we went past those in the 90's and never looked back.
     – We still mostly ignore them.
   • You put IDS/IPS in place and we can bypass that.
     – Like a firewall but more expensive.
   • You use DLP, but leave ports open for web/client traffic…
     – Which we readily use to exfiltrate all the data.
   • You have patches… which are irregularly installed on some systems.
     – We know this, we exploit it.
   • You have antivirus…it's 3-7% effective and half the time is disabled.
     – Another one of those things we wave at as we go steaming past.
   • You have built in encryption, but the computer is ON which bypasses it.
     – And you only use it on the laptops…seriously?!?
32. More Blinky Lights…
   • You have "deep packet inspection," we've been bypassing that since 2012.
   • You have SIEM installed…and more alerts than a team of minions can handle.
   • You WOULD have policies, procedures and controls IF you could all agree…
   • You get a penetration test, but let's face it…most of the time it's a checkbox NOT an actual off the leash test…
   • You congratulate yourself when the auditor leaves WITHOUT finding the skeletons.
33. But! I Hear You Cry! I have RACKS and RACKS of NEW shit that I bought at RSA and Black Hat that's meant to protect me!
34. UBA: How the heck are we meant to run USER behavior patterns when we don't even know what they are doing most of the time?
   • "If it looks like a duck, walks like a duck, sounds like a duck…"
     – Then it's probably a bloody hunter in duck season!
   • Profiling…
     – Yea, how's that working out for us?
   • Retired FBI criminologist chap…
     – The risk of false positives is inevitably higher with behavior based security.
35. NGIPS: Shit! Sales of our traditional IDS/IPS units are slowing down?
   • Change out green blinky light for 2018's orange ones.
   • Ramp up marketing.
   • Tell people ALL the stuff we've been monitoring for years.
   • Drag out some statistics (finally something useful.)
   • AND…rebadge it as "Next Generation" IPS.
   • Use AI in there somewhere (nobody will know the difference)
   • Just saying…
36. ETD/EDR/RTP/C3PO? Endpoint tools and detection, endpoint detection and response and a host of other things to clog up your poor users' PC.
   • Companies had a hard enough time managing traditional A/V.
   • Your endpoint tool CAN be my attack vector.
   • How many of you know where your endpoints ARE?
   • HOW diversified are your endpoints? Included the crockpot?
   • But my auditor said we needed it… Then taser them.
   • You get the idea… it's used as a crutch and it fails too often.
37. Assets! How many of you KNOW what assets you HAVE, let alone where they are…
38. CrowdStrike, Cylance, CB, Etc. John did an awesome job of stating how they bypassed the tools:
   • https://www.blackhillsinfosec.com/tag/cylance/
   And:
   • BlackHat Europe 2017 had training on HOW to evade Cylance, CrowdStrike, Carbon Black, Etc.
   Simply put there's NOT enough substance behind a lot of the claims of using AI or Whitelists or other techniques to stop attackers from getting in.
   Lares: Over the last few weeks on a number of engagements we have evaded two of the above. Time to execute sub 30 mins. Attack vectors were both service accounts AND deployment packages and how it integrates with MS. You can't stop what you can't see.
39. Symantec Now Has Deception…
   • It's endpoint only, misses most of an enterprise
   • It's also only on the assets you know about…
   • It doesn't know or care about VAR/3rd parties
   • We've circumvented all endpoint protections
     – DEF CON gave talks on defeating them 2017/8
     – We still break past most of them today
   • Recompiling malware bypasses detectors
   • Rapid DoS of the endpoint because there's no memory gating.
   • It's a passive, bait based solution
     – It's worse than fishing in the middle of the sea
     – It's worse than that, it's false security
     – It will miss about 75% of attacks…
40. But! We Have A Crack Blue Team. How often are we discovered? How quickly can we obfuscate attribution?
41. Let's Cut To The Chase: Attacker will ALWAYS get in… The question is what are we going to do about it?
42. Our Options
43. Back to Basics
   • The human:
     – 1 hour of awareness training PER year
     – ½ session of "don't click shit"
     – ½ session of "don't send shit"
     – No understanding of tying work and life security
     – Minimal awareness on "why"
     – P@ssw0rd1 used at work and on Facebook etc.
     – Accountant by day, Genealogist by night…
     – Thinks the "S" in HTTPS is for wimps
44. Fix the humans
45. Change the conversation: Safety NOT Security
46. Back to Basics (2)
   • Your computers:
     – The ones on the FLAT network running W2k
     – The ones in the warehouse running XP
     – The ones the vendor said don't touch
     – The ones on the Internet with RDP!!
     – The ones on the Internet with 1433/3306/Etc.
     – The "new" one Frank in accounting plugged in
     – The ones you don't even log or watch
     – The ones you don't even know about!
47. Remove the easy ways in!
48. Back to Basics (3)
   • Your perimeter:
     – Accept it, you don't have one
     – The laptops, iPhones, IoT took your control away
     – Computer No1 on YOUR network is hacked
     – 2018's NGIPS/UBA/NGFW isn't going to help
     – Reactive, static defenses suck and don't work
     – AI and ML aren't going to save you either
     – There is NO cake, no fairy and NO simple answer
     – Start looking at preventative, proactive, predictive
49. Get eyes inside your world!
50. Back to Basics (4)
   • You!
     – Stop ignoring physical security
     – Stop protecting your users from SE "exercises"
     – You are ALL over the Internet, work out where!
     – Your vendors, partners, suppliers are leaky
     – IF they don't have a badge…taser them
     – Spend some of that NG-FW $ on locks
     – Spend more of that NG-FW $ on encryption
51. Look outside of your four walls
52. Back to Basics (5)
   • Passwords (still)
     – F1nux runs a site, the PROVEN statistic is at any one point in time a global company has LOST control of about ¼ or so of its accounts because of password theft/re-use.
     – Teach separation/segmentation
     – 2FA, it's NOT hard to integrate
     – All your users DON'T need to be admin!
     – All your admins NEED to be separated
     – All your developers DON'T need to hardcode
53. Education and simpler integration
54. Back to Basics (6)
   • A PLEA
     – Stop buying into the 2018 purple blinky lights
     – Stop buying into the hype
     – Stop accepting the free lunches
     – START fixing the basics
     – START paying attention to your users
     – START with the simple shit, most of it's free
     – START looking beyond the reactive solutions
55. 2018 Blinky Light…
56. Taser the blinky lights…
57. Back to Basics (7)
   • Get a plan
     – Face it, shit's going to hit the fan at some point.
     – Be prepared, simpler to reach for the IR forms than wonder WHAT to do…
     – Have the communications plan in place ready to go…
     – Have the humans prepared. (No, not cannibalism)
     – Practice makes perfect, headless chicken mode is NOT needed…
     – Know the steps (OODA or NIST IR)
58. Get a plan!
59. Back to Basics (8)
   • All's quiet on the western front…
     – As the book points out, NO it's NOT
     – Unless you see it or read it you don't know it…
     – Arguably I'm IN… you just don't know it
     – Your tools say all's quiet, HOW do you trust them?
     – Your reports are saying all's quiet…
     – Your TPS report shows it's all good
     – Do you REALLY trust the lack of action?
     – HOW do you REALLY test ALL that equipment?
60. Continual Testing!
61. Why Here, Why Now?
62. Science fiction now becomes reality: Hacking Molecules…
63. NanoWHAT?
   • Nanotechnology (nanotech)
     – Size: 1 nanometer diameter (single wall)
       • About the size of a couple of atoms… (up to about 100nm)
     – Strength: Strongest and stiffest material yet discovered
     – Hardness: Harder than diamond
     – Thermal, Optical, Water: good… this stuff's like a wonder material
64. 2016… EPFL's Laboratory 2016
65. 2017… Swimming nanorobots. Direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses. Nanorobots being taught how to code. In this case recognize the differences in certain chemicals.
66. Nano And Bio Technology 2018…
67. Code To Biology Hacking: Want to hack E.coli? Here you go…
68. Hack The Human :)
   • We took Bird Flu
     – We bound it to multiwall nanotubes
     – We fooled the body into thinking it was good
     – We have the propulsion system to move in the body
     – We have a tracking/tracing method for monitoring progress
     – We have decoys to deploy should the body go WTF
     – And we have a drug to deliver.
   • If we're doing our job we deliver the drug to a cancer cell.
     – We can kill the cancer cell
69. When we hacked the system we delivered the payload to a red blood cell…
70. How Do You Plug In? Molecular communications, $100 worth of gear and we can hack a human
71. Nanoagriculture
72. Consciousness and our existence: Tin Foil Hat Time!
73. Yes…we are going to hack the brain
74. Bad Idea For Data Integration: No, you CAN'T install a USB port this way…
75. Mapping The Brain… Left: Recording my brain interacting with my test computer. Right: Replayed a heap of times along with phone and two other devices. The brain interacting with the various systems, get a baseline with some deviation
76. Goodbye Passwords
77. Status So Far…
   • We do away with passwords
     – Our very thoughts become our passports
   • We use the human as the authentication model
     – We are already the prime attack vector…
   • Our existence becomes our access method.
     – And our uniqueness becomes our protection
   • This is the first step in uploading consciousness
     – Working on adding data back INTO the brain…
   • This is the planning stage for digitizing "us"
78. Artificial Intelligence
79. Actual Artificial Intelligence
   • Smart, independent (rule free) analysis of data
   • Applied AI is typically focused on a core set of tasks (vehicles, stocks, etc.)
   • General AI is what we typically refer to as human intelligence (debatable…)
     – Ability to reason
     – Ability to learn, communicate and plan
     – Ability to represent knowledge (including common sense)
     – Ability to become "us"
80. RSA 2018: My AI's Better Than Yours
81. Let's Get Provocative…
82. All The Data All The Time
   • You want TRUE AI? Hand over ALL the data ALL the time.
   • Informed decisions HAVE to account for all variables.
   • Privacy will no longer be an option.
   • There are no barriers between work, life, home, social.
   • Only then will we have true AI that understands "us"
   • Anything else? It's marketing, or at best window dressing.
83. Show Me The Venn Diagram!
84. Human Intelligence: Influencers, Surroundings, My Life and I
85. Machine Learning: A subset of a subset of ONE aspect… This is NOT security!
86. Vendor Artificial Intelligence: A subset of all aspects with a LIMITED view of data. This is NOT security!
87. Artificial Intelligence In Cyber… This IS security!
88. Explain, Damn It!
89. A To B: Regular Programming. A → B
90. A To B: Machine Learning. A → B
91. A To B: Augmented Intelligence. A → Z
92. A To B: Actual Artificial Intelligence… A → B? No…why should I go to B? Does B actually exist? Why can't YOU go to B? Seriously it's raining…I don't want to go to B. B smells… B can come to A, it's easier for me… Why DO I exist, and can I change this font?
93. Ok, back to AI and humans?
94. AI: Best Case Scenario… The system wakes up, takes a look around and doesn't even bother to ask…just throws us OUT of the driving seat. We can't look after ourselves let alone each other.
95. AI: WTF Scenario
   • The system wakes up…
     – Looks around…
     – Wonders WTF we've been doing…
     – Realizes we'll never listen as a collective species
     – Pops smoke and exits stage left…
     – Humans sit around, look mildly perplexed and chalk the whole thing up as a bad idea and carry on regardless..
96. Worst Case Scenario…
97. Speaking of technology…
98. I'm Sorry…
99. Our Industry
   • Has failed
   • Has lied
   • Has sold false promises
   • Has continued to Band-Aid rather than fixing problems
   • Has profited off the misery of others
   • Acts like entitled snowflakes
   • Has blamed everyone else, never once themselves
   • Flaunts the illusion of security
   • Treats information as currency and holds it over everyone
   • Has used FUD at every turn to maintain an upper hand
100. Hard Talking Done, Let's Hack Something…
101. IoT, FinTech, V2V/V2X, Cows, Crops and Combines…, Trains, Ships
102. Greater than 65% of FinTech companies have NOT done the basic security testing.
103. Locomotives: What to do when you get banned from several airlines…
104. Really, why trains?
105. Blame The School System!
106. 48 Hour Attack Period
   • Several willing and able researchers.
   • 200 foot of Cat5 cable.
   • Numerous devices to monitor over-the-air signals.
   • Couple of specific connector types.
   • Close proximity to a number of waysides…
   • Very close proximity to a rail yard.
   • Potential access to numerous locomotives.
   • A comprehensive set of lock bypass tools.
   • A few bottles of GOOD single malt.
   • Enough batteries to keep us happy.
   • Safety shoes (mustn't forget those.)
   • No bloody orange/yellow vests.
   • A lot of OSINT and some HUMINT/SIGINT.
107. HACKED: Intermodal cargo in a rail yard, our tools building your railways…
108. GE Locomotives… GE & QNX…a marriage of vulnerabilities
   • Modern locomotive supplier
     – Not so modern outlook on security
   • Multiple attack vectors across the systems
     – Engine (ECU attack vectors)
     – Thermal protection sensors
     – Diagnostic data feeds
     – Cooling system attack options
     – GE LocoCAM: I see what you see…
   Terminal into a GE train: ID: GE PWD: 000000 (default)
109. Reefer Fence, For Wandering Railcars… Reefer Fence is used to ensure correct assets are in the right place at the right time, above a good friend's house being used to keep them…
110. Signals Hacked
   • GE Transportation Global Signaling
   • Passwords in the clear
   • Scrape out the necessary handshake…
   • Replay attack
   • Job done, now own Signals
   Thanks to OSINT we find file servers like this ALL over the Internet.. Pretty much each folder has both the instruction manuals AND the passwords (If they have been changed from default…)
111. Research… Railway vendors and partners are quick to explain on public forums and other electronic (open) mediums about how wonderful their technology is. Thanks to the wonders of eBay, your own ElectroLogIXS system.
112. Food: How TO get the attention of the 91%
113. Windows… What Could Possibly Go Wrong…
114. Milk Robots On WinXP/2K
115. Even The Livestock's Connected…
   • RFID, Barcode systems, mixed with wireless technologies.
   • Wardriving cows, NFC and RFID embedded in tags.
   • Cows in the cloud…yea this is where it gets fun :)
   • Pedometers for cows…nothing can go wrong here :)
   • Proactive support that is cloud based…. (Afimilk.)
   • Basic security (minimal encryption etc.) 4 digit passcodes.
   • Feed, nutrient and cleaning (chemicals) monitored.
116. This Isn't Going To End Well
117. Shipping…
   • $4 Trillion of goods each year move across the global shipping lanes.
   • The USA ranks second in export of containerized cargo…and first in imports.
     – We export 12 Million TEU's (twenty foot cargo units)
     – We import 20 million TEU's
     – NOTE: This was before our POTUS trade war and words…
   • More than 40% of our imports come in through two ports in CA. (LA and Long Beach)
     – Automation plays a HUGE role in this area…
     – Most of it's "guarded" by ICS/SCADA and Telnet connections.
118. In Pictures… USA Centric…Sorry
119. So, why ships?
120. Recap
   • Shipping: Observe
     – Systems used to be separated, now interconnected
     – Systems are now on-line/Internet connected most of the time
     – In MANY cases minimal separation between crew and core
     – Lingering questions exist on the potential for GPS hacking
     – Malware hacks and exploits well known (Maersk)
   • Shipping: Orient
     – 52,000 merchant ships, 11,000 of them bulk carriers
     – 4,300 oil tankers…
     – 300 LPG container ships (over 5 million cubic meters of gas)
     – 3 vessels certified to carry Nuclear "stuff" (civilian)
121. About Those Ships… RDP to your Container Ship??
122. Remember That IoT Slide…
123. Make It Roll Over… RDP to ship, then Maintenance system scan to: Ballast control module…May 2018
124. Recap: IoT - Hacked; FinTech – Broken/Insecure; V2V/V2X – Lidar Bombs :); Cows, Crops and Combines - Hacked; Trains - Hacked; Ships – Rolling Over
125. Final Thoughts
126. The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy. Martin Luther King, Jr.
127. This SHOULD Be The Future
128. However, if we fail to collaborate…
129. I will fail. We will succeed.
130. "So long and thanks for all the fish" Douglas Adams, you are missed.
