Regarded as one of the world’s foremost experts on counter threat intelligence within the information security industry, Chris Roberts constructs and directs a portfolio of defense services designed to improve the physical and digital security posture of both enterprise and government clients. With increasingly sophisticated attacks on targets of opportunity, Roberts’ unique methods of addressing the evolving threat matrix and his experience with all information systems make him an indispensable partner to clients and industries that demand protection of financials, intellectual property, customer data and other protected information from attack.
2. Agenda…
• Intro (and thanks to EVERYONE here and the Hacker Halted crew!)
• We have 105ish slides give or take a few…hold tight
• Why are we here?
• Red vs. Blue
• And tanks…
• Mentality reset!
• Some solutions (hopefully.)
• Why here, why now?
• Some current research AND a glimpse into the crystal ball…
www.hackerhalted.com 2
3. Me…
• Working in InfoSec (now Cyber) industry for too many years...
• Broke Nigeria, broke the ISS, the Mars Rover, airplanes, trains, etc.
• Working at Acalvio, rather an awesome company!
• Helping them build the next generation of deception platforms…
• Why? Because Computer No.1 is already compromised…
• Why? Because 25 years of chasing passwords hasn’t worked!
• Currently breaking humans, AI, ML and consciousness computing…
• Because the future’s not already scary enough
• Because we need a solution for the MOST annoying problem of all…
4. We Don’t Do Death By PowerPoint…
IF YOU see someone doing
DBPPT
You ARE obliged to taser them!
Hacker Halted Rule 303.a
5. Why are we here?
Let us examine the humans we protect…
6. Overall Statement
The beauty of humans is that for all that we err, we also have an equal capacity to evolve.
We (the humans) are both the problem AND the solution.
8. By The Numbers…
• 5.5 Billion connected people… (in 2020 ish.)
• Take a standard bell curve mix for tech/human/intel etc.
• 15% understand or “get” security. (At most!)
• 70% sheeple.
• 15% can’t even spell security or use 123456 as a password.
• Globally that’s 825 Million people who “get” security.
• USA has 4.4% of the global bodies, so our share is 36M people.
• That 36 Million will represent about 9% of the US population.
• So, now we know… 9% of the US population will understand security by 2020.
13. Where ARE We Today?
• 90% or greater of attacks against environments are undertaken using KNOWN exploits.
• Most organizations do NOT have a well-defined or integrated data security governance program.
• 75% of the IoT manufacturers will not be able to address the security risks by 2020…
15. Sobering Statistics
• Estimated $2 Trillion per year to the economy by 2019:
• Financial impacts (financial, technology, pharmaceutical.)
• Data losses (intellectual property etc.)
• Over 800 “major” breaches:
• Major being the really nasty ones…
• 171 Million people’s identities and records lost:
• That’s just the ones we know about…
• Millions of new malware programs “found”
• Recycle a good idea and re-use it to target other data…
• Let’s not forget the tools “lost” by our agencies…
16. And… It Gets Worse…
• In the US, 55% of men and 69% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career.
• Globally, 57% of men and 66% of women said no teacher or career counselor ever mentioned the idea of a CyberSecurity career.
• In the US, 51% have never received a formal CyberSecurity lesson.
• Globally, 58% have never received a formal CyberSecurity lesson.
18. A Little More Bad News…
• The demand for the (CyberSecurity) workforce is expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million. (Michael Brown, CEO, Symantec)
• Cisco Annual Security Report warned that the worldwide shortage of information security professionals is at 1 million openings.
• Security leadership reported significant obstacles in implementing security projects due to:
• Lack of staff expertise (34.5%)
• Inadequate staffing (26.4%).
• Given the above, only 24% of enterprises have 24×7 monitoring in place using internal resources.
19. State Of Union: Summary
• We are adding more and more complex technology.
• We are handing the aforementioned technology to a population that doesn’t understand (or care about, in many cases) security.
• We are integrating it into our homes, offices, bodies, cars, lives…
• We don’t have enough qualified people to manage the current list of issues, let alone what’s coming down the pipeline.
• We don’t have the in-house technical knowhow to manage all the endpoints, systems and potential attack vectors.
• We don’t (typically) have good eyes on our own environments…
27. 25 Years of InfoSec Conferences…
• We still bitch and whine about passwords.
• We still blame users, managers, developers, grandmas AND the network…
• We were safer with the mainframe ONLY because it was in ONE room.
• We lost the battle when the data left the green screen.
• We lost the war when the laptop arrived.
30. Introspective…
• We are so focused on red teams and breaking things we forget WHY we are truly here.
• Our charges who rely upon us to protect them are looking at us wondering WTF.
• We keep blaming our charges AND we keep increasing complexities.
• We spend more time building band-aids than actually FIXING things.
32. Dammit Red Sucks – A New Reality?
• Red is the schoolyard bully that takes what they want, when they want.
• What’s worse, we are promoting it, building it up as something to do, something to aspire to, something to build a career out of…
• We have lost the core focus of what we should be doing, what our purpose is and what we really got into this industry for…
35. Why Blue Has To Win
• We’ve helped build a multi-billion dollar industry on the misery of others.
• We still find more issues that can’t be fixed, more systems that are broken and more ways to break whatever IS there.
• We have neglected to actually DO anything to fix the problem aside from standing in our pulpits lecturing everyone on how wonderful we look in our ninja gear with our latest gadgets…
• We have quite simply failed; ALL the data still gets taken ALL the time.
36. Really Blue HAS To Win…
• There’s too much to fix, and too few teams actually fixing things.
• The blue team folks are throwing up their hands as there’s too much to do in too little time with too few resources.
• We still break more things and pump out more reactive software and hardware that does little to alleviate the situation.
37. Vendor Vultures…
Security vendors preying on the dead and dying companies bleeding data.
Above: fighting over product placement and insurance policies.
38. One Team One Fight
• We need a better blue team playbook; we are putting one together… it came out of the last six months of work with the National Guard.
• We need to coordinate and collaborate better between ALL of us AND we need more damn diversity in this industry.
• Too many fragmented and fractured solutions that are not cohesively implemented.
40. No!
• Red IS needed:
• Keep the vendors honest, test everything coming in…
• HELP the development teams work through a secure SDLC.
• The mentality OF the attacker to help the blue teams.
• TRAIN the next generation of tools coming into our environments…
• Mentor the next generation, again attacker mentality, defender stance.
• Also!
• Someone still needs to keep annoying the FBI…
• Someone needs to think outside of the box, BUT help with solutions.
43. Reset Part 1:
• Security IS NOT an afterthought.
• Build it in from the very start of a project!
• Security IS NOT something to remember AFTER QA.
• SDLC is not just a nice to have…make it a bloody priority.
• Security IS a mindset.
• Welcome to 2017 and beyond, the hackers OWN it.
• Security IS the differentiator.
• Your organizations actually might thank you!
• Your customers WILL thank you!
• Use it to your advantage in marketing.
44. Above All…
Security IS all of our RESPONSIBILITY
IF you don’t think so… guess who’s going to rip your new toys to pieces.
45. Reset Part 2:
• Hold vendors responsible for delivering secure products ALL the time…
• Integrators need to be held responsible for educating partners.
• “Secure” is more than slamming product after product into the environment.
• This year’s blinky light isn’t going to save you; last year’s didn’t save you.
• Save your money, train the users, get a maturity model in place and use it!
47. Evolve Or Die
• The industry AND InfoSec have to autonomously learn their environment.
• Adapt, emulate and bloody camouflage the security tools!
• Learning behaviors should be built in.
• Anything we build has to be adaptive!
• This IS a game of chess, why are we hampering ourselves?
• Security HAS to evolve beyond the reactive stack
• Preventative (please!)
• Predictive!
• Anything we build has to be intuitive…
• PhD-level installation instructions are BS!
Thanks Packet Storm!
49. Passwords (Seriously!)…
• Would be nice to NOT break into a company because of defaults…
• Use biometrics, smartcards or two-factor correctly please!
• Cost of remediation is 8x the cost of deployment; fix your passwords!
• User education and awareness training AND Executive buy-in…
• QUIT MAKING IT EASY! NO DEFAULTS! NO “Passw0rd!”
50. Summary:
• As red team:
• We don’t want more default passwords.
• We don’t want hardcoded passwords/phrases.
• We don’t need shared keys that are badly encrypted.
• As blue team:
• We don’t want more screens to look at.
• We don’t need our users to find more insecure ways to work!
• We want something intuitive.
• We want help…not hindrance please.
• Preferably we WANT collaborative purple teams!
51. Why here, why now?
Let us take a peek into the future…
58. 48 Hour Attack Period
• Several willing and able researchers.
• 200 foot of Cat5 cable.
• Numerous devices to monitor over-the-air signals.
• Couple of specific connector types.
• Close proximity to a number of waysides…
• Very close proximity to a rail yard.
• Potential access to numerous locomotives.
• A comprehensive set of lock bypass tools.
• A few bottles of GOOD single malt.
• Enough batteries to keep us happy.
• Safety shoes (mustn’t forget those.)
• No bloody orange/yellow vests.
• A lot of OSINT and some HUMINT/SIGINT.
59. Where IS The Cargo?
• ORBCOMM (Satellite or cellular on the move)
• Thanks to some badly handled SQL queries we can track all your cargo.
• TransCore (RFID in motion or in yard)
• Once again the SQL issue bites back; now we can organize your cargo.
• Softrail (railcars in the yard… where’s my stuff?)
• Thankfully the software can be readily downloaded and reverse engineered to allow full access.
• We can now build YOUR train to OUR specifications.
61. GE Locomotives…
GE & QNX… a marriage of vulnerabilities
• Modern locomotive supplier
• Not so modern outlook on security
• Multiple attack vectors across the systems
• Engine (ECU attack vectors)
• Thermal protection sensors
• Diagnostic data feeds
• Cooling system attack options
• GE LocoCAM I see what you see…
Terminal into a GE train
ID: GE
PWD: 000000 (default)
62. Signals Hacked
• GE Transportation Global Signaling
• Passwords in the clear
• Scrape out the necessary handshake…
• Replay attack
• Job done, now own Signals
Thanks to OSINT we find file servers like this ALL over the Internet…
Pretty much each folder has both the instruction manuals AND the passwords (if they have been changed from default…)
63. MitM: Not Present Attack Scenario
• Take the concept of a MitM (Man in the Middle) attack used across the InfoSec industry and apply it to signaling.
• System: Leave lights green as OUR train comes into the upcoming signal path.
• Wayside/lights/crossing: Need to lower/drop/flash/validate (please.)
• Attack: MitM “Sure”, here’s the legitimate packets to cover both ends…
• Wayside/lights/crossing: Got it, go-ahead and pass friendly train…
• Locomotive: Thanks too, OUR HACKED train passing through.
• Wayside/lights/crossing: No problem, happy to oblige…
67. Pick A Country… Sorry UK
• Too many of them in Scotland, lost us the independence vote, therefore payback… your tea’s going to suffer.
• How to find data, and how to do the research without breaking the target.
• We focused on Fullwood and their suite of tools.
• On the right is the suite of tools.
• FULL herd management.
• Heaps of data on the forums!
• And….Windows
68. Research!
• OSINT, HUMINT, SIGINT Etc.
• Google IS your friend.
• Forums are your friend.
• Nmap is your friend (as is Shodan!)
• CVE Details will also help (useful to know what’s got issues.)
• Our Deep/Darknet platform is a HUGE help here…
• Your role is to be the analysts… this IS “Threat Intelligence.”
72. Even The Livestock’s Connected…
• RFID, Barcode systems, mixed with wireless technologies.
• Wardriving cows, NFC and RFID embedded in tags.
• Cows in the cloud…yea this is where it gets fun
• Pedometers for cows…nothing can go wrong here
• Proactive support that is cloud based…. (Afimilk.)
• Basic security (minimal encryption etc.) 4 digit passcodes.
• Feed, nutrient and cleaning (chemicals) monitored.
74. Got Crops
• All your Wheaties (and Cheerios) belong to me.
• Controllers and other access points in the manufacturing systems cracked.
• Monitoring systems reverse engineered.
• Quality Controls hacked.
• Product Inventory / Bar codes.
• Time/Date stamps - high-speed inkjet printers.
• All your farm animals are dead
• Chicken heating/cooling monitors (sorry Thanksgiving.)
• Pig and other automated feed systems.
• Manipulate the feed and food mixing systems so animals get wrong foods.
• All the drugs they are feeding the animals, we can manipulate the doses.
• All your crops are failing
• Hack the tractors revisited (getting Jesse back on point.)
• Hack the chemicals, Round-Up’s vulnerabilities.
• Hack the GMO (Sorry Monsanto…ish), all your crops ARE vulnerable.
• Seed supply: kill the supply now and you hit next year’s crops too.
81. Code to Biology Hack In Action
Want to hack E.coli? Here you go…
82. OK, So to this point we’ve:
BUILT it, CODED it,
Now we have to DEPLOY…
83. Science Fact
Swimming nanobots: direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses.
86. Our hexametric ring: six stations carrying different molecules:
• We have our keys
• Receptor-binding aptamer
• We have our transport
• siRNA
• We have our bypass tools
• Ribozyme
• We have our report tools
• Image Reporter
• We have our payload
• Drugs
• And we have our decoys
• Endosome disruptor
87. In English:
• We took Bird Flu
• We bound it to multiwall nanotubes
• We fooled the body into thinking it was good
• We have the propulsion system to move in the body
• We have a tracking/tracing method for monitoring progress
• We have decoys to deploy should the body go WTF
• And we have a drug to deliver.
• If we’re nice, we can deliver that drug to a cancer cell.
• We can kill the cancer cell
• If we’ve hacked the system we deliver it to a red blood cell.
• We now kill you
95. All Your Data:
• The Engine that we maintain brings in:
• Excess of 150k “verified targets.” (IRC/FTP/HTTP/I2P/P2P)
• 1 billion targets, forums, and malicious channels identified.
• Over 250,000 live and usable credit cards.
• Over 100,000 usable PHI records.
• Over 150,000 live identities.
• YOUR Information.
• YOUR Identity.
• YOUR Intellectual Property.
• A Month…
96. US Nuclear Stuff in Iran ?!?
Left: William States Lee III Power Plant drawings. Right: folders taken from the PRIVATE side of the server at IAEA.
Lower: spreadsheet containing names/addresses and primary military unit for the chaps guarding the Iranian nuclear systems, all on the same server farm.
97. Remember YOUR Vendors?
And your trusted partners
And your suppliers
And your integrators
And remember that excuse “it’ll never happen to me”
98. Vendor Fail
An oil/gas pipeline company: this is the contractor’s personal NAS with YOUR data… and his GF’s!
101. Future Thoughts
• In 25 years do we still want to be talking about passwords?
• Will we have moved onto the digital path of existence?
• How will you help move the needle in security; what CHANGES?
• Root causes, not band-aids please.
• Red IS needed; out-of-the-box mentality HAS to find its place.
• Bloody taser the vendor who states their blinky light fixes it all.
102. Red vs. Blue
• You get the idea..
• There is a tsunami of tech coming our way.
• There is more to do than we have bodies to do it.
• Breaking most of this shit’s too easy.
• Fixing it is WAY harder!
• Hence…BLUE HAS TO WIN…
• AND…Red has to HELP us.
103. “So long and thanks for all the fish”
Douglas Adams, you are missed.
Editor’s notes
IoT Devices…
FinTech
80,000 on a human hair
Left: Cello code, then moving the code to the file, which then can manipulate the DNA sequencing, which produces the code in a biological sequence that corresponds to “hack the specific protein/cell/type”