A Hacker's Perspective
Back To Basics, Or Blinky Lights…
Chris Roberts
croberts@lares.com
Sidragon1 (LinkedIn and Twitter)
Agenda
•  Housekeeping and the bearded thing in front of you…
–  We've got 137 slides to go through…hold on tight
•  The state of the union…
–  Passwords, humans and chasing crocodiles
•  All the blinky lights…
–  Anti-hacking software and other snake oil
•  Back to basics
–  How DO we get out of this mess?
•  Why now?
–  Nanotechnology, brains, and a cut on artificial intelligence
•  Time to hack something…
–  Trains, cows and shipping, what could possibly go wrong?
•  Final thoughts
–  Collaboration or eradication, it's our choice
…Humans vs. Technology…
Past / Present / Future
Some Quick Housekeeping…
Bloody Hellfire, You Invited A Hacker…
Hackers!
The Media's Hackers…
Squirrel Hacker…
Slides…
Yes, I'll make sure they are available
OR
Business card swap at the end and I'll send them
Parental Warning…
This is going to be blunt
Feelings might get hurt
A few vendors might get tasered
The F word is on a few slides

We've run out of time for nice
The Goatee…
•  In the InfoSec/Cyber industry for too many years...
•  Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
–  Researched a whole lot more…
•  Working at Lares and consulting with Aavo
–  Why? Because we need to change this industry
–  Why? Because we are going to lead from the FRONT
•  Currently researching humans, AI, ML and consciousness computing…
–  Because there's better ways than passwords!
–  Because the future's not already scary enough :)
–  Because we're heading off the cliff…and we need to wake up
•  Might also have a whisky collection that borders on the obsessive…
–  Occasionally travels with the whisky football (thanks Inbar!)
So, How Are We Doing?
2018 So Far…
Really, Why?
Because in 2017 we "lost" 2 - 3 BILLION records…
(ish...)
Numbers are between 1.9B and 8B…

(Yea, we can't even work out the right numbers…)
And…
We spent $90 Billion on Information Security related products in 2017…

You think we'd be able to do better?!?
Recap from 2017
Let us examine the humans we protect…
Overall Statement
The beauty of humans is that for all that we err, we also have an equal capacity to evolve.

We (the humans) are both the problem AND the solution.
Problem Statement…
"HAVE" the capacity to evolve doesn't mean we ARE evolving…
By The Numbers
•  5.5 Billion connected people… (in 2020 ish.)
•  Standard bell curve mix for tech/human/intel etc.
–  15% understand or "get" security. (At most!)
–  70% sheeple.
–  15% can't even spell security or use 123456 as a password.
•  Globally 825 Million people who "get" security.
–  USA has 4.4% of global bodies, so our share is 36M people.
–  36 Million represents about 9% of the US population.
•  So, now we know… 9% of the US population will understand security by 2020.
The 91st Percentile…
Passwords!
So, 2018…
•  90% or greater of attacks against environments are undertaken using KNOWN exploits.
•  Most organizations do NOT have a well defined or integrated data security governance program.
•  75% of the IoT manufacturers will not be able to address the security risks by 2020…
State Of The Union: Summary
•  We are adding more and more complex technology.
•  We are handing that technology to a population that doesn't understand, or care about, security.
•  We are integrating it into our homes, offices, bodies, cars, lives…
•  We don't have enough qualified people to manage the current list of issues, let alone the future.

•  We don't have good eyes on our own environments…
WE'RE F**KED
But We Spend A Metric F**k Ton Of $$ On Security!
A Metric What?!?
•  buttload * 10 = 1 butt ton
•  butt ton * 10 = 1 assload
•  assload * 10 = 1 asston
•  asston * 10 = 1 shitload
•  shitload * 10 = 1 shitton
•  shitton * 10 = 1 fuckload
•  fuckload * 10 = 1 fuckton
•  so to answer what IS a fuckton, it's = 10^3 shitloads = 10^7 buttloads
All The Blinky Lights…
Static Defense…
Static Defense (Mk2)
The Rack Of Blinky Lights…
•  You use firewalls; we went past those in the 90's and never looked back.
–  We still mostly ignore them.
•  You put IDS/IPS in place and we can bypass that.
–  Like a firewall but more expensive.
•  You use DLP, but leave ports open for web/client traffic…
–  Which we readily use to exfiltrate all the data.
•  You have patches… which are irregularly installed on some systems.
–  We know this, we exploit it.
•  You have antivirus…it's 3-7% effective and half the time is disabled.
–  Another one of those things we wave at as we go steaming past.
•  You have built-in encryption, but the computer is ON which bypasses it.
–  And you only use it on the laptops…seriously?!?
More Blinky Lights…
•  You have "deep packet inspection," we've been bypassing that since 2012.
•  You have SIEM installed…and more alerts than a team of minions can handle.
•  You WOULD have policies, procedures and controls IF you could all agree…
•  You get a penetration test, but let's face it…most of the time it's a checkbox NOT an actual off-the-leash test…
•  You congratulate yourself when the auditor leaves WITHOUT finding the skeletons.
But! I Hear You Cry!
I have RACKS and RACKS of NEW shit that I bought at RSA and Black Hat that's meant to protect me!
UBA
How the heck are we meant to run USER behavior patterns when we don't even know what they are doing most of the time?
•  "If it looks like a duck, walks like a duck, sounds like a duck…"
–  Then it's probably a bloody hunter in duck season!

•  Profiling…
–  Yea, how's that working out for us?

•  Retired FBI criminologist chap…
–  The risk of false positives is inevitably higher with behavior based security.
NGIPS
Shit! Sales of our traditional IDS/IPS units are slowing down?
•  Change out green blinky light for 2018's orange ones.
•  Ramp up marketing.
•  Tell people ALL the stuff we've been monitoring for years.
•  Drag out some statistics (finally something useful.)
•  AND…rebadge it as "Next Generation" IPS.
•  Use AI in there somewhere (nobody will know the difference)
•  Just saying…
ETD/EDR/RTP/C3PO?
Endpoint tools and detection, endpoint detection and response and a host of other things to clog up your poor users' PCs.
•  Companies had a hard enough time managing traditional A/V.
•  Your endpoint tool CAN be my attack vector.
•  How many of you know where your endpoints ARE?
•  HOW diversified are your endpoints? Including the crockpot?
•  But my auditor said we needed it… Then taser them.
•  You get the idea… it's used as a crutch and it fails too often.
Assets!
How many of you KNOW what assets you HAVE?
Let alone where they are…
CrowdStrike, Cylance, CB, Etc.
John did an awesome job of stating how they bypassed the tools:
•  https://www.blackhillsinfosec.com/tag/cylance/
And:
•  BlackHat Europe 2017 had training on HOW to evade Cylance, CrowdStrike, Carbon Black, Etc.
Simply put there's NOT enough substance behind a lot of the claims of using AI or Whitelists or other techniques to stop attackers from getting in.

Lares: Over the last few weeks on a number of engagements we have evaded two of the above. Time to execute sub 30 mins. Attack vectors were both service accounts AND deployment packages and how it integrates with MS

You can't stop what you can't see.
Symantec Now Has Deception…
It's endpoint only, misses most of an enterprise
It's also only on the assets you know about…
It doesn't know or care about VAR/3rd parties
We've circumvented all endpoint protections
•  DEF CON gave talks on defeating them 2017/8
•  We still break past most of them today
Recompiling malware bypasses detectors
Rapid DoS of the endpoint because there's no memory gating.
It's a passive, bait based solution
•  It's worse than fishing in the middle of the sea
•  It's worse than that, it's false security
•  It will miss about 75% of attacks…
But! We Have A Crack Blue Team
How often are we discovered?
How quickly can we obfuscate attribution?
Let's Cut To The Chase
Attackers will ALWAYS get in…

The question is what are we going to do about it?
Our Options
Back to Basics
•  The human:
–  1 hour of awareness training PER year
–  ½ session of "don't click shit"
–  ½ session of "don't send shit"
–  No understanding of tying work and life security
–  Minimal awareness on "why"
–  P@ssw0rd1 used at work and on Facebook etc.
–  Accountant by day, Genealogist by night…
–  Thinks the "S" in HTTPS is for wimps
Fix the humans
Change the conversation

Safety NOT Security
Back to Basics (2)
•  Your computers:
–  The ones on the FLAT network running W2k
–  The ones in the warehouse running XP
–  The ones the vendor said don't touch
–  The ones on the Internet with RDP!!
–  The ones on the Internet with 1433/3306/Etc.
–  The "new" one Frank in accounting plugged in
–  The ones you don't even log or watch
–  The ones you don't even know about!
Remove the easy ways in!
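The list above is an inventory problem before it is a hardening problem: you cannot remove an easy way in that you do not know exists. As an added illustration (not code from the talk or from Lares), the Python below compares what a scan actually sees on the network with what the CMDB claims exists and flags each item from the slide: end-of-life Windows, RDP/1433/3306 answering from the Internet, hosts nobody logs, hosts nobody owns, and hosts that are not in the CMDB at all. The inventory, the risky-port table and the end-of-life OS list are constructed/assumed values.

```python
"""Triage an asset inventory for the "easy ways in" the slide lists.

Added example written for this page; not tooling from the talk or from Lares.
The inventory, the risky-port table and the end-of-life OS list below are
constructed/assumed values.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Services that should never answer directly from the Internet (assumed list).
RISKY_INTERNET_PORTS: Dict[int, str] = {
    23: "Telnet",
    1433: "MSSQL",
    3306: "MySQL",
    3389: "RDP",
    5900: "VNC",
}

# Operating systems that no longer receive security patches (assumed list).
END_OF_LIFE_OS: Set[str] = {"Windows 2000", "Windows XP", "Windows Server 2003"}


@dataclass
class Asset:
    host: str
    os: str
    open_ports: Set[int] = field(default_factory=set)
    internet_facing: bool = False
    logged: bool = False            # does this host ship logs to the SIEM?
    owner: Optional[str] = None     # None = nobody admits to owning it


@dataclass
class Finding:
    host: str
    severity: str                   # "critical", "high" or "medium"
    issue: str


def triage(observed: List[Asset], cmdb_hosts: Set[str]) -> List[Finding]:
    """Compare what actually answers on the network (observed) with what the
    CMDB says exists, and flag the basics from the slide, worst first."""
    findings: List[Finding] = []
    for a in observed:
        if a.host not in cmdb_hosts:
            findings.append(Finding(a.host, "high", "not in CMDB: the 'new' box someone plugged in"))
        if a.os in END_OF_LIFE_OS:
            sev = "critical" if a.internet_facing else "high"
            findings.append(Finding(a.host, sev, f"end-of-life OS: {a.os}"))
        if a.internet_facing:
            for port in sorted(a.open_ports & set(RISKY_INTERNET_PORTS)):
                findings.append(Finding(a.host, "critical",
                                        f"{RISKY_INTERNET_PORTS[port]} ({port}) exposed to the Internet"))
        if not a.logged:
            findings.append(Finding(a.host, "medium", "no logging: a compromise here would go unseen"))
        if a.owner is None:
            findings.append(Finding(a.host, "medium", "no owner: 'the vendor said don't touch'"))
    rank = {"critical": 0, "high": 1, "medium": 2}
    findings.sort(key=lambda f: (rank[f.severity], f.host))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity."""
    return {sev: sum(1 for f in findings if f.severity == sev)
            for sev in ("critical", "high", "medium")}


# Constructed sample data: what the CMDB knows vs. what a scan actually saw.
CMDB: Set[str] = {"dc01", "wh-hmi-01", "web01", "db01"}
OBSERVED: List[Asset] = [
    Asset("dc01", "Windows Server 2016", {88, 389, 445}, logged=True, owner="infra"),
    Asset("wh-hmi-01", "Windows XP", {445, 5900}),                 # warehouse box: no owner, no logs
    Asset("web01", "Ubuntu 18.04", {80, 443, 3389}, internet_facing=True, logged=True, owner="web"),
    Asset("db01", "Windows Server 2012", {1433}, internet_facing=True, owner="dba"),
    Asset("frank-desk", "Windows 7", {445, 3389}),                 # not in the CMDB at all
]

if __name__ == "__main__":
    for f in triage(OBSERVED, CMDB):
        print(f"[{f.severity:8}] {f.host}: {f.issue}")
    print(summarize(triage(OBSERVED, CMDB)))
```

The two inputs are deliberately separate: the CMDB is what you believe you have, the observed list is what a scan or passive collection actually saw, and the gap between them is usually the first finding. The severity ordering puts Internet-exposed services first because those are the ones the talk says get walked straight through.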
Back to Basics (3)
•  Your perimeter:
–  Accept it, you don't have one
–  The laptops, iPhones, IoT took your control away
–  Computer No1 on YOUR network is hacked
–  2018's NGIPS/UBA/NGFW isn't going to help
–  Reactive, static defenses suck and don't work
–  AI and ML aren't going to save you either
–  There is NO cake, no fairy and NO simple answer
–  Start looking at preventative, proactive, predictive
Get eyes inside your world!
Back to Basics (4)
•  You!
–  Stop ignoring physical security
–  Stop protecting your users from SE "exercises"
–  You are ALL over the Internet, work out where!
–  Your vendors, partners, suppliers are leaky
–  IF they don't have a badge…taser them
–  Spend some of that NG-FW $ on locks
–  Spend more of that NG-FW $ on encryption
Look outside of your four walls
Back to Basics (5)
•  Passwords (still)
–  F1nux runs a site, the PROVEN statistic is at any one point in time a global company has LOST control of about ¼ or so of its accounts because of password theft/re-use.
–  Teach separation/segmentation
–  2FA, it's NOT hard to integrate
–  All your users DON'T need to be admin!
–  All your admins NEED to be separated
–  All your developers DON'T need to hardcode
Education and simpler integration
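Each bullet above is checkable against an identity export rather than left as an aspiration. The following is an added Python audit written for this page (not tooling from the talk, from Lares, or from F1nux's site) over a constructed account list: it flags passwords that appear in a breach corpus (the work/Facebook reuse problem), the same password on more than one account, admins without 2FA, people whose only account is an admin account, and credentials hardcoded in source. The unsalted SHA-1 column, the breach set and the source lines are all assumptions made up for the example.

```python
"""Audit an identity export for the password basics on the slide.

Added example written for this page; not tooling from the talk, from Lares or
from F1nux's site. The account export, the breach corpus, the source lines and
the (unsalted SHA-1) hash column are all constructed assumptions.
"""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Account:
    name: str
    person: str             # human (or "service") behind the account
    is_admin: bool
    mfa_enabled: bool
    password_sha1: str      # assumption: export carries unsalted SHA-1, as breach dumps often do
    service: bool = False   # service accounts have no "daily" counterpart


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode()).hexdigest().upper()


# Constructed "seen in a breach dump" corpus, kept as hashes so the audit never
# holds the plaintexts it compares against.
BREACHED_HASHES: Set[str] = {sha1_hex(p) for p in ("123456", "P@ssw0rd1", "Summer2018!")}

# Constructed account export.
ACCOUNTS: List[Account] = [
    Account("frank", "Frank", is_admin=True, mfa_enabled=False, password_sha1=sha1_hex("P@ssw0rd1")),
    Account("alice", "Alice", is_admin=False, mfa_enabled=True, password_sha1=sha1_hex("correct horse battery")),
    Account("alice-adm", "Alice", is_admin=True, mfa_enabled=True, password_sha1=sha1_hex("staple-kp3q-zz")),
    Account("bob", "Bob", is_admin=False, mfa_enabled=False, password_sha1=sha1_hex("Summer2018!")),
    Account("svc-deploy", "service", is_admin=True, mfa_enabled=False,
            password_sha1=sha1_hex("Summer2018!"), service=True),
]

# Constructed source lines; only the ones carrying a credential literal should match.
SOURCE_LINES: List[str] = [
    'db = connect(host="db01", user="app", password="Summer2018!")',
    "api_key = os.environ['API_KEY']",
    'AWS_SECRET = "PLACEHOLDER-not-a-real-key"',
]
HARDCODED_RE = re.compile(r"""(password|passwd|secret|token|api_key)\s*=\s*["'][^"']+["']""", re.I)


def audit_accounts(accounts: List[Account], breached: Set[str]) -> Dict[str, List[str]]:
    """Return account names grouped by the basic they fail."""
    issues: Dict[str, List[str]] = {
        "breached_password": [],    # password appears in a known dump
        "reused_password": [],      # same password on more than one account
        "admin_without_mfa": [],    # "2FA, it's NOT hard to integrate"
        "admin_not_separated": [],  # person does daily work from an admin account
    }
    by_hash: Dict[str, List[str]] = {}
    by_person: Dict[str, List[Account]] = {}
    for a in accounts:
        by_hash.setdefault(a.password_sha1, []).append(a.name)
        by_person.setdefault(a.person, []).append(a)
        if a.password_sha1 in breached:
            issues["breached_password"].append(a.name)
        if a.is_admin and not a.mfa_enabled:
            issues["admin_without_mfa"].append(a.name)
    for names in by_hash.values():
        if len(names) > 1:          # identical unsalted hash means identical password
            issues["reused_password"].extend(names)
    for accts in by_person.values():
        humans = [x for x in accts if not x.service]
        if humans and all(x.is_admin for x in humans):
            issues["admin_not_separated"].extend(x.name for x in humans)
    return issues


def find_hardcoded_secrets(lines: List[str]) -> List[int]:
    """1-based line numbers that look like a credential literal in source."""
    return [i for i, line in enumerate(lines, 1) if HARDCODED_RE.search(line)]


if __name__ == "__main__":
    for issue, names in audit_accounts(ACCOUNTS, BREACHED_HASHES).items():
        print(f"{issue}: {names}")
    print("hardcoded secrets on lines:", find_hardcoded_secrets(SOURCE_LINES))
```

The reuse check only works because the constructed export stores unsalted hashes, which is exactly why real directories salt them; in practice the same test is done at password-change time, before hashing, against a breach corpus, and the admin-separation check is a query over who has a non-admin account to do their e-mail from.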
Back to Basics (6)
•  A PLEA
–  Stop buying into the 2018 purple blinky lights
–  Stop buying into the hype
–  Stop accepting the free lunches
–  START fixing the basics
–  START paying attention to your users
–  START with the simple shit, most of it's free
–  START looking beyond the reactive solutions
2018 Blinky Light…
Taser the blinky lights…
Back to Basics (7)
•  Get a plan
–  Face it, shit's going to hit the fan at some point.
–  Be prepared, simpler to reach for the IR forms than wonder WHAT to do…
–  Have the communications plan in place ready to go…
–  Have the humans prepared. (No, not cannibalism)
–  Practice makes perfect, headless chicken mode is NOT needed…
–  Know the steps (OODA or NIST IR)
Get a plan!
Back to Basics (8)
•  All's quiet on the western front…
–  As the book points out, NO it's NOT
–  Unless you see it or read it you don't know it…
–  Arguably I'm IN… you just don't know it
–  Your tools say all's quiet, HOW do you trust them?
–  Your reports are saying all's quiet…
–  Your TPS reports show it's all good
–  Do you REALLY trust the lack of action?
–  HOW do you REALLY test ALL that equipment?
Continual Testing!
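The questions on this slide reduce to one check: when a tool reports nothing, is that because nothing happened or because the tool went deaf? An added Python example (not from the talk or from Lares) treats every log source and every scheduled detection canary as something that must keep producing events, and reports the ones that have fallen silent past their expected interval. Source names, intervals and timestamps are constructed.

```python
"""Is "all quiet" safe, or deaf? Every log source and every scheduled detection
canary must keep producing events; silence past its expected interval is itself
an alert.

Added example written for this page, not tooling from the talk. Source names,
intervals and timestamps are constructed.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Longest acceptable gap between events from each source (assumed values).
EXPECTED_INTERVAL: Dict[str, timedelta] = {
    "fw-edge-01": timedelta(minutes=5),          # busy edge firewall, always chatty
    "dc01-security": timedelta(minutes=15),      # domain controller security log
    "edr-canary": timedelta(hours=1),            # hourly benign test that MUST raise an alert
    "wh-hmi-01-syslog": timedelta(hours=6),      # quiet warehouse box
}

# Constructed "last event seen" table, as a SIEM would report it.
LAST_SEEN: Dict[str, datetime] = {
    "fw-edge-01": datetime(2018, 6, 1, 9, 58),
    "dc01-security": datetime(2018, 6, 1, 8, 10),
    "edr-canary": datetime(2018, 6, 1, 9, 30),
    # "wh-hmi-01-syslog" has never sent anything at all
}
NOW = datetime(2018, 6, 1, 10, 0)


def silent_sources(expected: Dict[str, timedelta],
                   last_seen: Dict[str, datetime],
                   now: datetime) -> List[Tuple[str, str]]:
    """Return (source, reason) for every source that is overdue or never reported."""
    overdue: List[Tuple[str, str]] = []
    for source, interval in expected.items():
        seen = last_seen.get(source)
        if seen is None:
            overdue.append((source, "never reported"))
        elif now - seen > interval:
            overdue.append((source, f"silent for {now - seen}, expected every {interval}"))
    return overdue


def unexpected_sources(expected: Dict[str, timedelta],
                       last_seen: Dict[str, datetime]) -> List[str]:
    """Sources that are sending events but that nobody registered an expectation for."""
    return sorted(set(last_seen) - set(expected))


if __name__ == "__main__":
    for source, why in silent_sources(EXPECTED_INTERVAL, LAST_SEEN, NOW):
        print(f"ALERT {source}: {why}")
    print("unregistered senders:", unexpected_sources(EXPECTED_INTERVAL, LAST_SEEN))
```

The canary entry is the "HOW do you REALLY test ALL that equipment" part: a scheduled, harmless test that the control is supposed to detect; if the resulting alert stops arriving, the quiet dashboard is measuring the tool's hearing, not the environment.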
Why Here, Why Now?
Science fiction now becomes reality
Hacking Molecules…
NanoWHAT?
•  Nanotechnology (nanotech)
–  Size: 1 nanometer diameter (single wall)
•  About the size of a couple of atoms… (up to about 100nm)
–  Strength: Strongest and stiffest material yet discovered
–  Hardness: Harder than diamond
–  Thermal, Optical, Water: good… this stuff's like a wonder material
2016…
EPFL's Laboratory 2016
2017…
Swimming nanorobots. Direction, motion and other functions can be changed based on the application of either heat (laser) or electromagnetic pulses.
Nanorobots being taught how to code. In this case recognize the differences in certain chemicals.
Nano And Bio Technology 2018…
Code To Biology Hacking
Want to hack E.coli? Here you go…
Hack The Human :)
•  We took Bird Flu
–  We bound it to multiwall nanotubes
–  We fooled the body into thinking it was good
–  We have the propulsion system to move in the body
–  We have a tracking/tracing method for monitoring progress
–  We have decoys to deploy should the body go WTF
–  And we have a drug to deliver.
•  If we're doing our job we deliver the drug to a cancer cell.
–  We can kill the cancer cell
When we hacked the system we delivered the payload to a red blood cell…
How Do You Plug In?
Molecular communications, $100 worth of gear and we can hack a human
Nanoagriculture
Consciousness and our existence
Tin Foil Hat Time!
Yes…we are going to hack the brain
Bad Idea For Data Integration
No, you CAN'T install a USB port this way…
Mapping The Brain…
Left: Recording my brain interacting with my test computer
Right: Replayed a heap of times along with phone and two other devices.
The brain interacting with the various systems, get a baseline with some deviation
Goodbye Passwords
Status So Far…
•  We do away with passwords
–  Our very thoughts become our passports
•  We use the human as the authentication model
–  We are already the prime attack vector…
•  Our existence becomes our access method.
–  And our uniqueness becomes our protection
•  This is the first step in uploading consciousness
–  Working on adding data back INTO the brain…
•  This is the planning stage for digitizing "us"
Artificial Intelligence
Actual Artificial Intelligence
•  Smart, independent (rule free) analysis of data
•  Applied AI is typically focused on a core set of tasks (vehicles, stocks, etc.)
•  General AI is what we typically refer to as human intelligence (debatable…)
–  Ability to reason
–  Ability to learn, communicate and plan
–  Ability to represent knowledge (including common sense)
–  Ability to become "us"
RSA 2018: My AI's Better Than Yours
Let's Get Provocative…
All The Data All The Time
•  You want TRUE AI? Hand over ALL the data ALL the time.
•  Informed decisions HAVE to account for all variables.
•  Privacy will no longer be an option.
•  There are no barriers between work, life, home, social.
•  Only then will we have true AI that understands "us"
•  Anything else? It's marketing, or at best window dressing.
Show Me The Venn Diagram!
[Venn diagram: Human Intelligence, Influencers, Surroundings, My Life and I]
Machine Learning
A subset of a subset of ONE aspect…
This is NOT security!
Vendor Artificial Intelligence
A subset of all aspects with a LIMITED view of data
This is NOT security!
Artificial Intelligence In Cyber…
This IS security!
Explain, Damn It!
A To B
Regular Programming
A → B
A To B
Machine Learning
A → B
A To B
Augmented Intelligence
A → Z
A To B
Actual Artificial Intelligence…
A → B
No…why should I go to B?
Does B actually exist?
Why can't YOU go to B?
Seriously it's raining…I don't want to go to B
B smells…
B can come to A, it's easier for me…
Why DO I exist, and can I change this font?
Ok, back to AI and humans?
AI: Best Case Scenario…
The system wakes up, takes a look around and doesn't even bother to ask…just throws us OUT of the driving seat.
We can't look after ourselves let alone each other.
AI: WTF Scenario
•  The system wakes up…
–  Looks around…
–  Wonders WTF we've been doing…
–  Realizes we'll never listen as a collective species
–  Pops smoke and exits stage left…
–  Humans sit around, look mildly perplexed and chalk the whole thing up as a bad idea and carry on regardless…
Worst Case Scenario…
Speaking of technology…
I'm Sorry…
Our Industry
•  Has failed
•  Has lied
•  Has sold false promises
•  Has continued to Band-Aid rather than fixing problems
•  Has profited off the misery of others
•  Acts like entitled snowflakes
•  Has blamed everyone else, never once themselves
•  Flaunts the illusion of security
•  Treats information as currency and holds it over everyone
•  Has used FUD at every turn to maintain an upper hand
Hard Talking Done,
Let's Hack Something…
IoT
FinTech
V2V/V2X
Cows, Crops and Combines…
Trains
Ships
Greater than 65% of FinTech companies have NOT done the basic security testing.
Locomotives:
What to do when you get banned from several airlines…
Really, why trains?
Blame The School System!
48 Hour Attack Period
•  Several willing and able researchers.
•  200 foot of Cat5 cable.
•  Numerous devices to monitor over-the-air signals.
•  Couple of specific connector types.
•  Close proximity to a number of waysides…
•  Very close proximity to a rail yard.
•  Potential access to numerous locomotives.
•  A comprehensive set of lock bypass tools.
•  A few bottles of GOOD single malt.
•  Enough batteries to keep us happy.
•  Safety shoes (mustn't forget those.)
•  No bloody orange/yellow vests.
•  A lot of OSINT and some HUMINT/SIGINT.
HACKED: Intermodal cargo in a rail yard, our tools building your railways…
GE Locomotives…
GE & QNX…a marriage of vulnerabilities
•  Modern locomotive supplier
–  Not so modern outlook on security
•  Multiple attack vectors across the systems
–  Engine (ECU attack vectors)
–  Thermal protection sensors
–  Diagnostic data feeds
–  Cooling system attack options
–  GE LocoCAM I see what you see…

Terminal into a GE train
ID: GE
PWD: 000000 (default)
Reefer Fence, For Wandering Railcars…
Reefer Fence is used to ensure correct assets are in the right place at the right time, above a good friend's house being used to keep them…
Signals Hacked
•  GE Transportation Global Signaling
•  Passwords in the clear
•  Scrape out the necessary handshake…
•  Replay attack
•  Job done, now own Signals

Thanks to OSINT we find file servers like this ALL over the Internet…
Pretty much each folder has both the instruction manuals AND the passwords (If they have been changed from default…)
Research…
Railway vendors and partners are quick to explain on public forums and other electronic (open) mediums about how wonderful their technology is.

Thanks to the wonders of eBay, your own ElectroLogIXS system.
Food:
How TO get the attention of the 91%
Windows…
What Could Possibly Go Wrong…
Milk Robots On WinXP/2K
Even The Livestock's Connected…
•  RFID, Barcode systems, mixed with wireless technologies.
•  Wardriving cows, NFC and RFID embedded in tags.
•  Cows in the cloud…yea this is where it gets fun :)
•  Pedometers for cows…nothing can go wrong here :)
•  Proactive support that is cloud based…. (Afimilk.)
•  Basic security (minimal encryption etc.) 4 digit passcodes.
•  Feed, nutrient and cleaning (chemicals) monitored.
This Isn't Going To End Well
Shipping…
•  $4 Trillion of goods each year move across the global shipping lanes.
•  The USA ranks second in export of containerized cargo…and first in imports.
–  We export 12 Million TEUs (twenty foot cargo units)
–  We import 20 million TEUs
–  NOTE: This was before our POTUS trade war and words…
•  More than 40% of our imports come in through two ports in CA. (LA and Long Beach)
–  Automation plays a HUGE role in this area…
–  Most of it's "guarded" by ICS/SCADA and Telnet connections.
In Pictures… USA Centric…Sorry
So, why ships?
Recap
•  Shipping: Observe
–  Systems used to be separated, now interconnected
–  Systems are now on-line/Internet connected most of the time
–  In MANY cases minimal separation between crew and core
–  Lingering questions exist on the potential for GPS hacking
–  Malware hacks and exploits well known (Maersk)
•  Shipping: Orient
–  52,000 merchant ships, 11,000 of them bulk carriers
–  4,300 oil tankers…
–  300 LPG container ships (over 5 million cubic meters of gas)
–  3 vessels certified to carry Nuclear "stuff" (civilian)
About Those Ships…
RDP to your Container Ship??
Remember That IoT Slide…
Make It Roll Over…
RDP to ship then Maintenance system scan to:
Ballast control module…May 2018
Recap:

IoT - Hacked
FinTech - Broken/Insecure
V2V/V2X - Lidar Bombs :)
Cows, Crops and Combines - Hacked
Trains - Hacked
Ships - Rolling Over
Final Thoughts
The ultimate measure of a man is not where he stands in moments of comfort and convenience, but where he stands at times of challenge and controversy.
Martin Luther King, Jr.
This SHOULD Be The Future
However, if we fail to collaborate…
I will fail

We will succeed
"So long and thanks for all the fish"
Douglas Adams, you are missed.

Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 

Destacado (20)

2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot2024 State of Marketing Report – by Hubspot
2024 State of Marketing Report – by Hubspot
 
Everything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPTEverything You Need To Know About ChatGPT
Everything You Need To Know About ChatGPT
 
Product Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage EngineeringsProduct Design Trends in 2024 | Teenage Engineerings
Product Design Trends in 2024 | Teenage Engineerings
 
How Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental HealthHow Race, Age and Gender Shape Attitudes Towards Mental Health
How Race, Age and Gender Shape Attitudes Towards Mental Health
 
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 

Oct2018 msp-css18-squished