
So yes, thank you everybody for coming to "The nation-state actor ate my homework". I'll explain the title in a sec. Quickly, a little bit about me: I began in the Cape Town InfoSec community, going to things like 0xcoffee, BSides Cape Town, things like that. You meet the right people and, yeah, I ended up doing the MSc at Rhodes, the snowflake class, because we were called the snowflake class, or probably maybe the anti-snowflake class. InfoSec is my day job; I work at Prodigy Finance. Yes, we're hiring: anybody who wants to be an AppSec engineer, we definitely need one of those, and obviously everybody needs developers all the time. So I take it you guys like questions. I'm gonna try and fly through this because there's a lot of stuff to go through, and then we'll run out of question time.

So what was the research? First of all, I looked at a whole bunch of nation-state documentation, source code, the techniques and tools that were described in there, and the actual tools that were released. This is coming from things like the Shadow Brokers, who dumped stuff, WikiLeaks (yay, thank you WikiLeaks for making things available to us), and also Snowden, lots and lots of information. It's a bit biased towards the Americans because, well, the information that got leaked only lets you see and observe certain things. Anyway, the idea was to find interesting things within that large body of information, or maybe bodies of information, and then look for multiple occurrences of those interesting things, to see that this tool was used and this other tool was used and they're similar, so you could maybe cluster them together and start to pick out the patterns. By looking at the patterns we can understand what's enabling the attack, what makes it possible, and from there you can start to do more useful things like defend against it.

So the process, just to give you an idea: when you're dealing with large, large amounts of data then you really want to be using things like grep, because you can't read it all. You want to use find and then pipe into pdfgrep, so you're running pdfgrep and you're basically just searching through lots and lots of data. Then maybe the first thing you search for is TOP SECRET, and off that maybe you search for SECRET, and so on you go, and then you find the little interesting bits: you find the CONFIDENTIAL and the Five Eyes only, and so on. So start by surveying all the sources, identifying useful files, then evaluate each file and find the best version of the file, because basically some of their wikis got dumped, so you'd find multiple versions of these files, some of them out of date. Sometimes there are interesting things in the older versions, and you go through and find the best versions and select them for further analysis, so you kind of go "this is the pile I'm gonna look at in detail later".

The other thing is, sometimes the data, we're not just talking about text files, you're also talking about binaries, and the binaries could also be things like PDFs. I mean, yes, we can use pdfgrep for some of those, but it's also interesting to look at the metadata, so do the metadata analysis using commands like exiftool, which I really like; it was very easy, and because it's command line you can script it, you can batch run it and say: find all these files, throw them at exiftool and pull out the data that way. If it's some binary, you can pull them apart, reverse them with something like radare2, which is actually a suite of commands, and you can literally put it in a debugger and have a look and see what they're doing inside there. So basically, if it's a binary, disassemble it; if it's metadata, look at it. Obviously don't disassemble every binary, in fact only a very small number of them, because it takes a long, long time to do that; that's a lot more manual.

So the overall process was: analyse content and collect these things. If you've seen it before, you kind of just increment the count, because there were so many of these things. When you're trying to say, this is the category, we've got a collection of things where this technique has been used, and oh, we found the same technique again, then you're incrementing it, so we're literally just counting at those points. Obviously, once you can't find another example, we've kind of got all the examples, then we start analysing them and describing the findings.

So the key areas we can talk about: we can talk a little bit about zero days; power and resource imbalances; the lone wolf attacker, which I think is one of the reasons why this is relevant, it's not just the nation-state actor who can do these things; hacking all the things, literally; inherent exploitability, one of my big favourite topics is that one; misattribution, because people think you can do attribution, and well, you can, but whether you can be right is a very different question; and some attacker pain points. The reason for attacker pain points is, well, if you know what they don't like then maybe we should do more of that, because it seems to be working.

So the original focus of the research, to talk about those quickly: it's often not the final result. You start looking for something, but you either don't find what you're looking for,
so what do you do? You can't just say "I'm gonna keep looking for the thing I can't find", or it's not there, so you don't do that. But what else can happen is you find other things that you were not looking for but that are very interesting, so then the focus changes, and this is very typical of academic research.

So where did it start? Why nation-state actors? After a hack, somebody blames nation-state actors: "well, there's nothing we could have done, I mean come on, it's a government, it's the North Koreans, it's the Americans, it's the Russians, it's whoever, what are we supposed to do?" So I don't like that excuse. I'm not saying that you can always stop things, but you can at least try. They do have a lot of resources, and they also do have zero days, so that makes it quite interesting. The reason it was relevant: individuals have done things like hacking hard drive firmware. The guy's surname is van... I think it's Cayenne; he's given a talk on that and shown how to do it. So if an individual can do it, well, it's not just the nation-state actor. If you look at the NSA with all the tools in the ANT catalog, that's literally been reimplemented, it's now called the NSA Playset, and people are all giving talks about this at DEF CON and Black Hat and whatever. So I think the point to take away from that is: just because the nation-state actors were doing it doesn't mean they're the only ones who can do it. So even if you say "hey, nation-state actors are out of bounds, out of scope, I'm not protecting against that", well, individuals are doing these things, so perhaps we should care.

And then, why zero days? Well, because defending against the known attack is actually quite simple. Okay, there's a bug in your piece of software, and if somebody exploits it then they're gonna get in. Well, patch it. You've got a configuration issue? Well, then fix the configuration.
But what about unknown attacks? That's to me a lot more interesting, and the reasons why, well, we'll talk about that in a sec. Basically there's always something new coming along, so even if we discover everything, we patch everything, and we've configured everything right, right now, what then? Well, it just takes a bit more looking; somebody's going to find some sort of bug in it, and okay, great, so there's going to be an update, then you run the new version of the software, which is gonna come with all new bugs as well to replace the old ones that they've fixed. Anyone who's done software dev, you know what I'm talking about. The analogy I like to use is that it's playing chess but you can't see all the pieces, and the rules are not set, so they change: you can do different moves, the pieces change, and hopefully at least the laws of physics apply and keep that constant.

So the problem context: technology is flawed. Either the design is wrong and it doesn't account for something, doesn't protect against something, or the implementation is flawed. So for example, if we assume that we have perfect cryptography and you just cannot break it, you'd have to brute-force it, but then we have the famous implementation error and, great, you can grab the keys out of memory. Well, okay, now there's a problem, because now you don't need to break the encryption, you just use the keys you grabbed. Human ingenuity, so novel attacks: people are always thinking about things, poking at them from different ways and figuring out new ways to do things, and this includes the nation-state actors, but obviously it's not just them. So if you have a design and you're catering for a certain set of attacks, you've got your threat model and this is what you're catering for, and then somebody else thinks of something you've never thought about, the odds that you've protected against that start to go down, unless you get really lucky, and luck doesn't really hold.

A bit more about the problem context: processes. I mean, you can have some pretty deficient processes, or you can have good processes. I've got a really good example: a parcel was supposed to come to me and it needed to be redirected, and I had to start filling in forms and I was sending off IDs and things like that. And I was literally just told that when the gentleman who was going to the airport, where the parcel was coming in from international, got there, they asked him for the forms, he got the parcel, they handed him the parcel and then they let him email the forms to them on his way out. So then it was kind of like, well, why did I fill in all these forms? Like, what's the point? Anybody could have gone and asked for the parcel: "sure, I'll email you, good luck with that".

People are vulnerable to exploitation. I'm not particularly talking about intimidation here, or things like that, but the lack of critical thinking. So if you think about phishing: you get this email and the email says "hey, we're doing a server upgrade and if you don't confirm your bank details the bank is going to remove your account". Like, no, no, no, no, the bank is not going to do that. Even if you don't understand what an upgrade is or what a server is, you are a client of the bank, but you're also how they make money. If the bank was going to remove your account, the bank would make less money; the bank's not going to remove your account, because they want to make money, that's why they exist. At the same time, the only time they will shut down your account is if there's major pressure from, for example, the government, or there's some regulatory problem, because otherwise they lose their banking licence or something, and then they really lose money. So people should think a little bit more; critical thinking is an underrated skill. But also lack of knowledge and understanding: if you don't understand how something works then it's easy to be bamboozled and conned into it.

Anyway, now we start getting to more of the fun stuff. So some of the results that came out of the
research: there were various attacker techniques, I've selected some of them because literally there's like hundreds of pages of stuff going on here; some defender tactics which I think are useful against these techniques of the attackers; some lessons that were learned; and some interesting observations, because quite a few of those were interesting.

So attacker techniques, starting with TEMPEST. If you don't even know what TEMPEST is, basically it's about electromagnetic radiation. So if you've got a computer, it's actually sending out EMF, electromagnetic radiation, which is a signal, a wave, and you can pick it up with an antenna. This goes way back: think of World War One with trench warfare and running a cable, but they'd literally run one strand and then use the earth, the ground, as the return path. So the other side figures this out and starts putting poles into the ground, and can hang wires and tap the signal. That's why you now have two strands, at least in the later versions of the cables that were being run. Shame, the poor guys got a heavier backpack.

Now, if you look at operating system functionality, it exists, so attackers have been moving more and more towards reusing the operating system functionality. I mean, why go and reimplement that which is already there? It just makes your binary size bigger, it takes more time, so it's more complicated, it might not work. So if you want to delete a file, just ask the OS to delete it for you; if you want to read a file, you don't have to go and write your own piece of software to do that.

Anti-forensics, it's a big thing. If you go through this there are some very interesting guides on it, and they literally have development techniques to avoid attribution: remove the timestamps, they say things like "don't set it to US time", don't leave the compiler flags in there, strip out the debugging symbols, and it just goes on and on. Very interesting if you ever want to see what other people are doing; don't do things like this.

They do hardware exploits as well, firmware, which we'll talk about now. So this is going deeper to avoid security; it's a bit of a recurring theme that was observed. So if you have the application and there's a problem in it and they break it, well, okay, cool, what about the operating system? The operating system can see what's happening to the application; it can say, okay, it's throwing errors, so you've got log files and the log files could be going somewhere, you could be looking at them. So there's a problem, which is why, after you get into the application as an attacker, you probably want to go down and get control of the operating system and delete those log files, clear your traces. The same thing with the hypervisor: it's sitting below the operating system, and as far as the operating system is concerned, it doesn't know, it thinks it's talking to some hardware. And you can go further down: the CPU's got protected mode, so the hypervisor doesn't know about that, and then you have a service processor below that. And yes, if you're a big government customer, and certain large corporates etc., they actually managed to get their laptops without a service processor installed; clearly some people think it's a very bad idea. It has direct access to the memory, like, that's useful functionality to have; it has direct access to your network card and can use that without you knowing about it, and obviously the operating system can't see this, so how does your malware detection know about that? So one of the key takeaways from the talk is: can you defend against something you can't see? It's beyond the scope of what you control or what's visible to you, so if you can only see the OS, now what?

So if you look at what the attackers are doing: examining malware to learn new techniques. As I recall, I think the CIA was outsourcing it to Raytheon or the like; another company was going through malware that was coming out, new malware, and saying "hey, here's a new technique, we haven't seen this before", and then incorporating it into their software. They would also do a lot of testing against security products, and not just McAfee versus Kaspersky versus Norton or whatever it is, but McAfee Standard Edition, Enterprise Edition, etc., McAfee or Kaspersky with an internet connection, without an internet connection, because the antivirus software, or the anti-malware software, behaves differently. So they keep testing until it goes through undetected. It does give you pause for thought about how good is the software you've got, and what's it going
to pick up.

Some of the defender tactics: learning from attackers. If we look at what they're doing, what is their behaviour? They're sitting there, they're looking for vulnerabilities, they're fuzzing or they're looking for bad code and they're trying to find these. So we've probably got two options: one is we could fix them, and the second one is we can monitor them. I wouldn't really advise not fixing them and only monitoring them in your production, but if you have a dev environment or you have a honeypot environment then perhaps not fixing them and just monitoring them might be very interesting. If anybody's ever poking at that hole, then I'd take it as a sign that I have problems coming.

The other thing is attackers respect this, and if you look through the documentation you'll literally find warnings like "if you see database auditing, stop now and go and get the guy who really knows what's going on here". Same with "if you see remote syslog, do not hack this firewall, do not run this zero-day exploit against this device", whether it was a Cisco ASA or it might have been a Juniper, but anyway, they're talking about remote syslog. So they're really, really cautious of that, and they say things along the lines of: if you see this, do not go forward until you've at least disabled remote syslog, or you have gained control of the remote syslog server, so that you can erase your tracks.

Core dumps is a similar one. They're talking about, if you're attacking an application, for example, I think it was Solaris, when you cause the application to crash, then it's going to, by default, write out a core dump file with the memory. Now, if your executable, your attack code, let's say your shellcode, is in the memory of that application, it's going to get dumped into the core file. So they talk about running it again without a payload in order to overwrite the dump file, to make sure, sorry, the core file, the core dump, to make sure that somebody can't go and reverse it and grab hold of your nice exploit code. Now, there are some interesting things you can do about this. If we know that, we can say, like, I'll put a timestamp or something that makes it unique, so that every time it writes out a core dump file you get a different core dump file, so they can't then rewrite it. Well, I mean, by the time you get like a hundred of them, it could be quite a good tell: we're gonna look at the first one now. You can also do a few things like export them to a remote system, maybe a remote filesystem, make sure they get copied somewhere, where another system that's really locked down has them.

But the thing is also, why do they respect these things like Tripwire? Probably everybody knows what Tripwire is, but basically you baseline the file system and you fingerprint it, and if somebody starts changing it then you know you've got a problem: somebody's got in there, they're making changes. Why do they care? Well, they don't want to be detected, they want to maintain covertness. One of the reasons why probably people don't realise they've been breached for so long is because people are trying to keep a low profile.

But what does this mean for defenders? Firstly, we should use these and similar techniques, the ones that they don't like. We should also understand what's happening here. Effectively it's the same problem, where you can't observe things and you can't protect against them because it's happening below, beneath or outside of the scope that you control; here we're effectively externalising the defences, so we're going out and out and out. So for example, let's say the system is completely compromised and they're into the firmware, they've put stuff in the hard drive firmware and you can't see it, and now they've got persistence and they're doing all these great things, or terrible things, depending on which side you want to look at it from. Then, wait, how are you gonna pick this up? One thing that they probably want to do is still to exfiltrate the data, so if you control the network and you can at least monitor the network traffic, you should maybe find it going to unusual IP addresses or at unusual times. So you can look for things like time, location, the type of traffic. I mean, the one thing to do, though, for the attacker, is to hide in plain sight or do the steganography route: they should know where your traffic is going and then put something there
and kind of try to hide amongst the herd of data going off to wherever it is, whether it's Google Drive or Facebook or whatever your employees are doing all day.

So another thing that came out is lower barriers to entry for attackers. The cost of technology continues to drop. If you look at some of the things that the attackers were doing, some were very, very expensive, like 175 thousand US dollars, two hundred and fifty thousand dollars, for things like imitating a base station, but some of the things are very cheap, these little retroreflectors. And with the cost of hardware, if you look at the electronic badges, as I recall the cost was about 400 Rand a pop, I think, in terms of components, and there's quite a lot of stuff going on in there. If you think about Raspberry Pi, how that's brought down the cost of things, Arduino, all these hacker things, this is well within the scope and the means of, I think, the average person who owns a soldering iron and has got a computer, and that's probably about it. If you own those two things you can definitely afford the next bits. Anybody who's got the electronic badges, there's an ESP8266 in it, and you might want to have a closer look at that code.

Hardware reuse: they're literally making these things modular. So one of the problems, if you're writing software and it gets detected by one of the vendors, Kaspersky or whoever, they flag this thing as naughty, and then if it gets used again, well, it's going to show up and the alarm bells are going to go off, because hey, it's already been identified as a problem. So you make it portable, or maybe plug-and-play: you take the little bits and pieces, so you have the first thing to get your initial foothold, the actual zero day, or maybe the non-zero day, if you're talking about somebody with really old software, Windows XP, you don't need zero days, who's patching that? But you can also have different payloads. So if your payload gets found, the payload to collect all the data or to scan the network, if that gets identified you can swap it out with another one, and now instead of having to build a whole new piece of software from scratch you just take the old one out and put a new one in. Same thing with maybe the way it deletes itself or the way it covers its tracks, so, modularity. The hardware reuse, for example, is just swapping out the exfiltration: a Bluetooth module versus a Wi-Fi module, 2G, 3G on the cellular side, and so on.

Now, a fun thing: I found a lot of portable apps, they had a long list of them that were using DLL hijacking. So it started off with, well, why is this the case, why when an app is portable does it suffer so much from this problem? And I think anybody familiar with DLLs knows there's a search path, and it goes and looks at the first location, the second location, to find the DLL, and oh, it's found it. But when you take the application and you port it to a USB, how many developers actually go and remove all those search paths? So they're still there, and knowing that, you just put the DLL where it's going to find it before it looks on the USB drive,
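The search-order behaviour described above, as an added example that is not from the talk: a small Python model of the default Windows DLL search order (the assumption being that SafeDllSearchMode is on and the application does nothing to alter the order, so no SetDllDirectory, LoadLibraryEx flags or manifest redirection). It resolves a DLL name the way the loader would and lists the directories an unprivileged user could plant a copy in that are consulted before the legitimate copy is reached. The directory layout, file names and the set of user-writable directories are all made up for the illustration.

```python
"""Model of the Windows DLL search order and where a hijack copy could be planted.

Added example (not from the talk). Assumes SafeDllSearchMode (the default)
and an application that does not change the order via SetDllDirectory,
LoadLibraryEx flags or a manifest. Directory and file names are made up.
"""
import ntpath
from typing import Callable, Iterable, List, Optional


def search_order(app_dir: str, system_dirs: Iterable[str], cwd: str,
                 path_dirs: Iterable[str]) -> List[str]:
    """Directories in the order the loader consults them for a DLL given by name only."""
    return [app_dir, *system_dirs, cwd, *path_dirs]


def resolve_dll(dll_name: str, order: List[str],
                exists: Callable[[str], bool]) -> Optional[str]:
    """Full path of the first copy found along `order`, or None if no directory has it."""
    for directory in order:
        candidate = ntpath.join(directory, dll_name)
        if exists(candidate):
            return candidate
    return None


def hijack_candidates(dll_name: str, order: List[str],
                      exists: Callable[[str], bool],
                      writable: Callable[[str], bool]) -> List[str]:
    """Writable directories searched before the legitimate copy.

    A copy of dll_name dropped into any of these wins the lookup. If the DLL
    is not found at all, every writable directory on the path is a candidate
    (the app would normally fail to start, and a planted copy 'fixes' that).
    """
    legit = resolve_dll(dll_name, order, exists)
    found = []
    for directory in order:
        if legit is not None and ntpath.join(directory, dll_name) == legit:
            break
        if writable(directory):
            found.append(directory)
    return found


# Constructed layout: a portable app run from a USB stick by an unprivileged user.
APP_DIR = r"E:\PortableApp"
SYSTEM_DIRS = [r"C:\Windows\System32", r"C:\Windows\System", r"C:\Windows"]
CWD = r"C:\Users\alice\Downloads"
PATH_DIRS = [r"C:\Tools", r"C:\Program Files\Git\cmd"]

FILES = {
    r"E:\PortableApp\app.exe",
    r"E:\PortableApp\bundled.dll",        # shipped alongside the exe
    r"C:\Windows\System32\version.dll",   # genuine Windows DLL
    r"C:\Tools\helper.dll",               # needed by the app but not shipped with it
}
WRITABLE = {APP_DIR, CWD, r"C:\Tools"}    # what the unprivileged user can write to


def demo() -> dict:
    """Resolve a few DLL names and list where each could be hijacked from."""
    order = search_order(APP_DIR, SYSTEM_DIRS, CWD, PATH_DIRS)
    exists, writable = FILES.__contains__, WRITABLE.__contains__
    # Attacker drops helper.dll into the user's download folder (the cwd),
    # which the loader consults before PATH, where the legitimate copy lives.
    planted = FILES | {ntpath.join(CWD, "helper.dll")}
    return {
        "bundled": resolve_dll("bundled.dll", order, exists),
        "version": resolve_dll("version.dll", order, exists),
        "helper": resolve_dll("helper.dll", order, exists),
        "version_hijack": hijack_candidates("version.dll", order, exists, writable),
        "helper_hijack": hijack_candidates("helper.dll", order, exists, writable),
        "missing_hijack": hijack_candidates("missing.dll", order, exists, writable),
        "helper_after_plant": resolve_dll("helper.dll", order, planted.__contains__),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Against a real host, swap the two set lookups for os.path.isfile and lambda d: os.access(d, os.W_OK), and feed in the real PATH (os.environ["PATH"].split(os.pathsep)); the list of DLLs a given portable executable asks for by name comes from its import table, which this model does not read. The point the model makes is that even with the application directory searched first, a DLL the app does not ship (helper.dll here) is resolved from wherever it turns up first, and a writable application directory on removable media is itself ahead of System32 for anything the app loads by bare name.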
and yeah, an easy way to get it to load your code.

Some lessons learned. Air gaps have been dead for a long time; basically it just means they're being compromised, and there are even examples from universities, I think it's Ben-Gurion University in Israel, they've got loads and loads of examples of these things. Literally take a USB device and start making it work like a radio: a number of reads and writes creates a little signal, you get a little wave, and then you can put information out over that, and then you can listen for that and grab it. So the advice has always been, well, it has not always been advice, which governments keep under wraps, is basically you keep red and black separate, so you're basically just increasing the distance, because the power falls off with the inverse of the square of the distance. So if you start putting in a bigger distance, like this room versus that room over there, it's much better than having the computer versus the computer both plugged into the same wall sockets; there's a nice copper connector and you can start pulling things out of the power supplies and things like that. Very difficult to do these things, but it's definitely possible; literally you can go and check the demos.

Another thing is the attack surface varies on access. So if we have a system on the internet, that's one set of access; you have the same system on an internal network, it's a different level of access, your threat model should be changing dramatically; and the same system not connected to a network, because it's like much harder to get onto this machine now, because it's not on any network. This machine was just sitting next to another machine and all it did was run that machine; that does help, although we all know about Stuxnet and things like that, where sneaking it in with the USB is a good way to get around that, but a much, much greater level of, how are you gonna say it, resources were required: time, risk in terms of being discovered.

Another thing, for example: apps trust. Well, this was Oracle in this case: the database is there, it trusts the OS, and the layers below that you trust. So you add your user to the dba group and as far as Oracle is concerned, hey, you're the dude, you're the systems administrator, on the database.

More lessons learned. I like this one a lot: security principles are often ignored, especially if you're Intel and you try to really make fast processors and you're going hugely into speculative execution. I'm pretty sure we all know about Meltdown and Spectre now, but the thing is, they're ignoring what they should be doing: they're accessing memory they don't have access to, but only speculatively, and "we'll throw away the result when we find out that it's wrong". Yes, but it's already in the cache, because you've done a fetch for memory, which is what the cache is for. And then, thinking about this, you get to the interesting point: you get information leakage via an actual side channel, but you can also get information leakage which is derivable from other readable information, for example the cache: oh, it's fast, it must be in the cache, okay, I guess we've got that piece of information, like, oops, is it these eight bits or is it those eight bits, and then you find out which one's quick, and then, okay, I guess we've figured out those eight bits.

You could also look at faults. So for example, I mean, enumeration is the famous one, like the login thing: we don't say "hey, you got your password right, bad username, wrong password", because then you're allowing for enumeration of the username. But what happens if you've got an error message saying, like, whoa, hang on, exception, and it keeps giving all the data, like, here's the API you're talking to, and here's the token we used, and so forth, etc., and oh, the fault was the other side wasn't responding? Like, great, so I'll just try again and we'll see. So not just for cryptanalysis; I think anybody who's looked into that famous one, you're looking for an oracle, because you can't get at it directly, you look from the side and you poke at something and you're either doing power analysis or timing analysis or size analysis if you have compression.

Some very interesting observations that were found. Sanitising a git repo is really hard. WikiLeaks in general does a very, very good job of sanitising information: you find a PDF and it's been stripped, there's no meta information at all; you go and find the same PDF, because it's just a PDF that somebody's downloaded from wherever, like Kaspersky has got some research, and I think that was one of the examples, I found the original and they were just talking about GrayFish and some of the stuff that they found, and then you look at the exact same version, it's the same file, it's just had the meta information removed. So they were quite good at scrubbing it, but as we all know, developers checking binaries into git is bad, because you're checking in a PDF, and well, we can extend that and go and find the people's names in that one. So, interesting to read these people's names. So OPSEC is important, because they were literally using their real names. I mean, you work for the CIA, the NSA, and you're on the wiki with your real name. And yes, WikiLeaks went and scrubbed the stuff really well, but if you look, using the right commands, you can look at the git repo, and even though they've scrubbed most of the commits' welcome messages, and you see they've removed the people's names, you can actually go and find these people. And I'm not mentioning their names, but it's interesting when you go and look up their names, you go, like, oh, the guy says he used to work for the CIA, looks pretty legit then. And I don't think this information has been falsified, because it'd be quite tricky to know that somebody's going to make a mistake in git and then somebody else is gonna miss it and then somebody else is gonna go and look.

Very, very interesting was the industrialised malware production; this has been done on a vast scale. They have test beds set up and they're testing this stuff, they're using agile, they're having retros, they have stand-ups, they're using source code management, wikis, it all looked like Confluence, and that's how, if I had to take a guess at how that got dumped and turned into a WikiLeaks leak, I think somebody got hold of a backup. Then we
have misattribution she's a horseman quash mistress avoiding attribution so first thing you can do is you can scrub the artifacts out and literally you know the compiler Flags you can change the variables and again like these organizations have long lists of they're not that long they've got good advice on their wiki's of how to avoid leaving anything behind that's going to be used to you know point you out like like what's the keyboard settings like what's the time zone what's the low call and like just they just scrub all that stuff out but Allah far more interesting thing to do is like well you know people gonna be looking they're kind of reverse engineer this they're going to do some
forensic analysis on this like they found this piece of malware and it's caused havoc on their system is well it cost them millions would have called the right people in it's been found why don't we just give them something to find and so it puts a few artifacts in place and some really great examples of marble and fourvel and they're literally mangling I shouldn't say mangling who they're encoding and decoding effectively so it's still the program still works they're swapping out characters Unicode characters specifically into things like variable names so anybody looks at it will then find things like you know oh here's some Arabic at the top or you can choose Chinese or Russian or Korean or Farsi
which is very very similar to Arabic but it really makes people wanna come on who's using you know Russian long it's got to be the Russians right that can be common or not it's the case maybe the other thing you can do is attack by a third party so this was just a list of the domains that were of systems that were compromised for pitch and peer and intonation which r2 was basically I suppose exploit slash implants which is the word they like to use for florists machines actually at carrots Laura's Linux and a bunch of different operating systems from all the UNIX ones the ones typically use for web servers and a lot of these were in universities if you
look up the domains or the IP addresses, you can see that, you know, it's like Japan and Korea, there's quite a nice big number there, next to Russia there's a decent number, and, you know, on you go, India etc., and China, a really big number. Well, these are actually all large countries in terms of population size, the number of computers, the number of universities, so it really stands to reason. And this stuff does get used later, which is great fun. The one thing I was talking about, though, is, you know, people are trying to be covert, and that is why they're worried about being discovered, and remotes this log, you know.
China is kind of taking a different stance on this. They're like, hey, Great Wall, Great Firewall of China, so you basically only use their local services. Not only, but trust me, it's much easier to use WeChat there than it is to use WhatsApp. Encryption is also blocked at the VPN level; to register that VPN you have to be a Chinese company in China, and you probably can be handing over the keys. So it's very overt: we all know the Chinese are looking, the Chinese know that we know, like, we know that they know, and, you know, it's kind of, it's [unclear], but, you know, they're not going to be worried about being found out that
they're looking, like we all know it already, so that changes the calculus there. But, a bit of an anatomy of a hack. So actually hacked, we've all heard of the SWIFT, I'm pretty sure the SWIFT network, the one in EastNets, is the one where the CEO is very adamant they're not being breached; like, no dude, no, you definitely, definitely were breached. Nice little bit of timeline: you can see starting in 2012, going through quite a bit later into 2013, so more than a year, which is why I said that if you don't know that you've been breached you can't do anything about it. There are some really good write-ups on this. I haven't
seen a timeline like this. I suspect some of these are slightly wrong in terms of the dates, just because the Yanks have a very special way of dealing with dates, and sometimes the day and month are swapped around and sometimes they're not, so it depends on who's writing it, I suppose. So the first time, they actually got in with a zero-day using blyer, and yeah, they literally broke into the firewall, so the nice, I think it was a Juniper, doesn't really matter though, they had a whole long suite of these things for different vendors. And yeah, popped onto the firewall, and the second thing they did in that instance was they installed an implant onto a Windows server, and
basically that was going to be their foothold, now with a callback, or, you know, if the network's going out against, respond to connections. So the second time, so this is a few days later or a month later or whatever, they just connect to the Windows server; you don't go and reuse the zero-day, you don't have to break the firewall again, you've already got your foothold, and now you do a network scan. So they're starting to enumerate, and anybody who's done a bit of pentesting, they're starting to prepare for lateral movement, right? Then enumerate and spread. So third time, connect to the Windows server, and now they're looking for the Oracle databases, so we could see what they're finding. They try to get
into the database and collect information off it, they, they failed. It's great fun reading their notes, and then the notes say, like, oh, you know, I think they use the word "talked" a lot, and anyway, I'm like, you know, they bugged out. Fourth time, they connected to the Windows server and this time they successfully surveyed the Oracle database; by survey I mean they grabbed the data out of it that they wanted, made copies to local files, and they uploaded these files, and they used nice random names that look very much like Windows, I think, temp file names, so you won't find funny file names, and then deleted them. Cover your tracks, right? They actually even ran a
QUANTUM campaign, I think in MIDI lookup, very interesting stuff. QUANTUM is like man-on-the-side, not quite man-in-the-middle but a very similar concept, against the employees. So they were trying to gather information; they were connected to the Windows server, of course, that's how they started, and they would scan the network. This time they're looking at more the workstations, the people, and they were looking for specific individuals, like by name, trying to find, I think they had their credentials, and I think they were trying to use those credentials on the inside. Now the sixth time, the four different Windows servers, doing maintenance, because you've got to patch your software even if you're the attacker, apparently. It's quite fun. Some
things you can take away from this, though: so they used varying compromised jump servers, so I didn't include them in these slides, but every time that they did one of those intrusions they came from a different part of the world, back to that other slide I was showing you. And they used a lot of scripted, automated tools; they weren't going and figuring it out on the fly, like an SQL query to survey the database, they had them. I mean, the first one didn't work, they just bugged out, went and tried again and put it together again. I mentioned it lasted more than a year, so it's not just, was a certain, was it,
who was that again, Target I think, who didn't realize for quite a while. So apparently the SWIFT network, who does banking, awesome, well documented: the network diagrams, I think a network engineer would be proud of them, they had, like, little bubbles for the internet and different offices and how they tied together with the VPNs, the local networks. They had dumped the contents of DNS, they had lists and spreadsheets, and they had credentials that contained, dumped the configs of the routers, they dumped the configs of the VPN devices, little tree head, they had everything really. So when that dude who's the CEO says that they were not compromised, like, no, you know, you definitely were. Hack
all the things. If you go look there you'll find they put scripts on grabbing the, the password database, or attempting to grab the database from MikroTik routers, Apple AirPort Time Capsule. I, uh, I used to have fights with people about Apple being secure; like, it might be more secure, but it's not secure secure. It's like, you know, you've got one window in your house that they can break into versus, you know, five; they're looking to be in your house. They pull apart the firmware, so they buy these things, they pull them apart, you'd use open-source tools now, at the time it wasn't, Binwalk, they literally go through the firmware. The firmware tends to be
packaged and packaged in the package, and by that I mean they pull out one chunk of the firmware, and that's another archive, and extract that, and they're literally looking for things like the keys they used for encryption, because why try and break encryption when you can just get the keys. Also break software, create hardware implants and firmware as well; it's not on the slide. So one of the things I'd like to touch on quickly is inherited exploitability. If we think about phones, they broadcast, they're looking for the network, saying, hey, I'm here, are there any base stations I can connect to, and that's the way it's been designed, so back to that design
principle at the beginning. So it's possible to set up a listening post or a tripwire to say, like, hey, if this phone that I'm looking for comes into distance, you know, through the NSA or the CIA or whoever, and you're looking for someone, GRU I think, let's blame the Russians; then when that phone gets into, well, I suppose, distance close enough to be, you know, identified, then you can say, like, oh, now we know this person has rocked up. So, you know, if you're going to do crime you probably don't want to be carrying these things, as the takeaway from that. DNS is public, it's meant to be read, it's not the only source, but if you have DNS
records, you put them in it, you want people to query them, so the attacker is going to query them. Who's going to make their lives easier? Let me dump the DNS; now I know what you have, it's a nice set of, here's all the systems to go and have a look at. So that's what attackers can use to enumerate. The fun thing about these things is, like, they're a double-edged sword, or, you know, it's two sides of the coin. So you can modify the design, okay, it's very, very difficult to do, there's something with a cell phone network, maybe with 6G, maybe they'll fix some of these things. You know, the base stations
do the announcing, all the shouting, saying, hey, I'm here, like, yeah, any phones, like, still here, just, just talk to me; maybe they could actually, like, certify that they are who they say they are, much like a server on the internet has got a certificate saying that it is who it is and it's trusted by various parties, and maybe not just one, maybe multiple, like a web of trust instead of a chain of trust. You can put interesting things in DNS for attackers to find that you are monitoring for, like honey tokens effectively, and monitor for them. So kind of flipping it on its head: like, if they're going to come and find things or
look for things, you know, it's not just anti-forensics and misattribution; like, the attackers, yeah, have a look, we'll be waiting for you. People: educate and upskill, support them with technology and processes, because you don't want them to be the only point, the single point of failure. A quick check to Rudman, who was talking about MFA and why, you know, banks don't use more of that; sometimes the customers are silly, they just put the stuff in anyway. Some of them are quite good, though, they're resistant to man-in-the-middle attacks because they know where they are supposed to be used and they won't allow themselves to be used, they're not going to talk to some
proxy, so everything will be like, that's not where I'm supposed to go. Processes: it's just a maturity model. First, you should be identifying them, you should document them and define them, that these are now processes, obviously you should implement them, and you should enforce adherence, so you should probably be monitoring them, and they shouldn't be static, so you should have continual improvement going on there. Closing thoughts: so there's always going to be bugs, or zero-days if you want to call them that, these will always be exploited. This is the defender's dilemma, which is that the attacker only has to get it right once to get in; I think the IRA used to say that.
Interestingly, there is also the attacker's dilemma, which is kind of the inverse of that: the attacker only has to make one mistake to be detected. So if you're looking you've got a chance, and I would say operate accordingly. So thank you very much. Questions, maybe about why something is the way it is, or more information about something; I had to fly through that to get it done. Yes? No? Yeah.
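A defender-side illustration of the DNS honey-token idea from the talk, added here as an example and not part of the presentation: decoy records that no legitimate system ever resolves, plus a small scanner that flags any client whose queries hit them. The decoy hostnames, client addresses and the simplified query-log format are all constructed.

```python
import re
from collections import defaultdict

# Constructed decoy names: published in the zone, never used by real systems,
# so any lookup of them is a signal that someone is walking a DNS dump.
HONEY_TOKENS = {
    "backup-db-old.corp.example.",
    "vpn-legacy.corp.example.",
}

# Simplified query-log line: "<ts> client <ip>#<port>: query: <qname> IN <qtype>"
# (constructed format; adapt the regex to your resolver's real log format).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)

def normalize(name: str) -> str:
    """Lower-case and make fully qualified so comparisons are exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."

def is_honey_token(qname: str, tokens=HONEY_TOKENS) -> bool:
    """True if qname is a decoy name or any label beneath one."""
    q = normalize(qname)
    return any(q == t or q.endswith("." + t) for t in tokens)

def scan_query_log(lines, tokens=HONEY_TOKENS):
    """Return {client_ip: [qnames]} for every query that touched a decoy.
    Lines that do not match the expected format are skipped, not trusted."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if is_honey_token(m["qname"], tokens):
            hits[m["ip"]].append(normalize(m["qname"]))
    return dict(hits)

# Constructed sample: one normal lookup, two decoy hits from one host, one junk line.
SAMPLE_LOG = [
    "2024-03-12T10:02:11 client 10.0.0.5#53422: query: fileserver01.corp.example IN A",
    "2024-03-12T10:02:14 client 10.0.0.77#41002: query: backup-db-old.corp.example IN A",
    "2024-03-12T10:02:15 client 10.0.0.77#41003: query: admin.vpn-legacy.corp.example IN AAAA",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for ip, names in scan_query_log(SAMPLE_LOG).items():
        print(f"ALERT decoy DNS lookup from {ip}: {', '.join(names)}")
```

The decoys only work if nothing legitimate ever references them, so keep them out of configs, monitoring checks and documentation.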
I didn't, I didn't find the training for groups of people, like, external to their organizations; they definitely had, like, hand-holding and new developers and buddies, buddy systems and things like that, so literally it's running like a professional organization. These people are rocking up, their nine-to-five, and so you think about the manpower that's going on there; yes, the scale is quite large and you can get a lot of things done that way. The closest that I found, the thing that I think is the most valuable, is something Kaspersky has talked about: they're looking at the code and the way it's written, and they say, like, they're looking at the style of the code, and I think that is harder, it's harder
to fudge, because you actually have to write code, and you write code in a certain way based on the way your mind works. So that, I think, is probably the closest; anything else is much easier to fake. It's not to say you can't imitate somebody else's coding style, but it's a lot harder. So that's the closest. Location, you go through a third party, and forensic artifacts, you can scrub them and you can insert other ones. I mean, I don't know if anybody else can think of something.
They were literally pulling apart the code, they had to reverse engineer to actually get to the code, so I think a lot of the stuff ends up looking a lot more like assembly, or simpler, depending on how you want it said, and they started picking up recurring things. So a lot of it's a human, you get, you get familiar if you keep looking at the code. And I think the NSA came unstuck because they were doing things that were interesting, outside of the norm: they were using custom crypto, so, like, that stands out, like, well, who does this? And then they were initializing it using negative constants instead of positive constants, which is the default,
so, like, they really made themselves stand out and were quite unique in that way, and, like, nobody else is doing it. There are a few other ones; I think sometimes the way they did, was it, the locking mechanism, I think that also stood out. So unique things stand out; if you go and use open-source software and you reuse that, well, now it just looks like a piece of open-source software. So yeah, sort of, that helps on how, how to spot these things, but a lot of, a lot of manual effort.

Yeah, in terms of technique, in terms of technique from the attackers, yeah, I mean, to me, one thing, one thing that really struck me
is that when they were doing the stuff, like actually using the things, would be started, for the initial get-in, and just like a pentest, penetration test, it seemed very, very similar. It's like one of these guys are penetration testers, you know, so what they do and how they approach a problem, and how pentesters approach a problem, seems to be very, very similar, maybe with bigger resources; you know, you can have custom hardware and, you know, imitate base stations, although nowadays you can buy those things, don't let the customers find them. Pineapples etcetera is the Wi-Fi equivalent of what they're doing, so the parallels are quite striking. Yep.

So do I do anything? So one thing I
talked about was the network monitoring, so I do like network monitoring, and blocking things off like that, compartmentalizing things. So yes, it's compromised, but now you'd better get there and have your own Wi-Fi signal into this thing in order to be able to get the information out of it, because I'm not looking to provide you the network, or if I do I'm going to be watching what you're doing. So big, big fan of monitoring, things like that. I also like to upgrade firmware a lot myself, so, you know, if you think the firmware has been compromised, I would say dump the firmware; you can also read the firmware, dump it and then checksum it, so
you know that it's good. So there are strategies that can be put in place.
[Applause]