
State of The Net

BSides London · 2018 · 44:44 · 1.9K views · Published 2018-06
Style: Keynote
About this talk
Technology around us is changing faster than ever. We've already become dependent on our digital devices, and this is just the beginning. As connected devices open new opportunities for imagination, they also open up new opportunities for online criminals. What can we do? NOTE: Some content has been edited out at the request of the speaker.
Transcript [en]

Hello BSides London, indeed. My name is Mikko, and the TCP/IP protocol, which really is the groundwork underneath the internet, was invented in December 1969. If you actually go to Stanford University there's a building called the William Gates building, which is called the William Gates building because Bill Gates donated the money to build the building, and in the lobby of the building they have a plaque on the wall memorializing the innovation that was TCP/IP in December 1969. And just to put myself on the timeline, I was born two months before that. I was born before the internet, which means I am a dinosaur. I've been working with computer security and reverse engineering and malware

hunting for longer than some of you have been alive. I started working with F-Secure, the company where I still work today, in 1991, and in 1991 problems were quite different from the ones we have today. My own background with computing starts from the 1980s. I started programming at the age of 12, I sold my first programs at the age of 16, I ended up writing routines and turbo loaders for the computers at the time, and had games. Some... actually I was really proud that last February one of my early games from 1987 was actually entered into a museum. I have an early work from my teenage years now immortalized in a museum in the city of Tampere, which is in

Finland, which is where I live. So how did this all happen? Like how did computers change from the early 1960s stuff, this stuff, to where we are today? How did we get here and where are we going to go next? Now if you've seen my talks on YouTube you know that I quite often carry around a floppy disk, an old virus from the 1980s, just to illustrate how much malware has changed, but I've actually now started carrying something even older. This is a punch card. A punch card is 120 bytes of information on a piece of paper. This is how you would program mainframes like these IBM mainframes in the 1960s, and over the

years these computers started to become interesting for wrongdoers, attackers. Originally pretty innocent stuff: when I started analyzing malware in the 1990s it was just like a fun game, like playing a game of chess against an unknown enemy, because all the attacks we saw, all the malware we were analyzing, they were being written by teenage boys for fun. We were really excited every time we found a new piece of malware. We found another one and we spent days reverse-engineering it in full, and we printed out the code and we made notes and long write-ups, and then we were waiting for the next malware. It was exciting, and today it's not very exciting anymore at all. We find hundreds

of thousands of malware samples every single day, and they are not being written by teenage boys for fun. They are being written by organized crime gangs, they are being written by foreign nation states, intelligence agencies, militaries, even extremists, and if someone would have told this to me 27 years ago it would have sounded like science fiction. But the main motivation of attackers today is money, and money is a good motivation. Most of us go to work because of money, although that's actually not entirely accurate. I was actually in a workshop last week; one guy from Google, from Google's security team, made a really good comment. He just mentioned in passing that he's been working as a

manager in different companies in different roles, but now that he's been working in information security at Google as a manager, he mentioned it feels sort of like cheating. Like working as a manager where your employees, where your team are all working in security is sort of like cheating, because you don't have to motivate people. People already know it matters, people already know it's important, people come to work understanding what's at stake. They know they are the good guys fighting the bad people, they know they are there to help people. We know this is what we do, and I thought that was really profound. It's actually true, you know, like when you work in this

industry people rarely need motivation; they do understand what's going on. So if money is the main motivator for attackers, how is it being made? Well, it's being made with botnets and banking Trojans and denial of service attacks which are launched against online stores. It's being done by ransom Trojans, keyloggers, credit card theft, spam, any way you can imagine that somebody could be making money, somebody is making money with that. A really good example of that is the first time I heard about Bitcoin. The first time I heard about Bitcoin was in 2011 or 12; the paper is from 2000... December 2009, it was really obscure for the first two years. The first time I heard about Bitcoin was that we were analyzing

a piece of botnet hosting code in our labs, and what the bot was doing on infected computers was not sending spam or stealing credentials, it was stealing CPU cycles to mine for bitcoins. Imagine that: a new innovation like Bitcoin, the very first time I hear about it is already illegal use, already botnets being used to mine, using CPUs to mine for bitcoins, which you could still do back in the day. So these guys are pretty innovative. It's sometimes hard to be angry at these criminals when they are so creative and innovative with their attacks. A good example of that is an attack we were looking at last December, November, December. We believe it was a

governmental attack. I can't name the nation that was behind it, but it was China, and this was targeting a defense contractor, a European defense contractor, and they tried getting in over and over again. The reason why we use the term APT, the real importance of the letters, is P, persistent. Criminal attackers who want money are not persistent. They want money, they don't want to attack you or your organization or your client, they want money. If it's too hard to get into your network they will just forget about it and go somewhere else. That's what money-making criminals do. But intelligence agencies want information from a particular organization, and that's what they're trying to get into. If they can't get in

they will retry, if they can't get in they will retry, until they get it. They will not change their mind that I'm no longer interested in this information, I'll go and hack someone else. They are persistent. That's why they are so hard to defend against, and that was exactly what was happening in this case. The persistent attacker was trying to get into this defense contractor over and over again, searching, port scanning their public facing networks and trying to find VPN exit nodes and trying to find vulnerabilities in their web services, all kinds of stuff, eventually starting to target employees with emails with attachments, with macro based exploits in Word attachments, with links

to exploits. Even that wasn't working; the employees were very well trained, they had really good filters in place. And then they tried sending employees, key employees, emails which were really simple, which were just emails which were thanking those employees for subscribing to their mailing list. Thank you for subscribing to our mailing list, from now on we will send you a new and exciting email every day, best regards, YouPorn. Now just think about this for a second. You're at your workplace at your laptop and you get this email and you're like, holy hell, like who the hell has subscribed me to YouPorn, does anybody see this, like where's the unsubscribe link, and you click on the unsubscribe

link and that's the exploit link. And that's pretty clever, you know. Not even mad, not even mad, five out of five. You sometimes have to respect the attackers when they get creative, you know. And one thing I've started doing whenever I visit our customers or prospects is that at some stage I ask them to show me around: could somebody take me for a walk, I'd like to see your facilities. And they're always very happy to show me around. Let's go for a walk. So here's our design people, here's our manufacturing people, here's sales, here's marketing, here's the top management, this is the CEO, nice to meet you. And then I

ask could we go to the financial department. All right, let's go to the financial department, which always means you go to the top floor and then we meet the financial people: here's our CFO, here's the controller, nice to meet you. Then I ask who are the people who pay the bills? Who are the people who pay the bills here? Let's go and meet those. And so far, every time, the people who pay the bills look like this: middle-aged ladies, really nice people. If it's a medium-sized company it's one person, if it's an enterprise it could be five or six or seven people like this. And we have a chat. So what do you do? Well, I pay the

bills. Nice, how do you pay the bills? Well, I use this corporate online banking interface with this smart card reader. Huh, nice, can you show me the computer that you use to pay these bills? Sure, yeah. You go and she shows me her desktop running Windows 7 or maybe Windows 10. All right, cool, how much money goes through this computer every month? And now of course the answer depends on the company, but it's always a lot of money, like you know six hundred thousand euros, eight hundred thousand pounds, two million dollars, depends. And then my last question: could you now show me the computer that you use for Facebook and Google and, you know, YouTube? Where's that?

And now she's confused: but how do you mean, I'm using the same computer. And you can almost see the light bulb go on on top of her head, because I just told you I move two million dollars through this computer every month, why am I going to Facebook with the same computer? Because computers are cheap, and that's exactly the point. I mean, this is not rocket science. You can just do the important stuff on one computer and then use another computer for everything else, because that particular computer, the computer that money is going through, that's the key computer banking Trojan gangs and financial attackers want to gain access to. And I'm not recommending that you would completely seal that

computer off from all the networks; that wouldn't work either. She needs to be able to access email to get the bills, and needs to be able to access the online banks, but just don't use the computer for anything else. Have another one for that. But there is a clear shift going on in the world of the attackers, and that has a lot to do with money laundering. Because when banking Trojan gangs do gain access to her computer and install a banking Trojan and start inserting extra transactions every time she pays bills, they do make money, but it's still virtual. Like how do they get it in cash, how do they get them Lamborghinis with this without getting

caught? Money laundering is a choking point of online criminals, and yes, they have been pretty creative in coming up with ways of extracting the stolen money from the online world to the real world. This video here, CCTV footage, represents how the Carbanak botnet gang does it. Pay attention to the ATM. Hmm, nice, I like ATMs that just spit money out for no particular reason. This guy is a money mule, that's why you can't see his face; he knows where the cameras are. And then he picks up his phone and orders more cash. That's why he has the bag: he's going to empty the whole machine. And yes, we've seen attacks like these; we've also seen rogue banks in countries like Lithuania

being used by gangs to launder the money. But obviously the amount of money you can launder by emptying ATMs is still limited; you can't make, you know, tens or hundreds of millions this way, and this is the reason why we are seeing the shift in attacks right now: shifting attacks from traditional financial attacks targeting online banks and online stores and credit card systems, and starting to target cryptocurrencies. And from the point of view of the attackers this makes perfect sense, this makes perfect sense in a lot of ways. Cryptocurrencies are the favorite currencies of online criminals, just like cash is the favorite kind of money of real-world criminals. Like most of real-world drug trade is

done with cash, most of online drug trade is done with Bitcoin and Monero and Zcash. It's kind of hard to buy cocaine with a credit card, or so I've been told. So one question I do get from people who know a little bit about Bitcoin and Ethereum and Litecoin, Monero and [inaudible] and all these currencies, and how most of the blockchains work, they ask the question how come we can't follow the money? Which actually is a really good question, because as you know blockchain is a public ledger of transactions. Public, I mean you can all go, if you don't already have a copy of the Bitcoin blockchain, you can go home

today and download the whole blockchain. Correct me if I'm wrong, I think it's around 200 gigs right now, so it's big, but you can fit it on a single computer, and that file, that blockchain file, contains every single transaction which has ever been done in Bitcoin since 2009 when Satoshi did the very first transaction, or early 2010 when Sirius, the number 2 developer, Mr. Martti Malmi, who's a Finnish guy who I actually know, the guy who did the first real-world transaction converting bitcoins into euros. Well, I've had interesting discussions with Martti about who is Satoshi, but he tells me he has no idea. He worked with him for a couple of

years but he has no idea who he is. So if it's a public ledger, if we can follow every transaction, how come we can't follow the money? So let's take a look at a real world example. This is Petya, Petya from last July. The circle here represents the wallet where all the ransoms that were paid to the Petya gang were stored, attack starting on the 5th of July. On the 12th of July the attackers started moving the money from this wallet, these wallets, to six new wallets. The size of the wallet shows you how much money was being moved, and we can see this because it's a public ledger. Let me just see how the money is

being moved around, and then on the next day they move the money from these wallets to these wallets, and this went on for several days, and then they started moving money from the Bitcoin blockchain to the Monero blockchain using double-blind transactions, and that's where our tracks end. We have no idea where the money went. And this is the trend that has created the problem of ransomware Trojans, which we've now been tracking, the rise of ransomware, since 2012, and the amount of ransomware families that we are now tracking is so large I can't even fit them on a single slide anymore. We're tracking over 130 gangs which make all of their money with ransomware attacks. This is one clear

shift we're seeing happening, and it's all because of these cryptocurrency systems. We're seeing tons of scams, scams like Elon Musk is giving away free Ethereum on Twitter. What a nice guy. Just send me, you know, half an Ethereum, or half an ether, and I'll send you 10 times more back, here's my address. And the worst part is of course it's not even Musk, this isn't Elon Musk. The worst part is when we go and check Etherscan on how many ethers were sent by suckers into that address: it's worth two hundred and three thousand US dollars, which is remarkable. People, first of all, fall for it; second of all, they have ETH, they're able to send

and they do send it. And this is happening to everybody. This happened actually, this was a reply to the BSides London Twitter account sent a month ago: I'm giving away not only Ethereum but also Bitcoin and Litecoin, a thousand Bitcoin, that's seven million euros, that's a lot of money. So this of course wasn't my account; my account is called Mikko, this is a Ravelry 43, so that's not really my account. But this was sent as a reply to the BSides London official account, so people are reading BSides tweets, click on a tweet, will not only see the tweet but replies, and they will see this there, and they might know I'm keynoting here, so this might seem

legitimate. And it's not only scams and ransomware that we're seeing; we're also seeing hacking into the exchanges and into the wallet systems that are being used to run these operations, and this is an especially good example of how these attacks make a lot of sense when you think about them from the point of view of the attackers. Like your task as an attacker is to make money, all right, so you can choose your target. You can choose a traditional financial system, let's say a bank, and yes, if you are able to break into a bank you will make a lot of money, there's a lot of money in banks, but it's kind of hard, because banks have

been in this business for decades and they have security teams which have hundreds or even thousands of people; they do follow their network. Or you can target a wallet system or an exchange. They also have a lot of money, because the valuations of cryptocurrencies have skyrocketed; some of these companies have billions, with a B. Just like real banks have billions, these guys have billions as well, but they are not legacy companies, these are startups. They don't have security teams of thousands of people; the whole company has 20 people. Is it easier to hack? Yes it is. And the best part: when you gain access to the money then it's game over, then you don't have to launder it, you don't

have to hide it, it's yours, it's game over. So these attacks make a lot of sense from the point of view of the attackers. But then we have the attackers who are not after money: governments. If I would have to rank different governments based on their offensive cyber capability I would rank the United States number one. They've been putting more money for longer periods of time into this than any other government anywhere in the world. Number two in my book would be Israel, and then after that we get the Russians and the Chinese. And oh man, look at these guys march, look at them. I've seen your army march, it doesn't look like this, it doesn't look like this at all. So when

governments enter the picture we get several new headaches. I gave an interview to a newspaper maybe five years ago about governmental attacks, especially spying and intelligence gathering, and during that interview I gave a quote which ended up being printed in the newspaper, where I said that information has changed. Information used to be physical; it used to be like something you would, you know, print on a piece of paper, it would be something you could touch, which means if you wanted to steal this information you had to physically come to this piece of paper to steal it or copy it or photograph it. And then, as you know, today most information isn't physical, most of

information is data. It's on our computers, it's in our networks, which means you don't have to go anywhere, you can reach the information from anywhere in the world. And the quote I gave the newspaper was that because of this the work of intelligence agencies has moved from the real world to the online world. After it was printed in the newspaper, the next day I got a phone call from a friend of mine who works at an intelligence agency, and he tells me, you know what Mikko, that's not true. That's not true, spies have not moved from the real world to the online world; they have expanded their work from the real world to the online world. The real

world spies haven't gone anywhere, they've expanded to a new domain. And I can totally believe that, because of course, I mean, we are an infosec company, we're geeks and nerds, we follow online attacks, we don't follow real world spies, we don't see what the real world spies are doing. So to me it looks like they've moved, but in truth it's expanding, expanding to a new domain. And if you think about the work of intelligence agencies, especially large intelligence agencies in superpowers, they wouldn't be doing their job if they all wouldn't already have real-world moles in critical locations. Real-world spies and real-world moles still exist. Here's video footage from January. This is from

the border of Russia and Estonia. This is a spy swap. It's Artem Zinchenko and Raivo Susi; Artem Zinchenko here on the right walking towards Russia and Raivo Susi on the left walking towards Estonia. They're swapping the spies. The Russian guys next to their cars don't look too happy, but this is what it looks like when real-world spy swaps are being done. So now, for a second, think about the work of intelligence agencies who operate guys like this. Where would they like to embed guys like these today? What would be the most powerful organizations where you could have a mole inside? How about companies like this? And I think it makes perfect sense. I would be

surprised if all major intelligence agencies wouldn't already have moles in key locations inside Google and Amazon and Microsoft and Apple and any large cloud provider. Yes, it might be a very slow process and very expensive, but if you're able to get the right guy at the right location in the right company, that is very powerful, and we have to assume the largest intelligence agencies of the planet are doing exactly this. And while we're speaking about Microsoft, it's kind of hard to ignore what happened this week with the GitHub acquisition. I'm actually not mad about this at all. If you look at what Microsoft has been doing over the last five years, it's a

lot of pretty good moves. They've done bad moves as well, most notably the investment of spending 7.1 billion US dollars into Nokia mobile phones, which they then had to write off three years later or something like that. Nokia was very happy getting seven billion out of the phone business; for Microsoft that was a bad decision. Buying LinkedIn was probably a good decision, buying GitHub is probably a great decision. Microsoft was already the biggest organization in the world if you look at the amount of pull requests; Microsoft was doing more pull requests already 12 months ago in GitHub, more than Google, more than Amazon, more than Firefox, more than anyone. So this makes perfect sense. They had already moved

Windows source code and Office source code to GitHub, and GitHub is an interesting organization. Some of you might remember the attacks they were under three years ago; in August 2015 we saw some of the largest denial of service attacks in history targeting github.org, and these were actually reflection attacks. This was traffic from normal Western users' computers who were hitting the Great Firewall of China, going to websites hosted in mainland China; their traffic was reflected at the Chinese firewall level and pointed back to GitHub. So if you wanted to visit, I don't know, Alibaba or Baidu, you got nowhere; instead your traffic was being used to hit GitHub. And the reason why GitHub was being targeted by the Chinese

was that the Chinese were demanding GitHub to remove stuff from GitHub. GitHub was hosting content which could have been used, and was being used, to bypass the Great Firewall of China. China didn't like this, so they were trying to twist GitHub's arm, and they didn't give in. It was very, very expensive for them to continue operations, but they did continue operations, and they didn't kick the problematic customers out even though they were being demanded to do that, and you have to give them credit for that, absolutely. And when we speak about governmental attacks, the biggest example we have in recent history happened last July: the Petya attack. Petya, the ransomware case which would overwrite the Master Boot Record,

the first sector of the first platter of the first hard drive in your system, 512 bytes at the beginning of your first hard drive, overwritten by a piece of code which only displays a ransom note, and this is after it has already encrypted all the contents on the hard drive, which means infected machines no longer run Windows; now they are running Petya. You boot up an infected machine, nothing happens: it counts the memory from BIOS and then shows this, that's it. And the way organizations were hit by Petya was that they were running a piece of financial software, a piece of financial software which you could use to do bookkeeping or to file your taxes,

and on the fifth of July last year the vendor behind this bookkeeping software issued an update from the official update server, signed with the official keys, and that update was Petya. And the company that makes this financial software is called M.E.Doc, and they are headquartered in Kiev in Ukraine. The software runs in Ukrainian, it's only been used by Ukrainian companies; this is how companies file their taxes to the Ukrainian government in Ukraine, this is the de facto way of doing it in Ukraine. So in March, five different intelligence agencies including GCHQ announced that they have evidence which would show that Petya was launched by the Russian government, and in fact Petya was an attack in cyber war, an

attack between Russia and Ukraine, and Russia and Ukraine are at war, and we've seen attacks from Russia to Ukraine multiple times before, most notably attacks three years ago targeting the second largest electricity grid provider in Ukraine, a company called Prykarpattyaoblenergo. This company, an attack... I hear somebody say, actually I know how to say it: Prykarpattyaoblenergo. Oh yes, Prykarpattyaoblenergo. And when Prykarpattyaoblenergo was attacked, not only were they able to cut power from 250,000 people, they also overwrote the firmware on the serial to Ethernet converters that the operators were using to control the electricity grid, so after the attack when power was off there was no way for

them to maintain their network anymore; they actually had to go and physically turn off the power. But this is not the story we heard about Petya last July. We didn't hear much about Ukraine at all. How do you put out a fire in the middle of the winter in Ukraine? Thinking out of the box, I like it. The story we heard was not a story about Ukraine, it was a story about Petya hitting Western companies, companies here in the West, in Europe, in the United States, companies like these: massively large companies which make manufacturing goods or cookies or condoms or cement or ship containers. And these companies are not Ukrainian. Why were they hit by an attack

coming from the Russian government targeting one country, Ukraine? Well, the answer is that even though these companies are not Ukrainian, they are global. Like for example Maersk, the fourth largest logistics company on the planet, which ships containers into every country on the planet, including Ukraine. Take a look at this ship. God damn it, that's a lot of containers. Imagine when it gets rocky on the seas: yeah, we lost a couple of hundred containers last night, I don't know. They ship these into every country on the planet, including Ukraine, and if you do enough business in Ukraine then you have to file taxes in Ukraine, and if your company has to file taxes in Ukraine it means you have

at least one workstation in your internal network which is running M.E.Doc, and if you had one workstation in your internal network running M.E.Doc on last July 5th then you got Petya, and once you have Petya in your internal network it spreads like wildfire. It doesn't spread using vulnerabilities, it spreads using a Windows feature, the feature which allows users to run files or execute programs on other people's computers, and this is bad when it happens to your laptops, it's bad when it happens on your desktops, but it's even worse when it happens on your servers, and even worse when it happens on your ADs. And this is the reason why many global organizations were sending IT

consultants on planes into data centers around the world with Windows boot CDs in their backpacks, to go and rebuild their ADs and servers, because once your data centers go down you can't manage them remotely anymore, because your servers are no longer running Windows. All the tools you have for maintaining your servers expect your servers to be running Windows, and now they're running Petya. The chairman of the board of Maersk was speaking about the problems they had with Petya in February in Davos at the World Economic Forum: that meant that we were actually collateral damage, so we were probably in a state attack situation, and the impact of that was that we basically found that we had to reinstall

our entire infrastructure. We had to install 4,000 new servers, 45,000 PCs and two and a half thousand applications. 4,000 servers, 45,000 workstations. They estimate that the cost of Petya to them alone was 300 million euros. I believe Petya last July was the single most expensive computer security incident in history, more expensive than WannaCry, more expensive than ILOVEYOU or Melissa or Blaster or Slammer or Sasser, more expensive than any hack ever, more expensive than any data leak ever. And this happened last July, and the victims were collateral damage; they were not supposed to be the victims. And this reminds me of another attack where the

Russian government is trying to hit a target but creates a lot of collateral damage. This reminds me of the Skripal case here in the UK in April, where the Russian government used nerve gas to try to kill one of their old agents now living in the United Kingdom and in the process created a lot of collateral damage. More than a hundred UK citizens were hospitalized. They were not supposed to be the target, but they happened to be; they were not supposed to be the target, but they happened to become one. And the interesting thing is to look at the reaction, the reaction from the West. What happened after Skripal? New sanctions happened, Russian diplomats were being expelled from dozens of different

countries. What happened after Petya? Well, nothing. Nothing happened after Petya, no sanctions, no expelled diplomats, nothing. And now look at this from the point of view of the attackers. They look at, you know, what are we doing or what happens, like we do, you know, a nerve gas attack in the UK and we get this, and then we do Petya, we get nothing. All right. I think this is leading us to a new route, a new route of attacks from nation-states, new methods they will be using in their attacks, which means we have to start thinking differently about the way we defend our networks. What was their mistake, what did they do wrong? Nothing. This was not a case of running

Windows XP in production; it was not a case of unpatched servers or workstations. There was no vulnerability. They were running financial software that everybody thought was OK, and it was OK; they just happened to get hacked. And they had automatic updates enabled, which was the default, and if they would have asked us, is it a good idea to have automatic updates enabled, we would have told them yes, then you get all the security patches right away. We've been telling companies for a decade to patch right away, and patching is what got them here. Yeah, of course they could have segmented their network better and stuff like that, but the big picture is they did nothing wrong.

So we have to start thinking differently about our networks. For 15 years we've been thinking about our networks like vaults, like bank vaults. Whatever you put in there needs a really thick wall to protect it and a really thick door with a really good lock, and if you have thick walls and thick doors and good locks nobody's ever going to get in. This is how we think about our networks, like vaults: make sure nobody gets into the network, ever. Let's have really good firewalls and proxies and intrusion prevention mechanisms. And if you have a vault with really thick walls and a thick door and a good lock then you will not need a motion detector inside the vault, like why

would you put a motion detector inside the vault? Because nobody is going to get in, there's a very thick wall and a thick door. But you know what, just in case the attacker thinks about a way of getting in that you didn't think about, like, I don't know, coming in through the ceiling, in that case it actually would be very, very nice to have a motion detector inside the vault, even though you think you will never need it. And this is how we should be thinking about our networks. Yes, we do need the firewalls and the proxies and the filters and the intrusion prevention mechanisms, but it's still a good idea to have motion detectors inside of our networks, to build profiles

of what normal traffic looks like, because then you can start looking for abnormalities. You can start looking for weird stuff, like why is this workstation sending gigabytes of traffic to this IP address at 4 a.m., which you will never be able to even tell unless you're looking. We have to stop assuming we can keep the attackers out, because we can't. Question: how many of the Fortune 500 are hacked right now? Answer: 500, every single one of them. Why? Because if you are a Fortune 500 company you have a massively large network of at least a hundred thousand computers around the world. If you have a hundred thousand workstations, I will guarantee to you, you have a breach.

It might be a small breach, like a single infected laptop at an airport lounge, but that's a breach. You cannot keep everybody out all the time, so we have to stop thinking about keeping everybody out all the time, and instead we have to start focusing on being able to detect and being able to respond to breaches when they happen. We have to assume breach. Whatever we do, we have to assume the breach at any time, and this is the difference between companies who got hurt badly by Petya, or rode out Petya, and who didn't: if you were looking for abnormalities in your network, Petya was like a wildfire, you would see it immediately. It looked really, really

weird if you were watching. Most companies are not watching. So let me finish with this. This is our first web server, April 1994. It's a 486 DX 25 megahertz with a 40 megabyte hard drive. It was running our first web server; I set up our first website in April 1994. I was really proud we had our first website; it was website number 16 in Finland when we set it up. By today's standards this computer is pretty... but you know, it was powerful enough to run a website, so it's not completely powerless, it's pretty good for its time. I wonder how small a computer with this power would be today. Well, let me show you.

In February IBM announced that they have a new breakthrough. This is a photo of a pile of salt, and the black dot over there is a computer which has roughly the computing power of a 486 DX 25 megahertz. This is probably enough to run a website, and it's smaller than a grain of salt. So now think about everything we will have to start defending. Forget about everything we know about defending computers and servers and laptops and networks, and realize that we will very soon have to start defending everything, because everything will become a computer. Good luck. Thank you very much.
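The "motion detector inside the vault" the talk argues for, as an added example that is not part of the talk and not F-Secure's tooling: a small Python check that builds a per-workstation profile of normal outbound traffic from flow records and flags the case the speaker names, a workstation pushing gigabytes to an address it has never talked to at 4 a.m. The flow-log format, the host names and addresses, and the thresholds are all assumptions constructed for this example.

```python
"""Build a per-workstation outbound-traffic baseline from flow records and
flag the kind of 'weird stuff' the talk describes: a host that suddenly
pushes gigabytes to an address it has never talked to, at 4 a.m.

All log lines below are constructed sample data, not from any real network.
The record layout (timestamp host dst_ip bytes) is an assumed, simplified
flow-log format, not any specific product's.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample flow log: a week of ordinary daytime traffic for two
# workstations, then one anomalous record for ws-042 at 04:13 on 5 July.
FLOW_LOG = """\
2018-06-25T09:14:00Z ws-042 198.51.100.20 1200000
2018-06-25T14:02:00Z ws-042 198.51.100.21 800000
2018-06-26T10:30:00Z ws-042 198.51.100.20 1500000
2018-06-27T11:05:00Z ws-042 198.51.100.20 900000
2018-06-28T16:40:00Z ws-042 198.51.100.21 1100000
2018-06-29T09:55:00Z ws-042 198.51.100.20 1300000
2018-06-25T09:20:00Z ws-017 198.51.100.20 2000000
2018-06-26T13:10:00Z ws-017 198.51.100.22 2500000
2018-06-27T15:45:00Z ws-017 198.51.100.20 1800000
2018-06-28T10:05:00Z ws-017 198.51.100.22 2200000
2018-07-05T04:13:00Z ws-042 203.0.113.9 3221225472
"""

# Tunables (assumptions for this example, not values from the talk).
VOLUME_FACTOR = 10          # flag if bytes > factor * host's median flow
OFF_HOURS = range(0, 6)     # 00:00-05:59: nobody should be at their desk
MIN_HISTORY = 3             # need this many flows before trusting a baseline


def parse_flows(text):
    """Parse 'ts host dst bytes' lines into dicts; skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, host, dst, nbytes = parts
        try:
            flows.append({
                "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                "host": host, "dst": dst, "bytes": int(nbytes)})
        except ValueError:
            continue
    return flows


def build_baseline(flows):
    """Per host: median flow size, destinations seen, and sample count."""
    sizes = defaultdict(list)
    dsts = defaultdict(set)
    for f in flows:
        sizes[f["host"]].append(f["bytes"])
        dsts[f["host"]].add(f["dst"])
    return {h: {"median": median(s), "dsts": dsts[h], "n": len(s)}
            for h, s in sizes.items()}


def find_anomalies(flows, baseline):
    """Return (host, dst, reasons) for flows that break the host's profile."""
    hits = []
    for f in flows:
        prof = baseline.get(f["host"])
        if prof is None or prof["n"] < MIN_HISTORY:
            continue  # no usable baseline: can't call it weird yet
        reasons = []
        if f["bytes"] > VOLUME_FACTOR * prof["median"]:
            reasons.append("volume")
        if f["dst"] not in prof["dsts"]:
            reasons.append("new-destination")
        if f["ts"].hour in OFF_HOURS:
            reasons.append("off-hours")
        # One signal alone is noise; two or more together is worth a look.
        if len(reasons) >= 2:
            hits.append((f["host"], f["dst"], reasons))
    return hits


def detect(log_text, history_cutoff):
    """Baseline from flows before the cutoff, then score the newer ones."""
    flows = parse_flows(log_text)
    cutoff = datetime.strptime(history_cutoff, "%Y-%m-%dT%H:%M:%SZ")
    history = [f for f in flows if f["ts"] < cutoff]
    recent = [f for f in flows if f["ts"] >= cutoff]
    return find_anomalies(recent, build_baseline(history))


if __name__ == "__main__":
    for host, dst, why in detect(FLOW_LOG, "2018-07-01T00:00:00Z"):
        print(f"{host} -> {dst}: {', '.join(why)}")
```

With a baseline built from June, the only record scored as abnormal is the 3 GB off-hours transfer from ws-042 to the unseen 203.0.113.9; a host with too little history is deliberately not judged at all.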