How's everybody doing today? Come on, let's get some enthusiasm in this room. Excellent, excellent. I just want to say thank you to our sponsors: Critical Stack, InVail, Mel, also our sponsors Amazon, BlackBerry, the National Security Agency, Cylance, Microsoft, Robinhood, Secure Code Warrior, and Paranoids. You can go out here in the room and you can meet with all of our sponsors that are there. If you want to sponsor next year, feel free to reach out to us; we need all the help that we can get. This is day 2 of BSides. With that, we're gonna have another amazing speaker with us that's gonna give us "The Road to Hell Is Paved with Bad Passwords."
The fabulous Chris, take it away.

Well, good morning everyone. Thank you so much for having me, BSides. It's going to be a pleasure to share this particular incident management event with all of you. It's going to give you a bit of an insight into what happens when an actual embassy gets hacked by a cyber terrorist group, and some of the ins and outs of what happens with various types of diplomacy, and when law enforcement does not apply in certain situations.

Now, to give you a bit of an introduction: what had happened was, in 2014, in The Hague, which is the business capital and government capital, mainly, of the Netherlands. It is a very diplomatic city; that's where the International Criminal Court of Justice is, and a lot of embassies from around the world, so it's a very unique city in and of itself. What happened was it started with a series of attacks, starting with the Saudi Arabian embassy, then spread over to over 20 different embassies, affecting them as well. Because regular law enforcement does not apply with diplomatic issues, it also involved the Netherlands diplomatic police, or corps, and because of the severity of the situation the national terrorism special unit also had to get involved. There were three separate law enforcement reports, and it got to the point where the Saudi Arabian embassy actually had to put a disclaimer on their website, as did several other embassies, because of what was going on.

So there were four major incidents that occurred with the entire event, and it began with unauthorized access into the email account, the actual business back-end email account, of the Saudi Arabian embassy. These things are important because you might have your public email that people can use to email an embassy to ask questions and so forth, but on the back channels you've got a different set of email accounts so that they go straight to the ambassador's secretary directly and so forth. In addition, there was a very interesting rootkit that was discovered by one of my folks that I brought in, who was a forensics person, who sniffed the network and found a rootkit. And what was interesting was the extortion attempt that ISIS attempted was all the way up to fifty million dollars, and it reminded me very much of that comedy kind of spy movie, right, where it's like "yes, 50 million dollars," right? But what was even more unusual was the amount of lives that were put at risk at this particular event. So it wasn't just someone who was sending some nasty emails; there were actually valid threats to kill a lot of people. Actually, over 400 people's lives were unfortunately dangling in the crossfire. So this was timeline number one for half of the major incidents.

Now, when you're in an embassy, local laws do not count; that is the sovereignty of that particular country, and so basically the ambassador has all the say when it deals with anything that occurs at the embassy. It is not, say, a local police matter; it does not matter at all, they have zero jurisdiction, and I want to stress that: absolutely zero jurisdiction. The only thing that the diplomatic police can do is try to aid in various law enforcement conversations, but then again they don't have jurisdiction over an embassy either.

Now, one of the reasons why I was chosen for this very interesting incident was because at the time I headed the information protection group, and also the network and security operations, for the Aramco family, as well as being responsible for the IT and ICS systems around EMEA and Latin America. They pulled me in because I had a lot of experience as well with forensics, and we had already had our chain of custody checked, actually, by the diplomatic police at our company, to make sure that any evidence beforehand, whatever we collected, if we had to use it for a criminal matter, we actually followed all of the local laws to be able to go ahead and hand off evidence. So I have a lot of experience in forensics, and also, I am NOT a law enforcement person, but dealing with digital security and knowing that there can be various criminal events that happen, I always establish relationships with various law enforcement so that when and if, and it's usually when, certain things occur, I can go ahead and call up various parties to get assistance and make sure that I know where I need to go to get to the next hop and so forth. So these types of things are quite important to have in advance, before any sort of incident occurs. I also do want to stress some sort of chain of custody, or understanding that whatever evidence you collect in an incident, whether it be for something like a diplomatic issue or a regular business issue, you have a full understanding of, so that you can hand this off, because there's no use letting criminals get away with bad stuff.

I also have a lot of experience dealing with ministers, ambassadors, and heads of state as well, so I was able to communicate very technical matters, because I was a technical executive, all the way up to ambassadors and heads of state and ministers. So I could speak their language as much as possible, because without that they do not understand the severity, they do not understand what they need to do, and a lot of times they need us to give them advice. If we cannot communicate with them, then it's just like speaking some weird language that they will never understand, and we cannot show them a packet capture at all.

Now, in addition to this, one of the challenges when you're dealing with an embassy is you have to deal with geopolitics, and at the time the relationship between the Netherlands and Saudi Arabia was extremely strained. As a matter of fact, shortly before this event Saudi Arabia cancelled all contracts for Dutch companies and basically kicked most of the Dutch people who were working as contractors out of Saudi Arabia, because there was something that happened, and I'm not going to go into detail because that's not my job. But because I am a US citizen they trusted me a lot more, as well as I was already trusted within the Aramco family to handle these particular matters, and that's one of the other reasons why I was actually chosen to lead this investigation and do all of the negotiations.

So it first starts out with... I felt so bad as well. I was trying to eat lunch, and I rarely, rarely ever got to sit down and eat lunch, and I'm sitting there and I'm eating like this, so I walk off. I probably had spinach in my... I did have spinach between my teeth, because I had to be rushed off, and I asked the gentleman what's going on, and he goes, "I am NOT at that level to discuss that with you, I don't know." So I was pulled into a room and I was told, "We need to get you to the embassy as soon as possible," and when they described a little bit of what was going on I said, "Hey, I need to get my forensics person to accompany me, because there's probably going to be some sort of evidence and things that we need to collect as soon as possible," because when you have an incident you need to then figure out what's going on and then try to contain that as much as possible.

Now here's where it started getting very strange, because this was a very strange event to me; it was kind of mind-blowing. The official business email account for the Saudi Arabian embassy in The Hague was using a residential ISP line, not a commercial line, and had no security except it had a password, and that was one two three four five six. Yay, right? That's everybody's favorite password, right? There's nothing like using that for official embassy business. Cool, right? So that was a bit unfortunate, and what was even more unfortunate was the IT person who was there at the embassy: it was his second day, he had no security experience, and the person before him gave him zero handover, as in nothing, and they could not get ahold of the former person at all. So here this guy's sweating bullets, he has no idea what to do, and he's like "ahhh," and I'm like, "okay, okay, okay, we're gonna, you know, chillax," because he was definitely panicking.

One of the things in the initial attack that occurred was the attacker had intercepted some emails, seeing that somebody wanted a visa, and started sending back communications as if it was the ambassador's secretary. Because the way that it was set up was there was only one person that could read the official business emails, and only one system that was supposed to be set up that way, and that was only the ambassador's secretary, because that's the most trusted person within the embassy, and they have to be, because they know everything that's going on very intimately. What was a little odd was there were some attempts to ruin the reputation of His Royal Highness Prince Mohammed bin Nawaf bin Abdulaziz, who was at the time Saudi Arabia's ambassador to the United Kingdom, and I cannot say those emails, but it was initially implied that him and another Saudi national who was married were having some sort of affair, which was absolutely not true. So there were multiple things going on with this incident, and it was a little bit personal the way it was done as well, which we started seeing and going, "hey, what kind of profile would the attacker be?", because they're using certain techniques, not at the time very high-end techniques, and looking to damage reputation not only to the country of Saudi Arabia but to certain key individuals as well.

So the first extortion attempt was when a rather controversial figure was sent an email stating, "hey, if you want this visa, can you just send 200 euro over to a MoneyGram account and we will expedite your visa." Well, a funny thing is the Saudi Arabian embassy had stopped issuing visas about two years previous, but not everybody knew, excuse me, knew that at the time. But they did not handle visas whatsoever, and the MoneyGram thing was rather suspicious, so this is one of the things that set it off, because it was coming from, supposedly, the ambassador's secretary, and the good doctor who got the email contacted the ambassador himself and said, "hey, what's going on with your secretary? Because a MoneyGram account seems a little strange of a way to get my visa, right?" So luckily she could recognize that MoneyGram was not the usual way to pay for a visa, so that was kind of good. So it started kind of low-end, and that seemed cool at the time, and what we did was, because I was unable to have full access to all of their network because I am NOT a citizen of Saudi