
[Applause] Okay, welcome everyone. I think most of you actually just came for the beers, so I'm trying to be brief.

First of all, I don't know if any of you remember him from the previous years, but a good friend of ours and a fellow organiser unfortunately passed away recently, so you'll see we've got photos of him around. This is a volunteer-run, non-profit organisation, so all the hard work and time is freely given, and it's much, much worse when we lose someone like that, who used to do all the video and the networking as well. I'm just going to do a quick intro on COVID, which kind of killed us for a bit, and on what it's going to look like in the future, and then Charles is going to tell us a little bit about HackSouth, and then we'll do a couple of lightning talks.

So with COVID we tried a couple of things, and sometimes we were also just lazy, if we're honest about it, but a lot of the issues were around venues and around people. This year really no one allowed us to do anything, so hopefully it means that from here on out it's going to be much easier to do anything. Like myself, I think everyone got pretty tired of doing online events and yet another Zoom meeting, so we just didn't do any of that, and like I said, we needed to get ourselves organised. We did at least do one, with the cameraman; we did that with the camera, and that's 50% of my success in my career as well.

So what we're going to do for the future, while this holds, is collaborate a lot more with HackSouth and 0xC0FFEE (I forgot to put that up), because we're all actually the same people, and generally the organisers are spread between all of those groups. We're redoing the websites; we're going to make them a little bit simpler and not have them on WordPress, because we've had a couple of comments about that in the past. Then we'll do a lot more of these smaller events every now and then.

I have to say that every time Mike's in one of my talks and is giving me a device, it always goes bad, so from now on I blame it on Mike. Obviously we're going to do the small events, we're going to try hackathons as well, with Hack The Box and those kinds of events, and December is definitely on; I'll talk about it a little bit later. Rite of Passage is also a little bit difficult in terms of travel: it was difficult to travel and also to send someone away, so we're looking at other ways of maybe sponsoring students locally and doing other things. We also need more people to get involved, as always, and you're welcome to give us suggestions.

So for December, I already spoke to the Cape Town Science Centre. They've committed to the 3rd of December; we just have to figure out details with them, and hopefully in the next two weeks we'll do a call for papers and a call for workshops and send out sponsorship stuff. We've kind of just focused on getting this done, and December is the next one. The Cape Town Science Centre, and I just got some photos off their website if you haven't ever seen it, is a space with a whole bunch of experiments for kids to learn about science, so I thought us hackers invading it would be an apt idea, and Grant actually had us there before, although we were drinking beer in a science lab and assembling gadgets. That's a good point, Mike: are we doing a badge in the same way? Yes. I didn't bring some of the older badges, if anyone wants to see. Mike designs electronic badges every now and then for us, so if you want to help him for next year, 2023, he's open. So there are a lot of science exhibits, and they've got a really nice lecture hall as well. We tried Dimension Data as well in COVID times, but considering that they'd have to fumigate the whole place, it might make more sense for us to move somewhere else. And that's it. Charles.

[Applause]
Just to be clear: at PyCon a couple of years ago, Mike used an SDR to block the wireless signal to my commit talk.
So I'm Charles Roth, I go by Angry in the community, and I just wanted to basically talk everyone through HackSouth, something we started a few years ago. Show of hands, who here is on HackSouth? Yeah, that's good. Okay, here we go. "Build it and they will come": so that's obviously what HackSouth is about, what got the idea started, and where we are right now. Let me move around so I can read my own slides.

Okay, so obviously, as I said, I'm Angry. HackSouth is about collaboration in cyber security. We want people that have an interest or a curiosity about cyber security, information security and hacking in general. We have industry leaders; we have the CEOs and the CTOs from most of the consulting companies in South Africa. Because of the recruiting that I do in the United States, I do a lot of US government and defence recruiting, so unfortunately there are quite a few NSA people on there as well. What it's about is sharing insight, advice and guidance with our peers, and a bit of tech support in between.

So where did we start? We started in 2019, following BSides Cape Town. Originally it was on Slack, because we thought that it would be better so people could use it during the work day, because a lot of companies might block Discord. Then, right before COVID kicked off, we decided to go on to Discord. I was a moderator on a community called the Many Hats Club, and I just thought it was the best place for it. We started off with about 15 people; Megaloran was one of them. Then we had a spam raid: people were posting Nazi propaganda on the main page, and we had just launched like two days before. I was on the way to pick up my brother-in-law at the airport, and I just posted in main and said, "Hey, who wants to be a moderator?" Very good security vetting. Megan was one of the guys; I brought them on board and we kicked everyone off. I think Roots also helped with that.

So where was it born from? We have lots of little communities in South Africa: we have BSides, Hexcon, we have the dev side of things, all these different communities, and one of the biggest places where everyone was speaking was ZATech on Slack. I'll be honest, I had my own personal greed involved as well. I got kind of frustrated on ZATech and I thought, let's have a space dedicated to cyber security and all the facets within it, and that's pretty much what spawned it. I wrote a blog here, "Is That You, HackSouth?"; this is me. Everyone says my blogs are... I write dissertations, I can't help that I write long; it always plans to be something short and it ends up being hella long.

Right, things to do. Sorry, this was just a joke. We changed our bot: we used MEE6 to moderate the server, beautiful stuff, and you can customise it. So I had a bad idea: let's call it "the SAPS", and then when people were joining the server it was like, "Hey, the SAPS welcomes you to HackSouth." That didn't go down very well. We changed it to Diffie, where our mascot is a dusty.

Anyway, so let me see, where are we? Okay, so this is showing you the different parts of HackSouth. If you're familiar with Discord this will make sense; if not, I strongly suggest you check it out. So this is where we have our announcements; we have an events page, we have polls and different bits and bobs going on. Anything going on in the community, whether a CTF is coming up or something's being awarded, we post announcements and we tag everyone. We try to keep the pings as low as possible, but that's the main area for up-and-coming news and events.

Next we have hangouts. Here we have a main channel, which is for main things, and random, for a lot of random things. We have a bot picking up from two of the Twitter pages that are related to infosec history, so we get tweets coming in every day, like "this is the day Metasploit was bought" or "on this day this happened". We also have voice text, and we have main VC. A lot of people are like, "Oh, how can I join voice chat?" Well, anyone's allowed to join voice chat, you just have one rule: you have to introduce yourself. You say, "Hey, my name is such and such", like "Hey, I'm Angry, I'm into web apps", and then we go, "Okay, cool, we'll give you a role", and you can lurk there for the rest of your life. If people are on VC and they can't talk but they want to chat, we have voice text for them.

So what we changed recently is that you get very minimal content on HackSouth and then you have to opt in to more. We have roles; there's a role-assignment channel somewhere, you go there, you react, and you'll get something. So, for instance, what do you see next? This is the friend zone: we've got money talk, to talk about finance and investments, we have music stuff, we've got cooking, whether you're vegetarian or non-vegetarian, your pictures there, and they have lab porn as well, for people with good cable management, unlike me. To get that, you've got to go to role assignment and hit friend zone, and then you'll get that. Lucky Spy Monkey as well; I think he was here today. CTF zone is quite an important area for me, even though I'm not that involved in it. Every time a big CTF comes up, we'll post about it, and if people want to get involved with it, whether it's their first CTF or they're an expert at it, just come join in. We set up different areas at the bottom here where you'll get a role when you get into that group, and we share solves and stuff like that. We're not taking the solves... nothing happened recently; someone was taking the solves and doing their own CTF. You try to keep the etiquette of a CTF correct. So that's where we host all this stuff, and we've got Hack The Box, TryHackMe, we've got Trace Labs there, and we've got VulnHub and Proving Grounds as well. If you want to learn anything, the strongest suggestion I can give is just take a stab and just try. So that's CTF zone.

Next up is the education zone. There we have an area for students, university students; we have Paid Forward, which I'll talk about very briefly shortly; and we have resources, so any time someone finds some free resource online, you drop it in there; have a look and take advantage. Right, a QR code is safe, but I've been warned not to use QR codes, so there it is. If you're unfamiliar with Discord, I made another dissertation, the skid's guide to joining HackSouth. It's got the whole layout of the server there and how to join; for some reason people still struggle to get in. You can see the stats in the top left: we have 64 FNGs, we won't define what that means, but we have 44 people that have either accepted the code of conduct and haven't introduced themselves, so just do the process and you'll get in. That's, I think, the joining link.

So we're all over social media; we're trying to attract more people to join us, more people to learn from, more people to teach. We're on LinkedIn, Instagram, Twitter, Facebook recently, and we're on YouTube as well. We have 958 total members, of which 911 are humans, which are people that have vetted themselves and joined properly, and we have 330 people on CTF crew. We have about 30 people that do CTFs, so we'd love to improve those numbers.

Okay, where are we now? I tried to make a GIF and realised it wasn't working. So this is the website; this is basically the story of HackSouth and what we're doing. We have an events area, you can synchronise with our Google calendar, and we have a ton of blogs (I did have a GIF for blogs but it didn't work). There are a lot of blogs: there's a blog about my first red team engagement, I've done stuff about Trace Labs, which is open-source intelligence, there's a lot of different information there, OSCP guides, everything. What we'd like is for more people to come blog. If you've got a bit of content, something you'd like to tell people about, come to us; we've got an area called website crew, come in there, type up a blog, we'll help you put it up and get it on the website.

Right, projects. HackSouth hosts the Hack The Box meetup in South Africa; it's a monthly thing, the second or first Tuesday of every month. That's also Spy Monkey and Toco; they do really, really well with it, and it's actually become a bit of a gold standard for other Hack The Box meetups. We have No Child Left Behind: we won a hundred thousand rand, most of which is in the account while we figure out some stuff. It was basically a project done together with Popcorn Training up the road, and basically Megan was part of the team, with J Function and Becca, and they built an application for kids to learn about being safe online, so that was pretty cool. We've got quotes in the Financial Mail. Swag is coming, badly. We have Missing Children South Africa; we haven't got to that a lot, but there are a lot of people that do open-source intelligence looking for missing kids and sexual predators and whatever around the world and passing it to law enforcement, so we partnered with Missing Children South Africa to help find people in South Africa. Paid Forward: I'm surprised more people didn't take advantage of this. We were given 10 PWK vouchers from Offensive Security. If you're not aware of that, it is probably the best offensive security certification you can do if you're starting out. We've got 10 of them, we've given away eight of them. We wanted to give them purely to South Africans, but we didn't have enough interest, so we've actually expanded to the rest of Africa. There are still two left; if people want to apply, go for it. Mentorships and learnerships, as I mentioned; everyone's trying to help each other. We've hosted Hexcon for the last two years and spoken there as well. We partnered with Trend Micro; they had like an internship training program, I can't remember the very, very long name. We also partner on CTFs. We have a whole jobs and careers area; if you have questions about careers, I'm a recruiter, people ask questions, I help answer, and we post jobs there as well. And also we're here for friendship.

Right, a few accolades. These are some of the people we gave PWK vouchers to. Anyone here that won one of the PWK vouchers? Respect, Spy Monkey. They didn't win it, they were awarded it; they earned it. We also registered with the CIPC as a non-profit company, an NPC; we're trying to get our NPO number now, but it's quite a complex process. And there are our half-assed quotes in the Financial Mail.

So what can you do? First thing you do is join. Second is tell people about it. Most people that join us find us through referrals; some people find us online and read our blogs. Check it out, and if you like it, share it with other people; it really helps get the word out there. Like, share, subscribe. And the last thing is get involved and get your roles. We've got some meme roles, just for the fun of it, and all sorts of weird roles. We also have roles dedicated to your specialities and your strengths, so if someone's saying, "Hey, I have a problem with this or that", you can tag the right people to get them the help they need.

And that's it. Thank you. There are the mods and staff, the staff members, the hall of famers; we just ripped it from the bottom. We've got some cool people on here: Acids is on there, AndrewMohawk, Winter, Leon, and Elastic Ninja, where's he? These are all honourable people that have just put in their HackSouth engagement and contributed. I believe that is it. Thank you. I haven't looked at any questions; we can, but you can speak to me afterwards. If you want to join, please come join us and have fun. Next is, I think, a quick five minute drink break, Kristen, and then Jared, you can get set up. Okay, thank you everyone.
[Applause]
Hey everyone, I think maybe just grab a seat so we can start.
Cool. So, hey everyone, it's great to be speaking in front of people again. I'm going to present a quick lightning talk about the role of intercepted communications in the Russian-Ukrainian war and how that has affected the war. Just a quick introduction of myself: I'm a cloud architect, I help organisations adopt AWS, but I also do quite a lot of research into things like surveillance, disinformation, privacy, etc., especially as they relate to foreign policy and national security interests.

To jump straight into the presentation: Russia-Ukraine relations really go all the way back to the Soviet Union. I'm not going to go through the full history; I just want to highlight a few of the key moments. In 2013 Ukraine wanted to join the European Union, and this led to some political battles in the country, which then sparked a whole bunch of protests and bloodshed and effectively led to a change of political leadership, and as a result of that Russia annexed Crimea, and there have been tensions ever since. In September of last year troops started building up by the Ukrainian border, and by November of last year we knew from satellite images that over a hundred thousand troops were actually stationed around the Ukrainian border. Russia was claiming that these were military activities; however, by the end of November it was very clear that this was actually something different, and in December Vladimir Putin demanded that Ukraine not only be barred from joining NATO but that NATO should pull out of eastern Europe. Sensing that invasion would be likely, the US and other NATO countries started sending weapons into Ukraine, including military vehicles as well as weapons and ammunition, including Javelin missiles, which are anti-tank missiles that are very effective against Russian armour, and NATO also stepped up their surveillance activities, both in Ukraine and around the surrounding borders. Then, as most of us are aware, on the 24th of February Russia invaded Ukraine in what they claimed was a "special military operation", and during this we really started to see the Russian doctrine take place.

The Russian doctrine is how they operate in warfare. The Russian military is organised into five different groups: military operations, aerospace operations, oceanic operations, nuclear forces, as well as a group that targets critical activities. What they also do is use electronic and information warfare as part of their doctrine, and we saw that during the invasion. One of the very first steps was to say, okay, let's use information warfare to create disinformation to justify the war, and when kinetic activity starts, let's go after the command and control infrastructure of the enemy, which will lead to disorganisation. With this in mind, a lot of people thought that a large-scale cyber war would actually break out, because Russia has a lot of cyber capability. I personally thought that we were going to see a NotPetya 2.0 happening; thankfully that didn't happen. There was a wiper malware that was discovered in Ukraine and started spreading; however, its impact was fairly limited. We did, however, see an attack on the Viasat KA-SAT satellite network, which was done by Russian actors. Access was gained through a misconfigured VPN at a provider network, and through the production network the actors were able to deploy a wiper malware that wiped out the configuration files that these devices used to connect to the network, and at the same time a large-scale DDoS attack was launched against Viasat to distract the security team. The impact of this was fairly significant: about 30,000 satcom terminals went offline, including 5,800 wind turbines in Germany, because they use the satcom network for monitoring and other operational activities. It wasn't initially clear why Russia went after this network, but it is believed that the Ukrainian military uses the Viasat network. I think the actual target of this was the Turkish-made TB2 drone, which has a lot of surveillance capabilities and can also fire munitions at targets; recently, like two days ago, the Ukrainian military actually created a song praising this drone and its capabilities. I think this was really the target that Russia was going for.

But one of the questions that we effectively need to ask ourselves is: does this activity that we've seen constitute cyber warfare? We've seen a lot of state-sponsored groups on both the Russian and the Ukrainian side attacking each other's infrastructure and websites, etc. There have been calls by Ukraine that all people that support Ukraine should go and attack Russian infrastructure. In this table you can see all the groups and which side they are taking. But in my opinion this is textbook hacktivism; it's not actually cyber warfare. However, you could argue that when you have this kind of activity together with kinetic activity, that constitutes cyber warfare. I know there are varying opinions on this, but that's my opinion, and the reason I have that opinion is because I think we need to be very careful when we use the term cyber warfare, because if you use it too frequently people become desensitised to it. If you, for example, go around and say everything is fascism, then when real fascism actually happens, well, it's a loaded term and people are desensitised to it. And if we look at things like electricity generation, water treatment and telecommunications infrastructure, those things have been disrupted, but not by cyber attacks, rather by kinetic activities that involve conventional weapons.

Moving on to probably one of the most interesting things for me about the war: the fact that Russia has been found to be using insecure communications. They're using cheap Chinese radios, dual-band receivers that operate on the VHF and UHF frequencies, and because it's not encrypted, if you have that signal information you can easily go and listen to what's actually going on on those frequencies, which a lot of people are doing, and a lot of intelligence has been gathered as a result. There are four groups operating inside Ukraine that are actively listening in to these communications and then providing that to the Ukrainian military, and that has had a real impact on the way the war has played out. With that information the Ukrainian military can make really important strategic and tactical decisions in the war, and as a result Russia has not been able to get close to Kyiv. From transcribed intercepts you can also really see the disorganisation in the Russian military, and there have also been a lot of people taunting and trolling the Russian groups. For example, when they ask for supplies they'll get the Dixie whistle played back at them on the radio, and there are also activist groups that will actually answer and talk to them; for example, in this case somebody's asking for a re-read and the jammer replies that they should go home, it's better to be a deserter than fertiliser. Groups have also been jamming the radio frequencies: they create a whole bunch of high-pitched noises that, when you put them through a spectrograph, create images of pigs, troll faces and Among Us characters. Russia tried to stop this activity by spreading false frequency information on social media, but that was very quickly shut down as fake.

This has been very interesting, because a lot of intelligence and military analysts are very surprised that Russia has been using insecure frequencies, because they actually do have secure radios: they use the Azart frequency-hopping radios. However, a lot of corruption actually took place during the procurement of these radios, and the contract was given to a manufacturer in China, the lowest bidder, and the quality is not that great, because a lot of these radios have been made with faulty parts. But I think the most interesting reason, or actually the real reason, why we haven't seen a lot of these radios being used is because, when Russia sent its military to the border in a "training exercise", not enough key material was actually pulled down to support these radios in the battlefield. These radios form part of a larger system: this is the rack-mounted unit, and then there are also various relay and re-broadcasting facilities, and they also have equipment that provides digital trunk lines for communications. The vehicles that you see on this slide not only facilitate communications but also do radio and GPS jamming, so these units, these vehicles, are part of Russia's electronic warfare unit. Because of the jamming that they are doing, and there are a lot of companies that have satellites that can detect GPS jamming when it's going on, because it's quite important for aviation and other activities, when you paint that on a map you can actually see it correlates really well with Russian troop movements as well, which is quite interesting. To shut down disinformation, the Ukrainian military has actually seized over 10,000 SIM cards that were being used by five Russian platforms to spread disinformation on social media, which I thought was quite interesting.

However, if we look at the Ukrainian side: what is the Ukrainian military doing? They mostly use Motorola; however, they do have other radio systems that have been provided by various funding, for example the L3Harris system that was provided by US funding. They use a bunch of different models: soldiers, specialists and commanders use different models due to the number of frequencies that they need to be on, and again there is some variance with that. However, these radios actually use DMR, so they are actually secure, and they use RC4 for encryption. However, RC4 is not great, because it's vulnerable to bit-flipping attacks, and because the keys are relatively short they can easily be broken with a lot of modern computers; however, it's not necessarily always possible to do this on the battlefield. The audio quality of these radios is also fairly limited, because the key ID, algorithm and IV are actually transmitted as part of the broadcast, which uses some of the bandwidth that's available.

In terms of how President Zelensky actually communicates, he uses three phones. The one on the right is a very old phone that has direct links to other government departments, which is not secure. The phone to the left of that, at the back, is a Soviet-style phone which operates on a peer-to-peer network, so you'll notice that it doesn't have a keypad: you pick up the phone and then the other side rings. It's not encrypted, but it runs on an encrypted network run by a department in the Ukrainian government, and you will see Russia uses the same set of phones; this photo was taken in 2012. When President Zelensky actually talks to foreign leaders, he generally uses a commercial VoIP phone, and when he talks to the President of the United States he generally uses a Cisco Unified phone; in this example you can see that this phone is likely connected to the US Defense Red Switch Network, which is obviously a secure, top-secret-level kind of network, and this is probably relayed through one of the embassies, either in Ukraine or in the surrounding area. This has played a really important role in allowing President Zelensky to communicate with foreign leaders, to address the US Congress and the parliaments of both Britain and the EU, as well as to address the nation, which has had a very high impact on morale inside the country.

Obviously keeping telecommunications infrastructure up and running is a very hard challenge, especially inside a war zone, and they've actually managed to keep 80 percent of the telecommunications infrastructure up and running. They've done this through fibre technicians; for me this is probably one of the most striking images of the war, where you have fibre technicians sitting on the front lines in a war zone repairing the infrastructure. It's just like, wow. This has really allowed those communications, but also allowed us to actually see what's going on. This is one of the first wars where we can actually see what's going on on a day-to-day basis. We've seen Ukrainian citizens reporting Russian troop movements, and we've also seen some funny things, like Ukrainian farmers capturing tanks. I do want to warn you, the next two slides are a little bit gory, but we've also seen war crimes as well. This is Russian armour attacking a civilian car, and that's unprovoked, so this is actually the definition of a war crime. We've also seen what's happened in Bucha, where hundreds of people have been killed, a lot of them execution-style with their hands tied behind their backs. There are a number of Telegram channels as well that have been set up to show everybody that has perished in the war; if you want to go look for yourself on Telegram, if you search rf200_now, that is the main channel, but there are a few other derivatives as well. Just be warned, those images are all really gory. I think it's really hard to show the scale of the war, and human suffering is never a good thing, but I really hope that this comes to an end soon, whenever that may be. With that, that's the end of my presentation. Thanks.

[Applause]

Any questions or comments?

If you look at the radios and also at what's happening with the tanks and the columns, don't you think that in general they're unprepared? It's not necessarily that they were waiting for exercises, but that it's been like this for a while, the corruption, and what you see on paper when they compare armies and what the reality is are very different. I mean, you look at the practice; that's just a lack of discipline and corruption.

Yeah, absolutely. I think also a lot of them surrendered, because especially in the first days of the war, when they went over the border, they were like, "What are we doing in Ukraine?" and then immediately surrendered after that. So I think there's been a lot of misinformation and false narratives to justify the war, which is just sickening.

Do you think the special forces teams are any different, if they have encrypted communications?

I don't know.

What kind of activity is there attacking the Russian infrastructure?

So there are a lot of DDoS attacks going on. But besides the DDoS attacks I haven't seen anything more specific than that, to be fair. There has been doxing, though: when these groups formed there was doxing going on, exposing members of each of the groups, but other than that I haven't seen anything specific.

Thanks.

[Applause]
Hey folks, so I'm going to be talking a little bit about OWASP today. They mentioned earlier how there are a number of groups in South Africa that are all kind of the same group of people, you know, a bunch of the same sort of things. OWASP is one of them. OWASP Cape Town used to be, and will still be, run by, I hope, Christo at some point again. But OWASP is a global foundation and we do a bunch of things, and I'd like to just briefly run through some of those things with you. So this presentation is called "Are you BFG?". Well, firstly, who I am. There's a lot of stuff on the slide. I've been involved in a bunch of things in the community. The primary thing to take away from it is probably my handle, rewtd. You'll find me there, you'll find me on Twitter; reach out to me if you have questions. On the commercial side, I work for a company called Secure Delivery. I have a slide like this in every presentation I do, because they're the reason I get to do these kinds of presentations, so I'm very fortunate to do that. We do a lot of the stuff that I'm about to show you commercially, usually overseas, but we obviously do work with a bunch of good people.

OWASP, as a foundation: there are two big pieces that make up what the foundation is. The first is that OWASP is all about projects. So we're a project organisation: 150-plus open source projects, ranging from the OWASP Top Tens (yes, there's more than one; there's actually a lot now) all the way through to things like OWASP ZAP, which I hope some of you guys are familiar with, or OWASP SAMM. So whether it's a list of things that you should be doing the right way, or whether it's some software that you can use to actually test these types of things, or whether it's the way that you should be working as a dev team, which is what SAMM is about. The other side of the foundation is the community thing. There should be an OWASP chapter in every city that has tech. There is one in Johannesburg; there was, and there will be again, one here in Cape Town. COVID has unfortunately been very complicated for a lot of us, but there is one in almost every major city around the world.

So, "Are you BFG?" What the hell was I on about? Well, it's Red Unless Blue Finds Green. So this is going to be a talk where I do a lot of colouring. We'll talk about different types of information security, but let's start with who this is all about.

So who are Red? Well, they're the rock stars, right? They're the guys that we all think about when we think about hacking. They're the guys who are breaking stuff. You know, the infosec rock stars do the baddest things, and there are a lot of them here in South Africa. In fact, there's probably a lot of you guys in this room who do this for a bit. At OWASP we call these particular individuals the breakers, right? So they're the breakers in our team, and I'm using Matilda here because of her way of approaching the world. You'll notice that there's a lot of BFG-style imagery in here, but I think Matilda kind of represents a pretty good example of what the red team is about, the way they think, what they try and do. I guess it just comes back on its own. So in our modern fairy tale, it's their job to break things: to break in, to breach the walls, to see where things can get broken.

So what about Blue Team? Well, Blue Team is where a lot of us sit inside information security. We're the ones who defend the castle; we're the ones who are trying to figure out how we can make things safer. These people are called defenders. So you've got the breakers, you've got the defenders, and I've used, well, somebody who looks a little bit like me, because this is what I've done most of my life. I've been involved in this area of security, and it's complicated. It is really, really, really the hardest part of the world, primarily.

But who's Green Team? Well, the Green Team are the developer rock stars, the guys who are building things. And unusually, in these sorts of events around the world, there are a lot of devs here today. There are a lot of developers who are involved in the security community in Cape Town, which is great. It's unfortunately not the case in most of the world. We call the green team the builders, and, well, I needed something green, so I'm going to go with the first part.

So why do I say red? Why do I say Red Unless Blue Finds Green? Why do I think the red team is going to win? Well, red has the best stuff. This is a bit of a plug to show you a couple of the OWASP projects. They have the Zed Attack Proxy, OWASP ZAP. If you haven't used it yet, please grab a copy of it, play with it; it's phenomenal. They've got OWASP Amass; there's the project Amass page, take a look at it. It's a really good tool, a really useful tool. Everything is connected to that, OWASP. We have the testing guides, both the web and the mobile ones; if you're doing testing in the mobile space, use those guides, they're going to help you get through it. And if the guides don't do everything that you do, feel free to contribute back to them. The thing is, red always wins. They have all the expensive tools; they have all the fun and all the budget they could possibly want, right? They don't need the most expensive tools, though, because the cost to defend far exceeds the cost to attack, and red only has to win once.
give me just a second fine
So down here at the bottom, I don't know if you can actually see it, this is actually an article by Dr Wendy in 2017. She highlights these two points around attackers being able to win over time: the cost to defend back then was about 1.2 billion dollars spent versus the 395 billion; sorry, 1.2 billion to attack against the 395 billion to defend. This is how much we're spending on defence of our systems. I recently did a talk with Nina Alli, who's from the Biohacking Village, it's now a year ago, talking about the evergreen complexities in hospitals, because the infrastructure in hospitals, there are a lot of pieces that are just attached to their networks, and then they allow guests to come in and join those guest networks, and they're not always as segregated from the same network that, I don't know, the CAT scan machine is connected to, which is also transmitting patient data, and where the nurses are logging what medications you get. Anyway, in 2019 Samy Kamkar (yes, Samy, my hero) said this at dt dtacu, and he's right, right? Blue has to win all the time for them to win at all; red has to win once. So red only needs one. Donnie Wendt at the CSIAC, yes, reiterated this with this comment, along with the total cost aspects of defending: attackers need to exploit a single vulnerability; they really only need just one. Barcelona switched from red to blue fairly recently and talks about how blue team is being handcuffed by having no real insight into the red team. Blue team don't talk to red team when they should. That very clearly underlines that it's not a binary exercise, right? It's not a simple yes or no, exploitable or not; it depends on several factors. So what you notice is, it sounds like an objective evaluation, right? How exploitable something is, is tied to how much time, how much skill, how much money, or how much blood an attacker is going to throw at it, and they only need a little to get somewhere.

What about Blue Team? Well, blue team has cool stuff too. This is not a tool talk, but there are some cool things: the OWASP Attack Surface Detector, Threat Dragon (if you're doing threat modelling, Threat Dragon is a great tool to do that with). The Attack Surface Detector is a command line tool that can be used with ZAP, or works as a plugin for those two tools; it's used to uncover otherwise unlinked and unreachable components on your systems. The OWASP Top 10, which, yeah, there's a couple I mentioned there: the mobile one, the Docker one, the privacy one; there's now a serverless one that's being put together. It's the top 10 things developers should know about, and there are different spaces they should be concerned about. But seriously, you can afford the good stuff, like all the stuff on the previous page, because it's OWASP: it's free. But blue can afford the good stuff. IT security spending for 2019 was 106 billion dollars growth; that's about six percent of the entire IT budget. Software publishers and internet services had about 8.7; government services spends about 6.7 percent. So it depends on what sector you're in: nearly 1,200 dollars per employee spent on IT security; software publishing and services a little higher than that. But this is how it gets broken down. So what did they spend it on?

Well, the spend is pretty interesting, because it went to operational security, which is about half of it, and that covers things like network security, things like identity and access management, privileged access management, endpoint security, things running on laptops, vulnerability management. The next biggest chunk of the pie is vulnerability assessments, so pen tests, so isn't it really blue team spend any more? Then they spent 16 on governance, risk and compliance, and 18, no, 14, on application security.

But why is blue playing catch-up? Well, blue has the wrong focus. We're spending most of our time and our spend... 72.9 percent of exploitable things are actually happening in implementation. This is a study done on all CVEs over an eight-year period; hopefully they'll be doing a new one, because this data is now old, 2016. But in 2016 almost 73 percent of all vulnerabilities were code. We're spending all our time, 50 percent of our budget, on the configuration side of things, that tiny little portion down here. 96 percent of changes flow straight into production. This is a large bank I've done some work with, because there are not enough people in the blue team to review application security changes. No one's reviewing those application changes. This is a scary amount of change happening that nobody's even looking at. Four percent of the people did actually self-select and say yes, we'll go through that process, and then they spent six to eight weeks in hell waiting for something to happen. The central security team is completely swamped; there's no way for them to do anything. There are many, many studies on, you know, blue getting involved earlier, right? You've seen this, you've seen the shift-left concept: you know that as things get further to the right, we end up with much more expensive, much harder to fix; dollars go up as we get closer to the production side of things. So blue needs to be involved way, way earlier in the process than they actually are.

So how does blue actually catch up? What can they do? Well, we start with remembering that the giant in the story is the organisation itself. We're all here for that, right? If the company isn't making money, then nobody's doing what they need to do; nobody's able to continue doing their jobs. If we don't deliver, we have no customers; we have no customers, we have no money; nobody gets paid. We know that blue is better when it works with red, and we've all heard of purple teaming. So when blue does actually take a look at red's paper, and when red does help blue understand the attacker mentality, we definitely get a far more efficient way of working. But does purple actually solve all the problems?

Well, a little bit more of a plug for more OWASP tools: purple has cool stuff too. SecureFlag: if you're an OWASP member and you have access to the OWASP applications, because you've got an OWASP email address, go check out SecureFlag. SecureFlag is a commercial platform; the project itself is the actual platform without any of the exercises in it, and that is open source, but SecureFlag as a commercial platform provides a bunch of exercises where you can actually run through: this is a long piece of code, let's break it down, let's see what's necessary in order to... sorry, my laptop wants to do updates. But if you have an OWASP account, go check out SecureFlag; if you do not have an OWASP account yet, why? So SecureFlag is great. Juice Shop is fantastic: if you've never played with Juice Shop, it's a deliberately vulnerable modern web application. Take it, pull it apart; there are a bunch of CTFs built around Juice Shop, feel free to make use of them, and they've got some really fantastic testimonials, which I don't think you can actually see down there. Dependency-Check as well: if you use GitHub and you're using the GitHub dependency verification, you're using Dependency-Check. There are better tools, commercially available tools that do better in-depth reviews of whether this piece of code is actually ever called in your application, but at least start with the basics, and they're free, and it's in GitHub.

So we have red and blue and purple now. It doesn't really solve our problems, because red and blue are outnumbered. This is the picture of the world as it is: purple team, purple down there at the bottom, the tiny sliver that is the red and blue team combined, and that is the world of people building code. 100 to 1: there are on average 100 developers for every security person, and that's not specifically application security, that's just security generally. So we have to add green, right? So red, purple and green: this is white. This is my very happy coincidence that creates a space for all the white hats, right? Right here we add green by performing security in all areas of the delivery process, right through the lifecycle of developing and running a service, and we make security a question of software quality again. This is the ISO 25010 software quality model. I've highlighted very nicely here where security sits in that model. You'll notice that, if you've done any work with ISO models, they're generally left to right, most important first. So functional suitability of software is obviously key: if it doesn't do what it's supposed to do, no one can use it. And then as you move further to the right it becomes less and less important, to eventually get to things like portability, where, okay, this will run on AWS and on Azure, and the only catch is you're never going to move from one to the other, right? Security, you'll notice, is very carefully put on that nice boundary between things that people do care about and spend money on, and things that they don't care about and don't spend money on, sitting right there where reliability is just to the left.

We have tools, so many great tools. We build the standards: so there's 150 projects covering all the tools we've talked about and many, many, many more; the standards for software security, things like SAMM, ASVS, literally the way that you build software and what that software looks like when you finish building it, so measuring quality. There are 200 chapters, maybe slightly less now after the pandemic because some chapters have gone into hiatus; thousands of members worldwide, most of whom are green team, very willing to join with red and blue to move things.

How can you help? Well, get involved. Start with a project, and as I said, there are projects that cover everything. If you write code, there are lots of projects that can use your help in writing some code, even if it's just running some tests, because that's something we never get around to doing. If you don't write code, that doesn't matter; there are other things that you do, there are things that you know that you can help contribute back to. There are lots of projects that are involved with how things get done, lots of projects that talk about, you know, blog articles, community articles around specific types of vulnerabilities. Please get involved. Get involved with your local chapter; keep pushing, pressure to get your chapter up and running, and then come and meet up with them. Quite often OWASP does this kind of style of meetup, where there's a couple of presentations but it's mostly a little bit social, and they're good. If it's just social, that's fine too, but get involved with your community. Make sure you go to BSides when it starts running again, once conferences happen in real life. Try and get out tomorrow; hopefully BSides will be happening in December, if the world stays the way it is now, he says, when we haven't... And you'll be amazed by how much OWASP events look like BSides events, mostly because, you know, the BSides events are generally run by the people who are running the other events. Join up: if you're not a member yet, become one. There are special pricings for developing nations; South Africa qualifies, so your membership will cost you twenty dollars a year as opposed to the fifty dollars it costs in the United States. With that you get a Gmail account with an OWASP email address, and you get a bunch of other access to other tools like SecureFlag and other things as well, some free training, and you always get discounts equivalent to your annual cost too. So if you spend twenty dollars on your membership, you get a twenty dollar discount on whatever conferences you go to, and you get that for every conference you go to. So if you mention this one: we will be meeting up in San Francisco; that will be the first in-person global conference for OWASP in maybe three years. If you can make it to San Francisco, I'd love to see you guys there.

The problem is that there are 40 million developers worldwide. 40 million. And I say we have thousands of members; I should be able to say we have millions of members, because every dev can use the tools that OWASP has, and every dev should want to make use of the things that are given to OWASP members. So please do get involved. That's it, that's me. If you have any questions, again you can find me in either of those places, but rewtd is probably the easiest way. Thank you.
Are there any questions?

I've actually switched to a bomb; it works much better. Water is just too damn hard in the UK.
Training or something? Yes, so there is: OWASP trainings in person seem to happen with the OWASP conferences, but there are lots of online training sessions that are currently happening. There are training sessions with online conferences as part of, like, every month this year you'll find something. Access to Jim Manico, who is doing a bunch of trainings this year. And probably, I'm now going to say this on the live stream when I haven't actually cleared it with my business partners yet, but probably Secure Delivery will be giving some free OWASP training with threat modelling. One of my key passions, you saw getting involved earlier in the process, is threat modelling. Threat modelling by security people is fine, but they tend to do it very late, and they don't tend to do it on the thing that actually gets built, or they do it on the thing that's already built, and this is a two-legged threat model. So we do a lot of threat modelling using Cornucopia, which is a card game which devs play as part of, you know, like you do planning poker as part of story grooming; you can use these cards to come up with threats around those things. But yeah, there'll be tons of training, and again OWASP membership gets you discounts. Bear in mind, everything at OWASP is freely available, right? You can gain access to all the tools; you don't need to be a member to use any of the projects, you don't even need to be a member to contribute to projects, but it does give you some additional benefits and helps us do what we do, because we are a not-for-profit organisation.

Thank you very much.

Just another 10 minute break, and there might be more food coming. So grab a drink, eat something, and then we'll do the last one. Be social.