
So with that, we are into Tales from the Cybercrime Battlefield. Now, you will notice that this is branded Ladbrokes Coral, much to the chagrin, I'm sure, of the Sky Bet people, who are lovely. We are here and there, and they're recruiting, so please reach out to them. I'll be talking a little bit about Ladbrokes Coral, or rather, you probably know about us: we're everywhere, we have these retail stores. That's enough about that; I'm more interesting.

So those of you who have seen me present know that I like to come at this from a criminal perspective, not being one, but actually tracking them down, because I had some experiences in that back in yonder years, and I'm really interested in this whole new emerging area of the cybercrime battlefield and all of these devices that we have proving innocence or guilt. About two years ago I wrote this article about how things like Alexa and your fitness trackers are going to become, basically, the things that reveal whether or not you actually murdered your spouse. What was really interesting about this is that just recently there was a case where an Apple Watch was used to convict a gentleman of killing somebody and dumping them down an embankment. What they did was they took that biometric data and then they had somebody do those exact same actions, and the biometric data perfectly matched that individual doing that at three o'clock in the morning. So the number one takeaway for that is to ensure... oh, I have to download a new version of Java. Not now. So the bottom line is: if you're thinking about committing murder, don't wear your personal fitness tracking device, nor ask Alexa "how do I murder my spouse". So we'll just move on here. We can't, because apparently we need to do the Java thing first. Now we can.

OK, so the first part: some research that I was doing. This is pretty cool; there's going to be an article coming out about this. This is an APT group that I called Magdalena Senora, not because they're Mexican or Spanish but just because that was the domain that was used to attack a bunch of my customers back in Canada. What's interesting about this attack is that I thought it might have been a standard ransomware attack, but because the targeted vector was medical, a medical chain that actually practises medicine across a number of branches, there was no kaboom. When I looked at the payload it didn't launch ransomware, and I was like, wow, this is a complete waste of time, why would somebody do that? So what I was doing at the time: I was working for HSBC on a contract to roll out a bunch of threat intelligence tools, and we took this as an example, as a proof of concept. We found that this group had created all of these domains for phishing attacks on medical companies and other companies. They would use the domains and then they would throw them away and buy new ones, to stay under the radar of all of the Barracudas, Spamhaus and stuff like that. So this was a really interesting tactic, and I found that they didn't actually use more than 25 or 30 IP addresses; they would just rotate the domains.

So why was this an important find? It was because we could do two things with this information. One, we could of course block all of those IP addresses at the firewall. But more importantly, we could see if there was any traffic coming out of the business to those IP addresses, thus indicating that somebody had clicked on the link and we had a compromise. You can see that there literally were hundreds of attacks in the logs on the bottom part there. (I have to stay within this box, otherwise, as you know, I'd be running around; I've had like 12 cups of coffee.) So this was a really interesting attack that we deconstructed and looked at; there'll be an article coming out about these guys. This is the killer thing: all of those IP addresses were located in the United States. There wasn't a single... well, I think there was one, it was like OVH hosting in France, which apparently everybody uses for cybercrime, but it was all basically US-based. So the narrative, and this is one of the first takeaways here, the narrative of "it's Russians, it's Chinese, it's Vietnamese, it's Canadians" (you know, but at least they'll apologize after they hack you), the narrative is: cybercrime is everywhere. You can't play whack-a-mole. Just because an IP address in Vietnam is attacking you doesn't mean you try to ban all of Vietnam from ever talking to your network ever again. So this is the present status: basically, the internet wants to kill us.
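The two uses of the IP list described above, blocking at the firewall and, more importantly, checking egress logs for internal hosts talking to those IPs, as an added example (not the speaker's code or tooling). It also shows the pivot the story implies: many throwaway domains collapsing onto a small, stable IP set, which is the indicator worth keeping. All domains, IP addresses and log lines are constructed.

```python
"""Egress check against a fixed attacker IP set.

Added example, not from the talk. The actor rotated throwaway phishing
domains but reused a small set of IP addresses, so the durable indicator
is the IP, not the domain. This pivots DNS answers to the shared IP set,
then scans outbound firewall logs for internal hosts talking to those IPs.
All data is constructed; IPs come from RFC 5737 documentation ranges.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed: resolution records for the actor's throwaway domains.
# Different domains, same few IPs: the rotation pattern from the talk.
DNS_ANSWERS = [
    ("mail-secure-login.example", "203.0.113.10"),
    ("patient-records-update.example", "203.0.113.10"),
    ("hr-benefits-portal.example", "203.0.113.22"),
    ("invoice-review.example", "198.51.100.7"),
    ("clinic-docs-share.example", "203.0.113.22"),
]

# Constructed firewall log lines (syslog-style key=value records).
FIREWALL_LOG = """\
2017-11-02T09:14:03Z fw1 action=allow src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp
2017-11-02T09:14:05Z fw1 action=allow src=10.20.1.15 dst=203.0.113.10 dport=443 proto=tcp
2017-11-02T09:20:41Z fw1 action=allow src=10.20.3.77 dst=93.184.216.34 dport=443 proto=tcp
2017-11-02T10:02:19Z fw1 action=allow src=10.20.2.40 dst=198.51.100.7 dport=80 proto=tcp
2017-11-02T10:02:20Z fw1 action=deny src=10.20.2.40 dst=198.51.100.7 dport=80 proto=tcp
2017-11-02T11:45:00Z fw1 action=allow src=203.0.113.22 dst=10.20.0.5 dport=25 proto=tcp
garbage line that does not parse
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+action=(?P<action>\w+)\s+src=(?P<src>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]


def pivot_to_ips(answers):
    """Map each attacker IP to the set of domains that resolved to it."""
    by_ip = defaultdict(set)
    for domain, ip in answers:
        by_ip[ip].add(domain)
    return dict(by_ip)


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_hits(log_text, attacker_ips):
    """Return outbound (internal -> attacker IP) events, allowed or denied.

    Denied events are kept: a blocked connection still means a user clicked.
    Inbound hits from attacker IPs are excluded; they are scanning noise,
    not evidence of a clicked link.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparsable lines rather than crash
        src, dst = m["src"], m["dst"]
        if dst in attacker_ips and is_internal(src) and not is_internal(dst):
            hits.append({"ts": m["ts"], "src": src, "dst": dst,
                         "dport": int(m["dport"]), "action": m["action"]})
    return hits


def summarize(hits):
    """Count hits per internal host: these are the machines to triage."""
    return Counter(h["src"] for h in hits)


def run():
    ioc = pivot_to_ips(DNS_ANSWERS)
    hits = find_egress_hits(FIREWALL_LOG, set(ioc))
    return ioc, hits, summarize(hits)


if __name__ == "__main__":
    ioc, hits, per_host = run()
    print(f"{len(DNS_ANSWERS)} domains collapse to {len(ioc)} IPs: {sorted(ioc)}")
    for host, n in per_host.most_common():
        print(f"{host}: {n} outbound hit(s) -> likely clicked a phishing link")
```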
This really cool thing that we gave birth to has now manifested itself into something that is costing companies that aren't prepared hundreds of millions of dollars. Right now I've put up a few folks that have publicly disclosed how much money they have lost as a result of the WannaCry, NotPetya, Bad Rabbit type of attacks; you guys are probably familiar with what those attacks were. Now what's interesting about Merck and Equifax is that basically they had to burn their networks down to the ground, and Equifax had some other problems that we'll talk about in a bit, because they're kind of a dumpster fire. But Merck is probably the most interesting, because they're a pharmaceutical company that delivers medicines to people. Now let me give you a scenario that's a little bit chilling. Merck readily admitted that they were unable to deliver the Gardasil HPV vaccination to a bunch of people because of this cyber attack. But here's the real thing: right now there is a major plague, like a real honest-to-god plague, with the rats and stuff, going on in Madagascar. Had this attack impacted the delivery of medications to somewhere like Madagascar, we would now be looking at a scenario where a cyber attack is directly responsible for the loss of human life. This, unfortunately, is our future, and I've got another article coming out in Tripwire where I talk about the law of cyber war: that right now we are playing with stuff that's indiscriminate. WannaCry didn't care: if you were vulnerable, you got infected. Same with NotPetya, same with Bad Rabbit. The actors that have created these things and unleashed them, arguably the North Koreans and the Russians, are basically perpetuating a situation and moving the ball forward to the point where we are now potentially going to be looking at suffering and possibly death.

So on that happy note, let's talk about your email inbox, because if we are faced with this potential battleground of cyber, it's happening in your inbox. When we crunch the numbers, we're seeing 75% of impactful outages were because of an email attachment. That's important. So if you're starting in security, or if you're an old grizzled veteran in security, look at those emails coming in and start filtering them, and start pushing for things like SPF and DMARC for your organizations, because this is where the fight is. Now every vendor out there, including the antivirus vendors (where we tend to choose the one that we hate the least), doesn't get this part, because they're sitting there dealing with the effects of that malicious attachment or payload having already arrived. So my view is that if you want to make a security investment today, start pushing out your perimeter. Google, Office 365 and those companies are getting better, but they're not invaluable... they're not infallible. So certainly if I was going to spend money today for an organization to help it with security, I would say: are you looking at something to filter all the crap coming in via email? Because that's the biggest attack vector.

Now let's get into some real criminals, because this is the fun part. So as I do this presentation you're going to see some pretty scary things that are called indictments, right, and Lauri Love and Marcus Hutchins have them, and hopefully you guys won't at some point. These indictments are the result of US Department of Justice investigations, and they are invaluable for understanding how cybercrime works, how it adapts, how it changes, and, my personal favourite, grotesque OPSEC fails by the bad guys. Because what's interesting is, when you go to cybercrime school, or you buy something on the internet on how to be a cyber criminal, what they don't teach you is how to not get caught. So just because you're building ransomware or you're firing out spam and phishing attacks doesn't necessarily mean that you're taking the right operational security measures in order to not get caught; that's a whole different school.

So in this particular case, our first protagonists have been in the business of turning businesses' PBXs (private branch exchanges, so the telephones inside a business) into "yes, I accept the charges", and then using that to have a whole bunch of people do long distance on the dime of the company. That was a big kind of hacking attack back in the late 90s, early 2000s. Now, as you can imagine, you now hold in your hands a device that can allow you to do pretty much free long distance anywhere on the planet. So they adapted their game, and what they did is they continued to break into businesses, but they would also start buying those 1-900 numbers, and they would get a whole bunch of folks like you to dial that business, which would then dial their 1-900 numbers, thus presenting the business with a giant bill and making a whole bunch of money for the bad guys. I point this out because this investigation ran basically from 1999; it took the FBI about fourteen years to deal with these people. So that's the other takeaway: what you're looking at is kind of a glimpse into the past and not the current state. We're going to get into the current state of cybercrime in a bit, but I wanted to put this one up as an example of how they adapt.

And this other group: you guys know these people particularly well, because as you've been surfing the internet you have probably got a pop-up advertisement that says you have a virus, you should totally call this 1-800 number, and you should totally download this software and pay for it to remove the virus. That's what these folks were doing. The second thing that's interesting is that was a low-level attack that people would just click through, and generally it didn't work, and the few people that actually were victimized by it did pay some money and there was actual crime. But they turned around and sold their ads that did this to the real bad guys that install ransomware through drive-by download attacks, so they got on the radar and were subsequently dealt with.

Now, this next slide of these four indictments: I'm not going to go through all of them in detail, but I need to underline a point, and the point is this: the Department of Justice in the United States (I'm Canadian, by the way, so I can make fun of the Americans) operates with something called extraterritorial jurisdiction. What does that mean? It means that their laws apply to anybody anywhere on the planet. Welcome. That's a problem when you're not an American citizen, because you don't get all the rights of an American citizen when you now find yourself in the hands of the Americans. In this particular case this was a Jamaican citizen, and he was arrested and indicted for having a lottery, but he forgot to create the lottery part. So he basically took money from people and said "you didn't win", because actually there was no winner; it was me. So this is one of these things where the victims were primarily US, because he was targeting them, and that's fine, I can kind of grasp that.

Now we move here a little bit further, and this one's really interesting, with the Indian citizens. This was the fake call centre: "Microsoft, you have a virus on your computer, I'm calling from Windows", yeah. Anyway, lots of arrests, lots of people. This was done in coordination with the Indian police, so it wasn't just the United States showing up in Learjets taking people off; that happens later on in our story. But in this particular case the primary victims were US people who were told that they needed to pay their taxes right away, essentially with gift cards, or the IRS was going to come and arrest them and they would be deported. That's what these guys were doing. What's interesting is there are some actual interviews with these people: completely unrepentant, and they thought this was totally fun, like there was no moral conscience at all there.

So in these last two cases, this is where it gets a little bit crazy. You might remember Artem, because probably a lot of you have used his services: he ran KickassTorrents. In the Ukraine, funny thing, there is no actual Digital Millennium Copyright Act, and in fact you can copy files all you want and you won't get into trouble. The Americans see it quite a bit differently, and so he was arrested and faces a very long prison sentence for doing nothing other than copying movies and making them available. And the last one you guys are probably pretty familiar with: it's Kim Dotcom. Kim Dotcom built a great file-sharing site; unfortunately he didn't really control the content. He made a lot of money from ads on his great file-sharing site, and it came as a bit of a surprise to him that what people were sharing was maybe not their own content. The interesting thing about this is that although the servers that were doing this were in the United States and they were seized, he wasn't an American citizen, and he has been fighting extradition to the United States (and I think he actually lost) to face these charges of criminal copyright infringement. So this is where we are today in a lot of ways: if you are participating in something that the United States views as illegal, you can be on vacation and/or at DEF CON and all of a sudden find yourself in their clutches.

So this goes to talk a little bit about the type of actors and the type of malicious people that are out there, and I try to categorize them by what they're doing in terms of an attack and what their affiliation is to you or your business. The reason why "high visibility, non-affiliated actor" is, like, bolded is that generally speaking, in business, this is what you're going to encounter pretty much all the time: you're dealing with cyber criminals. But we'll get into some fun stories about people that fit into other categories, because it's also worth understanding what the mitigating tactic could be in some of these particular cases.

We can start with this gentleman here. Now, in true IT rage fashion, when confronted with the firing or downsizing of his supervisor, he completely lost the plot, and he inflicted a lot of damage on his employer, from a McDonald's across the street, by deleting 88 servers, which accounted for the entire virtual infrastructure of this business. Now it's alleged that he did about $800,000 of damage, and this was because his boss got fired. When his boss got fired, I guess his boss just forgot to maybe disable his account, because he had run into some behavioural problems, and HR was unaware of the fact that he had decided to enact this sort of revenge. Now what's really interesting about these cases, where you're dealing with a high-visibility affiliated actor, is the attack is very high visibility. Trust me when I tell you, your bosses will immediately recognize when the entire virtual infrastructure has been deleted; it's not likely that it would go unmissed. Affiliated meant he was part of that business; he understood that business. What's interesting about the psychology of these individuals: (a) they generally take no operational security measures at all; (b) they want to get caught, because they want to tell their story, because they're so outraged, and they get to tell their story to a judge who sometimes, I would say, has a dim view: are you a criminal, are you not a criminal, like it's pretty binary at that particular point. What is incredibly interesting about this particular attack is that although he could kind of claim he went nuts, one of the determining factors was the fact that he didn't delete all the backups before he deleted the entire infrastructure, so they were able to get back on their feet relatively easily, although they did suffer that $800,000 loss. So again, when you start thinking about these types of attacks: is it conceivable that a manager in the organization or a director could have sat down with that individual and said, hey, let's go for a cup of coffee, I know you were really close to your boss, can we talk about how you're doing? That would have saved the company $800,000. So as much as we want to talk about cybersecurity and all that kind of thing, connecting with human beings, especially when there's been massive change in an organization, may be the best thing you can do as an information security person.

So this one is more recent, and I just absolutely adore this. This guy hired distributed denial-of-service attacks: he bought them with his PayPal account. He also teased the victim companies from Gmail and Yahoo accounts. Again, like, no operational security. Apparently, if you read the indictment, he did try to use a VPN once, but apparently it was inconvenient. So in the indictment, he tried to buy denial-of-service attack services from seven different companies, all in his email. Alright, at one point he wanted to be the American rep for a denial-of-service company that was located in Estonia or something like that; he solicited them for a job. All of this done over his email, and he was somewhat surprised when he got arrested, which is beyond me. The fact that he sent the taunting emails to his former employer and had been cooking on this for three years is incredibly disturbing to me, because generally I can't remember what I did half an hour ago, or at least that's what I tell the officer. But in this particular case this was so blatant and it was just so public that clearly they had to act.
Low visibility, non-affiliated actor. I like this as an example of what I call a very sophisticated APT group, because they did not attack companies head-on; they attacked the service providers to those companies. They infiltrated the managed service provider and they used the managed service provider's infrastructure to do reconnaissance, to take data, and to exfiltrate it through the managed service provider's infrastructure. These guys are an APT group that is using operational security like you would not imagine, because they didn't use any malware in their attack: once they got the MSP, they had all the access they needed to the other businesses. And they specifically targeted MSPs that had advertised in government, not-for-profit and military-industrial complex. So it's alleged that these might be a Chinese actor of some sort, and I use the word "alleged" very carefully. They're called APT10. I like this because the fact of the matter is that if you have hired a service provider, you need, as information security professionals, to ensure that their security is probably better than yours, because if you're outsourcing a whole bunch of work to them, you have the responsibility of ensuring that they're conducting their operations in a way that you have visibility on. The fact that accounts were being made on people's infrastructure, the fact that data was being copied and exfiltrated back: those are the kinds of things that should be telltale signs. So this is something I think is a future forecast in a lot of ways about how APT groups will be operating, in that they will find the weaker link in your organization, exploit that, and then move laterally. There's lots of things you can do about this, from SIEM to behaviour-based analysis techniques, and all sorts of different ways of controlling the levels of access that you've given to your service provider, and maybe even putting in some ranges of work windows, like when they're allowed to work.

So, low visibility, affiliated actor: actually incredibly rare. In some cases this is a person that takes source code from your organization, or something like that.
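The telltale signs the talk lists for the MSP case (accounts being created on your infrastructure, data being copied out, activity outside the hours the provider is allowed to work), turned into checks over a constructed audit log. This is an added example, not the speaker's code or any vendor's product; the account names, the work window, the byte threshold and the log format are all assumptions.

```python
"""Service-provider (MSP) access monitoring.

Added example, not the speaker's or any vendor's code. It applies two ideas
from the talk to a constructed audit log of a service provider's accounts:
an agreed work window outside of which the provider's accounts should be
quiet, and behaviour checks for the telltale signs the talk names (accounts
being created, data being copied out). Account names, hosts, sizes and the
log format are all assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time, timezone

# Assumed policy agreed with the provider.
MSP_ACCOUNTS = {"svc-msp-ops", "svc-msp-backup"}
WORK_START, WORK_END = time(8, 0), time(18, 0)   # UTC
WORK_DAYS = {0, 1, 2, 3, 4}                      # Monday=0 .. Friday=4
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024        # per account, per day
# Actions a support role should not need on customer infrastructure.
FORBIDDEN_ACTIONS = {"create_user", "add_to_group", "disable_logging"}

# Constructed audit log: (timestamp, account, action, key=value detail).
AUDIT_LOG = [
    ("2018-03-05T09:12:00Z", "svc-msp-ops", "login", "src=198.51.100.20"),
    ("2018-03-05T09:30:00Z", "svc-msp-ops", "patch_apply", "host=web01"),
    ("2018-03-05T22:47:00Z", "svc-msp-ops", "login", "src=198.51.100.20"),
    ("2018-03-05T22:49:00Z", "svc-msp-ops", "create_user", "user=sqlsvc2"),
    ("2018-03-05T23:05:00Z", "svc-msp-ops", "file_copy_out", "bytes=734003200"),
    # Split transfers: each under the threshold, over it together.
    ("2018-03-06T03:10:00Z", "svc-msp-backup", "file_copy_out", "bytes=104857600"),
    ("2018-03-06T03:11:00Z", "svc-msp-backup", "file_copy_out", "bytes=450000000"),
    ("2018-03-06T10:00:00Z", "jsmith", "create_user", "user=newhire"),
]


@dataclass
class Alert:
    ts: str
    account: str
    rule: str
    detail: str


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_work_window(dt):
    """True if dt falls inside the agreed Mon-Fri daytime window."""
    return dt.weekday() in WORK_DAYS and WORK_START <= dt.time() < WORK_END


def kv(detail):
    return dict(part.split("=", 1) for part in detail.split())


def audit_msp_activity(events):
    """Return alerts for provider-account activity that breaks policy."""
    alerts = []
    bytes_out = {}  # (account, date) -> cumulative bytes copied out
    for ts, account, action, detail in events:
        if account not in MSP_ACCOUNTS:
            continue  # staff accounts are covered by other rules
        dt = parse_ts(ts)
        if not in_work_window(dt):
            alerts.append(Alert(ts, account, "outside_work_window", action))
        if action in FORBIDDEN_ACTIONS:
            alerts.append(Alert(ts, account, "forbidden_action", f"{action} {detail}"))
        if action == "file_copy_out":
            key = (account, dt.date())
            before = bytes_out.get(key, 0)
            after = before + int(kv(detail)["bytes"])
            bytes_out[key] = after
            # Alert once, when the daily total first crosses the threshold.
            if before <= EXFIL_THRESHOLD_BYTES < after:
                alerts.append(Alert(ts, account, "exfil_volume", f"{after} bytes today"))
    return alerts


def alerts_by_rule(alerts):
    return Counter(a.rule for a in alerts)


if __name__ == "__main__":
    found = audit_msp_activity(AUDIT_LOG)
    for a in found:
        print(f"{a.ts} {a.account:16} {a.rule:20} {a.detail}")
    print(dict(alerts_by_rule(found)))
```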
like that but in this one case this individual woke up every morning and said how can I burn this business that I work for to the ground okay that's a little bit bordering on what I call the psychopathic okay because generally if you're that unhappy you'll quit move on but you don't wake up every morning just like how could I totally [ __ ] this company that's what this guy did in fact the company died as a result of his activities because he actually he did everything he could to compromise their infrastructure and all their clients this was an ISP that basically was a service provider to businesses as well as a service provider to
residential customers and he hacked all the things for three years okay now here's a gentleman that couldn't make it to b-sides this year um I apologize if any of you know him but this is indicative of the high visibility non-affiliated Akhter this is a UK gentleman that was recently sentenced now a couple of really interesting points about this particular person the first is is that he had quite a criminal background and I think what happened is he got pretty fat and didn't want to run from the cops anymore so he said I'm gonna go into cybercrime because I hear there's not as much running so that's cool and all but he basically was a break into a place and try to extort
money because he had broken into that place so he hadn't really moved up to ransomware yeah and quite frankly he just basically brute force stuff okay with probably a tool that he bought you know online so in this particular case he got into a law firm he he broke into the law firm he stole a bunch of their documents and then he tried to ransom those documents back to them the law firm called the police and you know he got arrested but then you know I guess they kind of said listen man you know it was Laufer and they got crappy security anyways we're gonna give you a slap on the wrist go ahead all right I'm not taking into
account his actual past I think right so then what did he do he broke into Pippa Middleton's iCloud account now as you guys probably know there are two categories of kind of crimes in the UK there's your standard types of crime and then there's anything that you do to a run and if a royal is involved or their family there's an entire section of Scotland Yard right that goes there's probably like alarm bells down there and the amount of resources that suddenly become available it's not you know PC what's it's not who you know is normally a traffic guy it's you know detective after detective after you know guy with you know experience doing shoot
east a beer AP so um he gets the full onslaught of investigative power of Scotland Yard and guess what uh he then that goes to jail yay bad guy now what's really interesting is that looking at his background the cop started doing some investigating and they found that it's quite possible he was related to a hack in the United States of an orthopedic clinic okay that's like four feet and stuff right anyways he signed his extortion emails the dark overlord now all of us in the room just probably want to punch him for using such a cheesy like handle but the dark overlords plural are the ones responsible for attacking HBO and getting all of that stuff out of them so
he had sort of decided to take this Marc Montclair if you will and he we don't know if he was affiliated them with or if it wasn't I'm not actually I don't know if on recruiting they have to pit they have to pass a basic physical fitness test not sure but it's unlikely that his style of attacks MIT meets the test of some of the groups that have attacked things like HBO to grab movies because none of his attacks were media related for starters right so it didn't take long for Scotland Yard to pin that one on him as well and the good news is is after he gets out of jail there's some lovely people from the United
States that would like to talk to him afterwards so he thinks is three or four years I think is what he got sentenced to in the UK now he's going to face some real uncomfort in the United States now we're going to change gears a little bit and we're going to about these guys I don't know if you saw my presentation about Peter Romer and the Syrian electronic army anyone here Manchester he said no okay so I want to point this out because this is really interesting where you've got mad hacking skills that a government paid you to do but then you target American businesses using American provider accounts such as Gmail and Facebook to try to extort
money from them and then you're somewhat surprised when you go to jail now Peter wasn't the brightest light bulb Peter was responsible for the money laundering because as you know and you can try this at home get a friend give them a check for like three thousand pounds and tell them to try and deposit it to a bank account in Syria and then you sit back and watch what happens okay this is exactly what Peter Romer was doing in Germany using the awesome alias of Pierrot Marr okay to do it under he was trying to launder the money that the dark shadow or the shadow here again another guy that you just want to hit in the face had extorted from
American businesses so to this day the shadow remains elusive probably somewhere in Damascus and a Peter is facing a very long time in jail because in addition to the computer hacking stuff wrapping yourself in the Syrian electronic army has some potential terrorists the connotations as well so because this is affiliating yourself with guys that nerve gas they're actual citizens it's not going to go well for this individual at all now this one's super fun because there's two pictures and we're going to get into those two pictures in a moment but we want to talk a little bit about the Iranians now as you probably are aware the Iranians had a pretty serious denial service attack
on a bunch of banks and then there was this media headline of SCADA system infiltrated by Iranians and the words were the bowmen damn and everybody went oh my god it's the giant diamond Ohio what they were actually talking about was the small down in upper state or so so okay so first bit of Awesome media flood here because clearly somebody googled Bowman DRAM and boom wow this is totally serious because you open that and it looks like you'd flood you know at least you know a few antelope you open that and probably you'll get an old lady complaining that the date has been left open so and in her backyard is getting a little bit
flooded so this was a situation that was orchestrated that was widely used to say that the Iranians had really escalated their game and it was really a serious thing because they could use their mad hacking skills and open this sluice gate and you know caused massive damage it never happened okay it actually didn't happen what happened was is that a computer system that somehow found itself on the internet with a cellular modem was actually connected to by an Iranian IP address but that gate was not actually attached to the computer okay so this is a great example of how I would say you take a political agenda and you fit a Hawkins on top of that to
paint a picture of real bad guys okay so it's just something to take away because you know we did talk about fake news a little bit this morning now this one maybe not so fake this one's really interesting to me because for 15 years we've basically been after this guy okay now his name is um ugly gorilla which sounds way cooler in the Chinese hacking community I'm sure okay just like Wang dong is probably not the nicest name to have here anyways they tracked him down this apt guy akhter came out mandiant did their bid report and created the atoll cyber threat industry cyber threat Intel industry which was really really cool and exciting the United States was
forced to action and the Pennsylvania DA dropped this indictment on these guys for hacking allegedly pennsylvania businesses but never in the media i never in the Department of Justice did they link the Tudor to tighten reign attacks tighten reign was fifteen years ago and was allegedly the Chinese infiltrating the American dot mil space and the American government okay so this is one of the takeaways from these cases that you hear about that suddenly come again for political reasons because as you know there was a little sit down little meeting Obama and then premier of China and they talked about maybe we should stop the hacking between our two nations for the benefit of trade again
all of a sudden you've got an indictment of Chinese military officers because that's what ugly gorilla was are still is probably and although he's somewhat fallen out of favor because if the one thing the Chinese don't like it's public recognition that they're not behaving appropriately um but again we're seeing hack ins with political purposes and who cannot forget this it was huge headlines Yahoo hacked right like crazy um caused huge repercussions in the industry really birthed the whole senior executives falling on their swords type story and dealing with you know a massive reduction what they don't tell you is the main protagonist in this was a Canadian yeah one of my people one of my people one of my people got
hired by the FSB okay which is the accident it's the equivalent of the mi6 people but for Russia okay and they hired a Canadian I guess they felt you know that was really cool and I'm just gonna throw this out there they did their job their job was to do the Hackett's okay so yeah you can you can get upset all you want but this was Russian who hired a Canadian to go and hack does it see anywhere in the headlines in the media Canadian Fox Yahoo didn't say that right so again for political purposes this a massive spin put on it and again was used to undermine the relationship between the United States and Russia by
indicted intelligence officers for Russia who were doing their job their job is to spy ok so it shouldn't come Wow shocking your job is to spy and you spied on us right now they spied on you yeah Yahoo for a particular reason because at the time with all the old people in the US government a lot of them in senior positions had yahoo accounts okay and you know as the bane to every information security professional who hears the words I'm just gonna email that to my my home email address so that I can work on it awesome yeah and this is one of the reasons why they went after Yahoo's they knew that many of the accounts on Yahoo
were US government senior US government people and just recently there was that wide widely toted headline of the how the fifteen-year-old kid basically social engineered his way into the CIA database took over some major US government people by social engineering his way so 15 year old kid Russian FSB Canadian hire the hack ins are going on right this is the same template that it's always been now I want to kind of change based on all this stuff that you've heard based on the different types of actors and different what they were doing so oh Emily oh my god I got a power on yes good okay we're good I won't run out of power my laptop wait okay I want to talk
a little bit about compliance and security, because this is something that's coming at us like a freight train, okay, the whole GDPR thing. But for most people in the UK who have been working under the DPA, they're kind of like, it's a non-event, like we're already, you know, dealing with this, etc., etc. I'm not gonna downplay it, but I will say that this has been picked up upon because it's very confusing, and I'll explain it this way: GDPR is a regulation, and regulations are interpreted in courts. As a result GDPR is pretty vague and there's a lot of uncertainty about what's going on. Now when you add that uncertainty and you put it into the vendor blender, what you get is a whole bunch of vendor fun, as we talked about this morning. And what's really interesting is most of what you need to do under GDPR is pretty straightforward in terms of architecture, in terms of policies; you just have to look like you're trying, okay? That's the most important thing. So every service ticket that's security-related, every time you buy or purchase a pen test, every time you do a vulnerability sweep in your organization, is less money that you might have to pay if there's a fine, right? The number one thing you can do is have a user awareness training program, and why is that? Because GDPR stipulates that if you don't know what GDPR is, you're in violation of GDPR. So, Brussels, you can thank them for that little one. So as long as you have some of this documented evidence you're going to be in great shape, which leads me to the conclusion that what we're really talking about is not security and compliance, but due diligence versus negligence, all right? Not giving a crap and being public about it is a great way to get the ICO at your doorstep, but by trying hard you're establishing your duty of care. Anything connected to the Internet can be hacked, we know that, right? Standard of care: there are best practices out there; the UK government has given us Cyber Essentials, and whether you love it or hate it doesn't matter, at least it's a standard that you can try to adhere to. And, you know, what is the harm of getting hacked? So one of the first things, and this is my opinion, but one of the first things you need to have on your org chart about how much you want to set your hair on fire is: if we have been hacked, does it meet the test of a GDPR problem or does it not? So as I like to say, if the secret plans for the Death Star, okay, are infiltrated by Boff and cyber criminals and they steal
those, it's not a GDPR problem, all right? So you won't do your four percent of annual revenue and twenty million quid fine, right? But if they also took the customer relationship database during their infiltration of your Death Star plans, then yes, you have a GDPR problem. So there should be, in your incident response, a "do I care or do I not care so much" step. So that's one of these. Now let's talk about these guys. So yeah, £400,000 for Carphone Warehouse. I read the entire judgment, okay. Now this one would have been really expensive under GDPR, because this is really in that "I don't give a [ __ ]" category, like not even trying, okay, because basically, I think the thing that blew my absolute mind was that they got a free vulnerability scan from the person that got root on their Apache server, discovered that it hadn't been patched for seven or eight years, right, and then were shocked to discover that even though they had crypto on the credit card data, they stored the certificate for encryption on the machine. So yeah, a fail all the way, right? And again, this is coming back to this legislation that we're seeing that the ICO is pushing forward, and pentest companies are gonna love this, okay: they're really faulting businesses for not getting a simple pen test, right? And it doesn't have to be the most elaborate thing in the world, but if you have a pen test, and they ask "have you had a pen test?" and your answer is "yes, here it is", that makes the whole situation go one level of escalation lower down, right? So, you know, if I was advising a business I'd say get a pen test, right? Tell us where we're at, what are the things that we can do to make it impactful and fix our evil ways, what can we do right away. Here's the problem with that though, okay: between your first pen test and your second pen test, right, this is where the rubber is going to hit the road. It's not when GDPR comes into effect, it's the year after GDPR has come into effect. If there hasn't been any change between your first pen test and your second pen test, you can be in a heap of trouble. And what I would recommend is, just before that pentest, if you know you guys haven't patched anything, you haven't upgraded anything, you haven't done any access control projects, you haven't done anything, that would be a really good time to call a recruiter and say, you know, I think it's time for me to look at my next opportunity. Because again it comes down to showing evidence of actually doing something. And in that "I don't give a [ __ ] about security"
category, and not only do I not give a [ __ ], I'm gonna cover up not giving a [ __ ]. This is where we run into some really interesting allegations. The allegations are that Uber did nothing and covered up a hack, okay. Now what's interesting is nobody's talking about 18 US Code, misprision of felony. Any people in law here, in law or kind of as a hobby? Okay. Ultimately, what misprision of felony is, it's actually from the UK, and it is the idea that if you see a crime and you don't do anything about it and you don't report it, you can actually be found guilty of something called misprision of felony. So what's interesting in this particular space, especially in the United States, is that the United States judicial authority and the Computer Fraud and Abuse Act are pretty clear that it's a crime and a felony; there's a lot of people in jail under that. Why hasn't this statute been used in computer crime for covering up a data breach specifically, right? The other thing is, if we talk and we conspire, and you talk and I conspire, we now have a conspiracy to commit misprision of felony by not reporting the actual data breach that we had and attempting to cover that up. So this is where things are going to get really interesting for companies that try to cover up a data breach, because yes, they will probably be found out at some point, but the ramifications for what they've done... and those are two civil lawsuits that use some pretty harsh language. So this leads us to the idea that we may be into a whole new paradigm in terms of cyber security. We started out in the first era where we were monitoring our stuff, and then we moved into the security of things: we deployed antivirus, we deployed firewalls, we deployed a lot of stuff. Now the threat landscape has evolved to where we need to assure our businesses, we need to provide evidence that our security is actually working, okay? No security is
perfect, and life is not simple, and nor is business, but the point is, again, it's about having your security stack and proof that it's in place. And the wins and the losses are important, because what's interesting, and again it comes back to the types of crime, these are UK stats, okay, reported cyber crime versus actual cyber crime. We see at the top of the list things like business email compromise, confidence fraud and romance, non-payment/non-delivery, and investment scams. Now what's interesting is that these are the reported crimes in the United States, so when somebody rips you off, or it turns out that sweetheart that you met online is actually a 36-year-old person living somewhere else, um, you get pretty angry and chances are you're gonna report that kind of crime. But if I throw a brick through the window of your car, are you gonna even report it? Well, maybe not, right? So what we're finding is that the policy leaders of our countries do not have good information to base off of where we need to focus our attention. We also see that in the top reported cybercrime, this comes down to user education, because in a lot of cases we don't have a technical solution for those particular problems. And this is probably one of the best examples: this was an email that cost a company forty-seven point seven million dollars. Let that sink in for a few moments, okay. Now here's how it happened: a person was simply asked, in an email that they thought was from the CEO, to attach all the W-2 tax forms into an email and send it back. Now the California Attorney General went mental about this and basically sued Seagate; they settled out of court for five point three million, but in that settlement Seagate agreed to provide insurance for anyone that might fall victim to credit card fraud. And the reason why is that within 24 hours of those W-2 tax forms getting into the hands of cyber criminals, they had already filed your taxes for you, claimed the refunds and changed your
address. How nice of them. Now, winding down, we're going to talk about some future trends, and this is where I'm going to get a little bit ranty. Anyone, again, kind of a student of the law: do you know what trespass to chattels is? Yes? Okay. So say we have two fields and we had agreed that we could share our, in the UK it would be sheep, on both of the fields, okay, but then one night I go crazy and I dig this giant ditch across the fields and your sheep can't get across, okay? So when you buy a CPU that says 3.0 gigahertz and you expect it to perform like 3.0 gigahertz and it now performs like a 386, you're going to get a little bit angry, and you're gonna get a lot angry, and you're gonna either subscribe to the view of Spectre and Meltdown as something that was known about for a very long time and we weren't told about it, and it conveniently arrived to bolster the narrative that every cloud service provider deserves 30% more profit by degrading the capabilities of their CPUs, right? Yeah, you see where this is going. So the only people that are gonna win here are a whole bunch of lawyers, and Intel is going to get sued, and I put in the issue with ARM here, and let's face it, Apple has had a really rough go with the whole battery thing, the slowing down and all that. It's been difficult for Apple, but Apple knew back in June 2017 about this problem and nobody was talking about it, and this, my friends, is the tip of the iceberg when it comes to CPU vulnerabilities. One of our biggest problems is backward compatibility. In, I think it was 2014, I heard a refreshed performance, if you will, a refreshed conference presentation on vulnerabilities at the BIOS level of machines from 2009, from two Argentinian security researchers, okay. In that presentation they stated that the BIOS and the CPUs are an unknown landscape in terms of vulnerability, in terms of code injection, in terms of understanding the
architecture versus the operating systems that we have, and this is an area where there is way more to fall out. This could probably be the biggest story and continue to be a problem. Now on the FUD side: this is not unlike every other type of attack out there, where you have to run the code on a machine in order to exploit the vulnerability, okay? So it needs to be delivered, about 75% of the time, in an email as an attachment or as a web link. So the threat landscape hasn't changed; the only thing is that we know that this vulnerability exists. And here's the real answer, the real question that I'm asking: how many vendors out there, especially antivirus vendors, have built in protection against this type of exploit? Just like, if we go back to WannaCry and EternalBlue, which was essentially trying to jam a 32-bit address into a 16-bit register for SMBv1, why can't we detect it and kill it right away? What is the complication here? Now ESET, who I talked to, they took EternalBlue when it was published by the Shadow Brokers, ran it against their antivirus and built the heuristics and also built the definitions for EternalBlue far before it ever came out. Again, we're into the same category here: if we knew about it, why wasn't it fixed, and what's so hard about it? Which brings us to the next generation of hell. This is in the ICS space. I don't know if you follow Triton or Trisis; very, very interesting research coming out of it, especially when three important research firms go "I don't know what this thing does, but holy [ __ ]", that was a quote. Schneider Electric, to their credit, identified that it was using a zero-day attack on their hardware and went public with it and disclosed how it worked and what the mitigation strategy was. The actual malware reverse engineering analysis is complicated on this bastard: it has got crypto under crypto, it is doing everything it can, and it also detects a VM environment for reverse engineering and blows up, so it's quite interesting. I put Meltdown and Spectre there because what I think we'll see is Meltdown and Spectre being combined into an exploit payload directly for ICS systems, because some of those systems cannot be upgraded, they can't be turned off, they will exist. So if that crosses your air gap you could be in real serious trouble. And I also put the awesome Apple no-root-password vulnerability up there as well. I'd like to think that in the future QA should get better; I feel like it's not, I feel like we're really rushing. This is probably another thing that we're gonna see, with a lot of movement to the cloud. Those are backup files from Morgan Stanley, those
Apache servers, and cleartext user IDs and passwords for their online banking portal, probably not something you want to leave public. But this is just where we're at; everyone says let's go to the cloud. Us information security professionals should be safety, safety, safety, right? Get into that mentality. The cloud is great until it's not, right? Um, again, a little bit of ranting here. These are the kind of things that we can do to get there, right? It's not hard, especially when you look at things like AppLocker, which is included in the Windows operating system. If we start using stuff like this, which is given to us in a lot of cases, we'll do okay, we'll get past this, and it won't matter if it's an APT actor or, you know, some miserable person that's attacking your network; you'll at least be able to get the visibility and at least be able to prevent getting owned.

Now on the corporate thing: if you are looking for a next opportunity, Coral is hiring; they are looking for all kinds of folks in cybersecurity. And I just also want to send a huge shout out to BSides for pulling this off. It was my pleasure to sponsor them, it was my pleasure to be here, and I think we have exactly five minutes for questions if you've got any. Thank you.

Questions, concerns? Yes sir.

So what happened was a lot of botnets got taken down. Botnets are relatively easy because their attacks don't really change; once you see the botnet, it's pretty easy to start putting in mitigations. I think there's better communication at the carrier level now, and we're scrubbing a lot of that traffic before it even makes it out onto the actual wider Internet. The pipes that are responsible for moving the majority of traffic are actually getting faster. So what's interesting is, even though you can generate these pretty horrific distributed denial of service attacks, it's something that sets off alarm bells, you know, across the world, and when that happens a lot of the carriers now go, you know, okay, we're gonna sinkhole this list of IP addresses coming from your country, we're gonna sinkhole this list of IP addresses. So I think we're reacting better, and I think the thing driving that was the Dyn DNS attack, where everybody went holy [ __ ], and then what we saw was somebody did an economic impact analysis and figured that it cost the United States about 30 billion dollars for that outage, and 30 billion dollars is like a whole lot of money; I'm about 29.999 billion short. So when that happens, and when you have a massive outage like that, that gets on the radar really quickly. And so I think DDoS will be there for a while, but I also think companies like Cloudflare and Akamai are getting more effective at dealing with that type of attack, because it is a very visible attack. Yeah. Any other questions? All right, well, we'll see you for drinks tonight. Yeah, party on, Wayne.