
Thank you, I appreciate it, sir. Ah, it's wonderful to see you all here. I'd like to thank BSides Augusta for this opportunity, thank General Fogarty for the wonderful words of opening here, and thank you all for attending. I'd like to talk with you today about some of the stuff that my team has been working on, and I actually want to issue a challenge to you. I'm going to come back to BSides Augusta next year and see how you're doing on the challenge. The talk is embodied in this thing called "kinetic pwnage." The times, they've changed, right? We live in a world where most of our physical infrastructure is controlled by networked computer systems. So what does that mean? That's what we're going to discuss.

Here's a little intro for me. Mark Baggett already said some very kind words, but, you know, I run a little company called Counter Hack, and Counter Hack builds things like NetWars and CyberCity. Cyber ranges is what we build. We also do a lot of offensive stuff in penetration testing. And, well, I see here that this certificate is only valid for today, so we should get moving forward here.

All right, so I'm going to give you a bit of a historical grounding, where we come from in the last 70 years or so. I'll give you my central thesis for the talk. We'll talk about why this is so, some implications, some of the projects we're working on, and then a manifesto and a call to action. How do you like that?

If you go back to, say, 1946 or so, the hacking movement started. Now, this actually bothered me when I first started researching this and reading this, because I grew up in the Bell System. I worked at a company called Bellcore that helped to make the regional Bell operating companies interoperate, and I always thought it was the phone phreakers, those are the people that created hacking, right? Well, in his book Hackers, Steven Levy talks about this origin of the hacker community and says, if you look at it, it actually kind of predates the phone
network, and it goes back to the Tech Model Railroad Club at MIT, and there some hackers got together and built very elaborate model railroads, trains that were computer-controlled, and they kept updating it in the '50s, the '60s, the '70s, putting in all kinds of industrial control equipment. It was awesome. They had this building here, and you could play Tetris on the side of the building. Right now, since then, the Chaos Computer Club has actually implemented it at full size over in Germany, but this is the source of a lot of this sort of hacker idea and hacker mindset: manipulating technology to do amazing and great things in ways that it wasn't originally designed to do.

So my central thesis here: we're entering the golden age of hacking, not just software, but hacking software to have impact on hardware and physical circumstances. I saw a quote a couple of years ago by Joe Grand. You guys know Joe Grand, right? Kingpin, back in the day with the L0pht hacking group. Joe Grand has done amazing things since then. I saw him do a presentation a couple of years ago, and he said this. He said, "Hardware is the new software." I'm like, dude, that's fantastic. It's like in fashion, they say, you know, like green is the new black or something. You're like, what do I know about fashion? Yeah, exactly, I don't know anything about fashion. But hardware is the new software. Or Dual Core, right? Dual Core, the hacking rapper, just fantastic stuff. "Hack All the Things" is one of my favorite songs of his. Hack all the things, not just the software. We've been doing a lot with hacking software over the last couple of decades, but now, increasingly, it's time to hack the hardware: embedded systems, the Internet of Things, jailbreaking your devices, rooting them, the hobbyist culture, the maker movement. They all smash together in a really exciting time. This is awesome. It's also horrifying and scary. I mean, we all laugh. Remember when they hacked into the street signs to say "Caution, zombies ahead"? All that's funny, that's cute, and it could actually kill people and hurt people if they did
it to the wrong signs at the wrong time with the wrong messages. Yeah. So these are really cool times, but they're also scary times, and are we as an information security community up to the challenge here? Honestly, I'm not so sure we are.

So, some recent headlines along this. I'm not going to tell you anything you don't know on this slide; you've seen it, this is just context, right? April 2015: did you see the GAO report on hacking airplanes? Now, this was a highly controversial report. Some people said that certain conclusions in it were unrealistic, although it does raise the concern of somebody hacking from the ground into an aircraft in the sky and taking action. Also in April 2015 there was a BBC article about hacking train rail signals so you could divert trains or maybe derail trains. May of 2015, we had some headlines again involving airlines, with Chris Roberts allegedly hacking into airline systems and maybe changing the direction of aircraft, although it's been very controversial as to whether that was actually a simulation that he was hacking or a real system. We'll see how that comes out. Have you noticed how curiously quiet that whole thing has gone lately? I've been looking for more details on it, and the whole thing is very quiet. And then, of course, just last month the amazing work from Charlie Miller and Chris Valasek was released publicly. Two years ago they did a presentation at DEF CON on hacking cars, and it was neat. They showed that if you had physical access to the car area network you could take over the car: you could change the steering wheel, and you could apply the brakes or turn off the brakes or whatever. And everybody at that time said, oh, well, you have to be, like, sitting in the car, and if you're going to cause the car to crash there's a significant downside for you if you're sitting in the car. You need physical access to the car area network. So Charlie and Chris spent another year plus figuring out how you could get remote access to this, and famously they did that and demonstrated it last month, where they could take over a car wirelessly and, well, do arbitrary things in the car, including causing it to crash. This is scary stuff. So Chrysler had to push a patch, and people would have to bring their car in to the dealership, although they can't get the patches out fast enough, so you know what they're doing now? They're shipping a USB thumb drive to owners of these vehicles saying, plug this USB drive into your vehicle and it will fix it. It occurs to me that this is another attack surface, right? When you get one of these USBs in the mail, you're going to plug it into your car to fix it? Oh yeah, good luck with that.

So it goes back to planes, trains and automobiles, doesn't it? And when I'm reading about, you know, the latest hack this or that, honestly, maybe I've just grown jaded, but if it doesn't have physical impact I find it a lot less exciting, right? Oh, you can make Windows run code? Well, that's... that's nice, Windows. Lovely story. I mean, yeah, that's good and that's important. Those are interesting and important hacks. But you can make Windows run code to cause a car to crash? Oh, now I'm interested. You had me at "car crashing," right? So if it doesn't have a physical impact I find it a lot less exciting.

All right, so why is this so? Let's go over some of the industry
-changing trends here. IP everywhere. Don't quote me on that, yeah. Anyway, Internet Protocol everywhere. I remember when I was a child, I was maybe 10 or 11 years old, I lived two houses down from Stephen Slezak's house, and we were tinkerers. We built stuff, and one of the things that we built was a little Morse code sending and receiving device between our houses. Now, we didn't have a way to actually, well, get a signal between houses, so we ran a wire between our houses so we could sit... we only lived two houses apart, but we could sit in our basements and send Morse code signals to each other. Okay, what I wanted was a global network where I could send messages to anyone, anytime, for free, anywhere on the planet. We've got that now, right? This is awesome. Could you imagine being 11 now? Oh yeah. And we've wired everything to this: baby cams, thermostats, light bulbs, cash registers, grocery stores, power grids, water systems, industrial and military equipment. Wow. Interconnectivity everywhere, everything online all the time. Some of it's connected directly to the Internet. Shodan, thank you for showing us all of that stuff, so you could just do a simple search in Shodan, the hacker search engine, and find out where all this stuff is. And it's worse than that: something on an intranet is actually on the Internet. We'll get to that in a little bit, but to see how we get access to stuff that people didn't expect us to be able to get access to, even if it's on a separate IP network: IP loves routing. That's what it's built for, and it loves to move packets back and forth between these things. IP loves IP, best friends forever. But you say, "Air gaps!" I talk to a lot of people... no, obviously, but you know, "We air gap that stuff." Really? Are you sure? Do you think air gaps are the solution here? I'm worried that if you think that, "We've air-gapped that, so that one's safe, our security there is not as important as it's air-gapped, you understand, it's air-gapped." If your security model depends solely on your being air-gapped, you're going to get owned, and you probably deserve to get owned. You should think of air gaps as merely high-latency connections. They are connections, because, you see, you come up with this fantastic scheme to have an air-gapped network. Good for you. But the person who follows you in your job is not as brilliant as you, we can all agree on that, right? And they're going to say, you know, if I just connect this together it'll be much more efficient. I don't know why that old guy didn't connect these things, because I can connect them and do better. And they're going to connect it, and your air gap will disappear that way. Or somebody's going to take a thumb drive, probably the one that they've recycled after they patched their Chrysler vehicle, they're going to take that and they're going to move it across just because they want to copy something or patch something across. The bean counters are going to say, you know, if we just connect these networks together, the accounting people will save a bunch of money. Your air gaps will dissipate over time, especially if you're on critical networks. I'm not saying that air gaps don't provide some value. Look, air gap things, but you can't merely have an air gap and say you're secure. Right? Okay.

Next, we've web-ified everything. Most everything's got a
web-based interface on the front of it. We've seen this a lot in the work that we've done in the CyberCity project on HVAC systems, power control systems. Smart meters have web-based interfaces on them. All this stuff is web-based, meaning it's ample ground for all these web-based attacks: cross-site scripting, SQL injection, cross-site request forgery, remote file include, command injection. All that stuff now comes up because we've got web-based interfaces to this stuff. I remember, it was actually several years ago, we were doing some hacking, paid hacking, professional penetration testing if you want to call it that, of smart meters, and we were doing this on behalf of some of the utility companies. We found a cross-site scripting flaw on one of the smart meters. So the web application that ran on the smart meter thing that would sit outside your house had a cross-site scripting flaw in it. We reported this to the vendor who made the meter. We're talking with their product manager, and the product manager said, "Oh, that's dumb. We don't have a web server on our meter. Why would we put a web server on our meter? There can't be a cross-site scripting flaw on the web server on our meter, because there's no web server on the meter." I said, well, actually there is. You should really look into this. So he looked into it, called us back 24 hours later, and he says, "You know what, there is a web server on our meter." Yeah, we kind of saw that, and it's got a cross-site scripting flaw, you know. And he told us, he said one of their customers had asked for it, so they put it on the meter and pushed it into the firmware, and now all the meters had it. Yeah. This is the product manager. Scary stuff. So we've web-ified almost everything. Hmm.

All right, well, here's a plan. What if we have these utility networks, you know, the things that control all of the SCADA systems, and they usually call these things, you know, the operations technology environment, the OT environment, and we'll keep that separate from the IT environment. The IT
environment is where the desktops are and people read email and surf the Internet. We'll separate them. Air gap? Well, you know, air gaps are high-latency connections, but we'll put some firewalls and stuff in between there and we'll be fine. And in fact, occasionally there will be testimony where you'll have utility company employees talking with Public Utility Commission regulators, and a question will get asked: is your OT environment directly... or, is your OT environment connected to the Internet? And here's the response that you often hear: "No, it isn't directly connected to the Internet." What is the most important word of that sentence? "Directly." Exactly. Directly. But outbound access equals inbound connectivity, right? I mean, for those of you who do this a lot, reverse shell, right? It's as simple as a reverse shell, and there are plentiful opportunities for getting access to an OT environment by manipulating the IT environment, and the IT environment is connected to the Internet, after all. For example, an industrial control system may be controlling a power grid. It's sending data to a data historian. The data historian is sending that to a common database so it can be analyzed. That database is replicated from the OT network into the IT network. On the IT network, a workstation accesses it so you can see what's happening, right? The data historian is pulling data so you can see power flows over time and so forth, and we need people on the IT network to look at that. And then, of course, that workstation is also connected to the Internet. So, voilà, there is a path from the deepest part of OT all the way out to the Internet. Or another one: a friend of mine who works for a utility company told me this. He was on a tour of one of their facilities. He's a security guy working for a utility company, on a tour of one of their facilities, and they're looking around at how everything's set up, and there was this workstation sitting there on the OT environment running an HMI, a human-machine interface, controlling stuff. And the guy who was taking him on the tour said, "Hold on just a second," took out his phone, plugged in a USB cable, and plugged it in to the machine running the HMI. My friend said, "Oh my gosh, what are you doing?" He says, "Dude, I'm just charging my phone. It's okay." Okay. So smartphone to HMI PC to pwnage right there, right? You've got a nice cellular connection directly to that phone, although not in this room, at least if you're on AT&T like me, right? "We are air-gapped, yes, our OT systems." Can anything on your OT environment resolve names on the Internet? Try to ping a well-known Internet host name on a machine on your OT environment, if you happen to have a utility company that you're part of. If it resolves names, dude, what happened there? Bad is bad. You have a channel of command and control across DNS all the way back in to your OT environment. Check that out. And then, of course, I won't even bother mentioning Stuxnet and USB, right? They thought they had an air-gapped environment. Hmm.

All right, now, sometimes when I talk about this, people say this to me: "Ed, Ed, wait, you're making a mountain out of a molehill. You don't understand. We have physical limitations that we have built into the physical equipment that will stop really bad things from happening. There are pressure valves, so if the pressure goes too high, it'll release the pressure. Or there are governors, so that if
it starts spinning too fast, the governors will expand, the rotational inertia will kick in, and it will slow things down. It's okay. And then we've got humans in the loop. If things start getting dramatically out of whack, the humans will see this and gracefully control things and shut things down." This is... I've heard this from people, these different arguments, saying this is not that big of a deal. But here are my concerns, or responses, to that. First of all, your pressure valve is going to trigger and release the extra pressure. What is the gas that is behind that pressure? That itself could be problematic. You're just going to release gas? Good luck with that. Or the physical controls themselves are increasingly being replaced with computer controls. We have a governor on this thing, and it's actually just a computer system checking on how fast it's spinning and then slowing it down if it's spinning too fast. I like the old-fashioned physical stuff myself. Or, for low-cost operations of remote equipment, it's increasingly being controlled across an IP network. Having individual technicians deployed all over the place controlling individual technology, that's hard to do and it's very expensive. This is especially a big deal in the petroleum industry, where they have long pipelines, right? Long pipelines going through often very uninhabited places, and getting people there to control all the equipment, that's hard. So instead put computers there to monitor things. You still have humans that are interacting with those computers using an HMI across the network, now giving us an opportunity to manipulate those humans. The humans are actually part of the manipulatable loop, right there. Cognitive psychology: what are the people seeing, and how are they making sense of that? So by manipulating the HMIs, humans might take the wrong action.

So another question that sometimes people will ask me: what are your major areas of concern? What keeps you awake at night, Ed? You know, hacking cars, that's a concern. Hacking airplanes, that's a concern. But these are my three big ones. The power grid is the mother of all infrastructures. It has gotten better over the last four or five years. It really has, measurably better, and it is still woefully inadequate. Really, this is a big, hard, expensive problem, to secure the power grid. Healthcare environments: this one, in my experience, has not gotten better the last few years. It's a mess. It's a disaster. I'm talking hospital systems themselves, the equipment that is scanning patients and such, but also the medical devices themselves. This one is a big worry. I mean, talk about human impact, right? And then, thirdly, weapon systems, another big concern. If somebody could hack into a weapon system and disable it, so the people who rely on it to defend our nation can't use it to defend themselves and our nation, that's bad, just rendering it inert. Or, worse yet, turning it on its owner or operator. Really scary stuff. In fact, there was a report that came out March 2015 about how our weapons supply and weapon systems themselves are constantly under attack, and it was reported in various news sources, and that there are vulnerabilities there. Also there's stuff outside of this, right? These are the big three for me, but the chemical production, manufacturing, the German steel mill incident that was reported in December of last year. And then we get into this whole hacking of the Internet of Things. It's almost like we're really trying to make the world completely hackable. Really, it's like we're going out of our way here. The company called Pwnie Express,
they do some pretty cool stuff for monitoring and pen testing and so forth. They released a paper. It's really a good paper; you should read it. It's at internetofevilthings.com, and the paper is an analysis of the Internet of Things used for evil. They call it the Internet of Evil Things, and they talk in here about self-procured IT and bring your own device, bring your own whatever it is, right? It's hard enough for us to secure our enterprise, government and military networks with the stuff that we know is on there, but if somebody brings in additional devices, a webcam or a USB thumb drive or anything else, how do you secure that? How do you even know it's there? Also, lots of small, cheap devices with many vulnerabilities. One of the things that we did at SANS Orlando... you guys were there at SANS Orlando back in April of this year? Josh Wright and Tim Medin, these are two guys that work for me, they spent a few hundred dollars on various Internet of Things devices. They bought some wireless routers, they bought a couple of door locks, they bought a couple of webcams, and they brought them in, and we invited students, and we had 50 students show up, and they just did an evening of hacking. It was unstructured. They went over a couple of different tools to hack these things and said, we just want to see what you can find. And they did this for two hours. They found 40 0-days, most of them local file include and remote file include, okay, LFI and RFI. 40 of them found in two hours with just 50 hackers sitting in a room just hacking this crap. You wonder what the vendors are doing, right? Why didn't the vendors find this? It's not hard to find things like XSS, cross-site scripting, command injection, local file include, remote file include. And then the commoditization of malicious hardware, things like the Wi-Fi Pineapple, the USB Rubber Ducky. This stuff is getting dirt cheap, so as an attacker you don't have to spend a lot of money to proliferate this stuff
in the parking lot of your target environment, so that some of it might get carried in. Oh, and the air gap goes away, right? All right. And then the Internet of Toys. I just talked about the Internet of Things; the Internet of Toys. We had the most delightful project that my team worked on. We finished the project about six months ago. The idea was there are various toy companies that are introducing new toys. They're very exciting. They'll be on the shelves at Christmas time this year with Wi-Fi, Bluetooth Low Energy, infrared, custom wireless. The toys talk, they giggle, they interact with you, they download firmware updates across the Internet, they have adventures. So the toys, you know, a child can, like, shoot at the toys, and toys explode and the toys shoot back, and if you have a child that's particularly allergic you can just set up the toys and the toys will kind of shoot at each other and stuff, right? They all integrate with mobile devices, so the kid, the little sergeant, sitting on the couch can just, on his mobile phone, kind of control all the toys. Web-based interfaces to all this stuff, cloud-based services so you could download new adventures. If I had this when I was 11 I'd probably have gone nowhere in my life, because I'd spend my time just playing with that stuff. All of these things together, this was our project. The customer came to me and said, "Ed, you know, if I gave you this project I probably wouldn't have to pay you, because you'd want to do it anyway." And I'm thinking to myself, I know he's right. Anyway, he ended up paying us still, so that was nice. All very fun hacking, but significant security concerns. I should point out that the Barbie, that Mattel, that's not our customer, right? I put that up there because I want to put... if it wasn't our customer, it's an example here. Also, Google has been working with View-Master to create a virtual reality View-Master. How cool is that? And then they've got the talking Barbies, and then there's a whole bunch of these things, and we got the opportunity to hack them. We've had all kinds of cool stuff. Now, what are the attack vectors that companies like this are concerned about? They're concerned about somebody corrupting children, because the things talk to kids, and if somebody could inject in, across the Internet, little voices and stuff, and you could, like, swear at the children or poison their minds. So that's an attack surface we're concerned about. Another attack surface is tracking children. If the child takes his or her doll around, could somebody track them and find out where the child is? That's another concern. But we came up with another one. We found that a lot of these devices don't have simple replay prevention. Replay. We reported this to our customer, and they're like, "We don't care. So if you make the toy say hello, somebody could sniff that message, it's encrypted, but they could just play it again. Hello, hello, hello, hello. Who cares?" Who cares. So we came up with this idea: what if somebody were to find in the protocol exchange, that is encrypted, a specific message sent at a specific time that causes a lot of CPU on the target machine, and then they were to take that message, encrypted, but they know, because of the time it went on the protocol, that they can burn CPU with it, and they just play that again and again and again and again and again and again and again, with the goal of heating up the toy to the point that it scalds a child or catches on fire? So as I mentioned, the customer originally said, "We don't care about replay attacks. We don't need that defense." And then we said, okay, well, what about this? That seems like a bad thing. Scalding children, that's bad. Setting fires is bad. So they added replay defense, so that's nice.

So, kind of pulling all these ideas together, we've been working on a project at Counter Hack on behalf of SANS called CyberCity. I think some of you have actually participated in some CyberCity missions; others of you may have heard about it. Those of you that haven't, Cyber
City's idea was to take a lot of these kinetic impacts from hacking computer systems and to model them in an environment with real industrial control equipment, so that we could train people on it, so we could see what the impacts are. So it's not only an education piece; there's also a research piece to it. And we've had folks from all walks of life participate in it. Here is a shot of CyberCity. It's six feet by eight feet. The city on top of the table is made up of, well, little buildings that are often associated with train sets. It's what's under the table that gets interesting. Here's the top of the table, and you'll see we divided it into four quadrants. The lower left quadrant is our military quadrant, right? We've got a rocket launcher there; we've got a landing strip. The lower right-hand quadrant, here's where we have our residential folks. We've got City Hall, we've got a firehouse, there's some houses there. The upper right-hand quadrant is commercial: hospital, bank, we've got an ISP and so forth up there. And the top left quadrant, a lot of action there, that's our industrial quadrant. It's got a chemical factory, it's got a power station, it's got a water reservoir and water tower. All of this is internetworked under the table. We have a complex network design to represent a city, so everything you just saw has public-facing Internet, but it's the Internet of CyberCity, offered by its ISP, as well as intranets for all that stuff. And we've built, currently we're at, 19 different missions. So the central organizing concept of CyberCity is to give somebody a mission. Most of our missions involve terrorists trying to do horrible things, and the participants have to stop the terrorists from doing bad stuff. So, for example, in the power grid, bad guys have hacked in and caused a blackout. Your job is to retake control of the power grid assets and turn the lights back on, right? Or transportation: bad guys have hacked in and they've caused all the traffic lights to turn green at the same time. Your job is to stop that. That's bad, right? Yeah. A water reservoir: this one's a fascinating one. In this one the bad guys have not contaminated the water. Instead, they've hacked into the data stream that goes to the HMI that reports on the quality of water, and they've manipulated that so the water looks contaminated. Now, if you're a human sitting there looking at the HMI and the HMI is telling you the water is contaminated, what do you do? You fix it. You decontaminate it by dumping chemicals into the water. The water is not contaminated; in fact, the dumping of the chemicals that you're going to put in the water will contaminate it. And what we're trying to model here is, if you can't trust the data integrity or the HMI, well, what can you trust? Are you going to send people out there every time you get an anomalous reading to actually check? Maybe that's what you do, but this is a big concern: manipulating humans through their HMIs. Train system: on this one, the train's got a weapon on it. It's a dirty bomb, and your job is to take control of the train and make sure it doesn't get directed into the residential quadrant, because the terrorists have threatened to detonate it there. So we've got hacking trains. Weapons system: here the bad guys take control of a missile launcher and have aimed it at the hospital. Your job initially is to re-aim the weapon system, but then in the middle of the mission we've got a frag order that gets published automatically, it's all in the system, and it says actually we want you to not only re-aim it but fire it harmlessly off into the horizon, because the concern is, if you merely re-aim it, the bad guys may take control of it again, re-aim it and shoot it. All right, so you want to discharge its weapons. And here are some pictures of CyberCity. Here's the commercial quadrant, here's our military quadrant. You can see our rocket launcher. You're like, dude, that's like a Nerf rocket launcher. It is, yes, but we put an interface on it
that looks like a weapon system. We couldn't put an actual weapon system in here, well, first of all because it could blow stuff up, but secondly it would be classified so quickly, right? All right, here is our industrial quadrant. I love this view because you can see the train going by, you can see our substation. I've become something of a kind of connoisseur of substations. When I drive around, you know, you see those little electrical substations and I look at that: "That one's dirty. That one's really nice. Oh, look how they laid that out." It's kind of a weird thing, and I point this out to my wife as we're driving around town: look at that substation, that one's even nicer than ours. All right. Okay, here's our residential quadrant. Here's our power grid. We've got our power grid inside this device. Under the table we've got a mixture of Phoenix Contact systems, that's on the top row and the second row. Phoenix Contact is often used for water processing; you see it a lot in water plants. And then down here we have some Allen-Bradley devices, used a lot for power grid and other things, and we also have some Siemens devices in there as well. So we tried to represent a lot of different market share in the CyberCity project. And one of the most exciting things that I've been able to participate in in the last year was the CyberCity part of Cyber Shield 2015. Are you guys familiar with Cyber Shield? What a neat thing. They invite many hundreds of National Guard soldiers and they have them learn... in fact, they had classes on Security Onion, did classes on Bro, pretty cool. They had classes on industrial control systems, fantastic stuff. And they also did CyberCity missions, and we had 240 National Guard soldiers participate in this. They were in teams of 10, representing 24 different states, and we put them through four CyberCity missions, and it was so exciting to watch them battle against terrorists inside the system. Some of these teams were awesome, really impressive, and some weren't. But we took the best teams, we took the four best teams, and had a Saturday capstone event where they got to face off against each other. It was really fun. Yes? Pardon me? (Audience: Is it safe to assume the pictures are of the awesome teams?) Oh, [inaudible], sir, you look very familiar. Very nice, nicely done, sir, nicely done. Now, sometimes people see the CyberCity style and they're like, why did you build this? And why does it make an actual little city? Why didn't you just simulate everything? You could simulate everything. Our concerns were, one, cost. If we were to make this thing just a giant video game, video game production budgets today
are one hundred million dollars plus and man do they look great but we didn't have that kind of budget to build this thing we thought we could get some pretty good looking imagery by actually having physicality to it and putting it on camera so you can see there's five streaming video cameras inside a cyber city you could actually see it so that was one reason sort of budgetary and realism concerns to build one the second reason was if we had built this entirely as a sim you know that certain people in the military would look at that and say that's just a big video game why do I care now they're actually doing some really innovative things and training
people with video games in the military but still we were concerned that some folks nobody here i'm sure would say that's too not real instead we'd say it Israel there's actual physical device behind it yes your soldier just derailed a train admittedly the train is only six inches long but it's a physical train and it just got derailed right or we're using the same exact equipment the industrial control equipment that is used in real power grids in with real water systems we've learned a lot of lessons in the cyber city deployment the biggest lessons we've learned is everything is far weaker than you'd expect seriously we put stuff in there and it falls over just by itself or once you get it kind
of running, if somebody just sends some strange packets to it, the whole thing just crashes. It is crazy how feeble this stuff is. And we talk to the vendors. You say, you know, all we had to do was send, you know, a stream of SYN packets to your device and it just went offline. Well, don't connect it to the Internet. The air gap argument comes back again. That's with a vendor: don't connect it to the Internet. Air gaps don't happen. Hospital systems, industrial control systems, they're very brittle, and it's time for them to stop being that way. So where are we headed with all of this? What's next? We are working very hard; in
fact I've got one guy on my team who's assigned full-time to this, and I've got other guys on my team that are working on it, and that is to take what we've learned in the CyberCity project and to go full size. There is an amazing facility in Indiana called Muscatatuck, the Muscatatuck Urban Training Center, and it's actually a town that was created in the late 1920s and it was abandoned in about 2006, and the military bought it and they use it for training. Now it's used for training of military personnel; some of you guys may have been there training on things. Yep, very cool. It is an amazing place, awesome. It is used by law enforcement,
it's used by some of our allies. I went and visited it last October. The day that I was there, there were some Navy SEALs training there, which was awesome to see, and there were also some Kuwaitis training there on a dinner banquet that they're planning on hosting, and they wanted to see what would happen if it came under terrorist attack. It's really fascinating stuff. But it currently doesn't have any cyber missions, so we're working on building cyber missions to overlay on top of this. Very excited about it. Mission design is underway; we've been working on it for about five months right now, and I put a question mark after this because it's not a hundred
percent sure, but it looks like we're going to debut this April of 2016 at Cyber Shield, and what we'll likely do is take the two best teams and have them do full-day missions in this. Really, really looking forward to it. Yeah, cool. Now another thing that people throw up at this, they say, okay, let's say it is as weak and vulnerable as you suggest, and people can infiltrate OT networks and all that kind of stuff. Why haven't we seen, well, big issues there? I mean, yeah, there's the German steel mill thing; yeah, we saw, you know, stuff like Havex and BlackEnergy 2 infiltrate. So, but nobody's done anything really big-scale and evil. Why?
Possibilities include: first, the lack of an effective business. How do they get paid? How do the bad guys get paid to do that? Isn't... what if they're not cyber criminals? I'm going to talk about nation states. They don't need to get paid. Well, maybe the geopolitics, right? The geopolitics isn't quite right. Nobody wants to bring everything down now because, well, it's not the right time yet. Or maybe, maybe it is harder than anticipated, especially to do this in a careful, controlled and surgical fashion without cascading impacts you can't control. Nation states tend to want to have some control over those cascading impacts, although not everyone would. Hmm. I do believe, though, the battlefield is being prepared right now. It is a time
where the various actors are grabbing land; they're grabbing space in the infrastructures, and we see this. I mean, look up Havex and BlackEnergy 2 and see the systems that they have infiltrated, including power grid networks and water networks inside the US. I think it's a land grab. All right, so the bottom line: over the last 25 years, if you look at what our community has done on the computer security, network and data side, it has been really bad. Breaches, constant breaches, rampant information theft, PII, personal health care information, all the stuff. I've given the last 20 years of my life to try to make the world more secure, and I feel kind of like I failed
and my friends failed. We worked really hard. When I started I had a full head of hair; you should have seen me. And, you know, look at what we've got: giant breaches everywhere, and denial of service is always a possibility. And now we're putting all this critical infrastructure and our homes on the net, and our children's toys. If we don't learn the lessons of the last 25 years and fix this stuff now, things are going to get worse. The Internet will grow ever more militarized, not that I have anything against the military, but it'd be nice if the civilian Internet was a civilian Internet and didn't require military intervention all over the place. People
may get hurt. People may get killed, right? Hmm. So now a brief manifesto and a call to action for you. We need to vigorously apply the lessons we've learned by getting our butts kicked on the data and computer side of this over the last 25 years, right? In fact, I was very heartened; I had dinner last night with some of the BSides speakers, and some folks are working through some really cool stuff because they're learning the lessons of all the things that have gone wrong over the last 25 years. We all need to be doing that. Why are these organizations getting owned? Why are people able to steal 10 or 20 or 50 million credit
cards, or all that information associated with gaining clearance in the OPM hack? Why is that stuff happening, and how can we stop that? But also, embed the lessons learned in our new infrastructure: defense in depth, segmentation, filtering, strong authentication, careful design that is resilient under attack, and thorough testing. So here's my call to action for you: please start hacking all the things, right? It's just like Dual Core says: hack all the things, right? I remember in the Dual Core song, you know the song, right? It's a rap song, you know. You're clearly a fan, just maybe not yet. Anyway, in Dual Core's "Hack All the Things" song the refrain is "drink all the booze, hack all the things," and I
remember when I heard the song I thought, well, that's pretty audacious, right? That's a big agenda: drink all the booze and hack all the things. Look, we'll set the booze aside for now because we've got all the things to hack; maybe we'll have that after we finish hacking all the things. We do need to hack all the things. We need to hack the toys, we need to hack the webcams, the baby monitors, the weapon systems. I mean, you guys shouldn't hack them unless you have, of course, approval to do so, right? Yeah. So pick an area to start building your skills here. Maybe it's power grid; you can get industrial
control equipment on eBay, like a Siemens PLC, that you could learn about. Or medical devices, or water control systems, or home automation. The home automation stuff is cheap, and really, you're going to feel like an awesome hacker when you find your zero-day, and there's a pretty good chance if you just buy anything at Home Depot that you'll find a zero-day. It's just that ridiculous and that bad right now. And then learn the foundational control protocols by reading the specs. If you're going to go with the power grid side of things, Modbus TCP, that is a really simple protocol. In fact, Josh Wright, a guy on my team, he says calling Modbus a protocol
is an insult to actual protocols. Yeah, it's used all over the place. Or DNP3, or PROFINET, or, the reason it's a newer protocol, it just came out, like, this was about four months ago now, the Open Smart Grid Protocol, OSGP. And then look for holes, options, bad assumptions. Make some friends, right? I mean, here you are at BSides Augusta; get to know people, build your community. Also go on a mailing list associated with your given technology choice; lurk for a while, learn who's who, learn the lingo, right? Have some fun with it, learn the protocols, and don't be intimidated. Listen to me carefully here: you do not need a degree in electrical engineering to do meaningful work in
this space. Seriously. And then get hacking; get real. Procure some instruments, maybe the manuals first. That can be nice, so you can read up on what it is that you're about to buy before you pay your money. And some of the stuff that we have in CyberCity: we've got a Siemens PLC starter kit, S7-1200. When we first got it, it was about 300 bucks. I looked this morning on eBay; they're like seven to eight hundred dollars. I liked it when it was 300 bucks; now they're like seven, eight hundred bucks. Allen-Bradley L32 CompactLogix processors are getting a little cheaper. And in practice: sniff the protocols they're sending across the network, inject, MITM, things like Scapy and what
have you, and fuzz. There's so much to be found in these. And then hacking the Internet of Things: what should you do there? Buy yourself some stuff, right? You can do this rather inexpensively, 50, 60 bucks; get a door lock, maybe it's a hundred bucks, get a door lock, pull off the firmware. Or, if you don't want to go buy it, get the firmware off the Internet; the vendors distribute their firmware on the Internet. Download the firmware and open it in a wonderful tool called binwalk. binwalk will let you walk through its file system image, finding its code, finding things like, well, all kinds of stuff, perhaps /etc/passwd, /etc/shadow, all there inside the firmware image. Very
helpful. And you say, I don't want to spend 50 bucks or a hundred bucks. How about this, want to go cheaper? Forty dollars, get yourself a Raspberry Pi. How many people in this room have a Raspberry Pi? Raise your hand. I expected a lot. Excellent. Okay, I've got another question for you: how many have a Raspberry Pi that is currently in their home and on? Nice, nice. And controlling something in their house? I love you guys. Yeah, awesome. I'm going to ask that same question next year, and hopefully we'll see even more hands go up. This is cool. Get a kid involved. I did this with my own son; we built a thing. My son is 14
years old; we built this four months ago. We call it the Morse-code-inator, and what it is is, it's a Raspberry Pi, it's running Linux, and I wrote some Python code on it, very simple Python. What it does is it uses the Twitter API to poll my Twitter account and see if I posted a new tweet. If I have posted a new tweet, it pulses out to a telegraph key that I have from 1861, 1861, and it types out my tweet in Morse code. So, it's fun. And I've got a little video here I'd like to show you on that. So this is the Morse-code-inator here. I've tweeted; you see
what I've tweeted: "What hath God wrought." You know what that is? It's the first message ever sent via telegraph; it's the first message I ever sent to the Morse-code-inator. And there it is. That's from 1861. I don't know what side of the Mason-Dixon line that particular device was used on, but I'm sure some of you guys can interpret Morse code just by hearing it. "What hath God..." He's hearing it. I can't do that; I'm just making that up, right? But still, this was not a hard project. This was four hours with me and my son, right? And I encourage you to do that kind of stuff too. I've done some other projects along these lines. I did this
one here. What I did here is I got a radio, an Atwater Kent Model 10, it's from 1924, and I hooked it up to my computer so that it plays Pandora, streaming 1920s music across the Internet. I built a GUI for it so it plays through here. This is not that hard to do, buying old stuff and bringing it back to life. Now, this is silly, but it is fun, and it gets kids kind of involved in this. So that's what the Atwater Kent Model 10 looks like, and it's connected to my Macintosh. All right, so, and it plays that old music. And then there's community involvement, like the Cavalry movement. It's still playing the music; you can hear it. The
Cavalry movement, right? This is some really brilliant people that are working hard to try to make technology inherently safer, right? They've got different working groups on medical devices, automotive (the automotive folks have gotten a lot of attention lately), home systems and public infrastructure. Reach out and get involved. Okay, let's say you don't want to spend 40 bucks to get yourself a Raspberry Pi, but you still want to learn more about ICS hacking and defense, industrial control systems. Do I have anything for you? I do. In December 2013 we wrote a Holiday Hack Challenge where we give you a hundred and forty megabyte packet capture file taken from CyberCity while it was under attack. There are five different attacks against five
different critical infrastructures of CyberCity. Four of the attacks fail, and you can analyze them and try to figure out why they failed, and one of the attacks succeeds and causes a blackout, and you get to analyze why that happened. And that's all free. We call it "It's a Hackerful Life." And we do it every year, for 11 years so far; this will be our 12th year. We do a Holiday Hack Challenge where we post it for free. My team works hundreds of hours on this; in fact, this year it's probably over a thousand hours where we work on this thing, and we post it on the Internet. Some of you guys have done it; some of you guys have won it.
Wait till you see this year's; it's our best ever. The 2015 SANS Holiday Hack Challenge, coming the second week of December, is going to be part Internet of Things analysis: we're going to take these things and distribute them around planet Earth, and you will have to find them and hack them and take them over, right? Part Internet scavenger hunt, so you can find them, and part custom wireless and firmware analysis, all built into this little whimsical holiday plot. And, oh, there's some attribution too: you have to figure out what the bad guy's nefarious plot is and who the bad guy is. That's the ultimate goal in this challenge: you've got to figure out who is
the bad guy. So it's fun for the whole family; please do join us. And in conclusion, we have built a significantly hackable world. I started this discussion by talking about the Model Railroad Club, right, the Tech Model Railroad Club over at MIT. They were building up an infrastructure using model railroad parts to learn and create the hacker community, really, and now in the CyberCity project we're using model railroad parts to better understand how hacking happens. We've kind of come full circle. So as an industry we've got some really significant work ahead of us. We've got some great people here to do it. Please follow through on the General's recommendations on networking here and talking with each other, and the fact is,
well, there's a lot of work to do. Perhaps we were made hackers for just such a time as this. Awesome. All right, so have a great day here at BSides. I believe our time is up. Is that right, or do you want to do some questions? Or, okay, he just wants to use the microphone, that's it. Did you notice the microphones are IP addressable? Okay, yes, whatever you'd like. They retract the question. Okay, oh, we've got a question from this enterprising young man.
Yep, yep. I have not, but I've read about it, and I've had my team look at it. So there's a game called Hacknet, and it's on Steam, available via the Steam network, and it looks pretty cool. I don't know the veracity of their simulation, though. That's just... not aware. Somebody, I think, has got their microphone on. Yeah. All right, well, thank you guys, I appreciate your
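As an added example, not from the talk or the CyberCity project: a small Python Modbus/TCP decoder that does the spec-reading the speaker recommends. It checks the MBAP header for internal consistency and flags write function codes arriving from hosts outside an allow-list, the kind of check a defender would run over captured ICS traffic. The frames and the host addresses are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Function codes from the Modbus spec that change device state.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes
    is_write: bool
    is_exception: bool

def parse_modbus_tcp(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus PDU; ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"length field {length} != actual {len(frame) - 6}")
    fc = frame[7]
    base_fc = fc & 0x7F  # high bit set marks an exception response
    return ModbusFrame(tid, unit, base_fc, frame[8:],
                       base_fc in WRITE_FUNCTIONS, bool(fc & 0x80))

def audit(observations, allowed_writers):
    """observations: (src_ip, frame_bytes) pairs. Returns a list of findings."""
    findings = []
    for src, raw in observations:
        try:
            f = parse_modbus_tcp(raw)
        except ValueError as err:
            findings.append(f"{src}: malformed frame ({err})")
            continue
        if f.is_write and src not in allowed_writers:
            findings.append(f"{src}: {WRITE_FUNCTIONS[f.function_code]} "
                            f"to unit {f.unit_id} from unapproved host")
    return findings

# Constructed traffic from hypothetical hosts, not a real capture.
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("00010000000601030000000a")),   # read 10 holding regs
    ("10.0.0.99", bytes.fromhex("00020000000601060001ff00")),  # write single register
    ("10.0.0.99", bytes.fromhex("00030000001401060001ff00")),  # length field lies
]

if __name__ == "__main__":
    for line in audit(SAMPLE, allowed_writers={"10.0.0.5"}):
        print(line)
```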