
Mission Assurance In Closed, Proprietary Systems - Josh De Boer

BSides London · 2019 · 14:49 · Published 2019-06
Category: Technical
Style: Talk
About this talk
Bespoke networks and bespoke systems, especially air-gapped systems, aren't subject to the same threat vectors as classic systems. I've come up with a way to conduct an assessment of the security of proprietary systems which aren't connected to the internet.
Transcript [en]

Over it. So one thing I've learned here... you might tell by my accent, I'm Canadian, so sorry if I apologize unnecessarily. The one thing I've learned here is the British military say "no cuff too tough", which is, "just wing it", but that's okay, I've got notes. So for context, yes, I am Canadian. I'm just over here in an exchange position and I figured I'd take a chance to come to London for a free day; it's been great so far. I'm also in the military, so that means two things: our primary role is to close with and destroy the enemy, but next to that we're really, really good at acronyms. I've tried to minimize the acronyms; if they don't make sense, just throw something at me. Also, I speak French, I speak English, I also drop into army English and it's very vulgar, so if I slip into that also please just throw something at me. I'll try not to do it.

So I resisted the definition slide, but I'm going to talk about it in many ways. So first things first: mission assurance. That is, in military parlance anyway, your ability to tell your boss, the commander, that for your part of the mission it's going to go ahead. You've got a contingency plan, you've thought of every possible reasonable thing that could come up, and you've got a plan for it. In my world, in the communications world, it's called a PACE plan: you've got primary comms, alternate comms, contingency, and even emergency comms. So if you can do all that, you've got mission assurance; you get to go ahead with your mission. And then the other giant hundred-dollar words in there are "closed, proprietary systems". So for the context of this presentation, a closed system is something that doesn't touch the internet or doesn't touch public networks, and proprietary, I guess in Britain we'd call it bespoke, so it's something that you can't go down to a PC World and buy. And then the last definition here perhaps is risk.

So just to be clear, when I'm going to talk about risk, I'm talking about not just a threat but also a vulnerability. So in army terms, if you're going to run across a field at a tank, that's very, very risky. But if you're just running across a field, that's not risky because there's no threat, and if there's just a tank with no one running at it, that's also not risky because there's no one to shoot at. So let's bust on.

So almost two decades ago I joined the army and we had an AN/PRC-524, Army-Navy Personal Radio Communications 524, very formal. It's got large buttons, sorry, it's got large switches, it's got no buttons, it's just straight-up hardware. It's a very rugged piece of kit; if it didn't break, you drop-tested it to seat the cards back on the ground. And so what that meant is, if comms weren't working, either the hardware was broken or this amazing thing we call a sudden ionospheric disturbance, which just means sometimes the atmosphere is wrong and the radios don't work well. As a radio operator, that will save you from getting a lot of shouting at. But Vietnam-era technology; we're in Canada, 1999, technology because military procurement. And then we went on to the RT 51 21 and the Army-Navy Personal Radio Communications 117 Foxtrot. So those are acronyms, but they're these two radios here; they do a wider range of communications, they've got some software in them, you can talk because now there's buttons and not switches, right? But it's still mostly hardware, so if something breaks it's probably the hardware, it might be a battery, so it might be some software stuff, and you still have that sudden ionospheric disturbance to save you if you broke something. But then when you stick it all together, you can have a couple of infantry fighting vehicles, throw some canvas in between them, remote the radios, and when I say remote it's not like a remote like this, it's literally just a long wire with a button that you push to talk on. Very straightforward, but 1999 technology, 2001 technology, we're calling that a deployed network.

However, because computers are a thing and everybody likes email, it does have most of the pieces that you would see in a typical office network, right? It's got a printer, it's got computers, it's got radios. They don't usually connect together and they never work well because of sudden ionospheric disturbance. Don't ever use that if email goes down, it's not believable. Also, as the radio technology and all that, it's two buttons, go back.

Honestly, I am in communications, [inaudible] computers most of the time, right? So instead of just two vehicles back together with a piece of canvas, let's add more to that, because we like computers and we like having our email, right? Even though it's sweaty and dirty, we want email for some reason. So you put a whole bunch of vehicles together and you put a lot of tents in between there, and then you can have a whole bunch of computers and you can have all kinds of office stuff, but it's not networked very well. And what's the point of having computers if you can't network them? So in this typical setup here, this is, I don't remember that exercise, but it's not an actual deployment, we're just practicing there, and it's called a command post. So it's got everything: brigade commander, so infantry, maybe armoured, guy in charge or girl in charge of five to six thousand troops, and they've got this command post and everything's married together. But if something goes wrong, because we're still talking about mission assurance, then it's probably software, or maybe it's hardware, or maybe it's power distribution, or maybe he didn't patch it, or maybe it's my friend the sudden ionospheric disturbance. But there's a lot of complex pieces in there and it gets complex very, very quickly.

So more about my personal story, when the button works. Then I went to Afghanistan, and I'm not telling Veterans Affairs my body hurts all the time, but most of my body hurts all the time. And I found out there's this amazing plan in the Canadian Armed Forces: they'll send you to university for free, T's and C's may apply, and then you have job security for seven years. That's the T's and C's: you don't get to choose where you work in the Army for seven years, but it's great. So I switched over from being what we would call hard field army and then I went to school and I learned about networks.

Yeah, so this is an abstract network. We've got a cloud there; as a rule of thumb, if you're talking about InfoSec, always be worried when there's a cloud, but in this case it's a public cloud so we can email between bases, not just between tanks. You've got a router, you've got firewalls, DMZ, servers, laptops, all that kind of classic stuff, right? And there's an industry process for doing mission assurance on that, right? Like Jamie just talked about bug bounty; we know how to find vulnerabilities in that and we know how to fix that, mostly, or at least there's an industry around that. But then while I was at school they modernized their radios again, so if you're keeping track that's twice in 20 years, that's pretty good. And now we have these things called a communication selector box, that's the one on the left, and that just chooses which radio you're talking on, and then you can also configure the radio through that, so you can change channels on a radio in somebody else's vehicle by turning this dial. And then we have a thing called a LAN Ethernet switch, which is just a switch with some really overpriced military hardware stuck on to it to make it ruggedized. So that's great, now we've got a utopia of data sharing, right? So you've got laptops, printers and servers, it's all connected together, trucks are talking, that's amazing, right? We want that, I think, maybe. But actually your network kind of looks like this.

All right, so on your left you've got your typical office network. So when I'm working in the office, we're getting computers ready to deploy out to the field, we're on an office network, and then there's this air gap, and then we're on a deployed network. And the deployed network's safe, right, because no hackers can get onto that because it never touches the internet, right? Doesn't matter that USBs and CDs and DVDs or tape drives or whatever are going back and forth. I should see shaking of heads because, for one example, there was Stuxnet, right? So we've proven that nation-state actors, and if you're the military you're worried about nation-state actors, we've proven that nation-state actors can jump air gaps. So now we have to figure out how to do that. So I really liked Jamie's talk, I thought it was amazing. I very much doubt the military is going to get them to bug bounty on their internal proprietary network with proprietary software and proprietary hardware. Also, with the close with and destroy thing, we're very good at smashing things; not all of us are very good at figuring out how to break computers on purpose and then fix it again. So that's the problem that I left university with: how do you fix that?

Another network diagram, because network diagrams are great. So this is what two vehicles look like together. So it doesn't matter if it's a command post, if it's two infantry fighting vehicles or tanks or fuel trucks, from a network point it's all the same, that's pretty much what they look like. So you've got this dashed line across the middle, so top is one vehicle, bottom is another vehicle. You've got the communication selector boxes, you've got LAN Ethernet switches, headsets, radios, everything you would expect to see in a vehicle. That's what our network looks like now. So how do we fix that, how do we address this problem?

So after I left university I went to the Canadian Forces School of Communications and Electronics and I was teaching some network defence and servers and routers. I wasn't doing most of the teaching, I just weighed in and jumped in there. So that's basically just SANS courses but with more shouting and more running and heavy things to carry too; it's great. So in my spare time, at the same time, I was doing grad studies on this problem: how can we fix it? And because I was at the communication school we had a training lab to teach people how to operate this stuff, which means we've got all the equipment. It all works great because it's a training establishment, it has to work, you can't train people on broken kit, and it's not connected to any real network, so if it breaks accidentally it's not a big problem. So I bought the Commandant a few beers and said, I've got a couple of ideas, can I play on this network and see what happens? Like, as a start, what does rudimentary pentesting look like on proprietary hardware, proprietary software? So I read a lot of documentation. Fortunately I don't like my wife and kids very much; I was gone all evenings and weekends reading exciting military technical documents, and I kind of came up with this process, which is what we're talking about: mission assurance for closed proprietary systems. If you don't have bug bounties to rely on, if you can't really look at all these CVEs, you've got to do a holistic examination. That's really tiny from back there, I'm sorry.

So step one, you do a system analysis, you read all the documentation. Then you do a vulnerability analysis: where are the weak points, where are the communications bottlenecks on this? And then how can I break them? So that's the exploit. So you look at the system, you find the weak points, you see if you can break it, and then you write a report, and that's really, really critical. So a lot of the times commanders will be told, you've got 237 critical vulnerabilities in your network, sir, and they say, well, I had 230 last year and my email still works, so it's not a problem, right? You need to write your exploits and your vulnerabilities in a way that shows them meaningfully. So I'd recommend, whether it's industry or in the military, pick your top one or two, say that's the critical one, don't give 230 critical vulnerabilities.

So I took the documentation, I took some ideas, and took a laptop with Kali on it and I plugged it into a communication selector box and I told it I was a headset and it believed me. And then I opened up a full packet capture and then I threw Ettercap and a couple of others, like low-equity scripting tools. I am NOT a hacker; like, I can say zero-day and I can maybe talk the talk, but I'm not a high-end hacker. But I did manage to break a bunch of stuff. I've blanked some of it out so you can't see; I thought it'd be a little bit irresponsible to throw that up there. But I found a large number of sometimes complicated vulnerabilities, sometimes really simple vulnerabilities. If you're on an IP network and that network is command and control for a combat team, you can choose when the commander gets to talk on the radio or not. That's a great thing if you're the person the commander is shooting at; it's really bad if you're on that commander's side. So that kind of stuff is what I found. I did proofs of concept; I had physical access to the system. The next step in further research would be to do it through a radio or some other kind of network access. We haven't done that; I tricked them into sending me here instead, and it's great, I do like being here.

So I've renamed my presentation: it's not "evaluating", it's maybe there is no such thing as mission assurance. We've got a problem but we don't really know what the problem is. Remember the two parts to risk, right? We kind of know what the threat is, maybe, sort of, but do we know what our vulnerabilities are? No, because no one's really looking at it. And I think that applies not just within the military but within any enterprise that has proprietary systems that they're not letting external organizations have a look at. That's all I have to say about that. Thanks, Josh.

Anyone have questions? Okay, anyone have concerns? Okay, I've got one. So when you said, you know, how do you figure out what the problem was, meaning just Google it and see if it wasn't out on the web already? That was a joke, sorry, I have a bad sense of humour. Okay, I like to give them questions, all kingside. No questions, comments, thoughts, ideas, suggestions? Ideas and suggestions, always a good one. Industry which we work in, and we're both pen testers, we come from a kind of national infrastructure type background with a lot of proprietary systems, so very non-military, but what you're talking about resonates; there's quite a bit actually, so yes, that's really interesting, enjoyed it.

Well, thanks. When it's relevant, the guy from the college that doesn't exist. Hello, yeah, I really enjoyed that talk, that was extremely fascinating. I'm just quite amazed that you're like the only person who's kind of looking into this, like is there no one else working with you or with that equipment that's like, maybe we should just check if this stuff is secure? So, full disclosure, I started this work about three years ago; I wrote a master's thesis on it a little over a year ago, so the ball is rolling, people are starting to look at it, right? And when I talked to the designers, because that was part of the documentation, I went to the people who built it and designed it and I said, what's your approach? And one of the things they said was, we're going to take public software and put it on this proprietary system because that way we know it's been bug-bountied and bug-tested. That's great, right? How often are you updating it? Mmm. So people are looking at it, just not enough, in my humble opinion. Amazing, thanks. And here I thought that the comment back would have been, I wasn't cleared high enough to get that information. Other questions, comments, thoughts? Okay, with that, thank you very much.
