
Hey, afternoon everyone. So I'm going to be doing a 2023 year in review, "Threads of Nation State Dystopia" talk. I think it's very important to do a retrospective, to look back at what has happened and then what we can learn from that going forward. For those of you that have seen my year in review talks in the past, this one's going to be a little bit different, more looking at themes rather than the major events of the past year.

Just a quick introduction: my day job is helping organizations go to cloud securely. I'm a part of the 0xCon and BSides Cape Town organizing team, and my research interests are really focused on cyber security topics that intersect with national security and foreign policy issues, things like encryption, content scanning, disinformation and nation state activity, specifically cyber operations and offensive capabilities of nation state actors. I blog about some of this on my website criticalvoid.com and you can find me on Twitter at Jared n.

So like I mentioned, in this talk I'm not going to focus on all of the events that happened this year, but I would like to focus on some of the concerning themes that I've seen over the past year. We're going to start off with the Snowden anniversary, so it's been 10 years since the Snowden leaks. We'll then go into the EU laws that have been passed; the Snowden documents will be a nice pretext to that. And then we'll end off talking about Chinese cyber operations.

So 10 years ago Edward Snowden leaked a whole bunch of documents revealing the NSA's surveillance programs, and this really started after the 9/11 attacks. After the 9/11 attacks the US was shell shocked at what happened, and they passed several pieces of legislation, including the Patriot Act and amendments to FISA, the FISA program, which included sections 215 and 702, which broadened the foreign surveillance that the NSA did. What the Snowden documents really showed us is what they were really doing, but also the scale that they were doing it at, and why they felt it was necessary, I guess. All of these revelations really sparked a global debate about mass surveillance.

One of the things that we learned through the Snowden documents is XKeyscore, which is the NSA's mass surveillance program. There were over 150 sites around the world at the time, which can ingest over 125 gigabytes of data per second, and remember that's metadata, that's not necessarily content. And a subset of XKeyscore is called Tempora, which is the UK's mass surveillance program, which does a full take: they store everything for 3 days, and then they can target that down to 30 days in some cases. The amount of metadata recorded by this is quite significant. Boundless Informant, which is the program to visualize all of the data that they are getting, has 124 billion records over a 30-day period, so that's quite significant.

From the Snowden documents we also learned where they were storing all of this data. In 2014, the year after the Snowden leaks, the NSA opened its data center in Salt Lake City, Utah. It's at least 8 exabytes; obviously the exact storage capacity is classified. It has 140,000 square meters. This photo is a little bit deceiving, because it's much larger than any shopping mall, or most shopping malls, in South Africa, so it's much bigger than what it appears in this photo, and it also is super dense. If you've ever been in a data center, the aisles in this facility are much narrower than what you would typically find in a data center. They actually had a problem: the Army Corps of Engineers had an issue where they were actually having electrical arcing between the aisles because of the amount of density that they had. If you are familiar with the Facebook server design, you'll understand how the arcing is possible, which, when I first heard about it, I didn't really understand.

One of the things that we also learned from the Snowden documents is that the NSA has IT problems, right? When you collect that much data you're going to have monitoring issues, you're going to have hard drive failures, you're going to have all of these kinds of things, so it was nice to see that in some of the reports.

Along with that, when they do this mass surveillance they have a program called TURMOIL, which does deep packet inspection, and then TURBINE, which does deep packet injection, and they combine those two programs together to do... oh, the slide is wrong. So they combine those two programs together to do targeted attacks against common encryption technologies such as VPN. What they can also do when they combine those two things together: there's a program called QUANTUMINSERT and QFIRE, which basically creates race conditions on the internet, so you can go to a specific site and the NSA can have an SSO site that will be closer to you, and they can literally race the packet to your computer. As part of the documents we also found out that there was actually an SSO site in South Africa, actually very close to our stay, which is always at the back of my mind, on a large ISP's network. It's unclear whether that ISP was complicit with the activity or not, but I guess we'll never know.

One of the things we also found out from the documents is that they have various programs targeting each of the OSI layers. They have programs that find vulnerabilities in each of these layers, and if there aren't vulnerabilities, they try to manufacture vulnerabilities, so they will actually intentionally introduce insecure software code into some places in order to exploit it in the future. Now I do want to mention that this is the old NSA; the new NSA is quite different, we'll get to that in a moment, but this is what the programs detailed.

What we also saw is supply chain interdiction: if somebody ordered a network switch they would intercept that, and they would actually implant a hardware chip into the device, and then they would ship it along. Most people at the time, supply chain attacks weren't really something that people cared about, so obviously people didn't actually really inspect this. It's unclear how many devices were actually targeted with this, but it's something to think about. What we also found out was the NSA ANT catalog, so these are hidden, James Bond style gadgets that they can use to collect information, and this can also be a NIT, a network investigative technique, as well, so to create a side channel that they can exfiltrate data out of a network with.

In order to enable this broad program, we also learned from the Snowden documents about the black budget, which in 2013 was $52.6 billion, and that actually increased to $6.9 billion in 2015.

One of the interesting things that happened was a very famous incident. Senator Wyden was questioning James Clapper, who was the general of national intelligence, and Senator Wyden asked him, does the NSA collect any data on hundreds of millions of Americans, and he replied, no sir. Then he asked a clarification question, saying it does not, and Clapper replied, not wittingly. This was before the leaks, right, and this is one of the things that actually convinced Snowden to go forward with the leaks, because if you have senior officials in the intelligence community sitting in Congress under oath committing perjury, where's the accountability in what's going on here?

After the Snowden leaks, a report was commissioned by an independent body as well as the White House, and that report found that the NSA's programs have never stopped a single terrorist attack, and actually when the NSA does go after terrorists it is the exception to what they do rather than the norm. One of the most shocking things for me, if we look at Sydney for example, the Lindt Cafe attack that happened a couple of years ago: the police were actually warned 18 times before the attack happened and they did nothing. So we can talk about mass surveillance and intelligence capabilities all day long, but until you have proper law enforcement actions on those kinds of tip-offs, let's try to do that first before we expand our intelligence programs. The tech community also at the time created a letter which was signed, asking the government to reform surveillance; nothing really came of this.

After the Snowden documents I actually published a paper back in 2015 where I made the argument that we in the security community should see the NSA as an adversarial threat to the internet, because they have programs designed to weaken encryption and internet technology that we rely on, as well as the hoarding of zero-day exploits. When it comes to encryption, they actually tried to introduce a backdoor into RSA Security's Dual EC DRBG algorithm. And then with the Vault 7 leaks we knew that they were... so these are cyber weapons that were then leaked by another person, and one of those things was called EternalBlue, which is an SMB vulnerability which was developed by the NSA. This was then weaponized by the North Koreans in WannaCry, which obviously had a big impact a few years ago, as well as NotPetya, which is the largest, or the most economically damaging, ransomware attack that has occurred to date.

What also then happened in 2020 is the US Ninth Circuit actually revealed that this mass surveillance program exposed by Edward Snowden was actually unlawful, and there have been several attempts to do Section 702 reform. What Section 702 does is it allows the collection of metadata of non-US citizens as well as US citizens when a crime is suspected that's foreign. However, what the FBI has been doing is they've been using the 702 program to spy on senators, and obviously this has made them very unhappy, but even with that in place the reform has never actually happened, so they just keep reauthorizing it every couple of years without any kind of meaningful reform. One of the suggestions from reformers is to increase the warrant requirements in order to do this collection, but Christopher Wray, the FBI director, said that if they were to do that it would be a de facto ban, because their requirements in order to get it wouldn't meet the legal standards. You should just think about that carefully, right: what they're saying is they don't have, under normal due process, enough legal justification to do this collection.

And like I said, the NSA is quite different now. In 2013 they had a completely different structure; in 2016 Michael Rogers, who was the NSA director at the time, ordered a new NSA structure to be put in place to address the challenges of the 21st century. What this meant is there were quite a bunch of reshufflings, new directorates, and that collapsed others. One of the things that also happened was the NSA's elite hacking team, Tailored Access Operations, so TAO, was renamed Computer Network Operations. They also invested $500 million in a new Integrated Cyber Center, and the goal was to work closer with the private sector in order to tackle things like ransomware as well.

After the Colonial Pipeline attacks, Paul Nakasone, who was the NSA director at the time, came out and said that historically ransomware is a criminal thing, so the FBI should handle that, but because a lot of ransomware is now affecting critical infrastructure it becomes a national security issue, and something needs to be done about that. If you really read between the lines, what he's actually saying is the hounds should be released, and that Cyber Command, which is part of the NSA, should be able to go tackle these ransomware groups. This is actually what's now been happening, and this is one of the trends that I would like to share with you.

Over the past 10 years the tides have been shifting. Back in 2013 the FBI did law enforcement with a little bit of intelligence; today they do law enforcement and a lot of intelligence as well. The NSA in 2013 pretty much only did intelligence, and now they're going into that law enforcement realm, which is also a little bit problematic, because there are problems if you don't have the proper administration of these agencies. But there's also some good things. Earlier this year the NSA, Cyber Command and the FBI took out the Hive ransomware group. What actually happened was the Department of Justice offered a $10 million reward for any information on the Hive ransomware group, which is a Russian-based group, and what actually happened is Russia actually blocked the FBI and the CIA's website and their tip website after this came out, which I think was quite interesting.

Just moving back to the documents: one of the documents that came out was this document showing at the time how the NSA was collecting information on Google. At the time the links between Google's data centers were not encrypted, so the NSA could actually see what was going on, and that smiley face, which I've highlighted there, really pissed a lot of Google engineers off when they saw this. So there was a powder keg, literally an explosion at Google, with people trying to harden the infrastructure, and I think Google has done a lot of work with the state of encryption that we have today. One of the things that they did was they announced back in 2014 that HTTPS would become a ranking signal, and the year after that Let's Encrypt launched, which offers free certificates in an automated way with the automated request process. As a result of that, pages loaded over HTTPS in Chrome has increased since the launch of Let's Encrypt, and this has just been climbing steadily; we're almost in the high 90% of internet traffic actually being encrypted today. If we look at the CA market share, Let's Encrypt has about 73% of the CA market share, and the number of certificates has also grown exponentially. In my previous talks, in 2019 it was a big achievement to go past a billion certificates; there was a little bit of regression during COVID, and then in 2013, oh sorry, this year, we have 5.9 billion certificates. I believe most of those are Kubernetes and container certificates that people issue and then kill; they're not actively used, I mean they are active certificates, they are valid certificates, but they're not actually being served. And then also the use of elliptic curve cryptography is hovering around 16% as well, something that I like to track.

The next thing I want to talk about is dangerous EU laws. We've spoken about how the Snowden leaks have impacted the use of encryption and adoption of encryption around the world, and one of the things that has happened is that a lot of law enforcement agencies are going dark, and they have requested constantly that these tech companies introduce backdoors into encryption standards so that they have a lawful process in order to intercept this. Obviously in the security community we know that you can't really have a secure backdoor; any backdoor will be abused eventually. So instead what the EU has done is they've started going after other regulation which is adjacent to encryption or gets around the encryption issue.

One of those things is the electronic identification and trust services, or basically identity as a service in the EU. What the EU wants to do is create a service like what Estonia has, where they want to be leaders in e-government, and because the EU is a single market in some places they want to be able to do cross-border identity verification, establishing trust for financial services, professional services, tax filing as well as government services. There's a lot of benefits to having an electronic ID system, but one of the problematic requirements is that the EU wants to force all OS and browser makers to install or trust EU certificate authorities. However, the certificate authorities will not be subject to the same regulations and requirements that other certificate authorities have to adhere to. The CA/Browser Forum controls all of the trust stores in all of the various browsers; this is made up of all of the major foundations, and they have a whole bunch of requirements in order to be added to that trust store. In some cases certain browser manufacturers might change that trust store, but the CA/Browser Forum really sets those standards, and one of those key standards is certificate transparency: whenever a certificate authority issues a new certificate, that will actually be logged using this process. Without it, what can happen is the EU could go issue a certificate for somebody else, and they could man-in-the-middle that session, and you as the user would have no idea that this is actually happening. In response to this, an open letter has been created by a whole bunch of scientists in the EU; it has been signed by 504 scientists, so this includes researchers, PhDs, professors of many of the leading universities in Europe, over 39 countries, many non-government agencies as well. We'll see what happens, because if this actually does become law I think it's going to be very problematic in the future.

One of the other things that has been going on the past while is the Netherlands has introduced a new intelligence and security law, which is really an amendment to the current law that they have. What this will enable is it will give them a whole bunch of new capabilities to intercept traffic. Over the past few years it's gone through several revisions, but it hasn't actually been passed into law yet. These new powers include data collection, interception, as well as to hack back, and there's two components there. The one is, if they suspect somebody of a crime, typically a terrorist related crime, they can hack into that person's device; they can deploy a NIT, a network investigative technique, to be able to see what the person is doing. However, the problem is that there's a lack of due process. They can deploy that, but there's no notification, so if they were to break into somebody's phone and that person happened to be innocent, that person would never know, and I think that's highly problematic. The second thing, which I kind of agree with, is this ability to shut down C2 infrastructure. If you have a botnet that has infected a whole bunch of systems, this law will allow the Dutch police to go break into those systems to patch them or to remove the malware. Again, there are some problems with that, but I think overall potentially a good thing.

What's interesting though is in 2018 they actually had a non-binding referendum on the reform of the Intelligence and Services Act, and 49% actually voted against any amendment which would increase their powers, and 46% voted in favor of the law. One of the problems with this law is it's not actually a single law, it's actually three laws that reference each other, and what they try and do with the legal clauses and constraints is that they refer to each of these laws individually, and by doing so they create a lot of obfuscation. So even if you are really good with legal documents, it's unclear what the actual scope and impact of these various laws are. What happened last year was one of the intelligence officials actually resigned from the Netherlands in protest, to blow the whistle on this hacking law and to really show the lack of oversight that this has. You might ask, well, why should I care? Well, if you use a major tech site or platform, most of our traffic passes through the Amsterdam Internet Exchange. Many of our ISPs, I've highlighted two of them there, there are others, are peered at the Amsterdam Internet Exchange, so this collection would actually affect your traffic as well.

The final thing that I wanted to talk about is China's espionage and cyber operations. China's end goal is to have strategic dominance. Earlier this year you might have heard of the massive spy balloon that flew over the US. This photo is taken from a U-2 spy plane; it was eventually shot down by an F-22 jet, which is actually the first air-to-air kill of the F-22 Raptor. Once it was recovered from the water by the National Guard and analyzed, both General Milley and the US Pentagon came out very clearly stating that this balloon didn't do any intelligence gathering. However, most people believe that it did, and I think this is part of the problem that we have with the media that we have, so much to the point that it's actually now a running joke. In the military they have these patches that they will give out, and it's also a gag at security conferences, so this is actually CyberWarCon, they had a balloon, and you might notice there's a certain animal, Winnie the Pooh, floating underneath that balloon.

China has made it very clear, it has publicly stated, that it wants reunification with Taiwan by 2049, and an invasion, if you go read the latest military report, could happen as soon as 2026. The dates are like, oh, it could happen next year, but 2026 is really the most realistic date if they were to actually invade Taiwan. It's unclear, none of us are fortune tellers, but if you look at the posturing that China is doing, I think it's very likely that they're going to invade Taiwan, also based on the statements made by Xi Jinping. At the 74th anniversary of the founding of China, Xi Jinping said that the reunification of China with Taiwan is the common aspiration, it's inevitable and will not be stopped by any force. In order to achieve that they have invested heavily into new weapon systems, missiles, aircraft; it has expanded its army, air force and various intelligence capabilities, as well as its navy and submarines. China actually has the largest navy by the number of ships currently; however, the US has the largest navy when you go by tonnage. One of the things that they've also done is they've expanded a lot of their military bases and airports to make them compatible with fighter jets. At the military air bases they have created hardened bunkers, they've also created ramps for fighter jets, as well as extended runways for cargo or heavy airlift operations or missions. What they've also been doing is they've been constantly flying into Taiwan's air defense identification zone, with the number of aircraft going into the zone increasing steadily year over year, and they also use this for propaganda: they will fly into this, they see the reaction, and then this will be shared by China as progress as part of the reunification. The US has publicly come out and said that they will defend Taiwan if an invasion by China were to occur, and the US has also sanctioned China from obtaining advanced semiconductors to build advanced AI which could be used in weapon systems.

What China has done in response to this is it has stepped up economic espionage to steal trade secrets for economic purposes, we'll talk about that in a moment, and then they've also stepped up their hunt-forward operations to infiltrate US critical infrastructure to be able to disrupt any kind of response by the US in the event that an invasion would occur. What they have also done, and this goes back many years, when Xi Jinping came into power he created a policy to encourage the investment into offensive capabilities by various universities. They've also created new laws to create new hackers effectively, and what they've also done in 2021 is they created a new law requiring Chinese security researchers to report vulnerabilities to the government first, and then only once the government has approved it are they allowed to release it publicly. What China does in the background is they use those vulnerabilities as part of their cyber operations to go break into various companies. This plan is quite significant: over the past year there have been over a thousand researchers that have submitted close to 2,000 vulnerabilities, and of those 2,000 vulnerabilities about 141 are critical severity, which are usually 0-day kind of vulnerabilities.

If we look at Chinese cyber operations, they have this vulnerability research program that then goes to a hotline desk. As it gets reported to the government there is then tasking for people to go find where they can exploit that vulnerability; a scanning team will go look to find targets for that. Once they have infiltrated or identified vulnerable systems, that goes back to the hotline desk, and then three things will happen. Either that target will be selected for economic espionage, so if it's any kind of system that would have a lot of intellectual property they'll go break into that environment for economic development purposes; they might also use the network as a forwarding point, so let's say you have a vulnerable border device, they'll break into that device and then use that as a pivot point to go attack someone else; and then they might also use it for signals intelligence purposes, which could include disrupting any kind of response by the US, so that's forward posturing basically.

If we look at the attack life cycle, after the initial compromise they will establish a foothold, maintain presence, move laterally, escalate their privileges, and then once the mission is complete, obviously they might choose to stay. So once they've stolen the data they won't necessarily just leave; they might still maintain persistence so that they could use that network in the future.

I'm going to very quickly go through some of the examples. When it comes to intellectual property theft, American Superconductor Corp was actually breached by Chinese state actors, and the company lost its competitive edge due to the theft of intellectual property, which was used by Sinovel, which is a wind turbine company. Because they were able to undercut what American Superconductor was able to do, they lost their competitive edge and as a result had to lay off 800 people as a result of this breach. Then also recently there was reporting around the breach of NXP. NXP is a large semiconductor manufacturer; I think one of the things that they're most notably known for is, if you have YubiKeys or a lot of smart card systems, that's actually created by NXP, and you can see the potential problems there, and there's also various chip designs which were stolen as part of this breach as well. Back in 2020 I spoke about the vaccine attacks, which also tried to steal the ingredients and any intellectual property related to vaccine development, for China to try get ahead with that. There have been several investigations as well as charges laid by the FBI on Chinese MSS hackers that have targeted various industries including high-tech manufacturing, medical devices, civil and industrial engineering, as well as many others. Then there's another group, APT41 or Chengdu 404. This is a company that publicly does pen testing but secretly, behind closed doors, does targeting for the Chinese government, and they have participated in several state sponsored attacks including the United States, France, Japan, Singapore and South Korea, and if you've been following the news they were actually quite active this year as well across targeting in those countries that I mentioned.

One of the critical attacks that happened this year: Volt Typhoon, which is another Chinese state-based actor, actually broke into US critical infrastructure in Guam, affecting communications, manufacturing, utility, transportation and maritime industries, and the goal there was to do forward posturing. What they wanted to do is break into the network to establish persistence, so that in the event that China were to go invade Taiwan they would be able to use that access to cause disruptions to the US response. They are constantly doing this; this is just one case where they were actually found out. One of the key things with this attack is the use of living off the land, which I'll talk about in a moment. In this specific incident a Fortinet exploit was combined with living off the land to gain persistence, and then once they had gotten persistence, that enabled discovery to go attack other things that they could get access to.

As Dom mentioned earlier in the keynote, living off the land is becoming really common for a lot of these attacks. This is when inbuilt system utilities can run privileged commands for data access and persistence while evading detection, because these are typically utilities that a lot of system administrators would use, and because these are inbuilt utilities it is difficult to detect this. If we look at this example, which is specific to the Volt Typhoon attack: in the first screenshot you see a command which is base64 encoded; in the second one you actually see the decoded one. What that is doing is it's dumping LSASS process memory, and then the last one is to create installation media for a domain controller.

What China has also been doing is they have been acquiring land and constructing buildings near US military bases for espionage purposes. They've also been using violence against Chinese dissidents to silence them, as well as launching campaigns to discredit any Chinese dissident living abroad. This is concerning the Five Eyes countries quite significantly, to the point that this year they actually had a joint public briefing to warn the industry about all of these attacks, and this is very significant. You had the FBI with leaders of the various intelligence organizations of the various Five Eyes countries, including ASIO from Australia, MI5 from the UK and GSB, which is from Canada, and they have also issued a warning that people need to be on the lookout for these attacks.

In closing, I think we're in a bit of a tricky situation. If we look at before 2020, a lot of vulnerabilities, specifically in security hardware, are being used by these attackers, not just Chinese actors but other attackers, to break into networks, and these are some of the critical ones that happened before 2020. If we look at what happened in 2020, eight of the 25 most exploited vulnerabilities were vulnerabilities in security gear, so the very gear that we purchased that we hope protects our network is now actually the entry point for these attackers. I think we are in a very sorry state when our security solutions are the actual thing that gets us breached, specifically when it comes to the smaller companies; they can't necessarily afford a lot of better solutions, I guess. If we look at this year, at the most exploited vulnerabilities, most of those things are border devices or border device related, and I think we have to come up with a solution of how we address this. Fixing this problem is a very complex one, but one that we need to get to the bottom of so that we can start addressing this issue. I think also companies should be held liable in some ways when they introduce these vulnerabilities. I know that might be a controversial thing to say, but if you do introduce really bad bugs, surely there should be some kind of repercussion as a result of that. And with that, that is the end of my presentation. Thank you very much, and happy to take any questions.