
BSides Las Vegas 2019 Day Two - Ground Floor

BSides Las Vegas · 21:54 · 141 views · Published 2019-08
Transcript [en]

[Music] See, everyone made it today. Welcome back, this is the Ground Floor for day two of BSides Las Vegas. A few announcements before we get started. You guys are old hat with this, but we say them every time anyway. First of all, streaming has started, so if you could please remember to turn off your cell phones. If you have questions at the end of the talk, please use

Oh, sure.

I'm ready, you ready? Are you all ready? How 'bout... they're hungover this morning. You don't count, Eva. Excellent, so you are the people that are actually paying attention. Okay, here, hang on. Good morning everyone, this is BSides Las Vegas, I Am The Cavalry. This talk is "How to Treat Your Hacker and Responsible Vulnerability Disclosure," and it's by the award-winning, the award... Monta Elkins. A couple quick announcements we're gonna make. We'd really like to thank our sponsors here at BSides Las Vegas, specifically our Inner Circle sponsors Critical Stack and Valimail, and some of our stellar sponsors, there's just so many: Amazon, BlackBerry and the NSA, to name a few. So thank you NSA and Amazon and BlackBerry,

your support is really appreciated. Our talks are going to be streamed live, and as a courtesy to everybody please silence your cell phones now, so go ahead and set them to silent if you haven't already. If you have any questions I'll run over with an audience microphone, which I can't find right now, but we might have them. If not, go ahead, I want to go ahead and repeat the question, just to make sure everybody on YouTube can hear you. That's it. I'm gonna read a quick bio of Monta. Montana, Monta, Monta, want a month long, a long gang, yeah, or not, yeah, just reloaded. Of course it's okay, nobody's watching, nobody's watching.

So Monta Elkins is the Hacker-in-Chief of FoxGuard Solutions, which is an ICS patch information provider, a security researcher and consultant, and US patent grantee. He is considered by many of his friends to be the Chuck Norris of the ICS cybersecurity industry. Monta has been a speaker at more security conferences than his enormous ego can remember, including DEF CON, BSides, CS3, GE Digital Energy, ICSJWG, tocb ICS, it's so many. He's also at the SANS ICS Summit and was named Cybersecurity Professional of the Year by EnergySec. In his spare time Monta creates a totally safe-for-work coke-for-strippers, electronic coke cans, token strippers, electronic projects YouTube channel. Yeah, yeah, it's one you

have to see. Yeah, thank you. Yeah, yeah, that was it, token strippers, you could search for it. I wouldn't do it at work, but token strippers. Monta, if it says for Diet Coke can wire strippers, so it's electronic stuff, yeah. But all right, so in any case, thank you. Oh hang on, well afterwards I have, that was so good, I have a thousand in cash for you, featuring Nikola Tesla right there. All right, welcome. I'm glad you are awake this morning. We're going to talk about how to treat your "hacker", in quotes, and responsible vulnerability disclosure. So that starts something like this: hey, somebody just called you up, your company up, and says there's some security

issues where you are at. At that point, what would you do if somebody gave you such a notice, such a heads-up, right? Are you prepared? Have you thought about that a little bit ahead of time? You don't want to be surprised when that happens, so we're going to look at it a little bit. So of course I play in the ICS security space. Super quick intro for people who are new to the area, perhaps, but that's manufacturing, and it's water and wastewater and pharmaceuticals and dams and electric generation and transportation. That's industrial control systems in a super small nutshell. Sometimes when I'm introducing it to new

employees at work I use this book by Rob Lee called SCADA and Me. It's okay, he said I could use it, I remember. SCADA and Me is a book for children and management, so I recommend it. I was giving the talk once at work and the CEO of the company came by, and I'm like, hey, by the way, you should probably look at this book, it's written for children and management. Anyway, the end of the book is sort of the intro to here. So little Bobby is learning about SCADA systems: "Exactly. So I heard I have to protect SCADA from hackers. Are all hackers bad?" "Oh, not exactly, but that's a story for another time." And this

is that other time. So I'm also on a bit of a quest to reclaim the term hacker. You know, it sort of had its ups and downs over time; it went from sort of being a good thing to being a bad thing, and I think it's coming to be a good thing again. But we have a couple of definitions just to start. White hat: an individual uses their computer networking skills to overcome a technical problem, doing something cool. Black hat is a person who uses their abilities to gain unauthorized access, to do something that they are not supposed to do, potentially commit crimes. At the end of the day, this is really the secret of hacking: the real hacker asks

themselves not what is this tool designed to do, but what is it capable of doing, right? That's the difference: not what did somebody say it's supposed to do, but what can I really do with this tool. And we don't see this term too much anymore, but instead of black hat, crackers sometimes, being someone who cracks systems or attacks them. So back into hacking along this theme: what is a tool capable of doing, not what was it designed to do, right? So these are a couple examples, like, you know, a cup isn't designed to catch dust when you're drilling in the drywall over your head, but it does a pretty good job.

You ever do this? You will now, okay. Or the little Post-it that I'd be using, putting stuff in the wall. How to open your bottle, that's an important skill here, if you don't have a corkscrew: a hammer, not like this, like this, all right. Right, not what was it designed to do, what is it capable of doing, right? Skills of a hacker. All right, so what's a vulnerability? A vulnerability is a weakness which can be exploited by unauthorized folks, and then we have exploit, which is a way to take advantage of a vulnerability, right? A little bit of distinguishing; sometimes people don't distinguish between vulnerability and exploit particularly well. But so an exploit for this gate system might be, oh

look, we have an exploit, we can drive around this thing to the left. Well, you could fix that, right, you can block it, but it really didn't solve the vulnerability, because you can also drive around it to the right. All right, so that's our intro. Now back to the fault: somebody called you up and said there's a problem. You could be a vendor, and in that case it might be a problem with something that you've created, or you might be any other business, and something that you use, bought, set up or configured has a problem. Your company web server is spilling all your client data out to the Internet, right?

What do we do with that? So I propose this first rule of thumb: if somebody calls you and tells you there's something wrong with one of your systems, let's assume that they are the good guy. Now, it's not necessarily true, but let's assume they are the good guy. There are a lot of other things they could do with this information. Like, I'm most concerned about the person who finds this out and they don't tell you about it, right? They're gonna keep it, they're gonna do something else with it. So if they've discovered this and they notify you in some way, they call you up, right, start out by giving them the benefit of the doubt that they

are the good guy. They're trying to do the right thing instead of hiding it, keeping it, using it, abusing it; they want to let you know so you have an opportunity to deal with it. So what good is this notification? Well, if you're a vendor, right, that's kind of obvious: maybe you will want to create some kind of patch to fix it. There might be some other mitigations that are possible instead of a patch, or until a patch can be applied, and you might document this. As another business, a customer, a user of a product or service of some kind, this notification can still help you. Of course, if there's a patch you can apply

it, but if there's not, there are still things you can do if you know the vulnerability exists and you know something about it. So if somebody has documented this fairly well, whether it comes from the vendor or a CVE or some place else, you can take steps to defend yourself against it even without a patch, all right? You can add additional firewalls, shut down that service, change the configuration. So that information is valuable of itself, even when a patch isn't available.

So we said that we might consider giving them the benefit of the doubt, if somebody lets you know, that they are the good guy, right? They might legitimately be able to sell this vulnerability information to somebody, either the information that's lost or the knowledge of the vulnerability itself, and there are open markets to do that, and that's a legal thing to do. As a matter of fact, some companies will pay lots of money depending on how good the vulnerability is, so it could be tens of thousands, hundreds of thousands. You know, you get a good exploit for an iPhone, or really, you know, Windows 10, that could be, you know, hundreds of thousands,

maybe a million bucks. So that's one of the alternatives. So remember, if somebody called you up to let you know this, they are bringing you a gift, right? This potentially has market value elsewhere, and they decided not to do that. So who do you think buys these, who buys vulnerabilities? Software vendors. Why would a software vendor buy it? So they could fix it, yeah. Who else? Hackers, yeah, because maybe they want to take advantage of it, yeah. Maybe intelligence agencies who want to use it. So there are markets; there are different people with different motivations. Occasionally maybe security companies, because they want to know so they can protect their customers.

There are various people that might let you know about a vulnerability, in particular Google. They have Project Zero, I don't know if we have any of those folks around. So if they find a vulnerability, they have a 90 day disclosure policy, so that after they find it they're going to let the vendor know, and then they will disclose it publicly. So we already discovered what's the value of disclosing it publicly if there is no patch: well, because there might be other mitigations. There are also some other benefits to that disclosure. Disclosure can be a motivation for a vendor as well; it's like, this is going to become known, all right, so we expect you to continue

work, or begin work, on fixing this item. So other people may tell you along the way. Your customers might tell you; the security consultant that you hire might tell you; if you're building some kind of industrial control system plant, you often have an integrator putting all the pieces together, and they may discover a vulnerability along the way; you may hire researchers. Also, somebody who has you in their supply chain, they may come to ask you: do you disclose vulnerabilities, do you post mitigations, do you have a good process for letting us know if a product we bought from you has some vulnerability, and how we could deal with that, right? That's useful

information to have. So even outside of your voice, you know, people may be asking you, what is your vulnerability disclosure policy? And in some places in industry we have requirements, like in NERC CIP, Critical Infrastructure Protection, there are requirements: when you add a new cyber asset, to do a vulnerability assessment on it, and then to come back and do vulnerability assessments on a regular basis. So I think sometimes companies believe that, well, we've got this product and we will send it out into the universe and we will sell it, and nobody will notice, nobody will pay attention. That's not true, right? Some people are required to pay attention, some people are required to

test your product, if you're a vendor. So those things get discovered, and they have good reason to be. If you were trying to set up a system to do this, there are a couple of ISO standards that can help you, believe it or not: there's ISO 30111 and 29147. The first one is a vulnerability handling process; this is your internal, how do we deal with the vulnerability we're notified of, and how do we take care of that. The other one is vulnerability disclosure: how do we notify people about the vulnerability, what kinds of information do we provide. So those are some good reference documents if you're trying to set this up in your organization.

You don't have to entirely make this up from scratch. Using a standard has an additional benefit in that, if you pick (and there are probably other standards out there, I'm not so concerned which one), but if you pick a standard, then you have sort of one argument in an organization. The argument is, oh, which standard are we going to pick? Because once you pick the standard, now there are a bunch of things that it says to do, and you don't have to have an argument about each one of those things. Your argument was, we picked the standard. Every step you want to take, a secure