
Okay, okay, this is great. Hello, it should work. Is it very low? If I... no. And that's very much... how do we make this work? Hello, hello. Oh, come on in. Good morning, Sam Humphries. All right, everyone good? Let's press the button at the back. Are we good? Are we live? We're streaming, we're on the internet. All right, good morning, BSides Las Vegas. Hang on, I've got a script.

So good morning slash afternoon, and welcome to BSides Las Vegas Proving Ground. Underground? We're Proving Ground this morning. I feel... with something. Okay. Welcome. You want to come and grab a seat? We are live on the internet, so please keep your clothes on. Please, really do that, it's early and I've only just eaten. Okay. So we're opening proceedings today with a man who is a pun. Not actually a pun. That's a pun? Yeah. I was going to make up a fun fact about Ian, but you are very fun, you're having a little bit to the mind, just a little bit. Then, cool, cool. So your talk is, well, it's on the screen, but for those of you who'd like me to read it: Birds, the Bees and the CVEs.

So, a quick couple of things. I've got to thank the sponsors, because they're amazing: Diamond sponsor Adobe; Gold sponsors Prisma Cloud, Sem, Blue Cat, Tracks, Toyota One. I was only supposed to say three of these, but thank you to all of them. It's their support, along with the other donors and volunteers, that makes this event possible. Please turn your phones off; it's just kind of polite. And we're not Underground, so I think you can take photos. You're all right with photos, but please just don't take photos of random people without asking them. And are you good to go, my friend? Excellent. Over to you.

All right, thank you so much for that fantastic introduction. So again, the title of my talk is The Birds, the Bees and the CVEs, or Understanding Critical Vulnerabilities to Critical Infrastructure. My name is Ian Deason, and I'm with the United States Cybersecurity and Infrastructure Security Agency. Specifically, why this is "the birds, the bees and the CVEs" is because when a security researcher and a product security team love or hate each other that much, that is how a CVE is born. You may be noticing throughout my presentation there are many, many stork images, where... the government discloses vulnerabilities. Just quick, raise a hand... yep, you see? Yeah. So that's actually another way. And if you... can be able to get a lovely sticker package. Thank you so much, that was you, thank you, Merry Christmas.

So one thing that's important on why we're trying to... my take as well is one of the reasons why we want to make sure that... today. So Josh Corman talked about Presidential Policy Directive 21 a little bit. These are some of the authorities that we have to be able to work with critical infrastructure and the federal government on how we're able to manage the risk and strengthen the resilience of the nation's infrastructure: we're able to reduce vulnerabilities and be able to hasten response. So I'm going to talk a little bit, specifically within the context of vulnerability disclosure, on how we're able to hasten that response.

So there's different ISO standards. This is a very bird's-eye view, if you will, of how we are able to conduct our processes. There's ISO standards behind this; the CERT Coordination Center has written a fantastic guide; but this is a very quick and dirty version for those folks that might not have heard this before. So the first phase is where there's going to be the vulnerability that's discovered, whether it's by accident, whether it's through research. Either way, that information is there: there's some sort of weakness to that particular software or hardware that's documented and is shared. So that would be where we'd go into the coordinated disclosure phase. At that point there's a validation of that vulnerability: whether one researcher finds it in an isolated environment, it needs to go to that product security team to make sure that, yes, they are seeing what is true, yes, this is truly a vulnerability. One of the things behind that coordination as well is, a lot of times it's not a handshake. A lot of times people are reaching out with a hand, and they're getting threatened with a lawsuit. So this is a little bit of reality. Some of what CISA does in our mission is we are able to be a third-party vulnerability disclosure entity. What that means is, if people need help, we are able to assist. And one thing as well, specifically within this phase, is the timeline can vary drastically, where some of the cases I've specifically supported have had timelines of about a year to two years, where some are within 30 days.

So ultimately, once there's some sort of agreement between the two entities, or three entities, there's going to be some sort of patch or mitigation phase. So a patch, depending on the system... if we're talking critical infrastructure control systems, that patch cycle is going to take a little bit longer, because they're not going to be patching on a rolling basis. Some patch cycles are happening quarterly; sometimes you need to be able to bring staff on site; some of these systems are underwater, some of them are in outer space. So you really have to be able to do a little bit more coordination; you have to prepare a little bit better. Also, when it comes to the mitigation phase, not all patches will be a mitigation. Some mitigations are: destroy the device, buy a new one, the firmware is broken. So there's other things people need to understand.

And then finally, for the last phase, this is where we become instrumental, where we're using our megaphone and we're able to get the word out. We are able to get the word out to people that might not have access to a threat intel platform. We're able to get that information out to people that need to understand the risk of what their products are, so they can be able to make those decisions on how to best safeguard their communities, how to best safeguard their enterprise, whatever type of operation they're trying to have. We're there to be able to support them. One of my takes, when it comes to the whole idea of coordinated vulnerability disclosure, is there's a sense where there is coordination involved with all of them, yes, but not all of them are organized. So we try to make sure that we're bringing that reasonableness and that organization that it needs.

So that's a little bit higher level on the process. But why does this become so difficult? That was a pretty easy... well, it wasn't really a flow chart, but why does this become so difficult, and why does this become so critical? I want you to kind of think of criticality not necessarily as whether something can be remotely exploited, whether it's a CVSS score of a 10, but think of criticality as critical thinking: how much time do you need to think about these problems, how much creative thinking do you need to be able to do when you're tackling some of these problems? Because there are five different examples that I'm going to be sharing with you, and in each example I'm going to tell you the fact that you can't really have a set playbook for everything. You need to be able to be creative, and you have to be able to think on the fly.

All right, so I'm going to have a quick example of: what if there is a vulnerability that gets shared with you, and it's literally everywhere? So this was an advisory that we released about a year and a half ago. When we first received this report, the idea behind it was this was going to affect billions of different devices. So this is going to be affecting different real-time operating systems, or RTOSes, which are used in cyber-physical systems. Some of these products you can see right here, or can't really see, but some of the products were products made and maintained by Amazon, one of the largest companies on the planet, where others were smaller projects managed by one to two people. And this becomes very difficult, because if you're thinking of a specific vulnerability that affects a memory allocation function and this number of operating systems, are we going to be targeting that operating system during the mitigation and patching phase? You have to be targeting where those actual products are placed; you have to be able to work downstream. So when we started our coordination, we contacted the vendors of these different technologies. Not all of them were based in the United States; they're all across the world. And it became really clear that there was a lack of supply chain visibility that really came behind this. Because what happens is, if you have this small RTOS that is put into a smaller component, which then gets integrated into a larger product, which then gets sold to a system integrator that, you know, will create an HVAC unit or something that gets integrated into a submarine that gets sold, and then there's a maintenance contract that's put on top of that, so there's layers and lawyers and layers of obfuscation where you're trying to understand and enumerate what the problem is behind one vulnerability. It becomes near impossible, where not all these things are going to be IP based. You can't search on Shodan for some of these things, because a littoral ship isn't necessarily going to be able to show this. There is market data that you can purchase, but unfortunately it tends to be really expensive. And if you're trying to simply understand what that impact of the vulnerability is, it can take lots of time, effort and a lot of thinking. This specific case actually took us over a year from the moment that we received the case to the moment that it went public. And one of the things behind it, where people start to get a little bit... when it's starting to affect OT, IoT, industrial, medical and enterprise networks, when it is so many different devices, it gets very difficult to understand what it works with. Specifically, we are working with initiatives within SBOM and another initiative called VEX to kind of help with some of these issues. So I'm not going to get into that within this talk, but there are very smart individuals we have at our organization that can speak to that.

The second one I'm going to bring up is: what if a vulnerability specifically gets attention? So this is another advisory we wrote, for a product called the MiCODUS MV720, which is a GPS tracker. So this particular GPS tracker is an aftermarket automotive part that you're able to put into your car. You can be able to track fuel, you can track where the car is; it gets integrated within the greater vehicle itself. When we first received this case, we did see it was bad, but the use case behind it... there wasn't the proof of concept available for a specific car, so it wasn't going to be at the level of other particular car hacks that we've seen, where they're able to physically stop a car driving on the road. However, this got a little bit more spun up when the Associated Press picked it up. So what this means, for those folks that have not seen this before: the Associated Press acts as a larger seed, where smaller news outlets can be able to take the information behind it. What specifically happened with this one, and you might be able to see the title, "Researchers: Chinese-made GPS trackers are highly vulnerable": that's not going to be telling the whole story behind, you know, what is actually capable of this vulnerability. They're seeing the fact that there is another country that is able to try to hack into GPS systems. One of the things I've specifically learned with this case is the fact that, many times, security research companies (and this isn't for any of them, or for all of them) are able to hire PR firms to be able to do media pushes. And this is where there's this context where a vulnerability tends to get more attention if it's able to get more clicks. So that's just an interesting way to take where the research is being done, the fantastic research is being done, but sometimes that message becomes a little bit different. And specifically with this one, I did receive lots of different questions from private industry and other parts of government to say, how many cars can be hacked right now? Which I was not able to answer.

All right, here's another one, which we heard a little bit yesterday: what if there's a vulnerability within medical devices? So this can be touchy for some people. So this was a medical advisory. I don't know how many people have heard of the Hamilton T1. Some people know what this is, because this is a ventilator. Another thing I want to show is the fact the date is February 16, 2021, which was right in the middle of the pandemic. So again, this is a vulnerability that, if you look at... so CVSS, you know, take it or leave it, however, a very, very low, not a very critical vulnerability. But the fact that this was a vulnerability affecting ventilators during the pandemic, where there's supply chain shortages and it's a literal physical harm type of element behind it, people are a little bit more cautious of these types of vulnerabilities. So this was something we did get a little bit more questions on, just based off of the type of technology and how it was affected. One of the things that we have to be able to help with these types of vulnerabilities is we do have a memorandum of understanding in place with our partners at the Food and Drug Administration, also within the U.S. federal government, where we are able to share our vulnerabilities before they're public with the people that know how to fix them. So what that means is they have different capabilities, whether it's cardiologists, whether it's other people that can test these medical devices, which are meant to treat or diagnose diseases or injuries. They're able to go in and give that proper patient safety impact that we can't be able to do, because I don't have a medical background; I'm not the best person to be able to make that assessment.

All right, another vulnerability that we have is: what if it's affecting an open standard? So this was... I had to look up this vulnerability before I took this case. So the Object Management Group has something called the Distributed Data Systems. So this is a middleware component that's going to be used to handle the reliability of control systems over wide distances. So it's just kind of a way to link different architectures. So it's a little bit different, because there's already this idea of different locations, and this is an open standard. How do you fix something when you're not telling one manufacturer, you're not telling one software developer, "here's the bug, how do you fix it"? You have to talk to a consortium, and people have been working on the standard for years to be able to build other technologies. So what we did, we ended up writing an advisory behind it. But one of the secondary impacts behind this was not only did it affect multiple technologies, but the fact that if you did a very quick online search, you could see that there's very, very highly critical pieces of critical infrastructure, whether it is a large dam that's up in the United States, or the fact that the International Space Station happens to be using this type of technology. So this is going back to this idea of, even if this is a very niche technology only a few people understand, the fact that it's used in very highly critical systems is going to give this a little bit more attention.

And so my last example: so I gave different examples of the news, we've given different examples, but what if it all happens at once, with exploitation? So yeah, we have that one: we have Log4Shell that happened, which for many, many entrances... not only is it critical in the fact that it was mass exploitation affecting all realms of enterprise as well as critical infrastructure; this also happened during the holiday season, where many people happen to have time off; this is also during the surge of the Omicron variant of COVID, which also hindered teams; this was also in open source, which just also made it difficult. But I will say, after working with several different teams on the response effort, it was a fantastic job, and there's certainly a lot of lessons learned.

So we've learned a little bit now. So vulnerabilities can really be anywhere; they can affect up to billions of devices, so one CVE could be up to, like, billions. The media can give attention to things that might normally not have gotten that same attention. The public can be very sensitive to medical devices, or things that they understand, such as cars, vehicles, things that they know, tangible items, you know how to express harm. Standards can really, really increase the amount of complexity when it comes to response. And it all can happen at once.

So what are some things that we can do to help? So I'm going to talk about three different strategies here, and some of these things were discussed yesterday: you can add a vulnerability disclosure policy, you can become a CVE Numbering Authority, or you can have kind of tailor-made vulnerability response processes. So if you do make products, if you are making code that's being sold, one of the things that we highly recommend is that you become a CVE Numbering Authority. So what that's going to do is it's going to allow you to assign your own CVE IDs. It's going to also allow you to tailor what your language is, so that way, when you're trying to own that vulnerability information, own the rhetoric behind it, this is the first step. They do have a few different barriers of entry, making sure that you're showing your publicly facing vulnerability information, which already is something we're wanting people to do, and it also is showing the fact that you have, as a bonus, a vulnerability disclosure policy allowing good-faith researchers to reach out to be able to provide these services to the company. Because oftentimes, if it's not explicitly known, organizations and researchers reach out to us to be able to serve as that intermediary. CISA is able to help with that. Julia's in the audience as well, so she can also assist you if you have more questions on that. But also, something that I had highlighted earlier: if you do have a business, have a vulnerability disclosure policy, because that's going to be one o