
BSidesNCL 2020 - Keynote: If History Teaches Us Anything, It's That We Ignore It - The Beer Farmers

BSides Newcastle · 1:05:52 · 24 views · Published 2020-11
About this talk
Keynote: The Beer Farmers, "If History Teaches Us Anything, It's That We Ignore It". In this talk, we look back across the history of notable security incidents and reflect that, years later, the same problems that led to them remain and that, if anything, things are getting worse. Is it unpatched software, poor credential management or poor configuration? The answer is yes, and as we fast forward, nothing seems to materially change for the better. We'll discuss these and other age-old problems, why they still exist and what hope there is for the future. As a Beer Farmers production, it'll contain the usual fun and light-hearted feels, but also deliver some important messages and takeaways. Captured using OBS (Open Broadcaster Software, obsproject.com). Edited using OpenShot Video Editor (www.openshot.org).
Transcript [en]

Morning, Newcastle, virtually. Who's actually in Newcastle? It's Sam, you up there? Close enough, close enough, I can probably see it if I stood on the roof. So it's kind of more of a global BSides, isn't it? I think probably one of the first in the UK, if not the first in the UK. Please all unmute your microphones, we are go. Exciting. This is pretty cool because it's one of the very few talks we've given when every member of the Beer Farmers is actually here. Yeah, and so that's really neat. We even managed to dust John off, which is really... that's not a euphemism, by the way. But we managed

to bring him out of hibernation for an hour this morning, which is really super cool. Right, I'm going to share my screen and you're going to tell me it's working. Whoa, you should have killed that URL. All right, are we good? Yeah, man. All right, so the title of our talk that we've lovingly prepared for you for this morning is "If History Teaches Us Anything, It's That We Ignore It", and that can be said of many, many things across history. It's a reflection on the things that have gone on in the past that seemingly still go on today and have never really been fixed, despite the fact that we endlessly talk

to each other about them and agree and disagree and come up with solutions, but it doesn't seem like we'll ever solve the problem. So that's the general idea of the talk. It's probably going to run 45 minutes to an hour, but we'll see. I think we've got somebody curating questions in Slido, is it? And so if you've got a question to ask, use that app or use the site and we'll get to those questions at the end. If you haven't got any questions, then great, fantastic, we've delivered a perfect presentation. Just a quick one, the Slido code, I think, is #NCL2020. 2020? 2020, yeah. That's #NCL2020, just to be clear. Okay, cool.

All right, let's crack on. Okay, so we are the Beer Farmers. I think many or most people have heard of who we are. We are a troupe of infosec professionals, and up until recently we rocked around the UK delivering talks about topical things, had a good time, met lots of friends, and now we're doing it all virtually, but that's kind of cool. All right, so on to the obligatory parental advisory. So we do occasionally tend to use colourful language in our talks. We don't do it gratuitously, particularly now that Andy Gill is no longer a member of the Beer Farmers, so there are probably going to be virtually no C-bombs dropped. So for anybody

that's offended by the use of that word, we'll probably avoid it, but we might swear a little bit, but again we'll keep it in context of the talk. All right, so who are we? So we're going to do a really quick round robin of who we all are. So I'm Mike Thompson, App Bloke on Twitter, and you can unfollow me as you see fit, block me, mute me, report me, all that kind of thing, I've seen it all before. I'm head of IT, head of IT security for an ISP in the north of England. I will hand you now to John. I'm John from Belgium, so yeah, far away, but this makes it

really easy to join conferences, so I really enjoy that I could make it, it's not always that easy. Yeah, from Belgium, I'm an AppSec guy, nowadays a security manager. Over to Ian. Hey everyone, I'm Phat Hobbit, percussionist of the Beer Farmers, mostly cowbell but sometimes people's faces. Scott, over to you. Scott, thanks. I'm Scott, many of you may have already blocked me on Twitter and that's absolutely fine. I am the newest member of the Beer Farmers, I'm kind of on probation so I don't really want to say too much, but there will be lots of colourful language from me. Over to you, Sean. I'm last on the list, much to my

delight as always, the closest to my heart, Sean. I'm Sean, yeah, I'm AppSec, kind of leading up the AppSec at Immersive Labs, big fan of application security, and proud to be part of the Beer Farmers. Well said, that man. All right, let's kick off with the main meat of the talk. So anybody that knows who this guy is, well, they'll tell you that that's Napoleon Bonaparte, and during his reign he had a really great idea, and his idea was that he would take Russia, take its land and its natural resources, and then France would have an empire, a huge empire, and be rich. The thing is, he didn't realise how cold

it is in Russia at the time of year that he invaded, and so they went steaming in and then realised it's a bit cold, and then failed. That's pretty much what the outcome was. Okay, that was a bad idea. Invading Russia has historically never been a great idea, and I don't think anybody's really ever succeeded. So winding on to the 1940s and this group of really lovely chaps, and you'll notice Adolf Hitler, Joseph Goebbels and Hermann Göring in the front of shot. They devised a similar plan, which was: we will take Russia, own its lands and all of its natural resources, and it will build part of the Reich that's going to last a

thousand years. And guess what happened? They all froze to death because they picked the wrong time of the year. They didn't factor in that the Russians have got a pretty good idea of how their winters work, and many, many German soldiers froze to death in the process. And interestingly, a little anecdote: Göring, who was on the left-hand side of Hitler, or the right-hand side of Hitler from Hitler's point of view, was head of the air, or head of the Luftwaffe at the time, and he organised an air drop into Stalingrad, and the German soldiers were expecting to receive supplies and ammunition, but what they accidentally received was tons and tons of

condoms. So that didn't work out too well, because what the Russians did was collect the condoms up, fill them with petrol and use them as parts of Molotov cocktails. So that didn't work out. Oh, those pesky Russians. I know. And you're a wartime buff, do you want to just reflect on some of this stuff? Sure. So there's a lot of things, and this picture, you know, a little bit controversial, but a bad plan doesn't work without great public relations, PR, behind it, and marketing, and one of the reasons why I wanted to have Joseph Goebbels in this shot was that Hitler's ideas only came to life when they were amplified through social

media. And if you can't see a parallel between the rise of fascism and nationalistic movements and the idea that we would be better off un-unified, I think you're failing to see the point. To contextualise it in infosec terms, and we'll open it up to the rest of the Beer Farmers on this one, about 2015 we got hit with the first strains of CryptoLocker, and pretty much every journalist, every information security specialist was like, this is going to be a thing. Okay, five years later it's a huge thing, and a report came out from the company I work at is that I believe we've now identified over 39 different

professional organised criminal groups hitting businesses with a version of ransomware, in a lot of cases a version of ransomware plus blackmail. And so back when we look at 2015, we knew that security was becoming important because all of a sudden on our computer was flashing up a screen that said you need to pay us $200 and we'll unlock your computer. Fast forward to where we are today, and companies are spending literally millions, and I'm not exaggerating that, to get their data back from what is essentially the same threat in 2015 as it is today. So, you know, I'm almost throwing up my hands in despair, because this is the equivalent of, you

know, invading Russia and not learning from our mistakes or even the mistakes previous in history. John, do you have some thoughts you want to go for there? Yes, you're totally right. It's like, yeah, the basics totally not covered by companies. It's not only ransomware, of course, but we see it over again, and what's typical for now, what you notice, is the extortion part. So not only have we encrypted all your files and your systems, we have your data and we will leak it. So yes, it's not any more like, hey, I have the backups and I can recover, it's another level now. But that's also not new, we saw that with

some operators, some groups, and companies are still not prepared. They know it's going to happen sooner or later, but they're not prepared. So totally agree about ransomware, but yeah, it's a lot of things. We keep on making the same mistakes and we literally don't learn anything, as it seems. Some companies do, but a lot of companies fail to learn from mistakes from others or even their own mistakes if they get hit several times. I just also want to add, like, some companies get hit more than once, so single companies themselves aren't even learning. They get breached, and they get breached again, and maybe a third time, and you think they'll

take the hint, but they still don't. Well, that age-old adage of it's cheaper and easier to pay the parking fine in London than it is to actually pay for parking. Like, they're literally just focusing on, hey, if we get breached, and I'm sure we're going to come on to this later, if we get breached we'll just pay the fine, because it's slightly cheaper than actually patching our systems, actually doing the due diligence, actually putting things in place and hiring more staff that cost 10 times more than just paying the ICO's pissy fine, if I'm perfectly honest, if they even bothered to do anything. Pre-2018, Scott, in terms

of the ICO, that would be absolutely correct. You know, we look at the fine that TalkTalk got for their data breach, which was £400,000. Wind forward to the fine that BA have been issued notice of intent for from the ICO, and I think that's £183 million. So, no difference really, no difference. I want to jump in, though, with something too, because this is sort of like the state of the art here. So you may think that a ransomware attack is a very sophisticated attack. It is not. It's commoditised. There's ransomware as a service, that is essentially cyber criminals building better and better ransomware that then is basically commercially available to anyone that

wants to embark upon that road. I wrote an article probably about two weeks ago that looked at an indictment that was handed down from the Department of Justice, and at the time of this guy's crimes he was 14 years old. He used sqlmap to discover a SQL vulnerability in Armor Games, he was able to gain access and then exfiltrate the data and convince Armor Games to pay him a ransom. When they dithered, he took their systems down and essentially held them hostage for a couple of days before they restored those systems, right, with the

same sqlmap vulnerability that he had used previously to gain access. Okay, so this is sort of the whole thing, and really underscores the point that we're trying to make here, which is this cycle of perpetuating the mistakes. Like, you should have learned that you have these vulnerabilities. The tools to find vulnerabilities like sqlmap are readily available, and the fact that it appears more criminals are doing that and finding those vulnerabilities and exploiting them than blue teamers really becomes that demoralising piece. I'd add every single security incident is a learning opportunity, I meant to add that. Oh yeah, high five, virtual high five. And as this man

said, Albert Einstein: insanity is doing the same thing over and over again and expecting a different outcome, or a different set of results. And that's kind of the whole thing in a nutshell, really, everything we've just spoken about. So Ian, yeah, these next couple of slides are all you, buddy. Okay, so this is a really interesting kind of situation that has developed. So you guys may have been familiar with the Uber data breach, back all the way back in 2016. While the slow wheels of justice turn, one Joseph Sullivan, who's a senior executive, I believe he was CIO of Uber, he essentially paid the hackers who had

exfiltrated about 600,000 driver's licences and information from Uber systems. He essentially paid them a million dollars from a bug bounty program, so facilitating the use of a bug bounty vendor to pay these guys that had broken into Uber a million dollars, and then attempted to put them under NDAs. Okay, and the idea was that basically he was going to conceal this data breach, right, from everyone. He put his own staff under NDAs, he was very careful to not give any of the details of the data breach to corporate counsel. It was really him and the CEO that conspired to do this, right? Now let's back up a little

bit. Uber is a company that is essentially trying to build autonomous vehicles by using human drivers up until the point their autonomous vehicle technology takes flight and they unemploy all the humans. Okay, so they're using humans to eventually replace humans, so that's the ethical centre of Uber. Okay, now where Joseph Sullivan ran afoul, shall we say, was that in the United States, when you're a publicly traded company, you need to disclose things that are material to your organisation, including cyber activity. He did not. And so what essentially happened was, we're not sure exactly how this case came to be, I suspect it might have been the bug bounty firm saying, hey,

you'd originally told us that you had a bug bounty budget of 100,000, but you just made us pay a couple of dudes a million dollars, something ain't right here. And they wanted to avoid what happened next, which is this indictment. And there's another major, major point in this indictment. So Joseph Sullivan isn't charged under a Computer Misuse Act statute or even the traditional wire fraud that we see as a common element to cyber crime. He's charged with two things: obstruction of justice, okay, and something called misprision of felony. Now misprision of felony is a very, very interesting charge. Misprision of felony is essentially you witness a crime and you don't report it,

and so by not reporting it to the SEC or the FTC it becomes a criminal matter. Not reporting the data breach and attempting to cover it up becomes a criminal matter. All right, so let that sink in. The reason why this case is so important is that if the court decides that indeed, through his actions, he knew there was a crime, he covered up that crime, he obstructed justice by saying there was no crime, you guys don't know what you're talking about, and he didn't disclose honestly to the FTC, this will have huge repercussions, because as a criminal statute, which this is under, he ends up potentially

facing three years in jail. But the biggest thing is civil forfeiture and restitution. So all of a sudden you have these high-flying executives who have conspired, potentially, and see, to have a conspiracy you need another party other than just him and the CEO. Interesting to note that the CEO has not been charged. It's quite possible the CEO turned on Joseph in order to strengthen this FBI investigation, which led to this indictment. Pure speculation on my part, but when you're in the hot seat and you could lose the mansions and the boats and all the cars and quite possibly the mistress and the wife all at the same time, you're now in this

position where civil forfeiture is actually more impactful than criminal time. You know, because if you've got several million dollars stashed away in a bunch of houses and shell accounts, three years in jail to get out scot-free and enjoy the good things in life is a small price to pay. But to have it all taken away and spend three years in jail is maybe this double-sledgehammer-wielding barbarian that we need in order to start having some people conduct themselves accordingly. Because with all of these ransom cases the argument could be made, it's not a hard argument to make, that a crime has taken place and you are not reporting it, and that, my friends, could

be the ball game. Perfect, thank you for that. Any of the guys chip in there, or should we move on? We good? I just want to say, yeah, an NDA to criminals. Yeah, and they signed them with their hacker aliases too, that's the hilarious thing, right? I mean, you're going to try and use a legal tool against folks that are already demonstrably criminals. It's insane. Wow, wow. All right, thanks, chaps. Who loves drama? John loves drama. John loves drama. John, talk to us about... and maybe, if it's not too much to ask, John, can you drop the latest lame joke live here on the Beer Farmers later on in the show? I will do, I will do.

When you guys are talking I will try to post. So, Twitter drama. You can't get through a day, John, can you, without seeing something happen? It depends, but what bothers me is not that everyone has an opinion, but the fact that, at least that's how I perceive it, sometimes it seems that I post something, for me it's trivial, innocent, and then I get drama. But you get used to that, and I can almost predict when I get drama. Drama is a big word, I get emotional reactions, let's call it like that. But what

bothers me a bit is if you get these kinds of conversations that people are jumping on and using, for instance, their 60,000 followers to boost something and just turn it into a whole other discussion, and that's when it gets heavy. I mean, you get all the feedback: your tweet was well meant. I'm a Belgian, so my English is okay but not all the nuances, so sometimes I know when I tweet something and then people are really understanding, because when I write blogs etc. people almost never criticise me because of, yeah, wrong grammar, whatever. But when I write a tweet and there's one word that

is possible to interpret, it will be, if the tweet gets a lot of attention. I hate that. And the other drama, or I don't know if it's always drama, there's a lot of, like I said, high-profile Twitter users jumping on the bandwagon. I try to mute as much as possible certain words that cause drama, certain people that are always, like, stirring in the... I don't know how to say it, but you know what I mean. I try to mute that, because it must be a pleasant experience. Twitter for me is learning and fun, but recently the learning is a lot less. But it's also a bit personal, I think, because, yeah,

I'm trying to get as much time off Twitter as possible, and one of the things is the lame jokes I started just to bring some positivity. And even then there's a cultural difference, and that's the last thing I want to say about a joke which in Belgium people would laugh about, but has a certain... it's about women, for instance, and yeah, you could interpret it as sexist. And when I tweeted it I thought, oh no, what have I done? I deleted it afterwards, and here in Belgium everyone would laugh, but it's a cultural thing. I can tweet the same thing about all topics, or I can make

jokes in Belgium that would be possible, so sometimes I feel like, yeah, don't go there, even with the jokes. So it's a thin line between meant to be funny and, yeah, people that interpret. So John, in a 24-hour period, how many times do you leave Twitter and then come back? I know what you're referring to, where people peace out, they call the community toxic and they're like, I'm done, and then three hours later they're back online. It's true, but when I read it sometimes it's like really shitty if people are going to tell you that you're not contributing etc. That's regardless of who it is, I don't care if

someone tells me, and then, yeah, you suck because of blah blah blah, and there's no reason, or they call me out about the blog post and they have literally no arguments, and then they're saying exactly all the things I explained in the blog post, and they're, like, giving all these arguments which I try to discuss and allude to in the blog. So I get what the people... but the thing is, I try to just not give them attention. I think a lot of people should better do that and not give the attention, and when you go offline, go offline and take some rest, because

saying "I go offline" you create even more stress, and then of course they come back, because Twitter is a good medium after all. I mean, just filter out the negativity and enjoy and learn from great people, and that's what it's about, I think. Yeah, absolutely. Scott, Sean. Sean, I was going to let Scott go. Scott, you go, because you haven't talked much. Well, it's because I'm usually the target for some of the drama recently. No, drama's nothing new to me, and I get where John's coming from, and this is something I'm absolutely trying to do, is actually step back from a lot of stuff where it goes on, because I'm kind of like the

young version of Captain America, I can keep going. You know, I've got TweetDeck running, I'm just going to keep responding to people over and over again, especially if your point is [ __ ]. The problem with that is sometimes, and this is what I've noticed recently, people have taken to blocking you, then subtweeting you or quote-tweeting you out of context, or taking a screen cap, tweeting that out of context to their 60,000 followers. Not that the follower count matters much, but when you're being amplified in a bastardised fashion to the entire world in a different way... Let's take John's joke, for example. Well, man, it was a lame joke of the day, just went out, wasn't really meant to

cause any offence. Someone could have just went, hey, you know that doesn't actually gel well with the English-speaking community, in a DM, a private line, without the public drama. We've seen this before with Dan Card, for example, where, you know, it could have all been resolved behind closed doors, and I'm sure he would have turned around and said, yep, not a problem, I didn't realise this, I was doing it really, really quickly, job done. Unfortunately, when it's been used to amplify some sort of weird bastardised stigma or point that you have... and the irony for me is most of the people that I end up arguing with

are the people that actually say that infosec is toxic and a dumpster fire and we need to be more positive, but yet their entire feeds are all just [ __ ] negative [ __ ], and I'm sitting there the entire time going, you do realise how ironic this is? You are the very people saying it's a dumpster fire, you can change that by not eviscerating me purely because I disagreed with you on a very valid disagreement point. Like, what happened to the community being all about disagreements? We argue all the time, we disagree with each other all the time, it doesn't make us enemies. We don't just suddenly go, you are my mortal enemy,

block on all social media platforms. We go, okay, don't agree with you there, or even better, explain where you are coming from, what's your point, you know, where's your evidence to that? Okay, cool, I don't agree with you, but that's fine, and then we just move on to talking about something Ian's said or done. Usually me, true. I think reflecting back on the number of events like has been described, just try and calculate, you can't, but try and calculate the amount of mental energy and physical energy that has been wasted in dealing with these situations. I mean, it's an unfathomable amount of time that gets wasted, and energy that could be used, like you say, Scott, in a more

positive fashion, discussing real problems. So one thing I will say, though, is when you do have a legitimate problem and you need the community to help bring attention to that problem, the community has been very successful. You know, Oli, one of our security researchers, and his Namecheap thing, where we got a lot of amplification, we got the attention of Namecheap and they came to the table and finally took down a whole bunch of attack sites that they had allowed to be registered and allowed criminal activity to take place. So, you know, there are some good aspects to the community, and I think that should be pointed out, that, you know,

through fundraising, amplification of positive things that are going on, I think it works really well. But then we get to this slide. Mike, walk us through this slide, because I love it, this is exactly what we're talking about. So a sanitised example, really, of what you do tend to see quite a lot of. So somebody makes an honest opinion or declares a preference for one thing above the other, and then a random will wander in out of nowhere and eviscerate, to use Scott's word, and probably leave the original poster feeling pretty [ __ ] and wondering what the hell it was they did wrong. And we do see this a lot, and you

can replace some of the wording in this example for infosec stuff or views about politics or views about other things, and that is the exact result that you tend to find. It happens a lot, it happens all of the time, and sometimes, and I'm not the only person here that opens Twitter up in the morning and just thinks, [ __ ] it, turn it off, come back again later in the day. Yeah, I do that a lot, and that's what it feels like at times: toxic. Toxic. No, this is a perfect slide, though, because this is exactly it, that we are putting that [ __ ] into the planet

and then complaining the planet is dying. Like, we are creating our own mountain of [ __ ]. Like, let's just stop. Ian's point about, you know, some positivity in the community: take 10 minutes, just stop and think and just go, hey, do you know what, this isn't worth it. Deal with it via DM, sleep on it, or just do what Mike does and just go, [ __ ] that for today, I'm not dealing with it. That is probably the best thing. If we're just constantly... I mean, you can't be complaining about the environment while you're literally dumping the orange goop into the atmosphere, like it just doesn't work. Exactly right. All right, another thing

that we tend to see a lot of is the rise of the vendor bash, and TikTok's a good example of this. So we're all generally a little bit unhappy about how vendors or providers such as Facebook and Google and Twitter and so on and so forth may or may not use your personal data for various different marketing and advertising campaigns. We know that that actually happens. I think, John, you told a really funny joke about it, it was to do with somehow checking your phone to see which brand you'd spoken about yesterday, and that was kind of a really cool joke. That's not a

joke. Yes, this... or is it? Yeah, is it true or not? A lot of people, I see it, I saw it the last few days, several people were tweeting, yeah, spoke about something very typical and then the next day it's in my ads on Facebook or Twitter or whatever. So I've had that experience too. And as we're all aware, during lockdown certainly there has been a significant uptick in the usage of certain apps, and this particular platform, Zoom, is a perfect example of a massive ramp-up of usage during the COVID crisis, and similarly with TikTok, and that's for kids and adults alike using TikTok to share information

and communicate. And guess what happened? Everybody went, ah, it's a Chinese company, they're obviously stealing all your personal data for various different political, military or industrial reasons, and we hear it all the time now. A good friend of ours, Elliot Alderson, or fs0c131y, you may know him on Twitter, he did some extensive research into TikTok and actually found that they are operating in no worse fashion. That's not necessarily great, but they're not operating in any worse fashion than some of the American social media giants, such as Facebook, such as Twitter. They're only collecting similar types of information. There is no evidence to support the accusations, mostly on social media, funnily enough, ironically, that

TikTok is somehow mishandling data. And again, it's a bit of history repeating itself. Every time a new platform rocks up, Zoom being the example again, people get on it and trash it: oh, your security is [ __ ], you shouldn't be using the platform. And who was the company that Zoom bought really early on? Keybase. Yeah, Keybase, because people were demanding end-to-end encryption. And it was really interesting, because as much as the audience and folks wanted to demand end-to-end encryption, there's a concern that end-to-end encryption would prevent legal investigations into child exploitation being conducted by Zoom. So, you know, there was an orchestrated effort that, you know, end-to-

end encryption was going to be like, we need this because we're the good guys and we want to keep our stuff secret, while when you build a feature, that feature can be abused, right? And it's naive to think that that isn't a realistic threat model. So Zoom had to be very careful about how they went about this, you know, especially when they have a premium offer where you can use a free account with very little account validation, or, I would say, authenticity. So I just want to add to Zoom and end-to-end encryption. So firstly, Zoom, the security was lacking initially, I will give that, but the important thing is they

basically took like three months and said we're just going to entirely focus on security, and they deserve full credit for that. A lot of companies could learn a lot from that, and the result of that is they now have a pretty strong and secure platform. The other thing about end-to-end encryption is it's becoming, in a sense, marketing guff. Take WhatsApp, for example: end-to-end encryption, okay, great, but how do you think your messages get synced when you log in from another device? Your key is stored somewhere within the platform, it has to be. So the whole notion of end-to-end encryption, technically it is, but there is a way for others to maybe decrypt.

Yeah, absolutely. Yeah, and Garmin, what was the other example with these guys? Similar sort of story. Yeah, well, you know, here is a giant company making an awful lot of money, decides to collect a whole bunch of personal data from people using apps for running and for outdoor adventuring. They get pasted with ransomware, we think it was Evil Corp with WastedLocker. They pay a $10 million ransom, and going back to, I think it was Sean's earlier point about, you know, it's easier to pay the parking ticket, especially when you've been paying premiums to an insurance company for years or months, it's kind of like buying your parking ticket in

advance. It gets better, they get tax... I think they got a tax rebate from it. Yeah, it's quite possible they did as well. Yeah, and then possibly a bailout under COVID. So here's a problem, because Garmin just basically gave the entire internet a [ __ ] you by paying 10 million to a country where these guys are operating in. So let's assume it's Russia, where 10 million US dollars turns into about $70 million US worth of development for the next version of WastedLocker. These people and universities and hospitals that have not learned from the countless warnings and alerts sent out by every government agency about this

threat and how to mitigate this threat, which is have backups, okay, that are stored offline so that the bad guys can't get at it. All of a sudden we are continuing to go down the road, and because of the cyber insurance industry we're kind of seeing this uptick in the amount of money available, and I made a joke in another presentation that part of the new ransomware will be a questionnaire before the ransomware hits, saying essentially how much cyber insurance do you have, because we'll now calculate your ransom based on your policy holding. So this is a very sad state of affairs, and currently, again, from a justice perspective, from a

regulatory perspective, you know, we don't have the kind of teeth to deal with this type of scenario, to hold the companies accountable. We have two systems so far that haven't worked particularly well. One is the class action, which takes way too long and moves itself ponderously slow and takes an extraordinary amount of money to get any sort of justice out of these organizations, and Marriott, the annual data breach company, they have recently been subject to a class action lawsuit. But consumer advocacy groups, consumer protection groups need to get a hold of this, because it's just completely unacceptable. There's a duty of care to safeguard this data, and

really nothing is being done to ensure that insurance isn't used as a loophole to pay these ransoms. Not that I have a strong opinion on this [ __ ] at all. No, of course you don't, clearly. But the other important point, I think, around cyber insurance is it doesn't cover you for any kind of legal or authority action. So if you receive a high fine from, for example, a Financial Services Authority or Financial Conduct Authority or the ICO, you can't rely on your cyber insurance to pay that fine, because it won't cover you for it. That's a really important point. John, did you want to say something? Yeah, yeah, the GDPR in a certain sense has the opposite

effect. Not... it's good that they get sanctioned, but also a lot of ransom attacks are data breaches now. It was debatable before, but now, anyway, when it's against the bigger companies, it's with extortion, so with leaking the data, so we're talking about a data breach. And then again, the fact that GDPR has certain fines that can be given to the companies makes that the criminals will just ask more money as well. So it's a good and a bad thing. mik hion talked about it several years before, even before the GDPR was in place, and it's true. I think maybe it's only a slight increase and then there are

other factors that make the amounts a lot higher, but I think GDPR in a certain sense has an impact as well. So I'm agreed. Sean, did you have a point, mate? Yeah, I just wanted to, like, piggyback on Ian's point, but making that clearer: paying ransomware is literally funding the criminals. As soon as you pay, pay their farm, guess what, I got a bunch of money, so hire more developers. Yeah, yeah, but if you don't pay the criminals and you don't have a choice, it could very well be the end of the game, certainly for some companies. But this goes back to a point that, you know, as ABAC bloke, and as Sean

and yourself working in the application space, the tools out there to ensure that the code being used for the website doesn't have vulnerabilities, that should be part of a QA process, it should be part of a security assessment and review process. I would suspect, and I don't know for sure because I haven't seen a technical report on Garmin, we may never see a technical report on Garmin, but when we look at the OWASP Top 10, when we look at the lack of CSP and SRI on websites, I mean, these are just like these services that are being stuck out there on the internet and nobody seems to give a [ __ ] about whether or not they

can be vulnerable and they can be attacked. Agreed, and it's not just the app space either, it's infrastructure too, you know. So there is still too much infrastructure being built in an unsafe fashion out there. A lot of companies are at a very low maturity level with regard to security, and then you can fix, obviously, the big holes by doing penetration tests etc., vulnerability network scans, but there's more to it. You have to start with the basics, with a secure development lifecycle and these kind of things, otherwise, yeah, it will happen over and over again. I just want to make one point on this last issue. So if

you look at the APT group that we track at sck called Twisted Kitten, they go by a variety of different kittens, referring to Iranian operatives. The Iranians have gotten really good: from a disclosure of a proof of concept, a PoC if you will, for a vulnerability in infrastructure, within seven days they have made a commercial exploit for those vulnerabilities that are dropped. So they've attacked the VPN vulnerability, Citrix, and currently they're smashing F5's load balancers, and before that they were doing RDP boxes that were unpatched. So the ability of these cyber criminals to exploit these vulnerabilities kind of makes a joke out of a vulnerability

management program if you're looking at it every couple of months, whereas in seven days, you know, the vulnerability is weaponized and tearing across the internet. So yeah, absolutely right. And this slide is not directly connected to what we've just been speaking about, but it's an example, really, of again where somebody's got an idea in their head about malpractice at a global organization. The example here is when Bloomberg reported that Supermicro, the Chinese motherboard manufacturer, was inserting, in quotes, a grain-of-rice-sized chip that contained a backdoor to Beijing, and that was absolute nonsense. And they claimed that Intel were consuming this technology, Apple was consuming the technology, and they are

obviously the biggest players in terms of hardware manufacturing, and both of those organizations came out and said, no, that's just [ __ ], it's not even true. And correct me if I'm wrong, I believe Bloomberg is still running this story. So yeah, they haven't retracted their assumptions, and they're not wrong, that's the problem. So when you look at a motherboard and the BIOS and the iDRAC and the CPU itself, especially an older generation CPU that has Spectre vulnerabilities, if you take the view that the computer hardware stack from the motherboard on up, and if you've got like a Broadcom built-in network card, you can make the argument that there's vulnerabilities that could be exploited

by China or some other actor to take over that computer at the BIOS or at the firmware level, or further up the boot cycle, as we saw about a month ago with this vulnerability in the boot firmware, the signing certificates for the boot firmware. So the problem is that Bloomberg took something and essentially, I think, really needed to explain it in simple terms that the general public could understand, and so they invented the idea that this was like a grain of rice, you know, that is being physically pushed into every motherboard. That's preposterous, as we know, and it's [ __ ], but us in

information security should realize that vulnerability is across the spectrum, right? It goes from, you know, each component potentially has a vulnerability, and I think where they really [ __ ] the bed was they weren't clear and attempted to take something and sensationalize it to gain a lot of social media, to gain a lot of, like, views of the report, when we all know that there's tons of vulnerabilities in the platforms that we use every day, ranging from CPU predictive stuff like Spectre and, what was the other one, Meltdown, or is that just me having a meltdown? So, you know, when you contextualize it, they're

trying to take all of these vulnerabilities and poke the finger and say, you know, this is the reason, when we all know it's much more complex than that. And so poor journalism, poorly executed, poor editorializing, sensationalizing, I think they're guilty of all those charges, but at the same time they're not wrong. But I think there's a term for it, isn't there, and it's FUD: fear, uncertainty and doubt. Completely, yeah, and that's what we tend to see time after time from, certainly, a lot of the media and government. All right, yeah, let's talk about the alleged skill shortage in information security. So who wants to have a chat about

that? I'd like to have a stab initially. Go. So I think people are looking at this as the industry as a whole, and you can't do that. My view is yes, there is a skill shortage in some areas and there's not in others. So I know in, like, application security, trying to find someone with a development background as well as security is pretty difficult. It took us a while to get some people in my current role, it took a while to find someone to fill that role, but there are other areas out there where there's quite a few people that are available and there's not. So we need to stop saying infosec has a skills

shortage, different areas do. Stop focusing on the industry as a whole, that's just my view. I agree. My two cents is that I think, less than having a skill shortage, we rather more have a recruitment competence shortage, insofar as organizations that are not necessarily security companies find it incredibly difficult to craft job descriptions and adverts that actually are realistic. And I'll take Ian's memory back a year or two when you shared with us an approach I think you received on LinkedIn or some such platform where somebody was looking for a unicorn, and the unicorn was an analyst, an engineer, an architect, a compliance officer and a head of security all

rolled into one person. Do you remember that one? Oh man, yeah, it was just the most ridiculous thing that I've ever seen, and we've seen some other stuff. I mean, IBM dropped a whopper where they wanted somebody with, what was it, 10 years of Kubernetes experience, and Kubernetes was invented like four years ago. So, you know, it is totally true. I'll support both what Sean has to say and what you had to say, and I'm going to go one further and I'm going to say this is a government policy problem. This is making the right investments and encouraging people to go into STEM, and if there is truly a skill

shortage, government policy needs to step up to the table. And I'll tell you this right now: there are a lot of developers available in other countries, and the government's concerns with regards to visas and not making our tech market available to those developers... we've just proved through this pandemic that a lot of us knowledge workers are capable of providing value and staying on track with projects by working from home and working remotely. You don't have to be in the UK. The only reason, you know, we are stuck within these geographical boundaries has to do more with tax and understanding, you know, what the various levels of

education are in the different countries. And, you know, we see this and it's like the government is talking at us with two messages. They're saying we want the tech industry to grow, we need the tech industry to grow, the tech industry is the engine of our modern economy, but at the same time it's like, hey, can we get an extra 10 million to fund more computer science classes, more hands-on networking, can we subsidize testing and certification? No, we don't have the money available for that. Right, so it's like, guys, either put up or shut up, because we're in an era now where those jobs can go somewhere else. Companies can

be located in the UK and outsource all of their development to Poland, Estonia, Iran, anywhere. Well, not Iran. I meant India, yeah, Iran would be a bad idea. Scott, John, anything to add? My two cents are just literally, I've seen someone tweet about this only two days ago, about getting through the HR barrier to get to an interview with a technical person and be able to explain the skill set they can bring and what they can do. And it is very much like, and I've worked at companies as well where you have either an internal HR department or, even worse, an external one that is using copy-paste templates based on other companies with other criteria, and

they've just meshed all this together and all of a sudden you're looking for unicorns. And when you actually show up to the job interview you're going, this isn't actually what I was promised as a candidate, but also the hiring manager sitting there going, wow, you actually have experience for a role we wanted, did you not apply for it? Yeah, but I got the knock-back from the company. Well, why? Well, because I didn't have 25 years' experience in Kubernetes. That's a shitty manager, though, Scott, and I see this all the time. This is where, you know what, if you're hiring a technical role and you're the hiring manager, you tell HR, send me all the résumés, and spend the

time and go through them to get the skills you want. HR doesn't know the technical nuances, they probably don't even know whether you're an open source shop or a Microsoft shop, right? And so if you're that manager, you need to take charge of this, because you'll get exactly what Scott said, you'll get somebody that's either completely overqualified or completely unsuitable. Yeah, all right, we should go to John for this one, man. John, I mean, what the [ __ ] is an influencer, the thought leader himself? Yeah, what is it actually, is an influencer someone who tweets and mentions like 10 people and hashtags every word? You know, first of all, influencers to me are

a good thing, the real influencers, talking about people that influenced me into diving deeper into application security, the Troy Hunts of this world and others. So that's a great thing, but the good thing about these guys is that they're not... yeah, they share a lot, but they're not looking to influence and just get the retweets and the likes. They build a profile, they post good stuff where you can learn from. There was, I think it was last year, when your following grows a little bit you get a lot of emails for, can you promote this and this and blah blah blah. One of the things was Lenovo, Lenovo ThinkShield, and it was a

security solution, and the point was, I mentioned these influencers, probably if you're active on Twitter you notice these patterns. They're like a retweet machine and they're starting to mention you as well in the hope that you start retweeting, and it's like they have 50,000 followers but they also follow 50,000 people, and it's just all about the numbers and about, yeah, one bunch of, yeah, blur. I never read it, I never click on these links, because obviously that's the opposite effect with me. And then with the ThinkShield thing, they got an email, there was the new, yeah, magic solution: if you have Lenovo ThinkShield, yeah, you're unhackable. But it's not that you

could test it or write a review, and they approached me and it was like, yeah, it's a paid, yeah, promotion, and then I was like, I didn't even react. And then a few days later I saw these people just tweeting, that I knew they couldn't have tested it, they were like tweeting, they recorded videos where they say how amazing it is, just probably all instructed by Lenovo. And it was not even, yeah, you could see from it, you know, that they're not doing it for free, but it's never, no one, they don't say it's a paid promotion we do for Lenovo, and it was so shady. And then they were called out by

some real high profile followers, and that's my entire point about that: just be genuine, don't retweet things you don't know about, and if you don't know, just say you don't know. You can't be an influ... yeah, you can be an influencer but you can't create that, just learn. And influencing, for me, is two people that tell you, well, your blog, that was amazing and I learned something from that. I like that, that's influencing on a really small scale, and if that's influencing, yeah, that's great. And if you reach more people, the more the better, but not like this. So that was my rant about

influencers. That's great, John, I think what you've covered is pretty much everything there. We're inside our last 10 minutes of the talk so we'll move on, but thanks, John, for that, I think that was pretty cool. Yeah, you know, we see this year in, year out, again, you know, vendors, and you just kind of spoke about it there with ThinkShield, and it's the next thing that's going to fix everybody's problems and you should love it because it's next-gen or artificial intelligence. I'm going to say quantum-proof just because it's Sean's idea. We've still been unhackable, there haven't been too many claims of unhackable this year, which has been good. I think quite a few

vendors have perhaps learned from the bit F of previous years and decided not to use the word. We see the word entropy being used a lot, and I think I wouldn't even want to dream of describing entropy to a nontechnical person, so we should probably stop bandying that term and others like it around. And that's really my take on it: year in, year out we see the same thing, our product will fix every problem that you have, even the ones that you haven't thought of yet, and it does become a little boring after a while. So I don't know, anybody want to quickly add? I still think artificial intelligence versus machine learning, two

completely different things. Marketing has decided that AI is the future. AI has a really, really tough time in a lot of scenarios and a lot of learning scenarios, so, you know, I don't think there's an entity out there that we can truly point at and say this is artificial intelligence. I don't think it's been invented yet, and I think it's completely overused and abused. Agreed, and because you would think that anything that's claiming to be artificial intelligence in today's world would have to have taken its initial instruction from a human. A shameless plug: I've started a GitHub page, a page on GitHub, that

contains all these terms and why they're rubbish, and my whole idea behind this is let's try and help some of these marketing departments so they can look to this and see, hey, why is this a bad idea, we were going to use it, maybe we should think about it before we actually do it. So rather than just trying to do a dumb pile-on and that, let's see if we can help them, so that's the idea behind it. Shilling, shilling. Yeah, but on the subject of entropy, though, I mean, that brings us on nicely to the next slide, where we're just all fighting about the same [ __ ] constantly.

How many Twitter experts have you seen fighting about password entropy in a user thread, where they're like, hey, use three random words, to a random, a total, what I would call a normie who does not give a [ __ ] about entropy and they're using their dog's name PH2 as their bloody password, and someone says, hey, you should probably use three random words, which is a good step forward, and then there's all these experts coming in arguing the toss about entropy. [ __ ] off, it's totally useless. Yeah, it's interesting, isn't it, and we see it with passwords, we see it with HTTPS certificates, TLS, should we patch, shouldn't we patch, if we should patch,

which I think we should do, then how frequently should we do it? And then recently I put a Twitter poll out around which certificates, as in certifications, are the right ones for a security professional to be looking at, and I did it kind of cheekily, because CISSP just about won that poll. But two years ago everybody was hating on it, it was pointless and nobody should get involved with it and people should do the CompTIA stuff. And then once upon a time the CEH, the Certified Ethical Hacker thing, was new and everybody thought it was a great entry point, and then three years later everybody hated

on it and said it was a complete waste of time. And that does two things, really. One is it kind of takes a [ __ ] on the people that have spent a lot of time and in some cases a lot of money in doing these courses, because they had it on good information that they were the right thing to do. And the second thing is it leaves them completely confused, that they've completely focused years of their life on the wrong learning path. And I think we need to get better at deciding on what the right approaches are very quickly, and I know you're a

CompTIA faculty member, do you want to just say a quick 20 seconds on something? It's really simple, in fact. Trident Search, who is a great partner in the community, always looking for CTI people for us and stuff like that, they asked me, Ian, what do you think of certs? I said certs plus experience equals success. Experience alone can bring you success, but it actually narrows where you can take your career. But the most important thing about the cert is understanding the language. If you tell me that you've been on three certification courses but you never got around to writing the exams, that's okay, I mean, sure, maybe

you should have written the exam, but life happens, [ __ ] happens, people run out of money, whatever. But at least I know that when I talk to you about a technical subject like a firewall or a proxy or DNS, you'll know what the hell that is, right? And so I think the cert maybe just gives you a commonality of communication and language, and it's not necessarily like, you know, it shouldn't be treated, in my opinion, as an exclusivity. Just because you don't have a CISSP doesn't mean you can't do a security role, right, in an organization. And getting back to Scott's point is that, you know, if HR is

screening and has pile one, CISSP, and pile two, no CISSP, then that's a huge problem, because you might miss some really valuable, really experienced people in that pile that never got around to doing the cert or never had the economic capabilities of doing the cert. Yeah, cool. Okay, we're into the last few slides now, and this is just a quick example of companies that think that they're bulletproof and they've spent a large amount of money on the security posture and it couldn't possibly be broken through, and through the front of your helmet, yeah, fatal. And we are still arguing about the same issues, and that slide is really just to remind everybody of everything

that we've just said. Okay, you know, Mike, I think invading Russia is a great idea, it's coming up to winter. But there is some good stuff happening, okay, so we want to end the presentation really on a high note. Communities do continue to thrive and new ones spring up all the time, and, you know, I can think of security Qui que, been a great example of that. The Many Hats Club have been around for a long time, I think they've got about 8,000 members now in there, and that's a quite broad spectrum of people across all disciplines of security. You may well be familiar with InfoSec Happy Hour, which is a little

thing that Sean came up with back in March, and we kind of took it on to the next level and turned it into a weekly Friday evening virtual pub, which was brilliant, and it really gave people an opportunity to come together that wouldn't normally have got any time with each other and forge friendships, and really lasting friendships, and I think that's been the real win for InfoSec Happy Hour. The Beer Farmers have stepped away from it last week as a thing. It's now in the hands of a capable bunch of people that are going to run forward with it, but we hope, follow them on Twitter, they have a Twitter account.

They do, we never had a Twitter account for Happy Hour, there is one now. We'll continue to be involved in it, but it's gone from strength to strength, and Scott kindly produced that graphic which gives you an idea of the kind of numbers of people that we had involved in that, and it was great. And again, you know, unlikely friendships are made, cross-border friendships, you know, friendships around the planet have been made, and that's been incredibly heartwarming for me at a time when people have been really down and struggling with maybe mental health issues, even physical health, and Happy Hour and things like Happy Hour and other things that do exist have just made

life a little bit more bearable in the time that we've been, you know, in things like lockdown and stuff like that. And we do need to break out of the echo chamber. We've talked about it a lot, about the arguing and the fact that we all agree with each other or we all disagree with each other, but we need to break out of the bubble and start taking the information out to the people that matter, which are the users out there, and whether that's your enterprise users or your friends and family using social media, we need to be getting these messages to those people. And that's something we all need to take away and think about going forward, is how we

stop patting each other on the back endlessly and actually go out there to the world and make the internet a more secure place for the average person that's making use of it, and act as exemplars. Yeah, shout it from the rooftops, let's get out there and spread the good word. Yeah, and actually add value to what it is that we're here to do. So yeah, pay attention and learn from the things that have gone on in the past. We've given you plenty of examples of where history's repeated itself and we've not moved on from it. Be really careful on social media, if it's a battle you don't want to get involved in then don't be tempted to get involved in

it, because it can ruin your day. Do what I do and what John's increasingly doing, which is take a break from the social media, come back when you're feeling a little bit fresher. Be respectful of others, there are people that know a shitload more about things than you do, so be mindful of that, and you know a shitload more about things than other people do. So everybody knows, nobody's the same, we're all different and we've all got different anxieties and aspirations. Let's try and break out of this cycle of talking about the same things all the time and start innovating with some of our thinking and action. And then, again, remember who it is

that we're dealing with. We're dealing with people that are out there that are not necessarily technically savvy but have got every right to be secure and have every right to privacy when they're operating online. And we just about kept it in time, guys, just about. So thank you very much if you were here and listened and watched on our various channels. Thank you very much indeed to Sam and Ben and Phil, the organizers of the conference, for having us on, it's been a real pleasure. And if you want to follow us, or unfollow us, mute, block and report us on Twitter, then that's the way you go about doing it. And thank you

very much for your time. I think we haven't got time for questions, but if you want to contact us, you know, use our Twitter handles and drop us a line, I'm sure we'll be more than happy to answer any questions that you've got. So thank you very much, and I'll hand you back to Sam.
