
Well, good morning. It's a huge honor to be here, especially doing a keynote for such a cool conference. I am a self-proclaimed old fart of the industry. I've been hacking since 1992, and it's quite cool to see this many conferences and this many people involved and passionate about an industry that was really, really small where we started. And even more so because, you know, over the last couple of years Hollywood really has gotten into the whole hacking scene, and we have amazing movies that depict hacking today, because everybody today writes worms like this, you know, Hugh Grant, and we tap away at the keyboard, and it's quite cool. But the dark reality is that hacking as an
industry has become so mainstream now, when my mother-in-law, who is 64 years old, gets hold of me when she gets a phishing message to say, "Is this legit, or am I going to be attacked?" So Mike, this is quite a cool experience for us to be in. And just have a show of hands: how many of you are quite new to the industry, less than two years? So a fair chunk. So welcome. And Portugal has quite a close place in my heart. In the early days of South Africa, when I started to learn to hack, South Africa has a very large Portuguese community, and there are a few hacking groups from Portugal that really did some amazing stuff back in the days.
The first was Full House. I doubt there's anybody here from Full House, but Full House were really cool because they were kind of one of the first major exploit groups out there, and they did a lot to really advance the whole exploit world, and it was quite cool to be able to come and speak in Portugal because I knew that they were doing it. You then had Toxyn, and what was interesting about Toxyn was Toxyn, for me, was one of the first politically motivated hacking groups out there. At the time East Timor was being invaded, and they decided that they were going to go after anybody doing bad stuff against that country. And bear in mind this was 1994 that they
were doing it. And then finally, it wouldn't be an industry without trolls, and our industry does really well with trolls, and for that we had F0rpaxe. F0rpaxe at the time were a very annoying group, but they were very good at trolling a lot of people on the internet back in the day. Their ultimate, you know, downfall was that they decided to hack a US military organization, which is possibly not the best thing to do if you're a small group. There are a few countries in the world you generally try not to piss off; US military is one of them. But what kind of happened is that, like I said, hacking has become really
big and mainstream, and we now have amazing TV shows that actually do depict what it's like to hack. Now, a lot of you will realize it's not the most glamorous thing in the world. We are sitting looking at screens, tapping away, wondering why stuff doesn't compile: "Damn it, it worked yesterday, why is it not working now?" But the cool thing is that everyone still thinks it's quite an intriguing industry, and actually it is, if you look at it. Now, there are still some instances where Hollywood gets it wrong. NCIS spins it, because I think we all do double hacking, right? Definitely a thing. And it's quite interesting to see that that's how a lot of the
insiders view our industry, and no more so than the last couple of years. There's been a whole wide range of incidents that kind of happened to our industry that's made hacking and hackers quite predominant in the way that we shaped the world. This gentleman, his name is Marco Ramos, he is the San Bernardino District Attorney, and I think it was last year, year before last, when the San Bernardino terrorist incident happened, where an active shooter went around shooting people. They gained access to his my phone, sorry, and he came up with a quote that has never left me. He said that there might be a lying-dormant cyber pathogen on the phone, and that
sums up for me what a lot of outsiders think about our industry. They think that we create chemical weapons with our code. And in hindsight, the more I've thought about this quote, the more of it actually rings true, because we live in a time now where through our keyboards we can control companies, we can control continents, we can of course shape how history is made, all through keyboards. And if you look at the FBI, they sum this up quite nicely, because they now have their own Cyber's Most Wanted. Now, this is the infamous GRU hacking team, for those of you who don't know: Russian spies who become hackers. Not the best hackers, because if you're gonna go and hack the, you know, companies
that look for, say, doping, you generally don't do it with a Pineapple outside of a rented car, sitting looking really dodgy, because four burly Russian men with leather jackets, they are "we gonna do some hacking", though, doesn't it really fit in. OPSEC, bro. But still, they got caught. But the fact of the matter is we still have the FBI, who now has a dedicated cyber page, and this is fascinating. We've come a long way. So how many of you here remember the old dancing baby? Was wild. Back in the early days of the internet that was cutting-edge, and for those who don't, you missed nothing, trust me. This is what we thought was cool. But the irony is we now have 5.1
billion mobile phone users. 5.1 billion people now use the internet today for practically most of their digital life. WeChat was launched the other month. WeChat is a great way of paying for money using WeChat. It's a phenomenal thing. In the first week they gained a hundred and thirty million customers. A lot of the stuff that we build and we engineer and we pen test and we hack today impacts more people than we've ever imagined. So that asks the question: surely security is getting better, right? Not sure about that. And this is a report from Accenture understanding how some of the breaches are happening, and some of the stuff is quite telling. As somebody who's been involved
in security for a very long time, it's also a little bit embarrassing, because malware is up, web-based attacks up, denial of service up. The fact of the matter is it's never been easier to hack. We now have the likes of YouTube, we have more information being shared than ever before, and yet seemingly we're still struggling with making stuff quite secure. And that moves into the next one: you can't talk about hacking without talking about politics. The fact of the matter remains, our weapons are our keyboards. I know that's a very cliche thing to say on a Friday morning in Lisbon, but the reality is quite true, because organisations and government units are now using a lot of our research to
seriously start impacting normal human life. So it's a known fact that the Saudis are not the nicest players in the world, and this story came out, excuse me, the other week, where it turns out that they were going against human rights activists and owning their devices and forcing them to say nice things about His Royal Highness. They managed to do so from a company that I will happily call the internet cancer, NSO Group, a company that loves to peddle misery on to lots and lots of people around the world, and they do so to the highest bidder. Then last week we learned about the China Cables. Now, the China Cables was quite interesting because we finally got
insight through a lot of leaked documents as to how China is creating the biggest mass surveillance system this planet has ever seen: surveillance of Uyghurs, the Uyghur Muslims, against people who go against the Chinese government. And they do so through a massive complex network of surveillance, infiltration, exfiltration and tracking of people, and that is facilitated, by and large, by our industry, and our industry helps all of that. But the good thing is we also have a lot of internet cyber sleuths, and I know there's a talk later about scanning the Internet, and it's because of stuff like this, where Victor Gevers managed to find this company who was working with the Chinese, you know, Communist Party, called SenseNets,
who struggles with security just like everybody else, and they somehow managed to leave a lot of databases online. Those databases showed how big this problem was: six point seven million location points linked to people, tagged with descriptions such as mosque, hotel, internet cafe and other places where surveillance cameras were most likely installed. We've helped facilitate such an industrial surveillance system through a lot of our research, and I think that's one of the things that's concerned me as a researcher, as to how much we're helping these countries do really bad stuff. But at the same time, human beings also helped us along. So this is an app on the left called Zao. It is the most
downloaded free app in the Chinese app store as of September this year, and I'm sure many of you have tried it. Did anybody else try the Facebook app where you manage to age yourself? Show of hands. Nobody tried it? Phenomenal. And this app might seem quite innocent: you can pretend to be your favorite Chinese movie star or anybody else. The harsh reality here on this app is that it was actually used to train machine learning models to do surveillance of persecuted minorities, because how else would you manage to train models on millions of people without saying, "Here's a cute app, run it. Oh, you look like Leonardo DiCaprio, that's great"? The reality is that we're helping a
lot of these regimes do ugly stuff. And then you have companies that shape democracy itself. Now, unfortunately, I live in a country called England, and England is full of weird racists who think that exiting the United Union was a good thing. Now, it's a bit of an embarrassment, but the reality was that the Brexit campaign was not a free and fair campaign. It was manipulated by a company called Cambridge Analytica. Christopher Wylie was one of the data scientists, and they had a simple idea: what happens if we bring big data and social media to an established military methodology, the methodology of psyops, psychological operations? And what they did was they targeted individuals in regions of the
United Kingdom where they knew that they could subvert their thoughts and force them to vote for something they never really thought about, and do so by constant bombarding of images, of messages and so on. And that's effectively how Cambridge Analytica worked. They used SOCMINT, they used HUMINT, they used SIGINT, they used a lot of military terms, and they managed to sway an entire population to vote for something that was incredibly stupid. But they also did it against the US electoral, using technology and ideas that were spoken about at conferences years before. So it's really hard to go through and do what we do without understanding the impact that we have in the world, and
from a personal perspective that's impacted me eight times. Now, this is APT33, the Iranian National Guard, and as with all countries out there, they've made use of hacking techniques to gain access to information and ideas that wouldn't necessarily be part of what they would normally access. Iran has plenty of sanctions on it, so the only way they're going to get access to information is through breaking in. And we learnt last year that unfortunately Iran used a tool that I helped push out onto the internet, called Ruler, and that was how they gained access to a lot of large-scale industrial enterprises. And it's quite an easy with you when you realize that something that you help
build, your proof of concept, the stuff that you thought was good in trying to change the world, was actually being used for evil. But it also made me realize that you can't be naive in this industry. Do not think that we are being watched quite heavily. That wasn't also the first time; there's plenty more as this tool going to. Then finally, the juggernaut in the room. Everybody here's aware of Kim Jong-un. Probably built the greatest hacking team ever known to man, loves to ride horses and takes long walks in forests. But what he did do was weaponize North Korean aspects so that when they target companies or countries there was not much you could do. To give an example: if
North Korea is attacking your network, what do you do? You can go to local law enforcement, who will probably look at you and go, "I don't know what you want me to do, it's North Korea." You then go to your politician, and your politician will probably say, "It's North Korea, it's tricky, there are sanctions, but they also have nuclear weapons and they're pretty big." That was the effectiveness of North Korea. And what Kim managed to do was do something that a lot of smaller criminals wanted to do for a very, very long time, and that was break into banks, and he did so in Bangladesh. But what was interesting about the whole process was his team adopted very similar agile
approaches and techniques that had been spoken about for a very long time prior to that. So here are two pieces of malware. On the left, it was the sample submitted from the Bangladesh SWIFT attack, right. On the right, this was a relatively new sample that's been pushed in. And the one thing, for people who can't read assembly, is that you'll see that the code is very similar but it has small modifications, and that was key to how North Korea does a lot of their intrusions. They never stopped morphing, they never stopped changing their code, right. Because the one good thing that came out of the Bangladesh hack was that the global SWIFT network finally realized they had
to make stuff a lot more secure, and they did so. But that didn't stop the North Korean Unit 121 or Lazarus or any of those small groups inside the industrial machine that is North Korea from adapting modern techniques that they saw at conferences, and they saw online, they saw on GitHub, go, "How do we stay one step ahead?" Now, instantly, that sample on the right would break YARA and a lot of other signature-based detection moon booties. So for all casein matters, North Korea was very good at keeping up to date with what the security industry was doing, but they also learnt a lot from what we did. As I said, Kim Jong-un has got some
fantastic taste in horses and, you know, photo photography. I wouldn't like to be the photographer who was told to take a picture of Kim Jong-un and, you know, if you get it wrong your whole family's wiped out. But the key thing is, if you look at any of the breaches that have happened from North Korea, there's key things that we can learn. One, the attackers had access to companies for a very long time, in some cases over 180 days, which means we as defenders and we as the security industry are very bad at detecting when stuff is happening inside our networks. Two, the malware was compiled days or hours before actually being used, and this was really interesting because a
lot of the times when you do a red team you don't necessarily do it on the fly. The North Koreans realized that by doing it on the fly, often they were able to bypass a health road protection mechanism only they made use of innocent Decrypter, often stuff that was found scraped from GitHub. These were innocent projects that somebody might have pushed online thinking, "Who's going to be using this?", when in reality it was being used to break into banks. Finally, they did something that we've been doing for a long time: they didn't work in office hours, they didn't keep in scope. These are attackers breaking into stuff to steal lots of money. So they were
learning a lot from what the red team and pentesting industry has been saying for a long time, but it's just we weren't very good at acting about it. But all of that pales in comparison to the real master hacking crew, and that's China. One thing you have to hand to China is that they've managed to industrialize and weaponize hacking like I've never seen before. Interesting story: Beijing decided and predicted that the demand for air travel in its growing middle-class Chinese communities would outstrip demand and supply, so what they needed to do was build a turbine engine that could facilitate the Chinese movement across the world. And part of that was they wanted to make sure that the China
approach of being an advanced manufacturing leader was in operation, and to do so they decided they were gonna build a plane, and that plane was the C919. Now, what was different about this plane was that it was going to be half the price of any Western equivalent. Now, for any of you who have been involved in the aeronautical industry, it's a very complex industry. A single plane is made up of many, many companies with many, many different parts, all right. You don't have a single plane built by one country or company. So what the Chinese did was they thought, between the period of 2010 and 2015, they would use their amazing hacking teams, which was a
combination of Chinese underground hackers and the Ministry of State Security, MSS, and they would breach most of the companies in this picture, and they would become sleepers in the network. That was the first thing. The second thing that they did was they partnered with a company called CFM International, which was a joint venture between France and the USA, and that is the LEAP-X engine. That's a phenomenal turbine engine which could be used for both the airplane and the ministry at the military in the industry. They signed the agreements, but what happened a couple of years afterwards was China said, "We need to make our own." So, making use of underground hackers and MSS, they came up with this amazing engine
that had multiple similarities with the LEAP engine, stuff that was damn near identical: dimensions for turbofan blades, how it operated. Now, the cynical person, and you might think, maybe it was just your thing, you know, two designers working on an engine separated by an ocean, it must be the same. The reality is China made use of the most powerful weapon that we've ever seen in hacking: HUMINT. Now, for those who are not military based, HUMINT is the art of the human. What China did was they managed to put a whole lot of insiders into a lot of key important companies and use those insiders to help feed and grow the Chinese drive to become the most advanced manufacturing
country in the world, and they did so by using exfiltration, by using covert comms, by stealing lots and lots of data. And this is a fascinating story, because what MSS did was they attended conferences, they attended Black Hat and DEF CON and BSides, and they looked through GitHub, and they looked at people pushing out proof of concepts, and they used that information to really push forward the main goal, and that main goal was exfiltration of data. So it's a deadly I said on the Black Hat Review Board, and we review thousands and thousands of submissions every year. Three years ago we noticed a complete drop of any submission from any Chinese researcher, and it was interesting because at the
time we would get a lot of very good research from Chinese researchers, but that all pretty much stopped, and it was due to the Chinese government saying, "All your research now belongs to China. You do not publish it anywhere else in the world." So we could see the control that a country would have on the hacking community, and now, as we started to dig further and further, we start to understand the impact of that research. And then finally, like I said, you can't talk about the internet without talking about its cancer. Anybody here familiar with the NSO Group? Couple. NSO Group is a charming company based in Israel, and effectively they are a lord of war. They will, for a
considerable amount of money, sell you access to people's mobile phones and digital devices in order to exfiltrate data. Now, unfortunately, they don't care who they sell it to, unlike, you know, normal countries, but we don't generally go after those who try particular rights, and NSO Group will go after anybody for you. And they built this amazing framework called Pegasus, and Pegasus is effectively a C2 malware delivery framework on steroids. The average cost is about fifteen million, and it works really well because it has all the things that you'd expect from a commercial weaponized C2 framework. We've got our installations, we have data collection, data transmission, and presentation and analysis. But what Pegasus managed to do was make it
point-and-click easy for any operator to go after people, to deliver malware now with us undetectable, and then use that against those people. And this framework managed to collect a lot of data; effectively everything in your mobile phone was fair game. Now, in recent months there have been reports where the NSO have managed to have a finger put into their eye, notably from Natasha at Google Project Zero with the WhatsApp bugs. Their reach was like something I'd never seen before, because you now had regimes like the Saudis and the Bangladeshis and everybody else who you would never want to have a weapon like this have access to this to go after really key people. NSO Group managed to do this through a
lot of our research, and they made use of a lot of the concepts that we talked about, the ideas and the proof of concepts that we push out, to do this kind of damage. And to give you an idea of how bad it was: in Mexico they decided that the sugar in soda drinks was a bad thing, and rightly so, so there was a sugar tax coming in. And, you know, child obesity is getting worse; you know, we know for a fact that sugar in the likes of Coke and Fanta and so on is not the best thing. Well, it seems that certain organizations would have lost a lot of money about this, so what they did was they targeted
the politicians who were trying to bring in this law, and they did so using NSO capability. But they took it one step further. Out of interest, how many people in this room do pentesting or red teaming? So a fair few. What they did was, for the individuals that they knew that they could subvert and they wanted to keep tracks on, they sent SMSes. Now, this SMS basically said, "Mr. Simon, your daughter was in a grave accident, really bad condition, you need to come to the hospital now, here's a link." Now, it might look really, really lame to a lot of the red teams and pen testers, but this was really effective, because I'm a father of two boys, and if somebody had to send a
message to me saying, "Hey, one of your kids has been in a bad accident," you kind of do lose the ability to think clearly. And they sent hundreds of these messages to everybody involved in the sugar tax thing, and this was all facilitated by NSO technology. But it's not always been like that. So, the early days of hacking: like I said, I started in the early 90s, and that was a phenomenal time for me to be in the research world, because the internet was kind of growing up. We were starting to see this thing called the World Wide Web. Yes, to those who've never imagined it, we didn't have the World Wide Web. It was really bad. But we also used a lot of
creativity, and so in 2001 I helped build a project called Smoothwall. Smoothwall was a firewall, and at the time I was working at a company called Pierce on it, and at Pierce on it my main job was helping to build the first generation Internet. Now, hosting was really, really expensive, and we also needed to put out a patch for a vulnerability that we found in SSH. So what we did was, well, what I did was, using my hacker mindset, was that the one four six one oh one one 26.9 IP address was actually a hosting server I'd commandeered to push patches out, because I couldn't afford hosting, it was really expensive. So I thought, well,
let me just borrow somebody else's. At the time that was the hacking mindset, you know: we built stuff, we explored stuff, and we did lots of interesting stuff. And now, when we were finding bugs, we did share it among other people. So earlier I mentioned Full House; you know, there were a lot of shouts going out. You would find a bug, you proved that it was an issue, you'd write exploit code. For my sins I wrote it in Perl. Don't judge me, it was a different era. And when you were bored of the exploit you were either moving on to a friend's group or you'd do a trade. Just like Pedro talked about yesterday, trading hardware, we used
to do the same with exploits. Now you would be an idiot to do that, because you'd make a lot of money, so nobody trades exploits anymore, at least that way. But there was one incident that kind of started a massive movement against this, and that was CVE-2002-0392. I'm sure a lot of you probably would remember this one, but that was a chunked encoding vulnerability for Apache 1.3. Now I'm really showing my age, but effectively, if you sent a payload to an Apache web server, bad things happened. But it's fine, because we had experts, all right. So we had this company called Internet Security Systems, Picross rueland, and these experts decided it was
not exploitable, right. They were strict about that: cannot exploit it. Thankfully there was a group out there called GOBBLES. GOBBLES were phenomenal, they were a breath of fresh air, and they decided, "You know what, actually we're gonna look at the code," and they said that the experts have said it is not exploitable on 32-bit *nix variants, it's only invoke exploitable 132. And what GOBBLES did was now the infamous apache-nosejob exploit that targeted both Sun Solaris 6.8, FreeBSD, OpenBSD and Linux, effectively 99% of the internet. This single exploit was used a lot. It was used against Theo de Raadt. They took down a server called monkey.org. monkey.org was a server for a lot of
the big security researchers of the time: Dug Song, K2, a lot of people. Their server got owned. In fact, apache-nosejob was used to break into so many servers then it wasn't even funny anymore, because if you won the Internet there was no patch, you were being rampaged, I'm mad. Now, that kicked off a massive amount of discussion, and instantly this happened yesterday. So zero is a friend of mine, and she managed to tweet out saying responsibly disclosed bugs published with the proof of concept are doing more harm than good, since they're being weaponized and used by attackers. This is not a new argument. This argument has been going around for a very, very long time, actually 20 years.
20 years ago a very, very annoying at the time group called el8 published a series of zines. el8 was the start of the anti-security movement, and what they wanted to do was eliminate the entire security industry that did reports about news, about exploits, about proof of concepts. And at the time it was quite annoying because they termed it Project Mayhem, and this couples logged experts how they had was the basis of them saying, "Enough now. By us releasing the research that gives attackers the skills and the tools they need to do, we're not doing anything good for the Internet." And it was pretty good, because, you know, at the time I was on the receiving end of
this, and a lot of people I would expect to read this, but effectively they wanted to stop people pushing it out. There's one site there that you might notice, called hack.co.za. That was probably one of the first exploit sites that I was involved in and helped run. We used to give away exploits, very similar to milw0rm now, but effectively we were hey one-stop Google for him when it came to exploits. Bear in mind this was 1999, and we used to host it, and we used to get owned a lot, and we used to move it around. In hindsight, probably not the best thing to do, but we were young and naive, and it
served the purpose that we thought, but it was a key part of the scene back then. el8 took a lot of offense against this, and their message now, if you look 20 years later, is quite important, because, you know, for those who remember Bugtraq, Bugtraq was effectively the place you'd go to disclose all the bugs you had. It was also great as an attacker to understand what I could own and what I could weaponize, and they went against it. This kind of made me realize that, I know my Portuguese is so terrible, that something had to drastically change. Now, like I said, I've had a lot of personal backed where people were using
our research for bad. So I used to run a company called SensePost, and we used to put a lot of offensive weapons out there. One of the weapons was called Kwetza. Kwetza was an idea by Chris to take an Android APK and easily backdoor it, where you didn't require any skills, so you could push it out and have a backdoored version of an application. Sounds good. It was used to highlight the fact that Google Play Store and Android itself wasn't very good at detecting this. What we didn't expect was the hundreds of YouTube tutorials by so many people that were now using this to own a lot of people, and the ramp-up from
proof-of-concept to weaponized code was something like I've never seen before. Then in 2011 a colleague of mine, Glenn, and I had a research idea to build a thing called Snoopy. Snoopy was a distributed mass surveillance system that made use of the flaw that we found in the Wi-Fi stack, and we did so by doing a proof-of-concept in two places. One, we did it in London: we built our drones and we went through all the major hotspots in London during rush hour and caught about a hundred thousand people in our dragnet. This was pre-Snowden, and we were able to track where that person was coming from, where they lived, their common places of interest and so on.
But there was an element to Snoopy that we wanted to try out that was a lot more evil, and that was the malicious full active exploitation, and where best to try this out than Black Hat, because if you go to the Black Hat conference and you are not doing good security on your mobile phone, you're an idiot. So I spoke to Jeff and Ping. I said, "Listen, here is our idea: we want to put up a dragnet of malicious drones all over the place and pwn the crap out of everybody connecting into it." They're like, "Sure, it's Black Hat, go ahead." And we did. Tens of thousands of people had their devices owned. We proved the point, a cake or
picked up, we worked with Google and Android to fix the flaw. What we didn't expect was how the Snoopy technology would be used in a malicious way, and it was only years afterwards did we get insight that there were companies in Israel selling Snoopy-based technology to spy on Palestinians, where our research was being found in the Middle East or parts of Eastern Europe where they didn't care about who they went after. And even closer to home, a company decided to use the Snoopy technology to spy on people via the bins. We never imagined this to be happening, but we were incredibly naive at the time. So the whole anti-sec movement actually had a point, because we were helping
people do nasty stuff. Now, I thought it quite fitting that 20 years after the policy came out, and not many people knowing about it, it was probably maybe the good time to start rethinking about that. And the policy itself is quite simple, right; it's also very controversial: do not tell the world about security bugs you find. How many people here have found bugs in the last year and publicly told people about them? How many have managed to find those bugs and do responsible disclosure with the vendor? It's quite a few. It is a very frustrating process to do. Vendors do not want to listen. There is an argument for proof of concepts. There's not an
argument for taking a proof of concept and putting it on the internet, and I think that's one of the biggest things that I'm starting to see that this industry needs: we need to become a little bit more responsible. We have responsible drink-driving, if ever there was such a thing; we have responsible drinking; so why don't we have responsible research? Because, as I showed earlier, we do have the capability of really impacting how this world works through code, through our keyboards. And Maddie Stone, who is part of Google Project Zero, obviously has a counter-argument. Google Project Zero, very good friends of mine, do an amazing thing for this world, they really do. What Ben and professor have done is
phenomenal. But she also has a point: by providing proof of concepts it does help their stubborn vendors understand that it's not really acceptable for you to push out bad college quality code anymore. And I think that's where this industry needs to grow up a little bit. We still accept poor code, and that's something that needs to change. But it's not all bad things. The hacking community is still very, very well alive. So last week Phineas Fisher, who is he/she/it, we're not sure, it could be a group, a phenomenal hacker, decided to do something quite interesting: they hacked a bank in the Cayman Islands and they managed to steal a lot of money, and they've put together a bug bounty for
hackers to go after companies that do bad things, the NSOs of the world, the Halliburtons and so on. So the hacking community is still there. We're not all corporate shills, some are not all dangerous anymore because we don't do anything cool, but I still think we have an amazing thing to shape this fourth Industrial Revolution that we're going through, because we can collaborate a lot. For those who don't do that as that is the legendary white rapper called Vanilla Ice, very misunderstood. So my call to you today, after you see all these amazing talks, is: we do cool stuff, we learn, we share, but there's an element of responsibility we also need to start
thinking about now, because you are being watched. It's inevitable. So thank you very much, enjoy the rest of the conference.
[Applause]

So, any questions?

Hello Daniel. So I have a question regarding conferences, because I think that, as I talked about yesterday, I think there's some sort of glamorization, I think, of security research. There's this special status that we give to researchers, and for some people that motivation is to go public at some point with their research, right. So how does the industry then move to a position where we support a different sort of framework of working? Because the ideas that you're talking about can't exist in the current structure, though, the way that we talk about ideas with each other.

It's a good question. One of the things that we're trying to drive at Black Hat is, previously you would
idolize and call somebody releasing exploit code that made, say, this pop a root shell as a rock star, and I think that's been the wrong attitude to have, because, I'm gonna be very controversial now, it's not hard to hack anymore. I'm sorry, it really isn't. What's really hard to do is to stop stuff like this being exploited, and I think we've put the wrong emphasis on the rock stars, the mega security researchers who do that kind of stuff, rather than celebrate those who are actually protecting, you know, critical infrastructure, protecting ATM networks, protecting pacemakers from being owned. And I think we need this massive shift where we, the industry, go, "You know, that's just not that cool
anymore. Like, you managed to get an internet-connected dildo to do something. Cool, bro." We need to move away from that, but I think it's gonna take a lot more than just idiots like me rambling to a lot of you to go, "That's just not cool anymore." So I don't have an easy answer, and I think it's a very hard problem that we have to try and fix, but I'm hoping we're gonna try, at least talk about it.

Else? Always a good sign with this: no questions, you know. Okay, so thank you very much, Daniel.

[Applause] [Music]