
Cyber Skeletons in Davey Jones Locker: Is legacy tech truly a cyber security problem? - Ian T-T

BSides Bournemouth, 19:15, published 2025-09
About this talk
🎤 Talk Title: Cyber Skeletons in Davey Jones Locker: Is legacy tech truly a cyber security problem?
👤 Speaker: Ian Thornton-Trump
📝 Abstract:
Discussion of Progress Software "Secure File Transfer" solution, the class action ramifications.
Discussion of Barracuda Secure Email Gateway, super hackable, unrepairable, ".tar she blows".
Discussion of Sophos Appliance & The Counter Hack, to fight the enemy you must become the enemy.
Discussion of the "VPN & Firewall" edge dumpster fire, why is it so F'ng bad? why can I still buy this shit?
Legacy security on the network edge is how tears are made, pop goes your esxi host, things to not put on the internet without compensating controls. "sea panel"
Key takeaways: threat model, risk management & "thoughts, prayers, rum and Shodan.io"
Communication Key: Less Cyber-y More Investment Banker-y
⚓ This talk was recorded live at BSides Bournemouth 2025 on 16th August 2025 — a community-driven cybersecurity conference bringing together researchers, practitioners, and enthusiasts to share knowledge, skills, and ideas.
🌐 Learn more: https://bsides-bournemouth.org/
💼 Connect with us: https://www.linkedin.com/company/bsid...
📺 Stay tuned for more talks from the event, and don’t forget to subscribe for updates!
Transcript [en]

The sooner this is done, the sooner I can imbibe. >> Excellent. >> All right, >> flip it over to my deck and we're good to go. Ready?

>> 10 AP and by the powers bars the powers >> are Hey, there we go. Legacy Tech, >> right? Well, um, my pronouns are the dread. Um, so I am the dread fat hobbit. Uh, for this exercise I work for an MSP. Um, and I do the fractional CISO uh, work for about four customers right now. So, um, tons of fun. Uh, that's me. I put out a lot of content. I added a pirate just for flair or a parrot just for flair uh, for this presentation. And I do have an update in my biography because I am now a failed international arms dealer as cats saw fit to seize my flintlock pistol uh due to the fact

that they thought it was as they said a dangerous item in my checked luggage. So not in my carry-on bag cuz I didn't want to get shot. But my point being is that um the ridiculousness of security theater pervades um once again. Now, the background to this is growing up, I really enjoyed these pirate movies. In fact, that might explain why I have an actual full pirate costume uh because I enjoyed the movies. And yes, I do enjoy watching the movie while in pirate costume as well. So that might make me but interestingly enough I want to talk a little bit about how we got here as ransom back in the pirate days of the

let's go with the 15th to 16th century um was a thing and there were celebs back in the pirate world as well um specifically Mary Read and of course Anne Bonny and interestingly enough they're the ones that have color pictures or color paintings of them back in the day. Whereas the rest of the pirates were pretty much just the woodcuts or etchings that were out there. One of the most popular books at the time, no, not Nicole Perlroth, this is how the world ends, but Captain Charles Johnson, oops, what happened? >> Oh, it does. It's It just comes back. I was just little jarring there. Um, but Captain Charles Johnson, interestingly enough, one of the most popular books

didn't actually exist. It was uh it was a basically an invented tale which captured the imagination of the audience um and led to a whole bunch of interesting stories that permeated uh about the myths of pirates to this day. But also, interestingly enough, there was a healthy amount of threat intelligence back in the day. So I want to talk about 1573. Uh that is Sir Francis Drake. Uh Sir Francis Drake was a pirate privateer. Really pirate by one description. If you are French or Spanish, you considered it a pirate. If he was if you're English, which is generally what this audience is, I'd imagine um he was a privateer. So his thing was really interesting because he

he practiced a few things that we've seen in modern cyber security uh deception tactic when he was attacking the uh Spanish um in uh in Panama. Uh he did a frontal attack and the Spaniards were like, "Oh, hey, you know, we don't have any of the silver. The silver is already being delivered to the Spanish ships." Well, that drew the response force away from Panama and so his other force that he put on the ground stole all the silver and that's how he made a lot of money. Um, and that is very similar to what we see today where a denial of service attack happens on your network and while that is going on the

bad guys get in and exfiltrate all your data for profit. So, we can see a thing. Now, Sir Walsingham here is a really interesting cat. He would probably be one of the first intelligence professionals working for Queen Elizabeth the First and was the guy that basically detected the Spanish Armada. Right now, he um was the guy that basically said, "Look, Spain's got an Armada. We should probably do something about that." Um, and then he put together a whole bunch of people and stuff like that and made a big enough kind of deception announcement of how the UK will fight to defend itself. England at the time will fight to defend itself and put out a lot of positive PR

about how awesome the British Navy was. So that's really, really good. Um, as a result of that, the Spaniards hesitated in their overall attack of the giant armada that they had. They ran into some bad weather and actually rather than military naval action uh he won because of a giant storm that showed up and wiped out all the ships. So he had a lot of luck and that was also something for folks working in cyber security. Never underestimate your ability to attract bad luck or good luck. Right? So this is one and I call this the Will Thomas slide because this is the distance between criminal and state actors is shrinking. Okay. And this is somewhat

deliberate on the side of both the infosec and the media and governments in general because the distance between cyber criminal actor being harbored by another nation state, cyber criminal contractor, cyber criminal activist is all blurring together. And this actually makes for some really interesting reading. Now in information security, we always kind of thought for quite a long time that there was a distance between cyber criminality, right, for profit activities and foreign nation states. But as a result of the Conti leaks, as a result of the Trickbot leaks, as a result of some of Will's research into the i-Soon um contractor data breach, all of this is coming to light, especially with this new information that dropped

at Black Hat this year on um an interview essentially with the guy that fell for Kaseya, Mr. Robotnik. um it paints a picture of intelligence services having actively involved the cyber criminal element and vice versa. And in fact, not to be sympathetic or or spoil the story because it's a pretty long uh story, um this guy was essentially manipulated by the Russian FSB to conduct the Kaseya ransomware attack. And it's interesting, we call it the Kaseya ransomware attack, but it's actually a destructive attack deliberately perpetrated out by the Russians. And this, of course, has massive geopolitical ramifications. But I wanted to point this out because we are starting to see some very disconcerting activity in cyber security

in general with that combination. So this is a cyber attack that very little was given very little press but it was extraordinarily effective. This is the hackings that a lot of people didn't really follow but the magnitude of the damage that this attack did. So this was yet another attack on the US government. You can see in Mandiant's report the concentration of pwnage, right? It's pretty obvious. Some interesting additional pwnage, but this was as a result of the Barracuda appliance. Now, the Barracuda appliance for it's called the ESG um email secure gateway. It's hardly that. Um the problem with it is that it used a tar file for updating. For those of you way back in the day, that's not necessarily

a problem, but there was no checking to see if any of it was valid. The threat actors believed to be uh Chinese um in this particular uh case, was it Chinese? Uh yes, PRC. Yes, our good Chinese people there. They figured out, hey, we can own this thing so badly that even a patch can't fix it. Now, that of course gets my conspiracy theory going here because they actually said once this thing has been hacked by the bad guys and we have all the IOCs, please send it back to the manufacturer. And as I speculated um that I believe that there might be some technology in terms of the hackings that the Chinese used that they

didn't quite understand. So, they wanted a bunch of samples to try and figure out how this was being done. But if this is a great example of edge devices that were insecure, exploited by the PRC in a targeted manner to basically read all the email of multiple US government departments at all levels. Anybody that had one of these was affected. When the news broke, it was really interesting because it wasn't really widely covered and it certainly wasn't the big stink that we've seen as a result of Volt Typhoon or any of the previous hackings. But I just wanted to say it seems like at least from the US government perspective, there is an annual hacking

of the US government almost every year, right? North Korea. Well, this is a huge topic that many of us in cyber security have been talking about for quite some time. I don't think again we're being given the whole picture on this one. Um I think it is way more pernicious and way more embedded than we thought. So let's go through some of the high-level things. In 2022, there was an FBI warning. Again, it wasn't really covered broadly in the press saying North Koreans had entered the chat. Okay. and in and the North Korean remote workers had basically used things like deep fake technology or uh purloined um IDs and essentially infiltrated as developers. But the story has unfolded a little bit

more to indicate some really disconcerting things. Perhaps the most discerning thing was that Russian firms who had offered technological support to Western firms had hired a whole slew of North Koreans. So, not only did it show that the North Koreans and the Russians were working happily together, and this was even prior to the 2022 announcement of North Korean troops and North Korean construction uh workers helping the Russians. This was again the Russians and the North Koreans working together to infiltrate Western Tech. And I truly believe that Western Tech has been far more compromised than we're being told as this comes out in drips and drabs. And we saw the Chapman and the Knoot indictments. Um, these were the folks

that ran all of the laptops in their houses. Clearly, I don't know how they would do that on a single 10 megabit DSL connection, but you know, power to them. The reality here is this one group, which I believe had about 140 laptops, all right, generated over $12.7 million, okay, on behalf of the nation state. And for her um her help, Chapman was paid about $170,000 uh uh dollars. Okay. She was just sentenced to I think it was 13 years in prison as a result of facilitating this. This is one person 140 laptops and I think there's probably hundreds of these throughout the throughout the globe. And I think as time goes on and I've had some

conversations with other people in infosec who have basically told me that places like the large Bank of America for instance may have had an encounter with North Korean remote workers as contractors. So I think this is a much bigger story and I think as time goes on and researchers get involved we'll see more and more revelations which actually leads me to the coincidence or conspiracy part of my talk. This is where I have a problem with a couple of things, especially this story. So, on Wired, it was revealed that Sophos had fought this 5-year campaign where they were monitoring the Chinese contractor's efforts to reverse engineer and create zero days for their product. Okay. So, let me put my hat on

for a moment here, my pirate hat, and suggest to you that if you have one of the most talented reverse engineering nation state contractors working on your product, you're telling me that these guys kind of like were monitored for 5 years without knowing that they were monitored, right? So, there's something that the sniff test on this doesn't quite sit well with me. So I think there's a lot more to this than what was portrayed in that Wired um Wired mag uh Wired article. Now I've come to two conclusions here. One is that the source code for edge devices is riddled with vulnerabilities. Okay, some devices yes, some devices no. But maybe there's a connection between North Korean remote

workers, the stealing of intellectual property from cyber security firms, and then reverse engineering a lot of the zero days we're seeing on almost every single VPN and firewall vendor that's out there. It is remarkable because all of these exploits and we're talking about CVSS scores sometimes as high as 9 and a half and 10 are being released on almost a weekly basis against the infrastructure. I can't tell you how many SonicWall and Fortinet vulnerabilities have been disclosed in the last month. It's it's almost uncountable. So here we are. The question is, is there some sort of hidden agenda where western tech has comp has been completely um essentially intellectual property stolen and is being placed in

the hands of nation state to reverse engineer or are we just seeing the results of the fact that vulnerability-wise we are not doing well folks. Okay, there are way too many of them in clo in and the problem here is the concentration. So if we look at Debian Unix up at the top there with 9,11 CVEs okay Linux, Debian specifically runs a lot on a lot of those appliances that we just talked about. Okay, so when we talk about the Linux kernel, which is in at 8,526, so maybe it just is that bad and there's no actual conspiracy of tech being taken by others. I always look at two extremes. As an intelligence analyst, you take a hypothesis, you try and prove

that hypothesis. When you can't prove that hypothesis, you have to go with either the middle ground or the other extreme. So I think we're somewhere in the middle. I think some companies have been pwned by the North Koreans and they have stolen that intellectual property. Others, however, we're just dealing with the nightmare of software that has vulnerabilities in it. So, but Russia, so this is the interesting thing that I alluded to. It seems that Russia has been involved with the North Koreans for quite some time in terms of tech and money laundering and all of these things. This has not been talked about probably because of the political realities in the United States um because of the coziness it appears to

have between Russia. Although after the summit yesterday, we wonder exactly where that's going to leave us. But the reality here is that there has been a relationship between North Korea and China as you folks probably already know. Um there's only two ISPs uh in for North Korea. One is controlled by Russia and one is controlled by China. It's not surprising to see China and Russia working together and using North Korea as their idiot stepchild to do um their bidding. Oops. Okay, let's go. Little Taylor Swift action mandatory. And here we are. So, is there really an excuse is the question I'm asking. So this is the MOVEit appliance right which is essentially if you took the Ipswitch FTP server

and you put an out-of-date Linux kernel and then you ran it as an appliance and you made it secure by putting the label secure on it. You can plainly see that this is really bad. Now I I asked the question sqlmap who who here are my Kali folks or my reverse engineers. Yeah. So sqlmap is a utility. It's a free utility. Anyone can download it and use it. But it literally searches for SQL injection attacks. So my question is when the majority of the pwnage of this particular MOVEit appliance is SQL injection cross-site scripting, why wasn't anyone ever checking that? Right? All of a sudden it shows up and it's a major gaping problem. And that's

how you get the Clop. Okay? Because the Clop were the guys, or is it the Clap? No, that's something else. The Clop were the guys that were busy exploiting this and causing ransomware attacks and stealing a whole bunch of sensitive data because many organizations use this secure file transfer solution to upload sensitive documents, right? Sensitive documents. And I'm just going to go out on a limb and suggest that if your appliance supports HTTP and FTP, it is far from secure. Okay? We all know better that it should be with that little S thing, right? The security piece. So, I'm going to leave you with the words of Dua Lipa. As you go forth into the world, success to me is just

doing things that I'm really proud of. So, thank you very much, Bournemouth. Um there will be no questions.

Thank you guys. Love you. Right.
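The Barracuda passage in the talk describes an appliance that took a tar file for updating with no checking to see if any of it was valid. As an added example (not from the talk, not Barracuda's or any vendor's code), the Python below shows the two checks a defender would want before an archive is ever parsed on an appliance: an authenticity check over the whole blob before the tar parser sees a byte, and a per-member sanity check that rejects path traversal, absolute paths, links and device nodes. The HMAC key, the paths and the archives are all constructed for the demo; a real appliance would verify an asymmetric signature (e.g. Ed25519) against a pinned public key instead of a shared key.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for a vendor signing key. A real appliance would keep
# only a pinned public key on the box and verify an asymmetric signature.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def sign_update(blob: bytes) -> str:
    """Producer side: authenticate the whole archive, not individual members."""
    return hmac.new(VENDOR_KEY, blob, hashlib.sha256).hexdigest()


def member_is_safe(member: tarfile.TarInfo) -> bool:
    """Reject entries that could write outside the install root or plant links."""
    parts = member.name.split("/")
    if member.name.startswith("/") or ".." in parts:
        return False
    if member.issym() or member.islnk() or member.isdev():
        return False
    return member.isfile() or member.isdir()


def verify_update(blob: bytes, signature: str) -> list[str]:
    """Return the member names of an authentic, safe archive; raise otherwise.

    The signature is checked first, so a tampered or attacker-built archive is
    rejected before any archive-parsing code runs on it.
    """
    if not hmac.compare_digest(sign_update(blob), signature):
        raise ValueError("signature mismatch: refusing to parse update")
    names = []
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for member in tar.getmembers():
            if not member_is_safe(member):
                raise ValueError(f"unsafe archive member: {member.name}")
            names.append(member.name)
    return names


def build_tar(entries: dict[str, bytes]) -> bytes:
    """Constructed test input: an uncompressed tar built entirely in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    good = build_tar({"opt/appliance/bin/update.sh": b"#!/bin/sh\necho ok\n"})
    print(verify_update(good, sign_update(good)))
```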