
So, as you can see, Tim Graham Beck. You can reach me on Twitter; just Google "t cravaack" and you'll find me online.

This talk today is a little bit about getting involved with a community greater than your local area, greater than just our community, and more specifically, I've been doing a lot of work with the Cavalry over the past couple of years. Who's heard of the I Am The Cavalry movement? No? Okay. So I Am The Cavalry basically came about when a group of guys were staying at a conference, drinking and having fun, and they realized that nobody is going to send the cavalry in for us and solve all of our infosec problems. We have to do it. We have to help other industries, we have to help people solve these problems ourselves, so we have to become our own cavalry. So, as...

I am the cavalry

So, the problem statement. I don't know where this slide came from; this is weird, because it's not the one I'm seeing down below, which is nice. But our society is adopting connected technology faster than we're able to secure it. Who's heard about that little buzzword, IoT, the Internet of Things? Everybody now is on the internet. Everybody is like, "Wow, wouldn't it be cool if my thermostat was connected so I could do it over my phone? What about my toaster, so I could put my bread in the toaster, go to sleep, and then when my alarm goes off it tells the toaster to start toasting, and by the time I walk out to the kitchen my toast and coffee are done?" So, you know, you could probably program the toaster to keep the toast in there until it catches on fire, I don't know.

So the mission statement of I Am The Cavalry is right here; you guys can read it. We're focused a lot on medical, automotive, the connected home, and public infrastructure. Medical is easy: it's the medical devices, all the stuff related to hospitals. It's easy to describe, hard to secure. Automotive is a lot about the sensors, the wireless sensors in the cars, the CAN bus which basically connects everything together. And the connected home is about all the IoT that everyone just throws in their house and doesn't care what's going on with it. Who's heard about the Synology NASes? They had a small problem where you could log in to them and take them over without credentials, and then someone put a Bitcoin mining botnet on there. So now I'm using your computing resources to get me Bitcoin; much better than putting a virus on there, because I make money directly. And then public infrastructure is the ICS systems, the cameras at the traffic lights, not the cameras for the traffic laws, because the traffic lights themselves in a lot of places may not be connected to each other, but a lot of times you can get over there to the boxes nearby, or sometimes they'll run a serial cable or something down from the pole so you can connect to it and do diagnostics, or walk up with a little hand unit and control them from there. So you can cause havoc with that too.

One of the biggest things over the past year that the Cavalry has done is create this Five Star Automotive Cyber Safety Framework; say that five times real fast. They're moving toward self-attestation here. So if you're a car company, you say, "I want to be Five Star Automotive Cyber Safety Framework compliant," you go through and say, you know, we're doing safety by design; we're doing third-party collaboration, we're working with our vendors and our suppliers and everybody else; our onboard computer does evidence capture in a forensically sound manner, so if it's tampered with you can tell that it was tampered with and that it's not necessarily exactly what was recorded at the time; we provide a mechanism for doing security updates; and we do segmentation and isolation of the CAN bus, you know, basically make it so you can't plug a USB into the radio and update the firmware, or jack with someone's car remotely through the OBD port.

There's a picture of a Ford car. As you can see, they've got a ton of sensors and stuff built into it now, and we've got blind spot, rear camera, lane-keeping system, driver alert system, adaptive cruise control, assisted parking, the whole drift compensation. You know, there's a lot of stuff where, while you may not necessarily be able to kill someone, you can annoy the crap out of them while they're driving and make it very difficult for them, at least, or maybe cause them an accident or something. Distances for some of these things: the passive anti-theft system is 10 meters, Bluetooth is 10 meters, Radio Data System is 100 meters, in-car Wi-Fi, well, you know, the DEF CON wireless shootout was pushing over a hundred miles with antennas and stuff like that. So think about being on top of a skyscraper in a city; you could probably take care of every single car on that road that you can see. Tire pressure monitors are about a meter. I was talking with Kevin of, pardon, Kevin Johnson, thank you, of Secure Ideas just before this talk, and he's like, "You can't really do anything with a tire pressure monitor; you just say the tire's low and the light comes on the dashboard." So again, you can't necessarily kill somebody with this, but you can harass the crap out of them. You can make someone stop and pull over. Imagine you're driving down the road in the middle of the night, say there's a woman in the car next to me, two tires go flat, you pull over on the side of the road, and now a stranger comes over to help you. Do you want that? Do you not want that? Do you risk driving up to someone when your tire is obviously reported as flat? There's a lot of stuff you can do that's not necessarily killing the person in the car, but you can cause a lot of traditional, standard, you know, crime-type stuff by exploiting this. And then your smart keys can unlock your car from anywhere between 5 and 20 meters away.

Medical devices: the Cavalry is getting ready to announce a new medical device, like a 5-star safety rating, in the next few days to a few weeks; they're working on that right now. But this is our manifesto, basically, about the medical device and health care industry. If you want to take time to read it now, go ahead; if not, it's on the iamthecavalry.org site. So there's a few little things that I've posted here about what medical devices have been actively researched. You know, take the insulin pumps: they're vulnerable to hacking, you know, a little bit more insulin, a lot, nothing, or change the reading on there saying you're not getting enough insulin when you're getting too much insulin. You can either kill somebody, depending on how bad their insulin dependence is, or at the very least cause a very bad day and/or send them to the hospital, depending on how paranoid they are. So again, you may not be able to kill them, but if I send you to the hospital, to the ER, and you don't have insurance, because your insulin's going too high, you know, you've at least got a very high medical bill, and you're out for several hours while they try to figure out what's going on. Death by defibrillator; they talked about this earlier in the first keynote today, Cheney's pacemaker hack, so they disabled all remote code updates on that one. Wouldn't it be nice to be the Vice President and have the Secret Service taking care of your equipment and securing it for you? I don't have that kind of money.

IoT devices: we talked about the toaster a little bit earlier. Refrigerators are IoT, etc. Everything under the sun is IoT these days. You know, I'm just waiting for the day that someone goes, "Hey, you know, we can put a webcam on the toilet, and when the person gets up we can immediately snap a picture and upload it to, you know, ratemypoo.com." No, no, I'm calling it "crapper white glove"; that's good. Great, who's already out there? They already have smart toilets. So yeah, make your life horrible, make your life annoying: an automatic bidet connected to the internet, you don't have to touch the buttons on this plate, which is great, but, you know, someone gets in there and automatically starts the process for you while you're sitting on the toilet might not be too good. Yeah, you don't have to call in sick to work; your boss already knows exactly.

Public infrastructure: these are some of the things we're classifying as public infrastructure. You have the aviation systems, rail systems, public transport, airplanes, traffic monitoring, utility services, waste and sewage. And then a couple of years back a couple of guys I know were doing some research on farm equipment. The farm equipment is pretty cool. They've got, in the newer combines and stuff that they use to process all the, brain fart, vegetables and corn, grains in the field, they're automatically pulling that over, analyzing the quality of it on the field, determining, is this $3 a bushel corn for animals, is it $12 a bushel corn for people, what have you. Now imagine if you knew this information before the stuff got off the field. So you can go through and say, great, as a farmer this is awesome: I want to run two or three trucks out here. I get into lower-grade corn, I'm going to pull in one hopper, they're going to take this and ferry that over to, you know, the $3 a bushel, they're going to feed it to the animals. I'll get the more expensive stuff over there, I pull another loader in there, we take that and send it over to the people, we get $12 a bushel. Now, a little bit nefarious: I say, you know what, I think a $9 spread would be worth me going through and buying some of this. So I'm going to inject on the radio, "Uh-oh, look at this corn coming off, it's not that good for people, you know what, it might not even be that good for animals, but you know what, we'll still take it because we're doing ethanol, because we can produce it that way; we'll buy it even cheaper." Now we get it back to our lab and we reevaluate and go, "This quality is nowhere near as low as we thought it was; this is fit for consumption by people." Now I can take that; maybe I bought it for about $5, $2 a bushel, and now I'm selling it for 10 or 12, because my lab has verified it's now good, it wasn't as crappy as I told the farmer's equipment it was, and I bought it for really cheap. So there's a lot of stuff that's becoming computerized, but if you think nefariously you can get in and make changes and do things that don't necessarily kill people, but benefit you, in a good or bad way.

Who's this, Gregory Evans? Does anyone know who he is or what he did? Several years ago, 30 Rock? Yes. He is the ultimate media hacker. What he did is he presented himself to the media in the Atlanta area as a security expert, and because of that he was able to get on TV and say all sorts of really interesting stuff about computer security. Hey, this is one of the pictures on one of the websites where I found him. So what happened was he became available, the media knew him, and when they picked up the phone and said, "Hey Gregory, we've got this virus thing happening, can you come in and give us an interview or a little piece on this?" "Sure, I'll show up there." So he shows up, they interview him, of course he's the expert in the field, so they go out and say everything he's done is truth, because they don't know any better. So now he is their expert. What can you do about something like this? Sit on Twitter, Facebook and go, "Oh my god, I can't believe that guy's on TV again"? Is that a good solution? The popular one? Yeah, we do that a lot, about a lot of things. What you can do is you can get involved. Get involved with the Cavalry, get involved with other groups that are trying to go out and talk infosec and risk to people who are not in our community.

You can get media training. I Am The Cavalry does media training at some of the larger BSides conferences, like BSides Las Vegas, BSides San Francisco. Go there, get free media training. They've got two amazing reporters who come in and teach you how to talk to a reporter. You know, reporters have their end goal; they need to get there, they need to get their story out, they need to get their 30-second or their 15-second sound bite. You, if you want to get out there and talk about the latest Heartbleed virus, which wasn't a virus, but that's where all the media found out and ran with it because it sounded good, you know, we have our set of information we want to get out about these things. So, understanding what the media want and what you need to get out there, you can sit down and have a conversation with them. You know, what does off the record mean versus on the record? What is background? What questions are they going to ask? What information do they want to know? You can get a lot of this stuff before you get in the interview; if you don't know about it, then you don't.

Who here has argued with an attorney? Who thinks it's a good idea in court to argue with an attorney? Okay, are you an attorney? Police officer? Okay. But you know, attorneys, I love them, they argue for a living. So unless you're practicing arguing for a living, you're not going to come out ahead in most cases. They don't always know what they're talking about, but they argue for a living, so they can wear you down, and you can get frustrated and say the wrong thing at the wrong time because you're frustrated. The media is the same way. If they have an agenda when they're interviewing you and you're not aware of that, they can kind of take you and lead you over this way: "Come on buddy, yes, we knew, we talked about this, so why don't you have that, you know, in this case?" If you don't realize you're being led somewhere to look stupid, or to make you look like a fool, then you don't necessarily know it's coming. Sometimes it's not necessarily the reporter. The reporter could be the best guy in the world; he could be literally your best friend that you grew up with. But then they get that information over to the editor, and the editor goes, "You know, we were going to do a story about X, but now we've got this great sound bite from this guy here; we can really make these guys look like complete jerks." What's wrong with that? You know, that may be 15 seconds out of a 45-minute interview, but that's the 15 seconds they run with. So get some training; understand what the people you're talking to want to get out of things and where you want to go.

Become a resource in your local area, or your regional media. Say, "I don't want to be on TV, but if you've got a question about computer security, whatever, IoT stuff, give me a call. I'll answer it. I'll give you 15 minutes, I'll give you some background information on there." So at least our community has some people who are more educated about this and you don't look like a fool. Will that work? I don't know; it might. Since a lot of you guys haven't heard about the Cavalry, when you do, you might not like the group, you might not like the people involved. You know, I sat down with Kevin Johnson again before this. A lot of the Cavalry stuff is going out, you know, we're focusing on automotive right now, we're focusing on media. Kevin was asking me, he goes, "Yeah, but what good is this? What is it going to do? You know, I can't kill someone with a tire sensor." I said yeah, but a lot of the work the Cavalry's been doing over the past couple of years has been laying the groundwork to have these conversations with the automotive companies. You know, some of the automotive companies, when they were first talking to them, they're like, "Whoa, you guys are here to extort us; you just want to get money from us. Why are you doing this?" Like, no, our motives aren't to say, "All right, you know, we've got this great hack for the 2017, you know, give us money and we'll make it go away." It's more about laying the groundwork with the auto manufacturers, laying the groundwork with the medical manufacturers, laying the groundwork with all of the other agencies out there, that says when we've got a researcher who has found a legitimate problem, however they may have found that, and they come to you, or they come to us and say, "Hey, we need to get a hold of these guys here and talk to them about this," that they've got the connections, and the first reaction isn't going to be, "Oh my god, hackers, sue, or send the FBI into their house and blow them up," or whatever. So having connections is very good; having spent the time laying the groundwork is amazing that way.

Who here knows how to talk business? Who here knows how to talk risk? Do you think people outside of our industry speak a different language than we do? I guarantee you, walk up to almost any manager in the business and say, "Oh gosh, you know, the Wi-Fi, we've got a problem here, we're out of DHCP leases and we need to extend the range by doing a supernet," they're going to go, "Huh?" Go, "Our wireless isn't working. When the customers come into the store they can't get online here, and they're leaving and going down the street. I need to spend about a half hour fixing this; will you let me do that?" "Right now? Our customers are leaving? Yeah, you fix it. How much money do you need?" Learning how to explain things in ways other people will understand is a great way of doing so. If you've got the opportunity, if you're still in college, like a couple of you guys here look like you are, take a couple of business classes, maybe a couple of classes on risk, the basics of that, so you understand, at least from outside of our community, what people are looking for. It'll help you communicate the problem you're having to the people who can either say, "Here's money, fix that," or, "Oh my god, take the time, fix that, we need to do that." Another option here is to get an MBA. It's quite a bit larger and, you know, takes a lot more time, but supposedly when you get an MBA, you're a Master of Business Administration, you really at that point would have a really good grasp of what other managers would be looking for in communications to and from the business. And you go through and say, "Hey, we can't launch this website; we've got to hold it back for another month, because there's all these horrible things here; if an attacker gets in here then no one's going to use our site again." And the business may look at this and go, "We launch this website tomorrow, we'll be making a million dollars an hour, so every hour we delay is a million dollars. You want to take us down for a week, which is 168 million dollars? You have to show me that the day we turn this on our customers are going to look at it and they're going to get killed or maimed or something, to not bring in that money right now." You have to be able to sell the problem you have. So realize that people are experts in their own domain, and you probably are not. Like, exactly, I suck at spelling; even spell checker looks at me and goes, "Oh my god, what are you thinking?" So when you're talking to other people, regardless of what domain they're in, look at things, try to understand. You know, if you've got a computer problem and you're going over to an engineer, they may not understand everything about computing; you don't understand everything about the engineering stuff they're working on; they understand, you know, what you're talking to them about. Yes, it's spelled wrong. So, you know, I suck at spelling and I don't always catch spellcheck. That's my story and I'm sticking to it.

So, the solutions we've got going forward. Technology isn't always about technology; it's about decision making and systemic thinking, cooperation among stakeholders. You, being in IT and IT security, you are a stakeholder in a larger group. You know, if we're always crying wolf, "Oh my god, the CVSS score on this is 9, we've got to do something about it right now," well yeah, it's a 9 on that system that's in the room not connected to anything that three guys use with a USB key to print stuff out. Who cares? If it's got a 5 and it's directly on the HR network and someone is scanning and actively looking at it because there's a worm out there, that one takes priority. You know, be open to people outside of our echo chamber. That basically means talk to people outside of IT. You know, if I sit down with anyone over here and say, "God, management just does not understand security," they'll all nod their heads: "My manager doesn't know anything about..." Is that a slide? The spelling? Yes. So when you sit down and talk to people that way with your peers, they're going to agree a lot with what you said. When you start talking outside of the group of peers you've got, you're going to get a lot of different opinions. You may find a lot of stuff that's really cool and interesting. And prepare for reaction and work against overreaction. You know how many times you guys have heard, when you finally get through, you've got the sales guy going through FUD, fear, uncertainty and doubt, or you've heard of a manager, flying on the airplane, they're reading the airplane newspaper, and all of a sudden they've got something in there that says, you know, all this NTP reflection is going to DDoS the entire internet. They come in from their flight, from vacation in Barbados again, you know, the third time this month, like, "Oh my god, I just read about this on the airplane, you guys have to fix this right now." Okay, NTP reflection doesn't affect us; it affects other people, when our servers would be bouncing out to them. But we've got this critical vulnerability in the HR system that we kind of need to patch right now, because we just fired Sally because she was stealing this stuff and printing it out. Now we need to go through and make sure that her passwords are locked down, we change all the accounts here, we call and notify all the banks, and we do all this other stuff. This is a real problem right here, right now. If we don't handle it, you know, she's right now driving home, she's got 38 more minutes; when she gets there, she's going to log into the system and drain our accounts. That's a little bit more important than the NTP reflection that may affect us, but probably will affect somebody else that, you know, pissed off the Lizard Squad or something like that; they're going to use us to attack them.

Any questions so far?

[Audience question about public outreach]

Um, what do you mean? Yep, they don't say anything. Well, okay, so the question was on public outreach. If you take one of the latest things, the webcams being vulnerable to everything under the sun, a hacker can come in and take over all these webcams, the media does a really great job of coming out and going, "Oh my god, if you have these webcams, hackers can come in and look at your babies when they're sleeping in their cribs and the whole world is going to end." The media does a great job of putting out that information there. But that's part of the media training, I think. You know, when we've got people out there talking to reporters and saying, "Look, if you've got anything on technology, I'll be glad to answer those," and they come out and say, "This webcam thing, what is this about?" "Oh, okay, so hackers can come in and they can do this; here's two things you can do on your home network to protect yourself against that."

[Audience question: do you have a hackerspace where you live?]

Yes. So one of the things I've done is I've partnered with the Tampa hackerspace, and we're going to start trying to put together security 101 training for people outside of the group that we get; older folks are a little afraid of computers, that kind of stuff. That's the type of community involvement you can get involved in. You know, go to your town hall meetings. Yeah, I think Amazon V, she's on Twitter at amazonv, she's done a couple of classes at her local library. You know, it's people going and saying, there's a need for X, let me spend a half hour, 45 minutes writing a little class on this, or writing down the five questions my mom just asked me, and then, since I was at my mom's, she drove me over to her neighbor's house and she asked me two or three more questions on this, and now I've got eight questions. If I sat there and wrote, you know, a 15-minute PowerPoint presentation, and I did this for another two weeks, I now have 45 minutes; I can go to the public library and give a basic class on questions I know people are asking outside of our community. Go to the library: "I have a free class on how to do X." People are going to come. Maybe; maybe five or six, maybe not. You never know with those. A couple of other groups to take a look at that you can cooperate with: like the amateur radio club, for instance, semi-relevant; library stuff, friends of the library groups. Are you guys involved with Boy Scouts, Girl Scouts, any after-school activities, soccer stuff? You know, if you're down there you can tell them IT stuff; it's great. You know, if you guys are soccer moms or soccer dads and you're out at a soccer event, you know, you're talking to other parents out there: "Yeah, I noticed your kids were on Facebook and they're sharing a lot of information out there." Spend five minutes, have two or three points you can tell them. Look, your kids are on Facebook; you're probably never going to kick them off there without, you know, making them move out and become circus clowns or whatever, but, you know, run away and join the circus. But definitely go out and have two or three talking points you can sit down with them and say, "Hey, you know, you guys are going on vacation next week?" "Yeah, I know, we're close friends, we've been talking about this for a while." "But do you realize your daughter and your son were talking about, 'Oh my god, this is so awesome, we're going to be going to the Caribbean for a week'? They're posting that all over Facebook." Criminals are actively looking at this information, and then they go, "You know, Debbie and Java are going to be out next week, so let's go to their house while they're gone. I know that they're friends with Bob; Bob works from eight to five, so he goes over there at eight, maybe 8:30. We stop by about nine, rob the house, no one's going to know anything until about 5:30, 6 o'clock at night; we're set." I had a couple of friends on Facebook, actually had one friend on Facebook recently, she posted about going on vacation somewhere. I messaged her, I'm like, "Hey, you really need to take that post down, telling people that you're going to be gone for a week; it kind of says 'please rob me,'" and I linked to that website. Thirty seconds later I saw the indicator on Facebook: post deleted. So, you know, we can have a big impact even talking to just a few people locally, and then that grows your network of people you know and your expertise in that network. You know, don't always be trying to sell stuff, but definitely give some information out for free; I think that really helps out a lot. Any other questions?

That is it for my talk, short, not too sweet, but short. Thank you guys for coming to BSides. Later? I have no idea; like I said, I stole the presentation, and my slides, hey, I like that. Does anyone want to get involved with the Cavalry or any other groups like that? It's not a church. Yes, it's not, it's not the Cavalry church, no.