
[Music] We're waiting on you, Morgan. Morgan! [Music] testicles [Music]

How's everyone doing? Hi on the stream. Hey people. Hey Scott. Do you reckon he's up already? No, no, not a chance. All right, day two, you made it. Actually, only some people made it. We look a bit lighter. Yeah, it's better though. Feeling it? Yeah. Seriously, the people in the breakfast at the hotel this morning look like corpses. I think they're here for the football. Breakfast, clearly. I like eating. Come on. All right, we've got one change for you today. Unfortunately, uh, Sean Wharton is poorly. Bad face. That was, um... So the talk that was going to be in track 2 at 11 something is now going to be in here, broadcast to you live through the power of the internet. Um, anything else we should add? Diamonds week. Stan's first day. Everyone say hi, Dan. Hi Dan. John's back, saying hi, John. Hi John. Making people speak to a blanket [Laughter] of a dead guy, maybe. Maybe. Who knows. That's, that's for later on. We've got some surprises today. There is a mystery guest. There is mystery cast. It's not, uh, like, and then sue us later for it. Mystery guests. No no no no no no no no no, there will be no litigation involved. No, not for that reason anyway. True. So coming up next... Correctly moving on. Yes, Dave, you are legally trained, correct? Sure. Good. Yes.

All right, we've got loads of cool stuff today, loads of cool stuff, loads of things happening. Out there, not a few folks on the stream, it's your own fault. Um, yes, lots of things happening: workshops, battlebots. Battlebots at lunchtime. Yeah. Um, everyone signed the disclaimer. They seem to be multiplying. Bends near them. Take from that what you will. [Laughter] Uh, we've got some amazing talks, amazing talks. Please go and see the sponsors upstairs. Shout out to the sponsors: Quorum Cyber, xp room, Mimecast, whoever's on my back. Who's on my back? Uh, kasich, yep. Jumping Rivers, yep. dependence partners, them. Someone else, we've missed one. Wait a minute, who's on the market? Well, we've got cyber fest. emphasis governance. Let's give a woo for
governments. Um, seriously, thank you very much to our sponsors. We love you so much. This couldn't happen without you. Indeed, I would be without tea right now, which would be... And without you I would be without tea. Thanks, Dave, for the tea. All right, we should get this thing on the road really, rather than just... We should start. Uh, wait a minute, speaking of, uh, litigation [Laughter], Chris Kubecka, come to the stage. Woo! All right, you mic'd up? You ready to go? We turned Chris on. Come on. Hang on, Morgan's out the booth. This is serious. Mommy T. Yes, there we go. Here we go. Hey, I can hear myself. It's like, Chris goes to places nowhere, no one wants to go to, talks about things that no one should know about, and it's generally brilliant. So, um, the floor is, indeed the stage is, yours, my lovely.

All right, all right. So before I start this talk I got to give you a brief disclaimer. One of the reasons why we, we kind of decided not to put the title of this talk up on the website was because the first time and last time I did this talk, uh, there were some very angry people, angry people associated with the Iranian government, who threatened the facility and myself. So yay, who doesn't like pissing off governments like the Iranian government, right? Come on now. So this is "Revenge Is Best Served over IoT". Uh, if you don't know me, I do a lot of weird wonderful things. I like to hack lots of stuff. I've been involved in some of the largest cyber warfare incidents. Uh, I also do some policy analysis as the distinguished chair of the Middle East Institute. Um, and also, yeah, I, I end up going to a lot of weird and wonderful places. Uh, yes, somebody's got to do it. Why have a boring infosec career when you can get shot at by the Wagner Group, right? Awesome.

So, give you a bit of background. I think we all realize that there's been a lot of back and forth going on with Iran and nuclear ambitions and cyber stuff, and they've got cool names such as Charming Kitten and things like that, which is fantastic. If you follow the news, Iran
loves nuclear. Whatever their ambitions might be, it could be just electricity, even though they have been caught enriching uranium to almost weapons grade. Back in the day, gosh, 11 years ago now, god, feels like forever, they got hit with something called Stuxnet. I heard maybe a Western government did that to take out their enrichment. Um, they like to disrupt a lot of things around the world. Uh, even as far as earlier this year, I was going to be in Burkina Faso to investigate and talk about the fact that the Iranians are selling their operational playbook when it comes to propaganda to an Islamic extremist group and terrorist group that they have been supporting with arms, and now they seem to be supporting them with cyber weaponry. So they like to do a lot of this kind of stuff. They also want to be a big player in the Middle East and Northern African region and want to make sure that they stay relevant. It kind of reminds me of this other country that wants to stay relevant on the world stage while doing some very awful things.

So this, this is an interesting journey, because it started in 2016, somewhere around there, and I got this, uh, LinkedIn message. They were like, "Hey, I'm so-and-so and we are looking for penetration testing training." At the time I was doing a lot of training, you know, in the before times, before the plague, and I was like, oh, this, this kind of sounds like a vanilla request, yeah, no big deal, right? Let me get some more information. Um, and it was quite funny, because at the time I was getting, uh, interesting offers for illegal drugs. One of my CVs is in Chinese, so you would not believe how many Chinese folks were trying to get me to participate in the fentanyl trade over LinkedIn. Amazingly, LinkedIn still has a terrible reporting process for going, "Hey LinkedIn, somebody just offered to sell me drugs." They're like, "We have no way for you to report that." Um, and still they have kind of denied that they have a proper reporting process when this was reported over and over again, the
activity that I'm going to talk about, to LinkedIn.

So one of the things I did a few years back, because part of my background is in control systems. I kind of like the fact that you can use digital technology to move things, right? That's pretty cool, right? We got the battle bots and everything going on. But on a larger scale, my background is also the nuclear industry, so I've been to every British nuclear industry, excuse me, power plant or enrichment facility that I'm aware of to do lecturing for GCHQ's CPNI, which is Center for the Protection of National Infrastructure. I love all these acronyms. And what they were looking for was a hands-on course for penetration testing and ICS. I'm like, oh well, you know, I could do that too, you know, no big deal, you know, I've already done it before. Then as the relationship was lasting, um, the term that they use is an agent handler. So this particular person tried to act as an agent handler to start recruiting me, and he was like, "Well, actually what we really need is, we would like you to come to Iran and teach us how to hack critical infrastructure with a focus on nuclear facilities." Sounds exciting, right? Yay. Not really, right? Because then, you know, found out that this person worked for the Iranian government. As these things started to get a bit dodgy, they were like, "By the way, we will throw you a chunk of money." Now who doesn't want a hundred grand a month? That, that's a lot of money, right? That's life-changing money. I got bills, man, I can so use that money right now. Uh, it was pretty good offer, you know. However, um, you know, with that offer, uh, the likelihood is that I would never be able to leave Iran. They even offered to take me on a VVIP tour and meet and greet some of the Iranian Revolutionary Guard and have pictures taken shaking their hand. Sounds like a good deal for a hundred grand. Takers on the stream? Many takers.

So during this time, luckily or unluckily, I had gotten very, very ill, uh, from visiting an a country, um, and so I had to do a lot of
surgeries, something like 19 major surgeries, and, you know, four year time period was not pleasant. And this agent handler kept on with this relationship, trying to be very nice to me, trying to form a friendship, while little did he know I was taking down all the names, the people that I met with, and I was sending that to someone in the FBI. Unfortunately that person in the FBI did not do their job and they were an idiot. So with this particular campaign of trying to come off very friendly, they, for the benefit of myself, set up a bunch of fake websites. That was nice of him. After this was done and dusted and an investigation was started, I kind of felt like I was, I was loved. I mean, who doesn't want to be loved by the Iranian government, right? Uh, they set up a whole bunch of what we call sock personas, so fake social media and so forth, and all of these not valid IDs and so forth. And they could pick up my background both from the news and from various conference websites, because I had spoken at a nuclear cyber, uh, conference in the past as well, so it wasn't like it was secret knowledge at all, which is not a big deal unless you're dealing with the Iranian government.

So over the years that this was going on, I had tried to reach out to various governments and government entities and got hit with a lot of government bureaucracy, unfortunately, right? When I tried the CIA tip line, it had a recorded message saying that it was actually, instead of the tip line, but the PR and comms department of the CIA, then with another message giving you a number. So I kept trying to follow up. I heard nothing from the CIA. Uh, I had tried with the FBI. The particular agent that I knew, um, didn't do his job at all and never followed up. Uh, because of the fact that I was dealing with a sanctioned country, I tried the Department of the Treasury, and they just ignored me. I had mentioned the activity while I was trying to contact the authorities in two different presentations, and it was only by chance I was at one of my
friend's retirement ceremonies at West Point academy, and I get this message on my phone from WhatsApp, because they love using WhatsApp, and it says, you know, "Hey Chris, hope you're doing well. Listen, I want your home address so I can send you a gift." Who wants a gift from the Iranian government? All right, nobody here put their hand up. Streamers, if you put your hand up, it's okay. You never know if that's ticking, that, that particular gift. So at this point I thought, oh well, this just must be normal, must not be a big deal, because no one in the U.S. government seems to give us stuff, right? So I start laughing, and next to me, we're having drinks, and a guy's like, "Oh, what are you laughing at?", thinking that I'm gonna show him a funny meme, right? You know, maybe a dog on a skateboard or something. And I'm like, "Nah, the Iranian government wants my home address so they can send me a gift." And he wasn't laughing. And it turns out that he worked with a bunch of three-letter agencies and got his team to start investigating. I heard back shortly that, due to everything going on, the FBI finally reached out to me and were very nice, informed me, while I was at a conference, uh, where actually this WhatsApp message was included, that the Iranian government had murdered several exiles in the Netherlands, and they thought that my life was in danger, and to not engage in any sort of communication with them again.

So with this, again, they love WhatsApp. Um, so I brought up the fact that, you know, doing business dealings, how is my ass going to get paid? He's like, "Well, you know, we can't do business with you directly or EU companies directly, but we still do business with these EU companies," um, and alluding to the fact that, uh, they openly skirt sanctions to the Iranian government. Who wants to skirt sanctions and end up in jail? Again, nobody. That's just not my thing. So I unfortunately turned down this gift. We even looked at trying to arrange, uh, something to be delivered with another address, but they could not get the FBI and
the Netherlands Dutch government to agree to a potential, you know, exploding gift to be delivered, because of security reasons. Uh, so that was interesting. Still wonder what that gift was. I have gotten gifts from, uh, various, uh, intelligence agencies from other governments that had to get checked through, make sure that wasn't poisonous or ticking or a surveillance apparatus.

So in 2020, in the before time still, oh, I remember those times, I ended up going public with this and going, "Hey, you know, Iranian government been trying to recruit me." Journalists checked it out. Sean Gallagher, shared all the messages with him that I had, and so he, uh, wrote up an article, because it was kind of unusual. I mean, they were trying for years to recruit me. Um, it's really not the type of love that I want or need, I'm just putting that out there. So once this article came out, someone took pictures of where I live and doxxed me on several, we'll say, extremist Islamic websites in Europe, and had to contact those countries' computer emergency response teams, and they actually removed the content from the websites. And by the way, great tip: make friends at conferences, because that's how I met most of these people who helped me through this journey to try to keep me safe.

So I'm like, oh, can I curse? Yeah. You want to [ __ ] with me, I'm going to [ __ ] with you, right? All right. So I have a background in the Middle East, right? I work for the Middle East Institute, I've spent a lot of time in the Middle East, and so I read up on a recent law that they had passed in Iran, and it said that all mixed-gender entertainment and restaurant facilities had to have a camera pointing back at the religious portion of their police. Now I'm thinking, hmm, cameras at all these restaurants, all these entertainment facilities, going back to one source. I wonder if they have security, because the S in IoT stands for security, right? I also realized that because of sanctions they could only purchase hardware from certain places like China. We had the
chat from Rapid7 yesterday describing some of the modules. Some of those in there are for some of the Chinese technology that I found, because that's all they can use. So I'm like, well, you put me under surveillance, I will put you under surveillance. So I created a Censys dork. If you haven't used Censys, uh, I do believe it's kind of like Shodan on steroids. Uh, they do not pay me, I wish they did. And, um, so I created some ways to find over 10,000 cameras all over Iran, and of course they were all exploitable. Credentials? What is that? Come on now. And, um, I could even adjust the resolution, turn on the audio, you know, little things.

So at another conference that I attended, uh, it's called the Joint Services Academy Cyber Security Summit, uh, the top 75 people in the United States get invited, so, uh, I, I get invited, and I met the chief strategist to the director of the NSA, and we became friends. His name is George. That's all I'll tell you. That might not be his real name. And so I gave this information over to the US government and to my friend George, because, you know, quite frankly, it's a perfect opportunity for the US to track people, to do facial recognition, all sorts of things. Again, [ __ ] with me, I will [ __ ] with you.

So I, I do perhaps look at Iran a lot, and this is just an overview of some of the more, we'll say, exploitable things that are hanging on their, uh, internet-accessible devices. So I just picked the ones that are very open, and as we can see, a lot of embedded devices. They are also, and many times, IoT devices. They can be printers, they can be anything like that. Usually they have little to no security. If they have a log-on page, they've never been tested for cross-site scripting or anything like that. They're very easy to pop. FTP: I would not recommend FTP. RDP means I own your system. All the way down to some of the control system protocols like Modbus and S7. S7 is from Siemens, and that was some of the equipment that was hacked in Stuxnet. They're actually not allowed to have
S7 because of sanctions, or any Siemens equipment, so I found those. And Modbus, um, the reason for its popularity in the control world is, when it was put out, it was basically their version of an open source: you could use it without license. But also will take a command in hexadecimal, if you know what you're doing, um, from anywhere, without authentication. Fantastic protocol to hack, yay. Lots of SMB, DNS open resolvers. There was a talk, uh, track two, on DNS taking over. You didn't even have to bother with, uh, his way of doing it, you could just, you know, grab their DNS. So fantastic.

And so, uh, they, they, uh, tried to persist. So I started getting other threats, because they got pissed that their, their stuff was taken down from the website, my personal information. Contacted a good friend up in Scotland, used to be a private investigator for, uh, some of your interesting intel agencies and interesting places. Um, I will say, uh, always try to go for best friends when you're doing this type of stuff and you think that, uh, a government wants to possibly kill you. Uh, you have to make sure that you have trust in that individual. Um, and last year, uh, after I thought, okay, this is, this is finally died down, because I'd already had to flee my house on several occasions on a previously, um, so this Business Insider, uh, news article came out, and I think it was February last year, where I was quoted in it saying revenge is best served over IoT, uh, talking about how I turn their surveillance state against them. And then on WhatsApp I get an angry message, and they put the link, I'm not clicking the link in their WhatsApp message, to the story, uh, trying to say, "Oh well, um, in the story you mentioned that we were asking about Saudi Aramco." I know about Saudi Aramco, I helped them recover from a very devastating cyber warfare attack that the Iranians did ten years ago. "Uh, we have nothing against them," oh blah blah blah blah blah, "we don't like you, I'm pissed off." That was suggested the conversation. So, um, contacted the authorities.
They took the messages as a credible threat, and so, uh, last year I spent seven months away from my house, uh, between various types of police protection, uh, staying with friends in the middle of nowhere, uh, trying to, uh, keep myself safe, uh, speaking with the Dutch police, the FBI, et cetera, et cetera. And wherever I traveled, I am, the Dutch police would, uh, speak with those folks. Like, I had to go to London, and so they suggested I stayed at a hotel right next to Scotland Yard. They were notified that there was a risk. Um, last year when I had to go to NATO's southern operations in Naples, they had to pick me up and drop me off at the airport with an armed guard. And when this talk was announced, whilst I was leaving Naples to go to Vienna, uh, the Viennese police had to be notified as well.

And again, [ __ ] with me, I will [ __ ] with you. So I had some friends look at the phone number that the angry messages came from, and they determined that that phone number had been used to purchase a domain. I looked up the domain and the IP address where it was hosted, in Germany, and it was an entire operation of Iranian fake news sites and propaganda. So I contacted the FBI and it got taken down, and the guy [ __ ] an entire operation by sending me ex angry messages over WhatsApp. Yeah.

So just before my, um, my talk in Vienna at DeepSec, and if you haven't heard of DeepSec, uh, they have two conferences, one for regular folks like us and also DeepINTEL, which is only for intel folks. I have to tell them that I'm willing to do a talk there later this year. And just before my talk I started getting some interesting, uh, tweeted death threats, uh, and also there were threats against the conference hotel and the conference. They had arranged for me to be put under another name for the hotel, all, you know, super secret squirrel, all this kind of stuff. And while I was on my way to Vienna, uh, and I was waiting at the airport, the police got contacted by an Israeli friend who said one of my friends just got doxxed on Iranian
national tv with his home ad