Nothing is Secure

BSides Sofia · 2023 · 47:18 · 280 views · Published 2023-03
Speaker: Bojidar Bojanov
Category: Technical · Style: Talk

Transcript [en]

Hello. Last year I was here ... Unfortunately, I'm not. I'll skip the presentation slide, or rather I'll go through it very quickly. Last year I was a minister for a short time, then I was a member of parliament. Trying to pass on some technical knowledge and perspective on things in the parliament is not very easy. At the moment we have reached the application of asymmetric cryptography when sending signals for their anonymization, but somehow this has not found understanding among the colleagues. Which is my problem, I haven't explained it well enough, but there have been such technologies in the state administration for a long time.

I will start by explaining why everything we do is very difficult. We need to protect systems that are extremely complex, and that is our job as the people who protect them, including those who deal with the offensive part, whose role, I hope, is to discover things so that they can be protected later.

First, network security as a basis. When we go and type in Google what network security is, there are various definitions that basically include everything in one. The definition includes network connectivity and all hosts connected through the network and their protection. But let's say we limit ourselves to a more conservative definition, and it is actually difficult to keep the networks secure because we need to understand a lot of things. We need to understand how these networks work, the whole stack, the protocols, and a lot of tools to configure and use to discover potentially misplaced actions. These are network firewalls, these are web application firewalls; there are different vendors, they look different, although very similar in functionality. We need to understand network segmentation, what a DMZ is when we talk about standard setups, that is, not cloud. However popular the cloud is, there are still standard networks and there will continue to be. Here I will give an example with the segmentation of networks. Intrusion detection, intrusion prevention, such systems still exist. Some consider them legacy, but some, like Snort for example, are still being used. How to configure VPNs and access for people, two-factor authentication in VPNs or the more modern Zero Trust Network Access, how it fits with the entire organizational culture and structure. How to make DNS secure, so that someone doesn't exfiltrate data through DNS. How to protect ourselves from DDoS, because DDoS is a totally separate topic.

The easiest thing is to buy an appliance, put it there, and say "this protects us from DDoS". But in fact it doesn't protect us from DDoS, because if the cable is not wide enough, DDoS will just blow it up. That's why the DDoS setup we need to make actually goes through BGP: we set up BGP so that traffic passes through the service centers that clean DDoS attacks and then reaches us, that is, our network is not presented directly to the outside world. This is again a totally different skill, a different knowledge. When a person explains it in words and pictures, it seems very easy. Yes, we will set up BGP, we will put Cloudflare or Arbor, and they will clean our traffic. We will put in some appliance if needed, which will do these switchovers automatically or semi-automatically. But when we get to the trenches, it turns out that it is not that easy. Here we have some broken settings, here the vendor has not thought of something, there is a bug, 12-hour meetings in the middle of the night because the attack is running and the appliance is not working, and so on. And all this needs people who understand it and do it every day.

Email security, both incoming and outgoing. Something that the administration has been working on for a long time. It's a very complex task. Configuring things like SPF, DMARC, DKIM, etc. These are relatively trivial things, but a few years ago I did a scan of the main administrations to see if they had these DNS records, and it turned out that at least half of them didn't. My blog got a lot of inbound traffic from the internal webmail of many administrations, which apparently someone had sent them, telling them "Look, we are on the wrong list, fix it, use SPF, use such things." On the incoming side, we can buy an email security solution, but how to configure it, false positives... Some people put in two, in any case. When we use cloud solutions, it sounds trivial, but my experience with setting up DKIM with Microsoft Office 365 was a total pain. Part-time conversations with the Indian support, who don't understand that they have a bug. But in the end, the engineer told me that there is an undocumented part and a bug in the rotation: "But here, do these three things through PowerShell and it will happen." In theory, you have to change some records. In practice, it's a fight with a pumpkin for every little thing to make an idea more secure. You can do it without signing your emails. People might think that someone is typing in front of their computer and they are already signing their emails. I hope there are no people who think that someone is signing an email and then they leave. But there are probably people like that. But this is also difficult.

A separate topic is the honeypots that I wrote for some reason. I know they are honeypots. I have written honeypots. There, again, in theory, you have a tool, you install it and it starts collecting useful information. But there are also many questions. First, how much is this? Which ports do we need to open? Is it externally facing, to collect information from the wide Internet, where every IP that has appeared publicly, and every Chinese, Russian and all possible IPs that are trying things, pour in? Is there a phpMyAdmin here? Is root/root on port 22? This is useful information to collect some lists of IPs, but it is something like noise. After a month or two we can check if there are any changes in the trends, if someone is more interested in us or not. Or we can add an internal honeypot, which should be absolutely silent all the time, unless someone has already entered and is trying to find their way with lateral movement. Or we can add both, which can also be easier.

By the way, last year, as you have heard in the media, there were the 45,000 blocked Russian IPs, and I agree that it sounds a bit stupid to experts, because what does this mean in general and what is the benefit? But I couldn't communicate clearly enough that these IPs were collected from threat feeds and from honeypots, and we actually gave them to the ISPs to block such semi-automated attacks against organizations outside the country. Because we can take the IPs and put them on the firewall, but the one that doesn't have a firewall, or the one that we won't reach at all, it's good for it to have some kind of basic protection. Yes, we won't stop the GRU hacker groups from going through 2 VPNs and attacking us

again, but it was some kind of basic step. There are many points because I haven't done everything and each of these things is difficult.

Then we move on to the endpoints. There are a million things there, from knowledge of the technology, through knowledge of specific tools, through choosing and buying specific tools. There is a category in Gartner, "Next Generation Antivirus". The interesting thing is that Next Generation Antivirus is older than EDR, for example, or at least that's how I imagine it. Endpoint Protection Platform, XDR, which is a buzzword that includes everything in itself. There is an endpoint part, there is a non-endpoint part. The question is to first get a view of the whole landscape of such tools, to choose which combination of them to use. DLP, so that things don't get out. Some of its functionalities are covered by EDR, i.e. DLP is more of a logical functionality than a separate solution, but there are solutions like that. We have to compare the data sheets and say that the XDR we are looking at now covers 60% of the DLP functionalities. The other three can be covered in some form. So, especially considering the budget we have, we may not buy DLP. We will think about it. But we also have to take such decisions and they must be informed. We have to know what each of these things means when we go through this data sheet. We have policies for bring your own device, mobile, laptops, what to do with USBs, we insert them, we allow them, we don't allow them, we allow them for certain people. We have a special computer for USBs that can be infected, we sandbox them and then we put them somewhere. There are possible solutions that we need to have, again, informed and expert, but all this is difficult.

Setting up Active Directory: yesterday my colleague Velichkov probably told you about the post offices and Active Directory. Even such stupid mistakes are harder to make. But setting up Active Directory is also not trivial. Auditing such a thing requires specific expertise. I opened the laptop in front of me at a meeting of the Ministry of the Environment, because I didn't remember what it was about, but it was boring, and I decided to check the structure of the Active Directory. It turned out that the minister, who is no longer a minister, continued to have access to an account. We fixed it and that's it. Azure Active Directory sounds like something that works great in the cloud and gives us additional functionalities, two-factor authentication, integration with Office 365, everything is great. But, for example, we asked Microsoft how much of this information can stay on-prem, with only some anonymous identifiers in the cloud. Because if the state has to use Azure AD, it has to upload the data of all state employees in one place, 120,000 people. And the answer was: "Not for now. Everything must be there, at least the emails and the names." And this is tricky.

Mobile devices are a separate topic. Mobile security, what viruses are there, what zero-days are there. We need to buy mobile device management, of course, and it costs money. Or take some open source. There are other problems there, because there is no vendor to call and say: "Fix this bug." Sometimes the open source community does it faster than the vendor, don't get me wrong. Internet of Things is a buzzword, but it has its own challenges. How do we collect logs from IoT? These devices, being non-standardized, strange, all-encompassing, speak whatever they want. Some speak syslog, others don't. If we have a piece of the infrastructure that is IoT, or we are in a factory, this is a totally different universe that we have to go in and dig into. The printers are also endpoints. There is a very interesting example. A bank in Bangladesh. North Korean hackers almost managed to extract some millions from there to a bank, I think it was in Macau, and from there to North Korea, by hacking the printer's firmware, which prints the note that someone has to sign in order to authorize a SWIFT transaction over a certain amount. And they just made it print something different from what it was given, so that he would sign it and not see that it is an outflow of money. Fortunately, this transaction was stopped before it reached North Korea, but even the printers, with a lot of research from a nation state attacker, are a very interesting topic.

And now someone wants to say, "OK, on-prem everything is complicated, because everyone has to take care of everything by themselves. Now we will go to the cloud and everything will be automatically secured by default." Unfortunately, it is not. Infrastructure as a service, AWS, Azure, Google Cloud and others like that, requires a lot of configuration. The good thing is that it can be scripted well enough to describe all open ports, all networks, all subnetworks and so on, but we again need specific knowledge, and this is specific for each one separately. Yes, there are things like Terraform that allow us some abstraction over the whole thing, but it is not a perfect abstraction and we always need to describe vendor-specific things. The bad thing is that sometimes these configurations are not made with the security people involved in the conversation, but by some people who are sysadmins or even developers. And then it turns out: what are these ports for? This network here, because it needs access to the other network, let's limit it, and so on. When we get to Identity and Access Management, tokens for access to APIs, because all cloud services expose many APIs, and when you need something, you generate a token, you throw it to someone, how he controls it, how he records it, whether he encrypts it or not. Again, there are many questions about knowledge, written procedures and the maintenance of these procedures, so that it doesn't turn out, as has happened many times, that some API token has leaked somewhere and someone has leaked the data, because the access of this token was too wide, not just what the specific user needed, and through such a token some S3 bucket is dumped, or even worse things.

The management of containers is a completely separate new universe. Almost every cloud provider has separate security centers that you let scan and perform some magic, and they give you a report: here you are 60% compliant with PCI DSS, here you have potential issues in this network segment and in that network segment. Some of them, however, in order to be fully effective, require the installation of an agent. Quite a few of them, and just because you put agents on top of agents, they start fighting each other and they need to be managed. To manage them, you need people who understand the whole thing. How you collect logs from all of this is also sometimes not trivial. When your servers are set up in a standard way, you have a log agent or not, but when you have some managed services, then they have to spit the logs into the corresponding CloudWatch or CloudTrail or something like that. But when we look at reality, we see that they are not always at the right level of detail, sometimes they come late, and this doesn't work for us. And this makes it even more difficult.

When it comes to SaaS, it is a very tricky thing, because many SaaS services do not have two-factor authentication. In our great policies we can require two-factor authentication for every service of a certain criticality, and when the SaaS solution is not like that, we will not be able to put it in. In theory there are some ways to do it, but they are more theoretical. And all the other things I've mentioned so far, how they manage their security, how they manage their tokens, S3 buckets, network configuration and so on, the position is: trust them. "We are certified, we have 1, 2, 3, 5 audits that have been made by my former colleague Eric Adesi, who is currently an auditor, and he signed something here," and we believe that the SaaS provider will really keep our data safe. And besides accepting some kind of assurance from it, there is nothing else to do. Also, software as a service is a wonderful way to create shadow IT. Some employee likes a service somewhere, registers, starts using it, pours corporate data into it, and the IT department and the security department have never heard of this thing. Maybe some day, when they see in the DNS logs that this address is being accessed, from the description

they can open it and see that half of the company's data is there, but this may not happen if we are not lucky.

And when we say SaaS, okay, let's not use SaaS, we will do it ourselves, we are a big organization, we have the capacity, we have the resources, we will write software from scratch or almost from scratch. And we are working on that. I am originally a developer and I have done all of these things. First we have to print out all the OWASP recommendations and vulnerability lists and keep them around us, and be careful at every moment that the configurations of CSP, CSRF tokens, XSS protections are as they should be, because we can set them at the beginning from some tutorial, and then new endpoints and configuration files appear and suddenly something goes out the wrong way. The filters sound like something obvious, we should not accept uploaded files that are not the type we expect, but this is not trivial either. In my former company we had something like a pen test, which fortunately found nothing but one serious vulnerability, and it was in a feature that is absolutely useless, that is, every user has to upload a photo so that there is a profile picture. The admin can look at the entire list of users and say: "I give him more rights, I don't give him rights, I exclude him, I put a time limit on his rights." The thing is that you can upload pictures, only that this includes SVG. When you want to use SVG, there is of course an active scripting part, which, when you upload it, can contain JavaScript, which, when the admin opens this page, can do privilege escalation, give yourself more rights and thus own the whole organization. Even such small things that are at first sight harmless, the developers have to be careful about them, because no one else will be. The web application firewall in front of the application won't be so smart that it will filter the script from the SVG and then block some script in the output, because it doesn't know what that script is.

Access control for each HTTP endpoint, because the developers like to make their own APIs, and just that access control for these APIs, with which token, when it expired; sometimes they forget some annotation on top of the method and it turns out that it is suddenly public. They think it's not, because all the others in the same class are not, but this one is public, and it turns out that it is one from which information can be obtained. Dependency management, which is vulnerability management in practice: all dependencies, all their dependencies and so on recursively, must be checked regularly, automatically of course, for known vulnerabilities. And to have some action if you find a vulnerability, to assess what it is, to see if it really is an obstacle or if it is a false positive, i.e. not applicable in the case. If you have a smart firewall that does hotpatching, it can be for certain vulnerabilities that you can't patch at the moment for a number of reasons. Because when you raise the version, you will break real functionality. It blocks certain requests that exploit this thing. For the log4j vulnerability, there are such patches in practice. Of course, the whole development has to be in accordance with the Secure Development Life Cycle, which very few organizations apply. And everything we build has to be planned. We see that it is not easy to write something, to give it to some boys who understand it very well, and they have to make a system. Things are complicated even in this case.

And you say, "Okay, the system is difficult, we can't control the cloud, let's buy something off the shelf, something ready, and we'll put it together." Well, we have the same software problems, but they are already beyond our control. We don't know if they have applied an SDLC, checked the dependencies, if all the methods are correct, if they are accessible and so on. Which ports does it use, how to collect the logs from this system, because when our own system generates some logs and they are not ingested very well by the SIEM, then we can change them a little. If the SIEM can't do it, we can't parse them. With ready systems we can't. My favorite example is SAP. You know, my previous company was doing SIEM, so we had to parse logs, whether we liked it or not. And so here we have a client who says: we have SAP, we want the logs from SAP. I say great. We have generic parsers for text files, database files, whatever you can think of, so there is no problem. But the SAP logs are something absolutely unheard of. The whole log is in one row. And it just keeps on writing, sticking to the end of the row. And you will ask what the delimiter is, how do you know that this is one record and this is another record? The delimiter is the length of the row. The first 200 symbols, the second 200 symbols, 400, 600, 800 and so on. And when you have a generic parser that just tails the log and parses at every newline, you realize that there is no parser that doesn't look for a newline but for a fixed length. And we extend the open source tailer with a patch, we write that it should parse the SAP 200-symbol log. Then we have the next system that has decided to write the log directly gzipped. Not to rotate it and gzip it to keep it in place, but to write the gzipped log directly, so that we can't open it. That's why we extend the tailer once again, to gunzip on the fly, to read it and parse it, and actually all of the off-the-shelf systems, being non-standardized and all of these things, create a lot of problems.

At the moment we are starting to hear how to hide these problems with firewalls, because we know them, they are known, the vendor doesn't handle them, and we are making some firewall magic with which to try to cover them, so that no one can dig into them, with virtual patching. There is another problem with off-the-shelf software: the vendor fails. Or they get bought. Or they stop the support. All of this has the same result. We stop getting security updates, they stop fixing things that break. And then over time, more and more vulnerabilities are discovered, of course, in this thing. And the solution is to bury it deep inside our infrastructure so that no one can exploit it, which we know is exploitable, or to throw it away, break half of the business processes and find something new, which will have the same problem in five years. And the certainty of these solutions is not trivial either.

And yes, we are looking at all these solutions, all these problems, and we say, "Okay, but we will now take the cutting edge fancy security software, we will go to the distributor with a big basket and we will say, 'Here, give us everything, a lot.'" Only that it is heavy and it is difficult. I was a vendor, so I have some insight into the market. We often buy something that is on a datasheet, but in practice it is not exactly what we need, and we need to add to it, to write a shell script to make it work, to write custom regexes to add something. But to say that, apart from the fact that some knowledge has been developed, is achievable. There are cases where these conservative solutions block the normal use by the annoyed users. At the same time, the bad ones pass through the door. Another personal example: in a large organization there were some solutions that did not allow binaries to be downloaded from anywhere. Just when you open it, it says: "This is binary, you can't download it." And this stopped some people from downloading some relatively legitimate things. Yes, they had to pass approval and so on.

But this didn't stop me, because I had to transfer binaries to the machine on which I had to install things. But in order not to wait two days for approval and for someone to download it instead of me, I just encoded it in base64, downloaded the text file and then with PowerShell I turned it back into binary, and it worked. So these solutions stop good, normal use. Someone who takes one additional step, not some genius student, just someone who today knows base64, and it suddenly stops working. The price is not to be neglected; this is a completely separate complexity, because we work in a limited environment. We do not have the endless budget in the world with which to buy all the solutions, all the people who work with them, and the entire hardware they need to work on. And we need to prioritize this. These solutions are already integrated, the big integration between vendor solutions, but we need to have at least 10, maybe more, quite different things that hardly talk to each other, for which we need to make additional integration scripts, layers, recipes and all sorts of other things. And always the problem with false positives. At the moment people are turning into false positive dismissers. "Which is this and that, and this and that." When I was in the Ministry, we had EDR on my device, which was mine, but it was enrolled in the Ministry's policies. And of course EDR discovered very bad things on my computer. All false positives, of course. One of them was a test in a project that tested whether a ZIP bomb was being handled. That is, there was a ZIP bomb archive that tests whether the application will explode when it is uploaded and whether it can be misused. There is a bomb archive that was discovered, for test purposes. Probably because a normal user would not need such an archive on a computer, but mine did.

So with all these difficulties, a lot of attack surface appears, a lot of attack tools. Supply chain attacks became popular recently. The most famous is the SolarWinds software, where SolarWinds was hacked and from there, through their update program, they put a backdoor into the main software that runs on the Microsoft network of state agencies in the States and so on. And how to stop it? It's very difficult. You trust SolarWinds, a big vendor, trading on the stock market and so on, to have adequate policies. The fact that some junior has put a password for some FTP somewhere is beyond your control. You can't audit all the vendors, do pen tests on them, read their audit reports and see what the recommendations are.

A few months ago, a news story caught my attention: a really shameless status about the validators in the metro. And for people who are not security minded, this sounded a bit paranoid. Yes, there are some Russian validators in the metro. Vendotec, the Russian company, and our metro has bought such things, they are installed in all metro stations, and when you go with a debit card, credit card, phone, it takes your money or takes things from your card. What a problem.

There is still no such problem, but since the vendor is Russian, this creates a risk. Because if it has over-the-wire updates, or just security updates that it sends regularly and installs here, in some regular security update some functionality may appear. Not because the vendor wanted to attack his clients, but because the GRU knocked on the door with two machines and said: "Put this vulnerability here or you are not doing well." And what did they do? They put it. I am of course speculating about the scenario, but it is not impossible. These validators are connected to the network; they have to go out, to connect with Mastercard, with Visa, to make these transactions happen. I don't know how the network of the Metropolitan and the City Center for Mobility is organized, but I suspect that there is a possibility that this is not a fully isolated channel. From there on, imagine if you can jump from this segment of the network to another segment of the network, to the neighboring segment of the network, which, for example, controls the metro lines; we already have a problem. It sounds paranoid, it sounds incredibly far-fetched, but when it comes to nation state attackers and national security, it's something we have to review, to consider, not necessarily to catch them, to expose them and to throw them away, but at least to check how they are segmented on the network and to assess this risk.

Air-gapped OSH systems, again, for critical systems: there is a very popular lecture, I think it's at DEF CON, about a Jeep, and I forgot that there was also a presentation about Hyundai. The point is: hackers jump from the entertainment system to another bus that actually drives the car, and at that moment they can work the pedals instead of you. Which is not good. And it's nice when someone says that something is air-gapped. Is it really air-gapped, and you can't jump from one to the other? Because someone had to connect something there. It's a small piece of paper, hardly anyone will use it, but here it is, someone uses it. Or in an institution I ask them: "Okay, are these networks connected?" And they say: "Yes, yes, they are separate networks." "But how are they separate?" "Well, they are separate VLANs." "Okay, how do you manage these VLANs?" "Well, through a machine that has no connection to the Internet." The one that manages the VLANs has no connection to the internet, no Wi-Fi, nothing. And it even has antivirus. I said, "Okay, how do you update the antivirus definitions?" "On a flash drive." The recommendation was to put them on a disk, but either way this is not a real air gap setup. This bottle creates a risk. If someone doesn't go deep enough with the questions, they can continue to sell the bottle. By now you know about the Iranian centrifuges and how Stuxnet entered the bottle. It's not news.

For example, unverified, unaudited companies or external experts whom we ask to make a configuration, to audit something, to install something, whom we don't trust, we don't know where they come from, they are not vetted by DANS. And at some moment it turns out that there is something there that works, we don't necessarily see it, but at some moment it starts to exfiltrate data through DNS, through some channels that are thinner, so they are not quite obvious, but no one can claim that the firewall can be set up so that it does not allow any exfiltration. If the one who puts things in is smart enough, this can happen.

And physical access. It is a very interesting attack vector. Another institution, MIFARE Classic. And yes, someone can just go to work with his wallet in his pocket, and someone can clone MIFARE Classic. Something terribly trivial. And then enter in his name. And especially if there is no integration, for example, between the access system and the HR system, so that when you are on vacation, in fact, it does not let you in. But this integration is not easy. It is not there by default. These systems are usually from small vendors, which are not integrated with some serious HR systems. And at some point, with little effort, you clone a MIFARE Classic card, you see when the person doesn't go to work but goes straight to the airport, and you enter in his place. In a big organization, no one will even notice. And it depends on what you have access to.

A lecture on social engineering, which is the next topic, that the person is the weakest link: I will tell you the exact same example. A client hired me to test whether I can enter the innermost part of the organization where there are some serious secrets of the company. And of course, the person hacked some external-facing application, from there jumped to the access control system, got access to the ... He enters the building and the security guards wait for him with the card. To the security guard he is a visitor, he receives a card and he says: "I am Eric Oysi, John Smith, give me the card," takes it and enters the room. The security guard is in a position to have access to all high security areas. What is interesting is that entering the higher security area is a bit strange. You don't go there to hack something, even though you have a contract with the company. And there are some people working, sitting at some computers and doing something. And some stranger comes in, who is also overdressed, with a strange outfit, because he doesn't know exactly what people are working there, and slowly, slowly, he approaches the man, walks somewhere to the server, and at some point, out of frustration, he hits a metal bucket, throws it and shatters everything and makes a terrible noise. Everyone turns around, looks at him and then turns back and continues to do their job. Because it's not their job; it's obvious that Security has done its job, this man has been let in, someone has approved him, he's probably come to do something routine. And even the fact that he has made the loudest noise in the world doesn't matter, the attack was successful.

And last but not least, the zero-day attacks are also quite a complicated landscape. My favorite is Pegasus, this spyware that is installed on phones and is called zero-click. I mean, you just receive a message and you already have a virus. A wonderful story. There, in iPhone specifically, they are exploiting the GIF parser, that is, they are sending some kind of emoji. A GIF. Which... It claims to be a GIF, but

it's not. There's some code inside. But since they know how to use the iPhone, they tried to parse it as if they could. And it turned out that they could parse PDFs. And they actually do it as PDF. But because of some legacy requirements from Xerox, there were some commands that I won't tell you the whole Google project for Zero Day, but in the end they generate an overflow in a GIF parser that parses it as a PDF and they create a state machine from the overflow part and there they start to make a whole phone with a GIF that is not a GIF, but exploits a parser. It is better described in the Google blog for

Zero Day. read it, but you just can't protect such things. That's why all this is so difficult. And it's so difficult even when we have all the people in the world trained to deal with this. Here I have created dozens of different types of systems, attack scenarios. policies, not just on the level of someone who writes scripts and configures systems, but also policies for the budget, the whole organizational complexity. Even when there are suitable people, this is quite difficult and close to impossible. Many organizations do not have such people or have one and it is quite crowded and at the moment it is starting. The administration, I will not surprise you, also does not have such

people. There are again individuals who are starting at the moment. Not only because of the payment, but also because of the atmosphere, the packaging. We built something that is quite complicated. The whole IT ecosystem is something terribly complicated. It consists of a piece of silicon, a few cables, and zeroes. We have built systems that must be safe for all kinds of bad experiences and influence, and this certainty is not built anywhere. Neither in the cable, nor in TCP protocol, nor in the processor. I exaggerate, of course there is a secure key and so on. But by default, by design, by design, initially, the protocols and standards, the certainty is always added from above. It is there, in a step. And this makes things especially difficult. And so

difficult that we actually have no certainty that something is safe. When someone comes and asks us if this is safe, we can't say yes, it is safe. Yes, we have to manage the risk. This is something we actually do. We manage risk. We address the most risky things. We assume that the Zero Day that will discover the nation state attacker is not something that we can do this way or the other way around, but it is not something that will probably happen to us. Now, I can say nothing is safe in front of such an audience. But in front of another audience it turns out that I can't. Despite all the disclaimers I make and

talk about the time of risk. I don't usually have conversations with other people, but since this was taken out of the National Tribunal, Kornelia Ninova came out and said: "We are in the Ministry Council, behind the booth, we had a conversation with Mr. Bojanov and he said that the machines can be hacked." The conversation was actually: "Can the machines be hacked?" And my answer was: "That's a theory, everything can be done, but with these measures, everything has nothing to do with the Internet, signed, there are disputes, etc. So, we can be practically sure that the vote cannot be manipulated. But Kornelia Ninova remembered that machines can be manipulated. That's why I went out on the tribune and said that the parliament's ceiling can fall on

theory. But it will fall, we are all here and we are waiting for it to fall because there are architects who have done the work, there are recent repairs, there are checks. We are managing the risk of the ceiling not falling. And the ceiling does not fall and we are sitting there. You know that nothing is certain, but this is difficult to explain to people who do not know what this risk is, they are not internalized as a concept and do not know the whole complexity that is below. What is the state doing at the moment? It creates some regulations, they have their advantages, of course, but it says, it throws the organizations and the state and itself with a single blow, it says, "come on, become safer."

I'm not saying this is wrong, I'm saying it's insufficient. And in fact, the state has some long-term policies in front of it, in which it can invest. They are 3+1, I added the last one at the end because it has a special expression. But the first thing is the people. We just don't need more people. ChatGPT won't be able to replace all these things I said. We won't be able to decide who is the IDR to take and whether he covers DLP functionalities. And actually, when something breaks in DDoS protection, to stand on a 3-hour call with a vendor and determine where the problem is. We won't be able to do it. It has to

be people who are well trained, experienced, have seen these things and have done them. This is educational policy. It is not something that happens overnight, but after 5, 6, 7 years we need to have more people who understand this. The other thing is standardization. The more standard protocols and formats there are, the easier the integrations are, the less they are in the field. If there was a standard log format for a long time, we wouldn't have to make these mugs with sub-logs. and we wouldn't have to skip 20% of the logs of some systems simply because the parser can't deal with them because they are absolute. This is just one example. There are many more examples

in which state or state organizations and institutions can impose some standardization together with the business, of course, to make things safer. The third thing is responsibility. At the moment, every vendor has no responsibility if something breaks, which is okay for most cases, but when it comes to critical infrastructure, for example, someone can't just do something very expensive for you and when it turns out that it was broken in an elementary way, he has to say "ah, you did it". And for that, at least for critical infrastructure, it may be good for vendors to have some responsibility. This has legal aspects. It is not, as we will understand in the contract, it must be legally assumed. And the last thing is something that the services do, ours not

necessarily, but American, Israeli, German, British, that they store zero-dose substances, so that they can use them like others. This sounds maybe practical, but zero-dose substances are running out. This creates a market for zero-dose substances. Some people are looking for them, to give them there, to sell them. or someone starts hacking the computers of people involved in this process, of people from the services, to take these zero-deal activities and use them. So the fact that the good ones are being stored in zero-deal-illness is also not necessarily good and we need to limit this storage, limit the search for such. When there is such illness, the vendor is directly reported, you do not keep it, you do not lock it so that you use it one day

against the bad ones. This is a difficult conversation with the services because they have their own arguments, But it is something we need to think about, because in my opinion it will not only increase the overall security. In the end, I will end with what I started with, that nothing is safe. We know that, but our job and the job of the state is to become less and less unsafe after some time. Whether it will be 100% safe at some point, there will be no way. But to become less and less unsafe. Thank you.
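The badge-cloning scenario in the talk, a cloned MIFARE Classic card used while the real employee is away, is exactly what an integration between the access-control system and the HR system would catch, either by refusing the badge at the reader or by replaying the badge log against HR data afterwards. The script below is an added example and is not part of the talk or of any product mentioned in it; the event and leave-record layouts, the employee IDs, the door names and the after-hours window are all assumptions made up for the example.

```python
"""Correlate access-badge events with HR leave records (added example, not from the talk).

Assumptions (made up for the example): badge events are tuples of
(ISO timestamp, employee id, door, result) exported from the access-control
system, and HR leave is a list of (employee id, first day, last day).
"""
from datetime import date, datetime, time

# Constructed HR leave export: employee E1001 is on vacation 6-10 March 2023.
HR_LEAVE = [
    ("E1001", date(2023, 3, 6), date(2023, 3, 10)),
]

# Constructed badge events. The second line is the cloned card being used
# in the middle of the night while the real E1001 is on holiday.
BADGE_EVENTS = [
    ("2023-03-03T08:55:12", "E1001", "lobby", "granted"),
    ("2023-03-07T02:13:40", "E1001", "server-room", "granted"),
    ("2023-03-07T09:01:05", "E1002", "lobby", "granted"),
    ("2023-03-08T18:20:00", "E1001", "lobby", "denied"),
]

# Assumed "after hours" window: 20:00 to 06:00.
AFTER_HOURS = (time(20, 0), time(6, 0))


def on_leave(employee, day, leave=HR_LEAVE):
    """True if HR says this employee is away on the given date (inclusive range)."""
    return any(e == employee and start <= day <= end for e, start, end in leave)


def should_grant(employee, ts, leave=HR_LEAVE):
    """Preventive check an integrated access system would apply at the reader:
    refuse the badge while HR says the person is on leave, whoever holds it."""
    return not on_leave(employee, datetime.fromisoformat(ts).date(), leave)


def find_suspicious(events=BADGE_EVENTS, leave=HR_LEAVE, after_hours=AFTER_HOURS):
    """Detective check for systems that are not integrated: replay the badge log
    against HR data and flag swipes during leave or after hours."""
    findings = []
    for ts, employee, door, result in events:
        when = datetime.fromisoformat(ts)
        reasons = []
        if on_leave(employee, when.date(), leave):
            reasons.append("badge used while employee on leave")
        t = when.time()
        if result == "granted" and (t >= after_hours[0] or t < after_hours[1]):
            reasons.append("access granted after hours")
        if reasons:
            findings.append({"ts": ts, "employee": employee, "door": door,
                             "result": result, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious():
        print(f["ts"], f["employee"], f["door"], f["result"], "; ".join(f["reasons"]))
```

On the constructed data the replay flags the night-time server-room entry on both counts and the denied lobby swipe because the cardholder is on leave. The denied event matters too: a denied swipe on a card whose owner is at the airport is evidence that a clone exists, which the preventive check alone would not surface.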
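The standardization point in the talk, parsers that skip a fifth of a system's logs because they cannot handle the format, has a consumer-side mitigation: a normalizer that tries each known format in turn and, when nothing matches, keeps the raw line tagged as unparsed instead of silently dropping it, so the gap is visible and the evidence survives. The code below is an added example, not from the talk; the three formats it recognizes (JSON lines, BSD-style syslog, key=value pairs) and the sample lines are constructed for the example.

```python
"""Tolerant multi-format log normalizer (added example, not from the talk).

Tries each known format in turn and, when none matches, keeps the raw line
tagged as unparsed instead of silently dropping it. The three formats and the
sample lines below are constructed for the example.
"""
import json
import re

# BSD-style syslog: "Mar  7 02:13:41 host app[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<app>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# key=value pairs, values optionally double-quoted
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input: one line per format plus one the parser cannot handle.
SAMPLE_LINES = [
    '{"ts":"2023-03-07T02:13:40Z","host":"fw1","event":"dns_query",'
    '"qname":"a3f9c1.exfil.example","bytes":1480}',
    "Mar  7 02:13:41 fw1 sshd[2211]: Failed password for root from 203.0.113.9 port 51234 ssh2",
    'time=2023-03-07T02:13:42Z host=badge-ctl door="server-room" employee=E1001 result=granted',
    "\x00\x00garbage the parser cannot understand",
]


def parse_line(line):
    """Return a dict for the line; '_format' says which parser matched."""
    s = line.strip()
    if s.startswith("{"):
        try:
            rec = json.loads(s)
            if isinstance(rec, dict):
                rec["_format"] = "json"
                return rec
        except json.JSONDecodeError:
            pass  # looked like JSON but was not; fall through to the other formats
    m = SYSLOG_RE.match(s)
    if m:
        rec = m.groupdict()
        rec["_format"] = "syslog"
        return rec
    pairs = KV_RE.findall(s)
    if len(pairs) >= 2:
        rec = {k: v.strip('"') for k, v in pairs}
        rec["_format"] = "kv"
        return rec
    # Nothing matched: keep the evidence instead of skipping the line.
    return {"_format": "unparsed", "raw": line}


def parse_all(lines=SAMPLE_LINES):
    """Parse every line and count how many fell through to the raw fallback."""
    records = [parse_line(l) for l in lines]
    stats = {}
    for r in records:
        stats[r["_format"]] = stats.get(r["_format"], 0) + 1
    return records, stats


if __name__ == "__main__":
    recs, stats = parse_all()
    print(stats)
    for r in recs:
        print(r)
```

The `stats` counter is the operational point: a pipeline that reports how many lines ended up as `unparsed` per source makes the 20% figure measurable, and the retained `raw` field lets the missing format be added later without having lost the data in the meantime.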
