
Hello everyone, good evening, and welcome to BSides Las Vegas. This is our last talk for the session. My name is Hasan Nikar, and this talk is being presented by Josh Bressers. The topic is, sorry, my screen turned off, Next Generation Enterprise Security. Before we begin I have a few announcements to make. I would like to thank our sponsors, especially our Diamond sponsor Adobe and our Gold sponsors Prisma Cloud, BlueCat, and Toyota. It's with their support, along with other sponsors, donors, and volunteers, that this event is made possible. These talks are being streamed live, and as a courtesy to our speaker and audience we ask you to make sure that your cell phones are on silent mode, and if you have any questions please use the audience microphone so that YouTube can hear you as well. And with that, let's hear our last talk of the session. Please welcome Josh.

Awesome, thank you, thank you. Be careful... some... what, tranya? What is tranya? Oh wait, that's the original Star Trek, it's the one with the little kid, right? If you're offering, I would love one. Thank you.

Okay, so for everyone who can't hear what just happened, those of you in Internet land: I was offered a drink called tranya, which is from Star Trek: The Original Series, which I am not talking about today, because this is obviously Next Generation. But let's see. Holy cow, that's strong. Okay.

All right, Next Generation Enterprise Security. This talk, I feel like, will be the high point in every presentation I give from this point forward, because I thought of the title before I realized what I got myself into. So let's start with who I am. My name is Josh Bressers. I work for a company called Anchore. We do what we call next generation supply chain analysis, and our open source tools are Syft and Grype, which some of you may have heard of; they're an SBOM generator and a vulnerability scanner. They're very fun. But I also have two podcasts I host. One is called the Open Source Security Podcast and the other is the Hacker History Podcast.

Now the hack... oh, thank goodness. The Hacker History Podcast is a podcast where I invite a guest and I say to them, "tell me your hacker story." I'll get to this in just a minute. I say "tell me your hacker story," and then people tell stories. Everyone has an amazing story to tell. Every guest I've had has said "no one wants to hear my story." So please, if any of you would like to be a guest on Hacker History, get in touch. I would absolutely love to hear your stories. It is the most amazing thing I do, and I absolutely love it.

So a gentleman just walked in in a Star Trek uniform. Not everyone knows this, but when you submit a talk to BSides there is a text box that says "please request a ridiculous speaker..." well, request whatever, and I said I would very much like someone in the front row in a Star Trek uniform to heckle me throughout the talk. And so I totally got it, and you have made my day, sir, so thank you so much. I'm very excited about that.

Okay, now, and this slide speaks most to you: many of us have spent our lifetimes watching Star Trek, memorizing lines, memorizing obscure details, and the people in our lives have said "you are wasting your time, none of this is ever going to be useful." Until today. So this is it, nerds, this is your day to shine. And because of that point I have a ridiculous number of slides, more than I'm going to get to, and that's on purpose. There will be no questions at the end; if you have questions either go to the microphone and just talk, or yell them out and I'll repeat them. The slides you're looking at right now are open to everyone. If you want to use this deck ever in anything, please do; you have my permission, consider this public domain, except for all the copyrighted images all over the deck. But by all means, it's a fun deck, it was fun to put together.

So what did I do? I watched a lot of Star Trek. So I thought of the talk and I thought, okay, how long could this really take? And it turned out it took a really long time. I'm probably three or four years in at this point, because you think you can just watch an episode and maybe write down some notes, except you realize you have to watch things again, and something happens later and then you go back, and you start writing the presentation and you're like, oh, I don't remember exactly what happened. And so I suspect I probably watched 300 or 400 hours of The Next Generation just to put this talk together. And the question I always get from people is, will you do this for Deep Space Nine or Voyager or something else? Absolutely not. No. Just heckle, no, don't raise your hand, just heckle. You married? Yes. The question was... no, the question was if I'm married, and yes, yes, awesome, yes I am married. My wife is lovely and I have made her watch a lot of Star Trek, and now there's basically a rule that when I turn on Star Trek she leaves the room, and we're all cool, that's fine, that's the way it is, and that's okay. I understand, I understand.

Why wouldn't I do this for the better Star Treks? Because there aren't better Star Treks, and also it just takes too long. It was so much more work than I expected, because at first I thought, oh, I could do it for other things, but no. And honestly the other things won't have a good title, right? Next Generation Enterprise Security, come on, that's as good as it gets, right? Do you like Strange New Worlds? Okay, the question was, do I like Strange New Worlds. I find it pleasing up to this point, but I'm going to hold my judgment until the end, because sometimes they get better, sometimes they get worse, but at the moment I find it acceptable, so we'll see. Babylon 5 is my second favorite. Babylon 5 is very good, but this is a talk about Star Trek. Okay. All right, we'll just skip this part. Yes, all right.

So here's what I did. I watched all the Star Trek and I noted threats and mitigations, right? And, oh, we'll get to that: the MITRE ATT&CK framework is all over this thing, it's fantastic. But basically I recognized 178 threats. 54 of them were insiders, everything from the robot to the intern to the actual ship itself, Dr. Moriarty, there's a ton of them. And there are nine episodes, like those horrible bottle episodes we all hate, where I couldn't identify anything reasonable as a threat, but there's probably data missing. Here's the part I like. So I put all this data into Elasticsearch, because I'm a data nerd, and this is... it's hard to read what this is, so the top is just "alien." This is where you have a bucket: there are tons of threats in Star Trek that show up one time and only one time, right? And so that's why that looks like that. But then we've got Romulans second, Klingons third, and Data, the robot, is basically the third most dangerous thing in the Star Trek universe, and we'll talk about him a lot, a lot, a lot. But then the other one I really like is Wesley. Wesley's way down here, right, with the actual ship itself and the Cardassians. So basically Data and Wesley are by far the two most dangerous insider threats.

Would you say, for the Kardashians, how do you break that down between Kourtney and Khloé, and, well, like, fantastic, or are they just all lumped under, like... and how about the Jenners, or are they just lumped together under "alien"? I have a confession I have to make: I literally don't know any of the names of the Kardashians you're talking about, but that's well done though, sir, well done.

All right, so we'll start out with some quick observations, right? The ship has no authentication, apparently; there's a next slide, we talk about that, there's a reason for it. No two-factor auth. Sandboxing doesn't work at all. And Worf, I don't know what Worf's job is. That is from Twitter, which may be gone now, I don't know, but I love that so much, that made my day when I saw it. Well, actually, that one's pretty easy: Worf's job is to be an early detection mechanism. He's basically like a human honeypot, or actually a Klingon honeypot. Could be. You know, that's how you know that you have an actual threat: somebody beats the snot out of Worf and they're like, oh, this is a credible threat, we might be able to do something. That could be, that could be awesome.

Okay, so why does the ship have no authentication? Right, in the last episode of the first season, "The Neutral Zone," this guy in the blue, he calls the captain at one point because he's getting annoyed that the captain isn't talking to him on the computer screen. And then the captain's like, "who is this, why are you talking to me?" And then the guy's like, "well, if you don't want people using it you should put authentication on it," and the captain was basically like, "we don't need authentication because we're future dwellers who don't need such trivialities," and that was a lie. Okay, so what you're telling me is that we're still going to be running passwords in the 24th century? Sadly, maybe. Well, no, they just aren't passwords, right? Passwordless. They solved it, they cracked it, it's fine.

Okay, so now, is this relevant? That's the other thing I thought of. Star Trek's from 1987, right? Like, what's from 1987? No, that's from 1987. Like, that's how old this is, right? But it's very relevant even today in 2023, right? They have a primary focus on running an Enterprise and no one knows how to secure it. They have generative AI. Well done, generative AI, right? Right now, this one as well: in this episode the blind man taught the robot to paint, so that's extra cool. Virtual reality, right? With paint, or hate? I couldn't hear what you... paint, paint, paint. We have social networks, additive manufacturing, right, 3D printing, they have those fancy replicators which I would die for, reusable launch vehicles. Like, it's relevant. Completely relevant.

Okay, now here's the meat of it. Here's where we start tabletopping our examples, and here's what we're going to talk about. So I'm starting with this one because I'm very proud of the title. So for Star Trek nerds, right, yeah, yeah, yeah, you've got to think about it for a second. So for Star Trek nerds, this episode has a supply chain attack, but it is the most convoluted, ridiculous attack in the history of the supply chain. So the guy there, that's Commander Data, for anyone who doesn't know, and the guy next to him is a fellow named Fajo. So Fajo wants to steal Data, and he creates this scenario that will bring Data to him. So there's a planet called B... and I can't pronounce any of this stuff correctly, so heckle away, man. So there's a planet called Beta Agni II, which has its water contaminated with something called tricyanate. Thank you. Tricyanate has to be treated with something called hytritium. This is all very real. And then hytritium... thank you, thank you, see, this is why the heckling is important. Hytritium. But hytritium can't be transported, so the Enterprise, because plot, because why not, right, because your story is bad and no one wants to watch it, that's why, like, so they can't transport it. So they have to move it in a shuttle, and they of course decide that the one-of-a-kind android they have on the ship should be the one to move it, because obviously, why not. And so this guy basically knocks Data out, puts his stuff, like the things he's made of, his bill of materials as we would say, bill of materials, and then they put it in the shuttle. Shuttle explodes, and Enterprise is like, oh no, Data's dead, what are we going to do now? And like, that's a pretty... someone has set us up the SBOM. But that someone has set us up the... set us up the SBOM, that's right, they did.

Okay, so now here's the other thing I did. This is the MITRE ATT&CK framework under Lessons Learned. So for every one of these I apply the MITRE ATT&CK framework too, and the Exfiltration Over Physical Medium I thought was, like, chef's kiss, that was really, really good. And then obviously a Supply Chain Compromise. And then I have suggested mitigations for everything. Obviously you could fill your own in if you ever wanted to do something like this. And I have a lot of these, a lot of them to go through, so that's what we're going to do. We'll start at the beginning. I'm not going through them in order.

Okay, so "Encounter at Farpoint." This is the first episode of Star Trek: The Next Generation. It's not very good, if you watch it, but that's okay. And they run into a guy named Q. Q is an omnipotent being in the Star Trek universe; he's not the first, he's probably not the last. And my favorite scene from this is when Q is kind of giving them a hard time on the ship, Picard says everyone should use printouts to communicate so their adversary can't detect what is being sent. And that amuses me to no end. First of all, it's not the paperless office, so we escaped that travesty, but then, like, why would printouts be any better or worse than a screen? I don't know, whatever. And then they save the alien. And that's a typical CEO move right there, anyway, right? "I don't want to read my... just print my email for me." Yes, exactly, that's right, exactly, exactly. Okay, so I couldn't find anything about omnipotent threat actors. I couldn't map this one to anything, but there are more than one omnipotent threat actors in the Star Trek universe, for anyone who likes it.

Dr. Moriarty. So there are two episodes with this guy in them. He's a holodeck character that becomes self-aware and then takes over the ship. So this is why the holodeck needs sandboxing, because it obviously doesn't have any. They let him do it twice, because they're not smart people. You'd think after the first time they'd do something, anything, to solve this, but no, they never solve their problems. They had a really bad prompt engineer. They had a really bad prompt engineer, that's true, probably, that's true, that's true. He says, can he beat Data? That's true, and he does technically beat Data, I suppose, if you look at it that way. That's a good point. I love it, I love it. Okay, now, I mean, putting something in the backlog is doing something, it's just not effective. That's true, they never got back to that epic, right? Yeah, yes, "put it in my backlog, I'll get to it later," yes. Okay, what did you say? Already, he did phish him, yes, yes. And so I actually ran out of... there's so much he does, and his attack is so brilliant, like I just basically stopped writing them down because I was going through the threat framework, or ATT&CK, but, like, if you look at the way Moriarty actually attacks the ship, it is fascinating. The writers did a good job of detailing, like, good, real attacks and a brilliant threat actor. So this one specifically I truly adore for, like, real, honest-to-God security measures, right? And then for my suggested mitigations, obviously sandboxing is a big one, but then also I think, like, in the Star Trek Field Guide they really need a "so your starship has become self-aware." This happens more than once, right? This is not the first time or the last; it will keep happening.

This one is one of my favorites. There's an early episode called "Evolution." Wesley is doing a science experiment and he doesn't clean up after himself, as no children ever do, and then his science experiment becomes life, because, yeah, I mean, we've all seen our kids' rooms, right? That's not surprising at all. But then my favorite part is they're trying to communicate with this unknown life form, and what do they do? They let it take over the robot so they can talk to it. Android. Android, yes, you're the first one to correct me on that, like I was waiting for it. It doesn't sound too different from some of the stories I've heard about Kevin Mitnick, actually, where, like, oh, let's just... maybe we can talk to the guy on the system, you know. It definitely feels like that, for sure. So yeah, they let the life form talk through the Android. And so this one I struggled with the ATT&CK framework, like, is that a hardware addition if you have the life form take over the robot? I don't know, maybe it is. You got Andre... well done, yes, yes, thank you. I think it's actually just a Microsoft update, is what that is. It could be. I mean, that's right. No, it installed too fast, it wasn't from Microsoft. All right, yes. So, like, internal spearphishing? I don't know, you figure you had an internal adversary that tricked them into doing something incredibly stupid. Of course it then squandered its attack status, but that's okay. Is it software deployment? I don't know. But I think fundamentally, like, whatever the Android safety manual is, it's not very good, and I think this is definitely something they should cover, because it happens again. I mean, all this stuff happens more than once, it's insane.

Okay, this one is special for the arrow. There is an episode called "Brothers" where Data suddenly, like, something happens to him, he takes over the ship. That's probably what Worf's email was about to Geordi. He takes over the ship and he locks the ship with a password, a pretty good password. That's his password on the screen right there. Like, that's not bad, right? I bet if you typed that into your password prompt it would say "pretty good password," right? And so, like, this is one of the few times we actually see passwords show up in the Star Trek universe, which I think... actually, it would say it needs a symbol and maybe a couple of letters. It does not, no, it's long; we all know now long is better than symbols, it's fine. And he has numbers, he does have... but that's not what the prompt would say. Maybe, okay, maybe it depends which prompt. I won't argue. Make your password worse to comply. I think that's too long for bcrypt. I think bcrypt would actually truncate it at, like, half. Okay, okay, so Jonathan just said it's too long for bcrypt, because bcrypt has a maximum of, what, like 80-some characters or something, I think, maybe. It's not so... but now here's a question. So it says, like, 163: does the computer treat that as a word, or does it turn the "one" into the numeral 1? I don't know. You, Star Trek heckler, what do you know? I know nothing, just like you. So anyway, anyway. So much longer than the self-destruct. That's true, because those are usually, like, three characters long, absolutely. And I should also add, as part of this, Data mimics the captain's voice, so obviously this is one of those situations as well where, if you have an android on your ship, like, maybe voice prompts aren't the answer to your security, because it turns out they can abuse that. So, like, this is where, if they just bought everyone YubiKeys, they could solve this problem, you know? Like, that would have totally... it would have solved a lot of their problems, honestly, if they did that. Maybe. I mean, they're obviously not... Did you say use the sensors to see who's speaking? Yes, well, but unfortunately that violates GDPR, which is why you can't find anybody on the Enterprise with the sensors, because unless you've consented as a Starfleet officer you have to have the "ignore that person." Now, on that note, if they take off their communicator they can't find them on the ship, which is a hilarious plot point, because they can detect an alien spaceship light years away, but, right, they can't find, like, the intern running around without his communicator on. So, that's the Do Not Track setting, that's right, maybe, yeah, that's right, probably that's what Starfleet regulations say, you have to honor that. I get it. Does Data have a robots.txt file? Does Data have a robots.txt file, that is an... I don't want to know where he keeps it. Brilliant, brilliant.

Okay, I'm also very proud of this particular description, wherein there's an episode called "The Best of Both Worlds." It's a two-parter. It's a very good two-parter. For those of us who lived through The Next Generation, they ended it on a cliffhanger and we had to wait for the next season to come out before we knew if everything would go back to normal at the end, which it did, thank goodness. But so in this one the Borg, the social media network run by Mark Zuckerberg probably, they capture Captain Picard and they wanted to use him as their spokes