daniel lance - what "you've got mail" taught me about cyber security

WHAT “YOU’VE GOT MAIL” TAUGHT ME ABOUT CYBER SECURITY Hawaii Security Sessions

Upload: energysec

Post on 07-Apr-2017


TRANSCRIPT

Page 1: Daniel Lance - What "You've Got Mail" Taught Me About Cyber Security

WHAT "YOU'VE GOT MAIL" TAUGHT ME ABOUT CYBER SECURITY

Hawaii Security Sessions

Page 2:

Reintroduce ideas. Break old ones.

What the heck?!

Tom Hanks: NY152

Meg Ryan: Shopgirl

Page 4:

What is a researcher?

What do they do?

Page 5:

WHAT IS A "ZERO-DAY"

[Calendar graphic: a February page with the days of the month laid out; the joke is to find the "zero day" on it.]

It's easier than you might think, but you might be looking in the wrong places, the wrong way, and if you blink you could miss it in some special instances.

Can you find one?

Not the 29th.

Too busy, 5th.

9th, Monday, ehh.

21st seems good.

"Who cares, that's just a DEF CON term."

"Think the news was using it."

"Was part of Stuxnet and we've scanned for it."

"Why did all of the PLCs go offline then back?"

Above is the list of reasons why anyone might not be familiar with a cyber security researcher: there are few of us, and we don't get introduced until people put on sad faces.

Page 6:

@DanielCLance

Twitter to Hacking, Step by Step

Miami to Phoenix

Plan: none.

Procedure: ehh, not really.

Schedule: none.

Page 7:

Twitter

Start to notice a trend in the technologies developers are using to promote new products.

The Tech

"I wasn't looking but found something."

Page 8:

Event-Horizon

The go/no-go point for any good guy or bad guy: the moment you can't pass something up that you know about, or have a great feeling about.

Funny feeling

"I wasn't looking but found something."

Page 9:

Approach Tactic

Analogous Path Completion

Company who uses

Company who adds to

Company who works on

Customer (end user)

Service provider

Company who develops

Weighing Analysis: There isn't a right answer or a wrong one. But picking the lesser-evil path, if possible, is advised and more often easier.

Page 10:

Planning: Is there a way of telling all parties involved what the issue is and what milestones will escalate this effort?

Promotion: Is this going to be something loud? What is the current reputation of the target, and how will a vulnerability force change?

Research: Who are we really looking at and why? You can waste a ton of time contemplating who and what to peek into.

Review: Bounce ideas off other people in the industry. Use the kind of detail that protects the idea from harming the public.

Page 11:

Size: Knowing the target "size" can tell you a little about possible reactions to your findings. They might not be a good target.

Relationships: Is there a win-win that can be found in working with one target over another? Customers demanding change works.

Industry Target: Is this issue going to affect only one major player, or will it affect all of them, and in what way?

Page 12:

Strategic: Is this really the best use of time? How mission-critical is the issue? Ask this throughout research.

Loyal: Do we have a way to see the issue through to the end? Is the body of work going to require any long-term funding?

Honest: Can the data collected about the target be a risk to the researcher, and when do you stop?

Respectful: Are there relationships at play that might affect the company you work for and the target?

Accomplishment: What do we show to the public when we show the capability of working on a particular set of equipment?

Energetic: What is the speed of approach, based on any possible past experiences with the target?

Page 13:

Respectful

Accomplishment

Approach Speed

Industry

The End User

The Company

"Weighing should be interlaced."

Page 14:

CERT Use

Reporting Method

Public Disclosure

Personal Risk

Mitigation w/ affected

Private Disclosure

Weighing Analysis: There isn't a right answer or a wrong one. But picking the lesser-evil path, if possible, is advised and more often easier.

Page 15:

The two forks are optional, but the center is the integrity of approach and must always be done.

Approach Tactic: Required / Optional / Optional

Page 16:

This can all be very useful later if you have to write a vulnerability report.

INVESTIGATE

Websites: What all are they showing on their website? Are they talking about the technology as a new innovation?

Way-back Machine: What did they show the public in the past? Can this be used against them?

Shodan: See how people are using the technology and whether it already shows up in the public space.

YouTube: Many companies use video as a training tool. How can this be used against them?
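The Way-back Machine step above, as an added example that is not part of the talk: the Wayback Machine's CDX index can be queried for every capture of a vendor's download area, and the captured URLs compared against what the live site lists today. The CDX endpoint and its query parameters are real; `example.com`, the sample response rows, the "current site" URL set and the function names are constructed so the script runs offline.

```python
"""Mine the Wayback Machine CDX index for what a vendor's site used to expose.

Added example; not code from the talk. CDX_ENDPOINT and the query parameters
are the real API, everything else (example.com, SAMPLE_CDX, CURRENT_SITE) is
constructed sample data.
"""
import json
from urllib.parse import urlencode

CDX_ENDPOINT = "https://web.archive.org/cdx/search/cdx"


def cdx_query_url(url_pattern, from_year=None, to_year=None, limit=1000):
    """Build a CDX query: JSON output, only HTTP 200 captures, one row per
    distinct content digest. Fetch it with any HTTP client (not done here)."""
    params = {
        "url": url_pattern,            # e.g. "example.com/downloads*"
        "output": "json",
        "filter": "statuscode:200",
        "collapse": "digest",
        "fl": "timestamp,original,mimetype,digest",
        "limit": str(limit),
    }
    if from_year:
        params["from"] = str(from_year)
    if to_year:
        params["to"] = str(to_year)
    return f"{CDX_ENDPOINT}?{urlencode(params)}"


def parse_cdx(body):
    """CDX JSON is a list of rows; the first row is the column header."""
    rows = json.loads(body)
    if not rows:
        return []
    header, data = rows[0], rows[1:]
    records = []
    for row in data:
        rec = dict(zip(header, row))
        # Replayable snapshot URL for the capture.
        rec["snapshot"] = f"https://web.archive.org/web/{rec['timestamp']}/{rec['original']}"
        records.append(rec)
    return records


def downloadable(records, exts=(".pdf", ".zip", ".bin", ".hex", ".tar.gz")):
    """Captures of the file types the slides care about: manuals and firmware."""
    return [r for r in records if r["original"].lower().endswith(exts)]


def no_longer_listed(records, current_urls):
    """URLs captured in the past that are absent from today's crawl of the site:
    the "what did they show the public in the past" question."""
    first_seen = {}
    for r in records:
        first_seen.setdefault(r["original"], r)
    return [r for url, r in first_seen.items() if url not in current_urls]


# Constructed sample response: the real API's shape, fake content.
SAMPLE_CDX = json.dumps([
    ["timestamp", "original", "mimetype", "digest"],
    ["20140305120000", "http://example.com/downloads.html", "text/html", "AAAA"],
    ["20140305120130", "http://example.com/downloads/firmware_v1.2.zip", "application/zip", "BBBB"],
    ["20150810093000", "http://example.com/downloads/service_manual.pdf", "application/pdf", "CCCC"],
    ["20160102000000", "http://example.com/downloads.html", "text/html", "DDDD"],
])

# Constructed: what a crawl of the live site returns today.
CURRENT_SITE = {"http://example.com/downloads.html"}

if __name__ == "__main__":
    print(cdx_query_url("example.com/downloads*", from_year=2012))
    for r in no_longer_listed(parse_cdx(SAMPLE_CDX), CURRENT_SITE):
        print("captured but gone from the live site:", r["snapshot"])
```

Everything found this way was, at the time of capture, public; the point is to see what the vendor later decided to pull, and to fetch it from the snapshot URL rather than the vendor's server so the target's logs show nothing.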

Page 17:

This is a very light assessment of the public perception of the company and isn't always needed at this point in the process. This information can be used to help the vulnerability report.

FISHING IN THE DARK

Service Process: What tools are used to service the technology itself? What service do they do?

RMA Process: How do they handle returned product? Can I get an exploit in to them that way?

Career Center: How do I stack up against what they are looking for? Build an account, apply.

Photos of Controls: Everyone wants to show off. Show me your network operations center (NOC).

Page 18:

READ THE MANUAL

You would be shocked how much you will find: hardcoded passwords left in, default passwords left in with no way to change them in the manual.

When an engineer writes the manual they tend to over-inform you for the task at hand. Use this to your advantage.

Page 19:

DOWNLOADING / LOOKING / WEBSITE

Why wait so long?

There wasn't a password to download manuals and firmware. The manuals had directions to all of the tools needed to service and break the device. They even had directions on how to build the parser they use, which happened to be a stock parser. Then they showed you how to upload new calibration files, and even gave me fake telemetry to test with.

Page 20:

CLARIFY

Collect all of your findings and package them up so they are easy to understand for anyone reading. Then encrypt the hell out of it; at this point it should be clear you have something that could be critical to the humans on the other end of the technology.

VULNERABILITY: Unauthenticated command and control. The sweetest words. You could remotely blow away the firmware on the device and even install applications of your own.

VULNERABILITY: Network-level command and control. Not a worst-case scenario; most of the time this is a quick fix. But in this case the device could be spoofed on the network, so it was a big issue.

SUGGESTION: Basic security practices. This attack was done without having the physical device. If they had protected some of the things we covered, this wouldn't have been possible to uncover.

SUGGESTION: Full network segmentation. This is really more of a mitigation and not a long-term fix.

SUGGESTION: Recall any devices that are used for mission-critical purposes. Rarely done in the real world, but it serves as a way of saying this is a major issue.

Page 21:

This is the easiest part to mess up. You want your work to be taken seriously, so write it up professionally: say what you mean and mean what you say, or the report won't be taken seriously by any developer.

SEND TO THE CORRECT PARTIES

Submit: ICS-CERT and US-CERT both lack a formatting rule for submitting new reports.

Format: Start with company background and the industries affected. Then a narrative explaining the issue at a high level. Close with technical detail.

Proof-of-concept is always good to include. This is where that pre-research will come in.


I am contacting you both as this product is used in both consumer products and ICS, the vendor claims.

Velodyne LiDAR, Inc.

Velodyne's three flagship products, the HDL-64E, HDL-32E, and the PUCK, suggest they are used for:

Automotive

UAV

Mapping

Automation (ICS)

Robotics

Security (Ironic)

Urban Planning

Agriculture

Mining

R&D

Topography

Geology

HDL-64E, HDL-32E, and the PUCK (AKA VLP-16) all make use of packet captures to relay, in plain text, telemetry from the sensor to server. The server will make a logical determination based on the telemetry; this could be leveraged to, in the case of an automobile, tell the server (CPU) in the system that the sensor or vehicle has a wall in front of it. They've employed an embedded web server that doesn't require authentication to access and update both firmware and calibration files for the lasers. If an attacker can gain network level access at any point they can modify the firmware and calibration files and remove any forensic evidence in the process. With very little effort an attacker could access the GPS data also collected in some configurations of the sensor and launch a replay attack, replaying telemetry from the sensor itself at plus or minus a given latitude and longitude. Sample .pcap files can be found at http://midas3.kitware.com/midas/community/29 for testing. Some of the documentation that is public also shows you how they parse the data.

Additionally, if an attacker is on the network, all they need to do is launch an attack at a given telemetry and control what the vehicle (for our example) can see live, thus allowing them to steer the vehicle if an attacker has command and control of a network enabled device.

The official vulnerability of this system:

Unauthenticated command and control with network level command and control lacking basic security practices.

Suggestions:

Full network segmentation. Recall any devices that are used for mission critical, or could present a health and welfare risk to users, and/or bystanders, until basic security practices can be implemented.

http://velodynelidar.com

http://velodynelidar.com/downloads.html

Firmware, manuals, and software are all free to download. Suggest user authentication here.

P.S. https://www.youtube.com/watch?v=wUfHadExvs8 (Proves a good deal of the claims above in the promo video)

You can give them my name; our goal at Archer is to strengthen critical infrastructure through a collaborative effort with affected vendors. Please keep me updated so I may be of service when needed.

Thank you,

Daniel Lance
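The attack the report describes (plaintext telemetry that the server trusts, replayed or spoofed by anyone on the segment) and the "basic security practices" it asks for, as an added example that is not the talk's or the vendor's code. The packet layout here (magic, sequence, time, lat/lon, range) is invented for the illustration and is not any real sensor's wire format; the captured packets, the shared key and the 200 cm obstacle threshold are constructed. The hardened receiver adds an HMAC tag and a strictly increasing sequence number, which is one standard way to get authenticity and replay resistance on a UDP telemetry stream.

```python
"""Replaying and spoofing plaintext sensor telemetry, and a receiver that resists both.

Added illustration; not the talk's code. The packet layout is made up for this
example, not the format of any real sensor. KEY and the captured packets are
constructed test data.
"""
import hashlib
import hmac
import struct

MAGIC = b"TLM1"
FMT = ">4sIIddH"                 # magic, seq u32, time_ms u32, lat f64, lon f64, range_cm u16
HDR_LEN = struct.calcsize(FMT)   # 30 bytes
TAG_LEN = 32                     # HMAC-SHA256
OBSTACLE_CM = 200                # constructed: server decides "wall ahead" below this range
KEY = b"constructed-demo-key-not-for-use"   # real deployments provision one per device


def build_plain(seq, time_ms, lat, lon, range_cm):
    return struct.pack(FMT, MAGIC, seq, time_ms, lat, lon, range_cm)


def parse_plain(pkt):
    magic, seq, t, lat, lon, rng = struct.unpack(FMT, pkt[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    return {"seq": seq, "time_ms": t, "lat": lat, "lon": lon, "range_cm": rng}


class PlainReceiver:
    """Trusts anything that parses: the situation in the report."""
    def __init__(self):
        self.obstacle = False

    def feed(self, pkt):
        self.obstacle = parse_plain(pkt)["range_cm"] < OBSTACLE_CM
        return True


def build_auth(key, seq, time_ms, lat, lon, range_cm):
    """Sensor side of the hardened design: body || HMAC-SHA256(key, body)."""
    body = build_plain(seq, time_ms, lat, lon, range_cm)
    return body + hmac.new(key, body, hashlib.sha256).digest()


class AuthReceiver:
    """Drops packets without a valid tag (spoofed device, edited fields) and
    packets whose sequence number does not advance (replay)."""
    def __init__(self, key):
        self.key, self.last_seq, self.obstacle = key, -1, False

    def feed(self, pkt):
        if len(pkt) != HDR_LEN + TAG_LEN:
            return False
        body, tag = pkt[:HDR_LEN], pkt[HDR_LEN:]
        if not hmac.compare_digest(hmac.new(self.key, body, hashlib.sha256).digest(), tag):
            return False                       # forged or modified
        t = parse_plain(body)
        if t["seq"] <= self.last_seq:
            return False                       # replayed
        self.last_seq = t["seq"]
        self.obstacle = t["range_cm"] < OBSTACLE_CM
        return True


def run_attack(hardened):
    """Drive one receiver through the attack and return what it decided."""
    mk = (lambda *a: build_auth(KEY, *a)) if hardened else build_plain
    rx = AuthReceiver(KEY) if hardened else PlainReceiver()
    lat, lon = 21.3069, -157.8583
    # Attacker sniffed the segment earlier; seq 2 was a real wall 150 cm ahead.
    captured = [mk(1, 1000, lat, lon, 5000), mk(2, 1100, lat, lon, 150), mk(3, 1200, lat, lon, 5000)]
    live_ok = rx.feed(mk(10, 9000, lat, lon, 5000))        # legitimate: road is clear
    clear_before = not rx.obstacle
    replay_ok = rx.feed(captured[1])                        # 1. replay the old "wall"
    phantom_wall = rx.obstacle
    spoof = build_plain(11, 9100, lat, lon, 100) + (b"\x00" * TAG_LEN if hardened else b"")
    spoof_ok = rx.feed(spoof)                               # 2. fake sensor, no key
    edited = bytearray(captured[2])
    struct.pack_into(">d", edited, 12, lat + 0.01)          # 3. shift the GPS fix
    tamper_ok = rx.feed(bytes(edited))
    return {"live_accepted": live_ok, "clear_before_attack": clear_before,
            "replay_accepted": replay_ok, "phantom_wall": phantom_wall,
            "spoof_accepted": spoof_ok, "tamper_accepted": tamper_ok}


if __name__ == "__main__":
    for h in (False, True):
        print("hardened" if h else "plaintext", run_attack(h))
```

With the plaintext format every one of the three moves is accepted and the replay alone puts a phantom wall in front of the vehicle; with the authenticated format all three are dropped. The tag needs a key provisioned on each sensor and the receiver has to remember the last sequence number across restarts, which is why the report's short-term advice is segmentation: a MAC stops forgery and replay but does nothing against an attacker who can simply drop the packets.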

Page 22:

VULNERABILITY DISCLOSURE POLICY

OTHERS: "As of 1 Sept 2011 the other elements of our disclosure policy, see below, are no longer in effect. We will decide what we want to do with any vulnerability. We may disclose it to the vendor; we may disclose some or part of it publicly; we may disclose only to our affected customers; we may keep to ourselves for future use; or we may do something else."

ARCHER LABS: Our goal at Archer is to strengthen critical infrastructure through a collaborative effort with affected vendors. Please keep us updated so we may be of service when needed.

Identifying a vulnerability is easy; taking care of the vulnerability so your work betters the overall health of an industry is often the hard part. And reading vulnerability disclosure policies around the industry proves how most aren't cut out for the job of security research.

Page 23:

MALWARE IN A NUTSHELL: Malicious Software

"Generally, software is considered malware based on the intent of the creator rather than its actual features." -pctools.com-

Dynamic Attack Surface: "Code should be classified from its behavior alone." -Daniel Lance-

Page 24:

Where do these people come from?

Becoming a security researcher?

Former coder, a hacker, a programmer, a developer, and a computer scientist.

Page 25:

Venn Diagram

Page 26:

White, Black, Gray, and everything between? Hat Trick

BAD GUYS: Typically use their skill for some type of personal gain or agenda.

GOOD GUYS: Use their skill for penetration testing and implementation.

GRAY GUYS: They are everywhere you want to be, and typically where you need them.

Page 27:

HACKING/RESEARCH BACKGROUND

COMPUTER SECURITY HACKER HISTORY

Page 28:

1903: Nevil Maskelyne disrupts John Ambrose Fleming's public demonstration of Guglielmo Marconi's purportedly secure wireless telegraphy technology, sending insulting Morse code messages through the auditorium's projector.

1932: The Enigma cipher machine, a family of portable cipher machines with rotor scramblers, is broken by Polish cryptologists Marian Rejewski, Henryk Zygalski and Jerzy Różycki.

1943: French computer expert René Carmille hacks the IBM punched cards used by the Nazis to locate Jews.

1957: Joe Engressia finds that a frequency of 2600 Hz would interact with AT&T's implementation of fully automatic switches.

1960s: Phreaking boxes, used to interact with automated telephone systems.

1980: A National CSS employee reveals the existence of his password cracker.

Page 29:

MORAL HAZARD: You have to wonder if we are mature enough for the technology we choose to use.

1981: The New York Times describes hackers for the first time as we all have come to know them.

1995: Pop culture: the movies The Net and Hackers are released.

1999: Windows 98: hundreds of advisories and patches are released.

2010: Malware: Stuxnet, the first malware conference (MALCON), intellectual property theft from Google.

2016: A hospital pays a $17,000 ransom to get its computers back.

Page 30:

WHAT DOES SUCCESS LOOK LIKE?

Great, now you're in; who cares? Is finding nothing good?

Page 31:

Is there an obvious difference?

"From the time you get in your car for your morning commute to the time you walk through your door at the end of the day, you make decisions about your security." -Daniel Lance (Ripely stole this)-

Forensic vs. Clinical

Page 32:

The Best We've Got In ICS

Working with ICS-CERT

Report: The complete report gets sent in via encrypted email; sometimes other encrypted files get sent as well.

Weighing analysis done, report done. Everything in the report is now TLP:RED to us.

Page 33:

Report Reviewed: The good folks at ICS-CERT review and send any comments back with a ticket number.

This next part takes forever; you wait for a whole Siberian winter to pass before getting another email.

Vendor: ICS-CERT will let you know your report is in the hands of the vendor.

Page 34:

Learn To Play Darts: Then you get another email saying they are "still working to verify claims", or maybe you get a question or two [but still learn darts].

Page 35:

Disclosure: Zero-days matter because we are all affected in some way. Picking the appropriate timing can be key to an effective disclosure.

Patch or quit time. After an appropriate time period you'll know the kind of action the vendor will take.

Page 36:

patch or quit

Timeline For Disclosure (axis: Nov/Dec, Jan/Feb, Mar/Apr, May/Jun, Jul/Aug, Sep/Oct; 2015)

Report Sent

Assigned Ticket

Vendor Verification

Drop Dead Date 100%

Full Disclosure: PUBLIC WITH CUSTOMER OUTREACH

Disclosure Requires Vendor: To follow a proper disclosure path the vendor must take the time to work with research and want to fix the issues. If they don't want to play kickball, we play dodgeball.

Page 37:

Vendor, Customer, Public and I

Disclosure role play

Right side of the room: How would you handle escalating the process, or would you?

Left side of the room: Would you want to know about the issue from the vendor or from me, the researcher?

Public: Everyone who has an opinion.

Page 38:

"Cybersecurity Researchers Are Hunted from All Sides" -Motherboard-

Page 39:

Hacker Motivations

White Hat Hackers

State Sponsored Hackers

Spy Hackers

Security Researcher

Black Hat Hackers

Script Kiddies

Hacktivists

Cyber Terrorists

Page 40:

DEGREES OF HACKING

Militarized code: State sponsored malware.

Custom attack: Think OS-level attack code. This is the stuff most real "zero-days" are made of.

Implementation: They've installed something and left a default passcode in or a port open.

Penetration: Tools are already made; they are just making use of what's around.

Page 41:

ARCHER'S CONTRIBUTION: Free research given to critical infrastructure

All will publish before the end of the year.

[Chart: figures 29+, 3, 6 and 13 against the labels Applications, Sensors, PLCs and Industries; "could represent 21% of all advisories for ICS-CERT in 2016". In 2015 the number of reported vulnerabilities was 142*.]

*Based on Advisories By Vendor coded as a "15".

Page 42:

CLOSING PATH: Where do we go from here?

Build an Ark: Go medieval on malicious code.

You'll be hacked: Accept that and move on.

Hire blue team: Start using firewalls how they were meant to be used.

Hire a researcher: Find problems, not solutions.

Use carrier pigeons: Stop using email.

Isn't everything owned: Go with the masses, pay bounties.

Hold BEER-ISAC: Have a beer and talk about those damn hackers.

Baseline everything: Blow away everything and always start from scratch.