Paul Fleming: "Taming the Personal Cybersphere" · Cannes Lions 2016 · Workshop 22.06.16
Cybersphere - Threats & Risks
John Synnott, Manager, Flight Operations Information Technology, IATA
Risk Assessment – Data/Information/Systems: Doron Bergerbest-Eilon, Founder and CEO, ASERO
Airline Vulnerabilities to Hacking: Chris Roberts, Chief Security Strategist for Attivo, Advisor for Cympire, Virsec, OverWatch ID
Aviation Threats & Risks…
Chris Roberts, Chief Security Strategist
Sidragon1 (LinkedIn and Twitter)
Yes…You Invited a Hacker…
The Blue Goatee…
• In the InfoSec/Cyber industry for too many years...
• Broke Nigeria, ISS, Mars Rover, airplanes, trains, etc.
– Researched a whole lot more…
• Now Chief Security Strategist with Attivo Networks.
– Why? Because the deceptive space gives us asymmetric defense for once.
– Why? Because change comes from the inside…
• Currently researching humans, consciousness computing and shipping.
– Because there are better ways than passwords!
– Because the future’s not already scary enough☺
– Because it seemed like a good idea to make a ship roll over…
• Might also have a whisky collection that borders on the obsessive…– Occasionally travels with the whisky football (thanks Inbar!)
And For Those NOT Awake…
This is why I can’t fly on a number of airlines…
Agenda
• Quick intro
– You invited a hacker, specifically this one…
• History lesson
– And where we are today
• Complexities…
– What does that mean for us?
• Let me count the ways I love thee…
– How MANY different ways can we attack you?
• All done here, time to change…
– Breaking things summed up
• Let’s fix things
– Back to basics, removing the blinky stuff AND working together!
• Wrapping it all up
– Some wise words from someone else
Quick History Lesson:
History Of Avionic Research
2010: Began researching avionic systems
2011: Presented ground based findings at conferences
2012: Presented updated research (ground/air) at conferences
2013: Talked with Boeing’s red team
2013: Talked to, and was put under NDA by, Panasonic
2014: Talked with Airbus
2014: IOActive also presented issues with Satcom
2015: Went very public, and got banned by airlines
2017: DHS and research teams validate findings
2018: Same as above, research teams validate issues
Reaction From Aviation Industry?
So, Where Are We Now?
And…When It All Goes Wrong…
Lawyers:
• A team of lawyers gets involved…ALL the time.
• A team of lawyers never lets us apologize.
• A team of lawyers never lets us discuss our faults in public.
• A team of lawyers doesn’t allow us to share our experiences with our peers (in a timely manner.)
• A team of lawyers hinders our ability to effect change.
• And if we ever DO say anything, another team of ambulance-chasing lawyers is ready to sue us out of existence.
Complexities:
HOW Complex?
• Data!
– GE’s engines collect 5,000 data points per second
– Boeing 787 collects 500GB of data per flight
– Airbus A350 generates 2.5TB of data a day
– Airbus A380 has “around” 25,000 sensors
– Modern wings can have 10,000 sensors EACH
• 104,000 flights a DAY (globally)
– ADS-B (in/out) spoofing
• Next generation planes will TRIPLE the data flow
– How do we handle data integrity?
– How do we detect data manipulation or modification?
Quick Reference!
• 2.5TB of data is the equivalent of:
– 2 human brains’ worth of capacity
– 520 DVDs
– 3,800 CDs
– 200,000 phone books
– 1,000,000,000 typewritten pages of paper
OR
– One A350 flight…
The Simpler Days…
Dear gray haired people, I know this is what you remember…
Today’s Avionic Networks
Technology Has Moved On, We’ve Been Left Behind
Let Me Count The Ways I Hack Thee…
Supply Chain
I’d always equated building a plane as being able to get 101 suppliers together…
Apparently Lego also decided that it takes 101 suppliers to build a plane too…
How Many Of You KNOW How Secure Your Vendors Are?
Attack Surfaces - Ground
Ground maintenance laptops:
• Delivered from factory with defaults enabled
• No password OR a basic one…
• Why do we find them connected to the Internet?
• Updates, I get it, but then disconnect!
• Games on them…seriously?
• I know, it gets boring…READ a bloody book!
• Congratulations on customizing it…
• Now we can ALL access it via your WiFi/BLE
Worst case, social engineering:
• Yellow/orange safety jacket
• Correct boots
• Blue overalls
• Copied ID badge….
Or…
Techsat software (one among MANY of the vendors)
Upload site vulnerable (WordPress), software is in default build (reverse engineer.)
An hour of OSINT work shows code, developer passwords and account intelligence.
All your configurations now belong to me.
Attack Surfaces - Air
How?
• Research (lots of it)
– So much of what everyone does IS on the Internet
• Access to a maintenance laptop AND certificates (security things)
– Not hard, social engineering and a USB stick
– Accessed at the same time as a tour of the facility
• Right place to access on both ground AND air
– Ground systems rarely secured, air systems more social engineering
• Time…
– This IS the one thing it DOES take!
• Open source intelligence AND a lot of phone calls
– Calling all the suppliers and getting code, configurations, etc.
• Built out a testing lab (thanks to all YOUR suppliers)
– Back to going in prepared….
A Bad Day, For Everyone
The inertial reference system (IRS) is used for airplane position, acceleration, track, vertical speed, ground speed, true and magnetic heading, wind speed and direction.
It also supplies altitude data for the displays, flight management system, flight controls, engine controls, and other systems.
Remember Those Sensors
• Supply chain attack:
– Accessing supplier computers and modifying the firmware (e.g., preinstalling back doors, malicious code, etc.) (Acer, Cisco, Android and others being very prominent examples.)
• Data injection:
– Injecting false data into a computer-driven data analysis process through a compromised system.
• Jamming:
– Transmitting high power signals to impede reception of RF/EO signals (i.e., degrading accuracy and continuity).
• Spoofing/replay attack:
– Building and transmitting false signals to deceive a target RF/EO sensor’s positioning and/or tracking data.
– Capturing a legitimate RF/EO signal and rebroadcasting it with alterations (e.g., time delay), affecting the RF/EO sensor’s estimation accuracy, continuity and/or integrity (GNSS, etc.)
• Malware infection:
– Injecting software into the system with deliberate harmful intent, including viruses, worms, back doors, ransomware, etc.
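The data-injection and replay items above, and the two integrity questions in the Complexities section (how do we handle data integrity, how do we detect manipulation), come down to one receiver-side capability: telling a genuine record from a fabricated or rebroadcast one. The following is an added example, not from the talk and not any real avionics or sensor-bus format. It shows the minimal pattern a practitioner would reach for: a per-source key, an HMAC over every record, and a monotonic counter so that a captured record cannot be played back. The record layout, the demo key and the sample readings are all constructed for the illustration.

```python
"""Authenticated, replay-protected telemetry records (illustrative).

Added example, not from the talk. Assumes a per-sensor key provisioned out of band
and a record layout chosen here: sensor_id (u16), counter (u64), value (f64),
followed by an HMAC-SHA256 tag. Nothing here reflects a real avionics bus format.
"""
import hashlib
import hmac
import struct

RECORD_FMT = ">HQd"                       # sensor_id, monotonic counter, reading
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 18 bytes
TAG_LEN = 32                              # HMAC-SHA256 output

# Constructed demo key; a real deployment provisions one key per sensor.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def sign_record(key: bytes, sensor_id: int, counter: int, value: float) -> bytes:
    """Sender side: serialize the record and append its HMAC tag."""
    record = struct.pack(RECORD_FMT, sensor_id, counter, value)
    return record + hmac.new(key, record, hashlib.sha256).digest()


class Receiver:
    """Receiver side: reject frames that are malformed, forged/modified, or replayed."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}  # sensor_id -> highest counter accepted so far

    def accept(self, frame: bytes):
        if len(frame) != RECORD_LEN + TAG_LEN:
            return ("reject", "length")
        record, tag = frame[:RECORD_LEN], frame[RECORD_LEN:]
        expected = hmac.new(self.key, record, hashlib.sha256).digest()
        # Constant-time compare: an injected or modified record fails here.
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad_mac")
        sensor_id, counter, value = struct.unpack(RECORD_FMT, record)
        # A captured-and-rebroadcast record carries a valid tag but a stale counter.
        if counter <= self.last_counter.get(sensor_id, -1):
            return ("reject", "replay")
        self.last_counter[sensor_id] = counter
        return ("accept", value)


def run_demo(key: bytes = DEMO_KEY):
    """Feed one genuine frame, then the attack classes from the slide, then the next genuine frame."""
    rx = Receiver(key)
    genuine = sign_record(key, sensor_id=7, counter=1, value=35000.0)
    outcomes = {"genuine": rx.accept(genuine)}

    # Replay: the same bytes again; the tag is still valid but the counter has not advanced.
    outcomes["replay"] = rx.accept(genuine)

    # Modification: flip one bit inside the value field; the tag no longer matches.
    modified = bytearray(genuine)
    modified[RECORD_LEN - 1] ^= 0x01
    outcomes["modified"] = rx.accept(bytes(modified))

    # Injection without the key: a fabricated record with a guessed (all-zero) tag.
    forged = struct.pack(RECORD_FMT, 7, 2, -1.0) + bytes(TAG_LEN)
    outcomes["injected"] = rx.accept(forged)

    # The legitimate next reading still gets through.
    outcomes["next"] = rx.accept(sign_record(key, sensor_id=7, counter=2, value=35010.0))
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:9s} -> {result}")
```

Two caveats follow directly from the slide. This pattern does nothing against the supply-chain item: a supplier that ships backdoored firmware ships the key with it, so the signed records are "genuine" by construction. And it sits downstream of the RF/EO sensor, so a jammed or spoofed GNSS signal is faithfully signed and accepted; RF-level attacks need RF-level or cross-source plausibility checks, not a MAC.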
ADS-B
• Automatic Dependent Surveillance–Broadcast (ADS-B)
– Message corruption
– Message denial
– Message delay
– Message replay
– Message ghosting
• Tell me again, how much do you rely upon it?
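Every one of the five message-level attacks listed above is possible because the 1090ES ADS-B downlink (Mode S extended squitter, downlink format 17) protects its 112-bit frame with a 24-bit CRC and nothing else: there is no key, so parity detects noise, not adversaries. The following is an added example, not from the talk, implementing the public Mode S CRC-24 and the type-code-4 aircraft-identification layout so a frame can be built, checked and decoded offline. The ICAO address and callsign are constructed; the "ghost" frame is not a real aircraft.

```python
"""Mode S extended squitter (DF17, the ADS-B downlink) parity: build, check, decode.

Added example, not from the talk. Implements the public Mode S CRC-24 and the
aircraft-identification (type code 4) message layout so that a constructed frame
can be checked and decoded offline. ICAO address and callsign below are made up.
"""

# Mode S generator polynomial x^24 + x^23 + ... + x^12 + x^10 + x^3 + 1, written without its x^24 term.
MODES_POLY = 0xFFF409

# Six-bit character set used in identification messages (index 32 is a space).
ID_CHARS = "#ABCDEFGHIJKLMNOPQRSTUVWXYZ#####_###############0123456789######".replace("_", " ")


def crc24(data: bytes) -> int:
    """Remainder of M(x)*x^24 mod G(x): init 0, MSB first, no final XOR."""
    crc = 0
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= MODES_POLY
            crc &= 0xFFFFFF
    return crc


def parity_ok(msg: bytes) -> bool:
    """DF17 carries the bare CRC in its last 24 bits (no interrogator ID is XORed in)."""
    return len(msg) == 14 and crc24(msg[:11]) == int.from_bytes(msg[11:], "big")


def build_identification(icao: int, callsign: str, ca: int = 5, category: int = 0) -> bytes:
    """Construct a 112-bit DF17 aircraft-identification frame with a valid parity field.

    This is exactly what a ghost-aircraft injector does: no key is involved, so any
    party that knows the spec can produce a frame receivers will accept.
    """
    if len(callsign) != 8:
        raise ValueError("callsign is 8 characters, space padded")
    tc = 4  # type code 4: aircraft identification, category set A
    me = (tc << 51) | (category << 48)          # 56-bit ME field
    for i, ch in enumerate(callsign.upper()):
        me |= ID_CHARS.index(ch) << (42 - 6 * i)
    body = bytes([(17 << 3) | ca]) + icao.to_bytes(3, "big") + me.to_bytes(7, "big")
    return body + crc24(body).to_bytes(3, "big")


def decode_identification(msg: bytes) -> dict:
    """Parse DF, CA, ICAO address, type code and callsign from a 14-byte frame."""
    me = int.from_bytes(msg[4:11], "big")
    callsign = "".join(ID_CHARS[(me >> (42 - 6 * i)) & 0x3F] for i in range(8))
    return {
        "df": msg[0] >> 3,
        "ca": msg[0] & 0x7,
        "icao": msg[1:4].hex(),
        "tc": me >> 51,
        "callsign": callsign,
        "parity_ok": parity_ok(msg),
    }


if __name__ == "__main__":
    ghost = build_identification(0xABCDEF, "GHOST01 ")   # constructed, not a real aircraft
    print(ghost.hex().upper(), decode_identification(ghost))
    damaged = bytearray(ghost)
    damaged[6] ^= 0x40                                  # one bit error in the ME field
    print("damaged frame parity_ok:", parity_ok(bytes(damaged)))
```

Read the two outputs against the slide: the constructed ghost frame passes `parity_ok` because the forger computes the same CRC the receiver does (ghosting, and spoofing in general), while a single corrupted bit fails it (corruption). A captured genuine frame rebroadcast later also passes, since nothing in the frame binds it to a time (delay, replay). Parity answers the slide's question only for accidental errors; confidence in ADS-B has to come from outside the frame, such as multilateration or plausibility checks against other sensors.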
It’s Ok, You’re Not Alone…
Transportation & Intermodal
Cars And Lorries
Volvo – Bluetooth – Engine Management
Hacking cars on the groundOR
Hacking planes at 35,000 feet
YOUR CHOICE
Ships Through The Front Door…
Open RDP to a few container ships??
Make It Roll Over…
RDP to ship, then maintenance system scan to:
Ballast control module…May 2018
And…Over Again
SATCOM – Navigation – RDP – Maintenance – Ballast Control
Locomotives:
What to do when you get banned from several airlines…
Trains, Signals And Rail Yards…
Rail yard, run by a 3rd party, manages freight across the entire country.
TELNET access, ID=Admin PWD=Admin1
GE-EMD Locomotive
Cellular, rail-line or network access to train
ID=Admin PWD=000000
ElectroLogIXS switch (scattered ALL over the USA.)
Allows signals to be interrupted AND changed…
Man NOT Present, bypassed. PWD=password
Can change signals from RED to GREEN etc.
We’re Broken
So That’s It…
• I’m done talking about breaking things.
– We ALL know it can be done
– We ALL know how easy it is
– We ALL realize that things are not getting better
– We ALL know aviation is a target
– Heck, we should ALL know that everything is a target
• So, what the heck DO we do about it?
Stop Complaining, Let’s Fix Things:
Not The Solution
Fix The Basics!
Back to Basics
• The human:
– 1 hour of awareness training PER year
– ½ session of “don’t click shit”
– ½ session of “don’t send shit”
– No understanding of balancing work and life security
– P@ssw0rd1 used at work and on Facebook etc.
– Thinks the “S” in HTTPS is for wimps
Fix the humans
Change the conversation
Safety NOT Security
Back to Basics (2)
• Your computers:
– The ones on the FLAT network running W2k
– The ones in the warehouse running XP
– The ones the vendor said don’t touch
– The ones on the Internet with RDP!!
– The ones on the Internet with 1433/3306/Etc.
– The ones you don’t even know about!
Remove the easy ways in!
Back to Basics (3)
• Your perimeter:
– Accept it, you don’t have one
– The laptops, iPhones, IoT took your control away
– Computer No1 on YOUR network is hacked
– 2018’s NGIPS/UBA/NGFW isn’t going to help
– Reactive, static defenses suck and don’t work
– There is NO cake, no fairy and NO simple answer
– Start building deceptive, asymmetric defensive tech
Get eyes inside your world!
Back to Basics (4)
• Passwords (still)
– Stop the re-use!
– Teach pass phrases and password vaults.
– Teach separation/segmentation
– 2FA, it’s NOT hard to integrate
– All your users DON’T need to be admin!
– All your admins NEED to be separated
– All your developers DON’T need to hardcode
– AND , taser the vendor who leaves defaults!
Education and simpler integration
Back to Basics (5)
• Get a plan
– Face it, shit’s going to hit the fan at some point.
– Be prepared, it’s simpler to reach for the IR forms than to wonder WHAT to do…
– Have the communications plan in place ready to go…
– Have the humans prepared. (No, not cannibalism)
– Practice makes perfect, headless chicken mode is NOT needed…
– Know the steps (OODA or NIST IR)
Get a plan!
Or, In Our Language…
PS: Duct Tape Does NOT Fix Everything…
Security, Safety OR Risk?
Safety vs. Security
• Humans have evolved over the last 50-60,000 years.
• Humans have always been targeted, depending upon various circumstances.
• We UNDERSTAND safety.
• Security is NOT part of our language.
There is NO such thing as security.
There is just the measurement of RISK.
• Arguably there is nothing that can be totally secured.
– Therefore, does a state of security really exist?
– If yes, then HOW do you measure security?
– If no, then WHY are we going round in circles trying to tell folks what exactly?!?
• Change the conversations, talk about risk.
– NOT “cyber risk” but simply business risk.
– We know that companies have quantified risk for as long as someone’s been willing to sell insurance.
– If we can’t beat them…join them!
Risk Not Security:
Existential Crisis For InfoSec…
Replace The Blinky Stuff…
Static Defense…
Static Defenses (Mk2)
Walls… Fire, Brick, Etc.
“Walls for the last 4,100 years have provided temporary relief at best, but a fool’s folly for the most part. They are nothing more than a willy-waving exercise designed to attract MORE attention and innovation in how to circumvent and bypass.”
Assets!
How many of you KNOW what assets you HAVE
Let alone where they are…
Blunt
• You don’t have a perimeter:
– You lost that when you allowed email to become mobile and the cloud took it to a whole new level, let alone your 3rd parties and supply chain having access everywhere...
– When the coffee machine talks to the fridge and Alexa answers…you don’t have a perimeter!
• You haven’t fixed the basics:
– Patches done ALL over the place (on stuff you can find) hopefully…ish
– You have an SDLC for developers and all those teams are managed correctly?
– You have shared code ALL over your apps, and don’t know it.
– Defaults in place, passwords not separated, local admin for users?
– You train your users annually and expect them to remember? (never mind PPC’s)
• I’m here…
– And you are not watching all your logs ALL the time OR you’ve tuned me out?
– You think that antivirus is effective or rely upon endpoint protection.
– You think your firewall’s going to save you…
Assume Breach
Adversaries WILL get in, we can’t stop them. (if they’re not already there)
The question is simple…
HOW will you know, and WHAT are you going to do about it?
Preventative, Proactive, Deceptive!Asymmetric Defense!
To Me, This IS Your Network
Let’s Change The Picture!
Let’s ADD More Doors…
Remove The Welcome Mat…
Add Some Surprises…
AND, Put It All Back Neatly…
THIS Is Now Your Network…
Behind those doors are traps and lures and WELL camouflaged deceptive technology
Can YOU tell the difference?
Wrapping It All Up…
Our History
Our Future
All Of Us…
• Irrespective of your background.
• Irrespective of your race, creed, color, faith, or eye color.
• Absolutely irrespective of your orientation!
• Change takes ALL of us.
– This isn’t security’s problem, it isn’t the researchers’ fault, we need to stop blaming the hackers.
– This isn’t the C-Suite’s blame to carry, nor is it the users’ issue to solve. Developers need to be out of the firing line, as does EVERYONE in the business.
• We ALL take some of the responsibility, therefore we ALL have to solve it…together!
Collaborate Or Die
5 million apps, 6 billion connected people, 26 Billion devices, 3 million shortfall in InfoSec…
Breaking things is easy…
…fixing them is a whole lot harder
“We may have all come on different ships, but we’re in the same boat now”
Martin Luther King, Jr.
I will fail
We will succeed
“So long and thanks for all the fish”Douglas Adams, you are missed.
Thank you to IATA and everyone here!