I'm looking forward to the talk from our first speaker, the @kiwicon alpaca (or is it a llama?).
#Kawaiicon @kawaiiconNZ
#Kawaiicon @kawaiiconNZ
And @Metlstorm gets hooked off the stage and replaced by @Sputina!
Long live @kawaiiconNZ!
#Kawaiicon
Long live @kawaiiconNZ!
#Kawaiicon
Its the #Kawaiicon @kawaiiconNZ intro!
Hmmm, it seems to be cut short, I'll post a longer one later...
#Kawaiicon
#Kawaiicon
Everyone has a different path to where they are today.
Just because your path doesn't look like others doesn't mean you're not a hacker.
#Kawaiicon @runasand
Just because your path doesn't look like others doesn't mean you're not a hacker.
#Kawaiicon @runasand
Investigative reporting is a similar problem set to hacking.
You're both trying to solve hard problems in inventive ways.
#Kawaiicon @runasand
You're both trying to solve hard problems in inventive ways.
#Kawaiicon @runasand
Certain careers (doctors, lawyers, etc) follow a very set career path.
InfoSec doesn't have that. There is no set path or the right way to get there.
#Kawaiicon @runasand
InfoSec doesn't have that. There is no set path or the right way to get there.
#Kawaiicon @runasand
Its ok if you don't end up on that set path in life that you think you're supposed to follow.
Do the things you find interesting, the things that excite you, the things that make you happy.
#Kawaiicon @runasand
Do the things you find interesting, the things that excite you, the things that make you happy.
#Kawaiicon @runasand
If something doesn't work for you in life, then you pivot.
We can create the jobs that we want.
#Kawaiicon @runasand
We can create the jobs that we want.
#Kawaiicon @runasand
You can't just give someone tools (like Tor) without providing them with an educational foundation in information security.
The idea that they needed to provide reporters with this training wasn't something that anyone was asking for.
#Kawaiicon @runasand
The idea that they needed to provide reporters with this training wasn't something that anyone was asking for.
#Kawaiicon @runasand
Car hacking wasn't a thing that existed until some folks started hacking cars.
By identifying that gap they created new and interesting jobs that didn't exist before.
And a couple other examples
#Kawaiicon @runasand
By identifying that gap they created new and interesting jobs that didn't exist before.
And a couple other examples
#Kawaiicon @runasand
NYT complained about being able to setup SecureDrop and other issues in the newsroom and Runa said "you should hire me to solve that"
Nek minnit...
#Kawaiicon @runasand
Nek minnit...
#Kawaiicon @runasand
Runa built rapport with the newsroom team via competitive phishing exercises (who was getting pwned).
They loved it!
#Kawaiicon @runasand
They loved it!
#Kawaiicon @runasand
You have to create solutions that don't block the work that is happening.
You don't want your pedantic security demands to block the story going on page 1.
#Kawaiicon @runasand
You don't want your pedantic security demands to block the story going on page 1.
#Kawaiicon @runasand
If you believe your story is a Pulitzer Prize winning story, you're going to be open to taking a lot more risks.
How do enable that but still maintain security?
#Kawaiicon @runasand
How do enable that but still maintain security?
#Kawaiicon @runasand
Previously there was no way for someone to contact the NYTimes (as a newsroom), so they built one.
#Kawaiicon @runasand
#Kawaiicon @runasand
You can replace "journalists" with "hackers" or almost any other profession.
We often strongly identify with the work that we do.
Is what I'm doing now in line with what I want to achieve? Does it make me happy? If yes, great! If no, reconsider.
#Kawaiicon @runasand @mjenkins
We often strongly identify with the work that we do.
Is what I'm doing now in line with what I want to achieve? Does it make me happy? If yes, great! If no, reconsider.
#Kawaiicon @runasand @mjenkins
Runa wants to know what you're up to.
Please share with her over the next couple days and share with each other.
#Kawaiicon @runasand
Please share with her over the next couple days and share with each other.
#Kawaiicon @runasand
Primary goal is dependability.
Trust is different in automotive systems.
Dependable system can fault, but is mitigated.
#Kawaiicon
Trust is different in automotive systems.
Dependable system can fault, but is mitigated.
#Kawaiicon
Only when fault = failure means there is s visible error.
Many fault mitigations in place.
#Kawaiicon
Many fault mitigations in place.
#Kawaiicon
Gutmann!
#Kawaiicon
#Kawaiicon
Current status:
#Kawaiicon
#Kawaiicon
Now its @pink_tangent talking about Endpoint Security.
At Honda they had a ransomware incident. She was involved with remediation - it was a 5 day recovery.
#Kawaiicon @pink_tangent
#Kawaiicon @pink_tangent
Remediation cost approx quarter of a mil...
Remediation isn't cheap. And it happens repeatedly.
#Kawaiicon @pink_tangent
Remediation isn't cheap. And it happens repeatedly.
#Kawaiicon @pink_tangent
Some vendors will try and guarantee that if you run their product, you won't get cryptoed.
"If you just put the endpoint security on the file servers, that'll solve the problem!" Nope.
#Kawaiicon @pink_tangent
"If you just put the endpoint security on the file servers, that'll solve the problem!" Nope.
#Kawaiicon @pink_tangent
Preparation:
Can they support legacy applications?
What about virtual environments?
#Kawaiicon #KawaiiconNZ @pink_tangent
Can they support legacy applications?
What about virtual environments?
#Kawaiicon #KawaiiconNZ @pink_tangent
Via Powershell the vendor missed everything. Vis batch script they caught everything... 🤔
#Kawaiicon #KawaiiconNZ @pink_tangent
#Kawaiicon #KawaiiconNZ @pink_tangent
Ransomware makes a great test sample because it's very visible.
#Kawaiicon #KawaiiconNZ @pink_tangent
#Kawaiicon #KawaiiconNZ @pink_tangent
Test Case 4: Business Compatibility
Deploy to your environment and just see what it comes up with over a few months.
Test it in silent mode so you get reporting but it doesn't kill your apps
Needs asset archiving
#Kawaiicon #KawaiiconNZ @pink_tangent
Deploy to your environment and just see what it comes up with over a few months.
Test it in silent mode so you get reporting but it doesn't kill your apps
Needs asset archiving
#Kawaiicon #KawaiiconNZ @pink_tangent
So, here they were blasting the tarmac off the top of this bridge.
They were told not to allow waste water to flow into the lake, so the stored it in the hollow bridge.
But then there was a storm. One pontoon sank & dragged down others...
#Kawaiicon #KawaiiconNZ @hashoctothorpe
They were told not to allow waste water to flow into the lake, so the stored it in the hollow bridge.
But then there was a storm. One pontoon sank & dragged down others...
#Kawaiicon #KawaiiconNZ @hashoctothorpe
"We've determined that concrete pontoons don't float when they're filled with water" 🙄
#Kawaiicon #KawaiiconNZ @hashoctothorpe
#Kawaiicon #KawaiiconNZ @hashoctothorpe
But this isn't what actually happen:
They had problems keeping up with the pumping schedule.
Some pontoons had more water which caused torsion and the winds twisted the pontoons more. This caused cracks to open and the pontoon to sink.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
They had problems keeping up with the pumping schedule.
Some pontoons had more water which caused torsion and the winds twisted the pontoons more. This caused cracks to open and the pontoon to sink.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Why did the pumping schedule get fucked up? We'll never know.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
#Kawaiicon #KawaiiconNZ @hashoctothorpe
No one does things they think will blow up the world*
(*mostly)
#Kawaiicon #KawaiiconNZ @hashoctothorpe
(*mostly)
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Facilitation: a crash course:
Keep the conversation blame free.
Don't make bad jokes
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Keep the conversation blame free.
Don't make bad jokes
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Miller's Law:
The key to understanding systems and people with different perspectives than you do.
No two people have experience of the same incident.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
The key to understanding systems and people with different perspectives than you do.
No two people have experience of the same incident.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Let's talk about blame.
Things to avoid:
"you"
"why"
And more...
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Things to avoid:
"you"
"why"
And more...
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Example:
This isn't compassionate and it's not helping to identify the problem
#Kawaiicon #KawaiiconNZ @hashoctothorpe
This isn't compassionate and it's not helping to identify the problem
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Better things to say.
What questions can we ask to get the longest answer. Different from what we normally want in business.
We are looking for a remediation item.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
What questions can we ask to get the longest answer. Different from what we normally want in business.
We are looking for a remediation item.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Human error is not a root cause.
How were people able to make that error?
#Kawaiicon #KawaiiconNZ @hashoctothorpe
How were people able to make that error?
#Kawaiicon #KawaiiconNZ @hashoctothorpe
How to have a great meeting:
- Stay on time and on topic
- Practice interrupting (for a good reason)
- Who is talking and who isn't?
- Let's talk about humour (or please don't)
#Kawaiicon #KawaiiconNZ @hashoctothorpe
- Stay on time and on topic
- Practice interrupting (for a good reason)
- Who is talking and who isn't?
- Let's talk about humour (or please don't)
#Kawaiicon #KawaiiconNZ @hashoctothorpe
If someone makes a bad joke just say:
Then move on & never bring it up again.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
Then move on & never bring it up again.
#Kawaiicon #KawaiiconNZ @hashoctothorpe
In 2019 we don't need more ways to be separated and divided from our peers. We need to move forward and make better mistakes together
#Kawaiicon #KawaiiconNZ @hashoctothorpe
#Kawaiicon #KawaiiconNZ @hashoctothorpe
WTF is Gargoyle?
Hiding malicious code in bit of memory that is not executable.
#Kawaiicon #KawaiiconNZ
Hiding malicious code in bit of memory that is not executable.
#Kawaiicon #KawaiiconNZ
Automation can get over the top. Otherwise you can end up just handing people a "magic box that stops the hackers"
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
Now, lunchtime!
Who let this old guy on stage?
Apparently there is a code brown?!
A risk register line item that has never been activated before!
#Kawaiicon #KawaiiconNZ @Metlstorm
Who let this old guy on stage?
Apparently there is a code brown?!
A risk register line item that has never been activated before!
#Kawaiicon #KawaiiconNZ @Metlstorm
Verifiability isn't just to demonstrate correctness, it's to ensure a peaceful transfer of power.
The loser can be show that the results are false.
#Kawaiicon #KawaiiconNZ
The loser can be show that the results are false.
#Kawaiicon #KawaiiconNZ
The thing that most government departments do not want to happen is to become a hashtag.
They will do almost anything to avoid it.
#Kawaiicon #KawaiiconNZ
They will do almost anything to avoid it.
#Kawaiicon #KawaiiconNZ
Two kinds of voting:
Supervised (the government is responsible for the validity of your vote) vs remote (you're responsible for validity of your vote)
#Kawaiicon #KawaiiconNZ
Supervised (the government is responsible for the validity of your vote) vs remote (you're responsible for validity of your vote)
#Kawaiicon #KawaiiconNZ
Supervised vs remote voting
Should responsibility be on the state or the individual?
#Kawaiicon #KawaiiconNZ
Should responsibility be on the state or the individual?
#Kawaiicon #KawaiiconNZ
Postal vs internet voting
Difference is in the scale of the require conspiracy.
#Kawaiicon #KawaiiconNZ
Difference is in the scale of the require conspiracy.
#Kawaiicon #KawaiiconNZ
But that doesn't dissuade the push for internet voting.
Argument is it will cause increased turnout. But that hasn't played out in reality.
#Kawaiicon #KawaiiconNZ
Argument is it will cause increased turnout. But that hasn't played out in reality.
#Kawaiicon #KawaiiconNZ
No evidence that internet voting will increase turnout.
More likely your disenfranchise a cohort without easy access to the internet.
#Kawaiicon #KawaiiconNZ
More likely your disenfranchise a cohort without easy access to the internet.
#Kawaiicon #KawaiiconNZ
What verifiability do we need from electronic voting?
Need individual verifiability & universal verifiability (so everyone knows that all the votes were correctly counted).
#Kawaiicon #KawaiiconNZ
Need individual verifiability & universal verifiability (so everyone knows that all the votes were correctly counted).
#Kawaiicon #KawaiiconNZ
Internet voting conceptually:
Doesn't offer what we want.
So why are we still deploying it?
#Kawaiicon #KawaiiconNZ
Doesn't offer what we want.
So why are we still deploying it?
#Kawaiicon #KawaiiconNZ
Internet voting deployments.
These are all done by Scytl - but nobody knows who they're owned by and people who look into it get shut down quickly. 😳
References to @SarahJamieLewis
& @VTeagueAus
#Kawaiicon #KawaiiconNZ
These are all done by Scytl - but nobody knows who they're owned by and people who look into it get shut down quickly. 😳
References to @SarahJamieLewis
& @VTeagueAus
#Kawaiicon #KawaiiconNZ
Lots of security concerns...
They opened up the central voting system to Scytl because there were "performances problems".
Please. No.
#Kawaiicon #KawaiiconNZ
They opened up the central voting system to Scytl because there were "performances problems".
Please. No.
#Kawaiicon #KawaiiconNZ
When they went to deploy it in Western Australia...
They were sharing a SSL cert with... Lots of orgs.
Lots of bad bad not good.
#Kawaiicon #KawaiiconNZ
They were sharing a SSL cert with... Lots of orgs.
Lots of bad bad not good.
#Kawaiicon #KawaiiconNZ
Just setting a session cookie that profiles the browser.
And they broke the separation principle.
#Kawaiicon #KawaiiconNZ
And they broke the separation principle.
#Kawaiicon #KawaiiconNZ
Private key was responding from lots of places...
Auditor says its ok because the vendor is reputable.
But... They were breached over that period.
#Kawaiicon #KawaiiconNZ
Auditor says its ok because the vendor is reputable.
But... They were breached over that period.
#Kawaiicon #KawaiiconNZ
For 2019 the Auditors got better.
27 findings, some very critical. And weird redactions.
#Kawaiicon #KawaiiconNZ
27 findings, some very critical. And weird redactions.
#Kawaiicon #KawaiiconNZ
Now its @vashta_nerdrada talking us about how to prepare for the unexpected.
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
"Black Swans" - basically a saying for something impossible.
Now its something impossible that is actually happening
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Now its something impossible that is actually happening
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
A 🦃 has a black swan experience. It's happily living its life - getting randomly killed is totally unexpected.
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Don't try and predict black swans - you make make yourself more vulnerable to other black swans
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Quick recap:
Build for resiliency, don't try and predict black swans.
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
Build for resiliency, don't try and predict black swans.
#Kawaiicon #KawaiiconNZ @vashta_nerdrada
In which @Sputina forces us to all get some exercise by making @Metlstorm badger dance.
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
We don't have s lot of data on marginalised groups, but we still try and use it even though our results are bad.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
#Kawaiicon #KawaiiconNZ @SophiaFrentz
How do we do open science but protect end users?
Even if you consent, you're providing info on your immediate family.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Even if you consent, you're providing info on your immediate family.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Genetic discrimination is illegal but so is murder. And it still happens.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Electronic medical records vs physical medical records.
Its not all bad! And electronic medical records provide quick access to information.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Its not all bad! And electronic medical records provide quick access to information.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
There are plenty of breaches, but nobody is attacking these. It's a design issue.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Where is eHealth going?
We have to consider social issues when creating technical solutions.
With technical solutions we're just amplifying existing social problems.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
We have to consider social issues when creating technical solutions.
With technical solutions we're just amplifying existing social problems.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Why can we do?
- Make responsible individual decisions
- Educating non-sector friends on needs, requirements & values
- Be the squeaky wheel!
#Kawaiicon #KawaiiconNZ @SophiaFrentz
- Make responsible individual decisions
- Educating non-sector friends on needs, requirements & values
- Be the squeaky wheel!
#Kawaiicon #KawaiiconNZ @SophiaFrentz
The choice about whether to care if other people see my medical information is MY choice.
Nobody else should be able to make those decisions without the patient's explicit consent.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Nobody else should be able to make those decisions without the patient's explicit consent.
#Kawaiicon #KawaiiconNZ @SophiaFrentz
Now its Matt Daley talking about Access Control on Sesame Street
#Kawaiicon #KawaiiconNZ @SophiaFrentz
#Kawaiicon #KawaiiconNZ @SophiaFrentz
The Gallagher Controller 6000, now known at @kawaiiconNZ as the "Controllagher"
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
Thanks FCC for putting all this info online.
With photos.
And internals.
And... Dave's details.
#Kawaiicon #KawaiiconNZ
With photos.
And internals.
And... Dave's details.
#Kawaiicon #KawaiiconNZ
"Breaking into the roof"
This should be fun! Basically incrementing a field on the card.
#Kawaiicon #KawaiiconNZ
This should be fun! Basically incrementing a field on the card.
#Kawaiicon #KawaiiconNZ
Let's see how Gallagher is using MIFARE Classic.
Known vulnerability where you can use one key to calculate other keys.
#Kawaiicon #KawaiiconNZ
Known vulnerability where you can use one key to calculate other keys.
#Kawaiicon #KawaiiconNZ
Does Matt know? Yes.
Will he tell us? No.
So Gallagher won't do electro-product testing on him.
#Kawaiicon #KawaiiconNZ
Will he tell us? No.
So Gallagher won't do electro-product testing on him.
#Kawaiicon #KawaiiconNZ
Use Bluno beetle in reader to brute force facility code then play it back on demand.
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
Now looking at cards.
Old cards just scream out their secret the second they're powered up.
#Kawaiicon #KawaiiconNZ
Old cards just scream out their secret the second they're powered up.
#Kawaiicon #KawaiiconNZ
Forms of Rf-based attack.
Try and intercept the communication between a legit card & reader.
#Kawaiicon #KawaiiconNZ
Try and intercept the communication between a legit card & reader.
#Kawaiicon #KawaiiconNZ
What happens if some data gets corrupted in the transaction?
Reader says do it again.
#Kawaiicon #KawaiiconNZ
Reader says do it again.
#Kawaiicon #KawaiiconNZ
And.. Matt built a massive antenna to read cards from 3 meters...
Not very subtle...
#Kawaiicon #KawaiiconNZ
Not very subtle...
#Kawaiicon #KawaiiconNZ
So none of these are secure unless they're using DESFIRE with a non-default key.
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
Only one site was using a non-default site key.
And... The NZ Government department didn't appreciate Matt scanning their RFID readers and seized his laptop... 😱
#Kawaiicon #KawaiiconNZ
And... The NZ Government department didn't appreciate Matt scanning their RFID readers and seized his laptop... 😱
#Kawaiicon #KawaiiconNZ
Now its @lady_nerd talking about securing people who don't look like you... yet.
#Kawaiicon #KawaiiconNZ
#Kawaiicon #KawaiiconNZ
Being security people we tend to judge how people handle their security.
But for other people our advice can be because that advice would be physically difficult or impossible to follow.
#Kawaiicon #KawaiiconNZ @lady_nerd
But for other people our advice can be because that advice would be physically difficult or impossible to follow.
#Kawaiicon #KawaiiconNZ @lady_nerd
If all the advice I give is coloured by my knowledge and experiences, it's not going to be effective for people from other experiences.
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
We almost completely dissociate from our one future selves.
If we can't protect our future old selves, how do we protect our elders today?
#Kawaiicon #KawaiiconNZ @lady_nerd
If we can't protect our future old selves, how do we protect our elders today?
#Kawaiicon #KawaiiconNZ @lady_nerd
We need dynamic security controls in an ever-changing environment to protect us as we age.
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
Should we be digitally active if we can't be independent?
Being digitally active is kind of a human right. It is a substantially increasing part of the day-to-day for all demographics.
#Kawaiicon #KawaiiconNZ @lady_nerd
Being digitally active is kind of a human right. It is a substantially increasing part of the day-to-day for all demographics.
#Kawaiicon #KawaiiconNZ @lady_nerd
We need all of these to be happy.
How many of these do we do in the digital space?
Most of them.
#Kawaiicon #KawaiiconNZ @lady_nerd
How many of these do we do in the digital space?
Most of them.
#Kawaiicon #KawaiiconNZ @lady_nerd
How do we measure independence?
Diagnostic Frameworks for Daily Living
#Kawaiicon #KawaiiconNZ @lady_nerd
Diagnostic Frameworks for Daily Living
#Kawaiicon #KawaiiconNZ @lady_nerd
Instrumental Activities of Digital Living - Laura's new framework
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
Power of digital attorney and digital guardians are very legally unclear.
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
Answers we get can lead to domain specific or holistic solutions.
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
Where next?
Mass collection of data!
Lets do a digital independence assessment for a country.
Refine the assessment.
#Kawaiicon #KawaiiconNZ @lady_nerd
Mass collection of data!
Lets do a digital independence assessment for a country.
Refine the assessment.
#Kawaiicon #KawaiiconNZ @lady_nerd
Will be linked into opensecurity.nz - a place to find open source information security projects & tools.
#Kawaiicon #KawaiiconNZ @lady_nerd
#Kawaiicon #KawaiiconNZ @lady_nerd
And... The Badger Dance featuring @Sputina @Metlstorm and a late appearance by @rafaelmagu:
@kawaiiconNZ #Kawaiicon #KawaiiconNZ
@kawaiiconNZ #Kawaiicon #KawaiiconNZ
