Last month, Wallarm Cybersecurity Strategist Kavya Pearlman interviewed cyberwar fare expert Chris Kubecka via a webinar session that was well attended and very timely discussion. If you missed the webinar, worry not! Here is a quick recap of the discussion around “Application Security in the age of Cyberwar”.
These days we must be prepared to fight off not just hackers in search of simple financial gain, but malicious actors funded by hostile states. Asymmetry is the keyword of war in the 21st century, because the enemy is harder and harder to identify, and we no longer have an army against another in a large field. This is even more true when we move to the cyber domain. So, right after 9/11, the world faced this new warfare with a reactive approach.
But how can we proactively face asymmetrical threats and prevent wars? This was the key question Pearlman and Kubecka focused on application security through the lens of cyberwar.
Who is Chris Kubecka?
Chris is a Founder and CEO of HypaSec. Previously she established and led the network security operations, privacy intelligence and information protection group for Aramco overseas, part of Saudi Aramco. Chris speaks several languages including Chinese, Dutch, English, Russian and Spanish.
Passionate about offensive defensive and new methods of exploitation in IT, IoT, ICS, embedded systems and recently Virtual Reality, Chris’s deep technical knowledge stems from childhood misadventures and professionally on-air mobility command and space command serving honorably on the US air force. The author of several books, Kubecka is also a military veteran of multiple humanitarian and combat missions as aircrew with degrees in Information Technologies and computer science.
Based in Northern Europe she is an advisor and subject matter expert to several governments and industries on cybersecurity and incident response for cyber warfare and a recognized expert in financial, oil and gas, water and nuclear industry digital security. Chris dealt with one of the top ten hacks in the decade, the Shamoon attack, and since Saudi Aramco’s world’s largest is world’s largest oil production company, 10 to 25 percent of global production of oil worldwide, she literally saved us from a potential economic downturn.
Chris Kubecka – One on One with Kavya Pearlman
Kavya: What are your thoughts on the United Nations getting hacked that we just learned about this week?
Chris: Well, the United Nations is very much like any other large organization that is spread out internationally where you’ve got a lot of various assets that are plugged into the Internet. Sometimes one can forget about these systems called orphan systems. And just before this broadcast, I went ahead and used census.io to see the footprint of the U.N. or domain. And there still seems to be a few problems where I would not expect to see so many ports and vulnerable applications exposed to the Internet at this time, including databases.
So this is one of the big failings with most of these larger organizations is they may be doing part of security, but many times they lose track of everything and they’re not looking at their exposure using what I would call simple or basic open source intelligence gathering tools to do so.
Kavya: We also just heard about F-35 aircraft guns can’t shoot straight and bunch of other design flaws. Since you are close to this domain, please share what might be going on?
Chris: Lockheed has been dealing with a lot of things with that aircraft. They’re still trying to work out a lot of things. It’s a very, unique aircraft, the way that it was designed. They’ve had to make massive engine changes to accommodate additional requests from the Department of Defense (DOD) here in the United States. I’m sure all of us on this broadcast have heard of scope creep.
And that is part of the problem where when you are developing an aircraft that can take a while and somebody wants to add something, somebody wants to take something out. And the development time could be several years. And that also means that frequently there will be design changes because there’s new discoveries or new realizations and technology or the shapes of the aircraft.
For example, I was learning aeronautical engineering. It changed to more fluid dynamics. And so, it completely tilted that world of aircraft design almost upside down. So, you also have the challenge that aircraft nowadays manufacturers are also what they call e-enabled aircraft, which means they are potentially gigantic IOT devices where you have data feeds that are coming into view. Fighter jets are basically flying computers nowadays with IoT like risks associated with it.
Kavya: And so, Chris, you’ve been going around the world and, you know, trying to enlighten everybody about all your knowledge with things that you are observing offensively, defensively. When did you realize that you are fighting sort of an asymmetrical war?
Chris: Well, I was when I was in school in the military, I was in an organization in the school system called JROTC, where I began to study more about war and more studies. And one of the things that fascinated me about something that happened last century was guerilla warfare in Vietnam and the success that guerilla warfare had. So here you had the United States with this massive force of weaponry and people.
However, with guerilla war and asymmetric warfare, you’ve got a much smaller group. And they were able to be very, very successful. And at the end, the United States had to leave Vietnam and Vietnam basically won by using asymmetrical warfare and very creative means. I might add. So, I began to get fascinated with how a smaller group can leverage what they have. That is something that is unique to them and to be able to take on a very large fighting force.
And nowadays we’re seeing the same things where an asymmetric warfare, but electronically, digitally. And smaller groups with very fancy knowledge in the digital space can take on countries that are much bigger than them, that have a bigger fighting force, but they may not have that bigger digital defense force.
Kavya: What is the meaning of this asymmetric threat? What does it mean, asymmetric threat and how does it apply to application security?
Chris: Asymmetrical threat and asymmetrical warfare – What you’re dealing with is an uneven force. So, you might have a smaller group. Let’s call it even a criminal syndicate that is able to be quite successful against a police force or the legal system or in the case of cyber warfare, you may have a highly motivated and skilled nation state that is able to repel or attack a much larger force. And in this century, what we’re also seeing is that there are some very surprising actors in space.
Now, one of the more surprising ones is, for example, Ethiopia. They have developed an offensive capability because they’ve been more back and forth with war and peace with Australia for a few years. And that is a highly independent country that might not have the money for a whole bunch of brand-new fighter jets, but does have the money and the people. Teaching them cyberwarfare skills to be able to be offensive or red team at a nation state level for their countries makes sense.
Kavya: In terms of application security, there is disbalance, the idea of somebody knowing the vulnerabilities and just sort of hiding them and then at some point timely using them against nation states, that is happening more and more. Is that right?
Chris: Well, sometimes that happens. But also, there is something that has a bigger chance of occurring. And what that is, is most of the world nowadays uses various open source libraries and that that’s for a cost benefit; it saves you time. A very good return on investment because usually it’s free. And so, these open source libraries get widely used both in software and hardware. But it also can be to a detriment if, for example, these open source libraries are not maintained, or somebody can reach them through a back door because they’re so widely used. Then an attacker can take advantage of an exploitable vulnerability at a much larger scale.
Kavya: Chris, there are no silver bullets. But I want to ask you, what can we do to prevent these kinds of threats or IS there something that we CAN do?
Chris: Well, one approach is having a more proactive security team vs. a reactive security team. And what I mean by that is tracking your asset inventory, whether that be hardware or software, and seeing what your organization’s exposure is to the Internet. And, the exposure of key targets within your organization, such as the executive board, the personal assistant of an executive. These are higher value targets.
Also, human resources, for example, because those systems and people will have access to a lot of information that goes on within the organization. So, understanding some of these things and also understanding supply chain security, because we’ve had a lot of different suppliers and they’re giving a lot of given a lot of information, whether that is data or insight into the companies that they work for. If their security is not on par with yours, they could be that weak link that actually leads to some sort of major compromise. So just be aware of the risks, the vulnerabilities and the key players that could be targeted.
Kavya: Let’s say I’m building an application. Would you say the proactive means we should try to get into the CI/CD pipeline and try to prevent vulnerabilities before it’s too late?
Chris: Yes. One of the challenges I’ve seen within many organizations in many different markets is when you’re working on a development project, you’ll have a project manager who may or may not recognize that security and privacy needs to be dealt with at the beginning of the project, not at the end.
Or I’ve seen many cases where project managers do not have a lot of time for designing security within the systems. There’s also pressures from the management and the executive boards of if we keep going at this for too long and we are going to have to invest more money to incorporate security and privacy. This means that the costs for development are going to be much higher. So, they don’t initially see the return on investment for any of that. And this is very difficult to get across, especially to a forward that it is much, much less expensive to use software development lifecycle techniques ahead of time than it is when you’ve got a breach or you’ve got something that’s widespread or your company is taking a reputational hit when you move from proactive to the reactive. It costs much, much more money and time and effort.
And that’s so noticeable. And that’s why it seems like more and more tools are being widespread for, you know, allowing people to proactively address these things.
Kavya: What are the main threats that you think we are facing now? Mainly, what are the key threats that we should be aware of and be cognizant of when we talk about application security?
Chris: Well, unfortunately, the main threat we still face is what I would call the ability to breach an organization using low hanging fruit. There are so many things that should have been changed, fixed, patched, updated or thought of that. Still, you can use very small scripts and what I would call low level exploits and get to a wide variety of assets and software. And we’re still, unfortunately not going back to the basics. And those are still the biggest impact threats right now. I mean, if you deal with a nation state, that’s something a bit different. But I shouldn’t be able to find database servers open to the Internet which belongs to the United Nations, for example. Or, here we are in 2020. People have telnet enabled.
Kavya: What advice would you give to other security professionals and organizations when it comes to dealing with these cyber-attacks?
Chris: Well, I would advise, at least at a minimum, some types of automated testing of the software that’s being developed for your organization and for additional organizations if you’re working with a third party. Another one is having a vulnerability disclosure program. You want friendly, nice ethical hackers like me to be able to report major issues.
For example, when I worked on the Boeing issue, Boeing at the time had no disclosure program. Here is an organization that handles classified and unclassified systems, did not test development servers for flight control software and it was wide open to the Internet. And this should not have happened. If you do not have an internal apparatus to deal with adequate defense, try to get your organization to sign up with an external party that can jump in. If there is a problem and get to know your computer emergency response team, whether that’s by state or at a federal level or even sometimes like New York City has their own search. I believe San Francisco does as well. And these organizations can jump in and assist and try to advise you where to go from there, because you must plan for these types of things.
I think every place that we all work with, who I work at, who are listening to this, they’ve got fire detectors, but they also have fire extinguishers and they have the ability to call 9-1-1 for a fire department if a fire occurs. But somehow that is left out of a lot of disaster recovery and business continuity planning organizations. When you’re dealing with digital issues, we need to get to that point.
Kavya: Please tell us more about your experience with Boeing vulnerability disclosure. What was going through your head and what have you found so far?
Chris: Well, Ethiopian Airlines Flight went down in a Boeing aircraft 737. Max, initially Boeing’s response was to place the blame on Ethiopian Airlines. Because I’m involved in the aviation industry, I knew that that was not very cool because Ethiopian Airlines has one of the best safety records in the entire aviation industry. They take safety very, very seriously and they do a lot of training for their pilots and aircrew. Prior to the news coming out, there was a coding issue in one of the sensors on these aircraft. I began looking around basically to see what the external exposure was. Whether there was any way that I could see any general bad coding practices because I had my suspicions of what may have happened. And right away, going to the Boeing Website, which houses the aviation I.D. system, which is where a technician, for example, would download flight control software to a maintenance laptop and then plug into a physical plane and actually upload and update the flight control software, which includes the coding for the various sensors which failed. And immediately just looking at the html page source. Simple right clicks a developer left in a comment. I have no idea what this does. It only prints. And that was both funny but scary because it means that they didn’t know how to escape special characters, which is something I would think is somewhat kind of basic.
In addition to that, the Web site which had a log, it wasn’t even using encryption. Almost every single phone, Web site, including Boeing dot com, didn’t even use a certificate. And we’re talking about Logins into different areas as well. Whether you’re a Boeing employee or a third party or maintenance technician or what have you. And this also means that all these Logins were being sent in clear text with no encryption. So, if Internet traffic is rerouted by a country which happens frequently, they can collect all of that unencrypted stuff. They don’t even have to try to do any fancy schmancy decryption. They’ve got Logins to be able to get into various Boeing systems.
And Boeing also houses a lot of intellectual property that they would not want a frenemy or an enemy nation state to get. Intellectual property theft costs the US taxpayer billions of dollars every year. And so here was this company that wasn’t even using, what I would say, the most basic digital security. In addition to that, I’m looking around more only using nondestructive known exploitative testing. I was able to find their test and development servers for the aviation I.D. system as well. And because I frequently visit web sites without running JavaScript, the only thing it said on the Web site was you are not using JavaScript. Press this button. Press the button. And I was able to be right there inside with no authentication either into the R&D section of the test aviation I.D. system. And this is not where you want anyone at all to be. And Boeing’s response to the exposed test servers was, well, it’s operating as intended. Wow. So, this is extremely problematic.
And again, unfortunately, Boeing did not have any sort of vulnerability disclosure program at all at the time. They also have a bad reputation of threatening and ruining researchers’ reputations for anyone that wants to disclose something in any public manner. I ended up working with the Department of Homeland Security’s search function to do the disclosure beginning in July of last year, 2019. And I face a lot of pressure from Boeing because firstly, they’re a very large company. And I am a very small company, ME right now. Secondly, I’m not a lawyer.
Third, they have this reputation of basically silencing people. And then, while I was doing the disclosure with the Department of Homeland Security, I was also contacted by the U.S. Aviation ISAC. And they are run by Boeing employees. So, there is a third there’s a bit of a problem there.
While it was in Las Vegas last August for BlackHat/DefCon, besides a person from the U.S. aviation, ISAC, who was a Boeing employee, came to my hotel and asked me to sign a nondisclosure agreement, which I would not sign. They also repeatedly wanted a copy of the report. The 59 page report I’d written up about it that I had sent to the Department of Homeland Security, and I stressed that DHS insisted they wanted to deal with the matter because if it had just gone to the ISAC, nothing would have been fixed and they would have just disappeared under an NDA.
So there was a big challenge after the disclosures and when DHS gave a copy of the report, with my permission to Boeing, there were a lot of questions Boeing have that they kept throwing back and forth to the U.S. government, basically trying to infer that I had a criminal intent and was trying to extort them. So being the person I am, I sent them a picture of the national security director that I took at a closed conference at the U.S. Air Force Academy last April. And I commented, if you want it, I could probably get you an autograph because I don’t really like being accused of these things. And, this is a way for them to try to bring down my reputation by trying to say these things or to infer them. And there’s nothing further than that from the truth.
So, there was pressure on the media organization that handled the case. A legal department contacted the legal department of IDG Media and also directly contacted the journalist’s editor and senior editors applying pressure, which, of course, if you do that with a media organization, the first thing they’re going to claim is freedom of the press. Are you trying to censor us? They even tried to pressure parts of the US government as well. Just before I gave the first version of the talk, which was about aviation digital security in general.
So, Boeing did not quite understand, and this is something that was relayed to me by DHS that after a certain period of time had passed, an acceptable time, that I could make things public. And I believe the comment to paraphrase was that’s not how it works. That’s not how any of this works. And that was from the U.S. government.
After they accepted the report and came back with some questionable responses, they started, based on my report. Boeing’s very first vulnerability disclosure program.
Kavya: I do want to ask you about this book that we have been hearing about. Would you mind giving us a glimpse into what this book is all about? And yesterday you were at the book launch party. How did that go?
Chris: It went very well. I’m going to be doing two books fairly soon. One is about penetration testing across I.T. and ICS systems. And the other one, I’m playing with the title still, but I’m thinking of Hack the Galaxy with open-source intelligence gathering. And it will take you across land, space, sea and air. Because I also work in the Maritime Industry Monthly Advisory Board for Serious Inside A I. A UK company who has various contracts with the United Kingdom’s Ministry of Defense and with my aviation background and. As of last June, I worked doing the first space hackathon in the United Kingdom that was funded by Oxford, and that was to show people there is this thing called new space IAPT, even satellites are IAPT devices and we need to plan accordingly and case these things are hacked again, leverage by criminal syndicates for malware like CHIRLA, again packed for nefarious purposes by another nation state again and what to do when these things are directly connected.
Kavya: DO you think nation state actors are utilizing emerging threats offensively?
Chris: That’s another thing that I’ve been working on. So as subject matter expert for multiple organizations and one recently was the European Union, I was very concerned with how various forms of artificial intelligence can be used in modern and future warfare. I participated with that, because I’ve handled some of those things already in the past for various agencies and organizations. And another thing that we must be concerned with is emerging technologies.
So last year you had some of the pictures of me being in Madrid. And so, I was in Madrid for an organization called Pre Fetch. And what the organization does is they pull in subject matter experts from several domains. And we voted on what we thought were going to be the most useful emerging technologies from 4D printing, for example, two different types of quantum computing, things that affect the healthcare industry with the next generation of 5G. No, it’s going to be 6G as Dr. Meesha Dolar with Kings College, prefers to call it. IoT devices directly in our bodies for various sensors. And so, the final lists are the ones who get funding from the European Union for these emerging technologies, but with just about anything, they can be turned into a dual use device or dual use situation where we think that they may only have in is it means.
But how can they then be misused? I highly doubt people who first developed modern type satellites thought that they could be weaponized and used against other satellite systems, for example, or for crime where coming out of Russia or they definitely when they thought of the International Space Center, they never thought that it could be hit with the malware infection, which it had already been because somebody brought up their music on a USB stick. Yes. So, we must think about that. Not every emerging technology is for the benefit of humanity and it can bring problems.
So, it’s up to our community to change how governments and companies treat privacy. Some can think privacy isn’t up to our community. Well, I think it is, because if we don’t speak up about it, then it’s going to continue to be misused.
I’ll give a brief example. I live in Amsterdam. I live within walking distance of the Anne Frank house and with the Netherlands, who at the time was a neutral country when World War II was kicking off. Germany was able to take them over quickly because they had no real say modern planes or weapons, because they had also been neutral during World War I. But the country of the Netherlands had an extensive data registry, and coupled with the fact that many people had been refugees escaping Germany and they went to the Netherlands, especially people who were Jewish, Anne Frank’s family actually had fled Germany and sought refuge in the Netherlands. And what happened was when that database of sort obviously wasn’t electronic, was taken over by an enemy force, then the Nazi regime was able to pinpoint every single Jewish person, every single person who could be Jehovah’s Witness. All what they would consider undesirables. And that information was misused. And it’s great that we have a lot of functionality with different apps and so forth. But what happens if that information is misused and you never know who might oversee the government who has access to that data tomorrow?
Kavya: Can we win this cyberwar?
Chris: I think NO. Because I live in Europe and I have for a long time, our attitudes towards privacy because of things like World War II, is drastically different than the attitude towards privacy as a fundamental right here in the United States. It’s a very different perspective, especially in places like Germany. We need to understand, at least from my opinion, that privacy is a fundamental right and can lead to a lot of misuse which can cause security issues for us all.
Kavya: Thank you Chris for all your time. I highly recommend following Chris, she is @secevangelism on twitter or myself @KavyaPearlman. You may also connect with us via LinkedIn. If you have any questions regarding Wallarm products and services, please send those to request@wallarm.com
Check out the complete webinar recording on Wallarm Youtube Channel
Attribution
Kavya Pearlman, Global Cybersecurity Strategist, Wallarm
Well known as the “Cyber Guardian,” Kavya Pearlman is an award-winning cybersecurity professional with a deep interest in immersive and emerging technologies. Kavya Pearlman is the cybersecurity strategist at Wallarm, a global security company that uses artificial intelligence to protect hundreds of customers across e-commerce, fintech, health-tech and SaaS via their application security platform. She is also the founder of non-profit, XR Safety Initiative (XRSI). XRSI proactively addresses the cybersecurity risks and challenges by discovering novel cyber-attacks and establishing baseline standards in emerging technologies. Connect with Kavya via Linkedin or follow her on twitter via @KavyaPearlman.
Chris Kubecka, Founder and CEO of HypaSec, Cyber Warfare Expert
Based in Northern Europe, passionate about offensive defensive and new methods of exploitation in IT, IoT, ICS, SCADA, embedded systems and fairly recently Virtual Reality, Augmented and Mixed Reality. Chris Kubecka is the Chief Hacking Officer for XR Safety Initiative (XRSI). Previously, she established and led the network security operations, intelligence, privacy, and information protection group for Aramco overseas, part of Saudi Aramco. Re-establishing international business operations, helping to stabilize the oil market and implementing digital security after the company suffered from the world’s most devastating Shamoon cyberwarfare attacks which wiped out 85% of computer systems and over 35,000 Windows systems which deeply affected the countries of Saudi Arabia, Qatar, and Bahrain.
