2020, trying to kill this pandemic, really hit. I went ahead and scanned the internet and took the top 10 countries with assets that say hello to the internet. That's in the yellowish bar; I'm not sure how much you can see because of the big DEF CON logo. In the orange-ish bar are the remote-only access protocols I was looking for, and also certain versions, like older versions of SSH, FTP, Remote Desktop Protocol, etc. So what I found was, for instance, that the United States has 47,500,000 assets. Out of those assets, when I was looking only for known exploitable remote access vulnerabilities, there were almost 12.5 million that I could find for the United States, which is not a great ratio. However, I will say that some of the assets I scanned can have multiple vulnerabilities. Looking at the U.S. and China: China has almost 8.5 million assets on the internet that say hello, but almost 5 million of those are remotely accessible with known exploits and vulnerabilities in them. The one country that did fairly well was actually the United Kingdom, in their ratio between assets and exploitable vulnerabilities. One of the reasons for that was that several years ago they did something very fantastic: they instituted a cyber program where anyone doing business with the UK, and also critical infrastructure, had to really take a look at their stuff and go ahead and pass an audit. In most cases it's a self-audit, depending on your level of access with the government and with critical infrastructure. So they were able to get a head start, and they are actually doing fairly well in comparison to the rest of the top ten.

Another thing we have to consider is that, because things are now industrial IoT devices or IoT devices, you can have a control system that is IoT-enabled. In this case I like to take a look at Tesla stuff, because I just do.
You can actually use Censys.io, or what I call Censys.org, to find various Tesla Powerwalls. What's interesting is that even though Tesla has some security, it's still single-factor authentication. There's still a web interface. The customer doesn't necessarily have to set up any real security, so there's admin/admin kind of stuff, depending on the version of the software. Tesla does not force down updates like Windows 10 or like their cars, so there are a lot of old versions. What you can actually pull back is the configuration of the Powerwalls, the versions, timestamps showing the last login, how long it's been up, whether it's updating or not, and a bevy of other diagnostic information. Unfortunately, if you're able to get into some of these systems, which you can, you can do more nefarious things. Imagine a region of Powerwalls that suddenly all dumped their electricity onto the energy grid; that would be a very bad thing. Or if it was connected to some sort of crucial hardware, that would be a bad thing. In this particular case, this one was connected to a crane. Who doesn't want to own your own crane? Well, you can too. So you have to understand that if it's running a web server, I don't care if it's a power bank or a piece of industrial equipment or whatever, you can hack it like a web server. Remember that.

I do a lot in aviation. Sometimes that's good; sometimes they hate me. Either way, there are various ways to get into various things. One of the dangers we have is a lot of Remote Desktop Protocol. You can actually buy exploited systems on the scary dark web for $1 to $10 apiece if they have RDP; $10 is typically for U.S. military assets that are found. In this case, this one belongs to Airbus, where luckily the admin happens to be logged in. I wonder what the password might be. And the CN is actually from the certificate, which I could match up as absolutely belonging to Airbus.
Another fun fact: depending on the aircraft, some Airbus aircraft actually use Windows CE in the aircraft. Yay. So you may or may not have heard much about Boeing, other than that some of their planes like to fall from the sky because they have software issues. Starting last year, one of the things I did, and by the way, hi Boeing, I know you still want to put me in jail, was take a look around some of their infrastructure, and I found that it was incredibly bad. For instance, at the time, Boeing.com and its websites didn't even use HTTPS or any encryption, and this included login systems. Yay. I was able to get into the R&D section of their flight control software, which also included the 737 MAX aircraft, because to authenticate I was using Firefox with NoScript running, and the website had a message: you are not running scripts, please press this button. I pressed the button. I was in. How awesome is that? There were, you know, six cross-site scripting vulnerabilities in the live, in-production flight control aviation ID system, right? The interesting thing about this is that if you can get into the flight control system or software, and you know what you are doing: the process is that a technician downloads what's needed for their aircraft, puts it on a maintenance laptop, and that maintenance laptop then plugs into the aircraft itself, into the flight control system. So imagine some of the mayhem you could do, because Boeing had zero effort and zero knowledge in security. Funny enough, they do sell cybersecurity services as consultants to the U.S. government. However, I guess they never ate their own dog food and looked at their own stuff. There were even hard-coded credentials in an older version of SAML that you could easily decode.
The response from Boeing was "you're a criminal, harassment," no bug bounty, and it was only after my 59-page report went through and got media attention, after a disclosure period, that they were forced to start their first vulnerability disclosure program, which they said was based on my report. However, as far as I'm aware, Boeing still gives zero bug bounty awards.

Agriculture is nice, because I think all of us like to eat, and this is an instance where a control system that is now an industrial IoT system is hanging on the internet with a web server that has never been security tested and has no authentication. It happens to be a European fish farm, a salmon farm to be exact, and you can actually, in real life, press the buttons and modify the operations of this.

So we like water. Mexican is actually a major bottled water provider and manufacturer, amongst other things, in Latin America and South Africa. I do a lot of stuff. I was looking around, because I get curious and bored, and I was very quickly able to find, because they allowed LDAP to be exposed to the internet, 24 pages of assets, from the IT side on the business level all the way down to the control level for their Windows-based SCADA systems. This was rather unfortunate, because one of the systems I was able to find was this wonderful thing called an HMI, a human-machine interface, the same exact version that was vulnerable to some of the BlackEnergy attacks, and I didn't actually have to log in, because it was never set up correctly. I could access the drives it was attached to. I could import and delete recipes, which are the production recipes for what the machinery will be doing. And I could just click as many buttons as I wanted to. I could even export the administration data, all at the touch of my fingertips, from my comfortable small Amsterdam house.
Mexican also produces various different types of chemicals, some of which are more controlled so that they don't fall into the hands of really bad people who want to make things go boom.

Another thing to consider, when we're talking about IoT systems, is that they can be anywhere. They could be inside a hospital. They could be on sensitive networks. They could be at nuclear physics labs in Russia. And they could also be inside control systems, so that you can actually use a printer. So I was able to have a bit of fun, again being bored (don't ever let me get bored), and use Censys and a few other scanning tools to quickly find as many particular printers as possible. It stemmed from the fact that I was having a problem with my printer, and I downloaded the Brother admin tool, which covers almost all of their models, and I noticed that it had never been security tested. So I went ahead and flipped it around and turned it into a dual-use, weaponized piece of admin tool. A lot of these printers have web interfaces, so I had a lot of fun with cross-site scripting, but most of my fun came from using the admin tool. See, once you find one of these printers, and it's not that difficult to find them, you can use the free Brother admin tool, go ahead and put in the IP address, and then connect to somebody else's printer anywhere in the world. You can see how much ink they have; you can even order ink and toner supplies if it's set up in their printer, because hey, toner is worth more than platinum. And you can also send files directly to the printer. So I had a lot of fun with this, but unfortunately Brother, like most printer manufacturers, does not have a vulnerability disclosure program, nor did they ever think that you could take this lovely free tool, available now to download, weaponize it, and really make printers' lives uncomfortable.
Bonus item: if it's a multifunction printer of the more commercial variety that has a hard drive installed, and say human resources uses it as a scanner for different types of identification documents, you can even access the hard drive where it saves those scans and get all sorts of personally identifiable information and health data, just by using this tool.

So I like space. One of the things that is a bit problematic is that, just like regular industrial systems, once you put something in space it's expected to last a while. There's even a satellite in a very interesting orbit that has been up there for over 50 years. There's a lot of legacy stuff. Once you put something up there, it's not like you can go, hey, guess what? We've got this new type of encryption. You know what? It needs a chip to be able to process it. Who is going to replace that chip in the satellite? That doesn't happen. What we did last year in the United Kingdom, thanks to Oxford, who funded it, and De Montfort University, was hold the first space hackathon, at Royal Holloway University, to discuss these things with cleared PhD students. They were given a lot of information by myself and others on some of the problems with current and new space assets, because they're really industrial IoT devices, and on how to combat some of those problems, because encryption might not be there. I believe it was only the year before last that the FTC mandated that new space assets actually had to have the ability to use encryption. And we've seen some satellite systems being used in various cybercrime attacks and malware, because if you can put one of your hops on a satellite, it makes it a bit hard to trace who's actually behind different things. A lot of cool stuff came out of this hackathon. The PhD students were absolutely fantastic and energetic.
They listed a lot of very pertinent risks that we have to consider, such as the fact that the current UN space treaties do not cover private companies when it comes to warfare; they only cover nation states. And there are some major players in the market. If you want to watch a great older movie, I believe it's called Moonraker, it's a James Bond movie, where a really rich guy with way too much money decides to go into space and then tries to take over the world by going to war in space as a private company. So some of the risks listed were, for example, Elon Musk and his program, because anyone can turn evil, and he already thinks that the pyramids were created by aliens.

To give a brief example, you can actually find some of these systems. There are different ways you can find various space IoT systems. A lot of the ones you'll find are actually ground systems that then communicate up, but those ground systems can, unfortunately, be hacked. In this particular case, I was able to find a real connection up to a satellite. I didn't want to give away too much information, because they have not gotten back to me. I was able to find that this particular device was running my favorite protocol, Modbus, with no authentication. It could give the device ID, function codes, and all sorts of information about it. By looking into various user manuals that are freely available, I was able to find that it was called a Sunny String Monitor and was attached to the satellite. What it does is look for the sun and go ahead and open a solar array on a satellite system to provide power, or close it down when nothing is available, or move it around a little bit. So imagine what you could do with that.

So why is this kind of important? Last month, the United Nations Institute for Disarmament Research asked me to give a presentation, a closed dialogue session, to permanent member states, with other member states as observers.
I brought up the fact that we need to be a lot more proactive. Although the United Nations established in 2015 that member states are responsible for securing their ICT cyberspace, which also includes space assets and industrial systems, etc., and they agreed to establish a computer emergency response team, and that's well and good, it's fantastic, it's much needed, that is also very, very reactive, and you're constantly putting out fires. So it's very difficult to be proactive. I brought up with them that I'm currently working with part of the European Union to actually establish their first proactive computer emergency protection team, ASEPT. And CERT step one, step two, to try to alleviate some of the burden and also try to catch things as quickly as possible before they become major incidents.

Now, back in 2009, and this is another reason why it's kind of important, I detected a cyber warfare attack, the second wave of such attacks, caused by malware that the North Koreans created. One of the things they did was leverage higher-speed bandwidth in Northern Europe to go ahead and aim those various devices at the South Korean infrastructure and also part of the infrastructure of the United States. So they attacked the South Korean version of the White House and also the U.S. White House. They tried to affect the New York Stock Exchange and a lot of other very important places. And because in my shop we were also monitoring ICS systems that had internet connectivity, we found that some of the Windows-based stuff was actually also affected and was trying to take down part of South Korea and the U.S. So you can, unfortunately, weaponize IT, IoT and ICS with various types of malware, as we keep seeing. But even in 2009, 11 years ago, we were seeing this type of stuff.
So we need to take it much more seriously, with the vendors as well as the critical infrastructure operators, and get the tech community involved, because academia is great, government experts are fantastic, but it's us, and you watching this, who have that hacker mentality and can actually express it and find ways in and out that others can't. With that, I will be available on Discord for questions, hopefully in the right Discord channel. I wanted to give a huge shout-out to Omar (@santosomar) and the Red Team Village for inviting me. If you would also like to contact me about things that are going on in the Middle East, I believe my contact information is now on the Middle East Institute's website, and feel free to contact me on Twitter. I take DMs, just no weird pictures, no weird sexy-time pictures. Let me stress that I love pictures of cats. So thank you very, very much, Red Team Village. It is greatly appreciated.

Thank you so much for supporting us and for the great presentation. You are getting a lot of kudos in Discord. Talking about Discord, if you're joining us, you can see the link at the bottom of the screen. There's a link to a website with a lot of other information about the speakers, along with all the activities that are happening, of course, at DEF CON. With that said, we're going to break for a few minutes, and then the next presentation will be up in probably about 15 to 20 minutes. So thank you again, Chris, great presentation. Have a nice one. All right, cheers.
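Editor's note, added after the transcript: the talk mentions finding a ground-side device speaking Modbus with no authentication, returning its device ID and function codes. The following example is added here and is not the speaker's code nor a vendor tool. It shows what that looks like on the wire: Modbus/TCP frames carry a 7-byte MBAP header and a PDU, and nothing else, so any host that can reach TCP/502 can issue a Read Device Identification (function 0x2B, MEI type 0x0E) or read and write registers. The response bytes, vendor strings and IP addresses below are constructed for the example, not captured from any real device. The `classify_function_code` and `alert_on_writes` helpers are the defensive half: a monitor that flags write function codes from hosts outside an allowlist, which is the minimum check a practitioner would want on a network where such devices exist.

```python
import struct

MODBUS_TCP_PORT = 502  # default Modbus/TCP port (open specification)

# Function codes used below (from the Modbus application protocol spec).
FC_READ = {0x01, 0x02, 0x03, 0x04}
FC_WRITE = {0x05, 0x06, 0x0F, 0x10, 0x16, 0x17}
FC_DIAGNOSTIC = {0x08, 0x2B}

def build_mbap(transaction_id, pdu, unit_id=1):
    """Prefix a PDU with the MBAP header: transaction id, protocol id (0 = Modbus),
    length (= unit id byte + PDU), unit id. Note there is no credential field anywhere."""
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu

def read_device_identification_request(transaction_id=1, unit_id=1):
    """FC 0x2B, MEI type 0x0E, read-device-id code 0x01 (basic objects), starting at object 0x00."""
    return build_mbap(transaction_id, bytes([0x2B, 0x0E, 0x01, 0x00]), unit_id)

def read_holding_registers_request(start, count, transaction_id=2, unit_id=1):
    """FC 0x03: read `count` 16-bit holding registers from address `start`."""
    return build_mbap(transaction_id, struct.pack(">BHH", 0x03, start, count), unit_id)

def parse_mbap(frame):
    """Split a frame into (transaction_id, unit_id, pdu); reject non-Modbus or truncated frames."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    return tid, uid, pdu

class ModbusException(Exception):
    """Raised when the device answers with an exception response (function code | 0x80)."""

def parse_device_identification(pdu):
    """Parse a FC 0x2B / MEI 0x0E response into {object_id: value}.
    Object ids 0x00..0x02 are VendorName, ProductCode and MajorMinorRevision."""
    if pdu[0] & 0x80:
        raise ModbusException("exception code 0x%02x" % pdu[1])
    fc, mei, _code, _conformity, _more, _next_id, num_objects = struct.unpack(">7B", pdu[:7])
    if (fc, mei) != (0x2B, 0x0E):
        raise ValueError("not a device identification response")
    objects, off = {}, 7
    for _ in range(num_objects):
        obj_id, obj_len = pdu[off], pdu[off + 1]
        objects[obj_id] = pdu[off + 2:off + 2 + obj_len].decode("ascii", "replace")
        off += 2 + obj_len
    return objects

def parse_holding_registers(pdu):
    """Parse a FC 0x03 response into a list of 16-bit register values."""
    if pdu[0] & 0x80:
        raise ModbusException("exception code 0x%02x" % pdu[1])
    byte_count = pdu[1]
    return list(struct.unpack(">%dH" % (byte_count // 2), pdu[2:2 + byte_count]))

def classify_function_code(fc):
    """Coarse label for a PDU's function code, for monitoring."""
    if fc & 0x80:
        return "exception"
    if fc in FC_READ:
        return "read"
    if fc in FC_WRITE:
        return "write"
    if fc in FC_DIAGNOSTIC:
        return "diagnostic"
    return "other"

def alert_on_writes(observed, allowed_writers):
    """observed: iterable of (source_ip, frame). Returns (source_ip, function_code) for every
    write sent by a host that is not in the allowlist; the protocol itself will not stop it."""
    alerts = []
    for src, frame in observed:
        _tid, _uid, pdu = parse_mbap(frame)
        if classify_function_code(pdu[0]) == "write" and src not in allowed_writers:
            alerts.append((src, pdu[0]))
    return alerts

# Constructed sample traffic (not from a real device): a device-id response, a register
# response, and three observed frames from two hosts, one of which is not an allowed writer.
SAMPLE_DEVICE_ID_PDU = (
    bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 13]) + b"ExampleVendor"
    + bytes([0x01, 7]) + b"EX-1000"
    + bytes([0x02, 5]) + b"1.2.3"
)
SAMPLE_DEVICE_ID_FRAME = build_mbap(1, SAMPLE_DEVICE_ID_PDU)
SAMPLE_REGISTER_FRAME = build_mbap(2, bytes([0x03, 0x04, 0x00, 0x2A, 0x01, 0xF4]))
SAMPLE_OBSERVED = [
    ("10.0.0.5", read_holding_registers_request(0, 2)),                       # read: fine
    ("10.0.0.5", build_mbap(3, struct.pack(">BHH", 0x06, 0x0010, 0x0001))),  # write from allowed host
    ("198.51.100.7", build_mbap(4, struct.pack(">BHH", 0x06, 0x0010, 0x0000))),  # write from outsider
]

if __name__ == "__main__":
    print(read_device_identification_request().hex())
    print(parse_device_identification(parse_mbap(SAMPLE_DEVICE_ID_FRAME)[2]))
    print(parse_holding_registers(parse_mbap(SAMPLE_REGISTER_FRAME)[2]))
    print(alert_on_writes(SAMPLE_OBSERVED, {"10.0.0.5"}))
```

Running it prints the 11-byte identification request, the three parsed identification strings, the two register values, and one alert for the write from 198.51.100.7. The point of the example is structural: every field in the frame is either routing or payload, so authentication and authorization have to come from the network (segmentation, allowlists, a monitor like `alert_on_writes`), never from the protocol.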