Welcome, everyone. I'm glad that you all could get up this early to attend a talk today, right, the DEF CON crowd. My name is Chris Kubecka, and I am a security researcher out of the Netherlands and CEO of my own company called HypaSec, and I want to share some wonderful research that I've been doing, because I like to hack just about anything, everything, actually. And this talk is Hack the World and Galaxy with open source intelligence gathering.

Now, to give you a little bit of background about myself, I started pretty early as a 10-year-old, and when I was allowed to use a computer again at the age of 18, I went ahead and joined the U.S. Air Force, where they took me under their wing and taught me all sorts of lovely, jubbly things, and now my concentration is in cyber warfare. In my first career field, I was actually in U.S. Space Command and did a whole bunch of stuff with securing cyberspace and dealing with space warfare as well. And before that, I was a military aviator, and I was in a function called a C-5 loadmaster, the person who does all the weight and balance calculation for the U.S. military's largest cargo plane, and also the ground commander for physical security.

So I see this isn't completely lined up, but that's okay. You can read most of it. At least you can see the lovely Archer meme, because that's the most important thing, right?

So across all of the systems, land, space, sea and air, and IT systems, IoT systems, and ICS/SCADA systems, we have a lot of challenges, because there are a lot of legacy devices. There are also issues with the fact that there are many different vendors in the space, and they don't necessarily sell the most secure products, nor do they necessarily sell products that have actually been tested for anything. So we also have some other big challenges, the fact that when we're dealing with things like critical infrastructure, the vast majority of those assets are actually privately owned.
So you can't just walk into a company and say, hey, you have to do what we tell you to do. That's not actually how it works in most cases. And we all know about bolt-on security. That happens a lot, unfortunately. The first thing that people are thinking about when they're developing a product is not, hey, let's make this super-secret-squirrel secure. Most likely not. They're thinking about how much money can I make, how can we get this produced as quickly as possible, and how can I cash out and get me some private yacht money, because I want some private yacht money, right? So these are a lot of things that we have to deal with.

On the other side, when we're also dealing with different types of critical infrastructure, not everybody can afford the services that come from them. So whether it's the old-fashioned cable theft, nowadays it's more likely to be electricity theft, water theft, and things of that nature, especially when we're dealing with Bitcoin mining and other cryptocurrencies. Because the one thing that actually drives up your cost and pushes down your profit margin, if you are mining cryptocurrencies, is, do I have to pay for this electricity? If not, can you pay for my electricity? And that's the best way to do it.

So when we're talking about critical infrastructure, we're thinking about things to make sure that the lights stay on, making sure that the water that we drink is actually good water and not bad water. And you also need a certain level of good water and filtered water to actually use for things like production and producing automobiles, for example. We also have the other items like, hey, how many of us like to eat? So we have agriculture, and that's very important. I'll give you a good for instance: the country I live in right now, the Netherlands, is actually the second largest food exporter in the world, even though it has 17 million people.
And the reason why is they've got the most advanced automation when it comes to agriculture. The vast majority of things are grown under glass. The farmers, called boeren, produce, for the most part, most of their own electricity. I'm sure you've heard of Dutch windmills. Well, we've got a lot of wind power and a good deal of solar power as well. And in addition to that, a lot of things are grown without soil, so we don't have to use a lot of pesticides. And that's kind of groovy, right?

Then we have to worry about both water and electricity management at the same time, so the electricity that we are enjoying right now is actually from a hydroelectric dam not too far from here, called the Hoover Dam. And then when we want to get around, we're dealing with public transport in many different modes, which also rely on these particular systems. Two days ago, there was a major power outage in the southern part of the United Kingdom, which actually affected London and a very large station called King's Cross that I go to on a fairly regular basis. And it interrupted basically all of the train service throughout the country. And everyone was told, sorry, you shouldn't really travel today. Are you stuck at King's Cross? You're one of the, hmm, close to 100,000 people affected in London? Well, we can give you water, but you're going to have to walk. So we're quite reliant on these systems that provide the support function for all of these different types of things.

And so I'm going to show you some examples, because pictures speak a thousand words. This is part of my collection from China. China is a rather unique country in the way that their electricity is produced. They also have a lot of open systems, which is a bit unfortunate for them. I have a collection of 398,000 systems that I keep track of in China that deal with electricity production in some way, shape, or form, whether production or transmission. Another thing, this is actually a European one.
And this is electricity production as well. And what happens with a lot of these systems is they aren't all in one location, so they'll have remote systems attached, whether it be by radio frequency, by Wi-Fi, by line of sight, or by internet. And when you're dealing with manufacturers of these systems, like Honeywell, Siemens, whomever, they want to be able to maintain the systems and make sure that there is interoperability with them. So what they do is they say, hey, you purchased my stuff, but as part of the warranty, you have to allow us remote access 24 by 7. And that might be VNC with no authentication. So one of the biggest problems is the remote management portion in a lot of critical infrastructure. You typically do not have a choice, as the customer of these vendors, to actually choose how they connect. And also in many cases, because they've got a lot of different customers, they're going to be using the same credentials for all of those customers for ease of use for their engineers back in their shop.

Now, this is a bit of an unusual one. I actually showed this during some European Union and NATO cyber warfare exercises to warm up a whole bunch of ministers and ambassadors, the kind of decision makers who hopefully won't press a button. And I was showing them the fact that, I'll try to use the laser thing, this is Modbus, which is an industrial protocol that's quite old. It's not directly TCP, but it will take a command from anywhere, at any time, with zero authentication. So if you can find one of these and you can translate your command, and you read the protocol, which is actually available on Google, and you put your command into hex, you can then send a command and it will take it. And that could actually be a power plant. But one of the other problems with this is this is critical infrastructure. And this is the banner of a particular type, version 3.6 of Xtreme RAT.
This particular RAT is commercially available, but this particular version was easily crackable by other hackers. So then they didn't actually have to buy Xtreme RAT, they could just crack it. So that's always nice, why pay for it even as an evil criminal hacker, right? So in this case, this was actually on a rather important power plant somewhere in Europe. And it was actually being controlled by an entity behind an ISP in Russia called Vimpel ISP. And the same exact version and the same people, I'll say, were controlling this, were also controlling several other pieces of critical infrastructure throughout Europe. So it was a network of surveilling power plants, certain types of agriculture, and banking. So they were sitting a lot on banking, but only on the high-end private banking logins.

So this is an actual aqueduct, which, if I showed you more, I was able to press buttons if I wanted to. It was actually in Italy. And they rely a lot on different aqueducts. They've modernized the whole aqueducts from the Roman times. And this produces electricity as well. So I like clean water. I want to make sure that when I take a sip, it is untainted with some sort of chemical or an imbalance that will make me sick, or leaching lead out of pipes because it wasn't buffered correctly, like in the case of Flint, Michigan. You have to be quite careful with how you deal with water.

This is an interesting one. This is a logistics company. And what we found in Europe is they deal a lot between Russia and Germany with shipping. And we found a criminal entity had gotten into their very weak logistics system and was able to modify the entries so that they could smuggle things in and out using those cargo ships and the manifests. And the things that we found that they were moving in and out were actually weapons. And some of those weapons were actually used in two terrorist attacks in Europe.
And we were able to trace it directly to this logistics company, who had left their stuff wide open. And so this also shows you the dangers of the fact that it isn't all just a scary hoodie hacker, but there are some serious players in this game when we're dealing with moving things around and manipulating information in this particular manner.

This particular one was a salmon farm that was found in Norway. This was also being controlled by the same entity behind Vimpel ISP in Russia. And in Norway, salmon farming and agriculture is highly automated, and it is a large part of its GDP. A lot of salmon comes from that area. It's because of Norway and a delegation from Norway to Japan about 30, 40 years ago that the Japanese started putting salmon on their sushi.

Now, here is a hodgepodge put together by the London Underground. And I've dealt with these fine folks before. I used to lecture for a part of GCHQ to their engineers for a two-day course that I'm certified for, to teach them about cybersecurity with some hands-on things. Some very good friends work at Transport for London. And when we deal with a lot of these railway and old infrastructure, this is the oldest metro system in the world, from London, we're dealing with a lot of different legacy systems now. And one of our latest scenarios with the EU NATO cyber warfare exercises that we did was in the very last part of the very deadly scenario, where we had to get the ministers to decide on what they would do. The last part was someone was able to get into the London Underground and during rush hour was able to manipulate the signaling and the remote control of the trains and made them smash into each other, causing tens of thousands of deaths and even more people harmed. So this is actually a very realistic scenario, because unfortunately they've got a lot of systems, and a lot of systems with problems that can still be remotely managed.
And they have a lot of legacy systems, and they don't necessarily know how to control all of them.

And last but not least, because this happens to be legal here right now and it's quasi-legal in the Netherlands, marijuana growth is now a major part of certain states' GDP. Think about Colorado. Think about California. They're getting a lot of money in taxes out of this. So whether it's a small grow operation in someone's closet or a major grow operation, there's a lot of automation in it. And unfortunately, I'll see if you can see that, this doesn't even have authentication on it, so you can just go right in. And you can then adjust the amount of chemicals, the water, shut it off, for example, shut off the fans so that the plants heat up and they die and wilt, things of that nature. Now imagine if you did that on a wider-scale basis and then, hey, you don't have a crop for part of the year. How would that affect the tax base of certain states? So these are some of the things you have to think about when you're thinking about, hey, is this a tiny vulnerability or something that can actually affect people on a larger scale?

So in Europe, we've got this really big push for renewable electricity, because we also want to end our dependence on Russia, especially due to various geopolitics. We're trying to cut down on natural gas and things from those particular pipelines. And we also want to make the world a better place. And we like the Paris Accord. So when we're dealing with solar and wind, we would like to keep that going. Now, before Russian troops took over the Crimea region, we'll just call it a crisis, not a war, Ukraine was actually on their way to meet their goals. But when they lost both part of the East, which is still in dispute, and the Crimea region, they lost the majority of their renewable power, and they actually had to fire up a coal power plant late last year. And I was very disappointed when I spoke to their energy minister in April.
So it's pretty easy to find some of these things. I use various alternative search engines. In this particular case, it was Censys, and they happen to tag things like solar panels. Their API is a lot more useful than their web interface, but still, it's quite usable. And you can go ahead and pull up things. This is one where it happens to be in Germany, and it's the controller for solar panels. And you can do a lot of things with this. So if you can get into the system, you can then start doing what's called electricity dumping and not feeding into the system. And what if you did that on a larger scale? Because that's what I like to do. I advise governments on strategy of how technology can be used to kill people on a very large scale, and then how to defend against all of that. But I like to use practical examples.

And so in Denmark, they've got a whole bunch of windmills. And they have a lot of wind power. Now, when I did this exercise for a part of GCHQ several years ago, we found that about 80% of the wind turbines in the United Kingdom were still using default credentials that you could find in the user manuals. When I gave that private demonstration to that particular agency, well, we have four-letter agencies or two-letter-one-number agencies there, they decided to privately go to all of those operators and get that changed as quickly as possible, because they were trying to end their coal usage. As a matter of fact, they just basically turned off their last coal plant. I used to also lecture there as well to give them some advice, because they were not only at risk from a nation state, but also from eco-terrorists.

And another thing that you can find with this stuff is they're not just going to be attached to, say, a wind turbine. They're going to be attached to a few other things behind there. So we've got Modbus. Here's that no authentication. There's a building control system, a little bit of FTP. There's a web server down here.
We've got a database, some DNS, some MySQL, and this is another industrial protocol. So you can actually use these devices, which are weakly configured, to go ahead and pivot into other areas. And as a hacker who's a curious hacker, not a naughty naughty hacker, not all the time, I love databases, because that is juicy, lovely information. So if I can already see it, then I can pivot to it. And I notice, hey, what else can I find? There's a lot of information that ends up being attached to these things. We even see printers. Yay, printers, because I like those. But what if they're attached to a business network, and the printer happens to be one of those larger-scale printer copiers that HR uses, which has a hard drive that they scan everybody's passports, and ID systems, and medical information, and that ends up being stored on those hard drives? I can resell that information, because medical information and identity information is still a hot commodity, especially in large numbers. You can get a buck to $10 each. And if you get hundreds of thousands of those in a day, you are very, very close to private yacht money, because I want a private yacht.

So these are pretty widespread in the European Union. They are trying to make the electricity as efficient as possible. And it sort of works, but many of these devices have not been properly security tested. And in the Netherlands, they actually made it a law that you can refuse a smart meter, because they have not been properly tested, and there are concerns. So in my house, I do not have a smart meter, because I refused it, because I did not want it to expose any of my particular information. So they can be found. This is one of the ways. This is a particular manufacturer, where you can go ahead and find some of these. And with many of the manufacturers, what happens is, with a tool like Censys, it will actually scrape all the HTML. So you can change, say, Google dorks into a Censys dork.
And you can go ahead and directly find the manufacturer names and logins, which are going to be in the HTML source code, and find a really large number of these things, which is great if you're an evil hacker or a curious hacker, or you want to scare the hell out of ministers so that maybe they're going to change things. Now, some of these slides and some of these images I actually showed at a place called the European Union Commission. And that is the equivalent of the US Senate. And I gave evidence for this very late last year to show them some of the issues. So they're actually looking at changing some of the policy and regulations to require that the smart meters from now on, they've actually drafted legislation since, must undergo both security and privacy testing. So we'll see how that works.

So if you can go ahead and get into one of these systems, this one happens to be in Poland, you can see a lot of information on the back end. You can see electricity usage. You can adjust things as well. That's quite nice. So this actually had what's called a directory traversal vulnerability. So I didn't actually have to log in. I just used dot, dot. And I was able to get into the directory. And I could go ahead and see the entire energy consumption report, and also times, days. I could then tell when people were home and when they weren't. So let's say you're a criminal entity that likes to burglarize homes. Wouldn't that be nice, to have a whole bunch of information in a neighborhood and do that recon first, and then know typically when people or their neighbor will be around, and then hit the location at a prime time for you, right?

So here in North America, to try to make all of these various protocols, old protocols and new protocols, work on an industrial level, they have decided to invent something called the Open Automated Demand Response System. And it's basically a front end that's web-enabled to then control all of the back protocols.
And in the notes in the user manual, it says, do not connect this to the internet. There are no security controls on this. So I was able to find, in 138 milliseconds, 75 of them connected to the internet. And this is not necessarily a good thing. The reason being is, here's a hydroelectric dam in Quebec, Canada. And it's actually attached to live systems. Now, some of the things that they can be attached to, oh, they also have no certificate, is things like smart water heaters. So if you're having a problem doing electricity load balancing, basically, a lot of electricity providers, if you have a smart water heater, especially in Europe, during the day, in the middle of the day, they'll actually shut it off so that they can then balance and harmonize the electricity grid. It's just a very common thing. But what if you're doing that as a nefarious person in the middle of winter? Because that would suck. Because I like hot water. And it gets cold in Amsterdam. It's not like here.

So again, these are all connected directly to power plants. So only power plants would have access to run the front end of the Open Automated Demand Response System. And attached to these things are, hey, look at some SQL, look at an email server, some FTP for some remote management. Here's a little embedded system, who knows what it is. And so it isn't individually these particular systems. It's also the systems that they're actually attached to. So I was able to actually get into the system. And I could adjust the peak and off-peak prices if I wanted to, and turn things on and off if I wanted to. And that's not a very good thing. Now since then, the United States government, after I presented this, they have also introduced legislation to actually end this particular program and start scaling it out. And they're looking at a different type of program to use.

So since we all like planes, well, I don't know if I like a plane.
Unfortunately, on my way here, when they were opening the aircraft door, the door fell apart, smacked me in the face with the rubber seal, and door parts fell on my head. Yeah, go, whatever that airline manufacturer is, I can't mention it. So many of us fly here, and many of us can find, unfortunately, this is a Russian airport where the flight controller system is actually connected to the internet. That's a bit of a shame. It also has SMB version one, which you probably shouldn't have, and NetBIOS, which you don't actually need anymore. But many of these systems are really, really old. To give you an example, there are two major airports in Paris, Charles de Gaulle and the other one is Paris Orly. And Paris Orly's system is entirely run on one Windows XP metal box. And they are going to be replacing it next year, because the one person who knows how to turn it on and off and maintain it retires next year, yep. And because of it, it goes down often, and it causes mayhem in the skies around Paris and the rest of Europe, because it has a knock-on effect, all because of Windows XP. Yay, Windows XP, right? Yeah, I used to have this Windows XP security shirt. I wish I had brought it. Would have been perfect.

So here is an RDP session over at another airport in Russia. And this one's quite interesting, because basically if you can find RDP, you can hack RDP. There's a great tool called FreeRDP, because we all like free information. And also this particular version of Windows Server, you can also do things like pass the hash. Here's a login for an inter-traveler system at another airport, which is a bit problematic, because there's no encryption or anything like that. Then we've got a bit of a higher-value target airport in Iraq, which you don't actually want to expose, because there's a lot of military operations around there. Unfortunately, this particular software system, I tried to get a hold of them. They've got a whole bunch of exposed stuff. Here's another one.
This particular airport was actually drone attacked a couple of months ago. There have been some explosive drone attacks throughout Saudi Arabia in the past few months, actually. And here is Ethiopian Airlines. This is part of their ticketing system. So if I wanted to, and I really wanted to go to Ethiopia, I guess I could make myself a ticket. And hey, I get a free trip, or I can get someone extremely naughty in and out without authorities knowing or understanding that this particular person is moving around internationally. And it isn't just developing nations. This is actually Vienna Airport. And this is definitely the data hub system for Vienna Airport, where they get a lot of information in internal systems. And unfortunately, this was also exposed to the internet. They have since fixed this. But these types of systems are a bit everywhere.

So unfortunately, I had to change this particular slide under litigious circumstances. Let's just put it that way. I poke bears sometimes, or in this case, aircraft manufacturers, because they're fun and their door hit me. So back in April, I was talking to a friend who's a pilot, who hopefully I'll see around the aviation village, and I was like, hey, I'm on this login website where you can get the flight control software for both military aircraft and civilian aircraft once you have an ID to get into it, because planes nowadays are just flying gigantic computers, well, depending on how big they are. And so in the code, the part, you can't really see that well, circled in purple, what they had done was they left a code comment that says, I have no idea what this does. It just prints null, right? And you're like, that maybe is not the best comment to leave. Because what it means is the developer didn't do what's called escaping special characters. And an ampersand does not always mean an ampersand when it comes to coding. So he's joking. You probably shouldn't extrapolate from the website to flight control software.
So right now, that's being covered by the DHS.

So when we go to maritime, they've got a whole bunch of radio stuff, a lot of Windows XP, Windows 7, and industrial IIoT. And sometimes tankers spoof themselves and end up in Persian waters. So these systems can actually be modified and manipulated, so you have to be aware of that. And this is actually a VSAT system that is wide open. And the larger ships are actually controlled by GPS as well, so there's very little manual control anymore. And of course, Telnet. And this is what a typical layout will look like. And it looks very much like a production plant, but on a ship. And these particular industrial routers, the vast majority of them already have a known private key. And you can find hacked devices as well. This is a line-of-sight device.

So in space, because I like space, and I was in Space Command, there are a lot of challenges. And so what we did was we ran a hackathon in June from the University of Oxford for some fantastic students, PhD students, that's some of them. That's the best picture ever, I think. And they came up with some real challenges. And we also have to think not only is it the vendors, it can also be very wealthy individuals or aliens. So definitely be aware of aliens. So we've got a lot of different challenges when it comes to new space IoT as well. And you can absolutely discover a lot of these systems. This one was found on Censys. And these are, again, older industrial control protocols.

So if we get a little bit more personal, we've got home alarms, washing machines, hubs, hard-coded usernames, and an entire smart house. So I hope you enjoyed it. Land, space, sea, and air, IT, IoT, and ICS, because I believe in hacking everything. Thank you very much.
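The Modbus behaviour described earlier in the talk, a controller that accepts any write from any source with zero authentication, means the only place a defender can enforce anything is on the network: the frame itself carries no credential to check. This added example (not code from the talk or from any vendor it names) parses Modbus/TCP frames from constructed sample traffic and raises alerts for write function codes sent by hosts outside an assumed allowlist of HMI addresses, and for frames that are not valid Modbus at all; the addresses are documentation ranges, not real systems.

```python
"""Flag unauthenticated Modbus/TCP writes by parsing frames on the wire.

Added defender-side example, not code from the talk or from any vendor it
names. The sample traffic below is constructed; the addresses are documentation
ranges, not real systems.
"""
import struct

# Function codes that change device state. A PLC accepts these with no
# credentials at all, so the only control point is who is allowed to send them.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


def parse_mbap(frame: bytes) -> dict:
    """Parse the 7-byte MBAP header (transaction id, protocol id which is
    always 0, length of what follows the length field, unit id) plus the
    function code that opens the PDU of one Modbus/TCP frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header and function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return {"tid": tid, "unit": unit, "func": frame[7], "pdu": frame[8:]}


def describe(func: int, pdu: bytes) -> str:
    """Human-readable summary of a request PDU (address, value or count)."""
    name = WRITE_FUNCTIONS.get(func) or READ_FUNCTIONS.get(func)
    if name is None or len(pdu) < 4:
        return f"function {func}"
    addr, second = struct.unpack(">HH", pdu[:4])
    if func in (5, 6):          # single writes carry a value, the rest a count
        return f"{name} addr={addr} value=0x{second:04x}"
    return f"{name} addr={addr} count={second}"


def audit(packets, allowed_writers):
    """Return (src, dst, reason) alerts for writes from hosts outside the
    allowlist and for frames that do not parse as Modbus (scanning/fuzzing)."""
    alerts = []
    for src, dst, payload in packets:
        try:
            msg = parse_mbap(payload)
        except ValueError as exc:
            alerts.append((src, dst, f"malformed: {exc}"))
            continue
        if msg["func"] in WRITE_FUNCTIONS and src not in allowed_writers:
            detail = describe(msg["func"], msg["pdu"])
            alerts.append((src, dst, f"unauthorised {detail} unit={msg['unit']}"))
    return alerts


# Constructed sample traffic: (source ip, destination ip, TCP payload).
SAMPLE_PACKETS = [
    # Allowed HMI reads 10 holding registers: normal operation, no alert.
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00010000000601030000000a")),
    # Internet host forces coil 1 ON (0xFF00) with no credentials: alert.
    ("203.0.113.7", "10.0.0.20", bytes.fromhex("00020000000601050001ff00")),
    # Allowed HMI writes two registers at 0x0010: legitimate, no alert.
    ("10.0.0.5", "10.0.0.20", bytes.fromhex("00030000000b0110001000020400010002")),
    # Non-zero protocol id, so not Modbus at all: flagged as malformed.
    ("198.51.100.9", "10.0.0.20", bytes.fromhex("000400010006010600000001")),
]
ALLOWED_WRITERS = {"10.0.0.5"}


def run_audit():
    return audit(SAMPLE_PACKETS, ALLOWED_WRITERS)


if __name__ == "__main__":
    for src, dst, reason in run_audit():
        print(f"ALERT {src} -> {dst}: {reason}")
```

The same check can be fed from a packet capture by handing `audit` the TCP payloads of port 502 traffic; the allowlist, not anything in the frame, is what separates an operator's write from a stranger's.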