DE you can learn more. Here in the virtual chaos studio Hamburg I am meeting Manuel Atug, alias HonkHase, who will give us the highly interesting talk about war in the Ukraine bombs instead of cyber or is the cyberspace itself a warscape. This talk will also be transmitted on the internet. Dear radio listeners, you may also be interested in the following Moin Moin in the chaos studio Hamburg on day two of DiVOC 2022 Bridging Bubbles. This talk, if you have any questions, there are multiple possibilities for you to post them. In the announcement of this talk you will find a link to the Q&A pad for questions and answers where you can put your questions. Maybe you want to change into the edit mode before warranty. The hashtag for Twitter and Mastodon and also the link for IRC you can find in this video frame in the tab chat. Our signal angels will then find the appropriate tweets and questions for the talk and then at the end of the talk the speaker can answer them. Manuel Atug is a cybersecurity professional and IT professional. He is known in hacker circles as HonkHase. Since over 23 years he's involved with IT security and concerns himself with KRITIS which is hacking back and ethics and protecting from catastrophes. HonkHase is the speaker for the AG KRITIS involved with critical infrastructure. He is currently in Egypt which is why we will firstly play a video and then he will be connected live and answer your questions from the pad.

Hello all together. Welcome to DiVOC Bridging Bubbles for the third time as the replacement for Easterhegg. Today we will talk about Putin's war in Ukraine, the bombs instead of cyber. I will give you a small overview of cyber war and critical infrastructure and protecting civilians in wartime. 
Now I'm of course not a professional and expert for war but the cyber part and critical infrastructure part and protecting civilians is something that I do here and there and will ideally start professionally annoyed with these bunny ears. So this cyber war was announced a lot with the sabotage of civil infrastructure as a military operation but maybe cyber war and critical infrastructure will be cyber by the way even in Germany apparently. But maybe what do we actually see in this war? The BMI are saying that there are massive cyber attacks and then maybe that's there's also there's some website defacements some DDoS attacks some data leaks isn't bad. But actual tactical focused and persistent takedowns of water communication systems or blackouts not really but the KA-SAT attack maybe can be seen as collateral damage and it had the the result of lots of satellites being not active and many wind power plants were not able to be maintained properly anymore. So what else is used for these kinds of modems? Yeah the Ukrainian government and the police which was the attack goal in this case and were taken out for a few hours. What else was involved? RWE2 the the fleet management of for example firefighters and THW in Germany and especially the the traffic control of all of these. The satellite uplinks using the same satellite uplinks in combat areas has become a bit of a problem because suddenly there was no communication available anymore. It was just taken away. The result of this didn't really stick around for long but the damages stuck for a while. The wind power plants were out of order for a while not just in Germany but out of also in other countries. But what else can we see from this massive cyber war in air quotes that can be seen in colorful PowerPoint slides from consultants to the military and many of those mostly male that often maybe provide their IT security solutions as the ultimate way for all of the nations to cyber each other away. 
That can't really be seen anywhere just like some straw being loan over street but we can see that water plants, water reclamation plants in the Ukraine are disabled and power supplies not being guaranteed. All of these PowerPoint slides that maybe show the coming cyber war haven't really shown what can actually be seen now. All of these slides promise everything and anything a bit like scamming or phishing and why is it like that? Well because as an old white responsible person it sounds amazing that if you don't really know the entire cyberspace also here mostly males involved. So what would a persistent attack on critical infrastructure actually look like? Well Stuxnet basically showed this in 2010 with the uranium enrichment centers you can actually attack SCADA components of industrial plants and that it required a lot of research and a lot of resources from the US and Israel and also some Dutch research scientists that were introduced as spies there and also you had to rebuild the original factory building one to one and that also might be something where Putin brings his personal leadhexers on horses and the same thing where maybe you can create more pressure and disable safety systems and increase pressure and gas pipes if maybe there is a mechanical over pressure safety valves there then there can't be any cyber attack just one pressure let off valve can prevent this and so yeah so there might be some offensive but there's nothing but collateral damage and there some parts of steel so what's that could be given but all of these people that prevent this they are not really well known so now a long-standing failure of critical infrastructure these is improbable but all of this collateral damage can't really be considered in risk analysis and therefore it's easier to not take them into account but that of course is only possible with a small system that can be easily considered but with anti-populations these collateral damages that can happen that was of 
course calculated as risk but we are not living in Hollywood where you maybe type around for five minutes on a keyboard and then the progress bar does the hacking but with long prolonged failures of critical infrastructure that is where the stops and all of this kind of stuff the digitalization of this kind of infrastructure is coming and it's coming soon and it actually makes sense because with the automation with lots of these processes more people can be supplied and just because all of this maybe maybe has gotten less expensive more people can be supplied and that means less people have to think about and worry about a lack of water we have even in Germany people that live at or below the minimum existential income so well let's say the unlikely the unlikely case of a lack of pressure is actually taking place like Putin is not delivering gas anymore let let's just think about it it's it doesn't seem likely but so even though Germany is not really the critical infrastructure in Germany is not really a good goal for Putin especially because not just because all of this collateral damage that might happen Putin might actually have to bring the data packets himself because lots of Germany isn't even connected properly at all but what kind of critical infrastructure in Germany is actually relevant here what what kind of critical infrastructure well if tomorrow there's still power and water for everyone if if not what what's then if the the power doesn't care if it gets cybered away in this case with critical infrastructure well let's look at the art our train to until 2025 if you we will probably need to restore the train train tracks there so what do we need do we need to hack back of engines well please let's not I don't want to see these slides but what do we actually need well we need some information from the BSI and the BBK and so we need the combination of physical and cyber resilience we need a resilience of IT infrastructure against all forms of attacks and 
threats so in that case all of this prevention because it's not just all of the hacks from the hackers and pen tests and hackbacks and cyber cyber no we don't need that these continue on these first slides you can't see anything so why is the cyber space no war place well yeah it is it but just like war always was information warfare as hybrid warfare propaganda fake news by spy fair that's warfare now in cyber like it always was it's all tactics that just happen in our common cyberspace now yeah there's just this one cyberspace conventional war with weapons and rockets and bombs in Ukraine might mean that his kinetic weapons only hit the Ukraine and Ukrainians have to come here have to flee while we are 200 kilometers away and drink our coffee some something else happened as well we are always getting information from Ukraine it doesn't happen in silence the world can only watch like this critical infrastructure like that is also being able to watch but we also have to learn to live and work with propaganda and that's a very very critical chapter we'll have to live with and learn to handle it's not that simple and how all those participating state actors non-state actors who are they we have military we have cyber combatants we have secret services we have hackers and apparently some of the hackers are working together with the armies critical infrastructure part of the state government we are science in their civil societies in there there are civilists there are teenagers who are not quite developed morally yeah we have people who just want to destroy but we have hacker collectives like Anonymous you see it's a very colorful field but do we have any defenses and what would they look like well PowerPoint slides are knotted hex or offensive cyber war that doesn't help us what's left yeah the rabbit gets boring again backups and proper IT security processes boring things like the boring thing BSI basic protection everybody wants security but nobody wants to create 
it everybody wants a backup but nobody wants to make it there's engineers and IT security experts properly educated administrators computer emergency response teams all these people those who help the ones back up if they drop and we fostered org or on the CCC cert we need more resilience cyber resilience and yeah it's possible so let's do the boring IT security what what what else would we need well well randomly our random number generator says for again so the THW we already have German group for catastrophe protection but we would need we have a concept three from three years ago and the CCC helped with this and thanks again for the great input so we have concept for three years and it was published 2020 so the concept is two years five years old now so civic society could help with the reaction and there's a lot of know-how with industry machines and all that and the society civic society can really help out and scientists also pensionists who have a lot of know-how because they have been working for years decades so much unused potential under potential is out there and yeah those groups and they ask to help and people want security know-how is there everything is there we could secure everything so we can be preventatively secure and able to react quickly the coalition contract and from 2021 also had this but everyone is waiting for others to do something and someone else to start it yeah we have to leave hackbacks be and proactively start hardening our hardware and software processes yeah I am done thanks for listening have fun with the following talks here soon

dear HonkHase thank you very much for your talk that we just heard and saw you are listening to radio downstairs though if you can hear this you are hearing the translation right from the internet but right now there is a lot of information for those listening via radio as you know this is the DiVOC Bridging Bubbles and there's the website di dot vo c dot de just more information the speaker is in Egypt 
and now he is here live to answer some questions in our Q&A if you want to ask a question you can find a link to the pad in our schedule your home cousin welcome and hello to Egypt so you are at the pool but yes just hit a talk and when you think about the talk it's it's scary I have a first question for you so other than the bad internet connection in Germany how can we create more resiliency more media competence and more learned cyber competence in our civic society so not just within some agencies but modern spy agencies to put all

well hello first and thank you for this very big question which is a lot about cyber competence and cybersecurity and even espionage 2.0 so it's maybe even four questions so let's get to how do we get more resilience it's not like just pressing one button or activating an AI or a blockchain somewhere and tada but one has to think a lot about the the core question as I already said in the talk what are really the the threats for the critical infrastructure how can we properly answer the question will there be power and water in the pipes tomorrow if we have to say no because there is some sort of threat then we have to really also think about the scenario what are the measures against that what are the most likely ones to actually take place and what are the very easy solutions that we can have for it maybe the pressure release valve I mentioned so we can't just talk about the the hackbacks or maybe cyber vengeance attacks to that really doesn't fix the the water our power supply that's just a thing for that resiliency is is before that resilience is defense I always like to say parenthesis cyber defense resiliency and this is something where you can get by to say very easily to write the base requirements and integrate them into the system to have this base resilience against the standard attack and that is something where one has to also look at how you can find further measures to become this bit more more resilience and every bit 
more resilience also usually means more stability in the supply for the population and now get now let's get to media competency so how can we can we get there I have already talked a lot lot about this and I can't do it again so for decades now and we have said media competency can't can't just be created that has has to be strewn across the population and it can't only happen in college it should happen earlier in in school maybe or even in kindergarten and so kids really have to be introduced at the earliest post point what does it mean to be on the internet what does it mean to do research what does it what does IT research and IT security how do you use algorithms and data structures if people would learn that now maybe people are confronted with autonomous cars now let's say lethal autonomous weapon systems maybe even actual AI and questions concerned with that and that's where like we currently are with machine learning and not really but mostly statistical AI but this is something that we really need to do with media competency and media literacy give me a second I need to do something here so the third part of the question was learned cyber security yeah well you talked about cyber security and not just malware but also espionage 2.0 basically which is not just maybe not reinvented in the cyberspace but the same techniques in some ways so if we come to espionage there is something that a high military officer from the Netherlands said well this is espionage is of course very easy and very normal and maybe even it's something that it even happened a lot in the Democratic German Republic the DDR East Germany and there was a lot of fake news and that was distributed and there you you can't just only tap one telephone but you have to actually write on everything maybe you log everything even encrypted connections so maybe you can decrypt them later and also stuff like that so if it comes to cyber war and all of the possibilities involved with that for espionage 
it really becomes a sort of wild west of cyber espionage and it's really become way too big and way too ubiquitous that is definitely something that we have to do we can see that in the Ukraine war as well a lot of espionage and cyber warfare we have information warfare not really cyber war but we have deep fakes we have fake news we have something that really worries me is that even the Ukrainians aren't really working cleanly anymore they say that they have like thousands of soldiers with face recognition recognized with the face recognition from Clearview yeah the truth was really hard to find and it's never been more up-to-date than now and yeah that is something that really like for example finding the mothers of the captured Russian soldiers stuff like that and that is definitely information warfare and psychological warfare that is definitely methods coming from espionage and this underground warfare and there are lots of different things that we have to think about there's of course diplomacy that has to be done a lot and also there's the the cyber peace decepticon which is a sort of cyber digital arms control maybe how much the espionage is happening and how much warfare is happening and stuff like that maybe

so are we and I'm talking about Germany now are we even able to to resist or to survive if we see the options or possibilities of the capabilities of Russian or American Chinese cyber attacks hackback sounds good but maybe not realistic

so well that might sound sort of good but maybe also only on the colorful PowerPoint slides by from the consultants but you can usually say that an attack on a foreign system can never be really done without certain guarantees you can't really say that there's control all the way that is always suggested but it's not really true it's a bit like this this Nigeria scam but it sounds way too nice but yeah that's what it is in truth we need other capabilities we need to uncover these kinds of attacks we need to steer 
against them and that's that's where we get back to resiliency if you have resilient systems that are resistant against these kinds of attacks then nothing really can't happen and but of course the Germans are also very active in espionage and for example the BND is allowed to hack foreign communication providers and ISPs I find it hard to be happy about that

okay next question is addressing this as well so the next question so what are the concrete ideas we have so in the GDPR it's very open and neutral maybe we want to have more concrete options here can we allow ourselves to be this open

yes yes we have to and we under all circumstances so in 2019 I started with my worldwide consulting on these kinds of things and I recognize that all of the things that proceed were really vague and not very clear but there's of course a bad solution to this which is for all of the people that have this that don't know a lot about media competency and we have to define what are the goals what do we actually want to reach what kinds of measures do make sense and what has to be changed in all of these systems because it's always a mix for the threat scenario because maybe if a certain scenario can't happen then it doesn't really make sense to invest in different things because then the money goes into things that you don't even really need instead of the things you do so you always have to keep this path open of what exactly do you do against the concrete threat that you're trying to protect against and it isn't bad to not really know these things beforehand but discovering these things that is a big part and many of these systems in critical infrastructure are very complicated of big systems that are very closely integrated between switches and relays and lots of subcontractors here and there you can't just say that we're taking the infrastructure offline like yeah it's not easily possible how do you want to take a power system offline or a communication system and how are they 
supposed to be the frequencies how that this is supposed to be kept up we do need that in like a high-level scenario we need to define the goals of what needs to be achieved

okay to try it differently are we maybe really naive I mean in as an immune system

well we're not just naive we're also kind of incompetent so if we look at the the kinds of military involvement and what some of them are doing if we really consider what the German government did for years for example Mr. Seehofer there are things where a face palm isn't enough so it's it's kind of bad slapstick but that is basically how they see the world and they actually mean the things they they do seriously and now we need to teach these people how to treat these things

so the next question fits are there any things we can do against a targeted cyber attack that is going further than what we have to do anyway to circumvent nature catastrophes and big accidents

so maybe we don't really need to talk about this all the way but I will refer back to the threats and that are involved so I have to look at the threats from afar and then I have to decide what actions I take so there's a lot of overlap of the steps to take the resiliency things that can be done that are also very good for stability and maybe also help with sustainability but of course that doesn't really help if my backup is really old and I can't properly restore it so either have a measure that I really considered a lot and implemented properly or I maybe have a solution that doesn't really work and bad solution unfortunately is not a solution we have lots and lots of bad solutions and that's our problem so the solutions exist we have to take them

well there is the joke when people just laugh it away you can't hack my water line back home but yeah the municipal water supply you can be heck maybe so can you maybe illustrate the difference between short middle and long term blackouts

yeah so what we have seen a lot was short term shutdowns so maybe 
there was a DDoS attack here or there against the website or another and so yeah those were just switched over or something and that's it so that's basically something that interests no one it's really bad if this kind of stuff happens against critical infrastructure and then this because if it's just the small stuff it can be compensated for easily but if we have larger attacks then that is more like stuff that is also persistent and it can also produce stress in certain scenarios that involves maybe both of these scenarios as well maybe there won't be water for an hour or maybe just like brown soup because the pipes were damaged so for these long term persistent things because for example if we have blackouts and powerless then because these kinds of blackouts take a long time and it's also maybe in a big area big region maybe even a country wide and then you often have damages that are cascading between different components so with power for example it doesn't just stop with power because if the power fails then maybe also the water pumps fail because water pumps use power and the and the diesel generators that are the backup generators are also sometimes empty so for example we have like 15,000 gas stations how many of them have backups well like power backups maybe 150 so after like two or three days with a lack of diesel then something like a water power might not run anymore and then we have a power and a water loss but then of course maybe you can fix the water the power thing and then you can just turn on the power for the pump again but of course as soon as the water stands you have to there is material growth and then you have to run the water for at least two weeks before you can use it again so the water is contaminated now and this is something where maybe like a big bakery there's like factory level bakeries and maybe like they are collecting them maybe if you buy your by your bread from a local bakery that's easy but the maybe their hospital has a 
problem or something but and but the big factories have lots and lots and lots of dough that they're processing and then they can't cool it for a while maybe and then you need months months until you have the dough processing back up to the levels that need to be there that's like these production cycles are a big problem so for example also chemical processes as well it takes really long to be up to operational speeds and those kinds of things can actually have do proper damage so cyber physical attacks that are attacking actual physical things where basically the only example is Stuxnet because of all of the other ones failed because like actually make an attack persistent in a way that can keep this up is really difficult

okay so using hack back and thinking further I got a question how do others protect other countries protect themselves could we maybe copy their resilience maybe not copy but learn from them how are those predicting themselves

well yes we can and there is an institution that is supposed to prevent these kinds of catastrophes in Germany like protection against catastrophes in general is usually a bit of a different thing but let's think about a different topic let's say getting food to the population maybe during a blackout or something in Germany we have mostly reduced all of the storage spaces to an on demand system and so the way individual people can do something about this is very very small so ask some sort of neighbor maybe where's the next emergency water distribution point and in Germany nobody knows it's really bad if you ask somebody in Turkey maybe they can tell you it's down there maybe that pump but if you want the good water it's somewhere else maybe there's a really good pump there for water and they just always have 20 to 30 liters of water ready for them just in case and in Germany that's not really the case and Germany really really reduced the distribution for these kinds of things and other countries usually say that maybe 
we need to provide more storage space at the discounters maybe and the supermarkets and they just store more food than they would usually do just just in case but then the government says that it has a primary priority access to this kind of storage and can distribute it so there's nothing you have to like lose or waste but so yeah all of these concepts are there but they aren't really applied in Germany at all

yeah probably there was also a lot of redundancy that was reduced probably for efficiency when I think of ISDN or voice over IP because it wasn't worth it to run it at the same time for cost reasons so not only between people it became more that people talk to each other but also between company countries and yeah we need more redundancies you were talking about storage space but all of the systems need to be more in parallel because I think the THW has more of these than police right

yeah definitely redundancy is very good for redundancy we don't really need to think about all of this in a capitalist efficiency maximization point of view but we can also say that maybe we really want this 10 or 20 percent backup and this kind of level of redundancy needs to be maintained and maybe also inspected because this kind of redundancy is definitely something that these kinds of resiliency are needed in these kinds of cases we to have it and to not need it is really bad to need it and to not have it is really really bad and yeah the politics will have to adjust it as well because market place cannot handle this on their own and politics has to use their and create those mechanisms to create redundancy and if it's worth it to recreate it I think that's interesting yeah let's I want to say one thing for that at least there's now a new government that is maybe considering some of these things because for a long time there was absolutely no chance so I do have a bit of hope

well that's that's a nice statement I have a last question I'll just read it do you think that the 
new version of Industroyer Industroyer if that also will roam in Germany will it also get out of Ukraine do you know that Industroyer

well you Industroyer was a thing I think six years ago and Industroyer 2 which is the new thing that's making the rounds was analyzed and that also was a cyber physical attack on the power supply and that was also something that didn't succeed also something where the cyber was like junkies really spread the scam but the actual actually producing a blackout is really really difficult I think the new version well it's basically already through and gun at it's been analyzed and yes there was an attack but you can of course reverse engineer parts of that and maybe misuse that against German systems and that is something that the secret services are probably going to research a lot and look into it and probably use in their stockpiles of weapons of digital weapons but there is something that we know since Snowden where everybody was shocked for a while and then everybody else thought yeah well we want to do the same instead of thinking that well that has to be dismantled so that is I think definitely something that the industry are Industroyer 2 and this kind of software is definitely supposed to do this kind of thing and will probably in at some point also be used against Germany and distribute itself which is which we always really have seen with NotPetya as well which was an attack against only a specific country but then spread around the world and really got out of control and because yeah the attack has can't really be determined beforehand that's what I'm trying to explain all the time because like you this kind of risk assessment is really hard to do because you can't really calculate the threat because yeah we can't just retaliate with cyber attacks so yeah Industroyer and such things will come to Germany we have of course the possibility to have something that maybe the my company I get hit is can say that is like if 
the shit does hit the fan which is not really a question of if but rather when so yeah then we have to be prepared and we we can say that we have the THW and we have the firefighters and everything and all of them can cooperate it and be cooperative and organize together do a cyber physical attack maybe and prevent it and also mitigate the results because if the attack was coordinated in such a way then maybe the response also needs to be coordinated maybe actually like the THW the the catastrophe response needs to actually go where the attack happened and fix things even on a digital level

maybe similar to ABC weapons so atomic biological chemically maybe we need d for digital and maybe the danger is that if we leave it out like biological weapons that it just becomes part of nature in science fiction there are nanites that they just barely got back is there maybe a real danger like this that a digital weapon already got out and is waiting out there to reawaken

well I don't really think so maybe for the sci-fi authors but that's something something that we do have to think about defining digital weapons and thinking about what that means and also maybe whether digital weapons are actually weapons in the sense of conventional weapons and also like for example the the hoarding of zero-day exploits can be equated to a weapon locker and which is something that I did so that is something where the for example with these kinds of whistleblowers this weapon locker was emptied so the question is who else can do this when even they with their big budget couldn't do it so back to like cyber policing and cyber war so this this kind of weapons control is needed and more research need to be done into like what is the proper storage of these kinds of weapons for example and that is really we're basically at the first step of like back when atomic weapons first came up where some people said like we have to regulate it and some people were saying like it's impossible to regulate 
but no we did like and we have actually brought a couple of insane governments to take down a bunch of nuclear weapons and that that's a good start and that's where we also need to arrive with digital weapons as well

okay so maybe we should destroy digital weapons okay thank you very very much for this scarily interesting talk and thank you for doing this from Egypt we hear some life from your holiday and how your holiday is calling for you and yeah I want to close with a small but very intense thank you to all the angels