Acronis Global Cyber Summit 2019 - Keynote: Keren Elazari

in the Financial Times. Her TED talk has been seen over millions of times, and she's been translated into the 30 languages. So excited for this session. Keren, are you here? Ladies and gentlemen, welcome Keren.

Oh, sorry, I got my own. So the deal is, I'm such a hacker I wouldn't agree to use the show's computers, so this is why I have to spend a couple minutes telling you about my beautiful morning looking at the Miami Beach sunrise, and asking you: how has this summit been for everybody? Good morning, are you here with me? Hello, make some noise! Yeah, that's great. It's very good to see that you're here with me.

So it's an honor and a privilege for me to be here with you today. I'm going to take you on a tour, if you will, a journey, a journey into my world, the world of hackers. And this is your opportunity to buckle up, because it's going to be a fast ride, and join me on the tour for this cyber world. And we're not just gonna look at the cyber world and the hackers' world from the defender's point of view. Now we're gonna look at the future of cybersecurity from the hacker's point of view.

Now, I happen to be a hacker. I'm very proud to call myself a hacker. I've called myself a hacker since I first discovered how to write HTML code and how to use other people's HTML code to get on other people's computers. That was more than 25 years ago, so I feel pretty good saying that. But you must be curious: okay, what does it mean? Do we have a hacker amongst us? Aren't we supposed to be protecting the world from hackers? Well, it is my perspective that there's actually quite a lot of friendly hackers out there that can help us.

So when I talk about hackers, I want you to think not just about this sort of image, the hacker in the hoodie. You know, I grew up in beautiful, sunny Tel Aviv, Israel, where it's very much like the Miami weather, and you don't spend your time wearing a hoodie. It was very warm and very humid, so instead I spent time where we had good air conditioning. Where did we have good air conditioning? In the school
library and in the school's computer lab. So I looked more like this young girl, and I was very curious. I spent a lot of time on those computers, learning about the internet, learning about this digital world, teaching myself.

And in fact, because I want you to trust me as your tour guide this morning, let's pull up a real photo. Not that beautiful, nice little girl, but let's pull up an actual photo. This is from the yearbook of my school, taken just moments away from the beautiful Mediterranean beaches of Tel Aviv. You're looking up at me, you're looking up at the screen, you're looking up at me and you're thinking: did Keren show up to school that day? Hmm, was she arrested by cyber cops just moments before for hacking? No, I did show up to school that day. I was there. It will be a little bit tricky for you to find me, though, in the photo. I hope you're ready for it. Here it comes. That's me. That's the truth. I was so much of a nerd that I looked like a little boy, and even for my school photo I wore my state-of-the-art 1993 Sony Walkman, because that technology was the best I had to help me get in touch with that digital world that I was imagining. I listened to my music and I imagined I was living in a science fiction story.

The truth is, I was so inspired by science fiction stories because I did spend a lot of time in the library. I didn't have a lot of friends my age, and even the kids playing Dungeons and Dragons wouldn't let me join their team, so I had to find myself other hobbies and other friends. Thankfully, in 1995 I met somebody who changed my life, and I blame her for all of my career choices, good and bad. Hopefully you'll recognize her in the coming photo, although it's from 24 years ago. Her name: Angelina Jolie. In 1995 she portrayed a fierce Hollywood hacker in the movie simply called Hackers. Has anyone here seen the movie? I hope you have. I certainly helped contribute a lot of my career choices to that film. In that story the hackers were not the bad guys. Those high school kids, weirdos like
me, with short hair, that enjoyed listening to the same kind of music that I did, were actually the heroes. They were the ones who showed the FBI where the real cyber criminal was hiding. They were the ones who prevented an ecological catastrophe. In fact, if you remember that film, it was perhaps one of the first cases of ransomware in history. For those of you who haven't seen the movie: a virus called the Da Vinci virus in the film, created by a cyber criminal to cover his tracks, that virus actually threatens to take over an oil tanker and capsize it, to turn it over so that the oil would spill, unless it is paid 1 million dollars. So perhaps one of the first cases of ransomware in history, and those hackers stopped it. So that was the type of hacker that I wished to become.

Ever since then I've dedicated my career, my life's work, to learning everything we can from hackers, from friendly hackers and from the bad hackers as well. These are some of the organizations, companies and technology developers that I've worked with in my career. I served my time in the Israeli military working on information and security challenges, and now, in the past couple of years, I'm an academic researcher spending most of my time at Tel Aviv University and some of my time in California with Singularity University. So that's some of the pieces of my puzzle. But a very important piece of my puzzle is also that I host Israel's largest hacker event. It's called BSides TLV. BSides, just like the side B of your cassette tape or vinyl album, if you're of that generation. It's the alternative. It's where the real hackers of Tel Aviv get together and share their work, and I hope you join us Monday, perhaps next summer in sunny Tel Aviv, for the next BSides Tel Aviv chapter or event meeting.

More than that, in 2014 I became the first Israeli woman to share my message on the international TED stage, and when I got that opportunity, when I received that invite, I realized it's a chance to share my point of view:
the hackers are not always the bad guys. In fact, I claimed, sometimes hackers can actually be the immune system for our new connected reality. But not a lot of people feel that way still. I understand I still need to convince some people that hackers can teach us. In the years since my TED talk, that has been viewed by many people, I realized a few more things. It's not just that friendly hackers can help us. There's also a few important lessons about the future that hackers of all kinds can teach us, and sometimes the bad hackers, the criminals, the spies, the terrorists, the government agencies out to get us, that kind of adversary can teach us a lot about our future. So that adversary can be our teacher.

So today, in this journey, we're going to go through five stops, five lessons that we can learn from those hackers. And what would the first lesson be? This is probably the biggest, trickiest one of all, from my point of view at least. Cybersecurity these days, and cyber protection, it is about protecting information and its integrity, but more than that, it's about our way of life. It's about the trust that we have come to place, that trust that we really rely on, in every digital system that made it possible for all of us to be here in this room: the airplanes, the transportation systems, the electricity systems, the health care providers.

Of course, the past couple of years we've seen many attacks, including ransomware, specifically on health care systems, and know that in Singapore the national healthcare system was also affected by a cyber attack, which certainly caused a loss of trust in that system and the ability to protect it, which is a problem we need to solve. More than that, if you remember from two years ago, the WannaCry virus. We cannot spend time in a cyber event without talking about this virus, because it didn't just disrupt the UK's national health care services and caused 30 percent of their clinics and doctors' offices to be unavailable to patients. Let's put it in a human, human
perspective. Imagine you're going into the doctor's office. Imagine you have an important MRI appointment. You've waited for that appointment three months, six months. Your insurance paid out for it. The MRI machine is infected with a virus. How do you feel about going into such a device that is bombarding your body with radiation? Think about that as well. As security professionals and technology evangelists, we understand that perhaps a virus like a ransomware virus may not change the radiation levels of an MRI, but is that going to be the case in the future?

WannaCry of course disrupted a lot of other systems as well. I heard that in a factory in France it completely stopped the manufacturing of new cars. It was a Renault Nissan factory. Because this was a factory in France and it was the weekend, they were not working very hard to begin with. You think this is a joke? I'm actually quoting the work manager from that factory. However, what if it happened on a Monday or a Tuesday? Different story. It also disrupted the services for a telecom operator, Telefónica, which operates telephone operations for many people across Europe, and it made its way all over the world.

The thing about the WannaCry virus, this is the one that really got me: this is the information screen in a German train station. Trains still left on time, but how would you feel if you see this as you walk into an airport or train station, or you see this in the traffic light system in your morning commute? How does that impact your trust in the systems we rely on? And that is the point I'm trying to make here, that this trust is so crucial for our way of life.

Now, just recently, cities and local state organizations all across the United States have started to get hit with ransomware. This is from the offices of the city of Baltimore. You'll notice in the far right lower corner, that's the punch line: a handwritten note, "computer systems are down". For two weeks people couldn't buy or sell new houses because they couldn't register them. For
two weeks people can't pay their water bills. For two weeks people couldn't get basic services from their City Hall. And this didn't just happen for Baltimore. In fact, according to a recent report, more than 600 local state organizations, and that includes municipalities, schools, health care providers, emergency providers like a fire service or even police stations, were all disrupted by ransomware, and that is in the last year alone. So this type of attack on the integrity of data also impacts people's trust in the services that they rely on.

This is a report that recently came out stating the details and the statistics. If you want to learn more about the impact of ransomware in the United States, I suggest you check out this report from Emsisoft. However, the report and the attention the ransomware attacks have created also caused the FBI to issue a public service announcement. This is from just two weeks ago: a public service announcement warning local state organizations, helping them, or giving them some information what to do. And what is one of the number-one recommendations? Back up your data, protect your information. That is one of the number one recommendations to mitigate the threat of ransomware. The Department of Homeland Security here in United States just last week passed a bill in Senate to set up incident response teams all across the United States to help local organizations deal with this rising threat. So this is what we're discussing when we're talking about threats to our way of life.

But it's not, of course, just happening in Europe or in the United States. It's happening all over the world. Take for example this company, Norsk Hydro. I don't know if you've ever heard about Norsk Hydro, but they happen to be one of the world's largest manufacturers of aluminum, a very important commodity. When their factories are hit with ransomware, they go to manual production. When they go to manual production, they don't produce as much aluminum. The global cost of aluminum
goes up by several points for that period of several days. So this is something that is impacting global markets and supply chains.

In fact, who here has ever heard about the Taiwan Semiconductor Manufacturing Company? Raise your hands if you have. Only a handful of people, maybe less than, I would say, estimate 10% of you. Anyone who's never heard about them, I can guarantee you, I'm willing to put some digital money on the line, that you probably have a device in your pocket that has a component made by Taiwan Semiconductor Manufacturing Company. They're the single largest provider of electronic system-on-a-chip components that go into every new state-of-the-art iPhone device. So when that company is hit with ransomware, and they were last year, when their factories all across Taiwan and Southeast Asia are disrupted, they cannot manufacture the state-of-the-art chips that go into the state-of-the-art new iPhones, and they suffer 300 million dollars in damages, all because of out-of-date, end-of-life operating systems.

This is, seriously, the type of operating system that you can find on manufacturing floors. Now you're looking at this and you're thinking: oh come on, Keren, nobody still uses Windows XP, hahaha, very funny. Those who are not laughing, do you know how many people are still using Windows XP? And you know what, let's leave Windows XP alone. It's not nice to pick on somebody such a veteran. Let's look at something more popular, Windows 7: 37% of operating systems in the world which are Microsoft operating systems, Windows 7. Windows 7 goes to end of support in, hmm, about three months, a little under three months. So all of those Windows 7 machines all over the world are going to become targets for potential attacks that will look for those unpatched, unsecured operating systems as soon as they go to end of support. That means Microsoft will no longer be pushing patches to them. So if you or your clients and the people that rely on you still have Windows 7 machines, time to
think about migrating onwards. I've been saying it for two years, and every time I say it I have to update the timeline. It's coming, it's coming very soon.

So that was our first lesson, a big lesson: the trust that we place in our digital life relies on all of these out-of-date systems. It's not just about, well, protecting the data that's on them. It's about protecting everything else that we rely on that runs on that.

Furthermore, we're dealing with very sophisticated, very innovative, very motivated hackers, and they're not just out for our credit card numbers or our money or even our secrets. Sometimes they're out to disrupt our way of life. Sometimes that's their goal. Case in point: this state-of-the-art data center. At least their cooling solution is state-of-the-art, you can argue with that. Very humble data center that was actually the patient zero for the devastating NotPetya wiper virus. If you haven't heard about the NotPetya virus, you may have been living in a non-digital environment, because according to Wired magazine, NotPetya is the world's most devastating cyber attack in history. And this clever virus pretended to be ransomware. So whilst it was destroying, wiping the Master Boot Record section of hard drives all over the Ukraine and then all over the world, it was actually claiming to ask people for money. It was pretending to be ransomware, but instead it was just deleting files that will never be recovered again.

For an organization like Maersk, which operates some of the world's largest shipping terminals, when their computers all over the world were infected with this virus, that meant that those shipping terminals that rely on computer technology to run these big cranes and machines to move those containers around, that meant that for several days they could not move anything. They had to go to manual, pen and paper. They had to the first shipments, they had to tell people who relied on them to get their shipments elsewhere. Now, for that company, they've come out very
heroically. Their CIO came out to the Davos Economic Forum in Switzerland and said: it took our team two weeks to recover back from that damage, and we needed to find one server that wasn't infected with the virus. That server was in Africa. There's an incredible story about how they got that one server that included important information for them to recover their entire network. Think about how different that story could have been if they had cyber protections in place and if they had backups in place. That company certainly learned the lesson, and in their own financial documents they've said, once again, 300 million dollars in damages. You might think that's a high number, but many analysts have estimated this to be a lowball figure, because it doesn't take into consideration all of the other organizations that were relying on the goods in those containers. Think about pharmaceuticals, drugs, medicines, foods that were going bad, cars, consumer electronics. Every good that you might buy in a shop somewhere probably makes its way around the world in a container like that, in a container port and terminal like that. So think about that potential disruption to our way of life.

Now, the attackers behind this, we mentioned, not ransomware, remember, they also went after something very near and dear to my personal well-being. Has anyone here ever been to Tasmania, down under in Australia? So Tasmania is not just the kingdom of the Tasmanian Devil, it's also the home for this factory. It makes something which is really important for my well-being. This is a cocoa and chocolate manufacturing facility, very important for my personal well-being, as my family members know. So when this facility all the way down under gets infected with that virus, with the NotPetya virus, that means they're not producing their goods. And this is a facility that's owned by Mondelez. Mondelez is one of the world's largest owners of candy brands. If you like the Oreo cookies, they own that. If you like the Cadbury chocolates,
they own that as well. So when their factories around the world are impacted with this virus, what do they do? Well, of course, they send the incident response teams there, they try to restore from backup, they try to really get back access to their systems. They also turn to their cyber risk insurance provider, Zurich Insurance, and they come to them and they say: listen, this terrible virus has disrupted our systems, we have a cyber risk insurance policy in place, please help us cover the costs. We believe it's a hundred million dollars. That's a very, you know, very traditionally low estimate for that type of damages all over the world. What does their insurance provider tell them? No, we are not paying. Yes, you had a cyber risk insurance policy, but we believe this virus, this attack, is an act of global conflict between nation-states, therefore it is exempt from your insurance policy. Just imagine that moment.

So of course Mondelez are not taking it standing. They're taking Zurich Insurance to court. This is a case that's now being debated in the courts, I believe in Illinois, in the state of Illinois here in the United States. That case, and the resulting perhaps even precedent that will come out of it, would be really important for the future of the cyber insurance and cyber protection industry. So stay tuned. NotPetya is still with us and it's impacting our lives.

Now, what else is happening out there? When we're seeing these attacks, when we're seeing these devastating wiper attacks, we also have to ask ourselves: what are we not noticing? It's not just the files that are disappearing. What is the end game for the attacker? In the country of Chile, a wiper attack on the bank system, the Bank of Chile, wiped out 9,000 servers. As everybody was running around trying to back up, to get systems back online, to assure customers their money is fine, the criminals were actually hiding behind, on the SWIFT servers, launching their SWIFT transactions, getting away with ten million dollars. So
sometimes a devastating attack, a wiper attack that creates all of that chaos and that fog of war, is only a distraction for something else that's happening as well.

What is our third lesson today, what we can learn from hackers? We live in an expanding digital universe. To hackers, that means an expanding attack surface, more and more systems that we can rely on. In fact, on planet Earth we have more digital devices than ever before. But you don't have to take my word for it. Let me ask you, with a hand on your heart: what do you have at home, more digital devices or family members and pets? Think about that. Unless you have a flock of sheep in your backyard, or an ant farm, in which case I congratulate you for your life choices. However, for most people, many digital devices will share our lives. Yesterday the Shark said that an iPhone has replaced a camera, a fax machine, a digital music player. That's right, but the iPhone is not alone, and there are so many digital devices that are joining our life. Not just a lot of them and not just more connectivity, they're also getting smarter. The amount of computing power on the planet has risen. That means all of these devices can now run code, they have sensors, they talk to one another.

Don't take my word for it, though. This is a report from the Munich Security Conference together with the Gartner analysis firm, and according to them, last year, 2018, that was the year where it changed on planet Earth. That was the year where it became home to more devices than human beings, and that trend is only going to continue exponentially as we walk into the future. More people will be connected, yes. Many more devices will share our digital lives.

Again, don't take my word for it, don't take the Munich Security Conference's word for it. Look up something called Shodan. Shodan is a search engine for connected devices. It's almost like a Google, but with it you can find servers, coffee machines and sometimes even power plants that have been made connected and
available over the internet, and the people who made them available did not secure or did not configure their connectivity in a proper way. Shodan.io, this is a service I absolutely recommend learning how to use. It will shed a lot of light on your digital life.

Let's give you some examples. So this is something a couple of hackers found through Shodan. This is the control mechanism for a very unique mode of transportation. Some of you might read German; for the others I'll give you a few clues. With this mode of transport you can change the speed of travel, you can change the direction of travel, and you can stop the vehicle in its tracks, or up in the air. This is a cable car that goes up to the beautiful Tyrolean mountains in Austria. This cable car had a remote maintenance system installed, a "secure" remote maintenance system installed, which is how the hackers were able to get on it. Also, turns out it's not enough to call your system a secure remote maintenance system. Also not enough to put in little lock icons on your presentations. That's not enough. Turns out, you know, it's science, what can I say: if you use out-of-date operating systems, if you use well-known vulnerabilities in your web applications, if you disregard the previous reports of hackers, that system is not that secure after all. Thankfully for these Austrians, it was a couple of friendly hackers, they call themselves the Internet Watchers. They found it, not a James Bond criminal. So they reported it to the Austrian CERT, computer emergency response team, the Austrian CERT, and they managed to fix the problem.

In another case, a security researcher I follow online used Shodan to find something a little more interesting. This is a public toilet system, I believe it's in the Netherlands. Via this remote maintenance tool you can lock the toilets, unlock them, you can clean them, you can do all kinds of nasty things. So this reporter just published all the details online. I blocked out some of the IP address information in there,
but you can see which ports were open, and he has actually gone out to call it the Internet of Toilets, or the Internet of... pardon my French, I didn't make it, they did. So this is what people are connecting to the Internet, and that is our lives.

If you remember, several years ago an attack called Mirai, which means "the future" in Japanese, took over 300,000 devices all over the world and in people's homes, including web cameras, digital video recorders, routers, office copying machines. What all of these devices were doing was not spying through the cameras. They were actually creating a massive network, a botnet, a network of infected devices that can take over websites. And they did. They took over so many websites. At that time it was the largest denial of service attack in history. At that time it also happened to be November 2016, about two weeks before the American elections, so it took out major media publications, and that certainly had some sort of an impact.

If you remember that attack, Mirai, one thing that stood out to a lot of people is that all of these devices were hacked by the code. The Mirai worm automatically added itself to more devices because it already had built into it the default username and passwords for so many of these devices. And this is the actual password for several thousands of those. There's a list of all of the 63 different vendors and passwords are being used. Brian Krebs did a fantastic report on that if you want to learn more.

The reason that I bring up the Mirai attack from three years ago is because just recently regulators took note. Three years, that's a reasonable time for regulators. And actually, in the state of California, as of 2020, state bill 327 says that it is illegal to have a device with a default username and password combination in the state of California, also in the state of Oregon, and you cannot market it or sell it to residents of the states of California and Oregon. Now this may seem like a small thing to you, but remember, California is also the home
to Silicon Valley, and Oregon is also the home to many technology companies that make these devices. So this kind of regulation is going to impact our future as well. A couple years too late, but it's still making some progress.

Our lives are becoming more digital than ever before. These devices are becoming smarter than ever before, whether it's in transportation with drones, or with our car services and our self-driving cars, perhaps our energy systems. Alexa, what are you doing there? Get out, she doesn't belong there. Sorry, it gets everywhere, doesn't it? And even in our bodies, technology is going to become part of our lives whether we like it or not. Who is the CIO or the protector of all of these devices? For the devices that you have at home, that you confessed to me just earlier today that you have more devices than family members, who's running those, who secures those, who's backing up that information? If it's not you, it might be a bad guy. So think about that as well.

Our next lesson, lesson number four. What can we learn from hackers? Everything has value, and sometimes that value can be found in unexpected places. And this is one of the more creative, clever, innovative things that cyber criminals have been doing recently, and if it wasn't so criminal I would do it myself. Check it out. So sometimes value can be found in your cup of coffee. Customers of Starbucks in Argentina were getting a little bit more than Java in their cup of coffee. They were actually getting some JavaScript. So what was happening there is that as people logged onto the free Wi-Fi, as you know, you walk into Starbucks, what do you do? You order your half-caff, half-decaf, tall, strong mocha latte on soy milk, of course, and then what do you do? You log on to the free Wi-Fi. As they logged on to the free Wi-Fi, their computers were being used to mine for cryptocurrencies. A small piece of JavaScript, that's all it took. This JavaScript is called Coinhive. Let me punch it up for you so it's bigger. Coinhive, this is a script somebody
very clever managed to put on the Wi-Fi landing page, so that every time somebody connected to the Wi-Fi, they were running the landing page on their phone or on their computer, it was running that code. Of course, this was two years ago, and running that kind of code to mine for Bitcoin would be impossible on people's computers and phones. It wasn't mining for Bitcoin, it was mining for Monero, which is an alternative digital currency that is actually designed for this sort of distributed mining on a lot of lightweight devices.

And in fact, it's not just happening in Starbucks. Some of you in the room may have never visited a Starbucks, certainly not in Argentina. Perhaps you've visited a small website, it's not very popular in the US but maybe you've heard about it: the Pirate Bay. Oh, sorry, this, so this is Coinhive. This is what the website looks like for the people who make Coinhive, and they actually said: we monetize your business with your users' CPU power. This is exactly what the Pirate Bay did three times in the past two years. Oh, of course, you've never heard about Pirate Bay, what am I thinking, you're all States. This is a very popular website where people go to acquire content that they may not wish to pay for, let's describe it like that for those ones with it. For others, it's a very popular torrenting website, and people have it on their computers all the time, usually open because it's running the downloads, and it was running those cryptocurrency mining operations on people's computers.

But you must be thinking: oh come on, Keren, we know all about Bitcoin and blockchain and digital currency, you can't really mine a lot on people's personal computers. You're right. You've got to go to the cloud, where powerful computers exist, with servers and big CPUs and maybe even GPUs that you can use to generate all the cryptocurrencies that you like, especially if somebody else is paying the electricity bill. And this is exactly what happened to none other than Tesla. Their cloud servers
were used by criminals to generate cryptocurrencies. This happened recently as well. Now, in that particular case, the reason I bring up this story is because when this happens, it happens not because of a vulnerability, a bug or virus. It happens because of a security misconfiguration. It happens because of the way the AWS cloud servers were being configured with the Kubernetes, Google software for managing cloud instances. So it was somebody's mistake.

Now, these types of mistakes can cost you a lot of money. In fact, according to OWASP, the Open Web Application Security Project, there is a top 10 web application security risks, or mistakes that people make, and that particular case goes under the category of security misconfiguration. Security misconfiguration, that can cost you a lot of money. So security misconfiguration, which is a fancy way for saying a developer was ill-advised or made an error, or somebody connected something they shouldn't have.

This also happened to Uber. Do you remember, Uber had several data breaches recently. Back in 2015 they stored the credential, an important password, in the public server, which made it possible for bad guys to get access to the information. It also happened 2017, so they actually made the same mistake more than once, and that caused them access to data of 57 million riders and drivers. That was the Uber data breach, you may have heard about that. A global event, a lot of people heard about that. Well, now regulators are paying attention. So for that small security misconfiguration, if you will, Uber now has to pay a fine, or they've already agreed to pay it in a settlement with the Federal Trade Commission, of 148 million dollars, and this settlement is going to be divided up between the American states in proportionate size to how many drivers and passengers were in each state.

Similar things have happened for other companies. So British Airways experienced a data breach last summer, if you recall. For two weeks their website actually allowed criminals to get
people's credit card numbers once again I don't know if this was a security misconfiguration or very very creative criminals that got over some of the protections that were in place however they now have to pay a fine two hundred and thirty million dollars to ICO that's the Information Commissioner in the UK so the change that we're seeing in the past couple of years not just the security industry generating a lot of money and generating a lot of profit there's also regulators that are now really fining companies so when there's such a risk at play that also means companies should be more motivated to invest in security technologies to prevent terrible attacks and terrible bosses like that from happening moving on to the fifth almost final lesson that we have today well the fifth lesson is the final lesson but then we have a few more ideas of what we can learn from hackers to do better in the future final lesson is that hackers are very good friends with automation and innovation and these are not just buzzwords for the technology industries they are very very common tools for attackers case in point remember WannaCry that ransomware virus we started this conversation with forget WannaCry that's old news now there's WannaMine so somebody took that ransomware he took that same code and they recycled it they repurposed it specifically for cryptocurrency mining and specifically for that currency Monero which I mentioned what else are clever hackers doing well do you remember Shodan that I just mentioned how many people here are familiar with Metasploit Metasploit quite a few some of their security professionals maybe 10% of you so Metasploit is one of the world's most popular penetration testing platform it's a platform that ethical hackers and friendly hackers use but also bad guys to automatically identify when a system has a specific vulnerability Metasploit can launch the right exploit the right weapon to take advantage of that vulnerability so 
today good news you don't need to know Shodan you don't need to know Metasploit meet your new friend a new friend of every hacker AutoSploit a clever hacker took Shodan & Metasploit and he put the two together it all only took him 400 lines of Python code to do it and he shared his work on social media and on GitHub so all the code is actually publicly available with this system that has a quite simple to understand user interface you can actually use that scanning capability of Shodan to identify servers and targets all over the world and then launch the correct vulnerabilities or the sorry the correct exploits against those vulnerabilities in fact I'm doing it at this service this is just the first version look at the upgrades there's also version 4 already out there so hackers are innovating they're putting one and one together to create a new capability they're sharing their work I don't think the people who wrote AutoSploit are necessarily evil I do know that bad guys are using this sort of capability and if you wanted to learn about how to use it there's no excuse not to because it's very easy to find online it's very easy to understand so now a script kiddie a very basic hacker like I was when I was growing up can use a tool like that to identify servers and targets all over the world and go from zero to an attack in a hundred seconds or less so that's another thing that's happening today I heard you played soccer this morning so how well did the European team do so ok I'm sorry to hear that here's a football player or he's a soccer player from European team I don't know if anybody here recognizes him Stefan de Vrij he played for the national Dutch team I believe he also helped them win the World Cup the year that he played on national team is that right my friend you're the only fan of soccer in the room no ok there are many fans are stuck in the room but you know this soccer player so as soccer players go is a very valuable player after he won the 
World Cup another team from Italy wanted to get this player so he was traded from her team to Lazio Lazio was the Italian team that acquired or that got traded in this soccer player about seven million pounds which in today's exchange rate is probably five million dollars no I'm kidding it's probably more like seven million I'm just making fun of the British currency don't don't that they don't think you know banned me out of the United Kingdom please I'm talking to the people on the livestream I like God Save the Queen okay moving on moving on from that embarrassing moment they paid about seven million pounds or at least they were supposed to pay about seven million pounds they paid about five million pounds and then they owed another two million pounds in another payment that was due so a couple of months ago the Dutch team called up the Italian team and they say hey do you remember that great player we traded to you yeah you still owe us about two million pounds you remember that oh and the Italian says oh come see you know okay I can't do anything on accent yes of course we paid we already paid the two million pounds don't worry about it we sent it according to the instructions in the email what email AHA that email you sent us with the wire transfer details so of course they were victims of business email compromise they received an email that they believed to come from the original Dutch team however they send it two million pounds who knows to whom unfortunately or two million euros so that makes it so much easier of course it actually makes it worse so this was something that happened to the business to this particular business the soccer team however this is happening all over the world I know that you also had a NASCAR car outside a NASCAR race cars so the home or one of the homes of NASCAR United States is North Carolina and I believe specifically the county called Cabarrus County so even the home of NASCAR recently experienced a social engineering scam 
or a business email compromise instead of paying I believe it was two and a half million dollars to a contractor vendor building out a new school in that district they paid it out to criminals now you may have heard about these business email compromises you may need not be so impressed with them but I want to show you something that I personally was very impressed with this recently happened just I think it was just three weeks ago so this next story is about a company in the UK and once you focus on me while I set up the story so this company is an energy company in the UK and they have they have a boss and the boss got an email from his German uber boss the boss of the parent company that sent him an email that said we have to pay out very urgently to this provider in Hungary because otherwise the deal cannot go forward please pay out a quarter of a million dollars two hundred and forty three thousand dollars immediately so of course this British chap was a little bit suspicious he heard about these stories he heard about these emails he said why don't I give that German boss a call and see if he couldn't actually confirm the details so yes indeed he gave them a call and he spoke to his German uber boss who said yeah of course yes do the transaction and unfortunately this was a deep fake voice so it wasn't the actual CEO he was talking to an algorithm generating the actual voice of the German boss so the deep fake videos you've heard about those maybe you've seen Obama rap or whatever other types of deep fake videos you may have seen out there deep fake voices are now available and as soon as the new technology is available what will the clever hacker criminals do they will find a good use for it and they have so this is the point I'm trying to make about automation innovation in fact another story about automation innovation comes from here so this is a beautiful ballroom imagine you're in a ballroom like this only twenty times bigger six thousand 
people in Las Vegas and what you're seeing is a competition the first ever competition of its kind seven computers competing against one another on hacking specifically they are competing on finding vulnerabilities and exploiting vulnerabilities autonomously computers that were created by humans but are operating autonomously to hack one another and the winner of this competition the winner of a grand prize two million dollars right here now I'm kidding this is your soccer trophy for those who can't see it the million the winner of two million dollars the grand prize Mayhem that's the machine that won the Cyber Grand Challenge sponsored by DARPA two years ago today if you wanted to see Mayhem you have to visit it in Washington DC in the American History Museum so that's where technology that was the state of the art two years ago that's where it resides today in the History Museum this is how fast the pace of change is so today we are experiencing an actual arms race but not between machines and machines an arms race to find the talent the people the humans that can create and design these machines and these new technologies technologies that will use all of those you know AI buzzwords that you've heard of algorithms and machine learnings and neural networks but without humans to create them to run them to manage them and to keep them in check we don't have a future so today there is actually an arms race between my country Israel between China Russia United States on getting the people the smart people that can create a technology and it's similar arms race that's also happening in the security ecosystem as well so hackers love automation innovation they love moving away into the future they love using new technologies what about you just putting it out there think about that so I've shared with you five lessons five lessons from hackers should we keep calm and carry on should we be doing the same things that we were doing five years ago when Taryn 10 years ago I think 
it's time for some new ideas for the future so very briefly I'll share some of my ideas for the future with you because I don't want to just scare you and give you all the problems of the cyber world without giving you some ideas of what you can do differently one of the main things I always say to the people who I'm speaking with is that we all make thousands of security decisions each day whether it is you know logging onto the Wi-Fi at Starbucks or reusing a password or maybe not installing the latest software update or just not moving away from an antiquated technology we make thousands of security decisions every day as do the people who rely on us to protect them the people that we serve those people are not standing in the trenches they are right there with us on the front lines it's each and every one of us and the people in our homes or companies or offices in our communities that we actually need to empower and to protect and to provide cyber defenses and tools and capabilities to so we have to think about the humans in the equation and yes we can talk until the cows come home about security technology how can we find the best return on security investment I believe it's not just in tech it's in the combination of tech and talent or in other words cybersecurity will always be a combination of the science the technology the automation and the art the human element and we have to keep that combination in place or as I mentioned earlier in other words the tech and the talent don't forget the talent that's something I'm personally really focused on and sometimes that talent can come from unexpected sources sometimes your best defense is a friendly offense so those friendly hackers that I mentioned are out there not just in Hollywood movies but in reality for the past five years I've dedicated my time at Tel Aviv University to researching the phenomena of bug bounty programs this is the program or these are the programs that allow hackers to directly and 
indirectly work with big companies and help them find bugs receiving a bounty or a reward for their findings companies that you know and rely on all have bug bounty programs these are just a few examples from United Airlines to Starbucks Verizon and Intel but for example let's take a company has had a program for many years this is Tesla and this is a Tesla flagship car at the world's largest convention of hackers in Las Vegas and this is a photo taken five years ago as early as now they decided to bring their product to meet the hackers and to invite the hackers to test our product last summer they did something even more spectacular they didn't bring a Tesla they brought Elon Musk so the founder of Tesla came in person to the hackers convention to meet and hire hackers for Tesla and for SpaceX I know because I was there I took that photo I was very excited I asked him a lot of questions about Mars I also discovered that Tesla was giving out challenge coins awards these types of challenge coins that only go to the top hackers that help them find vulnerabilities there's only 20 of these in the world now you can't buy anything with this coin in the store but its intellectual and reputational value in the hacker ecosystem is worth its weight in more than gold this is the type of innovation that's allowing companies to work with hackers another organization learned about it it's called the Pentagon the Department of Defense decided to start a Hack the Pentagon program from the moment they started the program back in 2016 from the moment they open it up to reports until they received their first valid report of a known vulnerability it only took 13 minutes 30 minutes now we're laughing but what about the years months weeks that criminals bad guys and spies had access to those vulnerabilities on this nation's Defense Department's systems they also give out challenge coins to help work with hackers Hack the Navy Hack the Air Force Hack the Pentagon all of these programs 
have seen amazing success who wins these challenge coins what is the type of talent who is the type of talent that these programs are creating access to this is Jack Cable who won all three of these in his senior year of high school before turning 18 and according to him I've spoken with him several times winning that program and participating in it has changed his life and now he's teaching at Stanford showing other hackers how to be hackers for good like him that is phenomenal indeed the reality is that we are going to need more people like it the security industry needs millions more professionals all the work force reports agree on that and when I go out into the world I want to see more friendly hackers this is why I'm personally very hopeful about the fact that the Girl Scouts are now teaching girls about cybersecurity skills arguably more important skill for the future than making cookies or selling cookies whatever it is that Girl Scouts do I was never a girl scout because that wasn't an alternative that was available to me but if now I could be a hacker and be a Girl Scout if I was a young girl maybe that would have been cool when I go to the world's largest convention of hackers called DEF CON when I go to Las Vegas I don't see 30,000 criminals I see talented clever innovative individuals I see kids kids that go there with their parents because they think being a hacker is a good idea for their children's future and you know what I absolutely agree so the only thing left for me is to ask you are you willing to step up and wake up to the hackers world now that we've been through this journey that I've shown you everything whatever you decide to do that choice is in your hands alone thank you for your time today thank you thank you you
Info
Channel: Acronis
Views: 1,750
Keywords: AcronisSummit, CyberFit, CyberSecurity, CyberSecurityAwarenessMonth
Id: 05DYhsH36yw
Length: 47min 44sec (2864 seconds)
Published: Tue Oct 15 2019