Transcriber: Shihwan Go
Reviewer: David DeRuwe

So today's talk is going to be a little bit more conversational, and I hope that it doesn't scare you. That's actually not my intent. So really what I want to do is sort of educate you. I want to kind of present things that you can do, ways that you protect yourself, ways that you can protect your country, your company, your community. Interesting stuff. The Roy Batty quote - he's from Blade Runner - [HACKING] so for those of you who get it, thumbs up.

[INTRO] So I'd like to ask you what you really think you know. Unfortunately, there's way too much Hollywood education in hacking. So I want to describe how average people - you, me, everyone - get hacked. And then we're going to talk about the real ways that companies get hacked, and we're going to talk about how governments hack, and if we have time, we'll talk about how governments get hacked. And I want to actually leave you with something positive. This is something that I feel very, very strongly about, and it is the epistemology of security. And so for those Philosophy 101 people, yes, it's going to be as bad as you remember. (Laughter)

We're going to go in reverse order, right? So here's the reverse order.

[COUNTRIES] What's the most common way
that governments hack their citizens? And I want to be interactive, and I want someone to shout out what they think is the most common way a government hacks their citizens.

(Audience) BioRICS.

That's good. Not the right answer, but good. (Laughter) So that is such a can of worms, I'm not even going to comment on it. (Laughter) Anybody else want to try? We're not going to do this a lot. We'll go a couple of answers and then I'm going to go - Yes? Pen registers, phone tapping - the audience member said phone tapping. That's not a hack, that's the law. Yes?

(Audience) Credit cards.

Governments can't do that because there are ambitious federal prosecutors. Ambitious federal prosecutors save us more than they hurt us.

(Audience) Tell us why?

Governments can't do "things" with your credit cards. I mean they couldn't hack - What's that?

(Audience) DMV.

Oh, the DMV is torture. That's not hacking. (Laughter) But good! Good.

So I'm going to tell you, I'm going to tell you. It's surveillance. It's surveillance, but it's not the surveillance you're all thinking about. It's not the surveillance of the NSA. It's not a three-letter agency. It's petty surveillance, and it burns my ass.

So I'm going to tell you that I am a guy who's pretty powerful, in my own way. Throughout history, individuals like me have never held this much power. I run a group of the best hackers in the world. I'm not bragging, and I'm not selling to you. They're the best in the world.

I heard this story three years ago about a school district in Pennsylvania installing software on the laptops of middle school children. And the story developed that there was someone using the software at the school district in an unauthorized way. And that unauthorized way manifested itself by photographs being taken of children in various stages of undress in the privacy of their own homes. I'm a powerful guy. That burns my ass. I get two engineers to tear that software apart, and then we call "Wired" magazine for a demo. That's a powerful thing.

What we found was that software was hackable by anybody on the capital-I Internet that could figure out the password to generate the packets to authenticate to the application. The password was - and I swear to God this is true - a line from a nihilistic German poem. You cannot make this shit - stuff - up. (Laughter)

So this is an example of petty surveillance, the kind of erosion of your property that happens and starts in places like middle school? That gives somebody the ability to surveil you in your home? That's not good. Those little petty surveillances happen infinitely more times than the NSA is going to intercept your phone call. The only time the NSA is really going to get your phone call is if it's from the US to outside the US, and trust me, they have a lot of people to watch. I don't think they're going to be interested in, generally speaking, you and I.

So that's an example of how a government hacks you, and the power of distributed hackers to kind of make a point of hacking back. You're going to hear a lot more of that in the talk that's coming up next.

So next, we're going to spend
some time on this one.

[COMPANIES] So how does a typical company get hacked? There's way too much Hollywood. We're going to dispense with "Swordfish." We're going to dispense with "Sneakers." We're going to dispense with any animated GUI on a screen you ever see, like the things that sweep in and stuff. That does not happen. I am going to tell you how my company hacks companies, and what we've found of companies that have gotten hacked.

So, moderately frightening hacks - October of 2001, the World Trade Center is still a smoking ruin, we are requested by a government agency in the executive branch to evaluate energy companies for vulnerabilities because they had what they called "chatter." They wanted to see if someone could break into an energy company in a major American city and what kind of damage they could do.

Ah - the way this company got hacked was they had a cafeteria with network drops in it. What we were actually doing - this is fantastic - so during the meeting where we described what we were going to do to this company, the head of security engineering actually said, and he did it in a high, reedy voice, "It would be inconceivable." I swear to God, he used that phrase. (Laughter) It would be inconceivable that we could break into their networks. And we most literally walked out of the room, walked downstairs, walked through the little turnstiles, right into their cafeteria, jacked into their flat network - I can explain that - were given an IP address, and we ran through them badly, badly. (Laughter)

At the end of the day, what we did was we turned on a ventilation fan. We simply turned on a ventilation fan in a building, but we could have closed a switch, opened a valve. We could have done anything. And it wasn't inconceivable. It was trivially easy.

That's an example of relatively sophisticated hacking because once we did get on the network, we had to go through things that were vulnerable, and we did have to actually write some software, and we did have to actually intercept some packets and stuff - sophisticated stuff, but kind of fun. You know, you walk into the cafeteria, you have your coffee, you get a danish, you could own a power plant - this is the stuff that really is good.

OK, so that's kind of mythical; that's kind of mystical. These are really difficult hacks. How about easy hacks? How does the typical company get hacked? So the typical company gets hacked this way. They go onto Facebook, and they see the CEO of the company, and they look at his kids, or they look at his wife, and they get the name, and then they look for email addresses attached to that name. Then they might pop your kid's computer because the odds are that your kid's computer is going to be way less secure than the computer that the company IT department gave to the CEO. That's not always the case, by the way, right? So then they pop your kid's computer, and they make a very plausible-sounding email. Very plausible. I once got a permission slip, personally, but that was not a gym that my kid went to. But somehow the People's Liberation Army thought it was. But figure this now. What if you get, say, your kids sending you, I don't know - same thing, concept - your wife sending you a shopping list? OK, all of these things I've actually seen happen.

I would say what you need to know is that better than 80% of the time - let me back up. If someone pops your kid's computer, the email appears to come from your kid's computer, the headers are correct, the mail agent is correct, your spam filter's not going to run on that one. It's from your kids! Even if you whitelist! Pretty bad stuff.

So, let me continue - when we hack companies, we find about 80, 80-plus percent of the time, that works. You open up a PDF document, if you're not a hundred percent patched, right? If you're back a couple of revs, one rev, you open up that PDF file, (Finger snapping) your box is owned, like that! "Owned" is really cool hacker parlance for, you know, broken into. (Laughter) So yeah, that happens all the time. Every single professional attack that we've seen, all the big ones that you hear on TV - APT, Night Dragon, all these fancy names - all that is is cyber espionage. Every single one that I've ever seen, the final investigative report, all began with a PDF.

There's a lawyer in Los Angeles who did not get beat. He said, "I've worked with my partner Bob for 15 years. That message wasn't how he sounded." That's cool. Tone and voice, things that humans are great at. You're great at listening to tone. You're great at intonation, voicing, and the written words. Pay attention to that. If something sounds off from Bob, don't open it, don't open it.

How do you survive in this age where one rev back on a patch, one client-side vulnerability, screws the pooch for your entire enterprise? Turn on auto-update! I use auto-update. If your IT department says we can't turn on auto-update, get a new IT department, (Laughter) or something. That's how companies get hacked:
social engineering and spearphishing.

What's the most common way, and this is a shout out, [PEOPLE] what's the most common way people get hacked? Shout! Anyone?

(Audience) Phishing.

Phishing? Yep, true.

(Audience) Sharing passwords.

Bingo! That's a good one. Sharing passwords, true! Let's take a sidebar here. How many people, and be honest, you can pan this if you want, how many people use the same password for multiple services? Don't do that! (Laughter) Jesus Christ! (Laughter) Don't do that! Did you get that? You all need to stop that! Here's why. You've just extended your trust boundary from you to LivingSocial. LivingSocial got popped, you're popped. You've just extended your trust boundary from you to LinkedIn. LinkedIn got popped, you got popped. See what I'm saying? Don't extend that boundary to someone you can't trust. Your passwords can be anything you want as long as they're different. Make them mnemonic. If you need to use phoneticized characters and Chinese, do it. If you need to use the international call sign alphabet to spell things out, do it. But do not, don't do that anymore. You make my life meaningless when you do that. (Laughter)

Okay, the most common way that people get hacked is by automated bots. The average person gets hacked by an automated bot. They don't want you personally. If someone wants you personally, and they're capable, you are screwed. There are powerful people in this audience who are very, very likely to be the targets of intelligence gathering operations - you must be extra vigilant. Average people, yes, you, average, (Laughter) turn on auto-updating. You will not get owned by a bot.

And I'm going to take the last five minutes of this talk, and just to be clear, I don't have to talk more about the way common people get owned. You get owned by bots. Turn on auto-update, you're done! We're done! We'll never
have to talk about it again. But this is what I want to talk about.

[BONO PASTORE] Bono Pastore is a Catholic term. Epistemologically, it means being a good shepherd, because you are actually responsible for your little technology flock, and you have to be a good shepherd. Your tablets, your phones, your PCs, your laptops, someday your car, someday your house, someday your fill-in-the-blank, right? You need to be a good shepherd because the internet is a rare and precious gift. And if you are in what's called a botnet - in other words, your computer got owned, and some computer program somewhere in Romania is pushing, you know, organ enlargement pills on your behalf - you are officially part of the problem, and you make it bad for all of us. So that's what I mean by Bono Pastore. Be a good shepherd to your devices, and we get to have nice things. Be a member of a botnet? Granted, I get paid either way, but we really do want to keep the internet.

And I'll say this. It is a rare and precious gift because it spreads knowledge and understanding throughout the world. We did that Joi - I have three-quarters of a thumb, so it's really cool with the "Joi Ito" thing - Where were you on the internet? I'm right here on the internet for me. I think the only thing that's ever solved problems in the past has been knowledge and understanding spread the widest possible. The internet is the best thing that humans have ever designed to do that since writing.

So I think that everybody has to be a good shepherd, take care of their thing. Let's just go over this one more time. Don't click on the link. No one in Nigeria actually knows you. That's just a fact, right? Keep your systems updated. Microsoft has worked very, very hard to ensure that auto-update works, and Apple's worked very hard to do this. Mozilla could work harder, though. But turn on auto-update for your packages, the things that you use. And be a good shepherd. Understand where your bandwidth is going. Put a password on your wireless. Don't be part of the problem; be part of the solution, and we'll all get to have nice things. So thank you very, very much. (Applause)