State Sanctioned Hacking - The Elephant in the Room: Frank Heidt at TEDxMidwest

Captions
Hi. Well, this is either going to be the longest 18 minutes of my life or the shortest. And I'm also handicapped: I only have 3/4 of a thumb, so that's going to be really hard to do this with. So that's my elephant, and it's a none-too-subtle jab.

So for the better part of the last two decades, the stories behind me, the ones that you've been hearing about for the last couple of years, I've been dealing with these for a little bit longer. This stuff has been the soundtrack of my career. So in that time, nearly 20 years, I'm pretty sure that I've been considered a Cassandra when I worked for Uncle Sam, and now that I'm in the private sector I guess I'm considered a little bit of a visionary. I know. So I'm not sure if I've either arrived or, like, you've all caught up, so I can... moving on.

So I've been watching this train wreck, well, I've been watching this train wreck for most of my professional career. I've been in computer security long enough to remember when "hacker" wasn't a pejorative and they didn't, like, prepend the word "cyber" to everything from sex to warfare. So for a long time I promised myself that if I had this forum I would rock it, I would give you the talk of your lives on technical espionage. I was going to tell you, you know, motivations, actors, countries involved, the stakes, you name it. It was going to be awesome. Then Mike told me I have 18 minutes. So instead of that talk you're basically getting this one. We're advanced a little bit further. Here's what I want to say: finally you've been hearing about this stuff, the stuff that I've known about for 20 years. The last two years you know about it. It's pretty clear that the White House knows about it, because they not only demand but they've actually urged China to stop hacking us. I have it on good authority that the next step is a strongly worded... So, so, just moving on here.

One of the things that I want to talk to you about is the targets involved: who is, like, China going after? What you have here is a chart courtesy of the New York Times. I don't... please don't blame me for this, this is their art department. But I do want to show you some stuff on this. Every one of these is an industry vertical that is suffering serious attacks. You know, if you were to ask me who they are, I think my flippant answer to you would be "everyone," and the more nuanced answer would be, like, you know, more nuanced. So in the beginning, in the mid '90s, what they did was, Chinese companies, the People's Liberation Army, targeted our large defense companies and the military, and to a degree the three-letter government agencies. Over time that kind of shifted and changed to those plus high-tech industries, and then, really oddly enough, law firms, and I'm going to explain the law firms reference in a bit with an old Russian hacking adage. So, I know, they actually have them. So in 2003 this morphed into this free-for-all, the free-for-all you see. So everything today is fair game. What you see here, loading from left to right, top to bottom, these are some name-brand companies. There's one that actually sponsored TEDxMidwest and another one... What you have here, what I'd like you to look at, are the superlatives: you get the world's biggest defense contractor, you have the world's largest search engine, you have the world's largest provider of software, world's largest provider of microchips, world's largest social networking site, highest market cap. Superlatives. Everything's fair game, everything. Those you saw there, less than 5%. I know that there are more than 500 other companies that I can't tell you about. I can't tell them about it, because we reverse engineer command and control systems and find these targets. I can't tell them. I said I can't solicit work, forget it, like, that would be very unethical. That should sink in a little bit. All those superlatives are picked, the cliché, tip of the iceberg, you name it.

China does this for a reason. We would have to kind of wonder why there's so much effort involved. They have done remarkable things. They've lifted 400 million people out of poverty in the last 20 years. They've expended tremendous effort and energy to build their economy. They've expended a tremendous energy into espionage, though, and I'm going to give you, in, like, keeping with the kind of TED fascination with three things, I'm going to give you the three main reasons I think that they're doing it. China is in a race. This data, and by the way I need to, you know, talk about this data, right, this is supplied by a statistics site from the People's Republic of China. What you see here, this hockey stick, there's just one little mark on it that's actually a little bit incorrect. They forgot an event over here that you might recognize that actually really did sort of lift them, give them impetus to reform their economy much faster. I don't dispute anything other on this chart, other than saying this: the PRC is in a race. At that level of expectation, no economy grows that way. So I'm going to touch on why it's happening, and you're going to... when I tell you this, you're going to learn how to avoid getting screwed with your pants on if you do work in the PRC or if you're in a business on that last set of slides. Reason number one: elevated expectations.

Okay, so, demographics. So if you want to know what scares the living stuff out of me, there's a demographic time bomb ticking in China. There are so many terrifying facts around this topic, I'm just going to stick to three of them. Again, there's that three thing. There's this upcoming retirement bubble. There's the potential consequences involved with a cohort of what they call "bare branches"; these are men who have no chance of getting married. By 2040 there will be more single men in China between the ages of 18 and 36 than live in the entire state of Texas. It's actually never happened before. Wage inflation: China's wages are going up by double digits. So I have to actually stop on the demographics thing; this topic would need a dozen talks of this length to address. It is terrifying. They're in a race, China, to shift their economy from manufacturing and export to internal consumption, one weighted appropriately between manufacturing and services, not all manufacturing and export. In order to win this part of the race that they're in, they need all their indigenous innovation and they need ours, and that's why they do what they do. That's reason number two.

This one is really bad. So it's human nature, when faced with an insurmountable horror, like, you're either going to react by shutting down or you're going to react by trying to do humor. This is my attempt at humor: Beijing on a good day is, you know, comparable to Mordor on a bad day. Listen, this is what might be one of my ideas worth sharing: China's economy is a Ponzi scheme. It burns the environment as their capital. That needs to be heard. They're in a race to change this fast, and I don't think they have the slightest clue. And that's reason number three that they're in a race.

So Mike asked me to scare you guys a little. I have to scare you; this is my job. When I was first asked to do this, one of the organizers of the conference said, "Has anyone ever died from a hacking incident?" And I actually didn't hesitate. I was like, "Yeah, sure. Yeah, maybe, kind of." So proximate cause, you know, causality and facts, proximate... litigators in the room, litigators know. Anyway, what I'm going to give you right now is a little bit of reasoning that sort of follows "for want of a nail the horseshoe was lost, for want of the horseshoe the horse was lost," etc. But first, how bad could it possibly be? This was Mike's question to me: how bad could it possibly be? So what I'd like to do is talk about a creature that escaped the lab in China. We're going to present a conversation that's in the Congressional Record between Donna and Jerry. But first a word from our sponsor: I'm not a lawyer. This last line, post hoc ergo propter hoc, after this therefore because of this. Take what I say to you, you know, at that, and these are my views. Please don't sue anybody, whatever.

This is the conversation. They say never read the slide to a savvy audience; I'm going to break that rule right now. MISO, Midwestern system operating authority. Jerry [surname unclear] is an operator at a power plant in Ohio called FirstEnergy. This conversation was recorded on August 14, 2003. I want to just direct you to the world before time passes. Jerry: "We have no clue. Our computer is giving us fits too. We don't even know the status of some of the stuff around here." About ten minutes passes. MISO operator calls: "I called you guys, like, 10 minutes ago. I thought you were figuring out what was going on." "Well, we're trying to. Our computer is not happy. It's not cooperating either." That's in the Congressional Record, August 14, 2003. How many people in this room know what happened August 13th, 2003? Anybody? Nobody. The blackout on the East Coast. That's not a coincidence. It's not a coincidence. If you read the Congressional report, it pretty much states in very weaselly language that certain energy management systems were not affected by Blaster, EMS, Blaster, the worm that attacked Microsoft computers at that time, but it never mentioned that alarm systems weren't affected. Without an alarm system you get things like "we have no clue," "it's not cooperating." You got an alarm system going up and down like crazy, you got energy operators that don't have insight into their networks, you've got a worm running around the internet that, by the way, was written in China, by the way. How bad could it be? People died. People died during that blackout. That's how bad it could be. There, that is my... I had to scare you, so I'm sorry, Mike. Am I okay? Okay.

I'm going to go back to targets. This is my Russian adage. It talks about how the Chinese target and get to senior executives in our business and our intelligence agencies and our military. The most telling aspect: you cannot scale hacking. You can't scale it, because it's based on the talent of individuals and people. In order to scale it, well, let me go back to the adage. Everybody gets this: you never attack the powerful person, you attack the powerful person's people. So here's where the adage comes from: in order to be effective, powerful people need a powerful number of assistants. Ask yourself, if you needed to learn everything you could about a target, a powerful business person, wouldn't it be great to have their lawyer's mail spool? And it's not just lawyers, right, so it's accountants, financial advisers, therapists, paramours. I was actually going to say mistresses, but we're so modern here that I figured we have to, you know, gender-appropriate. The primary attack vector used by the Chinese today is this exact thing. They find out who you are, they find out who your assistant is, they get a spoofed email from you to your assistant, and that's how it works.

Mike wanted specific advances, so I asked my lawyer, right. He literally had an aneurysm. I hate when people use "literally" and "figuratively" wrong; my lawyer literally had an aneurysm. I was bright enough to take that as a no. You don't get examples, but I will tell you this: my eldest daughter has received spear phishing emails from the People's Liberation Army with zero-day PDF files embedded in them, because they desperately want to be in my network, and my eldest child has an internet presence. I don't have a very big internet presence. So that's real.

Methods. This is it: spear phishing, far and away the most effective vector. The term probably needs some explanation, right. A spear phishing attack is a targeted attack that comes from a perfected impostor. We have three classes: strangers, impostors, perfected impostors. So for the sake of this talk, strangers, they can be ignored. They're like the canonical Nigerian oil minister looking for venture capital; you can just ignore that one. An impostor is what you get when your maiden aunt gets her AOL account popped and she starts sending you email about being stuck in London with no suitcases and in desperate need of a few grand. By and large, impostors, you can find them by, like, voice or tone, right. I've had clients explain to me, like, various phishing messages that they just don't sound right. Right, so it doesn't sound right. It's also, like, super unlikely that your maiden aunt is in London, all that stuff. So, right, so the final case is the perfected impostor, and this is the type of targeted attack used by the PLA. It's the way they scale their espionage, right, to the size they are today. All it requires, and this is key, it doesn't require elite hacking skills, right. You get some elite hackers, they make you zero-day vulnerabilities, then you get a group of people that can do this. All they need is an idiomatic understanding of the language of the victim, right, and you're halfway there.

So I'm supposed to leave you with something uplifting, you know, to give you options, like, to help you understand where you can go and what you can do about this. So I would say this: at my company we periodically test the resilience of our clients' ability to withstand sophisticated phishing attacks, and we're a very large company and we do a lot of big gigs. Not one of our clients has ever passed. Not one, which is sad. So not doing work in China, or limiting connectivity for the rest of the world electronically, is clearly not an option, right. I know, I know. So what can someone do? So it turns out you can actually do a lot. So the muscle memory stuff, the axiomatically true stuff, right, you know this since you were a kid, the common sense thrown at us. This is what you do: you don't talk to the guy in the white panel van, right. No one does that. No one does that. You'd never piss in the well; that one transcends all cultures. You know, in some cultures it's okay to talk to strangers, in some cultures it's perfectly okay to take food from a stranger; in no culture is it okay to piss in the well. Do not do that. There is no royal family in Nigeria. That's it. There are certain neighborhoods you should not be in, and if your prospective partner in China needs your code or your design documents, they need your Verilog, [unclear]. I have a talk coming up tomorrow on three things that you can seriously do to limit your effective, you know, vulnerability in the People's Republic of China. If you're going to be around, I invite you to come to that talk, and if you'd like to ask me any questions I'm going to be here today. So thank you very, very much. [Music]
Info
Channel: TEDx Talks
Views: 149,246
Rating: 4.7458453 out of 5
Keywords: Tech Security, ted x, TEDx, Frank Heidt, TEDxMidwest, Systems Penetration, tedx talk, Information Warfare, Hacking, ted talk, United States, ted talks, State Sanctioned Hacking, ted, Information Assurance, English, Technology, Network Security, Computer Security Expert, tedx, tedx talks
Id: z-A2MxHmnU4
Length: 18min 10sec (1090 seconds)
Published: Sun Jan 05 2014