Event Recording

Francisco Z. Gaspar - The Unpatchable Element


So hi everyone. My name is Francisco. As was announced, I've worked in many companies like IBM and Microsoft. I work for one of the biggest banks in the world right now. I'm in Germany, although I don't speak German, sorry for that. As said, I work for Telefónica in Germany. My job basically is to find technologies and implement them at a big provider, so I can say something about technologies. And before I start this topic, the untouchable, unpatchable element, I'll just play this video. This one. Yeah. So you can see, it will take two minutes.
Time for a pit stop: time to refuel and change tires. Only four crew members, including the driver, are allowed to work on the car. The driver stays in his seat, anxious to get away. Let's watch.
Takes a while.
The tires are changed, a crewman polishes the windshield, and Holland moves away just 67 seconds after stopping.
50 seconds.
So this was 2.1 seconds. This was the world record until a few months ago. Now it's down to 1.8 something. Now you are wondering, okay, I'm at a cyber event, why am I seeing a pit stop? Well, I like cars. So that's the whole point. Now, jokes aside, this is the state of technology. We came from a few guys taking 50 seconds to change the wheels to a bunch of highly specialized guys changing wheels in two seconds. And before going into depth on the message I bring today, I want to go into the past to explain where I'm going. Way before, in the past, we had this: we had a king, we had a castle, we had the knights, whatever, trying to attack, testing the defense and trying to breach the walls, breach into the castle, kill the king, whatever they tried to do. In cyberspace we have the same methodology. We have our servers, our walls are replaced by firewalls, everyone has heard of it, our king is now our data, and we have the knights, or the attackers, trying to do the same thing: testing, testing, and testing.
This has pretty much been around since the first times ever; we just changed from physical walls to cyberspace. We have become extremely good at doing walls around stuff. This is not a joke about the term, but yeah, we have become really good at building walls. But we always have this guy. We will always have this guy, and we keep spending and spending thousands of euros, dollars, whatever you want to use as your currency, on our best technology ever. And we will always have Dave, and Dave is human error. Dave will always break the system. Dave will always find a way to breach the system, or to let an attacker breach our system. Today I heard a lot about technologies, and I only heard one person, or one company, that is in this space, the Dave space. And that's my point. My job is to find technologies that will lead us to 90%, 99% safe. But those 99% make us a hundred percent vulnerable: the 1% that is Dave, the human error, will lead us to an attack or to a breach. We all... I'm this guy, okay. I can't say it is about my company, but we always have those guys around in the office with Post-its and our passwords lying around. I've seen it.
As I said, we've become obsessed with technology. We forget about the untouchable element. Cybersecurity is us, and not only about technology. Technology enables us to secure some systems. Technology will never enable us, for now. If you ask the Tesla guy, he will say we'll put an implant in our brain and we'll secure everything. But for now, cybersecurity is also about us.
And humans, we always find a way to trick the system. This guy, some of you are laughing, you know what happened: this is an SQL injection. If the guy gets a ticket, it injects into the table on the system and drops the table. Okay? No ticket. So good for speeding, and with great bypasses. Of course, with that human error guy, you'll always have these kinds of problems. Ransomware, that's where technology helps, but never to the point that we need; you'll always find stuff like this. This is the BMW website a few years ago; it was hacked, by a breach too, allegedly someone made a mistake. This is the CIA, way before of course, but this was the CIA website, again by human error. And this led me to the film I showed before, talking about technology. You see the difference. You can see a few guys take 50 seconds. We now have a lot of highly specialized guys, as we can see around the boxes, the pit stop. There were a few guys changing the tire, it took 50 seconds in the fifties, and in the two thousands and tens it is two seconds with a lot of specialized guys. And these guys are the problem. These guys are the risk.
And with these guys, this happened. To give a background on this picture: can anyone understand what happened here? So I like to play around on LinkedIn. I am approached all the time by recruiters, whatever. And I like to play around to see if the company is secure enough. So what I do: I send this Word document that looks like my CV. And it is my CV, but my CV has some macros. And I ask the lady, hey, enable your macros because my CV is super fancy and you need to see the stuff. And this is the code, this is an extract, a small portion of the code. Basically the CV will pull up PowerShell, which will give me access to the person's computer. See what happened here? Human error; that person wasn't prepared to deal with an attack just like that, on LinkedIn. I had someone, and of course I'm not the only one doing it, there's some Chinese guy saying there's a super fancy company that wants to hire me. I always say no. But then, just out of curiosity, I ask how much they're paying: a bunch of money.
And of course we all know this is fake, right? So if you guys are approached on LinkedIn, be careful, because they will try to get us through human error, from the front desk assistant. This is another hack I did. I worked as a consultant a few years ago and I did this one. Rubber Ducky, everyone knows what it is. It's a small device that we put on our computer and it will inject code no matter what; it acts like a keyboard but keystrokes code into the computer. So the story is, this is something I did as a consultant for a company. I went to the front desk, and I told the person, please let me print my presentation, I just threw coffee on my presentation, here it is, can you please print it out? Put the pen drive into it and print the presentation. What happened is I hacked the computer. So something like this: I see computers lying around, I could put this thing onto your computer, I will inject code within three seconds and I will have remote shell access to your computer.
And now let's talk about statistics, because you guys are all cybersecurity guys and you are aware of the problems. Smartphones. How many of you have one? I'll say everyone, right? Working, my own, the smartphone. I have home banking, I have... I'm stupid, I have it all. How many of you connected to the Wi-Fi today? Because the 4G signal here sucks. So yeah, how many of you connected? Have you heard of this attack? It's a simple attack, right? Something like this, between the Wi-Fi, the access point and the network cable; or something like this, more advanced, where I own both; or something like this, try this one, something like this: just plug it into USB, fake Wi-Fi, done, passwords all over.
This is not today's, by the way; I don't want to get arrested today. So as you can see, a bunch of people connected to the Wi-Fi today. You really think you are secure? That's my main message today, because the question is not if, it's when. And that is the message I will drop on you today, because we can spend a lot of money on technology and someone will get to a conference that has a poor 4G signal and will connect to the first Wi-Fi they can see. And with that, I'll leave you today, because we are the untouchable element. Thank you.
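The "fancy CV" in the talk is a macro-enabled Word document whose VBA runs on open and launches PowerShell. The check a mail gateway or analyst wants for that is to decompress the VBA source and look for an auto-executing entry point paired with a shell launch. The following is an added example, not the speaker's code or slides: it implements the MS-OVBA container decompression (literal and copy tokens) and a keyword scan over the result. It assumes the module stream has already been extracted from vbaProject.bin (for instance with olefile) and is passed in starting at its compressed-source offset; the sample macros and the literal-only compressor used to build test input are constructed here for the example.

```python
"""Decompress an MS-OVBA module stream and flag auto-executing macros that
launch PowerShell or a shell. Added example; assumes the caller has already
pulled the module stream out of vbaProject.bin (e.g. with olefile).
"""
import re

# Entry points Office runs without a click once macros are enabled.
AUTO_EXEC = re.compile(r"\b(AutoOpen|AutoExec|Auto_Open|Document_Open|Workbook_Open)\b", re.I)
# Calls that hand control to an external process or download code.
SUSPICIOUS = re.compile(
    r"(powershell|WScript\.Shell|CreateObject|-EncodedCommand|-enc\b|\bShell\b|URLDownloadToFile)", re.I)


def decompress_vba(data: bytes) -> bytes:
    """Decompress a CompressedContainer (MS-OVBA 2.4.1): 0x01 signature, then chunks
    of a 2-byte header followed by token sequences (flag byte + 8 tokens)."""
    if not data or data[0] != 0x01:
        raise ValueError("not a VBA compressed container (missing 0x01 signature)")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        header = int.from_bytes(data[pos:pos + 2], "little")
        chunk_size = (header & 0x0FFF) + 3            # total chunk size, header included
        if (header >> 12) & 0x7 != 0b011:
            raise ValueError("bad chunk signature")
        compressed = (header >> 15) & 1
        chunk_end = min(len(data), pos + chunk_size)
        pos += 2
        chunk_start = len(out)                        # decompressed offset of this chunk
        if not compressed:                            # raw chunk: 4096 bytes copied as-is
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]
            pos += 1
            for bit in range(8):                      # LSB first; unused bits end at chunk_end
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:            # literal token: one byte
                    out.append(data[pos])
                    pos += 1
                    continue
                token = int.from_bytes(data[pos:pos + 2], "little")   # copy token
                pos += 2
                diff = len(out) - chunk_start
                bit_count = max((diff - 1).bit_length(), 4)          # ceil(log2(diff)), min 4
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):               # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


def compress_literals(source: bytes) -> bytes:
    """Constructed test helper: build a valid container from literal tokens only
    (flag byte 0x00 before every 8 bytes). Chunks are kept to 2048 bytes so the
    encoded chunk stays under the 4098-byte limit. Real streams also use copy tokens."""
    container = bytearray(b"\x01")
    for start in range(0, len(source), 2048):
        plain = source[start:start + 2048]
        body = bytearray()
        for i in range(0, len(plain), 8):
            body.append(0x00)
            body += plain[i:i + 8]
        header = 0x8000 | 0x3000 | (len(body) + 2 - 3)
        container += header.to_bytes(2, "little") + body
    return bytes(container)


def analyze_module(stream: bytes) -> dict:
    """Decompress one module stream and return the findings plus a verdict."""
    source = decompress_vba(stream).decode("latin-1")
    auto_exec = sorted({m.group(1) for m in AUTO_EXEC.finditer(source)})
    suspicious = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(source)})
    if auto_exec and suspicious:
        verdict = "block"        # runs on open and spawns a process: the CV pattern
    elif suspicious:
        verdict = "review"       # shell calls, but the user still has to trigger them
    else:
        verdict = "allow"
    return {"auto_exec": auto_exec, "suspicious": suspicious, "verdict": verdict}


# Constructed samples: the shape of the macro described in the talk, and a benign one.
SAMPLE_MACRO = b'''Attribute VB_Name = "ThisDocument"
Sub AutoOpen()
    Dim cmd As String
    cmd = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand ..."
    Shell cmd, vbHide
End Sub
'''
BENIGN_MACRO = b'''Attribute VB_Name = "Module1"
Sub FormatTable()
    Selection.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, macro in (("cv", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, analyze_module(compress_literals(macro)))
```

Hooked up to olefile, the same `analyze_module` would be run once per stream under the `VBA/` storage of vbaProject.bin; the verdict logic is deliberately conservative, since a macro that only runs when the user clicks a button is a weaker signal than one wired to `AutoOpen`.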
