Welcome ladies and gentlemen to the write up of my BeerCon2 talk, "Tokyo Takedown: How 10 seconds can change the world?". So before we dive into the talk, let's have a quick look at the event itself.
BeerCon2 - Rise of The Rookie was the brainchild of the amazing infosec group known as The Beer Farmers. This idea came about since so many physical information security conferences have had to be cancelled, with just a handful being hosted online due to COVID-19. This meant many rookies didn't have the chance to do talks so the Beer Farmers came together and formed BeerCon2 - Rise of The Rookie. "The aim was to attract folks from all walks of life, provide a safe environment and give them a great opportunity to gain some confidence in delivering information to new audiences." The event is being run on Thursday 29th October and Friday 30th October 2020.
The start of it all:
The idea of this talk came about when I was doing CTI (cyber threat intelligence) on critical infrastructure in Japan, in the summer of 2019. What I learnt from that summer led me to do even more research into Japan cybersecurity situation. It was only when Sophia (@spookphia) and Sarah (@G1nGe98) had spoken highly of BSides London (@BSidesLondon) that I started forming the idea and then the final push was when Morgan (@_mormaid) tweeted out that she was thinking about submitting a talk to BSides London 2020. (These three lovely ladies are the Security Queens who write amazing blogs for anyone interested in Cyber Security!).
But as some of you may know, that arch of my story didn't go to plan as COVID-19 caused BSides London to be cancelled. Although the gods had other plans for me though, to be exact the rock gods of infosec, The Beer Farmers had a plan which was BeerCon2. So when it was announced, I was jumped at the chance to show the talk that I and my mentor Stuart Coulson (@SPCoulson) had been working on for months.
The bit everyone has been waiting for! But before we sink our teeth into the juicy content, let's just prepare our mindsets for it with the talk extract!
"Ben Ellis takes you on an international tour to Tokyo, the land of electronics where culture and technology collide. However, what do you do when culture overtakes the technological revolution? You expose a weakness. In that weakness, cybercriminals come out to play. Follow a Sarariman on their daily routine whilst Ben takes apart their world, component by component, using real-world incidents to highlight the weaknesses caused by the over-reliance on old traditions and the Bushido code. Tokyo, and Japan, is slowly waking up to the new dawn of cybercrime and the need to secure Nihon."
Here is a list of some of the songs that I listened to while writing the talk:
· Tokyo Drift - Teriyaki Boyz [ MUSIC VIDEO ] HD: https://www.youtube.com/watch?v=iuJDhFRDx9M
· Grits - My Life Be Like/Ohh Ahh (Remix ft. 2Pac & Xzibit - Tokyo Drift video version): https://youtu.be/3shMD13Y2uU
· LEFT BOY – Dangerous: https://www.youtube.com/watch?v=_h9V94b4R2g
· Moe Shop - Owarini Liveshow Tokyo (1 hour long): https://www.youtube.com/watch?v=_1rF38MjpHE
· Moe Shop - Pool Osaka Liveshow (1 hour long): https://www.youtube.com/watch?v=4YLsk9CmTkM
Let the show begin!
The goal of first three slides was given people a small window into Japan and Tokyo from my experiences which allowed me to set the scene to break down the day of Han and how it could be ruined by hackers.
ATMs! I go on about ATMs all the time in my blog posts but I have a good reason for it. As I said in the talk, Japan is still predominantly a cash-based society so ATMs are needed everywhere. This is a great opportunity for anyone who wants to make a lot of money illegally, just like how Lazarus targets Japanese and South Korean crypto exchanges to gain funds illegally. So it isn't surprising that the Yakuza have targeted ATMs in the past.
One other thing that I also go on and on about is Pasmos! There are other smart cards in Japan like a Suica card but I chose to do Pasmo as it is the one I use. Now Pasmos might not seem that special as most countries have their own smart cards like London has oyster cards. So why do I talk about it? Well nowadays I don't know anyone who has an oyster card but I know lots of people who have a Pasmo. So what makes them so special compared to other smart cards? Well, the fact that you can use it to pay for public transport, parking, buying things from vending machines, and stores. All functionality means there are multiple attack vectors for one single piece of plastic, that's why I talk about it. Apart from skimming attacks, I want to find out if I could use it in other attacks, for example, I would love to see if I could make an unlimited Pasmo that would steal funds instead of paying. As Pasmo is based on Sony’s FeliCa system, it is certified for ISO/IEC 15408-1 as it is also used in other things like phones.
The eightieth slide came about from the story of three past colleagues of mine who were three hours late to work due to a fire on the metro. After travelling through Tokyo for a couple of years, I could quite easily imagine the chaos that would occur if the metro was shut down. Luckily that day, I didn't need to go on the metro but there have a couple of cases where the metro has been forced to shut down like Tokyo subway sarin attack in 1995.
So why did I talk about a convenience store in the middle of a cybersecurity talk? As I said 7-Elevens are very important places for everyone in Japan. To show this, you just have to look at how many are in Japan! There are 20,904 7-elevens in Japan in 2019, which is about 31% of the total 7 – elevens in the world. 31% might not seem that much but when every single one of those stores offers services that allow you to pay your bills, buy tickets for events like baseball games and concerts, and to order home food delivery on top of you being able to buy food and other necessaries, you start to understand why they are so important. The thing is, this part of the talk didn't originate from the 7-eleven's mobile payment service hack, it actually came about because someone at the British embassy asked me how I would make money in Tokyo in terms of malicious cyber activity. One of the answers that came from the discussion was targeting 7-elevens, via hacking the 7-eleven app and taking down the 7-eleven delivery schedule which is 5 deliveries per day. Funny enough, this discussion occurred around the time that the 7-eleven's mobile payment service hack occurred.
The last three slides of Han's bad day came about from my research. Hacking traffic lights is a classic hacker cliche from video games and films but it is possible which is the scary part. When I reached this part of the talk in earlier versions of the talk (the final version was version 12.2), I had many options that I could have followed, hacking taxis, hacking restaurants, etc. But hacking the ticket gates came about when I was talking to someone about how busy Tokyo can get during rush hour and tricks on how to get around the chaos of rush hour. But why did I decide on 10 seconds, why not 20 seconds or a minute? Well, the idea of the attack is to have a knock-on effect that would occur without people noticing it too soon. If people took a minute to get through the gates, the metro staff would eventually manually let people through and the attack would not have the planned knock-on effect. As the story needs to have an ending, I wanted to finish it with a bang! So I went with something that most people have never experienced, EARTHQUAKES! But you can't hack the earth geographically to cause an earthquake so the next best thing is to use the fear from one of the greatest natural disasters as a weapon. And I am not the only one who has had this idea before as hackers did actually hack Dallas's 156 emergency sirens in 2017 and the sirens were turned on and off for over an hour. Now to the final point, flooding Tokyo! As I said, it doesn't seem realistic but with the old catching up with the new, things are being put at risk like dams. During my research, one piece of research that made me want to mention this was the case of a teenager who had hacked his local dam in America and flood his local town. Now that isn't major, but at the time when I discovered that, I went up to the mountains to go stand up paddling on a lake with a dam at one end of it. Standing on a SUP board in the shadow of that dam made me realise that at any point, the water behind it could come flooding out and swallow me up in seconds. An interesting point about me wanting to talk about hacking dams was I was told multiple times that I shouldn't talk about it because "who would hack a dam?". But that's my point, if I thought about hacking as many dams as possible, and release as much water as possible which would lead to mass flooding, death, destruction, etc. What stops a malicious threat actor from having the same thoughts?
One concern that came from the dry runs was how people would receive the phrase "hacker scene" as most of that slide I talk about the bad guys, the cybercriminals but as there are people out there who don't like people using the word hacker when talking about cybercriminals, therefore it came up as a concern. But in this case, the phrase is used to cover all three hats: black, grey and white.
The whole point of the talk is about showing people the state of the Japanese cybersecurity scene. Now doomed might seem over the top but from the viewpoint of someone who is coming from the UK scene and being surrounded by cybersecurity professionals from the west, Japan is still quite behind in terms of its domestic and national level of cybersecurity when compared to America and UK. But don't worry, changes are happening! The Japanese government are really pushing a better national level of cybersecurity for 2021 and the Olympics but in my opinion, it is too late, although it should happen late than for it to never happen. And there are the professionals on the front lines, who are doing great work. I am very fortune to be on the back lines of this situation as I am still inexperienced compared to my colleagues and other contacts in Japan, but it does mean I see and hear a lot about what is happening and I can tell you now, it is going to be a very interesting journey which hopefully everyone else will be able to join me on.
My experience of BeerCon2:
The things you might have heard about BeerCon2 are not wrong! It was a blast, it is something that I hope other conferences around the world look at, and think "wow, that con worked and it worked well!" But why did it work so well? Well, to explain it, I will quote one of the roadies and the final speaker of the whole conference, Lennaert (@lennaert89): "A big part of the aforementioned success was not simply giving the rookies a platform to speak, but also offering them guidance and coaching in delivering their first talk." With the assistance of the five amazing mentors, the conference allowed for the rookies to have some help, not just from mentors but from other rookies. With the use of a mentoring channel within a slack server, the rookies were able to ask questions and practice with mentors and other rookies, while the organizers had no involvement in the development of the amazing talks that would be produced by every single speaker. It meant an environment perfect for rookie speakers was produced, where there would be no judgement on sharing any doubts or concerns that anyone might have had.
So what was my experience of actually doing my talk? Well, I don't really remember. Now that isn't a bad thing, it's a sign that I fully focused on just the talk. Not my nerves, not the fact that there could be a LOT of people watching, just a topic that I am very interested in and want to share with the rest of the world.
And somehow I got results! If anyone wants to talk down a rookie who is thinking about doing a talk, remember this: Because of one rookie talk, the world's biggest toilet manufacturer got contacted by a BT director to talk about hacking toilets! If one rookie can have an impact like that, then anyone has the ability to do something like that. So if you are a rookie, reading this and thinking "I wish I could do a talk", my advice is this: go for it, pick a topic you are invested in and talk about it. And if you are still worried about doing a talk, then find a mentor. There are so many awesome people in our community who would be more than happy to help. And maybe one day, I can be a mentor for a young rookie who is ready to dive into one of the most interesting sectors in the world, like how I was when I started writing this talk.
Now I should end this before I write a whole book. But before I end, I want to say thank you to people who helped me on this journey.
The Beer Farmers:
Also a big thank you to Stuart Coulson (@SPCoulson) who helped me every step of the way!
Oh yeah, one last note: this isn't the end of the story. There is a lot left to tell. As I said, "as a young man who with so much to say with so little time and NDA on his head", the journey is yet to finish! So it is time to say a big thank you to everyone reading this week's blog. So, until next week, arigatou gozaimasu and sayōnara!