Guest: So I own a company that is a consultancy and a contract services company, and we try to help clients in a range of different sectors, making their devices more secure. We do that by looking at a couple of different things on the device side, the system side, and doing the hardware and software engineering.
Host: Is there quite a bit of competition in this field today?
Guest: Yes. We've kind of carved out a niche for ourselves. I specifically work with a lot of cryptographic devices.
Host: Which is what?
Guest: Devices that need to use cryptography to embed a secret. And everyone uses it today. If you buy on Amazon.com, you use cryptography.
Host: Do you work with the federal government at all?
Guest: Currently I work in the commercial sector.
Host: Why did you get into this field?
Guest: I started at the Naval Academy. I was one of a group of midshipmen in the Trident Scholar program, which lets you do research. I wanted to research cryptographic protocols and was interested in how to protect communications using cryptography. I was a crypto officer, got more into it, and then kind of kept getting deeper down into that.
Host: We have talked to several people here at Black Hat with military backgrounds.
Guest: Uh-huh.
Host: Why is that?
Guest: I think the military has a unique mission in that it knows the importance of protecting information and communications security, and COMSEC is imbued in you, on a submarine especially, because of some of the places a submarine will go, communication security is very important. I think that kind of environment leads to understanding those threats and how to protect against those threats, and I've seen a lot of people take that forward outside of the military.
Host: How does cryptography work?
Guest: It's based on mathematical principles.
Guest: Different aspects of cryptography work differently, but if there's one area, it's asymmetric cryptography, also known as the public/private key system. It works basically by having hard mathematical problems, and the interesting property of these problems is that in one direction they're easy to compute, but if someone got the answer, it's hard to reverse it. So, simplified, if you try to take two prime numbers and multiply them together, that's easy. But if you were given a number and had to figure out the prime factors just from that number, that's a harder problem.
Host: Do you create the cryptographic questions?
Guest: The devices will... it depends on the device, but the device, if it has the capability, could self-generate the keys, or a manufacturer may, depending on what they want to do, decide to put the keys in all the devices. The first is typically more secure, because not even the manufacturer would have access to those keys. Kind of like what we have heard about with Apple and the FBI in the last year or two.
Host: You mentioned Amazon. Do people use cryptographic devices every day, like if you look into your bank, do online banking, is that cryptographically secured?
Guest: Yes. On anyone's phone it's running a web browser with security which encrypts your communication over the wire, and if you talk to Google or go to Facebook, it's using cryptography, so it's built in transparently. Most people don't know they're using it, but they use it and rely on it to protect their communications.
Host: How is it... what is another form of communication protection that is used?
Guest: Well, you could use it if you have a messaging app. There's a couple of different messaging apps, but you could be texting somebody and those could be encrypted, and the best ones are encrypted end to end, which means not even a third party, like the service provider of the application, could intercept your communication.
Guest: So only you and the person you sent the message to can decrypt it.
Host: Is it more expensive to encrypt something?
Guest: Well, it's expensive... with most modern phones there's not an expense in processing time. It's an expense on the developing side to make the protocols and the engineering. That's where you pay the expense, to design the system. Once you have those in place, on something like a modern phone, they're not expensive in time or power to use.
Host: As we move into the internet of things world, is that going to be more and more crypto keys?
Guest: Yes. This is going to be more important. I say that because the internet of things is unique even from other embedded devices like phones, because they're typically used autonomously, so there's no human interaction, like your thermostat or a central controller, and we have seen some attacks where they're able to exploit, like, web cams. Absolutely different, but the idea is those devices need to have a secure way to get firmware updates, and if they're sending out data, maybe temperature data, sensor data, attached to sensitive machines, you wouldn't want that data to be intercepted by a third party for competitive reasons, or by a hacker.
Host: So there's a lot of different doorways into a system, correct?
Guest: Absolutely. Crypto is not the first choice of attackers, and I say that because there's usually easier ways to get in. Perhaps they have the same password or the password is on the web site or something like that. So those are typically the first means of attack. However, the flip side is, if you don't implement the crypto properly you could have a false sense of security. There are attacks that could make that not the case.
Host: What do you do to protect your own devices?
Guest: So, my best tip is I generally try not to have them. Sometimes I go into client meetings with a pen and paper, but I'm a little old school.
Guest: That's not feasible all the time, and so on my phone I, number one, make sure I have all the firmware updates. The kind of thing is patch, patch, patch. You want to have things like a VPN service on your phone, which protects you when using the hotel wifi. A virtual private network basically encrypts the immediate network. The number one thing is get a device and make sure the firmware updates are applied as soon as they happen.
Host: Do all modern phones come with a VPN?
Guest: Typically... I think with Apple there's a way. On Android devices, it's like a third-party app. Some of these are paid services; you can go and install the application.
Host: What kind of attacking are you seeing?
Guest: On the devices there's a range of attacks. The easiest ones... the kind of gold standard of attack is to gain remote access into a device. So in a typical internet of things deployment you have one gateway device that is a more advanced processor, talking to a bunch of sensors, and the sensors are small and low powered. So the gold standard attack is to attack the gateway through a web protocol, either something wasn't set up, and then use that gateway device to jump to attack different sensors. Those are the biggest attacks that would have the best bang for the buck for the attacker. Some things focus on the hardware, physical attacks. If I can get my hands on the gateway device and attach probes or debuggers, I have a lot closer access to the hardware to do more sophisticated things, and then the more dangerous thing about that is, it's a physical attack, but the information I see from that attack I can turn into a software attack. And so you take one attacker, he looks at the hardware, then publishes it online for a software attack, and then you have a hybrid attack, which is quite powerful.
Host: Are these debuggers available to the layman?
Guest: The more expensive ones are geared to professional engineers, so these would cost maybe 100, 200. Some of the devices have been commoditized to be in the 20 range. They're not as fast or reliable as the professional tools, but they're readily available.
Host: Do attackers leave fingerprints?
Guest: The good ones, I think, try not to. It helps to avoid attribution, but sometimes you can't help it. So sometimes you're using a tool or something and maybe that will leave something. I don't do so much on the forensic side, so I don't know that area as well, but from what I understand you generally try not to do that, to make it harder to come back to you.
Host: Do you presume you're under attack, cyberwise?
Guest: Yeah. It's less, I think, paranoia and more a heightened sense of awareness. My wife thinks I'm paranoid, but I think that's the military training happening: heightened sense of awareness, heightened sense of surroundings, and more about getting the attacks into a threat model. If you're doing something online, knowing there are these categories of attacks and they could have impacts, and bucketing that information. Otherwise, if you were paranoid all the time, you wouldn't be able to live your life or go and buy coffee without worrying if somebody put something in your coffee. You have to be online.
Host: What is your role at Black Hat and at DEF CON?
Guest: I'm helping with the training on applied physical embedded attacks led by Joe FitzPatrick. We're teaching 30 people in each class how to take a piece of hardware, connect with the debugger, with tools, learn about what the hardware is doing, and then maybe use that hardware knowledge to construct an attack. At DEF CON I'm giving a talk on bitcoin, a digital currency, and a hardware wallet, which is like a smart card for using bitcoin. It's basically an embedded device custom made to help protect what they call your wallet, your private key.
Guest: It's how you would send money, or it's what you need to send money.
Host: Cryptocurrency is coming?
Guest: Yeah. So, it's here. I don't know if it's... it's here and it's being used. So, the reason I started looking at that talk is that as more people start to use it and as the value of bitcoin gets higher, I was curious about the hardware-level protections on these devices, which are recommended as a more protected way to use cryptocurrency.
Host: Josh Datko, thank you for being on The Communicators.
Guest: Thank you.
Host: Now on The Communicators, more of our interviews from the Black Hat convention. Joining us, Daniel Cuthbert, COO of a company called SensePost. What does that company do?
Guest: A lot. We have been around 17 years, and we're in essence penetration testers. So, hackers for hire. We get asked by clients, who are numerous, to effectively become adversarial, targeting. So what happens if an attacker targets you, what's the worst that could happen, and how do you react? All the millions you spent on hardware and software and security and training, does it work? How do you fit in on the internet?
Host: Call them pen testers.
Guest: Yes, people who test pens. Yes.
Host: Penetration.
Guest: Yes, penetration.
Host: How did you get started?
Guest: I've been at it a long time. The lure of hacking? Mine was curiosity. We moved to South Africa during apartheid, and the internet started, and coming from London to a country where strict restrictions were happening and censorship, and I had the first stage of the internet with dial-up and bulletin boards, and I was curious and started to fiddle and moved from there.
Host: You reverse engineered?
Guest: No. It was basic back then. I liken it to the stories my dad told about walking to school barefoot in the snow, backwards. I think now is the most exciting time to start hacking. The wealth of information is unbelievable. It takes very little to hack today. You have YouTube, tutorials. Twenty years ago, there just wasn't much.
Guest: It was a true wild, wild west and nothing out there. Now this is a really exciting time.
Host: Should that information be on the internet?
Guest: It's a good question. I liken it to a knife. You can use a knife to cut an orange, or you can also do really bad things. In London we have a bad problem with knife crime. That doesn't make the knife really bad. It's just how you use it. There's a definite need for penetration testing, these skills. Just take it one step further.
Host: Do you have a specialty with your company?
Guest: We are very good at red teaming, the top end of testing. We try to gain access to you, your data, your employees, no matter how. It's a fully encompassing service, not just, say, an application test or a network-level test. It's about as close to the bone as you can get.
Host: When you go into a red team test, are you trying to, let's say, break into IBM?
Guest: Could be, however the client wants. Could be the client saying, we think we're secure. We have developed this new application, or we have this really great new phone coming out soon. We want to make sure that, a, everybody is involved, b, we can detect it, c, our people are doing the right thing, and then, finally, like, how do we stand up? Does the board say, all right, we're probably going to get breached tomorrow and need to make sure we're not on the 6:00 news and we look good, or we have done everything we can and we think we're in a good place?
Host: Are attacks happening every day?
Guest: Yes. Sadly, I think it's easier. The bad side of all this information being made available and freely available is that the attacks have just gone through the roof. It's now commonplace for us to hear about breaches. A couple of years ago you'd maybe hear of a company every now and then getting breached. Now it's commonplace. People are popped left, front and center, and that's not a good thing.
Host: Where are you based?
Guest: London.
Host: Can you do your work from anywhere in the world?
Guest: Sure you can. It's an amazing career.
Guest: I've had the luxury of living in 17 countries. So, yes, you can. If you are dedicated and you do this job really well, you have the benefit of being able to live anywhere as long as you have internet access.
Host: If you have a laptop and internet access, could you breach all the phones in the room?
Guest: It's easy to say we can target the room. I think Hollywood has glamorized a lot of hacking. But it's still quite easy to target a phone and gain access, such as an Android device, an older Android device. If it's Apple's latest device, that's pretty secure. It's annoying, annoying to good hackers and annoying to law enforcement who are trying to get access. It takes time.
Host: Could you break into this room?
Guest: Physically?
Host: No. Electronically.
Guest: With the door locked? Yes.
Host: Easily?
Guest: Yes.
Host: And I'm going back to the question I asked before. Should that information be out there and available?
Guest: Good question. So, you can take two parts of this. On the one hand, the manufacturers should make this stuff more secure. A bit like autonomous cars. We expect stuff to be built properly. When I buy a kettle or microwave, I don't expect it to zap and kill everybody in the house. I think with the likes of the internet of things we're seeing a terrible track record of security. They have to be tested. So the information that somebody uses to maybe test that kind of stuff could be a benefit when they find a vulnerability, and our industry is built upon that, and they work with that vendor and say, I found this vulnerability. I was able to gain access to the room. Here's how you fix it. Let's work together to make it more secure.
Host: From your point of view, is it important to know the motives of the black hat hacker?
Guest: Yeah. I'm nervous about colors. I think I've been doing this long enough where I think the white hat, the gray hat, the black hat, the meanings have been diluted.
Guest: You have those who are criminally minded and have criminal intentions, and you have then got those who genuinely want to help, and if you look at those who are vulnerable, you say, hey, I use your product, I'm a customer, but I also found it to be quite secure. Here's how you can make it better. Motives are really important.
Host: Do hackers leave a trail?
Guest: Bad ones do. Bad ones do.
Host: The good ones?
Guest: If you're a really good attacker and you know what you're doing, it becomes hard. Attribution is not an easy thing to do right.
Host: So, what do you do there?
Guest: I am a security analyst and also the head of training.
Host: What does that entail?
Guest: I get to stay active and also manage our training.
Host: What exactly is hacking?
Guest: Hacking. So, traditionally hacking is more around building and making stuff, and more recently I think society has seen it as people breaking into systems, attacking systems in an offensive manner, but traditionally it's approaching problems and solving problems in various different ways.
Host: But if you wanted to go in and hack something, how would you do it? Where would you start?
Guest: You want to give me an example?
Host: Break into the Las Vegas international airport, which is right behind us. Break into their security system.
Guest: Into their security systems. So, firstly, a theoretical scenario, because I'd love to live in the States some day. What I would first do is probably research staff members that work at the airport, because humans are normally the weakest link. It's often easier to convince someone to click on something which will open a document than actually targeting systems.
Host: Social engineering?
Guest: Yeah.
Guest: Social engineering, and not necessarily trying to lie my way in, but go on to LinkedIn and find out who works there, compile a list of who works there, then I will research those people, so I go to their Facebook, their Twitter, whatever social media networks they have, and start enumerating those and then find out what their interests are, and then, if I can get information on the technology they use, so that might be them posting a picture of their new phone or their laptop or something like that, or figure out what sites they frequent. Perhaps I can go after one of those sites and learn about the technologies they're using, and the more information I have, the more likelihood I would have of succeeding in an attack. So, if I wanted to send a malicious document to them, if I researched them on Facebook I know their interests, I can write up something that would be interesting to open and try to convince them to open the document. Once they've opened the document, I have control of their computer.
Host: Their computer?
Guest: Yes. From their computer, let's say it's their laptop. Maybe the laptop is at home. I access it, and when they go to work it might have access to the internet at the airport.
Host: How would you break into this room?
Guest: Into this room?
Host: Through the electronic lock.
Guest: So, the easiest way is probably to rent a room here first so I can get access to a key card, then investigate the technology that is being used on the key card. I'd probably spend a couple of days doing that. And then either see if I can write my own key card with a different room number, depending on the technology. Otherwise I'll follow you around and, if I can have a card cloner, see if I can clone a card and come in.
Host: How would you clone it?
Guest: You can either build or purchase card cloners, but that's depending on the technology being used for the key cards.
Host: Is there anywhere safe anymore in the digital world?
Guest: Not really.
Guest: So, that old African saying that if a lion is chasing you, you don't need to outrun the lion. You just need to outrun your friend. The same applies to security. If there are enough defensive measures in place, the attacker goes for a weaker target.
Host: Where are you based?
Guest: Out of South Africa.
Host: Again, can you, like your COO, do your work anywhere?
Guest: Yes.
Host: In the world?
Guest: Anywhere in the world.
Host: As long as you have a laptop?
Guest: Laptop, internet connection.
Host: Standard laptop? Nothing special?
Guest: Nothing special. Off-the-shelf computers. We generally run a lot of different operating systems on our machines. I think most hackers are either on a Mac or a PC that runs a distro as the host, and we're quite paranoid about security, so we like to segment our systems. We have what you call virtual machines on a host OS, and that is a separate system, and we try to segregate what we do with those. For example, if I'm writing reports for clients, I'm probably doing that in a Windows virtual machine because I need Office. But I won't use it for anything else. I only use that for reporting. There will be nothing else installed on it. I won't browse the web on that machine. Completely isolated.
Host: Has SensePost been hacked?
Guest: It has not, well, to the best of my knowledge. No. We're pretty paranoid people. We constantly investigate our own machines. We monitor our networks. It's a high-risk server. We take a lot of care.
Host: Would you know if you have been hacked?
Guest: I think we're pretty good at what we do. We'd know, figure it out. It's hard to conclusively say that, yes, we would notice. You look at the breaches over the last couple of years, with nation state capability being put out there on the internet for the public to see, it's really scary. Like, if you have enough budget, your capability is exponentially above what is publicly known.
Host: Your web site says you specialize in tracking down internet jihadists. What are they?
Guest: Enumerating real jihadists and terror groups, their social media presence. Finding those terrorist cells, because they have recently been using social media to get their message across. They've joined the high-tech world. But at the same time they're spewing out information about themselves just like all of us: personal information on the internet, their connections, friends, associates, where they're logging in from and when. Once it's on the internet it's there forever, even if they try to delete it. If you know where to look and how to do some basic link analysis, it's quite easy to track down a lot of bad information.
Host: How often do you change your password?
Guest: Me? Depending on which password. Most of my passwords I change, gosh, every two or three weeks probably. I'd say that I quite often forget many of the passwords. I use a password manager, but quite often it's easier to reset passwords than go into the password manager and get it. I have multi-factor authentication.
Host: What is the best thing a layman can do who wants to feel protected?
Guest: Regarding email security, I'd say be a little bit paranoid. If someone is sending you documents, Excel spreadsheets, be careful what you open. Make sure you trust where it's coming from. Look at the grammar and wording, make sure it is from the source you're expecting. If anything pops up after you open a document asking for additional permission, that should be a red flag. Send that to someone who might be able to investigate it. Basic security on the internet: don't click on all those links that pop up on the web sites. They can send you to dangerous places. Regarding passwords, using a password manager is a very good idea to save your passwords securely, and probably the most important thing for passwords is to have unique passwords per site. Something long. We've been trained for years and years to choose passwords that are easy to crack for machines and hard to remember for people.
Guest: So, a good example of a password would be a phrase. I like to go swimming in the sea. And not get attacked by a shark. Something like that. It's incredibly long, easy to remember, very hard to crack for hackers, but incredibly secure. But once again, having that different on each site, because we have seen a lot of sites getting breached over the years and that information on the internet and then bad people making use of that.
Host: What is your role here at Black Hat?
Guest: So, I'm currently training here, giving our black hat master course, which is modeled around the Russian underground, the capability they have, and ensuring security people who are interested in it know what that capability is so they can better defend against it.
Host: Is the Russian underground specialized in this area?
Guest: I would say it would be, yes. They're probably leading the criminal syndicate game at the moment.
Host: Sam Hunter, of SensePost, thank you for your time.
Guest: Thank you.
Host: And now joining us on The Communicators is Dr. Melissa Kilby of Invincea Labs. What is your role here at Black Hat?
Guest: I'm here on two missions. The first mission is to engage with the cyber security community and build my knowledge base, and my second goal is to teach data science to cyber security professionals. Charles, Austin Taylor and I cofounded GTK Cyber to bridge the gap between cyber security and data science and bring more artificial intelligence, machine learning and more advanced data wrangling skills into the cyber security community.
Host: So what is the gap between cyber and data science?
Guest: In cyber security there's a lot of different tools people use and know how to use, but it takes a lot of time. Then people from data science, they use other tools that are pretty fast at manipulating data and getting the data into the correct format, and also performing advanced analytics on it, and there's a large gap currently.
Guest: People in cyber security, they're domain experts and know cyber inside and out, but don't know how to do more advanced predictions, advanced analytics with their data. On the other hand, data scientists come in and don't know anything about cyber security. So it's bridging the gap, explaining the gap in terminology and technology.
Host: Who are the types of people attending your conference?
Guest: All different sorts of people. Cyber security experts, systems people, reverse engineers, software engineers, and also people that are just interested in learning more about data science.
Host: Now, what is your background?
Guest: My background is in biomechanics. I started in cyber security a year and a half ago, and it's super exciting to be in cyber security.
Host: When you say biomechanics?
Guest: Biomechanics is about the human body, motor control, how humans evolve and learn and how we control our motions.
Host: Is there a connection between that and cyber work?
Guest: Yes. You also have very high dimensional data, very complicated data, and it's the same question. We want to understand something that is deep within data and we don't know how to go about this. This is a very recurrent theme I encounter in cyber security. People ask me, I have all of this data, but what do I do about it? How do I find the next malicious activity on my network, on my computer? It's always the same question people ask.
Host: Is there a social engineering aspect to your work?
Guest: Yes. Social engineering is one field of cyber security where data science and machine learning is not too developed, versus other areas like network security or endpoint security where machine learning is much more advanced. My personal opinion is that people should zoom out a little bit and approach cyber security as a whole and not just different silos and fixes, kind of like, yeah, get the bigger picture.
Host: You talk about machine learning. Where are we? Advancements there?
Guest: I'm asked what machine learning is. Instead of defining what it is, it's much easier to say what it does. It produces smart machines. So, now your computer can make decisions on its own.
Host: Wow. Isn't that crazy?
Guest: And there's another term that's called artificial intelligence. This is taking it even one step further. We as humans don't even have to intervene anymore with the computer. Just give it, people call it raw data, think of any type of data source, just pass it over to the machine and the machine on its own learns how to make useful predictions. And I also think that artificial intelligence will not replace humans or cyber security analysts. It will augment their capabilities, because the current state of the art is that a lot of processes in cyber security are very manual, so the cyber security analyst has to sit down, look at the data, and it also heavily depends on the skill level of the analyst, whereas with machine learning or artificial intelligence you can take the whole process to the next level. We can find malicious activity that no one knows about yet, because cyber security is a very dynamic field. Tomorrow is not necessarily like today, unfortunately.
Host: Are we using machine learning and AI right now in cyber security?
Guest: Yes. So, I'm very pleased to observe that people are using it more and more and more, but, yes, it's very few startups, few groups that know how to apply it to the private security domain. I would like to see that everyone could use machine learning and data science, and this is what our course is about, to bridge that gap so the cyber security analyst knows how to quickly manipulate the data, get it into the right format, and then make the machine smart so they don't have to do the job. Again, it's not about replacing the analyst. It's about augmenting their capabilities.
Host: All right. Your Ph.D. is from the University of Georgia?
Guest: Yes.
Host: What is your specialty?
Guest: I was working on control and the direction of... it was really a completely different field. I was researching, comparing old people to young people and seeing how posture and motor control change over time, and I was also performing real-time streaming experiments. So, just think that you have a space in front of you and try to balance your body out and see how you perform, and that feedback helps you perform better. We took it a step further to virtual reality, so you have the goggles on and suddenly a whole new world opens up. Understanding how we as humans learn to control our bodies and how our bodies function, and how to take that knowledge to cyber security, is, again, the same problem. They're researching something that we don't necessarily understand very well. We don't even know what we're looking for. So this is the mindset that I would like to see a lot of people tackle even more. Right now it's more, okay, we want to look for something bad happening on our network, on our computer, that we knew well before, but we should be looking for something that we don't expect to find. In cyber security there's a term called zero days, and zero days are things that we don't know today: exploits, vulnerabilities that can cause the next worldwide cyber attack.
Host: Dr. Kilby, was there a light bulb moment that made you switch into cyber security?
Guest: I wish there was. It just really happened by accident. I slipped into cyber security and I'm so happy about it. It's such an exciting field. It's challenging and it's very fast-paced. Technology changes very fast over time, and I couldn't be more fortunate to be a cyber security data scientist.
Host: What does Invincea Labs do?
Guest: We provide services for the U.S. government, and I'm also very excited to announce that our company will change its name to Two Six Labs this week.
Host: Two Six?
Guest: Two Six Labs.
Host: Where did that name come from?
Guest: I just joined the company a week and a half ago, but I know a little secret, that on the 26th of January the company became independent from Invincea, so this is how the name evolved.
Host: You mentioned at the beginning of our talk here that you were here also to learn and to interact with other cyber security experts. What are you hoping to learn? Do you have a goal here at Black Hat?
Guest: Yes. I hope to over time become a hacker myself, to learn more about how cyber security analysts go about their manual approach, so that I update my knowledge base and I can transfer it to the machine learning, artificial intelligence domain and advance that field to, again, see that machines are smart, they learn by themselves, they help us humans to make better predictions.
Host: You're originally from Frankfurt, Germany.
Guest: Yes.
Host: Are similar efforts going on in Germany that you see here in the United States, do you know?
Guest: I probably don't know, but I can just assume, yes. Data science worldwide is becoming bigger and bigger and also becoming a big thing in cyber security.
Host: Dr. Melissa Kilby, thank you for being on The Communicators.
Guest: Thank you for having me.
Host: The C-SPAN bus is traveling across the country on our 50 capitals tour. We recently stopped in Charleston, West Virginia, asking folks what is the most important issue in their state.
My name is Isaiah, and I'm a pre-law major here at the University of Charleston. I think the most important issue for West Virginia is twofold. I think it's an issue of poverty, which also ties into our drug epidemic. Lack of jobs, lack of community, just make this drug epidemic worse, and it is just a cycle that builds upon itself.
My name is Karissa, and I'm a senior political science major at the University of Charleston, and one of the biggest issues in West Virginia is the governor pushing a road bond for a special election that's going to supposedly pump millions into infrastructure, which sounds really nice, but when you look at the big picture it's going to hurt my generation and millennials. They say it's not going to raise taxes, but if you look down the road, it's just going to screw West Virginia long-term, and that's not something we need right now.
I'm Tim Armstrong, Speaker of the House of Delegates. In West Virginia we've had some very difficult economic times over the past five or six years, particularly in our coal industry, and one of our top priorities is to improve our economy and be able to put people back to work. We've taken a great deal of different steps to do that, and that's what our priority is.
I'm Lauren, I'm a senior here at the University of Charleston. I am double majoring in English and political science. I actually did my senior project on what we'd consider to be West Virginia's well-known issue, our opioid dependency issue: determining a perspective, whether it be a larger perspective or a more individual one, and determining an approach that would be more effective individually for patients.
I'm Danny Jones, the mayor of the capital city of West Virginia, Charleston. The most important issue for us is keeping young people