Host: And now joining us on The Communicators is Saumil Shah. Mr. Shah, what does Netsquare do?

Guest: Netsquare tries to help its customers secure themselves. We are a very small company in India. We do what's called penetration testing, testing your defenses by attacking them. That's what we've been doing for now 16 years.

Host: So it's kind of a pro-defense or an active defense?

Guest: Yeah. It's an active offense and see how well your defense stands up to the latest and greatest of techniques.

Host: So are you a hacker?

Guest: Yes, I am. Yes, I am, if I were to say that myself.

Host: How did you get into that?

Guest: It's a long story. I think I was always interested in taking things apart. If people ask me what I've built, I'll say I've only broken things in the past 20 years. I've rarely built anything. I have been playing around with microcomputers since the '80s along with my dad to see how it worked. There's little or no help available. You've just got to try it until things fall apart to see how things are built, how they're put together. So I didn't know this was going to be a viable career option until I graduated out of Purdue, and companies were looking, "Hey, can you hack Unix systems?" I want that job, it'll keep me out of trouble. So that's how I got to attacks and penetrations.

Host: So you would be hired by a company, and they would say come hack our system.

Guest: That's right. That's precisely how it's done. They'd set a target saying here are the assets of value, and see what a real-life thief can do or real-life, focused attacker can do. How fast can they get through, what kind of monetary loss will be suffered and what's the impact to our organization or our customers. And then we give them a reality check, as I would call it. Testing, rattle the cages, probe the systems, get in and actively steal stuff.

Host: How easy was it?

Guest: So let me say my track record is very close to 100%. Easiness is totally dependent upon the time you have.
How well you scout out the perimeters, how well you know the organization. How well you know the technology. And most importantly, how well you know the mindset of the people who are behind this technology. What are the daily challenges, what will they fall for. Hackers don't hack computers, hackers hack humans. Computers are just a way of getting to the humans. Once you get into the human mindset, making a human do stuff at your will turns out to be rather easy.

Host: What's a common way of hacking?

Guest: There's several ways. The simple ways would be just what we call social engineering. We trick people into doing what you want them to do. There's some sort of an enticement. You've heard of phishing attacks, people downloading free software from the internet just because it's free. You just get them to install what you want, that's the easiest way. And that is still a very successful technique, even though it's been 20 years that the world has seen these techniques. People still fall for it. Because on the internet it's very easy to trust a bunch of fixtures instead of characters. Who knows it's really you? You're just whoever you want to be. And it's easy to entice people into doing things you want them to do. That's the easiest vector. The harder ones are to kind of take a product that is well used or a technology that is well used, find a bug in it. We call that a zero [inaudible], and once you have it, it's like you have power over that entire deployment of this technology. Say, for example, a browser or a camera or a smart fridge or an enterprise-class storage device. If it's widespread and it's common, then your infections can get everywhere. We've seen those campaigns, two recent campaigns like WannaCry and happened two months apart not too long ago.

Host: Did they begin with somebody simply opening an email?

Guest: No. This was a very... so there were no email-driven attacks in WannaCry. These were, essentially, Windows computers that were left unpatched.
A bug was discovered, it's known for a long time. A few proactive organizations patched themselves, and they were able to escape the problem. A few organizations were falling behind, and they didn't attribute the importance of this bug simply because there were no fires breaking out. And the first fire that broke out was a bad one, and it spread like an uncontrolled forest fire over the internet. It's a little bit like populations and the genetic makeup. If you think of human diseases, you have a common genetic trait. And if you have these common genetic traits, you are prone to an illness, and an illness can become an epidemic or plague rather quickly, and that's how it's spread. The only way you can avoid it is by vaccinating yourself so you don't get hit by this weakness again. But the true defense to such a plague is a heterogeneous population so the infections kind of stay curtailed to a group and don't spread across an entire community. That's kind of what we've seen with the digital landscape. There's too much skew of a very similar type of technology used globally across enterprises.

Host: So to put this in technological terms, if a company has one computer system all connected with each other, that can be more dangerous than having different systems?

Guest: So let me rephrase what I said. And this is kind of like a paradoxical area. If the organization has the same type of computers or same type of operating system on all their desktops and all of them are not patched, even a few of them are not patched, these become an entry point. Now, what WannaCry did was they would find a beachhead on one of these systems and try to spread through the internal network. Once they're inside the network, it's very easy to spread laterally. They can move across connections to other computers. They simply piggyback on the of maximum use, and then they go from one computer to the other. The paradox is to manage a large organization you need homogeneity.
You need standard deployment. One bug hits all, in a way.

Host: Was something like WannaCry, was that a financial incentive to burrow into the system?

Guest: There's always a motive. Attacks are rarely done without motive. Attacks aren't done for the fun anymore. I believe the smoke screen was just ransomware. So you can lock up computers en masse and just demand extortion money saying, here, pay me 300, and I will send you the keys to unlock it. But I believe that was a smoke screen. I believe the real purpose was something else. Maybe there was some targeted attacks, maybe some key organizations or individuals that were being targeted and there was a deeper wave of attacks. I personally haven't analyzed the deep mechanics of the worm or seen the back traffic, what's going on, so I wouldn't be able to comment. But it seems to be too much, too sophisticated of an operation for just ransomware.

Host: What's your recommendation to companies, such as a company that might be infected with something like this?

Guest: So it's kind of time that we move away from the very reactive nature that we're seeing. We're seeing a get-infected-and-patch cycle. There's always a fire breaking out, and there's always people scrambling, organizations scrambling to put out the fires. We have the duty of this ourselves, because we tell all our customers keep on patching, keep on patching. This is advice that used to work ten years ago, it doesn't work anymore. It's not easy to patch a very large organization and keep on patching it month after month. Yes, that's what the recommended thing is, but today we have to really think of proactive defense. We cannot keep reacting to attacks anymore. We have turned the whole concept around. You have to set booby traps, you have to create customized environments. We have to engage in threat hunting. I'll give a simple example. Set up a honeypot, set up a credit card that is never used. Program the credit card number into all your banking systems.
The minute that number is pulled up, you know something funny is going on, because nobody knows of that number other than you. Why should this number be accessed? Why should somebody be making a balance inquiry into this account? Why should it be seen on a point-of-sale system at a gas station? You're actually looking for the threat, you're putting out the bait, the attackers take the bait, and then you figure out their tactics and figure out a strategy. That's how you defend yourself tomorrow. Another thing is we've seen a paradigm shift, the weight of the internet has shifted from the desktops to the mobile environment from an end-user perspective. Common users are using mobile operating systems way more than they're using a desktop for their day-to-day needs. We need to bring that into the enterprise. We need to say that, hey, we want to create a custom deployment of our own operating system specifically for our own organization. Why do we have to keep a general-purpose Windows to do day-to-day business when we can take a customized Android environment, deploy it across species, manage it consistently and be resistant to common attacks? We support it going ahead and we control everything. We create custom use pieces x. This would be the way to go forward. Change your genetic makeup and be resistant to the disease rather than vaccinating yourself and scrambling all the time and playing catch-up and getting infected with a new strain every time it comes out.

Host: Are mobile devices inherently more dangerous or conducive to hacking, perhaps, than a desktop?

Guest: On the contrary. Mobile devices are way more resilient to attacks than a general-purpose desktop. You can't pull in a printer or an iPad to a phone, not that easy. You can't download software and stick it into your phone unless you've jailbroken. But mobiles have been designed with a very different approach.
Ground-up, you can say, there's containers, there's compartmentalization, there's privacy features, there's automatic updates, a lot of stuff is built in that doesn't exist on a general-purpose operating system. The environment is tuned for personal use. And general-purpose operating systems are tuned for multi-user use. Or we all came from Unix, which is a server environment which is able to support any type of computing activity. So it's like the least common denominator. You can do anything you want, and that's what's not working on a desktop model. You need a well-designed personal operating system, and that's what Android and iOS and other mobile operating systems offer. It's time we take this and create an organization-centric computing environment derived of these devices, and that would be the new way of looking at things.

Host: Can somebody be unaware that they've been hacked...

Guest: That's my...

Host: ...for a long time?

Guest: That's something that gives me a knot in my stomach. Am I already hacked? Even though I practice good computing health, so to speak? I don't know if I'm really owned or not if my phone restarts in the middle of the night, if my browser screen flickers. I don't know if it's just a glitch, it's just a bug in the software or is it, like, something that's already there? I can never be too sure. But, you know, just live under that threat.

Host: What else is out there? What's coming?

Guest: What's coming? What's coming is big data. What scares me, what terrifies me is the ability for organizations with deep pockets to manipulate populations en masse. You can manipulate a nation. You can manipulate the thought process of an entire continent simply by playing games with big data analytics. You can make people happy or sad at will if you control the social media network.
Facebook got caught doing an experiment where they were tweaking users' timelines with populating a set of users with just happy news, bubbling that up to the top, populating another set of users with depressing news and see how each population reacted. And the happy news people started being happier, and the reason they got caught, I don't know what didn't get caught. That's what terrifies me. Today we believe we are a free society, we have democratic control in most developed and upcoming nations. But are our thought processes being daily monitored and influenced by us giving up information to social media at will? We're being tracked, we're being analyzed, we're being monitored. What terrifies me is we are also being predicted upon. What will I do next, what will I do after the interview, where will I go? The Googles and the Facebooks have already made their predictions where I'm going to head next. All they have to do is verify whether I really went back to my apartment or whether I went to my favorite restaurant to have a feel meal. The predictions match, they can call what I'm going to do next. And they can do it for a population en masse. Because today computing power is dirt cheap. It's easy to predict what's going to happen to a large population in the next 24 hours. And if most of it can come true, this is activity that you can monitor. And this is activity that you can use to influence. That's what's coming next.

Host: What do you do on your personal cell phone to protect yourself?

Guest: I follow the practice of minimum use. If I don't want to use it, I don't have it. I don't want to download the whole internet. I keep my use for that specific purpose. To my friends and family, I say avoid digital gluttony. Take what you need. Don't use it beyond what you really need to use the device for. Get stuff done, unplug, stay analog, listen to music, paint, go out, have fun.
Let's not stay connected to the screen 24/7. Keep your lives, digital life and personal life separate. There's no need to tell the world that you're going on a vacation. It's not that your friends aren't going to appreciate it, just don't advertise yourself. We lead very different lives digitally and non-digitally. In our house we're worried about privacy, we don't want people snooping through the windows. On the digital world, we live in a glass house and walk around naked. It's a hypocritical situation that individuals don't realize, but they don't see who's looking at you. It's the disconnect that the screen and the technology offers which gives you a false sense of safety and security, but it's really not. It's way more intrusive than a stalker lurking around your neighborhood. So that's what I do, I just minimize my use and unplug. Basically, I just trust that my other friends or colleagues are trusting things. So if they trust something, I value them and I trust. If you tell me install this app, I probably won't unless I get this validated from several others that, okay, this is safe to use. And, of course, the geek that I am, I try to install it and take it apart and find out whether it's safe to use or not.

Host: What are some of these apps doing under the radar?

Guest: Several activities. They, one of the most insidious things they do is geolocating. They just track your geographical movements. There's a lot of stuff they can do. Now they're giving you the ability of voice command, which means they can enable the microphone 24/7 and listen to everything that you're saying. Potentially there are manufacturers that have been caught with this, TV manufacturers and home entertainment device manufacturers that have kind of listened to families in the living room and even watched them on camera. There are promises to store your photographs for free, but what they're doing is they're just becoming the eyes in your pocket.
If you go to Yosemite Park and take a photo, the company knows you're there, and they see what you've seen already. There's nothing that's free. Free is a myth. There's always something that's being taken in order to give you a free service. And what's taken is your own freedom for the exchange of the word free.

Host: Has the cloud made it worse?

Guest: The cloud has enabled mass-scale computing and mass-scale analytics at a staggering rate. Whether it's worse or good, I don't know. Definitely connected a lot of people together. If you're working for an NGO, it makes it easier for you to do work across the globe and help your mission. If you're spying on nations, it makes it very easy to control a population. So it's a double-edged sword. The cost of computing and the cost of storage has plummeted according to Moore's law, and I believe in 2007 that somebody can own a supercomputing cloud infrastructure of 1999 on their desktops in 2011. And with in 2007. And if you trace the progress of the digital world from 2007 onwards, the past ten years, things have been ramping up. 90% of the data generated on the internet has been generated in the past 11 months. By the time we're having this conversation, 31 11 months rolled by, the data on the internet today will only be 10% of what it is next year and nine times as much data will be added in. So the rate at which storage is going is astronomical. It's not an exponential curve. It went this way and then just shot up into space. With this amount of data and computing power, real-time analytics is getting closer to reality where the machine will be able to feel the pulse of humanity 24/7.

Host: What's your role at Black Hat?

Guest: I've been at Black Hat now for, this is my 18th year. I came as a visitor in 1999. I was fascinated with the culture, the openness, the research, the global melting pot of geeks who come together and just share knowledge. They thrive on it.
In 2002 I started speaking at Black Hat, I started teaching at Black Hat, and I have not stopped. I've done for several conferences around the world. This is where I learn new things, this is where I meet some of my best friends, some who I consider family. This is where I exchange information, I validate myself. I enjoy mentoring a few people. Now my role at Black Hat is more of a veteran. I enjoy teaching the classes. It keeps me sharp, it keeps me focused. I enjoy interacting with other speakers. I don't get to research into new things on my own as much. I force myself to research new things by coming to these events. By teaching, I have to stay ahead of the curve, above of the students. By meeting other speakers and picking up the talks, I get to know what's the latest and greatest around. And then, of course, it's sort of like a pilgrimage. Every year I've got to be here this time of year. I hope I can make it to 20 years of Black Hatting.

Host: Are individuals and companies investing enough in cybersecurity?

Guest: There's a lot of money in cybersecurity. They're investing more than enough, but let's pause and think about whether this investment is in the right direction or not. They're investing in technology. And technology can only help you secure your organization to a certain extent. The investment in people is missing. The greatest lack of investment is in the mindset of board members. They need to empower these people in the organization to proactively defend the organization and not just do security by regulation, but security by compliance. If a board member doesn't buy into the process, no amount of money that you spend is going to save you in the end. Security has to be visible and accepted and has to be a core value at board level. Only then will it be effective. If not, we can keep trying and keep spending tons of money without the desired outcome.

Host: Saumil Shah, we're on the verge of the internet of things.

Guest: Yes.
Host: What are your thoughts when it comes to security?

Guest: I want to begin with a little story, an animal fable that was narrated. There were four very smart students who learn about all these magical arts. They're walking through a forest going back home. They see the remains of a late animal. One of the students says, hey, I have the knowledge to put its bones together. The second one says skin and flesh. The third one says I can make it come to life, and the fourth guy says, hey, look, are you really doing the right thing? You're using your knowledge beyond your means. And the other three scoff at him. He gets a head start and runs away. The lion comes to life and eats these other three students. Are we really building that sentient machine one click at a time, one like at a time, one bill at a time? With devices proliferating around us, I think security is another, security's a side seat here. I would believe the invasion of digital technology in human life is most terrifying. The Matrix is no longer science fiction, as I would say. It's probably a matter of when the machines have an equal footage in this world as human beings.

Host: Saumil Shah is the CEO of Netsquare, and he's been our guest this week on The Communicators.