CSPAN The Communicators Black Hat Cybersecurity Interviews October 7, 2017

Embedded device. A car, locomotives, airplanes, drones, everything around you is an embedded device. It is a device with a computer inside of it. Everything that runs the world that we live is essentially a device with a computer in it. Some of those devices talk to each other, we are interested in those interactions.

Host: What are you finding are the vulnerabilities of embedded devices?

Guest: I have been doing security for a long time. A lot of the vulnerabilities we have seen from 15, 20 years ago that we thought were extinct, they actually have come back in embedded devices. Phone, or a modern even a computer takes a high level of sophistication now. To exploit embedded devices is pretty easy.

Host: Give us an example.

Guest: Looked atusion that i a few years ago had no password. You could just connect to it and make the infusion do whatever you want. Device, yet. The device of that is controlling the amount of drugs a patient is getting when they are laying in a hospital bed. Literally have no password, you could connect however you wanted. You can let it do whatever it wanted, including high rates of drugs. We were able to demonstrate that to folks like the FDA. They looked at some of these vulnerabilities and were pretty appalled. They issued a cyber security safety advisory for some of the things we talked about. Generally speaking, you usually do not find those things in modern software. But you tend to see those in embedded devices, for some reason.

Host: You have also tested pacemakers.

Guest: We have looked at a variety of pacemakers. We have looked at pacemakers from four different manufacturers to see what the commonalities were. There are a lot of commonalities, some of the things we saw indicate that there is probably a lot of cross-pollination and sharing amongst the engineers who make those devices. Some of the things we saw is surprising as well.

Host: What did you find?

Guest: We went to places like eBay and bought pacemakers, pacemaker programmers, it is easy to get a hold of, if you're willing to spend a couple hundred or couple thousand dollars. And then, one of the first things we looked at was the amount of software that were on these devices, for example, a pacemaker programmer, a device that a doctor is going to use to set the parameters for the pacemaker inside of your body, is really just a computer. In fact, one of the programmers we looked at was literally running Windows, an old version of Windows. Windows XP. Microsoft no longer supports that operating system. But it was still being used in this pacemaker programmer. System you are running on your laptop 10 years ago is the operating system that is running a pacemaker.

Host: Why do drug infusion pumps and pacemakers need to be online?

Guest: Right. It is a question I ask myself every day. There is some benefit to this. I don't want to make it doom and gloom. Having these devices being able to talk to each other, being able to get the right information to a physician at the right time, that is a valuable thing. It can save lives. That is why these devices are being connected. There are inherent risks when you connect a device. If a device is talking to the internet, there are some inherent risks that are involved. Regardless of how well you engineer the device. Regardless of what your intentions are. That is what we look at. It is really hard. It is not easy to create a secure device. I think right now, the benefits probably outweighed the risks.

Host: Why would somebody want to hack a drug infusion device?

Guest: That is a good question. I try not to answer the question why, because to be honest, the technology is pretty complicated. But trying to understand why a human being would do something is even more complicated. I try not to play that game. It is technically possible. If someone wants to do this for a variety of devices, they can.
Whether they are mentally unstable, whether they are emotionally unbalanced, whether they have a vendetta or a message, whether they are a government trying to do something and present harm somebody, I do not know. That is not something I try to answer. What I know is technically, it is possible. Whether or not someone has a motive or means or whether someone wants to do this is a totally different question. I can't answer that question as to why. I can tell you that they can do it.

Host: We are moving into a world of internet of things. Embedded devices everywhere. What does that mean?

Guest: One of the things we will be talking about this week are safety issues associated with internet of things. Internet of things, they are all around us. If you think you can live in a world without being exposed to a connected device, you are really naive. When you go to the grocery store, those are computers that are doing that for you. When you get on an airplane, that is a flying computer. Devices are all around us. Internet of things is all around us. It affects your life, whether you wanted to or not. That is an interesting situation for a lot of people. It is interesting to take a look at how these devices impact the daily lives of people and whether or not there are risks because of these connected devices.

Host: When you work with a company, do you go in, do you try to penetrate their defenses?

Guest: It depends on what the organization wants. Some organizations hire us to take a look at their devices, to help them secure their devices. Some organizations are more operational. They have a facility or a building or data center or stadium, and they know that these devices are there. And they want us to help demonstrate what can be done if those devices are hacked. It depends on what the organization wants. We do a variety of services.

Host: Are you a hacker?

Guest: At the end of the day, we have to find vulnerabilities. In most cases, we have to find exploits.
That is what a hacker would do. I do, itself a hacker because there is a difference between what we do and what a real hacker would do. We find vulnerabilities and we may demonstrate to you what those vulnerabilities might be if they are exploited. Whether they can hurt someone or cause physical effects like a fire or explosion. But we will never do that to really hurt somebody. We won't do that to damage your equipment. That is not something we will do as a researcher or company that is hired to do something. A real hacker would. A real hacker would exploit a device to hurt or kill someone. A real hacker would exploit a device to take down an organization or send an organization a message. That is a line we do not cross.

Host: You mentioned you have been in this field and security for quite a while. Where did you start and what were you doing?

Guest: I had a pretty colored career. I was an active duty officer in the Marine Corps. I served in an intelligence unit in Hawaii. You learn the foundational pieces of operational security. I spent time at the agency doing detection, which is a nice way of saying catching hackers, doing what we call penetration testing, where companies hire you to break into their systems and tell them where their problems are. A startups started that was acquired. This is my second startup in the cyber security world. I have been doing this for a while. It is something I love. If tomorrow all the resources and money dried up in cyber security, I would probably still be doing.

Host: The leadthe military agency in protecting Americans against cyber attacks?

Guest: I think that is something the government is struggling with, to be honest. Probably the hardest problem in cyber security is not a technical problem. The hardest problem is a workforce problem. And inworked at Google Silicon Valley, it was basically us trading security engineers to other companies back and forth. There is a shortage of cyber security professionals.
The amount of money and resources and freedom that is given to a lot of these individuals that know what they are doing in cyber security, it is pretty astounding the salaries and the things they can ask for. Find that the was military, they are having a hard time keeping up and retaining that power. They may provide foundational skills and training and then they will find themselves losing top talent they have to places like Microsoft and Google or Facebook, which all have great top security teams working for their organizations. It is a struggle. It is very much a struggle for the federal government.

Host: Would you be an example? Someone who was trained by the military another your outcome you are doing a privately.

Guest: I still keep ties with folks in the federal government. I still work with folks in DoD. I can tell you now, they are very much struggling. They understand to train someone to do this is an investment. There is a level of aptitude that is acquired. Even if you invest money in training, you may not get an individual to the level you want them up. Those folks who have demonstrated the capability of understanding the cyber security pieces really well and take it to the next level, they are recruited by other places. If that individual is motivated by money or more stability or a better lifestyle than the federal government, or DoD, they will be recruited by those organizations. It is a tough place to be. The biggest problem in cyber security, which is workforce. There is a tremendous shortage. Everyone is fighting over the same pool of people. That makes it a tough proposition for folks who are not as agile as a Silicon Valley company. It is going to be something they will be struggling with over the next decade.

Host: Do you need at least a master's in computer science?

Guest: Definitely not. I have three master's degrees. I know people who have no degrees who are much smarter than I.
I know people who never went to college who know cyber security really well. I would not say you need formal education to enter cyber security. I personally know people who are in that situation. It could certainly help. I am not saying that is the path he will want to take is not going to school. Having a solid foundation in electrical engineering is a good thing. It is not a requirement.

Host: What is your role at Black Hat?

Guest: I am giving a talk later this week. We are going to show exploitation of a connected device. Going to cause a connected device to physically attack somebody.

Host: Can you tell us what the connected device is?

Guest: We will reveal that during our talk. We had three criteria for the device we are looking at. Number one, it had to be connected to the internet. We will be able to control the device from anywhere in the world. Control the device in the United States. It had to be publicly accessible, which means an average person walking down the street would be able to see one of these devices. We don't want it in a secure area. We wanted it in a public space that will be used by the public. The last piece of the criteria we wanted was we wanted to demonstrate a safety issue. I know that a lot of cyber security issues are connected with privacy and things like that. Those things are important, don't get me wrong. When you lose your credit card information, it is a bad day for you. When your hospital gets breached and you lose your health care information, that is a bad day for you. These connected devices have safety implications. We are going to show what their safety implications can be by causing these devices to attack an occupant.

Host: Rios, founder and security researcher for White Scope, thank you for being on The Communicators.

Guest: Thank you for having me. Appreciate it.

Host: Joining us on The Communicators from the Black Hat convention, Las Vegas, is Robert Leale. What do you do for a living?

Guest: I hack cars.

Host: What is the name of your company?

Guest: CAN bus is the name of the network that is found inside of vehicles. And hack for hacking.

Host: Are cars rolling computers?

Guest: They are hard to call them rolling computers. They are a fusion of mechanical and electronic components. A lot of those are very small computers that control the mechanical aspects of the vehicle.

Host: On a typical American car, how many so-called computers are in there?

Guest: Between 15 and 30.

Host: What do they control?

Guest: They control everything from the engine to the displays, to the lights, to the door locks, to the suspension, ride handling, really every component nowadays is controlled with computers.

Host: Is security baked in to a car's computer?

Guest: Sometimes. Security is a word they are starting to use in terms of electronic security. A lot of times when OEM is referred to security, they are talking about securing the passenger seat belts. Making sure that they do not get into accidents. Securing the person when they hit a wall with their backs. Now they are talking more about the electronic security of the systems.

Host: Is it a growing problem?

Guest: It is more noticed, if that makes sense. The issues have always been there. But now, because of recent tax has become a lot more noticed.

Host: A year or two back, a couple of gentlemen from Wired magazine hacked a car on the road. Did that send up flares for people?

Guest: Yes. I think that really awoke a sleeping beast in a lot of ways. Very, very well put together hack. What the gentlemen at Wired did was very novel.

Host: If we went down to the parking lot at Mandalay Bay, could you hack into any car down there?

Guest: Could I find or do I already issues with those individual vehicles? Yes. There is a lot of preparation that happens behind the scenes when you are doing a hack. You have to spend a lot of severalr maybe even weeks, if not months in order to figure out how these systems work.
Once you figure that out, you can do certain things across one vehicle or another that might be unlocking the doors, or it might be shutting the vehicle, it might be making so the vehicle cannot start. It depends how you define hack.

Host: If we went down there, could you unlock its doors?

Guest: Absolutely.

Host: How long would it take you?

Guest: It depends on the vehicle. Some vehicles in a matter of seconds, some vehicles it would require me to have the person who owns the vehicle hit a button on their and then I could capture that information and replay it back to the vehicle later.

Host: Who hires you?

Guest: Whoever wants to. [laughter] It is a tough question to answer. I get hired by companies who are looking to integrate electronic devices into vehicles. I get hired by automotive companies who are looking to secure their vehicles. I am also hired by lawyers looking to make sure that the vehicles of their customers are secure.

Host: How did you get into this business?

Guest: I have been doing it since I was 16.

Host: Breaking into cars?

Guest: Hacking cars. When I say hack, I am self trained. When I say hack, I mean figuring out how the electronic systems work and using that to my advantage.

Host: Is it reverse engineering?

Guest: Reverse engineering is a big part of the process. It is the first part of the process. Figuring out how the system works, and after that, we use that information that we learned on the vehicle. Whatever our target is. Maybe unlocking the doors, maybe turning on the windshield wipers, turning the lights on, something benign like that. Or turning the car off while it is driving. It depends on the application.

Host: Has that happened besides the Wired story that came out? Has a car been hacked in a bad way?

Guest: Not that I am aware of. We have done hacking before and since that.
In a controlled environment for different customers, whether they are government customers, whether they are state, local customers, whether they are OEMs, aftermarket. It depends on the different levels of the requirements and whoever is contacting us and hiring us to do the job.

Host: What does OEM stand for?

Host: How is it you train yourself to do this?

Guest: It has been so long. A lot of internet resources help. In the past, a lot of good websites described individual systems. I used to work for a company called Intrepid Control Systems. That company supplies tools to the automotive industry for vehicle interfaces. I worked a lot with the OEMs in Detroit to train the manufacturer on their own systems. I learned a lot about their individual systems, how they work, I learned about the vehicle networks. It was just a learning process over the past, I guess, 12, 13 years.

Host: What is your role at Black Hat?

Guest: I am doing the training for the car hacking at Black Hat.

Host: What kind of training do you do and who is in the audience?

Guest: At Black Hat, we do not ask the audience who they are. Sometimes they do not answer. A lot of times you do not answer. If you read a name tag, and they will have a simple name, and something like that. We have learned over the years to not ask them who they are. Either they are coming from military, they are coming from private industry and they do not want the rest of the class to know who they are. These people are interested in keeping their anonymity because they are either in the security profession or in military or after military applications.

Host: Are people from Chrysler there?

Guest: They are. I have met some suppliers, some OEM people that work at OEMs. I have met a lot of people from industry in our classes.

Host: As we move into the internet of things world, what are your thoughts?

Guest: As long as we do not keep making the same mistakes, I think security is possible.
It can be improved. People like me, hackers, we can actually make these systems better by doing responsible disclosure, by making sure that the companies we are working with know how it is their systems can be more secure. I think we are in a good path. They are heading in the right direction. That gm hasct onstar and can unlock and start cars remotely, is that a security issue . The onstar systems typically do not send that information over the wifi, that i am aware of. A lot of that stuff works over the Cellular Network. The cell Cyber Security<\/a> safety advisory for some of the things we talked about. Generally speaking, you usually do not find those things and modern software. But you tend to see those in and that it devices, for some reason. Host you have also tested pacemakers. Aest we have looked at variety of pacemakers. We have looked at pacemakers from four different manufacturers to see what the commonalities where. Ofre are a lot commonalities, some of the things we saw indicate that there is probably a lot of cross polymerization in sharing amongst the engineers who make those devices. Some of the things we saw is surprising as well. Host 20 do find . What did you find . Guest we went to places like ebay and bought pacemakers, isemaker programmers, it easy to get a hold of, if youre willing to spend a couple hundred or couple thousand dollars. And then, one of the first things we looked at was the amount of software that were on these devices, for example, a pacemaker programmer, a device that a doctor is going to use to set the parameters for the pacemaker inside of your body, is really just a computer. In fact, one of the programmers we looked at was literally running windows, an old version of windows. Windows xp. Microsoft no longer supports that operating system. But it was still being used in this pacemaker programmer. System you are running on your laptop 10 years ago is the operating system that is running a pacemaker. 
Why do drug infusion pumps and pacemakers need to be online . Guest right. It is a question i ask myself every day. There is some benefit to this. Curedt want to make it doom and gloom. Having these devices being able to talk to each other, being able to get the right information to a physician at the right time, that is a valuable thing. I can save lives. That is why these devices are being connected. There are inherent risks you connectn you cannot a device. If a device is talking to the internet, there are some inherent risks that are involved. Regardless of how well you engineer the device. Regardless of what your intentions are. That is what we look at. It is really hard. It is not easy to create a secure device. I think right now, the benefits probably outweighed the risk outweighed the risks. Host why would somebody want to hack a drug infusion device . Guest that is a good question. I try not to answer the question why, because to be honest, the technology is pretty complicated. By trying to understand why a human being would do something is even more complicated. I china to play that game. It is technically possible. If someone wants to do this for a variety of devices, they can. Whether they are mentally unstable, whether they are emotionally unbalanced, whether they have a vendetta emma or a message, whether they are a government trying to do toething and present harm somebody, i do not know. That is not something i try to answer. What i know is technically, it is possible. Whether or not someone has a motive or means or whether someone wants to do this is a totally different question. I cant answer that question as to why. I can tie your that they can do it. Host we are moving into a world of internet of things. Embedded devices everywhere. What does that mean . Guest one of the things we will be talking about this week are safety issues associated with internet of things. Internet of things, they are all around us. 
If you think you can live in a World Without<\/a> being exposed to a connected device, you are really naive. When you go to the grocery store, those are computers that are doing that for you. When you get on an airplane, that is a flying computer. Devices are all around us. Internet of things is all around us. It affects your life, whether you wanted to or not. That is an interesting situation for a lot of people. It is interesting to take a look at how these devices impact of the daily lives of people and whether or not there are risks because of these connected devices. Host when you work with a company, do you go in, do you try to penetrate their defenses . Guest buy depends on what the organization wants. Some organizations hire us to take a look at their devices, to help them secure their devices. Some organizations are more operational. They have a facility or a building or data center or stadium, and they know that these devices are there. And they want us to help demonstrate what can be done if those devices are hacked. It depends on what the organization wants. We do a variety of services. Host are you a hacker . Guest at the end of the day, we have to find vulnerabilities. In most cases, we have to find exploits. That is what a hacker would do. I do, itself a hacker because there is a difference between what we do and what a real hacker would do to we find vulnerabilities and we may demonstrate to you what those old abilities might be if they are exploited. Whether they can hurt someone or cause physical effects like a fire or explosion. But we will never do that to really hurt somebody. We wont do that to damage your equipment. That is not something we will do as a researcher or company that is hired to do something. A real hacker would. A real hacker would ask what a device to hurt or kill someone. A real hacker would exploit a device to take down an organization or send an organization a message. That is a line we do not cross. 
Host you mentioned you have been in this field and security for quite a while. Where did you start and what were you doing . Guest i had a pretty colored career. I was in active duty officer in the marine corps. I served in an Intelligence Unit<\/a> in hawaii. You learn the foundational pieces of operational security. I spent times at the agency doing detection, which is a nice way of doing of saying catching hackers, doing what we call penetration testing. Where Companies Hire<\/a> you to break into their systems and tell them where their problems are. A startups started that was acquired. This is my second startup in the Cyber Security<\/a> world. I have been doing this for a while. It is something i love. If tomorrow all the resources and money dried up in Cyber Security<\/a>, i would probably still be doing. The leadthe military agency in protecting americans against Cyber Attacks<\/a> . Guest i think that is something the government is struggling with, to be honest. Probably the hardest problem in Cyber Security<\/a> is not a technical problem. The hardest problem is a workforce problem. And inworked at google Silicon Valley<\/a>, it was basically us trading security engineers to other companies backandforth. There is a shortage of Cyber Security<\/a> professionals. The amount of money and resources and freedom that is given to a lot of these individuals that know what they are doing in Cyber Security<\/a>, it is pretty astounding the salaries and the things they can ask for. Find that the was military, they are having a hard time keeping up and retaining that power. They may provide foundational skills and training and then they will find themselves losing twotop talent they have places like microsoft and google or facebook. Which all have a great top security teams working for their organizations. It is a struggle. It is very much a struggle for the federal government. Would you be an example . 
Trainedsomeone who was by the military another your outcome you are doing a privately. Guest i still keep ties with folks in the federal government. I still work with folks in dod. I can tell you now, they are very much struggling. They understand to train someone to do this is an investment. There is a level of aptitude that is acquired. Even if you invest money in training, you may not get an individual to the level you want them up. Those folks who have demonstrated the capability of understanding the Cyber Security<\/a> pieces really well and take it to the next level, they are accrued by other places. If that individual is motivated by money or more stability or a better lifestyle than the federal government, or dod, they will be recruited by those organizations. It is a tough place to be. The biggests problem in Cyber Security<\/a> which is workforce. There is a tremendous shortage. Everyone is fighting over the same pool of people. That makes it a tough proposition for folks who are not as agile as a Silicon Valley<\/a> company. It is going to be something they will be struggling with overnight next decade. Host do you need at least a masters in Computer Science<\/a> . Guest definitely not. I have three masters degrees. I know people who have no degrees who are much smarter than i. I know people who never went to college you know Cyber Security<\/a> really well. Formal not say you need education to enter Cyber Security<\/a>. I personally know people who are in that situation. It could certainly help. I am not saying that is the path he will want to take is not going to school. Having a Solid Foundation<\/a> in Electrical Engineering<\/a> is a good thing. It is not a requirement. Host what is your role at black hat . Guest i am giving a talk later this week. We are going to show exploitation of a connected device. Going to causally connected device to physically attack somebody. Host can you tell us what the connected devices . 
Guest we will reveal that during our talk. We had three criteria for the device we are looking up your number one, it had to be connected to the internet. We will be able to control the device from anywhere in the world. Control the device in the united states. It had to be publicly accessible, which means an average person walking down the street would be able to see one of these devices. We dont want it in a secure area. We wanted in a public space that will be used by the public. The last piece of the criteria we wanted was we wanted to demonstrate a safety issue. I know that a lot of Cyber Security<\/a> issues are connected with privacy and things like that. Those things are important, dont get me wrong. When you lose your credit card information, it is a bad day for you. When your hospital gets breached and you lose your health care information, that is a bad day for you. Devicesthese connected have safety implications. We are going to show what their safety implications can it be by causing these devices to attack a occupant. Rios, founder and security researcher for white scope, thank you for being on the communicators. Guest thank you for having me. Appreciate it. Us on thening communicators from the black hat convention, las vegas is robert lee ally. What do you do for a living . Guest i hack cars. Host what is the name of your company . Can bus is the name of the network that is found inside of vehicles. And hack for hacking. Host our cars rolling computers . Call they are hard to them rolling computers. They are a fusion of mechanical and electronic components. A lot of those are very small computers. That control the mechanical aspects of the vehicle. Host on a typical american car, how many socalled computers are in their . Guest between 15 and 30. Host what do they control . 
Guest they control everything from the engine to the displays, to the lights, to the door locks, to the suspension, ride handling, really every component nowadays is controlled with computers. Host is security baked in to a cars computer . Guest sometimes. Security is a word they are starting to use in terms of Electronic Security<\/a>. A lot of times when oem is referred to security, they are talking about securing the passenger seat belts. Making sure that they do not get into accidents. Securing the person when they hit a wall with their backs. Now they are talking more about the Electronic Security<\/a> of the systems. Host is it a growing problem . Guest it is more noticed, if that makes sense. The issues have always been there. But now, because of recent tax has become a lot more noticed. Host a year or two back, a couple of gentlemen from wired magazine hacked a car on the road. Did that send up flares for people . Guest yes. I think that really awoke in a sleeping beast in a lot of ways. Very, very well put together hack. What to the gentleman at wired did was very novel. Host if we went down to the parking lot at mandalay bay, could you hack into any car down the . Down there . Could i find or do i are ready issues with those individual vehicles . Yes. There is a lot of preparation that happens behind the scenes when you are doing a hack. You have to spend a lot of severalr maybe even weeks, if not months in order to figure out how these systems work. Once you figure that out, you can do certain things across one thatle or another vehicle might be unlocking the doors, or it might be shutting the vehicle it mighty, mib be making so the vehicle cannot start. It depends i you define hack. Host if we went down there, could you unlock its doors . Guest absolutely. Host how long would it take you . Guest it depends on the vehicle. 
Some vehicles and a matter of seconds, some vehicles it would require me to have the person who owns the vehicle hit a button on their and then i could capture that information and replay it back to the vehicle later. Host who hires you . Guest whoever wants to. [laughter] guest it is a tough question to answer. I get hired by companies who are looking to integrate Electronic Devices<\/a> into vehicles. I get hired by Automotive Companies<\/a> who are looking to secure their vehicles. I am also hired by lawyers looking to make sure that their vehicles of their customers are secure. Host how did you get into this business . Guest i have been doing it since i was 16. Host breaking into cars question mark guest hacking cars. When i say hack, i am self trained. When i say hack, i mean figuring out how the Electronic Systems<\/a> work and using that to my advantage. Host is it a reverse engineering . Guest reverse engineering is a big part of the process. It is the first part of the process. Figuring out how the system works, and after that, we use that information that we learned on the vehicle. Whatever our target is. Maybe unlocking the doors, maybe turning on the windshield wipers, turning the lights on, something benign like that. Or turning the car off while it is driving. It depends on the application. Host has that happened behind besides the wired story that came out . Way . T happened in a bad has the 8 has a carbon hacked in a bad way . Guest not that i am aware of it we have done hacking before and since that. In a controlled environment for different customers, whether they are government customers, whether they are state, local customers, whether they are oems aftermarket. It depends on the Different Levels<\/a> of the requirements and you ever is contacting us and hiring us to do the job. Guest what does host what does oem stand for question mark. Host how is it you train yourself to do this . Guest it has been so long. A lot of internet resources help. 
In the past, a lot of good websites described individual systems. I used to work for a company called intrepid control systems. That company supplies tools to the automotive industry for vehicle interfaces. I worked a lot with the oems in detroit to train the manufacturer on their own systems. I learned a lot about their individual systems, how they work, i learned about the vehicle networks. It was just a learning process over the past, i guess, 12, 13 years. Host what is your role at black hat? Guest i am doing the training for the car hacking at black hat. Host what kind of training do you do and who is in the audience? Guest at black hat, we do not ask the audience who they are. Sometimes they do not answer. A lot of times you do not answer. If you read a name tag, and they will have a simple name, and something like that. We have learned over the years to not ask them who they are. Either they are coming from military, they are coming from private industry and they do not want the rest of the class to know who they are. Aren, these people interested in keeping their anonymity because they are either in the security profession or in military or after military applications. Host are people from chrysler there? Guest they are. I have met some suppliers, some oem people that work at oems. Frome met a lot of people industry and our classes. Host as we move into the internet of things world, what are your thoughts? Guest do not keepng as we making the same mistakes, i think security is possible. It can be improved. People like me, hackers, we can actually make these systems better by doing responsible disclosure, by making sure that the companies we are working with know how it is their systems can be more secure. I think we are in a good path. They are heading in the right direction. Host that gm hasct onstar and can unlock and start cars remotely, is that a security issue?
Guest the onstar systems typically do not send that information over the wifi, that i am aware of. A lot of that stuff works over the cellular network. The cellular network has been exploited, as well. As long as these systems use proper encryption, they can secure it correctly. Not every manufacturer does it correctly. We are working with the manufacturers to help them make their systems a little more secure. Host if somebody is listening to this and is wondering if their car can be hacked, is there anything they can do? Guest that is a really challenging question. Every car canel, be hacked, anyway. Maybe that is a good thing. If you want to add features to your car, if you want to do something extra to your car, maybe you can hack it yourself. But as far as some malicious hacker breaking into their car, it does not work as simply as waving a wand and you can open the door. There is a lot of investment in time and effort and tools in order to figure out how car hacking works. Are a target, you probably do not have to worry too much. But, as with of the past, the wired hack you were talking about. One of my favorite quotes from the guys who did that was, it was easier to hack all of the cars than one of the cars. They found an issue that was in a massivel out scale than it would have taken extra work to target a specific person. In that scenario, if somebody or a bug orlem security hole with a particular vehicle, and they just feel like pressing the red button and making everything not work anymore, turning peoples wheels to the right as they are driving, it is actually easier to go after everybody, not one person. That was a big take away that i learned. Host the communicators has visited and city as well where connected cars are being worked and developed.
What kind of dangers are there in connected cars that are connected to stop lights and roadsigns? Guest there is quite a bit more this is a big concern. We are currently working really hard on catching up with the technology. It is just being released now. Density and a lot of these other vehicle to vehicle infrastructure type of radios you know,ening stop lights, and roadsigns, is very new. It has not been tested in a security setting yet. At least not in the real world. Cost of tools become less peoples, more and more can access these tools. As more and more people have to communicate with vehicle to vehicle infrastructure, radio connectivity, i think we are going to find a lot more problems with it. I think it is a good idea that ony try to keep their mind security as they roll these systems out. I am a little bit nervous but that is not happening yet. Security is very difficult. It is difficult to have security it is difficult to maintain it and integrate it across a lot of different manufacturers. We are going to have growing pains. Initially. I hope it does not cause a slowdown in the promise of vehicle to vehicle infrastructure technology. Host are car manufacturers working together to such regulations and safety standards? Guest as far as i'm aware, yes. Committee,teering is an automotive cyber security initiative. It still has not been released yet. The actual paper is not available. There is a steering committee to try to make it a little more streamlined so that security can become part of the process of designing and developing a vehicle. Host robert has been our guest on the communicators. Now on the communicators, we want to introduce you to aaron rouse who is the special agent in charge of las vegas for the fbi. What does that entail? Guest it means i will run the fbi operations for the state of nevada. Host what is the major focus here in nevada for the fbi?
Guest unfortunately, the fbi has to be good at everything. Our focus has to be in the top priorities that the fbi has set out on what we can do the most with. For us, our number one priority is always going to be counterterrorism, keeping people safe. Host you are attending black hat, why? Guest i think it is important for us to know what technologies are out there and what people who are involved in the industry for good or not so good, what they are involved in. And what kind of things are interesting them and what kind of things are the latest and greatest that they see up there. And what kind of discussion groups do they have. The fbi wants to be a part of that. Host are you welcomed here? Guest most definitely. Host 20 you spend your time doing? Guest a lot of it is outreach. We want to make sure that the fbi is seen as a partner in protecting people. We want to understand what is important to them and see how we can plug and play. Host how big is cybercrime in las vegas and nevada? Guest cybercrime is big everywhere. As we are seeing, the best part about the internet is also some of the worst things about it. We see it from everyone with infected emails that they get from somebody that they thought was a relative or a friend, and they click on the link or the attachment and they see that, now i am subject to ransomware. Or now my identity has been stolen because i am sharing a lot of information. For my business computer has been compromised. Those things are of keen interest to us because it is our job to protect that. Host is there a unit within the fbi that works on these issues? Guest the Cyber Division has the task with making sure we are all focused on the right things. Host what about the casinos? You an fbi perspective, do work with the casinos to protect them from cyber attacks? Guest we have great relationships with of the casinos. All of them.
They want to be good partners with us because they do not want to be the victims of crime or the conduit by which the people that go to their casinos are victimized. They want to work with us to make sure that when people come, and if to recreate necessary, gamble, but they are doing so safely. Host can you learn things from how the casinos protect themselves? Guest absolutely. The best part about the fbi for our outreach program is we are industry. Rning from we are always learning from private citizens. Every interaction we have allows us to learn that much more, because you can't be the master of everything. There are people out there that will spend their entire lives preparing for the worst case scenario for their particular industry. The casinos are no different. We partner with them to learn what are they seeing? What are the threats they see? And then, how can we prioritize that in the fbi response? Host is the cybercrime aspect of your job growing? Guest always. We are seeing that cyber is a part of absolutely everything we do now. The amount of data that we collect would probably shock your audiences. Host hoover dam is close to where we are now. Does that keep you up at night? Guest no. We have great partnerships with the state, local, and federal agencies around here. We are focused on the same thing. Americano protect the people. When we see critical infrastructure pieces like the hoover dam, we focus on that, just like a laser beam. We make sure that we are doing everything we can that comes in the form of tabletop exercises. A lot of interactions between the department that come through the river dam, and we are always looking at the intelligence. Both domestically and with our foreign partners. And how do we stop them. Host does section 702 assist you in your work? Guest it is a critical part of our work. Section, 702, is allowed to expire at the end of this year, america will be less safe.
The fbi will not have access to information that we critically need to protect the united states. Host essentially, that is allowing you to listen in to phone calls made from overseas? Guest yes. But i want to mention to all of your viewers, the fbi does not do anything without judicial review. A judge will look at it and give us a warrant to do so. Host when we were talking with jeff moss, the founder of black hat, he was telling us about an estonian operation where the estonians were trying to get money and trying to get trade secrets from ceos, and it is very cloak and dagger. Guest it is. We will see, not just through business email compromises, but we will see that people will do a lot of their homework on the suspected on the target they want to go after. They will know about their social media habits, they will know everything they can. And many cases, what they are able to do is mimic through subverting their email system, being able to get in there and send out any mail pretending to be somebody else to allow for wire transfers. From company to company. Way of very ingenious subverting the safeguards of a corporate entity. It is something we have to help people be on the lookout for. Billion in 1.3 cyber losses last year, according to the fbi? Guest i think that is a conservative estimate. Host agent rouse, would you go into black hat on the convention floor, do you bring your phone? Guest no. Host why not? Guest i think it should be apparent. But not everyone is here with the same reasons. Doing allne is here legitimate work. Aaron rouse is a special agent in charge in las vegas. This is the communicators. On cspan. Cspan, where history unfolds daily. In 1979, cspan was created as a public service by america's cable television companies. And is brought to you today by your cable or satellite provider. Announcer cspans washington journal, live every day with news and policy issues that impact you.
Coming up sunday morning, the latest and the Senate Intelligence Committee Russia investigation with todd shepherd of the washington examiner. A look at the fbis newly released violent crimes statistic. Thomas apt will join us to discuss that. Also, an examination of u.s. cuba tensions after the so-called sonic attacks on u.s. The comments in nevada. With frank more of Florida International university. Cspanso watch washington journal, live at 7:00 eastern sunday morning. Join the discussion. Announcer sunday night, on afterwards. Radio host and contributor Charles Sykes discusses his book how the right lost its mind. He is interviewed by fox news and a host. Donald trump represented something. He certainly represented what the big middle finger from voters to the establishment. Wantedyou really, really to deal with some of these issues, the public electorate would have gone with marco rubio or ted cruz, and they didn't. In terms of communication, yes, he is a master of twitter. But he is crude, rude, he was a serial liar, he is a thin-skinned, he is a fraud. This was relatively well-known. Conservatives, who not that long ago used to argue that character matters, but the president was a role model, has somehow found a way to rationalize the behavior of somebody who insults women, mocks the disabled, mocks pows, paid a multimillion dollar fine for defrauding students who just wanted to get an education. Watch afterwards, zen and night, at 9:00 p.m. eastern, on cspan twos book tv. Earlier today, louisiana governor John L Edwards briefed reporters on hurricane preparations in his state. Forecasters say Hurricane Nate could make landfall in that area overnight as a category two hurricane. This is 20 minutes. Gov. Edwards good afternoon, everyone. Thank you for being with us today as we talk about Hurricane Nate. We just completed a briefing with the unified command group here.
As many of you may know, Hurricane Nate is gaining strength and is now expected to make landfall as a category two storm. In addition to that, it is moving at an extremely fast rate, a speed of 26 miles per hour. Almost
