Transcripts For CSPAN2 The Communicators Black Hat - Cyberse

CSPAN2 The Communicators Black Hat - Cybersecurity How Hackers Work October 17, 2017

Guest: I own a company that is a consultancy and a contract services, and try to help clients on a range of different sectors, making their devices more secure. We do that by looking at a couple of different things on the device side, system side, and do the hardware, software engineering.

Host: Quite a bit of competition in this field today?

Guest: Yes. It is kind of a carve out a niche for showers and go, I specifically work with a lot of cryptographic devices.

Host: Which is what?

Guest: Devices that need to use cryptography to embed a secret, and everyone uses it today. If you buy on amazon.com you use cryptography.

Host: Do you work with the federal government at all?

Guest: Currently I work in the commercial sector.

Host: Why did you get into this field?

Guest: Started at the Naval Academy. Was one of a group of midshipmen, the Trident Scholar, let you do research. Wanted to research cryptographic protocols and interested how to protect communications using cryptography. I was a crypto officer, got more into it. And then kind of kept getting, kept getting deeper down into that.

Host: We have talked to several people here at Black Hat, a lot of military backgrounds.

Guest: Uh-huh.

Host: Why is that?

Guest: I think the military has a unique, kind of has a unique mission in that it knows the importance of protecting information and communication security, and COMSEC is imbued in you, and on a submarine especially, because some of the places a submarine will go, the communication security is very important. I think that kind of environment leads to understanding those threats and how to protect those threats, and I've seen a lot of people take that forward outside of the military.

Host: How does cryptography work?

Guest: Based on mathematical principles.
Different aspects of cryptography work differently, but there's one area called asymmetric cryptography, also known as the public-private system, and it works basically by having hard mathematical problems, and the interesting property of these problems is that in one direction, they're easy to compute, but then if someone got the answer, it's hard to reverse it. So, simplified, but if you try to take two prime numbers and multiply them together, that's easy. But if you were given a number and had to figure out the prime factors just from that number, that's a harder problem.

Host: Do you create the cryptographic questions?

Guest: The devices will, depends on the device, but the device, if it has the capabilities, could self-generate the key, or a manufacturer may, depending on what they want to do, they may decide to put a device in all the keys. The first typically is more secure because not even the manufacturer would have access to those keys. Kind of like what we have heard about with Apple and the FBI in the last year or two.

Host: You mentioned Amazon. Do people use cryptographic devices every day? Like if you look into your bank, do online banking, is that cryptographically secured?

Guest: Yes. On anyone's phone it's running a web browser with security which encrypts your communication over the wire, and if you talk to Google or go to Facebook, it's using cryptography, so it's built in transparently. Most people don't know they're using it but they use it and rely on it to protect their communications.

Host: How is it, what is another form of communication protection that is used?

Guest: Well, you could use it if you have a messaging app, and you are, there's a couple of different messaging apps, but you could be texting somebody and those could be encrypted, and the better ones are encrypted end to end, which means not even a third party, like the service provider of the application, could intercept your communication.
So only you and the person you sent the message to can decrypt it.

Host: Is it more expensive to encrypt something?

Guest: Well, it's expensive, with most modern phones there's not an expense in processing time. It's an expense on the developing side to make the protocols and the engineering. That's where you pay the expense to design the systems. Once you have those in place, on something like a modern phone, they're not expensive in time or power to use.

Host: As we move into the Internet of Things world, is that going to be more and more crypto keys?

Guest: Yes. This is going to be more important. I say that because Internet of Things is unique even from other embedded devices like phones because they're typically used autonomously, so no human interaction, like your thermostat or a central controller, and we have seen some attacks where they're able to exploit, like webcams. Absolutely different, but the idea is those devices need to have a secure way to get firmware updates, and need, if they're sending out data, maybe temperature data, sensor data, czeched to sensitive machines. Wouldn't want that data to be intercepted by a third party for competitive reasons or a hacker.

Host: So there's a lot of different doorways into a system, correct?

Guest: Absolutely. Crypto is not the first choice of attackers, and I say that because there's usually easier lefts to go be in. Perhaps they have the same password or the password is on the website or something like that. So those are typically the first means of attack. However, the flip side is if you don't implement the crypto properly you could have a false sense of security. There are attacks that could make that not the case.

Host: What do you do to protect your own devices?

Guest: So, my best tip is I generally try not to have them. I will go, sometimes I go into client meetings with a pen and paper and that's, but I'm a little old school.
That's not feasible all the time, and so on my phone I, number one, make sure I have all the firmware updates, the kind of thing is patch, patch, patch. You want to have things like a VPN service on your phone, which protects you on using the hotel Wi-Fi, virtual private network, and basically encrypts the immediate network. The number one thing is get a device, make sure the firmware updates are applied as soon as they happen.

Host: Do all modern phones come with a VPN?

Guest: Typically, I think Apple, there's a way. Android devices, it's like a third-party app. Some of these are paid services, you can go and install the application.

Host: What kind of attacks are you seeing?

Guest: On the devices there's a range of attacks. The easiest ones are, the kind of the gold standard of attack is to get remote access into a device. So in a typical Internet of Things deployment you have a one gateway device that is more advanced processor, talking to a bunch of sensors, and the sensors are small powered. So the gold standard attack is to attack the gateway through a web protocol, either something wasn't set up, and then use that gateway device to jump to attack different sensors. Those are the biggest attacks that would have the best bang for the buck for the attacker. Some things I focus on are the hardware, physical attacks. If I can get my hands on the gateway device and attach probes or debuggers, I have a lot closer access to the hardware to do more sophisticated things, and then the more dangerous thing about that, it's a physical attack, but the information I see from that attack, I can turn that attack into a software attack, and so you take one attacker, he looks at the hardware then publishes it online for a software attack, and then you have a hybrid attack, which is quite powerful.

Host: Are these debuggers available to the layman?
Guest: More expensive ones are geared to professional engineers, so these would cost maybe 100, 200, some of the devices have been commoditized to be in the 20 decide for decide range. They're not as fast or reliable as professional tools but surely available.

Host: Do attackers leave fingerprints?

Guest: The good ones, I think, try not to. It helps to avoid the attribution, but sometimes you can't help it, so sometimes you're using a tool or something and maybe that will leave some, I don't do so much on the forensic side so I don't know exactly that area as well, but from what I understand you generally try to not do that to make it harder to come back to you.

Host: Do you presume you're under attack, cyberwise?

Guest: Yeah. It's less, I think, more of a paranoia, less of a heightened sense of awareness, my wife thinks I'm paranoid but I think that's the military training happening, heightened sense of awareness, heightened sense of surroundings, and more about getting the attacks into a threat model. If you're doing something online, knowing there's these category attacks and they could have impacts, and bucketing that information into, otherwise if you were paranoid all the time you wouldn't be able to live your life or go and buy coffee and wouldn't be worrying if somebody put something in your coffee. You have to internet online.

Host: What is your role at Black Hat and at DEF CON?

Guest: I'm helping with the training on applied physical embedded attacks led by Joel Fitzpatrick, we're teaching 30 people in each class how to take a piece of hardware, connect with the debugger, with tools, learn about what the hardware is doing and then maybe use that hardware knowledge to construct an attack. At DEF CON I'm giving a talk on Bitcoin, a digital currency, and a hardware wallet is like a smart card for using Bitcoin. It's basically an embedded device custom made to help protect what they call your wallet, your private key.
It's how you would send money, or it's what you need to send money.

Host: Cryptocurrency is coming?

Guest: Yeah. So, it's here. I don't know if it's, it's here and it's being used. So, the reason I started looking at that talk is that as more people start to use it and as the value of Bitcoin gets higher, I was curious about the hardware level protections on these devices, which are recommended as a more protected way to use cryptocurrency.

Host: Josh Datko, thank you for being on The Communicators.

Guest: Thank you.

Host: Now on The Communicators, more of our interviews from the Black Hat convention. Joining us, Daniel Cuthbert, COO of a company called SensePost. What does that company do?

Guest: A lot. We have been around 17 years and we're in essence penetration testers. So hackers for hire. We get asked by clients, who are numerous, to effectively become adversarial targeting. So what happens if an attack targets you, what's the worst that could happen and how do you react? All the millions you spent on hardware and software and security and training, is it working? How do you fit in on the internet?

Host: Call them pen testers.

Guest: Yes, people who test pens. Yes.

Host: Penetration.

Guest: Yes, penetration.

Host: How did you get started?

Guest: I've been fighter long time. They year of hacking. Mine was curiosity. We moved to South Africa during apartheid, and the internet started, and coming from London to a country where strict restrictions were happening and censorship, and had the first stage of the internet with dial-up and bulletin boards, and I was curious and started to fiddle and moved from there.

Host: You reverse engineer?

Guest: No. It was basic back then. I liken it to the stories when my dad talked about using to walk to school, barefoot, naked in the snow, backwards. I think now it's the most exciting time to start hacking. The wealth of information is unbelievable. It takes very little to hack today. You have YouTube, tutorials; 20 years ago, there just wasn't much.
It was a true wild, wild west and nothing out there. Now this is a really exciting time.

Host: Should that information be on the internet?

Guest: It's a good question. I liken it to a knife. You can use a knife to cut an orange or you can also do really bad things. In London we have a bad problem with knife crime. That doesn't make the knife really bad. Just how you use it. There's a definite need for penetration testing, these skills. Just take it one step further.

Host: Do you have a specialty with your company?

Guest: We are very good at red teaming, the top end of testing. We try to gain access to you, your data, your employees, no matter how. It's a fully encompassing service. Just say an application test or a network level test. It's about as close to the bone as you can get.

Host: When you go into a red team testing, are you trying to, let's say, break into IBM?

Guest: Could be however the client wants, could be the client saying, we think we're secure. We have developed this new application or we have this really great new phone coming out soon. We want to make sure that, a., everybody is involved, b., we can detect it, c., our people are doing the right thing, and then, finally, like how do we stand up? Does the board say, all right, probably going to get breached tomorrow and need to make sure we're not on the 6:00 news and we look good, or we have done everything we can and we think we're in a good place.

Host: Are attacks happening every day?

Guest: Yes. Sadly I think it's easier, the bad side of all this information being made available and freely available is that the attacks have just gone through the roof. It's now commonplace for us to hear about breaches. A couple of years ago you'd maybe hear of every company, every now and then getting breached. Now it's commonplace. People are popped left, front and center and that's not a good thing.

Host: Where are you based?

Guest: London.

Host: Can you do your work from anywhere in the world?

Guest: You can. It's an amazing career.
I've had the luxury of living in 17 countries. So, yes, you can, if you are dedicated and you do this job really well you have the benefit of being able to live anywhere as long as you have internet access.

Host: If you have a laptop and internet access could you breach all the phones in the room?

Guest: It's easy to say we can target the home. I think Hollywood glamorized a lot of hacking. But it's still quite easy to target a phone, gain access, such as an Android device, older Android device. If it's Apple's latest device, that's pretty secure. It's annoying, annoying to good hackers and annoying to law enforcement who are trying to get access. It takes time.

Host: Could you break into this room?

Guest: Physically?

Host: No. Electronically.

Guest: With the door locked? Yes.

Host: Easily?

Guest: Yes.

Host: And I'm going back to the question I asked before. Should that information be out there and available?

Guest: Good question. So, you can take two parts of this. On the one hand, the manufacturers should make this stuff more secure. A bit like autonomous cars. We expect stuff to be built properly. When I buy a kettle or microwave I don't expect it to zap and kill everybody in the house. I think we're at the likes of Internet of Things that we're seeing with a terrible track record of security. They have to be tested. So the information that somebody uses to maybe test that kind of stuff could be a benefit when they find a vulnerability, and our industry is built upon that, and they work with that vendor, say, found this vulnerability. I was able to gain access to the room. Here's how you fix it. Let's work together to make it more secure.

Host: From your point of view is it important to know the motives of the black hat hacker?

Guest: Yeah. I'm nervous about colors. I think I've been doing this long enough where I think the white hat, the gray hat, the black hat, the meanings have been diluted.
You have those who are criminally minded and have criminal intentions, you have then got those who genuinely want to help, and if you look at those who are vulnerable, you say, hey, use your product, I'm a customer but also found it to be quite secure. Here's how you can make it better. Motives are really important.

Host: Do hackers leave a trail?

Guest: Bad ones do. Bad ones do.

Host: The good ones?

Guest: If you're a really good attacker and you know what you're doing, it becomes hard. Attribution is not an easy thing to do right.

Host: So, what do you do there?

Guest: I am a security analyst and also the head of training.

Host: What does that entail?

Guest: I get to active and also manage our training.

Host: What exactly is hacking?

Guest: Hacking. So, traditionally hacking's more around building and making stuff, and more recently I think society has seen it as people breaking into systems, attacking systems in an offensive manner, but traditionally it's approaching problems and solving problems in various different ways.

Host: But if you wanted to go into and hack something, how would you do it? Where would you start?

Guest: You want to give me an example?

Host: Break into the Las Vegas international airport, which is right behind us. Break into their security system.

Guest: Into their security systems. So, firstly, theoretical scenario because I'd love to live in the States some day. What I would first do is probably research staff members that work at the airport because humans are normally the weakest link. Often easier to convince to click on something which will open a document than actually targeting systems.

Host: A social engineering?

Guest: Yeah.
Social engineering and not necessarily trying to lie my way in, but go on to LinkedIn and find out who is working there, compile a list of miami work there, then I will research those people, so I go to their Facebook, their Twitter, whatever social media networks they have, and start enumerating those and then find out what their interests are, and then starting if I can get information on the technology they use, so that might be them posting a picture of their new phone or their laptop or something like that, or figure out what sites they frequent, perhaps I can go after one of those sites and learn about the technologies they're using, and the more information I have, the more likelihood I would have at succeeding in an attack. So, if I wanted to send a malicious document to them, if I researched them on Facebook I know their interests, I can write up something that would be interesting to open and try to convince them to open the document, once they opened the document I have control of their computer.

Host: Their computer?

Guest: Yes. From their computer, let's say it's their laptop. Maybe the laptop is at home. I access, and when they go to work might have access to the internet at the airport.

Host: How would you break into this room?

Guest: Into this room.

Host: Through the electronic lock.

Guest: So, the easiest way is probably rent a room here first so I can get access to a key card, then investigate the technology that is being used on the key card. I'd probably spend a couple of days doing that. And then either see if I can write my own key card with a different room number, depending on the technology. Otherwise I'll follow you around and if I can have a card cloner, see if I can clone a card and come in.

Host: How would you clone it?

Guest: You can either build or purchase card cloners, but that's depending on the technology being us
