Host: And now joining us on The Communicators is Saumil Shah. Mr. Shah, what does Net-Square do?

Guest: Net-Square tries to help its customers secure themselves. We are a very small company in India. We do what's called penetration testing: testing your defenses by attacking them. That's what we've been doing for 16 years now.

Host: So it's kind of a pro-defense, or an active defense?

Guest: Yeah. It's an active offense, and you see how well your defense stands up to the latest and greatest of techniques.

Host: So, are you a hacker?

Guest: Yes, I am. Yes, I am, if I were to say that myself.

Host: How did you get into that?

Guest: It's a long story. I think I was always interested in taking things apart. If people ask me what I've built, I'll say I've only broken things in the past 20 years. I've rarely built anything. I have been playing around with microcomputers since the '80s along with my dad to see how it worked. There's little or no help available. You've just got to try it until things fall apart to see how things are built, how they're put together. So I didn't know this was going to be a viable career option until I graduated out of Purdue, and companies were looking: hey, can you hack Unix systems? I want that job; it'll keep me out of trouble. So that's how I got into attacks and penetration.

Host: So you would be hired by a company, and they would say, come hack our system?

Guest: That's right. That's precisely how it's done. They'd set a target, saying here are the assets of value, and see what a real-life thief can do, or a real-life, focused attacker can do. How fast can they get through, what kind of monetary loss will be suffered, and what's the impact to our organization or our customers? And then we give them a reality check, as I would call it. Testing, rattle the cages, probe the systems, get in and actively steal stuff.

Host: How easy was it?

Guest: So let me say my track record is very close to 100%. Easiness is totally dependent upon the time you have. How well you scout out the perimeters, how well you know the organization, how well you know the technology. And most importantly, how well you know the mindset of the people who are behind this technology. What are the daily challenges, what will they fall for? Hackers don't hack computers; hackers hack humans. Computers are just a way of getting to the humans. Once you get into the human mindset, making a human do stuff at your will turns out to be rather easy.

Host: What's a common way of hacking?

Guest: There's several ways. The simple ways would be just what we call social engineering. We trick people into doing what you want them to do. There's some sort of an enticement. You've heard of phishing attacks, people downloading free software from the internet just because it's free. You just get them to install what you want; that's the easiest way. And that is still a very successful technique, even though it's been 20 years that the world has seen these techniques. People still fall for it. Because on the internet it's very easy to trust a bunch of fixtures instead of characters. Who knows it's really you? You're just whoever you want to be. And it's easy to entice people into doing things you want them to do. That's the easiest vector. The harder ones are to kind of take a product that is well used or a technology that is well used, and find a bug in it. We call that a zero-day, and once you have it, it's like you have power over that entire deployment of this technology. Say, for example, a browser or a camera or a smart fridge or an enterprise-class storage device. If it's widespread and it's common, then your infections can get everywhere. We've seen those campaigns, two recent campaigns like WannaCry, that happened two months apart not too long ago.

Host: Did they begin with somebody simply opening an email?

Guest: No. This was a very... so there were no email-driven attacks in WannaCry. These were, essentially, Windows computers that were left unpatched. A bug was discovered; it's been known for a long time. A few proactive organizations patched themselves, and they were able to escape the problem. A few organizations were falling behind, and they didn't attribute the importance of this bug simply because there were no fires breaking out. And the first fire that broke out was a bad one, and it spread like an uncontrolled forest fire over the internet. It's a little bit like populations and genetic makeup. If you think of human diseases, you have common genetic traits. And if you have these common genetic traits, you are prone to an illness, and an illness can become an epidemic or plague rather quickly, and that's how it spreads. The only way you can avoid it is by vaccinating yourself so you don't get hit by this weakness again. But the true defense to such a plague is a heterogeneous population, so the infections kind of stay curtailed to a group and don't spread across an entire community. That's kind of what we've seen with the digital landscape. There's too much skew of a very similar type of technology used globally across enterprises.

Host: So to put this in technological terms, if a company has one computer system all connected with each other, that can be more dangerous than having different systems?

Guest: So let me rephrase what I said. And this is kind of like a paradoxical area. If the organization has the same type of computers or the same type of operating system on all their desktops and all of them are not patched, even if a few of them are not patched, these become an entry point. Now, what WannaCry did was they would find a beachhead on one of these systems and try to spread through the internal network. Once they're inside the network, it's very easy to spread laterally. They can move across connections to other computers. They simply piggyback on the [inaudible] of maximum use, and then they go from one computer to the other. The paradox is, to manage a large organization you need homogeneity. You need standard deployment. One bug hits all, in a way.

Host: Was something like WannaCry, was that a financial incentive to burrow into the system?

Guest: There's always a motive. Attacks are rarely done without motive. Attacks aren't done for the fun anymore. I believe the smoke screen was just ransomware. So you can lock up computers en masse and just demand extortion money, saying, here, pay me $300, and I will send you the keys to unlock it. But I believe that was a smoke screen. I believe the real purpose was something else. Maybe there were some targeted attacks, maybe some key organizations or individuals that were being targeted, and there was a deeper wave of attacks. I personally haven't analyzed the deep mechanics of the worm or seen the back traffic, what's going on, so I wouldn't be able to comment. But it seems to be too much, too sophisticated of an operation for just ransomware.

Host: What's your recommendation to companies, such as a company that might be infected with something like this?

Guest: So it's kind of time that we move away from the very reactive nature that we're seeing. We're seeing a get-infected-and-patch cycle. There's always a fire breaking out, and there's always people scrambling, organizations scrambling to put out the fires. We have the duty of this ourselves, because we tell all our customers, keep on patching, keep on patching. This is advice that used to work ten years ago; it doesn't work anymore. It's not easy to patch a very large organization and keep on patching it month after month. Yes, that's what the recommended thing is, but today we have to really think of proactive defense. We cannot keep reacting to attacks anymore. We have turned the whole concept around. You have to set booby traps, you have to create customized environments. We have to engage in threat hunting. I'll give a simple example. Set up a honeypot: set up a credit card that is never used. Program the credit card number into all your banking systems. The minute that number is pulled up, you know something funny is going on, because nobody knows of that number other than you. Why should this number be accessed? Why should somebody be making a balance inquiry into this account? Why should it be seen on a point-of-sale system at a gas station? You're actually looking for the threat: you're putting out the bait, the attackers take the bait, and then you figure out their tactics and figure out a strategy. That's how you defend yourself tomorrow. Another thing is we've seen a paradigm shift: the weight of the internet has shifted from the desktops to the mobile environment from an end-user perspective. Common users are using mobile operating systems way more than they're using a desktop for their day-to-day needs. We need to bring that into the enterprise. We need to say that, hey, we want to create a custom deployment of our own operating system specifically for our own organization. Why do we have to keep a general-purpose Windows to do day-to-day business when we can take a customized Android environment, deploy it across species, manage it consistently and be resistant to common attacks? We support it going ahead and we control everything. We create custom [inaudible]. This would be the way to go forward. Change your genetic makeup and be resistant to the disease rather than vaccinating yourself and scrambling all the time and playing catch-up and getting infected with a new strain every time it comes out.

Host: Are mobile devices inherently more dangerous or conducive to hacking, perhaps, than a desktop?

Guest: On the contrary. Mobile devices are way more resilient to attacks than a general-purpose desktop. You can't plug in a printer or an iPad to a phone, not that easy. You can't download software and stick it into your phone unless you've jailbroken it. But mobiles have been designed with a very different approach. Ground-up, you can say, there's containers, there's compartmentalization, there's privacy features, there's automatic updates; a lot of stuff is built in that doesn't exist on a general-purpose operating system. The environment is tuned for personal use. And general-purpose operating systems are tuned for multi-user use. Or we all came from Unix, which is a server environment which is able to support any type of computing activity. So it's like the least common denominator. You can do anything you want, and that's what's not working on a desktop model. You need a well-designed personal operating system, and that's what Android and iOS and other mobile operating systems offer. It's time we take this and create an organization-centric computing environment derived from these, and that would be the new way of looking at things.

Host: Can somebody be unaware that they've been hacked?

Guest: That's my...

Host: For a long time?

Guest: That's something that gives me a knot in my stomach. Am I already hacked? Even though I practice good computing health, so to speak. I don't know if I'm really owned or not. If my phone restarts in the middle of the night, if my browser screen flickers, I don't know if it's just a glitch, it's just a bug in the software, or is it, like, something that's already there? I can never be too sure. But, you know, I just live under that threat.

Host: What else is out there? What's coming?

Guest: What's coming? What's coming is big data. What scares me, what terrifies me, is the ability for organizations with deep pockets to manipulate populations en masse. You can manipulate a nation. You can manipulate the thought process of an entire continent simply by playing games with big data analytics. You can make people happy or sad at will if you control the social media network. Facebook got caught doing an experiment where they were tweaking users' timelines, populating a set of users with just happy news, bubbling that up to the top, populating another set of users with depressing news, and seeing how each population reacted. And the happy news people started being happier, and the reason they got caught... I don't know what didn't get caught. That's what terrifies me. Today we believe we are a free society; we have democratic control in most developed and upcoming nations. But are our thought processes being daily monitored and influenced by us giving up information to social media at will? We're being tracked, we're being analyzed, we're being monitored. What terrifies me is we are also being predicted upon. What will I do next, what will I do after the interview, where will I go? The Googles and the Facebooks have already made their predictions where I'm going to head next. All they have to do is verify whether I really went back to my apartment or whether I went to my favorite restaurant to have a meal. The predictions match; they can call what I'm going to do next. And they can do it for a population en masse. Because today computing power is dirt cheap. It's easy to predict what's going to happen to a large population in the next 24 hours. And if most of it can come true, this is activity that you can monitor. And this is activity that you can use to influence. That's what's coming next.

Host: What do you do on your personal cell phone to protect yourself?

Guest: I follow the practice of minimum use. If I don't want to use it, I don't have it. I don't want to download the whole internet. I keep my use for that specific purpose. To my friends and family, I say avoid digital gluttony. Take what you need. Don't use it beyond what you really need to use the device for. Get stuff done, unplug, stay analog, listen to music, paint, go out, have fun. Let's not stay connected to the screen 24/7. Keep your digital life and personal life separate. There's no need to tell the world that you're going on a vacation. It's not that your friends aren't going to appreciate it; just don't advertise yourself. We lead very different lives digitally and non-digitally. In our house we're wired about privacy; we don't want people snooping through the windows. In the digital world, we live in a glass house and walk around naked. It's a hypocritical situation that individuals don't realize, but they don't see who's looking at you. It's the disconnect that the screen and the technology offer which gives you a false sense of safety and security, but it's really not. It's way more intrusive than a stalker lurking around your neighborhood. So that's what I do: I just minimize my use and unplug. Basically, I just trust that my other friends or colleagues are trusting things. So if they trust something, I value them and I trust. If you tell me, install this app, I probably won't unless I get this validated from several others that, okay, this is safe to use. And, of course, the geek that I am, I try to install it and take it apart and find out whether it's safe to use or not.

Host: What are some of these apps doing under the radar?

Guest: Several activities. One of the most insidious things they do is geolocating. They just track your geographical movements. There's a lot of stuff they can do. Now they're giving you the ability of voice command, which means they can enable the microphone 24/7 and listen to everything that you're saying. Potentially there are manufacturers that have been caught with this, TV manufacturers and home entertainment device manufacturers that have kind of listened to families in the living room and even watched them on camera. There are promises to store your photographs for free, but what they're doing is they're just becoming the eyes in your pocket. If you go to Yosemite Park and take a photo, the company knows you're there, and they see what you've seen already. There's nothing that's free. Free is a myth. There's always something that's being taken in order to give you a free service. And what's taken is your own freedom in exchange for the word free.

Host: Has the cloud made it worse?

Guest: The cloud has enabled mass-scale computing and mass-scale analytics at a staggering rate. Whether it's worse or good, I don't know. It's definitely connected a lot of people together. If you're working for an NGO, it makes it easier for you to do work across the globe and help your mission. If you're spying on nations, it makes it very easy to control a population. So it's a double-edged sword. The cost of computing and the cost of storage has plummeted according to Moore's law, and I believe in 2007 somebody could own a supercomputing cloud infrastructure of 1999 on their desktop, and in 2011 that of 2007. And if you trace the progress of the digital world from 2007 onwards, the past ten years, things have been ramping up. 90% of the data generated on the internet has been generated in the past 11 months. By the time 11 months have rolled by from this conversation, the data on the internet today will only be 10% of what it is next year, and nine times as much data will have been added in. So the rate at which storage is going is astronomical. It's not an exponential curve. It went this way and then just shot up into space. With this amount of data and computing power, real-time analytics is getting closer to reality, where the machine will be able to feel the pulse of humanity 24/7.

Host: What's your role at Black Hat?

Guest: I've been at Black Hat now for... this is my 18th year. I came as a visitor in 1999. I was fascinated with the culture, the openness, the research, the global melting pot of geeks who come together and just share knowledge. They thrive on it. In 2002 I started speaking at Black Hat, I started teaching at Black Hat, and I have not stopped. I've done so for several conferences around the world. This is where I learn new things, this is where I meet some of my best friends, some who I consider family. This is where I exchange information, I validate myself. I enjoy mentoring a few people. Now my role at Black Hat is more of a veteran. I enjoy teaching the classes. It keeps me sharp, it keeps me focused. I enjoy interacting with other speakers. I don't get to research into new things on my own as much. I force myself to research new things by coming to these events. By teaching, I have to stay ahead of the curve, ahead of the students. By meeting other speakers and picking up the talks, I get to know what's the latest and greatest around. And then, of course, it's sort of like a pilgrimage. Every year I've got to be here this time of year. I hope I can make it to 20 years of Black Hatting.

Host: Are individuals and companies investing enough in cybersecurity?

Guest: There's a lot of money in cybersecurity. They're investing more than