tv The Communicators Black Hat - Cybersecurity How Hackers Work CSPAN October 14, 2017 6:31pm-7:12pm EDT
campaign contributors. our job now is to stand up, fight back and defeat this for rent budget. -- horrendous budget your thank you. >> c-span, work history unfold daily. in 1979, c-span was created as a service by america's cable television companies and is brought to you today by your cable or satellite provider. the blacks visit to cat convention in las vegas continues. we want to introduce you to the founder of a company called cryt onics. what do you do? >> it is a consultancy and services, we basically make their devices more secure. we look at a couple of different things on the device side,
system side, hardware and software engineering. >> there's quite a bit of competition in this field, isn't there? josh: yes, you have to carve out a niche. i work with a lot of cryptographic devices. host: which are what? they need cryptography typically to embed a secret in the device. --everyone uses it every day if you use amazon.com, you use it to protect that information. this is the equivalent on a device level. host: q work with the federal government at all? josh: the short answer is no. i was in the navy academy. but currently i work in the commercial sector. host: why did you get into this field?
it started, i think at the naval academy it started with a group of midshipmen, we were able to do research, i wanted to research cartographic protocol. i was interested in how you could protect communications using cryptography. i was the submarine officer in the navy. i got more into it. deeper into it. to severalve talked people here, a lot of military backgrounds. why is that? has ai think the military unique mission in that it knows the importance of protecting information and communications security. the military is definitely an viewed in you. -- embued in you.
i think that environment leads to understanding threats and how to protect from those threats. i think a lot of people take that out of the military. peter: how does cryptography work? josh: it is based on mathematica and schools. different aspects work differently, but there is one area called a semester -- called asymmetric cryptography, and it works basically by having a hard mathematical problem. an interesting part of these problems, in one direction they are easy to commit -- to compute, but it is hard to reverse it. this is simplified, if you try to take to prime numbers and multiply them together, that is easy, but if you're given a
number and trying to figure out the prime factors, it is a harder problem. peter: do you create cryptographic keys? josh: the devices, it depends on the device. if the device has the capabilities, it can self generate the key, or a manufacturing -- manufacturer may decide to put a device and all the keys. the first is typically more secure because not even the manufacturer would have access to the keys, like what we've heard about with apple and the fbi in the last year or two. peter: you mentioned amazon, is
everyone cryptographically protected? josh: yes. if you talk to google or facebook, is using cryptography. it is built and transparently, most people probably do not realize they are using it, that the use and rely on it to protect communications. peter: what is another form of medication section that is used -- communication protection that is used? josh: if you have a messaging there are a couple of different ones, but you could be texting somebody, and that could be encrypted, and the better ones are encrypted end-to-end, which means even -- means not even a third party, like the owner of the application, has access to that.
only you and the person you sent it to. peter: is it expensive? josh: the expenses not the processing, it is the development. to do that engineering, that's where you pay the extents, -- the expense, if you will. in placeyou have that on something like a modern phone, they are not expensive in time or power to use good peter: as we move into the internet of things, will there be more in more crypto keys? josh: it will be more important. i say that because the internet on items liken phones, they are typically used autonomously. attacks whereome they are able to exploit, like webcams, for example. slightly different, but the ideas that those devices need to
secure way to get from our updates, if they are sending out data, maybe it is temperature data, sensor data, maybe they are connected to sensitive machines, you would not want that data to be intercepted by a third party for competitive reasons or maybe a hacker. peter: there are lots of different doorways into a system, correct? josh: absolutely. the crypto is typically not the first choice of a hacker. there are usually easier methods to get in. it could be they have a password that is the same password everywhere, or is on the website. that is typically the first means of attack. notflipside is if you do implement the crypto property -- properly, you can think you're safe, but attacks could make
that not the case. peter: what do you do to protect your devices? josh: my best tip is i try not to have them. sometimes i going to client meetings with a pen and paper. i am a little old-school. that is not feasible all-time. number one, make updated.ve everything you can have things like a vpn service on your phone, as can protect you if you are using a basicallyi, it encrypts through the immediate network. the number one thing is get a device, and make sure the firmware updates are applied as soon as you have them. peter: do all modern phones come with a vpn? josh: typically. apple, i think there is a way to have a built in.
android, you can use a third-party app. some are paid services. peter: what kind of attacks are you seeing? on the devices, there is a range. the easiest ones are the kind of , the best gold standard of attack is to get remote access into a device. in the typical internet of things deployment, you have one gateway device talking to a bunch of sensors, and they are smaller powers. the gold standard tactic is to attack the gateway through a web protocol, and you can use that gateway device to jump to attack the different sensors. those are the biggest attacks that would have the best bang for the buck for the attacker. some of them focus more on the hardware.
if i can get my hands on the gateway device, i can attach have closerggers, i access to the hardware and can do more sophisticated things. the really dangerous things about that is that even know that is a physical attack, the information i would see from that, i could turn it into a software attack. you take one attacker, he looks at the hardware, he publishes it online for a software attack, and then you really have a hybrid attack, which is quite powerful. peter: are these debuggers available to lehman? -- to laymen. professional ones are more expensive. cheaper versions, they are not as reliable as the professional ones. peter: do hackers leave
fingerprints? josh: the good ones try not to. sometimes you cannot help it. sometimes you are using a tool, maybe he will leave some -- i don't do so much on the forensic side. i don't know that area as well. from what i know, you generally try to not do that. peter: do you presume you're attack, all, cyber the time? josh: yes. and ak it's less paranoia heightened sense of awareness. my wife six i am paranoid. i think it's a military thing. it's more about getting the tax into a threat model. doing something online, knowing these category of attacks could have these impacts and bucketing that information into -- if you are
paranoid all the time, you could not live your life. you could not go in by coffee. you be worried something was in your coffee. it's the same thing in the cyber realm. you need a healthy sense of paranoia that you need to interact online. peter: what is your role here at black hat and def con? josh: i'm working on an embedded attack with joe fitzpatrick, we are teaching 30 people in each class how to take a piece of hardware, connect with the tools, learn what the hardware is doing him a -- is a doing, and maybe use the hardware to prevent an attack. doing a class on bitcoin and hardware wallets. it is basically an embedded
device to help protect what they call your wallet, it is basically your private key, it is how you would send money. peter: crypto currency is coming, isn't it? josh: yes, it is here. and being used. the reason i started looking at that talk, as more people started to use it and the value of the coin is higher, -- bitcoin gets there, i was curious about the hardware. datko, thank you for being on "the communicators." and now, more of our interviews from the black cat convention. company,s, coo of the what does it do?
>> it does a lot. we have been around 17 years and we are in essence penetration testers. hackers for higher. what happens is, if an attacker target you, what is the worst that could happen and how do you react? there's the millions you spent on hardware and software and training, is it working? penr: and you call them testers? yes, penetration testers. for 25en doing this years. we moved to south africa when the internet started, as opposed to london, where there was dial-up andnd
bulletin boards. it was curiosity. i started to fiddle and moved from there. peter: you reverse engineered? daniel: not at the time. i liken it to studies -- two stories my daddy's tell about walking barefoot to school backwards. the wealth of information out there is unbelievable. it takes very little to hack today, you have youtube and tutorials. 20 years ago, there was not much. it was a true wild west, nothing out there. now is a very exciting time. peter: should the internet -- that information be on the internet? daniel: i liken it to a knife. you can do really good things with a knife but you can also do really bad things. it depends on how you use it.
there is a definite need for integration testing, that some take it a step forward -- step further. red teaming.ood at peter: witches? -- which is? access,we try to gain is a full service. bone as you can get. peter: when you go into red team testing, you're trying to say, break into ibm? daniel: it could be whatever the client wants. the client can say, we think we are secure, have a great new phone coming out and we want to detect it, that our people are doing the right thing, and how do we stand up?
does the board say, we're probably going to be breached mark, to be want to look really good? peter: are attacks happening everyday? daniel: yes, sadly i think it is easier. the bad side of the information made freely available is the attacks have gone through the roof. it is commonplace for us to hear about breaches. a couple of years ago, you would maybe hear about a company every now and again getting breached. now it is commonplace. i think that is part of the world we live in today. peter: where are you based? daniel: london. peter: can you do you work from anywhere? daniel: i can. yes, you can, if you are dedicated and do the job well, you have the benefit of living anywhere with internet access. peter: if you have a laptop and internet access, could you breach a lot of phones in this
room right now? thatl: it's easy to say yes, we get target the phones. i think hollywood has glamorized hacking. but yes, it is still quite easy to target a phone, especially in older android device. apples latest device, it is pretty secure, it is annoying to hackers and to law enforcement trying to get access. peter: could you break into this room? daniel: physically? peter: electronically? daniel: yes. peter: easily? daniel: yes. peter: going back to what i said earlier, should that information be out there and available? hand,: on the one manufacturers should make the stuff more secure. a bit like autonomous car spirit we expect stuff to be built properly. when i built -- when i buy a
microwave, i expected is not going to kill everyone in the house. with the internet of things, there is a terrible track record of security. they have to be tested. the information that someone may be uses to test that stuff, it could be benefit when they find a vulnerability and they use -- ,nd they work with the company here is the vulnerability, here is how you fix it. peter: is it important to know the motives of the black hat hackers? daniel: yes. i am nervous about colors. think the meetings have become diluted. i think you have those who are criminally minded. then you have those who genuinely want to help. if you look at those who reports on her abilities, -- report vulnerabilities, here is how you can make your product better.
i think motive is important. peter: do hackers leave a trail? daniel: bad ones do. peter: good ones? daniel: if you are a really good attacker and you know what you're doing, it is hard. attribution is difficult to do right. peter: what are you currently doing? >> i get to hack stuff and manage training. peter: what exactly is hacking? >> traditionally, hacking was more around loving and making stuff. -- around building and making stuff. now, society sees it as breaking into systems. traditionally, it is approaching problems and solving them in various ways. peter: if you wanted to go hack something, how would you do it?
where would you start? sam: do you want to give me an example? peter: break into the las vegas international airport, which is right behind us. rake into their -- break into their security system. what i would first do, i would probably research staff members who work at the airport. humans are normally the weakest link. vince often easier to con to click on something. peter: this is social engineering? sam: yes. not necessarily lie my way in, but i would compile a list of people who work for the company, then i would research those people, go through their facebook, twitter, whatever social media they have. find out what their interests
if i can getg information on the technology they use. them -- be them posting a photo of their new phone or laptop or something like that. learn about the technologies they are using. for more information have, the more likely would -- likelihood i could succeed in an attack. if you want to send a malicious document to them, if i have researched them on facebook, i can write up something that would be interesting to them to open and convince them to open the document. once they have opened the document, i would have control of their computer. say it is a laptop, maybe the laptop is at home, i have the system to access, when they go into work the next, i might have access to the airport. peter: how would you break into this room?
?hrough the electronic lock to thewould get access key card, then investigate the technology. would probably spend a couple of days doing that. write myee if i could own key card with a different , i woulder, otherwise see if i could clone a card. peter: how would you clone it? sam: you can purchase card cloners the spinning on the technology -- depending on the technology. peter: is there anywhere safe anymore in the additional world? -- in the digital world? sam: not really. there's an old african saying, lien is chasing you, you don't need to outrun the lion, you just need to outrun your
friend. peter: where are you based? sam: out of africa. peter: can you do your work anywhere? sam: anywhere in the world. peter: as long as you have a laptop. sam: laptop and internet connection. peter: standard laptop. nothing special, off-the-shelf. we generally run a lot of different operating systems on our machines. i think most hackers are on a mac, sometimes of pc. we are paranoid about security, so we segment our systems. environments on our machines. we try to segregate what we do. i am writing reports for clients, and probably doing that on a windows virtual machine, because i need to use office, that i would not use it for anything else.
only for reporting. nothing else will be installed on it. it will be completely isolated. has sensepost been hacked? sam: not as for as i know. we are preparing annoyed. we monitor our networks pretty well. we take a lot of care. peter: would you know if you have been hacked? sam: i think we're pretty good at what we do, we would know, we would figure it out, but is hard to conclusively say. if you look at some of the breaches from the last couple of years with capability put out there for the public to see, it is scary. if you have enough budget, it capability is exponentially above what is publicly known. peter: your websites as you specialize on tracking down internet jihadists.
what are they? be enumerating real jihadists and terrorist groups, their social media presence, finding the terrorist cells. recently they have been using social media to get the message across, the have joined the high-tech world. at the same time, they are spewing information about themselves just like all of us, personal information on the internet, their connections, friends and associates. where they are logging in from. once it is on the internet, it is there forever, even if they try to delete it. there are a lot of places it gets indexed and saved. if you know where to look and how to do some basic link analysis, is quite easy to track down that information. peter: how often do you change your password? sam: depending on which password. gosh,st of them i change,
every two or three weeks probably. i quite often forget my passwords. i choose very long passwords, i use a password manager, but often it is easier to reset passwords. i have multi factor authentication on all my important services. peter: what is the best thing laymen can do who don't work in this field but want to feel productive? sam: i would say be paranoid about email. if someone is sending documents to you, be very careful what you open. make sure you trust where it is coming from, look at the grammar and working, nature it is from the source you are expecting it. if anything pops up at the open upocument, that should send a red flag, send it to someone who can investigated. with your basic security on the internet, don't click on links
that pop up on websites, they can send you to dangerous places. regarding passwords, using a password manager is a very good idea to save your passwords securely. probably the most important thing for passwords is to have unique passwords for each site. something long. we have been trained for years to choose passwords that are easy to crack for machines and hard to remember for people. a good example of a password is a phrase, "i like to go swimming in the sea and not get attacked by a shark." very long, hard to crack for hackers but incredibly secure. having that different on each site. we have lots of sites getting preached over the years, that information on the internet, and that people making use of that. peter: what is your role here at black hat?
sam: am currently training. i am giving our black ops master course, which is modeled on the russian underground, the andbility they have, showing security people interested in it what the capability is so they can better defend against it. peter: is the russian underground specialized in this area? sam: i would say they are probably leading the criminal syndicate, the gang of cyber offensive at the moment. peter: sam hunter, thank you for your time. sam: thank you. peter: joining us from the black hat convention, dr. melissa kilby. what is your role here? the first mission is to
engage with the cyber security community, and my second goal is to teach data science to professionals. cofounded a company to bridge the gap between several security moreata, and bring advanced data wrangling skills into the cyber security community. peter: what is the gap between cyber and data science? melissa: there are a lot of different tools people use, they know how to use, but it takes a lot of time. people from data science is admintools that are fast deleting data and getting data into the correct format and perform advanced analytics. there is a large gap currently. people in cyber security, they
know cyber in and out but they don't really know how to do more advanced predictions and advanced analytics with their data. on the other hand, data scientist come in and i know nothing about cyber security. gap, bridging the explaining the gap in terminology and technology. peter: you are the types of people who will attend your conference? melissa: all different sorts. cyber security experts, business people, reverse engineers, software engineers, and also people that are just interested in learning more about data science. peter: what is your background? what is your specialty? melissa: biomechanics. i started in cyber security a year and a half ago, and it is super exciting to be in cyber security. peter: when you say biomechanics, what are those? melissa: it is about the human body, motor control, learning
how we as humans evolve and learn, and how to control our emotions. peter: is there a connection between that and cyber work? melissa: yes. you have high dimensional data, complicated data, and it is the same question. we want to understand something that is deep with data and we don't know how to go about it. it is also a recurrent theme in cyber security. me,ople -- people approach i say they have all of this data, what did they do about it? it is always the same question. is there a social engineering aspect to your work? melissa: social engineering is one field of cyber security, where data signs and machinery -- data science and machinery are developed. machine learning is much more advanced in insecurity.
my feeling is people should zoom out a little and approach cyber security as a whole. get the bigger picture. peter: you talk about machine learning. where are we in advancements with that? melissa: instead of defining what machine learning is, it is easier to say what it does. it produces smart machines. now your computer can make decisions on its own. isn't that crazy? calleds another term artificial intelligence, taking it one step further. we as humans don't have to intervene anymore, people call it raw data, think about any kind of data, it passes to the machine and the machine magically on its own learned how to make useful predictions.
we do not think that artificial intelligence will replace humans, but augment the capability. the current state of the art is that a lot of processes are very manual. cyber security analysts have to sit down, look at the data, and also heavily depends on the skill level of the analyst. you use machine learning or artificial intelligence, you can take the process to the next level. we can find malicious activity that no one knows about yet. cyber security is a dynamic field. tomorrow is not necessarily like today, unfortunately. peter: are we using machine learning and ai right now in cyber security? melissa: yes, i am pleased to observe people are using it more and more. yes, a few startups know how
to apply it to sever security. everyoneike to see using machine learning and data science. this is what our courses about, to bridge the gap, so that every cyber security analyst knows how to quickly manipulate the data, did it into the right format and make the machine smart so they don't have to do the job. again, it is not about replacing the analyst, it is about augmenting the capability. peter: your phd is from the university of georgia. what we working on their? -- there? complicatedwas a field, i was researching and comparing all people to young people to see how posture changes over time. i was also performing real-time streaming experiments. just think if you have the space
in front of you and you try to balance your body out and see how you perform. your --took a set for further come into virtual reality. world open whole new up understanding how humans learn to control our bodies and how they function. to take that knowledge to cyber security is, again, the same problem. they're researching something we don't necessarily understand very well. we don't even know what we are looking for. i would like to see a lot of people tackle this even more. right now it is more, we want to look for something that happening on our network, our computer that we know well before. we should be looking for something we don't expect to find.
in cyber security there is a dayscalled zero days, zero are things we don't know today. exploits, vulnerabilities that can cause the next worldwide cyber attack. peter: was there a lightbulb moment major switch in the cyber security? melissa: i wish there was. it just really happened by accident. i slipped into cyber security and i am so happy about it. it is such an exciting field. it is challenging, very fast-paced, technology changes very fast over time, and yes, i cannot be more fortunate to be a cyber security data scientist. peter: what does your company do? melissa: we provide services for the u.s. government, and i'm very excited to announce that nameompany will change its
to two-six labs this week. peter: where did this come from? melissa: i just started the company, but i know a secret that on the 26th of january, the company became independent from invencia. peter: you mentioned you were also here to learn and interact with other cyber security expert. what are you hoping to learn? do you have a goal? melissa: i hope to overtime to come a hacker myself. to learn more about how cyber manualy analysts do process, so i can update myand transfer it -- so i can update my knowledge base and transfer it to other fields. smart, theynes are help humans make better predictions. peter: you are originally from
frankfurt, germany. our similar efforts going on in germany that you see here in the united states? melissa: i probably don't know, but i assume yes, data slants worldwide is becoming bigger and bigger and also a big thing in several security. peter: dr. melissa kilby, inc. you for being here. -- thank you for being here. >> c-span, or history of. it. in 1979, c-span was created as a public service by america's cable television companies and is brought to you today i your cable or satellite provider. >> c-span's "washington journal," live every day with news and policy issues that impact you. sunday morning, tea party patriots co-founder discusses her groups call for mitch
mcconnell to resign. a politico energy reporter on the epa's decision to roll back the obama administrations clean power plan. and former cbs and nbc chief diplomatic correspondent talks about his new book on russia and communism. be sure to watch "washington 7:00 a.m.live at eastern sunday morning. approvedeek, the house $36.5 billion in disaster relief to help those affected by recent hurricanes and wildfires. nearly half of that funding will go to fema, and another portion will go toward debt relief for the national flood insurance program. the senate is likely to consider the measure next week. here is a look at some of the debate from the house floor. for what purpose does the gentleman from new jersey seek reit