comparemela.com

System side, hardware and software engineering. There's quite a bit of competition in this field, isn't there?

Josh: Yes, you have to carve out a niche. I work with a lot of cryptographic devices.

Host: Which are what?

They need cryptography typically to embed a secret in the device. Everyone uses it every day; if you use amazon.com, you use it to protect that information. This is the equivalent on a device level.

Host: Do you work with the federal government at all?

Josh: The short answer is no. I was in the navy academy. But currently I work in the commercial sector.

Host: Why did you get into this field?

It started, I think at the Naval Academy, it started with a group of midshipmen, we were able to do research, I wanted to research cryptographic protocol. I was interested in how you could protect communications using cryptography. I was the submarine officer in the Navy. I got more into it. Deeper into it.

I've talked to several people here, a lot of military backgrounds. Why is that?

I think the military has a unique mission in that it knows the importance of protecting information and communications security. The military is definitely imbued in you. I think that environment leads to understanding threats and how to protect from those threats. I think a lot of people take that out of the military.

Peter: How does cryptography work?

Josh: It is based on mathematica and schools. Different aspects work differently, but there is one area called asymmetric cryptography, and it works basically by having a hard mathematical problem. An interesting part of these problems, in one direction they are easy to compute, but it is hard to reverse it. This is simplified, if you try to take two prime numbers and multiply them together, that is easy, but if you're given a number and trying to figure out the prime factors, it is a harder problem.

Peter: Do you create cryptographic keys?

Josh: The devices, it depends on the device.
If the device has the capabilities, it can self-generate the key, or a manufacturer may decide to put a device and all the keys. The first is typically more secure because not even the manufacturer would have access to the keys, like what we've heard about with Apple and the FBI in the last year or two.

Peter: You mentioned Amazon, is everyone cryptographically protected?

Josh: Yes. If you talk to Google or Facebook, it is using cryptography. It is built in transparently, most people probably do not realize they are using it, that they use and rely on it to protect communications.

Peter: What is another form of communication protection that is used?

Josh: If you have a messaging, there are a couple of different ones, but you could be texting somebody, and that could be encrypted, and the better ones are encrypted end-to-end, which means not even a third party, like the owner of the application, has access to that. Only you and the person you sent it to.

Peter: Is it expensive?

Josh: The expense is not the processing, it is the development. To do that engineering, that's where you pay the expense, if you will. In place you have that on something like a modern phone, they are not expensive in time or power to use.

Peter: As we move into the internet of things, will there be more and more crypto keys?

Josh: It will be more important. I say that because the internet on items liken phones, they are typically used autonomously. Attacks whereome they are able to exploit, like webcams, for example. Slightly different, but the idea is that those devices need a secure way to get firmware updates, if they are sending out data, maybe it is temperature data, sensor data, maybe they are connected to sensitive machines, you would not want that data to be intercepted by a third party for competitive reasons or maybe a hacker.

Peter: There are lots of different doorways into a system, correct?

Josh: Absolutely.
The crypto is typically not the first choice of a hacker. There are usually easier methods to get in. It could be they have a password that is the same password everywhere, or is on the website. That is typically the first means of attack. Notflipside is if you do implement the crypto properly, you can think you're safe, but attacks could make that not the case.

Peter: What do you do to protect your devices?

Josh: My best tip is I try not to have them. Sometimes I go into client meetings with a pen and paper. I am a little old-school. That is not feasible all the time. Number one, make everything updated. You can have things like a VPN service on your phone, as can protect you if you are using a basicallyi, it encrypts through the immediate network. The number one thing is get a device, and make sure the firmware updates are applied as soon as you have them.

Peter: Do all modern phones come with a VPN?

Josh: Typically. Apple, I think there is a way to have a built-in. Android, you can use a third-party app. Some are paid services.

Peter: What kind of attacks are you seeing?

On the devices, there is a range. The easiest ones are the kind of, the best gold standard of attack is to get remote access into a device. In the typical internet of things deployment, you have one gateway device talking to a bunch of sensors, and they are smaller powers. The gold standard tactic is to attack the gateway through a web protocol, and you can use that gateway device to jump to attack the different sensors. Those are the biggest attacks that would have the best bang for the buck for the attacker. Some of them focus more on the hardware. If I can get my hands on the gateway device, I can attach debuggers, I have closer access to the hardware and can do more sophisticated things. The really dangerous thing about that is that even though that is a physical attack, the information I would see from that, I could turn it into a software attack.
You take one attacker, he looks at the hardware, he publishes it online for a software attack, and then you really have a hybrid attack, which is quite powerful.

Peter: Are these debuggers available to laymen?

Professional ones are more expensive. Cheaper versions, they are not as reliable as the professional ones.

Peter: Do hackers leave fingerprints?

Josh: The good ones try not to. Sometimes you cannot help it. Sometimes you are using a tool, maybe he will leave some. I don't do so much on the forensic side. I don't know that area as well. From what I know, you generally try to not do that.

Peter: Do you presume you're under cyber attack all the time?

Josh: Yes. It's less paranoia and a heightened sense of awareness. My wife says I am paranoid. I think it's a military thing. It's more about getting the attacks into a threat model. Doing something online, knowing these categories of attacks could have these impacts and bucketing that information into, if you are paranoid all the time, you could not live your life. You could not go and buy coffee. You would be worried something was in your coffee. It's the same thing in the cyber realm. You need a healthy sense of paranoia that you need to interact online.

Peter: What is your role here at Black Hat and DEF CON?

Josh: I'm working on an embedded attack with Joe Fitzpatrick, we are teaching 30 people in each class how to take a piece of hardware, connect with the tools, learn what the hardware is doing, and maybe use the hardware to prevent an attack. Doing a class on Bitcoin and hardware wallets. It is basically an embedded device to help protect what they call your wallet, it is basically your private key, it is how you would send money.

Peter: Cryptocurrency is coming, isn't it?

Josh: Yes, it is here. And being used. The reason I started looking at that talk, as more people started to use it and the value of the coin is higher, Bitcoin gets there, I was curious about the hardware.
Datko, thank you for being on The Communicators. And now, more of our interviews from the Black Hat convention.

COO of the company, what does it do?

It does a lot. We have been around 17 years and we are in essence penetration testers. Hackers for hire. What happens is, if an attacker targets you, what is the worst that could happen and how do you react? There's the millions you spent on hardware and software and training, is it working?

Peter: And you call them pen testers?

Yes, penetration testers. Been doing this for 25 years. We moved to South Africa when the internet started, as opposed to London, where there was dial-up and bulletin boards. It was curiosity. I started to fiddle and moved from there.

Peter: You reverse engineered?

Daniel: Not at the time. I liken it to stories my dad tells about walking barefoot to school backwards. The wealth of information out there is unbelievable. It takes very little to hack today, you have YouTube and tutorials. 20 years ago, there was not much. It was a true wild west, nothing out there. Now is a very exciting time.

Peter: Should that information be on the internet?

Daniel: I liken it to a knife. You can do really good things with a knife but you can also do really bad things. It depends on how you use it. There is a definite need for integration testing, that some take it a step further. Red teaming. Ood at

Peter: Which is?

We try to gain access, is a full service. Bone as you can get.

Peter: When you go into red team testing, you're trying to, say, break into IBM?

Daniel: It could be whatever the client wants. The client can say, we think we are secure, have a great new phone coming out and we want to detect it, that our people are doing the right thing, and how do we stand up? Does the board say, we're probably going to be breached mark, to be want to look really good?

Peter: Are attacks happening every day?

Daniel: Yes, sadly I think it is easier.
The bad side of the information made freely available is the attacks have gone through the roof. It is commonplace for us to hear about breaches. A couple of years ago, you would maybe hear about a company every now and again getting breached. Now it is commonplace. I think that is part of the world we live in today.

Peter: Where are you based?

Daniel: London.

Peter: Can you do your work from anywhere?

Daniel: I can. Yes, you can, if you are dedicated and do the job well, you have the benefit of living anywhere with internet access.

Peter: If you have a laptop and internet access, could you breach a lot of phones in this room right now?

It's easy to say yes, we can target the phones. I think Hollywood has glamorized hacking. But yes, it is still quite easy to target a phone, especially an older Android device. Apple's latest device, it is pretty secure, it is annoying to hackers and to law enforcement trying to get access.

Peter: Could you break into this room?

Daniel: Physically?

Peter: Electronically?

Daniel: Yes.

Peter: Easily?

Daniel: Yes.

Peter: Going back to what I said earlier, should that information be out there and available?

On the one hand, manufacturers should make the stuff more secure. A bit like autonomous cars. We expect stuff to be built properly. When I buy a microwave, I expect it is not going to kill everyone in the house. With the internet of things, there is a terrible track record of security. They have to be tested. The information that someone maybe uses to test that stuff, it could be a benefit when they find a vulnerability and they work with the company: here is the vulnerability, here is how you fix it.

Peter: Is it important to know the motives of the black hat hackers?

Daniel: Yes. I am nervous about colors. I think the meanings have become diluted. I think you have those who are criminally minded. Then you have those who genuinely want to help.
If you look at those who report vulnerabilities, here is how you can make your product better. I think motive is important.

Peter: Do hackers leave a trail?

Daniel: Bad ones do.

Peter: Good ones?

Daniel: If you are a really good attacker and you know what you're doing, it is hard. Attribution is difficult to do right.

Peter: What are you currently doing?

I get to hack stuff and manage training.

Peter: What exactly is hacking?

Traditionally, hacking was more around building and making stuff. Now, society sees it as breaking into systems. Traditionally, it is approaching problems and solving them in various ways.

Peter: If you wanted to go hack something, how would you do it? Where would you start?

Sam: Do you want to give me an example?

Peter: Break into the Las Vegas International airport, which is right behind us. Break into their security system.

What I would first do, I would probably research staff members who work at the airport. Humans are normally the weakest link. Often easier to convince them to click on something.

Peter: This is social engineering?

Sam: Yes. Not necessarily lie my way in, but I would compile a list of people who work for the company, then I would research those people, go through their Facebook, Twitter, whatever social media they have. Find out what their interests are, if I can get information on the technology they use. Maybe them posting a photo of their new phone or laptop or something like that. Learn about the technologies they are using. The more information I have, the more likelihood I could succeed in an attack. If you want to send a malicious document to them, if I have researched them on Facebook, I can write up something that would be interesting to them to open and convince them to open the document. Once they have opened the document, I would have control of their computer.
Say it is a laptop, maybe the laptop is at home, I have access to the system, when they go into work the next, I might have access to the airport.

Peter: How would you break into this room?

Through the electronic lock. Would get access to the key card, then investigate the technology. Would probably spend a couple of days doing that. See if I could write my own key card with a different , I woulder, otherwise see if I could clone a card.

Peter: How would you clone it?

Sam: You can purchase card cloners, depending on the technology.

Peter: Is there anywhere safe anymore in the digital world?

Sam: Not really. There's an old African saying, lion is chasing you, you don't need to outrun the lion, you just need to outrun your friend.

Peter: Where are you based?

Sam: Out of Africa.

Peter: Can you do your work anywhere?

Sam: Anywhere in the world.

Peter: As long as you have a laptop.

Sam: Laptop and internet connection.

Peter: Standard laptop.

Nothing special, off-the-shelf. We generally run a lot of different operating systems on our machines. I think most hackers are on a Mac, sometimes a PC. We are paranoid about security, so we segment our systems. Environments on our machines. We try to segregate what we do. I am writing reports for clients, and probably doing that on a Windows virtual machine, because I need to use Office, that I would not use it for anything else. Only for reporting. Nothing else will be installed on it. It will be completely isolated.

Has SensePost been hacked?

Sam: Not as far as I know. We are pretty paranoid. We monitor our networks pretty well. We take a lot of care.

Peter: Would you know if you have been hacked?

Sam: I think we're pretty good at what we do, we would know, we would figure it out, but it is hard to conclusively say. If you look at some of the breaches from the last couple of years with capability put out there for the public to see, it is scary.
If you have enough budget, the capability is exponentially above what is publicly known.

Peter: Your website says you specialize in tracking down internet jihadists. What are they?

Be enumerating real jihadists and terrorist groups, their social media presence, finding the terrorist cells. Recently they have been using social media to get the message across, they have joined the high-tech world. At the same time, they are spewing information about themselves just like all of us, personal information on the internet, their connections, friends and associates. Where they are logging in from. Once it is on the internet, it is there forever, even if they try to delete it. There are a lot of places it gets indexed and saved. If you know where to look and how to do some basic link analysis, it is quite easy to track down that information.

Peter: How often do you change your password?

Sam: Depending on which password. Gosh, most of them I change, every two or three weeks probably. I quite often forget my passwords. I choose very long passwords, I use a password manager, but often it is easier to reset passwords. I have multi-factor authentication on all my important services.

Peter: What is the best thing laymen can do who don't work in this field but want to feel productive?

Sam: I would say be paranoid about email. If someone is sending documents to you, be very careful what you open. Make sure you trust where it is coming from, look at the grammar and wording, make sure it is from the source you are expecting. If anything pops up when you open up the document, that should send a red flag; send it to someone who can investigate it. With your basic security on the internet, don't click on links that pop up on websites, they can send you to dangerous places. Regarding passwords, using a password manager is a very good idea to save your passwords securely. Probably the most important thing for passwords is to have unique passwords for each site. Something long.
We have been trained for years to choose passwords that are easy to crack for machines and hard to remember for people. A good example of a password is a phrase, "I like to go swimming in the sea and not get attacked by a shark." Very long, hard to crack for hackers but incredibly secure. Having that different on each site. We have lots of sites getting breached over the years, that information on the internet, and that people making use of that.

Peter: What is your role here at Black Hat?

Sam: I am currently training. I am giving our black ops master course, which is modeled on the Russian underground, the capability they have, and showing security people interested in it what the capability is so they can better defend against it.

Peter: Is the Russian underground specialized in this area?

Sam: I would say they are probably leading the criminal syndicate, the gang of cyber offensive at the moment.

Peter: Sam Hunter, thank you for your time.

Sam: Thank you.

Peter: Joining us from the Black Hat convention, Dr. Melissa Kilby. What is your role here?

The first mission is to engage with the cyber security community, and my second goal is to teach data science to professionals. Co-founded a company to bridge the gap between cyber security and data, and bring more advanced data wrangling skills into the cyber security community.

Peter: What is the gap between cyber and data science?

Melissa: There are a lot of different tools people use, they know how to use, but it takes a lot of time. People from data science is admintools that are fast deleting data and getting data into the correct format and perform advanced analytics. There is a large gap currently. People in cyber security, they know cyber in and out but they don't really know how to do more advanced predictions and advanced analytics with their data. On the other hand, data scientists come in and I know nothing about cyber security. Bridging the gap, explaining the gap in terminology and technology.
Peter: Who are the types of people who will attend your conference?

Melissa: All different sorts. Cyber security experts, business people, reverse engineers, software engineers, and also people that are just interested in learning more about data science.

Peter: What is your background? What is your specialty?

Melissa: Biomechanics. I started in cyber security a year and a half ago, and it is super exciting to be in cyber security.

Peter: When you say biomechanics, what are those?

Melissa: It is about the human body, motor control, learning how we as humans evolve and learn, and how to control our emotions.

Peter: Is there a connection between that and cyber work?

Melissa: Yes. You have high dimensional data, complicated data, and it is the same question. We want to understand something that is deep with data and we don't know how to go about it. It is also a recurrent theme in cyber security. People approach me, I say they have all of this data, what did they do about it? It is always the same question.

Is there a social engineering aspect to your work?

Melissa: Social engineering is one field of cyber security, where data science and machinery are developed. Machine learning is much more advanced in insecurity. My feeling is people should zoom out a little and approach cyber security as a whole. Get the bigger picture.

Peter: You talk about machine learning. Where are we in advancements with that?

Melissa: Instead of defining what machine learning is, it is easier to say what it does. It produces smart machines. Now your computer can make decisions on its own. Isn't that crazy? There's another term called artificial intelligence, taking it one step further. We as humans don't have to intervene anymore, people call it raw data, think about any kind of data, it passes to the machine and the machine magically on its own learned how to make useful predictions.
We do not think that artificial intelligence will replace humans, but augment the capability. The current state of the art is that a lot of processes are very manual. Cyber security analysts have to sit down, look at the data, and it also heavily depends on the skill level of the analyst. You use machine learning or artificial intelligence, you can take the process to the next level. We can find malicious activity that no one knows about yet. Cyber security is a dynamic field. Tomorrow is not necessarily like today, unfortunately.

Peter: Are we using machine learning and AI right now in cyber security?

Melissa: Yes, I am pleased to observe people are using it more and more. Yes, a few startups know how to apply it to cyber security. I'd like to see everyone using machine learning and data science. This is what our course is about, to bridge the gap, so that every cyber security analyst knows how to quickly manipulate the data, get it into the right format and make the machine smart so they don't have to do the job. Again, it is not about replacing the analyst, it is about augmenting the capability.

Peter: Your PhD is from the University of Georgia. What were you working on there?

It was a complicated field, I was researching and comparing old people to young people to see how posture changes over time. I was also performing real-time streaming experiments. Just think if you have the space in front of you and you try to balance your body out and see how you perform. Your took a set for further come into virtual reality. Open up a whole new world understanding how humans learn to control our bodies and how they function. To take that knowledge to cyber security is, again, the same problem. They're researching something we don't necessarily understand very well. We don't even know what we are looking for. I would like to see a lot of people tackle this even more. Right now it is more, we want to look for something that is happening on our network, our computer that we know well before.
We should be looking for something we don't expect to find. In cyber security there is a term called zero days. Zero days are things we don't know today. Exploits, vulnerabilities that can cause the next worldwide cyber attack.

Peter: Was there a lightbulb moment, major switch in the cyber security?

Melissa: I wish there was. It just really happened by accident. I slipped into cyber security and I am so happy about it. It is such an exciting field. It is challenging, very fast-paced, technology changes very fast over time, and yes, I cannot be more fortunate to be a cyber security data scientist.

Peter: What does your company do?

Melissa: We provide services for the U.S. government, and I'm very excited to announce that the company will change its name to Two Six Labs this week.

Peter: Where did this come from?

Melissa: I just started the company, but I know a secret that on the 26th of January, the company became independent from Invincea.

Peter: You mentioned you were also here to learn and interact with other cyber security experts. What are you hoping to learn? Do you have a goal?

Melissa: I hope over time to become a hacker myself. To learn more about how cyber analysts do manual process, so I can update my knowledge base and transfer it to other fields. Machines are smart, they help humans make better predictions.

Peter: You are originally from Frankfurt, Germany. Are similar efforts going on in Germany that you see here in the United States?

Melissa: I probably don't know, but I assume yes, data science worldwide is becoming bigger and bigger and also a big thing in cyber security.

Peter: Dr. Melissa Kilby, thank you for being here.
