Basically make their devices more secure. And we do that by looking at a couple different things on the device side, systems side and do hardware and software engineering to help them to that.
Host: There's quite a bit of competition in this field today, isn't there?
Guest: Yep, yep. You've kind of got to carve out a niche for yourself. Specifically, I work with a lot of cryptographic devices
Host: Which is what?
Guest: These are devices that need to use cryptography typically to embed some sort of secret in the device. And if everyone uses it every day, maybe without realizing it, and this is the equivalent thing but on a device level.
Host: Do you work with the federal government at all?
Guest: Short answer is, no. I was in the Navy for ten years, went to the Naval Academy. A lot of my background and training is with military and Navy, but currently I just work in the commercial sector.
Host: Why did you get into this field?
Guest: It started, I think, at the Naval Academy. I did, was one of this group of midshipmen that was called a Trident Scholar, I really wanted to research protocols. I was just interested in how you could protect communications with using cryptography. In the Navy, I was a submarine officer, kind of got more into it. And then kind of kept getting, just kept getting deeper down into it.
Host: Now, we've talked to several people here, a lot of military backgrounds.
Guest: Uh-huh.
Host: Why is that?
Guest: I think the military has a unique kind of, well, it has a unique mission in that it knows the importance of protecting information and communication security. And so COMSEC, that acronym, military acronym, is very much imbued in you. And on a submarine especially, because some of the places a submarine will go the communications security is of very high importance. So I think that kind of environment leans to understanding those threats and how to protect those threats, and I've seen a lot of people take that forward outside the military.
Host: How does cryptography work?
Guest: So fundamentally, it's based on mathematic principles. So different, different aspects of cryptography work a little differently, but if you, there's one area called asymmetric cryptography which is also known as a public-private system, and it works basically by having hard mathematical problems. So you, and the interesting property of these problems is that in one direction they're easy to compute, but then if someone got that answer, it's hard to reverse it. So this is simplified, but if you take a, if you try to take two prime numbers and you multiply them together, that's easy. But if you were given a number and you had to figure out the prime factors just from that number, that turns out to be a harder problem.
Host: Do you create the cryptographic keys?
Guest: So the devices will, it depends on the devices, but the device, if it has the capabilities, can self-generate the key. Or a manufacturer may design, depending on what they want to do, they may decide to put a device in and all the keys. The first one's typically more secure because not even the manufacturer would have access to those keys. Kind of like what we have heard about with the Apple and the FBI in the last year or two.
Host: You mentioned Amazon. Do people use cryptographic devices every day like that? I mean, if you log into your bank, do online banking, is that cryptographically protected?
Guest: Yeah. On everyone's phone it's running a web browser that is using Transport Layer Security which is just the name of the protocol to encrypt your communications over the web. And if you talk to Google or go to Facebook, it's using cryptography. So it's built in transparently. Most people don't realize they're using it, but they rely on it to protect their communication.
Host: What's another form of communication protection that's used?
Guest: Well, you could use it, so, for example, the, if you have a messaging app and you are, so there's a couple different messaging apps, but you could be texting somebody, and those can be encrypted, and those are, some of the better ones are encrypted end to end which means not even a third party like the service provider of the application could intercept your communications. So only you and the person you sent the message to can decrypt them.
Host: Is it more expensive to encrypt something?
Guest: Well, it's expensive, with most modern phones there's not an expense in processing time. It's an expense really on the development side to make those kind of protocols and to do that engineering. That's where you pay the expense, if you will, to design those systems. But once you have those in place on something like a modern phone, they're not expensive in time or power to use.
Host: As we move into the internet of things world, is that going to be more and more crypto keys?
Guest: Yeah, this is going to be more important. And I say that because internet of things is a bit unique even from other embedded devices like phones because they're typically used autonomously. So there's no human interaction with, like, your thermostat or maybe an industrial controller. And we've seen some attacks where they're able to exploit like webcams, for example. Slightly different, but the idea is those devices need to have a secure way to get firmware updates, they need to be able to, if they're sending out data, maybe it's temperature data, sensor data, they're maybe connected to sensitive machines. You wouldn't want that data to be intercepted by a third party either for business competitive reasons or for an attacker who may be wanting to try to exploit your system.
Host: So there's lots of different doorways into a system, correct?
Guest: Yes, absolutely. The crypto, typically, is not the first choice of attackers. And I say that because there's usually easier methods to get in.
It could be that they have a password, or that passwords on the web site or something like that. Those are typically the first means of attack. However, the flip side is if you don't implement the crypto properly, that can also, you could have a false sense of security. So you could think you're safe, but there are very subtle attacks that could, unfortunately, make that not the case.
Host: What do you do to protect your own devices?
Guest: So my best tip is I generally try not to have them. So I will go, sometimes I go into client meetings with a pen and paper, and that's, but I'm a little old school. But, you know, that's not feasible all the time, so on my phone I, number one, make sure that I have all the firmware updates applied. The kind of thing there is patch, patch, patch. You want to have, you could have things like a VPN service on your phone. So if you, this protects you from using the hotel wifi, you could have a virtual private network, and it basically encrypts through the immediate network. But really the number one thing is get a device, make sure the firmware updates are applied as soon as you have them.
Host: Do all modern phones come with a VPN?
Guest: Typically, I think Apple has a built-in, I know with the Android devices it's usually a third-party app. Some of these are paid services that you can go and install this application.
Host: What kind of attacks are you seeing?
Guest: So on the devices, there's a range of attacks. The easiest ones are the kind of, so the kind of best gold standard of attack is to get a remote access into a device. So a typical internet of things deployment you have a one gateway device that's a more advanced processor talking to a bunch of sensors. And these sensors are smaller powered. So the kind of gold standard attack is to attack the gateway through a web protocol, maybe something wasn't set up, and then you can use that gateway device to jump to attack all these different sensors.
So those are the biggest attacks that would have, like, the best bang for the buck for the attacker. But some of the things I focus on are more of the hardware physical attacks. If I can get my hands on that gateway device, I can start attaching probes to it, debuggers. I have a lot closer access to the hardware to do more sophisticated things. And then the real dangerous thing about that is even though that's a physical attack, but the information I would see from that attack I can turn that attack into a software attack. So you take one attacker, he looks at the hardware, and then he publishes it online for a software attack, and then you really have a hybrid attack which is quite powerful.
Host: Are these debuggers available to the layman?
Guest: They, the more expensive ones are geared to professional engineers, these would cost maybe 100, 200, but some of these devices have been commoditized to be in the 20-30 range. Yeah, you can certainly get them on the cheap. They're not as fast or reliable as the professional tools, but they're certainly available.
Host: Do attackers leave fingerprints?
Guest: The good ones, I think, try not to. It helps to, like, avoid the attribution. But, you know, sometimes we can't help it, right? Sometimes you're using a tool or something, and maybe that will leave some, I don't do so much on the forensic side, so I don't know that area as well. But from what I understand, you generally try to not do that to make it harder to come back to.
Host: Do you presume you're under attack cyber-wise at all times?
Guest: Yeah, it's less, I think, more of a paranoia, it's less of a heightened sense of awareness although my wife thinks I'm paranoid. I think that's just the military training, having a heightened sense of awareness, heightened sense of your surroundings, and it's more about getting the attacks into a threat model.
If you're doing something online knowing that there's these category attacks and they could have these impacts and kind of bucketing that information into, because otherwise if you were paranoid all the time, you wouldn't be able to live your life. You wouldn't be able to go and buy coffee. You'd be worrying if someone put something in your coffee. It's the same kind of thing in the cyber realm. You need a healthy sense of paranoia, I think, but you still have to kind of interact online.
Host: What's your role here at Black Hat?
Guest: So at Black Hat I'm helping with the training on applied physical embedded attacks led by Joe Fitzpatrick. Four days of training where we're teaching 30 people in each class how to take a piece of hardware, connect with the debugger, connect with tools, kind of learn about what the hardware is doing and then maybe use that hardware knowledge to construct a software attack and vice versa. At DEF CON I'm giving a talk called Breaking Bitcoin Wallets. It's a digital currency, and a hardware wallet is a smart card for using bitcoin, basically an embedded device that's custom made to help protect your, what they call your wallet. It's basically your private key. It's how you would send money or it's what you need to send money through bitcoin.
Host: Cryptocurrency is coming, isn't it?
Guest: Yeah, so yep, it's here. I don't know if it's, it's here, and it's being used. So the reason I started looking at that talk is that as more people start to use it and as the value of bitcoin starts to come, get higher, I was curious what are some of the hardware-level protections on these devices which are recommended to people as a more secure way to protect their cryptocurrencies.
Host: Josh Datko, thanks for being on The Communicators.
Guest: Thank you.
Host: And now on The Communicators, more of our interviews from the Black Hat convention. Joining us, Daniel Cuthbert who is COO of a company called SensePost. What does that company do?
Guest: SensePost does a lot.
We've been around for 17 years and we're, in essence, hackers for hire. We get asked by our clients to effectively become adversarial targeting. So what happens if an attacker targets you, what's the worst that could happen, how do you react, you know? Is all the millions you spent on hardware and software and security and training, is it working, you know? How do you fit in in the internet?
Host: And you call them pen testers?
Guest: Yeah, people who test pens, yeah.
Host: Penetrations.
Guest: Yeah.
Host: How'd you get started in this business?
Guest: I've been doing it for a long time. This is my 25th year of hacking. Mine was curiosity. We moved to South Africa during apartheid, and then the internet started. Coming from London to a country where strict restrictions were happening, there was censorship, and we had the first stages of the internet with dial-up and bulletin boards, it was curiosity. And I'm quite curious and started to fiddle and moved from there.
Host: You reverse engineered?
Guest: No, no, not at the time. It was really basic back then. I liken it to stories my dad used to say when he used to walk to school barefoot, naked in the snow and backwards. I think now is probably the most exciting time to start hacking. The wealth of information out there is unbelievable. It takes very little to hack today. You've got YouTube, you've got tutorials. Twenty years ago there just wasn't much. It was a true wild, wild west, and there was just nothing out there. But now this is a really exciting time.
Host: Should that information be on the internet?
Guest: That's a good question. I liken it to a knife. So you can use a knife to cut an orange, you can do amazing things with a knife, you can also do really bad things. In London we've got a really bad problem with knife crime. That doesn't make a knife really bad, it's just how you use it. There is a definite need for penetration testing these skills. It's just some taking it that one step further.
Host: Do you have a specialty with your company?
Guest: We are very good at red teaming
Host: Which is?
Guest: Probably the top end of testing. So we will try and gain access to you, your data, your employees no matter how. It's a fully encompassing service rather than just say an application test or a network-level test. It's about as close to the bone as you can get.
Host: And when you go into a red team testing, are you trying to, let's say, break into IBM?
Guest: It could be however the client wants. It could be the client saying, do you know what? We think we're secure. We've developed this new application, or we've got this really great new phone that's coming out soon. We want to make sure that, a, everybody's involved; b, we can detect it; c, our people are doing the right thing. And finally, how do we stand up? Does the board say, all right, we're probably going to get breached tomorrow, we need to make sure that we're not on the 6:00 news and we look really good or, actually yeah, we've done everything we can, we think we're in a good place.
Host: Are attacks happening every day?
Guest: Yes. Sadly, I think it's easier, the bad side of all this information being made freely available is that the attacks have just gone through the roof. It's now commonplace for us to hear about breaches. A couple of years ago you'd maybe hear of a company every now and then getting breached, but now it's commonplace. People are getting popped left, right and center, and I don't think that's the good side
Host: Where are you based?
Guest: London.
Host: And can you do your work from anywhere in the world?
Guest: I can. It's an amazing career. I've had the luxury of living in 17 countries. So, yes, you can. If you are dedicated and do this to be, really well, you've got the benefit of being able to live anywhere as long as you've got internet access.
Host: Could you breach all the phones that are in this room right now?
Guest: It's very easy to say that, yes, we could target the phones.
Think Hollywood has glamorized a lot of hacking but, yes, it's still quite easy to target a phone, gain access, especially an older Android device. If it's Apple's latest device, no, that's pretty secure. It's annoying. It's annoying to good hackers, to law enforcement who are trying to get access to. So you can do it, it takes time.
Host: Could you break into this room?
Guest: Physically?
Host: No, electronically.
Guest: With the door lock? Yes.
Host: Easily?
Guest: Yes.
Host: And I'm going back to the question I asked before, should that information be out there and available?
Guest: Good question. So you can take two paths with this. On the one hand, the manufacturer should make this stuff more secure. A bit like autonomous cars. We expect stuff to be built properly. When I buy a kettle or a microwave, I don't expect it to zap and kill everybody in the house. I think with the likes of the internet of things that we're seeing with a terrible track record on security they have to be tested. So that information that somebody uses to maybe test that kind of stuff could be a benefit when they find a vulnerability and, indeed, our industry is built upon that. And they work with that vendor to say, do you know what? I found this vulnerability, I was able to gain access to the room, here's how you fix it. Let's work together to make it more secure.
Host: From your point of view, is it important to know the motives of the black hat hackers?
Guest: Yeah. I'm nervous about colors. I think I've been doing this long enough where I think the white hat, the gray hat, the black hat, I think the meanings have become more diluted. You have those who are very criminally minded and have criminal intentions, you've then got those who genuinely want to help. And if you look at those who report vulnerabilities, hey, I use your product, I'm a customer, but I've also found it to be quite insecure, here's how you can make it better. So I think the motives are really important.
Host: Do hackers leave a trail?
Guest: Bad ones do. Bad ones do.
Host: The good ones?
Guest: If you're a really good attacker and you know what you're doing, it becomes hard. Attribution is not an easy thing to do right.
Host: So Sam Hunter, what do you do at SensePost?
Guest: Currently, I'm a security analyst and also the head of training at SensePost.
Host: What does that entail?
Guest: I get to hack stuff and also manage our training.
Host: What exactly is hacking?
Guest: Hacking, so traditionally hacking was more around building and making stuff, and more recently I think society has seen it as people breaking into systems, you know, attacking systems in an offensive manner. But traditionally, it's approaching problems and solving problems in various different ways.
Host: But if you wanted to go into and hack something, how would you do it? Where would you start?
Guest: Do you want to give me an example?
Host: Yes. Break into the Las Vegas International Airport which is right behind us. Break into their security system.
Guest: Into their security systems. So firstly, theor