Tag: hacking

What’s New in the Cybersecurity World With Adriel Desautels

January 22, 2019 / Hannah / 0 Comments

On Episode 83 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard about what’s new in the cybersecurity world!

Sections

Introduction
Netragard’s New Product: A Breach Detection Solution
Netragardian BDS
What’s Going on at DEF CON and Black Hat?
Hacking Medical Devices
Vendor Hostility Toward Researchers
Government Networks & the Vulnerability of Voter Information
Why Do People Feel Threatened By Research Hackers
Security Researchers Are Experts at Breaking Software
Finding Flaws in Software
More Episodes
Show Notes

What’s New in the Cybersecurity World With Adriel Desautels

Introduction

Paul: Hello.

Adriel: Hey, Paul.

Paul: Hey, how are you?

Adriel: Doing quite well. I love the fact that even in this day and age we have continual technical difficulties.

Paul: Yeah, well, it keeps people like us in business, so…

Adriel: It does. Yeah.

Paul: So, where are we finding you in the dark, unreached places on Earth? Are you from your secret lair or…?

Adriel: Right now, yes. This is very much my secret lair, which is a library with a ladder that’s been converted into an office.

Paul: Alright. There you go. We’ll cut that out or encode it in way so that only certain people can listen to that.

Adriel: There you go. Yeah, it’s pretty cool.

Paul: So, how are you doing now? How’s security in the world?

Adriel: It’s doing incredibly well. We’re becoming more and more and more well known for the level of service that we provide, the depth, the quality, and really the aggressiveness of it. We’ve also launched a product, and the product is selling faster than we can sell it. So it’s really quite remarkable.

Paul: Well, we’re talking with Adriel Desautels from Netragard, and we’ve talked with him once in the past, and he’s a great resource for technology and security, and we’re going to talk about that a little bit day.

Netragard’s New Product: A Breach Detection Solution

Paul: So, tell me about this product. What is this? Is it a shampoo or a floor wax or…?

Adriel: It’s a security shampoo.

Paul: There you go.

Adriel: It prevents malware from getting into your hair. No, no, we call it Netragardian VDF. It is a breach detection solution, and it is based on our own experience in breaching networks over the past two decades, really. What it is does at a very high level is it exploits the methods that hackers use to breach a network, whereby enabling you to identify their activity before they actually have a chance to move laterally throughout the network. So, it doesn’t prevent a breach, but it provides you with a false positive free method of detecting a breach. So, when you get an alert the alert is, in fact, real. And it’s so incredibly effective that you can use it to generate positive indicators of breach and respond to those positive indicators and quite literally completely avoid damage.

Because in this day and age the name of the game is no longer breach prevention. That’s just a known impossibility. The name of the game is damage prevention. So what the solution does from a higher level, is it allows you to see that people are breaching your infrastructure, and it allows you to respond to that event and block it before it has a chance to escalate into something damaging. The response window is minutes to seconds, depending on how fast you can move.

Paul: Wow.

Adriel: So it’s, it’s pretty cool.

Paul: So where do I find out about this product?

Adriel: We would have to tell you about it. You can contact us or website.

Paul: Well, that’s an interesting way to sell something.

Adriel: Yeah, yeah.

Paul: I have something you don’t know you need but you might want, but I’m not going to tell you about it.

Netragardian BDS

Paul: So, alright, so hold on. What’s the name of it? Spell it.

Adriel: So it’s Netragardian. It’s N-E-T-R-A-G-A-R-D-I-N. And then BDS. Bachelor, David, Simon.

Paul: Okay. Cool.

Adriel: Yep.

Paul: So, it’s a secret product. Only people with an invitation can buy it? Or, how does that go?

Adriel: Sort of. So right now, it’s a product that our clients are able to purchase. e don’t advertise it at all yet. We will be in the fairly near future, I think, mid-to-late 2019 when we start advertising it. But right now, we’re trying to push it out to our clients specifically, or they’re really picking it up from us.

Paul: Oh, very cool.

Adriel: That’s the first line. As soon as our clients have this up and running, then it’s going to be the next stage, which is to publicize it and really get people aware of this.

Paul: Well, excellent. Well, we’ll have to talk about that some more.

Adriel: Definitely.

Paul: Really, I’d be fascinated to talk about that.

Adriel: Yep. Absolutely. When we do talk about it and you hear about how this works, it definitely follows the keep-is-simple-stupid rule. It requires virtually no maintenance whatsoever. There’s no patching, no updates that are required. The agents that are associated with it do absolutely nothing of value, as far as the business is concerned. And so if there’s any kind of an outage or, or anything like that, it has zero impact on the business’ ability to function.

Paul: Cool.

Adriel: It is not an intrusion prevention system. It was not a network intrusion detection system. In fact, it has nothing to do with analyzing network data. So it’s a super-efficient and lightweight system that works.

Paul: Very cool.

What’s Going on at DEF CON and Black Hat?

Paul: So, I thought it would be cool to talk about what’s been going on recently. I imagine, just because I saw it on your feed, that you went to DEF CON and Black Hat.

Adriel: Yep. Absolutely.

Paul: How was the weather?

Adriel: It was hot.

Paul: So that’s about all we want to cover today. We heard lots of different things about hacking, voting machines and a few other little things — some drones stuff. What was the interesting things that you saw there?

Adriel: So, when we were at DEF CON and Black Hat, honestly, not a lot of the presentations that were there this year were particularly interesting. What was more interesting were the side conversations that were going on and sort of the private parties that we got ourselves invited to. There is a lot of research that’s been going into not just voting machines, but the government infrastructures that house voters’ data, the State of Kansas and things like that.

Hacking Medical Devices

Adriel: Particularly interesting too is the medical devices and critical infrastructure. There’s actually a pretty big emphasis on doing research against those things as well.

And the, the good news is that largely, it’s the good guys doing the research right now, but as the trend would be, if the good guys are looking into this, then you can rest assured that the bad guys are also looking into this.

Paul: Yeah.

Adriel: To kind of give you an understanding of scale and impact, hacking medical devices is something that can be done from afar. So, if you end up using pacemakers from specific vendors or insulin pumps from specific vendors, it’s entirely possible and realistic to cause those things to malfunction in lethal ways from as much as 90 meters away. There’s right now a general consensus that, oh, you have to be close to the device so you can program the device. But that’s not entirely true. There has been research done that demonstrates that fact.

And then, looking more into the medical devices too, these devices are running operating systems that are the equivalent, when it comes down to security, of a Windows desktop or a MacBook Pro. Their operating systems are buggy. In fact, if you look at the vulnerability databases that exist, you could find vulnerabilities that are perfectly exploitable for these.

Then, to make matters even worse, a lot of the manufacturers that are producing these devices are, frankly, hostile to researchers rather than embracing research and researchers, and saying, “Hey, we really like the work that you’re doing. Thank you for doing this. We realize you’re doing it, probably for free…” They’re saying, “Why would you look at our device? What’s your angle? Let’s quash you, and let’s threaten you with legal action and so on.”

So, the general consensus around researchers in general is, yes, we want to do this because we care about this, the big problem, but we’re very nervous about the approach with the vendors and how to handle the vendors and so on. So there’s that.

Vendor Hostility Toward Researchers

And then, of course, when it comes down to critical infrastructure, the approach is very similar. When it comes down to critical infrastructure, we see the companies who make SCADA technologies and other kinds of similar technologies, we see them also respond with hostility as opposed to sort of “Yeah, come do the research. Help us find things” —that welcoming embrace. That bug bounty-type mentality.

What that tells me is their mindset is antiquated. Right? They’re stuck back in the late ’90s, early 2000s when most vendors were really hostile, and they had yet to realize the researchers aren’t there to hurt them. They’re there to help. So I think, that one of the things that I’ve seen is that that still exists, and I think these vendors really do need to move forward in that capacity.

Government Networks & the Vulnerability of Voter Information

Now you look at government networks. Kris Kobach in the State of Kansas. We actually offered — I believe it was Kansas. It was a free penetration test because we were called out by Gizmodo, and we were asked to do a quick reconnaissance project against the state network. And we did, using open source intelligence technologies. Nothing intrusive and all that. And we found that their network was massively vulnerable. We found that they didn’t have two-factor authentication anywhere. They had VPN endpoints that were very likely brute forcible that were exposed to the internet. They had printers that were exposed to the internet. All kinds of things were just publicly accessible. And these networks were the networks that contain voter data!

We offered, we said, “Hey, guys. You know, we recognize that this is…” This was in relation to Cross Track, actually. This was the Cross Track Network. And so we said, “Hey, guys, we recognize that there’s some really sensitive information here, and we recognize that this approach of being really called out by the media about your vulnerabilities is not that great. So we’ll offer you a free test to help you harden these things.”

They never responded to that offer, despite the fact that it was being pushed by various different people. There was somebody from the Democratic side that called. We created a proposal. We issued a proposal to them. Never heard anything back, even though it was free. They said, “Hey, we were going to go with the Department of Homeland Security and gets things hardened,” but according to the sites like Census.io and other kinds of open source sites, their network hasn’t really changed posture at all. So, when it comes down to the voting information, voter information is massively vulnerable because the people that are responsible for it are not taking their security seriously. What they’re doing is they’re saying, “Hey, yes, this is hardened. This is secure. This is safe.” But it isn’t.

Paul: Right.

Adriel: And that’s really, unfortunately, the way things are on a lot of fronts when it comes to security.

Why Do People Feel Threatened By Research Hackers

Paul: So you sort of talked about the old-school mentality and the mental approach to things or the way people think about things. Let’s try and put ourselves in their shoes and why they feel so threatened by these hackers that are out there who just do all this stuff. Now, I think it’s helpful to role play this a little bit because this is the issue. So, go ahead. What do you think of that?

Adriel: Yeah. So, I think it comes from a variety of things. First off, researchers are there to identify problems or faults in something. Or identify security issues with regards to…security researchers do that anyways. And these security issues are emotional for some people because we’re effectively saying, “Hey, your baby is ugly,” or, “You didn’t do a good job,” or, “You screwed up.”

And, and rather than hearing that and saying, “Wow, okay. That’s good. Thank you for the help,” what they’re saying is, “What are you attacking me? Why would you insult my capabilities?” Or maybe it’s, “Why are you threatening my job? What are you threatening my business? Why are you trying to make me look bad?”

And so the approach that a lot of the researchers have, especially today, they no longer take that kind of thought into consideration. And if you were to approach somebody else through a bug bounty program or Facebook, Google, whatever it might be, and you were to say, “Hey, there’s a vulnerability here,” what they say is, “Great. We understand that everybody is vulnerable. Everything is vulnerable. We understand that we’re going to make mistakes. So thank you for bringing this to our attention so that we can fix it,” as opposed to “Why are you trying to make me look bad.”

Paul: Sure.

Adriel: And the reality of it is we’re not trying to make anybody look bad, but we find critical flaws in technology. And the people that created those flaws are the vendors. They are the manufacturers, and they are the ones through deliberate mishap, mistakes, or maybe accidentally, most likely they’re the ones that create the vulnerabilities that are inevitably exploited that lead to damage. So they’re the ones that are, in the end, responsible for fixing the code and becoming aware of these vulnerabilities.

But I think that what’s happened is some companies have begun to realize that they really have to embrace the hacking community and allow hackers to do this research and say “Thank you” because it’s effectively it’s elevated quality assurance.

Paul: Oh, of course. Yeah.

Security Researchers Are Experts at Breaking Software

Adriel: And it should have been done. Right? But instead of, instead of doing that, they’re offended. I think a part of this comes into play. It’s not to say that software developers are imbeciles, because they’re not. But software developers are experts at developing software. Security researchers are experts at breaking software. So, we can’t expect every single software developers in existence to also be an expert when it comes to security. And that’s where the issue comes into play, because as a security researcher I can tear networks apart. I can tear technology apart. I can find vulnerabilities in almost — with the exception of one thing — I can find vulnerabilities in everything with the exception of one piece of technology. And that’s my job. That’s my expertise. I couldn’t go to a developer and say, “Hey, find vulnerabilities in all these different things.”

They’re going to say, “Well, that’s not what I do.”

And likewise, I couldn’t go and develop something that a developer could build. I mean, sure, I can write code. I can make something work, but it’s not going to be a professional-grade product if I develop it. It’s going to be a site that’s kind of hacked together. So, it’s a different expertise.

And, and I think that that is something that is somehow missing in the communication or the thought process. When a researcher approaches somebody, that somebody, in an ideal world, would think “Oh, great. This is an expert that’s trying to help me by telling me that I have a fault in this piece of technology.” But instead, they’re saying, “Who are you to come and tell me that I got this problem? I pay my developers a lot of money, and they do a really good job. And you want to insult their work?” And that’s just not helpful.

Finding Flaws in Software

Paul: Well, and then the counter question to that is, is that “Would you rather not know that this has a flaw?”

Adriel: Right. Well, actually, what we’ve seen in some cases with some vendors — not just critical infrastructure and medical but we have seen that they would not only rather not know that there is a flaw, but we have seen that after we tell them that there is a flaw that they would rather not tell their customers and just hide it altogether. And, that is terrifying. When you see a vendor that knows that vulnerabilities exist in technology, and they continue to sell that technology, they’re quite literally putting their clients at risk. And they’re doing it at some level, knowingly.

Paul: Well, sure.

Adriel: And then, of course, then you have ethical questions that come into play there and things like that. And we’ve seen this blow up. In the past, there have been instances. In fact, we were involved with a very first instance way back in the day with HP and Tru64 where, where vendors have tried to quash research, and then later, the research became exposed, and the community said, “Hey, what’s going on?”

And their clients say, “Wait a second. These guys come to you telling you about a critical vulnerability, and you try to hide it from us? What’s the deal?” That doesn’t make clients feel particularly good either.

The, the appropriate approach would be, like I said initially, “Thank you for telling us about the vulnerability. Let us fix this. Let us coordinate how to notify our clients and how to tell the world. And let’s do this in a way that really helps everybody.” And if they take that kind of approach, that’s great because clients get notified, patches get produced, and so on and so forth.

More Episodes:

This is Part 1 of our interview with Adriel Desautels. Be sure to listen to Part 2 here! We’re talking with Adriel about why hackers hack!

Show Notes:

Cybersecurity: For Better or For Worse?

March 20, 2018 / Hannah / 0 Comments

On Episode 61 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about whether cybersecurity is getting better or worse.

The Farce of Cybersecurity

March 6, 2018 / Hannah / 0 Comments

On Episode 60 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about the farce of cybersecurity!

The Art of Hacking: Cybersecurity With Adriel Desautels

February 20, 2018 / Hannah / 0 Comments

On episode 59 of The Edge of Innovation, we’re talking with Adriel Desautels, founder and CEO of Netragard, about hacking and cybersecurity!

Show Notes

The Netragard Website

Get in Touch With Netragard

Find Netragard on Facebook

Find Adriel Desautels on Twitter

Find Adriel Desautels on LinkedIn

Find Netragard on Twitter

Follow Adriel Desautels’ Blog on Netragard

Netragard in the News

“Is Your Data Safe From Hackers?”

“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor

“Cars: The Next Hacking Frontier?”

“How to Find a Genuine Penetration Testing Firm”

“What Is Penetration Testing? Here’s the Right Definition”

“Is Your Data Safe From Hackers?”

“How To Hack A Company With A Trojan Mouse”

“Don’t Become a Target”

Link to SaviorLabs’ Free Assessment

Sections

What Does Netragard Do?
Hacking: Making Things Do Things They’re Not Supposed To Do
How Adriel Became a Hacker
Starting a Business Using Real Hacking Methods
Is Hacking Complicated?
The Art of Hacking
Pricing Based on IP Addresses is Not Ideal
Real Time Dynamic Testing
What is Penetration Testing?
What Should You Do About Cyber Security?
What’s the Big Deal with Online Profiling – Social Engineering
Internet Abstinence Won’t Protect You

The Art of Hacking: Cybersecurity with Adriel Desautels

Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard. Adriel, are you there?

Adriel: I am.

What Does Netragard Do?

Paul: So, Adriel, you are with a company called Netragard. What in the world does Netragard guard? Or what does it do?

Adriel: So just like our slogan says, we protect you from people like us.

Paul: I love that slogan. So, “people like us.” What do you do? Are you hackers? Or are you light-head hackers or what?

Adriel: So we are hackers in the very real sense of the word. We have roughly 35 guys on the team right now, that are all vulnerability researchers and zero to exploit developers. So we really specialize in tearing apart technology, understanding how the technology works, and then finding ways to make the technology do things that it’s not supposed to do. And we apply this skillset to anything from automobiles and cellphones, all the way into large corporate networks or government networks and so on and so forth. The end product is we breach something, we hack something, we break something, and then we provide you with a solution to prevent other people like us from being able to do the same thing.

Paul: So basically, you guys sit around and try and break things. Or, I mean, because you said, you used very select words there. “Make things do things they’re not supposed to do.”

Hacking: Making Things Do Things They’re Not Supposed To Do

Adriel: Right. Absolutely. So, a prime example, right, with cellphones, for example. When you receive a text message from somebody, you expect the test message to display the message. If you receive a text message from us, our text message, you might never actually see it come in because it will be designed in such a way that rather than displaying a text message, it gives us complete control over your phone. So maybe when we send you a text message, the payload, or the contents of the message, will allow us to listen to your microphone, turn on your camera, track you via GPS, read the emails, look at what you’re browsing, etc., etc., etc.

And the way that we do that is by leveraging flaws that exist within that specific piece of technology. And the same would be for anything. You know, we did research on cars a while ago, we were in the news for the research there. And we found that it was possible to do things with the cars, like take control over critical systems such as the accelerators, the braking systems, seatbelt tensioners, other kinds of security things in cars. And so you can literally hack a car and turn a car into a weapon.

So we look for the different avenues of those kinds of things can be done and then we build solutions so that the people who are responsible for making these technologies can prevent those kinds of things from happening, hopefully.

Paul: Okay. Alright. Well, that sounds scary and interesting all at the same time.

How Adriel Became a Hacker

Paul: Let’s take a step back. So now, what’s your background? Did you go to school for this? Did you just figure out one day, “Hey, I want to be a security person”?

Adriel: Yeah, so, when I was about eight years old, my father picked up a Tandy 1000 and maybe I was even six. I was young. And I wanted to know how this computer worked, and I played Load Runner. I played with the word processor that he had, the big old disks you used to have to stick in there. And I became more and more curious. So I began picking up Basic, I think it was and just trying to figure out how things worked in that respect. And then, you know, I saw well, if I put in this text with this, the computer would beep in this way, or the computer would do this kind of thing.

That evolved and then I was gifted with a modulator demodulator and I thought to myself, so if I dial this telephone number, I get a connection. What happens if I try a bunch of different telephone numbers? Most of the time, it would be people that would pick up and be mad that they were being called by a modem. But sometimes I would be calling other modems, and I’d find that they connect to systems that I wasn’t supposed to.

And then from there I discovered the real satisfaction. Curiosity. You know, hackers are driven by curiosity. And there’s a saying that I hear all time, curiosity killed the cat, satisfaction brought it back. So, it kind of evolved from there.

When I went to college, I was studying a combination of computer science and philosophy. I ended up dropping out of college in my second year because I was already working in the industry. I was making more money than most people with a degree, and I was learning stuff in school that I had already learned and that was really antiquated. And so I thought, well, I don’t really need a degree to get me, nothing.

And so I dropped out of college and started my first business. Sold that business, worked in the industry for a bit, which is how I you met initially, I think. And then I started up my second business and here we are. And through the interim, the point between the two businesses, I realized that I do not work well for other people. I work much better for myself, with my team. And so here we are. And it’s been a great adventure, but it’s been a pretty successful one too.

Starting a Business Using Real Hacking Methods

Paul: Excellent. So what is that business that you started? It’s Natragard. But, I mean, what was your intent? And how long ago was that?

Adriel: Yeah, so back in 2006, really 2005 to 2006, right after we were running SNOsoft, or Secure Network Operations was the full name, we were approached by a bank. And the bank said to us, “Hey, we’re looking for penetration testing that will deliver a real hack. We really want to get hacked.”

And we said, “Well, we don’t really do this kind of stuff. My team is really into reverse engineering and zero-day exploitation and things like that. Right now we’re doing vulnerability research and exploit development, but we’ll try to find a company.”

And so we scoured the internet. We looked and looked and looked, and we could not find a penetration-testing firm that would actually do what they said they were going to do. They all said that they would do manual testing. They all said that they would use a research-based methodology. They all said they were going to do these incredible things. But when it came down to really talking about the technology, they were all going to effectively deliver a vulnerability scan, vet the results, and produce a report, which is not what our customer wanted or our friend or associate wanted.

And so they said, “Well, why don’t you guys deliver this test?’

And we said, “Alright. We’ll give it a shot.” And so we took our vulnerability research and exploit development methodologies and we created a methodology. It was called Real Time Dynamic Testing. In about 2006, we used that methodology to test this bank, and we managed to breach the bank and take the domain in four minutes flat. And the reason why we were successful in doing that was because they had a critical system that was exposed to the internet but it was configured in a way that the traditional scanning technologies wouldn’t detect it. I don’t know if it was delivered. But the scanners didn’t recognize the system.

We began to look at the network, and we said, “Hey, what is this glaring hole? Let’s play with this,” and boom. You know, we were right in.

And so the bank said, “Wow, this is incredible. Not only did you take our domain in four minutes, but we didn’t see you do it. And, you know, how did you do it?”

And we said, “Well, we just used real hacking methods.” Right? We didn’t depend on scanners, and that was that. So they began talking about us. Other banks began calling us, pharmaceutical companies and so on and so forth. And we just kept on testing and kept on evolving and methodologies continually evolved.

And on the side, for the longest time, we were also doing the zero day vulnerability research, zero day exploit development, and we were catering to the zero day market. So the business was running on two fronts.

Today it’s strictly offensive. Today we are strictly hacking people and breaching people using the same kinds of methodologies and the same kinds of threat as you’d experience from nation states or from real world hackers.

Is Hacking Complicated?

Paul: So now you mentioned there that you were able to break into this. And this sounds complicated. Is it complicated? Or is it not complicated?

Adriel: No, it really isn’t. The most complicated part of breaching a network is doing the research upfront to identify the points of weakness. Once you identify a point of weakness, it’s generally pretty simple to exploit it. For example, if it’s going to be a local file inclusion vulnerability in a web application, right? You have to understand how an application is constructed. You have to be able to apply a path so that you can include a file from the local file system and just really were to paste or write a simple string. And that one simple string enables you to call a file.

So a really simple example would be an ISP that we were working on back before cloud computing was a really big thing. These guys were kind of like your pre-cloud computing hosted environment.

They had an infrastructure set up with a management interface, and the management interface had a glaring local file inclusion vulnerability in it where you could see the path, and you could see the file that was being called right in the URI. So what we ended up doing was we ended up generating a bunch of PHP based error logs by dumping PHP code directly into the server, and that would get a recorded in the error log, and then we directed the path in the URL, the URI, to the error log for Apache, because we knew they were running Apache. When it loaded the error log, it interpreted the PHP, and we got a shell in the system.

Paul: Oh my gosh. Wow.

Adriel: Yeah, so it’s pretty simple stuff.

Paul: Well, once you say it, it’s simple.

Adriel: Yeah.

Paul: That’s very important, I think. It’s like, I would not have thought of that, but now that you say it, it’s obvious.

The Art of Hacking

Adriel: Yeah. It’s funny because even the most complex hacks become trivial once they’re discovered. And so the real talent and the real art is in the discovery, and it’s being able to think in such an obscure and different way that you almost… It’s not really out-thinking other people, but you — for a lack of a better term — you out-art the other people.

Paul: Well, it’s almost out-thinking reality because you’re not just taking it for what’s in front of you. You have to look behind it and around it and under it.

Adriel: Yeah, exactly. And sometimes you have to build an entire ecosystem or environment for this thing to exist in to break it. Because certain pieces of software are meant to exist in certain situations. They’re meant to do certain things. So put them in a different situation that’s designed specifically to make it break, make it uncomfortable, you know. Doing that’s really what hacking is all about.

Paul: So it sounds like the kind of work you’re doing is finding the — I don’t want to say “esoteric” but… I didn’t know. Is that fair? Esoteric? Because I’m wondering now, you must offer something or do something that, checks for the run-of-the-mill things.

Pricing Based on IP Addresses is Not Ideal

Adriel: Oh, yeah. Absolutely. So, when we offer our services, there are three different levels, and the higher level includes the lowest two levels. So there’s silver, gold, and platinum — the whole packages that we offer. The silver level package is the industry standard package. It’s what you’re going to get from 90% of our competitors or 90%, 99% of the industry. And it’s really how many IP addresses do you have? I’m going to price based off of the number of IP address. Right? So you say you have 10 IPs at 500 bucks per IP, $5,000. We don’t price that way. This is the competition.

And then we’re going to take the IP addresses that you give us. We’re going to give them to a vulnerability scanner like Nexpose or Nessus. And then we’re going to run the scan. The scan is going to find what it’s going to find. We’re going to pass the results of that off to a team of engineers. The engineers will exploit whatever is exploitable, and then they’ll produce a report. Right? So that’s sort of the entry level penetration testing service.

It’s not ideal for several for reasons. The first is, when you price based off of the number of IP addresses, you’re not actually pricing based off of workload. So, suppose you have the 10 IPs, and they’re all running complex web application, maybe 40 man-hours per IP, $5000, that’s $12.50 an hour roughly. Nobody can work for $12.50 an hour, so you have to compensate with automation.

The second reason why it’s not ideal is automated vulnerability scanners only identify the low-hanging fruit, which kind of goes in the question that you were asking. Right? So they only identify the, the basic stuff that exists — maybe 30%, 45%. Someplace in that range, anyhow, is configured of the vulnerabilities that exist with a network. So if your methodology depends on automation, you’re going to be leaving a major gap. You’re going to be leaving a lot of exposure, which is part of the reason why businesses are suffering breaches left and right. Right?

Real Time Dynamic Testing

So then you escalate up into the gold level of service, and the gold level of service will include that low-hanging fruit type thing, the basic checks. But then we bring in Real Time Dynamic Testing, which is the methodology that we use for doing research based penetration tests. It incorporates major components of our vulnerability research and exploit development practices. So Real Time Dynamic Testing and it gets you close to a 90, 95% point of coverage as far as technology is concerned. We don’t just use — and sometimes we don’t even use— vulnerability scanners, but we really depend on our own experience, expertise, hands-on digging. Right? And that coverage you get the low-hanging fruit, the basic stuff. You get the really advanced stuff in there.

And then you go for the platinum. Platinum is realistic threat. We will cover the gamut — social, physical, electronic — and there’s no limit to what we’ll do. We have zero day malware that we use. It’s called RADON. We have different variance of RADON. The social engineering practices that we use have been written about in The Economist, Bloomberg, Forbes. We built a mouse that was fully weaponized that breached networks for us. I mean, all kinds of things. Yeah. So that was a very long-winded answer to a very simple question.

What is Penetration Testing?

Paul: No, I appreciate that. So let’s roll back a little bit. And first of all, for our listeners — because we have a fairly wide range of listeners. So you mentioned the word “penetration testing.” And I know that’s generally referred to as pen testing, and it’s not testing whether your pen works. Is that breaking into a network? What is penetration testing, very simply?

Adriel: Yeah, it’s a test that’s designed to identify the presence of points where something can make its way into or through something else. And then when applied to network security or applied to networking, it’s the same kind of thing, but it’s a test that’s designed to identify the presence of vulnerabilities, in an infrastructure that can be breached by an adversary.

Paul: Okay. So you figure out how to get in.

Adriel: Yes.

Paul: Whether you do it or not, you, you know that now there is a door that is ajar or a window that’s not locked.

Adriel: Yes. So we, we figure out how to get in, and we do get in. We demonstrate by exploitation. So we demonstrate by proof.

Paul: Okay. So you go in and put something on their coffee table.

Adriel: Yep or, if it’s a physical point of entry, you know, one of our treasuries, we literally walked into a data center and walked out with a computer.

Paul: Really?

Adriel: One of the state treasuries. Yeah. In other cases, we’ve turned on web cams and microphones and recorded entire conversations in businesses. And in one case, we actually took a video of a guy picking in nose, playing solitaire, and drinking coffee.

Paul: Wow. Well, I know that can’t be me because I don’t drink coffee.

What Should You Do About Cyber Security?

Paul: So, okay. Good. Alright. So now, we hear about cyber security, network security, security all over the place, all the time. And, general citizens have no idea what to believe. Is it good? Is it bad? Is it getting worse? Is it getting better? Is there risk? Give me an answer, it’s some point. We’ll put in some stakes in the ground here. But what would you tell the ordinary, average person? Should they be using a computer? Should they not? Should they not worry about it? Who cares?

Adriel: Yeah, there is no such things as security when it comes down to corporate security or commercial security. There is just a market. And it’s a self-perpetuating market. And that market really does provide, in many cases, a false sense of safety. When it comes to help people should be using their computers, they should think very carefully about the kinds of data that they want to store on their own computers. And they should also think very carefully about what they put out into the cloud, you know, social media. Anything like that. Because that moment that information is out there, it’s no longer their information. It might be protected by contracts. It might be protected by privacy policies. But as we’ve seen with Equifax, and as we’ve seen with Target and Sony, Hannaford, Home Depot, Ashley Mad—, you know, I could go on and on. The information is no longer their information.

Paul: Well they don’t have control over it.

Adriel: Right. And one of the things that has really surprised me about people is people think, “Well, Facebook is private. That’s my Facebook page.”

Yeah, well, you know, it really isn’t. If you’re a private person, you shouldn’t put it out there. There is no control.

What’s the Big Deal with Online Profiling – Social Engineering

Paul: Okay. So let me just unpack that a little bit. That seems to be, well, when you are doing something — whether you realize it or not — you’re explicitly sharing information. You go and you put on Facebook that I like the color orange. Okay, so the world knows that. So what’s the big deal? So people know I love the color orange.

Adriel: Yeah. So the big deal is profiling. One of the things that we do when we hack businesses is we, for the platinum level stuff, we socially engineer people. To socially engineer people, we have to be able to understand what they like, what kids of pets they have, who they’re married to, who their children are, what the last meal was they ate, anything like that. Any of that information that might seem benign. That information can help us to build a false story around a false persona that meshes very well with them. And then that enables us to befriend them on Facebook or befriend them socially in the business.

Once we befriend them, we can begin to build a trust relationship. And once that trust relationship reaches the point where I can send them content by email, a document, or I can get them to click on a link, I can breach the network. So any information that they put out there is going to be useful for me to help leverage them or breach them. Or maybe even just create a falsified story, you know, and, and extort them.

I saw something really interesting recently. We have a friend here that’s going through a divorce and she received a letter in the mail. And the letter was sent to her house but it was addressed to her husband, her ex-husband, or soon-to-be ex-husband. And it said, “Hey, you know, I have really dirty information on you. And I’m not going to share it here because I don’t want your wife to know what this is but I think this is worth some hush money,” effectively. And “If you give me $2000 in bitcoin, I won’t tell anybody about this kind of thing.” Right? So the reason why they figured out this divorce was going on was because of information that was disclosed in public. It’s actually a fairly common scam. So any information that you put out there is stuff that can be leveraged by people looking to extort you or breach systems. Or, if we get hired, we’ll use it to break into whatever networks you have.

Paul: Okay. Alright. So the point here was that my use of technology as an ordinary citizen, you’re telling me I shouldn’t share things on Facebook.

Adriel: Right.

Paul: Without understanding the risks and if I’m okay with those risks. Is that fair?

Adriel: Yes.

Paul: What do you tell your close friends? Don’t use Facebook— don’t even use the internet? That seems like the safest thing.

Adriel: Yeah, it would be. Don’t trust anything on the internet is what I would say.

Paul: That’s fair. But now Equifax, I could have never used the internet, and Equifax, all of sudden, let all my information out.

Adriel: That’s right.

Paul: So I have been foregoing the enjoyment of the internet — because it’s a pretty cool place. I can do lots of stuff. I can learn lots of stuff. I can have great relationships and get to know people and see what my friends from high school are doing. And I’ve foregone all that. And then Equifax does something stupid and so I basically said, “Oh, I’m going to abstain from the internet.” How do you speak to that? What do you think of that?

Internet Abstinence Won’t Protect You

Adriel: So your abstinence doesn’t necessarily protect you.

Paul: Well, but there was no way to protect me there. There was no way to protect me.

Adriel: Right. There isn’t.

Paul: So why not just use the internet? I understand your argument.

Adriel: Yeah. That’s what a lot of people do. It comes full circle.

Paul: I understand that you’re saying that the more information I get, the more exploitable I am. The more I give, the more exploitable I am. But then it’s sort of like Chicken Little. It’s sort of like, “Well, I’m never going to use the internet, so I’m safe.” And then Equifax does something, and it’s like, “Well that was a waste of time.”

Adriel: Yeah. That’s exactly right. And that’s where this conversation always inevitably ends up here. Is, well I won’t use it. Well, even if you don’t think you’re going to use it, you’re still using it. Your bank is online, period. You’re living in this country, and this country is in its financial system, uses these ridiculous things called credit scores. Your purchases, everything you do, are online. You own a credit card, that’s online. You own a cellphone, you’re online. And you don’t have to have a social media presence, you’re there. The only thing that you do with your social media presence is you feed the engine unnecessarily.

Paul: Okay. Good. That’s great.

Adriel: Yeah. So I mean, that’s really the best way to explain it.

Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our shownotes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.

So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.

Adriel: My pleasure, any time.

Paul: Thank you Adriel.

Staying Security Smart

November 14, 2016 / Paul / 0 Comments

Today on the Edge of Innovation, we discuss how to be put safeguards on your computer to be safe from hacking.