
The Farce of Cybersecurity

On Episode 60 of The Edge of Innovation, we’re talking with security expert Adriel Desautels, founder and CEO of Netragard, about the farce of cybersecurity!

Show Notes

The Netragard Website

Get in Touch With Netragard

Find Netragard on Facebook

Find Adriel Desautels on Twitter

Find Adriel Desautels on LinkedIn

Find Netragard on Twitter

Follow Adriel Desautels’ Blog on Netragard

Netragard in the News

“Is Your Data Safe From Hackers?”

“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor

“Cars: The Next Hacking Frontier?”

“How to Find a Genuine Penetration Testing Firm”

“What Is Penetration Testing? Here’s the Right Definition”

“Is Your Data Safe From Hackers?”

“How To Hack A Company With A Trojan Mouse”

“Don’t Become a Target”

Bitdefender’s Website Where You Can Buy Bitdefender, recommended by Adriel Desautels

The Hands Off! Mac Update Download recommended by Adriel Desautels can be found here

VMware Fusion, also recommended by Adriel Desautels, can be found here

Download for Little Snitch

“Honeypots: The Sweet Spot in Network Security” – An article about Honeypots

The Frank Abagnale movie, “Catch Me If You Can”

Link to SaviorLabs’ Free Assessment

Sections

Internet Security is a Farce
Security Technologies That Work
Traditional Hackers: How They Think
Why Internet Security Matters to Small Businesses Too
I Feel Safe! And Why You Shouldn’t
Listen & Learn: Making the Right Decisions About Security
Tech Surface Mapping
Security Testing: Be Proactive
Why Patching is Critical
Authenticate Files

The Farce of Internet Security

Internet Security is a Farce

Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard.

Adriel: The security industry as a whole and the businesses that are being “protected”, I mean, it’s really just a farce. People have this understanding of businesses having good security, or they entrust them to have good security. “Oh, this business won’t be hacked. I trust them with my credit card.”

On what grounds? You know, why do you trust them? I mean, is there any reason to trust them? There isn’t. It’s just because they said they could do it. They’re a big business. They have a lot of money. They have a lot of financial power. They have a lot of exposure, so we trust them. The reality is that none of these businesses are really secure. I mean, we have yet to encounter a business like an Equifax or like a Home Depot or any of these retail shops that we couldn’t breach with relative ease. You know, the businesses that tend to be more challenging to breach, we still get in. But the businesses that tend to be more challenging to breach are the ones that have to do with storage. Storage of information because they’re really required to care about it, or communication, to a degree. You know, they’re required to care about it. But businesses that serve the consumer they’re generally really vulnerable.

The vulnerability is partially their fault. I mean, Equifax’s case, gross negligence, the word just keeps coming into my head. But it’s also the fault of the security industry. And here’s why.

The majority of vendors that do provide penetration testing services and security services, they sell snake oil. Right?

A case in point. Antivirus solutions. If antivirus solutions really worked, if they really prevented malware and ransomware and all this and that, there would be no malware or ransomware. They only work partially, but they market themselves as saying, “Hey, you know, we solved this problem.”

Intrusion prevention systems. They don’t prevent intrusions. They just prevent what is detectable. And by the way, what is detectable are most of the commercial, off-the-shelf tools that are used by penetration testing firms. So, they buy technology to protect their networks, and then they go and they hire a vendor, a commercial vendor, who doesn’t have real hackers on staff. They effectively have glorified script kids on staff. They use third-party tools. This other vendor comes in and tests the security of their network, but the defensive technology that they bought is designed specifically to defeat the commercial technology that’s being used to test them. So they pass with flying colors.

Hacker Joe comes along. Hacker Joe is not going to use any of these commercial, off-the-shelf tools. I don’t know about you, but I’ve never seen a hacker use a commercial scanner to breach a network. Hacker Joe is going to walk right in the front door, and then, just like all the businesses, thousands of the businesses that have been breached, they’re going to say, “Well, I don’t get it. How were we breached? We tested all the time.”

Well the reason why you were breached is because you didn’t get a real test. The reason why you were breached is because you didn’t do what was actually required to make you secure. So kind of rewinding and going back into people, people assume that these businesses are doing the right thing, and they’re not.

Part of the reason why they’re not doing the right thing is because some of them just simply don’t care. They’re focused on budget. They’re focused on just the political aspect of security. The other part is, they really do care, but what they’re being told and taught by the security industry is just a bunch of marketing fud. Right? You have to do it this way. You have to do it that way. But these things are not actually effective.

Security Technologies That Work

Adriel: I mean, in our experience, there are only — what? I think there are three technologies out there that have ever slowed us down or even given us a run for our money. One of them is produced by a company called Cylance. So Cylance is a business that we’ve followed for a while. We have no affiliation with them, but their technology works, and it’s a brand new way of doing things. It works very well.

The second one is Carbon Black, Bit9. And I know that Carbon Black and Cylance look at themselves as competitors, but I look at them and I say, wow, these guys really complement each other. Those two technologies alone make the job of breaching a system with malware or exploits very, very, very difficult, almost impossible.

So then that leaves you with the social avenue, social engineering. Well the third thing that you can do is you can deploy internal honey pots but low interaction, not high interaction. That’s a waste of time. Low interaction honey pots. Things that are just there to detect a breach, detect lateral movement.

You deploy those three solutions or two of those three solutions, you’re going to make the job of a hacker, like my team, the guys on my team, very difficult. But most people don’t have that. What most people have is they might have Carbon Black. They might have a Cylance technology, or they might have a honey pot. When you have one of those solutions open or just one of those solutions deployed, we’re going to leverage those other gaps. So, yeah, a lot of depth for a simple question.

Traditional Hackers: How They Think

Paul: Well, no, absolutely. So let me ask you this. So for a traditional hacker, if they hit these things, unless they’re being paid to go after a certain company, are they just going to give up and move to the next target?

Adriel: Yeah. So traditional hackers these days, it’s not like in the ’80s and the ’90s anymore. Hacking the scene has become much more criminalistic and much more about making a buck. And so you’ve got to think about making money as efficiently as you can with as little risk as possible.

So as a hacker, if you go and you breach a network, and you notice that they have these kinds of things deployed, you’re going to think, “Well, why would I go after this retail company when I could just go after this retail company, because they don’t have it?” You know? And then you still get your pay out. You maybe charge a little bit more per credit card, or maybe you sell the network to somebody else that wants to use the resources of the network to do something. But you, you can still find a way to make your money off of that kind of a breach, and you don’t have to spend quite as much time doing it.

A great example of a soft network would be the Equifax network. Or even Target; the way that Target handled their breach was just as silly. And actually, speaking of technologies that have proven to really miss things and that are sold as end-all-be-all solutions: FireEye. FireEye was used by both Target and by Equifax. And FireEye, in their favor, they did notify Target about a lot of the activity that was going on. Didn’t prevent it, but they notified them, and Target didn’t really do much of anything about it. But they completely seemed to fail at detecting a known vulnerability, the Struts vulnerability, which affected Equifax.

So, how can you be this incredible solution that does everything and, and fail like that? You can’t.

Why Internet Security Matters to Small Businesses Too

Paul: So let me peel this back a little bit. So we’ve been talking about businesses and we’re talking about some fairly big businesses that are doing lots of volume in dollars. I mean, Target is a huge company. Equifax is a huge company. How do you apply this methodology or this thought process to small- to medium-sized businesses, somebody with 50 employees or 100? And does it matter? Because I’m sure I’ve heard from them that, “Oh, it doesn’t matter. I’m a small guy. They’re not going to go after me.”

Adriel: Yeah, it doesn’t matter at all. We hear that all the time and then months later they come back to us because they’ve been breached. In fact, there is a hotel chain that I can’t name. They came to us. They said, “Hey, you know we need to have the test.”

And we said, “Great. Here’s the price for the test.”

And they said, “Sorry, that’s way too much money.”

And we know it was not a lot of money. And then they went and they found another vendor to deliver a test, and they said, “Hey, we found this other vendor that will do this test for us for $5,000.” It was a $5,000 test.

And we said, “That is many, many times less than what you should be paying given the volume of work that has to be done to test you properly. But, okay.”

About four months after their test had completed, they suffered a breach, and they made the news. And we reached back out to them, and they refused to respond to us because it was an “I told you so,” but they were of the mindset where they didn’t think that they would be breached because it had never happened before. They had no indication that it was going to happen, so they felt safe.

I remember them saying, “We’re using antivirus technology. We’re using intrusion prevention systems.” They felt safe. They shouldn’t have felt safe.

I Feel Safe! And Why You Shouldn’t

Paul: Who is it in the organization that is spouting this “I feel safe”? Is it the CEO? Is it the CFO? Is it the lower levels, VPs of technology? Who is saying that? Who believes that?

Adriel: It really depends. In some businesses, it’s the C-level executives. In other businesses, it’s the security staff that are feeding false information to the C-level executives because they’re concerned about their jobs. They have this fear of losing their jobs. So in many cases, there is this ego. There is this ego. You get a kind of game going on where it’s “Well, I’ve got to look good, and I can’t afford to admit this because if I admit this then, that’s a big problem.”

In other cases, it is executives that, frankly, just view security as a nuisance. They don’t understand what security is. They look at it, and they say, “Well, you know, I don’t want to spend all this money because we could put this money someplace else and a breach will not happen to us. It’s never happened before. There is no indicator that anything like this is going to happen. I’m not overly stressed out about it,” you know.

Paul: Okay. Well that’s a gamble. That is definitely a gamble. So now when someone articulates that, what is your counter to that? Because, okay, it’s never happened before. I mean, it sounds good on the surface. It’s like, “Well, I’m a small company. I’ve got 50 employees. It’s never happened before. It’s not going to happen.” I can say that it’s not going to happen. It’s not going to happen. It’s not going to happen, but how do we bring them back into a more realistic view of things?

Adriel: You can’t. And that’s the hardest thing. I mean, we have tried. We have spent hundreds of thousands of dollars in marketing campaigns and all sorts of things trying to educate people. Not market, but trying to really provide people with good information about this, and it just doesn’t sink in. We have had detailed conversations with businesses that have later suffered breaches, saying, “This is what you need to do. Here is why you need to do it. Here are the measurements. Here are the metrics that show the workload. This is your exposure.” We break it all down for them in the sales process. We show them exactly what it is that’s going to happen during engagement, what things cost, and they just, they still… It doesn’t matter how much you teach them, they don’t care until it happens. And it’s truly unfortunate.

Listen & Learn: Making the Right Decisions About Security

Of the few customers we have that really do care, they either cared from the get-go because they understood the risk associated with it, or they came in saying, “You know what? I don’t know what I don’t know and I want to know. I want to learn.” And when they come in with that kind of a mentality, and they say, “I want to learn,” we can provide them with the truth. And we can provide them with facts and evidence and information. And if they’re willing to listen to that and learn from that, then they can begin to make right decisions with their own security.

Paul: We were talking about different companies. So let’s talk about the 50-user company. They don’t have the deep pockets that somebody else might have, a Target or somebody like that. So what do you do? What do you do there? They’re a typical business. They’re a manufacturer. They manufacture semiconductors, let’s say. And they have 50 employees. And they’re United-States-based. They have one office, one building where they build the things, ship them from, etc. And what are you going to say to them?

Adriel: So for them, we would give them the fact sheet. Say, “Hey, let us come in, and let us diagnose the work load. Let us see how much work actually has to be done.” So we get in. We literally diagnose their entire infrastructure, which is a long process. But we do this because we want to make sure that it’s an accurate quote that we provide them with. And then we say, “Hey, based on…”

Paul: By diagnose, what do you mean by diagnose? I mean, you don’t take a stethoscope and put it up to each computer. Do you inventory the computers or what? Tell me about that.

Adriel: So that’s kind of our secret sauce.

Paul: Okay. No, that’s fair.

Adriel: Yep. And the reason why… I’ll tell you right now. The reason why we don’t talk about it, it’s not because we’re afraid of talking about it. It’s because what we’ve found historically is that the competitors that do the vetted scans will say anything.

Paul: Of course. Oh, yeah. I’ve seen that.

Adriel: If we come in and if we explain this, they’re just going to say, “Hey, we do this,” and it’s going to… The track for actually doing it and then, you know…

Paul: Of course.

Adriel: But the analogy that I can give, or the example, or what I can tell you is, when we’re done with the diagnostics, after we’ve actually come in and we’ve done this work, we generally know more about our customer’s network than they do. We know about literally everything that really exists in that environment that we’re looking at. And we’re able to do really good sampling and really good reduction of your sampling of work to come up with pricing that is not necessarily competitive with what everybody else is doing, but with pricing that is very real, based on what actually has to be done.

Interestingly enough, in our experience, our prices often come in less than some of the larger companies and, obviously, more than the scanner shops. But they come in less. An example. We were doing work with a part of the government of Trinidad. And they had received quotes from other vendors, and their quotes were all based off of this understanding that they have 64 external IP addresses. And the quotes were coming in anywhere from $100,000 to $60,000. The best competing quote that they had as far as price was concerned was actually a $60,000 quote from a firm here in Massachusetts that sells scanning software, and they also do penetration testing. And we came in, and we looked at them, and we said, “Well, yeah. You’re about 11 grand.” And we gave them a proposal for 11 grand, and they immediately came back. They said, “No, you made a huge mistake.”

We said, “How did we make a mistake?”

They said, “Well all these other vendors are coming in at this price, and you’re coming in here? And our budget is this, but you’re coming in at a fraction of our budget.”

And I said, “Well, you know, there’s no mistake. It’s because you have, of those 64 IPs, 11 are actually running. Right? And these 11 map out in this specific way, so here’s the work load.”

And they took a step back, and they said, “Okay. This makes sense. So why is everybody else charging us so much?”

And my answer was, “Well, they’re charging you because you told them you have 64 IPs.”

And they said, “Well, yeah. But they asked us all kinds of questions about our environment.”

And I said, “They did that to look good. They don’t actually use that information. They just say 64 IPs times a dollar value, a dollar per IP and a number per IP, and there’s your price.”

They kind of stepped back again. They said, “So, you know, we’re basically being tested to have a whole bunch of non-existent things tested? Or being charged to have a whole bunch of non-existent things tested?”

And I said, “Yeah.” That equates to like zero seconds worth of work, and you’re paying the money for it, you know.

And so, so, you know.

Tech Surface Mapping

Paul: Fascinating. Okay. So we’re talking about a small business. You’d come in and you would do your discovery, I guess. You had a word for it. What do you call it?

Adriel: Tech surface mapping.

Paul: Okay. And so you would then give the small business a quote, and they would choose to do it, and then you would come in and find all the exploits, hopefully. So you do that. And you deliver your report, and then their network goes on and things change. Do you have to do that again?

Adriel: It depends on the customer. So almost all — I’d say 95% of our customers are multi-year customers. And so what ends up happening is you engage us. You engage us on year one. We come in. We deliver the test. We deliver a free re-test after you’ve fixed everything. We maintain you throughout the year, with basic checkups, effectively.

Paul: Well that’s nice.

Adriel: Then when you come in on year two, we do the same thing. We measure your progress. So you do repeat the process because networks change. Networks evolve. But through the multi-year, you actually end up, very quickly, as we have seen, reducing your overall risk and exposure profile because you’re continuously being exposed to something very real. So yes, it’s something that they come back, and they do repeatedly.

Security Testing: Be Proactive

Paul: Would you say you’re doing security assessment, security testing? Would that be fair, what Netragard does?

Adriel: Yeah, I wouldn’t say assessment.

Paul: Okay. Security testing.

Adriel: Yeah.

Paul: But it sounds like you’ve thought about it. And it doesn’t sound like you have one test and you’re done. It sounds like you have to have proactive, continuing testing.

Adriel: Absolutely. And it’s because of the rate at which new vulnerabilities surface. So when you look at Windows, for example, six months ago you could have had a fully-patched Windows system as of six months ago. That fully-patched Windows system from six months ago is not going to be up to par today. And it’s because vulnerabilities, really, what are they? They’re programmatic errors, programmatic mistakes. So when developers make software, they make a mistake, or they rush through something because they need to meet a specific deadline.

When they make this mistake, the mistake is something that we can exploit or something that we can leverage to facilitate penetration. As systems grow older, those mistakes become uncovered more and more. Researchers spend time looking at systems, finding these mistakes. All computer systems will always have mistakes. All software is fallible. And so if you patched something six months ago, and then you give hackers another six months to look at finding new system flaws, new vulnerabilities, new mistakes, they’re going to find them. They’re going to uncover new ones. And if you don’t patch currently, you don’t maintain your current patches, you’re not going to be eliminating those current mistakes.

So security is something that is continually evolving. It’s something that you need to continually test. Like penetration testing, you need to do. But you also need to stay up to snuff with regards to the defenses and the latest kinds of attacks that are coming in, and not just the attacks that you hear about in the news, but the attacks that are really focused on you. Because the attacks that you hear about on the news or you read about in articles and things like that, those are generic. Those are attacks that have affected a large number of people. But every single network is different, and I could tell you first-hand, every single network that we breach is breached differently. So you have to also understand how it is that you’re going to be breached. And you do that, again, by continually doing realistic threat penetration testing but also paying attention to what’s going on in your environment.

So yeah, it’s a continual process.

Why Patching is Critical

Paul: Okay. So it sounds like basically we sort of wandered a little bit into how you protect yourself here. You said patching is, is critical. Is that true? So I’m thinking about the ordinary person, home user or a small business user. What do they need to pay attention to?

Adriel: Well, patching is probably the number one thing. If you look at, I think it was the Verizon data breach incident report from 2015, maybe 2014, when it actually used to be a really good report, they pushed out some nice numbers on that. And it was 99.98% of all breaches back then were attributed to the exploitation of known vulnerabilities that had been in the public domain for over a year. 0.01% were attributable to zero day exploitation. 0.01%.

So when you look at those numbers, it tells you a lot. I mean, that’s very telling. It says, hey, people just aren’t patching. And we know people aren’t patching. A bit of another tangent, but ridiculous story: our infrastructure — water, power, all that — they are afraid to patch because they think that if they patch, it’s going to render a system unstable.

I remember having a debate with this guy. I won’t give his last name. His first name was Jake, and he runs a major water treatment facility, is responsible for the security of this facility. I said, “Jake,” I said, “You’re running systems — Windows 95, Windows NT — still. You need to make sure that you do something and mitigate this. Get newer systems, update, patch, whatever.”

And he said, “No, no.” He said, “I can’t afford to patch.”

I said, “Why not?”

He said, “Because patching might make something unstable, and if it makes something unstable, nobody has water, or people get poisoned. I can’t patch.”

And I said, “Well, yeah, but anybody can just walk in the front door with these vulnerabilities, and they can do the damage that way anyways.”

And he said, “Yeah, but to me that’s less of a risk than patching because I’ve never had that happen before.”

Paul: Wow.

Adriel: So it’s scary. But patching is something that has to happen.

Paul: How do you counter, the person who says, “But doesn’t it automatically patch?”

Adriel: You can’t because you’re dealing with emotions.

Paul: Well no. Is that true? Doesn’t the system automatically patch itself?

Adriel: Some of them do, but they disable that. A lot of people disable that.

Paul: Okay. So, in a Windows world… I know in Windows 10 they’ve made it a lot harder to disable that. But I know in Windows 7 you’d go to somebody’s machine — I’ve done that helping somebody out and looking at it and say, “Oh, you’ve got 342 patches that haven’t been installed.” So that is true. That rings true. Microsoft’s trying to do that. I know that I’ve seen many times when I boot up my Mac, it says, “Oh, you’ve got five updates you have to install.”

And I sit there, and I say, “Well, I don’t use iMovie. Should I install the patch or not?”

Adriel: Yeah, absolutely. If it’s installed on your computer, you should absolutely install the patch. iMovie is a great example of a helper application. Maybe I send you a file somehow. You never use iMovie, but this file requires iMovie to open it. And you say, “Oh, I trust this source,” because I built up a good trust relationship with you. When you click on the file, the file may be a specially crafted file that will exploit an old vulnerability in iMovie, and then I’ve hacked your system.

So any application that exists on your computer that can be used to open something that is sent to you, we call those helper applications. And those applications are major targets. A great example is Adobe Acrobat. You look at the zero day market, and you look at Adobe Acrobat, you can sell an ideal Acrobat vulnerability for $200,000 to $300,000. There, it’s worth quite a bit of money, and it’s quite a valuable target. So, yes, patch everything if you can.

Paul: Okay. So patch everything.

Authenticate Files

Paul: What else should I do? Is there something else I should be doing? Now you said we built up a trust relationship. You send me a movie. Should I open it? Or you send me an Acrobat file. Should I open it?

Adriel: No. You should authenticate, and it seems kind of weird to hear people say this, or to hear me say this. Everybody says, “What do you mean?” But if somebody sends you a file, and you don’t have some kind of a cryptographic signature or some way of authenticating that that person is who they say they are, don’t open the file. If you have a friend that sends you something, send them a text message, a side channel through your phone. Send them a text message and say, “Hey, did you just send this to me?”

And if they say, “Yes,” then go ahead. It’s safer because you verified that it came from a trusted source. But if I know that that’s your friend, and I’m Hacker Joe, I might pretend to be your friend and send the file just to breach your system.

Likewise, there’s malware out there that will mimic friends. Way back in the day, the ILOVEYOU worm. That was a great one. It didn’t use any exploitation other than exploiting humans. But it was a basic piece of malware that sent a love letter from you to the people in your contact list, using Microsoft Notebook. And I forget the scale of the infection, but it was millions, and it was because people would receive those emails from a trusted source. They wouldn’t verify that this content was real. They would open the attachment and boom. They would be infected with ILOVEYOU, and then they’d send it to the next 40-some-odd people on their list, and it just kept on going.

Paul: Interesting. Alright.

There’s a lot of stuff; we could do this a couple more times, I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links in our show notes that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and, of course, a link to Netragard as well, and ways to contact Adriel.

So, Adriel, thank you very much for your time. We really appreciate it! It’s really been fascinating, and I think a lot of people will learn a lot today, and I really look forward to doing it again.

Adriel: My pleasure, any time.

Paul: Thank you Adriel.


Also published on Medium.

The Art of Hacking: Cybersecurity With Adriel Desautels

On episode 59 of The Edge of Innovation, we’re talking with Adriel Desautels, founder and CEO of Netragard, about hacking and cybersecurity!

Show Notes

The Netragard Website

Get in Touch With Netragard

Find Netragard on Facebook

Find Adriel Desautels on Twitter

Find Adriel Desautels on LinkedIn

Find Netragard on Twitter

Follow Adriel Desautels’ Blog on Netragard

Netragard in the News

“Is Your Data Safe From Hackers?”

“This Year, Why Not Take Your Data Seriously”- Netragard’s Guide to Finding a Vendor

“Cars: The Next Hacking Frontier?”

“How to Find a Genuine Penetration Testing Firm”

“What Is Penetration Testing? Here’s the Right Definition”

“Is Your Data Safe From Hackers?”

“How To Hack A Company With A Trojan Mouse”

“Don’t Become a Target”

Link to SaviorLabs’ Free Assessment

Sections

What Does Netragard Do?
Hacking: Making Things Do Things They’re Not Supposed To Do
How Adriel Became a Hacker
Starting a Business Using Real Hacking Methods
Is Hacking Complicated?
The Art of Hacking
Pricing Based on IP Addresses is Not Ideal
Real Time Dynamic Testing
What is Penetration Testing?
What Should You Do About Cyber Security?
What’s the Big Deal with Online Profiling – Social Engineering
Internet Abstinence Won’t Protect You

The Art of Hacking: Cybersecurity with Adriel Desautels

Paul: Hello, everyone. I’m Paul Parisi here with the Edge of Innovation, and our guest today is Adriel Desautels from Netragard. Adriel, are you there?

Adriel: I am.

What Does Netragard Do?

Paul: So, Adriel, you are with a company called Netragard. What in the world does Netragard guard? Or what does it do?

Adriel: So just like our slogan says, we protect you from people like us.

Paul: I love that slogan. So, “people like us.” What do you do? Are you hackers? Or are you white-hat hackers, or what?

Adriel: So we are hackers in the very real sense of the word. We have roughly 35 guys on the team right now that are all vulnerability researchers and zero-day exploit developers. So we really specialize in tearing apart technology, understanding how the technology works, and then finding ways to make the technology do things that it’s not supposed to do. And we apply this skillset to anything from automobiles and cellphones, all the way into large corporate networks or government networks and so on and so forth. The end product is we breach something, we hack something, we break something, and then we provide you with a solution to prevent other people like us from being able to do the same thing.

Paul: So basically, you guys sit around and try and break things. Or, I mean, because you said, you used very select words there. “Make things do things they’re not supposed to do.”

Hacking: Making Things Do Things They’re Not Supposed To Do

Adriel: Right. Absolutely. So, a prime example, right, with cellphones, for example. When you receive a text message from somebody, you expect the text message to display the message. If you receive a text message from us, our text message, you might never actually see it come in, because it will be designed in such a way that rather than displaying a text message, it gives us complete control over your phone. So maybe when we send you a text message, the payload, or the contents of the message, will allow us to listen to your microphone, turn on your camera, track you via GPS, read the emails, look at what you’re browsing, etc., etc., etc.

And the way that we do that is by leveraging flaws that exist within that specific piece of technology. And the same would be for anything. You know, we did research on cars a while ago, we were in the news for the research there. And we found that it was possible to do things with the cars, like take control over critical systems such as the accelerators, the braking systems, seatbelt tensioners, other kinds of security things in cars. And so you can literally hack a car and turn a car into a weapon.

So we look for the different avenues of those kinds of things can be done and then we build solutions so that the people who are responsible for making these technologies can prevent those kinds of things from happening, hopefully.

Paul: Okay. Alright. Well, that sounds scary and interesting all at the same time.

How Adriel Became a Hacker

Paul: Let’s take a step back. So now, what’s your background? Did you go to school for this? Did you just figure out one day, “Hey, I want to be a security person”?

Adriel: Yeah, so, when I was about eight years old, my father picked up a Tandy 1000 and maybe I was even six. I was young. And I wanted to know how this computer worked, and I played Lode Runner. I played with the word processor that he had, the big old disks you used to have to stick in there. And I became more and more curious. So I began picking up BASIC, I think it was, and just trying to figure out how things worked in that respect. And then, you know, I saw well, if I put in this text with this, the computer would beep in this way, or the computer would do this kind of thing.

That evolved and then I was gifted with a modulator demodulator and I thought to myself, so if I dial this telephone number, I get a connection. What happens if I try a bunch of different telephone numbers? Most of the time, it would be people that would pick up and be mad that they were being called by a modem. But sometimes I would be calling other modems, and I’d find that they connect to systems that I wasn’t supposed to.

And then from there I discovered the real satisfaction. Curiosity. You know, hackers are driven by curiosity. And there’s a saying that I hear all time, curiosity killed the cat, satisfaction brought it back. So, it kind of evolved from there.

When I went to college, I was studying a combination of computer science and philosophy. I ended up dropping out of college in my second year because I was already working in the industry. I was making more money than most people with a degree, and I was learning stuff in school that I had already learned and that was really antiquated. And so I thought, well, I don’t really need a degree to get me, nothing.

And so I dropped out of college and started my first business. Sold that business, worked in the industry for a bit, which is how you and I met initially, I think. And then I started up my second business and here we are. And through the interim, the point between the two businesses, I realized that I do not work well for other people. I work much better for myself, with my team. And so here we are. And it’s been a great adventure, but it’s been a pretty successful one too.

Starting a Business Using Real Hacking Methods

Paul: Excellent. So what is that business that you started? It’s Netragard. But, I mean, what was your intent? And how long ago was that?

Adriel: Yeah, so back in 2006, really 2005 to 2006, right after we were running SNOsoft, or Secure Network Operations was the full name, we were approached by a bank. And the bank said to us, “Hey, we’re looking for penetration testing that will deliver a real hack. We really want to get hacked.”

And we said, “Well, we don’t really do this kind of stuff. My team is really into reverse engineering and zero-day exploitation and things like that. Right now we’re doing vulnerability research and exploit development, but we’ll try to find a company.”

And so we scoured the internet. We looked and looked and looked, and we could not find a penetration-testing firm that would actually do what they said they were going to do. They all said that they would do manual testing. They all said that they would use a research-based methodology. They all said they were going to do these incredible things. But when it came down to really talking about the technology, they were all going to effectively deliver a vulnerability scan, vet the results, and produce a report, which is not what our customer wanted or our friend or associate wanted.

And so they said, “Well, why don’t you guys deliver this test?”

And we said, “Alright. We’ll give it a shot.” And so we took our vulnerability research and exploit development methodologies and we created a methodology. It was called Real Time Dynamic Testing. In about 2006, we used that methodology to test this bank, and we managed to breach the bank and take the domain in four minutes flat. And the reason why we were successful in doing that was because they had a critical system that was exposed to the internet but it was configured in a way that the traditional scanning technologies wouldn’t detect it. I don’t know if it was delivered. But the scanners didn’t recognize the system.

We began to look at the network, and we said, “Hey, what is this glaring hole? Let’s play with this,” and boom. You know, we were right in.

And so the bank said, “Wow, this is incredible. Not only did you take our domain in four minutes, but we didn’t see you do it. And, you know, how did you do it?”

And we said, “Well, we just used real hacking methods.” Right? We didn’t depend on scanners, and that was that. So they began talking about us. Other banks began calling us, pharmaceutical companies and so on and so forth. And we just kept on testing and kept on evolving and methodologies continually evolved.

And on the side, for the longest time, we were also doing the zero day vulnerability research, zero day exploit development, and we were catering to the zero day market. So the business was running on two fronts.

Today it’s strictly offensive. Today we are strictly hacking people and breaching people using the same kinds of methodologies and the same kinds of threat as you’d experience from nation states or from real world hackers.

Is Hacking Complicated?

Paul: So now you mentioned there that you were able to break into this. And this sounds complicated. Is it complicated? Or is it not complicated?

Adriel: No, it really isn’t. The most complicated part of breaching a network is doing the research upfront to identify the points of weakness. Once you identify a point of weakness, it’s generally pretty simple to exploit it. For example, if it’s going to be a local file inclusion vulnerability in a web application, right? You have to understand how an application is constructed. You have to be able to apply a path so that you can include a file from the local file system and just really were to paste or write a simple string. And that one simple string enables you to call a file.

So a really simple example would be an ISP that we were working on back before cloud computing was a really big thing. These guys were kind of like your pre-cloud computing hosted environment.

They had an infrastructure set up with a management interface, and the management interface had a glaring local file inclusion vulnerability in it where you could see the path, and you could see the file that was being called right in the URI. So what we ended up doing was we ended up generating a bunch of PHP based error logs by dumping PHP code directly into the server, and that would get recorded in the error log, and then we directed the path in the URL, the URI, to the error log for Apache, because we knew they were running Apache. When it loaded the error log, it interpreted the PHP, and we got a shell in the system.

Paul: Oh my gosh. Wow.

Adriel: Yeah, so it’s pretty simple stuff.

Paul: Well, once you say it, it’s simple.

Adriel: Yeah.

Paul: That’s very important, I think. It’s like, I would not have thought of that, but now that you say it, it’s obvious.

The Art of Hacking

Adriel: Yeah. It’s funny because even the most complex hacks become trivial once they’re discovered. And so the real talent and the real art is in the discovery, and it’s being able to think in such an obscure and different way that you almost… It’s not really out-thinking other people, but you — for a lack of a better term — you out-art the other people.

Paul: Well, it’s almost out-thinking reality because you’re not just taking it for what’s in front of you. You have to look behind it and around it and under it.

Adriel: Yeah, exactly. And sometimes you have to build an entire ecosystem or environment for this thing to exist in to break it. Because certain pieces of software are meant to exist in certain situations. They’re meant to do certain things. So put them in a different situation that’s designed specifically to make it break, make it uncomfortable, you know. Doing that’s really what hacking is all about.

Paul: So it sounds like the kind of work you’re doing is finding the — I don’t want to say “esoteric” but… I didn’t know. Is that fair? Esoteric? Because I’m wondering now, you must offer something or do something that, checks for the run-of-the-mill things.

Pricing Based on IP Addresses is Not Ideal

Adriel: Oh, yeah. Absolutely. So, when we offer our services, there are three different levels, and the higher level includes the lowest two levels. So there’s silver, gold, and platinum — the whole packages that we offer. The silver level package is the industry standard package. It’s what you’re going to get from 90% of our competitors or 90%, 99% of the industry. And it’s really how many IP addresses do you have? I’m going to price based off of the number of IP addresses. Right? So you say you have 10 IPs at 500 bucks per IP, $5,000. We don’t price that way. This is the competition.

And then we’re going to take the IP addresses that you give us. We’re going to give them to a vulnerability scanner like Nexpose or Nessus. And then we’re going to run the scan. The scan is going to find what it’s going to find. We’re going to pass the results of that off to a team of engineers. The engineers will exploit whatever is exploitable, and then they’ll produce a report. Right? So that’s sort of the entry level penetration testing service.

It’s not ideal for several reasons. The first is, when you price based off of the number of IP addresses, you’re not actually pricing based off of workload. So, suppose you have the 10 IPs, and they’re all running complex web applications, maybe 40 man-hours per IP, $5000, that’s $12.50 an hour roughly. Nobody can work for $12.50 an hour, so you have to compensate with automation.

The second reason why it’s not ideal is automated vulnerability scanners only identify the low-hanging fruit, which kind of goes in the question that you were asking. Right? So they only identify the, the basic stuff that exists — maybe 30%, 45%. Someplace in that range, anyhow, is configured of the vulnerabilities that exist with a network. So if your methodology depends on automation, you’re going to be leaving a major gap. You’re going to be leaving a lot of exposure, which is part of the reason why businesses are suffering breaches left and right. Right?

Real Time Dynamic Testing

So then you escalate up into the gold level of service, and the gold level of service will include that low-hanging fruit type thing, the basic checks. But then we bring in Real Time Dynamic Testing, which is the methodology that we use for doing research based penetration tests. It incorporates major components of our vulnerability research and exploit development practices. So Real Time Dynamic Testing and it gets you close to a 90, 95% point of coverage as far as technology is concerned. We don’t just use — and sometimes we don’t even use — vulnerability scanners, but we really depend on our own experience, expertise, hands-on digging. Right? And that coverage you get the low-hanging fruit, the basic stuff. You get the really advanced stuff in there.

And then you go for the platinum. Platinum is realistic threat. We will cover the gamut — social, physical, electronic — and there’s no limit to what we’ll do. We have zero day malware that we use. It’s called RADON. We have different variants of RADON. The social engineering practices that we use have been written about in The Economist, Bloomberg, Forbes. We built a mouse that was fully weaponized that breached networks for us. I mean, all kinds of things. Yeah. So that was a very long-winded answer to a very simple question.

What is Penetration Testing?

Paul: No, I appreciate that. So let’s roll back a little bit. And first of all, for our listeners — because we have a fairly wide range of listeners. So you mentioned the word “penetration testing.” And I know that’s generally referred to as pen testing, and it’s not testing whether your pen works. Is that breaking into a network? What is penetration testing, very simply?

Adriel: Yeah, it’s a test that’s designed to identify the presence of points where something can make its way into or through something else. And then when applied to network security or applied to networking, it’s the same kind of thing, but it’s a test that’s designed to identify the presence of vulnerabilities, in an infrastructure that can be breached by an adversary.

Paul: Okay. So you figure out how to get in.

Adriel: Yes.

Paul: Whether you do it or not, you, you know that now there is a door that is ajar or a window that’s not locked.

Adriel: Yes. So we, we figure out how to get in, and we do get in. We demonstrate by exploitation. So we demonstrate by proof.

Paul: Okay. So you go in and put something on their coffee table.

Adriel: Yep or, if it’s a physical point of entry, you know, one of our treasuries, we literally walked into a data center and walked out with a computer.

Paul: Really?

Adriel: One of the state treasuries. Yeah. In other cases, we’ve turned on web cams and microphones and recorded entire conversations in businesses. And in one case, we actually took a video of a guy picking his nose, playing solitaire, and drinking coffee.

Paul: Wow. Well, I know that can’t be me because I don’t drink coffee.

What Should You Do About Cyber Security?

Paul: So, okay. Good. Alright. So now, we hear about cyber security, network security, security all over the place, all the time. And, general citizens have no idea what to believe. Is it good? Is it bad? Is it getting worse? Is it getting better? Is there risk? Give me an answer, it’s some point. We’ll put in some stakes in the ground here. But what would you tell the ordinary, average person? Should they be using a computer? Should they not? Should they not worry about it? Who cares?

Adriel: Yeah, there is no such thing as security when it comes down to corporate security or commercial security. There is just a market. And it’s a self-perpetuating market. And that market really does provide, in many cases, a false sense of safety. When it comes to help people should be using their computers, they should think very carefully about the kinds of data that they want to store on their own computers. And they should also think very carefully about what they put out into the cloud, you know, social media. Anything like that. Because that moment that information is out there, it’s no longer their information. It might be protected by contracts. It might be protected by privacy policies. But as we’ve seen with Equifax, and as we’ve seen with Target and Sony, Hannaford, Home Depot, Ashley Mad—, you know, I could go on and on. The information is no longer their information.

Paul: Well they don’t have control over it.

Adriel: Right. And one of the things that has really surprised me about people is people think, “Well, Facebook is private. That’s my Facebook page.”

Yeah, well, you know, it really isn’t. If you’re a private person, you shouldn’t put it out there. There is no control.

What’s the Big Deal with Online Profiling – Social Engineering

Paul: Okay. So let me just unpack that a little bit. That seems to be, well, when you are doing something — whether you realize it or not — you’re explicitly sharing information. You go and you put on Facebook that I like the color orange. Okay, so the world knows that. So what’s the big deal? So people know I love the color orange.

Adriel: Yeah. So the big deal is profiling. One of the things that we do when we hack businesses is we, for the platinum level stuff, we socially engineer people. To socially engineer people, we have to be able to understand what they like, what kinds of pets they have, who they’re married to, who their children are, what the last meal was they ate, anything like that. Any of that information that might seem benign. That information can help us to build a false story around a false persona that meshes very well with them. And then that enables us to befriend them on Facebook or befriend them socially in the business.

Once we befriend them, we can begin to build a trust relationship. And once that trust relationship reaches the point where I can send them content by email, a document, or I can get them to click on a link, I can breach the network. So any information that they put out there is going to be useful for me to help leverage them or breach them. Or maybe even just create a falsified story, you know, and, and extort them.

I saw something really interesting recently. We have a friend here that’s going through a divorce and she received a letter in the mail. And the letter was sent to her house but it was addressed to her husband, her ex-husband, or soon-to-be ex-husband. And it said, “Hey, you know, I have really dirty information on you. And I’m not going to share it here because I don’t want your wife to know what this is but I think this is worth some hush money,” effectively. And “If you give me $2000 in bitcoin, I won’t tell anybody about this kind of thing.” Right? So the reason why they figured out this divorce was going on was because of information that was disclosed in public. It’s actually a fairly common scam. So any information that you put out there is stuff that can be leveraged by people looking to extort you or breach systems. Or, if we get hired, we’ll use it to break into whatever networks you have.

Paul: Okay. Alright. So the point here was that my use of technology as an ordinary citizen, you’re telling me I shouldn’t share things on Facebook.

Adriel: Right.

Paul: Without understanding the risks and if I’m okay with those risks. Is that fair?

Adriel: Yes.

Paul: What do you tell your close friends? Don’t use Facebook — don’t even use the internet? That seems like the safest thing.

Adriel: Yeah, it would be. Don’t trust anything on the internet is what I would say.

Paul: That’s fair. But now Equifax, I could have never used the internet, and Equifax, all of sudden, let all my information out.

Adriel: That’s right.

Paul: So I have been foregoing the enjoyment of the internet — because it’s a pretty cool place. I can do lots of stuff. I can learn lots of stuff. I can have great relationships and get to know people and see what my friends from high school are doing. And I’ve foregone all that. And then Equifax does something stupid and so I basically said, “Oh, I’m going to abstain from the internet.” How do you speak to that? What do you think of that?

Internet Abstinence Won’t Protect You

Adriel: So your abstinence doesn’t necessarily protect you.

Paul: Well, but there was no way to protect me there. There was no way to protect me.

Adriel: Right. There isn’t.

Paul: So why not just use the internet? I understand your argument.

Adriel: Yeah. That’s what a lot of people do. It comes full circle.

Paul: I understand that you’re saying that the more information I get, the more exploitable I am. The more I give, the more exploitable I am. But then it’s sort of like Chicken Little. It’s sort of like, “Well, I’m never going to use the internet, so I’m safe.” And then Equifax does something, and it’s like, “Well that was a waste of time.”

Adriel: Yeah. That’s exactly right. And that’s where this conversation always inevitably ends up here. Is, well I won’t use it. Well, even if you don’t think you’re going to use it, you’re still using it. Your bank is online, period. You’re living in this country, and this country is in its financial system, uses these ridiculous things called credit scores. Your purchases, everything you do, are online. You own a credit card, that’s online. You own a cellphone, you’re online. And you don’t have to have a social media presence, you’re there. The only thing that you do with your social media presence is you feed the engine unnecessarily.

Paul: Okay. Good. That’s great.

Adriel: Yeah. So I mean, that’s really the best way to explain it.

Paul: There’s a lot of stuff, we could do this a couple more times I’m sure. We’ve been talking with Adriel Desautels of Netragard. He’s a security expert. And we’ve been exploring security and penetration testing and security testing and all of the different things that coalesce to mean security, what is security and what isn’t security. There will be a tremendous amount of links that will be in our shownotes, that I think will be worth looking at. Many of the articles that Adriel mentioned and many of the sites and of course a link to Netragard as well, and ways to contact Adriel.

So Adriel thank you very much for your time. We really appreciate it! It’s really been fascinating and I think a lot of people will learn a lot today and I really look forward to doing it again.

Adriel: My pleasure, any time.

Paul: Thank you Adriel.

© 2026 Paul Parisi
