June 16, 2021 • 28 mins

With an onslaught of ransomware attacks disrupting our supply chains, cybersecurity is more important than ever before. The best way to strengthen your defenses is to hire hackers to discover your weaknesses. I spoke with veteran pen tester and owner of Black Hills Information Security, John Strand about the industry, how to get into it and more.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Prodigy is a production of iHeartRadio. Pretty much anytime you have something of value, someone will try and take it from you, so you need to secure and defend it. The defenders are known as the Blue Team. Attackers are constantly innovating and devising new and improved methods of attack, so in order to strengthen security, defenders need

(00:21):
a team to think like the attackers do. This team is called the Red Team. It goes back to military training. They stage mock battles to practice their defense. It's not just in physical warfare, it's cyber as well. I'd even argue that wars are no longer fought with bullets and bombs. They're fought with mice and keyboards. Corporations and governments hold

(00:41):
information with immense value, so they're constantly attacked. So in order to strengthen their security, they hire professionals to figure out their weaknesses. I don't know, are we using camera at all? No? Just audio. I went through all of this work today, like combing my hair. John Strand is the owner of Black Hills Information Security, which is something

(01:03):
called penetration testing. The joke is we break into places so that other people can't break into those places. So companies hire John and his team to penetrate their security and tell them how to improve it so they're better defended against real attacks. If you're looking at the concept of, let's just say, a red team, it goes all the way back to kind of some of the early

(01:24):
days in the military, where if a military group was going to see what their adversaries could do, they would basically bring in another group in the military, or sometimes from outside of the military, to emulate what an adversary would do. Right? So in the old days, you have the United States Army, they had a red team and they would say, okay, what would the Russians do

(01:46):
in these situations? Well, that chronology has really kind of carried forward into computer operations, where you have companies that are trying to defend their networks and then they hire companies like ours to come in and emulate what hackers will do. So hackers breaking in via websites, hackers breaking in via social engineering or spear phishing. We will emulate

(02:10):
those tactics that you would see like the Russians, the Chinese, and various other, you know, legal organizations trying to break into companies. We emulate what they do to help make sure that organizations are defended against those attacks and also can detect those attacks when they're incoming. There's two basic ways to attack or steal: physically, and

(02:32):
virtually. The vast majority of cyber crimes are actually online cyber crimes. Right? You absolutely have social engineering where somebody breaks into a place. That's something that does happen, but it's far less than the other types of attacks that you would see. An example would be business email compromise, where an organization is attacked and the attacker is trying

(02:55):
to get people within that organization to give bank account routing information, user IDs, passwords, or trying to get someone to act on the attacker's behalf and do something they shouldn't do, like transfer thousands of dollars to another account that then immediately evaporates into thin air. So the vast majority of the actual attacks that you see are cyber

(03:15):
in nature, and that percentage pretty much matches up with what we do with a lot of our customers. So yeah, we do absolutely do physical break-ins, right. He mentioned Jack and the Darknet Diaries. That was a physical pen test that my mom did to break into a prison, and we've had a number of different other places where we've broken into classified locations, broken into banks, broken into

(03:38):
research facilities. So basically, if there's a way to break into a place, we will do that type of activity. Okay, so penetration testing is definitely the coolest job there is. We've all thought of robbing a bank once or twice in our life. These people get paid to do it. Oh dude. I mean, you get to talk to people and sometimes whenever they ask you what you do for a living,

(03:59):
you can say I rob banks for a living, and it's always kind of neat to see people get uncomfortable, like, what do you mean you rob banks for a living? I mean, I literally get to break into places for a living. So it makes it just this really cool, dynamic field, and you know, it's just, I mean, I've been doing this now for

(04:20):
twenty years. I've never gotten bored. I've never been like, well, I'm going to do the same thing today that I did yesterday, because it's constantly changing and the techniques are constantly evolving. John also started a thing called Antisyphon Training. They teach people how to become Security Operations Center personnel, which, to put it plainly, is a kick-ass job in high demand that pays really well. I don't know how

(04:42):
to code or hack, but with Antisyphon Training you can get started with little or no previous knowledge. Not only that, but they implemented a pay-what-you-can system to train people who have the desire but maybe lack some of the funds to learn the necessary skills. John and his team really are the good guys, but they're every bit as sharp as the bad ones. Black Hills does physical penetration testing, meaning they do get hired

(05:03):
to break into places like banks, but the majority of the attacks are virtual, and one of the most common tools that hackers use is Kali Linux. You've probably heard the word Linux before. It's an open source operating system that all types of things are built on top of. Kali Linux is a version of Linux that comes with a bunch of applications for hacking already installed. You can

(05:24):
download it for free right now and be up and running in less than an hour. It's gonna have password cracking tools, password spraying tools for trying to break into places remotely. It's a collection of all those different tools. So, yeah, we actually do use Kali because it's a very quick distribution that we can just stand up. You mentioned OffSec, and OffSec is one of the main

(05:46):
developers of the Kali Linux distribution, and almost every pen tester in the world, and hackers, to be honest, are going to be using Kali. We also write a whole bunch of our own tools as well for breaking into places. Learning to code might seem like a pretty big mountain to climb, but when you break it down, it's just instructions that a computer can understand. I'm fascinated

(06:08):
by the unknown things you could accomplish. So I researched what computer language is best to learn for hacking, and I kept coming across one called Python. It almost begins and ends with Python in the industry, and I'll give you a quick survey, right? So Python is probably the most heavily used language because it's very easy for people to learn and pick up this language, and you can

(06:30):
become proficient in writing a tool very, very, very quickly. The other language that you see a lot in this industry is Ruby, and the main reason why you see a lot of people learning Ruby is because Ruby is the language that Metasploit is written in, and Metasploit is a tool for creating payloads to deliver to

(06:51):
compromise computer systems. It's a tool for writing and executing exploits against services and misconfigurations, and it is also a tool for doing just basic security checks. So there's a lot of people that use Ruby, and if you're gonna learn Ruby, I recommend why the lucky stiff's Guide to Ruby. It's a great way to learn Ruby with cartoon foxes

(07:12):
and things like that. But we also have a large number of people that are learning Go, from Google, to get into coding as well. So if you're gonna get in, I recommend honestly Python or Golang to get started. But if you really like that whole exploit area and you really like what the Metasploit project is doing, Ruby is a great option too. The cool thing about Python

(07:33):
is it's not just for hackers or computer nerds. You can use it to do nearly anything. For example, one thing my job of senior sound designer requires is ordering equipment for new podcasts. Then I have to download the invoice PDF, rename it, upload it to our expense tracking system, then fill out and submit a report. Doing this over and over every single day is tedious and time consuming.

(07:55):
With Python, I can write a simple script to automate almost all of that, which will end up saving me a ton of time in the long run. If I'm trying to break into an organization, one of the common techniques that pen testers, red teams and hackers use is they will try to gain access through weak passwords. So there's a ton of people out there that use a password

(08:17):
like Spring, the season and year, which is great because you have to change your password every ninety days. The seasons tend to change every ninety days and the year rotates, so you always can remember what your password is without having to, like, write it down or anything crazy. So if I was going to try that password against, let's say, a thousand user accounts, I could type it in one

(08:38):
at a time into, like, an email portal or a web portal, or I can automate it. And with that, there's a ton of tools, many of them written in Python, and some modules in the Metasploit framework that you can use as well against different services, where you can automate trying that single password, let's say Spring, against the thousand user accounts. So I can write a script to

(09:00):
search the RSS feed for every podcast on Apple or Spotify, find the contact email addresses inside those feeds, then organize it into an Excel doc for easy access. Another benefit of Python is that it's a relatively straightforward language to learn, and like the Romance languages, once you learn one, it's not nearly as hard to learn another. At that point, it's basically just learning the different rules of the languages.

(09:21):
They call those different rules syntax. I'm gonna give you a hint: if you're ever stuck and you're like, I've got to automate something, you just have to close your eyes, wish very hard for someone else to write that tool for you, and then go to GitHub and look around, and somebody's probably already written a tool that does it. GitHub is a platform that hosts code

(09:41):
so you can collaborate with others. There's tons of code on there for all types of functions and applications. All right, we'll hear more from John right after a quick break. Welcome back to Prodigy. For more info or to get in touch with me, visit Prodigy podcast dot com. So John's company has grown a lot. He doesn't do much coding anymore. His time is better spent training. So

(10:03):
years ago, whenever I first started, it was around the two thousand one time frame, and I started while I was working at the Department of the Interior with what was Andersen Consulting and then Accenture Consulting. And if there was anything that I did back then, right, it was all like C and C++. That was it, right, because

(10:23):
you would go to, like, Packet Storm and you would find exploits. None of the exploits would work. You'd have to read, you'd have to change the code, recompile. It still wouldn't work, and you'd recompile it. So a lot of my early days was in C and C++. Over the years, now that I have a company, we have about like seventy employees. I'm spending most of my time doing training. So I'm

(10:45):
spending a tremendous amount of time in PowerPoint. So I actually don't develop much of anything anymore. In fact, I'd be hard pressed to probably write a program that just prints out Hello World these days. But no, it's just kind of one of those transitions that happens in the industry where when you start, you're coding, you're writing things, you're writing exploits, you're writing tools, and

(11:05):
then eventually this horrible thing happens to you called management. Since John has built a successful security company, I was curious to know what type of qualities he looks for in a potential security professional. So I have this webcast, it's called Your Five Year Plan to Information Security, and I spend an hour talking about learning networking, learning

(11:26):
operating systems, learning coding and developing tools, and getting out to the community. And if anybody wants to get involved, anybody at all that's listening, one of the most important things you can do, no matter what level you're at, is start releasing tools, start writing blogs, start doing videos. And it honestly doesn't matter. It's not like you're gonna be the next huge Twitch streamer by using Nmap.

(11:49):
But what you'll discover in this industry that's so critical is there's so many people out there trying to find anything to do with the basic skills. In this industry, we have way too many wizards trying to impress other wizards. And they're, you know, "I don't want to give a talk unless it's a super advanced talk on a new technique for hooking the Windows kernel for doing

(12:10):
rootkit-style attacks." But honestly, really what we need is people understanding the basics and fundamentals. So even if you create a blog post that's like the basics of running Nessus or Nmap or something really, really, really basic, you're actually gonna get some hits on that. And then the other thing that it does for you once you start giving back to the community is whenever

(12:31):
you get resumes. Like, we're right now interviewing for positions at Black Hills Information Security for pen testers and Security Operations Center staff. I have resumes that look really good. They have good work experience, they have good education experience, but they haven't done any talks, they haven't released any blogs, and they haven't released any tools. Those are second tier resumes,

(12:52):
whereas we have resumes of people that have been releasing tools, people that have been writing blog posts and doing videos. That really causes those resumes to rise to the absolute tippy top. So you want to be a penetration tester, a red teamer, and you've learned some stuff. It's a terrible idea to practice this against real networks. So how do you practice your skills? There is a tremendous, like,

(13:18):
plethora of different cyber ranges online. The best one, and probably the one that has the most prestige, is Hack The Box. So if somebody is trying to get involved in computer security or pen testing or offensive security, Hack The Box, hands down, is the best and most well regarded cyber range, and it's also the most accessible. Right?

(13:39):
It's not going to cost you thousands of dollars. It's very, very, very approachable, and you can work up in levels, and then there are specific challenges and badges and things that you can learn, and you're basically practicing against real systems. So that's another thing I look for in resumes. If somebody has Hack The Box and they've been going through it for a while and they've scored fairly,

(14:00):
I'm absolutely just kind of in awe of those people that, you know, they get done with their eight hour day job and then they go home and they work on something like that. But those opportunities do exist. You can also google the SANS Ultimate Pen Test Poster, and a couple of years ago SANS had this poster, and on the back of it it listed out a whole bunch of cyber ranges and practice Docker images that you

(14:23):
could spool up to practice web application attacks. And there's literally hundreds of them on this poster, and they're amazing, and you might have to poke around for a little bit. It's yellow, it's on one half of one side. But there are many of those posters on that website. But there are so many places for people to practice and learn. There's really

(14:43):
just no good excuse for not taking advantage of them. And also, to be completely blunt, there's no excuse for, like, going and trying to hack into somebody's website just because you're quote unquote trying to learn. John's company teamed up with MetaCTF to build their own way to learn and practice. It's called the Black Hills Information Security Antisyphon Cyber Range, and you can find it on

(15:03):
their website, blackhillsinfosec.com. I'll link it on the website. John has been doing offensive security for decades. He's a legend in the industry. If you want to hear some really interesting stories about his past experiences, then check out the episode that Jack Rhysider did on him for his show Darknet Diaries. It's episode number sixty seven, titled The Big House. There's a funny story John tells

(15:23):
about how his mom helped them break into a prison. By the way, I recorded an episode with Jack Rhysider as well, so look out for that. The thing with Darknet Diaries, with my mom breaking into a prison, and one of the only reasons I could talk about that is because, you know, my mom is no longer with us, and the prison is closed, has been closed for years. So it's not like I'm putting, you know, a prison

(15:45):
complex at risk in telling those particular stories. But we, you know, like we do about six hundred and forty assessments per year as far as breaking into places, and it's just crazy. Give you an example. One of our testers right now, Derek, is testing a mobile application, and this one company hired just some third party

(16:09):
mobile development company to write this app for them, and there's no authentication... well, there is authentication, but there's no, like, authorization on the back end. So, like, if you log in as a user, let's say John Strand with a password of password1234, I log in with my credentials. If you know how to, like, modify the customer ID, you can jump

(16:32):
into any other customer's account, make purchases and, you know, change things around. That's bad, right? That's really not something that ever should happen, ever, but yet it does. Right? We have organizations that are still running, like, Server 2003 in their environment, something that hasn't been patched,

(16:52):
updated in over ten years, right, and they're always confused when we break in, and they're like, well, how did you know to do that? It's like, seriously, the system should have been retired a decade ago. So you see a lot of those really, really kind of dumb mistakes. But then you have these companies that are really super secure.

(17:13):
We had one financial organization that we were breaking into, and they used Okta and they used two factor authentication and they had really good spear phishing protection. It was a tough nut to crack, and we'd been testing these people for a long time, when we discovered you could spin up an Okta thirty day trial account and then you could send an email to quote unquote invite users to enroll in Okta for your organization.

(17:38):
But it gave you full access to the HTML of the invite link, so we were able to actually go in and modify the HTML to turn it into a spear phishing attack against the organization that we were going after in this particular assessment, and we were able to have Okta send the spear phish on our behalf, so

(17:58):
immediately it shows up in their inbox with, like, an urgent flag next to it, and we were able to get an administrator that we were able to phish, get their two factor authentication, and were able to gain access to their systems, which is like billions of dollars. So you have this huge range, right? You have people that are just doing very little in the way of computer security,

(18:19):
and then you have these really advanced organizations where you have to get super duper creative in order to break into those organizations. And that's a concern that I have in the industry. If you look at the industry as a whole, the industry itself is not improving. You're just seeing a greater spread and disparity between organizations that are utilizing really good security practices and organizations that are

(18:42):
still saying things like, well, what would a hacker ever want with my company or my network anyway? So it's all over now. Honestly, we would rather break into the more secure organizations because they're by far and away more fun. But still, all these organizations need to have some semblance of security, no matter where it starts. We have to meet them where they're at and help them lock down

(19:03):
their systems. Another story John tells on Darknet Diaries is about a kidnapping. Late one night, John got a call from law enforcement. They needed his help to track a missing girl. The suspect was actually using Skype, and at the time, Skype just honestly wouldn't listen to you at all. Like, if you were law enforcement and

(19:24):
you said, hey, I need to track back this particular Skype user, they would just tell you to pound sand. And so we had to find a way to basically communicate with this individual and then find where they were at. Well, one of this individual's friends we had actually gotten a hold of, and we were able to send a document to this particular suspect individual that we believed had the girl.

(19:47):
And when that individual opened that document, we were able to get the IP address, source port, and timestamp. And if you're dealing with a United States based internet service provider, if you have the source IP address, the date, timestamp, the source port, you can get a warrant and you can actually get exactly where that specific IP address was, and they were able to, with law enforcement,

(20:09):
they were able to actually get that little girl back in very short order once they got the warrant, they got that information. So that would be an example, and that's pretty rare, right? You don't see those types of things all that often, but it is something that does happen, and we do have the ability as defenders. Something I've been thinking about a lot since I started working on these episodes is the Internet of Things. We'll

(20:30):
get into that right after a quick break. Welcome back to Prodigy. For more info or to get in touch with me, visit Prodigy podcast dot com. The Internet of Things are devices that collect and transfer data: security cameras, refrigerators, light bulbs, microwaves, slow cookers, grills, thermometers. The expression is, if it needs electricity, it will eventually be connected to

(20:52):
the internet. All of these devices are potential weaknesses in security. One of the bigger problems that you run into with the Internet of Things thing is, if you have a computer system at home, you're logged into that computer system and it pops up and it says it has updates to install, and sometimes with some applications and some operating systems,

(21:14):
it just updates. It doesn't even ask your permission, it just updates. If you have, let's say I've got an arcade cabinet here, right, and my arcade cabinet needs an update, it just doesn't let me know. If I have a coffee maker that's connected to the internet, it's a very strong possibility that it won't let me know that there's a specific update. If you look at your edge routers

(21:35):
at home, your SOHO routers for connecting to the internet, many of those don't really get updated because you have to log into the device itself to get a notification that there is an update. How many people regularly log into their router at home? That just doesn't happen. So this gets into more of a complexity issue, right? And it's also a cloud computing issue, where you have so

(21:57):
many devices that are all interconnected, they are all connected back up to cloud services, and they're based on things like Linux and BSD and, you know, some Windows devices, and you're really just kind of getting into a more interconnected world. And as that world gets more interconnected, just by the fact that it's getting more interconnected means that it's inherently going to be more complicated. And when

(22:19):
you're looking at security, the more complicated something is, the easier it is to hack that thing. So just by the nature of the explosion of Internet of Things and the explosion of cloud computing systems and APIs, it's actually making the whole space a lot easier for bad people to break into these things and take advantage

(22:41):
of that complexity. I hate updating software because I'm always worried I'm gonna mess something up that was working fine before, and that's always a risk. We updated a vulnerability in OpenSSL a couple of weeks ago and we were running an ELK stack, and it just completely destroyed our ELK stack. So yeah, that is absolutely a concern. However,

(23:03):
what I like to tell my customers is, if you look at your risk, right, if you balance it, it's like sharks and vending machines. Right? You're really worried about sharks, right? So people are like, I don't want to get in the ocean because I'm afraid I'm gonna get attacked by a shark. But your odds of getting attacked by a shark are far less than having a vending machine land on you and hurt you. So

(23:24):
we don't ever think of that as a risk. Where you have something like SolarWinds that came out a couple of months ago, a whole bunch of organizations got really worked up and they started saying, we should probably hold off on patching, like, because of this vulnerability. If you're looking at patches, like, of the time, you're not

(23:46):
gonna have any problems. If you look at your operating system and all the patches that hit it, and it's going across billions of devices, and you look at the software and the patches of your software going across billions of customers, the vast overwhelming amount of the time patches are installed and there's very little problems. It's just unfortunate that it makes a very large news story, like a

(24:06):
shark attack, right? It's a very big news story. The SolarWinds thing was terrifying. But the reality is, if you choose not to patch your systems, your likelihood and risk of having something bad happen to you is going to be much, much, much higher than if you choose to take the quote unquote risk of installing the patch.

(24:26):
I'm not rich, so I'm not really concerned that a hacker is going to target me specifically. But that's not what I should be worried about. Here's an example. Say there's an old version of Windows or the Mac operating system with known vulnerabilities. Hackers can sweep the internet to find all the computers running this operating system, then break in and steal your password and credit card information. They won't target

(24:47):
you specifically, but you may be part of a larger attack that includes your device. One of the biggest things that I recommend is, the vast majority of security attacks that are going to hit you, they're going to come in through your browser. Right? So if you can actually find a way to protect yourself while you're surfing the internet, that is probably one of the best things that you

(25:08):
can do. Like, number one, don't click on links from strangers. If it's anti-inflammatory... if it's not anti-inflammatory, that would be like ibuprofen. If it's something really inflammatory, right, like it's racial, if it's political, if it's religious, just stay away from that, right? And I would recommend, just being honest, you shouldn't hang out and party with people that get really worked up about politics, religion,

(25:33):
and, you know, like all kinds of different issues. It's just, you get worked up and then you become an easy target. I always told people, right, I can trick you into clicking a link by trying to make it look enticing, but the vast majority of people out there are getting really good about, like, you know, an iPad for five dollars, click here. Not today, wily hacker, and

(25:54):
they throw that email to spam. But if you look at the most powerful tool for me getting you to do something that I want you to do, it's, hey, like if I follow you on Facebook and I start disagreeing with all of your politics, I start disagreeing with your religion, I start just disagreeing with your worldview, and then I send you a link and I tell you, hey,

(26:16):
everything you believe about topic X is wrong. Here's a link that proves it. It is darn near impossible for someone not to click that stupid link, right, because somebody's wrong on the internet. Can't sleep, right? You're gonna click that link. So I'm not saying you shouldn't care about those issues, but what I'm saying is you shouldn't let

(26:37):
them control your life, because people will find a way to make them control you. So that's number one. Don't get worked up and go to, like, sketchy websites because, you know, your politics or your moral compass demands it. There's probably some Russian trolls behind the other side of that, and they've got you hooked at that point. The other thing, as I said, is a lot of

(26:58):
the stuff that you look at, attacks come from the browser. So I recommend putting in plugins like Ghostery and AdBlock Plus, things that will actually start shutting down malicious ads, and really, really try to lock down your browser as much as you can, because still a tremendous number of attacks come through the browser itself. So those

(27:20):
would be some of the big things that I'd recommend. And then the other thing that I would recommend: make your passwords long. Please, you know, use a passphrase, right? You know, let's say, you know, "I worked at Northrop Grumman" would be a great passphrase, right? And then I would add some special characters or some numbers or something like that, or

(27:42):
you know, "I graduated from this particular high school" or whatever, right, "I like watching The Simpsons," whatever, it doesn't matter. But it's a long passphrase. And then you couple that with maybe some, like, special characters and numbers, and you have a really strong password. At that point, you're moving towards a passphrase. Don't ever go into something and say, well,

(28:03):
my password's "password," because no one will guess that, it's the most obvious thing. No, they literally, well, that will be like one of the first five passwords that they try. And for the love of all that's holy, stay away from season and year. John is a super nice guy, and I want to thank him, Deb, Jason, and Lauren for their help with this episode. They're an incredibly talented and likable team. You can find more about John and

(28:25):
Black Hills Information Security at blackhillsinfosec.com. That's blackhillsinfosec.com. Thanks for listening to Prodigy. We've got a bunch of really interesting episodes coming out, so please subscribe to the show, because we'll be back next week with another episode of Prodigy. Prodigy was created and produced by me, Lowber Anti. The executive producer is Tyler Clay. For more podcasts from iHeartRadio,

(28:47):
visit the iHeartRadio app or wherever you get your podcasts. Prodigy is a production of iHeartRadio.