Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Over 60% of breaches start at the human layer. Grant McCracken is the founder and CEO of Dark Horse Security, an innovative startup that is on a mission to make the world more secure by making it easier to become secure for businesses of all sizes and natures. Almost every single app that you're going to look at in some way, shape or form is going to have some vulnerability. In today's episode, we dive into
(00:22):
how to protect yourself, especially in the age of AI, how to protect your business and make sure your employees are not vulnerable to hacks, the most common mistakes people make when it comes to online security, and last but not least, how to start a career as an ethical hacker. Grant, take me back to a moment when you realized that you wanted to be an ethical hacker.
(00:46):
Oh boy. The moment I realized I wanted to be an ethical hacker was when I wanted a paycheck. It just happened to be the way I got into ethical hacking was I graduated in 2009 and the job market wasn't great during the great financial crisis or recession or whatever you want to call it. I was just kind of looking for a job and a buddy that I used to play video games with, he was
(01:08):
like, hey, you could do this. He also found the job. And so he had me apply and that was with WhiteHat Security. And so what WhiteHat had at the time, they kind of had this farm system where they take people that had all different kinds of backgrounds and they teach them to be ethical hackers. And obviously that was for profit and we did it for the business and whatnot. But there was no, I want to be
(01:30):
an ethical hacker type moment, right? There was no, oh, that's the career I want. I went to school for communications, so I thought I was going to work in marketing or HR or something like that. I did not. I was not planning on getting into ethical hacking. And that's just kind of how it shook out.

Yeah, that's interesting, right? Like how many of us actually plan to do the exact thing that
(01:51):
you're doing now, probably 2% or something like that. But for those that are not aware, what does an ethical hacker do on a daily basis?

Just about what it sounds like: they hack, but ethically. The industry term is usually going to be like a penetration tester. Basically the idea of a penetration test is that you're trying to penetrate systems,
(02:15):
whether those be human systems, whether those be networks, whether those be applications, APIs, web apps, mobile apps, all that stuff. And you're just trying to penetrate those systems now. And there's different layers to kind of what you do there. Sometimes it's a little deeper, sometimes it's more surface level, but fundamentally you're just looking for vulnerabilities in whatever is put
(02:35):
in front of you, right? Again, whether that's an application, some sort of host that's on a network, or it could even go into like configuration reviews, right? If you're testing somebody's like AWS configuration or O365 Connect config, stuff like that.

And speaking of apps and web apps and so on, what are the most common security breaches that you encounter in your career?
(02:56):
To draw a little distinction, right, when you hear breaches in the news, what they're typically referring to is like an organization's already been breached, so somebody's already exfiltrated records or something to that effect. So usually you're not involved in breaches unless you're on kind of the forensic side of the house. Vulnerabilities could become a breach if they were exploited by a bad actor.
(03:17):
Some of the more interesting ones, right? I mean, you see all sorts of crazy stuff. For instance, the really powerful stuff as it relates to like anecdotes and whatnot is like things like code execution, right? So you get dropped on a network and there's, you find a vulnerability in some machine that's running on that network and you're able to just take over that machine and you can do whatever you want with it,
(03:39):
right? And you could install whatever software you want on it. And this is effectively how you kind of get to malware and other things. But you could also, what you'll do as a hacker is you'll also use that machine as a foothold. So sometimes if you're coming in from the outside and you're able to compromise an external machine, you can use that machine once you take over that machine to then take over other machines inside of the network
(04:01):
and so on and so forth. Anyways, obviously code execution is like a really interesting type of vulnerability. It's relatively rare, but when you get it, it feels amazing because it's like I've got complete control over this machine. There's other things where again, depending on how far you go within the pentest, where you can go even further than that and try to get domain admin, be able to control not just the
(04:23):
machine, but like the network or all the users within the organization. So there are levels to the type of compromise. But another one that's really fun is like SQL injection. Not sure if you're familiar with the idea of SQL, but most databases are written in some sort of language, right? You say grab the user where username equals this certain thing and whatever else you want to attach to it.
(04:45):
And so there's all these queries. When a web page makes that or an application makes a query, sometimes they don't do it in a safe way and you can actually inject into that query. And that's called SQL injection. And you can basically do whatever you want with the database as well. So you could pull all the information from the database. And this is where if hackers are able to retrieve passwords or account details and stuff like
(05:07):
that, it's often a function of a SQL injection type vulnerability. Though there's other ways of getting that information, not the least of which being at the human layer. And over 60% of breaches start at the human layer. Some of the really impactful breaches are often as simple as like exploiting a human to get Debbie in finance to send you some PDF of information that
(05:29):
obviously shouldn't leave the organization just because you social engineered them into thinking that you were IT and you needed that or you're the CEO or something to that effect. So again, there's a lot of different really interesting types of vulnerability and kind of ways that they're exploited that we're looking for.

Yeah, this is actually what I was looking for because I want to see how we can protect those listening from this whenever.
(05:54):
That's why I think it's very powerful because indeed, in two different methods, people can be incentivized to do something that they don't even realize that they're not sending to the right type of a person. And how that usually happens, if you can share. And how we can protect ourselves from not sending the wrong e-mail to the wrong person, or answering the wrong message on our phone, and so on.
(06:18):
Sure. At the individual level, there's a couple of really basic things that you should be doing, right? So there's a number of different ways that these exploits can happen wherein they're able to attack an individual. Everybody's got a phishing e-mail, phishing text messages, stuff like that. And then there's also this idea of cred stuffing. That is the official attack terminology for it, where
(06:41):
you'd go look at a past breach and this public information. It's just out there, it's on like Pastebin kind of thing where there's all these usernames and all these passwords from past breaches and you just say, OK, I'm going to go try that on some website. And so you throw them all at some organization, right? So I'm just coming up with an example, but within that list of credentials, you might be able
(07:02):
to find that somebody registered with a work e-mail or something like that, or you're able to tie that e-mail back to that user and then you try to log into their work accounts with the same password that they use. So again, that's like a cred stuffing attack where you just take all the passwords that have historically been associated with an account and you see if you can get those to work. Again, that's fairly routinely in the news. There was a very recent Australian one where that was an
(07:24):
issue where, through cred stuffing, they got into people's retirement accounts and stuff like that. So one of the first things you could do as a user is just, one, not use the same password over and over again. How you do that is you just use a password manager. It's very hard to remember every single different password. People probably have two or three passwords that they use and then they just use those
(07:45):
same passwords and maybe slightly different combinations over like a billion websites, right? And so if it gets popped on one of those websites and they're able to find it, then they can potentially get in anywhere else that it's used. So using a password manager, LastPass, 1Password, any of those, that's one of the quickest and easiest things that you can do to protect yourself as a user. Two, using multi-factor.
(08:07):
Multi-factor authentication is essential because even if they're able to get your password and your username and they get both those things correct, if you have multi-factor on your account, they're not going to be able to get in, right? It's going to say, OK, now give us the one-time password and they're like, well, I don't have that and they're going to move on. There is some data that says doing multi-factor over SMS is
(08:29):
less secure, right? It is possible to do SIM swapping and stuff like that. Don't super recommend SMS, but if it's all you've got, SMS is still an order of magnitude better than not using anything at all. You're still going to protect yourself a lot. So that's kind of how you can protect yourself from just a wide swath of attacks out of the gate. And then obviously the layer on top of that is just being
(08:49):
skeptical and being critical. I think in today's kind of misinformation and disinformation age, it's essential to question literally everything at this point, for better or worse. There was, you know, those lawmakers got shot in Minnesota and the guy showed up saying he was police. Even then, you should question police. They show up at your door, you've got to call 911 and be like, hey,
(09:10):
actually supposed to be police at my door? Should I open? Should I talk to these people? Yeah, just question everything.

Especially now in the age of AI, we can receive phone calls that sound like our family members or even video messages that are similar and can be scary. And at the same time the advice you give is so valid because
(09:30):
unfortunately a lot of people are still using the same password across multiple accounts. Or even worse, like saving them in a plain document on their computer or whatever. And that leads us to basically the first example that you gave, when others get access to your own device. And obviously most of us see
(09:51):
these in movies like the recent one, Mission Impossible, in which those kids were taking control over someone else's laptop and grabbing some information, photos from there and so on. And from those types of attacks, what are the solutions and advice that you have to give to those that are listening that, oh my God, I need to protect
(10:11):
myself because you never know.

Yeah. Again, it's not going to be the super fanciest advice. It's kind of doing the fundamentals. The first one is just keep your machine up to date. Your Chrome browser or whatever browser you're using, you'll notice in the upper right hand corner every couple of days or weeks it'll say update and it'll be green at first and then it'll be yellow and then it'll be red. At some point it'll force
(10:33):
you to update. So keeping your browser up to date, your OS up to date, your phone up to date, everything up to date. You'll see all the time when you do these things, if you look at the patch notes or whatever, it'll be like, oh, fixing security bugs or whatever. And so you may not ever know what those bugs were and maybe they were being exploited in the wild, maybe they weren't, right. But every now and then people have released something called
(10:54):
the zero-click vulnerabilities. And then there's one-click vulnerabilities where you still have to engage in it, but one click will kind of give them code execution. They're really hard to pull off and they're really expensive, but nation state level people kind of have access to who knows what at this point. But keep your devices updated, keep all your software updated as well. When I'm on a network and I'm trying to break into a machine,
(11:17):
what I'm looking at is what's running on that machine. And nine times out of 10, right, when you're going to get code execution or something like that, it's because they're running some vulnerable piece of software that is outdated. Now, software isn't like vulnerable and it's just vulnerable forever, right? There's like newer versions of it where they like patch those vulnerabilities and somebody's
(11:37):
just running some old FTP server or something that they just don't need to be running or that they never updated or it hasn't been kept up to date. And that creates vulnerability. But that's just a really big one. It's just making sure that you keep those things up to date. The second one on there is don't run or execute things that you shouldn't be running or executing. That's again, just pretty. It's just common sense kind of
(11:59):
stuff. But you'd be surprised how uncommon common sense is, right? I guess in the real world, I mean, just kind of what we run into all the time. If people did things that were common sense all the time, there'd be far fewer breaches and stuff of that nature. Again, be skeptical of anybody that is asking for information and obviously confirm it before you do anything.
(12:21):
Never give out passwords, never give out one-time use passwords or the OTP codes or anything like that, and then don't install random stuff on your machine. It's just generally a bad idea and doing all those things will again mitigate for a significant portion of things. But if the NSA wants to get onto your laptop, they're
(12:44):
probably going to figure out how. We probably don't have a prayer against them, but against less sophisticated actors, because they've probably got a stockpile of 0-days and stuff like that. Every once in a while you'll hear about law enforcement struggling to get into someone's iPhone, and the local law enforcement doesn't have access to the tools that, like the NSA or higher order organizations
(13:05):
probably do. Again, I don't know what they're capable of, but I just assume they're capable of getting into whatever they want whenever they want.

Indeed. Security agencies or however they're called, they might have access and if you look back at Snowden, for example, the amount of information he revealed and so on about how the NSA and others are having access to our devices and
(13:26):
such. But for the day-to-day users, the people that are afraid that someone else would take over, apart from the advice that you gave, do you think there are other solutions, like for example, certain operating systems or system devices are more secure than others, or security software that we can install on our computers like an
(13:47):
antivirus or malware protector or any of that?

I'm hesitant to make any recommendations around like additional software layers. So there are like, these machines do a decent job these days, whether it's Mac, whether it's Windows or anything, they do a relatively decent job. When you try to run an application, it'll be like hey, this application is trying to access like XYZ, do you want to
(14:10):
allow it access? They tend to do a decent job there. I don't necessarily, I personally don't run antivirus or anything to that effect. I'm not sure that it's still relevant. I'm sure it is in some sense, I just, on average, I would just recommend practicing the fundamentals, strong passwords,
(14:32):
multi-factor, just good like operational security as it relates to your devices. Don't just leave your devices unlocked all over the place, whether that be your phone or whether that be your laptop. Don't install random plugins, because a lot of these plugins, when you add a plugin, it'll be like, oh, it can read like everything you're
(14:52):
doing. And so you got to be really careful in terms of what has access to which things and whatnot. But on average, again, if you practice those fundamentals and are skeptical to a reasonable degree, then again, I think you're going to have your bases fairly well covered.

So that's with individuals, but when it comes to companies that usually involve so many
(15:13):
individuals that obviously they have their own devices, they have the work device as well, they might browse their company accounts from their personal device and so on. How can one business protect their assets from such security breaches in a sustainable way, basically?
(15:33):
Sure. I mean, a lot of it has to do with the same things we were talking about at the user level. Making sure your software is up to date, making sure that your users aren't installing or doing nefarious things. If you're an organization, the stat I gave earlier, 60% of breaches start at the human layer, right? So if you make sure that your human layer is not just easily
(15:54):
exploited by phishing attacks or other similar mechanisms, you're eliminating a wide swath of potential like exposure as an organization. Secondary to that, you want to make sure that you understand all your different assets, what's on your network, what domains you own, what's going on where, especially in the AI and vibe coding era, people are just like creating their own tools all the time.
(16:17):
And are these secure? Maybe not. And so are you like plugging that into like production data? So you just, you want to make sure that you have a real good sense of what has access to what, what is important to your organization? What do you need to be able to protect? And then ensuring that that's not just exposed to everything out there. You want to know what's on your network. Again, because I've talked to different CISOs or people,
(16:38):
they come into these organizations that are legacy organizations. They're super, super old and they've just been doing business forever. And they start looking around and there's just like a, my favorite story is there's like a Raspberry Pi just like hanging off the wall attached to an Ethernet cable. And like it just says, don't unplug. And so what do you do? Nobody knows what it does.
(16:58):
So do you unplug it or do you not unplug it? Like how do you, how do you manage, work with that? So you just need a good disposition around or characterization around where your exposure is. And then obviously the next layer down is assessing that exposure for vulnerabilities, right? So that's doing things like penetration tests, testing your applications, testing your networks, making sure that you
(17:19):
have somebody come in with a security perspective and try to identify vulnerabilities. So those would be like kind of three things I'd say organizations should be doing at a bare minimum in terms of trying to make sure that they're more secure.

Yeah. Absolutely. And especially when it comes to managing their employees, right. I guess at the end of the day,
(17:39):
if you don't educate them, it's so hard for them to know. Actually, these common practices that you mentioned, for most people, are not something they're aware of. And for example, in my own industry, I used to build websites and most of the websites back in the day were built with tools like WordPress and so on. And often I had this long educational period in which I
(18:03):
had to educate my clients about the importance of keeping their plugins up to date, the core website, WordPress, up to date and so on. I guess most come from this perspective that it will never happen to me until it happens. And then your own reputation and much more, sometimes money and so on can be lost. And that's just one piece of
(18:27):
the discussion. But when it comes to the more complex things, like for example when a client approaches your business, Dark Horse, to come into play and help them secure their applications or their businesses, what do you guys exactly do?

Yeah. So specifically what we offer primarily at Dark Horse is
(18:47):
vulnerability assessments, penetration tests, bug bounties and vulnerability disclosure programs. So it's one of those. It's one of those things when they're coming to us, right, we're going to help them with one of those. Now, if they have a larger macro picture around what should we be doing, we can have a conversation around that and try to help them understand their exposure and make kind of a similar recommendation to the conversation we're having in terms of, OK, so what are your
(19:10):
assets? OK, well, let's take a look at your assets. OK, what's important to you? OK, if it turns out that there's this one area that like has all of your most important information, maybe we focus there first, right? Then we'll go pen test that or something like that. They typically come to us and they say, hey, we need a pen test, get a vulnerability assessment, a bug bounty, vulnerability disclosure, whatever it is, they want to set it up and they want to identify
(19:32):
the vulnerabilities against a specific target. So then we say, OK, let's talk about the target. Let's understand the scope. Let's understand what we should test, what we shouldn't be testing, what your goals, objectives are, and then we leverage a tester to go perform that work and then they get the vulnerabilities in the platform. So I'm not sure if that's exactly what you were looking for.

Yeah, because I really want to
(19:54):
understand the process since a lot of people that run businesses, especially small businesses, they are like, why should I protect myself? I guess I'm secure. Like I just have my social media accounts. I maybe run a website, I might have some internal CRMs and stuff and let's say they have a small app as well that is public. But in terms of problems that
(20:16):
can arise in that type of environment. Some of them you already mentioned, but apart from that, from someone getting access to those, let's say the database that they have of the clients and so on, or getting login credentials and sending e-mail in the name of one of their colleagues and so on. What are the things they should be aware of and how important is it actually to protect your
(20:40):
assets through a specialized company like yours?

Sure. So I mean, my first answer is it's absolutely critical, right? For every organization. Of course, I'm going to say that because that's my belief. But more than that, I've been doing this for 13 years. Very rarely do you ever get an application that doesn't have vulnerabilities. Very rarely. So almost every single app that you're going to look at in some
(21:02):
way, shape or form is going to have some vulnerability. And it happens, even happens to the security organizations. It's not uncommon for security organizations to have vulnerabilities. So if you go look at say for instance, Bugcrowd or HackerOne, their bug bounty platforms. And again, I used to work at Bugcrowd, you can see on their bug bounty program, they pay out, their bug bounty program, they
(21:24):
pay out for vulnerabilities all the time. So people are finding vulnerabilities in security companies' software. So you probably have vulnerabilities in your software. What you might be asking for is what are some of the different attack vectors that attackers could use? There's a ton of different stuff that people can do, right? For instance, one of the really most common vulnerabilities out
(21:44):
there is something called cross site scripting, and that's where you can inject your own script onto a web page. Now, one of the most famous examples of this, and this just kind of shows how things haven't always. Just because technology progresses doesn't mean we get rid of the vulnerabilities. So like the most famous example of a cross site scripting vulnerability was like, do you
(22:04):
remember Myspace? Yeah, you remember like the Samy worm where like it just infected everybody's profile. That's an example of what you could potentially do with cross site scripting. With cross site scripting, you can. And again, browsers are becoming increasingly powerful, right, in terms of just like the scope of what they can and can't do. If you have scripting on somebody's page, you can rewrite the page content, you can
(22:25):
redirect the user, and you can have the browser do whatever you want it to do. Because again, it just reads. If you're, it's, if it sources in your script, again, it'll just, it doesn't care if the script that it's executing is coming from you or it's coming from the person who wrote the web page. Your browser doesn't know the difference. It's just kind of doing what it's told, right? It's just a computer.
(22:45):
You can do any number of things with cross site scripting. Some other more interesting asset or vulnerability classes include something called insecure direct object references. That's called an IDOR. So you go to check out, and after you check out, it's like confirmation number 1234. And then when you say, oh, what happens if I put 1233 and it shows you somebody else's
(23:06):
confirmation information? Oh my, like suddenly I have access to, now I can just go 1232 and like I get somebody else's confirmation and it's potentially got their address on it. I mean, I found something like this just, I was, I was doing something for my dog and so you have to upload like vet records or whatever to the site. And I was like, huh, that's weird, this number.
(23:27):
And so I just tried one number higher and sure enough, I'm able to get somebody else's vet records. And so I sent it to the company and I was like, hey, you got a vulnerability here. But vulnerabilities, they're all over the place. I could talk for hours about the different vulnerability classes and what that potentially enables an attacker to do anyway. So like you as a person that is running a small app, I would bet
(23:50):
money that they've got a vulnerability somewhere in there. That's why you need to make sure that you're securing your assets no matter what. And even more so in the age of AI, whether you built it with AI or you're just leveraging AI via chat bot or some sort of integration or something like that. Plenty of opportunity for abuse. AI has just introduced a bunch
(24:13):
of new vulnerabilities, right? Not the least of which being prompt injection. That's a vulnerability you've heard of, like prompt manipulation or stuff like that. But like prompt injection, it's the same. It's the same thing. It's like you just get it to tell you things it shouldn't tell you, kind of like SQL injection or something like that. So a ton of different vulnerabilities. It's unlikely that when building an application, you're able
(24:34):
to like really account for all these things because I know building Dark Horse, right, as I was going through and writing it, I'd catch myself sometimes, I'd write something and I'd be like, oh my, that could be a vulnerability. I could see how that could be. And it can get convoluted. It's oh, like under this condition, this person has access to this thing, but unless it gets revoked or, and then you need some sort of revocation process and all this other stuff
(24:55):
that not everybody thinks through all the time. And so again, I'll just stop right there, but hopefully that's enough, no.

But it's very important to bring that awareness because indeed there are so many ways apps or businesses can get exposed by these vulnerabilities. And especially this one that you repeatedly mentioned with coding
(25:17):
with AI or using AI tools in different ways, especially to help you code things or vibe coding that you mentioned, like using apps, I won't mention them, but using those third party apps that are helping you build basically overnight an app that's not really production ready. So at least not for now. And that's really dangerous because indeed, if you put that out there you might end up
(25:41):
in trouble. And still people will say, all right, but instead of spending a couple of 10, 20 thousand grand to get the minimal viable product, I'll just use another app to test that out. What would be your advice to those people?

Yeah, I mean, go for it for one, right? Don't stop innovating. Just also get security testing so you can build at the speed
(26:04):
at which you need to build. But make sure you're securing it. Make sure you have someone from a security perspective taking a look at it. That's part of what Dark Horse really offers. What Dark Horse is all about is providing access to smaller organizations in the wild. Penetration tests typically cost a ton of money and what we've done at Dark Horse is, we tried to make them as affordable as possible while still providing
(26:26):
access to high quality talent and so forth. My recommendation is still you got to test it. I mean, you can build as quick as you need to, right? You don't not use those tools. Be skeptical, don't just trust it at face value and don't just push code that AI generates to production. You want to make sure that you're personally reviewing it and then again, also make sure that there's some sort of security review in your pipeline
(26:49):
as well.

Yeah, that's interesting because for example, I played with one of the tools and I expressed, he said at some point, is this code actually safe enough to put into production? And after asking it to review it, it was like, oh, I apologize for that. There is actually a security vulnerability here that I need to address, but probably if I would go again and ask again,
(27:10):
maybe they'd find another one and so on. So it's convenient to see that you have all this power to write code by just talking to a tool. But at the same time, without having that extra layer of security of a third party solution like Dark Horse or similar to come into play and actually make sure that the code that you put out there is secure.
(27:31):
The importance of expectations cannot be understated. And this goes in all aspects of life. It's a result of a mismatch in expectations. So when you think about things in that frame, it really, and you're able to get ahead of a lot of potential issues, right? So if a client's unhappy because they expected things to go a certain way, if you expected it
(27:53):
to break, you're not going to be that upset. You're like, oh, well, I kind of expected it to break. But if you don't expect something to break and it breaks, then you're going to be pretty upset about that. So if you can manage the expectation successfully and effectively, you're able to kind of avoid a lot of potential frustrations. And again, this goes with, this holds true with managing employees.
(28:14):
It holds true with working with your boss, it holds true with romantic relationships, friends, business, whatever. Managing those expectations and saying, OK, this is what's going to happen. This is what I expect to happen. What do you expect to happen? Oh, shoot, you expect something different to happen. OK, let's like reset expectations. Now we go into this thing aligned. Now we're going to have less
(28:35):
probability of friction later on down the line. So just managing expectations. I think it's been probably one of the most powerful things for me in my career.

Totally agree, yes, when you're on the same page expectation-wise with anyone we are involved with, like all the examples that you mentioned, it's so much easier to arrive at the desired outcome
(28:56):
rather than everyone having different expectations,
different desires and so on. And it's impossible then to
please everyone. And also on that note, that
doesn't mean that we should not aim for the best or should not
dream big and so on, but managing those expectations is
so important. And on this path, for career advice: if someone wants to
(29:18):
enter this space of security, especially nowadays, where
should they start? I would say Hack the Box. Hack
the Box or PortSwigger Labs; Hack the Box is a more complete
platform. So that's kind of where I
typically direct people. But yeah, you just you can just
set up an account for free and you can just start working on
(29:39):
their basic challenges. And they've got challenges
that'll take you in any direction you want to go.
You want to go into bounty hunting?
You want to go into pen testing? You want to go into blue team,
red team? Hack the Box is just a great place to start, to kind of
get your feet wet, to kind of learn the basics.
PortSwigger Academy is another one, where PortSwigger makes a
tool called Burp. Burp is the industry standard as
(30:01):
it relates to a proxy. Proxy is what you're typically
using when you're attacking a web application.
So they have a lot of great content on there.
There's Pen Tester Labs, there's a bunch of other resources.
There's no shortage of information out there, but if
you're just picking one place to start, I'd say Hack the Box.
Nice. Thanks for sharing that.
And speaking of sharing, if those that are listening resonate with
(30:23):
what you shared and want to work with Dark Horse, where
can they reach out to? Yeah, the website is Dark Horse
dot SH, so you can just go there and hit the contact button and
you'll get in touch with somebody.
You can also e-mail me directly at Grant at dark horse dot SH
and then you can also find me on LinkedIn, right?
My name is Grant McCracken. If you search Grant McCracken,
(30:45):
Dark Horse is probably going to be the only one that pops up.
You can find me there as well. Awesome, and I'll put the links
down below in the show notes as well.
You're dropped in the middle of a new city.
Let's see the wilderness of the city.
And you just have at your disposal one piece of advice
that you gather in all your career and that's the only thing
(31:06):
that you can leverage to start over again.
What would that be? I want to say it's a little bit of
a mind hack, but ask yourself what a person with high agency
would do, because we tend to think of ourselves as constrained,
right. So if I get dropped into a city,
a fresh environment and I've just got to go figure it out,
the main thing that's going to help there is a mindset that is
(31:31):
looking for solutions. You're looking for a way to be
successful and like the human mind is really good at finding
like negatives, right. So we're really good at finding
reasons why we won't be successful, but being able to
put yourself in a state of mind where you could say, OK, if I
had an incredible amount of agency, what would I be doing?
(31:54):
Just as a thought exercise, it opens up a lot of doors, as it
were. It depends on what the goal is,
right? So let's just say the goal is to
make like enough money to live off of.
We're not trying to make $1,000,000, but you could apply
the same concept to $1,000,000. I could go knock on every single
door, I could go wash cars, I could, I don't know.
I'm not doing a very good job of representing this right now, but
(32:16):
it's opening your mind up to not be constrained by what you think
that you're capable of and just being like, OK, what are all the
potential options? What would somebody that just
makes things happen do in this situation and that will unlock
opportunities mentally that you just wouldn't have before?
(32:37):
If you're just saying, OK, I am this sort of person and I do
this specific thing, you're going to be a little more
constrained by that. Whereas somebody that says I'll
do whatever it takes to accomplish this objective,
they're a little less constrained and able to find a
way to get where they're trying to go.
Does that make sense? Am I making sense?
(32:58):
Sorry, it actually makes perfect sense. And speaking of
knocking on doors, you can't actually do exactly that right?
Asking those that have high agency and see them succeed,
like what they're actually doing on a daily basis, how they are
taking action constantly on certain things.
And yeah, I think that's very underrated advice because often
we think, oh, we should focus on that.
(33:18):
But being high agency, especially nowadays when
distraction is all over the place, it's such an underrated
skill to master. And that's powerful.
Thank you so much for sharing that.
Yeah. You know what high agency is?
So sorry, I sometimes say agency or
high agency and people are like, what?
And so you obviously know what it is.
So maybe I could have just said high agency is the best advice:
(33:41):
develop the skill of high agency.
Yeah. Going into details like you did,
you make those that are not aware of the term realize what
exactly it is. And that's the thing that I was
looking for from you, and you didn't miss a point.
So thank you so much for sharing that and thank you so much for
joining me today. It was a pleasure to have you.
Cool, thanks for having me. Happy to be here.