Chris Sienko: Hello, and welcome to another episode of the Cyber Work with Infosec Podcast. Each week I sit down with a different industry thought leader to discuss the latest cybersecurity trends and how these trends are affecting the work of Infosec professionals, as well as tips for those trying to break in or move up the ladder in the cybersecurity industry.
Our guest today, Alissa Knight, is the Senior Analyst at Aite Group, an independent research and advisory firm focused on business, technology, and regulatory issues, and their impact on the financial service industry. She’s here to discuss another byproduct of the connected future, namely the risks to be had from insecure security practices in connected cars.
Alissa is going to tell us about some of the most egregious cases on record, how we can prevent future disasters, and what you as a burgeoning cybersecurity professional need to know to get involved in the practice of protecting connected devices.
Alissa Knight is a Senior Analyst with Aite Group where she performs focused research into cybersecurity issues impacting the financial services, health care, and fintech industries through the assessment of sector trends, creation of segment taxonomies, market sizing, preparation of forecasts, and developing industry models. Alissa said her passion professionally is meeting and learning from extraordinary leaders around the world and sharing her views on the disruptive forces reshaping global markets.
Alissa, thank you for being here today.
Alissa Knight: Hi, Chris. It’s great to be here. Thanks for inviting me.
Chris: My pleasure. So let’s go back-
Alissa: That was a great intro, by the way. Thank you.
Chris: Oh good. Yeah, we cover all the bases right up front and then we’ll [inaudible 00:01:34] and that will be it. I just want people to know.
So, to start out with the usual first question for interviews. How far back does your interest in computers, tech and security go? Was this something you were always interested in or did that come later in life?
Alissa: Oh, goodness. I started with a 486SX-25, back when the CPUs were square and you put a CPU fan on. So yeah, they go back quite a ways. I started really getting into hacking when I was 13. Typical Hollywood story, hacked into a government network, got caught, arrested when I walked onto the school grounds. They were waiting for me.
Alissa: Yeah. The charges were dropped because I was interviewed without my parents there. I guess they didn’t realize they were interviewing a minor. It was like a couple weeks before my 18th birthday. Yeah, so I got off on a technicality.
Chris: What did you hack into and sort of what was… Was it just, I want to see if I can do this?
Alissa: Yeah. It was a government network. It wasn’t for any… There was no real malintent. It was: Can I do this? It was more out of curiosity. The good news is that because of that I really had an opportunity to get a second chance and realize that it wasn’t the black hat that I wanted to be, it was a white hat. I wanted to be an ethical hacker, and I wanted to uncover these vulnerabilities that were so systemic across so many things.
Alissa: Nothing has really changed since then, right? So back then it was all about getting the technology out there, getting the connectivity out there, and security was always an afterthought. So I’m a recovering hacker. I’ve fallen off the wagon a few times. I’ve been doing this for about 20 years. It seems like it was so long ago. So, yeah. So, it’s been a while.
Chris: Wow. I’ve asked this of a couple of guests before, but you had a pretty concrete moment where you decided, “Oh I’m on this side and I’m not on that side.”
Alissa: It was an inflection point for sure.
Chris: Yeah. So, having armed police officers approach you at school is probably a pretty solid way to get that change to happen.
Alissa: Yeah. I mean, it’s definitely cocktail party bragging, right. All of a sudden I was the nerd that was picked on all the time, and now I’m like being escorted off campus in handcuffs. It kind of puts you in the cool crowd, but actually because of all that I didn’t end up returning back to school.
I’m a serial entrepreneur. I did really turn my life around. I started my first company when I was 17, and I took it to a public company when I was 20. I started my second startup and sold that when I was 27. Really, for me, it was a very pivotal point in my life where, like you said, this was the demarcation point where I need to turn my life around. This is not who I want to be. So, for me, that was a wake-up call to say, “Okay. I can do this and I can get paid very well doing this.” The rest is history.
Chris: You said you’ve fallen off the wagon a couple of times of white hattery. Is there any horror stories you care to talk about?
Alissa: Yeah. Yeah, definitely. I mean, it’s funny, in the introduction you described Aite Group and I don’t want the listeners to think that Aite Group is a cybersecurity consultancy that does connected car penetration testing. It’s not.
It is an industry analyst firm. Aite Group is sort of your Gartner for the financial services industry. The large banks will subscribe to our research, and about around September of last year I joined Aite as their first cybersecurity analyst in their new cybersecurity practice.
What happened was they were focused on anti-money laundering, financial crime, that sort of thing in the payment sector and retail banking, and said, “You know what? A lot of the fraudsters, a lot of the anti-fraud stuff like synthetic identity fraud, and mule accounts, stuff like that is a lot of the same adversary on the cybersecurity side, so let’s start a cybersecurity practice and let’s get someone in here who knows what she’s talking about.” At least I think I know what I’m talking about. At least I give the perception I do.
So, that’s kind of where I’ve ended at. To answer your question, have I fallen off the wagon? Yes, I have, but as an analyst, meaning that now I’m a full-time writer. It’s kind of funny. I’m a hacker turned CEO, turned writer. Just this year I published a new book on Hacking Connected Cars, which will come out under Wiley, and that actually will be hitting the bookshelves in a couple months.
So, I have fallen off the wagon in the sense that I’ve been hacking connected cars over the last decade. I lived in Germany, hacking connected cars for some of the largest automakers in the Stuttgart corridor, and now really I combine writing with hands-on practical lab work. I’ll write about how to hack a telematics control unit, but while I’m writing I will be there hacking at TCU. It’s sort of a different angle, a different voice in the analyst industry where it’s a combination of sort of the writing part with the actual practical part, which is pretty rare in the analyst industry.
Chris: My next question, and you’ve already sort of filled in a few of the gaps, but I want to sort of get an unbroken line here. Could you tell us a little bit about the career path that you’ve taken to get to the sort of senior level security analyst that you are now? I mean, you said you started a couple of businesses right out of high school, and you became a CEO. So what was your journey like in terms of learning skills, starting things, trying things, breaking things, what have you?
Alissa: You’re going to laugh, but I actually started out as a web designer. It’s funny. I’m probably the only hacker you’ll ever meet that is majoring in marketing in the university, and into accounting, and is also a former designer and artist. I started out as a web designer at a company called Winter Rain Graphics. I was designing websites.
Chris: I can see it in my mind now with a name like that.
Alissa: Believe it or not, that was in Silicon Valley, so no. But I do live in Seattle for now, but that’s a different story. So I started out with a web hosting company doing web design and hosting websites. Then, my web servers were getting hacked all the time. At the time it was teardrop attacks, if you remember that?
Chris: Mm-hmm (affirmative).
Alissa: So, my web servers were getting DoS’ed, and I didn’t really know how to protect myself. I didn’t know what to do. So, the natural segue for me was, go to the bookstore, buy a book and figure this out. At the time the SANS Institute, Cyber CQ Training, Certified Ethical Hacker, all that stuff didn’t exist. Today, a lot of the cybersecurity engineers have the luxury of going to cybersecurity training. They have the luxury of majoring, getting a Master’s Degree in cybersecurity. All that stuff didn’t exist back then. At the time it was IRC. I was on Internet Relay Chat on ETHNet. Now, I come from the BBS days, right?
Chris: Yeah, yeah. Sure.
Alissa: Looking at modded renegade boards, upload/download ratios. At the time, starting out on IRC, meeting other hackers, and figuring it out on your own. Faking it until you make it kind of thing. Then just learning as you go, taking your bruises, and trying to figure out, once you’ve defaced a website, how to restart Apache, that sort of thing. Just figuring it out as you go.
Then that happened. I unfortunately went down the wrong path, made a wrong choice, and got off. I was very lucky to get myself out of that situation. Then realized, “Hey, I really am a leader. I really am great at starting things. I like to build things.” So, I started my first company. It was a services company, believe it or not, when VPNs came about, God’s gift to security triple DES encryption.
Sold that to a public company in British Columbia. I then took some time off, went to go work for some startups in The Valley in cybersecurity, and then went on to start my second startup, which was Applied Watch, and that was a CM solution for opensource software like [Snort Inline 00:10:35] and [Liberate Carpet 00:10:36]. Once I sold that to Endace in New Zealand, took some time off again, became a fashion photographer, which is a totally other story.
Then got back into penetration testing. So, I’ve kind of been on the red team, sort of adversarial side of the equation my whole career, and then got into Hacking Connected Cars after a contract win with an OEM in Germany. That was my sort of segue into hacking connected cars. What I would say in summary, it was sort of web designer, to system administrator, where I was administering Linux boxes, and stuff like that, networking, to cybersecurity, and so forth.
Chris: Was most of your learning… I mean, like you said, there’s a lot more sort of structured learning now, but at most points in your career were you basically sort of an autodidact? Sort of learning what you needed to learn in the moment, and sort of finding the information where you could get it?
Alissa: Yeah. So, at the time, if any of your listeners remember Security Focus, a lot of times it was going to Security Focus and reading white papers, or Googling, and a lot of times just playing with a lot of the exploits. So, at the time, looking at the C-source for Teardrop, or looking at some… Back then you had the [GCC-minus O 00:11:57] in Exploit.
Alissa: It’s not so point-and-click [inaudible 00:12:00], now this is Meterpreter and Metasploit, all that stuff. It’s a lot easier to hack these days than it used to be, and that should keep your exploit compiled, but yeah it was a lot of teach myself, it was [inaudible 00:12:12] at university, kind of teach myself.
Chris: So what does your average day at Aite Group look like? What are some jobs, tasks or responsibilities that are sort of a constant on most days?
Alissa: Yeah. So as an analyst I don’t really want to [inaudible 00:12:24] me-too companies. I’m really disrupting the analyst industry in trying to be a unique voice in the industry, in the sense that I don’t really want to cover me-too companies. The companies that are… “Can you cover our pattern-matching, signature detection system?” No. I want to cover something in machine learning. “Cover our antivirus?” No, I want to cover EDR, endpoint detection and response.
I want to cover SOAR. That sort of thing, so security orchestration. So, what does my daily job look like? It’s meeting with vendors, it’s meeting with reporters, it’s building my brand, my personal brand, while in parallel building the brand of Aite Group. So, kind of serving multiple masters where I need to make sure that I’m continuously putting content out there, and being a thought leader, and a subject matter expert that’s recognized in the cybersecurity industry, as putting good content out, so that I can build trust with the industry who are reading my research, and then it’s, “Hey, I need to be covered by Alissa. I need Alissa to write about our product and be an evangelist for our technology, and our company that people take seriously, and that’s credible.”
So I really need to continuously build my brands, my personal brand as well as Aite Group’s, so it is recognized in the cybersecurity industry for its research in cybersecurity. So, my daily job is meeting with vendors, meeting with CISOs, understanding the pain points of buyers, and also understanding the latest technology out there that the vendors are putting out. Because, as you know, cybersecurity changes every day. It’s changing every day, new zero-day exploits are coming out while we’re talking. So things are continuously changing and evolving, and just being caught up with it is really important as an analyst.
Chris: Okay. Now it sounds like your sort of two primary foci right now are writing and meeting with your clients. Do you still do a lot of actual sort of penetration testing, or hacking? Or are you sort of compiling existing research these days more so?
Alissa: Right. Yeah, that’s a great question. I definitely traded the Meterpreter shell for Microsoft Word.
Chris: Okay. Right.
Alissa: But I kind of call myself the Guy Kawasaki of cybersecurity, but there is an element, like I said, of disruption where, while I’m writing about a network threat analysis solution, I am actually deploying that NTA in front of a cardholder data environment, hacking into the CDE, taking the credit card numbers out of the database, exfiltrating them, and writing about what that product looks like from the adversary’s perspective, and what it looked like from the blue team perspective.
So there is definitely this element that I bring of both practical as well as authorship, and really curating and creating new contents around what I’m doing.
Chris: Okay. Can you tell us a little bit about the most challenging case or security problem you ever worked on? What did you do to sort of turn into a successful outcome?
Alissa: I would say probably it would be in the connected car space. It’s such a labyrinthine area of penetration testing. Any penetration tester, any senior penetration tester, you ask them, “Hey, can you do this connected car penetration test? Can you go hack this PC or…? I’ve never done it before, but it’s all the same.” No. Actually it really isn’t, and I’ll probably get trolled for saying this, but I don’t care.
It really is a labyrinth, a very focused, specialized area of penetration testing. You’re dealing with different things, you’re dealing with different platforms, you’re dealing with different connectivity, you’re dealing with the CAN bus, you’re dealing with all these things that you don’t come across against an Apache or IIS web server. It’s just very different.
The challenge that I ran into was doing a penetration test against a head unit, and that’s the infotainment system of the car, and really the challenge was, okay, we’re facing sort of the same vulnerabilities you would face in something running Android OS, right, so different head units will run different operating systems. You have PCS may run Nvidia Linux, you have some head units that may be running Android. It really just depends on the OEM. The challenge was really, okay, I know how to breach a web server, and pivot around within the Active Directory network, and collect tokens, or whatever, and Kerberos, getting to domain admin, right, in the AD environment. How do you pivot around on a car?
Chris: Right. Yeah. That’s a good question, yeah.
Alissa: That was the most challenging section in my book. Okay, we’re following the penetration testing execution standard here, done all the other steps, now I’m on the post-exploitation chapter. How the hell do you write the post-exploitation step of a car? It really is understanding the fact that when you’re pivoting around in a connected car you still have connected components. That head unit still needs to communicate with other things, it still needs to talk to other ECUs.
Whether it’s the steering column that’s connected to the CAN bus which the head unit is connected to, it’s understanding that the in-vehicle network is very much like an intranet. While it may not talk TCP/IP, at least today, by the way a lot of fleets are moving to Ethernet, but while a lot of it is CAN today, it’s still networked components. They’re still networked TCUs.
Chris: Wow. Okay, so yeah. Let’s jump right into that. To start at the beginning. What have you found some of the most common attack vectors are that hackers are hacking into connected cars? Either that you’ve done, or that you’ve seen done out there, what are the scariest possible vulnerabilities that you see right now in connected cars?
Alissa: Yeah. So, I would say the answer to that is connectivity, right. So right now whether it’s autonomous vehicles, connected cars with autopilot, they need connectivity. You have manufacturers, automobile makers who are communicating over what’s called OTA, or over-the-air updates, with the connected car, so they need to be able to communicate with that backend, and that is typically always GSM.
So, the attack vectors, the attack surface, that mobile devices, that mobile phones have over GSM apply to a car, right. So the things that you are facing with your mobile phone, such as rogue base stations, are the things that you face with the connected car. I think the scariest thing, I would say, is really just knowing that you’re driving down the street with you and your family in the car, and somebody that’s possibly targeting that car has a rogue base station set up.
Your car, the telematics control unit within your car, is going to connect to the cell tower with the strongest signal. Now, if you’ve got a rogue BTS projecting a stronger signal than the legitimate base station, your car is going to connect to that rogue base station, and it’s very cheap and very simple to set up a rogue BTS these days.
So I think that would probably be the scariest for me, just knowing that if you have… if you’re driving a car with you and your family in it and a vulnerability could potentially lead to loss of life or safety concerns with you and your family, it’s way different than the ramifications of a compromised web server, and having your website defaced, or even ransomware encrypt data that’s not backed up.
For me, from a connected car perspective, it’s a way different playing field when you’re talking about the potential for loss of life, and if [crosstalk 00:20:53] all that Network fabric through the rogue base station, you control that with the world of whatever is connected to that, and it’s all-
Chris: Yeah, I mean, if it takes a…
Alissa: … a stable encryption you can do all that.
Chris: Wow. Yeah, and even if you can sort of get the car back on board in a few seconds, that few seconds can make all the difference.
Alissa: Right, right. Because you have some companies that are talking about MSSPs for connected cars, there’s several that are saying, “Hey, we monitor connected cars from our security operations center,” but now, okay, so you’re going to respond to an attack on a car that I drive right off of a cliff in a couple seconds, while you’re dealing with false positives and other things? We’ve got more time to respond when monitoring a computer network from a SOC than you do a car that’s driving on the road.
Chris: So what are some of the most… What are the basic preventative measures, or even advanced-level preventative measures, in cars rolling off the assembly line that aren’t implemented as widely now as they should be that you would like to see as industry standard?
Alissa: That’s a good question. I think the best answer to that is going to be the concept of network segmentation and micro-segmentation. So I have seen cars, in doing penetration testing, where the passenger wireless network is being shared with the wireless connectivity between the telematics control unit and the head unit, and so being able to communicate with that TCU from the passenger Wi-Fi network.
So why am I using the same wireless network as the TCU, which is the connectivity for the car? What I would like to see more of is OEMs creating head units or creating devices that implement the basic concepts and tenets of cybersecurity that we practice in regular computer networks. Because let’s point the pink elephant out in the room, Chris.
Chris: Okay. Yeah.
Alissa: Today cars are not just cars, they’re not combustion engines, they’re networks, they’re networks with wheels, they’re cell phones with wheels, and we should be securing cars the same way we secure computer networks. If we’re doing network segmentation and they aren’t flat networks in a computer network, then they sure as hell should be in something that I’m driving myself and my family in.
The other thing is, a lot of times, and a lot of people don’t know this, but there are companies that are selling firewalls and intrusion detection systems for cars. So just as cars are now becoming these Ethernet networks and network devices in the in-vehicle network, and we haven’t talked about V2X yet, we haven’t even talked about vehicle-to-vehicle communication, but within the network of the car you can implement IDS, you can implement firewalls, but a lot of the manufacturers aren’t doing that because of the cost, and always weighing cost with security, right.
Chris: So these sort of firewalls and add-ons, these are things that are sort of commonly available, the connected car owner would be able to sort of get and install themselves? Or how does that work?
Alissa: Right, but I mean, here’s the thing. In my experience in talking with a lot of the OEMs when they’re piecing these things together, you remember that the manufacturer, a lot of people think that the manufacturer, whether it’s their Honda, or their Daewoo, whatever it is, they think that they are the creators or manufacturers of all these pieces, the head unit, the TCU.
No, the manufacturer of the car is just piecing together all of these other products from all these other companies in the supply chain, they’re just Lego blocks that the manufacturer is just putting all together, right. So the thing is that they need to understand that with these individual pieces that they’re putting together, there could be individual vulnerabilities in all those parts.
So, yes, there are firewalls that these OEMs can buy and implement, and there’s segmentation they can do, however they’re weighing the cost that comes with it. So I’ve seen the OEMs complain over the cost of a 10-cent cable, right, a $2 cable. You multiply that by an entire fleet of cars and you’re talking about a lot of money, right, for a $2 cable. So they’re always constantly weighing the cost of it.
Chris: I mean, is that something that you would… If you had your druthers that you would sort of make it a requirement. I mean, it sounds like it, right?
Alissa: Yeah. I mean, I think what needs to happen is there needs to be some sort of legislation, or there needs to be something that says, “Okay, automobile maker, you can’t put this car out on the road unless there’s network segmentation, micro-segmentation between these, the in-vehicle network and the critical devices. The head unit should not be able to write to the CAN bus, or communicate commands to other ECUs in the car. You should have firewalls between particular components within the in-vehicle network.”
These are the things that I think should be there before the cars are put on the road. We have similar things within the computer industry. Certain things, whether it be safety, or whatever it may be, those things need to exist and need to be there. Let’s look at role-based access control, right. Within Active Directory you can do role-based access control. The option to implement RBAC, and assign users to different groups based on their function within the organization. Why aren’t we doing this with the different ECUs, and what they do, the functions they perform in the in-vehicle network?
Chris: Now, to go on the other side of that, if you find yourself the owner of a connected car, or maybe you’ve even had one for a while, and you’re not sure if your car has all these sort of firewall or safety features, what can you do to check or ensure that your car’s security protocols or other defenses, are best utilized? I know it probably varies from car brand to car brand, but is there some sort of a resource where you can look and say, “Okay, I need to do this, this and this.”
Alissa: Yeah. There have definitely been some manufacturers recently that, if you search around on YouTube, you can see a lot of OEMs and manufacturers have had their hands slapped for certain things. There is an increasing amount of research within the automotive industry from us, from the cybersecurity perspective, so I would definitely urge, if you’re concerned about it, I would urge you to Google, look, see if there are any advisories out there, or any research out there on the particular car brand that you’re considering buying.
I have, definitely have my preference on who I think is doing it right, and who really isn’t considering it a priority. But it’s interesting because the car buyer, the mentality and the pre-sales questions of the car buyer is changing now with the new generation, the millennials, and these newer generations is that before the questions would be, how fast can this go? Does it have leather? [crosstalk 00:28:12]-
Chris: Right. Yeah. How loud is the stereo? Yeah.
Alissa: Should I Facebook while I’m driving? Can I Instagram while I’m driving? It’s all about connectivity, and what can you do, and what can you not do in your car [inaudible 00:28:23] autopilot? Can it drive from a chip? Parallel park for me? All those technologies, ask the security questions. When I go out and I buy something, and it’s something that I’m relying on for safety measure, for life and safety, I’m going to ask those security questions. Hey, who makes the head unit in this particular car? Okay, this is X, Y, Z manufacturer, I won’t name drop in this podcast.
Chris: That’s fine.
Alissa: But I’ll figure out who the maker of that head unit is, and, okay, look into them. Or is anything published out there? But I guess it’s just being more vigilant, being more inquisitive of who you’re buying from and what it is you’re buying. It needs to be a lot more than just questions about connectivity and technology, and it needs to also be about security.
When we’re buying these smart doorbells, or smart cameras, those kind of things, we need to be asking these kind of questions. Especially if I’m putting a smart lock on my door, I’m going to go out there and look if there’s been anyone talking about hacking that smart lock. It’s just basic things.
Chris: Yeah. No. Yeah and I mean, that’s going to be the real difficult sort of message here is getting people to understand that they need to understand this. I don’t think most people are even thinking in terms of this. When we pitched this idea for this episode, I was not even thinking about the idea that connected cars could be hacked. So I think there’s going to be a lot of messaging that needs to be done to let people know that this is even something they need to be worried about.
Alissa: Yeah, and it’s interesting. I don’t know if you’ve seen this, but there was that Jeep that was hacked, and they took remote control of the steering wheel.
Chris: Oh, yeah.
Alissa: Where over the Internet they were able to push the brakes, push the gas, turn on the stereo. It’s scary. I’ve been thinking about what you’re capable of doing, and even in the penetration tests that I’ve done over the last decade, it’s scary the kind of things you see. I mean I’ve seen precomputed, unencrypted keys sitting in world-readable directories on the file system. OEMs using the same initial key across every device on the entire fleet.
Not understanding basic PKI security, and secure key storage of where they are storing these private keys. Just the basic stuff that we as cybersecurity engineers were dealing with and remediating 20 years ago, vulnerabilities that are showing up in connected car components. It’s these really, really dumb mistakes. Humans are the weakest link in security, and we’ll always be the weakest link in security, and what can be made by humans can be broken by humans, and until we get that we’re not infallible, that we are going to get it wrong.
We need to start… We need to stop moving towards this speed-to-market over security, because security needs to trump speed to market, it just has to. In this day and age, you have 5G becoming a reality, cellular phone carriers putting out 5G, it’s here. More and more connectivity is going to create more and more of an attack surface. So we need to get that.
Chris: So you mentioned it just very briefly but you said, to move on to it later, but what about vehicle-to-vehicle connections? You’re saying that that’s a whole other… What’s going on over there?
Alissa: Yeah. Yes, it’s crazy. So what you have is V2X, which is vehicle to everything, V2I, infrastructure. You have in-vehicle networking. It’s a whole other world when you’re talking about a car talking to another car. So what’s happening with V2X is you and I can be driving down the road, right, two completely different cars, and your car hits a pothole.
Okay, you hit a pothole. Maybe your tire goes out, whatever. Your car can actually send information to my car in a V2X world and let my car know that there’s a pothole ahead. Crazy. I mean I’m not… and I don’t want the listeners to get me wrong, I’m not saying that this is a bad thing. I mean, with innovation, with connectivity comes really great things. I think everything in my house is smart at this point, I’m just waiting for my smart oven. It’s just, the thing is that it’s not that it’s bad, it’s that we need to understand the risk, and the threat, when you’re talking about vehicle-to-vehicle communication, or vehicles being able to communicate to outside vehicles.
If you have connectivity between two vehicles what does that tell you? It tells you the potential for man-in-the-middle attacks, right? If I can send communication to your car letting you know, I’m the car in front of you, there’s traffic ahead, or there is a pothole ahead, and your car can take action based on my information that I’m sending it, imagine how that can be exploited.
We already know through the bruises, and through the slaps on the hand, that we don’t get authentication right. We’re still trying to figure out password-less authentication, and MFA, and you still have banks where you can create an account and MFA is not enforced. Passwords are the only thing you need, and you’re still figuring out: we need to understand that you need to authenticate the messages within a car. Let me do an example, Chris.
Alissa: Cars are made up of a bunch of ECUs, electronic control units. There’s hundreds of ECUs now within cars. The way CAN works is it’s a single broadcast domain, it’s a single collision domain. If you remember hubs. Do you remember your hubs?
So they were a single broadcast domain, you can connect to a hub. I don’t even know if you can buy a hub anymore, but you can connect to a port on a hub and throw up a sniffer at the rail at the time and sniff and see all the packets of all the communication between systems talking. This is the same thing on CAN. ECUs receive every message on the CAN bus, every message, whether it’s destined for them or not, and they make a decision as far as whether or not that ECU should take action, whether that message was meant for them.
Alissa: There’s no authentication. I can pretend to be an ECU and send a message to the ECU that’s controlling your steering column, or controlling whatever, your braking, or your acceleration, and it will take action, because there’s no authentication, the messages are not authenticated, and that’s the problem. It’s really just understanding the basic tenets of confidentiality, integrity and availability with cars. All right.
I mean, the man-in-the-middle attack was the most common attack vector when I would go after a connected car. When I wanted to breach or compromise a car, MITM was the most common attack vector, the person in the middle, right, [inaudible 00:35:51] all that. Pretending to be the telematics control unit, and sending messages to the head unit, or vice versa when there’s a trust relationship between the two because authentication wasn’t being enforced.
Chris: Yeah. Now, are the solutions to these… Is this as attainable? I mean you were saying with a car unto itself that it would be… it’s a fairly low-cost thing to include a firewall, or segmentation, or micro segmentation. Is vehicle-to-vehicle, are these issues equally solvable but for the worry about the bottom line, and money, and so forth?
Alissa: Yeah, I’ve never been a believer in the fact that something is impossible. I mean, look at my career, starting a company at 17, anything is possible. It is possible to secure against these attacks, the problem is we’ve got developers hard coding API keys in their code, and we haven’t even talked about that yet. Cars are communicating over APIs. I don’t know if you know this or not, but Akamai just released a report that more than 87% of the traffic on the Internet is [crosstalk 00:37:05] API traffic.
That means that a majority of it is not human to application, it’s thing to thing, all right. So it is possible; the problem is that we keep… we’re not learning from history, and whether it’s hard-coding keys in source code, or implementing a single wireless network for all these different devices within the car to share with the passengers, and their mobile phones, it’s taking the time to think through these things and making sure that automobile makers and OEMs have cybersecurity engineers on their team.
That’s a very common finding for me in meeting OEMs and car makers is that there’s no cybersecurity people involved in the product development lifecycle. Why? Where are the cybersecurity people? You’re bringing in me to do a penetration test on a product that you’ve made that security engineers were not involved in and were not a part of? That makes no sense to me.
It’s like asking someone, I don’t know, to come check the security of your house when you’ve got no locks on the doors, or you have a sign hanging saying, come on in. Why are you asking me to test to secure your house if you’ve got no locks? That sort of thing.
Chris: Well, that’s a perfect transition to my next question. Again we’re the Cyber Work Podcast, and we like to help people who are trying to climb the ladder in cyber security into their careers of their dreams. So for our listeners who are trying to move up the ladder, it sounds like they’re not, but can there be jobs or positions opening up that would address these types of connected auto issues?
Alissa: Yes, and more should be women [crosstalk]-
Chris: [crosstalk] thing we’ve been talking about for about two months now. Great, yes absolutely, agreed.
Alissa: The gender gap in cybersecurity is relatively huge. So the answer is definitely yes, and I’m a huge advocate of this, and I really, I do urge your listeners to reach out to me on LinkedIn and Twitter and follow me, I can definitely help educate and guide, I love that. I think there needs to be more women in cybersecurity, there needs to be more people in connected car cybersecurity. It is a very labyrinthine area of cybersecurity, you do have to understand some other basics and principles, but it’s not unachievable.
But there is definitely a career path here. What is the right path? I don’t know. I’m a packet monkey. I come from layer 3, I love looking at packets, love to see [inaudible 00:39:43] at packets all day, and so that really helped me when I would look at payloads of a packet, or look at the headers of a packet in intrusion analysis, and so there’s definitely a career trajectory.
Let me say this, it should definitely include studying for the CISSP. Now, let me qualify that. Okay. I’m going to say this, and my car is going to get keyed for saying this, I don’t care. You can key my car.
Chris: We literally get two comments per video, you’ll be fine.
Alissa: Okay. Cool. Great. This will probably generate 200. So the thing is, it’s that I don’t believe that you should be a certification mill. Don’t get me wrong, I’ve got some brilliant penetration testers, Victor Westbrook, I’ve never seen anyone with more certification, but incredibly brilliant, and knows his stuff. But there are people that will go out there and get certifications just for the certification and the acronym after their name, and can’t tell me the headers of a packet.
I’ve seen someone with all the Cisco certifications in the world after their name, but can’t tell me what the protocol header of a packet is, or what the IP header is, and what order it comes in after the Ethernet header, that sort of thing. So what I’m saying is, study for the CISSP, but you don’t necessarily need to go get the CISSP, but studying for it will give you so many of the basics, the basics of operating.
It’s like they say, it’s a mile wide and an inch thick. You’ll learn so much just by studying the CIA triad, and some of these other basic principles. The Certified Ethical Hacker course, study for it, you don’t have to go take the exam and get it, but study for it because it will teach you so much.
Chris: I would prefer that you take the exam as well.
Alissa: Yes. I mean, I’m not saying you shouldn’t.
No. Here’s the thing, I have certifications. I got the GIAC Certified Intrusion Analyst course. I did the Infosec Institute stuff. Those are good things, it proves to [inaudible 00:41:56] and proves to people that you know what you’re talking about, that you passed the exams, that you did what it took. But what I’m saying is that just because you take the exam and fail it, that doesn’t necessarily mean that it’s the end of the world, because you still gained something from studying for it.
Whether it’s an Infosec Institute exam, or a course, or whomever it is, you learn so much just by studying for that cert, and it’s… I guess what I’m saying is it shouldn’t replace practical experience. That’s what I’m saying. Certifications are important, and you need them. Some places won’t even interview unless you have that cert, but you need to make sure that you also combine it with practical experience. Right?
Chris: Yeah. I think it’s, like you said it’s a difference between the mindset of the cert collector who wants to catch them all, versus having the right tool for the right job.
Alissa: Exactly. I mean it will get your foot in the door, but you need to be able to explain what a packet is after you do that.
Chris: Yeah, if you need this information…
Alissa: I mean, because I’ve seen so many people flame out in the interview, it’s like: “I’m interviewing you for a job…” Let’s try that again. I’m interviewing you for a job and you got your foot in the door because you have the GCIA, or you have the XYZ certification, but I’m asking you to tell me what shellcode looks like in a packet. I mean how can you have the cert but not explain that? So it’s really causing a question like: Yes, get the certs, they’ll get you in the door, but you need to be able to survive the interview after you get in the door.
Chris: Mm-hmm (affirmation). All right so let’s, you brought it up, and I’m thrilled you did, because we’ve been talking to women in cybersecurity for a while now. So what are your strategies for getting more women involved in cybersecurity? What have been the roadblocks? Have you experienced specific discrimination or setbacks-
Alissa: Oh. Yeah. Oh, yeah, for sure.
Chris: Okay. Do you want to give us some horror story?
Alissa: Oh yeah, for sure. You know what, it is real, it is mainly like the wage gap and the numbers around that are real of course, but I’ve definitely experienced it as well. I’ll meet someone, and I’ll get the question, “Okay. Are you the marketing person?” Oh, no.
Chris: You’re the second female cybersecurity expert in two days who’s had that exact: Are you the marketing rep?
Alissa: Are you the salesperson? No. I’m the cybersecurity engineer, I’m the one who’s going to be performing this work. What do you mean? It’s just, I don’t know, I don’t know what it is. You know it’s funny because the most brilliant hackers I’ve ever met are women, and it’s [inaudible 00:44:47], there’s definitely a lot there, and now I’m going to throw something at you.
I’m transgendered, so not only am I dealing with the whole: Oh, you’re a woman thing but, oh, you’re trans, oh you’re a trans woman, and so there is a very machismo… Cybersecurity is very more elite than now very machismo industry. I took a break from the cybersecurity industry specifically because of this, but there’s a lot of arrogance, and there’s a lot of jerks in this industry.
I remember, and I don’t know if you remember this or not Chris, but it was not that long ago when you would be walking around DEF CON and you would see girls walking around with green hair, blue hair, and they would be referred to as scene whores. That was an acceptable term to refer to women, and that wasn’t that long ago. So I think there really is, we need to change, we need to evolve, and I think the more women that get into cybersecurity and prove that they can write… that we can write exploits, that we can hang with the best of them. That’s where I think it’ll start to change.
I think it’s really maybe just… I’m not saying that these people who assume that I’m a salesperson, or assume that I’m marketing, that they’re bad people, they weren’t thinking before they said anything, sometimes that wire is broken for some people. Or maybe they just run into a lot of women that are in marketing roles, or a lot of women who are in sales roles.
I like to give people the benefit of the doubt. They may not be sexist, they may be the biggest advocates of flying the flag for women in cybersecurity, but they just weren’t thinking before they said it, or-
Chris: Yeah, and it’s also a perception issue within… if you’re so used to the men are the security experts, the women, and then with less than 25% of the cyber security workforce being women you’re just sort of reflecting back what you’re seeing every day.
Alissa: Yeah. Exactly. Or in that cocktail party my fiancée, she’s… so on top of it, I’m also a lesbian, so I’m flying all the flags.
Chris: Oh, yeah.
Alissa: One is just not good enough.
Chris: No. Oh, man, let the-
Alissa: Yeah, my fiancée, she will tell someone at a party, or whatever, “Oh, I have no idea what she does, something with computers.” I think that just kind of gets ingrained, they go back to the office and they just regurgitate that, “Oh, girls just don’t know how to explain what an IP is, or whatever.” I don’t know, it’s just, I don’t think people are… Or I like to believe that people are just genuinely good people, and they’re not these evil people. Like, “We must keep the women down.” It’s just history kind of evolving and people evolve with history.
That, yes, women were historically in these sales, and marketing, and support roles, or reception roles, but they can also now be in cybersecurity roles, where they are capable of earning just as much, if not more than men. It’s just, we just have to evolve.
Chris: Yes. Let’s talk strategies about that. Do you have any… Because this requires a pretty deep bench, it’s not enough to say, “Okay, we’re going to have a ton of women in help desk roles or whatever.” What is the strategy for getting women involved in managerial roles, leadership roles?
Alissa: Yeah, that’s a-
Chris: I mean like a multi-tiered strategy, and I’ve asked it of everybody, and obviously there’s no right answer, but I’d love to hear your take on it.
Alissa: Yeah, so, here’s the thing, and like you said earlier one, a lot of words for it. I had a client who actually made a sexual proposal to me in an effort to try and get that contract with them. On the flip side, with the trans issue, transphobia, I’ve had a client not want to do business with us because he didn’t want to do business with a company that was run by a transgendered woman. Just stupid stuff, that guy of course doesn’t work there anymore, but just really ridiculous things. You run into it.
A woman in a decision-making role, it is not that she would be willing to sleep with someone for a contract because we’re women, or something ridiculous like that. So there are those horror stories. As far as how to fix it, I think the more… I think the more women we have at the conference stage, on the conference stage talking about the fact that they just created hardware-based malware. Or that they just figured out how to create a rogue BTS and compromised your thermostat with it, or whatever it may be.
I think the more role models we have this will start to change. Women in leadership, my favorite, some of my favorite CISOs and CEOs are women. Sherry Ryan, the CISO, CISO over at Juniper. Jennifer Sunshine Steffens, I would give my life for her. She’s CEO of IOActive, very smart, very smart ladies. The more we have, Caroline Reese, she’s my CEO of Latin America, Mexico. Women just bring an awesome dynamic to the boardroom, we bring an awesome dynamic to the table.
I always make fun of… I love this story. I believe that, and I know I’m stereotyping here so don’t kick me, but I mean, I think, DNA-wise, genetically women are just a lot more patient than men, and where I’ve seen male hackers just kind of going, “Okay, well quickly again. I don’t care how noisy we are, I don’t care how much of a mess we make, just get in. Pump the service, get a shell, it’s quick and loud. It doesn’t matter.” Whereas a woman will take her time, low and slow.
Well, okay, let’s not make so much noise, let’s not make a mess of the kitchen, while we’re… We’re just a lot more methodical, a lot more patient, and a lot more, it’s just ingrained in our DNA as mothers, just being more patient, until you get to the end goal.
Chris: That’s worth noting. I think that there’s the sort of detractors who say, “Oh, you’re just to get numbers, a numbers game. Or you’re just trying to fill some sort of quota.” But I try to stress over and over that a diversity of backgrounds, and opinions, male, female, queer, straight, people of color, you’re going to get different experiences, you’re going to get different specs based on whether people have chronic illnesses, that you never would think to make the buttons this way, or whatever, until you know-
Alissa: It is, it’s that whole argument that, “Men are from Mars, Women are from Venus,” but no, both planets offer great input to the same situation and a different way of looking at things. The same thing with men, obviously men bring some great, thought-provoking input to a situation that I may not have thought about or that… So I agree with you completely, and I read a lot of self-help books, and one of the things that I’m doing [inaudible 00:52:08] on right now is writing. You’ll see that authors will talk about this, and this was geared towards men, and this paragraph was, “Stop writing what you’re writing, and then pushing it out there, bring it to your wife and have her read it, and let her give her input on it.”
It really is, there is something ingrained in our DNA, in our individual idiosyncratic differences and genders that just cause us to look at things differently than a man, or a man differently than a woman, and I think those need to be exploited to make better products and better outcomes.
Chris: Yeah. Now, so as we wrap up, this has been awesome, I could talk to you all afternoon. But as we wrap up today, what are the security challenges, especially in connected cars, but just in general, what are some of the security challenges you see looming on the horizon for 2019, 2020 and beyond?
Alissa: Oh. That’s a great question. I’m going to close it out with API Security. I mean the average number of APIs that a company runs these days is 420. You’ve got Bezos, Jeff Bezos who went to Amazon and said that anyone who builds a new application and doesn’t do it as a micro service behind an API will lose their job. Everything is an API economy now. It’s the API economy. So that creates a massive attack surface because people are not securing APIs properly.
This extends to connected cars, this extends to mobile apps, just a few weeks ago actually, Chris, I dropped some research where I downloaded 30 financial services mobile apps, and decompiled them and found that in every one of those financial services apps, 29 out of the 30 were not just shielding their code, were not putting any tamper detection in it, were not doing any white box encryption, and I could see everything in it, including the API keys, including the tokens, including AWS credentials.
Being able to then know that, okay, that back-end API is not authenticating anything beyond the API key and API token. So if I just simply add that bearer token into my authorization header, this bank or this credit card company is not doing any other authentication, I can pull whatever I want from that database. So it’s an understanding that everything now, the days of the monolithic app are gone, and everything has moved to microservices.
Chris: Wow. So if people want to find out more about Alissa Knight or Aite Group where should they go? You mentioned your LinkedIn page.
Alissa: Yes. So please definitely follow me on Twitter @AlissaKnight, and that’s Alissa with an I.
Chris: A-L-I-S-S-A? Yeah.
Alissa: A-L-I-S-S-A K-N-I-G-H-T, LinkedIn, I’m big on LinkedIn, and you can even follow me on Instagram if you want to see pictures of my food.
Chris: You said there’s a book coming out, what’s the pub date on that?
Alissa: Yes. It should be out in the next couple months. I’m in the process of doing copy edit review, and that’s like two years in the making. So it’s been [crosstalk 00:55:18] years of my life coming to an end.
Chris: The title is?
Alissa: Yeah, Hacking Connected Cars: Tactics, Techniques and Procedures. So, it will be through Wiley, it’s available for pre-order on Amazon right now, you can also pre-order it on Barnes & Noble if that’s your bookstore of choice.
Chris: Alissa Knight, thank you so much for joining us today.
Alissa: It’s been a lot of fun.
Chris: Okay. My pleasure. Thank you. Thank you all for listening and watching. If you enjoyed today’s video you can find many more on our YouTube page, just go to YouTube and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your work day, all our videos are also available as audio podcasts, just search Cyber Work with Infosec in your favorite podcast catcher.
To see our current promotional offers available for podcast listeners and to learn more about our Infosec pro-life boot camps, Infosec’s skills-on-demand training library, and Infosec IQ Security Awareness and Training platform, go to InfosecInstitute.com/podcast, or click the link in the description.
Thanks once again to Alissa Knight. Thank you all for watching and listening. We’ll speak to you next week.