[00:00:00] CS: Today on Cyber Work, Ted Harrington, the executive partner of ISE joins me to discuss the practice of finding vulnerabilities. It’s much more than the job. It’s his life’s mission. We spend some time talking about being the first to hack the iPhone, thinking like a hacker to avoid being hacked, and Ted gives advice for people who would rather sell their wares online than spend all day thinking about security. Remember that Cyber Work listeners are eligible for a free month of Infosec Skills by going to infosecinstitute.com/skills and using the code cyberwork when joining. That’s 30 days of free security courses, hands-on cyber ranges, skills assessments and certification practice exams all when you use the promo code cyberwork on signup. That’s infosecinstitute.com/skills. And now let’s start the show
[00:00:48] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week we talk with a different industry thought leader and we talk about cyber security trends, the way those trends affect the works of infosight professionals while offering tips for those breaking in or moving up the ladder in the cyber security industry. Ted Harrington, executive partner at ISE, his bread and butter is finding new ways to protect digital assets. He’s helped companies like Disney, Amazon, Google, Netflix and Adobe fix tens of thousands of security vulnerabilities. His team at ISE is comprised of ethical hackers known for being the first to hack the iPhone where he ends where he applies his think like a hacker mentality to constantly adapt to fresh security and software development challenges.
So as we know, the world’s been moving in the direction of holiday shopping online for a bunch of years now, but with things being what they are in 2020, I think that trend is likely to grow exponentially upward as stores either become close to the public or only open to a few people at a time due to safety. Either way, this means a lot more online transactions and a lot of juicy targets for cyber criminals.
In past episodes around the holidays we’ve talked about ATM skimming and safety measures for consumers when ordering online. So today we’re going to be talking about ways that ecommerce websites, whether it’s Amazon or your local craftsperson with their own Wix site, can do everything to protect themselves from fraud, theft and compromise during this high-intensity shopping season. Ted Harrington, thank you for joining us today on Cyber Work.
[00:02:13] TH: Thank you for having me. I’m excited to be here.
[00:02:15] CS: We’re very glad to have you. And I’m looking forward to your insights here. So I want to start out with your background. How long have you been in the cyber security industry? Has this been a lifelong passion? Or what got you sort of move down this path originally?
[00:02:30] TH: Well, in my mind, I think I’ve been on the path to cyber security my entire life even before I realized it. Now, there’s plenty of people that I know in security who are like, “Oh, I was hacking computers when I was seven,” and I wasn’t quite like that.
[00:02:45] CS: I’ve interviewed a few of them, yeah.
[00:02:47] TH: Yeah, I’m in business with one of them. My business partner is that guy. But what drew me to security is that it’s something that matters. It is difficult. It’s filled with really intelligent people. It requires, not encourages. It requires that you get better every single day. And those are really principles that drive my life. And so that’s what I was skewing towards even though earlier stages of my career were focused still entrepreneurially, but in other sectors. And then it was about 10 years ago, plus or minus, that I first linked up with the guy who became my now business partner and it’s been just a rocket ship proverbial. It’s making sense.
[00:03:34] CS: Can you can you talk a little bit about the sort of what you – The two of you sort of like bring to the table in terms of – You said he’s a, “I’ve been hacking since I was seven.” And like what are your sort of like strengths that sort of balance each other and sort of make the two of you know more than just you?
[00:03:52] TH: Yeah. Steve, he originally founded our company in 2005 with a bunch of other guys out of the Ph.D. program at Johns Hopkins. And what they did was pretty rad. They wanted to challenge this claim that had been circulating at the time that the immobilizer function, which is part of the ignition sequence in a car, that was considered to be – And I’m putting this word at air quotes “unhackable”. It couldn’t be defeated. And so of course they said, “Challenge accepted.” And they went out and reverse engineered the cryptographic algorithm and built a weaponized software radio and were able to actually start the car without an authentic key.
And that was really the birthplace of the company. And what happened next was once that research was published, a lot of companies came calling saying like, “Hey, you guys understand how to break systems. Can you help us?” And that’s really what we’ve been doing since. That first iteration of the company took – I forgot, maybe like six years or something. It kind of went through its own sort of mini arc and then at that time Steve wanted to pivot a little bit and bought out his co-founders and he was looking for someone to help him, a fellow entrepreneur, someone to help him really like grow the business and take this idea of really thinking like an attacker and helping companies build better, more secure solutions. How can we build it and build it bigger?
And at the time I was working on another type of technology that really worked and that really mattered. It was more focused in water. But once I heard this opportunity, it was like my life’s been guiding towards this. And so our strengths really – Well, I think we’re the perfect Venn diagram and that uh we have a lot of overlapping strengths primarily around entrepreneurship and really challenging conventional wisdom and approaching problems differently. And then we also have different strengths as well. And those are into the specifics of our actual job duties that are different. That’s kind of how we work together.
[00:05:59] CS: Okay. Can you sort of walk me through some of the turning points or key moments in your career? Because I mean obviously when people see what you do now, and you’re finding vulnerabilities in in giant corporations like Disney and Amazon and things like that. That sounds like a dream job to a lot of our listeners I’m sure. So like what were some of the steps along the way? Like you said, you didn’t sort of like – You weren’t hacking when you were six or you weren’t doing this all the time. So like what were some of the sort of major milestones along the way that got you to where you are now and doing this kind of stuff?
[00:06:32] TH: Yeah, we often joke that it’s like we get to do bad guys stuff and get paid for it and not go to jail. It’s kind of amazing. It is the dream job.
[00:06:41] CS: It is. Yeah, absolutely.
[00:06:42] TH: Yeah. Yeah. Really –
[00:06:44] CS: Like movie sneakers, but for real. Yeah.
[00:06:47] TH: 100%. Yeah, you nailed it. Absolutely.
[00:06:49] CS: I interviewed someone here who had the laserdisc of sneakers behind him. He said the movie was such like an influence in his life that he just keeps it around.
[00:07:00] TH: I’m impressed he has a laserdisc. I mean that’s amazing. Yeah, we have people that will hire who they’re like they come in the first interview and they’re like, “Wait, there’s a job like this? This is what I would do on my own on the weekend anyway. This is amazing.” Oh, the questions. What’s the question that you asked?
[00:07:21] CS: How do you get to that point? What are some of the sort of like level-up things that happen? I was able to do this one day, or I was able to break into this thing, or I discovered that doing these two things means this, or I got this first giant client and then things just move from there and stuff like that.
[00:07:39] TH: Yeah. First turning point was definitely the car hacking story that I mentioned. A subsequent turning point was a couple years later when the iPhone first came out and we were the first company to hack the iPhone. And that of course being – We sort of were able to piggyback on the revolution that the iPhone was making in the world like. The iPhone changed the world, and the fact that we were the first people to hack it made – Like we got to ride that coattail of popularity, I guess.
And then another turning point was that inflection point I mentioned before when – And Steve and I started doing this together saying like how can we actually build this company in a way that we can help a lot of other big companies? The next big inflection point after that was I think we started looking at media and entertainment and we said, “This industry has some interesting problems to it. How do we help this industry solve some of their problems?” And having that sort of really narrow focus helped us really establish, I don’t want to say expertise, because that sounds arrogant. That’s not what I’m trying to say. What I mean to say is that because we really understood the problems, by focusing on this one area it helped us really understand the problems and really understand how to solve them. And so that helped us of course grow our ability to help people in that industry. And then just sort of like each step along the way when we looked at something and we said, “We want to grow in this or do this in this way,” we usually start at it from a point of research, and that would be my – There’s a long way of getting to the piece of advice. The advice to anybody would be when you want to make a change, you want to pivot into a different type of role, or you want to level up your own skills, or you want to find a way to get the dream job at some company. Research is such an incredibly powerful way to force an inflection point, because it does a number of things. First of all it helps you understand the issue, because you study it, you now understand the issue. Second of all, it gives you a reason to talk to people who are influential in that area that you’re studying. And then third of all, as the outcome, you actually get both a deliverable. Like as a result of the research, you’re going to have something that you publish, and that inherently establishes authority.
And so I actually make that same argument about why someone should write a book, because like let’s say you want to change career fields and you read a book about that field you’re trying to get into and now you’re the author of that subject matter, like you’re going to get a job. You’re probably going to get a job before you even publish the book. You’re going to get it just because you’re writing the book. Research is very similar.
[00:10:21] CS: The journey along the way that’s giving you the end point basically.
[00:10:26] TH: Yeah. Yeah. Absolutely.
[00:10:27] CS: Okay. So can you talk a little bit about what it’s like protecting digital assets on such a large scale? I mean I know you said it’s fun and it’s rewarding and you do it for free anyway and stuff like that, but like what are some of the sort of like surprising things about the job or just like the scope of it? Or is it just another like you just punch in and go, “Okay, I got to save them from large-scale cyber attack.”
[00:10:52] TH: Well, I don’t want people to think I would do this for free.
[00:10:54] CS: No.
[00:10:56] TH: I got a roof over that.
[00:10:57] CS: Yeah. No. We’re not discussing salary today. Yeah, not at all.
[00:11:00] TH: Yeah. No, I’m kidding. So I mentioned before some of the things that really are appealing to me about security, the mission orientation, the fact that it requires you to continually to improve your skills. And I think that’s true about pretty much everybody that I think is credible in the security community. And I hate to say it, but I put that word credible in there intentionally because I think there is a little bit of snake oil that is floating around the security industry. But if you disregard the charlatans, the people who are the real practitioners, the ones who are publishing research and giving talks and are like the authorities. There are so many like that. Those people are all similarly driven to solve problems and to make things better and to do the thing that they’ve been told is impossible. And I love that. I think that’s so incredible. I can tell you a story even.
[00:12:04] CS: Please.
[00:12:04] TH: We published this research recently that – Let me set the context with a metaphor, right? Okay, let’s say you go to the beach, right? And you bend over, you pick up a grain of sand and you throw it back. And then the next day I go back to that same beach and I pick up a grain of sand, any grain of sand. Now what’s the likelihood that I pick up your grain of sand, right? It’s pretty unlikely. Now if you multiply that by like every beach on earth and multiply that by – I don’t know, a gazillion earths. That gives you sort of a scale of what cryptographers might call statistical improbability. And statistical improbability is what protects cryptocurrency wallets. It basically means that private keys, the thing that actually enables someone to lock or unlock a cryptocurrency wallet, they can’t be predicted. But the question is, “Or can they?”
And so we published security research that was focused on Ethereum wallets where we found we could actually predict the key successfully 732 times. Now that’s like picking up your exact same grain of sand on those gazillion earths 732 times. It shouldn’t be possible once, let alone hundreds of times. And so that begets obviously the next question, which is, “Okay. Well, how much money are we talking about here?” And because cryptocurrencies are built on the blockchain, you can actually look at the transactions and see how much money is in each wallet. And it turns out it was a considerable amount, about a little over 54 million dollars’ worth of Ethereum across all these different wallets.
So the next question is, “Okay. Well, what’s happening with that money?” I mean if weak keys are protecting these wallets, that’s like cash is sitting on the sidewalk. Someone’s going to steal that eventually, right?
[00:13:58] CS: Yeah.
[00:14:01] TH: And someone did. All 732 wallets had all been funneled to a single destination wallet. So clearly someone had found the same flaw that our research had discovered and was exploiting it. And then we wanted to see how fast do these walls get looted. So we took a dollar’s worth of our own Ethereum. We put it into one of these vulnerable wallets and – I mean snap your fingers. And that’s how fast our money was gone transferred to this central wallet.
And I tell that story about this thief that we nicknamed the blockchain bandit when Wired wrote this big expose about it. I tell that story because that’s the kind of stuff that really inspires those of us in the ethical hacking community. That’s what really inspires security researchers, because stuff like that, it’s not supposed to work that way. And yet a story like that, it conveys two points really powerfully. The first point is that vulnerabilities exist. And the second point is that attackers exploit them. And all that we need as security professionals is that crystal clear, almost mandate that says, “These things exist. Vulnerabilities exist and attackers exploit them.” This is not a job. This is not punching the clock. This is a mission. And that’s what gets me really fired up about security.
[00:15:26] CS: That’s what I was hearing as you were explaining it, is it goes so far beyond why did this particular blockchain get robbed. You’re talking about something so systemic and so sort of wide-ranging. I mean for those of us tiny brains here, can you sort of explain what it was that you found that that allowed you to find that same grain of sand 758 times? These were supposed to be statistically improbable to be solved, but you were able to sort of like find a connecting thread. Can you sort of talk about that a little bit?
[00:15:58] TH: Yeah, and there’s very specific technical, deep, granular information on our website for anyone who wants to actually understand the technical details, but I won’t go to that level just for the sake of the audience, but I’ll give a little more depth. Basically what we were looking at was it was a weakness in the way that the software provisions keys and that weakness had made an assumption about the provisioning process. And it was one of these things that I think the way to think about it is it’s like – I don’t know. If you think about like a folder tree, it’s like a subfolder to a subfolder to a subfolder is where that decision was. It’s like so buried in the assumption of how the system works. And we said, “Well, this –” It was essentially based on errors. It was like, “Well, when an error happens, can we manipulate what the sequence of events around an error?” And that’s essentially how we’re able to do it, but that’s what ethical hackers do, right? Ask those what-if questions.
[00:17:02] CS: Right. Right. Okay. So yeah, they’re basically not exploiting the actual un-crackable code, but they’re exploiting the sort of error that happens when a code attempt comes through or something like that?
[00:17:15] TH: Yeah, maybe a metaphor would be like if you and I had a secret handshake and in that secret handshake we transfer some message to each other. The attacker wouldn’t look at that secret handshake and be like, “Okay. Well, when they do a thumbs up followed by a thumbs down, that transposes to this letter of the alphabet.” That’s not what they’re looking at. They’re looking at when you and I were sitting around your coffee table and we’re like, “Okay, when I do a thumbs up and a thumbs down, that means this.” And they’re looking right there and they’re like, “Okay. Well, I don’t have to break the code. The code’s right. This is how the code works.”
[00:17:56] CS: Okay. Okay. Wow! Okay.
[00:17:59] TH: It’s an imperfect metaphor, but it gives you an idea.
[00:18:01] CS: Yes, but it got me there. So it’s a perfect metaphor. And my listeners will fill up me alive if I don’t ask this as well, like how did you hack the iPhone exactly?
[00:18:15] TH: That is – There’s so much interesting about that question.
[00:18:19] CS: Okay. We don’t have to go too far in it, because that’s not we’re here to – But I am curious for sure.
[00:18:23] TH: Okay. Well, I’ll keep it a short answer then. The short answer was that we operated under an assumption that as Apple was moving from the desktop operating system to a mobile operating system that they might port over some known and previously identified vulnerabilities in the desktop operating system just through the rush of like, “Hey, we’ve got to move to this brand new thing. We’re breaking new ground.”
And so what we did was in advance of release date we built out a bunch of attack scenarios that said if they port this issue over, this is how we would essentially go figure out how to attack it. And because we were able to do that advanced work that no one else was doing, when it launched, we just walked through those different attack scenarios. One of them actually worked and it was a buffer overflow vulnerability. And that buffer overflow vulnerability enabled us to take full administrative control of the device from wherever. So we proved concept from our lab in Baltimore taking over the phone of a New York Times reporter in Manhattan. He was part of the research. We weren’t like – This wasn’t malicious.
[00:19:32] CS: It wasn’t just a surprise, yeah.
[00:19:33] TH: Yeah. And so that’s how we proved content. We were able to like add and remove contacts, send text messages, take photos, anything you do.
[00:19:41] CS: So was this the first iteration of the iPhone then?
[00:19:45] TH: Yeah. This was on the original iPhone. And then there was a bunch of research we did after on subsequent ones, but even though that’s like 12 years ago now or maybe 13 even, that’s such a revolutionary moment in human history that people always want to talk about it. So I’m like, “Here we go.”
[00:20:01] CS: Yeah. I mean the way I had heard it, it sounded like we were the first to crack the iPhone. But it also sounded like and thousands before me failed or whatever, but it sounds like part of it was also just that you were getting there right when the doors opened, which is really cool. And you’re saying like, “Okay, this is what we imagine is going to happen at the grand opening of the store. And when they open the doors to the public we can go around the back,” and stuff like that.
[00:20:27] TH: Yeah. Others wanted to be first as well, and that was an added dimension that none of us had an advantage. And so that’s why we built out those attack scenarios in advance, was in order to capitalize on that.
[00:20:41] CS: Okay. Very good. Okay. Even I understood that. Even the six-year-old in me understood it. So thank you. So I want to talk today, our main topic since we’re getting close to the holidays here, I want to talk about ecommerce websites. And obviously you’ve worked on large scale things, whether you’re Amazon or you’re a local gift shop that’s using a WordPress sales platform. You’re going to get more sales in December probably. Everyone’s doing their shopping online, getting it mailed to their home and stuff. So are there any risks that we should be aware of especially if you’re a small business person? What are some risks that you should be aware of if you proceed as a business as usual without making any adjustments to your security strategy in December?
[00:21:28] TH: Well, I might even reframe that question, right? Because it implies that you should – I know you’re not saying this, but woven in that is an implied bias that says, “Oh, you should take security more seriously in December than the rest of the year.”
[00:21:42] CS: And then immediately switch it back in January. Yeah, right. Yeah.
[00:21:45] TH: Yeah. And instead we should never be doing business as usual – Security needs to be a key element of how you think always. And the existence of the holidays don’t change that, but risk does change, which I think is really the spirit of what your question’s getting at.
[00:22:04] CS: Yeah. I mean I think if so many sites that have like Black Friday sales and stuff and every time you always get these emails like, “Sorry. We had so many people come through. It shut down the system for seven hours and things like that.” And I think in addition to just like site traffic, I imagine there’s got to be lots of opportunities within that level of sort of like that density of sales that would make more risk happen.
[00:22:28] TH: Yeah. I think that when you when you are talking about business models where a substantial percentage of income happens during a narrow window of time that can’t be recaptured, what that means to that type of organization is that downtime is unacceptable and there are a ton of attack scenarios and a ton of motivations for why someone would want to actually undermine system availability. So if you can imagine where it’s like, “Okay. Well, we’re going to make in this one week is when we make all of our sales and our site is unavailable during that week.” I mean that could be like business threatening. And it’s not a – I’m not the security guy who’s all doom and gloom and like, “Oh, people could – Everything. The sky is falling.” I actually prefer to find the silver lining in things, but this scenario is not far-fetched. And if you think about something like NotPetya, which was many consider to be one of the largest security incidents of all time. What’s crazy about this issue, which we don’t need to go into detail on what it was, but the impact is really important. Basically it’s largely attributed to Russia performing an attack against their rival Ukraine. So this is like these two nations sparring with each other, but the aftermath was that the attack wound up having these implications all across the globe, one of which was that Maersk, who’s the largest uh shipping – I forgot what you’d call them. But they shipped the world’s goods, right? And Maersk was shut down for – I forget what it was. I want to say it was like a month. I don’t know if that’s exactly right, but they were shut down for a really long time. So there’s an example of where a company had nothing to do with this inter-company dispute. And this is one of the largest companies in the world and they were non-operational for a period of time. And now imagine you take that same example and you apply it to someone who’s hoping to make their entire year’s revenue or most of it in a small number of weeks, that’s a pretty precarious position.
[00:24:41] CS: Yeah, absolutely. So I mean can we make some blank statements about e-commerce in 2020? Are there anything that you think sort of across the board businesses should be implementing no matter their size and scope that you don’t currently see?
[00:24:56] TH: Yeah. So let me give three actionable things. So number one, have the right mindset, and there’s two parts to the right mindset. So one is we’ve talked about this idea of think like a hacker. To defend against attackers, you need to think like them. And so having that real malicious mindset, which we can talk about more at some point today if you want, but that’s the mindset. Think like a hacker and then always strive to get better. I already talked about why that drives security professionals like myself. So that’s number one, have the right mindset. Security is not something you avoid or cost to minimize or whatever. It’s about getting better and having that malicious mindset. So that’s number one.
Number two is – And I even wonder whether I need to say this, but we should say it. Since we’re talking about e-commerce, always be using HTPS. I’ve seen plenty of sites out there that aren’t. They’re just using HTTP, and this is one of those cases where it’s like you don’t even see that security, right? You don’t even see it, and it actually makes –
[00:25:54] CS: Yeah. That’s like not having a lock on your backdoor like, “What are you doing?”
[00:25:57] TH: Yeah. It’s like you almost have to actively buy the door without a lock on the back. So just buy the right door. So always use HTTPS. That’s a good one. And then the third one is always keep as much out of your scope as you can. So when you’re talking about ecommerce sites, obviously larger sites they’re going to process their own payments, but smaller sites, you don’t have to process your own payments. You can integrate with a payment processor, some sort of third-party, a company like Stripe as an example that a lot of companies smaller ecommerce platforms might integrate with that. And the beauty of integrating with offloading as much as you can is there’re a few things. One, you get rid of the thing that the attacker wants, which is credit card numbers and stuff like that. So you’re going to get rid of that. The second is you keep yourself out of scope of things like PCI, which is a compliance program that’s kind of a nightmare to comply with. And then the third is you’re shrinking what’s called your attack surface. You’re shrinking the places where an attacker might compromise you.
And so wherever you can, imagine it like a herd of whatever. I can’t even think of right now what, a pack of animals out in Africa –
[00:27:14] CS: Buffalo.
[00:27:15] TH: Buffalo! Okay, perfect. I was like, “I’ve been on Safari.” Okay, a herd of buffalo. And it’s like saying, “Let’s keep the herd – Let’s not have the weak ones in this herd. Let’s have them be in a different herd.” And the lions are going to go after the different herd. That’s sort of the thinking there. So those are the three things. Have the right mindset, use things like HTTPS and push as much out of scope as you can.
[00:27:42] CS: Okay. Can we talk a little bit to the sort of SMBs, the really small companies? I had a friend who wrote me recently, because once you know about – So yeah. Like for small companies, five, ten people, whatever, who just have never thought about this before, like what are some things that they should be doing to sort of be interrogating? Like you said, you can offload it to people like Stripe and stuff like that, but how do which ones you know are the reputable ones? Or is there sort of a baseline of knowledge that business owners should be able to have in terms of security awareness? Or is it just sort of fine to say, “I’m assuming they’ve got it covered.”
[00:28:27] TH: Oh, I would never encourage that assumption. I would encourage the opposite assumption of, “They do not have this covered.”
[00:28:32] CS: No. No. Because like I say, people I know have said like I don’t even know what I’m looking for in terms of making my website safer and things like that.
[00:28:44] TH: Yeah. So to answer that question, maybe we should think about there’re maybe two groups, and I think the advice is slightly different to the two groups. So if we’re talking about – So one group would be companies that are building applications, right? So if you’re talking about a company like their business is building some sort of ecommerce platform, I’ll give advice to that. And then people who they’re some sort of business and they have a website. So maybe you sell T-shirts and you set up a Shopify store to sell those T-shirts exactly. You wouldn’t consider yourself in the technology business.
So the people that are the latter, right? The people who are not in the technology business, essentially the things I mentioned. Use HTTPS. Push things out of scope if you can. And then maybe the only other thing I might add for those such people would be just be wary of clicking links that are sent to you. That’s just sort of like standard security best practices, but it happens a lot for small businesses where they’re sent some sort of like an invoice or they’re sent a docusign link. Be wary of clicking links that are emailed to you. Anything that is sensitive, you can usually go access directly from that service. So if like docusign sends you something to sign, you can grab the document ID, go to docusign’s site instead and type that document ID, and that way you know if you’re logging, it’s legit.
[00:30:04] CS: There you go.
[00:30:06] TH: The other group, the companies that they’re in the business of building applications. Well, that’s a much more thorough – There’s more you can do. So the individual business owner without technical expertise, not a lot you can do. But the people who have technical expertise building systems, one thing I would definitely recommend is read my book, because I wrote this book, Hackable, for exactly that. Someone who’s building a system, wants to know how to do security right, is trying to figure out how much to budget, how much to spend, how to fix things, how to like separate the nonsense from what they actually have to do. So that’s a simple thing. It’s an inexpensive thing. I mean implementing the ideas isn’t simple, but reading a book is simple.
But the number one thing I think out of that book to the person who’s maybe a small business but they are in the business of building technology, start today. Like not tomorrow, today. Start building security in. And that means this is not something that you you’re saying, “All right. We’ll wait for the next release in order to think about security.” No. It’s got to be now, because you want to integrate all of those decisions into what your developers are doing today. And so that would be the number one thing. Get started on security right now.
[00:31:22] CS: Okay. Can we talk a little bit about – You mentioned before, but the sort of think like a hacker approach or mentality or whatever. Can you sort of expound on that a little bit and how that sort of can influence your mindset as you bring your business forward or your security practice?
[00:31:41] TH: Yeah. So let’s first talk about what normal users do. Normal people, we try to understand the rules. We then follow the rules. What attackers do is also try to understand the rules and then they try to do the thing that subverts the rules. So that’s maybe an oversimplification, but probably not. I mean it really is that straightforward, that attackers they do what you tell them they’re not supposed to do. And I think a good metaphor for that would be this this story – This was back when we could all go to bars and restaurants. And I go out this one night to this one bar, it’s like my favorite bar and a bunch of our friends are in there. I think there’s like a birthday or something. I can’t remember. We had to go to this bar and I can’t remember why, but it’s not like we go to some other bar. Had to go to this one, but there was this big ass line and had to pay a $20 cover and I just didn’t want to deal with either of those things. So a normal person would be like, “Oh, here’s a line.” You wait in line. You pay the cover. You go in the bar. But what an attacker does, the attacker says, “Well, how do I make this work differently? How do I make it work the way it wasn’t intended to?”
And so what I did was I walked right up to the VIP hostess and I said, “Hi, I’m on the list.” Now, I wasn’t on the list, but I needed her to believe that I was, because if I was associated with – If she thought I was on the list, I’d be able to skip the line and the cover. So she says, “Great, what’s your name?” Now, I wasn’t on the list. So giving her my name wasn’t going to help. I couldn’t just guess. That probably wasn’t going to – That’s like picking up the same grain of sand, like maybe, but probably not.
So what I said was I vaguely replied, “I’m with the group.” And now I wasn’t with a group, but I assume there were some groups. She says, “Great. Well, which group.” And to that I said, “Oh, I’m with the big group.” Now, again, I didn’t know the name of any group. So guessing wasn’t going to help. And so she says, “Oh, okay.” And she looks at her clipboard, she flips through a couple pages. She says, “Oh, the Smith group?” And so of course, “Bingo!” I was like, “Yes, I’m with the Smith group.” There it is. And so with that she lets me in.
And so I had broken the system, right? And of course that’s an example of social engineering, which is tricking people into doing something, but the principles are all the same, right? I had a goal, which was I wanted to beat their authorization model. I observed how the system works, which was they had this model which was if you want to get in the VIP line, you have to prove it, and this person verifies your authorization, which is the VIP hostess does that. And so then I issued some specially crafted inputs. This is a very common technique when exploiting applications. And in this case of course, again, we’re talking about essentially a metaphor here, but those specially crafted inputs were these sort of vague leading statements in order to get her to give me information. And then finally once I was able to get the information that I needed, I then exploited, which was saying, “Yes, I’m associated with that group,” which escalated my privileges to the higher level. So that’s really what thinking like an attacker is like. It’s looking at a system, understanding how it is supposed to work and then finding those sort of not obvious nuances in how it would work differently if you interacted with it differently than intended.
[00:35:07] CS: Okay. So to that end, we want to talk a little bit about the sort of work side of Cyber Work here. So for listeners who are trying to break into cyber security and move specifically into sort of vulnerability hunters and ethical hackers and things like that, what are some tips that you can offer to help them hone their skills in this direction? What kind of skills and backgrounds would you be looking for if you were looking at resumes like right now and what would sort of put someone at the top of the pack?
[00:35:36] TH: First of all, do it. Anyone who wants to know the answer to that question, I’m encouraging you to go for it, because there is such a shortage of this talent. It’s so needed and it’s only going to grow. So don’t be don’t be daunted by it. It is daunting to think like what do these wizards do? A lot of people think ethical actors are like wizards, right? We don’t have a magic. I would like to think we have a magical wand. We don’t. Yeah.
So I already gave one piece of advice before, which was to pursue some of your own research, because you’re going to learn a lot in doing the research. The kinds of things that really stand out to me when we’re looking to hire people, and some of these traits are actually irrespective of whether they’re looking for a security analyst, like an ethical hacker type role, or some other role at a company like ours. We’re always looking for people who are problem solvers, who are creative thinkers, who they’re proactive. They’re motivated to go do things, like they don’t need someone to tell them to do it. They just go do it. People who have that relentless pursuit of improvement and trying to keep getting better. Those are the mindset things that we’d be looking for.
From a skills and sort of technical capability perspective, the big one that I think sets a great foundation is just a background in computer science, because if you understand how things are built, you’ll understand where to look to try to break them. So that’s a really good foundation. So that’s like where to start. So I’m assuming these are people who aren’t already in security. There’s different advice I give to someone who’s making sure already been in a security testing type role. How would you level up those skills? But that’s where I’d start.
Certifications can be really helpful in some cases, and in other cases they’re not. But I think in the case of trying to acquire the skills to enter a field, targeting a certification like CISSP or certified ethical hacker, those are things that don’t separate average performers from excellent performers, but they’re the things that separate novices from being able to be in the field. And so in that regard they give a really good sort of way to organize their thoughts around, “Okay, these are the skills I need to acquire.”
[00:38:05] CS: Yeah. Now are there ways that you can kind of hang your shingle out as sort of a freelancer at the very beginning like this or do you have to sort of work for someone as an ethical hacker to sort of show off your bona fides?
[00:38:18] TH: Yeah. There’s two ways I think you could do that without needing to even get a job somewhere. The first I already mentioned, research. I mean no one pays you anything. Another version would be participating in a bug bounty program. Now, there’re a lot of things about the way that bug bounty programs are run that are just not good. Many programs are run in ways that are really bad for security researchers and they sort of take advantage in some cases. But that’s the implementation of the idea. That’s not the idea itself. But I only mention that just because I’m not advocating for bug bounty programs. I think that they have a long way to improve.
But to answer the question that you’re asking, which is how can someone acquire skills? Participating in a bug bounty program is a great way to do it, because the sponsoring company basically says, “Okay, here’s a technology to look at. Here’s the kind of issues that we like to see.” And then that gives an individual person a box to think about playing within. And then of course if you’re successful, you wind up actually getting – It’s not usually a lot of money, but you might get 50 bucks, a hundred bucks, 500 bucks, a thousand bucks. And that’s the great way to do it, because then once you have those, whether you publish research and you get – It’s called a CVE number, but it’s basically your designation that you found a vulnerability, or if you have a finding with a bug bounty program, you could take those now to a future employer and be like, “Look, here’s my body of work.”
[00:39:54] CS: Okay. Yeah, you can sort of directly leverage something like that too. Like here’s proof of concept. Here’s the thing that I’m able to do.
[00:40:01] TH: Yep, absolutely.
[00:40:02] CS: Okay. So do you see any new security or defense techniques coming out on the scene or in the years to come that are going to sort of change the game in this regard? Or is this going to be – I know it’s going to be kind of a constant arms race of they get clever and then we get clever to stop them and so forth. But do you see any particular like changes to methodology or technology or protocol coming down the pike?
[00:40:27] TH: Well, the only constant is change. So I couldn’t necessarily tell you what the world will look like in 10 years, but I can tell you with certainty that the security scenario in 10 years will be different than today in some regards. And I can also say with certainty that some elements of security will be exactly the same as today. So the things that will be the same are the principles, right? Like the fundamentals of what a secure system looks like, that’s not really going to change. Those are things like defense in-depth and all these ideas that probably would take more time than we have to go into, but these ideas are sort of these universal truths about what makes a system secure. Those are going to be the same in 10 years, for sure.
What’s going to be different which we can’t necessarily forecast is innovation is going to change how we approach security. So even just in the last, let’s say, 10 years, a few major ones. Right now we’re at the beginning of sort of this shift towards machine learning and artificial intelligence. We’ve seen adoption of blockchain technologies. A few years ago, starting with the iPhone of course, we saw the adoption of bring your own device to work. And we’ve seen really the adoption of cloud computing. So that’s in like 10 years. We’ve seen these four, at least four, major technology transformations and some of those are still in their infancy. And so to think we’re going to see more of those and we’re going to see new things that we haven’t even thought of yet today.
[00:42:06] CS: Yeah. Okay. S so as we wrap up today, can you tell us a little bit about ISE and some of the projects or products that you’re working on right now that you are excited about?
[00:42:16] TH: Yeah. I mean I talked obviously a lot about different research and stuff we’ve done with different clients. So I think the takeaway for any member of the audience here would be – Like the things I’m excited about are ways that we can continue to help companies. And even along the lines of questions you’ve asked, how can we help individuals get into – Level up their skills and get into the field? And so one of the things that we do that I love is called IoT village, and it’s this sort of hands-on hacking experience that when there were live events we were taking it to Defcon and RSA and and all the big security conferences, and now we’re doing it virtually until live events come back. And I imagine when live events come back, we’ll do some combination of the two. But that’s a way that people can get hands-on experience actually walking through demos and labs, how to hack things. So that’s one of the things that I’m pretty excited about. And yeah, that’s us.
[00:43:10] CS: I love it. So one last question, if people want to know more about Ted Harrington or ISE, where can they go online?
[00:43:16] TH: Yeah. I think the simplest thing would just be to go to my book’s website, it’s hackablebook.com. Obviously you’ll see the information there about the book .You can buy the book there. But also if you wanted to contact me, the links to follow me on Twitter or LinkedIn, or if you want to email me, if you want to talk about potentially working together or potentially working for a company, like anything you could possibly need as a result of this conversation you’ll be able to find on that website. So go to hackablebook.com.
[00:43:40] CS: Ted’s door is open. You heard it here first.
[00:43:42] TH: That’s right.
[00:43:44] CS: All right. Well, Ted, thank you so much for being our guest today on Cyber Work. This was a lot of fun, very illuminating.
[00:43:50] TH: Awesome, man. Well, thank you so much for having me.
[00:43:51] CS: My pleasure. And thank you all for listening and watching. If you enjoyed today’s video, you can find many more on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in your podcast catcher of choice.
Thank you once again to Ted Harrington, and we thank you all for watching and listening and we will speak to you next week.