Penetration Testing - Prodigy Podcast

Penetration Testing

With an onslaught of ransomware attacks disrupting our supply chains, cybersecurity is more important than ever. The best way to strengthen your defenses is to hire hackers to discover your weaknesses. I interviewed John Strand, owner of Black Hills Information Security.

Lowell: Pretty much any time you have something of value, someone will try and take it from you. So you need to secure and defend it. The defenders are known as the blue team. Attackers are constantly innovating and devising new and improved methods of attack. So in order to strengthen security, there’s a need for a team that thinks like the attackers do. This team is called the red team.

It goes back to military training: they’d stage mock battles to practice their defense. It’s not just in physical warfare, it’s cyber as well. I’d even argue that wars are no longer fought with bullets and bombs. They’re fought with mice and keyboards. Corporations and governments hold information with immense value.

So they’re constantly attacked, and in order to strengthen their security, they hire professionals to figure out their weaknesses.

John: Are we using a camera at all?

Lowell: Uh, no, just audio.

John: I went through all of this work today, like combing my hair.

Lowell: John Strand is the owner of Black Hills Information Security, which does something called penetration testing.

John: The joke is we break into places so that other people can’t break into those places.

Lowell: So companies hire John and his team to penetrate their security and tell them how to improve it, so they’re better defended against real attacks.

John: If you’re looking at the concept of, let’s just say, a red team, it goes all the way back to some of the early days in the military, where if a military group was going to see what their adversaries could do, they would basically bring in another group in the military, or sometimes from outside of the military, to emulate what an adversary would do.

Right. So in the old days, you’d have the United States Army; they’d red team and they would say, okay, what would the Russians do in these situations? Well, that terminology has really carried forward into computer operations, where you have companies that are trying to defend their networks, and then they hire companies like ours

to come in and emulate what hackers will do. So hackers breaking in via websites, hackers breaking in via social engineering or spear phishing. We will emulate those tactics that you would see from the Russians, the Chinese, and various other, you know, illegal organizations trying to break into companies.

We emulate what they do to help make sure that organizations are defended against those attacks, and also can detect those attacks when they’re incoming.

Lowell: There’s two basic ways to attack or steal: physically and virtually.

John: The vast majority of cyber crimes are actually online cyber crimes, right? You absolutely have social engineering where somebody breaks into a place; that’s something that does happen, but it’s far less than the other types of attacks that you would see.

An example would be business email compromise, where an organization is attacked and the attacker is trying to get people within that organization to give bank account routing information, user IDs, passwords, or trying to get someone to act on the attacker’s behalf and do something they shouldn’t do, like transfer thousands of dollars to another account that then immediately evaporates into thin air.

So the vast majority of the actual attacks that you see are cyber in nature. And that percentage pretty much matches up with what we do with a lot of our customers. So yeah, we absolutely do physical break-ins, right. You mentioned Jack and the Darknet Diaries. That was a physical pen test that my mom did to break into a prison.

And we’ve had a number of other places where we’ve broken into classified locations, broken into banks, broken into research facilities. So basically, if there’s a way to break into a place, we will do that type of activity.

Lowell: Okay. So penetration testing is definitely the coolest job there is.

We’ve all thought of robbing a bank once or twice in our life. These people get paid to do it.

John: Oh, dude. I mean, you get to talk to people and sometimes whenever they ask you what you do for a living, you can say, I rob banks for a living, and it’s always kind of neat to see people get uncomfortable. Like, what, what do you mean?

You rob banks for a living? I mean, I literally get to break into places for a living, so it makes it just this really cool, dynamic field. And, you know, I’ve been doing this now for 20 years, I’ve never gotten bored. I’ve never been like, well, I’m gonna do the same thing today that I did yesterday, because it’s constantly changing and the techniques are constantly evolving.

Lowell: John also started a thing called Antisyphon Training that teaches people how to become security operations center personnel, which, to put it plainly, is a kick-ass job in high demand that pays really well. I don’t know how to code or hack, but with Antisyphon Training, you can get started with little or no previous knowledge.

Not only that, they implemented a pay-what-you-can system to train people who have the desire but maybe lack some of the funds to learn the necessary skills. John and his team really are the good guys, but they’re every bit as sharp as the bad ones. Black Hills does physical penetration testing, meaning they do get hired to break into places like banks, but the majority of the tasks are virtual.

And one of the most common tools that hackers use is Kali Linux. You’ve probably heard the word Linux before. It’s an open-source operating system that all types of things are built on top of. Kali Linux is a version of Linux that comes with a bunch of applications for hacking already installed. You can download it for free right now and be up and running in less than an hour.

John: It’s going to have password cracking tools, password spraying tools for trying to break into places remotely. It’s a collection of all those different tools. So yeah, we actually do use Kali, because it’s a very quick distribution that we can just stand up. You mentioned OffSec, and OffSec is one of the main developers

of the Kali Linux distribution, and almost every pen tester in the world, and hackers to be honest, are going to be using Kali. We also write a whole bunch of our own tools as well, for breaking into places.

Lowell: Learning to code might seem like a pretty big mountain to climb, but when you break it down, it’s just instructions that a computer can understand.

I’m fascinated by the unknown things you could accomplish. So I researched what computer language is best to learn for hacking, and I kept coming across one called Python.

John: It almost begins and ends with Python in the industry. And I’ll give you a quick survey, right? So Python is probably the most heavily used language because it’s very easy for people to learn and pick up this language, and you can become proficient in writing a tool very, very, very quickly.

The other language that you see a lot in this industry is Ruby. And the main reason why you see a lot of people learning Ruby is because Ruby is the language that Metasploit is written in, and Metasploit is a tool for creating payloads to deliver to compromised computer systems. It’s a tool for writing

and executing exploits against services and misconfigurations, and it is also a tool for doing just basic security checks. So there’s a lot of people that use Ruby. And if you’re going to learn Ruby, I recommend Why the Lucky Stiff’s guide to Ruby. It’s a great way to learn Ruby, with cartoon foxes and things like that.

But we also have a large number of people that are learning Golang, from Google, to get into coding as well. So if you’re going to get in, I would honestly recommend Python or Golang to get started. But if you really like that whole exploit area and you really like what the Metasploit project is doing, Ruby is a great option, too.

Lowell: The cool thing about Python is it’s not just for hackers or computer nerds; you can use it to do nearly anything. For example, one thing my job as senior sound designer requires is ordering equipment for new podcasts. Then I have to download the invoice PDF, rename it, upload it to our expense tracking system,

then fill out and submit a report. Doing this over and over every single day is tedious and time consuming. With Python, I can write a simple script to automate almost a hundred percent of that, which will end up saving me a ton of time in the long run.

John: If I’m trying to break into an organization, one of the common techniques that pen testers, red teams and hackers use is they will try to gain access through weak passwords.

So there’s a ton of people out there that use a password like Spring2021. Season and year is great because you have to change your password every 90 days, the seasons tend to change every 90 days, and the year rotates. So you always can remember what your password is without having to, like, write it down or anything crazy.

So if I was going to try that password against, let’s say, a thousand user accounts, I could type it in one at a time into, like, an email portal or a web portal, or I can automate it. And with that, there’s a ton of tools, many of them written in Python, and some modules in the Metasploit framework that you can use as well,

against different services, where you can automate trying that single password, let’s say Spring2021, against a thousand user accounts.

Lowell: So I could write a script to search the RSS feed for every podcast on Apple or Spotify, find the contact email addresses inside those feeds, then organize it into an Excel doc for easy access.

Another benefit of Python is that it’s a relatively straightforward language to learn, and like the Romance languages, once we learn one, it’s not nearly as hard to learn another. At that point, it’s basically just learning the different rules of the languages. They call those different rules syntax.

John: I’m going to give you a hint: if you’re ever stuck and you’re like, I’ve got to automate something, you just have to close your eyes,

wish very hard for someone else to write that tool for you, and then go to GitHub and look around. And somebody has probably already written a tool that does it.

Lowell: GitHub is a platform that hosts code so you can collaborate with others. There’s tons of code on there for all types of functions and applications.

All right. We’ll hear more from John right after a quick break. Welcome back to Prodigy. For more info or to get in touch with me, visit prodigypodcast.com. So John’s company has grown a lot. He doesn’t do much coding anymore. His time is better spent training.

John: So years ago, whenever I first started, it was around like the 1999, 2000, 2001 timeframe.

And I started while I was working at the Department of the Interior with, it was Andersen Consulting and then Accenture Consulting. And if there was anything that I did back then, right, it was all like C and C++, that was it. Right? Because you would go to like Packet Storm and you would find exploits.

None of the exploits would work. You’d have to read, you’d have to change the code, recompile. It still wouldn’t work and you’d recompile it. So a lot of my early days was in C and C++. Over the years, now that I have a company, we have about like 70 employees. I’m spending most of my time doing training.

So I’m doing a tremendous amount of time in PowerPoint. So I actually don’t develop much of anything anymore. In fact, I’d be hard pressed to probably write a program that just prints out hello world these days. But no, it’s just kind of one of those transitions that happens in this industry where when you start you’re coding, you’re writing things, you’re writing exploits or writing tools, and then eventually this horrible thing happens to you called management.

Lowell: Since John has built a successful security company, I was curious to know what type of qualities he looks for in a potential security professional.

John: So I have this webcast, it’s called Your Five-Year Plan to Information Security. And I spent an hour talking about learning networking, learning operating systems, learning coding and developing tools, and getting out to the community.

And if anybody wants to get involved, anybody at all that’s listening, one of the most important things you can do, no matter what level you’re at, is start releasing tools, start writing blogs, start doing videos. And it honestly doesn’t matter. It’s not like you’re going to be the next huge Twitch streamer by using Nmap.

But what you’ll discover in this industry that’s so critical is there’s so many people out there trying to find anything to do with the basic skills in this industry. We have way too many wizards trying to impress other wizards. And they’re, you know, I don’t want to give a talk unless it’s a super advanced talk on a new technique for hooking the Windows kernel for doing rootkit-style attacks.

But honestly, really what we need is people understanding the basics and fundamentals. So even if you create a blog post that’s like the basics of running Nessus or Nmap or something really, really, really basic, you’re actually going to get some hits on that. And then the other thing that it does for you, once you start giving back to the community, is whenever you get resumes, like we’re right now interviewing for positions at Black Hills Information Security for pen testers and security operations center staff,

I have resumes that look really good. They have good work experience. They have good education experience, but they haven’t done any talks. They haven’t released any blogs and they haven’t released any tools. Those are second-tier resumes. Whereas we have resumes of people that have been releasing tools,

people that have been writing up blog posts and doing videos; that really causes those resumes to rise to the absolute tippy top.

Lowell: So you want to be a penetration tester, a red teamer, and you’ve learned some stuff. It’s a terrible idea to practice this against real networks. So how do you practice your skills?

John: There is a tremendous, like, plethora of different cyber ranges online. The best one, and probably the one that has the most prestige, is Hack The Box. So if somebody is trying to get involved in computer security or pen testing or offensive security, Hack The Box hands down is the best and most well-regarded cyber range.

And it’s also the most accessible, right? It’s not going to cost you thousands of dollars. It’s very, very, very approachable and you can work up in levels, and then there’s specific challenges and badges and things that you can earn. And you’re basically practicing against real systems. So that’s another thing I look for in resumes.

If somebody has Hack The Box and they’ve been going through it for a while and they’ve scored fairly well on it, absolutely, I’m just kind of in awe of those people. That, you know, they get done with their eight-hour day job, and then they go home and they work on something like that. But those opportunities do exist.

You can also Google the SANS Ultimate Pen Test Poster. A couple of years ago, SANS had this poster, and on the back of it, it listed out a whole bunch of cyber ranges, practice Docker images that you could spool up to practice web application attacks. And there’s literally hundreds of them on this poster.

And they’re amazing. And you might have to plug around for a little bit. It’s yellow, it’s on one half of one side. But there are many of those posters on that website, but there are so many places for people to practice and learn. There’s really just no good excuse for not taking advantage of them, and also, to be completely blunt,

there’s no excuse for, like, going and trying to hack into somebody’s website just because you’re quote unquote trying to learn.

Lowell: John’s company teamed up with MetaCTF to build their own way to learn and practice. It’s called the Black Hills Information Security Antisyphon Cyber Range, and you can find it on their website,

blackhillsinfosec.com. I’ll link it on the website. John has been doing offensive security for decades. He’s a legend in the industry. If you want to hear some really interesting stories about his past experiences, then check out the episode that Jack Rhysider did on him for his show Darknet Diaries.

It’s episode number 67, titled The Big House. There’s a funny story John tells about how his mom helped them break into a prison. By the way, I recorded an episode with Jack Rhysider as well, so look out for that.

John: The thing with Darknet Diaries, with my mom breaking into a prison, and one of the only reasons I could talk about that is because, you know, my mom is no longer with us and the prison is closed, has been closed for years.

So it’s not like I’m putting, you know, a prison complex at risk in telling those particular stories. But we, you know, we do about 640 assessments per year, as far as breaking into places. And it’s just crazy. Like, well, I’ll give you an example. One of our testers right now, Derek, is testing a mobile application, and this one company hired

just some third-party mobile development company to write this app for them. And there’s no authentication, like, once you, well, there is authentication, but there’s no, like, authorization on the backend. So, like, if you log in as a user, let’s say John Strand with a password, a password of 1234, I log in with my credentials.

If you know how to, like, modify the customer ID, you can jump into any other customer’s account, make purchases and, you know, change things around. That’s bad. Right? That’s really not something that ever should happen, ever, but yet it does. Right. We have organizations that are still running, like, Server 2003 and on in their environment, something that hasn’t been patched or updated in over 10 years.

Right. And they’re always confused when we break in and they’re like, well, how did you know to do that? It’s like, seriously, this system should have been retired a decade ago. So you see a lot of those really, really kind of dumb mistakes, but then you have these companies that are really super secure. We had one financial organization that we were breaking into, and they used Okta and they used two-factor authentication and they had really good spear phishing protection.

It was a tough nut to crack. And we’ve been testing these people for a long time. Well, we discovered you could spin up an Okta 30-day trial account, and then you could send an email to quote unquote invite users to enroll in Okta for your organization, but it gave you full access to the HTML, to the invite link.

So we were able to actually go in and modify the HTML to turn it into a spear phishing attack against the organization that we were going after in this particular assessment. And we were able to have Okta send the spear phish on our behalf. So immediately it shows up in their inbox with, like, an urgent flag next to it.

And we were able to get an administrator that we were able to phish, get their two-factor authentication, and were able to gain access to their systems, which was like billions of dollars. So you have this huge range, right? You have people that are just doing very little in the way of computer security, and then you have these really advanced organizations that you have to get super duper creative in order to break into.

And that’s a concern that I have in the industry. If you look at the industry as a whole, the industry itself is not improving. You’re just seeing a greater spread and disparity between organizations that are utilizing really good security practices and organizations that are still saying things like, well, what would a hacker ever want with my company or my network anyway?

So it’s all over. No, honestly, we would rather break into the more secure organizations because they’re by far and away more fun, but still, all these organizations need to have some semblance of security. No matter where it starts, we have to meet them where they’re at and help them lock down their systems.

Lowell: Another story John tells on Darknet Diaries is about a kidnapping. Late one night, John got a call from law enforcement. They needed his help to track a missing girl.

John: The suspect was actually using Skype. And at the time Skype, just honestly, wouldn’t listen to you at all. Like, if you were law enforcement and you said, hey, I need to track back this particular Skype user, they would just tell you to pound sand.

And so we had to find a way to basically communicate with this individual and then find where they were at. Well, one of this individual’s friends we had actually gotten a hold of, and we were able to send a document to this particular suspect individual that we believed had the girl. And when that individual opened that document, we were able to get the IP address, source port and timestamp.

And if you’re dealing with a United States based internet service provider, if you have the source IP address, the date timestamp and the source port, you can get a warrant and you can actually get exactly where that specific IP address was. And with law enforcement, they were able to actually get that little girl back in very short order.

Once they got the warrant, they got that information. So that would be an example. And that’s pretty rare, right? You don’t see those types of things all that often, but it is something that does happen. And we do have the ability as defenders.

Lowell: Something I’ve been thinking about a lot since I started working on these episodes is the internet of things.

We’ll get into that right after a quick break. Welcome back to Prodigy. For more info or to get in touch with me, visit prodigypodcast.com. The internet of things are devices that collect and transfer data: security cameras, refrigerators, light bulbs, microwaves, slow cookers, grills, thermometers. The expression is, if it needs electricity, it will eventually be connected to the internet.

All of these devices are potential weaknesses in security.

John: One of the bigger problems that you run into with the internet of things thing is, if you have a computer system at home, you’re logged into that computer system and it pops up and it says it has updates to install. And sometimes with some applications and some operating systems, it just updates.

It doesn’t even ask your permission; it just updates. If you have, let’s say I’ve got an arcade cabinet here, right? And my arcade cabinet needs an update. It just doesn’t let me know. If I have a coffee maker that’s connected to the internet, it’s a very strong possibility that it won’t let me know that there’s a specific update.

If you look at your edge routers at home, your SOHO routers for connecting to the internet, many of those don’t really get updated because you have to log into the device itself to get a notification that there is an update. How many people regularly log in to their router at home? That just doesn’t happen.

So this gets into more of a complexity issue, right? And it’s also a cloud computing issue, where you have so many devices that are all interconnected, they’re all connected back up to cloud services, and they’re based on things like Linux and BSD and, you know, some Windows devices. And you’re really just kind of getting into a more interconnected world.

And as that world gets more connected, just by the fact that it’s getting more interconnected means that it’s inherently going to be more complicated. And when you’re looking at security, the more complicated something is, the easier it is to hack that thing. So just by the nature of the explosion of internet of things and the explosion of cloud computing systems and APIs, it’s actually making the whole space a lot easier for bad people to break into these things and take advantage of that completely.

Lowell: I hate updating software because I’m always worried I’m going to mess something up that was working fine before.

John: And that’s always a risk. We updated a vulnerability in OpenSSL a couple of weeks ago, and we were running an ELK stack, and it just completely destroyed our ELK stack. So yeah, that is absolutely a concern.

However, what I like to tell my customers is, if you look at your risk, right? If you balance it, it’s like sharks and vending machines, right? You’re really worried about sharks, right? So people are like, I don’t want to get in the ocean because I’m afraid I’m going to get attacked by a shark. But your odds of getting attacked by a shark are far less than having a vending machine land on you and hurt you.

So we don’t ever think of that as a risk. Where you have something like SolarWinds that came out a couple of months ago, a whole bunch of organizations got really worked up and they started saying, well, we should probably hold off on patching because of this vulnerability. If you’re looking at patches, like 99.99999999999% of the time, you’re not going to have any problems.

If you look at your operating system and all the patches that hit it, and it’s going across billions of devices, and you look at the software and the patches, you have your software going across billions of customers. The vast overwhelming amount of the time, patches are installed and there’s very little problems.

It’s just unfortunate that it makes a very large news story, like a shark attack, right? It’s a very big news story. This SolarWinds thing was terrifying, but the reality is, if you choose not to patch your systems, your likelihood and risk of having something bad happen to you is going to be much, much, much higher than if you choose to take the quote unquote risk of installing the patch.

Lowell: I’m not rich, so I’m not really concerned that a hacker is going to target me specifically, but that’s not what I should be worried about. Here’s an example: say an old version of the Windows or Mac operating system has known vulnerabilities. Hackers can sweep the internet to find all the computers running this operating system, then break in and steal your password and credit card information.

They won’t target you specifically, but you may be part of a larger attack that includes your device.

John: One of the biggest things that I recommend is, the vast majority of security attacks that are going to hit you, they’re going to come in through your browser, right? So if you can actually find a way to protect yourself while you’re surfing the internet,

that is probably one of the best things that you can do. Like, number one, don’t click on links from strangers. If it’s, if it’s anti-inflammatory, if it’s not anti-inflammatory, that’d be like ibuprofen. If it’s something really inflammatory, right? Like, it’s racial, if it’s political, if it’s religious, just stay away from that.

Right. And I would recommend, just being honest, you shouldn’t hang out and party with people that get really worked up about politics, religion, and, you know, all kinds of different issues. It’s just, you get worked up and then you become an easy target. I always told people, right, I can trick you into clicking a link by trying to make it look enticing.

But the vast majority of people out there are getting really good about, like, you know, an iPad for $5, click here. Not today, wily hacker. And they throw that email into spam. But if you look at the most powerful tool for me getting you to do something that I want you to do, it’s, hey, like if I follow you on Facebook and I start disagreeing with all of your politics, I start disagreeing with your religion,

I start disagreeing with your worldview, and then I send you a link and I tell you, hey, everything you believe about topic X is wrong. Here’s a link that proves it. It is darn near impossible for someone not to click that stupid link. Right. Cause somebody is wrong on the internet. Can’t sleep.

Right. You’re going to click that link. So I’m not saying you shouldn’t care about those issues, but what I’m saying is you shouldn’t let them control your life, because people will find a way to make them control you. So that’s number one: don’t get worked up and go to, like, Skine websites because, you know, your politics or your moral compass demands

it. There’s probably some Russian trolls behind the other side of that, and they’ve got you hooked at that point. The other thing, as I said, is a lot of the stuff that you look at for attacks comes from the browser. So I recommend putting in plugins like Ghostery and Adblock Plus, things that’ll actually start shutting down malicious ads, and really, really try to lock down your browser as much as you can,

cause still a tremendous number of attacks come through the browser itself. So those would be some of the big things that I’d recommend. And then the other thing that I would recommend: make your passwords long, please. You know, use a passphrase, right. You know, let’s say, you know, “I worked at Northrop Grumman” would be a great passphrase.

Right. And then I would add some special characters or some numbers or something like that. Or, you know, I graduated from this particular high school or whatever. Right. I like watching the Simpsons, whatever, it doesn’t matter, but it’s a long passphrase. And then you couple that with maybe some special characters and numbers, and you have a really strong password. At that point, you’re moving towards a passphrase.

Don’t ever go into something and say, well, my password’s “password”, because no one will guess that, it’s the most obvious thing. No, they literally, well, that’d be like one of the first five passwords that they try. And for the love of all that’s holy, stay away from season and year.

Lowell: John is a super nice guy and I want to thank him, Deb, Jason, and Lauren for their help

with this episode. They’re an incredibly talented and likable team. You can find more about John and Black Hills Information Security at blackhillsinfosec.com. That’s Black Hills Info S-E-C dot com. Thanks for listening to Prodigy. We’ve got a bunch of really interesting episodes coming out, so please subscribe to the show, because we’ll be back next week

with another episode of Prodigy. Prodigy was created and produced by me, Lowell Berlanti. The executive producer is Tyler Klang. For more podcasts from iHeartRadio, visit the iHeartRadio app or wherever you get your podcasts. Prodigy is a production of iHeartRadio.
