Ethical Hackers: The MacGyvers of Security (Intel Technology)


(ambient music) - [Narrator] Welcome to What that Means with Camille. Companion episodes to the InTechnology podcast. In this series, Camille asks top technical experts to explain, in plain English, commonly used terms in their field, then dives deeper, giving you insights into the hottest topics and arguments they face. Get the definition directly from those who are defining it.

Now here is Camille Morhardt. - Hi, and welcome to today's episode of InTechnology. My guest today is Ted Harrington to talk about Ethical Hacker, what that means. - Thanks for having me. Excited to be here. - I'm excited to have you here too. I actually joined Ted on his podcast a little bit ago, and that was super fun, so I'm really excited to talk about podcasting a little bit later in this conversation, but I do wanna start, because you are a good hacker, so I wanna start with that.

I also wanna point out you're an Executive Partner at Independent Security Evaluators, or ISE, and your team founded and organizes IoT Village, which we know well, an event whose hacking contest has produced three DEF CON Black Badges. So you're the real deal. (laughs) - Well, my team's the real deal, I guess. I'm just in the fortunate position to lead some really smart people. - So I wanna start by just asking you, because you are a good hacker, what is that? I think a lot of people kind of have a sense of what hacking is, but what would good hacking mean, or ethical hacking? - Well, let's start with what a hacker is, or what hacking is, because I agree with you that people at least should know what it is, but there's pretty rampant misconception about what it means, 'cause hacking or hackers are typically framed as a negative, right, as a malicious person who does evil things, whatever.

Pretty much every single news article you ever read talks about hackers in a negative context. But hackers are neither good nor bad. Hackers are problem solvers. They're creative people who look at a system and they say, can I build it in a different way? If it's already built, can I make it do something different than it was intended to do? So that's really what a hacker is.

That's not good or bad. The fork in the road comes to motivation. Do you wanna look at a system to understand how it works, to figure out how to break it because you want to do something malicious? Well then, yeah, that's the type of hacker, the adversaries, the attackers, that everyone who's in the security profession is trying to defend against. But if your motivation is instead to do those same things, to find the flaws in a system, but to do that in order to fix the system, to make it better then that's where ethical hackers come from. That's where my corner of the world is.

So, that's really sort of the distinction. We use the same tools, we do the same things, we have the same sort of malicious view on the world, but the motivation is different. We want to do this in order to make systems better.

- And I guess there could be like a neutral hacker, or like a personal-reasons hacker, where you're actually just adjusting the use of the system for something that it wasn't intended for but for your own purposes. That's not bad or good, just kind of how you're using it. - Think of something like MacGyver, right? Like I don't know if anyone listening to this ever saw that show. I mean I barely saw it but I'm familiar with the concept of MacGyver. The guy would take like a paper clip, which is intended to clip paper together, and he would use it to like, start an engine or something, and that's hacking. That's like it was supposed to do one thing, can I make it do something else? - So that's like a good hacker.

What is a good hacker? So my next question is, what makes a good hacker? What makes somebody good at hacking? - Well, it definitely starts from that problem solver mindset, for sure. It's someone who looks at something, and it's maybe ill-defined what it means to take a system that's supposed to do X and you want it to do Y, and how do you do that? Like there's not always a clearly defined process. So, the person who can sit down and say, I have this idea and I now need to create something around the idea in order to execute it. That problem solving mentality. A considerable amount of perseverance, for sure.

One of the things about ethical hacking is that you're just gonna run into dead ends all the time, and that's not a bad thing, but you have to keep going to find where the, you know, opportunities lead. The third thing that I would say is this relentless pursuit of excellence. Now, that's not to say that every single person who works in security actually achieves excellence, but one of the things that I have definitely noticed is that people who come from ethical hacking they tend to be wired to be life-learners, to constantly want to improve, to read research, to publish research, to learn from their peers, teach their peers. That growth mindset seems to be a really direct indicator of whether someone will be good at this, and what's interesting is you've noticed, like the first three things that I stated, which I think are probably the three most important things, have nothing to do yet with the technical capabilities. I didn't come here and say you have to be a master at you know, burp suite or whatever, and because I believe that if you have the right attitude and the right aptitude, you can learn the tools and the skills that will then, you know, assuming this is something you're interested and passionate about, you probably can't ever be excellent at something you're not passionate about, but you take all that together and then I think people can develop the skills along the way to be able to do what they need to do.

- That's really interesting. So, okay, so you are a hacker, and you have, you know, a team of hackers, and you're actually pretty famous for having hacked some things that we all hope aren't hackable, and you wrote a book, Hackable. (laughs) I'm wondering, what is something that you or your team's been able to hack that you were surprised at actually how easy it was to hack? Like, that shouldn't have been that easy, and unfortunately it was. - Certainly things within the IoT realm tend to fall in that category, but maybe it's not the right way to answer the question, because sometimes it's not surprising that they wind up being easy. There's tremendous security challenges in IoT, in internet of things, because you typically have small form factors which, you know, have to have trade-offs in computational power, and security typically is one of the things that gets sacrificed.

You also have low price points. People generally hesitate to pay more for the things even that they know they should have, and need, and want, security being one of them. So, is someone gonna spend, you know, 50 bucks for a light bulb that has a ton of security in it when they can get a light bulb for like four bucks? Like, probably not, and so that's a very, very real challenge. But there was some research we did recently that's from a different realm that I think is really fascinating actually, that I don't know if it necessarily was like easier or harder than we initially expected but the outcome was really eye-opening, especially in the world today that we all live in, and that was research that we did on dating apps, and there were a lot of findings that we discovered, but one of the ones that was, I think, just super interesting was you could actually change the vote data.

So if someone, you know, swiped left on you, you could actually go and change that to like a swipe right to say they did want to match with you, and now in the real, like, implementation of the world does that mean that person's gonna wind up going on a date with you, and then like fall in love with you, and like somehow have been...like of course not, but what it hits in the heart is this sort of freedom of choice. Like you're using these apps because you are making choices about your romantic life and someone in a very trivial manner with low-levels of skill they could actually change that, you know, change that freedom, and that was the part that I thought was really interesting. It also caught people's attention because you know, a lot of people are on dating apps, and they're like, wow, that could affect me personally. - Noticing, I've been on a lot of dates with engineers, people are saying to themselves, wait a minute now. (laughs)

- Yeah, I feel like all these hackers- - I'm counting the number of hackers I've been on a date with. (both laugh) - What is going on? Those were kind of eye-opening, that they could be very easily done. - Well, not only that, but that kind of touches on, you know, privacy. I mean, we're laughing about it 'cause it's kind of silly. Like you say, ultimately you're gonna find the person you're gonna find, but that gets right into privacy. You know, presumably hacking into that could allow you to see, you know, likes and dislikes, and personal preferences, and all kinds of things that are extremely personal, you know? - The dating app, like the whole genre of it, is kind of interesting, that people are trying to meet each other on the internet, you know, and you go back, like, what was it, 15 years ago or whatever, people's parents would be like, don't talk to people on the internet, and now they're like, call someone on the internet to pick you up in a car to take you on a date with a person you met on the internet.

It's like, so knowing where people live, like, you know, physically or geographically located, is alarming, I think, to people. - Yeah. Definitely can be. Okay, so I wanna pull a part out of your book here. This kind of caught my eye because it's a little section in the chapter, Fix Your Vulnerabilities, and it's called Vulnerabilities: Design Versus Implementation.

If you have a vulnerability because of implementation it's basically because you executed badly you know, what your design was. So, okay, there's lots to do to fix that, and you know, make sure that you are a good engineer, good developer, et cetera. But I am really interested by the other part which is a vulnerability in design because in this case you bring up the point that this isn't always that it's badly designed so to speak, I mean a lot of engineers design, or engineers develop according to a use case whether they're the person who wrote the use case or maybe a product manager wrote the use case but they're trying to make something work in a certain way, and if they do, that's kind of like a you know, green flag, right? We move forward. But you say, you know, by contrast design flaws are issues with the design itself. They happen when the system works exactly as intended, and yet the attacker can use that intended functionality to exploit the system anyway. And I think this is very interesting because this is really what product manufacturers have to think about and make sure that their, you know, their developers and designers are constantly aware of thinking of the security.

So I just want your opinion on, you know, how do you protect against that, given the mentality of design coming in and going, tell me the use case and I'll make it work. - It is a real fascinating part of the problem. It's like, oh, I was given essentially the roadmap to go build a thing in a way, I did it exactly that way, and it's like, oh, we still have a problem. The simple answer with how you deal with that is you have someone, I mean, I'm obviously coming from a biased point of view here, but what you should do is you should have ethical hackers actually look at the system, and have that sort of malicious viewpoint on it. It's a challenge to thinking. If we have abstracted out, so let me, let me try to explain it differently so people aren't like, well, Ted's saying that 'cause he comes from ethical hacking, of course he's like, we should have ethical hackers involved. But think about really anything in your life. If you're a growth oriented person, I get a mentor, right? Or you want to improve your fitness, so you go get a personal trainer. You're running a business, you get a business coach. You want to be more efficient with your taxes, so you hire an accountant.

These outside parties, ethical hackers being one of them, what we all do is we bring that expertise from a different vantage point to help, like, challenge your thinking a little bit, and to push you to be better, and in a collaborative way, not in a, well at least for the most part, I mean there's definitely some out there who are kind of jerks about it, but for the most part ethical hackers come in and that's a collaborative thing. Like, hey, let's make this better. So a perfect example is to illustrate it like how we might do a project.

Someone might come in and, like, literally on a whiteboard have, like, this circle draws an arrow to this box and that's how the system works, and we're like, but the problem with that box is this, so what if the arrow instead went like that? And they're like, oh yeah, cool, let's do that instead, we haven't built it yet. Awesome. So now you just saved all the time, all the money, all the effort, but they hadn't been thinking about how they would attack it. They're thinking about how to build it. There was one company that we worked with a few years ago who were trying to do this really creative method for authentication, for how you actually log into things, and they were really trying to just completely change the model for how you would do it, and from a creativity standpoint it was cool, the idea was interesting, like, oh, let's approach the password problem differently. But the problem was the way that the system actually was designed, it made it so that it was relatively easy for an attacker to actually predict credentials.

So, like, a brute force attack became very, very viable, and they hadn't necessarily thought of it that way yet. It was designed to be like that, and so that's an example where you want someone to come in and look at it, be like, well, here's why you probably don't wanna do it like that, and if we can shift it in this way you won't spend many years and however many millions of dollars building a thing, you can do it right in the first place. - Actually, it's kind of interesting what you're saying, because I didn't ask you about the timeframe for bringing in hackers, but I think a lot of times people imagine it's, you know, after the fact, like the product is built, and, you know, maybe it hasn't shipped yet, and there certainly can be a lot of focus then, or even, you know, teams within companies trying to hack a product before it ships out.

But you're suggesting, you know, bringing in good hackers very early, even in the design process, to kind of anticipate things as the design is happening, like in partnership with the designers for utility, to come in and say, well, let's make sure you're also considering security threats and risks that are out there. - Every step of the process of building something has a correlating security action, and everyone should take that action. What you just described, where people will bring in security at the end, that's exceedingly common.

That happens all day, every day, where it's sort of like, oh we got the thing built, let's just make sure it's secure now. That's kind of like saying, well we got the car built, let's make sure the passenger's gonna survive. You're like, mm, maybe we should, in the engineering, and when we're actually specifying the vehicle, we should be thinking about what are the physics of a side impact look like. Those are the types of things, and the beauty of involving security earlier is it's both more effective and it's also less expensive, and that's the thing that people don't realize is they sort of assume, well, if I involved them earlier it's probably gonna cost me more, but actually, not only does the security effort itself cost less, like the actual dollars that you would pay to someone to help you, but the effort in remediation is astronomical. One of the things I talk about in the book, I actually looked at the data, our team looked at the data for what that means, and so we looked at, it was something like 10 years of data of, you know, projects that we've worked on and sort of compared and contrasted where they involved us and the difference in effort for remediation.

So let's say you had a design level flaw, like you, the issue is with the design, and it's not discovered until you're about to really deploy the thing, that, let's say, it took 10 hours to fix it, if you found it during the design stage, it now costs like 250 hours to fix it in deployment. So the delta was about 25 times, and you look at that and that's bonkers because you're already paying developers, engineers et cetera to build and iterate systems, so this cost doesn't actually show up on a profit and loss statement, but where it shows up is in the productivity loss because if you're now spending 25 times more effort on something than if you had just done that same activity earlier, it's kind of crazy, and the metaphor I always use to sort of think about this one is having a breakfast smoothie. Have a smoothie in the morning, right? And so you got your like, pea protein in there, you got your spinach water, cashew butter, whatever, and when you make the smoothie, you pour the smoothie out, you have two ways you can approach cleaning the blender.

You can do it now or you can do it later. If you do it now, it's easier, but most people are like, I'm busy. If you do it later, it's super hard. Like if you do it later, all those ingredients, they harden and they become like crystallized on the thing. You gotta disassemble it, you gotta scrub it, it's a nightmare, and you usually then have to do that when you're wanting to make your smoothie, right? But if you, right in that moment, you just put like a little bit of soap and a little bit of water, and you run the thing for like 10 seconds it literally cleans itself.

That's what it's like building security in earlier. The system won't secure itself, but the process will make it so, so, so much easier than if you do it later. - You started a podcast called Tech Done Different. What do you think of podcasting? Like, how has that been for you, being from sort of behind the scenes to, like, chatting with other people? Anything, like, awkward, unexpected, amazing? What kind of thoughts do you have on it? - What was cool about the process of writing the book was that I had this opportunity to interview all these people and, you know, ask them about, like, well, tell me about this challenge. Am I understanding this right? And then when that part of the book writing experience was complete, I was like, oh, I wanna fill this void, and that moment in time was also right in the middle of a raging pandemic, when people were, you know, staying away from each other, and so I'm like, well, maybe there's a way where I can both talk to people and still continue to foster connections with people while I'm not able to physically be together, and so then I thought about, well, what would be the format? What would be interesting? Where's there conversation that needs to be had? And so that was sort of the emphasis to it, and I've really, really enjoyed it because you get to, selfishly, here I am, I get to talk to all these smart people, and then every episode I'm like, here's a problem I have.

Can you give me advice on my problem? And that makes for a great episode, and I leave like, thanks for the consulting, and it's just, I love that, I think it's awesome. - I love that too. It's amazing all of the things that you're thinking about, partly because of the other people that you're talking to, and that you've spoken with on a similar topic, and then you can ask another person, and just, it's like this constant flow of, you know, building up of knowledge and information over time. It's very fun. Thank you, Ted.

Ted Harrington, who wrote the book Hackable, and Partner at the company ISE, and they started IoT Village, which is very cool. Go check it out if you haven't already. Thanks so much for joining today and helping us define good hacker.

- Thanks for having me, and if anyone has any follow-up questions or wants to reach out to me, you can just find me at tedharrington.com. - Very cool. Thanks, Ted. - [Narrator] Never miss an episode of What That Means with Camille by following us here on YouTube, or search for InTechnology wherever you get your podcasts.

- [Narrator 2] The views and opinions expressed are those of the guests and author and do not necessarily reflect the official policy or position of Intel Corporation.

2023-01-09
