Ethical hacker Brian Self visits Fraud Busting. We dive deep into how people have paid him to break into hospital and government systems both online and in person, and how you can strengthen your systems to avoid being a victim. He reveals how to become a hacker yourself and gives inside information on voting machine hacking in US elections. This one is juicy.
Bonus: Here’s Brian’s Info sheet— 7 steps to protect yourself and your company from hackers.
Traci Brown: Brian, thank you so much for coming on Fraud Busting. It’s so great to have you.
Brian Self: Finally, yes.
Traci Brown: It took a little convincing. It took a little bit of convincing. But you know, I knew it wouldn’t take too long because I know you. We’ve known each other for how long? Like 15 years maybe?
Brian Self: Yea, probably that long.
Traci Brown: Yea, yea.
Brian Self: A little bit longer, but I don’t want to age myself or yourself.
Traci Brown: Well, I’m still 29, so we met when we were . . . (Laughing).
Brian Self: I’m 21 plus or minus a lot.
Traci Brown: There you go. Alright. This is super interesting because I’ve never really dug into what you do. I know surface level, you’re an ethical hacker, and I’ve known just bits and pieces of what you’ve been doing. Let’s just dive in because we’re talking about fraud and all the ways that people can manage to steal money which is probably the biggest thing, but also time and energy. What do you do all day? Let’s talk about that, or maybe how you’re trained. I’ll let you take it however you want.
Brian Self: Well, what I do all day is I read about all the latest, greatest hacks and wonder, who has all the time to find all these? I mean, there are tons of different vulnerabilities, just different risks that are out there. I’m reading about those every day. I am bringing up systems, breaking them, taking them back down, testing them. I do that all the time. Believe it or not, I do that for fun. That’s kind of the weird thing. Yea. I’m one of those guys that likes to go in and know how things work. I do call myself a hacker, but I do want to define the word a little bit different than what the media defines it as.
Traci Brown: Yea. Let’s talk about that. Tell us your definition and then how that parlays into how you make money from that.
Brian Self: Sure. I define a hacker as somebody who is just curious. They want to know how things work. Years and years ago I came from MIT. With trains, they would hack on the trains to get them to work, solder different things, put different things together. That’s kind of where a hacker came from. I take it as this curiosity mindset. The media has a little bit different view. They’ve kind of run with it that a hacker is a bad guy. But really there’s good and bad. Hence, there is a white hat hacker and a black hat hacker.
Traci Brown: Yea, yea.
Brian Self: In westerns, you’ve got the white hat, that’s a good guy. The black hat’s the bad guy.
Traci Brown: Right.
Brian Self: It’s not as clear cut but that’s fundamentally where we come back to within security. Are you a white hat hacker, black hat, or there are those that are gray hat that are kind of in between. They do some mischievous things but try to do it for good too, so there are even the gray hats that are in the middle.
Traci Brown: Oh, wow. Okay. You’ve got the bad guys, the good guys, and the guys that kind of are on the fence sometimes. What do those guys do?
Brian Self: They do a little bit of everything. They’ll go through and do the vulnerability disclosures and they say, hey, I contacted this company and I found this thing and company x is fixing it. Well, they never really had permission to do that, so that’s a little bit of a gray area. The law says you really shouldn’t hack without permission, and that’s where I really come back to. Ethical hacking is doing what I do with permission. For your site, I don’t just go out to your site and start dabbling around to see what I can find. I would seek your permission first. We’d have some contracts in place so that I have my get out of jail free card so it is agreed that I can do these things legally, representing you and looking to see what I might be able to find, say on your website or if it’s a business network, that’s where it starts to make more sense for the scope too, is business wise. A healthcare organization would hire me to come in and test their security controls. We have firewalls. We have antivirus. We believe we’re safe and we’re secure. Nobody can get in. And then I guess a password in 10 minutes.
Traci Brown: Let’s talk about that. Let’s talk about guessing the password. Because that’s one thing. Remember we’ve had a conversation about this.
Brian Self: Several.
Traci Brown: I believe there was an executive who almost didn’t believe that you could do it. It was only exclusively for the bad guys, and then you guessed his password and that’s how you got the job. What does that really take to do that?
Brian Self: Well, there’s the wonder of social media. Take yourself as an example. There are certain things that you’re going to be interested in that you’re going to talk about on social media. I can farm those areas, looking for keywords and try those as passwords. A lot of people use their pet’s name, their daughter’s name. The CEO that you’re talking about, he used his daughter’s name with a special spelling, and he didn’t really care that I was able to get in, but when I told him it was also his brokerage account, he was more interested.
Traci Brown: Oh, damn.
Brian Self: That’s the biggest thing I want to encourage everyone to do is don’t share passwords. There’s this technique where we take credentials and we just spray them out all over. What we’re doing, the good guys and the bad guys, are taking these password dumps from like Yahoo, LinkedIn, Capital One, there have been so many of them.
Traci Brown: Marriott. Yep.
Brian Self: Marriott. Yea. That’s a huge amount. They’re taking all these usernames and passwords, and bad guys are putting them in the list and just spraying them around and seeing where they work. If you’re reusing passwords, they’re finding them. It’s not so much that like yourself or your listeners are specifically being targeted. It’s just scale. If I am the bad guy, I just want to spray these around and see where I can find stuff, and then from there I’ll go and figure out a way to monetize it. Because, as you already said, that’s really what organized crime is doing, they’re monetizing what they’re finding. The risk that they find, that’s what they’re doing. They’re figuring out ways to make money. A lot of my speaking, as you know, Traci, a lot of my speaking is to smaller groups that say, “Oh, we’re not targets.” Unfortunately, you’re just a number to those bad actors out there, the bad hackers. Like your mailing address, well, if I’m doing a direct mail scam, I don’t care who lives at 11123 Main Street. All I know is that’s another address to send something to. Computers are very similar. We have addresses and all they’re doing is just spraying around the addresses, and they find, oooh, there’s an easy way to get in. I’m going to go over there. It’s not so much that you’re being targeted individually, yet as soon as I say that, some bad guys will go, yea, they’re going to target me. Right. I want to be careful of that too because you don’t want to be a target. You don’t want to bring them in either. One friend of mine, he made a comment in a speech about how hackers were, and he inserted a word that starts with “L” and ends with “azy.”
Traci Brown: Oh.
Brian Self: A Twitter storm. He started getting denial of service attacks. Certain people pay attention and take certain things as challenges. If you wanted to DOS my site, it would go down in 30 seconds. No challenge there. If you want to try to hack other things of mine, well, yes, everybody has vulnerabilities. It’s a matter of how much effort, how much time people want to put in. That’s the idea too is to make your listeners feel that they’re not the low hanging fruit. To go back to passwords, yes, I know it’s a pain in the behind, but make sure every password is unique for every site that you have. Now, I have three or four hundred accounts, and so I use a thing called a password safe. There are lots of tools that are great for this. LastPass is one. 1Password is another. There are tons of tools out there. They’re great ways to store those passwords, so you never know, I don’t even know what half my passwords are. I just store it in this area and I just use it to paste it into the website, what have you. I’m not really knowing my passwords. I highly recommend using those and, of course, multifactor authentication. I think it’s twofactorauth.net. I can verify that (Yes, needs to be verified) and make sure you get the right url for it, but that website will show you if your services that you’re using on the internet pull out some other factor besides passwords.
Traci Brown: I have one of those. Check out what I got from my bank. Can you see it? It’s a fob and it changes every minute, this little code, and I can take it with me on the road, but I don’t. It’s only here in the office, so if I needed something on the road with my banking, I’d have to call Matt and get him to real time the code to me.
Brian Self: That’s off token. That’s considered a hard token. You can also have an RSA application that does the exact same thing, but it’s considered a soft token.
Traci Brown: Okay, wait. Let’s talk about this because I don’t know anything you just said.
Brian Self: Okay, good deal. We can break that down. What that device is, it’s considered a token. A token is just anything. It could be just a little secret key or secret handshake or something that just identifies you uniquely. For authentication, there are three different ways that people typically do it. I remember it with an acronym, HAK. It’s something you Have, something you Are, or something you Know. The key fob is something you have. That, because it’s physical, is considered a hard token. You can have that same idea just running on software on your phone or on your laptop, and it’s considered a soft token, but it’s still something you have. Then something you are, like a fingerprint or a faceprint, that’s another way that we authenticate in the phones too, and then something you know which is the worst possible one, and that’s a password. I recommend using a pass phrase. My favorite one is: I need to lose some weight with some special characters, upper case, lower case. I like using passwords that mean something to me or remind me of a goal, if I do want to lose weight. But the longer, the better for passwords, and if it’s long, but it’s something I can remember and it’s a sentence with spaces, great, great, because then I can remember it and it’s easy. Then I can just use that one to get in my password safe and remember all the others.
Traci Brown: Got it. Got it. Okay. Let’s back up a little bit. How did you get started in this ethical hacking thing? It’s not something you can really go to college for.
Brian Self: You can now.
Traci Brown: Oh, you can. Okay.
Brian Self: Not when I started. When I started, I was on the system administrator side. I was hands to keyboard, doing my best to maintain systems at a local, I live in Golden, so it’s a local brewery that I’m really not going to name, but you can probably guess which one it is.
Traci Brown: The local, the small little brewery in Golden.
Brian Self: Yea.
Traci Brown: Got it.
Brian Self: Where you take a sniff and you can smell the beer. Right.
Traci Brown: Yea, yea.
Brian Self: I used to work there. I was a system administrator working with Windows systems, a little bit with Unix, and then somebody came in one day and my boss told me, “Okay, we’re having an audit. So if somebody comes in and they want to use your machine, it’s okay. You can let them.” I’m like, “Yea, that’s funny, like somebody would want to use my machine.” I go back to my cube and there is somebody standing there waiting to use my machine. I’m like, “Really?” He’s a younger guy. I’m like, “Okay.” I’m being kind of arrogant because I’m kind of a young guy too. “So yea, what do you need?” He’s like, “I just want to use your machine, but I wanted to check with you before I did.” I’m like, “Yea, sure. Go ahead.” I know it’s locked. I know he can’t get into it. He sits down and he gets into it, and he logs in as me. He logs in with my password. He just kind of moves out of the way, and he slowly types in my password to make sure I’m watching. I’m just like, “Okay, you have my attention.” He starts to show me all kinds of things. “You kind of did this wrong here, so you need to secure this down. Oh, look at the permissions you have on these files.” I’m just like, “Who are you? What are you doing? Wait. This is my stuff. How do you know?” He just went through. For the next 15 minutes we were just geeks loving it because he was showing me all this stuff about the network. “Oh, watch this traffic and watch this.” I was hooked. He was an ethical hacker.
Traci Brown: Was he wearing a hoodie?
Brian Self: No hoodie.
Traci Brown: Oh.
Brian Self: No, he was not.
Traci Brown: I don’t know how legit this guy was. (Laughing).
Brian Self: Business process. I do have one behind me just in case for credibility sake.
Traci Brown: Oh, good. Yea. Yea. You’ve got to have that.
Brian Self: But that’s how I started. It was just the human awe of “wait, you can’t do that.” “Well, I just did.” “You can’t do that either.” “I just did.” But, but, but. And it’s all the rules that I had in place. I realized that a lot of those, I knew how to bypass them, but I just wouldn’t because you’re not supposed to. That’s what they would do. They would take those paths and show that people will do this. You need to secure this. You can’t just trust people to be good. A lot of security is kind of for show to make sure good people do what they’re supposed to do, right, keep the good people good.
Traci Brown: Well, there’s a lot of that. It doesn’t matter if it’s in person or online. When I would work with a lot of pro athletes, that’s why they had managers to manage their money. It was to keep the good people honest. It wasn’t so much keeping the bad people out. Let’s talk about this a little more. What is the toughest case you’ve worked on or the toughest contract that you’ve had? Has there ever been any group that’s hired you that you haven’t been able to break into?
Brian Self: Yes and no. One of the harder ones was a large major, major hospital chain back east. I had gotten in. I had actually gotten through, broke through different areas, but I remember I was on a specific machine and they had no security. I couldn’t find any security in place, so to me, it was like, whoo-hoo, I’ve got a playground. I can do whatever I want, and I started doing whatever I wanted, downloading some tools. It’s like, oh, I’m going to use this to get deeper, and a little notepad pops up and it says, “Please tell me you’re my pen tester.” That’s like, uh-oh. I’m like, “Yes.” I got very sheepish. I’m like, “Oh, I got caught.”
Traci Brown: You got caught by their staff.
Brian Self: Exactly.
Traci Brown: Breaking in.
Brian Self: I was like, “Yes, I am.” They’re like, “Okay, you need to call us.” I call them. They’re all laughing. They’re laughing so hard.
Traci Brown: Because they caught you.
Brian Self: Yea. Because they caught me and because I was being so boisterous. There was nothing watching me. Lo and behold, they had a different mechanism that wasn’t on the machine itself, but it was overseeing the network. These were virtual machines. It was actually a thing called the hypervisor which is kind of the brains for the virtual systems. That’s what was watching the computers, but I had no access to it. They could see what I was doing through their recording of all the different steps, and it’s like, okay, wow, you’re being pretty thorough because you did this, you did that, you did this, and I’m scanning them and doing all these things, thinking I have carte blanche, and that was one of the hardest ones because it’s like, no, there’s nothing here. I know I’m safe, and I’m not. For years I used to say the offensive side was easier because all I had to do was find one way in. But as I started to do more defensive stuff again, there are also some tricks through the offensive people. If they screw up once, the defenders can catch them. It’s very much a cat and mouse.
Traci Brown: Wow.
Brian Self: You make some wrong moves, the defender’s got you. But if the defender makes the wrong move, I’ve got them. Cat and mouse.
Traci Brown: If someone breaks into a hospital system, because you’ve heard of this, what’s the most lucrative thing they can do?
Brian Self: Well, right now it’s ransomware, unfortunately. If I go through your EMR system and I encrypt it, and I say, “Hey, great, you’re all back on paper until you pay me x amount of Bitcoin”, that’s how criminals are making money off of healthcare right now. Because they’re encrypting systems and then they hold the key and they’re like, “If you want your data back, you’re going to have to pay me.” That’s how they’re monetizing.
Traci Brown: And some of them are paying, aren’t they?
Brian Self: A lot of them are. And they’re also doing a thing called doxing which is they gather all this information and then if they don’t pay, and even if they do pay, they may just publish all this information out on the internet, so all the patient information, what’s called PHI, protected healthcare information, it gets published out there. They get to see I had an infection on my finger, and I had to go get whatever done or whatever, but usually it’s a lot worse type conditions and things like that, that you don’t want to have shared. A lot of different things I’ve done with hospitals are kind of scary.
Traci Brown: Like what? Let’s dive in. Let’s not hold it back, to the extent that you can. I don’t want to get you in trouble with your clients. What’s the scariest thing you’ve done in a medical system?
Brian Self: Well, played doctor.
Traci Brown: Nuh-uh!
Brian Self: Walk right in and “Hi, I’m Dr. So and So. Where is the patient Such and Such’s file?” “Oh, it’s over there.” “Okay, thanks.” Go over and get the file.
Traci Brown: You did that in person?
Brian Self: Oh yea.
Traci Brown: You impersonated a . . .
Brian Self: The security guy was hiding behind the wall saying, “You can’t do that.” I said, “Watch this.” Nurses want to help. Be it, nurses and doctors, their relationships, sometimes they’re good, sometimes they’re bad. A lot of times there is some animosity there, so they don’t want to deal with the doctors. It’s using social engineering, getting people to do things they otherwise wouldn’t do. That’s my simple definition for social engineering. Now, the social engineering dot.com guys, they’ll want to expand that. But I see it as being just that. I’m getting somebody to do something that they otherwise wouldn’t do via emails, phishing, or in person. In person, I tend to smile and people open doors. I like that, but I really hate testing it because I’m a nice guy, people smile, people help me, and then I have to write them up for helping me.
Traci Brown: Oh damn.
Brian Self: I don’t like doing that. At the same time, don’t hold doors. Question people. It’s okay to challenge people who come into secured facilities. They’re carrying a box and a little bit of a red face. It’s okay to ask them for ID. Yea, they might have to put that heavy box down. The times that I would carry flowers, and I would be talking about my fiancée. I would always find a couple ladies going back in, preferably if they’re older. I was talking about my fiancée and “Oh, how she’s great, brought her some flowers, oh, can you hold the door?” “Oh, of course, we can hold the door.” Now, I’m in the building. All kinds of different things like that. With hospitals, they care. They want to support you. They’re there to help you. It’s very weird for them to confront somebody and say, “Hey, why are you looking at that file?” A lot of them are uncomfortable with that because they’re there to help. They’re supporting us through all this pandemic that’s going on, right. My heart goes out for them. They’re working tons of hours and then here somebody like me sneaks up and takes a file, you know.
Traci Brown: Did they give you a doctor coat?
Brian Self: Nope.
Traci Brown: You just walked up and said you were a doctor?
Brian Self: Yep.
Traci Brown: What did you do then?
Brian Self: I just walked away with the file and gave it to the security guy.
Traci Brown: Oh, okay. You didn’t get into writing prescriptions or anything like that?
Brian Self: No, no. No, no. Not for these geeks.
Traci Brown: How much do you do that? I know you’ve done a little bit of that but mostly you’re a systems . . .
Brian Self: Oh, I’ve done that for years. Years of that. For a typical HIPAA assessment, I’ll look at that. HIPAA is the Health Insurance Portability and Accountability Act.
Traci Brown: Something like that. Yea.
Brian Self: It’s two A’s, not two P’s. HIPAA.
Traci Brown: (Laughing).
Brian Self: For medical, that’s really what they’re looking at. They do have some good regulations from HIPAA. They do have some requirements to follow. They have kind of a guide. That’s doing a lot of testing, going in and showing where you’re weak, where are you not meeting the minimums, where do you need to strengthen your controls, a lot of HIPAA assessments and testing, years and years of that as well. That’s the fun-ner stuff where I can hack from my PJ’s at home and get into computer systems who knows where, with permission, all agreed ahead of time, of course.
Traci Brown: Right, right. What’s the most surprising case you’ve worked on or a contract that you’ve had?
Brian Self: Well, when I was doing consulting to the government, I won’t name the bureau or the organization but I went to do a physical assessment and I walked around the back of the building and there were smokers in the back. That’s what I always want to find is where the smokers are at.
Traci Brown: Oh really?
Brian Self: Oh, yea, yea. Because the smokers, I don’t smoke, but if I light up a cigarette and start chatting with them, they’ll hold the door and I can go back in.
Traci Brown: Oh, man.
Brian Self: Smokers are kind of ostracized. I fit in with that ostracized group because I’m out there smoking with them, right. I’m one of the gang. They usually let me back in, so I always want to find the smokers. In this specific case, I found the smokers and there was a machine that was holding the door open so that they could get back in. I was like, okay, that’s kind of weird. It didn’t look like a desktop. It looked like more of a server type class machine.
Traci Brown: Wait. They were using a server to prop the door open?
Brian Self: It gets worse. Yea.
Traci Brown: Keep going. Okay, okay.
Brian Self: It was what’s called a domain controller, which is the main machine for a Microsoft Windows network or an active web group. That’s where you log into. That’s where it holds all the accounts, all the user information. That’s the machine that was holding the door open.
Traci Brown: Ooh.
Brian Self: They had two servers at this office. One was that, the domain control, and the other one was their file server. Since the domain controller was a little bit smaller, they would just wheel it out there and hold the door open. I could have just grabbed it and ran off with their entire active directory, which of course tied to the department which tied into others, easy peasy. That one was a shock. Because it’s like, wait, it isn’t supposed to be this easy.
Traci Brown: Wow.
Brian Self: Physical access. The rule in security is once you have physical access to something, you own it. It may take me a little bit of time, and yea, I may have forgotten the super secret strength to bypass passwords, I may have to google, but if I have physical access, it’s mine. Where there’s a will, there’s a way, and if you have physical access, you have a lot of time. It’s just your own persistence that stops you.
Traci Brown: So you could have just brought that whole thing home and had access to a whole government department, not only of personal info but all the records?
Brian Self: Well, all their usernames and passwords, which is all I need. From there, once I get a username and password, somebody will be a domain administrator, so then I can just jump to their account and then I have access to everything, every share that they have, everything that they’ve typed out, a domain administrator has access to that. I just go for that person’s account and pretend to be them and get to see everything.
Traci Brown: Oh, man.
Brian Self: The agent stuff, the payroll. Sure, sure, all kinds of fun stuff.
Traci Brown: Wow. Okay. Easiest case you’ve ever worked on?
Brian Self: One of my first ones. Another hospital. Not to pick on hospitals because there are some that are fantastic. Others are just small. They don’t have the staff, and I feel for them.
Traci Brown: A lot of them are just tiny and they’re failing out in the sticks.
Brian Self: Exactly. It’s tough to do security right. I mean, even for myself. But this specific organization, they’re like, “Okay, we’ve got three security guys. We’ve done everything. We’ve tightened this down. We’ve got all the firewall rules. We do pen tests every year and never get in. This will be probably the hardest one you ever do.” Blah, blah, blah. I’m like, “Okay, alright.” They’re like, “But, but, we really like you. If you want some hints or something, feel free to give us a call.”
Traci Brown: (Laughing). They offered to give you hints! Okay.
Brian Self: Yea. I was like, “That’s awesome. Thanks.” A lot of times it helps because for pen testing, a lot of times you narrow the scope down to here, but the vulnerability is right there. It’s like, well, the staff, they know that sometimes and they can say, no, we want this test. We want to show the executives that somebody can’t get in, so a lot of times they do coach and that helps because it gets more into the detail of the thing. I’m doing this for the customer, not to prove I can get in. I’m doing it for the customer. In this specific case, I sat down, I drafted my little secret hacking email which just has a signature file that has a picture, but the picture goes back to my server and my server says, “Oh, well Traci, I see you’re wanting to download some very important picture” which doesn’t exist, but that’s the second point. “But I see you’re trying to download this picture. Could you provide some sort of authentication for me? I need you to log in. Can you just give me your Microsoft username and password?” Your system goes, “Oh, well, sure, here you go. Here’s my username and here is my, what will eventually become your password.” It’s encrypted. It just sends that right over the wire to me. I drafted that email, sent it to him. He, of course, reads it because he’s like, “Oh, he probably already got in trouble.” He starts reading it. I see his username come up. I’m like, “Okay” and then there’s what will eventually become his password. Grab that, put it into a tool called a password hacker or a password cracker. It starts just chewing away. Password crackers are kind of unique. They’ll do brute forcing where they’ll guess every number. If you ever forgot a four-digit code, 1111, and you’re trying to guess it, 1112, 1113 . . .
Traci Brown: Right.
Brian Self: You’re going to be there a while, but that’s brute forcing. You’re trying every combination possible. That’s what this does for me. It’ll do every possible combination, upper case, lower case, special character, but it could take forever. The longer your password, the harder it is for me to crack. Long passwords are typically 15 characters. I don’t get popular after my talks usually.
Traci Brown: No. You’re totally unpopular.
Brian Self: Yea, 15-character unique passwords everywhere. It’s like, ugh. But in this specific case, they didn’t do that. I got it cracked in probably 10 minutes, maybe faster than that, probably like five minutes. Went and tested it. Boom, got in. Found another little way that I could jump over, boom, I actually, I own their whole system. The total time was under 10 minutes.
Traci Brown: Oh, wow.
Brian Self: I turn around and I call my point of contact and he just kind of laughs. He was like, “Oh, you’re stuck already. How can I help you?” I was like, “I’m not stuck.” He was like, “Why are you calling?” This was my lesson learned, and for any pen testers out there, don’t tell them you got in and how you did because as soon as I did, what did he do? He changed his password and he fixed the way that I got in. Right. But I told him, I said, “Well, I used the username and password to get in and then I created a domain admin account, a huge global type of admin account” and he’s like, “Oh, you did.” He was very quiet. I kind of hear the chair moving around.
Traci Brown: (Laughing).
Brian Self: Then I hear some curse words that I won’t repeat here. I’m like, oh he’s found my account. He’s like, “How did you do it? How did you do it?” I was like, “Well, your password is x.” He’s like, “Oh man. Okay.” Like you have a simple password. It was easy to crack. He was like, “How did you get it?” I explained to him and he went through and changed his password and disabled my account and forced me to find another way in.
Traci Brown: Right.
Brian Self: I did, but it took about an hour. I found another way in. That was the surprisingly easy one because there was such build up. Oh, you’re not going to get in here. Then, 10 minutes later I’m calling him, and he was pretty embarrassed.
Traci Brown: Oh man. Okay. Let’s get into the nuts and bolts of this, just quick here. I’m so curious. Let’s say I wanted to be like you. I wanted to break into a system. Of course, I would have permission, because that’s what we do. Where do you start? You open up your computer. Do you have special programs that you go into for this? Take me through a little step by step.
Brian Self: Hacking 101 is you find some sort of capture the flag exercise because you’re going to get tons of help. They’re called CTFs, capture the flag. Those are just little mini mock hack competitions. With CTFs, you’re going to get a lot of people who are the same level as you, advanced level, and you’re going to be learning so much from so many different people. When they go through the results, if they do a post mortem and they explain how you could have gotten in, there is so much that you can learn from that and there are so many of them out there.
Traci Brown: Are they online? Are they conferences? What are we . . . ?
Brian Self: Most of them are online. You can just google CTF and you’ll find a ton of them.
Traci Brown: Oh, okay.
Brian Self: Some are a little bit less trustworthy than others.
Traci Brown: Okay, okay.
Brian Self: SANS is great. They are an organization that is doing security or security setting.
Traci Brown: What is the name of that?
Brian Self: S-A-N-S.
Traci Brown: SANS. Yea. I’ve seen them.
Brian Self: Yep. They have hacking challenges and CTFs. I trust them. There are others. Offensive Security has CTFs. There are tons of them out there. They can be web based or they can be network based too. That’s a great way to learn because then as you’re learning a tool, say, take a tool like NMAP which used to stand for network mapper, originally network mapper, but everybody knows it as NMAP. NMAP is a tool that will go through and scan networks and look for open systems, open ports, different things that are out there. It’s a good way of just gathering an inventory of what I have to attack. Well, you’re not really supposed to use that on just other systems. If you have one computer, it gets kind of boring to just scan it over and over, so these CTFs, you can use these tools, like NMAP, and learn different switches. Okay, what does this do? What does that do? You can watch it with other tools as far as sending traffic over the network. There is an infinite amount of things that you can do. The biggest thing I recommend is a Linux distribution called Kali, all the tools preinstalled, and that is a great, quick toolkit for me. I just load it into a virtual machine and away I go, and I have all my tools, well most of them.
Traci Brown: Oh, wow. Okay.
Brian Self: It is pretty straightforward. Then there are a number of different books that I’d recommend too.
Traci Brown: Okay. What books? Just so we know.
Brian Self: One of my favorite ones is The Hacker Playbook. It’s in version three now. That walks through, so you want to be a pen tester? In The Hacker Playbook, it says, okay, load this on your machine, make sure that you change this in this way, customize this in this way, update this for this. After you run through the book, it’s written like a football analogy, here’s the long bomb where you’re going to score the touchdown, but it’s less likely to happen. Here are these short yardage things where it’s always going to work, but you just have to keep doing it. It’s written very well. It sets up your machine and then it has you start to go through and use the tools. It’s a great book, and it’s written more as a reference. Then there’s the Red Team Field Manual, which is another great one. That’s where, if I can’t remember a command line for a certain tool, that one is awesome because it has all of those just in shortcut form. It’s not really a book you read. It’s a reference. Then there’s also a Blue Team Field Manual too, but I haven’t been doing too much blue team stuff. Blue team, defenders. Red team, typically the aggressive, offensive guys.
Traci Brown: Oh, wow. Okay, okay.
Brian Self: The hackers you do know will be groaning as I say that, but the 10-cent version or definition, so we’ll go with that.
Traci Brown: Okay, okay. I had a great question. Yea, I did. You got me sucked into this red team, blue team thing.
Brian Self: Just to make it different. You’ve got purple too. We would do purple team assessments where we would have an engineer that usually does the attacking, same with the blue team, and say, okay, I know Brandon over here. I know he’s going to be doing one, two, and three, so pull up this tool and see if you can find him as he’s doing those scans. That’s what the purple team is. You’re kind of working with the blue team to catch the red team. The defenders, they’re like, “Oh, no, no, you can’t do that.” It’s like, “No, and he just did.”
Traci Brown: Oh my gosh.
Brian Self: A lot of it, from a defender’s perspective, you just don’t know what you don’t know.
Traci Brown: Right, right.
Brian Self: Purple teams are fantastic for that because you can really sit with them and say, “Okay, I just ran this tool. You see all that garbage traffic? This time it’s legit.” Nine times out of 10 it’s just garbage. This time it’s real because it’s coming from me and it’s a pointed attack. They get to see it in real time. It changes how they look at things. So there is a purple team too.
Traci Brown: Okay. Oh, wow. I have to ask this because we have the election coming up. Voting machines. You’re smiling. I hardly had to say it. What do you know about hacking voting machines? Here’s what I’ve heard. At some of these conferences, they’re bringing the voting machines in, all the different kinds of them, and going through with a fine-tooth comb how to hack these things, and it’s supposed to be pretty easy. What do you know? I think we could really dive into this for a whole separate podcast if we wanted to. What’s the reality of being hacked? Is it really affecting the results of the election? There are foreign countries. Tell me what you know.
Brian Self: Really with voting machines, I get concerned because somebody, somewhere is writing the software. The software is meant to work, not to be secure. Not to fault developers. That’s what they’re getting paid for. They’re getting paid to get software out there as soon as possible, and we work and live in a very competitive environment. If I’m slow to get to the market, I could really cause a negative impact on my business. Developers are incentivized to get code out as soon as possible, not secure code. That speed to market has a cost. There is always going to be some vulnerability. It may be very hard to exploit, a very low risk, but there is always going to be some sort of a vulnerability. I do know some great developers that do very, very good with their code. The majority, you have to get it out there so fast, and you do the best you can with what you know. Fundamentally, these voting machines are running software that somebody’s written, like for Iowa where they had this little app.
Traci Brown: Oh, the app, right, in Iowa. Yea, yea.
Brian Self: Somebody wrote this app really quickly.
Traci Brown: For their primaries.
Brian Self: But it wasn’t secure, and it was somebody who had to get this out the door extremely quickly. They used vulnerable libraries, vulnerable code. They didn’t know any better. Again, what we don’t know can hurt us. That’s the case with security and with voting machines. Years ago, there was one big company that wouldn’t let anybody look at the source code, wouldn’t let anybody look at these because of the DMCA or whatever protections they were hiding behind, because it was filled full of holes. It was Swiss cheese. Whether or not they knew that was a different story. I’m still kind of remembering that, and I don’t trust it. Inherently, if there’s a computer there that I’m supposed to trust, I want some sort of proof. I want some sort of assurance that I can trust it, and I don’t feel that way with voting machines. I don’t know who controls them. I don’t know what their motivation is or isn’t. I’m kind of an old-fashioned go back to paper guy as far as elections.
Traci Brown: I was wondering because there is this big rift right now about whether paper voting is more secure or less secure. It’s very politicized. My husband and I, we love mail-in voting, but I don’t trust . . . Those envelopes are pretty easy to spot, right, and so what we do is fill it out on paper and take it down to the courthouse and they have this big mailbox kind of thing out in front. It’s not a mailbox but it’s a voting ballot collection box. We put them in there. In your mind, because we’ve got Russia, we’ve got Ukraine, we’ve got a lot of people that are taking some pretty big efforts to affect our election, whether it’s fake news, whether it’s out and out packing the system. What is your idea on what is safer? Is it mail? Is it the voting machines?
Brian Self: Yes, yes, and no, I guess, or no, no, and yes.
Traci Brown: (Laughing).
Brian Self: Really, it comes down to risk. Even where my preference is, to go back to paper, as soon as they see it, there are risks with paper.
Traci Brown: Sure.
Brian Self: Because who’s controlling the paper? I’m giving it to the bad nefarious agent who’s outside collecting them. It’s official because he’s got a badge. I’m handing it to him and I’m thinking I’m safe, but it’s really the bad guy. There are all kinds of different ways to attack different systems and that’s where it comes back to. What’s the real attacker? What’s the real risk? What’s the impact if it does happen? Computer systems, just because I work with them, I tend to be more paranoid of a computer system. But yet, people are fundamentally the issue here, even for social engineering. If I can convince you to click on a link. During Christmas, your Amazon package is going to be delivered back to the store, click this link, people are going to click that link. People are the weakest link. That’s what I would be attacking for the entire voting aspect. It’s attacking the people aspect, be it social engineering, be it getting votes that are sent to different precincts than can be counted. There are all kinds of different attack mechanisms that could be possible there. Is it safer one way or another? It depends what kind of controls are in place and who ultimately is overseeing those controls too. Like the Iowa thing, they were moving so quick that they didn’t test it. Had they tested it, maybe a different outcome, maybe it minimized the impact. It’s a tough one because as soon as I say it’s one thing, there are so many attack vectors there.
Traci Brown: Do you think that there’s enough, taking the fake news out, right, and just the general public opinion, do you think there is enough interference in the way that we vote now, either social engineering-wise or just out and out taking control of a voting box, is there enough to swing the election, given that we have the electoral college and the whole thing, what is the bottom line here? You’re the man with the answer. What do you think?
Brian Self: There are very intelligent people that know how to game any system. That is what a lot of us spend our lives doing, learning how systems work to make them do other things. There are a lot of nefarious people that are wanting those systems to break and not function. Yes, it’s possible. Yes, I do believe no matter what we do there will be influence felt. It’s too easy for me to sit in a basement, packing up my Mountain Dew and just hacking away on a keyboard, and affecting things that I never could before. My reach as just a single person is huge. It’s altered the entire world. Amplify that by a nation state that has unlimited funding, and it’s not painting a pretty picture. Then we have bipartisan politics where this points to that, this person did that, we can’t do that, we don’t have our best in mind. We’re fighting for our limited belief structures, saying oh, no, no, I have this lever in front of my name so that means this. Well, not always. I think until we can stop the bipartisan and come back to the United States, that of divided states, which that’s a tactic, that is a propaganda tactic that has been popularized by a foreign country. That’s what they do is they divide and conquer. They’ve done that very well here via social media, via oh my goodness, if you do this, it causes that. It’s like, there’s no correlation there. Massive amounts of people are believing x and y = z when there is correlation.
Traci Brown: No correlation, right. Wow. Well, we heard it here. We heard it here from the hacker about voting machine problems. Okay, Brian, what’s one last thing, if you could leave people with a message about how to protect themselves, what would it be?
Brian Self: Passwords.
Traci Brown: Passwords.
Brian Self: Make sure you’re using long passwords and don’t share them. The little computers that we have here, oh you can’t see it.
Traci Brown: Your phone. There it is. Yea.
Brian Self: Don’t just hand that to somebody. Somebody comes up and says, “Hey Traci, can I borrow your phone real quick?” “No. I’m sorry, I don’t do that.” Don’t unlock your phone for people. Use some sort of password on your phone. These computers are insanely powerful. They have our whole lives on them. Playing into your bank account and I don’t have to authenticate. All you need to do is type in a code or you don’t have a code. Use passwords. Lock people out of things. Realize that bad people will do bad things. It’s not that they’re targeting you or your listeners. It’s just bad people do bad things. There are people out there that just want to set the world on fire and watch it burn. I’m not one of those. I want to put out the fire and I want to find out who did it and educate them. Well, more than educate, but yea. That’s where I come from. I want to help others so that the fire doesn’t start. Right now, we have these powerfully insane computers, laptops, iPads, and so many people leave them open. I see people, when I was traveling in airports, they just leave their devices and get up and walk away. I’m sitting there going, um, um, um. I have no idea why you would do that. Trust, but verify, but maybe not even trust at first, maybe have somebody show you that it’s worthwhile. But like sharing your phone, don’t ever do that.
Traci Brown: Right. Yea, simple little things that we take for granted of being nice. We want to be nice, but maybe we can be classy and not give everything away. Right.
Brian Self: Yes, exactly.
Traci Brown: I think we can do that. You’ve been a big help. Thank you so much for coming on the show. It’s been great to have this kind of chat with you.
Brian Self: A lot of geek speak. If your listeners need translations, let me know. I’m more than happy to translate all those terms.
Traci Brown: Oh, right. Now, how can people find you? Let’s talk about that. This is your chance for a little commercial. If people want to hire you, either to break into their systems or to speak, because you’re a great speaker, how can they find you?
Brian Self: Really my website’s going to be the best one. It’s BrianSelfSpeaks.com. That has all my contact information on there, email, I have everything. That’d be the best place to go. If you want to watch any videos, you can do that too. I’ve got a few videos on there, mostly me griping about passwords and use multifactor authentication everywhere you can.
Traci Brown: Right.
Brian Self: Some other second factor, you’ll lower your risk significantly, even if it is text messaging. But there’s an attack for that too.
Traci Brown: Of course, there is. Yea. Alright, thank you so much Brian.