Hey, hello everybody, and welcome to Batchy Talk. I am Andrew, the security guy, and Gordo the Texar is busy, so he's not here today. Angus went with him, but I got a great guest for you, Mr. Rodney Thayer is here, security analyst, security expert, all things security, and we're going to talk a lot about penetration testing today, and some of the, maybe more behind the scenes things that you don't know, so stick around for this. Rodney, thanks for coming, brother. I appreciate you coming in on a short lease there. So I know you've been on before, but go ahead and give our guests a little bit of your background, kind of where you grew up and some of that stuff. So we grew up in Massachusetts. Sorry. Been doing, hey, you know, I moved to California, so you know, I don't do snow no more. So been doing computer stuff for decades, starting since the 70s. Did you have computers then? Yeah, they only had zeros, we had to pound them flat with rocks to make ones. That's kind of the way it worked. So I've been doing software development and networking, and then got into encryption, and then from there got into doing security stuff. And you know, there's something in the water in Massachusetts, something about the Redcoats in 1776 and all that. So it turns out I'm really good at thinking like a bad guy, so I get on the computer security, cybersecurity side of things. Okay. And so you've been out to Hawaii before, done some work out here as well. I know we've got a project now, which is fun. All right. Well, we wanted to get into for our audience today, really into penetration testing. And this is a piece that sounds maybe meaner than it is, but it's really a tool to help people understand what they've got, what their attack surface is. And there's some components to what's called the cyber kill chain. And I thought we'd just sort of walk through that and let Rodney sort of give you the what that piece is about and what happens in that space. 
So we tend to start with what's called reconnaissance. You know, hackers don't just show up and start doing things. They're smart and they like to look and see what's available. So in your perspective, what goes on in that reconnaissance phase? You know, what are you looking at for a client? So this is all in cyberspace. So we're doing things looking at networks and websites and email and things like that. But you do the equivalent thing you would do in the real world, meatspace as the hackers would say. So you go around and look for places where there are weaknesses, chinks in the armor. You know, if you were a bad guy walking down the street in the middle of the night, through a row of shops, you check all the door knobs, see if somebody left the door unlocked. So you do things like that, try to figure out through something that was unsecured or something that was in the internet case, is there something misconfigured? Because if they got one thing wrong, if they screwed up how they set up their website for one thing, they may also have other things configured wrong. And you can therefore, you can start to identify weaknesses and things. So in the reconnaissance phase, you probably wouldn't attack, but you maybe would just begin to formulate the types of attacks you were going to do. You would kind of, you know, decide which ones or decide what you'd have to go back and do some homework on. And certain cases. There's homework. Hacker homework. Yes. Yes. Hackers like everybody else use Google. So, you know, if I walk by and there's a sticker on some object in the lobby that has some funny word in it, I'll go Google the word and that might be the vendor name. And, you know, the vendor might very proudly publish their manual online, complete with the default passwords for the gear. So, you know, if it's, you know, Billy Bob's Wiggy Bob, I'd go look that up online and find the default passwords. 
And so then I could have armed with that information to go back and try to use that for the attack. I see. Yeah. A lot of times they'll give you like password length or type. And so, you kind of know what you have to do if you're going to brute force it or something. And again, this goes back to the, you're kind of doing recon time things. If you, if you find people using four character passwords, then they've got weak passwords. So you can kind of, you now know that there, there are things about their design of the system or at least the way it was deployed that might be issues. So reconnaissance reveals a lot. So, so what you've done this reconnaissance, the next phase in the kill chain is this intrusion portion. And what does that look like? Are we trying to go deep at this point or? At that point, what you're trying to do is get inside the network that you're trying to attack or the infrastructure is a sort of a better way to look at it. You know, these days, there's many, many networks in like inside a building or in a bank or any kind of organization. So you're trying to get inside the network somewhere so that you have a toehold and probably do more attacks from that. Oh, so get in there and then you're going to maybe hat out or plant something. Right, or plant something or use that as a place where you can, you can reach even further inside the infrastructure. And would this always be like done from behind the keyboard remotely or would you possibly have entered a facility in this intrusion phase? Going into the facility, that would require work, dude. You stay home and do this in your pajamas. You do this from the nearest Starbucks, you know, preferably with your favorite, you know, Frappuccino. Okay. So the, because everything's connected on the internet, it's often done not physically at the location. Okay. So you, but you have to be connected to things through the internet. 
And, you know, the internet isn't like, you know, I didn't have to swim here from California, but I did have to ride in an airplane for five hours. Sure. But, you know, you're only like a hundred milliseconds away if I've been trying to do it through the network. Yeah, internet. So you could be anywhere and get a great distance. And so, but what's our intrusions done and we've gotten this toehold or we've, we've opened a door that we can get in and out of pretty readily. This exploitation phase is what they talk about next in the kill chain. So what, what am I going to do then, you know, when I, when I start to exploit this, this, these vulnerabilities, I guess that I've found. Yeah. Well, you, between the recon and the, and the initial penetration into the, into the site, you'd go identify what kind of targets are, are most likely either the ones that are easiest to go after, or the ones that are the highest value. Okay. So you end up doing sort of a triage kind of thing. And again, these are hackers. So the triage, it's not like the military where we do a calculation on all this. It's, it can be something like, you know, I'm bored, I want to go to dinner, or I'm only going to do the quick ones. So you can have some kinds of attention span issues of the hackers sometimes. And the fact they're sloppy like that actually is good because you can, they'll cut corners and then you can identify things are happening. You get more of a, you know, the good guys who are trying to defend things can get, get some information out of that, get a little bit of signal. Ah. So in the exploitation phase, it's maybe they're a little more vulnerable to being caught or a little more vulnerable to revealing that they're there and you may, you may find them in this phase. So, so I'm in, I've found some, some, some stuff I want to get. I found some exploitable material. Maybe I can sell this information or whatever's. The next thing we talk about in the kill chain is privilege escalation. 
So what am I going to try to do there? So if you, first thing you're doing is looking for information, get with relatively little effort. Okay. Like if you're in a Windows environment, if somebody forgot and set up a file share with a bunch of documents in it, which isn't protected, but one of the documents is all the passwords in the firewalls. Okay. And believe it or not, people do things like this. So you would go look for any information or weaknesses you can use to change from being a regular user into some sort of privilege user or users on other kinds of systems. So like if you're in a bank, you know, you'd get into the ATM and then you try to get past the ATM to get into the good machine in the back room that can transfer millions of dollars. I see. So you're trying to, trying to increase your privilege within the customer, the victim's network. So like they call it's like a super user or an admin or administrative user or something like that. So if you see a bumper sticker in a car that says got root, you should be worried. Is that right? That's not the guy you want roaming your neighborhood and jumping on your Wi-Fi network. Right. Is, is this worth spending time on? I mean, if someone in certain environments, is it more valid? Because if you've, but you're past the exploitation, you're kind of available to be in caught. So would you spend a lot of time trying to escalate yourself? Can you hide yourself once you do that? Well, you try to do whatever the easy targets are. Again, you're trying to do triage stuff. Depending on what the adversary is going after and how valuable the target is, they may set up so they can take their time doing it. 
So like if you're going after a big retail operation and you think you can get your hands on millions and millions of credit cards, it would be worth taking the time to set up, set up some exploits, try to set up some back doors that you can get back in later because they may or may not be able to detect that kind of stuff. I see. So then, and then, you know, if you can get that thing set up so you can take your time, that would do that. So what does it look like, you know, from the keyboard perspective to this hacker as he's moving around? Is he adept at, at knowing where he is, at seeing other machines and what type of operating systems they have and things like that? Are there tools that he's using? There's tools that are using the most specific machines and you end up with specialties. It's, you know, it's, it's like a lot of other things. They're specialists. So they're, you know, they're Mac hackers and Android hackers and Windows hackers and Linux hackers. So do they team up if I'm hacking? I need a, I need a Unix guy. I just called my buddy Unix and said, hey, can you help me hack this thing? Well, they'll also team up in specialties. So like I do the recon thing and the initial access because with my engineering background, I can see the weaknesses more than some 20 year old punk who actually is good at writing exploits because, you know, they'll stay up all night and write the code and I've read a sleep. Okay. So you end up with specialty combination teams. Interesting. Interesting. And so I guess that brings us to this next phase of the kill chain is we're talking about the lateral movement. So, so I've gotten in the network. I've maybe taken some stuff that helps me learn more about the network. I've escalated some of my privileges and now I need, now I want to move around. 
And as this shows, you know, they, I know they talked about, I think, target how they initially got into a POS vendor, got them in a system and they were able to move out throughout the entire like credit card system, things like that. So is that lateral movement or are we moving anywhere that I can get to? So, well, they look around to see what's available for targets. Okay. And no pun intended. And so they, you would find, you would be things you've been trying to look for, like you might be looking for credit card data or you might be looking for financial information. Or if you're in a hospital, you're trying to find the, you know, combination codes to the drug closet or something. Okay. Or healthcare records or whatever you can sell. Yeah, but you're also, you're trying to monetize the experience probably. So if you're in a retailer and you find the drug closet combination, you'll probably grab a copy of that so you can sell that tool. I see. So you, you know, people, people will have sort of collateral stuff that they would steal. And the lateral thing is that, yeah, they move around between different kinds of systems. So like in the target case that we're going after the vendor who sold them air conditioning equipment. Right. And they move from that to the, to the corporate network. And they move from that to the cash register and POS system. POS networks. Yeah, yeah. It was an HVAC vendor. Yeah, they brought them in the door. So would you, would you try to jump on another vendor? Say if you're in there and you see a guy plug in and he doesn't know what he's doing and you can jump on him and go out the door with him to someplace else? Yeah, yeah. Okay. Or if you, or for example, if you find vendors who, you know, if people in there have people in their supply chain who are a little sloppy about installing equipment, if you catch them using default credentials at one job site, you know, you might actually follow that vendor's trucks around the city. 
And, you know, when they pull into the next bank, they're doing the firewall install for you. They probably be sloppy there too. I see. Okay. So you can profile the victims and sort of see if they have patterns that you can use repeatedly. The next piece of the kill chain is called obfuscation. And so this is just trying to not be found. So you're staying there. You don't want to be found? Or maybe you've left and you still don't want to be found? What do these tracks look like? So you do things like you would make sure there's no logs left behind. If you log in, you delete all the logs or something. You'd make sure that as little as possible, there's little information is possible of anything you attempted to log into. So this is why when we give security advice, we want to make sure people have enough instrumentation in their network so they know about failed login attacks. I see. So, you know. So this is when you were trying different passwords and it didn't work. That should show up. That should show up. That should come up with an error and that should be logged somewhere. Okay. And is it a common practice for network administrators to alarm on that kind of thing so that they see that behavior in their network? Or is it the kind of thing that's easy to get? It's not common enough. It's getting better. I see. Used to be people would never log these things because they would just get continuous alarms from normal users, you know, mistype the password once kind of things. So the false alarm rate used to be the issue. Nowadays, you can get more and more sophisticated equipment so it can help you deal with the false alarm. So, you know, when you try to log in your bank account once and type the password wrong, yeah, whatever. When they see me log in 72 times from Hawaii to my California bank account. Within two seconds. Within two seconds. Because it's a machine doing that. Yeah. They would decide that was an odd behavior and there's equipment that would flag that. 
And then you're trying to make sure that whoever has to look at these alarms has a reasonable alarm data to look at. They're not having to look at false alarms. Sure. Okay. It's not just, you know, when a mango falls off a tree and makes the fence light up. And so we're, so we've gotten in, we've hidden ourselves, we deleted the fact that we're there. Presumably they could maybe figure out who you were, forensic investigator could follow the data about you backwards. And if you weren't doing it at Starbucks, if you were dumb enough to do it at home, for example, maybe they could come knocking on your door. Yes. If you were, if you're silly enough to do attacks from your home network, yes, then some people occasionally do that. Yeah. You know, it's like any other kind of environment where there's bad guys, you know, some of the bad guys are pretty dumb. Sure. But yeah, they would be able to track you back to the addresses. There's a lot of techniques to hide where you are on the internet. Sure. You know, being in the Starbucks is in fact probably pretty good hiding. If it's like five states over, not the one up the street. Well, if it's five states over and they don't find you for a month, then that Starbucks, whatever logging they've got in that probably has been flushed out. It's gone. Okay. That kind of thing. So, so what's your hidden now? The next, the next piece of the kill chain is this denial of service that they talk about. So where resources have become unavailable for like a legitimate user. And so what's the idea there? Because it seems like there'd be notification that something's wrong. Well, so the causing the denial of service by itself can have value if you're the bad guy. Oh, I see. Or maybe someone's paying you to turn. Maybe someone's paying you. Maybe you're trying to hassle a company that has operators who get book orders on the phone. Okay. So, you know, you go shut down the phone system. 
So the competitor would pay you to shut down the phone system. So that company would lose money. So just the act of having the lost resources can be the target. The other thing is if you have denial of service, then you've got, you know, you're in the middle of a storm, everything's dark and you can then go after things and people wouldn't see it. So if there's a denial of service and I'm causing failed login attempts, they're not going to notice those in the middle of the millions of other kinds of errors. Got you. So we're talking about the cyber kill chain right now with Rodney Thayer and we're going to take a short break. We'll be right back. Hey, welcome back to Batchitalk, Andrew, the security guy. I'm sorry, Gordo is not here. Angus isn't here, but Mr. Rodney Thayer is. We are talking about penetration testing. We've been chasing the cyber kill chain down, reconnaissance, intrusion, exploitation, privilege escalation, lateral movement, obfuscation, denial of service, and finally exfiltration, sort of the jackpot of the hacker world when they're doing what, taking all the goods home. 
This is the Ocean's Eleven scenario. We've got all the gold out of the basement. Now we've got to put it in the pickup truck and get away with it. So exfiltration, this is where, you know, the bad news is we're all copying military terms and everybody knows what they mean now. So exfiltration is the opposite of infiltration. So it's when you've got something on the inside and you've got to sneak it out the door. So like you're trying to get all the credit card numbers and take them back outside the network or steal the company's trade secrets. And I guess you could still get caught at that point. You could still get caught. So all this work you've done now, you know, you're vulnerable on the way out the door. So you combine all these skills together. So you want to make sure you cover your tracks as much as possible or leave as much damage as possible so they're too busy cleaning it up. Wow. So the penetration test is designed to sort of detect these opportunities in the kill chain inside of place. So a white-hat hacker like yourself goes into an organization and do you kind of go through these steps, kind of mimic these steps? You do a combination of going through these steps and for each step of the process identifying where the network you're looking at, where it might have some weakness that these things might apply. So you might just actually just run around the kill chain and do the whole thing. You might just do recon. And the idea is to try to find the information that would be helpful to the people who own the network to actually defend it. Define loose ends. So maybe you give them a report back just after the recon piece and say, hey, this is some stuff I found. I could do this or that. So that's the thing about being a white-hat hacker and you're working for the organization that's trying to defend. So you might do the recon and then go back and talk to the network group and say, hey folks, we found XYZ kind of a problem on this server. 
And you'd be a reasonable person about it. They may actually turn to their team and say, look, we've got 52 servers like that. Let's go check all of them. Wow. So you're trying to help people improve their defenses and be able to, be able to have a better chance of surviving the next attack. Yeah, because the attacks don't stop. That's for sure. So can you share? I know you do a lot of government. I know you do a lot of things you can't talk about. Can you give us some examples of organizations that you've engaged in that you found stuff just really bad or really good or what type? Give us a couple of juicy bits. Let's see, juicy bits. So it's 2017 and we've been doing things like pen testing for 15 years, 20 years, depending on how you want to measure it. So there's a lot of this stuff that it's kind of shocking. It still happens. People still use short passwords. You can buy a Raspberry Pi for $35 and run a program on it that can crack four-digit passwords if they were all numbers in like two minutes. So it doesn't require giant supercomputers anymore. So hacking's easier? Hacking's easier. So you don't have to be perhaps as gifted as yourself. Right. So the technology of doing hacking has been around for a while and it's evolving. And some of these tools can be used for good and bad. It's the same thing as anything else. If I take a paperclip and I straighten it out and I use it to pop the CD-ROM out of your old-fashioned PC with a CD in it, right? It's like then I'm your tech and I'm helping you. If I take the same paperclip, stick it in the lock, try to fiddle the pins and all that, then I'm doing the lockpick. So it depends on how you use it. The tool has multiple uses. The tool has multiple uses, yes. But the tools are getting more and more sophisticated. So they can do that. They can also automate the whole process. The recon, find things, penetrate, lateral, all that kind of stuff. So this is a piece of software that you can eat yet? 
It's a piece of software. You can buy these things, sometimes get them for free. And so you don't have to be that competent to run these things. Wow. So I've seen examples on the dark web of guys selling some malware services and DDoS as a service and things like that. So these attacks are automated. Yeah, so what you need is a bad attitude and a credit card. Or maybe it's a Bitcoin if you're buying it. And you can hurt the world or hurt somebody that you... So kind of things I found, a bad finding, short passwords. There's a lot of tools that can break weak encryption. It used to be, in the late 90s, we would talk about how encryption algorithms were really hard to break and you need millions and millions of computers and nobody could do it. And nowadays, with Google and Amazon and all these other things, people talk about things like 20,000 cores being available at one time, a core being one computer. And so you can get massive computing power. And so things we used to think were easy, were difficult problems that would protect us, that difficult computing situations that would protect us, they're not so difficult anymore. So that's what people are getting more and more sensitive to using strong encryption. I see. And you'll notice like the browsers are getting more, I call it militant, but the browsers are getting more and more active at giving you warnings when you're using weak hash algorithms. If you don't get the lock, if you're not using TLS, there's no encryption on your website when you go there. And you'll get lots of warnings and pop-up warnings and things. So yeah, hopefully there are clear messages for end users to use. The other thing that goes on to this day is that some of the error messages are really arcane. So people will call me up and say, this dialogue box said, this sentence, what does that mean? And you can't tell. You trust it, right? If I get messages like that, I don't believe any of it. That's part of it. Close it, I'll turn it off. 
Whatever's happening there, I don't need it. Right, all those wonderful things you can do with a browser to render different things, animation, all this other stuff. Yes, that's just like that's another tool you can use maliciously. Yeah, I don't know if our user basically understands that you can embed malware in an image. You can embed code into videos. So in modern times, we don't just have static information like a picture. It's not just a picture. It's a bunch of bits and there may actually be programs or other kinds of information attached to it. Word documents is another example. People will attach macros to these things. And this is trying to help people do work. So you might have extremely complicated macros in a spreadsheet you're using to talk to your accountant, calculating profits, all sorts of things like that. The same sort of mechanisms can be potentially used maliciously. I see. So and then delivered to you via your email inbox or by some link or something. Somebody gave you a USB file that you plugged in. Oh, never do that. Yeah, never do that. So do you find a lot of open networks that are people disabling USB in the world you see or is it still just a problem, really? No. I collect stories about how the, oh yes, it's a secure network. Right up till the day they call me to, you know, march me into the command center to help take the virus off their computer they're using in their air traffic control system or something. It came in via USB. Came in via somebody with USB. Okay. Wow. So what else have you been working on? I mean, so we've seen a lot of, I mean, healthcare has been attacked really badly. The financial sector obviously stays under constant attack. What's your experience in those markets? Have you been called in on some of these? Yeah. The beginning is that they're all running the standard kind of computers. So they've got to go through, they have all the same challenges everybody else has. 
So people running a bank have to worry about things like are their windows machines patched and do they have proper firewalls and other kinds of issues like if there are people with cell phones, are they using them to share data over the public network that they shouldn't be. So we get those kinds of things in the most sensitive of institutions. Wow. Yeah. And you know, we sort of saw, you know, some of what you mentioned, I know we were on the call with Jay Fidel for Think Tech on Monday talking about WannaCrypt, which, you know, really just people just didn't patch their stuff or they used old un-patchable stuff. You know, is that common? Do you see a lot of people with older, firmer, I mean, businesses try to, you know, extend their investment, right? Is what they would say. Well, they try to extend their investment. The other thing is that they're more and more their business is relying on networking or internet access. So, you know, people have a storefront on the internet. They may actually still have a physical storefront, but that's getting pretty rare. So their whole business is running through the internet. And the good part of it is that all of the back end services, insurance, bookkeeping, you know, compliance rules, all this stuff is looking at that more and more. So they're more and more business drivers to do things securely. Also, people are realizing if you screw it up, it's a big deal. So it's now getting to the point where, you know, if your network gets hacked, you know, the board of directors might get sued. So, you know, now the big bosses, you know, potentially personally at risk if there were an issue. So they think about the risk. Is that swinging some of the calls that you get, you know, the opportunities you get invited into now? Is it coming from the board instead of the IT department? We get to use four letter words to start with R. It's called risk. Yes. 
And yes, it doesn't matter how technical or non-technical the CEO is, when you start talking about the risk issues, they will probably listen. And that's getting better and better. People are learning that that's important and there's more and more attention being paid to this. Yeah. Do you think that we're prone to, you know, like just as, let's just say, rampant of hacking opportunities as WannaCrypt was, do you think there's still more of that to come for the industry that's not prepared? Yeah. And do you think patches will help or do you think there will be, because this was an attack against older systems and unpatched systems, do you think? WannaCrypt was catching people with bad habits, having bad habits and using old equipment. So, you know, whether or not you have hackers to worry about, you should be doing backups of your information. And this is, you know, I live in California. It's the same story as ever was, you know, there might be an earthquake. You know, your building might fall down. You probably should deal with that. You should probably make sure your records, you have a copy somewhere else, preferably not on the fault line. So, you know, and these kinds of good habits, people have known about these, you know, at least since they've been using computers, you know, are people just lazier, or is there just so much more to do? People are so used to highly reliable equipment that they, you know, people will keep their entire life on their cell phone and never do a backup. And every picture you have, you know, and then their phone breaks and it's all gone. Ten years, you know, you've still got the pictures on your cell phone, you never have a copy. So people, people have gotten out of the habit of doing backups, what little happens to it. The other thing that's happening now is people want to share more and more information, social networking, all that stuff. 
And when they share more information, they're more vulnerable, potentially more vulnerable, because you're providing more and more detail. So, you know, it's a bad idea to use your dog's name as a password. If you're posting pictures of your dog, because you just got this nice new puppy and you know, it's all, you know, you trained it, you know, it sits when you say sit and all that, you know, and all these pictures on Facebook, and you got your dog's picture there. And if you make your dog's name your password, people would notice that. No, you think. You think. So penetration testing is alive and well. If you need some white-hat help, if you need some help at all, go find it. Don't sit there and be a victim and don't use your pet's password, or your pet's name as your password. Andrew, the security guy, we're going to sign off. Rodney, thank you so much for being here. Hope to get you back in here soon. Aloha, everybody.