“But the red team fascinated me. It was just simple stuff like putting up message boxes on our systems that said, “I like turtles” and using remote administration tools like Nuclear RAT or Poison Ivy, but not knowing anything about hacking I thought it was the coolest thing in the world. Like a future virtuoso hearing the sound of the cello for the first time, I realized that all I wanted to do was be able to do that.”
Introduction
At Logmeonce, we’re focused on helping protect you against cybersecurity threats. We do this in many ways. First, we provide you with a suite of tools, including a password management tool, to help keep your passwords safe.
However, technology itself can’t solve all of our security woes (as we’ll soon discuss below). Education plays a big role in staying safe online. For this reason, from time to time, we bring in cybersecurity experts from around the world to help educate you, our blog readers, about the various ways you can protect yourself online.
Today, Logmeonce had the opportunity to chat with Georgia Weidman, founder and CEO of Bulb Security. She is also a serial entrepreneur, penetration tester, security researcher, speaker, trainer, and author. She holds an MS in computer science as well as holding CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured internationally in print and on television.
We have an exciting interview planned for you today, so without further ado, let’s jump in!
The Interview
Hello and thank you for taking the time to chat with our blog audience today about your experience in the cybersecurity space. Can you begin by telling us a little bit more about your early days within the cybersecurity space? What was it about this niche that grabbed your attention and never let go?
I studied Math as an undergrad. I wanted to just be in a lab doing math problems all day, but quickly realized in graduate school that those kinds of positions were hard to come by. So, I switched to computer science in graduate school since it seemed like I could at least get a job in that.
In graduate school, we competed in the Mid-Atlantic Collegiate Cyber Defense Competition. Don’t get me wrong, being on a student team getting pulverized by the professional attackers on the red team, yelled at by the mock CEO for services being down due to said red team, and having to figure out things like how to set up Active Directory on the fly made me want to vomit from the stress. But the red team fascinated me. It was just simple stuff like putting up message boxes on our systems that said, “I like turtles” and using remote administration tools like Nuclear RAT or Poison Ivy, but not knowing anything about hacking I thought it was the coolest thing in the world. Like a future virtuoso hearing the sound of the cello for the first time, I realized that all I wanted to do was be able to do that. It didn’t hurt that as a security researcher I could totally sit in a lab all day doing math-like problems.
Your work in the realm of smartphone exploitation has been featured internationally in different media channels. You were also awarded a grant to continue your work within the field of mobile device security. What is it about mobile device security that you find so fascinating? Why is this an area of specific interest to you?
There wasn’t any particular plan behind it. I did my first research project and presented at Shmoocon on SMS-based botnets, before it became in vogue for attackers to do just that. Then the DARPA Cyber Fast Track program started and I was encouraged to apply. I needed some major research project and it occurred to me that mobile was just as vulnerable as anything else to phishing attacks, local privilege escalation attacks, and even remote code execution and client sides as any other platform. Yet it wasn’t, and still isn’t other than my products, being served by the security testing market. So, I proposed creating a tool for doing penetration testing for mobility and was accepted by DARPA. The rest, as they say, is history. So mobile became my niche. I often consider doing a research project on something completely different just to keep people guessing.
All of your hard work has paid off and resulted in you being able to release an open source project into the world called “Smartphone Pentest Framework” or SPF. Can you tell us a little bit more about what SPF is and how it contributes to the world of mobile security? Why did you decide to make it open source?
Well, SPF was the result of my DARPA grant. The idea was to comprehensively be able to simulate the same attacks attackers use against mobile — from phishing to client sides to simulated malware and post exploitation. SPF has now been folded into Shevirah’s Dagah product line for enterprise security testing and monitoring. It’s not open source any more since my investors didn’t want it to be, but there is still a free edition with all of the features of SPF and more. The free edition is aimed at students and security researchers wanting to test their personal device or do mobile security research as opposed to penetration testing a client or doing continuous monitoring of an enterprise with the professional and enterprise editions respectively.
On the topic of mobile security, what three pieces of actionable advice would you give to smartphone users who have little understanding of complex security issues at play, but want to keep themselves protected the best they can?
Take mobile phishing seriously. So many security awareness programs focus solely on email. People are learning not to click on suspicious links in emails, but you can be phished any way a link can be served to you. Mobile services such as SMS and NFC and social media messaging such as Twitter, Snapchat, WhatsApp, etc. are being used by attackers to gain access to your devices and trick you into giving up money or sensitive information.
Keep your device up to date. Software updates of apps, the device operating system, etc. often address known security vulnerabilities that are being actively exploited by attackers. For instance, many of you have probably heard of jailbreaking or rooting. Jailbreaks use vulnerabilities discovered in iOS to give the user additional access to their phones. Those same vulnerabilities can be used by attackers to completely take over your device.
Don’t rely on preventative products such as mobile anti-virus or enterprise mobility management as a silver bullet that takes care of security hygiene for you. This is a real problem even with large enterprises. The vendors say install this app and all your security problems will go away. But then the enterprises and the users don’t worry about basic things like patch management or security awareness. These products do provide value, but sophisticated attackers are either buying or pirating these products to ensure their attacks get past them. So, use these products, but keep up with your security hygiene such as phishing awareness and updating your device software.
When doing a security assessment or penetration testing where do you usually begin with regards to password security / vulnerabilities? Why?
Well, with passwords, I naturally try default credentials on web servers, networking equipment, etc. Often people don’t change them. Additionally, I use LLMNR and NBT-NS cache poisoning to capture NETNTLM password hashes off the network. I did an in-depth write-up of how this works here.
Are there any differences when thinking about password security on mobile devices compared to other types of devices (i.e., desktop, IoT, etc.)?
Well, for one, IoT has a rampant default password problem. Just as networking devices are finally moving away from cisco:cisco and web server software is moving away from tomcat:password and making users create their admin credentials as part of the installation process, IoT has brought the default password back en masse. As for mobility, most users opt for a PIN. No one wants to have to type in a random 16-character password at a stop light! Naturally the key space is smaller with a 4- or 6-digit PIN.
The devices have somewhat mitigated this risk with the option to wipe the device after too many failed attempts; however, people with small children, for instance, often find this not to be feasible. And we have seen instances of bypassing this feature by NAND mirroring as we saw in the Apple vs. FBI case a couple of years back. The relatively recent advent of biometrics for authentication has improved the state of mobile security, though it has come with its own set of possible bypasses. In general, the biggest difference.
I think that if it’s a corporate-issued laptop it is easy to enforce password standards while it’s harder on mobile. Though tools like Enterprise Mobility Management and Mobile Threat Defense have some of these same features, with a Bring Your Own Device scenario, it is difficult to not incite a riot among employees if they have to use a 12-character-or-more, 3-complexity-class password with a short lockout time.
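To make the key-space point in the answer above concrete, here is a small added model (our own example, not code from Georgia or her products) that compares how long a 4-digit PIN, a 6-digit PIN and a 16-character password survive guessing under three policies: no lockout at all (the situation once an attempt counter has been reset, as in the NAND-mirroring case mentioned), an escalating delay after repeated failures, and a wipe after a fixed number of failures. The delay schedule, the attempt rate and the wipe threshold are constructed assumptions, not any vendor’s documented behaviour.

```python
"""Guessing cost of a mobile PIN vs. a long password under lockout policies.

Added example, not from the interview. The lockout schedule and attempt
rate below are constructed assumptions, not any vendor's documented policy.
"""
from typing import Dict, Optional

# Assumed escalating delay (seconds) imposed after failed attempt N.
# Attempts 1-4 carry no delay; every attempt after the 9th waits LAST_DELAY.
ASSUMED_BACKOFF: Dict[int, int] = {5: 60, 6: 300, 7: 900, 8: 900, 9: 3600}
LAST_DELAY = 3600


def keyspace(kind: str) -> int:
    """Number of candidate secrets for each credential type from the answer."""
    spaces = {
        "pin4": 10 ** 4,   # 4-digit PIN
        "pin6": 10 ** 6,   # 6-digit PIN
        "pw16": 95 ** 16,  # 16 printable-ASCII characters
    }
    return spaces[kind]


def delay_after(attempt: int) -> int:
    """Delay the device imposes after the given failed attempt number."""
    if attempt < 5:
        return 0
    return ASSUMED_BACKOFF.get(attempt, LAST_DELAY)


def seconds_to_exhaust(space: int, attempts_per_sec: float,
                       backoff: bool = True,
                       wipe_after: Optional[int] = None) -> Optional[float]:
    """Worst-case time to try every candidate.

    Returns None when a wipe limit stops the attacker before the space is
    covered. backoff=False models a bypass that restores the attempt
    counter, so every guess is accepted without delay.
    """
    if wipe_after is not None and wipe_after < space:
        return None
    total = space / attempts_per_sec
    if backoff:
        # Closed form so that 95**16 does not require a loop.
        early = sum(delay_after(a) for a in range(1, min(space, 9) + 1))
        late = max(0, space - 9) * LAST_DELAY
        total += early + late
    return total


def success_probability(space: int, wipe_after: int) -> float:
    """Chance of guessing the secret before the device wipes itself."""
    return min(1.0, wipe_after / space)


def compare(attempts_per_sec: float = 10.0, wipe_after: int = 10) -> Dict[str, dict]:
    """Summarise each credential type under the three policies."""
    out = {}
    for kind in ("pin4", "pin6", "pw16"):
        space = keyspace(kind)
        out[kind] = {
            "keyspace": space,
            "no_lockout_s": seconds_to_exhaust(space, attempts_per_sec, backoff=False),
            "backoff_s": seconds_to_exhaust(space, attempts_per_sec),
            "p_success_before_wipe": success_probability(space, wipe_after),
        }
    return out


if __name__ == "__main__":
    for kind, row in compare().items():
        print(kind, row)
```

Running `compare()` shows the shape of the argument in the answer: with the counter reset and no delay, a 4-digit PIN falls in well under an hour at ten guesses per second, the escalating delay stretches that to years, and a wipe after ten failures leaves an attacker a 0.1% chance against a 4-digit PIN and effectively none against the 16-character password. The model is only as good as its assumed schedule; the point it illustrates is that the lockout and wipe policy, not the PIN length alone, is what makes a short PIN tolerable.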
You do a lot of public speaking events and training seminars around the world. What are the main types of companies and organizations that bring you onboard in some type of training capacity? Why do you think that these types of companies / organizations, more than others, focus on security?
It really varies. I’ve done a lot of conference training at venues such as Blackhat, CanSecWest, and Defcon where I get students from different backgrounds and from all over the world in some cases. I’ve also taught at training centers where, again, the industries the students represented vary. I’ve done a fair amount with government clients. For instance, through my DARPA Cyber Fast Track grant I lectured at the NSA and West Point.
I do get brought in by individual companies as well, though, of course, I can’t name them. I’d have to say that finance is the most frequently represented sector among my students. Especially since I work with mobile, though I also teach penetration testing, reverse engineering, and exploit development, finance seems to keep the most abreast of the latest trends in security. As to why, like the famed criminal Willie Sutton once said about why he robbed banks, it’s where the money is.
When looking at the horizon, what are three cybersecurity threats (or issues) that worry you?
I always kind of rolled my eyes at Artificial Intelligence and Machine Learning as the fancy new buzzwords people were putting on the same old rule engines that have been around for decades. However, last year I was invited to speak at an event where all the speakers were experts in a topic. I was the cybersecurity person. One of the speakers was an academic expert on AI/ML. He had robots winning art competitions with their paintings, being able to hold a completely realistic conversation, etc. I immediately realized that AI/ML could be a major threat in the hands of sophisticated attackers.
Mobility continues to be a problem, which will only get worse as more users and enterprises phase out traditional devices in favor of tablets and phones. While the market is waking up to the issues, it is still seen as a nation state only attack. Mobile phishing anyone can do, and many jailbreaks have source code online which can be easily refactored for use in malware. Like Willie Sutton, the attackers go where the money is, so as mobility becomes the majority, we will see more and more mobile attacks.
Likewise, the Internet of Things is a growing issue. While some IoT users and IoT manufacturers take security seriously, many more set it up or install it and then never think about security issues again. The common argument is, “I don’t store sensitive data on the Internet-connected coffee pot”. This is likely accurate, but if the coffee pot is on the same network with your work laptop or, for instance, the customer credit card database, it can be used as a jumping off point to pivot onto devices that do store sensitive data.
When looking at the horizon, what are three cybersecurity advances (technology or otherwise) that excite you and makes you feel optimistic about the future?
Again, I would have to say AI/ML. Though so many companies are using it as a fancy buzzword for the same old rules-based engine, having seen the talk I mentioned in the last question, I see enormous potential on the defensive side as well.
Mobile Threat Defense is making the first real strides towards effective mobile device security that I have seen. The first Mobile Device Management solutions replaced the Blackberry BES used for device inventory and enrollment. As I’ve learned, in business this was a great idea, since there was a line item in the enterprise budget for the BES, so anything that filled the same need for iOS and Android was an easy sell. But again, it was primarily for inventory and enrollment and purchased by operations not security.
But just in the last year or so as the MTD magic quadrant came into being at Gartner, I’ve seen real strides in mobile security from some of the MTD companies. Just as an example, a lot of products check for the Cydia app to detect a jailbroken iPhone. People who jailbreak their iPhone will have a Cydia app, but an attacker using the jailbreak exploit to take over the phone has no need for a third-party app store. One of the MTD companies I tested flags on the partition being mounted as read-write which most jailbreaks require even if they aren’t installing Cydia. So that’s a much more effective test. I hope to see MTD continue to make strides towards being able to defend mobility from attack.
And on the more nontechnical side, security awareness is taking hold among the masses. We have the media to thank for that. Though the media around security has always been a bit strange in terms of what they pick up on (remember the printer vulnerabilities getting wide coverage when we had been using the attack for years), there are stories in all sorts of publications and news shows on a regular basis on a variety of security attacks. At least when I am quoted as the technical expert I try to put in understandable technical details and advice on how users can protect themselves. The success of scripted television and movies that show realistic hacking by using real security professionals as advisors such as Mr. Robot have helped as well. I expect going forward we will see more and more of this.
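The jailbreak-detection contrast in the previous answer (looking for the Cydia app versus checking whether the root filesystem is mounted read-write) is easy to show side by side. The following is an added example written for this post, not code from Georgia or from any MTD vendor: it parses constructed mount-table lines in the BSD `mount` output style, applies both checks, and demonstrates that only the mount check flags a device that was compromised with a jailbreak exploit but never had a third-party app store installed. The Cydia path and the assumption that a production device keeps `/` read-only are taken from the answer; how a real product reads the mount table on the device is outside this example.

```python
"""Two jailbreak indicators compared on constructed mount tables.

Added example, not code from the interview or any MTD product. The mount
lines are constructed in BSD ``mount`` output style; the checks are the two
described in the interview, reduced to a standalone parser.
"""
import re
from typing import Dict, Set, Tuple

MOUNT_RE = re.compile(r"^(?P<dev>\S+) on (?P<mnt>\S+) \((?P<opts>[^)]*)\)$")
CYDIA_PATH = "/Applications/Cydia.app"  # the app-store indicator from the answer


def parse_mount_line(line: str) -> Tuple[str, str, Set[str]]:
    """Return (device, mountpoint, option set) from one mount-table line."""
    m = MOUNT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised mount line: {line!r}")
    opts = {o.strip() for o in m.group("opts").split(",") if o.strip()}
    return m.group("dev"), m.group("mnt"), opts


def root_is_writable(mount_output: str) -> bool:
    """True when the filesystem mounted at / lacks the read-only flag."""
    for line in mount_output.splitlines():
        if not line.strip():
            continue
        _, mnt, opts = parse_mount_line(line)
        if mnt == "/":
            return "read-only" not in opts
    raise ValueError("no root filesystem in mount table")


def cydia_present(installed_paths: Set[str]) -> bool:
    """The naive check: is the third-party app store installed?"""
    return CYDIA_PATH in installed_paths


def assess(mount_output: str, installed_paths: Set[str]) -> Dict[str, bool]:
    """Run both indicators; 'suspicious' is true if either one fires."""
    root_rw = root_is_writable(mount_output)
    cydia = cydia_present(installed_paths)
    return {"cydia_present": cydia, "root_rw": root_rw,
            "suspicious": cydia or root_rw}


# Constructed scenarios (not captured from real devices).
STOCK = """\
/dev/disk0s1s1 on / (apfs, local, read-only, journaled, nosuid)
/dev/disk0s1s2 on /private/var (apfs, local, journaled, nosuid, nodev)
"""
# Root remounted read-write, as most jailbreaks require.
ROOT_RW = STOCK.replace("read-only, ", "")

STOCK_APPS = {"/Applications/MobileSafari.app", "/Applications/Preferences.app"}
USER_JAILBREAK_APPS = STOCK_APPS | {CYDIA_PATH}


if __name__ == "__main__":
    print("stock device:     ", assess(STOCK, STOCK_APPS))
    print("user jailbreak:   ", assess(ROOT_RW, USER_JAILBREAK_APPS))
    # An attacker who ran the exploit has no reason to install Cydia.
    print("exploit-only:     ", assess(ROOT_RW, STOCK_APPS))
```

The third scenario is the one that matters: the Cydia check reports nothing, while the mount check still fires because the exploit had to make `/` writable. A product that relies only on the presence of a known app is checking for hobbyists, not for the attacker the answer describes.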
Lastly, knowing what you know now about building a cybersecurity company, if you had the chance to go back in time and give a younger version of yourself three pieces of advice about succeeding in the cybersecurity space, what would those three pieces of advice be?
I certainly had a bit of naivete about it going in. I thought building good technology that would make the world a more secure place was all it took to create a successful company. I didn’t know, especially in creating a new category like mobile pentesting, that, more so than the technology, marketing and sales were key to success. I also thought having the best product that solved the most problems meant you would be the winner. But I’ve learned that, again, so much of it is based on the non-technical things I’m not that great at — as well as timing.
Many great products (including mine) have come out before the market got there. There has been a need for mobile security testing since the Android G1 came out, but people are just now wising up to it thanks in no small part to all the media surrounding Facebook, Jeff Bezos, etc. getting hit by NSO Group clients. I do what they do, except for good, to make your devices more secure so that when the real bad guys come all your known vulnerabilities are mitigated and the user is abreast of social engineering vectors.
The third would be don’t believe it when people say doing a startup will be easy with a product as good as mine.
It’s not going to be easy at all. It’s going to be grueling with lots of disappointment along the way. Doing a startup is not for the faint of heart. That having been said, if you like being your own boss, never knowing what you’re going to be doing from day to day, and a constant stream of unexpected challenges, well, there are few things more challenging.
Thank you greatly for taking the time to chat with Logmeonce’s cybersecurity blog readers today, Georgia. We truly appreciate it. To our blog readers, if you’d like to learn more about Georgia and the work she does you can follow her on Twitter or head over to her website here.