On Episode 85 of The Edge of Innovation, we’re talking with hacker and security expert, Adriel Desautels of Netragard, about whether there is any hope for computer security.

Computer Security: Is the Sky Falling?

Is There Any Hope For Computer Security?

Paul: So let’s flip the coin over now. Is there any hope for computer security?

Adriel: I don’t know.

Paul: Yeah, that’s fair. So, you know her. Both of us know her very well — Chicken Little. Is the sky falling?

Adriel: It is. Yeah.

Paul: I mean, are you saying that because you’re on a talk show or…?

Adriel: No.

Paul: Because you can only say that a certain number of times and then people say, “Oh, you know, he wasn’t right,” or whatever. Or we’re overreacting, or we’re trying to inflame the situation. So talk about that a little bit.

Adriel: Yeah, so the sky is definitely falling and the security industry as a whole is perpetuating it which is a pretty bold claim, but a lot of the real researchers and real hackers are fed up with the BS in the security industry. I think maybe I talked about this previously, but if you look at the security solutions that exist today, they don’t really solve anything. They’re maybe partially effective at best.

I was walking through the airport — and actually one of the reporters from Gizmodo actually wrote a story on this. They walked through the airport. They saw the same thing. There was this sign up on the wall for Barracuda, for a web application firewall, and it said, “Stop breaches today,” or something like that.

It’s Not Possible to Stop All Breaches

And I’m thinking, you’re a web application firewall, and you’re talking about stopping breaches? And it was pretty inclusive. It was kind of like “Stop all breaches.” You know, people are going to buy that because they’re going to think that it makes them safe. And we’re just going to social engineer somebody and compromise the entire infrastructure anyways. So, you have the security industry selling technology and blatantly promising things or marketing things that people believe, but those things aren’t even close to being true.

You know, another case in point is, not to pick on anybody, but FireEye — because they deserve to be picked on — they were being used by Equifax. We all know this. This is public knowledge. If you read FireEye’s literature — do a search for “FireEye zero-day block or prevention” — they clearly say that they’re going to stop zero-day exploits from putting you at risk and compromising your systems. Well, maybe they didn’t pick up the Apache Struts vulnerability that resulted in Equifax being breached. Maybe as my partner would say, “It’s because it was a known vulnerability and not a zero-day.”

Paul: Or they could say, “Well, we didn’t mean that one.”

Adriel: Right. Well, so in their literature, they also say, “We block things that conventional systems won’t.” I’m sorry. Snort’s pretty conventional, and Snort was very successful at detecting that vulnerability. So, and it’s not to say that FireEye doesn’t work. It’s not to say that these technologies are useless, because they’re not useless. They are useful but only to a degree. And what needs to stop happening to stop the sky from falling is they need to stop telling their clients that they are protecting them. They need to stop saying that they are entirely effective. Because what that does is that produces a false sense of security. And so when people have a fear, they go and they buy this technology. Then they feel safe. But it’s kind of like buying body armor that’s made out of cardboard and thinking you’re safe in going to battle. You’re going to get shot. You’re going to get killed. Right?

And you see companies being breached left and right as a result of this.

Paul: Right. Interesting.

Understanding What To Protect When It Comes To Security

Adriel: And then the second thing that people are doing that is causing the sky to fall — and businesses are as guilty of this as everybody else — is they’re building their defenses based off of generic ideas and assumptions. They think that they understand what they have to protect, and they think that they understand how they’re going to be breached. And they think this without actually having any exposure experience to how hackers are going to breach them. And they think that they know this because they might have purchased a lightweight penetration test or perhaps they read some kind of threat intelligence report. But they’re always wrong. And the way that you know that they’re wrong is because if they really knew how to protect themselves and if they really knew how they were going to be breached, then they wouldn’t be. These breaches wouldn’t be happening.

Case in point. We were testing a fairly large client of ours, actually, located here in the US. They had a relatively secure network except for the printer. And what my team ended up doing, was we found out that we could access the printer. When we say that the printer had an email address, that it was configured to send printouts or to email documents to when they were scanned in. And so we said, “Well, alright. Let’s check this out. Let’s see what these credentials are.”

So we were able to change the SMTP server to a server that we controlled. And we were able to get this printer to authenticate to us. And, of course, we captured the credentials. Lo and behold, those were domain admin credentials. We took the entire network.

So they protected all their assets. They were using state-of-the-art technology. There was this new company that came out. They have this AI product that they talk about. They were using that product, and they were using some other technologies. And they protected what they thought was everything — except for the printer because who cares about a printer. Well, we do.

Paul: When was this? Was this in the past year or…?

Adriel: This was probably six months ago. Five months ago.

Paul: So this is a contemporary story. It’s right now. It’s not like “Oh, this was six years ago.”

Adriel: No, it’s today. It’s right now. And so this AI technology that was supposed to detect all this anomalous activity, it didn’t report on anything that we did.

Paul: Well, it wasn’t anomalous.

Adriel: And the reason why it didn’t report anything is because when we breached the network — just like when the bad guys breach a network — they mimic the behavior of your admins. So if I break into a network, and I’m doing what your admins do, and I’m using his account or her account, why is it going to trigger? You tune that out.

Paul: Exactly.

Adriel: I’m in your network. You have no idea. So, the security industry would say, “Oh, we’ll sell this solution that will detect everything and make you feel good, and you’ll protect everything.”

The client buys it, and they think, “Oh, this is wonderful.”

And the hackers are like “Yeah, no. Not really. And here’s why.”

Paul: They just go in the back door. So they bought a very good front door.

Adriel: Right. Yep, they bought a very good front door, and they didn’t think that they had to worry about the trash can hiding outside because it was a low priority thing. But they also thought that nobody would put anything inside of the trash can. So when they brought the trash can in the house, it would blow up.

Paul: Right. Exactly. That’s a good analogy.

Adriel: Yeah. That’s really what it is at a very high level.

Why Security is Not Getting Better: A False Sense of Security

Adriel: And so those are the two reasons why security is not getting better — well, two of the primary reasons, anyways — why security is not getting better. It’s because the security industry is perpetuating a false sense of security of products that are marginally effective, and it’s not to say that they’re all equally bad. There are some that are pretty good, but they’re still not 100%. Nothing is 100%. And then the second issue is people believe they are protecting their networks based on what they think is important without contacting a team, like ours for example — without contacting a team that can hack them, really hack them, show them how they will be breached and then provide them with intelligence about how they will be breached.

And I tell you, when we told that customer “Hey, you’re compromised. You’ve got a main through a printer.” They thought, “Whoa. Wait a second. We’re going to look at this differently.” And that’s how every single business is. Every single business today, this is where my credit card information is stored. This is what I have to protect. Well, that’s great. I’m going to go through this guy’s desktop instead because he opens every email I send him anyways. You know? It’s almost always that way. People tend to focus on what they think is important, and they tend to lose sight of the other things that kind of hang off the edge, the low-hanging fruit. And that’s how hacks happen.

We get in through the easiest path. We move laterally, horizontally, depending on what we have to do. And go from one lower privilege area to the next higher privilege area, and we keep on getting more and more privileges until we have full control over everything. And by the time we finish breaching an infrastructure, we quite literally have more control, more access, and more authority than anybody else in the business.

Paul: That’s funny.

Adriel: Right? Yeah. So thank God we’re the good guys. But there are bad guys out there that do the same things.

Paul: Yeah, of course.

Why Doesn’t Tesla Let People Fix Their Teslas?

Paul: So this is a little bit of a tangent, but let me get your thought on this. Something I hadn’t considered. But I stumbled on this guy on YouTube. His name is Rich Benoit. He’s from Massachusetts, and what he does is he hacks — not really hacks. I mean, yes, in your definition of hacking and in my definition of hacking, he hacks Teslas.

Adriel: Right.

Paul: And what he wanted is he wanted to build his own Tesla. So he bought a burned Tesla and tried to fix it. Now, he seems like a genius because he was able to fix it. But he stumbled on something that Tesla doesn’t make any information available. There’s no service manuals. There’s no parts. There’s nothing. And in Massachusetts, we have a Right to Repair law, which says that you have to be provided the information to be able to repair your technology or whatever it is. But there’s a catch in there, which I didn’t realize, that it says they have to… So, let’s say Apple has to provide the same tools that Apple provides to its dealers. And so for a car repair, they have to — like GM, if they’re going to give their dealer this tool, you have to, as an individual citizen, have to have the privilege to be able to buy that. Tesla doesn’t give any tools or any documentation to its dealers. They do all of that service themselves.

And so you’ve got this guy out there, and he’s been relatively successful. It’s really, from your definition of a hacker — somebody who is going to be doing something you’re not supposed to be able to do — and really disassembling it and taking multiple Teslas and taking them apart and putting them together. But just what are your thoughts on that? Because it was an interesting curveball that I thought Tesla was pretty progressive, and I was really shocked like why wouldn’t they let people fix their Teslas?

Adriel: I don’t know. So one of my friends actually had dinner with Elon Musk at DEF CON. I don’t know much about the dinner that went on, but the fact that Elon Musk went to DEF CON made me think, “Well, jeez, this guy must really care a lot about security.” And hearing him talk and things like that about security also makes me think that he’s very passionate about it, and he cares a lot about it.

My suspicion is that Elon Musk sits at a very high level in the company, and there are a lot of people that sit between him and the cars.

Paul: Yeah, that’s true.

Adriel: And I’m wondering if, perhaps, some place in between there, his passion for security is sort of defeated by the drive for the business or the need to keep things proprietary or things like that. But I’m not sure. I believe that Tesla has a bug bounty program now. So, from that perspective, they definitely condone the hacking of their cars from a security perspective. And honestly, if this guy is tearing apart broken down Teslas and building up new Teslas, he comes across a bug, I’m sure he could approach Tesla and say, “Hey, here’s a vulnerability.”

I don’t know why they’re not making it easier to do, though, given that they have a bug bounty program. It could be just a political disconnect internally or there could be ulterior reasons that we’re just not aware of.

Paul: Sure. Absolutely. It was an interesting thing that I hadn’t anticipated.

Autonomous Vehicles & Security

Paul: So, I’ll get the next question. I think this might be one of our last ones. It is what do you think about autonomous vehicles, given the security profile?

Adriel: So I know that I can kill you if you drive a car that is 2006 or older, just because of how vulnerable the networks are. I think that autonomous vehicles are a great and very convenient idea — and I use the word “convenient” deliberately. Convenience is sort of the anti-security. Convenience is what drives people towards vulnerability. A case in point. Critical infrastructure systems were not designed to be connected to the internet. But how convenient is it that we can connect them to the internet so we can get readings off of these systems from afar as opposed to getting close to these systems and picking things up locally.

Well, you look at autonomous vehicles, and the state of security as it exists today, it terrifies me. I think it’s a great idea. I think it’s something that’s necessary, especially as people age. As I get older, I don’t want to be stuck at home because I can’t see or I can’t drive safely. And I know I don’t want to drive if I can’t drive because I’m not able. I’d love to have an autonomous vehicle. But I would not love my autonomous vehicle to be hacked so that it drives at 120 miles an hour into the side of a building. You know? That’s not a good idea.

And the fact that these things are being built on vulnerable technology, it really terrifies me. I do think that if we’re going to be building autonomous vehicles, that we should be building them on a platform that’s made by something like Green Hills Software.

The “Integrity” Computer Operating System

So Green Hills Software is a partner of ours. We’ve done a lot of work with them from the past, and we still do. They make an operating system that’s a real time operating system that’s called Integrity. Integrity is the only computer operating system — in fact, it’s the only piece of software that I’m aware of — that received an EAL6 certification from the NSA.

So, to put this into perspective, if you look at things like Microsoft Windows and every other operating system, they’re all EAL4 certified. What EAL6 means is, the fact of it, there is no vulnerability. Now, when we first met with Green Hills, we actually took one of their devices, and we spent a lot of time trying to hack one of their devices. I put eight of my zero-day guys on it. And these are guys that tear apart telephones. They tear apart everything.

After several months of them trying to find something, they all became very frustrated and gave up because they could find nothing.

Paul: Wow.

Adriel: Now, to kind of get an even deeper perspective, this system has gone through mathematical tests. So Integrity has gone through tests, and those tests demonstrate true separation between processes and they really demonstrate at a very, very high level — you know, layman’s terms — that there is no vulnerability in this technology.

And so if you’re going to be using technology in cars, don’t base it on some Linux derivative or Windows or what’s being used today. Go and base it on Integrity. Integrity is currently used in our fighters. It’s used in submarines. It’s used by the military in lots of different places because it is that secure.

Paul: I see.

Adriel: So they actually have quite a big user base. In fact, they’re used in many of the Boeings now, so they’re really used in different places where people actually care about security.

If these companies were to use something like Integrity, I’d feel pretty good about the autonomous cars as long as they couldn’t be fooled by putting something in the road. But if they don’t and these cars stay hackable and everything stays as vulnerable as it is, I really don’t want to have anything to do with it because I don’t want to see what happens when somebody exploits something and causes my car to do something crazy.

Paul: Wow. Yeah, I can just see Windows on a car. Or any operating system, really. That’s cool.

Adriel: Right. Yeah.

The One Piece of Technology That Can’t Be Hacked

Paul: So Green Hills.

Adriel: Yeah. Green Hills Software. They’re a close partner of ours. We’re actually trying to talk about them more and more only because they quite literally have the only piece of technology that we have ever seen that has never been vulnerable to anything. If you look up Integrity OS, I think it’s in the National Vulnerability Database, you’ll see every other operating system has vulnerabilities, and they’ve all had vulnerabilities. Green Hills Software, their Integrity platform, zero vulnerabilities ever in history.

Paul: Wow. Now you earlier said there was only one piece of technology that you could never hack. And is this, that?

Adriel: That’s it. That’s the only one.

Paul: Oh, cool.

Adriel: That is the only one. And trust me. We have tried, and we were convinced, when we first saw this thing, “Oh, there has to be a vulnerability somewhere.” But I can’t tell you how they do it, but if they were to explain to you how they do what they do, it would make a lot of sense. You’d say, “Well, of course there’s no vulnerability in this.” It’s really pretty remarkable. But we were convinced that we could find a flaw in something because you give us a page of code, and we’ll find a mistake.

Paul: Sure.

Adriel: The way they do it is they’re… I mean, it’s really brilliant. It feels weird for me to say this, but there’s no vulnerability.

Paul: That’s really cool. So it’s possible. There is a place where the sky hasn’t fallen completely.

Adriel: Yeah. Well, it’s possible because it really boils all the way back down to Dan O’Dowd, who is their founder and CEO. He had an idea about how to make things secure, and he did not bend. He did not waver. And so when he implemented this idea, everything had to adhere to this idea. And he was right. He said, “This is how we are going to make software, and this is what this software will do, and this is why it will never have a vulnerability.” And he’s right. The amount of energy they put into making their technology and developing their software and the degree of security around it is phenomenal. So it’s really an impressive thing.

Now, could anybody else do this? I don’t know. I really don’t know. And not without completely resetting everything and doing everything from scratch. I mean, they’d literally have to just get rid of everything they’ve ever done and start from scratch.

Paul: Sure. Of course.

Adriel: Because you can’t go backwards once you’ve made mistakes like that.

Closing

Paul: So, cool. I think we’re getting close to the end of our time. Any things you want to leave our audience with?

Adriel: Not really. I mean, I’ve kind of covered everything. If you need good penetration testing, you can come to us. Visit our website. We’ll hack you. We’re not just going to scan you. We’ll actually hack you and show you how you’re breached.

Paul: Very cool. Well, all of the show notes will have all of the links and everything we’ve talked about today. And I want to thank Adriel Desautels from Netragard and I really appreciate you coming on. And look forward to doing it again soon.

Adriel: Sure. It was my pleasure, Paul. Thank you.

Paul: Alright. Thank you.

More Episodes:

This is Part 3 of our interview with Adriel Desautels.
If you missed part 1, about what’s new in the world of cybersecurity, you can listen to it here! You can listen to Part 2, “Why Does The Hacker Hack?” here!
