
Yeah, okay. So, Jeff Man. If you don't know him, he is kind of, I would say, an ex-NSA guy. Jeff is very, very well respected in the information security industry. He's an advocate, adviser, hacker, evangelist, mentor, teacher, international keynote speaker, and former host of Security and Compliance Weekly and co-host on Paul's Security Weekly. Tribe of Hackers contributor, including the Red Team, Security Leaders and Blue Team editions, and a member of the Cabal of the Curmudgeons (sorry, English is my second language, I can use that as an excuse). Jeff currently serves as a PCI QSA and a trusted adviser for Online Business Systems, a Gula Tech Foundation Advisory Board member, an Advisory Board member for the Technology Advancement Center, and he is the Director of Diversity, Equity and Inclusion for the Hak4Kidz non-profit. Over 40 years of experience working in all aspects of computer, network and information security, including cryptography, risk management, vulnerability analysis, compliance assessments, forensic analysis and pen testing. He's a certified National Security Agency cryptanalyst, designed and fielded the first software-based crypto system ever produced by the National Security Agency, inventor of the Whiz Wheel, a cryptographic cipher wheel used by the US Special Forces for over a decade, currently on display at the National Cryptographic Museum, honorary lifetime member of the Special Forces Association. Previously held security research, management and product development roles with the National Security Agency, the Department of Defense and private sector enterprises. Pioneering member of the first pentesting red team at NSA. For the past 28 years he has been a pentester, security architect, consultant, QSA and PCIP providing consulting and advisory services to many of the nation's best known companies. If you want to watch his Darknet Diaries episode, number 83, that would be great. We have been trying to get you for the last five years; finally we were able to make it. So thank you.

Thank you. I should be good. Everybody can hear me okay? Thank you for the introduction. It's great to be here, and I'm going to stall while the sound lady is making some adjustments.

Out of curiosity, raise your hand if you're 40 years old or younger. Yeah, so I've been doing this stuff for your entire life. I've been doing PCI for 20 years, which continues to boggle my mind, because even PCI is almost a generation old now. You've heard a lot about me in the introduction. Stole my thunder a little bit, but that's okay, I'll go over a little bit about this. I want to start by asking you guys a trivia question: who knows the importance of this date? Shout it out if you think you know what it is. Anyone? This is part of the problem of everybody being under 40; my references, the cultural iconic things, are kind of old. Give up? Now raise your hand if you have no idea who or what Skynet is. Be honest. Okay, we're good. Or at least you're not telling the truth.

I mean, you heard a lot about me in my introduction; I'll go over some of that in more detail today. My story is really... (Is it me walking? Is that part of the problem, or are you just keeping it a test? I'll just keep talking and someday we'll hit it.) This is my contact information. I am a consultant by day. I work for a company called OBS Global; we're actually based in Winnipeg, although I'm down in the United States. We have a risk, security and privacy practice that's pretty much universal, we go anywhere, and I happen to have a couple of clients up here in Edmonton, so I've been coming up here for a couple of years. The planets aligned this year and I'm here speaking, I'm here working, and I'm here and it's not snowing and it's above freezing, which is what I'm most excited about.

That's a little bit of a summary of my background in writing. Sort of cut my teeth at NSA, been out in the private sector for quite a long time. I consider myself an information security professional because I started in the organization called INFOSEC at NSA. Oh, that's my compulsory OBS Global slide. I'm getting out of order. I do a podcast called Paul's Security Weekly. Anybody ever watch or listen to Paul's Security Weekly? If not, that's where you find it: securityweekly.com. It's one of the oldest podcasts in the industry; it's been going on almost 20 years. I'm spending two days here. At the end of the week I'm going to go down to Grand Rapids, Michigan; I'm speaking at a conference called GrrCON. I'm very excited that Paul, the Paul of Paul's Security Weekly, will actually be coming there too and we'll get to hang out together. I've been trying to get him to come to that conference for a long time.

This is what I was trying to get to: I'm also a hacker. I identify as a hacker. I didn't grow up thinking that I was a hacker, but over time I figured out, yeah, that's what I am. During COVID I had a lot of time to clean my closet, so I got organized and posted that picture. One of our listeners, when I posted this on Twitter (and I refuse to say that other name, it's just Twitter), helped me out with the organization.

As was mentioned, there was a series of books that were published a couple of years ago, before COVID, called Tribe of Hackers. It's a set of books where the editor, Marcus Carey... should I just... I don't want to stand there. How's this? This is better. The editor went out and found people that are known in the industry, in various aspects of the industry, and asked them all the same set of questions. So every chapter in the book is a different person answering the same set of questions: what's good and bad about the industry, what's your favorite hacker movie, what would you do differently, what were your greatest successes and failures, different types of things. I happen to be one of two people that was asked to contribute to all four books in the series. If you want to find out who the other person is, of course you have to go out and buy the books. I don't make any money off that.

It was also mentioned there's a Darknet Diaries episode. It's actually Marcus Carey, who was the editor of Tribe of Hackers, and myself; we both have an NSA background, but my part's better, of course. It was also mentioned that I'm a member of something called the Cabal of the Curmudgeons, so very often I'll go around and introduce myself or describe myself as a curmudgeon. A curmudgeon is that sort of proverbial grumpy old man, but this particular group is a bunch of people that hang out, all of us olders, people that have been in this industry from the very beginning and actually predate it, and we hang out with a gentleman who's sort of in the pink shirt off on the left there, a gentleman named Gene Spafford, or "Spaf" is what he's known as to his friends. He really is truly one of the real pioneers in this industry. He wrote the book on security, published it back in the late 80s, and back then it was called Unix and Internet Security. I have a picture of it later on; we'll get to it.

So several years ago I was speaking at a conference (I think it was actually a B-Sides, come to think of it) and I met a guy at a speaker dinner the night before. I asked him what he was speaking about. He said, oh, I'm going to give a talk on introduction to cryptography. So I'm like, oh, that's cool, I kind of know a little bit about that. So I went to his talk and he gave a very interesting talk about early codes and ciphers and things like that, secret writings, and I thought, gee, I should give a talk like that, because I kind of lived it. So I put together a talk. I was working at the time for a vendor that had a marketing department with a summer intern, and I talked him into giving me a little graphic, so I came up with the idea of Tales from the Cryptanalyst. Most people probably don't even remember there used to be an HBO show called Tales from the Crypt; before that, back when I was a kid, there was a comic book called Tales from the Crypt. Anyway, that's the graphic.

So in the first part of that first talk I sort of went over the first couple of years of my history at NSA. That is my certification as a cryptanalyst, over 30 years old. As was mentioned, I was at NSA at a very unique time where the digital age was just sort of becoming a thing. We were doing machine cryptography, we were building little black boxes that did the codes and ciphers, but we weren't really into the digital age yet. My first job, I had a standalone IBM PC; that's kind of what was around. And I had a customer approach me that was part of the military machine, and they were people that worked with people that they recruited in certain other parts of the world, and they would want to communicate with secret messages using something called a one-time pad. A one-time pad, as you can see there, is a piece of paper, it's a pad of paper that has random characters written on it, and you write your message one character at a time, and then both sides know how to combine the two letters to get a third letter or character, and that's what becomes the cipher and what is sent. It's actually a perfectly secure system. It's unbreakable because there's only two copies of the key, and as long as the key is not stolen, and as long as the key, as in the name, is only used one time, there is no mathematical cryptographic way of breaking it. So, perfect security. We don't use them anywhere anymore because they're slow; we've sacrificed security for speed and convenience. Know this is a keynote, so that's your first life lesson right there.

Anyway, this client approached me, and the caseworkers, as they were, the people that were in locked rooms and secure facilities that would spend hours encrypting and decrypting these messages letter by letter. He asked, there's this PC on the desk, isn't there any way we could do this on the PC and speed things up? And I was young and naive and didn't know the politics and the bureaucracy of NSA. I said, yeah, that makes sense, why not? So I ended up becoming a project manager and figuring out a way to get this paper key, which was printed by NSA (we had a printing office at the time), to take that same key and put it onto that thing in the middle. It's called a floppy disk. It's not just the save icon; that's what the save icon is based on.

This was, as it turned out, revolutionary. It had never been done before. I was talking to managers and chief scientists and people like that at NSA. The chief scientist told me, you know, there's really no such thing as software, it's all hardware, that's all we do. I had to go through a design specification review, something called a Functional Security Requirements Specification, FSRS. It was all written for hardware and I had to force-fit this software thing through it. One of the requirements, for example: when you have a piece of paper and you've used it, it's really easy to destroy it. You burn it, you rip it up into pieces. The people that are in the field, their one-time pad very often was printed on very, very small paper, very small pads that could fit in the heel of your shoe, and they were actually printed on rice paper so you could eat it to get rid of it, because those people were literally putting their lives on the line. But we had to figure out how to put that on a floppy disk and then securely delete a page at a time of the key. And so I was told, well, you just come up with a secure deletion routine. So I'm like, okay, tell me one. Well, turns out there wasn't one. Nobody had ever had to do it before. So we had to figure out a way to do it, and do it in a way that was going to eliminate the key from the floppy disk. To the best of my knowledge that was the first foray into software, at least in terms of a crypto system, that NSA had ever done. I put this pitch before the senior level management of NSA, this is the INFOSEC side, sort of the board of directors, and they very begrudgingly said okay, we'll let you do it, but don't do this again.

Somebody was asking me earlier if I get nervous speaking in front of crowds, and the answer is no, because the very first thing I did when I was at NSA was I had to get up in front of all these suits, all these old men with pocket protectors and slide rules, a very esteemed, studious group, and I was this young kid saying, yeah, we're going to do something new and different. But I got it done.

Also mentioned was the Whiz Wheel. I was working with another client called the US Special Forces, the Green Berets. They were also using one-time pads. I was actually helping them come up with a new memory crypto system in case they had to drop all their pads and they were on the run but still wanted to send a secure message. In doing that, I wanted them to be able to use the algorithm, as it were, which is a three-letter substitution based on something called a Vigenère square. That's the version of it they got on their one-time pad; that's the front page of every one-time pad they had. I wanted them to be able to use that because the people that would do the encryption and decryption of the messages would memorize these three-letter combinations, and so it's already in their head. I'm there visiting them, working on different manual schemes, wanting to use that algorithm and struggling with the table, which you can see is pretty awkward. And I thought, you know, I've just been through an introduction to cryptography course, I've learned about cipher wheels, Caesar ciphers, the Little Orphan Annie decoder ring. So I thought there'll be a way to do this out of this table, so I came up with this idea of making a wheel. Long story short, they loved it. We ended up producing 15,000 of them and distributing them, and as far as I can tell from talking to former Green Berets over the years, they were used at least into the earliest 21st century; they were still being used after 9/11 when we began the invasion of Afghanistan.

Anyway, that wheel is now on display at the National Cryptologic Museum, which is the museum associated with the National Security Agency in Fort Meade, Maryland. I happen to be from Maryland; I live in Maryland. This is a picture of the museum. There's a whole display case; it's actually a display of a bunch of different cipher wheels, the oldest one being from the 1830s, and there's mine at the end. The little write-up they did: "Man reinvents the wheel." When I created the wheel, my boss at the time put in for a cash award for me. He had to do a little write-up abstract, and he titled this little abstract "Man Reinvents Wheel," so it kind of stuck.

There's obviously more stories to tell, more tales to tell of those first days. I gave that talk I don't know how many years ago, but if you go to YouTube, type in my name (type it correctly, with one N) and Tales from the Crypt, you should be able to find one or more copies of talks that I've given telling all of those stories. But that's not why we're here today.

Another date. This is the one that everybody should know. This is your second talking point since this is a keynote. Anybody know what this date is? You should know this date; take notes on this date. This is what started it all for us. This is why we're all here today. This is when the internet became publicly available with the publication of the first web browser, which was called Mosaic. So take that note down. You don't have to remember the month and day, probably; just remember this all started in 1993.

By 1993 I was working still at NSA, still in the INFOSEC organization, and I tell this story in the sequel talk, which is More Tales from the Cryptanalyst. I was working in an organization that was doing fielded systems evaluations. We were testing the security of all of our great crypto systems and code systems and little black boxes that we had designed and built, and they were perfectly secure, and we were sending them out with our troops, our military, our diplomats, State Department and things like that. But somebody at NSA came up with this brilliant idea. They realized the way that the main part of NSA, the operations side, which is where we do codebreaking, which is what we're mostly known for (except for these days, violating human rights, but that's another story)... historically, let's say, we were known as the codebreakers. We were the cryptanalysts, and we were intercepting communications from all over the world in any way, shape or form, which is part of what gets really classified, but essentially that was the main mission. And somebody figured out one of the reasons that we're often successful breaking other people's communications is we take advantage of the fact that they don't use them correctly. They don't change passwords. One-time pads: I worked at Ops one time and we had an adversary that we were evaluating where they were using one-time pad key, they would use a page for a week. When you do that and do multiple messages, you introduce cryptographic vulnerabilities and you can break it. People finding bypasses, shortcuts; a lot of the radio operators that were using this equipment were 18, 19, 20 years old, not to disparage young people, but they would find shortcuts.
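The one-time pad mechanics described earlier (two copies of a random pad, combine message letter with key letter to get the letter that is sent, use each page once) and the "page for a week" mistake just mentioned, as an added example that is not code from the talk. It assumes letters A-Z combined by addition mod 26, a constructed choice since the actual combining table is not on the page; the OneTimePad class enforces the single-use rule, and two_time_pad_leak shows what an eavesdropper gets when a page is reused.

```python
"""Paper one-time pad as the talk describes it, plus the key-reuse failure.
Added example, not code from the talk. Letters A-Z only; the combining rule
(message + key mod 26) is a constructed choice; the real tables are not on the page."""
import secrets
import string

ALPHABET = string.ascii_uppercase


def clean(text):
    """Keep only A-Z: a paper pad carries letters, not spaces or punctuation."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def combine(msg_letter, key_letter):
    """Message letter + key letter -> the 'third letter' that is actually sent."""
    return ALPHABET[(ALPHABET.index(msg_letter) + ALPHABET.index(key_letter)) % 26]


def uncombine(cipher_letter, key_letter):
    """Cipher letter - key letter -> message letter (the receiver's step)."""
    return ALPHABET[(ALPHABET.index(cipher_letter) - ALPHABET.index(key_letter)) % 26]


def encrypt_with_page(plaintext, page):
    """Encrypt one message with one key page, letter by letter."""
    msg = clean(plaintext)
    if len(msg) > len(page):
        raise ValueError("message longer than one key page")
    return "".join(combine(m, k) for m, k in zip(msg, page))


def decrypt_with_page(ciphertext, page):
    """Reverse of encrypt_with_page, using the same page."""
    return "".join(uncombine(c, k) for c, k in zip(ciphertext, page))


def make_pad(pages, page_len=40):
    """Random key pages; the sender's and receiver's copies must come from one call."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(page_len)) for _ in range(pages)]


class OneTimePad:
    """One copy of the pad. A page is torn off on use and can never be used again,
    which is the 'one time' that makes the system unbreakable."""

    def __init__(self, pages):
        self._pages = list(pages)  # private copy: the two holders must not share state
        self.pages_used = 0

    def _next_page(self):
        if not self._pages:
            raise RuntimeError("pad exhausted: no key material left")
        self.pages_used += 1
        return self._pages.pop(0)  # tear off the page: gone after this call

    def encrypt(self, plaintext):
        return encrypt_with_page(plaintext, self._next_page())

    def decrypt(self, ciphertext):
        return decrypt_with_page(ciphertext, self._next_page())


def two_time_pad_leak(cipher_a, cipher_b):
    """What an eavesdropper learns when the SAME page encrypts two messages:
    (p_a + k) - (p_b + k) = p_a - p_b. The key cancels and the two plaintexts
    are tied together by a fixed offset, with no key ever seen."""
    n = min(len(cipher_a), len(cipher_b))
    return "".join(uncombine(cipher_a[i], cipher_b[i]) for i in range(n))


def recover_other_message(cipher_a, cipher_b, known_plain_a):
    """With one plaintext known or guessed, the leak gives up the other outright."""
    diff = two_time_pad_leak(cipher_a, cipher_b)
    return "".join(uncombine(a, d) for a, d in zip(clean(known_plain_a), diff))


if __name__ == "__main__":
    pad = make_pad(pages=2)
    sender, receiver = OneTimePad(pad), OneTimePad(pad)
    ct = sender.encrypt("Supplies arrive Monday")
    print(ct, "->", receiver.decrypt(ct))  # round trip through page 1
    reused = pad[1]  # the 'page for a week' mistake: one page, two messages
    c1 = encrypt_with_page("Supplies arrive Monday", reused)
    c2 = encrypt_with_page("Radio check at noon", reused)
    print(recover_other_message(c1, c2, "Supplies arrive Monday"))  # RADIOCHECKATNOON
```

The class is the discipline the paper pad imposed (a used page is destroyed); bypassing it with encrypt_with_page on the same page twice is exactly the reuse the talk says made an adversary's traffic breakable.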
They would find a way to get the message around. So we thought, or somebody at NSA thought, we ought to turn that around and figure out how that gets done to our systems. Are there ways to bypass our systems? Are there ways to misuse those systems? One of the divisions in that office that I was in was focused on what we called at the time distributed systems. That's what we called the early networks. They were computers that were starting to get plugged into each other with physical wires and plugged into things called routers, which would actually enable communications, sort of the beginnings of what we now know as the internet.

So 1993 was when I was in this office and the internet was becoming more of a thing. There had already been some fairly famous breaches, but it was mostly mainframes at universities, because most of the internet was the government and research universities at that point; it wasn't really in the public hands. But as it was becoming more into the public hands, this idea of computer hacking and networking was becoming more of a thing. So there was a small group of us that decided we're going to learn how to do that. We're going to learn how to break into computers and networks.

This book was published, I think, in 2015, and in this book the fourth chapter, which is entitled "Eligible Receiver," there's a paragraph, and I always like to do a dramatic reading but I don't have it memorized. Somewhere in the middle: "During its most sensitive drills, the red team worked out of a chamber called the Pit, which was so secret that few people at NSA knew it existed, and even they couldn't enter without first passing through two combination-locked doors." One of the people that I worked with at the time, when this book came out, they got a copy, they read it, they got to this chapter, and he's sending emails and texting all the other people from our little group, because we happened to work in an office that we had nicknamed the Pit. We were trying to be hackers, live the hacker culture, learn the hacker culture, which is code for we were just being nerds and geeks, and we named our office kind of like, again, an ancient cultural reference, a show called M*A*S*H, where the doctors from M*A*S*H called the tent where they lived the Swamp. So we were trying to be geeky and edgy, and somehow, and to this day I don't really know the actual story of how, the fact that this small group of guys that were learning how to do pen testing and learning how to break into networks, and we were nicknaming our office the Pit, somehow that got into the folklore and got into a book. But it means we're famous.

There were six of us all told. I currently only have permission to acknowledge one other person that was in the Pit that's out in the private sector; that's the guy next to me there. Even he's becoming a cultural relic. He was the founder of a small startup company called Tenable Network Security. Anybody heard of Nessus? Yeah, he's the one. He didn't write Nessus, but he was responsible for the company that was Nessus. He was actually in the Air Force at the time. He came to the Pit a little after we had started, and we're still friends to this day, and he'll often introduce me as the person that taught him his first pentesting attacks way back in the day. I actually realized I have to update the slide, because of the two people that are still at NSA, I learned a little while ago that one of them's retired, lucky him, and then there's two other people out in the private sector, but they choose to remain anonymous, so I don't tell you who they are.

So very quickly, a little bit of story about the Pit. It was something that was completely new; it was something that was completely popular. I mentioned there the books: Spaf's, the Cabal of the Curmudgeons, that's his book on the left there, Practical Unix and Internet Security. The book on the right, written by gentlemen named Cheswick and Bellovin. I should give the other guy, Simson Garfinkel; I've met him virtually, never met him in person. Firewalls and Internet Security is sort of the story of two guys that, similar to a person on the next slide, working at universities, because that's where the internet was, with mainframes, discovered some hacking activity and tried to figure out who they were and tried to track them down and catch them. The most famous one being Cliff Stoll, who wrote The Cuckoo's Egg. He worked at a university. Back in those days you had to pay for your time on the mainframe, and he was going over the monthly bill and noticed something like a 75-cent discrepancy in the bill, and investigating that led to ultimately him discovering that there were East German hackers, back in the days of the Soviet Union and the Cold War, that had broken into this university mainframe and were stealing government research, because that university happened to be doing classified research for, you know, places like maybe that I used to work for.

There's a gentleman... I put this slide up a little while ago because I spoke at a conference. That's a gentleman named Winn Schwartau. He's been writing about the coming information warfare for probably about 30, 35 years. He was speaking right after me at a conference, so I put it up there and I said that was early FUD: fear, uncertainty and doubt. Because we were new at this, because the whole thing was new, we were initially doing it just for the classified systems within the DoD. But somehow word got out on the street that we had this capability. Word got out, and we were approached at some point by the Department of Justice. The Department of Justice wanted us to do a penetration test, try to break into their internet-facing systems.

This is kind of an important story for me, because it did shape my career path, as it were. We were contacted by the DoJ, and I was working at the time, I was sort of the business leader of the Pit because I actually had a business degree from college, and I was working with the lawyers trying to figure out how to make this all legal, how to streamline the process, how to have a process. At the time it was known that NSA was only supposed to do work on classified systems. The DoJ systems were unclassified; that was the purview of another organization called NIST, the National Institute of Standards and Technology. At the time, though, they were known for not having any technical capability in the area of internet and network security, so that was often deferred over to us in sort of a back-room arrangement of some sort. But we were trying to do the right thing, so the lawyers said, well, you need to have the cabinet-level position ask for a favor, basically. So the Attorney General at the time, Janet Reno, she had written a letter to the Department of Defense asking for this service. This is the letter going back from the director of NSA at the time, General Minihan, saying yeah, we're happy to do this, this is a project that we'll take on. This was after several months. I mean, this letter is dated August 21st; I think they approached us in like March or April of that year. It took months to work through all the bureaucracy and the politics. You'll notice my name is up there as the point of contact, but also that date is very important, because this happened on August 17th, the weekend before the letter was to be delivered. It had already been signed, but it just had not been delivered to the client yet. The very first government hack, government website defacement, happened to the Department of Justice.

I get into the office on Monday morning, get a call from the client, the Department of Justice person, and he said, help, we've been hacked, we've been breached, it had never happened before, we need help. So I set out to figure out a way to get through all the bureaucracy and get down to Washington, DC, to DoJ headquarters. So I hung up the phone with him, picked up the phone with the lawyers and explained to them what happened and said, what do we need to do to get down there tomorrow, to get a team down there? There wasn't really forensics back then either. There wasn't anything written down. There were no training courses or anything like that. So we did go down. I jumped through the hoops that I needed to, got down there on a Tuesday. By Thursday I got a call from somebody back at the Pit saying (I'm just going to quote it, so I apologize), "Jeff, the shit's hit the fan. You guys gotta drop what you're doing and come back now." So apparently somebody whistle-blew on us and somebody had gotten wind that NSA... (That's only... I have a lot longer than that. I've got like an hour and 15 minutes, just to keep it in mind, which is dangerous because I'll just tell more stories. Where was I? Oh, got to go back.) We go back, I get yelled at, I was put on double secret probation. I learned years later that they were not only trying to get me fired, they were trying to come up with information to prosecute me, because of something that I learned about that I never knew before, something called the NSA Charter, which was based on something called the Church proceedings. The Church proceedings was a government subcommittee that was formed after the Watergate incident, which was back in the early 70s. This is ancient history now. But the result of this study that happened after the Watergate break-in during the presidential campaign of '72 was, it's like two volumes, but basically it said NSA, CIA, FBI have a lot of power and a lot of capability but really no legislative oversight, no rules, no boundaries. And so the result of these Church proceedings was to give boundaries to each of these agencies. NSA had the NSA Charter, which I knew about, and it basically says that NSA can't do what NSA does to US citizens. So when you're doing the ethical, white hat, good guy, whatever we call it these days, red teaming exercise, technically NSA couldn't do that. So that's where we got in trouble. That's where I got in trouble.

This is very rare. We weren't allowed to have cameras in our offices, we weren't allowed to have recording devices, we weren't allowed to have transmitters, and I honestly don't remember how we got a camera in our office, but this is actually a picture of my cubicle in the Pit, and my friends, the other members of the Pit, had found police tape and decided to quarantine my desk area. Little did NSA know that you shouldn't let a hacker have access to his workstations even though they'd locked his account, but that's another story for another day. But interestingly enough, when I was putting together this talk this year, I realized, geez, that happened at the end of August, and I left NSA by the end of September. That really did alter my life, and it got me out the door and into the private sector, which is where I am now.

More of that story, the way that we developed the Pit, the way that we developed our methodologies for doing pen testing, ethical hacking, vulnerability assessments and so on and so forth, is chronicled in More Tales from the Crypt, which you can find on YouTube as well. Which finally gets us down to... this cartoon was given to me by a girlfriend back in college, and I think it sums it up very nicely. I'll let you read that a minute. But it brings us back to, or down to, this talk today. This is the third installment in my life story. It started out at the beginning of the year. I thought PCI version 4.0 is coming out, I should give a talk on PCI. And then I thought nobody wants to hear a talk on PCI. But I thought it might be interesting to talk about how I got from NSA pentester, cryptographer, to PCI QSA, which is sort of the tale that I tell today: what happened from late 1996 up until 2004. So in terms of the history books, that's the time frame.

I had already been, as many of us were, talking to a bunch of different companies, thinking about going out into the private sector because it paid better. We had these illusions of becoming rich and famous because we could solve the security problem by breaking in and telling people what the holes are; they'd close them and fix them and everything would be good. Yes, we were young and naive. When I was under double secret probation I started talking to all these different companies one bit. So I went to work for a company that doesn't exist anymore called Computer Sciences Corporation. I was only there for six months, because right after I started, the gentleman that hired me left to go out and start his own practice at another company, so I was just kind of stuck there as a government contractor; nobody knew what to do with me. Hacking lore: I used to work in the same office where another hacker named Johnny Long worked, so I met Johnny Long in the late 1900s. He wrote a book on, was it Google Hacking, is that what he wrote, among... he's written several books. So I ended up working for another government contractor. I went looking very quickly and I landed at a company called Nichols Research. They were another government contractor, but they were interested in setting up a commercial professional services practice doing the pen testing, vulnerability assessment type stuff, but focusing on the private sector.

It's hard to put this in context. This is late 90s. I mean, the industry of red teaming and pen testing and all that really boiled down to, back in those days, try to break into the company's network, because they were just plugging into the internet as a backbone, and about the only security tool or protection there was out there was a firewall, and there were only really like two or three firewalls on the market. You know, if you went to a big trade conference back then there would be like three vendors sitting at a table; you had three choices of firewalls. There was one vulnerability scanning company or two, and the very beginnings of what was called intrusion detection. But we wanted to do the consulting and advisory work, because we were knowledgeable and we believed that the way that you explain security to people, or solve the security problem, is not by throwing a bunch of technology at it. You've got to understand that it's a problem, it's a process, it's something you do.

SANS was in its very early stages of existence; I think they got started in the mid-90s. They used to put out these posters where this is everything that had to do with security all in one page, you know, two feet by three (I'm sorry, two-thirds of a meter by a meter; I'm sorry, I'm from America, I try to translate). All the companies that did all the different things would be on the back page, and our group was actually listed as one of the penetration testing services. But look who else: it was mostly, back then, accounting firms. It was firms that were accustomed to already having very deep connections into companies, and why not pick up one more revenue stream? Yes, I do have something against the big accounting firms and big IT firms, because we were competing against them and we actually knew what we were doing and we were pentesters. I'll probably offend some people, but you know, I learned from doing it. I didn't learn from a book, I didn't learn from taking a class, and I don't have an accounting background, although I do have a business background. More lately I've realized that accountants are good for things; another story for another day.

But this was essentially the methodology, and we called it pen testing, but it was really a vulnerability assessment, because we would ask our prospective customers, do you want us to just break in and see if we could break in, or do you want us to find all the holes and all the ways that we could break in? And they invariably wanted the latter, so it was invariably what we call a vulnerability assessment. But the fun thing was actually penetration testing. Penetration testing, by the way, the methodology that we've primarily followed, and what most companies that do it to this day follow, is the methodology that was presented in a movie called Sneakers. Anybody old enough to remember the movie Sneakers? If you're young, add this to your watch list. I think it's on one of the streaming channels; I watched it not too long ago. There is, of course, a famous quote in this movie where the quote-unquote bad guy, Ben Kingsley, is talking to Robert Redford, and he's saying (and I always have to refer back because I can't remember anything these days), he says: "There's a war out there, old friend, a world war, and it's not about who's got the most bullets. It's about who controls the information: what we see and hear, how we work, what we think. It's all about the information." Keynote life lesson number three: it's all about the information. If you don't know that already, learn that.

So, pretty basic. And again, this was companies that primarily already had local area networks, but they were starting to plug into the internet as a backbone, and it was based on military tactics in some sense: recon, figure out what's out there; plan your attack; learn what the possible holes are; and then go break in and try to get as far as you can, and recover, and get to as many places. Not a lot different from
what's out there today, but we didn't have all sorts of training courses and degrees and certifications. We were kind of figuring it out as we went along.

I mentioned there were a few products out there, one of which was ISS. They were sort of one of the early big vulnerability scanners, and they were all in it for the money, very expensive, and the idea was to buy all their solutions and you'd be secure. They were eventually acquired by IBM; I think the IBM X-Force is still the remnants. I don't know if there's anybody there from the old ISS days at this point. They were also very much into real cool marketing. RealSecure was their early attempt at intrusion detection, and they put out this graphic. Again, this is probably '97, '98. That's actually the good guy, by the way; the bad guy, the hacker in it, is this scantily clad woman. I apologize, but this was marketing back in the late 90s. But they had a little bit of a sense of humor. Again, if you remember comic books, they had the old Charles Atlas type of ad at the back page of the thing. It got pulled very quickly.

We needed to use a vulnerability scanner. Right around the same time, like within a week of when I went to work for Nichols, I got a message that this guy up in Calgary had started this company called Secure Networks and put out another scanner called Ballista, and I thought, great, an alternative, I'll use Ballista. So I corresponded with Alfred over email, became one of his early subscribers to his product, and we used it for quite a while. And I've been coming to Calgary for the last couple of years, and it only occurred to me this past year: Alfred's in Calgary, I need to try to visit him. Hasn't happened yet, but it will, hopefully. His company, Secure Networks Incorporated, mostly just did this vulnerability scanner, and that's not even what they called it back then. Notice it was back in the days of Windows NT; that's how far back we're going. This is a description of Ballista. I liked it mostly because it was an alternative to what everybody else was using, so we could be... it was a discriminator.

There was a guy that worked for their company who put out the definitive paper, again back in the late 90s, on how to evade intrusion detection, which, to paraphrase (it's probably a 50 or 60 page article; I still have a hard copy of it): go slow. Again, going back to the movie Sneakers, there's a scene where they have to break in and steal something where there's a thermostat that's detecting an alert on the heat of the room, so if a body walks in, it's going to raise the temperature and trip it. So they hack in and they raise the temperature, and there's a motion detection system in place, but they realize, well, if you move at like two inches a second or whatever, you can basically fly under the radar. So there's a scene where Robert Redford's going very slowly, and it probably takes them an hour to go 10 feet. It's a little Hollywood, but you get the idea.

The good things that came out of Secure Networks. What was very common in those days for security startup companies is if they had a product, they had something cool, they got acquired by one of the big IT groups or one of the big companies that was trying to become a security company. So they lasted about a year, very common, and they were not alone. Other companies that got snatched up by Network Associates: McAfee Antivirus; PGP, which was an encryption tool; network sniffing used to be done with hardware, there was a network sniffing company, they got bought up; and then some other McAfee product. Again, 90s marketing, for which I apologize. This is history. We were angry at the time, though, not that there was a scantily clad woman portraying a hacker; she was hacking with Windows 95.

Some of the more respectable, famous companies were people from the DoD and NSA who went to work... TIS, Trusted Information Systems. They produced one of the first commercially available firewalls. WheelGroup: the guys that started the WheelGroup were based primarily in Texas and they were working for the Air Force, where the first security operations center was set up, so they came out into the private sector and they had basically early intrusion detection response tools. All these companies got snatched up very quickly. WheelGroup was acquired by Cisco. Cisco has been trying to be a security company for over 30 years. The guy that's sometimes credited for
being the inventor of the firewall, although he will disavow it; he doesn't want to take the credit. Marcus Ranum. But he wrote code that was in a lot of the commercial firewalls for decades. He worked for Trusted Information Systems. They had a consulting practice; I had interviewed with them. When they got acquired, they got rid of the consulting practice, so one of the members of our team, if you see there it says Trusted Information Systems, that was the person that used to run their consulting practice. Then of course myself from the National Security Agency. We had somebody from the Securities and Exchange Commission, White House, and so on and so forth. So we had a pretty experienced team, but we were small; nobody knew who we were.

We used different tools back then. It was very common to connect to the internet over a modem, on a dial-up, and so there was this thing called war dialing, where you'd call phone numbers and see if a computer answered, à la the movie WarGames back in 1983. There were publicly available programs, but this particular package was put together by one of my mentors, a woman named Becky Bace. She was another one of the true pioneers. She was one of the founding members of the Cabal of the Curmudgeons. I was inducted into the cabal in 2017, and she was one of my sponsors to get into that cabal, and she passed away a few months after that. If you don't know anything about her, she wrote some of the early books on intrusion detection. She was literally talking to the man at NSA when we had the Pit thing going on. She was talking to all the old managers, all the old white guys, saying, you don't understand what they're doing, but they need to do it, it's important, you need to back them up and leave them alone. So she was very much instrumental in my career as well, so I just like to give her a moment.

Some of the companies that were our clients. Obviously we still had some ties to the government. One story I'll tell, I wish I could find a slide for this but I can't: we were doing a pentest of a government facility, a major se... re..., I forget what MSRC stands for, but basically they had all the four or five different mainframes, the best, fastest, strongest, most powerful computers of the day, and it was at a research facility where they were trying to do fabulous new things with the technology, like learning how to stream video and learning how to do holographic images and all sorts of stuff that we take for granted today. They hired us to do a pentest. They were run by the Army; they are located at Wright-Patterson Air Force Base, which is in Ohio, which is Air Force. We had gone through all the rigmarole of getting permissions and getting our get-out-of-jail-free card and deciding what times we were going to be there and what were our windows of opportunity. Somebody forgot to tell the Air Force, which was the tenant; we were really on their network, or trying to break into their network. So I woke up one morning and there was an Air Force CERT advisory, Computer Emergency Response Team advisory, issued against us. So I've actually had a CERT advisory issued against me. Because it was Air Force, it's classified, so if you go to the Wayback Machine I can find the page where it was listed, but they didn't capture the other part. So someday I hope to find it.

We were working very closely with another Maryland-based company called Digex. They were one of the first hosting providers. You could arguably say they were one of the cloud providers, because guess what, cloud is just hosting. So we were their partner; we had co-branded marketing literature.

Quick story: this guy, Amit Yoran, he's currently the CEO of Tenable. He ran this company called Riptech, and Riptech was a company that we were working with, because we were doing the architecture work, we were doing the pen testing, all the fun stuff. We didn't want to do the firewall installation, so we farmed that off to this third party company called Riptech. Shortly after he became CEO, he replaced Ron Gula, I met him, and I was saying, you know, we have this common background, because I used to work at Nichols and we used to give you a bunch of work. And he said, oh my gosh, you're kind of responsible for my success, because at the time he wasn't sure he wanted to get into cybersecurity, he wasn't sure if it was a thing that he wanted to do, but we were giving him so much business he thought, heck, I'm going to stick with it. So there he is. So Ron has me to thank for his career, and Amit has me to thank for his career. You're welcome, guys.

Of course Digex, like everybody else, they got acquired, so they became Intermedia Communications, but they brought us with them. The guy that owned Digex, a guy named Chris McCleary, took the proceeds and started this other company called USinternetworking, which really was truly more one of the first cloud providers. Their idea at the time was they would host all the expensive programs and lease them out to customers, but they'd be responsible for the administration and the maintenance. This is back in the client-server type of days. Again we became their partner, but they also hired us one
time to do a pentest. Just to confirm, I really do have till 10:30, right? Okay, and I have a clock there, which is brilliant.

During my cleanup I found the actual two or three page pentest report write-up, so this is the actual pentest report write-up. The guy that was their security manager got fed up with talking to management about "you're not giving us enough money and resources to do the things we need to do." He got in touch with me and said, okay, you've got a weekend, you know, it's in there somewhere, 48 hours, do as much as you can do, as much damage as you can. So we broke in. We found out that their single point of protection, a firewall, which was mostly what we had back then, didn't do much to stop us. How did we get in? We found a misconfigured SQL Server. So how did we break in? SQL injection. That's what we did. We didn't call it that back then; we just knew that we could add stuff to the end of streams that we would send to a particular port to a SQL server. We were able to get to everything. We got in, we immediately set up a base camp and set up a secure shell tunnel out, and they had intrusion detection systems in place, but we were going over authorized ports, and we were initiating, once we got in, our activity from the inside out, which was implicitly trusted in those days. So we got Unix passwords and cracked them; we even got Windows NT passwords and cracked them.

Ron Gula, the guy I used to work with in the Pit, was actually working at USi at the time. He was so fed up with what we were able to do and the inefficiencies of the prevailing intrusion detection tool that they had at the time that he decided to start his own company and write his own software. So his first foray into cybersecurity was an intrusion detection product called Dragon, and his company he called Network Security Wizards, and you know, that lasted 15 months before he got acquired, and that gave him the proceeds to go ahead and start Tenable ultimately. So Ron has me to thank for his career twice, by the way.

One of the guys that was our customer at Digex got involved with some people from a company called META Group, which was kind of like a Gartner type group at the time. They wanted to start up a company that was security focused, as a spin-off, so they talked us, basically our whole practice, into going to this startup called META Security Group. It was the dot-com craze, so it doesn't really have a happy ending. We had kind of an identity crisis: we were META Security Group, then we were MetaSecure eCom Solutions. But this happened during that time. I don't know how much of an impact that this had in Canada; I imagine that you have some sense of understanding of it. It was an amazing time from a cybersecurity consulting perspective, because we'd been going around for years telling companies that all sorts of bad things could happen because of all the things that we were seeing in terms of vulnerabilities and weaknesses in their network, and all of a sudden they were paying attention and they were very focused and they were listening, and it lasted for at least nine months. It was amazing.

Some of the good things that came out of META Security Group: there's a guy, probably most of you don't know him, but he started a company called Ardians; it's one of the better, you know, high-end pen testing companies, at least in the United States. The guys that were on my team went to work for another company, and they've been responsible for the Crack Me If You Can contest at DEF CON for like the last 20 years or something like that. One of the people from META Security Group is on the board at Black Hat. So, you know, we had people that did stuff and continue to do stuff.

But I was frustrated, because after going around and talking to companies for several years and trying to explain to them why they needed to do security and why they needed to set up a policy and have a plan, all they wanted to do was, well, just tell us what we need to buy. You know, tell us how many firewalls and where to put them and what blinky box needs to go where and what color should the light be. And we'd pentest them every six months, and the same way we got in the previous six months was the same way we got in again; the same passwords were being cracked, and so on and so forth. It was a combination of that, and the guys that I was working with were younger and much more into the technology, and they were more into the automation and writing scripts on the fly. But I was like, yeah, there's got to be a better way to get through to people and get them to understand this, because it's not enough, apparently, to stick their nose in it once you've broken in and said you've got root access to everything and own everything.

About that time I decided to go to work for a company that was called
Trustwave, and shortly after I went to work there it was acquired by a company called Ambiron. But they did this thing called PCI, Payment Card Industry. It was late 2004, and I was handed version 1.0 of the Payment Card Industry Data Security Standard, and I was told, here, read this, this is what we're going to do. And I read it and I thought, this is actually pretty decent. This is a pretty good high-level comprehensive summary of everything you need to do to protect your organization, both from a technical level and from a policy level. And I would say to this day that it's still a pretty decent overview, and it's 20 years old. There aren't a lot of things that are this detailed, and we can argue whether it's detailed or high-level, that have been around and made as much impact as PCI has for the last 20 years. I'm not here to pitch PCI, but that's just how I feel about it. I try to recommend to every client that I have: pay attention to this. Don't just do all the paperwork part of it because it's necessary; do all the paperwork part of it as a guide, and especially all the documented procedures. Write it so the next person can do it. The policy is what drives everything. You've got to have the stuff written down so you know what to do with all that technology that you necessarily need to purchase these days. I don't like the technology, but, you know, I concede that we're kind of stuck with it.

These are some of the clients I've had over the years, and those are some pretty major brands. I've had clients in Canada for several years. What I liked about PCI most, though, was that while the clients that I was working with didn't have any better understanding or necessarily any better interest in security, they at least knew they had to do it, so they were sort of a captive audience and would listen. But my goal was always: no, I don't want you to just go through this just to go through it. I want you to go through it and understand it, and understand why it makes sense to do all these different things, because all the different requirements in PCI grew out of breaches and grew out of attacks that had happened to other companies. It's a hierarchy of response to bad things that have happened.

I'm allowed to say that I worked for these companies. TJX Companies, they were famously breached back in the late 2000s, 2007, 2008; I was their QSA for six years. The same hacker group also knocked over Heartland Payment Systems. They were a payment processor, are a payment processor; they're supposed to know better, but they didn't. And I'm allowed to say I worked for them because that was publicly available, because Visa and MasterCard list all the PCI compliant service providers. The New York Times: when I went to work for them, they actually owned another newspaper called the Boston Globe. New York and Boston in the US have sort of a big sports rivalry, so it was kind of a secret that they owned the Boston Globe; they didn't like to advertise that. But the Boston Globe owned a regional newspaper that was out in the western part of the state of Massachusetts, and somebody there at this small town newspaper had tried to print something off their subscriber database, didn't know what they were doing, and ended up dumping their entire subscriber database and printing it out on that old IBM paper that was kind of green and white lines, that had the holes on either side, and it just spewed out this big huge stack of paper. And they thought, well, this is a waste, so they put it in the recycle bin. And somebody saw this big stack of paper in the recycle bin and thought, well, that's a waste, so they pulled it out and they used it to wrap up the bundles of newspapers, you know, 50 at a time, 25 at a time, that they were then sending out throughout the state, until one convenience store said, hey, I was looking at the paper you wrap the newspapers in, and I'm seeing like bank account numbers and credit card numbers. So the New York Times had this incident.

PCI 4.0 is here now. You know, you should know that by now.

So in the last few minutes I'll get to the keynote-y portion and vent a little bit for you guys. And I'm going to say what I'm going to say; I'm not going to say it, I'm going to let you read it. This slide deck that I'm going to show you now is from, I think, 1998. I'm not changing it. The words are what we said 26 years ago. This is why you need to have security. This is why you need to have a program in place. Don't worry about taking pictures of this, by the way; I'll have a QR code at the end if you want to just get a copy of this slide deck. A lot of people like these slides and like to take them back and show them to their managers.

What makes the network insecure? It's not the lack of technology. It's the lack of really knowing what you're trying to accomplish with security, based on not having it written down, not having it sort of chartered
out. This is what we said that you needed to do. We were teaching that security is an ongoing process. It's a verb. It's something you do; it's not a state that you achieve. I work with clients that want to get to the finish line and be PCI compliant, and I've been trying to explain to them for 20 years that you're not done there, and the PCI program has been trying to say for 20 years, no, there are things that you're supposed to be doing throughout the day, throughout the year: daily, weekly, monthly, quarterly, and so on and so forth. 20 years in, a lot of people still don't get it. But this is what we were teaching way back then, and I believe this lesson less today, but I still think it's true. I think maybe someday technology will solve everything. I think that's what we want; we want just everything to be secure and not have to think about it. Maybe we'll get there someday, but I don't think we're there yet. Until then, we need to have policies around all the things that we talk about that can go wrong. The people being the weakest link, you hear that one a lot. I happen to think that process is the weakest link, because lack of process, lack of procedure, lack of consistent ways of doing things is what ultimately causes just about every breach that you've heard about. I mean, pick a breach; we could sit down and talk about it, and I'll tell you it was a process failure ultimately.

What's an information security policy? It's your plan. It's your strategy. It's: what do we have that's worth stealing, what do we have that's worth protecting, what do we have that's worth putting money up against? What it's not: I feel like these slides should be reversed, because to this day this is what most people think policy is. Oh, we've got to go through the documents, we've got to have it all written down, I have to rewrite all the statements out of the PCI standard and change "shall" to "must," and then we're done. I'm not giving you enough time to read it, I apologize, but you get the point. This is not a new message, and we're still working on the same message 20 years into it, 30 years into it, 40 years into it. And again, you can have access to these slides later.

This is changing, but I still think senior management, they don't really get it. They don't fundamentally understand security, and they don't necessarily need to, but they need to trust the people that they've hired to think about and to worry about security. How many people have failed a phishing test at their company? Oh, come on, be honest, every hand should be up. I don't believe any one of you. Did you get fired for it? Did you get fined? Did you get reprimanded? Or did you have to take some stupid 10-minute video, the remedial training, and magically you're more aware? What makes it work: you've got to believe in what you're writing down. It's not just words on paper. You've got to have consequences; hopefully it's positive love and attention to the people that are the offenders in the organization. But remember, it's something that's ongoing. When we first pitched this back in 1997, 1998, we talked about the security life cycle process being 12 to 18 months. I would argue these days the process is the same, but sometimes it's 12 to 18 weeks, sometimes it's 12 to 18 days. I mean, we're living in a much faster world these days.

And I'll say we were wrong. A lot of what the premise for security was back in those days, not we specifically but we as an industry: we built security based on this belief that we would establish a secure perimeter, that what we had to protect our networks against was the internet, which was displayed on our Visio diagrams as a cloud because it was an unknown. Now where's all of our resources these days? It's in the cloud. So the ideas of security, which are based on military tactics that go back thousands of years, putting your most sensitive assets in the innermost part, it's where you get ideas of defense in depth and so on and so forth: it worked up to a point, but it doesn't exactly scale for what we're dealing with these days.

I'll let you read some of these slides. This is from META Security Group, so these slides are probably from 2002 or 2003. There might be a date on there. Somehow I flipped that logo; I'm not good at technology. Now the technology's changed a little bit. Like, you know, we don't talk about clicking on attachments in email; now it's about clicking on the link, but it's the same concept. Patching, you know, that's not a problem anymore, is it? We've solved that problem. Backups: that used to be how we protected against the malware attacks, but now even our backups are being protected. I can't tell you how many times I checked with organizations, because backup is a PCI requirement, and then we'd say, do you ever test your backups? Huh? Have you ever tried to recover your data? Say what? And when they would do it, 80, 90% of the time the backup didn't work. But, you know, they were checking a box; they had backups. "Using a modem while connected": you know, replace that with Wi-Fi. Wi-Fi is everywhere. Seven mistakes that senior executives make: I'd like to think some
of this is changing, but, you know, they're not paid to focus on information security, cybersecurity. These are just ones that I'm highlighting; you can agree or disagree. Replace "the firewall" with, you know, fill in the blank, but most people believe, especially in executive positions, that security is something you drop in place and you're done and you don't have to think about it. I think most people think that. I think that's the goal: let's make everything secure so we don't have to think. And I guess my message, as a keynote fourth point, is: now we have to think, and as long as we still have to think, we have to do all that other stuff, but the thinking is the key.

"Well, we've never been hacked before, we haven't had a problem yet." Still hear that to this day. And then the IT groups, the admin groups. Let's just cut to the chase. I mean, you can argue with me, but I don't think I'm wrong.

Updated slides for the day. Over the weekend, since I was here, I did some sightseeing, and I went to this Indigenous Peoples Experience at Fort Edmonton. My client was very gracious enough to take me on a little field trip on Saturday. I highly recommend going if you haven't been there; very fascinating history. You know, I grew up in the United States; we have our own issues with minorities, but what Canada is doing is very amazing. But I learned something, and I think this is how I would like to redefine curmudgeon, is basically what I'm getting at. I apologize if it's hard to read; there's very variable lighting in the place and I was trying to take pictures of a lot of words. But again, you know, these slides, I'll have to update the deck on the website. But I want to be known as an elder. I think I call myself a curmudgeon. What does a curmudgeon mean? I'm an elder. I've lived the life, I've learned the lessons, I've danced the dance, and hopefully at this point in my life I'm teaching and can pass on some knowledge to the next generation that's rising up. So, as an encouragement to you, you should all be aspiring curmudgeons.

Anyway, that's the QR code, although I apologize that last slide won't be on it. But if you want to get a copy of this deck, that's the easiest way to do it. This slide deck is way too big to email to anybody that wants it. Another possibility, if you want to hear more about my origin story and can't find those Tales from the Crypt...Analyst talks: there's a podcast called The Team House, and if you just type into YouTube "Team House NSA," they interviewed me back in April and they let me talk for three hours. Also, find me later out throughout the day. I do have a limited supply of stickers, not just from this talk but from all three of my talks, so if you're a sticker collector, and if you're a hacker you have to like stickers, that's one of the primary requisites, hit me up and, as long as they last, I'll give you some stickers. And I think there's five minutes left. I'd be happy to answer questions. I'll be happy to hear questions; I'm not sure I'll answer them. But anybody have a question?
Okay, here. Oh, there we go.

So without a compliance driver, it's very difficult to get companies to buy in to making changes to their security for the better. What would be your recommendation for that, if there's no compliance requirement?

I don't know any other... The question is, without compliance and regulatory requirements, a lot of companies don't do the stuff they're supposed to be doing. I agree with you. True. That was a true-or-false question. I'd recommend a large stick. What I recommend: compliance and regulatory standards. I've not seen anything else that works at scale. There aren't enough companies out there that are just going to do the right thing, because they're profit-driven companies, and they've got a financial statement, and if they don't have to do it, they're not going to do it, largely, with some exceptions. Next.

So you mentioned that there was kind of an encryption strategy with the disk. (Yep.) Right back in time, in 1993 I guess, I was working for one of the companies; they were making a database for another company, they were making software basically, and they approached me: is there a way to make sure that nobody uses my code? So I came out with a plan to cut a CD, oh sorry, a disk at that time, five and a quarter inches, sorry, that's what they cut it, and I actually cut it with the blade and made a disk copy of it, wrote some code, and I had the code match it. That way, it used to work at that time, to make sure nobody uses it. So I'm just sharing.

I probably would have broken it, but just saying. Any other questions? Question here. If you have to leave, that's fine; you can clap on your way out.

Hi, I'm currently a student, actually enrolled in the cybersecurity program, and I was wondering if you have any advice to give people who are just entering the workforce today.

Try everything. Expose yourself to as many facets of this vast career that you can look at. Don't think, oh, I want to be this, and just go for that. Expose yourself to everything. Try to find something you like doing, try to find something that you feel like you have the aptitude or the potential to get better at. If you're really lucky they'll be the same thing, and then do that. You're welcome.

I just want to address the unicorn in the room. This is Rainbow. This is the best 25 bucks that my wife ever spent at clearance at a Target in Lake City. We took Rainbow to the last DerbyCon, and trying to get a six-and-a-half foot tall unicorn through a revolving door at a hotel is fun. I was telling this story about Rainbow to Jeff at DEF CON, and he said, I'm pulling my speaker rank and putting in a speaker requirement: I have to have Rainbow on stage with me for my talk. So in cleaning out a closet we actually discovered we have a backup Rainbow, and apparently I have like a whole army here, so that's why. So I want my hacker handle to be Dances with Unicorns. Yeah.

Any other questions? I want to thank you for your time. Thank you very much, Jeff. Enjoy.