
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a Certified Information Privacy consultancy. I’m a privacy consultant and Certified Information Privacy professional providing practical privacy advice to overwhelmed companies.


Justin Daniels  0:37  

Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.


Jodi Daniels  0:55  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields including technology, ecommerce, media and professional services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit Today is going to be super fun. We’re going to have a why. Oh, basil, the dog is really excited.


Justin Daniels  1:32  

I see. I see you’re looking very summery in today’s workout fifth,


Jodi Daniels  1:37  

and Dede, Sal, why are we going to Hawaii because our guest is sporting a really fun Hawaiian shirt. Dahvid Schloss is the managing lead, offensive security, at Echelon Risk and Cyber. As an experienced professional with over 12 years of cyber attack and defense experience, Dahvid has previously worked as a red team operator with a big four consulting firm leading and conducting adversarial emulation exercises. Welcome to the show.


Dahvid Schloss  2:10  

This is this was a fun intro. I like that. Especially the little little drumroll.


Jodi Daniels  2:15  

Ah, yeah, we trying to have some fun around here. Yeah,


Dahvid Schloss  2:19  

it quickly. I’ll just apologize real quick, because my internet’s been wonky today, thanks to good old internet provider. Right. So if I cut out, just let me know.


Jodi Daniels  2:30  

We all make it all work. Sweet. Excellent. You’re gonna get started.


Justin Daniels  2:35  

So we always like to ask our guests about how your career evolved to your present role. Yeah,


Dahvid Schloss  2:42  

this is always a fun one. Because I came from a very, I would say more unique background, right. So I started my career in the military as an IT administrator. More specifically as an Exchange 2003 administrator, which is like the pinnacle of being the worst Exchange possible, which is like your mail protocols, right? From Windows. I did that for a little bit. It was a good time. It was a fun time. But it wasn’t really like anything interesting. I didn’t get excited into it. So eventually, I decided to follow my heart. And I applied for a special operations position. And ended up getting picked up, went through that, went through selection, which is basically like a six month interview, where you’re doing everything from the teaching exercises all the way down to the physical, all that jazz, right, you failed any part of it, then they’re gonna kick you out, got through that, I ended up becoming a what they call an RTO, radio telephone operator. So I was handling communications for small SOF teams, or special operation forces teams. In the middle of nowhere is right. So I would handle everything from the satellite communication all the way down to the endpoint detection and what’s the word I’m looking for? Administration, AWS and technologies that I personally don’t have a whole lot of experience with any, you know, it was a great time. But eventually I started to find out about cyber right as a as a security aspect and hackers and all that stuff. It interests me in the in the past, but I really never got into it. I had found out through one of my deployments that there was a a cyber team essentially like a very exclusive and very hard to get into cyber program that the Special Operations Command runs. I decided I was going to apply to that. Got the got them to accept my application and then yet again, another assessment process. Right. 
So that’s six months of, of just grueling, grueling learning everything from how protocols work all the way up to, you know, how do you exploit them. And this particular course was a zero fail course, which meant you had to get 100% on the test, or you weren’t, you weren’t making a pass, if you failed, you’re out, there’s no second chance. So extremely stressful. It was a terrible time. But I ended up graduating there. I was number 58. As a graduate for a course that has been running for about 10, 11 years at that time. So super proud of that. That was exciting. I did that for a couple years doing special operations OCO, or offensive cyber operations. So I got to do some really, really cool hacking for the the United States of America and its allies, got to see some really cool tools. Learned a lot. But I had injured myself prior to going into that role from my old job. So I ended up getting out of the military. Once I got out of the military. A good buddy of mine gave me a shot at at a big four firm as a red teamer. And then I started doing this commercially. And then, you know, the rest is written in stone. And did that for a couple of years, came here to Echelon. And now I run, I run our offensive security


Jodi Daniels  6:38  

service. So let’s talk a little bit about red teaming. Because many people might have no idea what that means other than I’m the red team and someone else is the blue team. Can you help explain what that is? Yes. What how it ties to the land of security?


Dahvid Schloss  6:56  

Yeah, of course. So Red Teaming is a concept that’s actually borrowed from the military. In the military, there’s a phrase it’s called, or that is that said, as you train as you fight, right, so when you’re gonna go deploy, you go through some deployment training, where you learn combat techniques against the perceived enemy at the time, right? So if you’re fighting a guerrilla warfare centric force, your opposing force that you’re training against should be emulating guerrilla warfare. And so it’s this idea of like, really getting into your head, okay, this is our tactics. This is how we’re going to go ahead and combat that. So in red teaming, and like a lot of cyber principles, we’re doing exactly that. We’re coming in, and we’re emulating truly how a criminal would act in this sphere, not just a criminal, but also like nation state criminals, right? We might, we might say that spies aren’t crimes. But let’s be real here. If it’s against a different nation, typically, it gets prosecuted as one, right? So it doesn’t stop at just like a normal pen test, a pen test, you come in, and you’re like, oh, yeah, let me just go ahead and hit anything and everything that I possibly can. And I’ll give you a report that says here is all our findings, we were able to get to domain admin, we were able to exploit this machine, so on and so forth. Red Teaming is like a very direct kind of testing. When we go in as a red team, we’re not going in with the idea to just exploit anything and everything. Usually, there’s the trusted agent will provide us with a list of objectives like, hey, I want you to steal this PII. Or I want you to execute ransomware right in some form or fashion. Of course, the ransomware is neutered, so it doesn’t actually do any damage. But getting to the point where you can commit those acts of criminal behavior is important. So nothing’s really off the table. Right? The Bangladesh bank heist started with physical a physical attack. 
And those North Korean actors were able to pull out close to a billion they didn’t get away with a billion, but they were able to pull it out. Right. So red teaming gives this ability for companies to have a really unique viewpoint into how well are their processes and procedures actually detecting criminal behavior.


Jodi Daniels  9:31  

Thank you for explaining very clearly, I think a lot of people will have a better sense of what that is.


Justin Daniels  9:39  

So I’m going to dovetail on a question that you asked when we have lunch with Dahvid which is we read a lot about DEF CON. And somebody I had lunch with recently said you know, the hotel had problems with the hackers because they decided to show off their skills by hacking into some of the Shall we say, hotel customers? So we’d love to get your help educate our audiences, what is the purposes of having these conferences where all the hackers get together and talk about how they hack?


Dahvid Schloss  10:14  

Yeah. So this is this is always a fun conversation, because I think it is one where it’s open to debate, right? And it kind of comes around the same idea of responsible disclosure. For those who don’t know what it is, responsible disclosure is when we find an exploit, we have to privately tell that company before we go and publicly release it right? Or else those companies get angry. And really, cyber is the only industry that does responsible disclosure and hacking conferences are essentially of responsible disclosure, because it’s not selling an exploit straight to the, to the dark web, right? It’s not going out and being like, here’s a new C2 or here’s a new ransomware agent. Instead, it’s coming out in in explaining in clear detail what they found and how they found it. And that not only provides us as red teamers with better ammunition for for our own engagements, but also provides blue teamers or the defense people in the network with ammunition to fix those issues, because if you don’t share the knowledge, then it forever stays as a as a hidden issue. And then the next thing you know, it’s being exploited in the wild. As far as like with DEF CON and whatnot, with its allowance of those who have less than noble intent when they go out into a network. I think even them sharing their stories and sharing the information that they’ve learned from times does provide us with the ability to only get better and stronger as a as a cybersecurity. If we don’t improve ourselves by by talking, you know, and listening to those actual attacks and how people are exploiting it. We’re never going to get better at it as an industry. I think that’s the TLDR right there. I kind of lost my train of thought when I noticed all those packets drop.


Jodi Daniels  12:27  

As Okay, I think it’s kind of fascinating that you have a system out that can tell them.


Dahvid Schloss  12:34  

Oh, I’m just straight running ping onto Google. I don’t Yeah, it’s it’s been a wild, fun time with my ISP. They refuse to fix the issue.


Justin Daniels  12:45  

They don’t know who they’re dealing with. You wouldn’t like me when I’m angry.


Dahvid Schloss  12:53  

I will not. I will not comment on that second piece. Yeah.


Jodi Daniels  12:59  

So you mentioned some of the the areas that you can learn from those conferences. What are some of the common exploits that you’re seeing time and time again?


Dahvid Schloss  13:12  

The the simplest of stuff, right? We like to look at security as like what’s the exciting thing? What’s happening right now? Right? For example, let’s take the exploit BlueKeep, which has an RDP remote code execution. They have an exciting Yeah. Dahvid, I


Justin Daniels  13:35  

have to interject. Dahvid? Yeah. And you use the word RDP and Remote Desktop Protocol. Our audience is not likely all to know what that is. Please continue. just translate that into what we would understand it to be.


Dahvid Schloss  13:52  

Yeah, so now a lot of times I get stuck in, in my pathways, even in the military, like everything is an acronym, right. And cyber is just as bad. So yeah, I’ll I’ll keep walking it through in my brain. But no, so basically, what I what I was saying with remote desktop, the remote desktop protocol, remote code execution, called BlueKeep, is very exciting, right? It’s like, oh, cool. You can get exploitation this way. Everybody went out to fix it. Similar to Log4j. Right? Everybody goes out to fix it. But the most basic, simple things like file sharing between your Windows network, there’s a thing called SMB, you don’t really need to understand what the SMB stands for. It’s just a file sharing protocol, essentially, signing, which I can never remember. I think it’s Samba or something like that. You can sign the communication, pass, pass it back and forth, right. It basically says, Hey, this is legitimate. And yep, I accept that. This is legitimate. By not having that signed, you can actually exploit it. So that it will give you the user credentials of the individual that you’re trying to capture, which then can be later used for cracking the password, and then all of a sudden, you have a new user that you can bounce back and forth to. Um, but that’s been that’s been known for many, many years now, 10, 12 years since the conception of of Windows file sharing, essentially. So just kind of the basic security hygiene, basic security protection. That’s where that’s really where you see a lot of the exploits coming through.


Jodi Daniels  15:43  

What are some of the other common basic security measures that you see companies not have?


Dahvid Schloss  15:55  

That one, too, okay. We’re back. Literally, like watching it to the side. And I’m like, you asked the question, I can see it just start to time out. I’m like, Oh, great. Cool. Now, so I think the big thing comes down to passwords, right? People are still using, if you go out and look at the top 100 passwords in the in the world, people are still using Password, right? Or Password 1234, Password 1234 bang, where bang is the exclamation point. Right? Like, it’s so simple that you can almost spray, essentially to go out and like guess the password for a user base off of the basic one hundreds. If the company is, is located in a major sports city, right, you put the sports team’s name, and then the year and then maybe an exclamation point. And that tends to get a lot of success as well. Right? So just based off the geography of of where these companies are, you can start to guess what their passwords are. And just having a weak password policy can lead to a lot of exploitation. And then you start thinking, Okay, well, how about MFA? All right, yeah. So MFA is a big thing. People are starting to use it a lot. But a lot of companies still use push based MFA. That’s where you know, on your phone, you go through and you’re like, Okay, let me click yes, I accept. So let’s say you figure out the password for something. You do that at 9am. How many times do you see people just kind of go okay, yeah, sure. Go ahead. Right, because they’re logging into their own systems at the same time as well. So you guys are getting past password issues right then and there. So I usually recommend trying to utilize like a password manager, something like LastPass or, or others, Keeper. I mean, there’s plenty in the business out there that are really, really strong. But, you know, yeah. So yeah, that was that was the end of it. It was just like, hey, yeah, get your passwords, set your passwords, right?


Justin Daniels  18:08  

The coolest part of this interview is that you know, exactly when you drop and when you don’t, that alone qualifies you as being a unique guest. I guess I wanted to ask you a follow up about password managers, because we do talk about them a lot on the show, which is, in your view, how secure are they? What I mean is obviously, if someone steals my phone, they’d have to know my digit to get through the Apple iPhone. And then if they could then click on my password manager. So outside of that, in your opinion, how, how reasonably secure are these password managers? Because it is a common point of failure, because if someone gets a hold of that, you’ve presumably put all of your passwords there.


Dahvid Schloss  18:54  

Yeah, so I’d like to say never use a first or second party password manager, right. And by that, I mean, don’t have Google store your your passwords, don’t have Chrome, or Firefox or Apple store your passwords, right? Those are first and second parties. And the reason being is because it’s it’s one step, right? Hey, I exploited your Google account. Now I have all your Google passwords, right? I always recommend using a third party app like LastPass, or Keeper or, I mean, there’s tons to go around here. But they’re they’re usually add ons to your, your, your device or your browser. And the reason why these are nice, is because it’s a different password than what’s on your phone. Right. So like for my phone, I grab it, I put the fingerprint on there. And then I can go to my LastPass app, and I have to put in a different password. So on top of that, I use a little nifty hardware device called a YubiKey, there we go, these little things. So even if you found out the password to my password manager, you’re not going to be able to get into it unless you have the hardware token, which in the computer, all I have to do is plug in the USB drive, I hit the little button and it uploads the secondary. The secondary authentication or with my phone, it’s an NF NFC, I think is the right protocol. So I just like rub it on the back of it, and it goes, Oh, yeah, we’re good to go. So it’s, it’s much more secure in that manner in that fashion.


Justin Daniels  20:37  

So you’re saying basically, there’s a way when I log on to my phone that I could set up LastPass. So that if I wanted to click on the LastPass app, I could get asked for yet another level of code or password.


Dahvid Schloss  20:52  

Correct. Okay, yeah. And then none of that data is actually stored internally to your device, right? That sounds kind of weird and dangerous, where you’re like, Okay, it’s not stored here. On my device, if somebody can’t get physical access, and then decrypt it, it’s stored up in, like, all these third party apps, they use a cloud and they all use a encryption method that not even they can read. So it’s encrypted at rest, that they can’t recover any of that data as well. So it’s not only protected from the attackers is also protected from the companies that are running this. Okay.


Justin Daniels  21:28  

Well, thank you for that.


Jodi Daniels  21:29  

Yeah, there’s your lesson for the day. I know.


Justin Daniels  21:31  

Well, it’s especially useful since now an iPhone can be hacked without them even having to have you click on anything, which to me is downright scary. But that’s a discussion for another day. But now I want to switch to a topic that Wu and I have talked about in the past, which is love to have you talk a little bit about some of your work with auditing smart contracts in the blockchain space, because that’s been a real common point of failure that has led to billions of dollars being hacked on the blockchain,


Dahvid Schloss  22:01  

I think, smart contracts, and blockchain security as a whole is a very interesting space, because, frankly, no one’s cared about it. Right? Look at look at all these big ol crypto coins, right, none of them really went through a security process as far as we can tell. And then with NFTs with their smart contracts. A lot of times, it doesn’t seem like there’s a third party audit at all. And so this is a space that we’ve started actually getting really into, because we find that a lot of times, it’s completely negated as a as a measure to go through and review this code for best practice or security practices. But ultimately, it it seems like it comes down to how how developers are, right. I’m a dev myself, I mean, I write malware, a little bit different of a dev, right, but at the same time, still develop software, and a lot of a lot of devs. We just copy and paste code. We’re like, I don’t know how this works. Let me go to Stack Overflow. Oh, okay. Somebody else figured this out. I’m just gonna copy what they did, put it into mine and change it up just enough. So it works in my code. Is that best practice? Absolutely not. Right. And when we talk about smart contracts, it seems like a lot of these people, because they get paid to just write these smart contracts, right? For whoever the, the artists or whoever the company that’s commissioning them to do this NFT project, they just copy old code, paste it over. And then they’re like, well, we want to do this as well. Okay, I’ll write this in real quick. And because I’m not saying that they’re bad developers, no. So like, the laziness of developers leads to this situation where it’s like, oh, we’re gonna change something up real quick. We’re gonna put this in, but they don’t really like, know what they’re, they’re doing. They’re too complicit or not complicit. What’s the word I’m looking for? Where you’re kind of lazy. Complacent, complacent. Yes, there we go. English is hard, you know.


Justin Daniels  24:13  

But Dahvid the other thing is, they want to get to market so fast. The Business People have no interest in caring about security, because they want to scale and they want to get paid.


Dahvid Schloss  24:23  

Oh, exactly. Yeah. 100%. And, you know, I think that a lot of these people that are getting into blockchain development, they’re especially around smart contracts. There, they look at it as a money grab. They’re like, Oh, here we go. Here we go. Here we go, push things out. Which is terrible. Because you know, then there’s no security in the process. We have DevSecOps in most applications now where it goes through a security review internally so that they can be like, Oh, this makes no sense. You’re just allowing somebody to jump in right here and mint for free. Um, but that doesn’t necessarily exist yet in the NFT and smart contract space, and it’s only a matter of time where we are losing a ton of money and where these bigger companies that are coming into this space to build their own NFTs are gonna start realizing like, we didn’t get to where we are today without like running into the poor security practices of 10 years ago. You know, and I don’t want to think that it was going to take 10 years for NFTs to get there, because that just means it’s going to be a collapsible market right then and there, right? There’s nothing sustainable about that, especially in the modern day where people are much smarter when it comes down to electronics and coding.


Justin Daniels  25:40  

So it’s, it’s fair to say we can we can create whatever kind of consensus or trustless protocol we want. But if we don’t have basic security, what’s the point? Yeah, I


Dahvid Schloss  25:51  

mean, it comes down to that same principle of zero trust, right? Everybody says zero trust zero trust, zero trust is zero trust that if you went to RSA, everything was zero trust. Right? That was the name of the game. But ultimately, it doesn’t matter if you have a platform that says zero trust, if you’re not implementing it properly, or doing the basic things to review what you’re doing, it’s going to be exploited regardless.


Jodi Daniels  26:16  

So we talked about a few security tips already. Password Manager, strong multifactor is there one that we didn’t discuss that you would offer? To those listening?


Dahvid Schloss  26:31  

Stop clicking links in emails. You know, even even if it seems legit, more than likely, alright, especially with like banks and stuff like that, more than likely, your bank is never going to send you a link that says, hey, login now, right? Or login at this page. And even if it does, like, you should always check the top link, right? Is it actually going to Wells Fargo or Bank of America, whoever it may be? Good not to be going somewhere different. Or in a business sense. Let’s say you get a link that says, hey, we just changed our managed service provider. So for most of us that are like IT, like, I’m not evil, is like alright, that’s pretty evil, right? That’s malicious. But for the average user, for the average person, that looks normal, oh, we got a new IT staff. Okay, cool. Maybe I can hit these guys up about stuff. Right? Just if you don’t know, or you aren’t sure. Just don’t click the link, email your, your admin, or your local people, there’s always somebody, or ask, ask your buddy, hey, did you get this email? Because a lot of times phishing doesn’t hit everybody, it hits some people, but not everybody. So if you ask the person to your left or right, or to your friend, that’s what I like to call green dot stalking, if you use use Teams, and set the reference to that little green dot for being available, you know, ask those people and if they didn’t get the email, don’t click it. That’s funny.


Jodi Daniels  28:11  

I haven’t heard the green dot stalking term before, but it’s true. I can see these they’re not gonna go. Well, our last question,


Justin Daniels  28:20  

when you’re not red teaming, or designing malware, what do you like to do for just fun?


Dahvid Schloss  28:27  

Oh, well, I guess there’s a lot. I’m a, I’m a big Dota 2 fan, which is a video game, which has been out forever. And for some reason, I’m still addicted to it like 10 years later, which is a problem, I would say. But you know, past the electronics, past all that, I’m a I’m a big woodworker. I built pretty much everything inside or all the furniture inside my house. I don’t like paying like $1,000 for a table. Right? I think this is overkill. But I can spend maybe $150, $200 for some wood and just build it myself over a weekend. I’m happy with that. I think that’s a good time.


Jodi Daniels  29:12  

That’s really fascinating. I’d love to see pictures of some of the furniture that you’ve made. I think that’s super cool.


Dahvid Schloss  29:17  

And then I’m planning on changing these to these two, what do they call bookshelves and I’m gonna make a full wall bookshelf. So I haven’t seen too much junk. Well, if


Justin Daniels  29:31  

you think about it, it makes sense. He’s a craftsman in the electronic world and in the real world. He’s a craftsman with wood, right? Yeah, I see that. I see the correlation. I see the relationship. I didn’t know I get it.


Jodi Daniels  29:44  

So Dahvid if people want to connect with you or to learn more, where should they go?


Dahvid Schloss  29:49  

Yeah, so I have LinkedIn which I add everybody to, you can just search my first and last name. I’m the only one. I’m pretty sure there’s only two Dahvid Schlosses and I think I’ve finally, finally bypassed the other Dahvid Schloss who is an artist. So I think I’m more famous than him now. Maybe we’ll see. And then the other one, I have a Twitter. It’s again at my first and last. You can hit me up on there. Follow me there if you want. That one’s a little less, more of the professional side and a lot more memes usually, posted a ton of memes on there. All right.


Jodi Daniels  30:29  

Well, thank you so much for joining today. Even with the internet problems. We’re grateful for all the wonderful information that you have shared as well as some of the humorous stories.


Dahvid Schloss  30:40  

Yeah, thanks for thanks for dealing with my ISPs terrible situation going on right now.


Jodi Daniels  30:47  

Oh, we hope it gets fixed soon. Thank you again for joining. Thanks.


Outro  30:56  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.