Cyber Security
The cyber security podcast from SE Labs.
Understand cyber security and other security issues. Practical and insightful, our experts have experience in attacking and defending in the physical and digital worlds. Peek behind the curtain with Cyber Security DE:CODED.
Interview: Daniel Cuthbert | S2E12 Bonus Episode
Simon Edwards 0:02
Welcome to DE:CODED. This is a series two bonus episode featuring a full length interview with Daniel Cuthbert. Dan is the Global Head of Cybersecurity research at a very large international bank. He has a long history of penetration testing and other security consulting roles, many of which he can't talk about. But what we did talk about was threat modeling, vulnerabilities in the security industry, hardware hacking, better ways to approach penetration testing, and the time he became a convicted cyber criminal. So Dan, what do you make of today's WiFi threat? Should we be using personal VPNs? In 2022?
Daniel Cuthbert 0:45
I think what we've seen, since the early days of WiFi attacks, research stuff like myself and Glenn were doing with Snoopy, Dino was doing with Karma, and indeed many others. Those days are definitely behind us, and for good reasons. Back then you really did need a VPN, because using a Wi-Fi network, it was trivial to compromise clients and indeed gain access to data. But fast forward to 2022, and there have been some serious advances in mobile clients. That kind of makes, for me personally, the need for a VPN less of an issue than it was in 2004-2010.
Simon Edwards 1:27
What are the threats, the main threats that people faced some years ago, which don't seem to be such a problem today?
Daniel Cuthbert 1:34
Two big things, I guess. The first one was the lack of adoption of TLS. So a lot of sites did make use of plaintext, which means you could do interception and gain access to credentials. I think we've seen a widespread adoption of TLS, which is great. And then secondly, the controls around how mobile devices and desktop devices connect to websites. So before it was trivial to do interception, it was trivial to do a man-in-the-middle, that kind of style of attack. Whereas today, it's actually very hard. And anybody who has set up some form of interception capability on modern networks trying to gain access to Facebook, or Twitter, or Gmail, or any of the modern sites, they will notice that it's not easy at all. So that's kind of where the big changes for me have happened.
Simon Edwards 2:27
What about things like cookie theft? Is that still a problem?
Daniel Cuthbert 2:31
It is a problem if the site itself is still operating in a world where Britney Spears was this mega pop star, doing really. And indeed, there are many out there that still do that. But it's not as prevalent, it's not a case of if I grab your cookie, I can log in from anywhere. Not like it used to be. I'm not saying it still doesn't happen. But we're not seeing the same level of polish that we did, you know, 15-20 years ago.
Simon Edwards 2:57
And I guess it comes down to your threat model now, doesn't it? If you are an uber-secret guy that everyone wants to spy on, then if you're not using a VPN, they can't see the information that you're sending or receiving, but they can see the sites that you're visiting, potentially. But for most normal people, the fact that you're visiting McDonald's or Lloyds Bank, that's not really a problem.
Daniel Cuthbert 3:21
No, and my big concern is the actual VPN providers. Who are they? You know, what makes their security really good? Because, you know, just because you're routing traffic through their infrastructure, nobody's actually, you know, stepped back and asked, are they doing the right things? You know, can they be subverted, you know, are their inputs secure, all these types of things? And who has influence over them too? Yeah, you know, it's just a case of, what's a VPN, it must be secure, it uses cryptography. So what,
Simon Edwards 3:51
and you're sending all of your traffic through this third party that you may or may not be paying? Yeah,
Daniel Cuthbert 3:56
and anybody who's spun up large scale, distributed systems will know that that stuff is not cheap. It really isn't. And it requires an obscene amount of maintenance, and administration and looking at threats that come in and stopping those threats. And it's, you know, you've got to ask the questions, these cheap VPN providers, how are they doing so
Simon Edwards 4:16
cheaply? Well, that's an interesting point. So normally, when we think of VPN, we think it's a way to pop out in another country to stream some content. But of course, it becomes like a proxy internet service provider. And with that, comes a some kind of responsibility for filtering out some of the threats.
Daniel Cuthbert 4:35
Yeah, I mean, you know, if you look at some of the regions where these VPNs are hosted, again, if you look at the cost factor I just talked about now, maybe that country is under control of giving access to data. You need to build that into your threat model. And between us and anybody listening, I do think that notion of everyone should have a threat model, right? It's the most complex and absurd thing you can expect. No, you shouldn't have a threat model, right? That's only something that paranoid 1% of security people have. But I think you need to rethink how you look at a VPN and go, hang on a minute, they get to see stuff that they are supposedly stopping other people from seeing.
Simon Edwards 5:15
Now that's a segue onto that, Dan. So threat modeling, what is it? Is it that life and technology should be so effective and nice that we don't have to kind of work out what our threats are and how we prioritize handling those?
Daniel Cuthbert 5:30
Yeah, I mean, I'm a big fan of threat modeling, from the early days of Adam's STRIDE and DREAD, and what Microsoft were trying to do. And indeed, those were the dark days, because anybody who did threat modeling back in those days got frustrated, because it was an ugly process, it wasn't easy. We're seeing a kind of a new dawn of threat modeling tools at the moment where it's a lot easier. But I think where we need to get to as an industry is to have this usability, you know, I shouldn't have to worry about the device being secure, the device should just work. Because if you look at our daily life, and the tools that we use, when I go downstairs and turn my coffee machine on, it's not internet connected. I shouldn't get shocked, it should just work. When I get into my car, it shouldn't kill me instantly. I don't think... well, it depends which car. But you know, for the most part, you know, you expect the products to function as designed. We're not in that stage of life when it comes to IT at the moment. I'm still struggling with stuff that gets pushed out that, frankly, hasn't been designed well. You know, I've been going on a rampage against security vendors for a couple of years now. Because frankly, they've let the side down. You know, if you look at CISA's KEV, you'll see a large chunk of commercial security products that are vulnerable and being exploited. And, frankly, I'm calling them out. Now you literally have made a mess in the bed and you expect all of us to sleep in that bed. It's not acceptable anymore.
Simon Edwards 7:02
And you know, even things like internet of things. I mean, that's like totally awful, isn't it? But you're talking about established companies that are making billions of dollars a year selling product after product service after service. And yet the bad guys still appear to be operating quite comfortably.
Daniel Cuthbert 7:18
Gartner Magic Quadrant, buy my tool, because it will fix the world? Oh crap. How many vulnerabilities do you have? You're still using cgi-bin? What the hell? That's where I'm starting to get quite angry, because these big companies are not broke. The internet of things, it was an interesting one. I think early Internet of Things, yes, horribly insecure. It was blown up a little bit. I think a lot of nerds got really excited saying you could take over my fridge if you were sitting outside my house with a massive amount of laptops and antennas. Bro, I would notice you outside my house with a laptop with a lot of bandwidth, right? Again, you know, that whole hype cycle.
Simon Edwards 7:58
And people weren't caught doing that. When you could crack people's WEP Wi-Fi, and they were doing naughty things, they did get caught by the police because they were reported for being weird. Yeah,
Daniel Cuthbert 8:08
you know, standing outside your house with things, it's going to get noticed. But I think if I look at the threats over the last couple of years, it's come from companies that should know better. You know, like, during lockdown, everybody moved over to VPNs. What criminals do naturally, they started to dig deeper into VPNs. What did we start seeing coming out of the vulnerability world? God awful vulnerabilities in VPNs. So it comes back to that question. VPNs are supposed to make things secure. But actually, they're not. They're making things a little bit harder.
Simon Edwards 8:37
And now we're talking about the kind of VPN where endpoints connect into a corporate network rather than the sort of thing we might use to access Netflix in the States, for example? Yes. You don't just get vulnerabilities in software, though, do
Daniel Cuthbert 8:53
I? I've said this before, I do believe we are living in the golden age of hardware hacking. I think never before have tools and hardware been so easily accessible to all. You know, 10-15 years ago, if you wanted to get into hardware hacking, it was a considerable investment because the stuff wasn't cheap. Whereas now there are so many amazing projects out there where you can get software-based telescopes, you can get oscilloscopes that no longer break the bank, you can get a decent one for a couple of hundred up to 1,000 pounds. And as such, we're now starting to see people rethink the security of the physical device. And indeed, work out how that could be subverted. It's an exciting time, you know, to see what's happening. I mean, one of the best projects I've seen and do have in the lab at the moment is bunnie's Precursor, which is kind of his attempt at getting people to rethink how you would design a trusted device that's verifiable from the physical chip components used, how it communicates, how we store secrets and so on. And I've been waxing lyrical about Precursor for a long time. And I finally got mine the other month. And it's phenomenal to look at how and why decisions have been made. Because before it was a case of, well, if you had access to the device, game over, and it doesn't always have to be that case.
Simon Edwards 10:24
What about if you go really down low level? So there was a time not that long ago, where people had a conspiracy theory that some of the chips in Supermicro servers were all compromised? Is it a real thing that you could have ended up with a situation where major vendors shipped a load of laptops, and some opponents to the main Western way of life have somehow compromised all their systems at a really low level?
Daniel Cuthbert 10:49
It's not implausible. The grain of rice was a very interesting time. Joe Fitz came up with a quote that's always stuck with me. Phenomenal hardware hacker, does amazing training. He was like, the aim of hardware implants is to get from hardware to software in the shortest amount of time possible. And I think that's where, if you look at the murky world of espionage and implants, a lot of people are still struggling, because you need to somehow make it usable to export data, and do everything else. So it's not completely implausible. Yes, you can do hardware implants. And yes, we've heard of some, and there's probably many more out there. But I don't think it's a grain of rice, dump it in there and have full access yet.
Simon Edwards 11:34
No. And how would you even unless you're a very specialist nerd, how would you even start to defend against something like that?
Daniel Cuthbert 11:41
Very hard. I mean, how would you detect it first? You know, how do you notice that this chip is on the board when it shouldn't be? It's not like people get full schematics when they buy a device, then tear it open and look at it and go, ah, there's an IC there that shouldn't be there. That doesn't happen. We're seeing it with software-based, you know, controls. One of the things I would love the industry to do more about is to be a bit more critical about the stuff that we buy. I've talked about this forever. Haroon did a Black Hat keynote in Asia, I think it was 2017, and it's a phenomenal one to watch for anybody who's not seen it, where he talks about the fact that if we as an industry band together, we could demand more from our vendors. We don't. We have phenomenal buying power if we all clubbed together. And I think the same thing goes with the defensive capabilities. You know, maybe if we're buying hardware now, and we have that concern, we could say to the vendor, we would like either a software bill of materials, which, funny story, I'll talk to you about that in a minute, or we say, hey, we need you to prove that this has been shipped to me where it hasn't been subverted from the factory. The onus is on the vendor
Simon Edwards 12:53
Well, actually, yes. And then you've also got the chain of custody between the factory and the end user as well, haven't you, all the delivery companies and Amazons and all those kind of guys.
Daniel Cuthbert 13:04
Yeah. And I think one of the things that, you know, I finally realized, when we started to design more and more things in the lab, is how complex the supply chain world is. You know, you have no idea that the chip that you've ordered from AliExpress, or Amazon or somewhere else isn't fake. Because on the face of it, it looks legit. It has the printing on the top, it looks like a legit chip. It's only when maybe you X-ray it that you notice, hey, this is a repurposed chip, or it's a secondhand chip. And indeed, with the controls or the problems that we've got with supply chain at the moment, this is now becoming a fairly serious thing, because you can't just go and buy components anymore. I've got a dev board for one of the pollution sensors that every single month Mouser drops me a mail saying it has been delayed by another month.
Simon Edwards 13:51
And what's happening to it in that time?
Daniel Cuthbert 13:54
Yeah, I mean, do I get it, who knows what's, you know, can I? I'd like to get it. But yeah, you know, is it good as a jet? How many people have handled it all the way from the factory and so on. So I think that's where bunnie has really started to think about it. If that's something that interests anybody listening, I would look at bunnie's Precursor project, because it's a phenomenal way of rethinking how we look at these products.
Simon Edwards 14:20
Even consumers can get ripped off this way. Why, the very first PC that I bought was a DX2-66 from a company called Tiny, which doesn't exist anymore. And it was quite an expensive processor to have in a PC. And many years later, I chipped the heatsink off it and it wasn't a DX2-66. It was the cheaper equivalent. And, okay, I wasn't being spied on, but I wasn't getting what I paid for. And, you know, I had no way as a normal regular computer user to know.
Daniel Cuthbert 14:51
No, and we're actually starting to see reports about this now, because there is massive strain on the supply chain and indeed, I see components just don't exist. At least, you know, people are repurposing them. And that's probably a good thing. No, the whole e-waste thing is massive. So we are recycling. But if you think that you're getting brand new chips, and they might be 10 years old, some of these de-soldered and resold, like, is that being made aware to you when you're buying that? Probably not.
Simon Edwards 15:21
So when you're doing your hardware hacking, you're using X-ray machines, and all sorts of amazing stuff, don't you,
Daniel Cuthbert 15:27
in the lab? Yeah, we do. We're very fortunate that we've built up a lab, mostly for what we're trying to design and what we're doing. With the X-ray machine, it's a time saver. You know, if we looked at a device that came in, and we wanted to manually reverse engineer it, it could be weeks, whereas with the X-ray machine, it's 10 minutes.
Simon Edwards 15:47
So you're just comparing like the tracks on a chip to what it should be on the blueprints, essentially,
Daniel Cuthbert 15:53
that's it, any telltale signs of potential manipulation, understanding more about how it works.
Simon Edwards 16:00
Oh, so from a logical perspective, you're actually kind of working out how the chip thinks, in a way,
Daniel Cuthbert 16:04
that and also designs of boards. For me, I'm a big fan of the X-ray machine. It's a time saver, and it's just genuinely made our lives a lot easier.
Simon Edwards 16:16
We've come quite a long way, haven't we? We knew each other way back in the day of an early DEF CON and ISS and all that kind of thing. How has it been for the last, say, 10-15 years for you?
Daniel Cuthbert 16:27
It's weird to see the industry evolve, that's for sure. From, you know, the Alexus part type stuff you're talking about, to DEF CON pre-pandemic, when I was last there, it was 30,000 people, which is just phenomenal.
Simon Edwards 16:43
People who are interested in security, I mean, you would have thought back in the day that it was quite a nerdy, cliquey interest, and yet so many enthusiasts.
Daniel Cuthbert 16:54
Yeah, I'd say the whole hacking, computer security scene is very trendy now. There's TV shows that are quite cool. It's, you know, it isn't the ultra nerd thing that it was back then. We still have that element of it. But now it's quite cool.
Simon Edwards 17:12
Like, well, I suppose the devices are quite nice now, aren't they? In the old days, it'd be a big beige PC that weighed a couple of tons.
Daniel Cuthbert 17:19
I actually do miss the beige.
Simon Edwards 17:23
Where you used to run, what was it, OpenBSD on a laptop, it seems
Daniel Cuthbert 17:26
that I was a weird status back then. It's the statistic. That's probably why I didn't have any girlfriends, too busy trying to get x working.
Simon Edwards 17:36
Now at this stage, it's worth mentioning that Dan had a run-in with law enforcement some years ago. In 2004 he became known in the media as the tsunami hacker, because under the strict wording of the Computer Misuse Act, the CMA, he was accused of attempting to hack into a website that was fundraising after a large tsunami in Asia. He was found guilty the following year. It was a life-changing experience. Working in offensive security, as we both do, the law often doesn't seem to keep up with the reality. So I'm pretty sure that in many countries, even having certain tools on your laptop is against the law technically. Have you seen much change in the way the police and other authorities handle security experts?
Daniel Cuthbert 18:26
Yeah, I think since my case, which was 2004, which in internet years is decades and decades and decades ago, the CMA or Computer Misuse Act has kind of come under the spotlight as to how it's interpreted and how that law needs to change. Especially now that we're seeing more and more computer-based crime than ever before. There is definitely a need for security researchers and incident responders and indeed law enforcement to be able to do stuff to stop these criminals from abusing it. And I think that's where the CMA kind of butted heads with everybody. Because, you know, even the police were falling foul of the law, which is crazy, because criminals don't follow laws. And the people investigating the criminals have to act within the law. And that's 100% normal, we expect that. But when the law is then impeding them from doing their job, well, something's really wrong. And I think that's where a whole group of us were trying to get the CMA to reflect more what is needed in a modern society when it comes to computer security laws that protect the public, but also at the same time don't hamper individuals or those involved in investigations from doing their job.
Simon Edwards 19:46
Well, your case was interesting. For those who don't know, Dan was involved in something called the tsunami hack. There'd been a tsunami in Indonesia, and there was a charity website that Dan had a look at and assessed, and the police thought he was doing something naughty. And it felt a bit like an episode or a series of The Wire, where the police got a bit overexcited about statistics, and getting a conviction of just anyone, rather than focusing on what the real threats are to society.
Daniel Cuthbert 20:17
That was so eloquently put. Yes.
Simon Edwards 20:20
Well, I actually met the police officer in charge of your case a few years ago at a security conference, because he's become a cybersecurity spokesperson because of his time at that organization. And he regrets doing it, because he said they just wanted to get a conviction. And you weren't the person that they should have been going after?
Daniel Cuthbert 20:41
Yeah, I think with age, you start to chill a lot more. I was very annoyed with them, because I saw what was happening at the time. One of the proudest moments for me at the moment is I'm now helping change that law and changing how people see that law. And working with some really good people, John Ellis, and the folks at NCC, you know, we're trying to get people, especially those in the Home Office, to rethink the law. And one of the things that we're pushing is the notion of good faith security research,
Simon Edwards 21:14
At the time, when someone got convicted of a hacking offense or anything, really, it pretty much destroyed their career. How did it affect you, in the short and then longer term?
Daniel Cuthbert 21:25
It did affect me, I mean, so much so I left the industry. Because, you know, it was very hard to work because I was a convicted cyber criminal. So I went back to what I knew well, which was fashion and photography, conflict photography,
Simon Edwards 21:43
I knew that. You never told me about your fashion, but just the way you wore the clothes, even back in the DEF CON days, I knew you must have an interest.
Daniel Cuthbert 21:49
Thanks. I'm very good at that. And yeah, it was annoying, because, you know, in hindsight, looking at what I was doing, I was looking at phishing websites, in the early 2000s, that were abusing websites and taking people's money. You know, the tsunami website was awful. I'm gonna be frank, it was badly designed. Not much has changed on the web. But that's kind of where the good faith security research comes in. Because we need some kind of protection for people doing investigations into security flaws or vulnerabilities in security, enter in software, hardware, firmware, whatever. Because as we're seeing with the bugs that are coming in time and time again, that are being exploited by criminals, these companies aren't looking for these bugs. And one of the things that we've got now that was different back then, I mean, 2004, on the internet pages was doc, right? A lot of people weren't using the web like they are now. A bug found then might not have the impact that a bug has now. You know, a vulnerability in a tool today or a product has the ability to impact millions and millions of people. So what we need the law to do is kind of not fully give them carte blanche to do what they want, but protect them in a way where they are acting out this good faith security research. So let's say they're looking for vulnerabilities and they go down the responsible disclosure route. As we've seen time and time again, when somebody reports a vulnerability to a company, that company then says, you've broken the law, we're gonna go after you. We don't need that, you know, and I honestly hoped that that would be a period of time that we all experienced would disappear. But indeed, we still have companies who act this way.
Simon Edwards 23:44
Yeah, we do. There are bug bounties, aren't there, from the more sort of responsible, aware companies, but others get aggressive?
Daniel Cuthbert 23:51
Yeah, I think we've actually seen that at Black Hat in the last couple of years. You know, move back, say, 10 years ago, I would never expect to see the likes of Microsoft, or Intel or Google coming to Black Hat and letting their staff present at the biggest security con in the world about vulnerabilities in their product. That's right, these are the companies that would normally nail you to the wall.
Simon Edwards 24:17
But when we went to DEF CON together years ago, I remember someone announcing that they'd ported a particularly horrible backdoor trojan type thing to the Mac operating system and the whole room cheered. Yeah. Yep. Apple was there. They weren't showing that they were there.
Daniel Cuthbert 24:32
No. But what we've seen now is, you know, you look at the last couple of years, we are seeing companies embracing this. I mean, you know, I like my cars, and I like hacking cars. One of the weirdest things we ever had in the last couple of years was BMW doing a joint talk with the Chinese researchers who really did own the hell out of BMW. And it's up there as one of my top talks, because it showed how vendors who would normally go after security researchers go, actually, you found a serious vulnerability, we're going to fix it. But let's work together. Let's tell the people the other side.
Simon Edwards 25:09
Like they've realized that security through obscurity doesn't work, it doesn't work.
Daniel Cuthbert 25:13
And you know, at the end of the day, going back to what I said earlier about consumers wanting to have the products that just work, I would feel a lot better if I was buying something where the company was open about, hey, we do have bugs. And anybody who says they don't have bugs is lying through the back of their teeth. I would rather that company say, hey, we've got a bug bounty, or we welcome security researchers to do it in a responsible way. Work with us, we'll give you whatever you want, money, fame, T-shirts, and so on. But let's get those bugs fixed. For me, that's a responsible company. What is not responsible is a company that automatically threatens laws?
Simon Edwards 25:52
What about penetration testing? Is there still room in the world for getting a company in to check your security posture and tell you what's vulnerable and run Nessus and maybe do some other bits and bobs?
Daniel Cuthbert 26:04
100%, done about the Nessus part, 100%. I still do believe in the offensive pentester industry, as much as it's grown and watered down a little bit with a race to the bottom of, you know, everybody's now a pen tester. I still see the benefit there. What I would like is more companies not necessarily pulling in security at the end, which indeed a pen test is, but embracing more of the hipster term, shifting left. I think that's where we start finding bugs. And if we look at, you know, especially the code aspect, which I'm really quite heavily involved in, we're in the fourth generation of the code security testing environment. We've got some amazing tools out there that are really, finally, finding bugs. And it's never been easier to kind of embrace the shifting left or guardrail mentality than it was, say, 10-15 years ago.
Simon Edwards 26:56
Are there other ways to do pentesting wrong, and ways to do it better? Like, for example, you know, you might engage with a group of pen testers on a regular basis, rather than just bring them in every six months to have a look.
Daniel Cuthbert 27:10
Yeah, one of the things that we tried was, you know, the 1,000-plus pen tests I've been involved in were always, for me, at the wrong time of a project. There's always the pressure on the pen tester to get it done, the project going live, or the week after that. One of the things that we tried last year or two years ago was embedding pen testers in the sprint. So we said, one, there was no reporting, no incident reports, you will sit with developers, you are part of the sprint, any defects or bugs that you find would go into JIRA. And then you can track the lifecycle. We did it over two weeks. And it was actually a very, very cool moment, because not only were the pen testers really happy, because they have to do reports. And, you know, ask me anything about pentesting, the worst part was reporting, like even the most miserable period, because, you know, you have to make Word work and the tables are crap.
Simon Edwards 28:13
That's not... That's not where you're interested in.
Daniel Cuthbert 28:15
No. So by fitting into how developers were building things, you know, they could find a defect, speak to the dev, say, hey, I found this, dev confirms it, you log the ticket, they then work on a patch, you confirm the patch works, you close the ticket, move on. It was a more fluid-like assessment. And I think maybe that only kind of works when you have access to the devs or the code, but you could also maybe embrace it for the network style pentesting, where you say, right, a pen test team sits with the blue team. And rather than us doing everything in one go, you say, right, we're going to test at an ad rolls. We're gonna see if we add a user to the AD, can you detect it? Are you detecting it? Okay, what if you did that? There's more of a symbiotic relationship between blue and red. Whereas at the moment it's just all things about red, and the blue team have to pick up the pieces.
Simon Edwards 29:08
So there's training involved as well as now you're telling the defenders how to defend better
Daniel Cuthbert 29:12
Exactly. And I think that's where, you know, for me, the hardest problem in security at the moment is defensive. It's easy to break into stuff today. It really is. You know, you've got amazing tools. It's not hard to find bugs.
Simon Edwards 29:30
Please subscribe. And if you enjoyed this episode, please send a link to just one of your close colleagues. And that's it. Thank you for listening and we hope to see you again soon.