In this episode, author, hacker, entrepreneur, and content creator Alissa Knight reveals her journey from “bullied computer nerd” to federal cybersecurity contractor to famed car hacker. She gets real about the risk of APIs, offers up some must-hear advice for anyone getting into cybersecurity, and delivers candid views about the infosec industry as a whole.
-------
Why you should listen:
* Get inside the head of one of the most provocative and interesting cybersecurity influencers today.
* Hear about her work with federal agencies to help secure the future of transportation.
* Learn more about the urgent need for better Application Programming Interface (API) security.
* Get new insights into the growing threat to health care organizations and financial institutions.
* Hear Alissa’s take on how cybersecurity companies can improve their approach to content and marketing.
-------
Key Quotes:
* “I care more about the adversary that can hack my car from her living room. I care more about the hacker that can take remote control of my car that I'm driving around in my family with, from anywhere.”
* “Okay. Yes. I can take remote control of this vehicle. I can move the steering wheel. I can push the brakes.”
* “You would be shocked if I told you how endemic [it is in] the industry to hard-code not only tokens, keys, and credentials like usernames and passwords into apps for their own APIs, but also third-party APIs like payment processors.”
* “The plumbing for our entire financial system and healthcare system is APIs...that data is worth more than oil, right? So hackers are shifting their attention to hacking APIs.”
-------
Related Links:
* Alissa Knight’s Twitter: @alissaknight
* Knight Ink Media: https://knightinkmedia.com/
* Alissa Knight’s Website: https://www.alissaknight.com/
* Official Trailer: Law Enforcement Vehicle Hack: https://www.youtube.com/watch?v=Soj3P3S3i_o
* Synack Website: Synack.com
* Synack Trust Report: https://www.synack.com/trust-report/
* Jeremiah Roe’s Twitter: @c1ph3rflux
* Bella DeShantz-Cook’s Twitter: @bellarosedc
* Black Hat Events: https://go.synack.com/black-hat-events-2021
Jeremiah Roe: [00:00:00] How's your day been? Bella.
Bella DeShantz: [00:00:25] Hey, Jeremiah. Uh, pretty good here. It's been threatening to rain all day, but no signs of it yet. So I don't know. Not too bad. We currently have Alissa Knight on the show. I'm super stoked to be able to speak to you. So welcome to the show, Alissa. How's your week [00:01:00] been for you?
Alissa Knight: [00:01:01] Things are good. Things are good. I live in Las Vegas. So the world has opened up
Jeremiah Roe: [00:01:06] How's the how's everything going?
Alissa Knight: [00:01:08] I mean like when, what was it California or whatever was still eating outside and actually many restaurants. It was pickup only. We were already eating inside her restaurant. So we've spoiled over here during the pandemic.
Jeremiah Roe: [00:01:22] Okay, well, it's awesome. The last I haven't been to Vegas since I think the last time I went to Vegas was last with DEF CON 2019.
Alissa Knight: [00:01:30] Yeah.
Jeremiah Roe: [00:01:31] Yeah, it was when everybody was there. Um, and I haven't been since. Um,
Alissa Knight: [00:01:36] The attack of the locusts or grasshoppers wasn't there?
Jeremiah Roe: [00:01:39] yes.
Alissa Knight: [00:01:40] Upper attack her in 2019.
Jeremiah Roe: [00:01:43] oh my gosh. I got there, like at the tail end of that and they were everywhere. They were just flying.
Alissa Knight: [00:01:50] I on it, Jeremiah, I honestly thought the world was ending. I was waiting. And, and the horses and, you know, the rivers [00:02:00] to flow blood, uh, it was, it was the apocalypse. It was,
Bella DeShantz: [00:02:04] I remember my friends being there for that and getting all these like videos and pictures while it was like, totally cool chill at home and just being like, you know what? That's okay. I did the right thing this year.
Alissa Knight: [00:02:16] you know, what's kind of scary is that like, that was like, it was like nature telling us that the pen was coming.
Jeremiah Roe: [00:02:25] It totally was.
Alissa Knight: [00:02:27] It's the, isn't it like? W w what was the, uh, you know, Book of Revelation? Wasn't the first one, the plague that is COVID-19, it was the plague
Jeremiah Roe: [00:02:37] I don't know which book that was, but I can say
Alissa Knight: [00:02:40] or the plague.
Jeremiah Roe: [00:02:42] it sounds legit. That was a good year. That was a really good year. There were a ton of things that were going on. Um, they had a really awesome car hacking village there that year. I believe where they did some fun stuff.
Alissa Knight: [00:02:58] You know, it's funny cause [00:03:00] I, so carfucar, um, is, uh, his alias, Robert Leale, uh, is a dear friend of mine. And he actually wrote the foreword to my book Hacking Connected Cars and
Jeremiah Roe: [00:03:11] I've got that book by the way. That's awesome book.
Alissa Knight: [00:03:14] oh,
Jeremiah Roe: [00:03:15] I do. I've I've got that book.
Alissa Knight: [00:03:17] I'll buy it. I'll sign it. I'll buy it. I'll buy it and I'll sign it. Then I'll go back to you.
Jeremiah Roe: [00:03:21] I would love to. That'd be great.
Alissa Knight: [00:03:26] See, live streams are so much more entertaining because you know stuff, doesn't get cut on posts. Um, yeah. Thank you for, for buying my book. Hopefully you liked it. Imagine how embarrassing like is like Alissa. That was the worst book I ever read.
Jeremiah Roe: [00:03:45] Yeah, no, I wouldn't even know. I mean, You've got like Jeremiah over here saying, you know, I would love to write a book someday. I can't even get past the three dots that keep blinking in front of me. I have no idea what I can't put anything on.
Alissa Knight: [00:03:58] it's hard. Jeremiah, [00:04:00] look, I don't know if you and Bella have ever written like long form content, really? Whether it's a white paper or read a book, it's hard. Like you D you, you expect to sort of wake up with this inspiration to write and that's not happening. Right? Like you, you have to sort of, you, you, you have to make yourself sit down and write.
It's the, it's the crazy it's crazy. Anyway. Um, yeah, and I actually read books on Stephen King and he says the same thing, you know, you know, there are famous writers in history who have had to, you know, turn off all their network communication on their laptop, lock themselves in a hotel room. And write. And just cause we're all distracted, we're all distracted.
So easily, all our pop-ups and social media and, you know, it's, it's really easy and I'm the ADD poster child. Right. So I think that's, what's always kind of made me a very effective hacker is I'm like the [00:05:00] ADD poster child. And so I get distracted very easily. And so, yeah, I actually turned off the wifi on my, on my system when I was writing, because it was so tempting to load up Chrome.
So.
Jeremiah Roe: [00:05:16] Yeah, I could totally see that too, to the point of your book though. Funny, funny enough, when I got that, um, I was, I was so stoked because, so I come from sort of traditional, I guess, traditional, uh, pen testing background, and, um, you know, I've had the pleasure of operating within a real, real red team where you do the sort of nation state emulation stuff.
But I had zero experience in, in car hacking. I think the most exposure I had to vehicle hacking or any sort of API vehicle hacking or plugging into that was what year was that? I think 20, it was like 2014 when, um, [00:06:00] Chrysler got in trouble for mailing out those USB drives to update people's vehicles.
Alissa Knight: [00:06:06] yeah.
Jeremiah Roe: [00:06:07] And I remember getting that in the mail. I don't know if you recall that, but I remember getting that in the mail. I'm like, huh, this seems pretty interesting. Plugged it in and looking through the code base, you see all kinds of commits and comments and just API keys, that point back to things. And a lot of really interesting stuff in there.
I was like, oh my gosh, there's going to be a lawsuit here.
Alissa Knight: [00:06:28] Well, you know, it's funny because one of the things that I find in speaking at conferences and meeting other people in the community is, you know, a lot of people think that you just kind of wake up. And you just know how to do this, right? Like you're a hacker, you know how to hack electronic control units, here a hacker, hack a car, you're a hacker.
And it's, it's really an Inn I came from the same space you did. Right? Like, so I came from the BBS scene, right. I started out with BBSes. I ran a multi node underground BBS in Seattle. [00:07:00] So, you know, I came up that sort of traditional pen testing. How can I hack this Apache web server, and now I'm in trouble freaked by this brand new world of the internet of everything and things floating around on the water or driving around on the road with wheels that have IP addresses now.
And things that weren't historically connected are now connected and it was a brand new world for me. And it's much to your point, just because you're a pen tester doesn't mean you know how to hack your car. Like when I first sat down and began learning this, it really was like, I didn't even know how to spell ECU, let alone what the hell an ECU was.
You know, it's like vehicular mechatronics, what, you know, what telematics control unit. So, you know, hacking embedded systems is way different than hacking an IIS web server. Right? And so for me, when I was living in Stuttgart, Germany at the time I had [00:08:00] an amazing client who literally sat me down in this was, uh, a very large company in automotive and he sat me down and just, we locked ourselves in a room in Germany and white boarded.
For days on end, just explaining the vehicular, the, the, the vehicle network vehicle, the vehicles, a VTV networking, um, 800 to one, you know, P all of these things that I need to understand, to do the penetration test that they contracted me for. And it was amazing. It was like this traditional hacker getting educated on hacking a connected car.
And it was amazing because, you know, and, and he, to this day is a very dear friend of mine. And he, for them, it was like, We don't want a traditional car hacker. We want to take someone who's really good at hacking and teach them about vehicular mechatronics. [00:09:00] And it was this amazing. I feel like it produced this very creative out of the box thinker when it comes to approaching car hacking because I very much color outside the lines.
That's my, that's my mantra. Right? For me, it was wait a minute. Okay. Yes. I can take remote control of this vehicle. I can move the steering wheel. I can push the brakes, push the, push the gas accidentally drive the car into the side of the building, which we'll talk about later. It was over a 100, it was $130,000 car.
And I accidentally the side of a building anyway, a long story. Um, but, um, that's not the point. You know, the fact of the matter was, was that this car was talking to APIs and for me. The that's where my attention was. Right. So I care very little about the adversary that needs to break the window in order to get into, be able to hit the OBD-II port, I care more about the adversary that can hack my [00:10:00] car from her living room. I care more about the hacker that can take remote control my car that I'm driving around in my family with, from anywhere. Why, why get out, why get on a plane in flight into some buildings when you can do it from your living room
Jeremiah Roe: [00:10:13] absolutely.
Alissa Knight: [00:10:14] and everything is, is that so recently the, the I've been doing connected train hacking.
So several states have reached out to me about this new fleet of connected trains that they, that they are deploying. And these things have telematics control units, just like cars, the, you know, airplanes flying around in our sky. Telematics. All of these things are. Communicating over either wireless or T or GSM.
And now with 5G, even more things are connected. And I don't know if you saw the recent report from Akamai, but was it more than 82% of the CDN traffic is API traffic now
Jeremiah Roe: [00:10:56] Yeah. Yeah.
Alissa Knight: [00:10:57] and Bella, this, that, that means that more than [00:11:00] half of the traffic on the internet today is no longer human to app traffic it's app to app traffic it's device to device.
So.
Jeremiah Roe: [00:11:10] No, I totally saw that. That's one of the things that I think most users don't quite realize is in the grand scheme of things, the majority of traffic that's out there just to reiterate on your point is not human traffic. So when you see these things that are producing traffic on, on the interwebs, then, you know, a lot of that is bot based.
Most of it's API traffic, and most of it is, is untested. Majority of it is untested.
Alissa Knight: [00:11:40] yeah, good point. And that's a thing is the plumbing for not just the U.S. infrastructure, but global infrastructure. Look at open banking, such as PSD2 in the UK, right? Look at where we're headed here in the United States with the same thing with financial aggregators, [00:12:00] you know, mobile apps, we're in an app economy, an app first world.
Now laptop sales are going down while mobile phone sales are going up. People don't want to lug a laptop around anymore. Even laptops are too big. Now my 17 year old kid doesn't know what the hell a mouse is, right? The generation Z is all about touchscreen, right? What the hell is a mouse?
Why do you need a mouse? Right. So things are changing. And the thing is, is that all of this, the plumbing for our entire financial system, our healthcare system is APIs. So the thing is, is that data is worth more than oil, right? So hackers are shifting their attention to hacking APIs. They know that that's where the oil is that they know that that's where the data is.
So they're learning how to hack APIs. We as defenders need to know how to secure APIs properly. And so recently Wiley has awarded me a new book contract to publish a new book on hacking APIs. So [00:13:00] that's coming. I totally did just drop that.
Jeremiah Roe: [00:13:03] I'm, I'm super stoked to check that out. I it's interesting how much you've talked about where, what you're currently focused on in this very niche area of, of car hacking or, and like APIs, which I guess are not exclusive to cars, but, um, this sort of, you know, where you are now, and, and you've mentioned how you got into hacking, but I'm a little bit curious about that original introduction.
Like how did you get into cybersecurity? Why was it interesting to you? And, and then how did you go from, from that, to this? What we've talked about?
Alissa Knight: [00:14:51] So it was in Seattle and this is about the time during the time of IRC, VT100 shells for accessing the internet, internet relay chat. If you're old enough to remember IRC pound Dak. And, um, so, you know, and BBSes and the dial-up scene.
And so. I wanted to get into phone phreaking, which at the time was called, you know, phone hacking, you'd make banana boxes. Um, I was big into the, the old 2600 and you know, all this stuff regarding hacking phones and phone systems, making free calls, stuff like that. So that sort of led, led me to accessing IRC.
And so some of the more underground IRC channels and meeting other hackers, meeting other people that are interesting is now at the time there was no YouTube. There was no even SecurityFocus.com. There was [00:16:00] no Bugtraq. There was no Sendak, you know, I mean the idea of publishing. You know, even if you think about it at the time open, the concept of open disclosure, did it even exist.
So if you found a vulnerability in something and you published it, you could be arrested and thrown in jail. Right? So, you know, bounty hunting wasn't a thing. And so at the time, because you don't have the education and resources available to you at the time, you really were on your own. You had to download back then, Bella, you had to know how to gcc-compile a .c exploit.
And get it to work in order to be it, you know, in order to actually hack anything, unless you wrote the code yourself, like you had to know how to fix, that's what you finally found the exploit for wu-ftpd and you cross your fingers. That that damn thing would compile. And then like, oh my God, it's not compiling.
I've got to find a new exploit or fix it. And, [00:17:00] um, so, you know, Metasploit wasn't a thing, a lot of hacking now is point and click, right? Crime kids, you know, Metasploit, Meterpreter shells and all that thing. Wasn't a thing. So this is a very, long-winded answer to your question, but basically my start to this was figuring it out on my own and really just downloading things, looking at what the exploit was doing.
Launching tcpdump and recording the packets back and forth to look at what the stimulus and response was, what it was doing with the, the service on the other end. And then once sort of, kind of breaking that apart, just. Okay, I'm going to admit it targeting networks that I shouldn't have been targeting.
Um, so the first network I hacked was a fast food chain. I won't say who I was lucky enough to not get caught. And then when I was 17, I, my parents were so excited because I like, oh my God, she's going to graduate. Just get it graduated. They were so worried about me graduating and it was for my [00:18:00] graduation and sure enough, I hacked a government network and I got caught this time and they were waiting for me at school.
The agents were waiting for me at school and it was weeks before my graduation. And I went from being, you know, the bullied computer nerd to like the most popular kid in high school. And cause they arrested me in front of everyone in the quad.
Bella DeShantz: [00:18:24] it's like a movie. This is like a typical teenager movie. Not typical, I
Alissa Knight: [00:18:29] Yeah, exactly. So, so I got arrested. Um, so fast forward, the, the district attorney dropped the charges and I ended up going to work for the U.S. intelligence community in cyber warfare.
And realize that, Hey, you know, I could get paid to do this, this, this, this is a thing. And so, yeah. And so the cybersecurity scene kind of started to develop around me, you know, SecurityFocus came along, um, and then open disclosure came along. I published the first vulnerability on hacking VPNs, and that was at the time on Bugtraq.
And now we have platforms like yours, where, you know, you can make money being a bounty hunter, you know, finding vulnerabilities and being paid for them. Oh, what a concept? Because when, when I, when I presented my vulnerability at Black Hat Briefings on how to do this, they sent [00:20:00] lawyers to the brief, to the presentation.
And I had been fired from my job for, for wanting to talk about this and it affected every VPN that was deployed. They sent lawyers to the presentation. It was a bad time for vulnerability researchers. If you wanted to do vulnerability research, You had to make sure that you look good in orange, because there was a possibility that you would get arrested.
So, you know, um, you know, thank God things have changed and you can do it without worrying about the knock at the door.
Bella DeShantz: [00:20:30] I'll age myself a little bit and say, um, you know, one, I got into computer, anything that sort of a late stage in my life, like not until late college. Uh, but by that time I took an introductory security course and basically everything that we learned was like, yeah, this is how it used to be, but that doesn't work anymore. So a lot of my introductory or introduction to cybersecurity was like [00:21:00] exclusively web applications, like, cause everything is just online now basically. Um, and, and a lot of it was, yeah. I mean, I think a lot of us who call ourselves hackers or have any pen testing experience probably have a good amount of, you know, figure it out on your own.
I think that's how a lot of security is, but so much of it was like, okay, here's how, here's how people originally figured it out and then it's been fixed. I always find it so interesting hearing about like, you know, I don't know the more gee hacker experience, But it was different back then. It was very different by, I mean, you know, it was upload download ratios. It was ZMODEM. Like it was mom, I've been downloading for four hours and you pick up the phone, you know, it was, that was, that was life.
And so, yeah, it is. It's tough. And so [00:22:00] please don't take this the wrong way. Audience do not think on this. You know, horrible person when I say this, but like, I totally love to mentor. Okay, sure. I'll be a mentor. I'll mentor you when I've got the time I'll have people message me like, Hey, I saw you on the Synack podcast. I was wondering if you could teach me how to hack there's. So like, There's so much out there for education on how to learn, how to hack, how to learn, how to analyze packets, how to learn anything, SecurityTube, YouTube, SANS, you know, training.
Like there's so much information at your, at your fingertips now with the internet and, and Google. There's no reason you should have to approach anyone and say, [00:23:00] teach me, like learn. The best way to learn is to learn on your own the best way, because you have the capability to be better than me. Like if, if someone asks you to explain, to teach how to hack, like maybe you're going to talk, you're going to talk about a different thing than I would than Jeremiah would. Like, we all have different focuses.
Alissa Knight: [00:24:26] You might, you might talk about, you know, the, the, the fallibility of Apache or, or you may talk about, Hey, you know, screw trying to buffer overflow Apache, you know, wu-ftpd, I just send an email with a weaponized PDF file and game over, you know, but I may talk about. What are, are the APIs in the environment. Everyone has their own narrative, you've got to take onus upon yourself to like, if you want to learn something awesome. If you want to put in the effort to learn something even better, because there's so many resources, like you said, there's that, there's that certain thing that, that drive to get out and do something.
Alissa Knight: [00:26:21] that's why I got that fire. Yeah. Well, and you know, it's what what's interesting for me is. So I'm, I will admit, at least say, and you both know this, I'm not a bounty hunter. I don't have anything against bounty hunting. I've known nothing at all, like against bounty programs, but recently I've been learning more about them.
And, and the interesting thing that I found in, in researching them was you guys actually offer content out there to teach people how to do some things. Like, I think probably one of the best API hacking articles that I read was actually on a bug bounty site. Like there it's, it's really interesting. Like it's really [00:27:00] trying to educate the community.
Like, Hey, not only if you only will we be there for you, if you're interested in being a bounty hunter, but we're also going to give you tutorials. Like what you're going to even train and teach bounty hunters. Like that's insane. You know, so, I mean, I just think we live in a really exciting time right now.
And if people would just stop trying to take the shortcut and say, teach me hacking through DMs. I just think there's so much information at our fingertips these days.
Bella DeShantz: [00:27:40] I do want to get a little bit more technical about some of your experience and, uh, Maybe low key, maybe ask you to teach us a little bit of some stuff. So specifically, you know, w we've talked a little bit about your experience, uh, hacking connected cars, you were working in [00:28:00] Germany, hacking connected cars.
Um, I'm wondering if you could give us a little bit of an explanation and we can get a little bit technical here just for the record, uh, of like how, how does that work? We've talked a little bit about APIs and how those are relevant to, to connected cars. Can you tell us a little bit about how that, how that is structured?
Alissa Knight: [00:28:18] So there's really two types of APIs that I target. I target mobile APIs and web APIs. Mobile APIs to me are a lot more exciting because of the systemic problem of developers hard coding tokens and keys into the mobile app without code obfuscation or slash application shielding. And so I'll literally just download the mobile app from the app store and use APK Extractor to extract the APK off of the device and load it onto my machine.
Reverse engineer it back to the source code. And actually just scrape the source code, looking for keys and tokens. And you [00:29:00] would be shocked, maybe you wouldn't, but you would be shocked if I told you how endemic that is in the industry to hard-code not only just tokens and keys and credentials like usernames and passwords into apps for their own APIs, but also third-party APIs like payment processors.
It's, it's, it's very common. And, you know, so the research over the last few years that I've been doing, the hacking APIs, has, has been really eyeopening because for me using these mobile apps, I didn't really understand or know that this was going on underneath it, where, you know, in some cases, things being passed unencrypted or, you know, even.
Talking to app developers and them not knowing that I could actually extract the, the Android app off of the device and reverse engineer and look through the code. So just a lot of really insecure, crappy development going on out there. I [00:30:00] don't know if I can say that word on your show. I apologize if I can't, but, um, you know, just, just really, really piss poor programming from a security perspective.
And so once I've done that, I'll then go after the API and do what I'd like to call a woman in the middle attack and inject myself in that, in that communication and actually understand how the API works. So especially in cases where there's no documentation, like if it's a bank, there's no documentation on the API.
Not that I've done this illegally, it was a sanctioned, I promise, but injecting myself.
Jeremiah Roe: [00:30:37] 2029 times.
Alissa Knight: [00:30:38] Yeah, exactly. And really just kind of mapping out that API and looking at the API requests and the responses. So like stimulus and response, and then taking that API request and then feeding it into a free API client like Postman or ARC and modifying that API request [00:31:00] to specify a different object ID, different endpoint.
And every single API they tested, for example, the recent eHealth research wasn't vulnerable to BOLA or authorization vulnerabilities. And for your audience who doesn't understand what BOLA, broken object level authorization vulnerabilities, are, I use a great analogy. Stop me if you've heard it. Um, but it's like if Jeremiah and I, or let's say Bella bill and I were at a cocktail party and stay in front of me, like, oh my God, I love that Burberry coat that Bella is wearing.
And I'm thinking, and I'm sitting there wearing like this ghetto coat, like Marshall's and I want Bella's coat. Right. So she goes to the coat check. And she checks in her Burberry coat and the coat check gives her the number 18. And I come up behind her and I check in my ghetto coat and I get number 17.
I take a Sharpie and I modify that ticket to be an eight, that seven to an eight. Give it back to the coat check and I get to leave with Bella's coat. That's a great [00:32:00] example of a BOLA vulnerability. So I've got a ticket, I'm authenticated. I have a JWT token, I'm authenticated. I should be there, but I'm not authorized to leave with Bella's coat.
I'm not authorized to request those patient health records. So, you know, that is a very common attack that I, I employ against APIs. So hopefully that answers your question, Bella, for my methodology, you know, for web APIs it's very different because you don't really have that mobile app reverse, but there's a great tool called Burp Suite.
Where you can actually, and really any proxy. Um, there's also mitmproxy. I'm using Burp Suite a lot more lately because it's like an all-in-one Swiss army knife. And so it'll actually proxy the request and send certificates in both directions and allow it to decrypt that traffic. And they actually have a built-in Chromium web browser where you can go after web APIs that way and immediately intercept and analyze [00:33:00] those requests and test an API directly from within Burp Suite.
Jeremiah Roe: extrapolating out the whole API discussions. Right. And putting it into wider perspective.
When we talk about these things from, you know, a consumer grade products, like, you know, regular vehicles and, and, and API things on maybe mobile applications and, and, and how that affects the common user. When we go a bit wider, how does that look for say, you know, government and planes and, you know, military operations.
Alissa Knight: [00:35:35] So a very interesting thing happened to me recently. Um, and I'm, I'm still kind of in the midst of it. So I can't really talk too much about it, but I will disclose enough for people to understand what's going on. So if you have been to my YouTube channel and if you haven't subscribe and hit that bell button, uh, sorry.
Um, if you, if you look on my YouTube channel, um, there's a couple of videos there about me hacking federal and state law enforcement [00:36:00] vehicles, and me standing in a parking lot, actually remotely controlling a law enforcement vehicle. And I published this on YouTube. Now I didn't publish the screenshots for you to see what I'm actually doing and how I'm doing it, but it was enough to scare the hell out of the U.S. government.
And so a lot of the. Actually all of the three-letter agencies, DHS, FBI, CIA, NSA, they all, they reached out to me. And so the interesting thing here was I was actually approached by the U.S. government by law enforcement to do this research. It's just not all the components actually talk to each other in the U.S. intelligence and law enforcement.
Jeremiah Roe: [00:36:39] it's weird.
Alissa Knight: [00:36:40] Yeah. I know. Maybe it's gotten better, but I think there's still a lot of politics at play. So they actually reached out to me to perform this research and they actually permitted the filming of a documentary. But once the federal government got involved in law enforcement got involved, it was very much like, oh my God.
Because if you think about let's, let's talk about this for a minute. Let's be honest. [00:37:00] Let's point the pink elephant out in the room. If I can do this with law enforcement vehicles for this particular automaker, doesn't that mean that this vulnerability exists in every one of their cars on the road? Of course.
So this is a very big problem. And so much to your point. Where, you know, w we, we can talk about something in a very, at a very small scale that affects a very small attack surface, but it's very, but you can also extrapolate that and actually expand it. And all of a sudden you realize that, oh my God, APIs are everywhere.
These, these vulnerabilities are everywhere. This is affecting air, every everything in which we live, work and play like everything from our passenger transport, I'm doing a penetration test of a superyacht, like a yacht. Why does a, why does a boat need an IP address really come on. But you know, this is what's happening.
Everything is becoming good. We [00:38:00] as humans want to continue to innovate. We as humans in this, these millennials and the Z generation Z all want always on connectivity. How do you do that? You have to give everything an IP address. And unfortunately, as humans, we innovate before we secure and we need to fix that and move to a shift left and shield right mentality where we're securing things at the code level when the code's being written or when the product is being made and then shield right when it's actually in production.
And none of that is being done. Um, so looking, looking in the future, right? Five, I don't know, five, 10 years down the line from here, um, with a lot of this research that you've developed, how do you have the largest impact?
And before I pause, I would like to, um, touch on Knight Inc. And some of the strategies that you have there to help address them. Yeah. These things.
Alissa Knight: [00:44:29] People ask me, like, what the hell is Knight Inc.? What are you doing? Like, I'm still trying to figure that out. So, I'm a very complex creature. Um, so I guess the best way to describe [00:45:00] it is, if a hacker and a content creator were to have a baby, I would be the product of that.
So basically I merge hacking with content creation, because I firmly believe that CSOs and cybersecurity engineers are sick and tired of the marketing bullshit of papers talking about the features of the product, and trying to demystify whether or not the product actually does what the marketing material says it does.
And so I'm trying to create a new kind of content that proves the efficacy of a cybersecurity company's product by hacking it, or hacking something that shows how their product would have prevented it. So let me give you an example. One of my biggest exploits and claims to fame was, um, a small little cybersecurity startup that no one really knows about called SentinelOne approached me, said, Hey, look, we're [00:46:00] publishing, we're creating this new product called SentinelOne Ranger, and it's going to be an IoT security product. And we want you to write a white paper. And I was like, oh, I got a better idea. What if I were to show, through an actual hack, me pulling up into the parking lot of a bank, hacking the bank through the CCTV cameras in the parking lot, and showed how your product would have prevented that?
And it was amazeballs. It was just, this light went off and it was like, oh my God, I could actually do this for a living. And so that's what I'm doing at Knight. Um, I'm a big believer in Simon Sinek. People don't buy what you do, they buy why you do it. And you know, it's, it's like, it's why we're all walking around with, uh, with an iPod or an iPhone in our pockets to listen to MP3s.
Instead of Creative Labs. Creative Labs came out with the first MP3 player 17 months before Apple did, but Creative Labs told us [00:47:00] what it is, and Apple told us why we need it. Um, I'm also really trying to, okay, I'm going to piss off some of your audience here. I used to be an analyst, and I do not believe in the ivory white tower and the analyst industry. It is a lot of pay for play. And I think a lot of CSOs and a lot of cybersecurity engineers are sick and tired of it.
[00:48:13] How can CSOs and security engineers really make purchase decisions off of the company that's the highest bidder? What about the companies that can't afford to work with these analyst firms?
What about them? What if their products are more superior, but they just can't afford the analyst firm? How does that make us more secure? It doesn't. It doesn't. So I'm really trying to disrupt [00:49:00] the analyst industry and the content creation industry. 64% of your buyers are making purchase decisions off of custom content.
Not advertisements. People no longer want to be advertised to anymore. They don't want to be inundated with Google ads. They're making purchase decisions off of podcasts like this, off of white papers, off of videos, off of content. And so I think that's where our industry is broken, and I think it needs to change.
Jeremiah Roe: [00:49:34] I think, you know, you've hit the nail on the head with talking about, you know, content and the why, because it's not necessarily the what. You could have the best product in the world, you know, reference that MP3 example that you gave.
Right? You could literally have the best product in the world, but if you [00:50:00] can't tell your story as to why, then it falls short. And so I love the fact that you're doing something like Knight, especially when it leads to, you know, how does the future of cyber and the future of APIs, and the future of these things that, you know, commercial and government entities aren't looking at, when it leads to developing better, better content around why. That's, in my opinion, exceedingly important.
And so, you know, props on that, by the way. One of the things I wanted to discuss really is, you know, along with that content strategy, for those that are listening, what are some of the things that, you know, just maybe real quick, some quick, I do not want to say checkmarks, um, some, some quick sort of hints that you can lead to for how the industry should be moving forward?
Alissa Knight: [00:50:55] I think what we need to do first and foremost [00:51:00] is stop disenfranchising certain groups of people within our industry and making them feel less than, because they're not programmers, because they're not the right color, they're not the right gender, they're not the right gender identity. The disenfranchisement of cybersecurity, this whole more-elite-than-thou attitude that we have in cybersecurity that ostracizes or disenfranchises certain, uh, parts of our population, is wrong.
And I think adversaries want more of it. Those who are attacking us, and just the ransomware-as-a-service gangs, they want us to basically turn on each other, because how do you defeat an enemy? You turn that enemy against themselves, right? So it's all [00:52:00] asymmetric warfare, it's all asymmetry. You know, so having said that, I think one of the first things we need to do is we need to start coming together and stop making people feel like they're not as good of a hacker because they don't have any CVEs to their name, which is stupid.
I can't believe that ever came up on Twitter. You know, you're not a good enough hacker if you don't know how to code. All of that is nothing but people trying to feel better than other people in the industry, and it's wrong. I also think that where we need to go and what we need to do better at is:
We're relying too much in the security industry, if you look at the overall ecosystem of cybersecurity products, a lot of it is shield right security product. A lot of it is post-deployment protection through firewalls, WAFs, network detection and response, endpoint detection and response, all of these different [00:53:00] tools and products to build the layers of the onion, versus the shift left security solutions, where we just send developers to secure code training.
Can we just write more secure code? Can we just do static code analysis while it's being written? Like, what happened to fixing things while the ingredients are being put together and then baked, instead of waiting until it's baked and rolled out and accessible from the internet? I think that's another big fail.
That we need to get beyond. And venture capitalists, private equity firms, I'm talking to you, stop investing so much. I'm just taking down everyone. It's a shotgun approach, but you know, [00:54:00] VCs and private equity. Look, I started my own venture capital fund after I sold my last company. Okay. I've got great friends who are VCs. I'm not a hater, but VCs, shame on you. There's just, there's too much of, you know, it's like if you put machine learning in your PowerPoint, you're going to raise your first seed round or round A. You have machine learning.
If you have AI, whatever. But we need to start investing more in providing resources and support to companies that are helping us just make more secure products, versus securing more products. The other thing is, and this is a very interesting turn that the industry has taken recently, I don't know about you, Jeremiah and Bella, but have you noticed that a lot of really amazing innovation is coming out of Israel?
Like, oh my God.
Jeremiah Roe: [00:54:52] yes, 100%.
Alissa Knight: [00:54:55] God.
Jeremiah Roe: [00:54:56] It's crazy.
Alissa Knight: [00:54:57] So I think the [00:55:00] new Silicon Valley is Tel Aviv. Look at all of the amazing tech. Real innovation, I'm not talking about features. Features, cybersecurity companies, I'm going after you. Now, now I'm talking to you, vendors. Features are not innovation. Let me make that crystal clear: features are not innovation.
Real innovation is coming out of Tel Aviv. And if you look at this, you know, there are these new products, breach and attack simulation, deception. A lot of these companies are coming out of former Unit 8200 of the Israel Defense Forces, coming out and leaving the IDF and starting their own cybersecurity startups and bringing that out to the West.
Bella DeShantz: [00:55:59] Yeah, I'm a, [00:56:00] I'm a big-time nerd for threat modeling. So, uh, the whole, the whole idea of shift left, like I've worked as a pen tester, but basically as soon as I learned about threat modeling, I was like, oh, this is it.
Alissa Knight: [00:56:13] There's a great, um, section of my book on threat modeling. So I actually break out and demystify all of the different threat modeling frameworks that you can use, like Microsoft's, and you've got these different ones like PASTA, and like all these great threat modeling frameworks. And I agree with you. I am drunk on the threat modeling Kool-Aid. I, I'm, I love just drawing things out and thinking about things from, uh, just a hierarchical level. Um, when you're talking about threats and glory, because at the end of the day, really the Meterpreter shell and Metasploit should be the last step. Everything else should be done before that. Do you know how many arguments I've gotten into with pen testers [00:57:00] over why we're failing so bad with pen tests, or at least not being as exhaustive as we could be, because we're not doing risk assessments before it? Like, you can't hack what you don't know they have, right?
Asset registers, just like you can't secure what you don't know you have. You, you, the, the, the process of risk assessment is so near and dear to my heart, and it, because it's so important. And I think that's another big fail in cybersecurity that we need to do more of, is fricking risk assessments. Number one, first and foremost. I'm sorry, pen testers, but that client of yours is not going to fix every vulnerability.
They're just not. They're not there. You're going to remediate the vulnerabilities that are an unacceptable risk to the business. That is what's going to happen. So you can throw away that Nessus report with over 600 pages of vulnerabilities, like self-signed [00:58:00] certificates that no one cares about, and talk about the critical vulnerabilities that have a business impact.
Bella DeShantz: [00:58:21] you've got a book you've got a lot going on on YouTube. Um, if, if our listeners are interested in finding any of the content that you're putting out, how, how can they find it?
What have you [00:59:00] got going on?
Alissa Knight: [00:59:00] Yeah, so I'm really big into cinematography and film production. And so the first place I always publish content is YouTube. I do weekly live streams, weekly videos. Check out my YouTube channel, follow me on YouTube, subscribe, hit that bell button, and if you want to support me, the best way to do it is by following me and subscribing to my YouTube channel.
Um, follow me on Twitter, uh, connect with me on LinkedIn. I'm pretty much everywhere. On Instagram, you can see photos of my food. I can't say that, um, I do really anything useful or of value on Instagram except take pictures of my food, but that's about it. Oh, and you know what, actually, Bella, Jeremiah, do you want to drop this?
Um, you've heard it here first on this show. I was approached by producers from Netflix to publish and work on a new TV series. So [01:00:00] I'm actually writing a, uh, screenplay.
Jeremiah Roe: [01:00:03] That is exciting.
Alissa Knight: [01:00:04] They want it. So basically the, the, the producers, and I don't know if it's gonna end up on Apple TV or Amazon Prime or Netflix, but basically they wanted a new TV series where the protagonist, unlike Mr. Robot, where the protagonist is a woman. And so in talking with the producers, they want the TV series to be based on my life. So I'm writing a screenplay right now. So if a lot of you are like, how much content is coming from Alissa Knight right now, it's because I'm trying to figure out how to make more hours in the day.
And so I'm, I'm working on a screenplay right now. I just finished the pilot episode. Um, it's going to be amazeballs. I want all of you to know, and I will come back on this podcast and, and drop it when that, when that new TV series is going to air.
Bella DeShantz: [01:01:08] We have one final question. It's, it's one that we ask every single guest, and it's also the question that we ask every single new hire here. Um, so what is one thing that no one would know about you just by looking at your LinkedIn, your website or your YouTube page?
Alissa Knight: [01:01:23] Oh my God. That's a good question. What is the one thing that no one would know about me without looking at my Twitter, LinkedIn or YouTube? I have crossed off everything on my bucket list except for skydiving before I die.
Jeremiah Roe: [01:01:47] we're going to go skydiving.
Alissa Knight: [01:01:49] I've started and sold companies. I've worked for the U.S. intelligence community and in cyber warfare.
I've started a defense contracting company providing counter-insurgency support operations [01:02:00] in the Middle East. I've published books. I'm now writing a screenplay for a TV series. The one thing that I have to do before I die is, is I need to fall out of a plane.
Bella DeShantz: [01:02:50] That's an awesome final thing to check off. I feel
Jeremiah Roe: [01:03:00] Alissa, thank you so much. Bella, you were awesome. Everyone else, thank you.