A Chat With Justin Elze, Director of Innovation, Research, and Advanced Testing at TrustedSec
We discuss security, ethical hacking, and what apps a security professional uses in their day-to-day life. (11 min read)
Homescreens is a publication about how we interact with our most intimate possession, our phones. Each week I interview founders and creators across industries, and we reflect on the apps they use, how they’re organized, and their philosophy on notifications and mindfulness. Check out the end of the interview for a full recap and links to all the apps and media discussed.
Jason: Hey Justin, give us a brief backstory of what you're up to. You're the Director of Innovation, Research, and Advanced Testing at TrustedSec. Can you explain what you do there?
Justin: Yeah, TrustedSec is a security consulting company. Companies generally hire us to break in or break something, and then maybe help them fix it. So that could be a big bank, and they could say, “Hey, in the next eight weeks, I want you guys to come up with attacks to break in, get into our system where you can, send a payment to somebody, and either actually do that or prove out that you could do it.” We've also done work with car vendors—they've actually had a car at my house and they had us trying to hack it, and basically see if we could take control, to help them build a better-secured design. We've done work with electric meters. Smart meters talk to each other, so we did some hacking on those. Basically, anything that somebody might want to break or hack into, we try to do that, and then help companies build a better defense for it.
Jason: That's super cool. Do you mainly focus on business systems, or also IoT devices?
Justin: Yeah, I would say a small section of our businesses is IoT, so things like cars and stuff. Our core business is breaking into enterprise or technology-based companies. Breaking into systems used to be easy, I mean, it still is depending on the client, but we do have more advanced customers.
Jason: I see you’re a Certified Ethical Hacker, how does one get certified to be an ethical hacker? What put you down that path?
Justin: You know, I watched the movie Hackers when I was growing up, and I always thought that was cool. I've always been into technology and breaking stuff. I had a pretty lengthy background in systems engineering, network engineering, and I've worked in a bunch of different help desk jobs. I was always trying to get into security, but the funny thing about security is most places want you to have some security experience before they'll hire you, so that was always my struggle.
I think 9-10 years back, I got a break, and I got into security. As far as certifications go, most Certified Ethical Hacker ones are kind of like: you take a class and you take the test. It's not a great gauge of what you know. I took one from Offensive Security, the OSCP [Offensive Security Certified Professional], and that's like a hands-on lab and probably the best one. They make you hack into four or five systems and then write a thorough report explaining what you've done, so it's kind of different.
Jason: Very cool, and thanks for sharing that. Let's dive into your phone. There are a few apps that stand out that I definitely want to chat about. The first one is Mattermost. Looking at their website, it looks like a more secure version of Slack.
Justin: Yep! Slack, as you know, is out in the cloud, and it's a big target now, right? Working from home, everybody's concerned about it. We [TrustedSec] want to own all of our data and have complete control over all of our data. If we have a conversation about a client, we want ownership and control. So, we were looking for alternatives to Slack, and Mattermost is pretty much a one-for-one alternative to a self-hosted Slack.
Jason: That makes sense for the nature of your business. And related, you have the messaging app Signal. How does Signal compare to other messaging apps like iMessage or Telegram that also offer end-to-end encryption?
Justin: Signal takes things very seriously, and they're not a big corporate entity. We looked at all the different secure messaging apps, and internally, we all felt Signal was the strongest. We have a lot of clients that opt to use Signal, and they may need to communicate something to us after hours.
iMessage and things like that are large targets for everybody at this point, and the federal government wants to access everybody. It's just an extra layer of security for us. A lot of our clients like the self-deleting messages in Signal, so their stuff is not sitting around in a backup somewhere for years. That's one of the disadvantages to iMessage and things like that. We've been happy with it, and the clients love it.
Jason: That makes a ton of sense. If you scroll back in my iMessage history with my wife, there are probably a million passwords. Amazon password, Netflix password, they’re all there. I should probably change that. Continuing on with the theme of security, I see you're a LastPass user. What are your thoughts on password alternatives like biometrics or multi-factor identification?
Justin: I actually use one of these, a YubiKey, if you’re familiar with that. It’s another layer. Basically, you need a physical key that does NFC to your phone, plus your passcode. You plug it into a computer as USB, so obviously, that's a good intermediary step.
I am assuming you know Microsoft is trying to get rid of passwords. If you ask a lot of people, they’ll say, “Oh, we'll just get rid of passwords.” Super easy, right? Then you're like — Well, what happens when you get locked out? What about this legacy app that's over here? It's really hard as soon as you have any technical debt, anything legacy to push forward. I'm assuming that'll happen over time. We use weak passwords all the time to break into companies. In a perfect world, you tell everybody to use random, alphanumeric, or some sort of passphrase. But in the real world, people make mistakes; people come up with a password that’s easily predictable. Microsoft did something recently where they blacklisted a bunch of passwords that were common, like Spring2020, Winter2020, things like that. So we went through and figured out the ones that didn't filter, the weird variations of those. Human nature is predictable.
Jason: Absolutely, I just set up a new iPhone and I went into my iCloud Keychain saved passwords, and it warned me that a website was detected of having a data breach, and asked if I wanted to change the password. Why did you choose LastPass as your password manager over, Apple’s offering, or Google Chrome's offerings?
Justin: I think when I started using one, the Apple password management piece wasn't a thing yet. I looked at OnePass, and I looked at some of the other solutions that were off-cloud. I weighed how big of a target I am personally, and I kind of made that risk assessment to say LastPass will work with me, and I'll put this extra layer on and use a YubiKey. That way, even if you've got my master password, you still need a piece of hardware. And if somebody can get by all of those pieces and LastPass, then they can have my password.
Building a risk profile of yourself, you know, we have this conversation with clients all the time where they're like, “What if somebody finds a new hack for some software that our whole business runs on?” And we're like — okay, that's completely possible. Are you the first person they're going to use it on? If you're not in that top tier, maybe you prioritize resolution of the issue a little lower? So for me, I use LastPass. I have some personal passwords and things like that in there, and if somebody gets it, yeah it's gonna ruin my day. If somebody can get to mine, they can probably get to how many others though? It’s about trying to balance everything.
Jason: That makes sense. Also, you have the Burner phone app, are you using that for TrustedSec or for personal use?
Justin: All business. Occasionally, we'll have to send text messages or make phone calls. It's part of our job. So with the working from home piece right now, a lot of companies are concerned about people pretending to be the helpdesk or pretending to call about some specific issue. And we've found that because of everything that's going on, people are very apt to want to help you over the phone. So we just use that [Burner] to create some numbers to try to call and test those things out. Same thing with SMS messaging.
Jason: Got it. One app that I couldn't find in the app store is the TRC app on the bottom right of your screen?
Justin: Yeah, that is probably an obscure one that has nothing to do with work and everything to do with hobbies. I drag race cars. That app has a bunch of information about the weather, there's a bunch of calculations you can do for car gearing and things like that. So whenever I'm at the racetrack, we're always concerned about what the weather's like, what the humidity is, all of those things. It’s purely a hobby thing but we drag race fairly often, so it's a good thing.
Jason: That's awesome. You mentioned that you were into car hacking. Are there any side projects you have going on, besides the dragstrip?
Justin: I'm always digging into car hacking. All modern cars have a thing called a CAN bus. It's basically a big network that everything on the car communicates on. My race car has an aftermarket control system and that even has CAN bus. Basically, every sensor and everything in the car is broadcasting messages, and you can get on there and you can broadcast the same messages. Even as I do this as a job, I’m always doing some car hacking on the side. It’s just something fun to dig into, and kind of an emerging industry — the security side of it, at least.
There's a big focus on vehicle-to-vehicle communications over the next probably 10-15 years. If somebody can plug into something, they can make it do something, and that's obviously hacking. But to do something at scale or do something remotely is where an issue happens. As vehicle communication increases and more cars have Bluetooth and internet connectivity, there's more attack surface there. A few years back, there were some security researchers who were able to hack into a Jeep remotely. They were very lucky that that particular Jeep had some open ports on the internet, that basically let somebody connect in, throw some arbitrary commands at it, and do some really cool work with the firmware that they were able to actually take control of the car. So it's pretty interesting.
Jason: That’s super interesting to me. The furthest I've ever dipped my toe in is buying an OBD2 dongle and reprogramming my car’s ECU to fold in the mirrors when I hit the lock button. That's about it for me!
Are there any apps that you want to highlight that we haven’t talked about, or that aren’t shown on your home screen?
Justin: Yeah, WireGuard is like a VPN alternative for phones that I've used a fair amount. A lot of people have used OpenVPN in the past, but I’ve been experimenting with WireGuard, and it's significantly quicker. So that's somewhat different and interesting. Probably the rest of my apps are all related to getting food to my house [laughs].
Jason: I’ve used VPNs on my phone before, but would you suggest to people that if they're not connecting to publicly available Wi-Fi and mostly staying connected to their home Wi-Fi, to use a VPN?
Justin: So I think there's a weird thing happening now where people are all moving to a VPN, and they're finding the cheapest VPN for $6 a year, right? I found some random company, and I’m like, who runs the company? What are they doing with the data? Is there a reason they're six dollars? I think running your own one at home, to dial back and get security on Wi-Fi is great. I would be more concerned with picking up random VPN providers and having you sign up for a year because you don't know who they are, or what if they are looking at your data on the other end, right? Your data is only encrypted between you and that provider. When it leaves there, there's no telling you what they're doing. They're subsidizing it somehow.
Jason: That makes perfect sense. Have you always used an iPhone?
Justin: I was always a giant nerd. I used to use an Android phone and I would hack it. But now, I just want my phone to work: I want to pick it up, I want to send a text message, I want to order some food, I just want it to work. I don't want to hack it, I don't want to do anything crazy. Younger me was of a completely different point of view on this. I'm happy with the level of security I get. I don't find myself being as big of a nerd on that side of the house anymore.
Jason: So it was the baked-in security and simplicity that made you switch to the iPhone and iOS?
Justin: Yes, initially. I used Android in the past, Android security had been a really big problem for a really long time. The App Store and being able to load apps that random people wrote, and there's been a bunch of documented exploits. The problem with Android is all of the variants of their phones not running completely updated operating systems, so they still have some of those vulnerabilities. As a security researcher, if you wanted to do a deep dive on your iPhone and put some antivirus and things like that on it, there's no way to do that. You can't tell what's going on behind the scenes. Maybe if you jailbreak it, you can, but there's no easy mechanism to do that. So you're putting a lot of faith in Apple doing a good job. Android gives you the ability to install some extra things to kind of get a better look at that. So I would say at one point, Apple was way ahead of Android, but I think they're pretty similar now. And I know I've said this a couple of times, but your risk profile is: is somebody willing to spend a whole bunch of money to hack into your phone? Maybe, maybe not.
Jason: That's all the questions that I had whipped up about your phone. Before we go, do you have any interesting security-exploit stories you could share, without naming names?
Justin: Yeah! So without naming a particular company, the goals that clients give us and the ways that we get to them have always just been a unique path. Sometimes it’s something as benign as a phishing email, and then going to the bank at the same time, and saying, “Hey, we got the repair order for this printer, have you checked your email?” And then walk in where they had their server rack for the bank, which was inside the vault. So they just let us in there, and then left. So there are situations like that, when at the time, it's like, “There's no way this is ever gonna work.” And then, we go through with it and walk out, and get it done.
Jason: Oh wow that’s incredible. So you aren’t just hitting them electronically, but also using social engineering.
Justin: Oh yeah, that's always the biggest vulnerability, at any company. Every environment is a little bit different, but there's this thing when companies are like 1000 people or smaller, if they have security investments, they're very hard to break into. Once you start getting into Fortune 100 companies, it's actually much easier to break in, even if they have a floor of security people, because they’re so disjointed. Managers fight each other, Directors fight each other, they have systems that are twenty years old that they need to keep online for some reason. It’s mind-blowing for me, because you're like, “Oh, this place has two floors of security people, 24-hour monitoring, there's no way.” And it's definitely proven itself the other way around. The company’s size is giving you more places to make mistakes.
Jason: That makes sense and is super interesting, Justin, this has been absolutely great talking to you, I’ve learned a lot.
Justin: Thanks for having me, this was fun, I like what you’re doing with this. Talk to you later.
Endnote
Thanks for reading my interview with Justin. You can connect with him on LinkedIn and Twitter, plus find him featured in the following books:
Tribe of Hackers Red Team: Tribal Knowledge from the Best in Offensive Cybersecurity
Tribe of Hackers: Cybersecurity Advice from the Best Hackers in the World
Lastly, if you enjoyed this interview, consider sharing it with someone and subscribing if you haven’t already. New interviews are published every Friday morning. If you have an interesting story to tell and home screen to show off, submit a request at www.homescreens.co.
📱 App, Product, & Media Recap
💬 Mattermost - Mattermost is a high trust, open source collaboration platform built for developers.
💬 Signal - Say "hello" to a different messaging experience. An unexpected focus on privacy, combined with all of the features you expect.
🔑 Yubikey - Stop account takeovers, go passwordless and modernize your multifactor authentication. Get the world’s leading security key for superior security, user experience and return on investment.
🔏 LastPass - LastPass is a password manager that securely stores your passwords and personal information in a secure vault.
☎️ Burner - Burner is the market-leading private phone number app — a second line for calling, texting, and picture messaging in everyday situations.
🐲 WireGuard - WireGuard is a fast, modern, and secure VPN tunnel. This app allows users to manage and use WireGuard tunnels.