A Conversation with Alissa Knight: Security Is In The Eye Of The Implementer
Recovering hacker extraordinaire and content creator Alissa Knight is a disruptor. Her videos and white papers from the perspective of an adversary exist to assist companies in determining the efficacy of their products. Join us as she talks about mobile app security, FHIR, and what it means to be a hacker.
Welcome to In Scope, the healthcare security podcast. In each episode, we bring you insightful interviews, informative technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem with host, Mike Murray.
Today’s guest is Alissa Knight. With over 20 years of experience, Alissa calls herself a “recovering hacker.” She is a researcher and content creator specializing in cybersecurity. She goes on to describe herself as “a disrupter of the content marketing space” as she assists brands and market leaders in locating vulnerabilities in their unique Application Programming Interface (API) systems from the perspective of a potential adversary. She then creates strategies on how to better safeguard the cybersecurity of their users. In particular, Alissa has been focusing on mobile security and the potential flaws within mobile apps, specifically within the healthcare system. In her research, she explores the challenges that mobile developers face. In her efforts to transform the cybersecurity industry, Alissa reveals that many organizations have never undergone API penetration testing and how this puts mobile app users’ private health information at risk. Alissa is also an author and entrepreneur. She started and sold two cybersecurity companies and is the CEO of managed security service provider, Brier & Thorn.
In expressing his excitement to “geek out” with Alissa today, Mike starts off by asking Alissa about her recent mobile hacking paper in which she explores poor practices on behalf of mobile developers and healthcare developers. She breaks down her process of static code analysis, explaining how the continued use of hard coding usernames and passwords over the years has proved to be problematic in securing personal private information. She then explains how she implements network traffic interdiction to gain further insight into how the organization’s API system functions so she can better infiltrate the system during cybersecurity testing.
Mike inquires further about this topic asking why Alissa chooses to do traffic interdiction and why other apps aren’t doing “cert pinning,” otherwise known as certificate pinning. For listeners that are unfamiliar with this concept, Alissa explains certificate pinning as a means of telling your API system to only accept your certificate and to reject any alternate incoming certificates. With this in mind, Alissa then discloses how she goes about intercepting messages within the system in order to manipulate the incoming information within the API. She reveals that of all the systems tested, she found all were vulnerable to broken object level authorization and provides a real world example to demonstrate what those risks can look like.
The discussion shifts to what Alissa describes as “authentication versus authorization.” She believes the problem ultimately boils down to developers focusing on authentication while authorization often gets overlooked. She elaborates saying how these code challenges not only influence the vulnerability of patient medical records, but also extend into other areas such as the vulnerability of private financial and banking information and believes this to be an overall systemic issue in need of addressing.
Mike then focuses on solutions and asks Alissa for her insight as to how to overcome these code challenges in the mobile app space. Alissa reveals that she believes the answer is multidimensional but that it begins with secure code training. This includes doing away with hard coding credentials within the app and regularly undergoing penetration tests in an effort to hack into your own systems.
They conclude today’s episode by excitedly discussing Alissa’s passion for hacking and how it indeed is its own art form. Mike inquires about what’s next for Alissa and what her newest research entails. She discusses her new video titled, “Playing with FHIR” and how it explores vulnerabilities affecting FHIR API systems. More specifically, the vulnerabilities that can result from implementation as they will all be implemented differently. Before departing, she offers her personalized wisdom urging listeners that “security is in the eye of the implementer.”
– Host Mike Murray opens the show
– Mike introduces guest, Alissa Knight
– Poor practices on behalf of mobile developers and healthcare developers
– What defines a hacker
– Traffic Interdiction and why apps should use certificate pinning
– Authentication vs. Authorization
– Mike shares his experience working for a medical device manufacturer
– How to overcome code challenges in the mobile app space
– The art form of hacking
– Alissa’s work with FHIR API systems
– How to further connect with Alissa Knight
0:00:02.7 Mike Murray: Welcome to In Scope, The Healthcare Security Podcast. Each episode, we bring you interviews, technical tips, and a unique point of view on the challenges facing the ever-changing healthcare ecosystem. Here’s your host, Mike Murray.
0:00:20.9 MM: I’m really excited about this guest. This is one of my favorite podcasts that I think we’ve ever done because as any of the listeners know, obviously, we’re a healthcare security podcast, but I’ve done a lot of things in mobile security, including being chief security officer at a company called Lookout, where we spent a lot of time examining the flaws in mobile apps around the world, and when I read our guest’s paper on Mobile Health app, so I was like, this is the perfect person for us to just nerd out about all of the challenges that mobile developers have as well as healthcare. So with that, we have Alissa Knight with us who wrote a really cool paper and is about to do another one. So I’m really excited to have her on the podcast today because I think we’re just gonna geek out about all kinds of really cool things. So Alissa, welcome, and maybe you can give the audience some background on yourself.
0:01:10.9 Alissa Knight: Let the geek out begin.
0:01:12.5 MM: Exactly.
0:01:13.3 AK: Yeah. Sure. So I kind of feel like I’m at that arrogant stage of my life where I can just walk right into a podcast ’cause I’m just everywhere, and I don’t need to give my bio anymore, it’s kind of like… It’s kind of like a famous Hollywood actress where she just doesn’t have to introduce herself anymore, I’m like Julia Roberts, and I just don’t have to go on about Pretty Woman or anything like… Or Erin Brockovich, I just say, “Alissa Knight.” And everyone’s like, “Oh yeah, her.” No, I’m just kidding. I’m not that arrogant.
0:01:45.5 MM: Soon enough, you can just go by Alissa and everybody knows, like Madonna or Cher.
0:01:51.3 AK: It’s just Alissa or AVK. Yeah, yeah. It’s not even the name. It’s just the initials. Or I could just be like Prince with the symbol. Anyway, so yes, I’m a Alissa Knight, recovering hacker extraordinaire and contact creator. So if a content creator and a hacker had a baby, I would be the product of that.
0:02:15.0 MM: That is a fantastic elevator pitch. We in start-up land love our elevator pitches, right.
0:02:20.8 AK: I like to disrupt, and so I think the best way to describe me is I really see myself as a disruptor of the content marketing space, where you can kind of throw a rock and hit somebody that can write a white paper about a product and how great it is, and I mean that in the most respectful way possible to all the vendors out there and all the marketers out there, ’cause that’s needed, right. But I’m a big believer in Simon Sinek’s, people don’t buy what you do, they buy why you do it. And so what I’ve done is I’ve said, okay, we need to change this up. And so what I’ve done is I create content, whether it’s videos or white papers from the perspective of an adversary, so I blend hacking and consecration together to show the efficacy of a company’s product. So in the research that you’re talking about, that you spoke about in the intro, it was a vendor that approached me with an API security product, and I said, okay, well, instead of us talking about how you protect APIs from attack, why don’t we go out there and attack 30 mobile health apps and APIs and show how your product would have prevented it and how it prevented it, so people can make sure that the product does what the marketing material says it does, which I think is a systemic problem in cyber security.
0:03:43.6 MM: I completely agree with you. I rant all the time about cyber security and the diet industry being the only two industries I can think of where in selling the product, it’s really hard to demonstrate the benefits. If I say to you that I protect against Russian APT, if you don’t happen to have Russian APT on speed dial to call them up and be like, “Hey, can you attack this for me.” How do you prove it?
0:04:05.4 AK: “Can you make sure this salesperson is not lying to me? Can you run ransomware in my network?”
0:04:11.5 MM: Yeah, it’s hard.
0:04:13.4 AK: It is, it is. As a CISO, as a buyer, I’ve been on that side of the table, and a lot of times you’ll find features, they meant to say were going to be in the future version, not the current version, or, “Oh, that’s coming.” You don’t really get what you think you’re buying, and so I’m trying to transform the cyber security industry and be a different voice and really disrupt the way we’ve been doing things up until now.
0:04:48.6 MM: I love that so much. And so let’s geek out a little bit. Let’s talk a little bit about your mobile hacking paper, because I think you identified so many really interesting bad practices on mobile developers and also bad practices that healthcare developers fall into and maybe give some color on what you found.
0:05:06.6 AK: Sure, so I started out with what’s called static code analysis, where I downloaded the apps, I used APK extractor to pull them off my Android device, moved them to my work station to actually analyze the code to look for hard-coded API secrets, tokens, credentials, even in 2021, we’re still doing that, we’re still hard-coding usernames and passwords in apps, we’re still hard-coding API keys and tokens. So despite best practice, despite the two or three decades of slaps on the wrist for doing this, we’re still doing it, after I’m done with the static code analysis, I moved to network traffic interdiction where I actually inject myself in the middle of the communication between the mobile app and the API, so I can understand how the API works, right? And that’s why I’m a big proponent of the fact that you don’t have to be a programmer to be a hacker, and I’ve fallen on the opposite side of that debate so many times where it really has become a religious debate, where the programmers and supporters are… You’re not as good of a hacker unless you know how to code, and if you look at things like black box penetration testing or embedded systems, like a connector, you don’t wanna have access to source code.
0:06:26.4 AK: So how is that even relevant? And the best hackers that I’ve ever met couldn’t write a line of code to save their life, but they’ve got… Not that this even matters, but CVEs to their name, because that’s how people are being measured now too, right. How many CVEs do you have? It’s ridiculous.
0:06:43.7 MM: Sorry, the audience couldn’t see my head in my hands as you said that…
0:06:48.2 AK: There was this thread on Twitter where some woman was being attacked by this dude that was like, how many CVEs do you have to your name, how do you call yourself a hacker if you don’t have any CVEs? And it’s ridiculous. The whole thing is, to me, is asinine, because that doesn’t define a hacker. To me, hacking is just sending stimulus that the developer didn’t expect and seeing what the response will be. That’s all it is.
0:07:17.0 MM: Yeah. If you wanna get a bunch of hackers riled up, tell them that security is really just one additional step of QA, and we’re all just glorified QA people as much as we like to think that we’re better than that in some way. So question for you, you’re talking about traffic interdiction and I wanna… So one of my favorite struggles in mobile security, how are you doing traffic interdiction? Why are none of these apps cert pinning and for… Maybe explain, cert pinning to the audience for people who aren’t up on what we’re talking about.
0:07:45.9 AK: That’s a good question. So unfortunately, in my 2019 research where I did this with financial services mobile apps, and now this year with mobile health apps, it is a systemic problem, it’s endemic to I think the industry where… And the only answer that I’ve gotten around this question is, we’re afraid of breaking the app. Either the certificate expires or we do something wrong, and pinning ends up breaking our apps. So we accept the risk and don’t implement pinning. I think it’s a lack of confidence in implementing, pinning the potential repercussions of a certificate expiring and not knowing what to do, or just problems in general with the certificates. And for our audience who doesn’t know, certificate pinning is simply just telling your mobile app, this is the… Or the API, this is the only certificate that you’re allowed to basically accept.
0:08:42.2 AK: And so it basically hard-codes that cert and says “You need to ignore all other certificates unless this one is presented to you.” And so when you don’t implement that, you can insert yourself… What I like to call a person-in-the-middle, or woman-in-the-middle tech where you are presenting a certificate to both sides of the communication. I’m pretending to be the API server, so I present my certificate to the mobile app. I’m pretending to be the mobile app and I present my certificate to the API. And so both ends of that communication think they’re talking to each other and they’re really talking to me. So that allows me to decrypt the SSL-TLS sessions.
0:09:17.0 AK: So when you’re doing this, it allows you to decrypt that traffic, which would otherwise be encrypted and allow you to understand what the URI requests are to the API that they API expects to receive. So that’s all I’m doing. I’m just watching that traffic, I’m watching these two end points talking to each other and manipulating it. So if an API sends get/patient/100, I’ll intercept it with a tool called Burp Suite and change 100 to 1001 and see if the API sends me that data. And if it does, that’s indicative of what’s called the broken object level authorization vulnerability or BOLA vulnerability, and every single one of the APIs that I tested were vulnerable to this. So it’s like they’re renting and leasing the same code… And don’t get me wrong, I have an immeasurable amount of respect for developers. I think the problem is that developers are getting authentication right, but they’re not getting authorization right. They need to understand that you need to authenticate and authorize.
0:10:22.8 AK: And for your audience who also may not know what BOLA means, it would be like, Mike, you and I go to a party and you check your Burberry coat and wallet into the coat check, you get 18 as the number, and I come behind you and say, “Hmm, I want Mike’s Burberry wallet, and I want Mike’s Burberry coat.” And I get 17 and I check mine in. And then I take sharpie and I change that seven to an eight and go back to the coat check and say, “I want my stuff,” and then being able to walk away with your Burberry coat and wallet because I’m authenticated. The coat check person says, “Hmm, Alissa has a number.” It’s just, I don’t have my number, I have your number. And that’s a great example of authentication versus authorization. I’m authenticated, I’m allowed to be there. I’m authenticated, I’m allowed to talk to the API, but I’m not authorized to request Mike’s patient records.
0:11:12.8 MM: And we see that in healthcare so much. I often tell a story. I’m gonna tell the story on the podcast for the first time, and I think you’ll get a kick of it. In a prior life, when I worked for a medical device manufacturer, there was a product that didn’t ever reach the market, and it was because… It’s the only time I’ve ever brought in a pen test team and had them quit. The pen test team started the engagement at 9 o’clock on a Monday morning, and they called me at 1 o’clock on Monday and said, “We’re done, we’re out.” And I was, “What do you mean? It’s a two-week engagement, guys.” And they said, “No, it’s really simple. With any user log in, here’s the URL, it’s a get-request, and it’s literally patient record ID1, ID2, ID3. And if you have any account, you just iterate through all of it and you can dump all the patient data out of the entire system.
0:12:01.5 AK: Was that an API or a web app?
0:12:03.9 MM: No, that was a web app…
0:12:04.4 AK: Oh, wow.
0:12:04.9 MM: But eventually, they were talking about a mobile interface using that as an API, just like everyone else. And so I’ve seen that same pattern so often. And like you said, in mobile as well, it’s not just health apps, it’s finance apps, it’s all kinds of apps that have these challenges with code, I think because we don’t train our mobile developers well enough. With these challenges in the mobile app space, what do you see as the solution? Is it just secure code training? How do we solve this problem? And especially because the research you did went across not just mobile app developers, but hospitals and health-care delivery organizations who aren’t necessarily spending huge amounts of their time developing software… How do you solve this?
0:12:49.3 AK: Yeah. That’s a good question. So I did actually speak to some developers. Obviously I’ve had FHIR developers reach out to me, I’ve had mobile app developers reach out to me. And I like to ask this question, What got us here? Why am I still seeing this now two-and-a-half decades later. This is stuff that reared its ugly face 20, 25 years ago, hard-coding credentials and keys and tokens and BOLA, or what used to be called IDOR, insecure direct object reference. And we’re still seeing it in 2021, and the most common theme and narrative that I get back is, “Well, if we can’t hard-code the keys in the app, where can we put them?
0:13:33.3 AK: We need to have a completely, a carbon copy for this conversation. What do you mean, where do you put them? And so that leads us down this whole conversation about code obfuscation and keystores and all that. Anyway, but I think the answer to your question is secure code training. Humans are the weakest link in security. We will forever be the weakest link. It doesn’t matter if you have a blank check for all the security controls in the world. If you have a human that hard-codes credentials and tokens into a mobile app, it doesn’t matter how big of a security budget you have. If you have stuff like that going on, game over.
0:14:10.7 MM: And I think you bring up another really interesting point is, if you look at state-of-the-art around API development and stuff like that, you find HSMs and keystores and secret stores that to do it well, you have to actually work at the design and development of the architecture of the app. And I think a lot of times when I’ve talked to a lot of mobile developers, they’re so focused on building the mobile interface that the API that serves the data from the back-end is often a bit of an afterthought. Did you see some of that? I’m curious just what you think of that idea?
0:14:40.6 AK: Well, first of all, I think the response was obviously different across different organizations. When you’re talking about 30 apps, you have different responses and different visceral levels from different organizations. The response is different and with some organizations it’s, “Thanks for the free penetration test. We know what to… ” And it is cool. It’s very philanthropic work because it’s not just about me doing some work for a client. There’s actually multiple companies that have used that research and pointed to it for their own marketing purposes, and of course, it helps developers understand what they need to be doing better. Organizations to understand that this needs to be better because it’s PHI. It’s our most sensitive data. Like I’ve said before, a bank that has a compromised credit card or debit card can just send you a new card in the mail. If your PHI is compromised, how do I send you new PHI in the mail? It doesn’t work that way.
0:15:39.9 AK: I think the responses are different. I think different organizations have different explanations for why. I’ve run into some organizations that say, “We’ve never had a penetration test before.” How is that possible? It’s in production. What do you mean? “Well, our SDLC goes this way and then once it’s in… ” It’s shift right security versus shift left. So I wanna say that the answer to your question is multiple layers of an onion. It’s different things. It’s shift left security. It’s using solutions like Approve. It’s performing penetration testing and hacking your own stuff. It’s hopefully doing it before production. It’s not hard-coding credentials in your app and keys and tokens in your app. It’s all of these things that we’re… It’s not just one thing. And that’s what I love about this. This is why I’m so passionate about hacking is, you and I are hacking the same API, guess what, you’re gonna find different findings than me.
0:16:39.3 AK: You’re going to look at things differently through a different lens, just like you and I standing in a museum, I’ll be like, “Mike, that’s the ugliest painting I’ve ever seen.” And you may say, “Alissa, I love that painting, I’m buying it.” So everyone has a different perspective and that plays out in penetration testing, and that’s what I love so much about it.
0:16:58.2 MM: Yeah, it is a bit of an art. There is an art to that, to red teaming into finding volumes. Alright, I have to ask you, I know you’re about to start doing some work on the FHIR standard.
0:17:09.7 AK: Yes, it’s coming.
0:17:11.7 MM: Maybe you wanna do a little bit of foreshadowing on that.
0:17:14.4 AK: Alright. So, it was dropped here. You heard it here first on Mike’s podcast. I haven’t talked about this research yet. So the video did drop as my loyal fans expect of me, a cinematic DreamWorks-style trailer to unveil new research. It’s called “Playing With FHIR,” F-H-I-R, of course. I’m partnering up with several organizations that have offered their FHIR APIs up for me to blow up and target, which is really cool. For them, of course, the benefit is that they get Alissa Knight to hack their… I’m really sounding so arrogant and I really am. And if you get to know me, you’ll find out that I’m the least arrogant person in the world. Anyway, so… Sorry, I sound like Donald Trump, “I’m the least arrogant person I’ve ever met.”
0:18:08.5 MM: You should start a brand, Hacked by AVK.
0:18:10.9 AK: Hacked by AVK. I’m having the T-shirt made. Phil, you’re in charge of that.
0:18:19.0 AK: So I’m not only member, I’m also the president. So yes, I’m excited about this new research. I’m excited about what we’re gonna find. I’ve already begun poking it, the first FHIR API. The thing about FHIR… Okay, so first of all, this is a huge thing because the National Institute of Health, the US government has passed this federal law around the use of FHIR APIs. It’s being mandated. It’s being required for healthcare data interoperability between providers, between the entire healthcare sector in the United States. So it’s a big thing and they’re being built on FHIR. What everyone needs to understand is that FHIR is not a shrink-wrapped API you can buy. FHIR is a standard. It’s like a schematic. It’s a blueprint for how to build the API. Now, what is the first thing that comes to your mind as a hacker when you hear something like that? If the beauty is in the eye of the beholder, then certainly security is in the eye of the implementer. Oh, that was good. I need to trademark that.
0:19:24.2 MM: Yeah, you need to say that one a lot.
0:19:26.3 AK: I’m impressed.
0:19:27.4 MM: I’m gonna quote you on that a thousand times.
0:19:29.5 AK: Please, yeah. There’s just a small royalty I’ll expect every time you use it.
0:19:33.4 MM: Yeah, that one’s gonna end up in a slide deck that I present somewhere.
0:19:36.6 AK: So, the thing is, is that with FHIR implementations, every company is gonna implement it differently, therefore the security is gonna be different across all implementations. So the interesting thing here is, yes, my results in this report will be around vulnerabilities affecting FHIR APIs, but we need to be careful to state that and clarify that this is not vulnerabilities in FHIR, it’s vulnerabilities in these specific FHIR implementations ’cause everyone’s gonna implement it differently and the interesting thing, and I don’t know if you saw this, Mike, you probably know this with your former life, but you can go to Amazon and AWS and search for FHIR, and they have pre-built stuff for building and quickly spinning up a FHIR API at Amazon. It’s crazy like this stuff is everywhere go to Google, Google has the same thing. Go for Google Cloud. It’s crazy this stuff is everywhere.
0:20:29.0 MM: Yeah, FHIR, for those that don’t know, is the intellectual successor of HL7, which if you know anything about HL7, it is everything to everyone, it’s patient interchange, it’s interchange about care and doctors and nurses, and it literally has been extended so many times to do everything and FHIR is now doing the same thing, like you said, every implementation of FHIR is a unique implementation, even though it adheres to theoretically a standard and that means…
0:21:01.3 AK: Yeah, and you’re probably going there, fast healthcare interoperability resources, FHIR. Yeah, the interesting thing, even Apple Health Care uses it, Apple Health on your iPhone.
0:21:12.8 MM: Yeah. And I’m really excited to see the work that you do, I think people like you sort of intimated people look at something like FHIR and they say, “Oh well, it’s FHIR, it’s secure.” But to your point, it really is in the hands of the person who implements it to determine whether or not that’s secure and whether or not it’s built securely.
0:21:33.7 AK: Intimated. I like that word.
0:21:37.5 MM: I tend to use big words.
0:21:37.7 AK: I’m gonna use that word.
0:21:39.7 MM: I love it.
0:21:40.7 AK: Okay, you get to quote me and I get to us intimated.
0:21:43.9 MM: Done. With that, where can the world find more of you? I mean, everyone already knows you, but…
0:21:50.2 AK: Everyone must be so sick of me. My wife walks up to me the other day, and I didn’t know how to process this, she walks up to me and she’s like, “Honey, you’re everywhere.” And I’m like, “Oh my God, what does that mean? Like, are you sick of me?” I’m like, I’m kind of… I think of Jeremy Maguire when kush was like “I’m getting kush lash.” I’m everywhere, it’s Kush lash, not it’s like Ali Lash. But yes, definitely subscribe to my YouTube channel, that’s where a lot of my videos would drop first as I am a YouTuber, I release new video, and I do live broadcast every week. So definitely check out Knight TV on YouTube, as well as on LinkedIn and Twitter.
0:22:32.8 MM: Right on. Well, thank you so much for coming in. Maybe when you release the FHIR paper, we can have you back and we can do this again ’cause…
0:22:38.7 AK: We will, yes, we’ll drop it here, we’ll drop it here first.
0:22:42.0 MM: I love it. I love it. With that, thank you again for being here and we’ll talk again soon.
0:22:49.4 MM: Thanks for joining us for this episode of In Scope. To make sure you never miss an episode, hop on over to www.scopesecurity.com to sign up. Or you can listen on Apple Podcasts, Spotify or Stitcher. And if you have ideas for topics, guests or technical tips, please contact us at [email protected]
ABOUT THE GUEST
Alissa Knight is a recovering hacker of 20 years, blending hacking with a unique style of written and visual content creation for challenger brands and market leaders in cybersecurity. Alissa is a cybersecurity influencer, content creator, and community manager as a partner at Knight Ink. Alissa is also the principal analyst in cybersecurity at Alissa Knight & Associates.
Alissa is a published author through her publisher at Wiley, having published the first book on hacking connected cars and recently received two new book contracts to publish her autobiography and a new book on hacking APIs.
As a serial entrepreneur, Alissa has started and sold two cybersecurity companies to public companies in international markets and also sits as the group CEO of Brier & Thorn, a managed security service provider (MSSP).