Interview with Georgia Weidman – The founder and CEO of Bulb Security
1- Can you please introduce yourself to security Kaizen magazine readers (bio, experience, history)
Georgia Weidman is a penetration tester, security researcher, and trainer. She holds an MS in computer science as well as CISSP, CEH, and OSCP certifications. Her work in the field of smartphone exploitation has been featured in print and on television internationally. She has provided training at conferences such as Blackhat USA, Brucon, and Security Zone to excellent reviews. Georgia founded Bulb Security LLC, a security consulting firm specializing in security assessments/penetration testing, security training, and research/development. She was awarded a DARPA Cyber Fast Track grant to continue her work in mobile device security, culminating in the release of the open source project the Smartphone Pentest Framework (SPF).
Georgia is a member of the spring 2015 cohort at the Mach37 cyber accelerator, founding Shevirah Inc. to create product solutions for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions. She is the author of Penetration Testing: A Hands-on Introduction to Hacking from No Starch Press.
2- Could you tell us more about the company that you have founded?
I’ve actually founded two companies. First I founded Bulb Security LLC, which is my security services business. We do penetration testing and vulnerability assessments, security training, exploit development and research, coding projects, etc. I recently spun off Shevirah Inc. as part of the Mach37 cyber accelerator program mentioned in the next question. Shevirah is a product company taking my previous DARPA Cyber Fast Track project, the Smartphone Pentest Framework, and turning it into a commercial product that can be integrated into the penetration test or security program by consultants and on-site security teams. Shevirah is a provider of testing tools for assessing and managing the risk of mobile devices in the enterprise and testing the effectiveness of enterprise mobility management solutions.
3- Can you tell us more about the cyber security incubation program that you joined?
Mach37 is an accelerator in Herndon, Virginia, near Washington, D.C., that specializes in early-stage cybersecurity product companies. The Partners come from the security industry and have founded and exited a number of security companies, and have operated business units within large organizations in the security market. Several have institutional investment backgrounds. They invest and provide a program for security startup founders to validate their product concept, market fit, go-to-market strategy, and investor value proposition. Mach37 hosts a new cohort of 6 to 8 companies in the Spring and Fall of each year.
4- What inspired you to write your first book?
When I was first starting out in security, I found that a lot of the books, tutorials, etc. assumed a certain level of previous knowledge about Linux, programming, even security in some cases. When I would ask for help I’d often get “GTFO n00b” sort of responses. So when I was approached about writing a book it seemed natural to me to try and make learning the basics easier for beginners. I wrote my book with my early career self in mind. I hope it helps many beginners like me jump into security and hit the ground running.
4- The usage of smart phones is increasing at a very high rate, especially in the Middle East. Can you tell us more about the latest mobile security issues and threats?
Mobile is interesting since it goes with us everywhere, has pretty high computing power these days, and thanks to the mobile modem can be thought of as an Internet-facing device. Mobile basically has the same sort of issues as any other device. It might be possible to exploit them remotely, say through a default SSH password on a jailbroken iPhone or through a malicious cell tower attack or attacks on SIM cards. They are also subject to client side attacks, much like browsers, PDF viewers, etc. on our traditional computers. When an app on a mobile device opens a file, if that file is malicious it may take control of the application or even the entire device. Social engineering is a big problem in security, from malicious links in emails, to someone walking into the office pretending to be a pizza delivery person. Mobile phones have their own brands of social engineering risks such as malicious links in text messages. Even users who are savvy about the risks of social engineering emails may not make the connection to text messages, when the attacks are much the same. Another issue with mobile is physical access: even with a PIN in place, if it isn’t strong or the attacker has a guessing device, and your phone is misplaced, all the data could be compromised. Additionally I’ve seen some interesting research around malicious mobile phone chargers. Who has not borrowed a charger from someone or plugged their phone into someone’s computer to charge it in a pinch? The computer could attack the phone or vice versa.
5- How do you see the future of cyber attacks especially in the Middle East region?
Next generation devices, as I call them, be they cloud, mobile, internet of things, etc., are getting a tremendous amount of traction. It took years and years for the security posture around our traditional networks to get as mature as it is now, and it is far from perfect. We are basically starting over with a lot of technologies in terms of security.
We need to work much faster to mature security around our new technologies. I suspect we will see many sophisticated attacks around these technologies as well as simple ones, such as this simple toilet hacking scenario involving a hardcoded PIN: https://www.trustwave.com/Resources/Security-Advisories/Advisories/TWSL2013-020/?fid=3872.
6- What kinds of things do you do in your daily life to protect yourself?
Honestly, probably not as much as I should. Functionality vs. security is a very difficult problem, and I completely understand when users say it just isn’t feasible to, for instance, have a 10 character password on your phone. Say you are stopped at a stoplight and running late and need to call the person you are meeting and let them know; good luck typing in 10 characters correctly with one hand still on the wheel watching for the light to turn green. Or consider the best practice to wipe your device if it receives multiple incorrect login attempts. I’ve known multiple people with children who end up losing all their data because their kids were playing with it. I am very careful about securing my customers’ data, but as far as my personal data goes, I’ve resigned myself that to do things online is to take on an inherent level of risk.
7- Which Security Conferences are you keen to attend every year?
I like to attend conferences in new places. I like to see the world and I get the chance to meet people I would not get to meet if I just attended the bigger conferences such as Defcon. Not everyone makes it out to those; lots of people just go to their regional events. I recently attended the Regional Security Summit in Oman, which I really enjoyed. Later this year I will be keynoting the Australian Information Security Association’s annual conference in Melbourne, another new place for me.
8- Do you plan to release another book soon?
Probably not for a while. I’m pretty busy with my companies right now. I also have some goals in the exploitation space I want to meet. Maybe somewhere down the road I could see doing another one, but it is a lot of work to write a book.