What is a Connected Car? & How to secure its API?


Episode Description

What We Discuss with Alissa Knight:

  • What is a Connected Car?
  • What is API?
  • How do I secure APIs?
  • How can someone secure API for Connected Cars?
  • What should you do to monitor API?
  • Can I buy a Tesla?
  • Apple has API to record body contact, which cannot be turned OFF
  • COVID Safe apps and the future of how freely information is collected by internet aware smart devices?
  • Who do you report to when you are concerned about your connected car?
  • And much more…

THANKS, Alissa Knight!

If you enjoyed this session with Alissa Knight, let her know by clicking on the link below and sending her a quick shout out on Twitter:

Click here to thank Alissa Knight on Twitter!


Ashish Rajan: [00:00:00] Hello and welcome to another episode of Coffee with Ashish. My name is obviously Ashish. I am here with Alissa Knight today. I want to give you a quick 30 sec spiel on what we are and what we do. So, I started the whole Virtual Coffee with Ashish because I want to keep having coffee with people, but the whole COVID-19 situation made it very impossible. So I started this Virtual Coffee series so that I could still meet people and I could still have conversations with them, but from the safety of their home and my home. So, the intent is to cover any cyber security topics that are, that people who are in my network would be interested in.

Or I’m interested in. Today’s topic is one of those ones, which is about connected cars and hacking connected cars. Cause I’m not gonna even pretend that I know what I’m talking about. So that’s why I got myself an expert for it. I’m gonna bring her on in a moment. [00:01:00] Yeah. Alissa coming on the

Alissa Knight: [00:01:02] O

Ashish Rajan: [00:01:03] a I mean, it’s

all right. I’ve already gone.

Alissa Knight: [00:01:10] Can you hear me okay?

Ashish Rajan: [00:01:12] I can hear you okay. For sure.

Alissa Knight: [00:01:17] Okay.

Ashish Rajan: [00:01:17] Come need to be in the centre. I mean, it’s changed. Another view of this is,

Alissa Knight: [00:01:20] Oh, there you go. There we go. That’s

Ashish Rajan: [00:01:22] better. Yeah. All right. Cause I’m like, I’m using you for it. So

like scream, scream, scream. That is for sure. I’m, I’m definitely going to be some dips on a stream. Yeah. Why are cost from you after this? But welcome to the show. I know we’ve spoken to Bart, before in my other podcast, which is executed podcast, but I’m glad I could bring you over here as well, and I’m not going to butcher your introduction, right.

I think I’ve tried giving different versions who I’m like, [00:02:00] how do I make this sound? Because she’s already so amazing, but how do I put this? So I’m gonna, if you don’t mind, if you could introduce yourselves to the audience. For people who haven’t heard of you before.

Alissa Knight: [00:02:13] Yeah, definitely. But you know, I’m such a big deal.

Everyone should know about me.

Ashish Rajan: [00:02:19] That is so true. Why didn’t you guys know?

Alissa Knight: [00:02:24] So, yeah. So, I’m Alissa Knight. I am the, gosh, who am I? I’m, I’m, I’m a recovering hacker. I’m in a 12 step program for recovering hackers. I have, so I’ve been working in cybersecurity for about 20 years. Typical Hollywood story, arrested for hacking into a government network when I was 17, went to go work for the US intelligence community and cyber warfare at one point.

Started and sold two previous cyber security startups. I’m in the middle of an M&A on my third, started a venture [00:03:00] capital fund to invest in startups, back in Chicago. I’m now the partner at Knight Ink where I’m doing content marketing for cybersecurity vendors. I’m also a published author.

I just got a new book deal to write a second book. And my first book was on hacking connected cars. I lived in Stuttgart, Germany for awhile, hacking into connected cars and, just traveled around Asia, Europe, talking about how to actually hack telematics control units, which are basically the cell, the cell chips within connected cars.

and, um. Yeah. So that’s me in a nutshell. I would say that I would say as a hacker, I, I focus more on embedded systems. I, I’m very big into, you know, like the research I published where I had to bang through at CCTV cameras in the parking lot. you know, I like to target, I like to target very labyrinthine areas of security, like connected cars, embedded systems, [00:04:00] connected medical devices.

I like to target the stuff that isn’t very commodity. I like to niche myself in specific areas of security.

Ashish Rajan: [00:04:11] Interesting. And, well, I was very straight dive into question, but before we dive into question, because this is a coffee show.

that’s

Alissa Knight: [00:04:25] amazing.

Ashish Rajan: [00:04:27] so I’m gonna start with the obvious question. For people who don’t know what is connected

Alissa Knight: [00:04:32] cars. Oh man. Any car made after 2001. So a GMC GM OnStar was actually what really introduced the connected car. And, I believe it’s any car made after 2001. So for those of you who think you’re impervious to being hacked because you’re not driving around in a Tesla, you’re wrong.

Yeah. [00:05:00] really any car, these days is connected. whether it’s a Jeep or a Nissan or a Chevy or, you know, Mercedes, whatever it is, they’re all connected.

Ashish Rajan: [00:05:11] Also is connected in the context of a connected to either to the internet or mobile phone, or to a device. It can connect to a device.

Alissa Knight: [00:05:20] Yeah. Sorry. So let me, let me just expound upon that.

so the cars have SIM chips in them very much like a cell phone. So all of you need to stop thinking about cars is like this just combustion engine. And you know, uh. It’s, it’s, it’s a network. It’s a network on wheels. I would go as hard to say that it’s a cell phone on wheels cause it’s, if you think about it, you know, there’s network interfaces to it, like wireless.

and a lot of automakers, they’re connecting the, the, basically the router for the car, which is the TCU, think of it as the router for the car. they’re connecting the TCU to the head unit over [00:06:00] wifi in many cases. it’s got a Bluetooth interface, a wifi, GSM, you know, so what does that sound like?

It sounds like a cell phone. So it’s, yeah, it’s, it’s pretty interesting. cars are not, you know, just these unconnected devices anymore.

Ashish Rajan: [00:06:19] Yeah, it’s a, it’s a risk area. Well, cause I just, funny enough, when I wrote the post for it, I was like, Oh, I think it’s just to assess Tesla or any electronic car, like cruise automation or Lyft and Uber.

But now it’s like, if I, if I have a, a Nissan after 2001, I’m still, I guess I’m still affected by this, which is scary. But I think the. Yeah. So the whole park, I guess there’s the, what you coffee came off the Cloud Security Podcast that I run as well. And the intent was to kind of cover two topics on cloud security and then it kind of, as I was going through it, it kind of made sense that, Oh, actually [00:07:00] anything which is running on cloud has APIs and is primarily on, I guess emeritus since are also running on a lot of API.

So like Tesla was a great example. That’s kind of where the whole. Connected cars and competition came in were just what has a dedicated connection to the main hub where it’s learning or I guess creating as machine learning algorithm as the cameras are picking up information. That’s my understanding.

Sorry, go on.

Alissa Knight: [00:07:25] Yeah, yeah. So exactly. Your, you made a good point here. APIs are very much the glue that glues the internet of things together. Anywhere, whether it’s a connected car or it’s the baby monitor in your house, you know, or you know, a smart lock. Everything, any, everything within the internet of everything, connects to backend API servers.

So your car is actually phoning home and communicating with an API server at the, on the car makers, automakers, backend. So those are API servers that the car’s communicating [00:08:00] with. And you know, API stands for application programming interface. And now even banks are, are being powered by APIs. You know, we’ve left this, this world of monolithic applications, and we’ve moved to this microservices model where everything is kind of running in little pieces and all of those little pieces are communicating over what’s called APIs.

And if any of you have seen my YouTube channel, by the way, subscribe, I’m trying to get subscribers, before the weekend. youtube.com/c/alyssa night. So if you’re interested, yeah. If you want to follow my vulnerability research or publish my videos on YouTube, so check it out if you haven’t. But yeah, there’s actually, there’s actually a video on my YouTube channel that talks about, that actually shows me hacking a European bank’s API servers.

This, of course, was a client, so it wasn’t illegal, but they gave me permission to record. And [00:09:00] so. You can actually see me going through the process of hacking an API server for a bank, where I can change the pin code of any bank customers, debit card or, you know, transfer money out of their account without a user gap.

The problem is, is that companies are, are are. Spawning building these API end points and they don’t know how to properly secure them. They’re trying to secure them with traditional web application firewalls and you know, traditional security that you would use to secure a web server. And it’s the wrong tool for the job.

It’s like trying to, you know, use a screwdriver on a nail. It’s, it’s when you should be using a hammer, you know, you need to be using API security solutions instead. So, yeah. So everything is powered by APIs much.

Ashish Rajan: [00:09:43] Great. That’s pretty interesting in terms of, so, and that’s one of where when we were talking about this, about hacking critical cause earlier, and when you mentioned API, that that instantly caught my attention.

Like, Oh, I need to bring a lift. And so, um. API security, I guess what does good API security look [00:10:00] like and what, I guess bearing in mind some of the audience members are probably still. Quite new to the API concept. Cause there might be people who weren’t required advanced. So they might be having a public facing APIs of their, of their company, which may be, I don’t know, it’s sort of, it’s, even though it’s public, but it may be authentication enabled in terms of they might have people, it will only work in a certain token, like kinda like to reward AWS does.

So in that space, I guess, what does good API security look like in your opinion?

Alissa Knight: [00:10:34] Yeah. Great. Great question. So if you don’t mind, I’ll quickly explain what APIs are in a way that your audience can understand it. So my wife actually loves this analogy. So think of, think of APIs as this. So you have electrical companies, you have your house, right?

So the electrical companies are generating electricity with nuclear charcoal. You know what, you know, wind, you know, whatever, or you have, like in Vegas [00:11:00] here, so, sun city, right? So all these ways that these electrical companies are generating electricity, you don’t care how the electricity is getting generated is just that the electricity, comes to your right.

Your, your house, the, the electrical company generates electricity, sends the electricity over the power lines to your house where the electricity company doesn’t care what you plug into the plug. You can plug your iPhone into charge it, you can plug your hair dry hair blower and you can plug in your lamp.

The electrical company doesn’t care what you put into it. Is it just as long as it can fit into the electrical socket and, and pull electricity. so that’s an API. The API provider is the electrical company in this point at this, in this scenario, the, electrical sockets in your house are the API end point, the API servers and your device that you’re plugging into the outlet.

is like the mobile app, it’s, it’s or [00:12:00] whatever that, or your car that’s pulling, sending and pulling data from the API end point. And the provider. In this case, the electrical company is providing that data. So that’s the best analogy I can give all of you. before we used to design websites like amazon.com was one big monolithic web application.

Think of it as too many cooks in the kitchen trying to stir the same pot, right? All too many developers trying to write the same code for the same app. So what we did was we figured out, well, that sucks. That’s stupid, right? Let’s break this thing up. So I’m now, we’re living in an age of microservices where that one big amazon.com website is broken up into a shopping cart.

the, the catalog, the checkout, the, you know, the, the front page, all of that is broken up into these different services and all of those services can then be worked on by individual developers or. Teams of developers, and they’re not all, you know, overriding each other’s code. They’re not all stepping on each other.

And those microservices talk to each [00:13:00] other through API. So it looks like one big giant web application to us when we go to amazon.com when in fact it’s about 50 or a hundred or more microservices that are all being powered by APIs.

Ashish Rajan: [00:13:15] That’s awesome. And here the extra in Vegas comes from casino North from the sun.

Alissa Knight: [00:13:24] You know? Yeah. I actually just saw sun city their day. My wife took me out. It was amazing. I, if you have not seen sun city yet, it’s, it’s, it’s built by Tesla. So Tesla built in called sun city out here in Las Vegas. And it’s just miles of, what are those solar panels? Miles of solar panels, and they’re providing, they’re generating electricity off the sun and it was built by Tesla and it’s called sun city.

It’s right outside of Las Vegas. And it’s, it’s a marvel to see like, it’s massive. Anyway, your, your, your, your question was. How should people be [00:14:00] securing their APIs? The problem is, is that companies are treating them like web servers and they’re trying to secure them with web application firewalls or even API gateways like, you know, the MuleSoft and Apigees of the world.

But there’s actually API security products out there that people should be using, like Salt Security, like some of these other, API security vendors where the, the. Th th the, system is interdicting that traffic or it’s being passed to that, that solution off of a SPAN port, right? A passive, port on the switch and it’s analyzing that API traffic and it’s looking for API attacks.

The reason why a web application firewalls, for example, don’t work very well for protecting APIs is they’re looking for traditional web attacks like SQL injection, cross site scripting and all that stuff. Versus. Alissa is presenting this API token, but she’s requesting all of this data, the token’s real, the [00:15:00] token’s

correct. But should she be requesting all of this data? A web application firewall isn’t going to be looking for something like that. A web of, okay. You know, so, but an API security solution will, and one thing I can tell you, Ashish, the biggest problem that companies have is they don’t know what APIs they’re running.

They don’t know where they are. They don’t know how many they’ve got. It’s kind of like that whole, that whole quote, you can’t protect what you don’t know you have. And some companies are running hundreds, even thousands of APIs, and they don’t, they don’t know where they are. It’s called the, it’s a shadow API problem.

Ashish Rajan: [00:15:37] So, you know, do you need like an asset management for API that’s relevant?

Alissa Knight: [00:15:43] Yeah. So, so, these API security solutions like Salt Security. Disclaimer, they were a client of mine. But, they, it’s a solutions like Salt Security will catalog your API servers, let you know how many you’ve got in your environment, let you know what it’ll even, you know, some will even tag it [00:16:00] as PII.

Right? So this API is serving, transmitting, processing, or storing PII. So, you know, there’s, I just can’t imagine an organization. These days, especially with all the API breaches trying to protect their APIs with API management solutions with security as a feature or a web application firewall. It’s asinine.

It doesn’t make sense as a hacker. I love it when companies do that. I’m trying to protect them or monitor their network and secure them. I wouldn’t use a WAF or. So

Ashish Rajan: [00:16:39] I think it’s interesting because a lot of people try and copy the whole Amazon model of public so that our customers consumer, and to your point, if it is something as basic as authentication that people don’t.

Do well, what’s the, so is, [00:17:00] is like, I think if he goes to go by, I don’t go too technical in case it goes over, I guess some people’s head and they can reach out to you directly for getting too technical into it. Very basic perspective. I guess authentication, which is kind of like the bare minimum they should have.

People are going to imagine because it’s public, it should have authentication. It should have like a, something like a CloudFront for people using AWS, which gives them denial of service protection. Is that pointless or that’s still relevant?

Alissa Knight: [00:17:29] No, I mean, yeah, I would say that nothing in security is pointless.

You know, if you want to think about it, I’ve always been a big proponent of the fact that security should be built in layers like an onion. So first, figure out what it is that you’re trying to protect and then build your layers of security around that. Data or that crown jewels. So in this case, and have an API, you’ve got the data that the API is serving and you want to build your security like layers of an onion around that.

And, so, [00:18:00] you know, nothing’s pointless. I would use a, you know, an API security, or they’re called API threat management solutions now. But you know, you want to use an API threat management solution, you want to use, definitely an authentication authorization. You know, it’s that whole CIA triad right.

Confidentiality, integrity and availability that you want to make sure that you’re, you’re, you’re putting in authentication, not only authenticating the individual and making sure that those tokens expire and, and are being regenerated, short life lifetimes, but also authorized. Just because I’m authenticating as Ashish doesn’t necessarily mean I’m authorized to see that data.

Right? Just because I have a key, let’s say the hard coded in a mobile app, which is a thing, by the way, I run into that a lot. yeah. Still in 2020 I still run into hard-coded API. Yeah. The mobile apps

Ashish Rajan: [00:18:59] I’m going to do, the [00:19:00] obvious developer thing is a hardcore at API key encrypted.

Alissa Knight: [00:19:05] Yeah. New office location and encryption.

So, you know, a lot of, a lot of developers don’t realize you can, you can reverse engineer a mobile app and grab everything that’s been hard coded in their API. requests that are hard coded in the app, to API tokens, or API keys. So, yeah. Have a strong authentication authorization solution, like a Ping Identity or, or whomever.

Right. But make sure that you’re, you’re doing strong authentication and you’re authorizing those requests. Because just because I have a working token also, does that mean that I should be able to do a pull for everything in the database? No. Have restrictions authorize what those tokens and what those keys are, are able to do.

And you know, it’s just, it’s, it’s that whole, I think. The reason why history repeats itself in cybersecurity is the reason why we keep [00:20:00] repeating our mistakes when it comes to cybersecurity is because we’re not learning from our past. We’ll, we’ll, we’ll, you know, build something new and advancing shiny, and we’ve got the shiny new toy like APIs, and we’re not.

We’re not remembering. And going back to the basics of security, like confidentiality, integrity, and availability. And you know, so every time a new shiny new toy comes out and we do something cool and we innovate, unfortunately cyber security, you know, always is the last in line. No, it’s, it’s always 10 years late to the problem is I like to say

Ashish Rajan: [00:20:37] 10 years late to the problem.

That’s a good one. I want to take a moment over here just to, for people who are watching and thinking we’ve got 10, 12 people, what’s your, across Twitch and LinkedIn, if anything, have any questions, feel free to leave a comment and, I’m sure Alissa will be happy to answer them or. we can come back to it too.

We’ll come back to the questions [00:21:00] towards the end of the show. Alright, sweet. the operational side of things done. The next question that I wasn’t, I was going to ask you is. API is very popular these days, and even though it’s connected, and I know I’ll bring back to the connected cars again. So I’m pretty sure people here are connected cars as well.

How different is the enterprise API security to say a connected car? Like what’s the, I guess, what’s the difference you would see between, is there any difference between the APIs used for cars versus enterprise or other same similar start

Alissa Knight: [00:21:35] model. You know, that’s a great question. I would say, you know, there’s, there’s APIs for sure, like that are used in different industries, different sectors, different, you know, things, but they’re there.

It’s, it’s just code that the, it’s an it’s code that the developers created. APIs will serve different things, but their, their functionality is the same, right? [00:22:00] Just like. Back to my analogy of electrical companies. There’s different electrical companies. Some make some make electricity through nuclear, some make them through coal.

but it’s still producing electricity, right? It’s, you know, so it’s, yeah, there’s, there’s different API servers for different things. but. You know, they’re, they’re all fundamentally the same thing. They’re, they’re enabling applications to talk to each other. It’s enabling communication between applications and devices.

You know, it’s whether it’s a car or it’s the parking meter, you know, actually those things that are in smart cities, those things that lift up and down and let you into the parking lot. Um. Th th that’s, that’s a smart device. It’s talking with an API. You know, a lot of those are connected. you know, that you’ve got ticks, like traffic information.

So you got all of these things, all of this, innovation and intelligence being added to smart cities and, in highways and roads and it’s, it’s all to [00:23:00] make life better, safer. Who is it that the CEO of America’s for? was it Honda or Hyundai who said yes? you know, he’s got a zero, crash, goal, because of autonomous vehicles and smart cars by like, what was it, 2021 or something like it’s soon.

It’s like, yeah. So I mean,

Ashish Rajan: [00:23:25] I mean he may not be bad. He may be wrong because it’s covered cause there’s no one’s driving. I guess the crash trade would already be veto,

Alissa Knight: [00:23:32] I guess. Yeah. You know, I mean, it’s, that’s obviously a very lofty goal, right? Like zero crashes. I mean, Jesus, but I mean, it’s great. Like, but I mean, that’s the kind of, that’s the kind of innovation, that can save lives, right?

So, you know, you think about how many people die every day because of a car accident and around the world, you know? And so, um. You know, when you’re talking about connected cars, you have what’s called V2X or V2V, [00:24:00] vehicle to vehicle. And so if you’re driving in front of me, right, and I’m driving behind you, the concept is that you would, your car, once it hits a, a pothole, will send data over, believe it or not, 802.11p,

right? So it actually uses wireless protocol wifi like you would use in your house, but 802.11p and it would send data to my car and say, Hey, Alissa, I just ran into a pothole. Your car needs to go around and there’s a pothole in front of you that is what’s happening with V2V. So actually not just sharing traffic information, but also I just ran into a pothole.

You know, or you know, the, there’s a, there’s a, five car pile up in front of me. I’ve just slammed my brakes on, you know, that kind of information is being, is going to be communicated between cars over 802.11p.

Ashish Rajan: [00:24:58] Wow, that [00:25:00] would be awesome. And I think to your point, we all need to pay for causes as well, because I think as, as security has it humans, humans are the biggest weakness or security.

Same with goddess as well. I feel

Alissa Knight: [00:25:11] like. God forbid, I can’t, you know, Facebook while driving or, you know, teams, Microsoft teams or LinkedIn while driving, you know, or tweet while driving. but yeah, I, it’s, it’s interesting that I just saw this question pop up from Siddharth about, you know, third party solutions.

You know, for securing APIs, you don’t wanna have to use third party solutions. Obviously, if you’re in an enterprise, if you’re, you’re monitoring or running enterprise APIs. You want enterprise grade security, but yes, I think it’s all of the above that are, I think. If I’m saying her name properly, I think it’s, it’s, it’s all of the above.

It’s, it’s writing more secure code and [00:26:00] implementing and, you know, security solutions once it’s in production. But I think all too often, developers sort of rely on the security team to take care of it from there. And so I think developers, we as organizations need to start sending our developers to, um.

you know, to secure development training? No. Yeah. We’re training our employees, like our receptionist all the way down to, you know, our executives through cybersecurity awareness training every year as a matter of compliance. But we need to start sending our developers to secure code training, you know, and, and, and shift left in security where the vulnerabilities are being identified.

instead, while the code is being written in the IDE, rather than waiting until it’s deployed into production.

Ashish Rajan: [00:26:50] Also to justice. I’ve taken leave from the DAS question then to securing APIs. Can that be done? I guess you probably obviously needed a tool for other open [00:27:00] source version stored as well, or the only paid versions at the moment for API security.

Alissa Knight: [00:27:05] You know, there’s, there’s definitely stuff that people can implement such as OAuth, which is, you know, a w which will help. Yeah, exactly. Authentication, authors’, authentication. And, so yeah. All of the above. There are open source free things you can do. I want to say. I know things like Snyk, they’re doing things in microservices, vulnerability management.

so there’s definitely some things out there that you can look out on the open source side. A hundred percent. I

Ashish Rajan: [00:27:43] think maybe a couple of examples that I was thinking of more in tem. So if they’re doing, like, if they do something as basic as just logging the API requests coming in, so they know. What kind of requests are being, how are they being responded to, and what’s really happening in terms of, say for example, Alissa comes in with a [00:28:00] request to access a your Tesla car API, but should she be able to access that board, which talks to the mothership of Tesla.

Or should she just be talking to the interface or should she just be allowed to change your music on the Tesla car or whatever? I don’t think that could be like doing that basic step I feel is a good start if that Ford is, I guess thinking of as well.

Alissa Knight: [00:28:24] Yeah. Yeah. I mean, it’s, it’s, it’s just, it’s making sure that as a developer where we’re saying, okay, this is what you can do with the API and this is what you can’t do.

Right? Like, I shouldn’t be able to call everything from the database just because I have a token. Right. I mean, it’s, it’s. It’s making sure that, and I don’t know, maybe, maybe it’s developers just wanting to, and I don’t want, I don’t mean to offend developer hope. You’re not all like, God, this Alissa man, she’s really big.

But, you know, I think, I think if we can just start [00:29:00] thinking more securely, like, you know, critical thinking, using critical thinking while writing code, like, yeah, I mean. Should I be able to communicate with that API if I’m actually not the Tesla? Right? Like, so there’s this, there’s this other API security solution, CriticalBlue, that that’s got the seat based security solution, called Approov, and they actually are an SDK.

So like Siddharth you can, you can actually write your API with, the. with the, SDK. And not have, not really interrupt that SDLC, right? Like the biggest problem that Avery security companies are trying to do is eliminate the friction, right? Developers do not want friction. Don’t give me anything more that I have to do to write my code, especially if it means security.

And I think. You [00:30:00] know, when he thinks of things like, like critical blue is, is that there? It’s just an STK you compile in with your app and your API secure. Right. And what it does is it’s, it looks at the Travis, Hmm. That traffic doesn’t look like it’s coming from Alyssa’s Tesla. That topic looks like it’s coming from postman.

You know, an API client, that at API traffic isn’t coming from a shisha mobile phone. It’s coming from, you know, Alyssa postman, client. So, you know, the, that sort of stuff. But unfortunately, a lot of things like that are not free and open source, you know. But I mean, again, if, I mean, if you think about how much a breach costs, you know, you’re, you’re, there’s already data getting published.

Equifax for target for these major, I mean, Equifax was a result of the fricking Apache struts. Vulnerability. Like that’s API stuff. You know, it’s, it’s just, it’s in, we’re taught that was what a $2 billion cost to Equifax of it was insane. It was [00:31:00] massive.

Ashish Rajan: [00:31:00] It has always been insane. I think I always find interesting, having conversations about this with, I guess for people who may not be technical as well.

And I think you’ve been a great thing by explaining with the, electric company example. Cause I think that kind of leaves out the fact that. You if you relate the vulnerability to something that you can understand, even as a developer or as an exec, it’s really easy for people that are kind of realizing, feel as paranoid as every security person out there.

There’s a reason why every time you tell someone, I’m going to go, I’m going to have public API. They will be like, okay, maybe we should talk about this first before you open it to the internet. I think there is a, there’s a reason for that kind of reaction from a lot of security people. and just taking that a step further to your point about the executives, do you feel okay maybe cause we do have a few people who are size, those he sows and head of securities.

How do you, I [00:32:00] guess explain this to them and what can they be doing today? She kind of all like works at your point about, you mentioned the products already, you’ve been doing, I can start off with them constantly making this important, I guess, and they’re

Alissa Knight: [00:32:15] free CSOs that they’re like, one of the things you need to remember, and like I, this is coming from, so I worked the large biotech breach alongside mandate.

in the APT investigations, I’ve done APT incident response. I’m a forensic analyst as well, and I’ve done digital forensics and incident response. And one thing I can tell you, and you know what I’m about to say, CSOs, the first head to roll in a breach is the CSO. It doesn’t matter if it was your fault or not your fault or someone else’s fault, or the supplier’s fault or the developer’s fault.

The first head to roll is the CSO’s. And, you know, it’s, it’s, they’re always looking for a fall guy, right. Or fall girl. The thing is, is that, you know, my recommendation and advice to CSOs is if you look at the [00:33:00] Equifax breach, that was a $1.4 billion cost plus legal fees. That doesn’t include the legal fees.

Right? And that statistic was just posted a year in 2020. You know, like they’re still posting. About the, the, the surmounting costs, right. With, with the Equifax breach, and we’re talking about the, the, the breach of data of 150 million Americans, right? And you look at, okay, let’s let, let’s think about this for a minute.

Right. $1.4 billion. And you’re, and you’re concerned about a $100,000 cost for an API security solution. Like, you know, that’s less than the salary I’m sure you’re making, CSO, you know, I mean, I’m sure you’re making more than a hundred thousand a year, you know, it’s less than your salary. Yeah. I mean, it’s like, yeah, hopefully there, you know, but otherwise you need to be looking for a new job anywhere.

you know, but. I think we need to start realizing that, you know, when you start getting [00:34:00] pissed off with how much these things are costing, like you need to think about the cost of a breach and the fact that you probably won’t have a job once the breach and incident response is over. And every single one of the breaches I’ve worked over the last 20 years.

The CSO was always fired, always fired. It doesn’t matter whether it was their fault or not their fault. It doesn’t matter how big the company is. And every single one of the breaches I worked, there were resignations and, you know, and you don’t want to be tied to that. It’s like, you know, like the, the, the God, the, the CSO of Equifax, she was.

Beat up by the court of public opinion in that. I mean, she was like, they were attacking her personally, like what her degree was, and

Ashish Rajan: [00:34:47] that was

Alissa Knight: [00:34:48] hard for her. And it’s like, you know, it was, yeah, it wasn’t. It was long after. You know, Equifax and you know, it’s like, it’s horrible. Like you, you, it’s the only thing I can tell you is that like, you know, you [00:35:00] don’t want your personal brand as a CSO. Cause we’re all brands now, right? It doesn’t matter if you’re a marketer, an influencer like myself, we are all brands.

And when you’re, which is why when you’re applying for a job, the employer, is. You know, looking at,, your, your Twitter feed, looking at your Facebook, looking at your LinkedIn, when you’re applying for a job, they’re not just looking at your resume. As a matter of fact, I would dare to say that they really don’t care about your resume anymore.

They want to know what you’re posting on your Twitter wall, you know, what are you reading about? Um. You know? So, I think, you know, you need to respect the fact that you are a brand. And when you’re talking about the cost of, of implementing security controls, I think it ends up being a lot less than you having to find a new job or.

You know the cost of

Ashish Rajan: [00:35:49] Twitter that any post of mine is my own, not my employer’s,

Alissa Knight: [00:35:56] I’m sorry, like I have to, and [00:36:00] I’m probably going to get my car keyed for this or a lot of you, but. I, cause I see it. It’s so stupid to me because it’s like, actually, no, it doesn’t matter whether you put that or not. If you put something up like praising the most recent terrorist attack, you know, or you know, saying something that’s, you know.

Racist or you know, against LGBTQ. Like it doesn’t matter if you have that disclaimer. First of all, you, someone’s going to tag your employer and say, Hm, this is interesting. These are the kinds of people you hire. It doesn’t matter if you have that banner on their mic. These posts are my opinions and not that my input is gonna call me into the human resources office and your, and your job’s going to be gone.

It doesn’t matter if you have that or not. And, and also your personal brand. I mean, that doesn’t cover your personal brand. You see something stupid on social media that stuff lives forever.

Ashish Rajan: [00:36:51] That’s why, that’s why I think it’s, it’s funny, right? I think both you and I are quite a bit of social media.

Like [00:37:00] you do channels. It’s, I’m sure you do this as well. You kind of have to have a mental filter every time then. Am I okay for this to be out there on the internet?

Alissa Knight: [00:37:12] Yeah, you’re good. That’s a great point. You know, I mean, and you do, because you have to think about like, before you, um. you’re welcome center.

Before you post something, you need to think or retweet something. What am I retweeting? Who is it that tweeted it there in the first place? You don’t want to accidentally retweet something from David Duke, right? Like, Oh, this is a great ranch. We like, great, dude, I’m going to retweet this. I’m going to have your followers, you know, 70,000 followers tell you, why are you retweeting David Duke?

You know, like, I, it’s, but you know, when you’re African American. You know, but like, yeah, but it’s, it’s, you just gotta be careful what you do out there on social media because you just don’t know what you’re doing. You don’t, you know, and even if you go in there and delete the tweet, you are done. It doesn’t matter.

[00:38:00] Like it does not matter by the time you have to be careful.

Ashish Rajan: [00:38:03] There’s another question, by the way, hi, David Reeve. he’s also an author in June in New York. Just give me a shout out to David, but from poem. Companies, which are doing good work in connected car security.

Alissa Knight: [00:38:16] Oh, yeah. Well, yeah. So I mean, I definitely have to shine my own spotlight here, but obviously, Brier & Thorn, which is the company I’m the group CEO of, we do a lot of connected car penetration testing.

So, you know, we do more and more on the red team, adversarial emulation side of, of connected car security, like TCUs and head units. There are companies that are doing that are more on the defense and the, the defenders versus the breakers. You know, and, and, those are companies like Block Harbor who I just, actually had a meeting with last week.

So, you know, there’s, there’s, there’s all kinds of, I think also GRIMM does, does some connected car security stuff [00:39:00] as well. Hey Powell. Pawan. Yeah. I, if I’m massacring anyone’s name, I apologize. But yeah, I mean,

Ashish Rajan: [00:39:10] it’s hate speech over there guys, because, it’s on the internet now and we have these little retweets.

What? We

Alissa Knight: [00:39:19] don’t hate it. but, yeah, I mean, it depends on what you’re looking for. You know, there’s people that can help you secure it. There’s people that can help you break it and figure out what the vulnerabilities are. And I’m more on the breaker side.

Ashish Rajan: [00:39:31] Yep. Thanks for coming. Thanks for that question as I’ll go and answer the heart and hello to David as well.

I’m just kicking a pause over that again. I’ve still got about 12 people on Twitch and other 12 ish on LinkedIn, I think, but if you, if he goes on a leave, a question for you for leave a comment. If you just want to say hi to Alissa, as well as awesome.

Alissa Knight: [00:39:51] You just want to say hi. Have you defined what my favorite color is or what cereal I like in the morning.

Cinnamon Toast Crunch. I’m a Cinnamon Toast [00:40:00] Crunch girl. Cinnamon toast is purple. What

Ashish Rajan: [00:40:04] is that? Even a thing. Cinnamon.

Alissa Knight: [00:40:07] Okay. I’m sorry, but it doesn’t matter what you guys think. And girls think the best thing in the world is cinnamon toast. I don’t care who you are or what country you live in or what. You take some white bread, toast that up, put some a bunch of butter on it and sprinkle it with cinnamon and sugar.

Oh my God. And yeah, they turned it into a cereal. It is a thing.

Ashish Rajan: [00:40:28] Oh my God. Okay. All right. I’m going to take that out as well, but it’s funny you mentioned, your favorite color because I do have a section for that. Yeah. So I’m just mindful of the time as well for a lot of people. Think we have a few more minutes then, but, if people were in the comments from any of your questions or feel free to reach out to Alissa later on.

if you want to leave a hello trialist I’m there for you where you’re from that we also know as well. Just so we spoke about CEOs and CISOs and how they, why they should be considering this important. [00:41:00] Spoke about API security as well. I’m just taking a leave from per question that in terms of the pen testing that you’ve done for some of the car connected car companies, is there any that you can probably share are good examples of connected car?

Like what car can I buy now? Can I not buy any car?

Alissa Knight: [00:41:19] You know, unfortunately, things like, you know, security controls for your car aren’t in the hands and aren’t in the power of consumers. I actually spoke at CES. And this year or last year. And, I don’t think there’s going to be any conferences this year at all.

But, last year, and, you know, this brought, this got brought up, you know, you can’t, like, you can drive over to Best Buy and buy a firewall or security device for your home wifi network, but you can’t pull over and go to Best Buy and say, Hey, do you guys have any firewalls for my electronic control units in my car?

You know, it’s like, first of all, they’re not going to want an ECU as in the first place. but you know, it’s, it’s, [00:42:00] it’s, it’s, you know, unfortunately, outside of our control, but we as consumers need to change the narrative. And when we’re shopping for a car, we need to not, you know, we need to stop asking questions about what color this car comes in.

And, you know, what color interior I can get. We need to ask questions like, you know, w we need to research right. We need to research whether or not, this particular OEM of this head unit, you know, is cares about security. We need to look on their website. We need to look at the stuff they’re posting.

You know, we as consumers need to demand more and do more research before we go out there to buy a car. We need to change, because, if we don’t start holding the feet to the, you know, to the fire of, of these OEMs and these car makers, they’re not going to change. They’re going to say, consumers don’t care about this.

And, and we do. That’s the thing is we do, is there a

Ashish Rajan: [00:42:54] way to kind of share this across, gotten to your point about consumers? Because most of the consumers don’t care. [00:43:00] They just plug in their his faith now and they’re like, Oh, I’m happy with this. I, it does.

Alissa Knight: [00:43:04] Yeah, yeah, yeah. Well, I mean, it’s like, look, I mean, look at stupid things like, like hotspots inside your car.

Like, seriously, let’s talk about that for a minute. Who the hell cares if there’s a hotspot in your car? Do you rent when you’re looking at cars and you’re like, Oh my God, it’s got a hotspot. Oh, you have to pay $40 a month for it. Why when I got a cell phone like you don’t like, that’s ridiculous.

Ashish Rajan: [00:43:29] We have, we have buses with wifi days as well.

So, and airplanes with wifi, everyone’s like,

Alissa Knight: [00:43:34] why? Like, I mean, think about it. Think about it for a minute. And now this, and now we’ve got 5G, right? So you look at the, the, the, the transfer speeds for. For, for 5G. I mean, it’s astronomical. It’s faster than our home internet connections. I mean, it’s, it’s insane.

So, I mean, if you look at the, you know, what we can do on 5G, whether or not, look [00:44:00] at this. Okay. Download speeds of one to three gigabits per second. Do you think that over saturated wifi in the bus is really going to be able to do one to three gigabits per second? That’s ridiculous. We, that’s faster than, than most.

Faster than you can get in your home for internet speed. And one of my clients, a major car makers told me like. We’re not going to be doing this anymore. We’re going to be phasing out the hotspot. Yeah, because you had what, one person in the last five years pay for it and then, you know, and I was in the accident probably.

They probably did. And then they paid for it and forgot they paid for it and forgot they have it. You know, it’s like seriously, but you know, I think we need to start considering what’s more important. Like I’m driving around with my wife and kids in the car. you know, it’s one thing for a hacker to deface a website.

It’s another thing for a hacker to take control of my car and crash it into a wall. [00:45:00] And that is a thing now. It’s not just Hollywood. It’s a thing you

Ashish Rajan: [00:45:04] can do relative to the point that a lot of people don’t care about this as well too, to the point that I think. The security people came across come across as a paranoid guys, like, I’m not going to do that.

And you’re right. For a large extent, they, no one wants to be other people to be affected by something like, so if you’re selling a car, you don’t want them to go and crash on this or affect their family loss of life. Probably worst case scenario, but you don’t want that to anyone. But then you. I think to your point, maybe a lot of credit card companies are ignoring that and pushing that to the end.

Like, Oh, okay, don’t worry about this because we haven’t found anything. So it should be good.

Alissa Knight: [00:45:46] I don’t want everyone to think that the sky is falling. I’m not one of those people. You know what I mean? One of the things I can tell you is that things are changing. Like car makers are requiring OEMs to do penetration testing of their devices. if it. [00:46:00] You know, if it can talk, you know, they, they are requiring a proof of a vulnerability report, a risk assessment, whether it’s Eva, or any other risk assessment methodology.

So, I mean, it’s, it is changing and I think, you know, everyone is to blame it. Like, if you think about it, right? So if you guys remember the Jeep hack, right. They don’t say the name of the OEM whose head unit was involved in that Jeep hack? They say Jeep, right? It’s Chrysler. Chrysler got thrown under the proverbial bus, no pun intended.

In that situation, it’s a Jeep, Jeep, Jeep Jeep. But I know the particular OEM’s head unit that was, nobody knows about that. Nobody, nobody thinks about the, the companies that’s not a Jeep head unit. It’s a head unit for one of its OEMs. And you know, the, the car makers need to be better about saying, Hey, look, it’s not you that’s going to be out plastered all over CNN when this is [00:47:00] hacked.

It’s us. It’s our brand. It’s not the OEM’s brand, it’s our brand. And so yes, you are gonna do a pen test. We don’t care how much it costs. You are going to do a risk assessment. We don’t care how much it costs or we’re, or we’re not going to award you this RFP. So they’re actually putting these requirements in the RFP when the RFP goes out on the street.

That’s

Ashish Rajan: [00:47:22] really good. And I think I’m glad that they are as well, because for people, it’s kinda like the, the agreement that people say yes or no to the terms and conditions. Every time you sign up for new service and you just say yes and like, Oh yeah, we’re, it seems to be the right thing and take my data.

Alissa Knight: [00:47:39] Exactly. Small print. Yup.

Ashish Rajan: [00:47:42] Yup. I’ve so, I wish the Odysseys would make sure that this gets included and people are the case notified. So tomorrow that it becomes much more co, it’s as common as people talking about privacy in Facebook. It’s, it shouldn’t be as common as that.

Alissa Knight: [00:47:57] Yeah, I agree. You know, and [00:48:00] I don’t know.

I mean. I, I’m guilty of that too. I’m pot calling the kettle black, but I mean, you know, I hate reading those things too, but I’m starting to pay more attention, like, you know, actually, our, our, my wife and I, his best friend, pointed out this morning, the new, iOS release and how it enables the API for, contact tracing.

Right? So, AP, I don’t know if you guys saw this, but Apple and Google got together and they’ve built this API, to support contact tracing apps. And that’s for COVID-19. So, your, whether or not you’re infected with COVID-19 or anyone, your, you know, that’s infected with COVID-19. If they’ve got this new version of iOS and they’ve installed the contact tracing app.

That health data, your health data of whether or not you’re sick or whether or not you’ve been infected with COVID-19. All of that is, is shared is, and it’s enabled by this new API. And I, okay, I want to say this, I [00:49:00] want to be abundantly clear with all of you, cause a lot of you are probably looking as shocked as Ashish right now.

It doesn’t automatically send your health data. It does. You, you have to go out. And download a contact tracer app from the app store. So if you’ve got the new 13.5 release of iOS that came out, I think today or yesterday, I don’t know when it came out a few days ago. You have to download a contact tracer app just because the API is enabled on your phone.

However, I do want to make it clear that. If you download the contact tracer app, you cannot disable the contact tracer API functionality. You cannot disable that data being shared. So as long as you don’t install a contact tracer app, you’re fine. But the API support is enabled in the new iOS.

Ashish Rajan: [00:49:52] Well, I guess the government is being engaged over tracing that anyways, right?

Like the Australian government has a, an app called COVIDSafe, [00:50:00] which is basically, keeping a track on who is infected and it uses at the moment to go, if I’m sitting right next to you and if I had COVID-19 or I was just a positive, you instantly get a notification saying, or. My assumption is instantly that you are allowing someone who has COVID-19 so you probably, you should be cautious that they already

Alissa Knight: [00:50:22] know who you are.

Like does it say she standing next to you in the grocery line is infected? Recovered 90

Ashish Rajan: [00:50:30] though, right? Cause Bluetooth. So you’re not far from

Alissa Knight: [00:50:34] I good point. So it uses Bluetooth. Oh wow.

Ashish Rajan: [00:50:38] Expects you to have Bluetooth on. And I do want to do a complete episode on that as well, cause I find it really

Alissa Knight: [00:50:43] interesting because especially, especially since I’ve branded myself as a Bluetooth hacker recently with this whole BLE lock hack videos, I’ve been public.

I

Ashish Rajan: [00:50:54] feel like it’s really interesting from that perspective as well, right. Where you have. I guess [00:51:00] you have something which is like a double edged sword. You want to be notified if you’re standing next to someone who has COVID-19 but at the same time, you don’t want to give your information away as well.

Alissa Knight: [00:51:08] Yeah. I mean, it’s kind of like, okay, imagine if this happened. Okay. All right. This is going to be controversial, controversial statement, but imagine 20, 30 years ago, right. And when HIV exploded and it was all in. Now, right now it’s all about cancer. Everyone’s dying from cancer, right? You never really hear about anyone dying with AIDS anymore.

It’s they figured out how for us to live with HIV and live with AIDS, they’ve, they’ve figured that out, like, right. But like now everyone’s dying of cancer. But what if you, 20, 30 years ago, 30, 40 years ago, what if, you know, you had an app. Right. That identified everyone that had AIDS around you, like, Oh my God, like people would be in, but now that it’s COVID-19 it’s like, Oh, okay.

I want to know if somebody [00:52:00] got COVID-19 next to me, you know? But you know, back then, 40 years ago, I was like, how politically correct would it be? Say I want to know if somebody next to me has got AIDS. Yeah,

Ashish Rajan: [00:52:11] I think, sorry, just to take another leap on this point about that information is still stored somewhere in dumps or disclose.

If you have some medical condition. Every form these days has that free sports thing.

Alissa Knight: [00:52:23] That’s a good point.

Ashish Rajan: [00:52:24] And I wonder if the whole COVID-19 thing, and I know we’re going to compete on this, I’ll come back to the actual thing, but just to close out one, I think it’d be really interesting if people start expecting people to mention that they had COVID-19 in the forms.

Alissa Knight: [00:52:40] Oh, that’s a good point. Yeah. Like have you ever been diagnosed as having positive for COVID-19 you know what, here’s the thing that I’m, I’m, I’m, I’m always talking about is, you know, right now it’s COVID-19, when is it going to be COVID-20, COVID-21? I think our society is going to fundamentally change where like [00:53:00] in Asia, they walk around, you know, everywhere in China, they will walk around with face masks before COVID-19. I think, at least in the United States, I can’t speak for Australia, but I think at least in the U S I think this is going to be a permanent part of our life.

I don’t think there’s going to be a. Days after COVID-19 I think. Next I think we’re going to all permanently start walking around with masks. I think we’re all gonna start permanently walking around concerned about that next COVID outbreak and social distancing. I don’t know. Forever going to shake hands again when we meet someone for the first time.

I think she is now out. Fist bumps are out. Oh,

Ashish Rajan: [00:53:38] it’s funny, we have David who is online as well, but David mentioned this to me, and I don’t know if, if, if you were aware of this, but apparently the whole handshake thing started only because you wanted to tell the other person that I’m not carrying a gun.

And,

Alissa Knight: [00:53:52] yeah, that’s how bad, how far back that goes is I’m not, yeah, I don’t have a gun in my hand, you know, so it’s, it’s like, [00:54:00] I think we just kind of adopt things and it just sticks, you know, for, for, for centuries. You know? But, going back to connected cars, but like the last question, what are your thoughts on over the air?

I’m really glad that Neil brought this up, actually. I think I know CDO. Hi Suneel. but, I think he’s one of my followers. but, you know, here’s the thing is that, OTA is a, is a huge attack vector OTA. So over the air, OTA updates is what happens when your car’s grabbing firmware updates or whatever updates from the backend OEM or carmaker, it’s called OTA.

And. that actually, so that was one of the things that our team broke when I was living in Germany is we figured out how to, reverse engineer the certificate exchange protocol for OTA, for one particular car maker. And it’s, it’s just, you know, it’s, it’s your car identifying itself with the backend.

And that’s all [00:55:00] done over GSM. And we all know how vulnerable GSR I should say 60. Secure GSM is, but you know, it’s, so believe it or not, the backend of the car maker actually communicates with the car over SMS or SMS text messages. And it’s all like you’re getting, so if you, if any of you guys are interested in picking up my book, Hacking Connected Cars.

It’s on Amazon or Barnes and Noble. The, there’s a chapter on this and I actually show a screenshot of Wireshark, of me actually using a rogue base station to attack a car through its TCU and, me showing a screenshot of a real screenshot of Wireshark and the packets, the GSMTAP packets falling, over, that Wireshark interface.

So it’s pretty neat. Yeah. Oh my

Ashish Rajan: [00:55:54] God. Yeah. Oh, hope Hey hates Neil. I think that he definitely knows you as [00:56:00] well. thanks for the question. That’s awesome. Alright, we’re coming towards the end of the interview and I would love to keep doing. I know. I love talking to you and I’m

Alissa Knight: [00:56:10] sure you gotta have me back.

Ashish Rajan: [00:56:13] I think we definitely need to go a bit more deeper into this, but I usually end my, towards the end of my show I have these, I guess I’ll just say fun questions as I like to call the colon. So it’s not that many, just three of them. first question, what do you spend most time on when you’re not working on cloud or technology?

Alissa Knight: [00:56:31] Oh, God. So, um. It’s hard to say because my job in, in, in, in tech, my job in security is a lifestyle. I’m a, I’m a big proponent of the fact that cybersecurity isn’t a job. It’s a lifestyle. So if I’m not doing anything in tech, I’m, I’m doing video editing. You know, I’m really big enough, really big, as you guys all know, into video, or, you know, [00:57:00] photography or videography.

so let’s say, I would say videography. Oh,

Ashish Rajan: [00:57:05] nice. yeah, I’ve seen your videos on our phone. I think YouTube, LinkedIn, you’re pretty

Alissa Knight: [00:57:09] much working for Dreamworks,

Ashish Rajan: [00:57:16] at least I was still available if you guys want to reconsider, by the way, I love videos as well. I feel like that’s definitely a great way to share a story, even though something like what we’re doing right now. Connects people on a whole different level.

Alissa Knight: [00:57:31] Don’t get me wrong, like, I mean, I think people still love to read blogs and I love writing everything these days.

Ashish Rajan: [00:57:37] Yeah, a hundred percent I can make more of a video as well. Plus I don’t like to read a lot of it. So anyway. what is something that you’re proud of but it is not on your social media?

Alissa Knight: [00:57:48] Oh my God. I, there’s something I want to talk about cause it’s, it’s like covert. It’s very covert. Top secret. I can’t talk about it.

but I’m very proud of it, so I can’t talk about, so that means I [00:58:00] can’t use it cause everyone’s gonna look at me strange. Like what is she talking about? but I already have this top secret project. I’m really proud of it, but, okay. I would say my family, I’m proud, to be married to my wife. I’m proud of my son, Danny.

Hi Danny. Hi wife. So, you know, I, I, I’d say that I’m proud of my family. I’m proud to be part of my family.

Ashish Rajan: [00:58:23] Awesome. Hi Danny, as well. Hello wife.

Alissa Knight: [00:58:29] I can’t say who she is.

Ashish Rajan: [00:58:30] Oh, fair enough. What’s your favorite cuisine or restaurant that I can share?

Alissa Knight: [00:58:37] I’m Italian. I love Italian. I’m a pasta girl. I love, second would be sushi.

I’m a big sushi girl.

Ashish Rajan: [00:58:48] Oh, any good pass up basis or any time in Vegas?

Alissa Knight: [00:58:52] Oh my God. A lot. My favorite, my favorite so far that I’ve been through is this [00:59:00] place called, a Moray or, like a Moray AMEA more or love something I can’t Moray or something like that. How Casa de Moray custody Moray. My favorite Italian place in Las Vegas.

Ashish Rajan: [00:59:14] Anyone from Vegas who wants to check out that restaurant as well? That’d awesome. I just wanted to say thank you so much for taking the time. That was the end of the interview, but I had such a good time and I can’t have to, I can’t wait to bank. Bring you back on again and thank you. Thank you to the audience as well.

It’d been like really amazing. Of course, 12 on a scream on one end, and there are another 12 and the others were kind of like, this is like a new high for me as well.

Alissa Knight: [00:59:41] I’ll, I’ll, I’ll say it’s me.

Ashish Rajan: [00:59:44] Well, I’m not, I’m not going to deny it, but I’ll wake and people find you on social. I know it could be. We’ll find you on social equity.

Alissa Knight: [00:59:55] Like, I like [01:00:00] a few, few subscriptions away from reaching a thousand subscribers on my YouTube channel. So everyone, please, please, please subscribe to me on YouTube, hit that bell icon to be notified of new uploads. I upload new videos every week. You can also find me on LinkedIn, linkedin.com/in/alyssa Knight.

That’s Alissa with an I and Knight like swords and shields and, you can find me on Twitter. Um. I’m not on Twitch yet. But you can also find me on Instagram. Believe it or not, I’m on IGTV

Ashish Rajan: [01:00:30] Oh. IGTV, well, we can come back to, I’m surprised how many people saw from cybersecurity are on Instagram, but thank you so much for your time.

I really appreciate it. What’s going to go on YouTube as well as when you get the pre shattered, everyone gets to reach out to you. But yeah, thanks so much for your time. I really appreciate you coming on the show.

Alissa Knight: [01:00:51] Thank you everybody for joining us.
