Cyber Security Wake-up Call - Quis custodiet ipsos custodes?
- 12 June, 2015 11:11
I’m a person who has had a keen interest in trying to stay across developments in Cyber Security, but a recent Symposium at Sydney’s Luna Park has been an eye opener on many fronts.
Personally I’ve always struggled with the concept of White and Black Hat hackers. What makes a person decide to take which path? As I scanned the audience of 350+ and wondered which of these participants are here ‘scouting’, but actually playing for the other side?
You know that you can’t really tell – unfortunately the bad guys don’t wear a ‘hat’ that gives them away. So who watches the watchmen?
How to get into the Black Hat Mindset
The nagging question for me has been is this about fundamental integrity and honesty? Or is this just lack of career options, that then leads to this choice?? Another more cynical side wonders if is just the fact that Black Hat hackers are much more skilled at hacking???
For answers, I was privileged to hear Brian Krebs past writer for Washington Post, who has engaged with the Black Hat hackers to write his book entitled SPAM Nation. A New York Times Best Seller, Brian is a fascinating storyteller who was able to connect with ‘friendly’ Black Hats and also some others who were not so friendly.
In understanding the mindset of a Black Hat hacker, Brian explained how such countries with the ingredients of Maths + Science + Technology - Job prospects = a breeding ground for recruits.
This is especially the case in the Russia and the Ukraine there are also no legal deterrents to this activity. (Perhaps I was correct about lack of career options being a factor!)
Brian noted that the average 20 year old Russian will get into this profession gradually, and on a part-time basis. They are selling what is essentially software as a service – albeit a Bot service or a DDOS capability.
Australia’s Cyber capability weakness
Here in Australia, we don’t have a great standard of Maths and Science compared to global leaders. Hence I do worry that our local White Hat Hackers are less skilled and indeed outgunned by others who speak a different native language but use the same TCP IP protocol.
Let’s remember though that one of the most famous hackers in the world comes from Australia. Julian Assange also studied Maths, Science and programming and started off as an ethical ‘White’ Hat hacker, then went rogue later pleaded guilty to 25 charges. Assange was also a good guy as an Advisor to the Government and generally providing advice on computer security. Then he founded WikiLeaks, which is debatable what colour hat he wore?
The wake-up call is that; it’s just a ‘hat’ and perhaps it is more ‘Gray’ than either Black or White. To me the bigger issue, is that the so-called White Hat guys are given access to test your systems for vulnerabilities – so how do you know if you can really trust someone?
Yes, we have to trust our guards but who then guards them??
From what I see, it is not fair to say that the Black Hat guys are smarter hence gravitate to this field. They are also human and fall to the same mistakes that you and I make.
Brian Krebs discussed that he followed crumbs to gather evidence and this required extreme patience. In many ways it emulates the same technique that Black Hat operatives will use and that is monitor and look for those vulnerabilities sometimes waiting for 9 to 12 months before acting on this.
In the same fashion, Brian explained how he pursued comprehensive analysis and followed trails. The same weaknesses that Hackers exploit being the ‘human’ element is also what he looks for.
Some examples were reusing a personal email address for business, and then having the same password on chat rooms as email or even reusing a pseudonym name. These are all behavior that in corporate worlds leads to vulnerabilities and it just proves that it is more about ‘people’ not the technology that is the most critical factor.
Brian shared that he has waited for these moments when hackers hacked each other, leading to them bringing down the Hacker Forums. At that moment he would then grab all the unprotected details of these databases. This provided you access to their personal photos, which are brazenly shared. It is interesting to note that Black Hat guys also use tools that you and I utilize such as SKYPE, and not some secret encrypted service.
Hackers Hack each other
I’ve never thought that Hackers hack each other for fun. My belief was this was just for money and ransom. I was not aware the degree of ego involved in this ecosystem and Hackers when they are not targeting enterprises are taking pot shots at each other. There is real competition between these parties and getting an advantage over someone else clearly has monetary reward as well. At the end of the day, most hackers are also ‘gamers’ and this is part of their psyche.
That was another huge wake-up call moment to me and I start to worry about the background of the White Hat guys that I might engage. Then consider are they really low profile and have no enemies?
Social Engineering Attacks
My hair also stood up with another discussion, and that was how Hackers use Linkedin to scout and gather further information on you. As an avid user of that channel, it makes you more wary of those unsolicited requests that we receive.
In the case study, once a hacker knows more about you then they can provide what looks like an innocent connection for an app. However what is lurking is a malware injected app that is able essentially take over your smartphone – to read your calendar, email and even record your conversations.
Yes, we do carry that phone device everywhere don’t we…..
This takes social engineering, beyond what I imagined to be just the help desk and customer service being points of concern. In this regards, yes the bad guys are much smarter than we are and can take advantage of our people, process and technology weaknesses.
Now that I realise that I know much less than I thought. It is a poignant moment to reflect on how very advanced are the hackers. This is their living and it is only when you take on their persona and approach much pros like Brian Krebs have adopted do you have a fighting chance.
Alternatively you have to hire a CISO and security staff who perhaps are much more closer to that edge than you thought. But then how do you know that they are really White and not like our friend Julian Assange and been all the various shades?
Then we have to watch these watchmen as they hack each other through various tactics and work out are they still White hat?
It’s a sobering wake-up call.