Adam Bannister is a contributor to IFSEC Global, having been in the role of Editor from 2014 through to November 2019. Adam also had stints as a journalist at cybersecurity publication, The Daily Swig, and as Managing Editor at Dynamis Online Media Group.
October 21, 2016

FBI offered hackers cannabis perk in recruitment drive, says ‘ethical hacker’

Ralph Echemendia: the ‘ethical hacker’

What is the price of convenience when it comes to security?

This was the question posed at the recent Customer Contact Expo 2016 by ‘ethical hacker’ and Hollywood cyber consultant Ralph Echemendia.

If the 2014 hack of Sony Pictures Entertainment cost the company hundreds of millions of dollars, as Echemendia asserted (Sony claimed it was ‘only’ $12m), then it’s a high price indeed.

Incidentally, the speaker, who worked on two films from Oscar-winning director Oliver Stone, also insisted that the North Korean government was not behind the breach, after which the attackers insisted that Sony pull the film The Interview, which satirised North Korean leader Kim Jong-un.

Sign up for Black Hat Europe 2016: the world-renowned information security conference

Taking place at the Business Design Centre, London, Black Hat Europe provides education on how you can protect your business against cyber attacks. Secure your free business pass, which gives you access on 3 and 4 November, now before it’s too late. Register here for your free business pass.

Who are the hackers?

Asked a question from the audience about hackers’ moral compass – or lack thereof – Echemendia said there was a disconnect between the virtual and physical worlds. If a hacker hacks your computer, he said, he doesn’t see a person; he sees data and a computer.

Nevertheless, there was reassurance for individuals, with Echemendia – who recently answered our questions about his career and the cyber security landscape – saying hackers really only go after companies, not random individuals, as this was the path to making money.

Hackers are invariably self-taught. They start out as amateurs and, through trial and error, can become highly accomplished, said the speaker.

Not that you need sophisticated skills to hack successfully.

How to hack

Echemendia introduced the audience to a little known hacking enabler: Google.

“It freaks them out when I do this at, say, a government conference,” he said. Typing a few choice keywords he generated 3,000-plus military documents containing the word ‘classified’. It’s an appealing vulnerability for hostile countries with nefarious motives, said Echemendia, especially when the target of such hacks doesn’t know who is targeting them; they only see Google.

He also showed delegates how you can narrow the search to Excel spreadsheets, to documents containing customer passwords, or to a specific domain.

Why was he focusing on Word documents? Many people don’t realise, he said, that Word documents actually retain their editing history until they’ve been renamed. This meant many redacted documents could readily surrender some very compromising secrets to prying eyes.
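The point about documents leaking what their authors thought they had removed can be checked before anything is published. The script below is an added example, not code from the talk or from IFSEC Global: it opens a .docx (a zip of XML parts), reads the author, last-editor and revision fields from docProps/core.xml, and pulls out any tracked insertions or deletions still sitting in word/document.xml, which is where a “deleted” sentence survives when Track Changes has not been accepted. The sample document, its names and its dates are constructed in memory so the script runs offline.

```python
"""Inspect a .docx for metadata and tracked changes that would survive into a published copy.

Added example (not from the talk or the article). OOXML stores author/last-editor/revision
in docProps/core.xml and Track Changes markup as <w:ins>/<w:del> in word/document.xml.
The sample .docx built below is constructed, with made-up names and dates.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx whose 'deleted' sentence is still in the file."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s">'
        "<dc:creator>j.smith</dc:creator>"
        "<cp:lastModifiedBy>legal-review</cp:lastModifiedBy>"
        "<cp:revision>14</cp:revision>"
        "<dcterms:modified>2016-10-01T09:12:00Z</dcterms:modified>"
        "</cp:coreProperties>" % NS
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<w:document xmlns:w="%(w)s"><w:body>'
        "<w:p><w:r><w:t>Project status: on track.</w:t></w:r></w:p>"
        # Tracked deletion: invisible in Word's 'Final' view, still in the XML.
        '<w:p><w:del w:author="legal-review"><w:r>'
        "<w:delText>Customer list attached, password Summer2016</w:delText>"
        "</w:r></w:del></w:p>"
        '<w:p><w:ins w:author="j.smith"><w:r><w:t>See appendix.</w:t></w:r></w:ins></w:p>'
        "</w:body></w:document>" % NS
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Return identifying metadata and any tracked-change text still present in the file."""
    findings = {"metadata": {}, "tracked_insertions": [], "tracked_deletions": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:modified"):
                el = root.find(tag, NS)
                if el is not None and el.text:
                    findings["metadata"][tag] = el.text
        if "word/document.xml" in names:
            root = ET.fromstring(z.read("word/document.xml"))
            for ins in root.iterfind(".//w:ins", NS):
                text = "".join(t.text or "" for t in ins.iterfind(".//w:t", NS))
                findings["tracked_insertions"].append(text)
            for dele in root.iterfind(".//w:del", NS):
                text = "".join(t.text or "" for t in dele.iterfind(".//w:delText", NS))
                findings["tracked_deletions"].append(text)
    return findings


def is_safe_to_publish(findings: dict) -> bool:
    """Clean only when no tracked changes remain and identifying metadata has been stripped."""
    return (
        not findings["tracked_insertions"]
        and not findings["tracked_deletions"]
        and not findings["metadata"]
    )


if __name__ == "__main__":
    result = inspect_docx(build_sample_docx())
    for key, value in result.items():
        print(f"{key}: {value}")
    print("safe to publish:", is_safe_to_publish(result))
```

Run the same `inspect_docx` over any real .docx you are about to put on a public site; anything in `tracked_deletions` is text the author believed was gone, and `lastModifiedBy` and `revision` are exactly the fields a search-engine-driven reconnaissance exercise harvests. Word’s “Inspect Document” feature, or saving a fresh copy with changes accepted and properties removed, clears both.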

Accelerated by the internet of things, the “digital landscape is growing in a digitally unprotected way,” said Echemendia. It’s “very difficult to keep up with the security of IoT environments.”

He also mentioned the well-known phenomenon of hackers breaching call centre databases, then contacting customers under the pretence of being the call centre.

Cyber security skills lacking

What’s the unemployment rate among cyber security specialists? “Zero,” said Echemendia. Indeed, one million jobs are unfilled in this “unique”, creative space.

Of the thousand or so people he’d taught on the subject, Echemendia could count on one hand the people who really “got” hacking; the rest just followed the rule book. But there is no rule book – because hacking is about “making things not work the way they’re supposed to.”

Small wonder that, as the speaker told his audience, cyber security experts now often earn more than some executives.

Who knew? A perk of working for the FBI

Incentives offered to hackers to join the FBI illustrate the point. Addressing one hackers’ conference, an FBI recruiter told the archetypally countercultural delegates that they could “smoke weed” on the job.

A people problem

Cybercrime is not primarily a tech issue, said Echemendia; it’s the people using the tech that represent a weak point in the trinity of people, process and technology.

The most important person in your organisation isn’t necessarily your CISO or director of security; your janitor, pointed out Echemendia, has keys to every room, including the computer room.

The shocking stats

These stats illustrate starkly the scale and intractability of the hacking problem:

  • 1,080: number of people globally who are hacked every minute
  • 31%: percentage of victims who discover breaches themselves; the other 69% are notified by an external entity
  • 27 days: average time it takes to resolve an attack
  • 229: average number of days attackers roam within networks before detection
  • 25%: percentage of Americans who have been victims of a data breach in the last 12 months – and that’s just the ones they know about
  • 75%: percentage of threats that are financially motivated

The message was clear: you will probably be hacked (if you haven’t been already) at some point. So what can you do about it?

Protecting yourself

‘Resilience’, not security, should now be the watchword – and this means assuming that you have been hacked.

Minimise the time between a breach and you finding out, the speaker urged the audience. A simple thing you can do to spot a virtual break-in quicker than Yahoo (two years!): examine the flow of data during a given period. If there is an unusual spike in network activity between, say, 2am and 4am, then something is probably going on.
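The “unusual spike at 2am” check above is a baseline comparison: total the bytes leaving the network per hour, then compare each hour of the latest day against the same hour of the day on earlier days. The script below is an added example, not code from the talk or from IFSEC Global. It takes simple flow records (timestamp, bytes out) of the kind a firewall or NetFlow exporter produces; the records here are constructed, seven days of quiet nights and busy office hours with a synthetic burst at 02:00 and 03:00 on the final day, so the script runs offline.

```python
"""Flag hours of outbound traffic that break the per-hour-of-day baseline.

Added example, not from the talk. Input is a list of (timestamp, bytes_out) flow
records; the data generated below is constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev


def constructed_flows():
    """Constructed sample: 7 days of hourly outbound totals, ~15 MB/h at night and
    ~400 MB/h in office hours, plus a large burst at 02:00 and 03:00 on the last day."""
    start = datetime(2016, 10, 10)
    flows = []
    for day in range(7):
        for hour in range(24):
            ts = start + timedelta(days=day, hours=hour)
            base = 400_000_000 if 8 <= hour < 19 else 15_000_000
            jitter = ((day * 7 + hour) % 5) * 1_000_000  # deterministic variation
            flows.append((ts, base + jitter))
    # Simulated exfiltration: extra records in the same two night-time hours.
    flows.append((start + timedelta(days=6, hours=2), 900_000_000))
    flows.append((start + timedelta(days=6, hours=3), 850_000_000))
    return flows


def hourly_totals(flows):
    """Sum bytes per clock hour, regardless of how many records fall in it."""
    totals = defaultdict(int)
    for ts, nbytes in flows:
        totals[ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    return totals


def find_anomalous_hours(flows, sigmas=3.0, min_ratio=2.0):
    """Return (hour, bytes, ratio_to_baseline) for hours on the latest day that exceed
    baseline mean + sigmas * stdev AND are at least min_ratio times the baseline mean.
    The ratio guard stops a nearly flat baseline (tiny stdev) from flagging trivial jitter."""
    totals = hourly_totals(flows)
    last_day = max(totals).date()
    history = defaultdict(list)  # hour-of-day -> totals seen on earlier days
    for ts, n in totals.items():
        if ts.date() != last_day:
            history[ts.hour].append(n)
    flagged = []
    for ts, n in sorted(totals.items()):
        if ts.date() != last_day:
            continue
        past = history.get(ts.hour, [])
        if len(past) < 2:
            continue  # no usable baseline yet for this hour
        mu, sd = mean(past), pstdev(past)
        if n > mu + sigmas * sd and n >= min_ratio * mu:
            flagged.append((ts.hour, n, round(n / mu, 1)))
    return flagged


if __name__ == "__main__":
    for hour, nbytes, ratio in find_anomalous_hours(constructed_flows()):
        print(f"{hour:02d}:00  {nbytes / 1e6:8.1f} MB  ({ratio}x the usual for this hour)")
```

The same-hour-of-day comparison matters: a 900 MB hour is unremarkable at 2pm and alarming at 2am, so a single global threshold would either miss the night-time burst or drown in daytime alerts. A week of history is the minimum; in practice you would also keep weekdays and weekends as separate baselines.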

The BYOD, or bring your own device – or “disaster” – trend, only amplifies the risk.

Illustrating how much things have changed Echemendia recounted how in more innocent times he had charitably notified Microsoft on several occasions that he’d discovered bugs or vulnerabilities in their software.

But were they grateful? On the contrary: at best they hung up, at worst they threatened legal action.

In some ways things have barely progressed. Antivirus remains a go-to form of protection for consumers and businesses two decades after its invention, despite, in Echemendia’s estimation, being next to useless.

“There’s no cloud”

The ‘cloud’ into which so much data is migrating almost sounds like it exists in the ether, transcending physical hardware down on terra firma. The mundane reality, says Echemendia, is “there is no cloud […] it’s just someone else’s computer.” The IT industry has just changed its business model, he added.

He acknowledged the model’s enormous benefits – not least “elasticity” – but said it’s vital that anyone buying cloud services understands what questions to ask their providers and who between them is responsible for what. Most of them don’t, he added.

The US federal government only uses FedRAMP-authorised cloud providers. So gruelling is the compliance process that only a handful of companies have obtained FedRAMP status.

The Black Swan event

Huge data breaches at major corporations are now a weekly event. However, it is the once-in-a-blue-moon occurrences that bother Echemendia: black swans.

A black swan event is characterised as having very low probability but high impact. In the physical world it means things like the Fukushima nuclear accident, earthquakes and 9/11.

But the cyber equivalent can have physical implications too, warned Echemendia, in an age when even fridges and coffee machines are connecting to the internet.

Fielding questions from the audience the ‘ethical hacker’ was asked if he had seen any interesting authentication methods beyond passwords and biometrics. Early iterations of two-factor authentication were hopeless, he said, as people hadn’t the patience for two stages. Using proximity-based authentication as an alternative second stage, could get round this problem, he said.
