National Post (National Edition)
Ex-hacker looks to raise awareness about cyber attacks.
Many companies are vulnerable to data security breaches without realizing it, so a reformed Canadian hacker wants to raise awareness about the issue and he’s partnering
with HP Canada on a new documentary to do it.
Called Rivolta, the documentary tells the story of Michael Calce — also known as Mafiaboy — who took down some of the world’s largest e-commerce companies in 2000 at the age of 15, causing about $1.7 billion damage. Now 32 and reformed, Montreal-based Calce runs a company called Optimal Secure that tries to find weak points in company networks and helps businesses understand how vulnerable they are.
“The biggest threat from all of this is that when I was hacking, it was about notoriety,” said Calce in an exclusive interview. “Today, it is about monetary gain and I think companies need to really understand that.”
Forty per cent of Canadian companies have had a data security breach at some point, according to data by IDC. Meanwhile, 56 per cent of those breached said it happened through what seems like an unlikely source: the printer, which houses sensitive company data every day.
“Realistically, printers are the largest group of devices in an office setting and they have evolved so much,” said Calce, adding that many companies just pull the device out of the box and plug it in with default settings. “Hackers can pull all of the jobs from the printer’s memory or they can do many other things to run exploits like use some of the ports of the printer to gain access to the entire network.”
Printers and other Internet-connected devices are among the biggest weak links to data breaches, according to Calce. It’s not just small-to-medium sized companies either, as major Fortune 250 companies are guilty of letting these devices fall through the security cracks.
“The problem is huge. I go into major financial institutions that are still using default passwords on printers,” said Colorado-based Michael Howard, chief security adviser and worldwide security practice lead at HP. “Largely printers are sitting on (company networks) unmanaged and unmonitored, and they don’t have any way to know if anything is going on.”
Howard advises some of the biggest companies in the world to think of every device that’s connected to the Internet — no matter how small — as a risk and to financially invest into proper security resources, in addition to changing the default settings.
“In Vancouver, there was a breach where (hackers) turned on a TV and recorded everything going on in a boardroom,” Howard said. “Or it’s also things like vending machines being put on networks.”
The other major vulnerability for businesses is what’s called social engineering, according to Calce, where hackers use things like misleading emails or websites to trick users into downloading software that allows a breach. The key is to be aware the problem exists and be more skeptical when something doesn’t seem right.
“Nothing will ever be 100 per cent secure, but you can mitigate the risk,” he said. “It’s like driving a car … do you buckle your seatbelt or not? You mitigate the risk of losing your life by doing so.”
Calce got his first computer when he was six years old and became immersed in hacking culture by his early teens, eventually leading to his recruitment by one of the most dominant Russian hacking groups in the late 1990s called TNT/Phorce. By the time he was 15, in 2000, he used denial of service attacks to take down Yahoo, eBay, CNN, Dell and Amazon.
“You have to understand, it was during the e-commerce boom where a lot of investors and wealthy Wall Street people were putting their money into tech,” Calce said. “When these companies started going down, the stocks dropped.”
The upcoming documentary Rivolta — directed by Academy Award-nominated director Hubert Davis (Hardwood, Invisible City) and produced by HP Canada — is still finalizing its release date but will take viewers through Calce’s story.
“It’s an effort to really open the eyes of businesses and consumers to the weak spots that may exist in their networks,” Calce said.
“Technology is here and it’s not going away,” added Howard. “But as security professionals, we have to adapt and change the way we look at it, and look at how we can continue to roll out stronger policies around it.”