Vancouver Sun

Hacking the hackers

Security experts step into the world of cyber attackers to better plan their defence.

- GILLIAN SHAW

Mark is a disgruntled employee. So disgruntled that when he decamped from his job he downloaded critical files from his company computer, files he could sell to fund what he envisioned as an early retirement. Hot on his heels are the white-hat hackers, called in to recover the stolen files and shut off the lucrative pipeline to the company’s internal computer systems.

In this case, Mark is fictitious and the hackers are security and law enforcement experts participating in Symantec’s Cyber Readiness Challenge, held during a recent High Technology Crime Investigation Association conference in Halifax. The international organization focuses on education and collaboration for the prevention and investigation of high-tech crimes. But the Mark scenario is all too real — one that occurs at companies and organizations on a regular basis, says Symantec’s Michael Garvin. To keep up with cybercriminals, security experts work through elaborate challenges, learning, in effect, to step into the shoes of a hacker. “This is an industry where we niche into different skill sets,” said Garvin, who develops and delivers Symantec’s CyberWar Games and Cyber Readiness Challenge. “So what we’re trying to do is to help folks across all of the different skill sets understand the threats and how we respond to them.

“Hopefully by going through that process, using the tools and conducting the attacks themselves on something that is going to react like it normally would, they get a better understanding of what the attack is and how can their organization defend against it.”

Find the IP address

Tracking down information about Mark is scarily easy — even passwords and other personal information. As the challenge unfolds and the tasks get more difficult, the hacking tools are still ones readily available online — no degree in computer science required.

If you think your technology is secure, stepping into the shoes of a hacker may convince you otherwise.

The first step in the challenge is reconnaissance. Find out more about Mark.

Mark downloaded the information from his company to two websites, one being a social networking site. You need to find out more about them. With the competition run on a “capture the flag” model, the first flag is finding the Internet Protocol address of the site’s server. The experts breeze through that; anyone else could Google “find IP address” to see how easy it is.

As the competition goes on, you need to find more information about Mark.

How to crack a password? Well, assuming Mark hasn’t used ‘123456789’ or ‘password’ — surprisingly popular among people who can’t be bothered to remember anything more complicated — finding a password could be as simple as putting in a “forgot my password” request.

Maybe Mark has put in security questions so you have to know some personal information. That’s easy: check your victim’s social media profile, which can turn up an amazing amount of personal information and often enough to answer the security questions.

The second step for the hacker is incursion — that’s where you actually get into the corporate or government network.

“Now you are on the inside you can start looking around and see what other things there are available,” said Garvin. “You begin to work through and eventually get something interesting that you can begin to monetize — for example credit card data would be a good one.”

Full access

The third step is capture. The hacker gets full access privileges and so can carry out activities as easily as if he (or she) was on the company payroll and a trusted security specialist.

“If I’m Mark, I may be thinking about this as my retirement plan,” said Garvin.

Then comes exfiltration, which is a way of saying data theft.

It’s the illegitimate copying, downloading or transferring of data from a computer or an organization’s servers.

“The traditional tech crime guy has now got to have so many hats on because they have to investigate so many facets of crime when it comes to IT or technology,” said Peter Morin, senior IT security specialist at Bell Aliant and second vice-president of the HTCIA’s international executive committee.

“I think what will have to happen is a lot of companies have to start investing more, not necessarily buying equipment or throwing more protection — they have to start putting more budget towards educating their security workforce as well as their regular workforce.”

Morin said a security specialist without regular update training can’t keep up.

“Companies have to understand this isn’t like ‘I have a developer in my company and he builds applications and every couple of years I send him on a course and he learns something new but he can keep doing his job.’

“Security people really can’t function unless they’re continually trained on what’s going on.”

High priority

After years of being fairly low on the corporate agenda, security is now a priority. It has taken high-profile breaches to get it there and they show no signs of abating.

Last spring, Target CEO Gregg Steinhafel stepped down after it was discovered hackers had stolen the personal data and credit card information of millions of Target customers. Earlier this month, Home Depot disclosed a security breach that could affect as many as 56 million debit and credit cards across North America.

Although in an email to customers Home Depot noted its Canadian stores are already enabled with the more secure “chip and pin” technology for cards, in the email it offered 12 months of free identity protection services, including credit monitoring for customers who used a payment card at a Home Depot store from April 2014.

And the recent leak of nude photos of celebrities, the result of hackers launching an attack on celebrity users of Apple’s iCloud storage service, further underscores the risks in online security.

Jeff Greene, senior policy counsel, cybersecurity and identity for Symantec, said attitudes toward security have changed in recent years. Greene, who before Symantec worked with the U.S. Senate’s homeland security and governmental affairs committee, said that four or five years ago security wasn’t a priority for companies.

“We would regularly hear from CISOs (Chief Information Security Officers) and other security people from within major companies, all on the down low — ‘no one pays attention to us, we can’t get attention, how do we get attention,’” he said.

“We were very focused in that time on what do we need to do to draw in the C-suite awareness of it.

“Nowadays, I don’t think there are many board meetings at any company where they don’t talk about cyber as an issue.”

While security breaches have focused the corporate world on the importance of cybersecurity, the Internet of Things — the notion of a world where everything can be connected — is considerably expanding the security risk.

“All these new connected devices being built these days, security is not really built into them,” said Greene. “It’s an afterthought, because functionality is what sells.”

Security goes far beyond stolen credit cards, celebrity nude selfies and intellectual property.

“There’s the physical risk as we connect every piece of machinery in the world to be able to control it remotely,” said Greene.

In a simple demonstration, a hacker took control of some electronic highway signs in North Carolina, posting the message “HACK BY SUN HACKER TWITT WITH ME.” While the message seemed a prank, the implication wasn’t so funny.

Such capability isn’t new. In 2011, a hacker said he hacked into a South Houston water plant simply to demonstrate how easy it was to do it. In another reported breach on a water utility, hackers destroyed a pump.

“There are reports regularly about intrusions into the energy sector,” said Greene.

“I try to stay away from the cyber Pearl Harbor, cyber 9/11 analogies, but I do think there is a risk for real physical harm on a mass scale.”

Participants in Symantec’s Cyber Readiness Challenge put themselves into the shoes of a hacker to chase down a security breach in a fictitious scenario where the winner was the most successful cyber-snoop. The exercise often convinces participants...

Symantec’s Jeff Greene fears hacking has the potential to do real harm.
