We’re in ‘a hackers’ world’: security expert
Michael Calce, better known as Mafiaboy for his infamous cyber attack at age 15 that shut down websites including Amazon, eBay, and Yahoo, says that the best companies can hope for against a growing army of hackers is prevention, or at least damage mitigation.
“This is really a hackers’ world right now. We’re on the defence 24/7,” says Montreal-born Calce, who took his punishment 15 years ago and now, at 30, is a so-called white hat hacker who audits businesses and advises them on how to avoid becoming victims of black hat hackers like his younger self.
“I don’t want you to be paranoid — but you probably should be,” he told the crowd at a cybersecurity conference in Toronto on Thursday. “It’s time to start thinking you’re a target, rather than that you’re not a target.”
Calce made it clear during his talk at the Investment Industry Association of Canada conference that he has some practical advice that only comes with a fee for his services. Recent cyber-breaches like the one at JPMorgan Chase mean companies, including some banks in North America, are coming to him. The JPMorgan hack “definitely raised a lot of questions, and banks are starting to buzz a little bit,” Calce said after his talk.
He did offer some free, if tough-to-follow, advice, saying companies are vulnerable to hackers when they strive for efficiencies by urging employees to use free Wi-Fi and hot spots in hotels and on commuter trains.
In a test, Calce says his team was able to gain access to a company’s network through the laptop of an employee as his train was passing by the highway they were on. He said the example illustrates an important point: IT departments are trained to follow rules, while hackers “are dangerous and succeed by thinking outside the box.”
Calce, who adopted the Mafiaboy handle used by his brother for legitimate computer activities, warned that companies are, in some cases, being attacked from within — either intentionally or unintentionally. “There’s a lot of internal hacking, (and in some cases) someone in the IT department is actually the one hacking here,” he said.
Companies are also facing external threats from a growing arsenal of easy-to-use tools, including some that effortlessly crack passwords. Others generate fake phone numbers that appear to belong to company administrators, and are used to trick employees into turning over enough information to allow hackers access to the company’s systems. Calce said he believes this relatively simple tool was used in the infamous Sony email hack, and allowed the perpetrators to gather significant data over a prolonged period of time.
Companies are also vulnerable through their increasing reliance on the cloud to store data, Calce said. He predicted there will be a “major” cloud attack on a corporation sometime in the next year, which would give the hacker access to any device that has been used for cloud storage.
“I hate cloud. I think you’re putting all your eggs in one basket,” he told the audience.
Calce said the Internet was created as a giant interconnected library, with security added as an afterthought.
“The reason this will never go away is we’re building on inherent flaws,” he said. “To fix the problem, you would have to rebuild and restart.”