Dutch data privacy campaigner Marleen Stikker had a revelation of the ‘Big Brother’ potential of digital technologies in 1994, just ten years after the iconic date of Orwell’s 1984. As a founder of Digital City – Europe’s first virtual community – Stikker was offered a demonstration of the dark side of what were then emerging technologies.
The cyber threats have become so severe that no business can afford to be complacent, according to 24-year-old Jamie Woodruff, one of the world’s most famous ‘white hats’. Following a whirlwind rise, Woodruff now travels the world lecturing on cyber security and he even has worked with members of the Saudi royal family. “I can guarantee every company in the world will be hacked within five years. We need to change people’s perception of what a hacker is so they wake up to the dangers,” he said. “A lot of media still portray a hacker as a guy in a basement with a mask, but the reality is it’s done by organised crime based in entire office blocks. They have employees with KPI targets to hit.”
The sophistication of the criminal networks means the situation will get worse before it gets better, Woodruff says. “It’s so easy to get access to ransomware. Anyone can send £10,000 through bitcoin to obtain their own version of undetected ransomware that can infect computers round the world. They don’t need any hacking experience whatsoever. They can work 9 to 5 and make a massive amount of money,” he said. “From the 1960s to the 1990s we had money laundering through car washes, or laundrettes, but now we have data laundering, a huge and highly sophisticated field.”
Large companies have to accept that if they are targeted by a nation state, such as China, or Russia, they will eventually succumb. The best they can hope for is to minimise risks, according to Peter Wood, a world-renowned ethical hacker and the CEO of First Base Technologies, which pioneered the techniques in the UK in the 1990s. “The Chinese are one of the most advanced at nation-state level hacking and if you are in their sights they will throw huge amounts of people and technology at you until they get in. Most organisations settle for mitigating the damage,” he said.
Even the giants of the online world, such as eBay, LinkedIn and Sony, have been unable to defend against the hackers despite their ranks of technology geniuses. The LulzSec ‘hacktivist’ collective cracked Sony’s Playstation network in 2011, revealing the contact information, logins, and passwords of 77 million players. For eBay, there was a massive and very public breach of 145 million user accounts in 2014. LinkedIn was hacked in 2012, but it took four years before the social networking giant admitted that 117 million users passwords and logins had been stolen, then sold on the black market in 2016.
But small and medium-sized companies need to be aware of the dangers as well, says Peter Wood, especially if they are part of a larger firm’s supply chain. “The criminal activity is not as simple as people think. A small company might provide services to a larger one working in the nuclear industry. The nation state could target the smaller, not well-defended company, which is connected to their ultimate target,” he said.
The criminal strategies for getting in to the networks are almost infinite and Wood says it is a never-ending job for his team of 20 ethical hackers to keep up. Constant study is essential and only those with a real passion for endless crossword-like problem-solving stay the course. The sheer number of threats makes it essential, too, to narrow the focus when First Base Technologies works with a firm.
The first step is to define the greatest threats, which largely depends on the sector. For a bank or insurance company, it’s likely to be from organised crime. For a pharmaceutical company, it could well be a competitor trying to steal secrets, or a nation state wanting to reduce its research and development costs. First Base Technologies makes a short list of the likely attackers, and their methods, and then draws up storyboards. “It’s like creating scenarios for a movie and it requires a lot of imagination. We have to think how we would get through if we were the attackers? It’s complicated because most attacks comprise six or seven steps.”
Once they have their scripts written out, Wood and his team of ethical hackers conduct their attacks, but with the ‘safety catch’ on. This means they don’t destroy data, or impact anyone’s human rights. Part of the agreement with their clients is that the team will test the vulnerabilities of members of staff, but they won’t identify them as individuals, which could undermine their reputations. “All responsibility lies at the corporate level even if the failings of individuals are often the best way in. Once we’ve finished our hacking work, we often help to train the staff to be aware of the dangers, using our ‘film scripts’ to bring sessions to life,” said Wood.
Jamie Woodruff goes even further in identifying the employees as the weakest link. He says in his experience this is “always the case and that won’t change in hundreds of years”. Large firms, he says, will spend billions of dollars on their security infrastructure, but neglect to value their employees. “Too many businesses treat employees as objects and fail in their duty of care.
For me as a hacker, the easiest way past their defences is through a disgruntled employee, someone who doesn’t want to be there, someone I can buy a uniform off, or buy information from. It might be at a corporate event, or a retreat, or a conference, when an individual is drunk and sharing confidential information with a group.”
Part of Woodruff’s skill lies in weighing up body language and knowing which individuals are susceptible to being tricked. He calls this the “social engineering” side of hacking and says it’s just as important as his more technical skills. He says his life at times is like that of Frank Abagnale, the con artist portrayed by Leonardo DiCaprio in Steven Spielberg’s film Catch Me If You Can. Abagnale was a master of disguise who knew how to get people’s trust. And so is Woodruff.
One of his favourite hacks involved breaking into a bank dressed as a pizza delivery boy. It took weeks of planning. Woodruff knew that a well-known chain delivered pizza to the bank every Friday. He applied for a job with the pizza company and got hold of a uniform that allowed him to waltz straight past security and into the server room. He then used some UV spray to see which buttons had been pressed on a keypad and bypassed another layer of security to gain access to the supposedly ‘secure’ information. To aid this type of work, Woodruff has a number of badges, props and uniforms, including Royal Mail, FedEx and UPS.
First Base Technologies also employ experts in social engineering. Peter Wood says the stunts are fun to carry out, but require detailed planning and imagination to succeed. A classic example involved a hacker posing as a flower delivery person on Valentine’s Day in order to trick his way into a company that was a major supplier to a government department. “We’d done reconnaissance so we knew the toilet facilities were on the other side of security. When he delivered the flowers, he first asked if he could take them to the individual. They said ‘no, they have to be left at reception’. But then he said, ‘I’ve been going non-stop since 6am as it’s Valentine’s Day, can I use the bathroom?’ They let him past the barrier and he was inside the building and off and running. A lot of social engineering plays on how nice and helpful people can be, which is what the criminals do.”
Businesses will soon be forced to pay more attention to their data security, Wood says, when the European General Data Protection Regulation (GDPR) comes into force on May 25, 2018. A raft of new measures will extend the protection of private data. Companies with more than 250 employees, for example, will have to keep much more detailed documentation about personal
data and breaches will have to be reported within 72 hours. However, by far the most important change, Wood argues, is in the massive increase in the size of fines for organisations that fail to process data correctly.
Under GDPR, smaller offences could result in fines of up to €10 million, or 2% of global turnover (whichever is greater). Those with more serious consequences could have fines of up to €20 million, or 4% of global turnover. “Most of the provisions are an extension of existing legislation, but the maximum fine is so large now it could drive firms out of businesses,” said Wood. “It’s being used by a lot of security people to beat their management over the heard and get them to take security seriously and that’s a terrific thing.”
Although GDPR is more concerned with privacy information and companies are usually most concerned about intellectual property (IP) and their bank accounts, the act is still profoundly important, he says. For one thing, if personal data can be stolen in enough quantities, such as with the eBay and LinkedIn breaches, it has monetary value ‘on the streets’. But there’s another key reason why it’s important for businesses to keep personal data safe, Wood says. When criminals do their information gathering about companies they want to attack, they profile the individuals working there as carefully as they can.
“The more information they can gather, the more targeted the attack can be. That’s why personal information is highly important in the early stages of any sophisticated attack. It’s phase one of a long-term ‘social engineering’ strategy. It’s another reason why improving controls because of GDPR will provide better protection against all attacks,” he said.
Safeguard your printer
The battle to keep up with the criminals is constant, but there are simple steps companies can take to secure office equipment, Wood says. One of the most vulnerable entry points, he says, is the humble office printer. While businesses focus on protecting computer systems, crooks find alternative, unprotected ways in. “It’s been done by hackers many times not least because a lot of businesses take their nice, new printer out of the box and plug it in without thinking about how it’s configured. Most printers come with every service in the universe turned on by default, which means they’re easy to use, but far from being secure out of the box,” he said.
Typically, he says, there are web interfaces, telnet ports and SSH interfaces. If they’re not being used, they should be switched off to decrease the chance of the machine being hijacked. If everyone in the office network is running windows, then Apple Services should be switched off, too. Many printers come with the facility to connect back to the manufacturer for updates which is another weakness that should be switched off as a hacker could use the machine’s ability to talk to the internet as a “reverse channel to get hold of the machine”. However, companies need to update their printer software manually as soon as new versions are available to avoid running old software that is more vulnerable to attack, he said.
Passwords for all printers should be changed as soon as they are plugged in. “That’s so simple, but it’s the biggest security risk. The hackers know all the default passwords and share the information, even publically,” he said. Another weakness is wireless connection, which makes it easier to use printers, but makes them less safe. “We don’t use wireless connections at our company. They are only ever wired directly to the network, which is less convenient, but more secure,” he said.
Wood says the Internet of Things (IoT) means the number of devices attached to the internet all the time is on the rise. It considerably increases what he calls “the attack surface”. “At home, we have internet-connected kettles, or internet-connected cookers. In the workplace we have web-connected heating and ventilation systems and uninterruptible power supplies, and other things. Each device connected to the internet is a potential entry point for an attacker,” he said.
One of the most common IoT devices is a web cam, whether it’s monitoring babies, or dogs, or the CCTV outside office blocks. Again, the first step is to change the passwords. “If you don’t do that, as soon as you plug in your new webcam, the hackers could be using it to invade your privacy in your own home, which is a scary thought,” he said.