Chapter 1: How did I - We get here?
“Everyone on your team must surrender their passports to me.”
At least our point of contact spoke English.
But the senior executive wasn’t letting up. “Everyone on your team must surrender their passports to me.”
I refused. The first rule of travel is you never give up your passport.
“Why do you need them? We’re here to help you, aren’t we? We’re not terrorists or anything.” I wasn’t letting up either, so we continued to argue. Ten minutes later, thinking I had the upper hand, I went on.
“Well, you know, we can go back home if that’s what you want.” And that should’ve ended it. It was already nighttime in Saudi Arabia, and the atmosphere was hot. I was fine leaving the heat early.
“Bill, don’t worry, we’ll stop you at the airport on your way home anyway. You keep your passports,” he said, only half-jokingly.
Shit.
They could keep us from leaving the country whether we had passports or not.
Did they not know that local companies occasionally get burned because foreign companies made promises they didn’t keep? Furthermore, cybersecurity experts aren’t spies. We try not to fly too much into hot spots, but sometimes that’s where the action is.
This was a serious deal. The client was not only one of the world’s largest companies by revenue but also one of the most valuable. This was the first case of cyber-warfare in the commercial sector. It was the first time an infiltrator had accessed and destroyed a large proportion of the IT infrastructure environment of a massive organization using the Shamoon virus attack. It wiped out tens of thousands of computers and replaced the data with a partial image of a burning American flag. Leon E. Panetta, the then-United States defense secretary, said the attack could be a harbinger, that “an aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches.” Our mission was to figure out who was attacking them, what they were after, locate any forensic evidence, and help them recover.
My assignment took me to Dammam, Saudi Arabia, four hundred kilometers from Riyadh. It was my first trip to the Middle East, and I didn’t speak the language. It was also during the time of the Arab Spring, which meant heightened security.
I spotted a driver who motioned me to get in the car. I agreed—even though the name on the sign he held up wasn’t quite mine because it was misspelled. An hour later, I wondered if I was actually in the right car as we hurtled down the pitch-black freeway and swerved past a herd of camels. The road lights weren’t even on. If only one member from my team were there with me, I’d feel less anxious. But since we were spread out all over the globe, we had all landed separately, each one taking a hired car along the same road, and perhaps, past the same camels to get to the command center.
By the time I reached the client’s site, half the team of around fifteen was already setting up in response to the company’s call. We worked in the command center over the next few months, sixteen to eighteen hours a day to diagnose, analyze, and test to find the culprit, and helped the client secure its infrastructure. We were protected by guards, escorting us to and from our rooms with our passports intact. Surrounding countries were also experiencing similar instability. This meant that the attack could’ve been done by an insider, so these guards were armed. And if it turned out not to be an inside job but something else, military airplanes flew around the compound to protect it. While we all collectively learned a lot from this incident, most importantly the client recovered from the event, and I was impressed how they then went on to build a world-class security operations center.
I continue to perform infrastructure security around the world from the Nordics, Egypt, Turkey, and the European Union, the USA around to Japan, Philippines, and Australia. While I have yet to experience the level of IT infrastructure devastation as I did in Saudi Arabia, I find nothing surprises me anymore.
Hacking and exposing vulnerabilities
The internet has been around since 1983; it took roughly another sixteen years to become mainstream. Back then (if you’re old enough to remember), many of us used it at work to receive and forward jokes to friends and colleagues. Now, of course, we use the internet to shop, bank, find a dinner date, file taxes, and enroll in school. Today, millions of online transactions are performed every twenty seconds, and over 269 billion business and consumer emails are sent and received every day. In a short time, we’ve gone from using it as a small part of our daily work tasks to faithfully relying on it as a transmitter of information.
Technological advances have made the internet more readily accessible and available to everyone. Some savvy computer users saw weaknesses in networks and the code itself and took this as an opportunity to test their mettle. It did not necessarily start as a harmful act, but soon enough, some also discovered they could make a lot of money by stealing identities, information, or… money.
Here’s where hacking comes in. In its plainest form, from a security point of view, hacking is the unauthorized access of a computer system. Hackers essentially test hardware and software to understand and exploit any weaknesses in a system and gain access. They then may go on to commit cybercrimes. While most of us use the internet for well-meaning purposes, hackers use it as their playground where they can access, share, steal or delete data, steal identities or login information, or spread viruses.
Hackers give “white hats” like me an opportunity to get in and fix what’s broken after the fact through forensic investigation. We also help prevent attacks through ethical hacking and penetration testing (2). We’ll delve deeper into these disciplines in later chapters, but for now, just know that the internet means different things to different people.
People, the weakest link
The internet was originally designed as a closed “network of networks” for scientists to share data. It was not built with security in mind. Once it became an open network, the internet—and especially social media—made it possible to collect, store, analyze, and share a lot of our personal data and information. Naturally, big data and the infrastructure it resides in are very attractive resources to hackers. They can’t help themselves from creating chaos, and this is what makes us vulnerable. According to the Ponemon Institute, malicious or criminal attacks accounted for 47 percent of data breaches in 2017, followed by human error and system glitches.
The question is: when did it start?
The answer is: we have always been vulnerable.
From my experience, there are many reasons why we are defenseless against hackers; I shall talk about three that come to mind.
1. Some companies have little or no visibility of the problem. Certain organizations sometimes don’t know what they don’t know. They’re content in trying to secure the basics in their infrastructure, and like an ostrich, bury their heads in the sand.
2. Others have a casual attitude toward cybersecurity, so it’s easy to see how criminal attacks happen almost twice as frequently as human error or system glitches.
3. Lastly, the cost of securing an organization’s infrastructure sometimes prevents them from fully protecting themselves, and those that are breached once will be breached again.
But here’s the twist: even when the cost isn’t prohibitive, organizations often still don’t cover even the basics. Unfortunately, many of them operate without updated antivirus protection that requires only a signature update to avoid a computer virus infection. It’s sometimes the basic-level hygiene that companies don’t pay attention to that will eventually breed more significant problems.
In 2011, Sony sued George “geohot” Hotz after he broke into the PlayStation 3 video game console and published its root keys on his website. In revenge for the lawsuit, the hacking community went after Sony. It was one of the first major publicly acknowledged cases where a congregation of hackers with a common cause got together to outdo big business. They exploited a trivial yet glaring security vulnerability that had been known for a long time and should have been fixed. Through an SQL-injection attack (3), the group broke into Sony’s PlayStation Network, its streaming media service–Qriocity, and its game developer and publisher–Sony Online Entertainment. The group exposed the personal data of some 77 million customers in the biggest gaming hack to date. PlayStation was again breached in October that year. I know what you’re thinking: a company with pockets as deep as Sony’s should be able to better protect themselves, right?
Certainly, an attack surface (4) like Sony’s is so large that a proper integrated risk assessment may not have been performed to deploy appropriate technical countermeasures and remediate vulnerabilities. Furthermore, the then-senior leaders of the organization may not have understood the simple vulnerabilities exploited by the hackers well enough to ensure they were fixed. In Sony’s case, it was reported the company faced a loss of $171 million the following year as a result of the breach.
All companies are a complex inter-connection of computer systems—doing a thorough risk assessment takes time and money. When you consider the size of a very large infrastructure like Sony’s, the complexity of their organizational structure and their financial health, it’s easy to understand why executives may not have spent what they should have on security. And when you then factor in the technical ease of some attacks, you can see why hackers continue to breach other organizations with little or no repercussions.
We were called in to Sony to patch up—literally—the vulnerabilities. We knew how the breach occurred, so we tested the systems to see which ones were still vulnerable, provided recommendations, re-tested them, and applied a remediation plan. Sony is actually lucky; many companies that can’t afford to properly protect themselves simply don’t.
Surprisingly, public tolerance has gone up—it’s no longer shocking, but rather considered the norm when hackers breach giants like Sony or Equifax. There’s a lethargy around the subject, and it’s as if people already know that it’s not a question of if, but when they’ll be hacked. This then begs the question: why would you not protect yourself if you knew that someday your personal information will be breached?
Knowing that most online users, companies, and governments aren’t properly protected, why wouldn’t cyber criminals take full advantage and exploit every human error, software flaw, and website loophole? As the global online community continues to grow exponentially, and as people increase their attack surface with new Wi-Fi-enabled gadgets, hacking targets will only multiply.
Other reasons we’re vulnerable
Big data, the “new oil”
If you ever think cable, satellite, telecommunications, or utility providers have too much power, you’d be right. Cable, satellite, and telecommunications companies know what we watch, record, and download, while utilities companies know our credit history, how much water or gas we consume, as well as our payment history. But companies that collect AND store data in large quantities are scarier. Big data has become so valuable, it’s sometimes called the “new oil.” For example, banks monitor your transactions in real time and then offer products and services based on your behavior. (Or, from their perspective, they show that they understand your needs.) Have you ever received gold or platinum credit card offers over periods of continuous employment? Or, the opposite—credit card balance transfer offers to a short-term, low-interest card or line of credit? If you have, the bank simply made use of the data they have on you.
Equifax, TransUnion, Experian, Acxiom and thousands of data brokers also hoard and centralize large amounts of data (date of birth, social security number, driver’s license, etc.) over the customer’s lifetime. As the data grows over the individual’s life, it can’t possibly all be secured; the rate at which they acquire the data exceeds the speed at which new security protocols are implemented. So, if an organization like Equifax can’t move fast enough to keep up, is it surprising that the May–June 2017 breach exposed the personal information of more than 140 million American customers?
If this doesn’t scare you, then think about this: the five most valuable companies today—Apple, Amazon, Facebook, Microsoft, and Google’s parent company Alphabet are also scrambling to collect data every time you log onto their platforms. They’re all fiercely competing to dominate and influence consumer technology. To make things even more interesting, their (formerly your) information is stockpiled in huge data stores in the cloud.
Is this a target-rich environment for hackers? Definitely.
The misuse of privacy: We’re all being watched
Privacy means nothing these days. The explosive growth of email, social media, and online marketing has made it impossible to roll back to a simpler time when we sent and received most of our correspondence by snail mail. People do not understand that they have given up their privacy when they post about their personal lives, and they do not know how their data can be used for ulterior purposes.
Early in my career, I was part of a social engineering assessment for a company in the Defense Industrial Base (DIB) industry. It was during the Iraq war, and Al-Qaeda was targeting company board members’ children. Our job was to assess how easy it would be to breach a specific organization and to learn how susceptible the executives and their families were to kidnapping threats. We undertook an exercise to profile their executives. We used an open source application that allowed us to drill all the way down and learn about their children, tracking what they did on social networks, who they met, or where they might go on holiday. We quickly built their profiles and demonstrated how easy it would be for terrorists to access the children’s profiles on the internet and threaten each of these families. The attack surface in the defense space was, and still is, highly attractive to terrorist organizations, so this assessment helped us determine if someone on the Internet could access their profiles, and eventually kidnap a family member to exact revenge.
Fast-forward to today. Governments around the world allow internet service providers to collect and sell the data of citizens and organizations, while websites and social media platforms track visitor activity. Everyone knows this. But most people don’t know that the internet is not a safe place. They don’t understand the concept of online privacy and security, and they certainly don’t know that current security mechanisms aren’t protecting them.
Even if you think you have nothing to hide, whatever you do online is never entirely private. There is no privacy online.
Lack of internet regulation
Most hacking skills are easy to acquire through a simple online search. With just a few clicks, you can find tools to download and use. Some are point-and-click, so you don’t even have to learn how to code to attack your target.
Legally, there’s minimal deterrence, even for a persistent hacker who has committed multiple breaches. Successful prosecution requires proving which physical jurisdiction the attack took place in, and that can be fruitless when trying to coordinate across geographical borders. If they bounce through a server in Japan and then to servers in Canada, the US, China, and Russia to finally hack someone in Canada, which country should prosecute? How many law agencies should be subpoenaed? Where is the jurisdictional boundary of the breach? How long would the process take? And at the end of it, how would they even know they have the right person? Law enforcement resources are too fragmented, and they don’t have enough people sufficiently trained to conduct high-tech forensics. It would take too much time and resources. Most companies don’t want to go to court and have all their dirty laundry aired, so they wouldn’t prosecute.
Very few hackers get caught and are prosecuted. If I had to guess, I’d say only 10 to 20 percent of breaches are discovered and reported. Between the low barrier to entry via the free online tools and a lack of online regulation, a persistent hacker can rack up money and data undetected and repeat the process many times. When you add the defenselessness of most companies, even amateurs can break in and cause serious, lasting damage to an organization’s reputation and bottom line.
The lack of online regulation, the ever-growing pool of big data, our own lethargy around privacy, and organizations’ inability to treat cybersecurity as more than an afterthought are what make it so easy for “black hat” hackers to wreak so much havoc. What it means for you, aspiring cybersecurity specialist, is the opportunity to make a difference in educating the public against cyber criminals.
Impact of Cybercrime, the damages
The impact on everyday citizens includes identity theft, holding information as ransom, debit fraud, money theft, and unauthorized apps installed on their devices. Most victims have no idea how to defend themselves, and even fewer comprehend why they have become the targets. Cybercrime leaves an emotional toll on those who thought it could never happen to them.
In comparison, the impact on organizations varies depending on the industry they serve, the timing, and the duration of the breach. While losses can be monetary, they can also include fines if the organization doesn’t comply with data protection legislation, a decrease in sales, denial of service to customers, loss of jobs, and operational disruptions that can cripple a business long after the breach. Here’s a look at just a few of the biggest organizational data breaches to date.
• 2004: A former AOL (America Online) software engineer steals 92 million screen names and email addresses and sells them to spammers who send up to 7 billion emails to unsuspecting customers.
• 2007: Hackers steal debit and credit card data of 45.7 million shoppers from nearly 2,500 T.J. Maxx and Marshalls stores.
• 2009: The US military erroneously sends back a defective unencrypted disk for repair, which holds records of 72 million veterans dating back to 1972, without destroying the data first.
• 2009: Hackers access Heartland Payment Systems’ corporate and card processing network and expose 130 million credit card numbers; the hackers had first accessed the company’s network two years earlier.
• 2012: Sixty-eight million addresses and encrypted passwords are leaked from Dropbox.
• 2013: Yahoo is breached and names, dates of birth, phone numbers, passwords, and security questions for 1 billion user accounts are compromised. The company discloses the breach in 2016.
• 2012: Adobe discovers that 38 million accounts were breached, including those of 33 million active users whose encrypted passwords were stolen.
• 2014: Hackers breach Yahoo’s network and steal information from up to 5 million users; the company discloses the breach in 2016.
• 2016: The Democratic National Committee (DNC) is targeted by hackers believed to be engaged in political espionage.
• 2018: A Facebook breach affects nearly 50 million people; accounts were compromised when a vulnerability let hackers steal security tokens linked to their Facebook profiles.
Did you notice that the majority of these incidents were neither inside jobs, nor caused by human error, but malicious attacks?
Big companies aren’t the only ones that are breached of course. However, despite the significant potential impact of the damage, businesses of all sizes and governments at every level continue to adopt a “wait and see” approach. Perhaps they hope they’ll never be breached, or that if they are, the effects will be minimal and remain undetected.
Information is Beautiful provides the best visualization of all the major breaches known to date (http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/).
It’ll never be over
Cybersecurity is one of the fastest growing markets in information technology. Although viruses have been infecting computers for over thirty years, virus engineering has quickly shifted from sporadic vandalism to cybercrime. An exponentially increasing volume of malware (both sophisticated and crude) infects computer operating systems or crashes entire networks. It is sometimes hard to discover and can bypass known defenses.
There’s no doubt that if we keep moving in the direction and at the speed we have been, we’ll continue to be more connected and therefore, at greater risk. I’ve been involved in investigating and solving hundreds of security breaches, and I’ve seen it all first-hand: multiple systems online in different places, vulnerable infrastructures, tiny bugs that can develop into serious flaws, or networks that were already compromised.
I sum it up in two words: “Shit happens!” Nothing surprises me anymore.
Meanwhile, hackers are growing increasingly more skilled and sophisticated, and they will adapt to infiltrate systems and get what they want, without a second thought to their victims. In our increasingly digitized world, the future is driven by data, and since everyone stores some type of data somewhere, everyone is fair game. And for aspiring “white hats” like you, it means having the opportunity to flex your technical, problem-solving, and communication skills. This means being one step ahead of the bad guys while staying cool under pressure.
Endnotes
1. This is the standard protocol for investigating an incident.
2. Penetration testing means trying to get access to an organization’s systems from the outside.
3. SQL injection is a code injection technique used to attack data-driven applications, in which nefarious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). For more details: https://en.wikipedia.org/wiki/SQL_injection.
4. An ‘attack surface’ is all the surfaces (physical, logical, human, process, technology) that are vulnerable to attack, and may be exposed to become targets.