Getting into the mind of a hacker
360Crossmedia met with an ethical hacker to assess how vulnerable Luxembourg is to a cyber attack.
How would you proceed if you wanted to "attack" a Luxembourg bank and access its clients' data?
Social engineering would be the first aspect of the attack. I’d visit the location, scout out the premises and look for weaknesses in terms of secure access to the building. I would also look at employees’ movements and habits to look for weaknesses, to gain their trust and to access the building! Local webcams and CCTV, which can be accessed on the internet, are helpful. I would use them to build up a profile of employees’ movements throughout the day to gain an understanding of the busiest periods: the busier it is, the easier it is to access the building without being detected.
Could you give some examples of classic breaches?
Gaining access to the premises by befriending fellow smokers is a great opportunity - it’s often possible to follow them back into the building without the need for a security pass. The process requires interaction with them over a period of time, so that they feel that you’re a part of the business – it’s important to talk about the company and to find disengaged or disgruntled employees who would be willing to give you access to the building by letting you through when they access the lifts.
Dressing up as a delivery driver is very effective too. This has been magnified in the last few years with personal deliveries which are sent to offices to ensure that they are received.
Recently, when I was working at a large financial institution, I noticed that a pizza delivery person was let through by security every Friday, so I did what any resourceful hacker would do: I got a job at the pizza shop! Once employed, I left early with the pizza, made it to the company and accessed the building undetected. I proceeded past internal security personnel and located the server room on an upper floor.
« I proved I could gain access to the server. »
Wow, that sounds simple. Do you have any other similar tricks?
USB drives! Everyone likes getting something for free.
Handing out free USB drives – which are cheap to purchase and brand – that have been infected with spyware allows access to company servers without the need to hack the firewall.
These USB drives can be made more attractive by adding a fake prize to the drive, encouraging employees to access a fake website which will be able to collect more data relating to employees and their companies.
What would you do to prevent your bank from hackers' attacks if you were a bank manager?
Robust cybersecurity software – above and beyond the company’s normal firewalls - is essential but is only one element when it comes to ensuring that a company is secure. Companies should test their systems on a monthly basis and perform full onsite checks every quarter to verify all systems and to patch any potential breaches. These technical and non-technical reports are vital for the IT team and directors to understand the potential threats to the company's data and balance sheet. Staff training is also essential to keep a company safe from cyber attacks.
Do you think that the IoT and connected cars present new risks?
Yes, the potential for IoT devices to be compromised is huge. A hacker could find their victim’s password online, simply by knowing their email address. If the victim has been compromised on websites previously, his or her details will be in a database. A hacker could then extract that information and begin to take ownership of other accounts – because, let’s face it, people tend to use the same password for everything! The DDoS attack on the West Coast of the US in 2016 is a prime example of this kind of attack.
Is it more interesting for a hacker to hack companies for a living or to get hired by a company or a government to prevent hacking?
The modern hacker’s motivation has changed over the last 5 to 10 years. Before, hackers were looking to prove to their peers that they were able to access even the most well-secured servers and websites. They would gain access and leave a digital signature – a kind of digital graffiti – while the more malicious sought to damage or close down a system, server or website to prove that they could gain access. The process wasn’t motivated by money. A new breed of hacker is now financially motivated, aiming to extract data or money from businesses. This may be more interesting for the hacker, but if a hacker is caught and convicted of a cybercrime which involves stealing large amounts of data or money, the punishment can be up to 10 years in prison. Lauri Love, for example, will be looking at 99 years in prison if he is extradited to the US and convicted.
Unethical businesses and countries buy stolen data. Is this creating a new business for hackers?
Yes, but again, it has the same risks: no country or large corporation is going to support anyone found to be trying to sell data to them, even if they requested the data in the first place. A long prison sentence would be very likely. We need to dispel certain stereotypical myths when it comes to the modern hacker. You can still find a few teenagers dressed in hoodies, but large security breaches are now being carried out by organised companies with employees on the payroll. These businesses are outside of the EU’s jurisdiction, so it’s very difficult to prosecute them or to shut them down. The need to take professional and personal cybersecurity seriously is key. By 2020, 60% of digital businesses will suffer major service failures due to the inability of their IT security teams to manage digital risks.
360Crossmedia has invited the hacker to the CEO lunch in April 2017.