- Former notorious hackers from UK share key insights at Daily FT-CICRA Cyber Security Summit
By Madushka Balasuriya and Himal Kotelawala
LulzSec and Anonymous Founder Member Darren Martyn
In Stieg Larsson’s bestselling Millennium trilogy protagonist Lisbeth Salander manoeuvres her way into someone’s computer by simply hacking their WiFi router. While Salander’s character is described as one of the world’s finest hackers, in this particular instance her task is made rather less taxing by the fact that her target’s WiFi router still uses the default password. If you’re seated there thinking, ‘well that’s awfully convenient’, I’d be willing to wager good money that most of you reading this article still do the same.
Back in 2014, a study by security specialist Avast found that more than half of all home routers in the US were poorly protected using default password combinations such as admin/admin or admin/password. While there are no studies to give an accurate idea as to what the present state of affairs is in Sri Lanka, a panel of experts at the recently concluded Sri Lanka Cyber Summit believe that as a society we’re at even more risk to this sort of backdoor hacking in 2017.
“We’ve seen a big rise in really annoying stuff. You know, the Internet of Things (IoT), botnets and an army of interconnected toasters! The sort of science fiction which would’ve been ludicrous only a few years ago,” says Anonymous and Lulzsec Founder Member Jake Davis during a panel discussion at the event.
“As has been mentioned by I think every speaker so far, the attack surface has grown so wildly and you know we’re seeing stranger attacks, and strange pivots into companies.”
LulzSecand Anonymous Founder Member Jake Davis
For Davis these “strange pivots” could come from anywhere in the not-so-distant future, not just your WiFi router; from a “keyboard sniffing air freshener” to a mobile hacking station disguised as a pizza box, or even internet-connected coffee machines; daily use items and appliances could potentially compromise vital company or personal data.
“You know when your coffee machine is connected to the internet and your head of marketing goes to have a cup of coffee, the coffee machine could track the head of marketing,” says the hacker-turned-cyber security expert.
For a quick refresher, The Internet of Things essentially revolves around increased machine-to-machine communication; it’s built on cloud computing and networks of data-gathering sensors; and they say it’s going to make everything in our lives ‘smart’ - yes, possibly even our coffee machines.
With the wide-scale adoption of internet-connected ‘smart’ devices coming soon, quite literally, to a neighbourhood near you, it is then prudent to understand some of its ramifications. On the plus side, it is going to be a game changer in terms of the way we function as a society. From little things like remotely monitoring and controlling the usage of electronic items in your home, to things a touch more useful like smart traffic lights. Indeed, with the shift towards driverless cars, it’s only a matter of time before a smart city grid is developed to communicate with smart cars, which can then relay information to smart traffic lights, which will then be able to respond to changes in traffic flow instantaneously. So long kilometre-long queues at traffic stops.
The possibilities are endless and humanity as a whole could be better for it. However, as the saying popularised by an early 2000s tale of a friendly neighbourhood superhero goes, ‘with great power comes great responsibility’.
Darren Martyn, who like Davis, is also a founding member of Lulzsec and Anonymous, questions whether society and tech companies are losing sight on their overall goals. People need to ask themselves what devices should and shouldn’t be connected to the internet, he says, voicing concern over the possibility of things getting an “awful lot worse” in the future.
“It is going to get an awful lot worse. We’re going to see ridiculous things getting hacked like internet connected toothbrushes probably - given that everything else is getting connected to the internet,” says the now ethical hacker and security researcher.
“I think that as finding ways to secure these things, I think we need to have a long think about ‘do all these devices need an internet connection?’ It’s something that concerns me a little. Does my toaster need to be able to check Twitter? I don’t know. I think that with some devices the best thing to do is disconnect the internet because there’s no real case for them actually being connected. I think that’s the best way to secure those.”
However, no matter how many fail-safes are put in place, or how secure you think your business is, there is always one element that cannot be accounted for: human error. Hackers, says Davis, are always looking for novel and unique ways of breaking into a system. This builds on Dane’s point of it only requiring one instance of the defence failing.
“It’s difficult for one vendor to get everything under one bucket, and hackers obviously have the advantage in that regard. They’re the attackers, so they’re constantly thinking about different ways to get in,” explains Davis
“Even if you think you’ve covered 99,000 different avenues of exploit, a hacker is just going to come and go, ‘hmmm, no I’m just going to do this funny thing that you’re completely not expecting’.”
Sometimes that exploit is not a technical one but a social one. The technical term given to it is ‘social engineering,’ and it has been around for as long as civilisation. In the popular Marvel TV series Jessica Jones, Jones is a private investigator who constantly manages to get access to sensitive information by simply making phone calls and pretending to be someone she’s not. Many other TV shows in fact use characters with such skill sets as a crutch to move the plot forward, and with good reason - it works.
Martyn relates a simple real life story of how easy it is to perform basic social engineering, where a hacker just impersonates the administrator of a company over the phone.
“This guy just emailed the other admin, asking for a password so he could log in, claiming he was on the road and didn’t have his passwords with him. The other admin assuming that this is all legit changes the password and emails it back.”
For Davis, his favourite example of social engineering doesn’t even involve a hacker.
“Someone in the UK was sent to prison for stuff completely unrelated to hacking, I think it was robbery or something. He smuggled a phone into prison, then registered a website that looked like the court’s website, and emailed the head of the prison security pretending to be the judge granting him bail. So he faked his entire bail letter, and they released him.”
The most incredible part of the story is that this piece of ‘engineering’ did not take place in the early 2000s, when the internet was still a relatively unknown quantity. No, it happened last year. Social engineering therefore, says Dane, is often more profitable than hacking through traditional means.
“Pretending to be the CEO or CFO and instructing somebody to transfer money from one place to the other. That’s been very effective and doesn’t involve a lot of technology,” he says. “That is more profitable for these guys than often the technology only ways.”
“No one really then protects themselves because they think hacking is this inevitable thing.”
So what should you or your company do to protect themselves? Well for companies several avenues exist; from hiring professional security firms like CISCO, to enlisting the aid of hackers through Bug Bounty programs, to simply ensuring something as simple as two-factor verification is in place.
According to the panel, one of the most common ways people get hacked is because they use the same password for multiple websites. This means that even if one of those websites were to be compromised, your data from other websites would be at risk if you utilised the same password elsewhere.
Martyn meanwhile suggests www.haveibeenpwned.com as a possible tool to check what information of yours, if any, has been compromised. While the simplest thing to do could be to download something like a password manager, which will allow you to have multiple highly secure passwords without having to worry about remembering them all.
As to why people may not take their online security as seriously as they should, Davis has a theory.
“When something gets hacked and Anonymous is responsible, in people’s minds they go fine that’s impressive, that’s very scary, but it’s Anonymous, Anonymous are this thing that can do everything. They’re everyone and no one, they have all the power… so no one really then protects themselves because they think hacking is this inevitable thing.”
Over 43,000 data leaks underscore SL cyber security need
The two ex-founder member of the internationally notorious hacktivist groups Anonymous and LulzSec have found over 43,000 individual data leaks belonging to .lk domains in just 32 out of a total 2,500 breaches.
The leaks, covering a span of about six years, are spread out across political, financial, military and business interests, the researcher claims.
Speaking to Daily FT on the sidelines of the 5th annual Cyber Security Summit, hacktivist turned ethical hacker Darren Martyn, now serving as a Security Researcher at the UK-based Xiphos Research Lab, said that his team have yet to form a full picture of what could be out there.
“So far we’ve collected evidence of 2,500 data breaches. That’s unique ones. That’s 2,500 different organisations whose data have leaked publicly to the internet. We only analysed 32 of those breaches. We haven’t had the time to go through the others yet. We need to validate and verify,” he told Daily FT.
Martyn and his colleague Jake Davis, both of whom were in Colombo for the 5th Annual Cyber Security Summit organised by the Daily FT in collaboration with CIRCA Holdings, had found passwords, emails and other personal information among the more than 43,000 leaks belonging to what Martyn called “important people.”
“The people affected probably have no idea their data has been made public by third parties,” he said.
According to Martyn, the leaked data had initially been made available for sale, but had eventually become available free of charge, leading him to believe that the hacks had been carried out with the intention of profiting.
Among the compromised organisations Martyn had found were at least one big-name commercial bank and an internet service provider (ISP).
However, he was quick to point out that some of the risks were not the victims’ fault.
“Those organisations had done nothing wrong. Maybe they just had a network appliance that was connected that had a vulnerability. We found that they had so many security issues but we can guarantee that every company has security issues,” he said.
The vulnerabilities found, according to Martyn, were to do with how the victims had implemented Secure Sockets Layer (SSL) encryption, as well as Heartbleed, Freak and a few other well-known but easy-to-fix exploits. (Heartbleed is an information leakage vulnerability that allows an attacker to read memory from a server so they can leak information like usernames, passwords, encryption keys, etc.).
“All you have to do is upgrade the version of SSL and problem solved,” he told Daily FT. Asked if the organisations ought not to be more concerned, Martyn said it’s a lot to do with manpower, time and budget.
“They’re probably fixing more severe things, and that kind of got kicked down the pile a bit. I’d say that they’d probably fix it now,” he said.
He did, however, recommend a more rigorous patch management and ensuring that everything was up to date. Martyn also suggested haveibeenpwned.com as a possible tool to check what information, if any, has been compromised. Basic security measures such as a password manager are also recommended, he said.
“I assume everyone’s doing their best, but we always have to up the game a bit.”
Asked how damaging the leaks could potentially be, Martyn said: “If the criminals have the data already, if they were to start using that data, if those passwords were still valid quite a bit of damage could potentially be done. So it would be good to work on getting that fixed.”
“You’ll find data on anyone if you look hard enough. That’s the terrifying thing. It’s all available. You just have to find it,” he added.
Read more on the Cyber Security Summit:
More complex cyber security threats pose serious ongoing challenge to business
Cyber security is not a technology issue but an organisational need
Hackers find social media easy prey
Industrial Control Systems inherently vulnerable to cyber attacks
Personal data losses continue to accelerate
Cyber security implications in banking and financial services sector growing