
Confessions of a professional hacker: think your AV/IT is safe? This may change your mind

"Every piece of AV equipment is a doorway for a hacker to enter" - AVTE spoke to an ethical hacker to find out how scarily simple it is for a cyber criminal to access your most valuable data

The threats from cyber attacks are reaching epidemic proportions.

As I write this, an email with the headline ‘councils hit by 37 cyber attacks every minute’ has popped up on my screen. Surprised? After all, the subject of cyber threats for many is like discussing a life-threatening illness or crashing your car. It’s something that happens to other people, right? Maybe. Maybe not.

Statistically, the threat levels demand it be taken seriously. Figures from the Online Trust Alliance (OTA) place the number of reported cyber attacks on businesses in 2017 at just shy of 160,000 – double the figure for 2015. Combined with unreported cases (quick fixes, embarrassment, ransom paid), the OTA puts the figure closer to 350,000 – the population of Bristol.

It’s not just small companies either. Many highly successful and highly resourced companies have made the headlines in recent years due to vulnerabilities in their security. Equifax, Uber, Verizon, Yahoo, Vodafone, Carphone Warehouse, AA, Deloitte, NHS, PlayStation – the list goes on.

Hacks come in many different forms. For some hackers, it’s the thrill and the self-satisfaction of being able to gain access to something they shouldn’t. Some just want to be a nuisance. Take last year’s attack on Union Station in Washington DC, for example, when a large advertising display was hacked during rush hour to display pornographic content. Embarrassment aside (and a few difficult questions from children), the hack was harmless – at worst, a warning to tighten their security.

On the flip side, some hackers – “the bad guys” – do it for personal gain: a career in targeting your data to use, sell, manipulate or hold to ransom.

Such incidents can cause irreparable damage to a company or an individual (remember all the angry wives after the Ashley Madison hack?).

Perhaps the most startling figure is that 93 per cent of all breaches in 2017 could have been avoided by using common and simple security practices. But what are they? Is it as simple as buying and installing a bit of software off the shelf and forgetting about it?

● Cyber crime damage costs to hit $6 trillion annually by 2021 – double that of 2015

● Cyber security spending to exceed $1 trillion from 2017 to 2021

● Ransomware costs UK/EU businesses £71m in downtime during 2016/2017

● Average ransom demand from hackers was between £350 and £1,407 during 2016/2017

Hart attack

Jason Hart is a potentially very dangerous man, possessing the skills and knowledge to cause the kind of damage suggested above. Thankfully, Jason is a good guy: a successful “ethical hacker” now helping companies like yours. He knows how the bad guys think, what they want, the methods they use to get it and – crucially – the best ways to stop them.

Hi Jason. How does one become a hacker?

I’ve always had a very in-depth curiosity of technology, but also to break technology. My parents would buy me a remote control car for Christmas and within three hours, the remote would be in pieces and I’d be trying to make it faster or do things it wasn’t designed for. That’s how my mind has always worked.

What do your skills allow you to do?

I can go into any organisation of any size and very quickly identify any risks or potential ways that the bad guys can gain access. People think the hackers out there have immense sets of skills. That’s not true. Some of them are very articulate and extremely smart, but what they actually do is look at an organisation and look at the relationship between the technology, people and process and expose weaknesses in those three areas. I call it ‘situational awareness’. The problem we have today is most organisations think they’re secure. They may be. But unless they look at the risks holistically across technology, people and process, that’s where they fundamentally break down. The bad guys have the ability to look at the situational awareness and from there they can expose and compromise them through their weaknesses.

Just how difficult is it for a hacker to gain access to a company’s data?

Every breach we see today is mainly around confidentiality, such as gaining access to confidential information of an organisation. An example would be compromising someone’s password, gaining access and downloading information. So, the confidentiality has been compromised.

We’re in the connected world, so things are being connected to the organisation and to your home and that absolutely includes AV equipment. By things being connected to the network there’s a potential door for a bad guy to gain access to and control the wider business.

Has this made it easier?

Absolutely. If I go back 20 years when I was doing this stuff, it would take me four or five weeks to gain access to an organisation. Now it would take me minutes or seconds to do because an organisation’s footprint is so much bigger. It’s on premises, it’s in the cloud – it’s everywhere.

Talk me through the process. You’ve identified me and AVTE as a target, what now?

For me, I’d start with doing a bit of digging on you. It would be very simple. I have your email address already and if I didn’t, I’d be able to find it or work it out quickly. I know who you work for, so I’d be able to find some form of digital footprint online. Very quickly I’d be able to automate that (looking at other sites such as Facebook and Twitter) and find out your hobbies and interests plus potentially some family linkage as well.

Everyone’s password is unique and almost always has a meaning to them. So the probability is your password is linked to a family name, an interest or a hobby. That would be my starting point.

Once in, the second step I’d take is to quickly map your email address to any other associations online you use it for. Accounts such as Twitter, Facebook, LinkedIn, Google and all the usual suspects. I can quickly establish the relationship between your email addresses and your online accounts. From there, I can create a profile of you as an individual and look at your business associations and your business life. We call that cross-pollination. From there I have enough information to start conducting direct attacks against you without you even knowing.

For example?

Now I have some understanding of your life, I could send you an email from a fake account, which you would believe has come from a family member or someone you work with and trust. It could ask you to check something via a familiar link, which you have no reason to doubt is genuine. That link would take you to a site you use, and you would willingly enter your email (which I already have) and your password. You’ll get either a failure message or a redirection to the real site itself. You might just think you entered the details incorrectly the first time because, after I’ve captured your details, I can send you to the actual website the second time around. Unbeknown to you, I’ve been the man in the middle and I’ve captured your information. Now I can start taking control of your life. I just need to profile you, get some information, which I can then use to conduct account takeovers and use your identity to do other forms of attack.

Over a gradual period of time, I could take control of your life, but more importantly, I’d go for your business and use it as a proxy to go after other employees or family members that may have a higher net worth or a bigger profile. It’s a daisy chain. Using the data to continually attack. You can do this against any organisation, no matter how big or how small.

You make it sound easy.

It can be. You have a physical device and for me, getting access to that physical device is very hard. However, I’m certain your laptop has relationships with services in the cloud, whether that’s Google Drive, Hotmail and so on. So with that, the risk exposure of your laptop has opened up. Twenty years ago, I’d have needed access to your machine. To get access to your username and password as a bad guy can be very easy. Ninety per cent of it starts with identifying a username and password.

So, what’s the alternative?

There are ways of preventing this. The world is reliant on passwords. If we remove the need for a password, we remove 80-90 per cent of every breach that occurs. Every major breach starts with the compromise of a username and password, so why not eradicate passwords and replace them with one-time passwords? In the event of a bad guy capturing a password that he or she believes you’re using, it immediately becomes invalid. This technology exists. People sometimes portray security as a black art. It’s really not. It should be at the forefront of every individual. It doesn’t need to be complicated.

How should a company assess their security?

As an organisation, regardless of size, you need to ask yourself “if a breach was to occur, what data would give you the biggest pains?” The bad guys want data. So as an organisation, you need to look at the different types of data you have.

Secondly, where is that data? Is it on your phone? Is it in the cloud, in a server?

Thirdly you need to look at people. Who’s accessing that data? By doing that you’re creating a very high-level risk assessment.

You cannot apply security or mitigate risk unless you have clear visibility of those three different pots. When you have that visibility, you can start drawing maps, linking them together. This is what the bad guy does. Once you’ve done those very simple process maps, you have to ask what type of risk you’re trying to mitigate. Is it a confidentiality risk? Is it availability or integrity? That’s as complicated as security gets. How can you be secure if you don’t understand what it is that you’re trying to prevent?

Is there such a thing as a typical target?

People have this belief they’re of no value to a bad guy. That’s a total misconception. A lot of the time, there are high profile targets, but a bad guy will attack anyone. They might do it for self-gratification; they don’t always do it for money. They do it just because they can.

What people don’t realise is that, for many attacks, a person’s data is potentially already out there in the wild. So those usernames and passwords have already been captured and are being monetised and exchanged. So all I have to do is take these email addresses and passwords and find out what other relationships that person has with other online services. As we know, your password is very common and almost certainly used across most of your other accounts. You may change the number at the end or add a capital letter here and there, but that’s easily discovered.

Specifically for AV, what are the biggest threats or risks we should be aware of?

As mentioned before, every piece of equipment that’s connected to a network is a potential doorway for a hacker. Anyone who has a digital display, does video conferencing, or uses microphones and speakers is potentially at risk.

Think about all the information displayed on an interactive whiteboard? Your entire business strategy might have been outlined, containing highly confidential information. That whiteboard is recording everything electronically and storing it on a computer and that computer is backing it up to the cloud. If I was a bad guy and could access that information, the ramifications could be enormous.

What about a lawyer or a legal counsel using forms of AV technology, such as conference calling? What if I could find that conference calling system online and listen in to the calls without them even knowing?

The change and transformation that AV brings is fantastic, but it’s all a potential proxy for the bad guys to get into an organisation.

What would your final advice be?

If you’re putting in new AV equipment, don’t connect it directly into your network. Create a separate network or VLAN that is firewalled off. So in the event that it is compromised, it doesn’t allow the bad guy to go straight into the normal network of the business. Creating an element of segregation is very important.

Secondly, if the AV device needs to connect to the outside world, make sure that any default passwords are disabled and, more importantly, ensure that multi-factor protection is enabled.

Thirdly, make sure that you know who, when, why and where they’re accessing your AV. And finally, make sure that the appropriate security controls, such as encryption and key management, are applied to any data that is being created by a device.

BIO: Jason Hart is CTO, Data Protection at Gemalto, a world leader in digital security. He is a former ethical hacker who has at one time worked with many of the FTSE 100 companies to test their defences and point out their vulnerabilities.

You can find out more about Jason, including videos on how simple it can be to access unauthorised information by visiting: www.jasonhart.co.uk