Cyber Security Wake-up Call - Quis custodiet ipsos custodes?

I’m a person who has had a keen interest in trying to stay across developments in Cyber Security, but a recent Symposium at Sydney’s Luna Park has been an eye opener on many fronts.

Personally I’ve always struggled with the concept of White and Black Hat hackers. What makes a person decide to take which path? As I scanned the audience of 350+, I wondered which of these participants were here ‘scouting’ but actually playing for the other side.

You know that you can’t really tell – unfortunately the bad guys don’t wear a ‘hat’ that gives them away. So who watches the watchmen?

How to get into the Black Hat Mindset

The nagging question for me has been: is this about fundamental integrity and honesty? Or is it just a lack of career options that then leads to this choice? Another, more cynical side of me wonders if it is just the fact that Black Hat hackers are much more skilled at hacking.

For answers, I was privileged to hear Brian Krebs, a past writer for the Washington Post, who has engaged with Black Hat hackers to write his book, SPAM Nation. The book is a New York Times Best Seller, and Brian is a fascinating storyteller who was able to connect with ‘friendly’ Black Hats and also some others who were not so friendly.

In understanding the mindset of a Black Hat hacker, Brian explained how, in some countries, the ingredients add up: Maths + Science + Technology - Job prospects = a breeding ground for recruits.

This is especially the case in Russia and Ukraine, where there are also no legal deterrents to this activity. (Perhaps I was correct about lack of career options being a factor!)

Brian noted that the average 20-year-old Russian will get into this profession gradually, and on a part-time basis. They are selling what is essentially software as a service – albeit a Bot service or a DDoS capability.

Australia’s Cyber capability weakness

Here in Australia, we don’t have a great standard of Maths and Science compared to global leaders. Hence I do worry that our local White Hat hackers are less skilled and indeed outgunned by others who speak a different native language but use the same TCP/IP protocol.

Let’s remember though that one of the most famous hackers in the world comes from Australia. Julian Assange also studied Maths, Science and programming and started off as an ethical ‘White’ Hat hacker, then went rogue and later pleaded guilty to 25 charges. Assange was also a good guy, acting as an Advisor to the Government and generally providing advice on computer security. Then he founded WikiLeaks, and it is debatable what colour hat he wore.

The wake-up call is that it’s just a ‘hat’, and perhaps it is more ‘Gray’ than either Black or White. To me the bigger issue is that the so-called White Hat guys are given access to test your systems for vulnerabilities – so how do you know if you can really trust someone?

Yes, we have to trust our guards, but who then guards them?

Cookie Crumbs

From what I see, it is not fair to say that the Black Hat guys are smarter and hence gravitate to this field. They are also human and make the same mistakes that you and I make.

Brian Krebs discussed how he followed crumbs to gather evidence, and this required extreme patience. In many ways it emulates the same technique that Black Hat operatives use: monitor and look for vulnerabilities, sometimes waiting for 9 to 12 months before acting on them.

In the same fashion, Brian explained how he pursued comprehensive analysis and followed trails. The same weakness that hackers exploit, the ‘human’ element, is also what he looks for.

Some examples were reusing a personal email address for business, having the same password on chat rooms as on email, or even reusing a pseudonym. These are all behaviours that in the corporate world lead to vulnerabilities, and it just proves that it is more about ‘people’, not the technology, as the most critical factor.

Brian shared that he has waited for the moments when hackers hacked each other, leading to them bringing down the hacker forums. At that moment he would then grab all the unprotected details of these databases. This provided access to their personal photos, which are brazenly shared. It is interesting to note that Black Hat guys also use tools that you and I utilize, such as Skype, and not some secret encrypted service.

Hackers Hack each other

I’ve never thought that hackers hack each other for fun. My belief was that this was just for money and ransom. I was not aware of the degree of ego involved in this ecosystem; hackers, when they are not targeting enterprises, are taking pot shots at each other. There is real competition between these parties, and getting an advantage over someone else clearly has monetary reward as well. At the end of the day, most hackers are also ‘gamers’ and this is part of their psyche.

That was another huge wake-up call moment for me, and I started to worry about the background of the White Hat guys that I might engage. Then consider: are they really low profile, with no enemies?

Social Engineering Attacks

My hair also stood up with another discussion, and that was how hackers use LinkedIn to scout and gather further information on you. As an avid user of that channel, it makes you more wary of those unsolicited requests that we receive.

In the case study, once a hacker knows more about you, they can provide what looks like an innocent connection for an app. However, what is lurking is a malware-injected app that is able to essentially take over your smartphone – to read your calendar and email, and even record your conversations.

Yes, we do carry that phone everywhere, don’t we...

This takes social engineering beyond what I imagined, which was just the help desk and customer service being points of concern. In this regard, yes, the bad guys are much smarter than we are and can take advantage of our people, process and technology weaknesses.

Smelling salts

Now I realise that I know much less than I thought. It is a poignant moment to reflect on how very advanced the hackers are. This is their living, and it is only when you take on their persona and approach, much as pros like Brian Krebs have, that you have a fighting chance.

Alternatively, you have to hire a CISO and security staff who perhaps are much closer to that edge than you thought. But then how do you know that they are really White and have not, like our friend Julian Assange, been all the various shades?

Then we have to watch these watchmen as they hack each other through various tactics, and work out whether they are still White Hat.

It’s a sobering wake-up call.
