Hacking Made Easy
I am honoured to have been invited back to present at the prestigious e-Crime Congress to be held in London, March this year. However it caused a flash-back to the last occasion I presented at Congress in 2009, when things seemed to be very different.
It was around that time when I, and a small number of other security professionals, were predicting darker things to come. But for some reason, at ‘that’ time, I, and other likeminded professionals, suffered rejection, objection and isolation regarding such predictions, attracting push back ranging from Senior Security Managers through to CISOs, all of whom were of the opinion that e-Crime was actually decreasing!
I also recall a very lonely moment when presenting in 2009 at Loughborough University, when a very well respected delegate from Cambridge University vocally disagreed with my opinion, insisting that e-Crime was actually in decline. However, what I feel had been lost in translation circa 2009 was that smart evasions had been interpreted as decline, when in fact it was actually the new era of discreet Cyber Crime.
As a documented reminder of my own 2009 assessment of that period, some extracts from my postscript of the e-Crime Congress 2009 Report:
‘Post analysis of the recent e-Crime survey statistics, a number of factors jump from the findings. First of all, notwithstanding the ‘perception’ that e-Crime is actually in the decline, the reverse seems to be the case.’
‘Time will only tell just how bad the state of e-Crime, and related matters stand, but one thing is for sure. It would certainly seem to be the only growing industry of the current day.’
Again, shock and horror resounded, but funnily enough, approximately twelve months later, those who had been in denial were starting to develop their own ‘original’ opinions.
So we are where we are, and whilst I am certain there will still be some who consider e-Crime to be in decline, they may need to catch up on the new landscape of threats. Hacktivism, Organised Crime, CyberConflict, CyberWar, and this is not to add into the pile the elements of the Security Industry who just can’t keep their own powder dry!
And then by chance I was chatting with a very good friend of mine who had met with members of a well-known, well established group of active hackers. And given this prime opportunity, they were asked about their super-high levels of skill, and techno-savvy capabilities. However, their response took the interviewer aback, when they said ‘it’s not that we are that highly skilled, it’s just that so many systems and applications are left insecure, unpatched, and are simply badly managed’ – so me thinks, time to do a little testing for myself.
Only looking at web-facing, publicly accessible information, I selected five sites that were either providing ‘Security Applications’ to the public, or sites that were providing ‘Best Practice’ security advice – the findings were astonishing, with one well-known Security Agency bleeding from a wound of data leakage like there was no tomorrow. Another big-name attendee at RSA 2011 suffered the same exposure, revealing what would represent low hanging fruit for further exploitation by any passing hacker – they have, however, been informed, and I expect they are working on corrective action as I type – but nevertheless such discoveries on sites of this profile are absolutely unacceptable.
And then the discovery of a vulnerability that holds the potential to serve up a mirrored ‘Security’ application to the public, but with the added feature of a Trojan to leverage compromise of any online experience of the intended victim(s) – and weeks later, that reported exposure is still in the same state as it was at time of discovery! But given time spent on testing was less than 2 hours, my hit rate of locating security exposures in my sample was 60%.
So, this Friday being the evening of the White Hat Ball, it may be a good time between back-slapping, to ask the question ‘just how can we do better?’ for in my humble opinion, from my vantage point, we can’t afford to do any worse – Cheers, to one-and-all, enjoy that hangover, as I feel it will last a jot longer than 24 hours!
And to close on some breaking news – apparently, MPs now consider the threat from Cyber Crime to be so significant that it requires some form of Public Education to raise awareness among the public – so I guess, based on this, it’s official: Cyber Crime is a threat. However, if the MPs care to check back to 2007, they will find a House of Lords Report on Internet Security, where I made these very recommendations!
Posted 02/02/2012 by John Walker
Tagged under: e-Crime, cyber crime