Season 1 Episode 1: Cyber security – how safe are you?
Bastien: Cyber attacks are the biggest threat to the business world we’re facing today. That’s more than terrorism, natural disasters, more than anything else. We’re talking about a trillion dollars. So how do we protect ourselves? How do we make ourselves feel safe? My name is Bastien Treptel, Founder of CTRL Group and the reason I founded this company is I have a bit of a nefarious past. I would call myself a reformed black hat. A black hat is someone who uses technology, hacking or cracking to basically gain information or steal money or advantage by means of the internet. When I was a little fourteen-year-old kid I had a passion for computers, and I became fascinated with coding, the internet, chat boards, and forums – you name it and I was into it.
I found it just amazing that banks back at the time would just connect up to the internet without thinking too much what risk that posed. What I did with that information was I stole credit card numbers: the numbers, PINs, expiration dates. I built up a massive list of these things. I literally had hundreds of thousands, if not millions of dollars worth of credit cards at my disposal. What did I do with this? I ordered pizza, probably about once a week. About three years after my decent little credit card collection, one day I got a fairly loud and scary knock on the door. My mother answered the door (and to be fair with you the police knocking on my door wasn’t that rare an occurrence) but this was the federal police and it was the first time they’d knocked on our door. I’d made a simple mistake and left an IP address somewhere and they busted me. Luckily with the criminal acts that I perpetrated back in the day, it was prior to the Patriot Act and other laws that have come in place. So if I did those same crimes now I would probably be, even as a minor, looking at some jail time.
Years later I saw a family friend who had a successful business that had run for over fifteen years. It got taken down by a cyber attack, the criminals had infiltrated their systems and transferred all of the money out of their bank accounts. These guys had done all the right things, they had insurance, savings, and they’d done everything correctly. Unfortunately by the time the insurance kicked in they couldn’t afford to run their business and pay their debtors, they couldn’t pay their staff wages and the business went under. I spent a bit of time talking to the family friend and understood how they got in, and it was just so easy to prevent. It was so simple to take a few steps that would’ve stopped all this from happening. That’s when I took the black hat off and started really thinking to myself about how we could stop this from happening.
It’s important to remember now that hackers have evolved. Back when I was wearing the black hat, all that people were interested in was defacing websites. You’d get kudos from your peers for changing a photo or you’d get some prowess for stealing credit card numbers. Now we’re seeing that cybercrime is the largest source of income for criminal organisations globally. That means that they’re running proper businesses. We’re seeing companies in the Philippines or in Russia that have multiple employees who have sick leave, HR managers, and we’re just seeing this go up to the point where you really just can’t not take cybersecurity seriously anymore. You can’t be that age old Australian saying “she’ll be alright, mate.” Australia is a massive target because of that attitude. Gone are the days when you can just install some antivirus, put a firewall in place and think you’ll be fine. If you have that attitude you’re on the way to fines from the government for not taking other people’s data seriously, and you’re on your way to grief because we see in the threat intelligence world just how much cybercrime is going up everyday.
For years we’ve been paid by organisations to hack into them and show how we’re breaking into them. It wasn’t really explaining to the business what the risk was, and it wasn’t showing the top of the business, the board and directors what that actual risk was. So we created this methodology that very simply stripped it all back. Even without having to hack into an organisation, we stripped it back and said what is it about your business that makes you profitable or drives you, basically what leads you to continue existing? Is it data, function, or assets? Then we could very easily show the board of directors on a dashboard what would happen if they were hacked across multiple different channels from confidentiality, availability, and integrity.
We created this methodology, we had these dashboards and a way of communicating to the board level of what we did, how we did it, and how to protect them. Then we thought how do we get this out to the world? We looked up a whole heap of different industries and we stumbled across insurance. Now AON Insurance is one of the largest brokers in the world and we wondered what would be the odds of a big organisation like that actually talking to us. We trundled through the doors of AON and lo and behold Fergus Brooks was actually interviewing security companies all around Australia, just dumb luck.
We were the last people to see Fergus for the day and he had had a long day, you could see he was a bit tired. At the time he said, “Bastien, you’ve got five minutes. Your time is important, my time is important.” So here we are explaining, a little nervously, to Fergus about our new methodology. He cut us off and I thought that was it. Instead he cut us off saying that this is exactly what we need, this is the only company in Australia talking your language, this top down data-driven approach to risk and also a way to solve it. With that I’m going to pass over to Fergus Brooks, you’ve got over twenty years of experience in the cybersecurity industry. We’re very grateful to the person who linked us to AON in the first place.
Fergus: Thank you, Bastien. AON is one of the largest brokers of cyber insurance, and that’s why they employed me as an IT security consultant with over twenty years of IT security experience, which makes me a sort of veteran in the field. No one who was with me in IT security twenty plus years ago thought that there would be a career or an industry or that we would be sitting here having this discussion now. Obviously the advent of the internet has created with it so many different security vulnerabilities and security flaws and so many different methodologies.
Cyber insurance is the fastest growing area of insurance at the moment. That’s simply because, as we discussed throughout the series, organisations continue to be breached and defences are imperfect. We’ve probably adopted technology faster than we’ve learned to defend it. That’s one of the key issues that leads to people needing insurance. On the day in question, yes you [CTRL Group] were the last company that I saw to discuss various different methodologies of how we quantify cyber risk. What is it going to cost an organisation if we have a data breach? It’s very easy with a company who’s looking for insurance for their building, if we have a fire it’s going to be the cost of replacing the building and the clean up of the mess etc, so that’s easy to quantify. But how do you quantify the actual loss of an organisation’s data and definitely of the personally identifiable information of customers, it’s very difficult to quantify.
We were looking at ways of actually assessing the risks of particular organisations. AON wasn’t skilled up for that so we were looking at technology partners to come in and look at the customers and see what’s going on. Now I’d heard methodologies that were all pretty similar: they’ll do a certain amount of testing, they’ll come in and do data classification exercises, and that’s all well and good as it’s stuff I’ve been doing for twenty plus years. The CTRL Group approach was different, Bastien ran through their data-centric approach where they said: let’s stop talking about all the toys and the toy box that we can stick in and around the data, and let’s stop talking about how many products and services that we can throw at something. How about we just talk about the data itself. What is the value of the data? Who’s it valuable to? And then think about how we should protect, classify it, and how we can move forward. This is what I’d been waiting to hear from every single one of the ten or so meetings that I’d had with various technology companies and it was a breath of fresh air.
Bastien: Thank you Fergus, I appreciate that. That’s what we’re going to cover off in this podcast, so not only for individuals and businesses but we’re going to strip away why a hacker would want to hack an individual and a business, what they’re trying to extrapolate, and what they’re trying to achieve. Then when we know what they are after and we know what they want, what are we going to do to stop this from happening? To also create visibility for you guys and also to explain how we actually stop these things. We also have some fun examples of some real breaches and hacks that we’ve seen in recent times and how those organisations coped with it and how they could have potentially coped with it a bit better.
One of the things that we see a lot of is that people don’t take cybersecurity very seriously themselves. Their bosses are telling them things like “don’t click on links.” But if you try and think to yourself about this scenario: you’ve gone and stolen $200,000 from an organisation. Rack your brain and think how you would move that money around. If you move it to a bank account that has anything to do with you as the criminal or linked back to you, the federal police are going to be knocking on your door pretty quickly. So what these criminal organisations need is a book of identities that they can use to open bank accounts with and that they can use to then transfer money from bank accounts to cryptocurrencies. They can use them as fake IDs to get phone numbers, get internet connections, to buy cars with. These businesses that are run have logistics problems just like any other businesses. They need loans, cars, bank accounts, phone numbers. So quite often when people say to me that they’re taking it seriously at work, and ask if it is a risk for them personally, hell yeah it is! Because when you put your black hat on you need a person to take the fall.
Fergus: We’ve seen a lot about this, the whole concept of identity theft. You don’t want to be tracked back to yourself so it’s better if you use someone else’s identity in order to perpetrate any kind of crime – that goes back as old as history. Again, a weak password from an individual might give someone access and you won’t even know that someone’s using your credentials in order to perpetrate something. We see this all the time in terms of people taking out loans, renting cars – which comes back to bite them, but it wasn’t even them. It was just because of poor cyber hygiene.
Just be mindful of your passwords, don’t use them across all of your accounts. It’s very easy to do, because complex passwords are annoying and you’ve got to remember them. If you’ve got different passwords across everything it’s going to be painful. If you’re using the same password across your Hotmail and Gmail account and your work accounts, then chances are if someone gets hold of that then they’ve got hold of your entire identity. It’s a scary thing, and it’s something I learned from the Ashley Madison hack several years ago. A friend of mine was working at one of the large banks. After the breach they actually had to go through and find which of their employees were an Ashley Madison user, and they had to have the uncomfortable conversation with them that they needed to change their passwords. The reason for this is because people will use the same password for remote access into a corporate network as they will use for their online banking, as they will use for their Ashley Madison account.
Bastien: Just for everyone, the Ashley Madison breach was an adult website that allowed people to find like-minded married people looking for some extracurricular activities. The database was actually quite large with millions of records. A well to do vigilante decided that it was not a good thing for people to have and leaked the records out everywhere, and quite a few big names fell on that one. The first thing that we saw when we were looking at all the threat intelligence from this was people downloading that list and buying access to those passwords.
To give an idea of just how easy it is to hack these days, an example being: we set up a little lunch box with a few solar panels on it and we set it up outside of McDonald’s. This was a couple of years ago now, before they introduced hyper strict transfer protocols. Essentially this little box was a wifi unit that allowed people to connect to it, and it was called “McDonald’s Free WiFi.” You’d be amazed at the kids that were just transferring small amounts of money to pay for their double cheeseburgers. We managed to get something in the order of two thousand account details and netbank log on details through many of the big banks. That information would allow us to manipulate all sorts of information about the individual, and obviously take money out of their bank accounts. It is still very easy to do and it’s quite scary.
Another example was from a business point of view, we often tell businesses that if you ever connect to an open network and you don’t delete that open network from your phone, you’re a sitting duck. As soon as you join an open network, every seven seconds when you’re not connected to a wifi network your phone sends out an information packet that says “this is every network I’ve ever connected to, are you out there.” Our device responds and says yes we are out there, your phone then connects to our evil access point and we watch every piece of information flowing in and out.
There’s some grey area even in the legislation at the moment. Does it constitute a breach of information if your phone goes through a man-in-the-middle attack? A man-in-the-middle attack is connecting to our evil access point and we’re getting information possibly whilst you’re using your company intranet or even pulling your contacts out of the phone – does that mean you need to then go and notify the privacy commissioner, and if you fail to do so are you then in a short line to get a $2.1 million fine or $410,000 fine per director? There are so many things that businesses just aren’t aware of and something as innocent as connecting at the airport puts you at a huge risk. Fergus, from your expertise in the industry, is that actually a breach? Would you be calling up the privacy commissioner and advising them of a breach?
Fergus: Depends whether or not you’ve lost any information, and that’s a really good question. When the mandatory data breach legislation, or the amendment to the privacy legislation, came out in February 2018 it talked about how you needed to notify people if you believe that they’ve been put to serious harm, that’s the main context.
Now anyone who’s from the legal profession and a lot of skeptics will ask what does serious harm mean. So you have to be notified if you think there’s been serious harm. There’s been a lot of discussion about this but what we haven’t seen is it being tested in the courts as of yet. It’s only going to be set by precedent. Serious harm in my mind (and I’ve been doing this for a long time) would mean credit cards, health records, anything that can cause harm to an individual whose records you’ve lost. However, does that include tax file numbers? There’s a very grey area here, so if you’ve lost a bunch of tax file numbers does that mean you’ve caused serious harm to individuals? Medicare numbers and these kinds of things are very much a grey area at the moment.
Bastien: I agree, if you look at it from my point of view on what serious harm is, once we connect say a phone to valuable gateways basically we can get people’s home addresses, their phone numbers etc. As you know we’ve got a hundred percent breach record, and what that means for an organisation is that every company that’s ever paid us to hack them (and I have to stress that they pay us to do this legally) we get into them. We very rarely hack the front door, which is the firewall. We are usually identifying humans in high level positions, we are pulling information from LinkedIn, Facebook, from any other sources we can get. We’re building profiles up and then we’re essentially attacking that human. The reason why we have a hundred percent breach rate is we mix that information with technical ability to get done what we need to get done, and that’s either get data, move money, deface websites – whatever they perceive as a big risk to their business. It’s terrifying that we still have a hundred percent success rate. It’s not really the firewalls or those three dimensional effects like we see in Hollywood, it’s really just hacking the person with a bit of mixed technology.
Fergus: We’re also starting to see now with things like Mr Robot a slightly more accurate representation of what really goes on in the IT security world. But certainly some of the things that I’ve seen with these 3D walkthrough models of data and this kind of stuff is pretty funny. The thing is that risk is not funny and it’s not going away, it’s actually becoming worse. If we go back twenty odd years to the start of the internet then what we saw was that the early hackers were simply just looking for attention and they wanted people to know. If you watch something like WarGames, which is pretty funny, back in the modem days people were hacking purely because they could. They wanted to see where they could break in and if they could change a website.
Bastien: They were kids with a spray can on the internet essentially.
Fergus: But what we’re seeing now, and this is really disturbing, is that in Verizon’s 2018 data breach investigation report they took 987 breaches that they investigated forensically with criminal investigations and other stuff. The statistic that came out of this that was really concerning was that for the first time more than fifty percent of the things that they investigated turned out to be organised crime related. At the moment we’ve got organised criminals on the rise, violent crime is decreasing (you’re less likely to get a gun stuck in your face) but there will be teams of people with computers who are coming after your money who are looking to potentially extort you and steal your identity. That’s what’s happening real time at the moment and it’s on the rise.
Bastien: One of the fun things that we get to do at CTRL Group is actually listen to these attacks. We’ve got credit cards with very small amounts of money and follow them down the rabbit hole. One of the even more fun things to do is screwing these people over after we find out what the new attacks are. There are heaps of people doing this on YouTube if you want to check it out. We actually have auto dialers at work and once these guys call up from their service desk we can hit them with close to 1500 calls a second and block out their lines, which is pretty fun. We can also record them when they do pick up the lines and they get very frustrated. There are some pretty decent attempts and business attempts to defraud people and no one should be transferring money around without voice verification. It’s scary to see how often that happens.
Fergus: It’s happening all the time, I’ve heard some figures on nationally how much money is getting lost in this respect. I get this a lot of the time, certainly when I was working in the insurance industry, customers saying to me that they’re too small for anyone to pay attention, “we don’t have much.” They say that surely people are going after the big banks – that’s just simply not true. Any size company is potentially a target. Why would you go after a bank that has the best firewalls and best endpoint security and all that kind of stuff, when you could go after a smaller company that’s not expecting it? I think small business owners need to be very aware that they’re just as much a target of organised criminals as anyone else. Another thing I get from companies all the time is that they say they have everything in the cloud, or that they’re moving everything to the cloud, and therefore they think they are secure. No.
Bastien: All the organisations that are out there that believe they’ve moved everything to the cloud and it’s nice and safe, well we can use something as simple as voice or email fraud, or even go in on site. You’d be hugely surprised how many places you can access with a high vis jacket or a ladder over your shoulder, even just confidently walking through the backdoor. Smokers are notorious for being friendly people, they love their kin and if you happen to be smoking they’ll let you in the backdoor of basically anywhere. Then we use a simple device: we often get usernames and passwords using a device called a keylogger. We’ll wander in on site and find a keyboard with no one sitting in front of it, unplug the keyboard and plug the keylogger in. What it does is that every stroke you tap on that keyboard is being sent wirelessly to us, either by wifi while we’re sitting in a van outside, or to an IP address on the internet. That works whether the computer is locked or on, we can see what you’re typing in an email, when you log in with your username and password, we can even see your two factor authentication if you type that in. Then we can do a side-loading attack to gain access. Having things in the cloud, once we’ve got your username and password, means that all the information is ours and we don’t have to be on your premises to get to it.
A very large builder fell for that attack, we managed to gain access to their systems and then to the financial controller’s system. We did a very simple ABA file attack, and an ABA file is what businesses use to upload hundreds if not thousands of payments to the bank and we intercept that ABA file and change it to our bank account details. The total still adds up and everything looks fine, so the first you know about it is when your clients who expect to have been paid haven’t been, which could take weeks if not months. By that time the money is well and truly somewhere in a crypto wallet or in an evil entity’s bank account.
The other important point to touch on is that hackers tend to be lazy. We don’t really want to go to work so we’re happy to sit in front of our computer. Some of the ways that organisations can help themselves is to make sure that your organisation isn’t that super easy low-hanging fruit. By that I mean simple things: if you’ve got public infrastructure then make sure at least your internet infrastructure is patched so that when they do a big scan on 50,000 IP addresses your IP isn’t going to come out on a database and show the vulnerability that can be used. Quite often hackers will look at these things and consider that if the organisation has all these vulnerabilities on their public facing infrastructure, chances are that internal is going to be even worse. So get yourself off that list.
Just an important bit of advice as well is that if you do happen to have this happen to you, get in touch with a professional. I know that in our organisation we store the keys. Every time we see a new variant of CryptoLocker, WannaCry, Petya or whatever it may be, we actually go through and help organisations and if they pay for the key then we store that key. Quite often when these guys are downloading this software from wherever they’ve bought it from (usually the dark web) they’ll be cycling through keys. Some of them only have about ten keys, so once you’ve captured all those keys come and talk to someone like us or a professional organisation that deals with this stuff everyday and we’ll try those keys. Sometimes we get lucky and you don’t have to pay anything and you can decrypt your files.
Obviously you want to be in a position where your backups can recover you quickly back to business as usual. There are fantastic systems out there these days that with the image based backups you essentially backup in real time. But those backups are connected, so when you get this issue those backups are going to be encrypted as well. So make sure you’ve got an offline backup that is available to get you back to business as usual as soon as possible.
Fergus: The last thing I want to add for this high level conversation we’re having at the moment is that passwords are really really important. I saw one example of social engineering recently where it was obviously a fairly weak password, or a password that was possible to be brute forced. People often ask how do you guess someone’s password? If you’ve got a young child chances are it will be a derivation of that young child, if you don’t have children it will be your pet, and as you get older it will probably be your pet again or your football club. It’s not hard and that’s social engineering at its core.
Bastien: We can give the exact formula that we use: when we go after an executive we will literally look at their close family, their kids, pets, their football clubs, the dates of birth of their children or their spouses, their own date of birth etc. People think they’ll throw an exclamation mark at the end of it. Nine times out of ten that actually condenses the alphabet down into a very manageable set of characters that a decent graphics card can crunch into however many iterations and get into an account pretty quickly.
Fergus: I think you successfully scared the living daylights out of everyone, Bastien.