Thursday, April 12, 2012

Written Speech: TEDxMaui -- Hack Yourself First


Earlier this year I was fortunate enough to give a presentation at TEDxMaui. Previously I discussed what getting the opportunity was like and the overall experience of being on stage -- nothing short of amazing -- life changing. While the Hack Yourself First video recording was recently posted, no amount of preparation would allow me to really say everything that I wanted to and in the order necessary. Everything I really wanted to say, in the written version...

-----

Every day, every day the life-blood of our nation, the fuel of our economic prosperity, is being sucked away, invisibly and without our knowledge. Every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers. Hackers, who are located both domestically and abroad, are getting away with data by the terabyte daily and are profiting in the billions annually. 


And do you know why?

Because hacking is easy. Because hacking works.

I know this because I am a hacker – no, not THAT kind. My kind is like the Jedi as opposed to the Sith. You know, there are the good guys and there is also the dark side. In the world of hacking it’s no different.

More than being a hacker, I teach other people how to hack. In fact, I teach a lot of people how to hack -- all sorts of ways to hack into banks, retail websites, social networks, government systems, … into computers just like yours and your online accounts. I teach people how this can be done from anywhere across the Internet. 

I’ve been invited to teach these skills, publicly, for the past decade -- to businesses, to government agencies, to university students, and industry groups, across six continents. I share stories about precisely how everyday people, just like you, and businesses, just like those you own or work for, governments too, have been hacked into, often and with ease.

I bet many of you are wondering why this is a good thing, teaching people how to hack. I know hacking is often stereotyped with illegal or nefarious activity. I also know that teaching people how to hack, building up our cyber-offense skills, and focusing these skills inward at ourselves, are critical to our national security and to helping ensure the economic well-being of us all.

I call this approach, Hack Yourself First, a concept that can, and must, be used as a means to defend ourselves.

I feel so strongly about this that I built a company, WhiteHat Security, around this idea. At WhiteHat, we get paid by companies, who do business online, to hack into them and explain how we did so. And they pay us a lot of money to do this work. On the average website, our team can identify one or more security gaps, usually in under 20 minutes.

In under 20 minutes we’re able to locate digital doorways to take over some or all of their systems, steal whatever sensitive data they have, access their customers’ accounts, or steal data they have on the system -- all the things that could have made headlines like those you’ve probably seen a lot of in recent years. This is actually what they are doing right now back at headquarters. This is the work we do every day.

And let me make something else perfectly clear. These are systems owned by the largest and most well known organizations in the world. You know them. You do business with them.

These companies pay us to hack them because they know, as we know, that anything and everything connected to the Internet will endure some type of cyber-attack, likely several a day. They want to avoid being another headline, another cyber-crime victim. They want to know what the bad guys know, or eventually will, so overlooked problems in their security can be fixed. And all this, so you can remain confident in doing business with them. 

So, Internet security can be thought of as a race between the bad guys who find and exploit security weaknesses, we call them vulnerabilities, and the good guys who find and fix them. Unfortunately, no one is quite sure which group has more people. It would not surprise me if the good guys are outnumbered when it comes to Internet security, as anyone with an Internet connection can become a malicious hacker these days, and earn money doing it.

What you might find interesting is that many hacking techniques are not sophisticated. There are tricks that really anyone can do. In fact, I’d like to teach one of our tricks right now.

*REDACTED* Watch the video! ;)

See, I’ve now taught the people at TED how to hack. Keep an eye on the people sitting next to you. They’re hackers now!

I’ve also shown methods to steal or reset someone’s passwords, monitor their email, snap pictures of them with their computer’s built-in webcam without their knowledge, siphon money out of their bank account, find out what websites they visit, make it look like they downloaded child pornography, and the list goes on. Doing any of this requires only slightly more sophistication than what I just described in many cases. If I had an hour, instead of 15 minutes, I could teach you how these things are also done.

I should mention that firewalls and anti-virus software don’t provide any sort of real protection against any of this. It’s kind of like wearing sunglasses and expecting not to get a sunburn. They’re better than nothing, but far from solving all your problems.

We all have a vested interest in the Internet and its future. 

A few years ago I recognized that the bulk of not only my professional life, but my personal life as well, was spent in front of a computer. 

One day I wanted to get out and do something else, anything else, for a few hours as long as it wasn’t in front of a computer screen or on a cell phone, which is nothing more than a tiny computer these days. I considered watching TV or a movie, listening to or learning music, reading a book, writing a book, researching something new, buying something nice for my wife, etc.

The trouble was that these things are typically done on a computer these days. I had to try really hard to think of things that have nothing to do with a computer – something that gets increasingly difficult each year with technological advancement.

It occurred to me that the vast majority of my life, and the lives of those around me, are completely tied to pervasive computer use – and an Internet connection. That’s when it really hit me that my work on Internet security is important to just about everyone. Look around at how many of you here brought your laptops, your iPads, and smartphones, and are right now connected to the Internet. Without the Internet, many of us might not even know when and how to get to our next appointment.

By the way, are you using the public WiFi? Just curious.

The Internet has been instrumental in helping overthrow oppressive government regimes. At the same time our leaders, from the US and UK governments, are on the record having reserved the right to retaliate against cyber-attacks with military action. Bombing computers and computer hackers is part of the plan. I guess you might call this policy bombs for bits, a policy that should really concern us.

When you think about it that way, Internet security, computer security may now be more important to you than it was a moment ago. Isn’t it?

I’d bet that everyone – everyone here, everyone who will be eventually watching this video – at some point has had their computer hacked into and been infected with viruses, had one or more of their online accounts previously taken over, or at the very least knows more than one person who has. 

Does anyone here want to claim they’ve never been hacked? If so, please raise your hand, I’d like your email address and we’ll get that sorted out.

Hacking, malicious hacking, cyber-crime, has already touched all of our lives, and does so more often than we are lucky enough to be privy to. These days many experts believe you are more likely to be a victim of cyber-crime than any other crime. 

For you, most of the time getting hacked means a slow running computer, annoying pop-ups, losing some money, your personal information exposed, identity theft, and perhaps some public embarrassment. Bad, but not THAT bad.

If you are a politician, celebrity, news outlet, or a corporate executive, your position, your access, puts you at even more risk -- including those closest to you – the bad guys will hack their way closer to you, one friend or family member at a time if they have to.

For businesses and governments, who are also hacked into daily, the damage is often far more severe. Professional cyber-criminals who target them of course are after money, but they also want intellectual property, trade secrets, and military capabilities, which can be worth much more than the contents of any bank account. These things are vital to our economic well-being and national security. 

Even more revealing is who they work for and what motivates them. For this I’d like to quote Ian Bremmer, President of Eurasia Group.

“When you have hundreds of western multinational corporations that have seen industrial espionage, that’s been directly targeted at them through cyber attacks, massive unprecedented cyber attacks, that were either directly organized by the Chinese government or were known about and actively tolerated by the Chinese government on behalf of Chinese corporations -- that’s a pretty good description of a war.”

There is a reason why Chinese fighter jets and rockets look suspiciously similar to our own.

I don’t mean to single out China, they are certainly not the only ones being called out for engaging in cyber-crime and cyber-espionage. On that list is also France, Russia, Estonia, Romania, Ukraine, etc. There is no solid confirmation, but it wouldn’t surprise me if most countries in the modern world are actively engaging in cyber-offense.

Mr. Bremmer goes on to say...

“National security is no longer about tanks. National security is increasingly about economic well-being, internet security, and issues that allow us to live on a daily basis. We’re not worried today about the Soviets blowing us up with nukes, but we are worried that our kids will be able to enjoy a quality of life vaguely related to our own.”

That is exactly right! 

How can a corporation, even the largest, let alone small businesses and individuals, possibly defend themselves against such an adversary -- literally, armies of well-funded, nation-state sponsored hackers? Hackers professionally trained, with no reason to fear our laws, who are equidistant from their victims, that’s US, and operate 24 hours a day, 7 days a week, 365 days a year.

Many people in positions of power have expressed concern about the Internet being brought down. I’m more worried about what happens when it stays up. I’m worried about the long-term economic damage, the loss of our ability to innovate, the inability to take advantage of the opportunities that the Internet provides. Most of all though, I’m concerned about what happens if the majority of people, all of you, lose confidence in the system -- the security of the Internet – and either stop or limit your use of the Internet.

New laws against hacking are not going to help this problem. Conventional warfare tactics are not much good either. The perpetrators can be geographically located anywhere, are extremely difficult to identify, prove attribution for, and track down, even harder to extradite, and then finally to successfully prosecute. Not to mention that foreign governments are highly unlikely to turn over soldiers in their own hacker army.

Having said that, improving international cyber-crime law enforcement is a path necessary to pursue as part of a larger program, but we should be realistic about its limits.

People ask me all the time, what do we do? How do we secure our computers, our networks? How do we secure the Internet? The reality is that a problem as diverse and wide-reaching as cyber-crime cannot be solved by any one thing, but I’ll tell you this -- protecting the Internet requires a completely new way of thinking. I have an idea, an idea worth sharing. Hack Yourself First. An idea furthered by teaching people to hack, and in a manner of speaking, making hacking legal.

While our cyber-defense ability is severely lacking, one thing we all clearly know how to do extremely well is cyber-offense. Offense can be used to inform defense. 

Hacking a system that doesn’t belong to you, without consent of the owner, is against federal law, as it should be. The problem arises when system owners don’t provide consent, which only serves to ward off good Samaritans who would have gladly shared what they knew and helped protect their users. The bad guys, the real bad guys, do not care and are not deterred.

What most don’t realize is that any individual, business, government department and so on can actually invite hackers to test their systems lawfully, and provide a safe way to share their results. Put simply, anyone who wants to can try to hack in. I realize that for many, suggesting such an approach might appear counter-intuitive, but what it’s not is unprecedented.

Recently a few forward-looking companies started new programs and did exactly that -- openly welcoming hackers, they use the term “security researchers,” to attack their systems, and publicly crediting them for their discoveries. It’s almost like crowd-sourcing Internet security. Some are even rewarding those who point out serious security gaps with stacks of cash. The industry calls these bug bounty programs.

The companies offering these programs are far from obscure; these are some of the biggest sites, which have hundreds of millions of users, transact billions of dollars, and are some of the most visible companies on the Internet. You may have heard of a couple of them.

Google, Microsoft, PayPal, Facebook, Salesforce.com, and Mozilla. All of which have directly felt the pain of nation-state sponsored attacks and/or organized crime. They’ve committed not to sue or press charges against security researchers who find vulnerabilities in their systems and discreetly share the details with them. Collectively they’ve awarded millions of dollars to security researchers and resolved thousands of previously unknown issues, which protects us all.

These companies have stated that their programs have proved extremely cost effective, helped them identify and hire security talent, eliminated many negative PR headlines, and improved security for themselves and their customers. Huge wins for everyone. All the warnings detractors gave about why bug bounty programs were a bad idea simply failed to materialize.

Unfortunately, Internet security history is littered with counter-examples where other companies have responded hostilely to those trying to help, such as Daniel Cuthbert, Patrick Webster, and dozens of others.

This reminds me of Rule #1 of recreational hacking: 
Never ever, ever touch government or military systems. 

A rule written well before they mentioned anything about a militaristic response. Anyway, the rule reminds curious hackers that the government, should they choose to track you down, has an enormous budget of time and money to do so – far more than any company, all of whom must eventually weigh the cost-effectiveness of an investigation. What it also means is that to hackers, the Jedi, government and military systems are like the forbidden fruit.

So imagine the excitement if our government and military officials truly started to embrace “Hack Yourself First” and offered up bug bounty programs! Let me tell you, every aspiring and well-known hacker out there would jump at the chance to match their skills against the cyber-defenses of whitehouse.gov, fbi.gov, army.mil, and the thousands upon thousands of other systems. The street-cred alone would be worth it to many, but a bonus would be helping to protect their country.

There is no reason such a strategy could not be adopted by just about anyone. Doing so could end up being the most important long-term economic and national security decision.

I used to work for Yahoo. 12 years ago I hacked Yahoo Mail. More accurately I hacked into my own Yahoo Mail account, to see if I could do it. Some people have hobbies like artwork, sports, cars -- I hack. I found a way, several ways actually, to get into my inbox without needing a password. I let Yahoo know the details – promptly and privately. In return they gave me a t-shirt. I was pretty excited about that.

A dialog followed with one of the founders, which later earned me a job -- to hack everything that Yahoo had, before the “real” bad guys did, and my experience there led to a career. 

A company with a different point of view might have decided to call their lawyer, or the cops, file a lawsuit, and cost me my job, and the freedom of a 21 year old. In which case, I wouldn’t have been in front of you here today -- teaching you how to hack and the importance of Internet security.

Remember, security is optional, but so is survival. 

It has been said that if you are playing a game that you can’t afford to lose, then you must change the rules. Hack Yourself First.


3 comments:

Anonymous said...

What percentage of your clients and students are aware of the following:

1. Being that some architectures are more commonly used, exploits are created faster.

2. BSD and Linux systems allow the use of -- and creation of, if it does not exist -- the wheel group.

3. In the above systems, chmod can be used to limit access to every file and directory.

4. Securing the browser helps.

5. It makes more sense to teach someone the basics of building a house through interactive examples than to teach the same as to pitching a tent.
Or.

Why not teach people security through the building of an OS rather than a few quick tricks?

6. You had suggested people giving you their emails so that you could prove your hacking skills. If the email given to you is not theirs and you use it, does that make you guilty of unauthorized access? I don't know of many people willing to incriminate themselves.

7. Services can be disabled.

8. Jails and other chrooted environments can be created to run binaries, services, et al. If the computer is running Windows, then qemu and VirtualBox can be used as such an environment.

9. Good security does not make up for shitty code.

share said...

Great posting. Thank you for sharing.

ibukun said...

Wow. This has put a whole different perspective on computing and internet security. It makes a lot of sense too.