Edition 328 - Hacking & Cyber Threats
This time fascinating UK-based "ethical hacker" Mike Godfrey on beating cyber threats...
Across the UK, across continental North America and around the world on the internet, by webcast and by podcast, my name is Howard Hughes and this is The Unexplained.
So the middle of January in London town, recording this in the middle of a rainstorm, and I'm talking about a mini monsoon.
It's not that particularly cold, but it is grim and it's grey.
And I just want winter, for all the reasons that I know I've talked about before on this show, to go.
Thank you very much for all of your emails.
I'll do some shout-outs in a forthcoming edition of this show.
And when you get in touch, please tell me who you are, where you are, and how you use the show.
I'd love to know those things.
And you can get in touch with me by going to the website, theunexplained.tv, and you can follow the message link from there.
And by the way, if you've left a donation for the show recently, thank you so much for that.
It means an awful lot.
Thank you very much to Adam, my webmaster as ever at Creative Hotspot in Liverpool, for his continued hard work on this show.
On this edition, something very different.
I think you know that I'm very interested in all things to do with the internet.
You know, I was a bit of an early adopter with it all, and it changed my life.
It changed the way I did news.
When I was working at Capital Radio in London, I think we were the first station to make real active use of the internet in so many ways.
I just realized the potential of it from the very beginning.
And of course, the internet's allowed me to communicate with you without having to do it through a radio station or be employed by some big organization telling me what to do, which is a great thing, let me tell you, to get that kind of freedom these days.
It's not something you're going to get working for any big organization.
And of course, you have to use it responsibly, but I'm really pleased that I've got the internet as a way of communication these days.
But the internet is becoming increasingly insecure.
And there's a constant battle, and we've talked about this before on this show, between the good guys who are trying to give you functionality and trying to keep you safe online and the bad guys who are trying to steal your money and your data and your intellectual property and everything.
So I'm delighted to be able to talk with a man who runs a company at the cutting edge of all of this.
His name is Mike Godfrey.
He runs an organization called Insinia.
He is an ethical hacker.
And one of the things that they do is that they actually go into companies at their request and attempt to break into their systems and check out where the vulnerabilities are, so that they find out what the vulnerabilities are before the bad guys do.
It's fascinating work and he's a fascinating man.
So he's the guest on this show.
Like I say, thank you very much for all of your emails.
Keep them coming.
Thank you so much for your support through these dark days of winter.
So let's get to the guest now.
From the company Insinia, ethical hacker Mike Godfrey is online to The Unexplained.
Mike, thank you very much for doing this.
Yeah, no worries.
My pleasure.
Tell me a little bit about you then.
You describe yourself as an ethical hacker.
Now, I know such people exist, but I've never quite checked out or known how you define them.
So what are you?
No worries.
So yeah, obviously, as you can imagine, this is a question that we get asked quite a lot.
But really, it's exactly as it says on the tin: we're ethical hackers.
So what we do for companies is we'll look to attack companies from a remote perspective, a physical perspective, completely digitally, in all kinds of ways to simulate real-world attacks from nefarious hackers.
So we use the same tools, techniques, methodologies, operating systems, exactly the same methods that a nefarious hacker would use.
The only difference to us as ethical hackers, as opposed to nefarious hackers, is that once we've exploited a company, of course on their instruction, then rather than running away with all their money, we give it back to them and provide a full report.
Really, that's the only difference between us and seriously organised criminal gangs, definitely.
Right.
And in order to be able to do this, and you don't have to answer this question, but a lot of people who do the kind of stuff that you do have had experience on the dark side before they come over to the light side.
Have you?
I wouldn't say that I've so much got experience on the dark side.
And I actually wanted to become an ethical hacker in 2003 when I was 15.
Basically, I wrote a piece of software which was responsible for sending out millions of emails a day at the time.
And it wasn't illegal.
There was nothing nefarious about it.
But really, the term hacker has been hijacked.
So people now think it's this kind of dark and nefarious term.
When in reality, hackers have been around since the 60s and 70s, from the days of radio, from phone phreaking.
And really, hacking just means taking something out of its intended use.
I mean, that's it, really.
There's nothing to say that hacking necessarily is bad.
So for example, I've got a Canon 7D camera and we've changed the HDMI output to be an HDMI input so you can play a PlayStation on it.
That device is hacked.
That doesn't mean that we've stolen any intellectual property or we've done anything nefarious with it, but it's a hacked device.
And that really is where hacking comes from.
You're dead right.
You're reminding me now of something that goes back years to the dawn of DVDs, really, when people started getting DVD players.
You know that all DVD players are by region.
So there's Australasia, there's Europe and Africa, and the United States, which is a big region by itself.
I think there are three DVD regions.
And players that you used to buy in England, and whichever region you were in, usually the shop would only sell you one that would play DVD discs from the region that you were in, for commercial reasons.
But some players that you could get could be, and the word that was used then was hacked.
I'd forgotten that.
And if you found the right code to put into them, then you could hack the DVD player and they would play DVDs from any region.
Absolutely, yeah.
So we're talking about PAL and NTSC.
And yeah, absolutely.
Like you said, a lot of devices that we buy in England are locked to PAL and America's NTSC.
So yeah, absolutely.
That was definitely a big thing.
And also PlayStations and other devices.
PlayStations used to be chipped, so you could play copied games on them.
And yeah, I mean, that really is hacking.
So I've built a go-kart out of a lawnmower and I've built a number of hovercrafts that are propelled by leaf blowers.
100% that is hacking.
Taking something out of its intended use is hacking, absolutely.
So yeah, sadly, we're kind of under this kind of dark, nefarious layer of hacking that people understand.
But in reality, we've got no interest in doing anything illegal.
We never have done, which is why all of the people that we employ have definitely got an interest in the web and the internet and attacking stuff.
And don't get me wrong, I love what I do.
I love attacking stuff.
And I definitely love taking stuff out of its intended use and hacking stuff.
And for me, it's a real buzz.
But that doesn't necessarily mean that I want to go and break the law.
For me, it was a big thing.
My mum was actually a victim of credit card fraud when I was younger.
And she was a single parent.
And I saw her not be able to use her card in the shopping centre.
And she was absolutely distraught.
And from then, not that I had any kind of inclination to do anything illegal anyway, but that really hit home to me.
That a lot of people, for example, online in the hacking community and the nefarious hacking community are what's known as carders.
So they carry out a lot of credit card fraud, which is actually surprisingly difficult.
People think it's easy, but it's actually not.
And for me, that's just something I've never, ever been interested in.
Like I said, from that experience with my mum, it really kept me on the straight and narrow.
Definitely.
And a lot of people do credit card fraud.
You know, they think it's a victimless crime and they think it's a crime for which they will not be caught.
But ultimately, they are.
You know, it happened to me once.
My card was cloned at a petrol station of all places, a gas station.
And it took a long time for this to surface and be realised.
But somebody posed as me and I think they withdrew cash in Canada when I was somewhere else.
And clearly it wasn't me.
But all the people who did this, they were caught and they were banged up for it.
And quite rightly.
So it's not a crime that is as easy to escape with as some of these people tend to think, I would suspect.
But no, and this is what you find a lot.
So, for example, with the TalkTalk hack, and we were actually the ethical hackers that discovered TalkTalk being hacked when I found the data for sale on the dark web.
And this kid that attacked it really used an automated tool to find that attack.
He's 16, 17 years old, so he's quite young, and he's used that tool to do that.
And now he's potentially facing time in prison.
So yeah, a lot of people think that this is kind of something you can do in your bedroom without getting caught.
And that might have been the case 15 years ago.
But now the Met Police and the police in general are really, really on the case of this.
So let's look at the profile of your average hacker.
We get this view of a kid in his bedroom or her bedroom who's very savvy with all of this stuff.
And of course, has the ability to give all of his or her time to it in a way that people who are working for a living on the other side, you know, they're doing the job.
They're working nine to five.
Once they go home from whatever company it is, that's it for them.
But if you're somebody in your bedroom and you are totally into your tech, then you can spend an awful long time working a perfect way into systems that you shouldn't be getting into.
And that's the enemy now, isn't it?
Absolutely, yeah.
And you raised such a valid point where I actually gave a talk at Scotland Yard about this to the Met, where they were saying, look, how can we upskill their operatives to reach the level of hackers?
And I said, look, sadly, you're too late.
For me, I learned TCP/IP from the age of 11 or 12.
So my dad first bought us a 486 computer from a company called LNX when I was seven years old.
So when was this, '95?
And from then, I've been hacking computers.
It's as simple as that.
Now, the problem that organizations like the Met have got, for example, is that they have people that go on a career track.
So even if they've got an interest in computers, they join the police.
They then have to do two years on what's called being an on-the-beat bobby.
So do two years on the street.
Then they can start sort of working with the cybercrime division or the cyber terrorism unit or whoever.
Then they start becoming skilled in hacking.
So by now they're 25.
And by the time they've actually finished the degree, they're kind of my age.
So I'm 29 now.
And the problem that they've got is that when I was a 13, 14, 15 year old kid, absolutely, like you said, I'd be on a computer from the minute I got home from school until 3 in the morning.
So that kind of commitment that you can commit to when you're a kid simply can't be achieved once you hit adult life and once you start finding pubs and you have kids and other stuff that really consumes your life.
So it's a constant struggle to upskill and to kind of chase these kids.
At the same time, it is a bit of a myth that these nefarious hackers and people that are carrying out super high-level exploits are kids in their bedroom.
The reality of it is that you normally get a base skill set by the time you're kind of 16 to 18.
And by then, you've probably looked at things like TCP/IP, probably looked at things like networking.
But the really skilled, capable hackers that are really earning serious money from this generally are mid-20s to mid-30s; that's kind of the generation that do this.
And you definitely do build that skill set up over that 10-year period, without a doubt.
And that's kind of the reality of it, to be honest.
And these days, it's massive business.
Of course it is.
Otherwise, syndicates of criminals wouldn't band together and maybe employ some of these kids, but, you know, to hack into systems.
And we've only got to look at the last year when we saw enormous hacks.
The NHS suffered from the WannaCry vulnerability.
There was the Equifax hack.
This is a credit database in the United States.
I think it was 143 million Americans.
Data may have been compromised, they claimed at the time.
It also affected some people in the UK.
So 2017 was very much the year of the hacks.
And as we look as individuals, as punters reading the newspapers, it just looks like some of these organizations virtually sit there and hope for the best.
Yeah, absolutely.
And again, you raised some brilliant points.
So with the NHS hack, I know that that's potentially being pinned on North Korea at the moment.
But what you find with 80% of these high-level attacks, and we look at Ashley Madison and a lot of these other huge, huge data leaks, 80% of those are inside jobs.
They're insider threats.
So even hackers know that when you've got something which is really technically hardened, your easiest route in is with a person.
That's why a lot of what we do is social engineering.
So we try and social engineer information out of people that are employed within a company.
And criminal gangs will do the same thing.
So they'll look for people like cleaners, people that are disgruntled, people that are on their way out, and they'll actively recruit them.
Also, the other thing is that when you look at the NHS, the first thing is that those were NSA hacking tools, which were turned on the NHS by, potentially, as we hear, North Korea.
But let's not forget that these are hacking teams.
And one thing I always say in every talk I give is that it was Ocean's 11, not Ocean's 4, for a reason.
And what you find is that you need capable hacking teams.
So you need people that are skilled in web app pen testing or web app hacking.
You need people that are skilled in network exploitation.
If you need physical access to somewhere, you need somebody that's skilled in RFID or NFC.
So what you find very quickly is that these kids from their bedroom start going to hacking conferences.
Hacking conferences.
Yeah, absolutely.
Yeah.
So I attend the biggest hacking conference in the world, called DEF CON, which is in Vegas.
And that's got 30,000 of probably the world's most capable hackers attending that every year.
Why, was it not raided by the cops?
No, it used to be.
There used to be big issues.
I mean, it's in its 25th year now, so, well, 26th next year.
So, yeah, there used to be big issues.
But I think the police's attitude and the FBI's has changed as well towards hackers, realizing that it really is a conscious choice to do something criminal or illegal.
And a lot of people really don't want to get involved in that.
So, yeah, there's these huge conferences and people generally network from that, and from that get built up into kind of their own hacking teams or criminal gangs.
And we see that over everything, whether that's hacking teams from Russia or hacking teams from America, et cetera.
There's definitely some seriously capable hacking teams out there.
That really is the real danger.
I think obviously the insider threat's huge, and social engineering and that side of it.
But definitely hacking teams that are capable really, really are seriously skilled.
So one view of it that I've heard from the hacking community is that it is the organization's fault.
If their systems have vulnerabilities and weaknesses and holes in them, then that's their fault.
It's almost like if you leave your front door open, then don't be surprised if somebody's going to step in and walk out with your TV and your smartphone.
It's going to happen.
And similarly with these companies, if they don't spend the money, if they don't vet their employees properly, if they don't have the latest security hints and tips and tricks going for them, then obviously it's going to happen.
And the hackers, some of them would say, well, it's their fault.
If they leave the front door open, we're going to walk through.
Yeah, so to an extent that's true, to an extent it's not.
So firstly, a number of the issues are that a technological problem doesn't necessarily warrant a technological solution.
And what we find is that a lot of companies have written insecure code, for example; so there are some brilliant apps out there that have done some absolutely pioneering work, but they've not thought of security from the beginning.
So what companies then try and do is patch their bad code and secure their systems with a firewall.
But that doesn't work.
You have to build security from the ground up.
So that is part of the issue.
Secondly, a lot of this isn't just money.
Now, when we look at, and I don't want to pick on TalkTalk or any specific company, when you look at that attack, the attack that was carried out on that was older than the person that carried that attack out.
It's a very, very easy attack to stop.
Now, there's no excuse for not stopping that.
When we look at other organizations that have had an insider threat and a denial of service attack and a range of attacks carried out on them at once, that really is very, very difficult to defend.
And let's not forget that a lot of these companies are the first victims in this.
So even though we're the kind of low-level victims, and when Three, the mobile network, gets hacked and I'm on Three, then I'm definitely a victim of it.
But alongside that, people are going to lose their jobs.
So people don't necessarily want to get hacked.
What a lot of people don't do in a lot of big organizations is they don't have a proper, what's called a cyber incident response plan.
So they don't look at things realistically.
I think a lot of people think that they've spent a lot of money on this pioneering firewall.
So that's it.
They're secure.
Well, really, they should look at it a lot more realistically and say, look, what happens when we do get hacked?
What is our data loss prevention strategy?
What's our business continuity plan?
And then they can start putting things into action, where what we find at the moment is a lot of companies' policies are: spend a load of money on stuff that doesn't work.
And then we call it PUTPAP, pick up the phone and panic, when you get hacked.
And that definitely is not the best security policy to adopt.
And that, of course, that way of doing things, what you're doing is you're literally throwing a lot of innocent people who are your customers or clients under the bus, aren't you?
You're being quite willing for that to happen.
I sometimes get the impression that some companies, and let's not name names here, they decide to spend so much and no more on their security.
And they accept it's almost built into the balance sheet, it's almost built into their costings, that they're going to lose a certain amount of business and they're going to have a certain amount of embarrassment caused to them by this.
But spending the kind of amounts you'd have to to be 99% secure instead of 95% secure is not worth it for them.
Economically, in terms of their viability, that's why they don't do it.
Yeah, absolutely.
And I think one of the main issues is that people really don't understand how to secure themselves.
So one thing that I always talk about is secure password policies.
And we all hear this a lot.
So what we always hear is set a really strong password.
So some companies will have strong password policies, which are changed every 30 days.
So they'll say, right, everybody has to have a really strong password of uppercase, lowercase, special characters, etc.
Now, for us as penetration testers, that is absolutely perfect.
We've never had a penetration test where we've not walked straight through the front door from a range of techniques, whether it's cloning an RFID card, social engineering a receptionist, or posing as a cleaner or somebody else.
I can accurately say that we can get straight into most buildings, if not any.
Okay, now that's an important point that we've just got to hover over for just a second, because this penetration testing, which is what you do, that is being asked by a company or organization to go in and check out their systems and try and bust them.
You know, it always reminds me of that Stallone movie where he's put into a prison and has to try and break out of it just to test the prison security system.
Same kind of deal here.
You know, this is amazing when you say that in every case that you've investigated, you've been able to walk straight in through the front door.
That's appalling, isn't it?
It is, but then again, this is people not understanding the technology.
So I'll talk about this from a banking perspective because most of us have used banks.
We use a range of undercover techniques and technologies.
So we've got camera watches, we've got camera glasses, we've got all this different kind of stuff.
Now, I could give you that kit and you could steal from that bank very, very simply.
And one of the easiest ways to do it, and this isn't telling anyone anything they don't know, this is just an example.
Oh, you do have to be a bit careful.
Yeah, yeah, of course, yeah, definitely.
So when you start at a bank, you'll see that to get into the secure area, it's a pin code which goes onto the door system, which inevitably allows you into the door.
Or, for example, if we use a more widespread thing, self-checkouts.
So where you check out and you self-check out, you'll see that a lot of the operatives who authorize your stuff that's overweight or this has been misplaced or whatever, they scan a barcode.
But what you find is that those barcodes become damaged.
So they end up having an override code.
Now, if you're standing there with a camera watch, you can very easily grab that code.
And when you've grabbed that code, you can very easily pretend to be them.
So it's exactly the same with an RFID or NFC card.
Now, when you go into a building, whatever building that is, and you tap your card onto a reader, we can carry out a range of attacks against that.
And what we actually used to do was set up an induction loop.
When we were pen testing before for a large banking organization, we used to set up an induction loop and everybody would walk out, and everybody that walked out, we'd get their access cards.
So we would then look for the most privileged user.
So somebody who could gain access to everywhere in the building.
Right, so somebody who's got like access all areas.
That's it, yeah.
So we're always looking for the most privileged user.
And then from that, we could just clone their card and walk straight in.
Now, as bank cards and NFC and things like Oyster cards became more prevalent, we couldn't really do that because we were literally grabbing everything.
So now we've got a piece of kit which literally grabs and clones devices very, very easily.
We don't even have to write it to another card.
So now we're at a point where somebody can walk out of a building.
As they're walking out, we can grab and clone their card and walk in and nobody would know.
So yeah, physical exploitation is a huge thing and people don't often think that. | |
Do you ever go to organizations and buildings, you know, uninvited and do this and then contact them and say, look, I've got some important information that you need to know? | |
Or is that not the way it works? | |
Never. | |
I used to, what we do is we adopt something called the open bug bounty. | |
So my colleague Matt specializes in web app testing. | |
And whenever we find bugs, and we test out a lot of our testing tools online, and when we do, we find holes and vulnerabilities in websites. | |
So we've always been very nervous about going to a company and saying, look, we found a vulnerability because then they're expecting your next email to be saying, we want X amount of money. | |
So what we do is we use a system called the Open Bug Bounty, where we report it to the Open Bug Bounty. | |
And they then go to the company and say, look, this ethical hacker has reported this flaw. | |
They're not asking for any money. | |
They're not doing anything like that. | |
But if you give them credit, then they'd appreciate it. | |
And we were actually so successful at doing that that we dominated the leaderboard for two days. | |
And Open Bug Bounty actually got in touch with us and asked us if we'd hacked the leaderboard because we were so successful. | |
So they thought you'd actually change the rules of the game? | |
Yeah, they thought we'd hack their own leaderboard, including their VIP submission leaderboard. | |
So something we're very proud of, but that's the way that we do it. | |
To be honest, we've actually had quite a bad response from people. | |
When you start calling their baby ugly, then people really don't like it. | |
And what we say is that we work on impacts pen testing. | |
So we don't do generic vulnerability scans. | |
We show you the realistic ways that companies or organizations will attack you. | |
And I say companies because corporate espionage is huge. | |
So when we look at actually who's attacking companies, it's not just lone individuals. | |
It's not just people looking for money. | |
It's people looking for blueprints, people looking for intellectual property, people looking for people with security clearance, as we've had with the OPM. | |
So this is nation states and a whole bunch of different people who are potentially your adversaries. | |
And yeah, it creates a big issue. | |
But no, in answer to your question, we don't ever go to anybody and say that generally because it's not very well received. | |
But if you can always walk in through the front door, and if you or people like you can always do this, it's a little bit depressing, isn't it? | |
Because it just means that nothing is safe. | |
No bank is safe. | |
No organization is safe. | |
If somebody is really intent on breaking in to either steal intellectual property, data, whatever, or money, they're going eventually to be able to do it. | |
If you look at things that way, is that so? | |
If it is, it's massively depressing. | |
I wouldn't. | |
What I always say to people about this is that I wouldn't be depressed about it. | |
You're no less secure than you were before we started speaking. | |
The fact of it is that generally when hackers are looking at attacking companies like banks, et cetera, they're generally looking for high-net worth individuals and ultra-high net worth individuals or huge companies with huge amounts of money. | |
Generally, for people like us that are just kind of your average, ordinary user, there's no real risk of being targeted by a directed attack. | |
No, you're absolutely right in what you say, that when there's a spearheaded attack against an organization, it's very, very difficult not to get attacked. | |
But at the same time, there is stuff that you can do. | |
And we're very proud of the work that we do with our clients to try and keep them secure. | |
But we always say there's no such thing as 100% security. | |
It just doesn't exist. | |
And if it does, then there's no usable system. | |
And like we were saying, when we do penetration tests and we walk through the front door with the password policy, so companies have really strong password policies. | |
That is perfect for us because we know that your employees have got no choice but to write these passwords down. | |
So we just go up to keyboards, lift keyboards up, and a lot of the time there's passwords underneath them or passwords taped on screens. | |
In fact, the BBC and ITV have actually broadcast a bunch of National Rails passwords on a screen because they're filming in one of their operations centers and they've accidentally caught the screen. | |
The screen's got all the passwords written over it. | |
So yeah, strong policies often hinder companies more than they help them. | |
And this is why we try and help them kind of understand the real threat landscape and what it really means to them and how they can try and keep more secure. | |
In the news over the last two weeks or so has been this big vulnerability in two major types of chip that has been unearthed and the industry's been working to try and mitigate the effects of this thing. | |
But it is understood there is now a vulnerability in literally millions upon millions of computers and smartphones and devices of every kind that use these particular kinds of chips. | |
Have you been brought in to try and test some of these systems involving these chips? | |
Or do you think it's only a matter of time before you are? | |
No, absolutely. | |
We actually did one of the first proof of concepts for this exploit. | |
And it was massively anticlimactic, to be honest. | |
What we found is that this doesn't actually present any more of an opportunity to a hacker than a bunch of already known tried and tested methods. | |
A lot of the exploits on these chips require physical access. | |
Once you've got physical access, the game's over anyway. | |
There's a list of 100 things that you would exploit before you go looking for this exploit, which really exploits a lot of stuff in memory, some quite intricate attacks that you then have to traverse onto other stuff from. | |
And in reality, this has not changed the game for hackers at all. | |
Like I said, for us, this would be bottom of the list of stuff that we'd try out. | |
So even though, yeah, there's been a lot of hype about it and a lot of speculation on what it could be, the reality is that it isn't particularly serious at all. | |
Well, one of the things that didn't stack up for me, one of a couple of things that didn't stack up for me when I heard about this, they said, we've been telling developers and people in the industry about this for a while so they can make preparations. | |
And we've been keeping it quiet to everybody else until now. | |
And I thought, well, that's a joke, isn't it? | |
Because it only takes one person who's working on this to talk to his friend in a bar and the cat's out of the bag. | |
Yeah, definitely. | |
And a lot of companies do believe there's security for obscurity. | |
And really, that is not the best policy to have. | |
I'm not sure what device you use, but when we look at iPhones, they are particularly more secure than Android phones. | |
And that's purely because Androids are open source and iPhones aren't. | |
So, having that information out there does then give people the ammo that they need to shoot you, really. | |
So, yeah, I can see why companies don't want to disclose stuff straight away, but at the same time, as consumers, we have a right to know where these vulnerabilities are. | |
And that's the biggest thing that I say. | |
Look, we're not 100% secure. | |
We're probably never going to be 100% secure. | |
But at least know where your vulnerabilities are and at least know what the risks are to you. | |
And yeah, the reality of it is that this Intel and AMD and other chip manufacturers attack that's come out isn't anything new. | |
It's nothing pioneering to us. | |
It's new in the sense that it's been discovered at the CPU level. | |
But it definitely doesn't change anything for us at all. | |
Well, it's the first time, and look, you know, I'm not an expert, but it's the first time that I've heard anything in the news, and news is what I do, that is about the hardware and not the software. | |
It's always software we've been told about up to now. | |
It's a big shock to be told, actually, your hardware's a bit suspect in cases. | |
Oh, definitely, yeah. | |
So again, you find out a lot with software, I say this a lot, it's the black sheep theory. | |
Now, the issue with software is that you've got tens of thousands, even hundreds of thousands or millions of lines of code. | |
Now, for me as a hacker, if you picture this as sheep, you've got thousands of sheep out in a field. | |
If there's one black sheep, it stands out like a sore thumb. | |
And that's exactly what it's like in computer code. | |
When you start going through code, if there's any sort of vulnerability or any hole that you can get through, it really does stand out. | |
So I only need one bad line of code in your 100,000 lines, which I'm sure you've done a great job on as a developer, probably a better job than I could do. | |
But I'm an attacker, so I look at it from that perspective. | |
And really, we need one line of code to be wrong or misconfigured or provide an escape where it shouldn't. | |
And that's our entry point. | |
That's it. | |
So it is a hugely tough task for people that are writing software. | |
But at the same time, I'm not sure if you saw some of the stuff on my Twitter about safe hacking. | |
Now, one of the things that we do on a pen test, because we do impact-based pen testing, is one of our clients said that basically we weren't going to hack them because their passwords were in a safe. | |
So straight away, that sets us a challenge where we now have to become safe crackers. | |
So I started looking at safes and you can see all these videos online. | |
They're all on my Twitter or they're on Incinna's YouTube channel. | |
And the safe that he actually had, I'd managed to unlock it by banging the top of it. | |
So it was as simple as that. | |
Bang the top of the safe and it's open. | |
What do you mean they admitted you to their building and they said this is the safe where it's all hidden and you're not getting in there? | |
And you were able to get in there by smacking the top of it. | |
Yeah, literally by banging the top. | |
So when I started looking at this, I thought, well, I'm putting a code into this safe, cheap digital electronic safe. | |
I thought, I'm putting the code into the safe. | |
I'm then turning the handle, which is physically turning these big impressive bolts. | |
So I thought, right, the lock-in mechanism is only actually stopping me turn the handle. | |
So I thought, what is that that's stopping turning the handle? | |
And when I took it apart and looked at it, it's an electromagnetic solenoid, which is when it's energized, it pulls down a slug. | |
That clears the way for the handle and you can open it. | |
So all you need is a big magnet, don't you, to be able to shift that? | |
Don't you, if you have a big magnet outside that, any solenoid device, you can disrupt it. | |
That's it. | |
I'm sorry, I'll see you on hard. | |
Yeah, that's it. | |
So any magnet will open that. | |
But with that one, it was just a case of bouncing the solenoid. | |
So yeah, as soon as we bounced it enough, it was open. | |
That's with one sharp hit. | |
But I started looking at more intricate safes and more secure safes. | |
And did exactly that. | |
So when I looked at it again, same thing, electromagnetic solenoid. | |
All we had to do was put a magnet on the outside and the safe was open. | |
It was as simple as that. | |
So yeah, then we actually did tell the manufacturer about that. | |
And we said, look, there's a big issue with your safe. | |
So we can open it with a magnet. | |
And they were completely uninterested. | |
They actually weren't very happy at all. | |
And they said, well, look, we fixed it. | |
You know, we've put a non-ferrous metal plate in the new one, so we're not interested. | |
So I actually went and bought the new one. | |
And sure enough, the vulnerability was still there. | |
You could just put a magnet on the front of it, tip the safe forward, tip it back, and it was unlocked. | |
So this is the human element, then, isn't it? | |
Because it's the company that thought it's a good idea to put all of our crown jewels inside an old-fashioned safe. | |
And it's the people who designed the safes who are still in the 1960s thinking that solenoids are the way to go. | |
Absolutely. | |
And there's a bunch of ways of defending this which they didn't adopt. | |
And when we went back to them and said, look, you've done it again. | |
And this is a £300 to £400 safe. | |
So it's not particularly low level. | |
It's not the most secure safe you can get. | |
But I know people that store family valuables and stuff like this. | |
You can get them everywhere, these safes. | |
So they're a well-known brand. | |
And after everything, they came back and said, well, we're not interested because it's a fire safe and not a safe. | |
So it's like, okay. | |
But that's not how it's been marketed to people. | |
And the company using this to protect their data presumably didn't know that it's mostly about fires. | |
No, of course not. | |
No, of course not. | |
Well, yeah. | |
So what you're saying really is, yes, a lot of this is about technology and flaws in lines of code, but a lot of this is also getting people to think more about everything, every aspect of it, even mechanical, physical ones. | |
Everything. | |
Yeah, absolutely. | |
So the question in people who walk around an office. | |
So again, when we've never been challenged on a pen test, when we've walked around offices and secure areas, we've never once been challenged. | |
We've never been caught on the way-in. | |
We've never been challenged whilst on a pen test. | |
And we've never been detected in a pen test. | |
And I think, listen, I can bear that out. | |
I'm a journalist. | |
And in my time, you know, I've walked into buildings with a clipboard. | |
Of course, obviously I don't do anything like that now. | |
You know, I'm in studios these days. | |
But, you know, you walk into a building with a clipboard and maybe a briefcase and you look reasonably smart. | |
And even these days, in many cases, unless it's a big city institution where they've got a great big front desk and electronic barriers and they check everybody out, if it isn't a company like that, you walk straight in and no one will ever question you. | |
Yeah, that's it. | |
And again, companies adopt what's called a man trap. | |
So we're talking about electric barriers or man traps. | |
But again, you can, when you start exploiting the human element of things, if you turn up to a building having two cups of coffee and like you said with paperwork in your mouth, somebody will undoubtedly scan you in. | |
And a lot of it's definitely timing, 100%. | |
So yeah, getting into buildings, like you said, if you look the part and you seem the part, then yeah, generally it's quite easy. | |
Surprisingly. | |
It's a shame, isn't it, that we're having to become so much less trusting these days. | |
But that's just the nature of the world at the moment. | |
In 2018, where do you think the next threat is coming from? | |
I mean, we had these hacks, Equifax and the WannaCry situation last year. | |
Do you think that it's going to go up a gear in 2018? | |
And do you think it's going to be big utilities and governments that get hacked more? | |
Definitely, yeah. | |
So, one of the things that we really specialize in is industrial control systems. | |
And that's from our range of experience and background. | |
We're actually the only gas-safe registered penetration testing company in the country. | |
So that means that we can work on huge industrial manufacturing systems and gas boilers and gas cookers and heaters, etc. | |
Those themselves are extremely vulnerable. | |
So we're definitely going to see a lot more industrial control systems hacked. | |
When we look at what hackers want, and even this team, which is apparently North Korea, what they're after is money. | |
They're up for ransom in kit. | |
And that's exactly what we saw with the NHS. | |
It was a ransomware attack. | |
Ransomware attacks have been widespread for a long time, really since 2013, and have become even more prevalent. | |
But what we found now is that hackers, and even though we've worked in industrial control systems for the last 10 years, we've seen a massive, massive increase in attacks against that because hackers have realized really over the last few years that if you hack an industrial manufacturing process, | |
which some places are making hundreds of thousands of items a day, if you can stop that for an hour, you're putting the company into a position where they're very likely to pay you a ransom purely because it's the cheapest, easiest and quickest way to get their infrastructure back up and running. | |
And when you've got companies that are losing tens or hundreds of thousands of pounds a minute from a production line being stopped, then it's a big issue. | |
And luckily for us, we're kind of ahead of the curve on that because we've worked in it for so long, but we're definitely going to see an increase in that. | |
And we have done. | |
We've seen dams being hacked. | |
We've seen critical national infrastructure being hacked and a lot of other stuff in America, especially. | |
So yeah, undoubtedly, we're going to see that. | |
We're going to see a lot more ransomware attacks. | |
Well, you know, ransoms is a whole other issue, isn't it? | |
We've read cases around the world where ransoms have actually been paid out because it's easier. | |
And then, of course, the authorities have the massive task of trying to follow the money. | |
When you pay up, you know, if you pay them in Bitcoin or however you pay them, they then have the issue of trying to somehow follow the money trail back to the people who did this. | |
And I guess that's a nightmare. | |
Oh, it's very, very difficult. | |
Now there's ways. | |
And this is why really our skills were so good when we were younger. | |
When I was younger in the hacking community, there was no Bitcoin. | |
PayPal was still very much in its infancy. | |
So the only way of actually trading or dealing with any kind of hacker, and like I said, this doesn't mean it's anything nefarious, but trading tools, trading code, trading, et cetera, then the only way to do it was to build something which was valuable and trade that. | |
Whereas now anybody can pay money on Bitcoin. | |
Even I was doing a talk at Think Tank a while ago, and we were showing just how cheap and quick and easy it is to set up a ransomware. | |
And we're talking less than £50. | |
And a lot of high-level hacking teams will run a commission structure. | |
So if you're working at a company, for example, you can contact one of these hacking teams. | |
You can install the malware yourself. | |
So again, you could just be a low-level, underprivileged user on a system, but you tell this hacking team what you've got. | |
They'll send you a piece of malware. | |
You deliver it and they spit it 60-40. | |
So yeah, these kind of things are huge threats, definitely, like 100%. | |
And we're definitely going to see a lot more of it. | |
Boosting mobile device screen ransomware a whole lot. | |
On another topic completely, just taking you aside for a second, Bitcoin. | |
A lot of talk about Bitcoin lately. | |
It keeps going up in value. | |
Is it a bubble that's going to burst? | |
I personally think so. | |
I look at this from what the hacking community have said. | |
And bear in mind that I remember when Bitcoins were less than $20, $25. | |
So when they were next to nothing. | |
And people that I know were spending ridiculous amounts of Bitcoin on coffee and all other stuff. | |
And there's a famous story about someone I think paying 400 Bitcoins for a pizza. | |
And that was because at the time they weren't worth a lot. | |
Everybody in the hacking community was saying before the end of the year, they'll be worth $1,000. | |
And everyone was saying, no, no, get out, get out. | |
And of course it was. | |
And then that was, you know, November 2016. | |
I think a Bitcoin was £830. | |
And now we're looking at over £10,000. | |
And the hacking community genuinely believed that this is going to be worth £100,000 by the end of 2018. | |
So is it a bubble that's going to burst? | |
Maybe. | |
Funny enough, one of my colleagues, he actually remortgaged his house two years ago and put £150,000 into Bitcoin. | |
And at the time, I said he was crazy. | |
I said, look, you've got a house mortgage-free. | |
Don't be silly. | |
And he quadrupled his money and sold out. | |
So he proved me wrong. | |
A lucky man, I think. | |
It could so easily have gone the other way. | |
But, you know, smart move when you look at it in hindsight. | |
But like they say, hindsight is 20/20. | |
It is very concerning. | |
And then there's the whole issue of terrorism. | |
Have you ever been called in by organizations trying to protect themselves from terrorist attacks? | |
Yeah, definitely. | |
Yeah. | |
So cyber terrorism is, again, a huge thing. | |
And when you look at attacks like ransomware and like other stuff, then where is it funding? | |
And what we actually found with the attack I spoke about earlier, when we discovered that, what I found was that we were buying data on behalf of a big national newspaper that released the story. | |
And when we were buying data, we were finding people that were, when we were ringing them and we were saying, look, we're really sorry, we bought your data online from a nefarious hacker, but we're running the story only, we wanted to let you know. | |
We found that a lot of these people were on benefits. | |
So people with not much of an income. | |
So that to us was quite interesting. | |
We started looking at what had happened. | |
And what had happened is this young kid had hacked this huge telecoms organization. | |
He'd then gone to a hack forum and effectively bragged about it and said, look, I've got 300,000 of these super, super good data. | |
Who wants it? | |
He was then hacked by ISIS and by the cyber caliphate. | |
ISIS hacked him and took all the data. | |
Then they stripped off everything like Black American Express cards, all the high net worth individuals, everyone with a West London postcode, anyone that was of use. | |
And then they sold the low-level data to people like us on the dark web that they thought were low-level criminals when really we were working from a journalistic perspective. | |
So definitely the cyber caliphate and ISIS did at one time have a very, very good hacking team. | |
I would say that's almost disappeared. | |
We hardly see anything now from the cyber caliphate. | |
There's some very good British hackers that were out there working for ISIS and most of them have been killed by airstrikes, which really did take away a lot of its capability. | |
So even tools that we're seeing that are distributed by ISIS are very low-level tools. | |
In fact, one of my colleagues actually got a fatwa put out against him because he called out these tools for how bad they are. | |
They're not particularly high-level at all. | |
I think when we look at terrorism, the main thing really is nation States, that's going to be the biggest issue because it's them that are looking at attacking national infrastructure. | |
And then you get into playing the game that small-time criminals and larger-time criminals have been playing. | |
In other words, the blackmail thing: if you don't give us this much money, we're going to close your manufacturing process down. | |
But just imagine if it was somebody acting on behalf of a government who says, if you don't do this for us, or if you don't concede on this, and maybe this is all happening through back channels so it doesn't get reported in the media like many things don't, if you don't do this for us, then we're going to take down your hospitals or we're going to stop your water system purification systems or we're going to take down your entire power grid. | |
That's a frightening prospect, but very much a real one from what you've been saying. | |
Definitely, yeah. | |
And when you look at what happened with Russia and Ukraine, I think NotPetya has just been linked to Russia, which was a piece of malware which really did attack Ukraine in a seriously vicious way. | |
And I think that with that, a lot of people do wonder about what happens with that. | |
And I know that GCHQ and the NCSC came out and said that we're in a position to retaliate. | |
And I think that really that is one of our best defenses at the minute, is the nation states know that if we pin it to them, and bear in mind that when organizations were hacked by China, they actually pinned it to a specific officer, to a specific seat, which is speculation how accurate that is. | |
But that's the level that especially the UK and US government think they're working at. | |
So if they can accurately pin these attacks onto a specific person or nation, then 100% they should be expecting a fierce retaliation. | |
I've got to say that I personally have had a very pessimistic view of the internet for many years. | |
And I think I was one of the first people to do a show about 10 years ago called Threat to the Net, which was one of the editions of my radio show. | |
And I talked about the possibility that there would be so many bad actors out there, there will be so many hackers out there hacking into systems and making them unviable, that eventually the internet as we know it would collapse. | |
All confidence would be lost in it and you wouldn't be able to use it anymore. | |
And we'd have to either stop doing things this way, which would be pretty much impossible, or evolve Internet 2, something more secure. | |
Are we moving in that direction, do you think, Mike? | |
Yeah, definitely. | |
And there is 100% plans for Internet 2.0, which works on different things. | |
When we look at the TCP, IP or UDP protocols, they're flawed by design, really, because, again, they weren't built for security. | |
They were built for communication. | |
And that's a huge thing. | |
And it's the same with industrial control systems. | |
These are built for safety and reliability before they're built for security. | |
Obviously, safety is absolutely key because you don't want things like manufacturing devices killing human controllers. | |
Also, reliability, you don't want them going down. | |
So security comes third on that list. | |
And absolutely, yeah, we definitely see issues with the internet being built by design. | |
Now, there has been some really good things like SSL, so Secure Sockets Layer, which provides us security for internet banking, and encryption, which does work really well for us. | |
But part of the issue that I know the government see is that Middle Eastern countries are becoming more connected. | |
Facebook wants to put the internet everywhere. | |
And sadly, we've seen a whole range of attacks coming up from places like Somalia, places like Nigeria. | |
In fact, in Nigeria, there's huge internet cafés, which are just franchises for fraud, where it's literally just to defraud other countries in the world. | |
So as we see connectivity become more widespread, I think the problem's going to increase, definitely. | |
And sadly, it is the typical game of cat and mouse between the people trying to defend it and cyber criminals. | |
Absolutely. | |
And how long do you think it will be before we get into a situation where the internet, as we know it and love it now, is not something that we can depend on or trust anymore? | |
I don't know if it's something you can really put a time on. | |
What I would say is that the landscape of the internet has changed very much since I was a kid. | |
Now, when I was a kid, the internet wasn't half the size as it is now, and the internet's now huge. | |
But there has been some brilliant stuff put in place to keep us secure. | |
I think we're going to see a lot more compartmentalization of the internet. | |
So I think the stuff is going to be segmented off potentially like the kind of system they have in China where you can only view specific things. | |
Now, the argument to that is that for kids, that's probably not a particularly bad thing. | |
When I was younger, my mum had no idea what I was getting up to in the internet. | |
We were quite often attacked by Russian hackers who thought that we were seriously capable older hackers, not knowing that we were 13-year-old kids. | |
And the landscape has definitely changed massively. | |
So I think the stuff is going to have to be put in place. | |
We see that a lot by the government already, who are trying to put in encryption and visibility and ISPs keeping logs, etc. | |
But the reality of it is, really, though, I think it is flawed by design for security and it's going to have to be rethought definitely. | |
And what does this mean, all of these developments mean, for our privacy? | |
Something that I treasure and we all treasure here, being able to lead a life that is not open to everybody's scrutiny. | |
Most of us have nothing to hide, but we just don't want people prying around our lives. | |
And it's our right to privacy and our right to a free and open life. | |
With the world becoming more connected and with the world becoming, in a cyber way, more risky, we're going to lose our privacy, aren't we? | |
Little bit by little bit if we're not very careful. | |
How on earth, and this is a big philosophical question, but how do we protect that thing that we fought for, that thing that we vote in elections for, that thing that we have democracies for, and that is our right to be free and private individuals? | |
Yeah, that's it. | |
And look, for me, this is a huge issue. | |
And I have massive, massive problems with this. | |
Now, I call, a term that's used in our community is J-POP, which is judging people on paper. | |
Now, obviously, in your position, Howard, you're a journalist and you research stuff. | |
If you look at your history, your search history, you could be looking at potentially paedophiles, child groomers, all kinds of different stuff for your work. | |
Now, if I just take an abstract view of your search history, what am I going to think based on you? | |
And an analogy that I use quite a lot is that if I'm a dad and I take my kids to a snooker club every week, and that snooker club is known to be a hangout for serious organised criminals, and there's going to be a huge raid in the snooker club. | |
Now, straight away, I'm a person of interest just because I've taken my kids somewhere, guilty by association. | |
And that could be the same for websites that you use. | |
So you're using the same website, or you're using an encrypted messenger app like Signal. | |
A lot of us for operational security, me and my colleagues, use encrypted channels. | |
So that could potentially flag us up to nation states or to security services, etc. | |
So I think it's a very, very dangerous game. | |
Once you start judging people on paper and you start using web results to build a profile of people, it's very, very dodgy grass. | |
Well, when you start using algorithms, I mean, for example, yesterday I researched a murder, an assassination. | |
I think I probably put the word terrorism into a search engine because I was doing some research for a show that I was doing yesterday evening. | |
If you look at that just as a bold thing, then you might say, what's this guy putting assassination into a search engine for? | |
If you're not very careful. | |
So again, it comes back to the human element. | |
When we start using algorithms to profile people and to investigate people and to try and find out what they're up to, we've got to do it in a very diligent manner. | |
We have to be very, very careful. | |
And knowing how the police work with this, I think a lot of people think that it's like a case of putting an IP address and you can see what everyone's got. | |
It isn't. | |
And what they have to go through to get warrants to actually look at people's stuff is so, so difficult. | |
It really is challenging for them. | |
So, I mean, working on both sides of it, I don't think it's a case of any sort of police officer could just see what you're doing and see what you're up to, and that's that. | |
But at the same time, I do think there's huge risks with this. | |
And with the mind in the ISPs, hands to Hovar. | |
Like we said, you never know what anyone's doing and why they're doing it without being in their mind. | |
Well, if you're getting metadata, metadata is just the broad data of a rough idea of who you communicated with. | |
It doesn't actually go into the specifics. | |
But I would guess the metadata would show you something like this person living in this address searched the word terrorism at this time. | |
but it wouldn't actually show you why they did that. | |
No, of course not, because the reality is... | |
Yeah, that's it. | |
They could be an actor researching a part for a film. | |
You never know. | |
And this is the problem. | |
And once you start using that as a stepping stone to start kind of triggering an investigation, then what other things are you kind of taking away their privacy on? | |
So for example, we all use bank cards. | |
We've all got cars that are subject to ANPR. | |
So very quickly, a government or a security service or whatever, build a profile of us from where we are, where we live, where we eat, where we go to the gym. | |
Even for open source intelligence, it's very, very easy. | |
Now, it only takes a few things on that. | |
So for example, again, you're going to a gym which is known to be used by criminals. | |
You're searching terror. | |
You've recently converted to Islam. | |
Now, straight away, you want to hit this for terrorism. | |
And really, you're not doing anything wrong at all. | |
So, yeah, it's very, very difficult. | |
I think this is a huge thing for web privilege. | |
And there are benefits. | |
I mean, our government here tell us constantly the number of terrorist atrocities that have been headed off at the pass because they've been able to get the people through their communications in advance. | |
But we are living in a world where we're increasingly tracked. | |
And you mentioned ANPR. | |
For people in North America listening to this show, that's automatic number plate recognition. | |
And certainly around London, Greater London, and many of the big conurbations, there are high cameras on major thoroughfares, major roads, that actually track people's number plates for good reason. | |
In many cases, it can see whether the car is insured, whether they've paid their road fund license, which we used to do through a paper disc in cars, and now it's done electronically. | |
So you can do all of that by tracking the number plates of cars. | |
But also, you know where everybody is who's got a car at any moment of the day. | |
And that's a bit of a thought. | |
I don't know whether it's a worry, but it's definitely one to be thinking about. | |
For me, it's a worry. | |
For me, it's a huge worry. | |
And again, there's a myth that GCHQ work with the Met. | |
And the reality of it is that there's very, very little correspondence between GCHQ and the Met because they know that the Met's got holes in it. | |
And if you saw a documentary on the BBC a couple of years ago about the Hunt Syndicate, I think it was on Panorama, they were saying that they literally could not keep anything secure in the Met police. | |
So that is why it's a worry to me. | |
When you see that police, don't get wrong, I'm definitely not saying this is about all police officers, but there has been corrupt police officers. | |
And when you see that police officers were renting out warrant badges for £150 a night, and like I said, it's all on this documentary, that is a big issue because these are inevitably the people that have got access to this information. | |
And funny enough, somebody that I know in the hacking community, he designed the first tool for law enforcement to unlock iPhones. | |
And after the first tool, he said he'll never do it again. | |
And when he was asked why, he said because for the first two weeks, it was brilliant. | |
And they were using the tool against terrorism and against serious organized criminals. | |
And after that, loads of police officers were using it on their wives and girlfriends. | |
And that's really not on. | |
And you have to be careful with these. | |
Okay, I mean, obviously, we don't have any substantiation on that. | |
And that's a big claim to make. | |
But, you know, it's well within the bounds of possibility, isn't it? | |
So you have to be very careful in whose hands you put important and powerful technology. | |
That's it, definitely. | |
And like I said, I'm not saying that this is all police officers, and some of the best people that I know are police officers, but when you get any big organization like that, then a lot of the time there is an element of corruption. | |
And we've got to say that the vast majority of police do a fantastic job and they do all the stuff that we don't want to do. | |
My dad was a copper. | |
And let me tell you, he was a copper in the days before there was much in the way of computerization. | |
But all the stuff that people don't want to do, the picking body parts off roads after accidents, the going after criminals who've got firearms, those are the things that the police do. | |
So, you know, I guess we have to make that point here about all of that. | |
And one thing I do want to say about the police is that what a lot of the hacking community think is that, and I'll try and explain this to the hacking community a lot, a lot of the hacking community feel very detached from the police force. | |
When in reality, a lot of the people that I know in the police force that work in a cyber perspective are into the exact same things that we are. | |
So they've got the same hobbies, they use the same tools, they're into exactly the same stuff, but they work for the police. | |
That's the only difference. | |
So these are great people that have got brilliant skills and really do things in the right way. | |
Have we got enough of them? | |
From what I read about police funding these days, we haven't. | |
No, I'd say that we definitely haven't. | |
Obviously, yeah, police funding is a whole different thing. | |
And apparently the police have been cut massively over the last 10 years. | |
I'm sure they have. | |
But I think policing's changed. | |
The landscape of policing's changed. | |
And definitely the cyber side of it now against Britain. | |
You've got to think as well that now we've got a connected world. | |
We're getting attacks from everywhere. | |
So where crime was quite centralised to our specific island and our country, now the influx of attacks that are coming from all over the world is absolutely huge. | |
And in reality, do we have enough network specialists? | |
Do we have enough computer specialists? | |
No, we probably don't. | |
And I think this is why a lot of crimes that are under a specific limit or a lot of low-level stuff is overlooked by the police. | |
They can't do everything. | |
And it's very difficult. | |
But saying that, there has been some massive, massive progress made with things like the NCSC and a lot of stuff that GCHQ is doing to try and get people from school into the police force and into that kind of community, to the law enforcement community. | |
And it's brilliant work. | |
It really is. | |
We're definitely at a completely different place to where we were 10 years ago. | |
Absolutely. | |
You know, some older people, and maybe I could put myself among them. | |
And when we say older people these days, in terms of technology, that's anybody older than about 35, I think. | |
But, you know, a lot of people these days throw up their hands and they say, actually, maybe life was a little better before we had all of this stuff. | |
But the truth is that artificial intelligence is coming down the track. | |
The internet is forever evolving. | |
Devices are getting smaller, faster, better. | |
You cannot turn back the clock. | |
So we're in the situation that we're in. | |
You've got to live with it. | |
And that includes the security aspects. | |
We've just got to find ways of making ourselves as safe as we can be. | |
And we have to remember that we mustn't fool ourselves into thinking that the world was perfectly safe years ago because you don't read about them today. | |
But I can remember when you'd get the London paper and pretty much every day, a few times a week certainly, you'd read reports of people wearing what they called stocking masks over their heads, walking into bank branches with sawn-off shotguns and walking out with a lot of money. | |
You know, those things tend not to happen now because crime is done in a different way. | |
Definitely. | |
Yeah, 100%. | |
So yeah, so the policing landscape has definitely changed. | |
And if you're an old school police officer that's now approaching 55, 60 years old, then yeah, it can potentially be a difficult thing that your old school methods of policing don't work anymore. | |
And it's like one of my friends, he was a super high-ranking police officer, he's now retired from the Met, he was saying about car stereo theft. | |
It used to be the biggest issue that car stereos were getting stolen everywhere. | |
And they used to set up task forces on the top of multi-storey car parks, looking, oh, I need to do this and that, they used to go to car boot sales. | |
The only thing that stopped it was car stereos being built into cars. | |
That's it. | |
So we have to find ways of making it less possible to get the thing that you're looking for. | |
And I remember the era of car stereo theft. | |
You know, when I first came to London, and this is early 90s, I can remember parking my car and it was a little red Nissan. | |
And I was very proud of my little Hitachi car stereo. | |
And somebody smashed the window and they took my cassettes and they didn't bother taking the stereo out because it wasn't good enough. | |
It was only a cheap one, they thought. | |
But that was the big crime back then. | |
And of course, that never happens now because those things are built in. | |
Well, on that, you raised such a valid point because, again, when we look at hacking, we look at what is the hack value. | |
Now, you find all different reasons for hacking. | |
You find hacktivists who are people like Anonymous who just want to deface stuff or prove a point. | |
But obviously, a lot of criminal gangs actually want to look at the hack value. | |
What is it that they're taking? | |
And just as that thief's done with your stereo, he's decided the hack value or the theft value is not in your stereo. | |
And it's the same for cyber criminals. | |
They might see something is not valuable enough and move on to the next target. | |
So really, this is why for defense on organizations, it really is defense in depth and keeping all of your valuable stuff in so many depths of security that it's really not worth a hacker taking it. | |
But what you say is the same thing. | |
Criminals look for the value and they attack where the value is. | |
And in your case, it seems to be your cassette as opposed to your stereo. | |
Yeah, well, I just wish he hadn't broken the window first before he discovered that it was a pretty cheap stereo. | |
But that's a very, very long time ago. | |
And it almost sounds like another world. | |
So look, having talked about what we've talked about, the world that you work in is a busy one. | |
I guess this is going to be another big year for you. | |
Definitely, yeah. | |
I mean, we're getting busier and busier by the day, it seems. | |
And even Christmas, obviously, we're just into the new year now. | |
And Christmas is a massively busy period for us because that's when loads of attacks happen. | |
They know that people aren't going to be in offices defending and manually looking at logs and system changes, etc. | |
So for that period, it's definitely a busy time for us. | |
But yeah, undoubtedly, I mean, the cybersecurity industry is one of the fastest growing industries in the world. | |
And I can't see this going away anytime soon. | |
Definitely not. | |
Last question. | |
The people that you employ, how do you vet them because you're doing high security work? | |
How, you know, no system is completely foolproof, but what sort of questions do you ask them to make sure that they're okay to employ? | |
Yeah, so we look at a lot of stuff. | |
And obviously, technical ability is one part of it. | |
But if you're technical and you're a criminal, then that simply doesn't work for us. | |
So really, it's the ethics behind what you're doing. | |
And we look at people, so we employ mainly people that are my kind of age, not for any reason, but purely because they've got some kind of history in the industry. | |
So again, like a lot of people, and most of the people that I know in the hacking community are not nefarious hackers. | |
We're people that have got a shared common interest. | |
We're people that write code and make software and etc. | |
But we're not criminals. | |
So on that basis, you're not running into criminals every single day. | |
It really isn't the case. | |
But when we work with people, obviously we do vet them. | |
They need to do specific checks. | |
I won't go too much into the checks, but specific security clearance checks. | |
We all work under strict, strict NDAs, so we can't disclose anything when we work with companies. | |
And also, we don't know what we're going to find in companies. | |
So we have to work under strict, strict agreements with what they do. | |
And we've never had an issue. | |
A lot of the people that, well, everyone that we use is qualified and competent. | |
So there's some really good policy frameworks for ethical hacking qualifications, including with the EC Council. | |
So the EC Council do a course called the Certified Ethical Hacker. | |
And that shows that you know the methodology and the process of carrying out penetration tests. | |
What you find with hackers is that they don't have that methodology. | |
So hackers will go in, smash a place apart, try and find what they can. | |
Whereas pen testers will literally plan it and plan the ways that they can get into the system undetected, that they can get in and circumvent specific stuff, but also report on it properly. | |
So yeah, we really look at a lot of things, not just technical ability, but reporting ability, history in the community, previous exploits, previous research, how they disclose that research. | |
Do they work to responsible disclosure, which is disclosing vulnerabilities to companies before they go public, and all kinds of stuff like that? | |
So yeah, it's definitely a long process. | |
It's not particularly easy. | |
And are we getting to the day where artificial intelligence might be able to do your job or maybe a big part of it? | |
I don't think so, to be honest. | |
I have huge issues with artificial intelligence and massive, massive issues with artificial intelligence. | |
And a lot of people don't understand the difference between automated, autonomous, and AI. | |
And they're three very, very different things. | |
Now, a lot of companies, and where we're very, very different as a company, is that we do impact-based pen testing. | |
So we look at the realities of how somebody would attack you. | |
If you're really, really good with online security, then we'll look at your physical security as well as your online security. | |
Whereas what a lot of companies will do, and I'm not knocking any other company at all, and this is absolutely fine for some organizations, but a lot of companies will do generic vulnerability scans with software. | |
Now, undoubtedly, that can be taken over by a computerized operator. | |
I think a lot of what we do in terms of physical exploitation probably won't, but then it depends on where you view the artificial intelligence community as going. | |
Because if we get to a point where we've got solid synthespians like in Westworld, for example, where we really can't tell the difference, then I don't really see any reason why computers couldn't take the role. | |
If there's a computer that can one day achieve substrate independence, then I don't see why it wouldn't be able to be taken over by a computer. | |
But I think you're going to be all right for a while because I can't imagine any robot or AI system that would come up with the idea of banging a safe on the top to release the door because the solenoid is the thing that's controlling the door. | |
You know, I think that's the kind of thing that only a human could devise. | |
Yeah, and I don't think we're particularly close to it. | |
But then saying that as well, computers are very, very good at understanding parameters. | |
And if you put something in front of them, like an electromagnetic solenoid valve, then how quickly is it going to have the ability to think out of the box and take this out of its intended purpose? | |
And in all honesty, I don't think we're a million miles away. | |
I think in 50 to 100 years, we're going to be in a completely different world than what we're living in now. | |
And for me as a hacker, it worries me, definitely. | |
I'm not going to lie. | |
And I think there are a few important questions that are asked on this, which is what happens when computers become so complex that we simply don't understand them. | |
And that's a huge issue. | |
When you look at Moore's Law and transistor density doubling every two years, any computer now could render anything from MS-DOS back in the day instantly. | |
So it's fair to say that in 50 to 100 years, a computer will be able to do anything that we could conceive now instantly. | |
So when that happens and when computers can be so reactive, and again, the question you raise is an absolutely brilliant point. | |
When I was at DEF CON, not last year, but the year before, DARPA were doing a challenge called the Cyber Grand Challenge. | |
And they had three top, top education institutes set up a range of servers that they believed were secure. | |
And these servers had kind of an artificial intelligence element. | |
And the idea was that they needed to scope the area around them. | |
So they needed to identify other computers around them. | |
They had to defend themselves from attack, find vulnerabilities in the other computers around them. | |
And if they could exploit them, then exploit them. | |
So humans got these computers to a point where they thought that they were impenetrable. | |
So they thought they were absolutely solid. | |
By the end of the weekend, there'd been over 600 exploits found in either of them. | |
So the computers did a better job. | |
And it's like Kasparov did an amazing talk on obviously IBM's initial set out to beat him at chess. | |
And it worked. | |
And it worked at the end of the day. | |
And it worked through different methods. | |
But now, I think you're going to struggle to find any human that will beat a computer at chess. | |
And back in the day, that was the theory of when computers become super intelligent is when they can beat a human at chess. | |
Those goalposts keep moving. | |
So we keep moving those on and on to different things. | |
So what we're saying really is at the end of this, all bets are off. | |
Yeah, I mean, in a certain point. | |
And the other important thing is that when computers become extremely intelligent and they become self-aware of their environment, at what point do they wipe us out? | |
And I say this a lot of the time. | |
When you look at what humans are doing to this planet and the way that we're using resources and polluting the planet like mad, if an alien race was to come down here and see what we're doing, could we really blame them for wiping us out with a nuclear bomb? | |
Probably not. | |
And it's the same with computers. | |
At what point do computers decide that actually maintaining humans isn't to the greater good of the world or of them or of anyone? | |
And I'm definitely not saying that that's going to happen overnight, but eventually if we keep going the way that we're going to, everything will be a possibility, I believe. | |
And it really is impossible to predict what the world will be like in 100 years from now. | |
I mean, my prediction is, and I know this is something that you also have looked into and we'll talk on another occasion about this, is that in a very short span of time, you know, not 100 years, we may get to a situation where it will be impossible to discern what is real, what is three-dimensional reality, flesh and blood in front of us, and what is not. | |
And that's a scary prospect. | |
It's definitely a scary prospect. | |
And when I was younger, we were hearing about, I mean, I genuinely believe I'm from the golden era of the internet and of computer technology. | |
I've gone from not having any connectivity at home to having dial-up internet, then ISDN, then broadband, and now high-speed broadband, which in 30 years, this won't be high-speed broadband at all. | |
This will be absolutely terribly low-speed broadband. | |
So I've kind of gone through the whole thing, and I've gone from having an Amiga and a Commodore to having a Master System and a Mega Drive and a PlayStation and going through all of this stuff to a couple of years ago when I was at a conference where they've now got artificial reality that hangs you. | |
So you hang on kind of a hook and you can run within an environment, you can pick stuff up, you can do all this kind of stuff. | |
And for years, we've been asking, well, how can you actually get to a point where you can run around your living room and think that you're in a game? | |
That has pretty much found it. | |
When you're hanging in a specific place, there really is no limits to what you can do. | |
And yeah, I don't think we're years away from that, from being unable to discern what's what, really. | |
Now, I said a few minutes ago I was asking you my last question. | |
Actually, I probably lied because this is. | |
A lot of the work that you do as an ethical hacker is, in fact, all of it is very, very secret. | |
So why are you talking to me about it? | |
I don't think it's particularly secret. | |
I think a lot of the tools and methodologies that we use are quite secret and behind closed doors. | |
But the reality of what we do is that more companies need to understand what we're doing and how it helps them. | |
Now, if you're a company that's got any kind of critical infrastructure or any client data, et cetera, GDPR is coming in. | |
So I'm not sure if you're familiar with the GDPR. | |
It's the General Data Protection Regulation, and it's changing on May the 1st this year. | |
And it's basically updating the Data Protection Act. | |
So, companies have now got a responsibility to test and to carry out invasive or penetration testing. | |
So, what we do isn't secret at all. | |
What we do, I'm more than happy to speak about it in public and let companies and organisations know how we work to better protect them. | |
That doesn't mean we're going to share all of our codes for exploits or anything like that, but definitely talking about the issue and trying to bring some awareness about the threat that people face is one of the main things that we're doing. | |
So, it's an important thing to talk about for us. | |
And if people want to see your great website, I think it's insinia.co.uk, yeah? | |
Yeah, that's it, insinia.co.uk. | |
And I'm quite active on Twitter as well, MikeGhacks. | |
And I'm definitely open to any question. | |
I'll answer any question and try and help out where I can. | |
Definitely. | |
Fascinating conversation, Mike. | |
Thank you very much for it. | |
Cool. | |
No worries. | |
Thanks a lot, Howard. | |
Cheers. | |
I don't know about you. | |
I found that hour really, really interesting. | |
And this is the shape of things to come. | |
Let's not be under any illusions about that. | |
The man we've been speaking with is Mike Godfrey. | |
We'll talk with him again. | |
His company is Insinia, and I'll put a link to him and his work on my website, theunexplained.tv, which is designed and created and owned by Adam from Creative Hotspot in Liverpool. | |
More great guests in the pipeline here at The Unexplained. | |
Thank you very much for being part of my journey here in 2018. | |
So until next we meet here on The Unexplained. | |
My name is Howard Hughes. | |
I am in London, and please stay safe, stay calm, and above all, please stay in touch. | |
Thank you very much. | |
Take care. |