I recently had the privilege to attend the first annual WIREDSecurity conference in London, and it was awesome. I learned so many things from different perspectives; how a social engineer can penetrate a company from the ground up by exploiting the human hardware that inevitably fails, to how an entire country has been digitised, to the way that malware exploits the gullible and technically ignorant. Incredible. There was so much information from so many amazing and pedigreed speakers that by the end of the day I felt ready to burst; but most of the speakers identified one single theme when taken as a whole: the user and their ignorance of good security measures is the weakest link in the security chain. Another thing I noticed at the talk that I wish the world knew: no two hackers look alike, no matter what google image search might tell you.
One of the big take-aways from Jamie Woodruff; (a casually dressed dude with a scruffy beard, a cheeky grin and glasses) was that being a penetration tester is badass. He told us the story of gaining access to a company by watching, waiting and then finally dressing up as the pizza guy who he knew always got buzzed straight up and letting himself into the central server room with his hacking gear inside a pizza box. Diabolical! The bosses weren’t impressed by his #serverSelfies by any means. The only thing more awesome is when you realise that his every day job is the stuff spy movies are made of, without the imminent death. Lucky he’s a good guy, who has chosen to undertake the tough job of exposing these kinds of weaknesses in a company’s defences… Otherwise, he’d be deadly.
It almost seemed timely that WIREDSec should be held so soon after the Mirai botnet was revealed as a huge emergent threat online and just before we really saw it unleashed on the world in the form of the incredibly far-reaching Dyn DDoS attack that crippled a whole host of online services in a single swoop, by taking down the address routing system that manages all those resources. It was disheartening hearing Mikko Hyppönen (a tall, serious man in a sharp suit, with a pirate ponytail and swagger to spare), Chief Research Officer of F-Secure and globally respected Badass netNinja, say “If there’s one thing I’ve learned about people, it’s that people will never learn. They will always double click on every executable, they will always follow every link, they will always type their password and credit card number into any field that asks for it.”
This image is the one he showed us in his talk, followed by the words "I quit." Though facetious, I totally understand his point. When you consider that most of the malware (bad programs/viruses) that is used in ransomware attacks (where they encrypt your files and sell them back to you) is installed on your computer through activating malicious Word documents, it makes sense: The general public has a huge knowledge gap when it comes to knowing how viruses are spread.
HackLab Hint: If you EVER get an email with a Word/Excel document attached and you aren’t sure who it came from: DON’T CLICK ENABLE CONTENT. It’s how they hide malware – inside the Word document there is a macro which runs on your computer once you allow it to, giving the hackers access to your file system. This goes for ZIP (WinZip) files too. Stay away. Even if it says you’ve won the Nigerian National Sweepstakes…trust me, you haven’t.
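For anyone who wants to check an attachment before a user ever sees the Enable Content button, here is a small added example (my own illustration, not code from the post or from any of the speakers) that looks inside a modern Office document for the macro container. It assumes only the public file layout: a .docx/.docm/.xlsx/.xlsm file is a ZIP archive, and VBA macros live in a part called vbaProject.bin. The sample documents it builds are constructed stand-ins, not real Word files.

```python
import io
import zipfile

# Legacy binary .doc/.xls files start with the OLE2 compound-file signature.
# Those can carry macros too, but this script cannot inspect them, so they
# are flagged for a closer look rather than declared safe.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_office_attachment(data: bytes) -> str:
    """Return one of: 'macro', 'no-macro', 'legacy-binary', 'not-office'.

    The file extension is deliberately ignored: a renamed .docm is still a
    ZIP with a vbaProject.bin inside, and that is what we look for.
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-binary"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            # Every OOXML package has a content-types manifest at the root.
            if "[Content_Types].xml" not in names:
                return "not-office"
            # Macro storage is word/vbaProject.bin, xl/vbaProject.bin, etc.
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # Belt and braces: the manifest also advertises the VBA part type.
            manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if "vnd.ms-office.vbaProject" in manifest:
                return "macro"
            return "no-macro"
    except zipfile.BadZipFile:
        return "not-office"


def advice_for(verdict: str) -> str:
    """Map a verdict to the plain-English hint a user should get."""
    return {
        "macro": "Contains a macro: do NOT click Enable Content; verify the sender first.",
        "no-macro": "No macro container found; still open only if you expected it.",
        "legacy-binary": "Old binary Office format; cannot be checked here, treat with caution.",
        "not-office": "Not an Office document at all.",
    }[verdict]


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-style package for testing (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00")  # placeholder bytes
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in [
        ("macro-enabled sample", build_sample(True)),
        ("plain sample", build_sample(False)),
        ("legacy .doc sample", OLE_MAGIC + b"\x00" * 64),
        ("random bytes", b"definitely not a document"),
    ]:
        verdict = classify_office_attachment(blob)
        print(f"{label}: {verdict} -> {advice_for(verdict)}")
```

The check is a cheap first filter, not a malware scanner: a document with no macro can still carry other tricks, and a document with a macro may be perfectly legitimate, which is exactly why the advice stays "verify the sender" rather than "delete".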
More poignant, however, was when Troy Hunt (a tall, athletic Aussie bloke with a ready smile and an amicable nature - and founder of HaveIBeenPwned) took the stage to discuss personal data breaches and their sources, impact and dangers. He told us that quite a few times when information has been given to him or his organisation it comes from young people who used a piece of software they found on the web and committed a felony act without understanding exactly what it was they were doing or what the ramifications of that act were – infosec peeps refer to these budding pentesters as scriptkiddies. It’s kind of like a gigantic hacking fruit-machine: Download a piece of malicious software from a hacker forum somewhere and give it an input; say…Ashley Madison’s website. Pull the lever and watch the wheels spin… and after a while it spits out the data you were mining. Another famous one was the OIC (Orbital Ion Cannon) used on the Operation Chanology DDoS attack against the church of Scientology in 2008. Lots of people who didn’t understand what the program did, but ran it anyway, were charged with committing computer crimes despite their ignorance. It certainly dispels the image of the hoodied techno-villain being the fount of all our digital strife.
It’s crazy to think that some of the data breaches we’ve had in the last few years might be the accidental result of some (now terrified) kid who was just looking to satisfy their curiosity and ‘see what happens if.’ The broken record in my brain started up again at this point: Why isn’t there an infosec curriculum taught in schools? Why aren’t we speaking to these kids and helping them use their innate curiosity to create a better web? Why are we (the education establishment) insisting on the old system of ‘security through obscurity’ and hoping that if we don’t teach them how it works, they can’t use it against us? It’s not working; they’re teaching themselves. And with the lack of many legal and safe ways to experiment and learn these skills, kids are turning to online forums and message boards where ethics isn’t a consideration when using these new powers they’ve acquired. Would you rather your kid learned magic from teachers at Hogwarts, or from the sketchy trolls that live under the bridge? We’re breeding a generation of super-villains by keeping their skills on the outskirts of our digital society instead of treating them like the shining guardians of our data. It’s mental… and disappointing.
So when Dr Ian Levy (a cheerful man with piercing eyes, a warm smile and who definitely owns a collection of cardigans – and current Technical Director of Cyber Security at GCHQ) began to speak about how GCHQ is hoping to address this problem, I felt a little better. The National Cyber Security Centre is a new initiative, spearheaded by Ian, that aims to help create a better culture of cyber security across the nation through a range of different channels. One of these is the education of young people in the skills and understanding required to keep themselves safe online and prevent data theft. Great! So the people in charge of our digital security are trying to get in front of the problem and show the users how to protect themselves. How to create strong passwords easily, how to avoid malware scams and keep your data safe with services like LastPass. That’s what the nation really needs, right? JobCentre training for everyone on keeping your data game tight in this world of hacks, cracks, thefts, scams, flim-flams and men-in-the-middle. Well, don’t worry. We’re developing a kid-friendly infosec curriculum as we speak, aimed at helping kids become more powerful online and making sure the rest of us can sleep soundly knowing that soon nobody else will tweet their credit card picture.
WIRED Security was an amazing event, I’ll definitely be going next year. Mac and I learned loads, met some cool and interesting peeps and had an excellent time. The feeling of community was strong, we made a lot of great contacts and had a lot of preconceptions challenged by the wide array of talented men and women who are keeping our data safe. Hopefully though, next time we won’t be the only ones in hoodies at the hacker convention!
If you want to learn some binary badassery, there are a few places you can head online. Here are a few of the good ones:
Cybrary is a free online learning platform for information security learning. Their content is good, but their videos are not very exciting, if I'm honest.
Hack This Site is an old stalwart that has been around for ages. Their gamified and levelled style is fun to play and doesn't treat you like a noob scriptkiddy or look down on you for being a beginner.
Cyber Security Base is a newer one that's come up, created by F-Secure (the same guys who work with Mikko keeping us all safe from attack) which looks really good. I haven't found the time to have a go yet, but it looks the business.
A teacher, a beat-poet, a skater, a geek;
A writer, a reader, a rhymer, a freak.
A hacker, a thinker, a player, a cad;
The overgrown kid who co-founded HackLab.