MacDougall, who has presented at security conferences including BlackHat EU, BSides Las Vegas and DerbyCon, will be speaking at the Cyber Defence Summit Middle East and North Africa organised by ITA, Oman CERT and naseba in Muscat on March 4-5th.
How difficult is it to walk the fine line between finding security holes and not actually exploiting them for personal gain or any other unethical purpose?
Not difficult at all. It depends on the ethics of the person doing the security assessment. I am in the business to help people solve problems, not exploit them. That said, not everyone out there shares my ethics, so it is very important to do background checks on anyone you allow into your network.
Do you consider the possibility that security agencies like the FBI, CSIS, MI5 etc would probably have very thick intelligence files on you, perhaps making the concept of privacy elusive?
I am positive they do have files on me. But they do on most citizens at this point. The concept of privacy is really an outdated one; there are few places in developed nations where true privacy exists. Your purchases can be tracked by loyalty cards or credit card trails, your movements can be traced by your cellphone, your e-mails can be monitored, etc. There really is no privacy at this point.
What do you think about the Aaron Swartz affair (the Reddit co-founder committed suicide recently after being prosecuted for downloading academic documents from JSTOR)?
I think it is yet another example of judicial overreach. In the US and other nations, prosecutors seem to be aggressively targeting privacy advocates for the simple reason that openness is the enemy to most governments. I am more concerned about the Andrew Auernheimer incident, where they are about to jail a security researcher who found sensitive information just by incrementing URLs. He didn’t bypass any security features at all, yet the US government prosecuted him successfully for hacking.
It’s not only an outrageous verdict, it is stifling security research. It’s a truly chilling development, which will only aid attackers.
What would you advise teens who are experimenting with hacking?
There are lots of places to hack legally and learn about computer security. Sites that sponsor ‘capture the flag’ or ‘hacking challenges’. Those are great places to build and learn skills while staying legal. A lot of security conferences also host competitive hacking contests. I would recommend every budding hacker to attend at least one security conference a year, if for no other reason than to learn and network with others.
Some sites include overthe wire.org, www.mitrestemctf.org, hacking-lab-com, vulnhub.com, ctf365.com, and others. You can google ‘online hacking challenges’ and ‘hacking capture the flag’ for more.
What is it that law enforcement agencies lack in the fight against cyber crime?
I think they lack skilled people with good backgrounds. The fact that they crackdown with excessive charges on researchers is doing nothing positive to help that. That said, the number of skilled ‘cyber sleuths’ in law enforcement is growing rapidly, and the skills gap is closing quickly.
You have said that social engineering is the biggest threat to the enterprise. So, what should CSOs be doing about minimising this risk?
They should be doing intensive training, and by that I mean spending more than 15 minutes talking to employees. My company, Tactical Intelligence, offers intensive training aimed at all users within a company, regardless of skills. The course takes a day, but by the end of it, everyone knows what to look for, and more important, how to protect the company’s assets.
There are other steps companies can take. Do a social media ‘deep dive’ to discover every piece of information that is already out there about the company. Institute a company ‘word of the day/week’ – if the caller is posing as an employee they need to answer the challenge question. If they can’t, they are most likely not an employee.
Is hiring a hacker a good idea to improve IT security?
It depends on the company. Hiring an established security company to do a comprehensive vulnerability assessment is critical. That will help to identify any weaknesses within the network. Once the company has addressed these issues, then it might be appropriate to hire ethical hackers to attempt to penetrate the security. But if you haven’t first identified the problems and addressed them, it’s a waste of money.
How did you prepare for Defcon last year (MacDougall walked away with top honours in the Wal-Mart social engineering case)?
I prepare for every year’s contests by doing three to four weeks of research, just as I would if I were doing an engagement for a client. This involves crawling every nook and cranny of the Internet to identify employees, company information, technology used, locations of facilities, contractors, conference presentations, etc. Once I have all this information I put it into a dossier and then determine who best to target and prepare ‘pre-texts’ – the stories I will use to extract information from the target.
What kind of challenges do you face at Tactical Intelligence on a day-to-day basis?
Our biggest challenges are finding skilled people to deploy on engagements. Unfortunately there’s a real shortage of good security people, so we sometimes end up having to turn down engagements if we don’t have people available. It’s regrettable, but I’d rather turn down work than present a substandard product.
Have Black hats ever tried to hack you and/or your company/colleagues?
Every week we have people try to attack us. It gets tiresome after a while, but that is the world we work in, so it is part of every day life.
We have everyone from state sponsored hackers to what we refer to as ‘script kiddies’ – low skilled attackers, and they try everything from launching zero days to phishing attacks on us. It doesn’t work because our website consists of plain old HTML and our e-mails are run through several levels of AV and anti-phishing filters.
Does being an ethical hacker make travel challenging in some countries? Do immigration/visa officers take an extra interest in you when you mention what you do for a living?
I haven’t had many problems. I’ve been stopped a couple of times and been sent into secondary screening, but I’m not one of the bad guys and that becomes pretty apparent to the officers once they speak to me and examine my past. I hope that trend continues!