10 Questions you've always wanted to ask an Ethical Hacker
Updated: Apr 23, 2020
VICE and I recently worked together to create 10 Questions You've Always Wanted to Ask an Ethical Hacker, in order to introduce what an Ethical Hacker even is.
As it is a 5-minute video, it was challenging to get everything covered. I wanted to make sure that, even though things often seem doomed to be hacked, there is still hope in keeping yourself secure.
Let's dive into the questions asked:
Question 1: What is an ethical hacker?
Hacking isn't malicious in itself; it's finding new ways to do something. An Ethical Hacker is an innovative person who looks at something for what they can make it do versus what it was created to do.
"What is this and what can I make it do for me?"
When preparing for a talk on Offensive Security, Dean Kelshall provided a sanity check. Without sounding like the aim is to create our own personal hacker army, the talk was aimed at teaching non-technical people how to hack in order to better protect themselves.
"Just because you have the skills doesn't make you malicious." - Dean Kelshall
The thing is, all ethical hackers, security researchers and specialists I know aren't out there to harm, they're using their skills to educate and help.
Question 2: What's the biggest misconception about hackers?
The media likes to portray hackers as these mythical creatures with wizard-like skills. Unicorns that can manipulate technology into giving us their secrets.
I don't see the world in binary, I can't use my lenses to find Password in the Matrix... Unfortunately, I haven't received my wizard robes just yet, so for me, I'm a normal mortal human who is generally just curious. I get distracted easily, and I'm not great at doing what I'm told. When I look at something I think, what can I make it do?
Breaches described as "highly sophisticated attacks" often aren't. There are highly skilled people out there, but at the same time there are malicious actors re-using code and exploiting old, known vulnerabilities with publicly available exploits, vulnerabilities that simply weren't patched.
The zero-day may sound exciting, even sexy, but often it's the two-hundred-day exploit that gives access. Patch management is quite a large aspect of Cyber Security. That means you don't need to know all the cyber jargon; simply updating your software can make a difference.
Question 3: What exactly do you do?
A lot of failing, trying again, and eventual success.
When a client comes with a question, we review what they have and what they want to achieve. Ethical Hacking is simply one part of a bigger plan to secure you and your environments. There are three approaches when it comes to client engagements:
Black box: the ethical hacker knows nothing about your environment, or even your people. All information is gleaned from open-source information, from IP addresses to employee names. This form is the most realistic; however, it can take the most time and can be costly.
White box: the hacker is provided all the information needed, including IP addresses, emails, document naming format, etc. This is used when time is limited, budget is tight, etc. It is the least realistic, but it does have its place.
Grey box: as you can imagine, it's between white and black. This approach is the most common that I've seen: some details are given, whilst others are researched via open-source intelligence.
There are a variety of types of validation; the box colours simply describe the ethical hacker's inside knowledge prior to beginning the engagement. Check out Ideas for Defining Testing.
Question 4: What's the weirdest thing you've heard of being hacked?
As stated in the video, adult toys. I'm not saying don't use them, have fun how you like, but be mindful when buying a connected device.
If it connects to the internet, it has the potential to be manipulated. If you want to use it, look at the reviews and the company's reputation. I often read the negative reviews first: why are people voting it down, a missing feature or horrendous design? Is the company known for solutions that do not include security?
Did you know there are researchers out there who dedicate their time to finding vulnerable adult toys? Search the products, read the reviews, and understand the company that you're 'getting into bed with.'
Question 5: What's the most common hack?
Phishing leads the way! Phishing is a social engineering attack that uses emails with a crafted storyline to convince you to click a link, open a malicious document, or enter credentials. It can be targeted (see spear-phishing) or run as a general campaign with the largest possible scope of targets.
Phishing is efficient because basically everyone has an email address, and combined with social engineering it is extremely effective.
Did you know that during the North American tax season (1 January to 15 April) phishing sees a rise globally?
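One indicator that a link-based lure relies on is the gap between the web address the email shows you and the one the link really opens. The Go program below is an added example, not code from the original post: it scans a constructed sample email (the domains ending in .example are made up for the demo) and reports every link whose visible text names one host while the href points to another. Links whose text is not an address at all ("Click here") make no claim and are left alone, and a "www." prefix is not treated as a different site.

```go
package main

import (
	"net/url"
	"regexp"
	"strings"
)

// SampleEmail is a constructed lure, not a real message. The first link's
// visible text claims the tax office's own site while its href leads elsewhere.
const SampleEmail = `From: "Tax Office Refunds" <refunds@tax-office.example>
Subject: Your refund is waiting

Confirm your details at <a href="http://tax-office-login.example/refund">https://www.tax-office.example/refund</a>
before 15 April. Your statement: <a href="https://www.tax-office.example/statements">www.tax-office.example/statements</a>
Questions? <a href="https://www.tax-office.example/help">Click here</a>`

var (
	// anchorRe captures the href and the visible text of each HTML link.
	anchorRe = regexp.MustCompile(`(?is)<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>`)
	// hostRe pulls a host name out of link text that looks like an address.
	hostRe = regexp.MustCompile(`(?i)^\s*(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)`)
)

// Finding is one link whose displayed host and real destination disagree.
type Finding struct{ Shown, Actual string }

// sameSite treats "www.example.test" and "example.test" as one site. It does
// not model public-suffix rules (co.uk and friends), a simplification here.
func sameSite(a, b string) bool {
	return a == b || strings.HasSuffix(a, "."+b) || strings.HasSuffix(b, "."+a)
}

// LinkMismatches scans an email body for the "look here, go there" lure:
// anchors whose visible text names one host while the href points to another.
// Anchors whose text is not an address ("Click here") make no claim and are skipped.
func LinkMismatches(body string) []Finding {
	var out []Finding
	for _, m := range anchorRe.FindAllStringSubmatch(body, -1) {
		u, err := url.Parse(strings.TrimSpace(m[1]))
		if err != nil || u.Hostname() == "" {
			continue
		}
		h := hostRe.FindStringSubmatch(m[2])
		if h == nil {
			continue
		}
		shown, actual := strings.ToLower(h[1]), strings.ToLower(u.Hostname())
		if !sameSite(shown, actual) {
			out = append(out, Finding{Shown: shown, Actual: actual})
		}
	}
	return out
}
```

Run against SampleEmail, LinkMismatches returns a single finding for the refund link (shown www.tax-office.example, actual tax-office-login.example); the statement link and the "Click here" link are not reported. A mail filter or user-awareness tool would surface that finding rather than block outright, since legitimate newsletters also route links through tracking hosts.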
Question 6: Do people underestimate the dangers of social media security?
Scott Helme and I filmed two different episodes in late 2017 dealing with exactly this: how much personal information is available online and, not that surprisingly, provided by us.
The challenge is that humans are social beings. We want to share our achievements with our friends and family, our community, and the Internet has just made this easier. Our communities are larger because of social media sites and our ever more connected world. Unfortunately, not everyone liking our photos has innocent intentions.
We need to recognise that the information we put online can often be viewed by a larger audience, and is almost impossible to remove.
We can enable privacy settings and limit our audience on our social media accounts. However, remember that platforms can be compromised, our contacts can share further, and not-so-positive motivations exist in our communities. Next time you are uploading images or information, think before you post.
Are you happy with the world to know this information?
If not, is there any way you can minimise this information?
I'm not saying don't use social media at all, I mean half my job revolves around it! I'm just saying be mindful of the information you are making available, and whether you are comfortable with others knowing it.
Question 7: How safe is sexting and sending nudes?
It's your life, and your body, and you have a right to do as you wish with it. My advice here is simply think before sending.
Realise that when you send data to someone, no matter what it is, you are losing control of that data. If you're sending photos, you should trust that the person(s) you're sending them to will honour your wishes.
Secondly, the company that owns the software you and the receiver use will also need to be trusted. Using apps such as Threema, which is end-to-end (E2E) encrypted, will assist in keeping the communication secure. E2E encrypted means only the end devices in the chat, yours and theirs, can receive and decrypt the message. However, it does not mean the recipient cannot send it onwards.
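To make that last distinction concrete, here is a small Go model of what E2E encryption does and does not give you. It is an added example, not code from the original post and not Threema's protocol: Alice encrypts a message on her device to Bob's X25519 public key, the relay server in between stores only ciphertext that it cannot open even with a key pair of its own, and Bob, once he has decrypted it, can forward the plaintext to Carol regardless. Deriving the AES-256-GCM key as SHA-256 over the shared secret is a simplification assumed for the demo; real messengers use HKDF and key ratcheting.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Party is one chat participant holding an X25519 key pair (constructed demo).
type Party struct{ priv *ecdh.PrivateKey }

func NewParty() *Party {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // only fails if the OS entropy source is unavailable
	}
	return &Party{priv: priv}
}

// Public is the key a party publishes so others can encrypt to them.
func (p *Party) Public() *ecdh.PublicKey { return p.priv.PublicKey() }

// aead derives an AES-256-GCM cipher from the X25519 shared secret with peer.
// Assumption: SHA-256 over a label plus the secret stands in for a real KDF.
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := p.priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(append([]byte("e2e-demo-v1"), secret...))
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext for peer. The random nonce is prepended so the
// receiver can recover it; GCM's tag detects any tampering in transit.
func (p *Party) Seal(peer *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message that peer sealed for this party.
func (p *Party) Open(peer *ecdh.PublicKey, msg []byte) ([]byte, error) {
	gcm, err := p.aead(peer)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(msg) >= n {
		return gcm.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, errors.New("message too short")
}

// Result records what each side of the exchange was able to read.
type Result struct {
	RelaySeesPlaintext bool   // do the stored bytes contain the message?
	RelayCanDecrypt    bool   // can the relay open it with a key of its own?
	BobReads           string // what the intended recipient recovered
	CarolReads         string // what a third person got after Bob forwarded it
}

// RunDemo sends one message from Alice to Bob through a relay that only
// stores ciphertext, then has Bob forward what he decrypted on to Carol.
func RunDemo() (Result, error) {
	alice, bob, relay := NewParty(), NewParty(), NewParty()
	inbox := map[string][]byte{} // the provider's server: bytes in, bytes out
	msg := []byte("constructed sample message: meet at 7")
	sealed, err := alice.Seal(bob.Public(), msg)
	if err != nil {
		return Result{}, err
	}
	inbox["bob"] = sealed
	// The relay has a key pair of its own, yet cannot open the message:
	// only Bob's private key matches what Alice encrypted to.
	_, relayErr := relay.Open(alice.Public(), inbox["bob"])
	plain, err := bob.Open(alice.Public(), inbox["bob"])
	if err != nil {
		return Result{}, err
	}
	// E2E protects the message in transit only: once Bob holds the plaintext,
	// nothing stops him forwarding it (or a screenshot of it) to Carol.
	inbox["carol"] = plain
	return Result{
		RelaySeesPlaintext: bytes.Contains(inbox["bob"], msg),
		RelayCanDecrypt:    relayErr == nil,
		BobReads:           string(plain),
		CarolReads:         string(inbox["carol"]),
	}, nil
}
```

RunDemo returns RelaySeesPlaintext and RelayCanDecrypt both false while BobReads and CarolReads both hold the message: the provider is blind to the content, but the trust you place in the person at the other end is not something the cryptography can enforce.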
My friend Dr. Jessica Barker also made a great point: if you're sending nude images, removing identifying features can help if the image is lost, such as not including your face, birthmarks or tattoos.
Remember, when you put things online there will always be a risk they are lost; even big sites fail sometimes. In the event that your image is lost or someone is attempting to use it against you (see sextortion), remember that, no matter what, you are worth more than the number of people who have seen you naked. It's just skin, and although at the time it may feel like your world is ending, I can promise you it isn't.
Many people have fallen victim to malicious actors doing this exact same thing. If someone is attempting to shame you for a decision made, remember you are not alone, and there are organisations such as The Badass Army, to help.
Question 8: Have you ever been hacked?
I am human; even worse, I'm an outspoken woman. I have had malicious actors target me, but there are also communities out there that simply don't like the success of others.
Nothing is 100% secure, but you can take back control by enabling things such as multi-factor authentication and auditing the information you have online. There are services such as Have I Been Pwned? which are excellent resources.
I've even written a blog post dedicated to personal security here.
Question 9: What advice do you give to people to keep them secure online?
Start by reviewing what accounts and information you have online. Close accounts you no longer need, and remove information that you don't want shared.
Next, enable multi-factor authentication, and review security settings such as Trusted Contacts.
Terms and Conditions are hard to understand, but resources such as the Children's Commissioner's campaigns on keeping children safe online can help.
Lastly, be proactive. The unknown can be absolutely terrifying, but knowledge can enable you and your family to be more secure. Again, check out The Essential Guide to Digital Privacy for You and Your Family.
Question 10: What's it like being a woman in this industry?
When I started I didn't know where to look for support. I didn't have role models in the industry, and I was told so often that women couldn't succeed, to the point that I began to believe it.
There are communities online, meet up groups, and brilliant organisations that promote diversity. They can remove this sexist and completely inaccurate noise.
Fun fact: building a diverse team makes your company and their solutions more secure!
When you're alone, anything can feel insurmountable, but as a community we can overcome.