The percentage of the population that is tech savvy is higher than ever. Across the world grandmothers know how to tweet using their iPhones and they no longer make a funny face when told to “Google” something. Progress.
Our level of dependence on computer systems in business and industry is deeply ingrained. Computers are everywhere and they now power the infrastructure and processes that make everything function. The more we come to depend on these systems, the higher the stakes will be when someone tries to harm us by hacking them.
Behind the internet of networked computers that everyone sees and uses on a daily basis lies another, deeper realm that can be collectively termed the Underground Internet. This underground consists of the Deep Web and the Dark Web.
The Deep Web is the collection of information that is available on networked computers, but is not indexed by search engines and other typical data-retrieval tools.
The Dark Web consists of overlay networks that use the same infrastructure as the public web but require special tools and knowledge to access. Both lie beyond the casual reach of the typical Internet user.
“The Underground Internet is beginning to spill over into the mainstream web”
The Underground Internet is a playground for hackers. It has troves of information that never were intended to be publicly shared that can be used to create havoc in the physical world. It also contains a wealth of information that can be used to gain even more sensitive data from private networks and computers – information that could fuel the most successful hacking attacks.
A look at the world’s worst hacks reveals a common pattern: these hacks were mostly not accomplished by using sophisticated hacking tools or brute force attacks on security mechanisms. Consider one of the worst attempts – the 2012 attack on Saudi Aramco, one of the world’s largest oil companies. Within hours, nearly 35,000 distinct computer systems had their functionality crippled or destroyed, causing a massive disruption to the world’s oil supply chain. It was made possible by an employee that was fooled into clicking a bogus link sent in an email. This is social engineering.
Believe it or not, 90% of hacking is social engineering, and it is the human elements in your organisation that are going to determine how difficult, or how easy, it will be to hack you. We – the users – are the weakest link in the chain of computing trust, imperfect by nature. All of the security software and hardware in the world will not keep a door shut if an authorised user can be convinced to open it.
The good news is that there are patterns that we can look at and, in some cases, use to predict where the next attack may fall. Experienced hackers don’t concern themselves much with your firewalls, anti-spyware software, anti-virus software or encryption technology. They want to know whether your management personnel are frequently shuffled; whether your employees are dissatisfied; whether nepotism is tolerated and whether your IT managers have stagnated in their training and self-improvement. They want to know what level of transparency exists within the corporation and how bloated your chain of command is. In short – they want to know how healthy and nimble your organisation is.
While any individual or organisation is susceptible to an attack at any time, hackers, like anyone else, will tend to go after the low-hanging fruit. Why go after a tightly-knit organisation of competent, satisfied professionals supported by a stable IT staff unless there is a tremendous and unique payoff promised? There would be greater risk involved and the chances of success would be low. Instead they will target an organisation with identified human and structural vulnerabilities.
“Shocking types of information that used to be available only for a price on the Dark Web can now be found using simple web searches”
To make this identification, hackers have traditionally turned to the Underground Internet. But recently it has started to become even easier, as the Underground Internet is beginning to spill over into the mainstream web. Shocking types of information that used to be available only for a price on the Dark Web can now be found using simple web searches or mobile apps and can be found by anyone. While some of this information may seem innocuous to the untrained eye, the fact is that much of it is manna falling from hacker heaven.
What this means is that protecting systems and networks against successful attacks just got harder, and will require us to take a good look at ourselves and our organisations. IT professionals are accustomed to securing hardware and software. But how well do you know the human side of your organisation? Is there information about your organisation out there, right now, migrating out of the Underground Internet to appear in simple web searches? Does this information make your organisation an attractive target?
Answering these questions honestly and taking the time to find out for ourselves what information is already available about us needs to become required best practice for IT security. We are accustomed to securing systems and networks against sophisticated teams of hackers. But information wants to be free; just like water it will flow freely once released from its container. Are you prepared for a world where grandma or anyone else can quickly obtain, on the wide open web, all of the necessary information for a social engineering hack? Is your organisation prepared?
The Security King
Internet security king John McAfee became a household name and enormously wealthy as his software businesses rocketed in the Eighties and Nineties.
John McAfee, 70, worked for NASA and Lockheed before developing the first anti-virus programme after discovering a copy of the ‘Brain’ virus. His fortune of $100 million (£67m) was built by giving away his software free, but charging for updates. He later moved to Belize in 2007 to develop natural antibiotics, but went on the run after being wanted for questioning over a murder of a neighbour. He has since moved back to the US and Belize authorities have seized his assets, but have not sought to pursue charges.
Don’t forget to lock the back door!
THE FBI is demanding Apple unlock the security to an iPhone used by US terrorist Syed Farook, who murdered 14 and injured 22 in December 2015.
US justice officials say it is a reasonable request to gain evidence from a single phone, but Apple boss Tim Cook, is refusing, claiming the FBI is demanding “a master key” that could be used to unlock hundreds of millions of iPhones.
Apple will fight the order to build a custom version of the company’s famous iOS software all the way to the Supreme Court, he says.
Other top tech CEOs including Mark Zuckerberg of Facebook, Sundar Pichai of Google and Jack Dorsey of Twitter have supported Apple along with the American Civil Liberties Union. But Microsoft’s Bill Gates has sided with the US Government saying: “This is a specific case where the Government is asking for access to information. They are not asking for some general thing, they are asking for a particular case.”
Here John McAfee gives his view:
“It has finally come to this. After years of arguments by virtually every industry specialist that back doors will be a bigger boon to hackers and to our nation’s enemies than publishing our nuclear codes and giving the keys to all of our military weapons to the Russians and the Chinese, our Government has chosen, once again, not to listen to the minds that have created the glue that holds this world together.
The US Government has ordered a disarmament of our already ancient cyber security and cyber defense systems, and it is asking us to take a walk into that near horizon where cyber war is unquestionably waiting, with nothing more than harsh words as a weapon and the hope that our enemies will take pity at our unarmed condition and treat us fairly. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable. The Government is asking Apple to hack our own users and undermine decades of security advancements that protect our customers — including tens of millions of American citizens — from sophisticated hackers and cyber criminals.
The same engineers who built strong encryption into the iPhone to protect our users would, ironically, be ordered to weaken those protections and make our users less safe. In spite of the FBI’s claim that it would protect the back door, we all know that’s impossible. There are bad apples everywhere, and there only needs to be one in the US Government. Then a few million dollars, some beautiful women (or men), and a yacht trip to the Caribbean might be all it takes for our enemies to have full access to our secrets.
With all due respect to Tim Cook and Apple, I work with a team of the best hackers on the planet. I would eat my shoe on the Neil Cavuto show if we could not break the encryption on the San Bernardino phone. This is a pure and simple fact. So here is my offer to the FBI. I will, free of charge, decrypt the information on the San Bernardino phone, with my team. We will primarily use social engineering, and it will take us three weeks. If you accept my offer, then you will not need to ask Apple to place a back door in its product, which will be the beginning of the end of America.”