Ethical


#hacking | Insight from an ethical hacker

Source: National Cyber Security – Produced By Gregory Evans

As the internet grows, it becomes more and more difficult to physically house the real-world hardware that stores and manages its content. To understand what technology has sprung up to meet this need, and to learn more about the ethics of hacking, we spoke with Craig Stevenson, CEO at HyperQube Technologies.

ABERMAN: I’m looking forward to learning about HyperQube, but tell me first: what exactly is virtualization?

STEVENSON: Virtualization is a technology that many billion-dollar companies have been built on the backs of. So, in the beginning, you had one server for every single website, so you can imagine how many websites there are out there today. Imagine if every single one of those required at least a single physical computer. There wouldn’t be enough space to house it all. So, what people soon figured out was, 90 percent of the time, the computer they were running, for example, a website on, was only operating at 10 percent of its capacity, or maybe even less.

So what would be great is if you could take that other 90 percent, and essentially turn them into other computers. So, what virtualization does is, it takes one piece of hardware, and allows you, rather than just having one computer, to have a bunch of smaller computers that can scale up and down based on demand.

ABERMAN: And that’s effectively what Amazon Web Services is doing, right? Just basically renting slices of time on a large computer, as, effectively, little computers that run for specific moments and specific tasks.

STEVENSON: Absolutely. They’ve managed to build a rather nice business off the back of that piece of technology.

ABERMAN: Yes they have, and they continue to. And rumor has it that they’re coming to start here. I’m looking forward to that. But, HyperQube. How exactly are you using this technology to grow business here in the region?

STEVENSON: Sure. So, this is a really powerful technology, but the tools for producing and consuming this technology have all been aimed at highly skilled developers, which means it takes a long time before you can do anything productive with it. And what HyperQube is trying to do is, if I can describe a computer network to you in 30 seconds using plain English, it should only take you 30 seconds to build it and deploy it into any cloud of your choice. You shouldn’t need to know how that particular cloud works. That’s our end goal. I’m a firm believer that there are millions of potential customers for this technology that are currently being untapped, because of the specialized skills it requires to do anything with it.

ABERMAN: So, just to make sure I’m understanding this properly: if I set up an I.T. system in an organization, I’m going to have servers in the cloud, I may have servers in my office some place, I’ll have a lot of client computers, I’m going to have mobile devices, printers, all these different things that will be integrated into a single system. And that sounds to me like I’ve got a couple of problems, then. One, I’ve got to make sure everything operates together, but then two, I’ve got to make sure that my cyber security systems are properly deployed.

So, what you’re telling me is that I either have to have all that stuff built and integrated in the real world, and then I can apply cybersecurity technologies to see if they work. Or, I can create a virtual network that behaves as if it was real, and then I can apply cybersecurity technology and other things against it, to make sure that the system is safe and works properly. Is that what you’re doing?


STEVENSON: Yeah, that’s correct. Only organizations that had an incredible amount of resources at their disposal used to be able to do that. So, they’d build an entire test copy of something physical, essentially a duplicate of what they were going to be deploying in the field, make sure everything works, before they put it in the field. Then virtualization came along. And so now, they were building virtual copies of things before they were putting it in the field, but it still required a huge team of virtualization engineers. And what I’m trying to get to is, anybody who has the vocabulary to just describe a network should be able to build a copy of it, run tests on it, and figure out what to do.

ABERMAN: I’ve seen, in addition to your business, a fair number of startups over the last couple of years grow, a number who’ve been sold now, around this concept of creating virtual machines, virtual networks and so forth. It seems to me that this is a particular strength in our region, and perhaps one of the reasons why Amazon Web Services is growing so rapidly here. What is it about our region that creates the kind of software and engineering talent that’s suitable for this type of field?

STEVENSON: A lot of it came out of the government, but I mean, the Internet started here. You know, if you drive out the Dulles Toll Road to Sterling, Virginia; that literally is where the Internet is. Like, every time you access a Web site, there is a physical computer somewhere that that thing is running on, and most of the time, that happens to be in what’s called data center alley, out in Sterling, Virginia. So like, when you watch Netflix, those bits live in Virginia, and get streamed to your house. So, there’s just a ton of talent in and around that space in the area.

ABERMAN: For the less technical, it’s like in the ocean, where you have a heat vent on the ocean floor, and a lot of life because it’s warm. The Internet, as well, had an effect where the bandwidth is broadest, right in our region. So it literally creates this concentration of highly technically skilled people who are comfortable with the Internet. So, I think that gives us an idea of where the talent comes from. You’re in cybersecurity, and I was really interested, and I looked at your LinkedIn bio, to see that you described yourself, in fact you certify yourself as, an ethical hacker. Which, to my mind, is an oxymoron I guess. But, explain to me what an ethical hacker is, or why somebody would put that on their LinkedIn profile.

STEVENSON: The term hacker has sort of been taken over to mean something bad these days, but it never used to. Hacker was just a person who liked to take things apart, and figure out how they worked. And so, there’s actually just a certification that anyone can go take a test and get, that makes you a Certified Ethical Hacker. But the idea there is, we’re the good guys. So, when bad things show up and people want to figure out how they work, the good guys take it apart and figure out, essentially, hack it to figure out how it works.

ABERMAN: I love the concept of good guys, bad guys. Which really leads me to think out loud with you: sounds to me like cybersecurity is an arms race, or it’s a fight between the good guys and bad guys. Do you think it’s a fight that can be won?

STEVENSON: I wouldn’t say it’s a fight that can be won. I’d say it’s a battle that’s never going to stop. Like, good guys figure out some way to stop something, bad guys figure out a way around it. It’s just an arms race back and forth. But the good guys are getting a lot better these days. Companies are starting to care a lot more, so there’s a lot more resources being thrown at solving good guy problems.

ABERMAN: What do you think is changing in corporate America that’s caused people to focus on this more?

STEVENSON: A lot of companies lost a lot of market capitalization from getting hacked. It’s really just incentives. Well, there’s two things going on. One: everything is connected to everything. So theoretically, from my phone, there’s a path to important corporate data on some corporate network. There’s a lot of things in between me and them to stop me from getting access to it. But theoretically, it’s all connected. So that’s one, that’s number one. And then number two, the bad guys are starting to have a huge financial incentive to go get that data. It’s all about incentives. Like if I’m a hacker, it’s a business. I’m trying to figure out what data can I steal, and how much can I sell it for. And that determines how much resources I can throw at stealing it. These days, the data sitting inside of companies could be worth billions of dollars. So that means, if there’s data out there worth a billion dollars, I can spend 100 million dollars trying to go after it.

ABERMAN: You know what’s interesting to me about this whole issue of data is that the data is actually most valuable in the hands of the people that have legitimate businesses. The actual value of hacked data, on a per data bit basis, is actually very low. So really, you would think that businesses would have a lot more incentives here to protect their data than the bad guys would, trying to get after it.

STEVENSON: And in fact, that’s something that’s happening now. So, everyone hears about ransomware. The economic flip that happened there, bad guys realized that stealing someone’s data is worth X, but preventing that person from accessing their data was worth way more. So, I could go into an enterprise, and I could take a copy of all their data, and the enterprise would say, good luck, do whatever you want with that. But if I go into an enterprise, and I lock everything so they can’t get access to their own data, all of a sudden, that’s a huge economic problem for that enterprise.

ABERMAN: Craig, before I let you go: we have listeners that are starting businesses, tech businesses, right now. What would be your best advice for them? What’s the biggest lesson you learned that you think they should all be aware of?

STEVENSON: You’re going to be wrong a lot in the creation and running of your business. And there’s tons of companies out there that fail because they got something wrong and they kept plugging at it, even though the market was telling them a different lesson. So, I would say the biggest thing we’ve learned so far is: run experiments to determine whether or not what you think is correct. And if the market is telling you you’re incorrect, fail, and fail fast, and move on. And this is actually one of the biggest advantages startups have over large enterprises. A large enterprise will throw a hundred million dollars down the hole because somebody had an idea, and they won’t let it go. Well, as a startup, we’ll throw 200 dollars at that idea, and very quickly find out if it’s wrong, and move on to the next thing.

ABERMAN: So, embrace the ups of a startup, but also the downs of a startup, in order to truly learn.

STEVENSON: Absolutely.

ABERMAN: That’s great advice. Craig Stevenson from HyperQube Technologies, thanks for joining us today.

Copyright © 2019 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.


The post #hacking | Insight from an ethical hacker appeared first on National Cyber Security.


#hacking | Ethical Hacking is Evolving – Here’s How Your Company Can Keep Up


With the global cost of cybercrime expected to surpass $2 trillion by the end of 2019, it’s no surprise that organizations have sought out unconventional cybersecurity strategies. For years, businesses have encouraged — and even hired on — hackers to unearth their digital vulnerabilities.

To be clear, these hackers aren’t bad guys turned good. Ethical, or white hat, hackers use their computer security expertise to hack into organizations’ digital infrastructure and identify cybersecurity weaknesses, rather than exploit them. The profession isn’t necessarily new, but the ethics surrounding it have begun to evolve.

While 75% of white hat hackers say that no amount of money could turn them into black hat hackers, that leaves 1 in 4 ethical hackers who would switch their hats for the right price — or more recently, the right cause.

While that isn’t to say that all ethical hackers are easily swayed, the promise of a hefty payout or even “hacktivist” glory can be attractive. With this knowledge in mind and sensitive data on the line, businesses must reassess their ethical hacking practices. Before communicating with outside ethical hackers or bringing an ethical hacker onto your team, consider how you can best ensure this practice isn’t endangering your organization’s data.


How to hire an ethical hacker

Companies have offered bug bounties to outside hackers for years, but it’s different to invite a white hat into the office — and behind your security perimeter. When hiring an ethical hacker, organizations should reinforce all of the precautions usually taken during the onboarding process to ensure their data and their customers’ data are protected.

Remember, ethical hacking is an increasingly accepted and legitimate profession. Therefore, be careful not to treat an ethical hacker like a former (or current) criminal. While the nature of their duties is historically “bad,” that doesn’t warrant a set of guidelines separate from their coworkers. Doing so makes an already traditionally solitary role even more isolating and could make them feel like they are doing something wrong when they are actually helping your business.

Just as you would for any employee that handles or has access to sensitive company data, be sure to make it clear in the ethical hacker’s contract that legal action or other serious consequences are possible should they misuse company data and information. Be sure to thoroughly check their references and obtain a comprehensive history of their career to cover your bases.


It’s also critical that you make an effort to ensure that other employees do not perceive their new coworker as dangerous or untrustworthy because of the nature of their work. Encourage trust and familiarity with team-building exercises throughout the company and education initiatives that help everyone understand the projects the ethical hacker is working on. When there is visibility into what the ethical hacker actually does, the employee feels supported and accepted — and leadership has extra reassurance that the hacking remains ethical.

Approach outside ethical hackers with a set protocol

While you’re rethinking your organization’s policies toward hiring ethical hackers, it’s worth considering how you deal with outside white hats too. Some organizations offer “bug bounties” to those who can find previously unnoticed vulnerabilities in their digital infrastructure. It could be dangerous to overlook these independently operating hackers — over 70% of cyber attacks are financially motivated, so having some sort of compensation is a best practice.

Organizations must be open to all security opportunities

In an environment where cyberattacks are only set to increase, being open to the latest cybersecurity strategies is essential to protecting the digital infrastructure of your organization. While there are some risks that come with ethical hacking, having someone who thinks like and is equipped with the same skills as the bad guys might be the best way to keep your information safe from them.


The post #hacking | Ethical Hacking is Evolving – Here’s How Your Company Can Keep Up appeared first on National Cyber Security.


At Berkeley, a #New Generation of #Ethical Hackers Learns to #Wage #Cyberwar


“Whenever I teach a security class, it happens that there is something going on in the news cycle that ties into it,” Doug Tygar, a computer-science professor at the University of California, Berkeley, told me recently. Pedagogically speaking, this has been an especially fruitful year. So far in 2017, the Identity Theft Resource Center, an American nonprofit, has tallied more than eleven hundred data breaches, the highest number since 2005. The organization’s running list of victims includes health-care providers, fast-food franchises, multinational banks, public high schools and private colleges, a family-run chocolatier, an e-cigarette distributor, and the U.S. Air Force. In all, at least a hundred and seventy-one million records have been compromised. Nearly eighty-five per cent of those can be traced to a single catastrophic breach at the credit-reporting agency Equifax. That hack was reported in early September—just as Tygar and his students were settling into the third week of a new course called “Cyberwar.”

The purpose of the course, according to Tygar’s faculty Web page, is to teach Berkeley’s budding computer scientists to “forensically examine real cyberwar attacks” with an eye toward preventing them. Occasionally, this might mean mounting attacks of their own. Penal codes around the U.S. are not especially lenient when it comes to cybercrime; in some states, certain computer crimes are considered Class C felonies, on par with arson and kidnapping. So, for the hands-on portion of their studies, Tygar’s students rely on HackerOne, a sort of marketplace-cum-social-network devoted to “ethical hacking.” Companies, organizations, and government agencies use the site to solicit help identifying vulnerabilities in their products––or, as Tygar put it, “subject themselves to the indignity of having undergraduate students try to hack them.” In exchange for information about what they’re doing wrong, many of these clients offer monetary rewards, known as bug bounties. Since 2012, when HackerOne was launched, its hundred thousand or so testers have earned a total of twenty-two million dollars, a figure that the platform’s Dutch-born founders, Jobert Abma and Michiel Prins, hope to quintuple by 2020. For Tygar’s students, there is an added incentive: every bug they catch through HackerOne also gets them points toward their final grades.

Late last month, about fifty “Cyberwar” students, shouldering overstuffed backpacks and dressed in various forms of U.C.-stamped apparel, gathered in a nineteenth-century building on campus for a “hack night.” HackerOne swag was sprinkled across the desks—T-shirts, laptop-camera covers, branded fidget spinners. Tygar darted around the room in a sweaty teal polo shirt and Birkenstocks, enlisting volunteers to set up stacks of boxed pizza and distribute cans of soda. Once fortified, the students set about looking for bugs. HackerOne had sent a cadre of cybersecurity professionals––most skinny young men, most wearing sweatshirts––to provide counsel. One of them, Tanner Emek, an engineer at the personal-finance company NerdWallet, had recently received a fourteen-thousand-dollar bounty at Def Con, an annual hacker convention in Las Vegas, for discovering a flaw in Salesforce, a platform for customer-relationship management. (“It’s definitely fixed,” Emek assured me.)

Tygar’s students were after more modest prizes. “There are certain companies that are considered low-hanging fruit for hackers,” Vy-An Phan, a junior, explained. “For me, state Web sites and local-government Web sites, are, like, the fruit that’s already fallen onto the ground.” Although HackerOne’s government clients tend not to offer cash bounties, Phan had decided to focus on various secretary-of-state Web sites around the country, which house tools central to the electoral process—voter registration, ballot measures, candidate information, Election Day guidelines. So far, she had found eight bugs spread across four sites. One was a clickjacking vulnerability, in which a user might be unwittingly manipulated into clicking something undesirable. Several others were cross-site-scripting (XSS) vulnerabilities, an especially flexible and malicious type of attack, in which hackers inject their own code into a domain or Web application. “I could trick someone into registering for the wrong party, or not registering at all,” Phan said. “It all really depends on what I want to do.”

Across the room, two exchange students from China’s Wuhan University were testing the U.S. Department of Defense’s Web site. “We’re just finding bugs,” Angus Zhu, a junior, said cheerfully. He and his classmate, Farlui Li, had discovered that part of the site was susceptible to XSS attacks, making it relatively easy for a malicious actor to steal data from other visitors’ browsers and impersonate them. Zhu and Li were also testing social networks such as Facebook, Twitter, and Quora for vulnerability to homograph attacks, in which hackers use similar-looking characters from different writing systems to confuse their targets. The technique is particularly popular in e-mail phishing scams. If, for instance, a hacker wanted to fool people into handing over their credit-card information, he might send them a link to a fake version of Paypal.com, replacing the Latin letters in the URL with Cyrillic look-alikes—the English “p” for the Slavic “р,” which actually sounds like “r”; the English “y” for the Slavic “у,” which sounds like “u”; and so on.

Christian Ng, a freshman, was sifting through the source code of a venture-backed cryptocurrency platform. He seemed unimpressed. “They were using Flash, which is notoriously insecure,” he said. “If I can inject code into the Flash object, I can create an XSS vulnerability.” Attackers could theoretically use such a vulnerability to steal transaction or bank-account data––and Ng could receive a bounty of as much as seventy-five hundred dollars for finding it. A few tables away, Jobel Kyle Vecino, a junior, was working with a partner to hack into a children’s entertainment site. “Our line of thinking is that the parts of the Web site that are primarily for the children are probably not very well tested,” he said. (In July, after a number of Internet-connected smart dolls and stuffed animals were found to harbor security flaws, the F.B.I. released a public-service announcement warning about “opportunities for child identity fraud.”)

Abma, the HackerOne co-founder, had been pairing up with students throughout the evening. Now, sitting at the back of the classroom, he told me that some of them had the potential to become “really successful” hackers. But he also expressed some skepticism. “Persistence and creativity and the drive to keep going are things that are really hard to teach someone,” he told me. He likened hacking to a Rubik’s Cube: “You don’t know how to do it, necessarily, but you know there’s a solution.” For Tygar, the solutions themselves are less important than the experience and perspective that “Cyberwar” will provide his students. “We’ve all read the news with these reports that Russian hackers broke into infrastructure that’s helping to support the integrity of elections,” he said. “It puts a whole other twist on it when you think that undergraduate students in college can also break in.”

The post At Berkeley, a #New Generation of #Ethical Hackers Learns to #Wage #Cyberwar appeared first on National Cyber Security Ventures.


‘The #weakest part of #security is us’ – #Ethical hacker on the #fight against #cyber attacks


‘The weakest part of security is us’

This was the message from ethical hacker Mike G.

Speaking at the Irish Independent annual Dublin Information Sec cyber-security event taking place in Dublin today, Mike G, who helps organisations in their fight against cyber security and hacking, said that humans are very easily hacked.

Citing the hacking of US actress Jennifer Lawrence’s Apple iCloud, Mike G said that the hacking was done through the actress’s password for iCloud being her dog’s name, and the fact that Ms Lawrence had posted a picture of her dog on Instagram – the hacker went from there and leaked photos apparently showing her in the nude on the internet.

In addition, bad systems design and/or insecure security policies can leave people and organisations vulnerable to hacking.

Mike G, who describes himself as a pilot, engineer, and ethical hacker, described the various ways in which hackers can gain information about a person or a company, including through social media, certain types of jobs – “sales people often give out everything” – and even job listings.

In a sobering talk, he listed spoofing texts, calls and emails among the ways in which people and companies can get hacked.

In addition, he said that anything can get hacked, including PINs, biometrics, TVs, and even our Fitbits.

However, when a person’s phone can be taken over, it’s “huge”, he said.

In what was a stark message to businesses, Mike G asked those present at the event whether their company would be able to recover if the competition had all of their data?

However, the news from the ethical hacker was not all bad.

Mike G and his team do a lot of forensic planning, providing, among other services, cyber security awareness training and impact penetration testing to show companies their weak spots and how these can be overcome.

The post ‘The #weakest part of #security is us’ – #Ethical hacker on the #fight against #cyber attacks appeared first on National Cyber Security Ventures.


Licensed to hack: Singapore looks into registration scheme for ethical hackers


Ethical hackers in Singapore could soon require a license to get their hands dirty, so to speak. The small Asian nation is currently requesting feedback on a proposed cybersecurity bill which will see ethical hackers having to obtain a license to do their work, and although it could seem quite…

The post Licensed to hack: Singapore looks into registration scheme for ethical hackers appeared first on National Cyber Security Ventures.


When Is Hacking Ethical?

When is hacking ethical? Let’s start with a couple basic definitions. Hacking is using a computer to gain unauthorized access to data …

The post When Is Hacking Ethical? appeared first on Become007.com.


ETHICAL HACKERS RAISE MONEY TO HELP REPEAL BILL REDUCING INTERNET PRIVACY


A UTD group called Ethical Hackers is donating the profits from its first annual fundraiser to protest a federal bill overturning previous Federal Communications Commission regulations protecting consumer privacy. On …

The post ETHICAL HACKERS RAISE MONEY TO HELP REPEAL BILL REDUCING INTERNET PRIVACY appeared first on National Cyber Security Ventures.


GSA to join DoD in hiring ethical hackers to find cyber vulnerabilities


The federal market for “white hat” hackers continues to grow. Not only are ethical security burglars popular in the Defense Department, but now the General Services Administration’s Technology Transformation Service (TTS) is setting up a bug bounty program. TTS issued …

The post GSA to join DoD in hiring ethical hackers to find cyber vulnerabilities appeared first on National Cyber Security Ventures.


Ethical hacking in the age of cyber warfare


The ease with which one can hack just about anything online is remarkable in its speed, simplicity and availability.
“It’s more than easy,” said ethical hacker and cyber security expert Bryan Seely. “It’s almost embarrassing.”
Among other things, Seely

The post Ethical hacking in the age of cyber warfare appeared first on National Cyber Security Ventures.


An ethical hacker at one of the world’s biggest tech companies


Charles Henderson gets paid to think like a bad guy. As an ethical hacker for IBM, Henderson’s job is to break into networks, applications, or physical locations to figure out how a real attacker would go about their work, exposing flaws and the impact those flaws might have on an organization’s security. Given the increase in cyber attacks and the need to bolster cyber security, there’s been a steady shift in corporations hiring their own hackers to “pen-test” (penetration test) online systems, networks, and physical locations, IBM says. In fact, Henderson is just one of the 1,000 security specialists the tech giant hired in 2015.

We recently spoke to Henderson, 40, about what it’s really like to be a hacker for IBM. Here’s what he had to say:

“Let me start by saying, I was a curious kid”

“I grew up and still live in Austin, Texas, which has become a haven for young technologists with its vibrant computer security scene. I attended the University of Texas and studied Computer Science.

“When I was 11, my father brought home our first computer. Within a week, I had become an active participant on the Bulletin Board Systems (BBS). Using these bulletin […]

The post An ethical hacker at one of the world’s biggest tech companies appeared first on National Cyber Security.
