Angela Gunn, an old friend who is working as a security researcher these days was explaining some of the problems with traditional approaches to thinking about security. But she is focused on Hewlett-Packard’s latest push, which is to think like a bad guy trying to break into computer networks and databases.
We were both attending the HP Protect conference here, which spotlighted the “Think Like a Bad Guy” theme pretty much everywhere you looked. “Really,” she said, “you have to think like whoever the bad guy is working for.” My friend had a point. While it’s important to understand the cyber-criminal’s approach when they’re attacking you, the only way to really understand them is to understand their motivations. What is it they’re looking for when they break into your network?
I found out when I entered the conference display floor and wandered to the back of the room to the Bad Guys Lair. This required a walk through a smoke-filled corridor crisscrossed with laser beams to reach a bunch of people sitting around among pizza boxes, soda cans and bags of empty calories. These were the HP “Bad Guys.” I later found out that I could have gone around to the rear entrance and avoided the drama. Leave it to security guys and corporate hackers to engineer in an analog back door.
What I found there laid out clearly was what HP means about thinking like a bad guy. On a wall-sized screen were employment ads for low-level hackers to run a local mission, provide expertise in specific areas of some operating systems, or perhaps infiltrate an office and drop off a malware laden USB memory stick. On another screen there was page after page of ads for commercial software, but these packages were commercial malware designed to sniff out credit cards or passwords. These applications were sold and licensed just like software from big-name software companies.
Want an app to read credit card numbers from Firefox? That’ll be $500. Want one that does Firefox and Internet Explorer? You can upgrade for an additional $500. One of the security researchers, who we’ll call “Sam” (they don’t want their real names used in public) explained that one of his colleagues maintained between eight and 10 identities on those hacker websites so they can keep up with what’s current. Then he showed me where you can buy credit card numbers. Unfortunately, this illustrated just how easy it is to obtain those numbers, and how easy it is to create counterfeit credit cards.
He took a blank plastic card with a magnetic stripe, ran it through a device and created a blank credit card in less than five seconds. So I asked him how useful such a card would be. What he told me is enough to immediately stop using any card without an EMV chip.