Cyber Security Expert - Increased Hacking And Personal Security
May 28, 2013 1:01 p.m.
Jim Stickley, CTO and Vice President of Strategy & Solutions for Trace Security Inc.
CAVANAUGH: In the news today, a story about secret American weapons systems being compromised by hackers. Hackers in China have gained access to designs including those for combat aircraft, ships, and missile defenses. Organizations of all kinds are battling the threat from cyber criminals, and ordinary citizens are urged to be on the defense. One man who is working to increase awareness and help people and institutions become more secure online is my guest, cyber security expert Jim Stickley, vice president of Strategy and Solutions for Trace Systems Incorporated.
STICKLEY: Thank you for having me.
CAVANAUGH: One would think that the Pentagon would have developed an unbreakable system to guard the nation's secrets. Is that just impossible to create?
STICKLEY: I think it's absolutely impossible. If it wasn't, they would have done it. It just can't be done. Every time you think you've got something and you've got it locked down, there's a new vulnerability, a new risk, a new human aspect that opens it back up.
CAVANAUGH: Are these more of a challenge to hackers? Or are we beyond that when it comes to nations?
STICKLEY: When you're talking about nations, it's way beyond that. This is now a full-time job for thousands of people.
CAVANAUGH: Does the news about China hacking into U.S. weapons design surprise you?
STICKLEY: It's become the norm. Almost every month, you read about some sort of breach or something that's related to hacking.
CAVANAUGH: Several years ago, nations and big institutions -- I don't know, they seemed to be lagging behind a bit in technology. They weren't prepared for the potential threat of cyber crime. Would you say they are better prepared today?
STICKLEY: They're getting better. Definitely compared to the old days, much, much better. The problem is the technology is still so far ahead of the curve that they're continually playing catch-up. The problem is they need the security to go with it, and that's kind of, like, oh, yeah, we should put that on now.
CAVANAUGH: One more question about this Pentagon thing. When an organization like the Pentagon or our military organizations have designs for top-secret weapons, don't they go to somebody -- a very smart cyber person who will try to figure out what the vulnerabilities are in their system?
STICKLEY: Absolutely. The problem is, it's usually one little mistake. Somebody probably got a hold of them, unencrypted them, left them on a desktop, or something dumb, and that's all it takes.
CAVANAUGH: So a lot of what you find is dumb human error as opposed to some really big flaw in the program itself?
STICKLEY: That's exactly it. You always go for the low-hanging fruit. They have all the security everywhere, except for here this one little thing. And hackers have all day to just bang away until they find that one little thing.
CAVANAUGH: You're contracted by major companies to test vulnerabilities in their system. How does that work?
STICKLEY: Many different ways. A lot of the time, they'll have us go and just try to hack in, the same thing that hackers would do. Or they have their network set up and they say we want you to steal data. So tell us here's our network, you're the hacker, get in. And it's boring, not very exciting, but it still needs to be done. The other thing we'll do is physically go and rob places. I'll go in as a fire inspector at a bank, show my badge, come in, and once I'm in the door, my goal is to steal whatever they've hired me to steal without them knowing it.
CAVANAUGH: And you actually physically steal something or steal something from their computer system?
STICKLEY: Both. If they have backup tapes, that's the entire database of every customer they have, our job is done. Or we'll steal servers, pick up computers and carry them out of the bank. Or we'll leave behind equipment that will allow us to monitor what's going on on their network. So we can leave, but their computers are being controlled remotely by us.
CAVANAUGH: I saw you do something like that on a public computer, you put in a disk that was going to record all the keystrokes.
STICKLEY: That's a simple one. A lot of people don't realize when they use hotels, they'll use the publicly available computers, and most of those, hackers have already gotten into and put some trojan on it that monitors everything. All that is being stored, and hackers will monitor that, start accessing your e-mail, or get into other accounts of yours.
CAVANAUGH: Can you tell us some of the organizations that you worked with? No.
[ LAUGHTER ]
STICKLEY: Generally no. Most people don't like to have their names put in the public eye.
CAVANAUGH: But that would be recognizable?
STICKLEY: Oh, yes, from Fortune 50 up to anything. Across the board.
CAVANAUGH: And you go from this low-hanging fruit to seeing if there is a problem with their sophisticated software?
STICKLEY: Exactly. We'll do a lot of testing with online applications. So my job is to get a regular account like you would have and figure out how to take over everybody else's accounts from that. We run about a 90% success rate on being able to breach the systems.
CAVANAUGH: We had heard of hackers who have run into problems with the law and then started working with a company like this. That's not your history?
STICKLEY: No, I'm the exception to the rule. I had really, really strict parents.
[ LAUGHTER ]
STICKLEY: A good moral structure. I was definitely a curious kid. I had my run-ins as a punk, but I was never into writing viruses or stealing stuff. I just wanted access. So I spent all of my time just figuring how to get into systems, and once I was in, the fun was over.
CAVANAUGH: Did you always find a security problem?
STICKLEY: I'd say the majority of the time, yeah. It's rare that you get shut out.
CAVANAUGH: Even by programs that are aimed to do specifically that?
STICKLEY: Exactly. And the problem is, if you have all the time in the world to just bang away at something, you'll find something somewhere.
CAVANAUGH: Recently there was an elaborate scheme that used debit cards. Hackers hacked into the banking system, they changed the limit on prepaid cards and used them with that higher allowance. How much security do they have to get through to do that?
STICKLEY: They haven't specifically said. But it sounds like it was relatively low amounts of security because they targeted a third party. So the bank was using a third party for their software, and the hackers targeted that company, and they were able to get into the bank from that. And the thing with that that was so genius, instead of targeting your debit card, if I tried to rip it off, within a few minutes, the banks are going to notice, notify you, and shut the card down. But with the prepaid card, there's nobody to notify. So they're not really monitoring it. So hackers could pull all the money off very quickly, and no one is watching. And more important, they put more money onto the card, it just made it a money tree.
CAVANAUGH: What do you know about hackers and organizations of that nature? When it comes to nation states, that's done in a nefarious way. But are there worldwide organizations of hackers?
STICKLEY: Yeah, absolutely. There's organized crime, and most organized crime has gone into hacking on some level. Then there's groups like Anonymous. There's no figurehead of the group. If I'm a hacker, I can post on behalf of Anonymous, they get all the credit, it makes them look like this big, scary, organization. But anybody can be part of it.
CAVANAUGH: Is there any estimate as to how much companies lose when it comes to all the types of different hacking?
STICKLEY: I know there are statistics, I don't know them off the top of my head. I know it's a lot. Some studies recently talked about organizations and how they're just getting destroyed by hacking. And you don't really think about it. Oh, if somebody gets hacked, no big deal. But when you add it up, and you have thousands and thousands of people, it adds up very quickly.
CAVANAUGH: Much of the data that's hacked from banks seems to be focused on personal information of customers, Social Security numbers. Is there anything that we can do working with our banks to protect our personal information?
STICKLEY: The most important thing from your standpoint would be keeping your computer secure. And that starts with patches or updates. So many people don't patch or update their system ever. And you'll get little notices. So many people just click remind me later. And every time you're doing that, you're telling your computer I don't want to patch right now. But if you get a malicious e-mail or website, that's how your computer is compromised.
CAVANAUGH: Is there a significant majority of these patches related to upgrading your security system?
STICKLEY: Oh, yeah. The vast majority of them. And that's the problem also. It'll say a new update is available but it doesn't tell you what it is a lot of times. So you don't realize this update is a major security update.
CAVANAUGH: Besides updating our computer, how can we protect ourselves online? So much of our lives now involve the internet from banking to shopping.
STICKLEY: It's tough. Unless you never use your computer, there's no guaranteed fix. My family members have been compromised before, I know a lot of people who have. It just takes one little mistake. If you get an e-mail, and in the e-mail there's a link, and it says check out this funny website, just clicking the link alone, that one click you're already getting compromised because the minute it hits the website, it starts downloading malicious software on your computer, and you don't even see it happening.
CAVANAUGH: After you've done the dumb thing, is there any way to backtrack?
STICKLEY: You'll need a professional at that point. Sometimes your antivirus, you might get lucky, and it'll catch it and say hey, somebody is trying to do something bad. If it missed it, once it's done there's no putting the genie back in the bottle.
CAVANAUGH: Is there a special vulnerability involved in using smart phones and tablets for transactions that used to be done on computers in the fact that their security perhaps is not as -- not as many phones have security.
STICKLEY: Sure. The antivirus software made for tablets is still pretty weak at best. And there's definitely been malicious apps out there. I wrote one not too long ago that allowed me to -- you would install the app, you were just checking some e-mails, and in reality it would monitor all of your e-mails and send me your addresses. I could take your e-mail to a real website and click forgot my password. The app would send the e-mail from your phone and forward it to me. So I would get your password e-mailed to me through your app. People don't think about what these apps are going to be able to do, and it's unlimited.
CAVANAUGH: I see an awful lot of advertising to join some sort of organization that's going to help protect your identity. Are they -- do you find them valid? Do they work?
STICKLEY: Yeah, they do work. It's one of those things where you can do a lot of what they do yourself. Most of the time, if you have a homeowner's policy, it will cover identity theft.
CAVANAUGH: So you won't lose your house necessarily which you see on one of these ads. I only knew they was hacked into when I lost my house.
STICKLEY: That would be very bad. But as far as doing the rest of it, I consider it like getting a maid service. I could clean the house myself or hire a maid to clean my house. With the way they're monitoring, all they're doing is contacting the big three, Equifax and TransUnion, and they just do it every three months and update it. You could do that right now for free. Paying for it is just sometimes more convenient.
CAVANAUGH: It's not just only at home. Fake ATM machines? Is that a widespread problem?
STICKLEY: Most of the time, it's all just about the skimming. They'll put a skimmer device on a real ATM, and as you put your card in, it's recording the data. And another thing -- that's easy to do though, so I decided to make my own machine because I thought it would be funny. And I put them out on the streets in Austin, Texas, and we stole hundreds of cards. It was ridiculous how easy it was. The funny part about the machine, if they looked at it, there was no place for the money to come out.
[ LAUGHTER ]
STICKLEY: But people never got that far because it would just throw an error after they put their code in, and we would capture their information.
CAVANAUGH: A report earlier this month by Congress told of the potential threat of hackers bringing down the nation's power grid. Some thought the threat was being exaggerated.
STICKLEY: I don't believe that's exaggerated at all. You look at what happened with the exploit that happened in Iran where they basically were able to cripple their entire nuclear production facility, and it's just because nowadays you have so much equipment that is being run by computers. It's not like the old days where you have a centrifuge and it was manually operated. Everything is on the network. If you have hackers that infiltrate the network, they can start by leaving things on that aren't supposed to be left on. So suddenly things are just blowing up.
CAVANAUGH: Great way to end it.
[ LAUGHTER ]
CAVANAUGH: Cyber security expert Jim Stickley with Trace Security Incorporated, based here in San Diego. Thanks so much.
STICKLEY: My pleasure.