Hacker and Internet security guru Jeremiah Grossman thinks everyone should learn how to hack. Why? Because “every day, our country’s innovation is being stolen, our national security jeopardized, and your most personal information is being robbed – by computer hackers – malicious hackers.” Grossman said it’s “because hacking is easy. Because hacking works.” He is a self-proclaimed “Jedi as opposed to Sith” type of hacker who has been teaching all flavors of people how to hack. He’s extremely well known and respected for numerous reasons, including his yearly Top Ten Web Hacking Technique lists. Grossman is also the founder and Chief Technology Officer of WhiteHat Security.
If you have not seen his TED talk, then please take some time to do so. You won’t be disappointed.
Interview with Jeremiah Grossman:
Your excellent TED talk presented ‘Hack Yourself First’ to the masses and the same concept inspired you to start WhiteHat Security. The threat of being vulnerable to cyberattacks is real, but not everyone has the hacker mindset or the skill to break into their company computer systems in order to patch the holes making them vulnerable. Do you have a few starter suggestions for companies, or even people with ecommerce sites, to hack themselves first before the bad guys do?
Jeremiah Grossman: Actually, everyone can and should learn "how to hack" -- something, anything. It doesn't have to be the most sophisticated technique in the world, but you'd be amazed at how powerful and effective even the most simple hacks can be. Like the one I shared on stage during my TED talk.
As you say, it is true that it's difficult to learn about every attack the bad guys might throw at you. So the most important thing is to appreciate that you are, or will eventually be, in someone's crosshairs. If you are responsible for a commerce site, appoint someone to be responsible for its security. Someone who can approach computer security defense from the context of the adversary by understanding their methods and motivations.
You wrote that Rule #1 of recreational hacking is to 'Never ever, ever touch government or military systems.' That same rule, you said, "reminds curious hackers that the government, should they choose to track you down, has an enormous budget of time and money to do so – far more than any company, who all must eventually consider cost effectiveness of investigations. What it also means is that to hackers, the Jedi, government and military systems are like the forbidden fruit. So imagine the excitement if our government and military officials truly started to embrace 'Hack Yourself First' and offered up bug bounty programs!"
In this world of cybercrime, nation states engaged in espionage and offensive/defensive cyberwar measures, do you foresee the government offering monetary reward, a bug bounty for hacking the forbidden fruit, as opposed to say . . . prison time?
Jeremiah Grossman: I really hope so and I'll continue encouraging others, including our government, to offer "Hack Yourself First"-style bounty programs. Such programs would be far more effective in helping protect our government and military systems than threatening prison time. Companies such as PayPal, AT&T, Google, Mozilla and Facebook have already figured this out. They understand that there are lots of skilled people out there willing to hack them, and help them, if only allowed to do so. For just a few hundred or thousand dollars at a time, these companies are shutting down a myriad of ways the real bad guys could cause really serious monetary and reputation damage to an organization. I can see in the coming years hundreds of organizations following in their footsteps with regards to "Hack Yourself First."
WhiteHat Security finds the holes and tells companies and government agencies how to patch them. According to WhiteHat's 12th Website Security Statistics Report [PDF], you had good news: the data shows a massive drop in vulnerabilities. On the other hand, it highlights that hacking problems now fall more on the shoulders of businesses' security strategies, and those strategies are still based on 1990s and early 2000s thinking rather than what hackers are doing today. Other than companies in outright denial that anyone would want to hack them, what are the most common security blunders you see companies make before bringing in professionals to assure their business cannot be penetrated by malicious hackers?
Jeremiah Grossman: One of the most damaging things is a false sense of security, often caused by blindly following compliance standards. While compliance standards may be well intentioned, when you really think about it, at best they are a perpetual lagging indicator of how bad guys have previously compromised systems. Each year, new security controls must be purchased in order to comply with an increasingly large compliance checklist, and every year, the bad guys shift their tactics to get around them. Thereby, each year, IT security budgets must get bigger, while our adversaries' spending remains essentially flat. Today, defenders are spending 10x, probably 100x, more than what the bad guys need to spend to overcome those security controls. This all but ensures the bad guys will continue being successful.
To turn things around we must look at information security from an economics perspective. What can we do, less expensively, that drives up our adversaries' cost substantively? That requires understanding a lot about who exactly we are up against.
Web security is a constantly changing landscape of vulnerabilities. Every year security researchers come up with a plethora of new or revised hacking techniques and you compile the top 50 to 100 for voting upon the 10 most lethal hacks for that year. Do you see a pattern of reoccurring vulnerabilities that companies do not protect themselves against?
Jeremiah Grossman: Each year the known attack techniques become that much more numerous and effective. Because our security resources are limited, it's important that we keep track of them and rate their risk accordingly. This is precisely why I create my Top Ten Web Hacking Techniques list every year. When you get right down to it, the vast majority of Web-based attacks can be thwarted by a few application-level security controls. They are not fancy, but they work. Input validation, context-aware output filtering, parametrized SQL statements, and separating idempotent and non-idempotent HTTP requests by GET and POST respectively. That gets you about 90% of the way already. At that point you may begin tackling things like Clickjacking.
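As an added illustration (not code from the interview, WhiteHat, or Grossman), here is a minimal Python sketch of the four controls he lists: an allow-list validator, a bound-parameter query, HTML-context output encoding, and a dispatcher that refuses state-changing actions over GET. The user table, the username pattern, and the action table are constructed sample values.

```python
import html
import re
import sqlite3

# Constructed sample data for the demo; not from the interview.
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]
# Assumed allow-list for usernames: lowercase alphanumerics and underscore only.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build an in-memory SQLite table holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def validate_username(name):
    """Input validation: accept only what the allow-list pattern permits."""
    return bool(USERNAME_RE.match(name))


def find_email(conn, name):
    """Parameterized SQL: the value is bound by the driver, never spliced into the query text."""
    row = conn.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchone()
    return row[0] if row else None


def render_greeting(name):
    """Context-aware output encoding for an HTML body context: escape <, >, &, and quotes."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


# Idempotent (read-only) actions may use GET; anything that changes state must be POST.
ACTIONS = {"profile": "GET", "delete_account": "POST"}


def handle(method, action):
    """Return an HTTP-style status: 405 when a state-changing action arrives over GET."""
    expected = ACTIONS.get(action)
    if expected is None:
        return 404
    if expected == "POST" and method != "POST":
        return 405
    return 200
```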