'Mafiaboy' spills the beans at IT360 on underground hackers

Social engineering plays a major part in computer hacking

Attending IT360 last week didn't guarantee you a seat at Michael Calce's keynote with Craig Silverman. The conference room reached full capacity and left a crowd of onlookers spilling into the hall outside the doors.

Calce -- a.k.a. Mafiaboy, the Montreal teen hacker who was the subject of an international manhunt after bringing down some of the highest-profile Web sites on the Internet -- delivered on his promise to provide insight into underground hacker communities.

Social engineering is a much larger aspect of hacking than people think it is, said Calce. "Hackers rely on you to be naïve. They are counting on it," he said.

Internal IT hackers in your company are still more of a threat than remote exploits or denial-of-service attacks, he pointed out. Calce suggested securing your organization before worrying about outside threats.

"You have to integrate some type of security awareness program and training for your employees, because people are still being socially engineered and it's still a very viable threat," he said.

Calce delved further into the hacker mindset in a postconference interview. "They're all about people manipulation skills," he said. "One way or another, you have to manipulate someone."

Hackers can just dress up in a telephone company uniform and walk into your office, Calce explained. Some will print documents saying they work with the phone company or carry order and supply forms.

"As long as you look like you're there for what you're supposed to be doing, they don't really question why you're there -- especially if you do it well. If you're good and you keep a solid face and you have paperwork or a hat that goes with your façade, it's very effective," he said.

"People aren't expecting that angle," Calce explained. "They think that they secure their networks and they're not vulnerable. It doesn't necessarily operate like that. Hackers always think outside the box."

Keeping all angles in mind is an important part of evaluating a company's risk factor, according to Calce, who is forming his own penetration testing company. "I will be doing a lot of technical work and verifying their networks, but a huge portion of it is also social engineering -- how can I get in at the front desk," he said.

Even with the proper training and education, employees might continue to be the weak link in an organization. "They don't really care what happens to the company as a whole. They care about the paycheck they get, they do their job and they go home. But people need to take it to heart and realize that there is a lot at risk," he said.

Calce pointed out the benefits of hiring an ex-hacker during the keynote, which took the form of an interview with Silverman on stage. "You know the ins and outs, you know the way the community works, you may have leaks of information on zero-day exploits that aren't public," he said.

But former hackers have to work hard to gain respect and rebuild credibility with the industry, he explained. "You really have to show that your motivations are on the right side and hopefully people will see that, because there's no 100% definitive way to know if someone has been completely reformed," said Calce.

There are ways to explore technology and satisfy your curiosity without participating in illegal hacker practices, he noted. "You can set up your own network and infiltrate it like that. Set up an operating system and go ahead and see what you can do with it. You don't need to illegally access [a] computer."

Calce addressed further issues during a question-and-answer period with the audience, which included a query about whether or not he had a valid passport.

One attendee asked whether Calce believes there is a way to get ahead of hackers or if IT will always be playing catch-up. "Unless we rebuild the Internet and various protocols, it's always going to be them striking first and us answering back with patches," he replied.

Hacking the hackers would solve a lot of problems, but it's illegal to do so, Calce pointed out. "You need a government institution with the rights to do that," he said.

Calce said his own systems have never been compromised. "I run Unix servers, so I'm constantly maintaining. I'm always watching the logs. Unless there is someone in my systems who is very undetectable, to my knowledge, nothing has been tampered with."

Zero-day exploits are among the biggest threats, according to Calce. They are normally effective because they haven't been out for long, so people don't know about them and there aren't patches out there yet, he said.

Calce suggested a government-level certification process for software releases. "Not one individual in here sees every piece of code that's going out there," he said. "We need some type of hierarchy that monitors what is being released. Obviously, there is not enough debugging and there's not enough bug checks out there."

Another question focused on Calce's distrust of online banking systems. "Down the line in the future, I believe... all these wonderful things will be safe. But as it stands today, I don't have confidence in them," he said.

"We are advancing too quickly for our own good.... We are constantly creating new technology without fixing predecessor technology and making sure that is secure before moving on.... We need to secure things before we move down the line. We're just jumping ahead and we're not stopping. We're not even looking back," Calce said.

This story, "'Mafiaboy' spills the beans at IT360 on underground hackers" was originally published by ITWorldCanada.com.

Enterprise mobility 2018: UEM is the next step
Shop Tech Products at Amazon