The myth of cyber security: An ethical hacker explains why our data isn’t secure

Accenture’s Chris Thompson chats with ethical hacker Jamie Woodruff about cyber risk and security.

If you think your financial firm can prevent all cyber attacks, think again:

  • An Asian bank invited a consultant to speak about security, only to find the consultant had cloned their ID access cards with his cell phone, gaining access to the building by tapping his phone against the entry points.

  • A hacker intercepted peoples’ cell phone data simply by passing near them, using $40 of technology purchased online.

  • A woman was stunned when a security expert gained her full 16-digit bank card during an interview, simply by asking key questions that teased out the right data.

  • Conference attendees were tricked into signing into a false LinkedIn® site by another attendee, who then gained access to their passwords and account data.

Meet Jamie Woodruff, ethical hacker and chief technology officer, Patch Penguin, who designed these attacks to demonstrate security flaws. Our own Chris Thompson, senior managing director, Accenture Finance and Risk Services, interviewed him about cyber security—or the lack thereof.

How can you be both ethical and a hacker? That can come across as a contradiction in terms.
You have boundaries and you have lines, and you have to establish what those lines are within the scope of the project. There are guidelines to follow, such as responsible disclosure, but you have to think black hat (e.g., like a true hacker), think outside the box, or you are no better than traditional penetration (pen) testing.

Sometimes you see data and you think, “Wow, that’s really great.” But you have to limit yourself, and stay within your lines.

We talk a lot about cyber security in risk management. Things seem to be getting worse. Are we facing an epidemic?
We’re going to see more and more of this kind of thing. It’s on the increase. Everything we use now gives criminals an additional edge. We store everything on our cell phones, where we have our bank cards and contact list.

People ask me how they can send secure emails, and the answer is, use carrier pigeons. You’ve got more chance of sending a carrier pigeon to your target than you have of sending an email that hasn’t been intercepted.

When it comes to security, what is a business’s weakest layer?
People are the weakest layer. It’s about social engineering. I find that’s the easiest way to gain access to a physical infrastructure.

If I was to hack a bank, for example, I wouldn’t go after the online services—that would be stupid, because I know they’ve got three-factor authentication. I’m better off just walking into the bank using social engineering methods.

Here’s an example: A large financial institution in the United Kingdom orders pizza for its developers every Friday. So I applied for a job at the pizza place and got myself a uniform. I was able to walk right past security—because Friday pizza was a normal thing.

With my own technology I could tell where switches were picking up the most data, which led me to the server room. There, I sprayed the lock pad with Luminal and waited an hour, after which I could see what punch codes had been pressed.

And I was in the server room.

Sometimes I’ll use traffic cameras or publically available cameras to track movements of individuals. I can work out how many people are attending when a conference is on; I can find the conference data online. Once I’m with people, I can get inside their comfort zone. Then I can start asking individual trigger questions to gain the knowledge I need.

"There’s always a way in. It’s about making sure that way in takes a long period of time, and making sure you’ve got the policies and protections in place."

So if you’re a business, how do you defend against things like social engineering?
It’s security through obscurity. Don’t follow the same patterns. That’s the weakness I always find in an infrastructure—there are always people who follow the same route.

And, it’s about your employees feeling safe in their environment. It’s about your employees knowing the limits within that environment and knowing the policies of what they can actually do and what they can’t do.

When you’re trying to work out different vulnerabilities and different ways in, what do you use as source material?
I use everything. I use LinkedIn®, I use Facebook®, I check out a person’s kids—online profiles are quite open, so I can build out where they’ve been, their holidays. I can target high profile CEOs and directors, who will be the ones with the most infrastructure access.

I check jobs' databases. There might be a posting, for example, seeking a database developer for MySQL (Structured Query Language)—and then I have inside information. I know they use MySQL. I can target my attacks around that.

Hackers go to extreme lengths to access your data. They think nothing of spending months finding a way in if there's lots of money involved—so that’s what I need to do in an internal security audit. When I hear that a pen test will be done over a couple of weeks I tell people it won’t be sufficient.

It sounds like there’s a blend of technology and non-technology involved.
You always need the tech once you get into the infrastructure. Once you’re inside, you need to get through lock systems, you need to get through passwords, you need to get through so many different things, so you have to bring the technology with you. But it’s definitely a blend of the two.

The financial services industry is going through a transition to digital banking, moving toward truly electronic exchanges of money and better online interaction. Is that making things more secure or more vulnerable?
I’d say it’s more vulnerable, but if you ask someone in banking they’d say more secure. It depends on the way you look at it.

Within the banking industry, more banks are going digital, and that’s wonderful. It’s great. It’s all about the customer experience—but it’s not just the customer experience. Too many providers don’t enforce enough security. They won’t use dual factor authentication or voice fingerprinting. Because that limits the customer experience. That upsets the customer. When a customer finds they are talking to a machine, the customer gets upset and angry and then they go and do business elsewhere.

If you had to give a single piece of advice to businesses defending against cyber attacks, what would you tell them?
Make sure people keep to themselves, and don’t give them access to data they don’t need for work purposes. Make sure they have only the access they need. That’s the best thing I can tell you.

There’s always a way in. It’s about making sure that way in takes a long period of time, and making sure you’ve got the policies and protections in place.