Cybersecurity Tips From A Hacker

Canada has just set up its very own cyber center, a federal body that advises citizens and businesses and develops security tools and measures for our digital society. But are we doing enough? Our next guest was once on the FBI’s most wanted list.

He is now a white hat hacker with a consulting business and works with an AI company to develop new defense systems against cyberattacks. Kevin Mitnick joins us now from the RBC Capital Markets Point of View conference. Good to be with you, Kevin.

Hey, thank you for having me on your show.

All right. So when I talk to anyone in different realms of Canadian business, whether it’s banking or our central bank, they’re all concerned about the threat posed by cyber attacks. We have this new agency in Canada. From your point of view, when you take a look at what’s happening right now in North America and Canada, are we doing enough?

No, I don’t think we’re doing enough. I think we need to do more. I think businesses and governments have to be much more proactive at mitigating the risk, and I hope that this agency that’s been formed actually helps accomplish that objective.

Now, when we think about how technology just runs through every part of our life, there are so many different avenues to explore. Let’s start with the political one, though. There’s a lot of concern about what happened in the US election in 2016; we have midterms coming up in the United States, and we have a federal election in this country coming up next year. How vulnerable are we still to these kinds of attacks and influence on our democratic process?

Well, I’m not sure if I could really say how vulnerable we are.

What I can say is these government agencies, whether or not they’re decentralized like they are in the United States, really need to test their security controls to make sure it’s extremely difficult for a threat actor to compromise those controls. With John Podesta, he was victimized through what we call a spear phishing attack. So what that means is people inside the government also have to be made aware of exactly what phishing and spear phishing attacks are, and actually be trained about these types of threats, so they don’t fall victim to them.

Now, this seems key to me, and I find this part of it very interesting. When we think about people launching cyberattacks, like the best hackers in the world, we think of them diving into lines of code, stuff that the average person can’t understand. But, as you pointed out, you get someone in government who just opens the wrong email and clicks on a link, and that’s the entry point.

That’s the low-hanging fruit, but it works. It works extremely well. In fact, I run a company where we do security testing, where clients around the globe hire us to break in to test their security controls.

And the first thing that we do is actually conduct a spear phishing campaign, and our success rate is 99.9% that we’re going to get inside the company. Then we use technical means to try to gain access to other computers and servers and so on.

Well, this fascinates me as well, because sometimes, I’ll admit, I get locked out of my own computer because I forget my password. When you are trying to hack into it, you call me, you say, what are your kids’ names? Then you’ll pretty much crack the code. I just told that to national television. But when you’re trying to crack a company’s system, what do you do first? Are you trying to do that hard crack into the code and go through it, or are you just trying to do a simple phishing exercise, to see if you can fool someone in that company into just letting you walk right through the door?

Well, phishing for sure, as I mentioned before, but also what companies aren’t aware of is pretext phone calls.

So attackers call people inside the business over the phone and trick them, for example by pretending they’re with the IT department or they’re a vendor, into giving information about their computer, what software they’re running, and also, pretending they’re from the IT department, maybe to do something like a password reset or this sort of thing.

Okay. So if this social engineering, which encompasses pretext phone calls and spear phishing attacks, doesn’t work, then attackers look at internet-facing websites.

So a lot of companies have portals that customers and partners can log into, and don’t forget, web applications are usually built with thousands of lines of code, so there are always flaws. So what hackers try to do is find these flaws and exploit them, so they can gain access to the company through their vulnerable web application.

Obviously, we’ve seen a lot of high-profile instances of security protocols at big companies being breached. At the same time, though, sometimes I think, why doesn’t it happen more often? I think about the fact that our energy infrastructure, the hydro grid, so many things, I mean, conceivably a hacker could get in there and turn off the lights for the eastern seaboard. How are we preventing these things from happening at the moment?

Well, that’s critical infrastructure, so you have government, and you have companies that support critical infrastructure, that are responsible for deploying best-of-breed security controls. They’re responsible for testing these things, and it’s absolutely critical.

In fact, when I was a black hat hacker back in the 80s and 90s, I compromised most of the phone companies in the United States, and it was like a walk in the park. I pray today it’s much harder, because now we have to be concerned about terrorist threats and other nation-state attacks, so the government needs to regulate this area, and the companies that support critical infrastructure need to meet a certain standard to mitigate the risk.

Unfortunately, there’s no silver bullet to eliminate the risk, but what they could do is raise that bar extremely high to make it really hard for a nation-state to compromise us.

Lastly, I want to ask you, Kevin, given your expertise in this field, about cryptocurrencies, Bitcoin. Are they as bulletproof as we are told they are?

Well, I believe in the crypto, but you have to think of yourself as a consumer of a cryptocurrency. Where are you hosting your wallet? Are the third-party companies secure? Could they get hacked and your cryptocurrency be stolen? Or are you keeping the wallet on your own personal computer, and what if malware ends up on your computer and is able to install a key logger, so they can get your secret passphrase to the crypto keys that lock your wallet, and then they run off with your entire wallet?

So nowadays, automated tools like bots are doing these types of attacks. It’s not a human being doing it. So there is definitely a risk to using cryptocurrencies, and that’s why consumers need to be more aware of these risks.

All right, Kevin, fascinating stuff, thanks for joining