Ex-hacker: Act on assumption nothing is safe

SAN FRANCISCO — During the Industrial Age, there was a simplicity to the repetition of small tasks, but in today's Information Age, complexity drives progress, an ex-hacker told attendees at Business Insurance's 2015 Cyber Risk Summit in San Francisco.

“Complexity grew over the years of the Information Age, and now, specialization is the key to progress,” Jeff Moss, a former hacker also known as The Dark Tangent, said Monday. “And 10 years from now, we will be even more specialized, but this will lead to complexity with systems that fail in unpredictable ways.”

Mr. Moss is also a member of several key organizations involved in cyber risk mitigation, including the Homeland Security Advisory Council.

How any system will fail is impossible to predict, he said. “Just assume it will fail, for your own well-being, so you can sleep,” he said.

Hackers, according to Mr. Moss, are categorized into four groups: nation states who want secrets, organized criminals who want money, protestors who want attention and researchers who want knowledge.

A common type of cyber attack used by hackers is a distributed denial of service, or DDoS, attack, in which a DoS attack compromises multiple systems to target a single system and cause a denial of service by locking the data. These attacks are getting worse year by year, Mr. Moss said, and there is no known way to keep data safe.

Even physical keys used to lock data can be photographed by thieves and hackers and then replicated by using a 3-D printer. The only safe physical key available at this time is EVVA MCS, which uses magnets on both sides of the keys so hackers can't tell the orientation of the magnets. Mr. Moss said he uses these types of keys for his home.

As technology manufacturers continue to build devices that store and have the ability to update their data, nobody has given thought to the problem of being able to manage and upgrade their systems once they are made vulnerable, he said.

“Encrypted police radios, mobile phones, GPS, Web browsers, alarms and access control systems, satellite phones and pagers — none of these are safe,” he told the conference.

“Eventually, a software-enabled toaster will burn down a house, and this is where software liability will begin, but right now the only software liability is the price of the software,” Mr. Moss said.

In the meantime, people need to be responsible for their own security, he recommended.

“You need to have a holistic approach; have a knowledgeable team that will understand the technology, a life cycle management of prevent-detect-respond, senior leadership to buy in and have ownership of protecting the company and, finally, do what you can when you can,” he said.