It’s amazing how cheap the hacking business is becoming. The whole “business” is becoming commoditised: services and hacking kits can be bought at bargain prices.
There’s no sign of a January sale (it’s not that commoditised), but prices have been falling. For somewhere around $500,000 (£312,000) you can buy the services of a team that will hack its way into almost any system you point them at.
That figure comes from Daniel Cuthbert (pictured), assessment manager with penetration-testing and security consultancy firm SensePost. In a recent talk he gave to attendees at a SecureData conference at Wembley Stadium, he said that such a team would have a 90 percent success rate. If the target is in the highly secure 10 percent, the task is not impossible but would cost up to $10 million.
Cuthbert is a swaggering former hacker who runs a team of 20 staff which, he claims, could hack their way into “almost anything”. He is one of the best speakers on the security circuit because he does not pull his punches or try to hide anything from the audience. That often embarrasses the security industry but, at the moment, most people agree that this is no bad thing.
The weak point of the current security armour-plating is the browser. Cuthbert claimed that browsers were never built with security in mind and that basic flaws which have been around for years still work effectively.
“Hackers are interested in you and your browser because the browser is inherently insecure,” he said. “Exploits that were discovered 10 years ago still work, so attackers are not interested in the OS but in the browser being used.”
This has allowed an Achilles’ heel to develop as companies have moved to centralised systems with the browser as the primary environment.
“Browsers weren’t meant to do what they’re doing today and they are inherently insecure – Microsoft has admitted this, Google has admitted this – that’s the nature of the browser today.”
With simple hacks having been around for so long, they are well documented and it doesn’t take a genius to implement them. Cuthbert reckons that the LulzSec team were not particularly gifted as hackers but had learned how to apply simple hacks against their target sites. The group only gained notoriety because of the headline-grabbing exploits it managed to push to the popular press sites.
It is the external hackers who pose the greatest problem. At the same conference, Etienne Greeff, professional services director for SecureData, said that 92 percent of hacks now come from outside the organisation. Insiders may wittingly or unwittingly be used to facilitate access but not many are the actual perpetrators.
And it is the big-money aspect that attracts organised criminal gangs into the fray. Bribing insiders for information, hiring expert hackers to grab specific information, and either selling or using the information gathered for financial gain is the main activity these days in the high-profile company hacks.
RSA, EMC’s security division, claims that only a couple of the company’s customers suffered a breach after the sensational theft from its SecurID site. Cuthbert begged to differ. He said that the closed US congress in which RSA brought together many top organisations, including banks, law enforcement, military and big-business security staff, showed that 761 corporations were breached following the attack.
Of course, neither RSA nor Cuthbert can substantiate their claims, but it shows that whoever targeted the SecurID system had a ready market for their swag.
Get your definitions right. A hacker is a coder, a programmer, particularly one who is clumsy "1970".
Not in the UK. A hacker has been defined as a malicious coder for the past 25 years. According to the Oxford English Dictionary, "hacker" is defined as: a person who uses computers to gain unauthorized access to data. Even the dictionary's secondary (i.e. less used) definition is "an enthusiastic and skilful computer programmer or user", which again goes against any US definition. Also, you might like to check this Wikipedia entry: http://en.wikipedia.org/wiki/The_Hacker's_Handbook