Real life is rarely as exciting or fraught with complications as the movies, except when it comes to businesses under attack. Cybercriminals around the world take hacking to the next level — stealing passwords, scraping credit card numbers and attacking the Internet of Things. That’s where “ethical hackers” like Sherri Davidoff come in, finding weaknesses and helping businesses protect themselves and their communities.
Davidoff is a cybersecurity and digital forensics expert and CEO of LMG Security and BrightWise Inc. She has worked with businesses and organizations for several years, evaluating security systems and data breach responses. Ahead of her appearance at NRF PROTECT, Davidoff shares some thoughts about hacking, security and data protection.
What are some misconceptions about hackers?
People have this misconception that hackers typically work independently or that they’re young or just playing around. There’s this stereotypical image of a young man in a hoodie hacking someplace dark at night. Other than the fact that a lot of hackers are night owls, that stereotype doesn’t apply.
For those of us that hack ethically, hacking is a business. Our counterparts are organized crime groups. These people go to work just like you and me, and their job is to hack consumers and businesses and steal credit card numbers to try to commit fraud. They are making money and it’s a big business.
Have you ever been hacked?
I get hacked all the time — in LMG’s play lab. We set up systems that are not patched just to see if they get hacked. Last year we set up an Office 365 account and made it a whole little small business enterprise. We set up different accounts with it, and then we clicked on links to see what would happen. Criminals broke into it and stole my password.
Then we watched — we watched all the logs, we saw when the attackers logged in and we saw that they searched my email for anything relating to invoices. Then they set up rules so that if a vendor emailed me and said, “Hey, where’s the payment,” I wouldn’t see it. It would go into “junk.” Then they sent me a fake invoice that said, “Hey, can you send our payment to this other place?” They were trying to redirect the payment they thought I was going to be making to a vendor. It’s truly eye-opening.
The other thing I thought was fascinating is the criminals often work normal business hours. In this case, they appeared to close on Friday, and they didn’t work Saturday or Sunday. Monday was Martin Luther King Jr. Day, so they knew better than to email. Then, first thing Tuesday morning, we got an email from them. I don’t know if their office hours are limited or if they knew our office hours were limited, but they kept to normal U.S. business schedules.
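The inbox-rule trick described in this answer (vendor "where's the payment" mail diverted to junk) leaves a clear trace in mailbox audit logs. The following is an added example, not part of the interview or of LMG Security's tooling: it scans constructed audit records modelled on Office 365 inbox-rule creation events and flags rules that both hide mail and match vendor-payment wording. Parameter names follow the Exchange Online New-InboxRule cmdlet; the records, user and IP addresses are invented.

```python
# Added example: flag mailbox-rule creations that hide payment-related mail.
# Record shape modelled on Office 365 audit log New-InboxRule entries; samples are constructed.
HIDING_FOLDERS = {"junk email", "rss feeds", "deleted items", "archive", "conversation history"}
PAYMENT_WORDS = ("invoice", "payment", "wire", "remit", "bank", "past due")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "FromAddressContainsWords")

def rule_params(record):
    """Flatten the record's Parameters list into a {Name: Value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def hides_mail(params):
    """Return the rule action that keeps the victim from seeing the mail, or None."""
    if params.get("DeleteMessage", "").lower() == "true":
        return "DeleteMessage"
    folder = params.get("MoveToFolder", "").strip().lower()
    if folder in HIDING_FOLDERS:
        return f"MoveToFolder={folder}"
    if params.get("MarkAsRead", "").lower() == "true":
        return "MarkAsRead"
    return None

def targets_payments(params):
    """Payment-related words found in the rule's match conditions."""
    conditions = [params[k].lower() for k in CONDITION_PARAMS if k in params]
    return [w for w in PAYMENT_WORDS if any(w in c for c in conditions)]

def find_suspicious_rules(records):
    """Rules that both hide mail and match vendor-payment language."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = rule_params(rec)
        hiding, hits = hides_mail(params), targets_payments(params)
        if hiding and hits:
            findings.append({"user": rec.get("UserId"), "rule": params.get("Name"),
                             "hiding": hiding, "keywords": hits, "ip": rec.get("ClientIP")})
    return findings

# Constructed sample: one attacker-style rule (hide invoice chasers), one benign rule, one login.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ceo@example.test", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "MoveToFolder", "Value": "Junk Email"},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;past due"}]},
    {"Operation": "New-InboxRule", "UserId": "ceo@example.test", "ClientIP": "198.51.100.2",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "MoveToFolder", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"}]},
    {"Operation": "UserLoggedIn", "UserId": "ceo@example.test", "ClientIP": "203.0.113.7"},
]
```

Running `find_suspicious_rules(SAMPLE_RECORDS)` returns only the first rule; in practice the source IP of the rule creation is worth comparing against the user's normal sign-in locations.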
A hacker known for selling personal information recently put up 26 million stolen user records for sale on the dark web. Do you hear those kinds of statistics over and over?
Yes. It happens so much more than we ever hear about because not all databases are for sale in a place that anyone would discover it. I’ve been telling people for years — your Social Security number has already been stolen. And we must assume our credit card numbers are already stolen and be prepared for that. Monitor your accounts and don’t be surprised when you hear about it, because chances are it’s already been stolen for quite a while before you ever get a letter about it.
Companies didn’t have to report theft of Social Security numbers until around 2003, when California made a breach notification law. Before then, breaches happened but weren’t reported publicly. Chances are your Social Security number was stolen a long time ago and nobody ever found out about it.
Are consumers who use IoT technology in their homes equally vulnerable?
Yes, they are. One problem I see is that, because it’s on the internet and people log in with their passwords, often it’s a problem of password management. Consumers are not picking good passwords for their devices, and so criminals can get them or maybe steal them and then they log in remotely.
This is not to say that we should pull back on progress — it’s important for us to invest in new technologies and move forward. We need to make sure that we’re helping consumers make educated choices, and that security is included as one thing that they consider when they decide what to spend their money on.
Presidential candidate Beto O’Rourke joined the hacktivism group Cult of the Dead Cow as a teen. What do you think of that?
If he did that last year, I would be concerned about it. But remember, at that time, hacking was very different as a culture. There were a lot of young people looking to explore this new world. There weren’t really a lot of rules about it.
I’m not saying what he did was right, but there were not the same social connotations. People didn’t think of themselves as criminals. Today, the culture has changed, and the industry has changed. Nowadays if teenagers or people who are learning security want to explore, we have places for them to do it. We have capture-the-flag contests where they break into computers to capture a flag. We have internship programs where they can ride shotgun and learn to conduct a test. There are training programs. Those things did not exist in 1998-99. There literally were no training grounds, no practice grounds for people who were interested in getting hands-on with security.
Does anything surprise you?
What has surprised me is how the old problems have not been resolved. I mean, I think it’s been probably eight years since I said, “passwords are passé” and we needed something else, and passwords are still a problem. The same problems we saw back in 2002, 2003, with vulnerabilities being unpatched, are still a problem today, so it surprises me that we haven’t figured it out.
We have the technology to fix security for the most part — we have the technology, for example, to implement end-to-end email encryption, but there are business issues and organizational issues that get in the way and prevent us from properly implementing security technologies.
Retailers want to capture consumer data and use it to deliver a better experience, so they’re reluctant to purge it. Most say it lives in the cloud, but does that make them immune from problems?
If something’s in the cloud, that’s great, but that’s when you really need to implement things like two-factor authentication. … Two-factor authentication can prevent a lot of problems. It’s really important for retailers to leverage data to build relationships with consumers, but we have to remember that there is a cost to maintaining data.
I think right now we are not estimating the cost correctly. We’re underestimating how much it costs to properly maintain and secure data. It’s not just something free that you can harvest — you also have to control it and you have to keep it safe. The more data you have, the more you’re able to build those relationships, but the more risk you have as well.