A Hacker Explains: How to Protect Yourself Against Malicious Attacks
Since leaving Tonbridge in 2009 to pursue a degree in Economics, Seb Maltz’s career has headed in a vastly different direction. He now works as an Ethical Hacker for a company specialising in cyber security. Day-to-day, he could be hacking websites, writing code, or even operating under cover in your office, in attempts to test the security of corporate computer systems.
How did you get into the cyber security industry?
I discovered the industry after doing an internship at a large ISP (Internet Service Provider) in the UK, which happened to be at the same time as they were setting up a new cyber defence team. This piqued my interest and so I applied for a cyber security consultant role after university. There was a tough decision to be made because I was studying for a BSc in Economics, which I thoroughly enjoyed, so I also applied for an economist role in the Civil Service’s fast stream.
After the application process I was assigned to start at the Ministry of Justice, which would have certainly been interesting. But, I am glad I chose the nerd route now! Although perhaps I would be saying the same thing about being a government economist, who knows!
How did you end up becoming an ‘Ethical Hacker’?
After starting as a cyber security consultant in my first company, I was assigned into a risk management type position. However, with every horizontal movement across the organisation, I chose to do an increasingly technical role, because I found it more interesting. I found myself constantly in a sink or swim situation and had to quickly learn to code, understand networking and use a Linux operating system.
The team that seemed to be doing the most exciting work were the ethical hackers or ‘penetration testers’ as they are known, and being paid to legally hack computers sounded like a fun job! So I tactically asked the team’s leader to be my career mentor, and agreed a path with some goals that I would have to achieve if I wanted to join the team.
One of the challenges was to pass the Offensive Security Certified Professional (OSCP) qualification, where there was a training network packed full of computer systems, each with their own security flaws that needed to be found and exploited. After becoming confident enough to take on the exam, a new network with a smaller number of machines is given, each with a point rating reflecting how hard they are to hack. There is a 24-hour window to gather enough points to pass, and another 24 hours to write a report on the methods used.
After achieving this qualification, I moved into the ethical hacker team, and gained some experience. Following this, I knew offensive cyber security was the area that I wanted to settle in, so I moved to a small specialist company.
What is your typical day like?
It could be anything. Hacking websites, attempting to gain remote access to a company’s network over the Internet, writing code to perform attacks, visiting a client’s office to hack from the perspective of a malicious employee or dropping USB sticks in a company’s car park maybe with the label ‘payroll’. If a curious employee were to plug a USB such as this into a corporate machine, it may be possible to take control of the computer and use this as a foothold into the rest of the network.
The goals of the projects vary between engagements, however primarily there is a focus on finding vulnerabilities that could be exploited by a nefarious actor, and informing the client of those vulnerabilities along with recommended mitigation strategies. Also, it’s not always electronic hacking; sometimes the engagements will be a physical intrusion assessment.
Physical intrusion, what exactly does that involve?
The primary objective for a physical intrusion test is to measure the strength of existing physical security controls and uncover their weaknesses before real malicious attackers are able to discover and take advantage.
On one occasion I managed to talk my way into a company’s office after posing as an employee from their ISP. After gaining access to the building I connected to their internal network and launched network-based attacks from behind the firewalls. After this I wandered around the offices, chatted to employees, had lunch with some staff members and even participated in the company’s charity table football tournament. There was even a photo of me posted on the company’s Intranet site with the caption “A big thank you to all staff that raised money during today’s charity event”!
Next I started looking through cupboards for sensitive data and came across a filing cabinet full of HR records. I carried a bunch of files over to a desk and started taking photos of pages using glasses with a hidden camera inside. Then suddenly I was seized from behind by two people demanding to know what I was doing with the files. My feeble response of “...is that…not…okay?” was met with a shout of “NO THAT’S PAYROLL INFORMATION”, as the files were snatched from me. This was followed by demands to know who I was and what I was doing there. At this point I had to produce a document signed by the company’s CEO to explain that I was in fact legitimately hired to perform the assessment.
The engagements are not always this smooth. On many occasions I have been left red faced and embarrassed after my pretence had been easily seen through. It can also not be so glamorous; sometimes I’m rooting through the rubbish bins outside a company looking for discarded data that might be sensitive or confidential. I usually wear a high-vis jacket while doing this, as people tend to assume importance or authority from reflective clothing.
Did your time at Tonbridge prepare you for this career?
I found the general standard of teaching at Tonbridge brilliant. Two teachers that particularly inspired were Mr Evans (English 05-06) and Ms Moxon (Economics 07-09). Playing sport nearly every day definitely taught me to work in a team and some leadership skills. However, I could not have been less interested in computers while I was at school. I had ICT classes until GCSE year and remember finding the lessons particularly uninspiring. I’m really pleased to hear that the IT curriculum has evolved to be more dynamic, now including aspects of programming, including game and app design, web development, computer science and even video production. It’s great to see the school recognise the global need for skills in this area.
Cyber security is a particularly good part of the tech industry to be working in. There has been a 0% unemployment rate across the sector for several years, possibly even since the industry began. In penetration testing, you can almost choose which company you want to work at, once you have the skills and experience. Additionally, because the industry is relatively new, you become thought of as rather senior in a relatively short amount of time.
There may be some people reading this who are wondering how they can protect themselves from hackers, can you give some tips?
It really depends on what data you want to protect and where it’s stored. If you are worried about data stored on your laptop in the event of it being lost or stolen, it’s best to enable full disk encryption. This means if anyone finds or steals your laptop and it is powered off, if your password is long and random enough, it should not, in theory, be possible for anyone to view the data. On Mac OS this can be done by enabling FileVault in the system settings. On Windows, BitLocker can be used, although this requires an enterprise version of the operating system. Additionally, software like 7zip can encrypt files, which can offer more protection when the device is powered on. For data stored on your phone, both Android and iOS devices are now encrypted by default, as long as a passcode is used to unlock the device. However, when it comes to syncing data to the cloud, you are effectively giving someone else your data, so there are no guarantees that it will be kept from prying eyes.
In terms of online accounts such as email, social media, online banking and other payment services, my number one recommendation is to use a different password for every site. The most common way people have their accounts compromised is through a hacker finding a security flaw in a website and compromising the database containing every users’ email address and password. These are then sold or leaked onto the internet. If you reuse the same email address and password, this can be used to access your other accounts. Password leaks happen very regularly, for example every password ever created on Yahoo! was leaked in 2017. An ethical hacker keeps track of public leaks and has created a website (https://haveibeenpwned.com/) where you can input your email address and see if it has been included in a password leak.
To protect yourself from leaks, you can use a password manager, like LastPass, which is a browser plugin and mobile app. You log in to the password manager and it generates a random password for all your accounts. This way you only need to remember one password.
Alternatively, create a system where a proportion of the URL is in part of the password. Therefore the passwords are always different and easy to remember. Additionally, activate two-factor authentication for important accounts, whereby in addition to a password there is also a push notification on your mobile that needs to be accepted to log in, or by using a token that generates a number that changes over time. Avoid the SMS-based systems as the cellular network has been proven to be insecure. For this reason, if you want to have a private phone call or send a private message, use apps that support end-to-end encryption like WhatsApp, Threema or TextSecure.
It is important to note the points mentioned above won’t keep anyone secure if implemented alone. The security of data is only as strong as the weakest link and therefore it’s more about managing risks rather than finding a silver bullet.
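The leak-checking site mentioned above (haveibeenpwned.com) also publishes a “Pwned Passwords” range API that lets you test a password against known leaks without ever sending the password or its full hash: the client sends only the first five hex characters of the SHA-1 and matches the returned suffixes locally. The following is an added example, not code from the interview, showing that k-anonymity check against a constructed sample response; `fetch_range` assumes network access and the API’s `/range/<prefix>` endpoint.

```python
import hashlib

# Constructed sample of a Pwned Passwords "range" response (not real data):
# each line is "<35 hex chars of SHA-1 suffix>:<times seen in leaks>".
# The real API returns every suffix whose SHA-1 starts with the 5-char
# prefix you requested, so the service never learns which one you hold.
SAMPLE_RANGE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1FD1E9A5F0D8CCE44A8B6B7BCE0E4D0C2B6:1
"""


def sha1_prefix_suffix(password: str):
    """Split the uppercase SHA-1 hex of a password into the 5-char prefix
    that is sent to the API and the 35-char suffix kept on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a dict."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the leak corpus behind
    range_body; 0 means its suffix was not in the returned range."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (needs network; the offline
    sample above is what the rest of this example runs on)."""
    import urllib.request
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(url, headers={"User-Agent": "range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", SAMPLE_RANGE_BODY))
```

A non-zero count is a signal to change that password everywhere it is used, which is exactly the reuse problem described above.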