Hacking 101: Frank Heidt at TEDxMidwest

Captions
Transcriber: Shihwan Go. Reviewer: David DeRuwe.

So today's talk is going to be a little bit more conversational, and I hope that it doesn't scare you. That's actually not my intent. So really what I want to do is sort of educate you. I want to kind of present things that you can do, ways that you protect yourself, ways that you can protect your country, your company, your community. Interesting stuff. The Roy Batty quote, he's from Blade Runner, [HACKING] so for those of you who get it, thumbs up. [INTRO] So I'd like to ask you what you really think you know. Unfortunately, there's way too much Hollywood education in hacking. So I want to describe how average people - you, me, everyone - get hacked. And then we're going to talk about the real ways that companies get hacked, and we're going to talk about how governments hack, and if we have time, we'll talk about how governments get hacked. And I want to actually leave you with something positive. This is something that I feel very, very strongly about, and it is the epistemology of security. And so for those Philosophy 101 people, yes, it's going to be as bad as you remember. (Laughter) We're going to go in reverse order, right? So here's the reverse order.

[COUNTRIES] What's the most common way that governments hack their citizens? And I want to be interactive, and I want someone to shout out what they think is the most common way a government hacks their citizens. (Audience) BioRICS. That's good. Not the right answer, but good. (Laughter) So that is such a can of worms, I'm not even going to comment on it. (Laughter) Anybody else want to try? We're not going to do this a lot. We'll go a couple of answers and then I'm going to go - Yes? Pen registers, phone tapping - the audience member said phone tapping. That's not a hack, that's the law. Yes? (Audience) Credit cards. Governments can't do that because there are ambitious federal prosecutors. Ambitious federal prosecutors save us more than they hurt us. (Audience) Tell us why? Governments can't do "things" with your credit cards. I mean they couldn't hack - What's that? (Audience) DMV. Oh, the DMV is torture. That's not hacking. (Laughter) But good! Good. So I'm going to tell you, I'm going to tell you. It's surveillance. It's surveillance, but it's not the surveillance you're all thinking about. It's not the surveillance of the NSA. It's not a three-letter agency. It's petty surveillance, and it burns my ass. So I'm going to tell you that I am a guy who's pretty powerful, in my own way. Throughout history, individuals like me have never held this much power. I run a group of the best hackers in the world. I'm not bragging, and I'm not selling to you. They're the best in the world. I heard this story three years ago about a school district in Pennsylvania installing software on the laptops of middle school children. And the story developed that there was someone using the software at the school district in an unauthorized way. And that unauthorized way manifested itself by photographs being taken of children in various stages of undress in the privacy of their own homes. I'm a powerful guy. That burns my ass. I get two engineers to tear that software apart, and then we call "Wired" magazine for a demo. That's a powerful thing. What we found was that software was hackable by anybody on the capital-I Internet that could figure out the password to generate the packets to authenticate to the application. The password was - and I swear to God this is true - a line from a nihilistic German poem. You cannot make this stuff up. (Laughter) So this is an example of petty surveillance, the kind of erosion of your property that happens and starts in places like middle school? That gives somebody the ability to surveil you in your home? That's not good. Those little petty surveillances happen infinitely more times than the NSA is going to intercept your phone call. The only time the NSA is really going to get your phone call is if it's from the US to outside the US, and trust me, they have a lot of people to watch. I don't think they're going to be interested in, generally speaking, you and I. So that's an example of how a government hacks you, and the power of distributed hackers to kind of make a point of hacking back. You're going to hear a lot more of that in the talk that's coming up next. So next, we're going to spend some time on this one.

[COMPANIES] So how does a typical company get hacked? There's way too much Hollywood. We're going to dispense with Swordfish. We're going to dispense with Sneakers. We're going to dispense with any animated GUI on a screen you ever see, like the things sweep in and stuff. That does not happen. I am going to tell you how my company hacks companies, and what we've found of companies that have gotten hacked. So moderately frightening hacks - October of 2001, the World Trade Center is still a smoking ruin, we are requested by a government agency in the executive branch to evaluate energy companies for vulnerabilities because they had what they called "shatter." They wanted to see if someone could break into an energy company in a major American city and what kind of damage they could do. Ah - The way this company got hacked was they had a cafeteria with network drops in it. We were actually doing, this is fantastic, so during the meeting where we described what we were going to do to this company, the head of security engineering actually, and he did it in a high, weedy voice, he said, "It would be inconceivable." I swear to God, he used that phrase. (Laughter) It would be inconceivable that we could break into their networks. And we most literally walked out of the room, walked downstairs, walked through the little turnstiles, right into their cafeteria, jacked into their flat network - I can explain that - were given an IP address, and we ran through them badly, badly. (Laughter) At the end of the day, what we did was we turned on a ventilation fan. We simply turned on a ventilation fan in a building, but we could have closed a switch, opened a valve. We could have done anything. And it wasn't inconceivable. It was trivially easy. Um ... That's an example of relatively sophisticated hacking because once we did get on the network, we had to go through things that were vulnerable, and we did have to actually write some software, and we did have to actually intercept some packets and stuff, sophisticated stuff but kind of fun. You know, you walk into the cafeteria, you have your coffee, you get a danish, you could own a power plant - this is the stuff that really is good. OK, so that's kind of mythical; that's kind of mystical. These are really difficult hacks. How about easy hacks? How does the typical company get hacked? So the typical company gets hacked this way. They go onto Facebook, and they see the CEO of the company, and they look at his kids, or they look at his wife, and they get the name, and then they look for email addresses attached to that name. Then they might pop your kid's computer because the odds are that your kid's computer is going to be way less secure than the computer that the company IT department gave to the CEO. That's not always the case, by the way, right? So then they pop your kid's computer, and they make a very plausible-sounding email. Very plausible. I once got a permission slip. I once got a permission slip, personally, but that was not a gym that my kid went to. But somehow the People's Liberation Army thought it was. But figure this now. What if you get, say, your kids sending you, I don't know - same thing, concept - your wife sending you a shopping list? OK, all of these things I've actually seen happen. I would say what you need to know is that better than 80% of the time - Let me back up. If someone pops your kid's computer, the email appears to come from your kid's computer, the headers are correct, the mail agent is correct, your spam filter's not going to run on that one. It's from your kids! Even if you whitelist! Pretty bad stuff. So, let me continue - when we hack companies, we find about 80, 80-plus percent of the time, that works. You open up a PDF document, if you're not a hundred percent patched, right? If you're back a couple of revs, one rev, you open up that PDF file, (Finger snapping) your box is owned, like that! "Owned" is really cool hacker parlance for, you know, broken into. (Laughter) So yeah, that happens all the time. Every single professional attack that we've seen, all the big ones that you hear on TV - APT, Night Dragon, all these fancy names - all that is is cyber espionage. Every single one that I've ever seen, the final investigative report, all began with a PDF. There's a lawyer in Los Angeles who did not get beat. He said, "I've worked with my partner Bob for 15 years. That message wasn't how he sounded." That's cool. Tone and voice, things that humans are great at. You're great at listening to tone. You're great at intonation, voicing, and the written words. Pay attention to that. If something sounds off from Bob, don't open it, don't open it. How do you survive in this age where one rev back on a patch, one client-side vulnerability, screws the pooch for your entire enterprise? Turn on auto-update! I use auto-update. If your IT department says we can't turn on auto-update, get a new IT department, (Laughter) or something. That's how companies get hacked: social engineering and spear phishing.

What's the most common way, and this is a shout out, [PEOPLE] what's the most common way people get hacked? Shout! Anyone? (Audience) Phishing. Phishing? Yep, true. (Audience) Sharing passwords. Bingo! That's a good one. Sharing passwords, true! Let's take a sidebar here. How many people, and be honest, you can pan this if you want, how many people use the same password for multiple services? Don't do that! (Laughter) Jesus Christ! (Laughter) Don't do that! Did you get that? You all need to stop that! Here's why. You've just extended your trust boundary from you to LivingSocial. LivingSocial got popped, you're popped. You've just extended your trust boundary from you to LinkedIn. LinkedIn got popped, you've got popped. See what I'm saying? Don't extend that boundary to someone you can't trust. Your password changes could be anything you want as long as they're different. Make them mnemonic. If you need to use phoneticized characters and Chinese, do it. If you need to use the international call sign alphabet to spell things out, do it. But do not, don't do that anymore. You make my life meaningless when you do that. (Laughter) Okay, the most common way that people get hacked is by automated bots. The average person gets hacked by an automated bot. They don't want you personally. If someone wants you personally, and they're capable, you are screwed. There are powerful people in this audience who are very, very likely to be the targets of intelligence-gathering operations - you must be extra vigilant. Average people, yes, you, average, (Laughter) turn on auto-updating. You will not get owned by a bot. And I'm going to take the last five minutes of this talk, and just to be clear, I don't have to talk more about the way common people get owned. You get owned by bots. Turn on auto-update, you're done! We're done! We'll never have to talk about it again. But this is what I want to talk about.

[BONO PASTORE] Bono Pastore is a Catholic term. Epistemologically, it means being a good shepherd because you are actually responsible for your little technology flock, and you have to be a good shepherd. Your tablets, your phones, your PCs, your laptops, someday your car, someday your house, someday your fill-in-the-blank, right? You need to be a good shepherd because the internet is a rare and precious gift. And if you are in what's called a botnet, in other words, your computer got owned, and some computer program somewhere in Romania is pushing, you know, organ enlargement pills on your behalf, you are officially part of the problem, and you make it bad for all of us. So that's what I mean by Bono Pastore. Be a good shepherd to your devices, and we get to have nice things. Be a member of a botnet. Grant that I get paid either way, but like we really do want to keep the internet. And I'll say this. It is a rare and precious gift because it spreads knowledge and understanding throughout the world. We did that Joi - I have 3/4 of a thumb, so it's really cool with the "Joi Ito" thing - Where were you on the internet? I'm right here on the internet for me. I think the only thing that's ever solved problems in the past has been knowledge and understanding spread the widest possible. The internet is the best thing that humans have ever designed to do that since writing. So I think that everybody has to be a good shepherd, take care of their thing. Let's just go over this one more time. Don't click on the link. No one in Nigeria actually knows you. That's just a fact, right? Keep your systems updated. Microsoft has worked very, very hard to ensure that auto-update, and Apple's worked very hard to do this. Mozilla could work harder though. But turn on auto-update for your packages, the things that you use. And be a good shepherd. Understand where your bandwidth is going. Put a password on your wireless. Don't be part of the problem; be part of the solution, and we'll all get to have nice things. So thank you very, very much. (Applause)
Info
Channel: TEDx Talks
Views: 1,014,065
Rating: 4.8458123 out of 5
Keywords: Surveillance, Tech Security, ted x, Frank Heidt, Software Hacking, English, Technology, ted talk, State Sanctioned Hacking, Government Hacking, Cyber Security, Company Hacking, tedx talks, tedx talk, Hacking, TEDx, TEDxMidwest, Hacking 101, TEDxMidwest 2013, tedx, ted, United States, ted talks, Hackers, Network Security
Id: nnKh6SFEaLg
Length: 15min 36sec (936 seconds)
Published: Tue Mar 11 2014