IT security faces huge challenge, says hacker ‘Mafiaboy’

Hackers vastly outnumber IT security professionals, says reformed ‘black hat’

Michael Calce’s parents knew there was “something rather unique” about him when he was five years old, he says.

Handed a computer with unlimited internet access as a child, the Montreal-raised Calce is infamous as "Mafiaboy", who in February 2000, at the age of just 15, took down a number of websites, including Yahoo, CNN, Amazon, Dell and eBay, with denial-of-service attacks. The hacks cost some $1.7 billion in economic damage.

The hacker later wrote that his attacks were “illegal, reckless and, in many ways, simply stupid”.

“At the time I didn’t realise the consequences of what I was doing.”

A rehabilitated Calce, now a "white hat" hacker, runs his own penetration-testing company, Optimal Secure, in Canada, advising companies on how to defend their systems before hackers strike.

He was flown to London last week by HP for an innovation summit during which it announced the launch of a new range of A3 multifunction printers, with in-built hacking protection.

Manhunt

"I like to think that everybody in their life has one 'Oh crap' moment," Calce told journalists from across Europe.

For him, that was when former US president Bill Clinton and his then attorney general Janet Reno announced a special security summit and a manhunt for Mafiaboy.

His trial took about a year and a half. He was sentenced to eight months in a group home facility and was fined the grand total of $250.

“That was the maximum that you could give to a youth and God bless Canada,” he said last week.

He says the “institutionalisation of hacking” is now very real. “We were just messing around when I was a kid.”

His black-hat contemporaries got a bit of damage done – but it wasn’t intentional, he adds.

Now, he can teach “anyone in this room in 30 minutes how to become a hacker” with access to some basic, off-the-shelf tools.

On a daily basis he sees the companies hit by employees clicking on links or downloading attachments containing malware.

“They’ve got to make them smarter and more conscientious of what they’re clicking, because, as we can see, spearheaded vector-phishing attacks are still very common and effective and they’re still baited into clicking links or downloading attachments.

“I think it’s imperative that companies really focus on training their employees to prevent against that, because it’s been quite some time now since we’ve been made aware of these types of attacks and they’re still highly effective. So it’s really up to companies at this point to educate their employees to better protect against these types of threats,” he says.

Hackers these days are also making “a good deal of money”, he says.

“It’s such a broad industry, it’s really broad. It depends on where they’re focusing their efforts. But a good chunk of them are making a good deal of money.”

Russian hackers

On the hacking of the Democratic National Committee’s emails during the US presidential election last year, Calce says he is “absolutely” certain the Russians played a part.

“I have key contacts still within the community and it’s been my consensus that that’s exactly what happened. I mean, maybe the level of influence has been exaggerated to some degree but they definitely played a role, no question.

"I can tell you first hand some of the key communities I was a part of were Russian hackers and in my personal opinion, of course, I think that Russians are the top-level hackers of the world. There's no question in my mind," Calce told The Irish Times.

What rehabilitates a hacker? Is it punishment or is it money? Are hackers in China and Russia just unstoppable?

“It’s a good question, you know,” he says. It comes down to psychology.

“I can tell you first hand from being a reformed hacker, it’s very tough to feel a level of remorse for what you’re doing, right? It’s not like a bodily harm type of crime where you’re punching someone, killing someone, hurting someone, because if you do something like that there should be a level of instant remorse.

“Whereas when you’re committing computer crimes, it’s kind of honestly hard to feel bad about what you’re doing and realise the impact, because it’s all done digitally and it’s hard to see the damage you’re causing right at that moment or even later,” he says.

“If anything it’s mostly financial – you’re not really hurting people in most degrees or extents. Can we reform them? Absolutely.”

“I think rather than trying to make them realise what they are doing is wrong, I would go with the approach of making them realise the good that they can do and how much better it will be, because the challenges still exist on the good side of hacking. You can make a profession out of it and you’re still helping companies and there’s still those equal challenges – if anything, the challenges are harder because the number of hackers versus IT security professionals is absolutely overwhelming.”