Web Summit: TalkTalk hack ‘tip of a tiny iceberg’
Experts says companies need to pay more attention to cybersecurity as threat grows
A section of the crowd attending The Web Summit 2015, at the RDS in Dublin. Photograph: Eric Luke/The Irish Times
A panel of cybersecurity experts at Wednesday’s Web Summit warned that recent hacker attacks such as those of Ashley Madison and TalkTalk are “the tip of a teeny, tiny iceberg” and that the cyber equivalent of 9/11 could happen and is “a very real danger”.
Dermot Williams, managing director of security firm Threatscape, reminded the audience the recent TalkTalk hack was followed by a statement revealing that it was a very sophisticated attack, something that “almost made us feel sorry for them” until it emerged that a solitary 16-year-old was arrested.
TalkTalk got hacked because “it wasn’t paying enough attention to its cybersecurity,” claimed Evgeny Chereshnev, vice-president of global consumer marketing for Kaspersky Lab.
However, Chereshnev was not implying that this was a trivial attack. He said that anyone with a relatively high IQ can find guidebooks out there on the web that act as a colour-by-numbers guide to hacking into various security systems.
“It’s getting to be a bigger and bigger threat landscape out there,” said Rami Essaid, co-founder and chief executive of bot-blocking service Distil Networks.
“It’s one company versus an infinite amount of expert knowledge and hackers. Security must be part of a company’s core infrastructure because we [security firms] alone aren’t enough to stop all threats out there.”
Essaid gave the example of a recent case where an actual how-to guide was published for getting into a particular company’s secure network (he didn’t mention the company). This guide was simple enough that plenty of people could follow it. It included steps for exploiting vulnerabilities and even social engineering, in other words, ringing up a tech helpline and tricking the operator into giving you private information.
“You don’t want to be the corporation that’s easiest to get into,” said Todd Simpson, chief strategy officer for AVG Technologies, to which Chereshnev added that one of the most common reactions he gets from a big company, when he tells these stories, is “dead eyes”.
“It’s like they’re not understanding that this is real. We can save a lot of companies data and money but it’s not our call,” he said.
The conversation strayed into bounty programmes, the act of offering big money to hackers that can get past a security system. There are the bad guys out there, explained Williams, including an organisation that recently offered a large sum to anyone who could find vulnerabilities in Apple’s iOS 9.
Companies can retaliate or perhaps prevent these paid-for attacks by putting out a bounty to a “white hat” hacker to find any weaknesses in their network or computer system before the bad guys get there.
Tesla recently did this when it visited hacker conference Defcon: hackers found weaknesses in the software, Tesla stumped up and the next morning Tesla was able to update their software based on this, explained Simpson.
And then there is the Internet of Things (IoT), a new way for hackers to gain access. Sometimes it happens in ways you might never have imagined, unless you have a devious mind. A case in point, says Simpson, is an open online app that tracked bike rides around a city.
Some hackers looked at this, thought “wait, the kind of people who track their bikes probably own expensive bikes,” and they watched the bike ride until the owner got home, went to the address and stole it.
“If we continue down same path we’re going down: giving out personal information to all kinds of entities, leaving thousands of thousands of copies out there, this is a problem,” warned Simpson.
“Architecturally we don’t have to continue that way but it takes a change in attitude going forward. It will probably will get worse until we design more intelligent systems.”