The Coeur d’Alene Press – Local News, Hackers make enemies of local cybersecurity teams
By CRAIG NORTHRUP
Staff Writer
HAYDEN Letters and numbers penetrated the white glare of the computer screen in the Hayden office, the hum of prop planes taking off from Pappy Boyington Field across the street. The letters and numbers sat in benign, simple, dead-center frankness: the full name of someone named Katherine, followed by a string of 16 numbers below it, followed by a few more below that.
At first glance, they meant nothing. But on closer inspection, they spelled out a credit card number and its security information.
Michael Meline sees those letters and numbers as a crime.
They share this information for other criminals to use, Meline explained. Then, once they validate the card information, the criminals will come back and buy more. This is just a taste.
In this case, a taste of 990 separate pieces of credit card information sold by an anonymous criminal.
Some packets of credit card numbers can cost pennies, Meline said, while some can cost $20 each. Hacking is a non-stop cottage industry with such an endless, constant barrage of attempts that it has created its own economy: cybersecurity.
Cybersecurity will be the worlds fastest-growing industry by 2026, according to a 2019 Industrial Market report. A 2017 Cybersecurity Ventures report predicts 3.5 million available job vacancies by the end of 2021. The Federal Bureau of Investigation, in conjunction with Hayden-based Exbabylon IT Solutions, met with the Coeur dAlene Chamber of Commerce April 16 to discuss the threat to local businesses. Meline said the dangers reach every corner of the business world.
Our clients range from health care to banks of every size to manufacturing, he said, and everywhere in between.
The range of potential victims is so wide, Meline said, because hacking never rests. The eight-year veteran of law enforcement from Yuma, Ariz., pulled up a website with what was supposed to be a map of the world. Lines stretching from one launch point to its target blanketed the digital view, obscuring almost every pixel of land. In the corner of another website, a counter boasted 134,620 hacks going on in the world that very second. On a Tuesday.
Meline said companies dont properly address the constant barrage of hacks because they ask the wrong questions at the wrong time.
Theyll come to me and say, We spent $7 million on this [prevention measure]. I ask them why they need it, and they say, Because Im going to be hacked. At Cyber Self-Defense, we enable a business through cybersecurity. We ask, What is this going to do for your company? What risks will it address, and how effectively will it address it? We look at the company as a whole and ask, What is it you want to achieve? And never needed to buy that $7 million [prevention] before they called us. Maybe they just needed better policies and procedures.
Meline added that fear often drives companies to digital and financial paralysis.
I can make your company so secure that you cant do your job, he said. But no one can make you so secure that a determined hacker wont get in. So I let the CEO know that, so we can re-balance risk. We try to find the proper threshold of risk. When we do that, your employees will be highly successful, but the criminals are going to get frustrated and go somewhere else.
While businesses are vulnerable to various intrusions like malware, spyware and data breaches, Meline said an unprotected business should expect to fall victim to ransomware, a program that encrypts a companys critical files and holds that data hostage, demanding payment for the promise of release. Global ransomware will attack a business every 14 seconds by the end of 2019, according to research conducted by Cybersecurity Ventures, adding that the technique cost businesses worldwide more than $8 billion in 2018.
Hackers, meanwhile dont target only businesses. In fact, Meline explained, hackers dont often target anybody.
When you look at the amount of attempts sometimes dozens in just a few seconds theyre not trying to get a hold of such-and-suchs information, he said. Theyre not trying to get into your computer. Theyre trying to get into any computer. Thats how they make their livelihood, and thats how people in my position make our livelihood.
Cybersecurity offers a livelihood people are learning at younger and younger ages from around the globe including, as it turns out, Rathdrum.
Ive been interested in computers since forever, said 15-year-old Hayden Carroll, a 10th-grader at North Idaho STEM Charter School, but these past two semesters, Ive gotten more involved in networks.
In a small wing of a larger North Idaho STEM classroom, Carroll sat with fellow computer science students Zander Land, Austin Kugler and Jordan Higgins. Higgins rejected the term hacker, calling himself a penetration tester while engaging in ethical testing.
Its wrong to go out and hack somebody and steal their information, Higgins declared. I only test frameworks and networks to find weaknesses, not to exploit them.
The four students are well-versed in computer programming language: Python, C, HTML and Javascript. Theyve already built up their certification credentials, and theyre currently using their talents to further their educations. For instance, Carroll developed an advanced calculator app for a 10th-grade class project, and Kugler wrote a program to encrypt and decrypt text.
You dont have to take a class to get started, Carroll said. There are apps and programs that will help you learn at your own pace.
Khan Academy offers one such program. Its an online learning platform North Idaho STEM students often use to learn. While all four boys predict college in their futures, cybersecurity experts urge experience as much as education.
Some of the best IT professionals are those with the passion and desire to want it, said Karl Betz, chief information security officer for TDS Telecom, a telecommunications company that announced earlier this week its plans to come to Coeur dAlene. Our best security guy, for example, just has a high school education. But he has the passion and the experience to handle the load.
Betz added that he has a constant need to fill cybersecurity jobs, which he said must include more than technical prowess.
You have to be flexible and open to understand the problem from a number of different viewpoints, he said. And communication skills are a must. You have to have that ability to communicate and interact with our business partners, from their front-end guys who build security to the board of directors. Ultimately, though, youve got to be a team player. You have to be able to brainstorm with others, troubleshoot the problem, find a solution and examine that solution after the fact.
Those problems and their solutions are not only for IT professionals in work environments to solve. Hacking affects residential bystanders, as well, Betz and Meline agree.
Anything is hackable if you have the time, persistence and funding, Betz said. Phishing for a customers credentials like passwords and account information is getting more and more creative. But your No. 1 vulnerability is you.
Betz gave an example where he will masquerade as TDS Telecoms CEO via phone or email, reach out to an employee and try to gain his or her information. While employees are usually mindful of the potential risk, he said that doesnt mean he should ever stop trying.
It never gets boring, he said, because you can never become complacent.
Meline agreed.
Most people have been trained to be nice, he said. Its what I call social engineering: I go in and pretend to be somebody Im not. Ill walk into a business or Ill call and ask for their password, or Ill bring in [an infected] thumb drive and ask them to plug it in. And they do it. That thumb drive will now give me all of their information. Its very, very simple.
Those random attempts flung from all around the world can come in the form of malware (software designed to harm your computer devices with viruses) and spyware (software designed to view or obtain information about your device activity), among other pre-programmed nuisances. They can rarely be traced, Meline said, because hackers will bounce their trajectories off multiple servers around the globe, and the sheer number cannot be handled by law enforcement, leaving consumers to fend for themselves. He warned that well-known should never be confused with trusted.
Dont mistake popular with safe, he said.
Meline added that hacking is about more than typing and sending code from a far-off corner of the world. Hacking ordinary consumers often involves a transaction at some point, either through email or social media to draw victims into a scam, including a well-known hoax people are still buying into today.
All its doing is preying on our kindness and preying on our greed, he said. Someone sends an email saying theres a prince who died in a country you cant pronounce with a family member youve never known, and hes leaving you all his money. All you have to do is give this small amount of money back your life savings and youll get this billion dollars. Its preying on people.
A version of this hoax nearly succeeded locally on Tuesday, when a victim walked into the Hayden Super 1 and tried to send money to one such scam. Customer service representatives onsite warned the customer of the scam and refused to comply, prompting the man to leave.
We are very trusting as human beings, and were taught that way, Meline said. But when we deal with hackers or criminals, we have to understand: Theyre doing their job. We expect them to do their job the best way they can. We have to do our job better than them. This is how I made it through law enforcement. I could very easily understand what theyre doing. I didnt agree with what they were doing, but they were just trying to be good at their job. Thats what they do.
Our job is to be better at ours.
Ultimately, Meline said its incumbent upon everyone to remain vigilant.
The worst thing you could do is close your eyes to it, he said. Hackers will hack, no matter what. Ignoring cybersecurity will not make the problem go away.
Gloss