Professional hackers reveal why most companies don’t stand a chance
It’s a typical Tuesday for Ben as he logs into his computer at work and starts to hack into a Fortune 500 company.
“If I take control of this, I take control of the modem at the bank,” said Ben, whose real name we are not using to protect his identity.
It’s dark, except for the blacklight and three LED Christmas light strings spraying dots of vibrant color across the ceiling of the 12-cubicle office.
Ben is a senior information security analyst at Minnetonka-based FRSecure.
You could also call him an ethical hacker or a legal burglar, because essentially, he gets paid by companies to break in and steal their information, then report back how he did it.
“To be an attacker you got to think like the attacker,” he said.
He has stolen health records, trade secrets, social security numbers, you name it. He says he has stopped counting how many businesses he has hacked. He can also speak binary coding language with his fingers (meaning, he knows computer code sign language).
“That’s one of the things that sets us apart from the bad guys, we have rules,” said Evan Francen, CEO of FRSecure, who started the company 10 years ago.
In that time, the business of benevolent burglary has boomed, growing from just one employee to 72.
“They might be doing some phishing attacks, they might be doing some penetration tests, they might be doing some reconnaissance on the next test they are going to run,” said Francen while overlooking the hackers at work.
The idea is to find any seam or weakness a company has and patch it before a hacker strikes.
Just last year, there were 1,579 data breaches in the U.S., a record, according to the Identity Theft Resource Center.
According to a report by Shape Security, last year more than 2.3 billion credentials from 51 different organizations were reported compromised.
But protecting businesses from online hacks isn’t the only part of FRSecure’s business.
“We have a saying: It’s easier to go through your secretary than it is to go through your firewall,” said Francen.
Francen says that businesses are most vulnerable because they have people. Unlike a firewall with passwords and two-factor authentication, which can be quite secure, it is the employee who is always more vulnerable.
In one undercover video, a construction worker escorts Ben through a secure door while saying, “Yeah, I was told a three-piece suit or some bum off the street, don’t let them in unless they have clearance, so.”
In another video, Ben has gotten inside a company’s building and is looking to access the data center. In the video, a manager sees Ben’s fraudulent badge not working on the keypad to the server room. The manager then asks if Ben was the person who needed the new laptop. The manager proceeds to unlock the door with a higher-level badge and then types the four-digit passcode into the room in front of the undercover camera, giving Ben access to the business’s most sensitive data room.
“I could grab that, clone the badge, go back and have his code and have complete unescorted access into their most secure facility,” said Ben.
Sometimes, he doesn’t even need to show up.
Ben played a taped phone conversation between him and a Minneapolis business human resources manager whom Ben cold called. He tells her he is a contractor trying to get employees’ confidential ID numbers – which is actually the truth, Ben mentions.
At first, the manager asks the right questions.
“OK, what is your name again? Are you downstairs?” she asks. “I haven’t heard of this going on so I wanted to make sure I’m not giving out information I’m not supposed to.”
A few questions later, she gives up the information.
I asked Francen if he’s ever been arrested while doing these tests.
“Booked and charged? No. Arrested, yes,” he said.
His team carries a note from the company they’re breaking into with a phone number to the boss in the event security or the police question what they are doing, which does have to be used on occasion, they say.
So, why help companies when you have the know-how of any top-level nefarious hacker?
Why go the Superman route instead of the villain route?
“I love people. I love helping people. I hate cheating. I hate when people take advantage of other people. It bothers me. I take it personally,” said Francen.
So he’s made his life’s work personally breaking in, to keep the real criminals out.
Here are a few more stories from Ben and other “ethical hackers”:
Ben shares the story of a CEO who thought his company’s security was rock solid. But Ben and his team got right in.
“We tailed some of the IT personnel with badges. Found out that they had a bowling night. We pocketed one of the badges while they were bowling, went back to the office, and with that badge we had full access,” said Ben.
When they were done, they simply slipped the badge back to the employee at the bowling alley.
Here’s another con Evan Francen, CEO and founder of FRSecure, says works all the time to get into businesses: dressing up like an exterminator. Francen says he “got a clear plastic specimen box, put a scary looking spider in it.”
He then walked up to the front desk saying he was called to exterminate them. “Are there places around here that have high heat like a server room or electrical closet?” Francen said he would ask the receptionist. He said, every time, a person would lead him to the data security room where he would be left alone with a company’s most secure data.
Francen recalls once being questioned by a police officer while digging through a dumpster behind a company he was testing. He told the officer that he was hired as a contractor to test the company’s security. The officer bought it, and soon, Francen says, the officer was helping him in the search for sensitive documents.
Election security Q&A: What are bot farms and why do hackers target elections?
Election Hacking is a weekly series from News & CNET about the cyber-threats and vulnerabilities of the 2018 midterm election.
Over the weekend, CNET senior producer Dan Patterson hosted a live conversation on Twitter and . Viewers asked some of the biggest questions they have about potential hacking threats to our election system, and they also learned what is being done to prevent them.
Patterson joined N Wednesday with some of those questions and answers:
Q. Why don’t we just go back to paper ballots? At least they can’t be hacked.
Patterson: This was a very common question. And it seems like a common theme through the entire series was: Look, if it can be hacked it probably will be hacked at some point, and that includes election machines and election computers.
Through the course of our reporting, we learned a lot about how not just voting computers work, but the entire process. And as we move into this digital age of connected devices — we call it the IoT, the Internet of Things — more and more election systems probably are and will be connected in the future, which means that it probably is a good idea to have a paper backup or an audit trail — something that is a hard, non-digital receipt of your voting record.
Q. Why do professional hackers target elections?
Patterson: So, the motives of hacking an election are kind of as broad as the number of vulnerabilities that exist and the types of hackers, and we did cover this in previous episodes. So, hackers attack elections for a few specific reasons. One is obviously political. Whether you’re a nation-state, a lone wolf or a hacktivist, or you are a private organization, an oligarch, or a company like Cambridge Analytica, the goals kind of differ.
For China, Russia, Saudi Arabia, the goals are obviously political. For a hacktivist group or organization, those goals can be political as well, but a little more nuanced. And that can kind of vary, whether it’s Anonymous or New-World Hackers or a different group, those goals kind of depend on what they want at that particular moment.
With private organizations, it’s very easy for us to kind of look at the IRA [Russia’s Internet Research Agency] or the GRU [Russian military intelligence agency] or Cambridge Analytica, but there are also companies like Devumi here in the United States that sold fake followers, and those tie into what we call social proof. So that is: if you have more followers, or it looks like you have more followers, you’re more influential and carry more weight. So, that ties into influence campaigns and the use of social media to not necessarily hack one particular vulnerability, but to kind of do what we call cognitive hacking, which is hacking our minds.
Q. Since 2016, we’ve learned about the various influence campaigns and have this new sort of dictionary of words that we never knew anything about before. You’ve talked about hacktivists and bot farms. Go over again what they are?
Patterson: So this again ties into the IRA and the GRU. We did see this in Saudi Arabia. What Russia did is hire almost like a company. [In Saudi Arabia] there were employees, they went to an office, they checked in, they had systems administrators. They had people who were coding algorithms. … They were paid almost $3,000 as individuals to create fake and spam accounts, and once one got banned or blocked they would start another one. Some of these companies and individuals create algorithms that will kind of do this at mass scale.
A bot farm is kind of colloquial language that refers to the organized effort to create spam accounts on social media.
Q. Some people wonder if whoever loses the election is going to blame hacking. If Republicans lose, they’ll say hacking. If Democrats lose, they’ll say hacking. What’s your response to that?
Patterson: So this is, again, a very common refrain, and it’s very important that we address this, because hacking and election security is a non-partisan issue. We spoke to dozens of individuals on both sides of the aisle who are experts and they want us to all understand that our democratic process is very important. It’s very important that we go and vote and feel a sense of trust and security.
Hackers can target particular systems, but they are not necessarily taking one particular side. They may take a side in individual elections and all of the actors that we have discussed may have their own agendas. But hacking is a non-partisan issue, and if we get mired into a mud-sling on the left or the right, or any particular issue, it’s a diversion from the real issue.