Cybersecurity How Can Ethical Hacking Make Us Safer
Category: Technology

Transcription
00:00 Okay, so yesterday we had two sessions on cyber security, one where we spoke about the preparedness of private companies
00:06 and then another one on state actors, how states are preparing their infrastructure, both private and public infrastructure, against
00:13 attacks.
00:14 Today we're changing camps and we're going to join the attackers to discuss something very interesting which is called ethical
00:20 hacking, and for this I'm joined by Rickard Carlsson, co-founder and CEO of Detectify.
00:25 So, hello Rickard.
00:27 Thank you for having me.
00:28 Welcome to VivaTech.
00:29 How are you enjoying it so far?
00:32 I arrived late, massive traffic jam from the airport.
00:35 That's the morning you lie.
00:36 That's when I expect sweet little lies.
00:38 In any case, while you enjoy after our talk, the rest of you still have three days ahead of us.
00:43 So, before anything else, before you tell us about Detectify, what is ethical hacking?
00:48 Hacking for me is when you penetrate a system illegally.
00:50 So, how do you make that ethical?
00:52 I think you made a wrong assumption there in one of the words.
00:55 You said illegal.
00:56 And I think that's the clear thing between ethical hacking and not ethical.
00:59 Of course, I guess ethical hacking has come more to the scene because organizations are inviting freelancers, under different
01:09 types of responsible disclosure programs, to attack their systems, to help with security.
01:15 And you take, you know, use the public knowledge in a better way.
01:19 But the problem is, I guess, in many countries, from a legal point of view, there's no such thing, actually,
01:25 as ethical hacking.
01:27 Because hacking is only defined as when you're trying to do something bad towards the system.
01:32 And the question is then, how do you look at intent, whereas if someone has good intent versus bad intent?
01:38 And that's typically when you start to look at ethical and unethical hacking.
01:42 But from a legislative point of view, there's not such a clear differentiation.
01:46 So, if I heard you correctly, the legislator is not looking at the intent, but at the action.
01:50 They don't care if you're doing it for the right reason.
01:51 But once you're hacked, that could be a gray zone in some parts of the world.
01:55 But why do we need ethical hacking?
01:57 What kind of problem does it come to solve?
01:59 Because the problem with cybersecurity, compared to many other industries, is if you're trying to build a system, you can
02:05 do 999 things right.
02:07 But it's enough that there's one person out there that has a new trick up their sleeve that will try
02:13 to get into your system and can take it down.
02:15 So, the more people that are able to help on protecting and finding issues, the better we are.
02:22 Because it's about using the collective knowledge to make the general systems better.
02:28 Okay. So, if there's an incident, if somebody now hacks my bank account and manages to steal the little money
02:33 I have left there, whose fault is it?
02:35 Is it myself for not putting the right measures in place?
02:38 Is it the bank? Is it the infrastructure? Is it the state?
02:40 Who's there to blame? Or is it a bit of all of us?
02:42 And I think that's where you put the problem really clear, because most people in a society, they know very
02:51 little about IT security.
02:53 The only thing you can get them to, I mean, take your parents or grandparents or something like that.
02:58 You can tell them to not click on shady links, maybe.
03:01 You can maybe tell them if someone calls and tries to scam you, hang up.
03:06 But then, where does the responsibility of the individual end?
03:11 Because they cannot really protect themselves all the way.
03:13 So, it's actually up to the people building and constructing systems to make, so to say, the system safe enough.
03:21 So, in many cases, if someone steals money from your bank account, then I think it's actually a flaw in
03:27 how the system is being set up.
03:28 And if you look, for example, different countries have come different lengths on this.
03:33 If you look, for example, in the US, you still use a lot of these, oh, what's your grandparents, mom,
03:38 what's your first school as identification?
03:41 And it's been ruled out that that, of course, doesn't work.
03:44 And that's because they are stuck in a system where they, for example, don't have a strong digital identity, like,
03:51 I guess we're going to see in the next session after, that Estonia has.
03:53 Because they've rolled out the e-residency to make, so to say, validation much better.
03:59 So, it's both an individual problem, but I would rather say it's a problem in the system.
04:04 To go back to the previous scenario of my bank being hacked, my account being compromised.
04:12 If my bank had used ethical hacking in order to try to protect itself, what would that look like?
04:17 So, what is the workflow of reaching out to the community of hackers, and how would a company, a bank,
04:23 or any other, actually integrate the results of what those benign hackers are telling it?
04:29 I mean, there are different ways.
04:30 People can use responsible disclosure programs, you can use different tooling, you can reach out to the community.
04:35 But I think the difference is you need to understand, or you can use ethical hacking inside of your company
04:41 as well.
04:41 But I think what you need to realize is you need to involve much more people than normally.
04:48 Because traditionally, organizations have seen cybersecurity information as something that needs to be protected to a small group of people.
04:56 That is dangerous to spread.
04:58 We have customers that are banks that are saying, no, no, no, we cannot trust the vulnerabilities directly with our
05:04 software engineers, because they might exploit them.
05:07 But if you don't trust your internal employees with information, how will they then be able to build safe systems?
05:13 So, I would say you need to look at it from both an inside point of view, and also an
05:17 outside point of view, to allow more people to help out in security.
05:22 So, when you say our clients, you work at it, you founded Detectify.
05:26 Can you tell us in a few words what it is that you're doing for your clients?
05:28 We are sort of leveraging ethical hacking.
05:32 We're not the classical responsible disclosure bug bounty platform.
05:36 But what we do is we have a group of hackers, or sort of a few hundred people, that when
05:42 they find new attack methods...
05:44 They're not your employees.
05:45 This is a community of volunteering hackers?
05:48 Yep. So, when they find new attack methods for a new software or a new bug, they can send that
05:56 method to us.
05:57 We automate that method, and then we run those tests on our clients.
06:02 And then we give the ethical hacker, in this case, a reward back for every time that their module finds
06:07 a vulnerability.
06:08 So, it's like the combination of automation and humans.
06:11 Could that be a profession? Can I make a living out of finding new hacks and informing companies like you?
06:16 You can decide if you want to do it on an ethical side or on an unethical side.
06:19 Either you can sell it to shady state-sponsored actors through platforms like VUPEN, or when NSO was active, was
06:28 buying things, or selling it to criminals.
06:31 And then you can make millions.
06:33 I suspect, I was going to ask, I suspect that the criminal side might be more lucrative.
06:37 Might not always be.
06:38 Not to encourage anybody here in the audience.
06:40 Not might be, actually, because the non-criminal side or the more ethical side is actually starting to pick up.
06:48 Because also, then you know the money is safe and clean, and you can actually use it.
06:53 You don't have to have it on some strange Bitcoin account in places.
06:59 And now with Bitcoin crashing, I think, yeah, criminals are losing money.
07:02 So, in your case, you would get the recommendations that you crowdsource from your community.
07:08 They would be in the form of some kind of a protocol.
07:10 People would tell you, I discovered that this new problem now exists.
07:13 You would run tests on it, on your clients, I presume.
07:16 And once you found that the hacker was actually onto something, then they would get paid.
07:21 Back to my example of the bank.
07:22 What would your client then be doing with your new protocol?
07:25 Then they would start preparing new defense protocols against that specific hack.
07:29 They would hopefully try to route that information as fast as possible to the responsible team
07:34 that owns that piece of software and fix that.
07:38 Out of curiosity, do you also charge your clients based on specific solutions, or is it more of a retainer?
07:42 More of a retainer.
07:44 Okay.
07:44 So, same thing.
07:45 Maybe you have Spotify, or over in France maybe you have a Deezer subscription,
07:51 and then the artist gets paid based on what things you do.
07:53 They need to make sure that your community is vibrant and active and sends you on a regular basis new
07:57 hacks.
07:58 Yep.
07:58 Which is an interesting business model, which, I mean, there are many panels here about the future of work after
08:04 the pandemic.
08:04 So, here somebody could be sitting on an island someplace, spending their days looking for new hacks,
08:09 informing you and getting paid for the next cocktail.
08:13 And speaking about now the impact of the pandemic, the fact that so many of us are working remotely,
08:18 has that created new vulnerabilities?
08:20 I mean, I think, to be honest, I don't think the pandemic has impacted security at all.
08:26 I think it's partially bullshit by some marketing agencies and journalists.
08:31 It's not easier to secure a physical setting than devices that could be private or corporate.
08:36 If you had your corporate defense based on the perimeter of your facility, you were a fool in the past.
08:45 Say it again.
08:45 So, if you said that just because you're inside a perimeter, then you should be trusted.
08:53 That's a very naive approach to security because the best way is you can see it every year how people
08:58 do social engineering
08:59 and can get into the most secure places by pretending to be carpenters or handymen or the facility person
09:08 or pretending to be an employee or tailgating someone in.
09:11 So, if you did your security based on a perimeter, I think you were very naive.
09:17 I was assuming maybe that's naive, but that it's a combination of having a corporate device on the premises of
09:23 the corporation
09:24 with my password and that all of those together are supposed to keep you more secure.
09:28 Now, if I'm using a separate device, on which I might use different apps that might try to compromise it, phishing,
09:34 etc.,
09:34 and then I do it from a network which is not secure, and that's where the problems arise, no?
09:38 Yeah, but if you haven't had that in your threat model in the past, because all companies have had employees
09:42 traveling in the past.
09:44 Yeah.
09:45 So, if you haven't had that as a threat model...
09:47 Okay, so for you, there's no big alarming message based due to hybrid or remote working?
09:54 Not really.
09:56 It's more of the same.
09:56 Yeah, because if you haven't considered it in the past, I think you have been naive.
10:00 Okay.
10:01 And for, I guess, the only thing that happened, well, I guess, the thing that the pandemic, I guess, maybe then
10:07 shifted was,
10:09 you shifted, some people say you shifted 10 years in digitalization, so, of course, more of the economy became digital,
10:15 and hence, because cybersecurity attacks the digital economy, of course, cybersecurity became more important.
10:21 But I wouldn't say it was because of the remote work.
10:25 It was more of the increased digitalization of the society.
10:28 Is it easier for you to get hackers now through your community, now that people are working in different hybrid
10:33 ways, digital nomads, etc.?
10:34 The hackers have always been digital nomads.
10:38 They knew it all before.
10:40 They didn't need the pandemic to discover that you can work from an island.
10:42 Yeah.
10:43 I understand.
10:44 Any other trends other than the pandemic?
10:45 If that hasn't impacted your industry, then do you see other trends in the past years that are changing, disrupting?
10:51 I mean, I suppose that the entire ethical hacking concept is relatively new, or am I wrong?
10:58 It's not fairly new.
10:59 I think, I mean, the first company that actually offered, or reached out to, ethical hackers, one of the first was
11:04 actually PayPal.
11:05 And they did it, I think it's almost maybe 10 years ago now, that they offered, you know, had a
11:09 first saying that says,
11:11 hey, please help us with our security, and we won't press criminal charges against you.
11:16 But what you explained to me before is not exactly the same.
11:18 That you called bug bounty, when a company is asking to be attacked.
11:22 Yep.
11:22 So you're saying PayPal was kind of the...
11:24 They were the pioneers.
11:25 They invented this concept, which is very bold, I have to say, to invite the public to go and attack
11:29 it.
11:30 Was it on some kind of a testing environment, or they actually invited people to attack their own...
11:35 Yeah, they did it on their...
11:37 And what happened? Did they collapse?
11:38 No, no, no. I mean, I think they became safer.
11:41 In the immediate term, when they just said, come attack us, what happened?
11:45 I mean, of course, I don't know exactly.
11:48 I don't remember exactly what, you know, what the cause was, because I wasn't on the inside of PayPal back then.
11:52 But in general, that created the whole notion that we need to use the wisdom of crowds and of
12:02 the masses in more ways in security.
12:04 So crowdsourcing is everywhere, every kind of knowledge, including in how to protect a company from attacks.
12:13 I mean, the first examples of crowdsourcing, I think, were when, for example, Lego started crowdsourcing Lego models 15 years
12:22 ago or something, or maybe 20 years ago now.
12:24 When they invited people to say, hey, Lego enthusiasts, please submit your drawings, and we might put them into production.
12:32 Instead of having all their in-house people building and designing Lego models, they're starting to leverage the whole crowd
12:39 and community to get in ideas for new models.
12:44 So speaking of getting new ideas, do use the online platform of VivaTech, because we are looking at what
12:49 you're sending us, whether it's questions or new ideas or suggestions to our speakers now and ahead.
12:55 Yesterday, we made the distinction between private and public actors.
12:59 Do you see among your clients, or in ethical hacking in general, also states that are bold enough to say,
13:04 come attack our servers, and we'll see what happens?
13:06 There I am.
13:07 Actually, I mean, also, the notion of leveraging the crowd has come to the state as well.
13:13 I mean, of course, a lot of this started in the U.S., and they were, I guess, first Department
13:19 of Homeland Security.
13:21 The DOD, the Department of Defense, was fairly early out in these things.
13:24 So I think the legislation is changing in more and more countries to say, because we have had examples in,
13:32 we had an example in Sweden where a 16-year-old guy hacked a municipality, and he did it first
13:42 to say, hey, I can access my grades.
13:44 I can access the journal system.
13:46 So he was an ethical hacker.
13:48 That could only happen in Sweden.
13:50 Yeah, but the problem was, the municipality did not react, because they were not expecting this.
13:55 So they ignored him for a few months, and then he started to install cryptocurrency miners on the municipality servers,
14:04 and he changed passwords.
14:06 And then suddenly there, he, of course, crossed a line, and they actually pressed charges against him, and he got
14:12 convicted.
14:13 And now he's your head of product.
14:14 No, but he actually got convicted.
14:16 Oh, really?
14:18 Okay, so they did not see it as ethical at all.
14:20 No, because it was not ethical, because he installed crypto miners on the...
14:23 Although his initial intent was to make a point.
14:25 Yes, but he felt that, okay, they're not listening to me.
14:30 Interesting.
14:32 We are nearing the end.
14:34 I'd like to ask you if you have any call to action, whether for the general public who's concerned by
14:39 their own cybersecurity,
14:41 your community of hackers, your companies or states that are concerned, I would say one conclusion you take of your
14:48 story is maybe municipalities and states.
14:50 If you get hacked, yes, if it's criminal, you may have to take action, but it might also be a
14:55 good moment to look inside and see how to make your systems more secure.
14:59 In the case of a municipality, it's what they owe to their electorates.
15:02 I mean, it's not even their own data.
15:03 But any message, a bit less by now than mine, that you would want to send out on how we
15:09 should all be more careful and perhaps how to use ethical hacking?
15:12 I think there is often a question in security: oh, what's your number one tip?
15:17 How can I be more secure?
15:19 And I say, yeah, if you think there is a number one tip, again, it's very naive because the ideas
15:27 vary, of course, depending on your threat model.
15:31 So I guess, and it's a very theoretical thing to talk about the threat model.
15:36 But if you are an individual with your bank account and maybe your Facebook or Instagram or Snap or TikTok
15:43 account, of course, you have one threat model.
15:46 If you are as an individual or human rights activist operating in the Middle East or in Russia or something, then
15:55 your threat model, even as an individual, is, of course, completely different.
15:58 Because then you actually might have state-sponsored actors that are trying to access you.
16:03 I mean, you have had, I guess, examples also with public officials, I think, in Spain that have been monitored
16:09 by the intelligence agency of Spain through hacking with software from Israeli NSO.
16:18 So depending on who you are, if you are a public person, a journalist, of course, your threat model is
16:24 very different from the general person.
16:28 One interesting question, or I know there's another one that came through the digital platform, is how do people learn
16:34 how to hack?
16:35 I'm sure there are a million different stories, but maybe from your experience, from your community of hackers, do they
16:41 go through some kind of training?
16:42 You mentioned they always tend to be very young.
16:44 I don't know why.
16:46 Not always.
16:46 They seem to get better as they get younger, but, I mean, is there a typical kind of profile of
16:51 hackers on either side, the ethical or unethical?
16:54 Do they go through some kind of training, or do they just spend time on whatever platform and teach themselves?
17:01 It takes time to, or, I mean, some people can get good at it in a few years, but it
17:07 takes a bit, a lot of time and practice.
17:09 Some people come in from a pure pen testing security point of view, but also some of the best hackers
17:16 actually come in from a software engineering and a developing background,
17:19 because they have made the mistakes through their daily life and when they're working and learned how to, I normally
17:28 build systems this way, maybe I can find a way to break them,
17:31 or I normally make mistakes this way, then I can break them.
17:34 So they understand the inside versus a pen tester, a hacker that comes purely from the security side.
17:39 If I understand the intention of the person who sent that question, if somebody doesn't know much about hacking, but
17:43 wants to become a hacking warrior, an ethical hacker, how does one become a hacker?
17:47 YouTube, Google, GitHub, that's the best place.
17:52 So there's no formal training, you actually need to get your hands dirty.
17:54 Of course there are formal trainings like ethical hacking 101 at some universities that have it.
18:00 In universities, ethical hacking 101, that exists?
18:02 Yep.
18:03 Because there's a massive cyber shortage of people that need to do it, and the industry, we need to have
18:09 the formal education system also to educate some of them,
18:11 even though that might not be the best route to do it.
18:16 Perfect.
18:16 Perfect. That brings us to the end of this third session on cybersecurity.
18:20 As I mentioned yesterday, it should still be on the digital platform.
18:23 We had one with corporates, one with state actors, and now we switch sides to the side of the hackers,
18:30 but the good guys, the ethical hackers.
18:32 Thank you very much.
18:32 I learned a lot during this session.
18:34 I didn't know there was such a thing.
18:36 So thank you so much for being here.
18:38 If you only arrived this morning, I strongly advise you to walk around and explore.
18:42 We'll do that.
18:42 Spy at the other stages, but don't forget where you come from, stage three.
18:46 Thank you for being here with us, Rickard.
18:48 We will be back in just a few short minutes for a few technical preparations for our next block, which
18:52 is going to be on Web3.
18:55 So don't go anywhere.
18:56 Stay with us, whether you're watching us online or here in the audience.
18:59 We'll be right back.