Accessed & Compromised: An Interview with a Hacker

Peiter 'Mudge' Zatko could smash your network in minutes. Learn from him before then.


Any action that I could advise upon without a context around it would most likely be incorrect. In some situations the correct response might have to be immediately disconnecting or stopping the transmission. In other scenarios the correct solution might be to communicate out of band from the video transmission and allow it to continue. In yet other cases intentionally falsifying the stream to mislead the interloper might be the prudent action. No matter what, the security response taken needs to be correct for that environment. This is one of the reasons I have become very disappointed with many third party vulnerability warnings and ranking schemas. Without knowledge of the value something is to my operations, it is remiss of people to apply seemingly arbitrary severity levels to autonomous technology threats. Worse yet, it is often misleading to people in that it might improperly elevate or degrade the perceived risk to a particular theater of operations.

What safeguards are on the horizon that an end user will be able to employ to deter and prevent unauthorized intrusion?

I have not been impressed with recent solutions from the industry on the defensive side. Oftentimes, if an environment, or surveillance deployment, is thought through before being deployed, then a large part of the risk and opportunity is mitigated at the outset. Unfortunately, too often people do not think about the environment they are deploying into and simply use the most convenient and easiest solutions.

I am reminded of several wireless access point installers setting up commercial installations in the default, entirely open and insecure settings. When asked why they did not enable any of the protective mechanisms and settings that the products offered, they responded that nobody cared about it. Most likely, the recipients of these deployments did not know that their networks were being set up in entirely open/insecure modes and thus were accepting more risk than they were aware of. Similar situations have been stumbled across with wireless security video feeds inside biotech and other industries. These feeds are trivial to pick up with current Icom, or similar, radios.

The use of multi-factor authentication, such as having to provide a password and a fingerprint scan (and sometimes even the presence of a "smart" access card), is all the buzz in the industry right now and is being used by the companies that understand the importance of security on company networks. IBM even recently added the fingerprint scan to select versions of its ThinkPad series. What are you seeing in terms of trends for this kind of authenticated access? Will multi-factor authentication for corporate networks become a standard in the near future?

There are primarily two ways to approach biometrics: authentication and identification. In the authentication approach the user states who they claim to be and then provides a biometric input. If the input is within an acceptable deviation of the stored "signature" in the database, then it is accepted. If not, then it is rejected. With the identification approach the "signature" is compared with a database of stored "signatures" in an attempt to find a match (hopefully only one) within the accepted deviation allowance. While these approaches might seem obvious, it is surprising how many vendors use the wrong approach for their intended purposes.

I feel there is promise in this area but a fair amount of progress still needs to be made. When dealing with biometric devices I am more comfortable when there is an actual unique challenge/response mechanism in place and that the underlying database of information and the communications channels in use have been vetted and are well understood. After all, how many times can you change your password if it is your fingerprint and it is being stored unprotected or transmitted across the network in "cleartext"?
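The distinction Mudge draws between authentication (1:1, the user claims an identity and one stored signature is checked) and identification (1:N, the sample is searched against the whole database) is easy to state and easy to get wrong in code. The following is an added example written for this page, not code from the interview or from any biometric vendor: the user names, the three-element "signature" vectors, the Euclidean distance measure and the tolerance value are all constructed assumptions. It shows why a 1:N search can return more than one candidate within the deviation allowance, and why an identification routine should refuse to answer rather than silently pick the nearest one.

```python
"""Added example: 1:1 biometric authentication versus 1:N identification.

Everything here is constructed for illustration. Real templates are far
richer than three floats, and real matchers use model-specific scoring.
"""
import math
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed enrolled "signatures" keyed by user id (assumed values).
TEMPLATES: Dict[str, List[float]] = {
    "alice": [0.10, 0.80, 0.30],
    "bob":   [0.90, 0.20, 0.60],
    "carol": [0.12, 0.78, 0.33],   # deliberately close to "alice"
}

# Maximum accepted deviation between a live sample and a stored signature.
# Assumed value: raising it admits more impostors, lowering it rejects more
# legitimate users (the false-accept / false-reject trade-off).
TOLERANCE = 0.10


def deviation(sample: Sequence[float], signature: Sequence[float]) -> float:
    """Euclidean distance between a live sample and a stored signature."""
    return math.sqrt(sum((a - b) ** 2 for a, b in zip(sample, signature)))


def authenticate(claimed_id: str, sample: Sequence[float]) -> bool:
    """1:1 check. The sample is compared ONLY against the claimed identity's
    signature; an unknown claim is rejected without searching anyone else."""
    signature = TEMPLATES.get(claimed_id)
    if signature is None:
        return False
    return deviation(sample, signature) <= TOLERANCE


def identify(sample: Sequence[float]) -> List[Tuple[str, float]]:
    """1:N search. Every stored signature is compared and all candidates
    within tolerance are returned, nearest first. More than one hit is the
    'hopefully only one' ambiguity the interview points out."""
    hits = [(uid, deviation(sample, sig)) for uid, sig in TEMPLATES.items()]
    return sorted((h for h in hits if h[1] <= TOLERANCE), key=lambda h: h[1])


def identify_unique(sample: Sequence[float]) -> Optional[str]:
    """Identification that only answers when exactly one candidate matches.
    Picking the nearest of several hits would turn an ambiguity into a
    silent mis-identification."""
    hits = identify(sample)
    return hits[0][0] if len(hits) == 1 else None


if __name__ == "__main__":
    # Constructed live samples: a slightly noisy reading of alice, and of bob.
    alice_live = [0.11, 0.79, 0.31]
    bob_live = [0.88, 0.22, 0.62]

    print("authenticate(alice):", authenticate("alice", alice_live))   # True
    print("authenticate(carol):", authenticate("carol", alice_live))   # True: near-twin inside tolerance
    print("identify(alice):", identify(alice_live))                    # two candidates
    print("identify_unique(alice):", identify_unique(alice_live))      # None: ambiguous
    print("identify_unique(bob):", identify_unique(bob_live))          # 'bob'
```

Note that a 1:1 authenticate call accepts the wrong claim "carol" for alice's sample because the two enrolled signatures sit within the tolerance of each other; the 1:N path at least surfaces that collision as two candidates, which is the kind of property a deployment should understand about its matcher before choosing which approach it needs.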

After years as a hacker, a software developer, and now a leading consultant, in your opinion, is the belief in a "secure network" really just an oxymoron?

Without an understanding of what it is that is attempting to be secured, how the network needs to be accessed to conduct business, why it needs to be secured in the first place, and what the ramifications, remediation, and reconstitution efforts would need to be if it were to be compromised... then "secure network" is not just an oxymoron, it is a non-sequitur.

Do you ever foresee a time when being a hacker will be as antiquated as being a blacksmith? What would it take for that to happen, or is that scenario even remotely plausible?

Not for the definition I have always attached to the phrase "hacker". From Eric Raymond's Jargon File a hack is described as follows (and I don't think either definition will, or should, ever become antiquated):

---

The Meaning of 'Hack'