Q&A: Michael Calce, Optimal Secure

He has since reformed, and established an information security and penetration testing company, Optimal Secure, about 18 months ago. He also recently participated in a documentary film with HP called “Rivolta” (the same name he gave his denial of service attacks in 2000), to raise awareness about the evolving digital threat landscape. Canadian Security spoke to Calce about what it takes to keep information safe today.

Canadian Security: How much more sophisticated are the threats today and how good are the defences?
Michael Calce: Obviously, it has evolved on both sides. If you’re a white hat hacker and a security professional, you’re kind of against the fence all the time, because, if you look at the way things have evolved — programs are so big now and there are so many things you have to worry about. The amount of lines of code that are in a program now leaves much more chance for a mistake.
It’s definitely increased in terms of the hacker aspect because a lot of these people are also state-sponsored; they have resources. It’s a lot easier to get into a hacking community today with all the resources and information that you have at your disposal. All these tools and exploits are available to you. You don’t really need to know anybody; you can just download it yourself and figure it out from the tutorials.
On the flipside… There’s a lot of security measures that are put into place. The way data is being put onto Cloud and people are more cognizant and using VPNs. It has evolved on both sides, there’s no question, but hackers are always going to have that edge.

CS: Are you seeing a lot of devices on corporate networks that are not properly secured or locked down?
MC: One hundred per cent. When I’m going to go do a pentest, a lot of these companies might have their front and back doors locked but the truth is, the hacker comes through the pipes. To me, when I do pentests and I see people’s security, they often overlook end points. There’s so many devices being connected to the network these days. It goes beyond mobile devices. Printers have become evolved as well. Printers have 240 functions these days. The way they operate on a network these days are a lot different than it used to be. I feel like a lot of these companies are not paying attention to that. Next to computers and mobile phones, printers are literally the largest group of devices in an office setting. It ultimately results in multiple blind spots if these devices are left unsecured.

CS: It seems like an almost insurmountable problem. What is the best way to tackle it?
MC: Really, you have to go to the root of what computers and the Internet are. If you’ve figured that out, you’ve realized that there never will be a 100 per cent fix, because the protocols that we developed the Internet and computers on do not have security built in. DARPA combined with CERN Laboratories are the people who developed this… It was meant to be a tool of communication [for] physicists talking to each other. Was it meant to be the tool of commerce that we’re using it as today? Absolutely not. We’re kind of just tacking security on as an afterthought. You can never make anything secure with that in mind, if your foundation is not there… The very best we can do is mitigate the risk… In most cases, it works. Unless a hacker is targeting you very specifically, they’re not going to spend too much time on you, because they would rather move on to low-hanging fruit.

CS: What about the social engineering aspect of hacking?
MC: Still to this day, it’s proven to be the most effective. The human element always proves to be the weakest. Social engineering is such a fantastic tool. It’s almost like people are begging to be manipulated. That’s proven time and time again. Just look at a lot of breaches that are going on. It’s through email phishing vectors. What is going on here? Either it’s people are not being trained enough or they don’t care. It’s still a huge issue. A lot of people are also doing this physically. You, for $50, can buy a [USB device] which will open a reverse shell or a number of things. People are dressing up… saying they work for an electric company and getting access to these companies. These attacks are still prevalent. In my experience, if someone hires me, I know for sure — any test that I’ve done, not once has social engineering not worked. It’s just that effective.

CS: A term that gets used a lot is “script kiddies” — people who may not have skills but are able to download exploits and deploy them. How big a threat are they versus skilled hackers?
MC: To me it’s equally a threat. Maybe the script kiddie might be even more of a threat because they’re much more destructive. Other hackers are dangerous, they they’re focused in what they’re doing. There’s structure there. With a script kiddie, it’s an unknown variable. You don’t know what they’re going to do.

This article was originally published in the May/June 2017 issue of Canadian Security magazine.