Ethical Hacker Inti De Ceukelaire talks about the biggest threats in the next 5 years, the best tips for security staff, the chances of being hacked and what to do when you are (not yet?) hacked.
If a Belgian - who is able to hack Google, Yahoo, Facebook, Playstation and, yes, even President Trump's Twitter account - wins the Most Valuable Hacker prize at the HackerOne conference, we feel it is high time for an interview about online security and vulnerabilities!
How are we doing?
As an ethical hacker you know your way around the security situation in our country. How are Belgian companies doing at the moment?
A whole lot better than five years ago. We have been making huge progress in recent years and I can only applaud that. We have also made significant progress in the legal field: GDPR forces companies to secure personal data. And, ethical hacking is finally legal. Large Belgian banks and retail chains are now working together with ethical hackers. We are on the right track, that’s for sure, but there is still a lot of work to be done. I think the work will never be completely done, of course, but we are on the right track and that is what counts.
Speaking about GDPR, is it more difficult for you to operate under these new regulations?
No. It's actually easier. Since companies want to do better on protecting their personal data, they turn to ethical hackers more often. As an ethical hacker, you limit the personal data that you might encounter to a strict minimum. Moreover, there are always clear agreements between the ethical hackers and companies about what can and cannot be done. So, customers of companies that work with ethical hackers have nothing to fear.
Which markets are most prone to security problems?
Security problems occur in every sector. Financial institutions have a large budget for safety tests, but on the other hand we know that they get more attention from hackers because hackers like to expose vulnerabilities in this market.
On the contrary, if you just look at the numbers, you’ll see that sectors that are less popular with hackers – think about local traders or sports clubs – have more security problems. But, the impact for them will be much smaller in case of a hack.
About threats now and tomorrow
Do you feel that companies today can adequately assess the consequences of a hacking attack on their company?
From what I gather, most companies mainly focus on their reputation in the event of a hack. They often forget about the financial damage or the data loss. Hackers can delete data or make them unusable and the fines in case of serious negligence can increase significantly. This is different internationally: I have seen companies pay just a hundred euros for a leak that could have easily cost them a few million.
Which type of threats are most likely to occur – and will that change in the future?
Almost every hacker will choose the most convenient way. Vulnerabilities in your system are often easy to detect. But even if your system is waterproof, people are often your weak links. Remember when the US presidential election got hacked in 2016 – that all started when an inattentive party member clicked on a simple Russian phishing mail...
Who are - in your opinion - the biggest threat: Belgian cyber criminals or foreign criminals?
Foreign hackers. Simply because they outnumber the Belgian ones to such a degree that I'm not even sure there is an amount to express it. What’s good to know is that in many cases, hackers don’t explicitly opt for hacking Belgian websites. Their search is very focused on vulnerable applications, which then happen to be Belgian.
What are the chances a Belgian company will be hacked?
You can safely assume that there have been efforts to hack practically every company. There are vulnerabilities in every company, the question is not whether they will be misused, the question is rather when. Some companies are better protected than others. So the impact is different for every company. If they are well secured, hackers probably won’t get too far.
Are larger companies still able to secure themselves without the help of external partners?
I want to believe that there are companies that do their best to secure their IT-infrastructure without external help, but they will never be completely safe. But even if they were, they will most likely still use toolsets and services that may contain vulnerabilities. No IT-infrastructure is unhackable.
"IT-students who graduate today are insufficiently informed about security problems. In most courses, at most a few lessons are spent on this topic."
Is securing software a full-time job?
Yes. Software security is extremely difficult. Even the IT-students – let’s call them the IT-staff of tomorrow – who graduate today are, in my opinion, insufficiently informed about security problems. In most courses, at most a few lessons are spent on this topic. Anyone who really wants to be informed about how to make something waterproof should be working on it almost every day. And even then it sometimes does not work: I discovered a serious vulnerability in my own code last week. Fortunately, I discovered it myself. Making mistakes is human, but it requires extra efforts to actively identify and improve them.
If you had to pick 3 security issues on which you cannot fail as a company, what would those be?
Above all: personal data. As a customer you entrust your data to a company and you expect that it is handled securely. Secondly: clear communication. If something goes wrong, this is a must. The PR team will always try to present things nicer than they are; go against this and be honest. Finally, every company must implement sufficient awareness and best practices for its own employees. Your system may be waterproof; as a hacker I only need one unwary employee to enter.
What will be the biggest security threat in the next five years?
This is very difficult to predict because the security landscape can be stirred up every day. Like last year for instance, when we suddenly had a ransomware epidemic. But we do know that it’s mostly new technologies that introduce new threats – like the cloud or the internet of things, if I can throw around some buzzwords.
Do you have tips for companies that have not been hacked?
Those do not exist. Next question.
Well, do you have a tip for companies that have been hacked?
Put your security in order. And start up a bug bounty program to attract ethical hackers so that we can be the bad guys.
How can you know your company has been hacked?
The best thing to do is just assume your business has been hacked. Ask yourself how big the damage would be and what you can do to reduce that damage, or to better identify the hackers, for example through extra logging.
Do you have a tip for people who work as security IT-staff?
Have your software regularly watched by external people. Often security problems are right in front of you but you do not see them because you are so used to your company and its workflow.
What about you?
For hackers with bad intentions, usually money is the motivation. How about you?
Believe it or not, money is also one of my drivers. With ethical hacking you can earn a lot of money – but in a legal way. Large companies reward hackers who report vulnerabilities in a responsible manner with a bonus. Of course, I also find it very pleasant; that prevails.
How much of your time do you spend on ethical hacking for companies?
Since I work for VRT, I do not have that much time to spend hacking outside of that. Currently I only hack during hack events. Every month I’m invited with a group of hackers by companies all over the world to test their software. It’s fun to work towards these kinds of events. Next month it will be in Buenos Aires!
Which techniques do you use to hack?
If there was a guide on how to hack everything, software could be completely safe. But that’s not the case. Every hacker is different and has different skills. So techniques differ for every style. But good or bad – we all have the same goal: intrusion. Usually there is a large portion of creativity involved and that is one of my strengths.
Are collaborations between companies and ethical hackers already established in Belgium?
Most collaborations arise through companies or via bug bounty platforms like Intigriti. We receive new Belgian customers every week. I can imagine most companies are at least already aware of the existence of such collaborations.
How do you stay ahead of the hackers? How do you learn?
Personally, I just try to do my own thing. There is still a lot to be discovered. I mainly fool around with things and occasionally I end up discovering a new vulnerability. When I find something, I share it with the other ethical hackers so that they can inform their customers, and vice versa.
Do we have enough ethical hackers in Belgium? Is there enough interest?
My mailbox reveals that there is a lot of interest coming from young people to start with ethical hacking. Unfortunately, the resources to learn it are rather limited, although I may soon change that.
We haven't had time to congratulate you on your victory: you have been elected Most Valuable Hacker at the HackerOne conference. As far as awards go, this is one of the most prestigious ones. Are there ethical hackers you look up to?
Absolutely. Even though I won that title, I sometimes felt like a small fish against other - legendary - hackers who were present at the time. The nice thing about the hacker community is that we all look at each other a bit. Everyone is good at something. We often help each other when we are stuck somewhere and that is very nice.
You've already hacked Google, Yahoo, Facebook, Playstation - Trump's Twitter. Is there still something on your wish list?
Your company. Invite me via Intigriti (the Belgian ethical hacker platform) and I'll take a look!