The Internet creates a wealth of economic opportunities--for corporations and criminals alike. Taking "know thy enemy" as our mantra, Debriefing spoke with a young Asian hacker who easily penetrated the databases of several large U.S.-based corporations, and whose exploits made him a top priority of the U.S. Federal Bureau of Investigation. His advice for dealing with foreign cybercriminals sounds strikingly like the hacker's own MO: Knowing what makes your antagonist tick is the key to getting the result you want.
CSO: Do you think it is more difficult to hack into U.S. corporate networks today than it was four years ago?
If we are talking about the network that existed four years ago and exists now, then it would probably be more difficult (especially if during those years a given target had experienced trespasses by hackers).
If it is a recently developed network, then chances to get access are probably better.
In general it is easier for hackers to get access to networks in countries with growing and well-developed economies, because such companies have resources to expand their networks. In third-world countries, the companies do not have the ability or resources to expand the networks, so they have to fine-tune them and work with what they have.
Should U.S. companies worry about hackers in Russia and other countries?
I think hackers from countries where the economy is less developed than the U.S. economy are more motivated by money than by pride when they start trespassing on U.S. companies--as opposed to U.S. hackers, who I believe are motivated more by pride than money. (There are many other ways that you can make money in the United States.) Also, money is a stronger motivator than pride. That's why people motivated by money are more dangerous. Hackers are businesspeople (if they are motivated by money). In most cases, they are probably just having difficulties in their countries finding and exploring opportunities to work.
If a company that is hacked into can explore with a hacker his or her talents in a more peaceful way, the victim can only benefit. If these hackers are businesspeople, they can be redirected by being offered a better deal than the one they might get by creating pressure through hacking. I deeply believe in this point. (It is hard, however, to generalize too much because every case involves different kinds of people and different circumstances.)
What security measures offer the best protection against hackers?
Keep the hackers occupied (if you recognize them as a threat). This might be somewhat similar to what some countries have done with their nuclear scientists--Russia, for example, keeps them under close supervision and treats them well, but above all keeps them busy professionally.
Is there a certain type of network that is particularly easy to hack?
There are two types. First, those that develop custom software. They usually invest money in developing the features that software provides, but often forget about securing parts of this software. (For example, an important difference is the one between public and custom-developed software.) The second type is where there is a breach in the company's infrastructure. It is not the hacking per se that is dangerous; what should concern the company is being taken advantage of by the use of that information. For example, if one got account numbers of users of PayPal, the hacker could then contact the users in huge numbers and attempt various kinds of fraud.
Will security technologies ever be able to keep hackers out, or will hackers always find a way into corporate networks?
Software and hardware can be improved to protect against trespasses. But then hackers will concentrate on security breaches in the infrastructure of a company, or do "social engineering." The ultimate goal is to obtain information for subsequent use, and hacking is just one of the many ways to obtain it.