a16z Podcast - a16z Podcast: How Hacks Happen (Let’s Just Say Mistakes Have Been Made)
Episode Date: April 18, 2015
It seems like we hear about corporate (not to mention consumer) hacks in the news every week. Is this something new, or just a continuation of old patterns and we just happen to be hearing about it more now? In this segment of the a16z Podcast, longtime security investigative reporter Kim Zetter of Wired -- who also wrote Countdown to Zero Day, the definitive account of Stuxnet, the first digital virus that wrought physical destruction (on a nuclear facility) -- breaks down how hacks happen. What's old (like phishing), what's new (like spear-phishing and ransomware)? How are players around the world -- whether for government or economic espionage -- becoming ever more sophisticated, coordinated, and organized? And what can companies do? Zetter shares her observations on how security models have changed -- for example, from defensive to offensive -- to how she susses out the truth when different players communicate about or claim hacks. (Which is one of the reasons that Zetter questions North Korea's role in the Sony hack...)
Transcript
Welcome to the A16Z podcast. I'm Michael Copeland, and I am here with my partner in crime,
Sonal Chokshi, today. And we are lucky to have Kim Zetter, a senior staff writer at Wired,
who covers all things security. Kim, welcome. Thank you very much.
So, Kim, you know, we wanted to actually talk to you about what's going on with RSA coming up,
with what's going on in the security world. And starting with, like, all these hacks that have been happening
lately? Is it, is it like a lot more than what's been happening before? Or are we just hearing
about it more? I mean, I'm talking about big companies from Target to the Sony hack. I mean,
there's just been so many. Like, you could probably list more of them than I can.
Yeah, I mean, all of this has happened before. It's, what is happening here is the government's
focus on cybersecurity, and by government, I mean the Obama administration specifically,
has made cybersecurity one of its primary focuses. And that has been tricky. And that has
trickled down and caused everyone else to focus on this more, because that means money now
is going into cybersecurity.
So the business world is focusing on it as well.
In terms of the number of hacks, you know, that's sort of the result of the media, obviously,
paying more attention and the public paying more attention.
But we've always had these kinds of hacks.
Even, you know, the hacks against Target and Home Depot, we had a series of hacks back in 2008 and
2010 against TJX and Barnes & Noble and companies like that.
So what changes is in some of these hacks
is that we get a little smarter with security,
and so the hackers have to go back and retool their techniques,
but they do come back again.
They come back with new techniques and new methods and new tools
just to achieve the same ends.
Are there any common denominators to what made all the most recent hacks happen?
Like, were they all through phishing,
was the entry point through email?
what was a common thread if there was one with all of them?
Well, phishing attacks are one of the primary ways that the hackers get in.
Oddly, that wasn't the case with the Target hack.
In that case, this was an interesting case study
because this involved a third-party company.
In this case, it was a heating and air-conditioning vendor.
And they had some kind of connection to Target's network for billing purposes.
I don't quite understand the whole reason for that,
why there needs to be some kind of connection there between the two networks.
But any time that there is connection,
hackers are going to be smart and they are going to route their way through those networks
and find the systems that they want.
So in this case, they went through the access that this third-party vendor had
into Target's network and used that as a pivoting point to then get themselves to the card network,
where the debit and credit card numbers were being processed.
So that was an interesting case, and that's something that I think we will see more of.
We sort of see, you know, victims get hacked, obviously, and their systems are insecure,
but a growing problem are the issues with third-party vendors, contractors,
other people that you work with that are going to become a conduit for hackers to get to you.
So even though they might not come to you directly, that is a vulnerability that not only
businesses have, but the government has with its contractors.
I have a question. You know, you say that you don't think the frequency has gone up, but is there more at stake?
So you describe how there's more third-party vendors, for example, who have access to these systems,
and systems get bigger and bigger and more complex and more interconnected.
Is there just more to go after and therefore there's more at stake, or is it,
have you not seen it change that dramatically?
I think that
But obviously, you know, more and more stuff is getting put online.
So let's take the health records, for example.
Huge push from the government to digitalize all of our health records.
Well, there were always problems in some cases where you might have records or systems,
medical systems that were connected to the Internet.
But now we've just tripled and quadrupled that.
And so that creates problems.
More and more data, more and more systems are,
becoming digitalized, and then that creates new vulnerabilities and different kinds of data
for hackers to go after. And so that creates the new opportunities.
Right. So with like the recent hacks that have happened, what else have they shared in
comments? So we described phishing as one of the avenues, and you've said that the hackers have just
gotten smarter. But like, how does that happen? Like what, I mean, I don't mean to say that people
are stupid, but why are they not figuring this out? She was looking at me when she said, I don't mean to
if I sent an email to you, you would open it, right?
Yeah.
I hope so.
Yeah, I would.
I would.
Yeah, we're friends.
So hackers have the ability to send you an email in a way that it appears to come from me.
It can appear to come from your HR department or your manager, and they're not sending, you know, spam email about Viagra.
They're going to send you an email with an attachment that appears to be the new budget document,
that you were waiting for
or an HR document about benefits.
So walk us with the mechanics of that, though.
How can they actually do that?
Like, how do they know if they're not in the company
to be able to figure that out?
Like, if they're not inside the company,
like, let's say, okay, between you and me,
there might be more points of failure.
But if you're inside a company
and you have shared language
and you kind of know each other's lingo,
if I get an email from Michael,
and he sends me a sudden random attachment,
I would kind of know it's weird.
Like, how do hackers figure out?
Well, there can be multiple ways of doing this. And one is, I mean, the most simple way, and most email servers will catch
this if you've got good filtering on it. The easiest way is to spoof an email, but it appears
to come, and there are even websites that will spoof an email for you, so that it appears to come
from one domain. If your system is set up to sort of scour through the track that email has
come through, it will know that it didn't originate from the email address it purports to. This
happens in your Gmail account where you'll get a message and Gmail will tell you this doesn't
appear to be coming from who appears to be sending it. So that's what they're doing in that case.
So those are the low-level phishing attacks. The more sophisticated ones can come
from someone actually hacking a system in your network so that it appears to be coming from the
same IP address, but also, let's say they hack into Michael's computer. And they
take over his address book, and they start sending out emails actually through his account
in a way that he doesn't even see it.
Right.
So that's another possible method.
The phishing attacks become sophisticated when they do what's called spear phishing.
So a phishing attack can be sort of, you know, a cannon effect, like spam, where they just send out
a lot of random emails and hope that someone will open it.
Spear phishing is something that they put a little more work into there,
and the Chinese hackers are very good at this.
And they will, and the Russian hackers.
Actually, I just want to clarify, both of them are very good at this.
It depends on who the players are, how many typos will be in the phishing attack.
Yeah, we want to hear my back back to.
What they will do is they can study you, if you're a really valuable target,
if you're a system administrator, for instance, if they can get into your systems,
they can get into everyone else's systems on your company, for example.
So what they might do is target a system administrator, and they will do some reconnaissance on him.
They'll look at his LinkedIn profile, they'll look at his social networking.
They'll see who he's communicating with.
They'll see what he's communicating about.
And then they'll send him an email that is going to be particularly targeted at him.
Let's say he just came back from a conference that he tweeted about, or he tweets about a presentation that he's at, at a conference.
And then suddenly he gets a follow-up email that appears to come from the speaker of that presentation or something else.
So those are ways that they really intensify the sophistication to guarantee, you know,
greater probability that you'll open it.
But you don't actually need that much work.
You know, you ask if people are stupid, and they're not.
Some cases they are.
But, you know, a report came out this week from Verizon examining how long it takes
someone to open a phishing email after it's landed in a company's network,
and it takes on average about a minute and a half
because someone in that company is going to open the email.
And I'll point you to something that happened a few years back.
This was a security company, one of the top security companies, RSA,
that's having its conference next week.
They got hit in a phishing attack in 2010,
around the same time that Google got hit.
And in that case, they sent only a handful of emails
to some specific employees at the company.
And the email filtering system actually caught it
and sent it to the spam folder.
But one of these employees went through a spam folder
and saw the email, thought it was interesting,
pulled it back out into his inbox and opened it.
Oh, my God.
And that's how the attackers got in.
So is the kind of upshot of that story,
just never ever bother checking your spam filter?
Because I do that once every six months.
Yeah.
Oh, maybe something is good news.
I actually get useful newsletters and shopping emails and things like that.
That's what you think so.
You mentioned they, and you talked about the Chinese and the Russians,
and in these more sophisticated attacks. Who are they? And what do they look like and really how sophisticated are
they? And also like Kim, exactly, and also what, are they the different players now? Because I feel like
this more organized approach seems to be something new and different. Like they seem to be getting
ever more sophisticated. They are getting more organized. So, you know, in the early days, what you were
getting were random hackers on the internet. Sometimes they would gather in gangs to do
identity theft and get passwords and go after credit cards and things like that.
And there was some organization then.
But what we really saw the change in was in the late 90s, actually, sorry, the mid-2000s,
where we started to see cyber espionage emerge.
And that's where we're seeing nation-state attacks like China and Russia.
So cyber espionage then became a trade tool for traditional economic espionage,
which has been supplanted in some cases.
So now nation states, like China, China has been accused of this,
of hacking into companies' networks to steal trade secrets
and give Chinese companies a competitive advantage.
That's in addition to already the national security stuff
that they're stealing for military weapons and things like that.
Those range in sophistication.
I mean, the Chinese don't necessarily try to hide their tactics
because they are supported by their government,
so they don't really have anything to worry about there.
In the case of the Russians, really, really sophisticated hackers are in Eastern Europe.
Why is that, by the way?
Is it just that they're really code literate?
I think the technical training is really superb there.
I think that because of the economic conditions, a lot of people who weren't able to get a job during certain periods after the fall of the Soviet Union,
looked to develop these kinds of skills, you know, in the hacking underground.
And so it really paid off for them.
And it is very lucrative.
And, again, there's the issue of being untouchable in Russia.
It's, so it's hard to go after Russians; there's little cooperation with the government.
And so U.S. authorities have to wait for someone to leave Russia and go, you know, on vacation to Thailand or someplace, and nab them there.
So they're pretty protected there.
And in some cases, they may be supported by the Russian government as well.
But they're very sophisticated.
They're also doing national security stuff, but they're also doing economic espionage to sell it.
So economic espionage is basically, you're saying, to sell the product that they're hacking, or to extract rents?
Because I've been hearing stories about ransomware coming from Russia as well.
Yeah, so that's a different kind.
That would be more on the criminal ground rather than the espionage ground.
Okay.
Yeah, ransomware is another interesting thing
that's growing right now, and that started out very not sophisticated. Hackers would put malware
on your system that could then basically encrypt your whole hard drive. And then they send
you a message saying, give us, you know, this amount of money in order for us to let you have
access back to your data. It started out very unsophisticated. They became more sophisticated. They
got smarter about their encryption. It's harder to get around the encryption now. And also,
you know, we're seeing a different kind of ransom, such as the case of Sony, where they did ask
for money, or they appeared to be asking for money in Sony's case. But they weren't looking at
preventing Sony from accessing its data. There, the threat was if you don't comply with our
demands, we'll release the data. And I think that's what we're going to see more of. I think
that's a new trend that we're going to get. And so you question, in the case of the Sony hack,
whether it was North Korea or do we still not have a clear picture on who it might have been?
Well, the government is clear.
The government has been very adamant that North Korea is behind it and that they claim they have
evidence of it and they implied, although they don't tell us directly, that they know because
some kinds of perhaps signals intelligence that the NSA has collected, but they don't say
that.
Right.
My issue with the attribution is
attribution is always difficult no matter, whether it's Sony hack, a
really loud hack like that, or a quiet hack, whether it's a sophisticated
hack or an unskilled hack. The way
we get hackers, the way we prosecute hackers, usually because they've done something
stupid. They've exposed themselves. They've used their real IP address
instead of going through a proxy, or they've bragged about their activity to
someone who's an undercover fed online, something like that.
You know, attribution in nation state, obviously, is going to be a lot more difficult
because they have a lot more resources and skills.
So the idea that the government would say definitively this is North Korea already is
a little shaky.
And what they've provided as evidence is an IP address that they say is, which they
haven't even disclosed the IP address.
All they've said is that an IP address was used to conduct the Sony hack
that North Korea is known to have used,
or North Koreans are known to have used.
And that's a pretty vague statement
because they're not actually saying
this is an IP address assigned to North Korea,
this is an IP address that North Korea used to hack Sony.
They said this is an IP address
that North Korea is known to have used,
meaning to have used in the past.
So that's pretty flimsy.
And also just if you can trace,
if you can trace activity back to an IP address,
and that's difficult in itself, to find
the real originating IP address.
You also have to know
whether or not that machine
was hacked as well. So
just because we traced an attack to your
machine, Michael, doesn't mean that you were the one
sitting at that computer conducting the attack.
Hypothetically, let's be clear about that.
Hypothetically,
someone else could have
subverted your machine, hijacked it,
and been conducting an attack through it.
Right.
So that's another problem with IP addresses.
And until the government can provide
some more extensive proof,
It raises questions.
And why does it raise questions?
Because if you look at the communication from the attackers to Sony,
the first communication was about extortion,
and it wasn't about the movie that everyone in the end thought it was about.
They appeared to be asking the first communication for payment,
and they were demanding payment,
and if they didn't get it, they would release emails and other documents from Sony.
And subsequently, they did start releasing that.
But it was only after media reports started surfacing, quoting anonymous government officials about the Sony movie,
that everyone then jumped on this bandwagon and said, this was about the movie.
But the hackers themselves never mentioned the movie.
And by the way, the hackers, you know, they made that threat, that supposed threat,
what we would have termed a terrorism threat, that if the movie came out on Christmas Day,
they somehow kind of implied that there might be some harm at movie theaters.
and they also made some threats that if Sony released a movie they would release more of Sony's data
but the movie came out and we never heard from the hackers again no more data
so it's also interesting to me that the data that they released
a lot of it pertained to Sony's efforts against piracy
and that's an issue that I can't really see North Korea being all that concerned about
But it is an issue that the hacking community, the underground community of anonymous and groups like that,
have had a gripe with Sony for years over the antipiracy efforts.
And so it makes much more sense, given if you look at the communication from the hackers,
if you look at the data that they released,
and if you look at the fact that they never brought the movie up,
it really comes across as sort of a traditional kind of hack that we've seen before against Sony.
The only difference here is that they took it to another level in destroying data and releasing
data, and they used some malware that had been used in attacks against South Korea.
So those are the only things that gave everyone pause.
So Kim, you're actually touching another interesting theme that I think we should talk about
for a brief moment, which is how people are communicating about the hacks.
I mean, you're interestingly on the other side of this, which is your job is to kind of investigate
the communication trails and source from different stories.
and talk to different, you know, get different facts to put together, like, what's actually
happening.
But there is this problem that companies face, which is they're in a world where they actually
don't know how to communicate about these things because they're facing them for the
first time.
Like, what are you kind of observing from that perspective?
Companies have been forced to be a little more transparent.
I mean, so we see, you know, Target obviously wasn't going to willingly disclose the hack.
What they do in the case of credit cards, it can become a little more obvious because
they're required under breach laws to disclose to customers
when certain kinds of data gets released.
So that's often the way we first learn about a breach.
But the company isn't going to necessarily announce it,
or at least they haven't in years past.
Now we're actually seeing blog posts, things like that,
where they are coming out and formally announcing the hack,
and sometimes even before they notify the customers.
So that's a growing trend,
and I think that companies are realizing that they have to get out in front of it,
they don't want someone else to expose it before they can.
And also, we see, you know, the push now from the government for more information sharing from companies.
Do you get a sense, though, in terms of that disclosure, that it's only, like, disclosure happens when it kind of gets out there already?
Or, you know, if nobody knows that this hack occurred, do we still sort of keep it quiet?
Well, that's what they would love.
I mean, that's been traditionally what's occurred,
is that we never learned about hacks until either the data started leaking online
or, you know, credit card numbers were stolen and they were used for fraudulent purposes.
So I think that companies also are becoming maybe less hesitant about discussing
because they see that everyone is getting hacked.
So you're no longer an individual standing out there alone
who's going to get a finger pointed at you for,
your bad security. Now we know that, you know, pretty much every level of security can be
subverted by a really determined attacker. So I think that there's a little less shame in getting
hacked, maybe. In Sony's case, maybe not so. Yeah, well, that's also because of what actually
came out, but right, exactly. So actually, Kim, one interesting theme here, you know, we've been talking
on the background here about, like, what's really changed in the security landscape, and
You've been saying a lot of these things been around for years,
but at the same time, the players have gotten ever more sophisticated,
and the hacks have gotten much more complicated.
But one thing that's kind of interesting that you and I used to talk about at Wired,
is this trend that sometimes companies are actually,
it's completely turning around the paradigm where before the model for security,
was you just defend to protect?
So are we seeing people go on the offensive, basically?
So we are within limits.
You know, there was a lot of talk a couple of years ago.
a company called CrowdStrike, actually, when they launched,
they had made this announcement that they were going to be talking about,
you know, what they called active defense,
which was attacking back to a certain extent.
And then I think they realized that some of the stuff that they might be advocating was illegal.
And there are companies that, I think, are just now learning
that some of the things they're doing could get them into hot water.
So there are some things in limitation.
I mean, one of the things that you can do is, you know,
You can sort of trace back the source of the attack and find the IP address and things like that.
But you cannot start routing around in the computer at the other end because that's unauthorized access.
You can't pull your data back.
There's a question about whether or not you could actually pull back your data or delete your data on that server.
And I think that that would also be a violation of the Computer Fraud and Abuse Act
because it's performing an unauthorized action on a computer
and you don't know what the consequences
of deleting something on a computer might be.
And also I want to point out that, you know,
as I said, hackers route their way
through other computers to conduct their attacks.
So they could be on your computer.
And if your computer is used to attack me
and I go into your computer to erase data,
you weren't the perpetrator.
And I could cause damage to your system,
not to the original attacker system.
So there are a lot of legal and ethical issues around this.
But one way that companies are sort of, I guess, not attacking back,
but responding in a more active way, certainly not defensive,
is going through the courts and getting systems taken offline.
And so we've seen this a couple of times with Microsoft,
where they've gone to, they filed a civil action in courts
in order to get certain IP addresses or hosting companies taken down
in order to control botnets and other malicious activities
that's sort of congregating in certain IP addresses.
But what can companies do?
Because the fact is that, like, you know, 10 years ago
or even as recently as five years ago,
the security model was to defend and protect,
like the McAfee, antivirus firewall, you know, sort of thing.
But we're talking about very different types of hacks these days
that are going through various systems internally.
Like we talked about the intimacy of coming from your colleague
or your next-door neighbor.
So what can companies do then to sort of better arm themselves?
I mean, it seems like this is a whole brave new world of security.
Yeah, I think the shift is less from keeping attackers out,
although, I mean, you know, you still need to do that.
You need to do everything you can to keep them out.
But I think that companies are becoming more realistic
and realizing that they need to put a lot more resources
into discovering intruders that may already be in the system.
and so that means improving their monitoring and logging capabilities,
and making sure that when they have monitoring and logging capabilities
that they're actually reading those logs,
and they have them configured in such a way that they can actually
distinguish between something that is concerning and something that's not.
But that's a problem as well.
Target discovered that.
Target installed a multi-million dollar security system not long before it got hacked,
and that system was designed to detect anomalous behavior in the network, and it did.
It sent alerts to some people who were paid to monitor Target's networks.
I forget what they were, I think, in maybe India or Singapore,
and they forwarded those alerts to the system administrators in the U.S.,
and those administrators ignored them.
And they ignored them because you can have a system like that
and get so many alerts that you get this battle fatigue from them,
and you stop looking, or you don't have the resources to look at everything.
Well, it also raises the fact that at the end of the day, the whole model of security
always comes down to the human error aspect as well at some point.
And speaking of human error, you know, flip it to the consumer.
Are you noticing, or is there a hope for us to do a better job or their behaviors we can
embark upon?
Finally, you know, two-factor authentication for everything?
I mean, is there anything on the horizon there that seems to help?
Yes, I think the move towards two-factor authentication,
obviously, was long overdue, and I guess we have to thank, we have Edward Snowden
to thank for that, and encryption. But if an attacker is already on your system, encryption won't
necessarily help you, because they're going to see your data before it gets encrypted.
If you're, you know, changing passwords, strong passwords, things like that, you know, we see a
movement toward people demanding that passwords be eliminated and that we come up with new systems,
more biometric systems, things like that.
I mean, there obviously are a lot of people trying to look at this issue now
and figure out new ways.
But, I mean, for the consumer now, you know,
two-factor authentication for any site that offers it,
that's the way to go.
Kim, you talked to us about what we can do
and two-factor authentication sounds like a path
that we all need to go down quickly.
And even three-factor authentication,
if you think about adding the biometric component.
Yeah.
But are there, so what are some other things that, you know,
maybe companies should think about.
And also, do you have any sense of, like, kind of who's winning,
or is that not even a question that can be asked?
The hackers are winning.
Okay.
That's a sad reality, right?
So that's exactly the world we're in.
Do you have advice, then, Kim, for companies that are,
and consumers that are in this world?
Like, what do we do then?
I mean, if you put your data on the cloud,
which could be a lot more secure because you have, you know,
people, a lot more administrators who are dedicated to watching that,
what would...
I don't do online banking.
Okay.
So I don't have a lot of trust in those kinds of systems.
I don't have a lot of, I do very little, I don't put my health records online, that kind of thing.
So I keep it as much to the minimum as I can.
And I know that people don't like that because they like efficiency and they like convenience,
but they have to understand that there is that trade-off,
and you are making a security trade-off every time you do that.
So if you do make that trade-off, then what would your parting words of advice be for people?
like to be able to audit, like, the companies they're working with, whether they're a person
or a company?
I don't know that the average person can do that because the average person isn't going
to know, even if, you know, if you want to put your data in the cloud, do you know how
adequate that audit was?
So, you know, it's kind of a circular problem, but I think minimally, if you are a company
that's considering using a cloud company, cloud service,
cloud storage, there are some things that you can do. You can see, you can find out if the company
has been independently audited and that their security is to a level that you're feeling
comfortable with. And another thing that you might do is seed some of your data so that if it's
stolen, seeding is sort of planting little flags, like a watermarking. Yeah. So that if the data
is stolen, you can see that that's the source of it. And then you can come back to the cloud company
and, you know, you may be able to tell them, hey, you've been hacked.
But that's some way, one way that you're not just completely ceding your control to someone else then.
That's great.
Well, Kim, on that somewhat somber note, I promise, if you get an email from me with an attachment, don't open it.
Don't actually open any email from him in general.
Yeah, don't open any.
Thank you so much.
You're welcome.
Scared me to death.
Thank you.
Thanks a lot.
Okay.
Bye.