The a16z Show - a16z Podcast: How Hacks Happen (Let’s Just Say Mistakes Have Been Made)

Episode Date: April 18, 2015

It seems like we hear about corporate (not to mention consumer) hacks in the news every week. Is this something new, or just a continuation of old patterns that we just happen to be hearing about more now? In this segment of the a16z Podcast, longtime security investigative reporter Kim Zetter of Wired -- who also wrote Countdown to Zero Day, the definitive account of Stuxnet, the first digital virus that wrought physical destruction (on a nuclear facility) -- breaks down how hacks happen. What's old (like phishing), what's new (like spear-phishing and ransomware)? How are players around the world -- whether for government or economic espionage -- becoming ever more sophisticated, coordinated, and organized? And what can companies do? Zetter shares her observations on how security models have changed -- for example, from defensive to offensive -- to how she susses out the truth when different players communicate about or claim hacks. (Which is one of the reasons that Zetter questions North Korea's role in the Sony hack...)

Transcript
Starting point is 00:00:00 Welcome to the A16Z podcast. I'm Michael Copeland, and I am here with my partner in crime, Sonal Chokshi, today. And we are lucky to have Kim Zetter, a senior staff writer at Wired, who covers all things security. Kim, welcome. Thank you very much. So, Kim, you know, we wanted to actually talk to you about what's going on with RSA coming up, with what's going on in the security world. And starting with, like, all these hacks that have been happening lately. Is it me? Is it like a lot more than what's been happening before? Or are we just hearing about it more? I mean, I'm talking about big companies from Target to the Sony hack. I mean, there's just been so many. Like, you could probably list more of them than I can.
Starting point is 00:00:41 Yeah, I mean, all of this has happened before. What is happening here is the government's focus on cybersecurity, and by government, I mean the Obama administration specifically, has made cybersecurity one of its primary focuses, and that has trickled down and caused everyone else to focus on this more, because that means money now is going into cybersecurity. So the business world is focusing on it as well. In terms of the number of hacks, you know, that's sort of paying more attention and the public paying more attention. But we've always had these kinds of hacks.
Starting point is 00:01:18 Even, you know, the hacks against Target and Home Depot, we had a series of hacks back in 2008 and 2010 against TJX and Barnes & Noble, and companies like that. So what changes is in some of these hacks is that we get a little smarter with tools or techniques, but they do come back again.
Starting point is 00:01:41 They come back with new techniques and new methods and new tools just to achieve the same ends. Are there any common denominators to what made all the most recent hacks happen? Like were they all through phishing, were they through the entry point through email?
Starting point is 00:01:57 What was a common thread if there was one with all of them? Well, phishing attacks are one of the primary ways that the hackers get in. Oddly, that wasn't the case with the Target hack. In that case, this was an interesting case study because this involved a third-party company. In this case, it was a heating and air-conditioning vendor. And they had some kind of connection to Target's network for billing purposes. I don't quite understand the whole reason for that, why there needs to be some kind of connection there between the two networks.
Starting point is 00:02:28 But anytime that there is connection, hackers are going to be smart, and they are going to route their way through those networks and find the systems that they want. So in this case, they went through CAD into Target's network and used that as a pivoting point to then go to where the debit and credit card numbers were being processed. So that was an interesting case,
Starting point is 00:02:58 and that's something that I think we will see more of. We sort of see, you know, victims get hacked, obviously, and their systems are insecure, but third-party vendors, contractors, other people that you work with are going to become a conduit for hackers to get to you. So even though they might not come to you directly, that is a vulnerability that not only businesses have, but the government has with its contractors. I have a question.
Starting point is 00:03:26 You know, you say that you don't think the frequency has gone up, but is there more at stake? So you describe how there's more third-party vendors, for example, who have access to these systems, and systems get bigger and bigger and more complex and more interconnected. Is there just more to go after and therefore there's more at stake, or have you not seen it change that dramatically?
Starting point is 00:03:51 Obviously, you know, more and more stuff is getting put online. So let's take the health records, for example. Huge push from the government to digitalize all of our health records. Well, there were always problems in some cases where you might have records that were connected to the internet. But now we've just tripled and quadrupled that. And so that creates problems. More and more data.
Starting point is 00:04:19 More and more systems are becoming digitalized. And then that creates new vulnerabilities and different kinds of data for hackers to go after. And so that creates the new opportunities. Right. So with like the recent hacks that have happened, what else have they shared in common? So we described phishing as one of the avenues.
Starting point is 00:04:35 And you've said that the hackers have just gotten smarter. But like, how does that happen? I mean, I don't mean to say that people are stupid, but why are they not figuring this out? She was looking at me when she said, I don't mean to say people are stupid. If I sent an email to you, you would open it, right? Yeah. I hope so. Yeah, I would.
Starting point is 00:04:56 I would. Yeah, we're friends. So hackers have the ability to send you an email in a way that it appears to come from me. It can appear to come from your HR department or your manager, and they're not sending, you know, spam email about the Viagra. They're going to send you an email with an attachment that appears to be the new budget document that you were waiting for or an HR document about benefits. So walk us through the mechanics of that, though. How can they actually do that?
Starting point is 00:05:24 Like, how do they know if they're not in the company to be able to figure that out? Like, if they're not inside the company, like, let's say, okay, between you and me, there might be more points of failure. But if you're inside a company and you have shared language and you kind of know, each other's lingo. If I get an email from Michael, and he sends me a sudden random attachment, I would kind of know it's weird. Like, how do hackers figure out? Well, there can be multiple ways of doing this. And one is, I mean, the most simple way, and most email servers will catch this if you've got good filtering on it. The easiest way is to
Starting point is 00:05:56 spoof an email. So it appears to come, and there are even websites that will spoof an email for you. So that it appears to come from, if your system is set up to sort of scour through the track that email has come through, it'll know that it didn't originate from the email that it purports to. This happens in your Gmail account where you'll get a message and Gmail will tell you this doesn't appear to be coming from who appears to be sending it. So that's what they're doing in that case. So those are the sort of low-level phishing attacks. The more sophisticated ones can come from someone actually hacking a system in your network so that it appears to be coming from the same IP address,
Starting point is 00:06:41 but also, let's say they hack into Michael's computer, and they take over his address book, and they start sending out emails actually through his account in a way that he doesn't even see it. Right. So that's another possible method. But phishing attacks, though, become sophisticated when they do what's called spear phishing.
Starting point is 00:07:02 So a phishing attack can be sort of a cannon effect, like spam, where they just send out a lot of random emails and hope. Spear phishing is something that they put a little more work into, and the Chinese hackers are very good at this, and they will, and the Russian hackers. Actually, I just want to clarify, both of them are very good at this. It depends on who the player is; both will be in the phishing attack.
Starting point is 00:07:30 Yeah, we want to hear more about that, too. What they will do is they can study you if you're a really valuable target. If you're a system administrator, for instance, they can get into your systems, they can get into everyone else's systems in your company, for example.
Starting point is 00:07:45 So what they might do is target a system administrator, and they will do some reconnaissance on him. They'll look at his LinkedIn profile, they'll see who he's communicating with, and they'll see what he's communicating about, and then they'll send him email that is going to be particularly targeted at him. Let's say he's just come back from
Starting point is 00:08:01 a conference that he tweeted about, or he tweets about a presentation that he saw at a conference, and then suddenly he gets a follow-up email that appears to come from the speaker of that presentation or something else. So those are ways that they really intensify the sophistication to guarantee, you know, greater probability that you'll open it. But you don't actually need that much work. You know, you ask if people are stupid, and they're not.
Starting point is 00:08:28 In some cases they are. But, you know, a report came out this week from Verizon examining how long it takes someone to open a phishing email after it's landed in a company's network, and it takes on average about a minute and a half because someone in that company is going to open the email. And I'll point you to something that happened a few years back. This was a security company, one of the top security companies, RSA, that's having its conference next week. They got hit in a phishing attack in 2010, around the same time that Google got hit. And in that case, they sent only a handful of emails
Starting point is 00:09:04 to some specific employees at the company. And the email filtering system actually caught it and sent it to the spam folder. But one of these employees went through a spam folder and saw the email, thought it was interesting, pulled it back out into his inbox and opened it. Oh, my God. And that's how the attackers got in.
Starting point is 00:09:21 So is the kind of upshot of that story? Just never, ever bother checking your spam filter? Because I do that once every six months. I actually get useful newsletters and shopping emails and things like that. That's what you think so. You mentioned they, and you talked about the Chinese and the Russians, and in these more sophisticated attacks. Who are they?
Starting point is 00:09:43 And what do they look like and really how sophisticated are they? And also, like Kim, exactly. And also, are they the different players now? Because I feel like this more organized approach seems to be something new and different. Like they seem to be getting ever more sophisticated. They are getting more organized. So, you know, in the early days, what you were getting were random hackers on the Internet. Sometimes they would gather in gangs to do identity theft and get past.
Starting point is 00:10:14 And there was some organization then. But what we really saw the change in was in the late 90s, actually, sorry, the mid-2000s, where we started to see cyber espionage emerge. And that's where we're seeing nation-state attacks like that. So cyber espionage then became, you know, a trade tool for, you know, traditional economic espionage has been supplanted in some cases. So now nation-states use this kind of hacking into companies' networks to steal trade secrets and give Chinese companies a competitive advantage.
Starting point is 00:10:54 That's in addition to already the national security stuff that they're stealing, you know, for military weapons and things like that. Those range in sophistication. I mean, the Chinese don't necessarily try to hide their tactics because they are supported by their government, so they don't really have anything to worry about there. In the case of the Russians, really, really sophisticated hackers are in Eastern Europe. Why is that, by the way?
Starting point is 00:11:18 Is it just that they're really code literate? I think the technical training is really superb there. I think that because of the economic conditions, a lot of people who weren't able to get a job during certain periods after the fall of the Soviet Union looked to develop these kinds of skills, you know, in the hacking underground, which is very lucrative. And again, there's the issue of being untouchable in Russia. So it's hard to go after Russians.
Starting point is 00:11:54 A little cooperation with the authorities have to wait. So they're pretty protected there. And in some cases, they may be supported by the Russian government. They're very sophisticated. They're also doing national security stuff, but they're also doing, you know, economic espionage to sell it. So economic espionage is basically, so you're saying, to sell the product that they're hacking
Starting point is 00:12:22 or to extract rents? Because I've been hearing stories about ransomware coming from Russia as well. Yeah, so that's a different kind. That would be more on the criminal ground rather than the espionage ground. Okay. Yeah, so ransomware is another interesting thing that's growing right now. And that started
Starting point is 00:12:38 out very not sophisticated. Hackers would put malware on your system that locked your hard drive. And then they'd send you a message saying give us, you know, this amount of money in order for us to let... It started out very unsophisticated. They've become more sophisticated. They got smarter about their encryption.
Starting point is 00:13:00 It's harder to get around the encryption now. And also, you know, we're seeing a different kind of ransom, such as the case of Sony, where they did ask for money, or they appeared to be asking for money in Sony's case. But they weren't looking at preventing Sony from accessing its data. The threat was, if you don't comply with our demands. So you question, in the case of the Sony hack, whether it was North Korea, or do we still not have a clear picture on who it might have been? Well, the government is clear. The government has been very adamant that North Korea is behind it, and they claim they have evidence
Starting point is 00:13:43 of it, and they implied, although they don't tell us directly, that they know because of some kinds of perhaps signals intelligence that the NSA has collected. But they don't say that. Right. So we're left to sort of connect dots that we're not sure can be connected. My issue with the attribution is, attribution is always difficult no matter whether it's the Sony hack, a really loud hack like that, or a quiet hack. Hackers, the way we prosecute hackers,
Starting point is 00:14:16 are usually because they've done something stupid and exposed themselves. They've used their real type, or they've bragged about their activity to someone who's, you know, attribution in nation state, obviously, is going to be a lot more difficult because they have a lot more resources and skills. So the idea that the government would say,
Starting point is 00:14:38 definitively, this is North Korea, and what they've provided as evidence is an IP, they haven't even disclosed the IP address. All they've said is that an IP address was used to conduct the Sony hack that North Korea is known to have used, or North Koreans are known to have used. And that's a pretty vague statement because they're not actually saying
Starting point is 00:15:03 this is an IP address assigned to North Korea, this is an IP address that North Korea used to hack Sony. They said this is an IP address that North Korea is known to have used, to have used in the past meaning. So that's pretty flimsy. And also just if you can trace, if you can trace activity back to an IP address, and that's difficult in itself to find the real originating IP address,
Starting point is 00:15:28 you also have to know whether or not that machine was hacked as well. So just because we've traced an attack to your machine, Michael, doesn't mean that you were the one sitting at that computer conducting the attack. Hypothetically, let's be clear about that. Hypothetically, someone else could have subverted your machine, hijacked it, and be conducting an attack through it. So that's another problem with IP addresses.
Starting point is 00:15:52 And until the government can provide some more extensive proof, it raises questions. And why does it raise questions? Because if you look at the communication from the attackers to Sony, the first communication was about extortion. And it wasn't about the movie that everyone in the end thought it was about. They appeared to be asking in the first communication for payment, and they were demanding payment,
Starting point is 00:16:17 and if they didn't get it, they would release emails and other documents from Sony. And subsequently, they did start releasing that. But it was only after media reports started surfacing, quoting anonymous government officials about the Sony movie, but the hackers themselves never mentioned the movie. And by the way, the hackers, you know, they made that threat, that's termed a terrorism threat,
Starting point is 00:16:46 that if the movie came out on Christmas Day, they somehow kind of implied that there might be some harm at movie theaters. And they also made some threats that if Sony released the movie, they would release more of Sony's data. But the movie came out,
Starting point is 00:17:04 and we never heard from the hackers again. No more data. It's also interesting to me that the data that they released, a lot of it pertained to Sony's efforts against piracy. And that's an issue that I can't really see North Korea
Starting point is 00:17:21 being all that concerned about. But it is an issue that the hacking community, the underground community of Anonymous, have had a gripe with Sony for years over the antipiracy efforts. And so it makes much more sense, if you look at the communication from the hackers, if you look at the data that they released,
Starting point is 00:17:44 and if you look at the fact that they never brought the movie up, it really comes across as sort of a traditional kind of hack that we've seen before against Sony. The only difference here is that they took it to another level in destroying data and releasing data, and they used some malware that had been used in attacks against South Korea. So those are the only things that gave everyone pause. So Kim, you're actually touching another interesting theme
Starting point is 00:18:12 that I think we should talk about for a brief moment, which is how people are communicating about the hacks? I mean, you're interestingly on the other side of this, which is your job is to kind of investigate the communication trails and source from different sources and talk to different, you know, get different facts to put together what's actually happening. But there is this problem that companies face, which is they're in a world where they actually don't know
Starting point is 00:18:32 how to communicate about these things because they're facing them for the first time. Like, what are you kind of observing from that perspective? Companies have been forced to be a little more transparent. I mean, so we see, you know, Target obviously wasn't going to willingly disclose a hack. What they do in the case of credit cards, it can become a little more obvious
Starting point is 00:18:51 because they're required under breach laws to disclose to customers when certain kinds of data gets released. So that's often the way we first learn about a breach. But the company isn't going to necessarily announce it, or at least they haven't in years past. Now we're actually seeing blog posts, things like that, where they are coming out and formally announcing the hack, and sometimes even before they notify the customers.
Starting point is 00:19:15 So that's a growing trend, and I think that companies are realizing that they have to get out in front of it. They don't want someone else to expose it before they can. And also, we see, you know, for more information sharing from companies. Do you get a sense, though, in terms of that disclosure, that it's only, like, disclosure happens when it kind of gets out there already? Or, you know, if nobody knows that this hack occurred, do we still sort of keep it quiet? Well, that's what they would love. I mean, that's been traditionally what's occurred, is that we never learned about hacks until either the data started leaking online.
Starting point is 00:19:56 or, you know, credit card numbers were stolen and they were used for fraudulent purposes. I think that companies also are becoming maybe less hesitant about discussing because they see that everyone is getting hacked. Right. So no longer that individual is going to get a finger pointed at you for your bad security. Now we know that, you know, pretty much every level of security can be subverted by a really determined attacker. So I think that there's a little less shame in getting hacked, maybe. Uh-huh.
Starting point is 00:20:32 In Sony's case, maybe not so. Yeah, well, that's also because of what actually came out. But right, exactly. So actually, Kim, one interesting theme here, we've been talking on the background here about, like, what's really changed in the security landscape. And you've been saying a lot of these things have been around for years, but at the same time, the players have gotten ever more sophisticated,
Starting point is 00:20:50 and the hacks have gotten much more complicated. But one thing that's kind of interesting that you and I used to talk about at Wired is this trend, that sometimes companies are actually, it's completely turning around the paradigm where before the model for security was you just defend to protect. So are we seeing people go on the offensive, basically? So we are, within limits. You know, there was a lot of talk a couple of years ago, a company called CrowdStrike, actually, when they launched, they had made this announcement that they
Starting point is 00:21:21 were going to be talking about, you know, what they called active defense, which was attacking back to a certain extent. And then I think that they realized that some of the stuff that they might be advocating was illegal. And there are companies that I think are just now learning that some of the things they're doing could get them into hot water. So there are some things in limitation. I mean, one of the things that you can do is, you know, you can sort of trace the source of the attack and find the IP address and things like that.
Starting point is 00:21:52 But you cannot start routing around in the computer at the other end because that's unauthorized access. You can't pull your data back. There's a question about whether or not you could actually pull back your data or delete your data on that server. And I think that that would also be a violation of the Computer Fraud and Abuse Act because you don't know if it's performing an unauthorized action on a computer and you don't know what the consequences of deleting something on a computer might be.
Starting point is 00:22:19 And also I want to point out that, you know, as I said, hackers route their way through other computers to conduct their attacks. So they could be on your computer, and if your computer is used to attack me and I go into your computer to erase data, you weren't the perpetrator, and I could cause damage to your system, not to the original attacker's system.
Starting point is 00:22:40 So there are a lot of legal and ethical issues around this, but one way that companies are sort of, I guess, not attacking back, but responding in a more active way, certainly not defensive, is going through the courts and getting systems, taken offline. And so we've seen this
Starting point is 00:22:59 a couple of times with Microsoft, where they've gone to, they filed a civil action in court in order to get certain IP addresses or hosting companies taken down in order to control other malicious activities that's sort of congregating in certain IP
Starting point is 00:23:17 addresses. But what can companies do? Because the fact is that, like, 10 years ago or even as recently as five years ago, the security model was to defend and protect, like the McAfee antivirus, firewall, you know, sort of thing. But we're talking about very different types of hacks these days that are going through your various systems internally. Like we talked about the intimacy of coming from your colleague or your next-door neighbor.
Starting point is 00:23:38 So what can companies do then to sort of better arm themselves? I mean, it seems like this is the whole brave new world of security. Yeah, I think the shift is less from keeping attackers out. Although, I mean, you know, you still need to do that. You need to do everything you can to keep them out. But I think that companies are becoming more realistic and realizing that they need to put a lot more resources into discovering that they may already be in the system. And so that means improving their monitoring and logging capabilities
Starting point is 00:24:11 and making sure that when they have monitoring and logging capabilities, that they're actually reading those logs. And they have them configured in such a way that they can actually distinguish between something that is concerning and something that's not. But that's a problem as well. Target discovered that. Target installed a multi-million dollar security system not long before it got hacked. And that system was designed to detect anomalous behavior in the network.
Starting point is 00:24:38 And it did. It sent alerts to some people who were paid to monitor Target's networks. I forget where they were, I think, in maybe India or Singapore. And they forwarded those alerts to the system administrators in the U.S., and those administrators ignored them. And they ignored them because you can have a system like that and get so many alerts that you get this battle fatigue from them and you stop looking, or you don't have the resources to look at everything.
Starting point is 00:25:07 Well, it also raises the fact that at the end of the day, the whole model of security always comes down to the human error aspect as well at some point. And speaking of human error, you know, flip it to the consumer. Are you noticing, or is there a hope for us to do a better job, or are there behaviors we can embark upon finally, you know, two-factor authentication for everything? I mean, is there anything on the horizon there that seems to help? Yes, I think the move towards two-factor authentication,
Starting point is 00:25:36 obviously, was long overdue, and I guess we have to think we have Edward Snowden to thank for that. And encryption, but if an attacker is already on your system, encryption won't necessarily help you, because they're going to see your data before it gets encrypted. If you are, you know, changing passwords, strong passwords, things like that, you know, we see a movement toward people demanding that passwords be eliminated and that we come up with new systems, more biometric systems, things like that.
Starting point is 00:26:06 I mean, there obviously are a lot of people trying to look at this issue now and figure out new ways. But, I mean, for the consumer now, you know, two-factor authentication for any site that offers it, that's the way to go. Kim, you talked to us about what we can do in two-factor authentication. It sounds like a path that we all need to go down quickly. And even three-factor authentication, if you think about adding the biometric component. Yeah.
Starting point is 00:26:30 But are there so what are some other things that maybe companies should think about? And also, do you have any sense of like kind of who's winning or is that not even a question that can be asked? The hackers are winning. Okay. That's a sad reality, right? So that's exactly the world we're in. Do you have advice then, Kim, for companies? that are, and consumers that are in this world?
Starting point is 00:26:51 Like, what do we do then? I mean, if you put your data on the cloud, which could be a lot more secure because you have people, a lot more administrators who are dedicated to watching that. I don't do online banking. I don't have a lot of trust in those kinds of systems. I don't have a lot of, I do very little.
Starting point is 00:27:12 I don't put my health records online, that kind of thing. So I keep it as much to the minimum as I can. And I know that people don't like that because they like efficiency and they like convenience, but they have to understand that there is that trade-off, and you are making a security trade-off every time you do that. So if you do make that trade-off, then what would your parting words of advice be for people
Starting point is 00:27:33 like to be able to audit, like, the companies they're working with, whether they're a person or a company? I don't know that the average person can do that because the average person isn't going to know, even if you want to put your data in the cloud, do you know what that audit was? So it's kind of this circular problem, but I think minimally, if you are a company that's considering using a cloud company, cloud storage, that there are something that you can do.
Starting point is 00:28:05 You can see, you can find out if the company has been independently audited and that the security is to a level that you're feeling comfortable with. And another thing that you might do is seed some of your data so that if it's stolen, seeding and sort of planting little flags like a water... Sort of watermarking. Yeah. So if the data is stolen, you can see that, you can come back to the cloud company, and you may be able to tell them, hey, you've been hacked. But that's some way, one way that you're not just completely ceding your control to someone else then. That's great.
Starting point is 00:28:41 Well, Kim, on that somewhat somber note, I promise if you get an email from me with an attachment, don't open it. Don't actually open any email from him in general. Yeah, don't have any. Thank you so much. You're welcome. Scared me to death. Thank you.
Starting point is 00:28:54 Thanks a lot. Okay. Bye.
