Safety Secrets of Extreme Hackers

As a cybersecurity CEO, Chris Rock routinely slaloms the Matterhorn of cyber-paranoia. Here, he gives an inside look at how far some hackers go to keep their most sensitive data away from prying eyes.

Alina Simone
6 min read · May 4, 2017

World Password Day is about adding security to our logins. But for some people, like Kustodian CEO Chris Rock, a “decent” password isn’t enough. For example, his is 72 characters long.

A couple of weeks ago, a magazine editor emailed me a standard payment form, asking for my bank account information and routing number. I asked if she wouldn’t mind just sending me a check in the mail. I’d done enough cyber-crime reporting over the years to hesitate when it came to sending the keys to my financial fiefdom over the Internet. Just the week before, Google had sent me an alert suggesting I change my password because an unauthorized user had accessed my email. Sure, a check can always be lifted from a mailbox, but it’s a lot better than having your entire bank account hoovered clean.

My editor’s reply began, “I see…” which in fact translated to: I don’t see. The magazine’s payment system was digitized and complicated, she continued archly, and if I wanted to work for them I would send over my account details, you know, stat. So I sent in the form, resisting the urge to upend a note reading, “Enjoy my rubles, Russian hackers!”

But my tiny failed analog resistance made me wonder: how do real hackers protect their own data? I’m not talking about well-groomed pen testers in air-conditioned offices, but hackers with real secrets to keep. Do they rely on the same off-the-shelf solutions — password managers, two-factor notification, ID theft protection — as the rest of us? Or is there some serious James Bond stuff going on that we would be wise to know about…?

To answer this question I turned to hacker extraordinaire, Chris Rock. By day, Rock is the CEO of Kustodian, an Australia-based computer security company, but his extracurricular pursuits involve hacking the Kuwait government and turning birth and death registries into virtual body farms. As a man who routinely slaloms the Matterhorn of cyber-paranoia, I thought he would be well-positioned to give me the goods on how hackers keep their stuff safe.

Let’s start with passwords. A normal person feels pretty proud of themselves if they use a password manager. Is that good enough for you?

It’s good for the general user — I recommend that sort of stuff — but in the end, if there’s data that you do NOT want to go out, you’re going to have to make a little more effort to protect it because it is your livelihood-slash-out-of-jail card.

See, the first thing a hacker is going to do is target you or your office with a Trojan, get access to your laptop, and then record the keystrokes to that master password you put into the system. Then they can unlock all of your systems.

Ok, so how do you approach passwords?

All my guys use a password complexity of greater than 64 characters for a password, which is never written down. It’s just something you remember. Mine, for example, is 72 characters.

How the Donald J. Trump do you remember a 72-character password?!?

You just remember it. Repeat, repeat, repeat. Make sure you type that phrase into an offline computer once every two weeks so you don’t forget what it is. We use encryption products where it’s five attempts and you’re gone, so you’ve got to be really careful about your passwords. And it can’t just be “Happy birthday Chris” blah blah blah blah, it’s got to be a mix of complex characters and passphrases and everything together just so you’re safe.

You’re not tempted to write it on a teeny scrap of paper somewhere…?

Never. If a judge says, “Chris, can you provide your password?” and the cops see what’s on my system, I’m going to jail for 25 years. But if I don’t provide the password, I just do the two-year minimum. If the only thing I have to do in life is remember this one password, then so be it. That’s what I need to do.

Ok, once you have your password memorized, how do you protect the physical device itself?

Our client data — and this is the boring part of the answer, by the way — is stored on a device with no internet so the only way that it can get captured is if it’s physically stolen and then signcrypted. That’s the industry way that we look after our customer data for example. None of it’s stored on cloud. None of it’s stored on file servers. None of it’s stored on laptops or desktops. We never travel with it. And it never is online. So that’s the ideal way of protecting customer data.

But the real way we protect personal data that we want no one to see, is we use those tiny little SSD cards. The 4 gig or 8 gig ones that you’d stick into Nintendo 3DS. They sit completely flat, they’re black and you can hide them anywhere. You can hide them in wall cavities. You can hide them in a cat bell.

A cat bell…?

When someone comes to your property, they’re going to obviously take your computer, your video recorder, anything that has a hard disk. So you make a hole in the wall and then you plaster it back up again with the little SSD cards within it. You put them in a lot of different places. You know in your head where they are. You may have ten places on your property, inside and outside. But if you lose them through heat or cold or whatever, you need to have a secondary system. For example, if I don’t want anything on my property that’s too dangerous, I might take it to a neighbor’s property. Or I might take it to a relative to take back to their property disguised as something else. Maybe it’s a photo frame with a little SSD card in it. Give it to my mom for example and then it’s offsite.

(And paranoia-wise, this is nothing by the way. I’ve got guys I work with who will not use the speaker at a drive-through restaurant, or answer if you knock on their hotel room door. Hackers and pen-testers are weird people anyway so it’s just the degree of weirdness we’re talking about.)

Other than cat bells and photo frames, what other analog means do you employ to keep data safe?

We just meet up. It’s called the “out of bounds” method, for out of the technology bounds area. If we need to provide an encryption pass phrase in order to move data between sources, we meet up at a cafe or restaurant and do a handover. You just can’t trust the phone system with Wickr and Telegram apps, and all. If the data is going to get you in jail, it’s easy to just put the transfer off until you can use the analog method.

People are understandably obsessed with protecting their identity. But I wondered whether for a hacker, the best protection might not just be multiple identities?

You and I spoke previously about how you can virtually “give birth” to someone or “kill somebody.” Having clean IDs is great. You can just put them on ice until they grow up. The virtual, or the “shelf baby,” is a great method. You can protect all your files, all your data and passwords, but as soon as the government’s responsible for your ID, you’re toast. You cannot really protect your ID because the idiots at the births, deaths and marriages registry are the ones that’ll screw it up. By harvesting “shelf babies,” you’d never really lose your ID. Plus you’ve got a clean record, whether it be criminal or financial. If you screw up, you just move on to the next one.

But do hackers actually do that, or is it just hypothetically a good idea?

It’s hypothetical. I only discovered it myself a couple of years ago. But the vulnerabilities in the system are there to exploit.

I am wracking my brains for a failsafe security protection that is good for clueless consumers. Is there any mythbusting to be done on the 2-step notification, or is that just a damn good thing?

It is just a good thing. Everyone should run it. Even if it’s just an app on your phone. If you go to a hotel and use wi-fi, having that two-factor is a get-out-of-jail-free card if someone does get your password. There’s a percentage of paranoid security knobs out there who will say it’s a problem because of weak encryption, but hey, that’s not what you want to worry about. For 99% of consumers, if they’re using passwords — Facebook, Twitter, even banking — they’re not going to have problems. Just having two-factor alone will get you out of the stuff and is a great thing to have.