Selections of cybercrime information from expert Jim Stickley, Stickley on Security, keynote speaker at the CyberSecurity Conference sponsored by Exchange Bank and the North Bay Business Journal.
Hacking was cool
“Hacking was just cool. That’s all it was. By my late teens, early 20s, I realized, hey this stuff could get you in jail. As a kid, I didn’t pay for stuff very often — movies, Sea World, the zoo, Disneyland. If you gave them a good story, they would let you in. Even if I had a date, I would tell them I lost my tickets. With corporations, I could pop my way into things. Five years ago, I had robbed over 1,000 financial institutions. I have robbed a lot of places (as a friendly hacker).”
“I talk very fast, like a monkey on crack. I got my first computer when I was 12, back in 1982, a Texas Instruments TI-99 (released 1981, 256 bytes RAM, 3 MHz speed, much slower than Stickley talks). I was immediately hooked. I couldn’t think of anything else I’d rather be doing than being at my little computer. For Christmas, I would ask my parents for programming books.” (By age 16, he was doing program development work for corporations.)
“I believe that there is always a way to solve a problem. When kids were mean to me, I was able to turn off their parents’ phone line (because he swiped programming manuals from telephone repair technicians parked in his neighborhood).”
“It’s not like I have some better widget that is better than the next guy who is breaking into stuff. We all follow the same trends. Cybercrime is a growth industry. Returns are great. Risks are low. It’s just a business now. This is not some kid hacking from a basement. This is organized crime, state-sponsored all over the world. Technology is way better than it has ever been.”
Email poses huge risks
“With very few exceptions, it comes down to email. Every major breach since 2014 started with an email. That led to the compromise on the network. Email is a huge, huge risk. Hacking is hard. It’s a lot of work. If I can send one of your employees an email and get them to do something dumb that ends up giving me access to their desktop, I have bypassed all the internal security and I am on your internal network. It solves all my problems for me. All I need is one person to make a mistake. Email is your biggest risk.”
“Emails are the devil, whether they come from your mom, co-worker, best friend. Doesn’t matter who. Start with the assumption it didn’t actually come from them. Assume it’s bad. Figure out what it wants from you. There’s going to be some angle. It wants you to click on a link, download some attachment. If it wants anything from you at all, take a deep breath. You opening that document could be a very bad decision. Treat every email with a really skeptical view. The more you know, the better off you are going to be.”
“I send an email on behalf of IT security guys to one of your employees (using the IT security employee’s name). The subject is an emergency security patch. The security ID is an important part of this whole scam. (There’s an 800 number to call.) It has no links, no attachments. There’s nothing that tells them this is a bad email. They pick up their phone and dial the 800 number. You can buy an 800 number for $10 or $15 a month.”
CyberSecurity Conference presentations
"The Legal Framework Governing Data Breaches" (PDF), Tony Schoenberg, partner, Farella Braun + Martel LLP
"Protecting Against Infrastructure Security Failures" (PDF), Francis Tam, CPA, CISM, CISA, CITP, CRISC, PCI QSA, Information Security and Infrastructure Practice partner, Moss Adams
Read more cybersecurity coverage at nbbj.news/cyber.