Swiss summit keynote speaker FC highlights “third-party risk”
Ethical hacker and social engineer FC, aka FreakyClown, has shared insights from his 25 years of experience breaching security with delegates at the InvestmentEurope Swiss Summit at the Hotel Bellevue Palace in Bern.
FC has broken into hundreds of banks, offices and government facilities. He said the businesses he has worked with have failed to understand that good business security is a balance between digital security, physical security and human nature.
“One bank we worked with had issues with people getting into their facilities. They bought the most expensive security door for £60,000 and asked me to test it and make sure it was secure. I watched the door for three or four hours, and the day after I walked up to the door and it randomly opened without any need to hack it. There was an engineering mode that does a revolution every 15 minutes to ensure the door is working. All I did was get that timing precise.
“The door was not the issue. People trusted the wrong people, as they thought the engineers would have installed the door correctly, and the engineers assumed that the people running the door would use it correctly. The management had never thought of this risk,” FC told the Swiss Summit audience.
He added that it does not matter how much security you have: a sufficiently determined attacker will find a way into your building or your business.
A co-founder and head of Ethical Hacking at Redacted Firm, FC has worked with many defence firms and government agencies. As a result, he had a target on his back, as other nations wanted to know what he knew, and he used to travel with an armed escort to avoid being kidnapped.
Another story FC told was about a US company from which 30 million credit card details and some $470m were stolen through air conditioning devices in 2014. The hackers targeted the air conditioning company as a third party, a stepping stone in their plan to break into the business they were really after.
The air conditioning firm did not detect the breach of its own systems, and because no separation had been put in place between the two businesses' systems, the hackers gained access to the systems of the company they were targeting.
“There is a third-party risk. You cannot fully trust a third party, and perhaps you may be the third party of someone else for other plans,” said FC, who stressed that many companies spend millions of pounds on digital security but forget that physical security is just as important.
“There was a bank with all the security in the world, and they had a policy regarding new starters. You are handed a form at the reception that you need to fill in and get signed by a manager in order to be given an access badge. I filled it in with two differently coloured pens and two different writing styles. I went back to the main building and asked a security guard for a badge, since my form was filled in. The guard never questioned me on where that form came from and brought me a badge,” FC explained.
Everybody in the company needs to think about business security, he stressed.
Asked about nation-state cyber-attacks, FC said it was very unlikely they would be targeting companies or banks. He added that criminals are not always after money; they might be after something even more valuable.
Regarding social networks, FC said he does not have a Facebook account but runs a Twitter account (@__Freakyclown__), which he uses cautiously, for instance checking every detail in a picture before publishing it.