Corporations and governments are at risk because they are not educating their employees and are swallowing promises from vendors and consultants who are creating ‘false premises, false objectives and false formulas’ in the battle against hacks, security luminary John McAfee has warned.
“Vendors and consultants are trying to imagine what hackers are doing rather than doing it, creating false premises and false objectives and false formulas”, he told ComputerworldUK.
Firms need to focus on the human aspect of hacking, he added: “If you know anything about hacking, 99 percent of it is human engineering or social engineering. This is not simply about technology to break into the system, but how I break into your mind. How do I get you to divulge to me what would take me a year to get?
“I can do it through any number of ways: through fear, through sudden confusion, through downloading a three-dollar piece of software from Google Play that lets me spoof a telephone number, call you from your boss’s number, tell you about a security breach and say ‘your boss might be involved’. Nine out of ten of the employees I call are going to give me the password, and suddenly I don’t have to do any work.
“I’ll have fifty of my friends call fifty people from that same number. While that employee is sitting there waiting for the boss to get back to them, I’m sucking up all your data. It had nothing to do with technology but with neuro-linguistic programming.”
To counteract this, good security is all about “training and education and procedures”, McAfee said. At the moment, “enterprise is the weak link even though it doesn’t take long to do these things.”
Worryingly, McAfee, who marketed the first antivirus software in 1986 through a company that has since been bought by Intel, believes that “there are many in the security industry who do not know these skills because they don’t want to test things. I say to them, get out of the business and sell shoes.”
The line between white hat and black hat hacking is often blurred. Nurturing offensive skills among penetration testers and security researchers may be ethically problematic, but it is necessary, McAfee added.
“Would you buy a lock from a company who said ‘we don’t know how to pick it?’”
This poses questions over the condemnation of recent hacks around the world, including those of McAfee’s “very good friend” Chris Roberts, who says he was able to log into the systems of a variety of US aircraft, including Boeing 737-800, 737-900 and 757-200 and Airbus A320 models.
According to FBI reports, Roberts used Kali Linux to test the in-flight entertainment systems manufactured by Panasonic and Thales. He claims that, during these sessions, which took place between 2011 and 2014, he was able to take over a plane’s flight controls.
“The risk was very slim but was it right or wrong – I don’t know”, McAfee said.
“But the way the government reacted was not ‘Oh God, we need to change the flaw’, it was ‘Oh no, bad man’.”
By contrast, hacks on corporate and government departments in which personal information about individuals is taken and sold on are “devastating”, he said, referring to the recent AdultFriendFinder (a casual ‘hook-up’ site) hack, in which the personal information of four million users, including UK MPs and high-level executives according to McAfee, was breached.
“If it were simply financial we could survive it, but how can you survive the destruction of a life.”