13. November 2017
My USB flash drive knows everything about you
Juraj Bednár is an ethical hacker, founder of three startups and a cryptocurrency fan. He can hack into almost any system, but he is doing it for a good cause. He told us about his unusual work at UP21.
Juraj, what is ethical hacking?
It is a way to verify a system and improve its security. We first speak to the client, then hack into their system and eventually suggest a solution for securing it better.
Is it a common practice?
It is very common in the financial sector and healthcare. I don’t know any bank that would release a system without testing it beforehand. In my view, there are currently five companies that are doing it well in the Czech Republic.
How do hackers manage to hack into a website which had previously been verified?
Systems evolve quickly. It can easily happen that a bank changes something half a year after initial testing and this creates an error that had not been there before. That is why it is important to test regularly and continually. Our startup Hackatrophy rewards people who find an error on our website.
Can you think of any incident in which ethical hackers have recently intervened?
In October, scientists from the Masaryk University found a security flaw in Slovak identity cards that had an electronic signature. Even though the in-built chips were certified by a recognized German producer, it still did not help. The issuing of cards has stopped.
How can companies and institutions avoid these attacks?
In my view, it is more important to be able to react quickly to security incidents rather than rely on prevention. The means of attacks are continually evolving, and it is not possible to predict what they will be like. Our company guarantees that there won’t be any known errors in the system; however, we cannot ensure that someone won’t come up with something new.
What vulnerabilities are you trying to detect?
We follow a methodology which lists all the main flaws that exist and whenever a new one appears the methodology is updated. A fourth version has recently been released.
Do you think we only presume that our data is secured?
(laughing) I am convinced of that. When we test the security of systems and hack into them, our success rate is 80-90%.
Are email and Facebook also so unsecured?
It is not a problem of the systems, but of people not being able to protect their end devices. If I wanted to get access to someone’s Facebook, I would not hack into Facebook, but I would try to send them some program to run or a link to click on. People are usually not careful, and they will click on anything.
What would your hacking strategy be like?
I would use the technique of the most famous hacker, Kevin Mitnick. He did not base his strategy on technology but on social engineering. He dressed up as a messenger, walked around the company, collected some papers, called someone and said that he needed a password or else something would happen, and people gave it to him. It is very easy. If I gave you my USB flash drive and told you that my presentation at 4 PM is on this flash drive and you should insert it in your computer, it would be the only thing I would need. I know very few people who wouldn’t insert someone else’s USB flash drive into their computer.
I suppose you wouldn’t.
I would never do that. It is like having sex without a condom with an unknown person.
Can you recommend what should and should not be done?
Never use the same password for several accounts. Instead, save them to the Password Manager. Do not have a simple PIN and pay attention to what you are opening and which websites you are visiting.
Thanks for an interesting interview.