Infosec witch doctors

The infosec community isn’t made up of witch doctors, and not all hackers wear hoodies

casey pechan / 11.07.17

When a member of the general public hears the word hacker where does their mind usually go? For that matter, where does your own mind go? To a hooded figure banging away at a keyboard in a dark room? To the shadowy protagonist of Mr. Robot? Maybe to someone wearing a Guy Fawkes mask and making demands directly into a camera? Whatever it is, it likely isn’t someone sitting at a cheap desk, hacking away between bites of a turkey sandwich they made for lunch.

And while Hollywood props up the image of the hooded hacker, these are not at all the people behind most security breaches. If they were, how on earth could any major website or application go unbreached? Imbuing perfectly normal humans — who are nearly always simply exploiting basic, avoidable flaws — with imaginary super powers does incredible damage to Infosec by making it appear to be the realm of witch doctors and wizards instead of skilled technicians and well-designed software.

Major security breaches tend to come out of an issue that could have been easily prevented with the right security teams and processes in place. Just look at some of the most notable hacks from the past year alone:

  • Deloitte was breached simply because one of their email administrators wasn’t using two-factor authentication, even though it’s pretty easy these days to enforce two-factor authentication across an entire organization.
  • The WannaCry ransomware was able to spread in May because many firms hadn’t applied Microsoft’s MS17-010 patch that had been made available over a month prior specifically to close the very flaws that WannaCry later exploited.
  • CloudFlare inadvertently leaked sensitive information, seemingly at random, across the millions of sites that use its infrastructure services, due to an internally introduced bug. Even though no third parties appear to have noticed or got hold of the information, this was still a major issue, and one that could have been caused by some minor (or at least minor-looking) and catchable coding errors.

The point of all this isn’t to kick breached organizations while they’re down — practically every large enterprise has faced major bugs and breaches — it’s simply to reinforce the notion that these breaches and leaks were not brought about by brilliant hacker wizards launching complex assaults from all angles, but by easily fixable flaws that simply didn’t get enough attention.

In the case of CloudFlare’s breach, not all of their customers even faced a threat. Take 1Password. Their entire business model is essentially “trust us to manage your passwords,” and they earn that trust by being hyper-focused on data security. They don’t put their faith in SSL alone (if they did, all their customers could have been compromised by the CloudFlare bug); instead, they use three layers of security, with SSL as one layer, SRP as another, and encryption whose keys are only unlocked while a customer is viewing their passwords as the last. This isn’t black magic. This isn’t the work of a genius sitting alone in a tower fighting non-stop against intruders using their proprietary anti-hacking spells. This is solid, best-practice-focused work, and it manages to do the trick even as they paint a huge target on their backs by managing the password data for valuable customers.
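To make the layered design above concrete, here is a small Python model written for this post (it is not 1Password’s or CloudFlare’s code, and every name, the sample vault, the salt and the master password are constructed for the demo). It simulates a TLS-terminating edge proxy that hands stray buffered memory to unrelated responses. A vault protected by transport security alone shows up in that leak in the clear; a vault encrypted on the client with a key derived from the master password crosses the edge as ciphertext only, and the client can still open it and detect tampering. HMAC-SHA256 in counter mode with an encrypt-then-MAC tag stands in for a library AEAD such as AES-GCM so the example needs only the standard library; the SRP layer is left out.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample values for this demo; none of them come from the post.
MASTER_PASSWORD = b"correct horse battery staple"
VAULT_PLAINTEXT = b'{"site": "example.com", "password": "hunter2-demo-secret"}'
VAULT_SALT = bytes(range(16))  # fixed so the demo is deterministic; use os.urandom(16) per user for real
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_password: bytes, salt: bytes) -> bytes:
    """Client-side key derivation: the server and any edge proxy never see the master password."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, 100_000, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and authentication keys derived from the vault key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in for an AEAD such as AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = nonce if nonce is not None else os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before touching the ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault integrity check failed (wrong key or tampered blob)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def vault_opens(key: bytes, blob: bytes) -> bool:
    """True if the vault decrypts and authenticates under this key."""
    try:
        decrypt_vault(key, blob)
        return True
    except ValueError:
        return False


class LeakyEdgeProxy:
    """Models a TLS-terminating edge: TLS is decrypted here, so whatever the client sent
    inside the tunnel sits in this process's memory. dump() stands in for the bug class
    where stray buffer contents end up in unrelated responses."""

    def __init__(self) -> None:
        self.memory = bytearray()

    def forward(self, tls_payload: bytes) -> bytes:
        self.memory += tls_payload  # buffered on its way to the origin
        return tls_payload

    def dump(self) -> bytes:
        return bytes(self.memory)


def sync_tls_only(proxy: LeakyEdgeProxy, vault: bytes) -> bytes:
    """Design A: trust the transport alone. The vault crosses the edge in the clear."""
    return proxy.forward(vault)


def sync_layered(proxy: LeakyEdgeProxy, master_password: bytes, vault: bytes) -> bytes:
    """Design B: seal the vault on the client first; TLS is one layer, the vault key another."""
    key = derive_vault_key(master_password, VAULT_SALT)
    blob = encrypt_vault(key, vault)
    del key  # dropped as soon as the vault is sealed (models intent; Python cannot zeroize)
    return proxy.forward(blob)


def edge_leak_exposes(proxy: LeakyEdgeProxy, secret: bytes) -> bool:
    """Would a memory leak at the edge reveal this secret?"""
    return secret in proxy.dump()


if __name__ == "__main__":
    a, b = LeakyEdgeProxy(), LeakyEdgeProxy()
    sync_tls_only(a, VAULT_PLAINTEXT)
    blob = sync_layered(b, MASTER_PASSWORD, VAULT_PLAINTEXT)
    print("TLS-only design leaks the password:", edge_leak_exposes(a, b"hunter2-demo-secret"))
    print("Layered design leaks the password:", edge_leak_exposes(b, b"hunter2-demo-secret"))
    print("Client still opens the vault:", vault_opens(derive_vault_key(MASTER_PASSWORD, VAULT_SALT), blob))
```

The check that matters is the last three lines: the same edge bug exposes the TLS-only vault and reveals nothing useful from the layered one, while a wrong master password or a single flipped ciphertext byte is refused by the client. The `del key` line only models the intent of holding the key no longer than needed; a real client would keep key material in a form it can actually wipe.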

The more we think of breaches and hacks as being in the realm of geniuses, the more we think of the counter to them as being in the realm of witch doctors and indecipherable dark magic, making security seem almost impossible to manage within the confines of a normal office. But this does not match reality. Providing top-level security is a matter of implementing the right protocols, running the right software, and hiring a staff that stays on top of changes as they happen. That isn’t dark magic. It’s just paying attention.