Profile of an ex-hacker: Mike Koss, head of IT security and risk, N-Brown Group

Former black hat hacker discusses his career hacking enterprises, and how he turned himself into a force for good (mostly)

"In Scotland you can work in oil, do drugs or die young," said Mike Koss, head of IT security and risk at retail operator N-Brown Group, speaking at Computing's recent Enterprise Security and Risk Management Live conference.

"We took the fourth option and started a hacking group," he continued. "Two of the four of my old hacking collective are now dead. You either take the corporate route and sell out, or drink and drink and die," he said.

Koss began his career working at one of Scotland's first ISPs. "We had over 16,000 connections per day, and I can still hear all those old baud modems," he said.

Outside his career he spent much of his time hacking, but personal profit was never the goal.

"We treated it as a game of chess, always trying to outsmart the other guys. I broke into a number of organisations, using a variety of techniques. But I'd always leave a note or a flag to say I managed to get into your network, and this is how I did it. I wouldn't steal, change or delete anything."

Listening in on drug dealers

One of his favourite techniques back in the 1990s was to insert a roll of tin foil into the third pin at the back of his phone.

"Then you had a handheld scanner that could scan all bandwidths in the area. I could listen in on all the conversations going on around me. I was listening to banking people discussing sensitive stuff, drug dealers, all sorts. They were all having open conversations on unprotected channels.

"Then we hacked old pay phones to call bulletin boards in the US for free to discuss the exploits we'd found."

For Koss, his favourite time in hacking culture was just after the Snowden revelations broke in 2013.

"That was when General Alexander [director of the US National Security Agency at the time] came to the Black Hat conference in Las Vegas. The NSA realised that damage needed to be repaired with the hacker community.

"On the one hand they're saying hackers are criminals, but then government agencies go to hacker conferences and apologise for their overreach. They asked the hacker community to help the NSA defend the US."

Koss describes IT security as being a lot like lock picking, which is itself a useful skill, since the sensitive systems hackers are interested in are often kept behind locked doors.

"Picking locks is all about the pins and tumblers. You apply pressure and push the pins up one by one. Each pin you push up, you can apply pressure and it won't drop back down. Finally they're all aligned and it opens. That reflects the hacker mindset.

"As a hacker I spent a year trying to break into one site. My girlfriend didn't like some pictures of her on a particular website, so she asked me to remove them."

Patience is a virtue

Koss started to take a look at the site, but was surprised to learn that it was one of the first internet forums to apply decent infosec principles.

"They patched and did things they're supposed to as an organisation. I said sorry I couldn't get in, and she didn't speak to me for three days. But a year later all the tumblers aligned and the pressure I applied paid off.

"What happened is they updated to some new software and I found a SQL injection on the website.

"I extrapolated on that over the next two to three weeks, going back at odd hours, and building up a fairly lengthy SQL injection. I wrote out a massive SQL injection on a whiteboard and entered it. It dropped the entire database. I was able to get the username and password table.

"They didn't know they'd been compromised unless they were looking at the logs, and they weren't. I downloaded a few tools and cracked the passwords. I could then log in, go to those pictures and delete them. Then bizarrely we split up!

"But the point is within a year of persistent attacking I was able to get those pins to align with enough pressure. And it happens all the time.

"Some of us don't understand you can be as secure as you want, but ultimately given enough time and commitment you're going to get compromised."
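The forum story above turns on one defect: a username field spliced straight into an SQL statement, so that a quote in the input is parsed as SQL rather than data (the same symptom Koss later triggers with a URL-encoded quote on an admin page). The example below is added here and is not code from the talk or from N-Brown; it uses a constructed in-memory SQLite table with placeholder hash strings and shows the string-built lookup next to the parameterised one, plus a self-check a team can run against its own application to see which behaviour it has.

```python
import sqlite3

# Constructed in-memory user table standing in for the forum's "username and
# password table"; the hash strings are placeholders, not real credentials.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "<placeholder-hash-1>"), ("o'neil", "<placeholder-hash-2>")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String-built query: a single quote in the input closes the SQL literal,
    so the database parses the rest of the field as SQL. This is the defect
    behind the 'send a quote, get an SQL error' symptom in the talk."""
    sql = "SELECT username, pw_hash FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchone()


def lookup_parameterised(conn, username):
    """Bound parameter: the driver passes the value separately from the
    statement, so a quote is ordinary data and cannot change the query."""
    return conn.execute(
        "SELECT username, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()


def quote_causes_sql_error(lookup, conn, username="'"):
    """Defender-side self-check for a lookup function: does a quote-bearing
    value make the database raise a syntax error (True) or get handled as
    data (False)? Suitable as a unit test in the application's own suite."""
    try:
        lookup(conn, username)
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    print("string-built query leaks an SQL error:",
          quote_causes_sql_error(lookup_vulnerable, db))
    print("parameterised query handles the quote:",
          not quote_causes_sql_error(lookup_parameterised, db))
    # A legitimate apostrophe in a surname only works with the safe version.
    print("o'neil via bound parameter:", lookup_parameterised(db, "o'neil"))
```

The self-check is the cheap, repeatable version of what Koss did by hand: if a lone quote produces a database error, the query is being built from strings and needs to move to bound parameters before any pen test is worth paying for.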



Why we're all getting security wrong

The current global approach to cyber security isn't working, according to Koss. He cited some statistics to back this up, stating that 4.8 billion records were compromised in the first half of 2018.

"People say the insider threat is the biggest risk, because of human error. I see human error all the time, but this year, 51 per cent of breaches were from external hacking. So it's overtaken the insider threat for the first time.

"How many of us are looking at our application security? How many of us are penetration testing everything, not just that critical system going live next month? No one. We don't have time. If I ask the board for two to three million pounds to pen test everything, they'll tell me to get lost."

He continued, telling a story about someone from his team at N-Brown who wanted to learn about offensive security.

"I gave him a run through. We signed up to a site and requested a password, and they sent it to me clear, not hashed. But I thought it was probably hashed at the back-end. I looked at the source code of the page and saw that password recovery was going out to a sub-domain. So we looked at it, and tried to figure out some URLs that could be at the end.

"We quickly found an admin page. So I added '%27' to the username, and hit enter. Bang, I found an SQL injection error. And it's a very big company."

Koss and his colleague played around with that vulnerability and hand-crafted an SQL injection attack and successfully broke in.

"We got 55,000 customer records from a single SQL injection. They used an open source CMS. It was encrypted, but they put the encryption key in open source which was on github. It took us 45 mins to get all those usernames and passwords, then two weeks to compromise them. That's without really trying, I was just showing my guys what can be done.

"How many of you have applications exposed to the web which you think you've thoroughly pen tested? No one."
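Two details in these stories matter for defenders: the forum "didn't know they'd been compromised unless they were looking at the logs", and the probe that found the admin-page flaw was a URL-encoded quote (`%27`) in a username parameter that came back as an SQL error. Those probes are visible in ordinary web server access logs. The scanner below is an added example, not code from the talk or from N-Brown; it runs over constructed combined-format log lines using RFC 5737 documentation addresses, URL-decodes each query parameter, and rates a quote that coincides with a 5xx response as a probable probe while treating a quote in a normal 200 response (an apostrophe in a real surname) as low-severity, so the check does not drown in false positives.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines (combined-log style, RFC 5737 test addresses);
# not from any real system. The 03:14 requests model a quote-bearing probe
# that hits a server error at odd hours; the 09:01 search is a real surname.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Oct/2018:03:14:22 +0000] "GET /admin/login?user=admin HTTP/1.1" 200 512
203.0.113.7 - - [12/Oct/2018:03:14:31 +0000] "GET /admin/login?user=admin%27 HTTP/1.1" 500 233
203.0.113.7 - - [12/Oct/2018:03:15:02 +0000] "GET /admin/login?user=admin%27%27 HTTP/1.1" 500 233
198.51.100.9 - - [12/Oct/2018:09:01:10 +0000] "GET /products?id=42 HTTP/1.1" 200 8731
198.51.100.9 - - [12/Oct/2018:09:01:12 +0000] "GET /search?q=o%27neil HTTP/1.1" 200 1200
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \d+'
)


def parse_line(line):
    """Split one log line into fields and URL-decode its query parameters
    (parse_qsl turns %27 back into a literal quote)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["params"] = parse_qsl(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def scan(lines):
    """Return (findings, probe_count_by_ip).

    A quote in a parameter that coincides with a 5xx response is treated as a
    probable injection probe that reached the database (high). A quote that
    got a normal response is recorded as low: apostrophes occur in real
    names, so on its own it is not evidence of an attack."""
    findings = []
    probes_by_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hit_params = [k for k, v in rec["params"] if "'" in v]
        if not hit_params:
            continue
        if 500 <= rec["status"] < 600:
            severity = "high"
            probes_by_ip[rec["ip"]] += 1
        else:
            severity = "low"
        findings.append({
            "ip": rec["ip"], "time": rec["ts"], "severity": severity,
            "params": hit_params, "status": rec["status"], "target": rec["target"],
        })
    return findings, probes_by_ip


if __name__ == "__main__":
    findings, probes = scan(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:4} {f['ip']:14} {f['status']} {f['target']}")
    for ip, n in probes.items():
        print(f"{ip}: {n} quote-bearing requests answered with a server error")
```

The per-IP counter is what turns single events into the pattern Koss describes, "going back at odd hours" over weeks: a source that repeatedly pairs quotes with server errors on the same endpoint is worth an alert even when each individual line looks like noise.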

Koss also voiced some controversial views around the EU's new GDPR legislation.

"Did the GDPR do anything besides make more money for the ICO?"

Koss said that one test of how security aware your organisation is can be how often the security team gets approached by the business.

"I found a queue of people waiting to speak to us after GDPR. My team's gone from a graduate and a risk guy to 16 people in 12 months. That's a luxury! A lot of that comes from me terrifying the crap out of the board."



Security skills in demand

He branded the number of people and skills organisations need in security today as "horrifying".

"The skills are hard to find, and my people get poached and it's very hard to replace them."

Koss also said there are too many vendors trying to fix the same things.

"I do champion a few vendors though, where I think the technology behind them is good, and the maths adds up. Darktrace is one we use. But if you don't know them and don't have the time or knowledge to analyse them, how are you supposed to know what's good and bad?

"Are you attending Black Hat and Defcon? How long do you spend dealing with the underlying core technology? Do you have time to do that with everything else you need to do? You don't have time, you just go with whatever you can get for the cheapest price that seems to do the right thing.

"Everything you do is a snapshot in time. It doesn't really matter from moment to moment, but mess up once and they will get in. It's scary and we are losing."

He went on to tell the audience how he goes about securing funding from the board.

"I show them a picture of North Korea at night. Only Pyongyang is lit up, everything else is dark. And that represents the one per cent of your organisation that you have visibility into.

"I then show them a picture of Las Vegas at night. Partly to show them what 100 per cent coverage looks like, and partly to show them that they're going to pay for me to go to Black Hat every year!

"I'm there for three years to deliver IT security transformation. I'm aiming to take them from 1977 to the year 2000 in terms of security.

"When I first joined we hadn't patched in three years. We now patch monthly. We have Darktrace, so the ingress and egress pieces are covered. We have CIS benchmarks we've tailored to our organisation. We've gone 'full bank' as a retailer. We're half-way to Vegas-style coverage and I'm 18 months through."