
The dark art of hacking for good guys

Ex-NSA security expert Ira Winkler says most information breaches happen because of stupid mistakes by users

November 29, 2007

Ira Winkler (CBC)

To people who believe that computer hackers are nerds sequestered alone in a tiny basement typing away furiously on their keyboards, someone like Ira Winkler may come as a complete shock. Winkler began his career as an intelligence and security analyst for the U.S. National Security Agency and is now president of his own company, the Internet Security Advisors Group, and he spends more time smooth-talking receptionists and security guards than in front of a computer.

He has been dubbed a modern-day James Bond for his espionage-like tactics, which he uses in the employ of major corporations as a "white-hat social engineer" — a hacker who breaks into a company both physically and technologically to test its security. Winkler was one of the keynote speakers at the first SecTor conference in Toronto on Nov. 20 and 21, which brought together numerous well-known white hats to share their thoughts and experiences with IT security professionals.

After his speech, Winkler spoke with CBCNews.ca about the dark art of hacking for the good guys.

Where did this James Bond stuff come from?

The first people to say that were the Christian Science Monitor. They were doing an interview with me on credit card fraud and they asked me what I do, so I told them I basically simulate break-ins and steal stuff. When I saw the article, they're like "modern-day James Bond" type of thing. When somebody calls you that you can try to make as much out of that as possible.

It's a good marketing title, isn't it?

Yup.

Can you give some examples of things you've done — you've stolen billions of dollars and broken into nuclear reactors, right?

The one [time] where we found a Chinese intelligence operation across the street, I was doing the black-bag operation. We targeted the main research facility of a…

Sorry, can you just explain what a black-bag operation is?

Black bag is like what you see in the movies, where you see James Bond or Sydney Bristow [the main character on the television show Alias] going in under a high-risk situation and purposely stealing something themselves. Normally, in intelligence you have spymasters like my friend Stan, and what they do is recruit people who already have access and get them to steal information on their behalf. So they would find someone inside a company and pay them and say, "Okay next time you do this, we want you to download a file and bring it to us." On the other hand, I would go in myself and download the files. I do the black-bag operations stuff, which is the glitzy part of it.

You mentioned in your keynote that it isn't really about crawling through air ducts, but there is an element of that, right?

It's not the way it's pictured in the movies, nine times out of 10. For example, I will figure out a way into a company. Say it's a research and development facility. Stan was assigned to go around on the outskirts and find things while I was doing the black-bag operation. I had a team of people that I was supposed to get inside, so I walked over to the reception desk and said, "We're here to visit so and so." And they're like, "Sign in." There were some temporary badges to fill in, so I motioned to my friends to grab two of those and tailgate somebody through the door.

They would go in and I would basically see what the sign-in process was and if they checked identities, which they didn't. So I went through the doors and figured out by asking people where the critical facilities were, like the network operations centre.

It's really easy to break in to most companies, even technologically. The problem is if you hack your way into a Fortune 10 company, how are you going to find the right information? What I do that makes me able to steal this type of information within an hour is that I walk into the right facility and I ask people where the specific information is held. Once I know that, then I can figure out what computer it's on and tell my hacker friends, "Here's where to go," or I download it myself.

In this case, I got people into the research and development facility and I figured out where the network operations centre was. We waited for someone to come out the door and as I was pretending to plug a passcode in on a keypad, someone came out and it was "Oh, thanks." I grabbed the door and went in as they went out.

In a lot of network operations centres, you'll see a whole bunch of computers logged on and they're the main network controllers, and they were logged in as super users. So I installed a new account on that system really quickly, got the address of the computer and then told my friends on the outside how to get into that system.

Another example is where I went into a company that created infrastructure systems. They created power-generation systems, not one of the larger ones, but they create them around the world. So we went ahead and where they had their receptionist, I just acted like I was on my cellphone and pretended to ignore her as she tried to stop us as we walked past her into one of the operational areas. We then walked into an empty room and called up the security desk and said, "Hi, I'm the CIO — we have two contractors here who need badges, can we send them down to get some?" So we went down to the receptionist, who we ignored, and she was like, "I tried to stop you earlier." And I was like, "Oh, I'm sorry, I was on the phone." And she was like, "That's what I thought."

So the guard takes our picture and as we're waiting for the badge to print out, the guard's like, "So what do you two do here?" And we say, "We work on computers." She says, "Do you need access to the server room?" and I go, "Why yes we do." So when the guard activated our cards, she activated privileges for the server room.

We just walked around the server room and again the primary domain controller for it, which is the main Windows system in the whole building, was left logged on and open inside the network centre that we were just able to walk into. We were able to add a new account with super-user privileges from that point on.
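Both stories above end the same way: an unattended console logged in with super-user rights, and a new privileged account added within seconds. The script below is an added example written for this page, not code from Winkler or CBC; it shows the kind of detection a defender can run over Windows Security log events to catch that pattern, by correlating an account-creation event (event ID 4720) with a membership grant to a privileged group (event ID 4732) on the same host within a short window. The JSON log lines, host names and account names are constructed for the example; the 10-minute window is an assumed tuning value.

```python
"""Flag accounts that are created and then made privileged within minutes.

Added example (not from the interview). Correlates two real Windows
Security event IDs: 4720 (a user account was created) and 4732 (a member
was added to a security-enabled local group). The log lines below are
constructed sample data shaped like exported JSON events.
"""
import json
from datetime import datetime, timedelta

# Constructed sample log: one JSON object per line.
SAMPLE_LOG = """
{"time": "2007-11-20T08:12:05", "id": 4720, "host": "NOC-DC01", "subject": "CORP\\\\opsadmin", "target": "svc-backup"}
{"time": "2007-11-20T08:12:41", "id": 4732, "host": "NOC-DC01", "subject": "CORP\\\\opsadmin", "target": "svc-backup", "group": "Administrators"}
{"time": "2007-11-20T09:30:00", "id": 4720, "host": "FILE01", "subject": "CORP\\\\hrlead", "target": "jdoe"}
{"time": "2007-11-20T09:31:10", "id": 4732, "host": "FILE01", "subject": "CORP\\\\hrlead", "target": "jdoe", "group": "Remote Desktop Users"}
{"time": "2007-11-20T14:00:00", "id": 4720, "host": "NOC-DC01", "subject": "CORP\\\\opsadmin", "target": "tmpuser"}
{"time": "2007-11-20T16:45:00", "id": 4732, "host": "NOC-DC01", "subject": "CORP\\\\opsadmin", "target": "tmpuser", "group": "Administrators"}
"""

# Groups whose membership amounts to super-user rights on the host or domain.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}


def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blanks."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_fast_privilege_grants(events, window=timedelta(minutes=10)):
    """Return one alert per account that was created and then added to a
    privileged group on the same host within `window`.

    A long gap between creation and the grant is treated as routine
    provisioning and is not reported; tune `window` to local practice.
    """
    created = {}  # (host, account) -> creation timestamp
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        key = (ev["host"], ev["target"])
        if ev["id"] == 4720:
            created[key] = ts
        elif ev["id"] == 4732 and ev.get("group") in PRIVILEGED_GROUPS:
            born = created.get(key)
            if born is not None and ts - born <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["target"],
                    "group": ev["group"],
                    "by": ev["subject"],
                    "seconds_after_creation": int((ts - born).total_seconds()),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_fast_privilege_grants(parse_events(SAMPLE_LOG)):
        print("ALERT new privileged account:", alert)
```

On the sample data only `svc-backup` is reported: `jdoe` joins a non-privileged group and `tmpuser` is promoted hours after creation. The detection is a backstop, not the fix; the control that actually closes the hole in both stories is locking consoles in the network operations centre when nobody is at the keyboard.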

Two obvious questions come from that — who are you doing this for these days, and I have to imagine you've been caught?

I've never been caught. The only time I've been caught theoretically was after the fact, when I had left. The thing is, unless they stop you at the time, it's irrelevant and I've never been caught. I've had some friends that didn't last it out — some people don't want to push it as much as I push it.

I'll give you an example. We were playing tag inside a company and were supposed to tag the network switching rooms where they hold the routers, the telecom closets, which were basically the same thing, and the computer operations centre. We pretty much raped and pillaged the whole main facility, and then went to an outlying facility across the country and got in by tailgating people in during the morning rush hour and got somebody to open up the computer operations centre.

We asked around for who was in charge of the room — I made up the story that we were doing a physical audit because somebody fell down in the headquarters facility tripping over a cable in one of the network rooms, so we were supposed to make sure that all the rooms don't have cables that are going to trip people.

My accomplice would chat people up while I would go in the back and put a label up behind a router or something [just to show I'd been there]. I could have plugged a box into that system and nobody would have known for years.

So we ask, "Who can get us into the network closets?" A relatively nice [worker] ends up walking us around. The operations manager for that site saw him walking us around in what essentially amounted to a tour of the place, so the guy gets a call on his cellphone from the operations manager, who says, "Who are those guys you're showing around?" He says, "They're some guys from headquarters," and the manager replies, "What are they doing here without telling me?"

He walked us to the lobby and my friend is saying, "What are we going to do?" and I'm saying, "Let's just see what happens." The manager comes over and introduces himself and I introduce myself and he asks, "What are you two doing here?"

I go, "Well somebody tripped at headquarters and they're sending us out to make sure we don't get sued." He goes, "How come I wasn't told you were coming out here?" I go, "I don't know, they just told us where to go. I assumed they took care of this for everybody."

It's like 8 o'clock in the morning [at this place] on the east coast and the headquarters is on the west coast where it's five in the morning …

This almost sounds like something out of Beverly Hills Cop…

It is, it's more comical than it is cloak and dagger. So the guy's like, "Who can I call about this?" and I say, "Call this guy," and he says, "Okay."

I'm thinking this is good because maybe he'll call the guy and maybe he won't, but either way the guy's not going to be in his office no matter what anyway.

That's the kind of stuff I run into all the time. The guy I was with was like, "I just would have told him what we were doing." Well, that's why I'm in charge.

And who are you doing this for these days?

I have my own company. We do this for the security managers or the CIOs, who generally want to see how bad they're off or how good. This is really good for testing if they could catch people, and if they can't catch them, how they would better prevent something like this.

Every company has had major intellectual property thefts. Everybody has computer break-ins, but if it's intellectual property that gets lost, that's the problem.

But even if you were caught, you wouldn't be doing hard time because you're essentially working for them, right?

Yeah.

What's your book about? Is the second one out yet?

Yeah, both of them are out. Spies Among Us is a more thorough look at risk management but I make it entertaining. I talk about the risk formula in the first part of the book — one chapter is on value, one chapter is on threat. I talk about the concept of risk optimization.

People honestly don't believe that a stupid password won't yield a billion-dollar loss, which is the first part of the book. The second part of the book is about actual case studies. Some of them, where I've stolen nuclear reactor designs or whatever, specifically [outline] how I did that step by step. And then I break out at the end of each chapter how it was the very simple vulnerabilities that enabled it, so that way people can see the last part of the book, which are the countermeasures.

I've interviewed people in prison to show how they got caught and did their work, and I've interviewed other professionals to see how they did similar work too.

The countermeasures show how the little things can cause the biggest losses. Spies Among Us is more like a 300-page book while Zen and the Art of Information Security is basically a 100-page book that I wanted to be a nice, short read. It's a lot of simple concepts, but not a detailed discussion.

Does it cover this idea you raised in your speech, that hacking is more a science than it is an art?

There is a science to everything people do. You have to understand and acknowledge the threat and not be overwhelmed by it because again, a lot of the book is dispelling myths. Too many people think they have cyber terrorists and all these things to worry about, and how do they protect themselves from all these evil things and people? I try to get people to focus on the basics and a lot of the miscellaneous topics, like why you shouldn't trust a criminal. For a while, everybody wanted to hire a criminal and that's so bad on so many different levels, it's unbelievable.

You mentioned earlier that the media tends to get things wrong, like painting China as the big threat right now. Why is that, and what are the real big threats?

I'm not going to say they necessarily get it wrong, but they tend to put focuses on really stupid places. That's because they're looking for new stories and don't hear how little things add up to a major loss, and get the reports from people and see people testify to Congress and Parliament. People look for sound bites because they're pushing a product.

Congressmen want to get quoted, and having somebody come out and say the government itself is responsible for 99 per cent of all attacks that it experiences is not going to be something that is fun to report. It may be hard to report there are fundamental vulnerabilities that aren't being addressed, but that may sound boring.

On the other hand, if I have a new report that says China is the biggest threat … well, China is not the biggest threat. Insiders in the Department of Defence are causing more loss than China ever will. But how do you say the average employee screws up like seven times a year and the average screw-up costs X-thousand dollars? Employee screw-ups are the biggest threat to security. China is just a ready group of people willing to take advantage of it.

If you want to look at which foreign intelligence agencies are stealing technology, [then yes,] China would be it. On the other hand, if you want to look at how is most technology being stolen or lost, then it's either human stupidity or malicious insiders — much more than China ever would. We're robbing ourselves more than enough, but China makes better press.

Do you think security companies such as Symantec are trying to overstate the threats out there to make themselves seem more necessary?

The problem is they're selling fear, they're not selling business necessity. It would be really great if a security company could go ahead and provide a cost justification for their products.

Symantec has a suite of products that overall are individually useful but how are they being applied and what is the business return on that? They're not demonstrating a business return, they're creating hype surrounding it. They're not saying, for example, "Use my product and you'll have a five-times return on investment," which is what security managers need. They're selling little pieces of hype. Symantec is the type of company, and whether it's good or bad — I frankly think it's neutral — their pitch to companies is, "This is something extra you need in addition to all the other little pieces in the suite of products you have from us." They might be right but nobody is out there saying here's a good cost-return model.

For home users, how do they understand this? They need to understand it's like driving a car. Everybody knows the biggest threat to them are fender benders, they're not afraid of an airplane dropping out of the sky and falling on them — which could theoretically happen — but that's the focus the computer world has. We have to start getting people to understand that. Yes, there's identity theft on the internet. However, if you install anti-spyware, anti-virus and personal firewall software, this is going to prevent 99 per cent of the problem. Also, if you're running Windows, make sure you update it on a regular basis.

I hate Apple for the message they're putting out. They're saying Microsoft's security efforts are a waste, they're only there because Microsoft is an insecure operating system. Apple is even more insecure because they're not addressing those concerns but they don't talk about it, they just point out the problems security adds without talking about the reduced risk that security adds as well.

People have to realize that just like a car, where you change the oil and put in gas, you put in your firewall, anti-virus and spam [protection]. That's part of good security. If the average individual said, "What do you mean I have to put gas in my car? I just spent $20,000 on a new car and now you want me to put gas in it for $50 every other week? Are you out of your mind? That's more than the cost of the car by the time I'm done." But yet, people have that headache in spending $50 to upgrade their anti-virus software once a year. Security vendors have been very poor about that.

What do you think of this concept of a white list, where instead of anti-virus software working with an ever-expanding library of bad programs, it would instead use a much smaller list of good programs, and nothing else would be allowed to work on your computer?

Just as anti-virus software does slow down your computer, at the same time computer processing power is speeding up and there isn't as much overhead as there used to be. I think white lists are good but there needs to be a combination of both. It's much safer to filter out known attacks because your white list has to be as narrow as possible. That's the issue — your black list is getting huge, but your white list needs to be as narrow as possible.

That's getting less practical as time goes on because if you look at application software from web servers or Java or ActiveX code that runs on servers, that's hard to white list. Because there are so many thousands of varieties of it, unless you want to reduce the potential functionality, you're going to create problems.

There's going to be a lot more Type 2 errors. A Type 1 error is where you're missing something, like what a black list might do, but a Type 2 error is where you're marking something as bad when it's actually acceptable. You're going to have a huge number of Type 2 errors with a white list concept. It's a lot easier to say I know this is bad so let me stop it from the start. I wish what they would do is build security into the infrastructure a lot more.
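The trade-off Winkler describes can be made concrete by running the two policies over the same set of programs. The script below is an added example for this page, not code from the interview: it models an allow list ("white list") and a deny list ("black list") as sets of SHA-256 hashes and counts the two kinds of error each produces on constructed sample programs. In the interview's terms, a "Type 1" error is a missed threat and a "Type 2" error is a legitimate program blocked; the code labels them `missed_threats` and `blocked_legitimate`. The program names and contents are invented for the example.

```python
"""Compare allow-list and deny-list decisions on the same sample programs.

Added example (not from the interview). Each policy is a set of SHA-256
hashes; the sample programs and both lists are constructed for the example.
"""
import hashlib


def sha256(data: bytes) -> str:
    """Hex digest used as the program's identity in both lists."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample programs: (name, contents, is_malicious).
SAMPLES = [
    ("notepad.exe", b"known good editor", False),
    ("calc.exe", b"known good calculator", False),
    ("plugin-v2.dll", b"legitimate plugin, new build not yet approved", False),
    ("oldworm.exe", b"old, well-known malware", True),
    ("newdropper.exe", b"novel malware with no signature yet", True),
]

# The allow list only knows the two approved programs; the deny list only
# knows the old worm. Both are deliberately incomplete, as real lists are.
ALLOWLIST = {sha256(b"known good editor"), sha256(b"known good calculator")}
DENYLIST = {sha256(b"old, well-known malware")}


def allowlist_policy(contents: bytes) -> str:
    """Run only what is explicitly approved; everything else is blocked."""
    return "allow" if sha256(contents) in ALLOWLIST else "block"


def denylist_policy(contents: bytes) -> str:
    """Block only what is explicitly known bad; everything else runs."""
    return "block" if sha256(contents) in DENYLIST else "allow"


def evaluate(policy, samples=SAMPLES):
    """Return the two error types a policy makes on the samples:
    missed_threats (malware allowed) and blocked_legitimate (good program blocked).
    """
    missed, blocked = [], []
    for name, contents, malicious in samples:
        decision = policy(contents)
        if malicious and decision == "allow":
            missed.append(name)
        elif not malicious and decision == "block":
            blocked.append(name)
    return {"missed_threats": missed, "blocked_legitimate": blocked}


if __name__ == "__main__":
    for label, policy in (("allow list", allowlist_policy), ("deny list", denylist_policy)):
        print(label, evaluate(policy))
```

On this input the allow list misses nothing but blocks the unapproved plugin build, while the deny list lets the novel dropper run and blocks nothing legitimate. That is exactly the tension in the answer above: every new version of legitimate software widens the allow list, and every new sample widens the deny list, so in practice a layered policy uses both.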
