With “hacktivist” groups like Anonymous and stories like the LinkedIn security breach constantly popping up in the news, it’s easy to grow numb to matters of digital security despite their seriousness. Individuals, businesses and even governments are vulnerable, and while the public is often privy to one side of the story thanks to security conferences and outspoken hacker groups, personal accounts from the individuals responsible for protecting the networks, websites and devices that get hacked are few and far between.
In a fantastic post that gives the world an excellent insider perspective, security expert Henry Schwartz recently shared an intense experience in which an Automated Teller Machine system built by his company was hacked and he was tasked with responding.
“At the Black Hat conference in 2010, an ATM designed and built by my employer was set up on stage, and a security researcher demonstrated an exploit which emptied out all its cash,” Schwartz begins. “For many months prior, I had been my employer’s designated point-man in responding to this attack.”
The account continues, “I read [the security researcher’s] document. There should be a word in English for the pall of gloom that gradually descends as one reads a damaging report that will soon be made public, slowly shaking one’s head and increasingly muttering obscenities. It was immediately clear that before anything else our first task was to implement a defense against the attack. So to know mine enemy, my colleague Keith and I traveled to San Jose to debrief Barnaby, also with a mind to assassination by wooden stake through the heart should the opportunity present.”
Schwartz goes on to recount the entire experience, from the time he began working with the cooperative security researcher, Barnaby Jack, to developing and deploying a fix, to sitting in the audience while Jack demonstrated his exploit to the world. His account of his relationship with the hacker — whom he playfully describes as a “heinous moustache-twirling villain whose hobby is tying damsels to train tracks” — and of the events surrounding the breach is nothing if not intriguing and insightful.
Schwartz’s post can be read in full on his blog, and a video of Barnaby Jack’s presentation from the Black Hat 2010 conference, which we recommend viewing only after reading Schwartz’s post, follows below.