Hacking to help businesses
Marc Maiffret used to be a computer hacker. Now he gets paid to break into the systems of Southern California businesses, testing for security weaknesses.
His client today is a major Los Angeles auto dealer, which sells fancy luxury cars to celebrities and corporate execs. The head of the company wants to check on the safety of his customer data.
It’s not an idle worry. Just days earlier, a 28-year-old Miami man was charged by federal authorities with hacking into multiple computer systems and stealing 130 million credit and debit card numbers -- the largest computer crime ever prosecuted.
Nearly 10 million Americans were victims of identity theft last year. One recent study put annual losses related to ID theft at $48 billion.
Maiffret, 28, wearing hipster eyeglasses and a black T-shirt, and with one eyebrow pierced, focuses on the Vaio laptop on his desk.
It takes just a few keystrokes to penetrate the auto dealer’s network. Maiffret runs some software. He uses it to locate the dealer’s main computer server and to give himself administrator-level access.
He now has the run of the system.
“That took just 60 seconds,” Maiffret says, grinning. “And there was nothing abnormal about this client’s system. This is how it is in most cases.”
He moves quickly through the dealer’s network to access its customer files.
Maiffret stops on a screen showing that the chief operating officer of a Fortune 500 company recently paid almost $250,000 for a sweet new set of wheels.
The screen includes the man’s name, address, phone number, e-mail address, Social Security number, employer and job title -- a one-stop shop for big-time identity theft.
“You could sell all that for a lot of money,” Maiffret muses. “Maybe $50,000.”
Earlier this week, Radisson Hotels & Resorts said its computer system was accessed without authorization. It didn’t say how many hotel guests were affected by the security breach.
In the case involving 130 million stolen credit and debit card numbers, authorities say the suspect, Albert Gonzalez, accessed people’s personal information pretty much as much as he liked from 2006 to 2008.
An unspecified number of stolen card numbers were sold online and used to make fraudulent purchases and bank withdrawals, according to an indictment filed in U.S. District Court.
Jason Lidow, founder of the L.A. computer security firm DigiTrust Group, says most people and businesses have no idea how easy it is for a cyber-thief to make off with sensitive data.
DigiTrust is the company that unleashes Maiffret on paying customers.
Lidow says clients typically pay anywhere from a few thousand to tens of thousands of dollars for an attack on their system -- in hopes that this will help protect them from real hackers.
“You can never be 100% safe,” Lidow says. “That’s not a message we hide from clients. No one can make you 100% secure.
“The target should be figuring out how you’re most likely to be accessed and then to block that access.”
Hackers can plant viruses and malicious software in people’s computers simply by getting you to open a PDF file attached to an e-mail, or by luring you to a legitimate-looking website where watching a video might sneak some spyware into your system.
Stan Stahl, head of Citadel Information Group, another L.A. security firm, says social-networking sites like Facebook and Twitter also have become hunting grounds for cyber-criminals.
He recalls one case in which a hacker took control of someone’s Facebook page and sent an e-mail to all of that person’s friends that looked like it was from the Facebook member. It said she’d just had her cash and passport stolen while visiting London -- please wire some money right away.
“And people sent money to the hacker,” Stahl says. “It’s a whole new world out there. You don’t know who to trust.”
There was a time when you couldn’t trust Maiffret. He says he spent much of his teenage years hacking business and government networks. His come-to-Jesus moment came when he was 17 and the FBI took an interest in his activities.
“I wasn’t arrested,” Maiffret says. “But that’s when I understood this wasn’t a lifestyle I could keep.”
So now he hacks on the side of truth, justice and the American way -- and a steady paycheck.
After compromising the auto dealer’s computer network, Maiffret sits down with the company’s chief marketing officer, whose expression darkens as Maiffret cycles through screen shots of the various files he accessed.
The exec’s eyes go wide as a shot of one of the customer files comes up.
“You got into that?” he asks. “The highest level of access?”
“Did you see the names of any movie stars?” the exec asks nervously. “We tell them that their information is secure.”
It’s not. The exec says he’ll have to think about this.
Afterward, I ask Maiffret how often he comes across a client’s computer system that he can’t hack.
He smiles sheepishly.
“Never,” he says.
That’s great for Maiffret. Very bad for the rest of us.
David Lazarus’ column runs Wednesdays and Sundays and occasionally in between.
Send your tips or feedback to firstname.lastname@example.org.