by Don Groves — 26/02/2020
Reformed hacker and cyber security expert, Bastien Treptel, is helping to highlight the dangers of online piracy for Creative Content Australia’s latest anti-piracy campaign. We spoke to him to understand why he is so passionate about warning others of the risks of cybercrime.
Bastien you agreed to front Creative Content Australia’s new anti-piracy campaign ‘Piracy. You’re Exposed’. Why?
It aligns with my personal mission to educate and protect Australians from cyber risks. Setting up a Torrent or Locker is so easy, and it exposes so many ways in which a hacker can gain access to a computer or network. Hackers can cause serious harm, and people need to be aware of just how much of our life is digital now; pirating content can lead to long-term mental, financial and reputational harm. I’d like to see that stop.
As a teenager in southern NSW you were given a computer by your grandfather when you were 12. At 14, out of curiosity you used the computer to access bank accounts and credit card details, which you used to buy pizzas. You stopped after the bank alerted the federal police. You ended up in court and had to do community service. After a business owned by a family friend went broke due to cyber fraud, you decided to help companies guard against the hacker you once were?
Seeing the impact of cybercrime makes me passionate about protecting businesses. Back then I was simply curious and it was all too easy. Sadly, it is still way too easy to breach many organisations. And many boards are guilty of the “she’ll be right” attitude.
More than 100 organisations have paid your company CTRL Group to test their security systems by hacking them, and you have never failed. Why are organisations, and, by extension, individuals so vulnerable to cyber criminals?
Organisations and people are so connected these days, be it via their phones, laptops or computers, that it provides so many attack surfaces for us to gain access. It only takes one mistake and we are in. It can be as simple as a phone call or as complex as an on-wire man-in-the-middle attack.
But yes, we have gained access to every organisation that has paid us to date. Many of our attacks combine technical skills with social engineering; Australians in particular are very helpful people. Many times they will simply give us passwords over the phone when we pretend to be from the IT department, for example.
One ruse you used was emailing employees at various companies with the offer to watch Game of Thrones, bypassing Foxtel or legal video-on-demand services. When they clicked through to the site, they saw the GoT trailer but this meant you got access to their personal information?
This is one of the most common attacks in Australia and a huge challenge for organisations. It’s called phishing, and as the name suggests, we “phish” with various bait types in the hope people will click on the link. Once they do, they are ours! We can do so many things, from remote access to their systems and files to encrypting their data and demanding a ransom. Luckily, we are the good guys, but many, many people fall victim to this style of attack every day.
You and your CTRL Group partner Steve Williams believe it is “terrifying” how at-risk Australian businesses, organisations and individuals are without even knowing it?
We’ve mounted attacks on organisations that, hand on heart, thought they were not at risk. But that attitude just doesn’t fly anymore. We should all be aware that we are all at risk. We’ve breached military organisations, data centres and some very well-known ASX-listed companies. If a hacker targets you for long enough, they will gain entry to your systems. Boards at times can fall victim to an arrogant IT department advising them all is well. It really often isn’t…
What steps can individuals take to prevent identity theft and other cybercrimes?
It’s all common sense stuff: if a service you use offers two-factor authentication, use it! If you use the same password for everything, don’t! Use a password manager like LastPass. I don’t even know any of my passwords, and neither should you. Don’t use simple passwords like your kids’ names, your football team or the like. Many times we can guess people’s passwords by looking at their Facebook accounts. Many times people will actually tell them to you. Remove that risk. Be aware of the data that’s needed to fake your ID and protect it. Put a lock on your mailbox. Shred important documents. Hackers like us are not above a bit of bin diving to steal your identity.
Would you advise people to avoid watching or downloading films and TV shows from illegal web sites due to the dangers of malware?
If you’re going to download a Torrent or go to a dodgy site, then you really have no idea what you’re in for: scripts that take control of your device, ransomware that demands money, your important documents leaked online, your identity stolen. All, in most cases, without you knowing it until something nasty happens, and then it’s too late.
Bastien Treptel is the founder of CTRL Group, an information security firm with operations in Australia, Singapore and Thailand, which protects businesses from cyber risk.