Cyber security expert shows how to find vulnerabilities through ‘ethical hacking’
American cyber security expert Tim Pierson recently gave sage advice to local tech workers: ‘to beat a hacker you need to think like one’.
Mr Pierson was delivering a ‘Certified Ethical Hacker’ course at the University of Gibraltar in an event organised by Rock Learning.
At the four-day course he brought over 20 years of experience to the table, showing tech professionals how to fine-tune their cyber security skills.
The Dallas, Texas native said his tips and tricks were something that everyone who uses a computer should know.
“I show you how the hacker breaks into your home network and work network,” he said.
“I typically use the illustration that my mum is 85 years old and she knows I do something with computers. She asked what are you teaching now and I said I teach people how to break into computers.”
“The way I explained it is how could I possibly protect your home unless I first show you how a burglar breaks into it?”
Mr Pierson added that “ignorance is bliss”, but people really need to know how to protect their devices when online.
He described how people attending his courses find a “huge amount of vulnerabilities they never knew existed”.
The most common vulnerability he finds is people using the same password for many of their accounts.
A very easy fix for this is a password manager, an online utility that serves as a vault for all of a person's passwords so that each account can have its own, he added.
When hacking into a device his first move is to "footprint", meaning to gather information about the device's owner before attempting anything else.
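To show what the reuse problem looks like in practice, here is an added example (not code from the article or from Mr Pierson's course) that audits a constructed, fictional password-vault export for accounts sharing a password and replaces each reused password with a unique random one generated by Python's CSPRNG. The vault entries, site names and the `fix_reuse` remediation step are assumptions for illustration; a real password manager would also have to update the password at each site.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample of a password-vault export (fictional accounts, not real data).
SAMPLE_VAULT = [
    {"site": "mail.example.com", "user": "alice", "password": "Summer2019!"},
    {"site": "bank.example.com", "user": "alice", "password": "Summer2019!"},
    {"site": "shop.example.com", "user": "alice", "password": "Summer2019!"},
    {"site": "forum.example.org", "user": "alice", "password": "correct horse battery staple"},
]


def find_reused_passwords(vault):
    """Group vault entries by the password they share.

    Returns a dict mapping each reused password to the list of
    "site (user)" labels that use it. Passwords used only once are omitted,
    so an empty dict means no reuse was found.
    """
    groups = defaultdict(list)
    for entry in vault:
        groups[entry["password"]].append(f'{entry["site"]} ({entry["user"]})')
    return {pw: accounts for pw, accounts in groups.items() if len(accounts) > 1}


# Character set for generated passwords: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20):
    """Generate a random password using the `secrets` module (CSPRNG, not `random`)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def fix_reuse(vault):
    """Return a copy of the vault in which every reused password is replaced
    with a fresh, independently generated one. (Hypothetical remediation step:
    this only rewrites the local export; the new password still has to be set
    at each site.)"""
    reused = find_reused_passwords(vault)
    repaired = []
    for entry in vault:
        new_entry = dict(entry)
        if entry["password"] in reused:
            new_entry["password"] = generate_password()
        repaired.append(new_entry)
    return repaired


if __name__ == "__main__":
    # Report reuse without echoing the password itself to the terminal.
    for accounts in find_reused_passwords(SAMPLE_VAULT).values():
        print(f"one password shared by {len(accounts)} accounts: {', '.join(accounts)}")
    repaired = fix_reuse(SAMPLE_VAULT)
    print("reuse after repair:", find_reused_passwords(repaired))
```

The audit compares passwords directly because the export is already plaintext in memory; the report deliberately prints only which accounts share a password, not the password itself.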
“There are probably 40 different ways,” Mr Pierson said.
“When I showed them some even got on their phone and ran out of the room trying to fix it.”
“An everyday user will be blown away by the things that I can do.”
He described hacking passwords through a WiFi connection or even using social media.
Keeping up with cyber security threats is something that is “daily” for Mr Pierson.
“Computers change. It’s a difficult job because I have to look at how things work and how things have changed.”
“In reality my job, breaking in, is easier. I only need to find one hole in the system. The systems administrator has to patch them all.”
“I just need to find the one he’s missed.”
Mr Pierson added that it is “very rare” that he can’t find a vulnerability in a system.
“From the outside through the internet I can have a 50% success rate. If I am logged into your network then I have about a 99% success rate.”
“Somebody has dropped the ball somewhere. I guarantee it.”
Mobile phones are particularly insecure according to Mr Pierson. He estimates that by knowing a phone number he can track a person, intercept their calls and see their messages.
“If your bank sends you a pin code, I can get that,” he said.
This is all because of the telephone signalling protocol SS7 (Signalling System No. 7), which he described as what “long distance carriers use to charge one phone company to another phone company”.
“On a mobile phone you’re using the air, so anything that is not encrypted going to the cell towers, you simply need to sniff the air and change it to whatever you want.”
“Phone companies know and this has been their dirty little secret.”
He added that an “IMSI catcher”, a telephone eavesdropping device that poses as a cell tower, is an antenna that collects your mobile data.
“What it does is it tells your phone: ‘I don’t know how to speak 3G or 4G could you relax it back to 1G?’ If you don’t have your phone set to ‘no I won’t’ I will see everything you are doing.”
“Most people’s phones are not set to that.”
He advised people to set their phones to “not fall back” to older network generations. The control for this is in the phone’s cellular or mobile network settings; the iPhone “Handoff” option is unrelated, since it only lets a task started on one Apple device continue on another.
“If someone would try to get their information on an IMSI catcher, it would say no. The reason they want you to relax your security is so they can sniff your passwords. 3G and 4G are fine, anything else isn’t.”
“If your phone is set to regress they are going to monkey with your connection.”