60 years of cybersecurity in New Zealand
In this short chapter I wish to educate you in the mysterious and absolutely awesome world of cybersecurity over the last 60 years in New Zealand.
Now the first really important thing you need to know, is that no self-respecting cybersecurity professional would ever use the word! In fact we cringe and we mock the very words at every security conference that we attend. ‘So what phrase should we use instead of cybersecurity?’ I hear you ask. Well in our world it’s all about ‘InfoSec’ (Information Security), ‘AppSec’ (Application Security), ‘OpSec’ (Operational Security), etc. No-one goes around with ‘Cybersecurity Expert’ on their business card, instead the industry is full of Hackers, Security Researchers, Penetration Testers, Auditors, SecOps, DevSecOps and Security Analysts.
But ‘cybersecurity’ is what the world calls us and our industry, whether we like it or not. In this very simple point lies the biggest change in the InfoSec industry in the last 60 years. Our industry has gone from a highly scientific, mathematical, cryptographical, computational, forensic, highly secretive and clandestine club, into something that affects every human on the planet (either directly or indirectly). The old-school, secret, back room, dark art that the world has labelled ‘cybersecurity’ is now discussed in every boardroom, it is the theme of Hollywood movies, it is binge-watched on Netflix and is a hot topic across the kitchen table at breakfast. And rightly so, because I firmly believe that cybersecurity (and yes, I am going to keep using that word), is the single most important thing we need to get right in our tech sector over the next 60 years. You might think that AI and ‘internet of things’ (IoT) are pretty hot topics, but cybersecurity is the foundation that keeps all systems working as designed.
As our usage and reliance on tech to run our lives increases then the security of those systems is no longer a technology problem, it is a human problem that affects our lives and society as we know it. If you think I am a little over the top, then an excellent follow up book to read is, This is How They Tell Me the World Ends, by Nicole Perlroth (2021). It is an awesome insight into the world of ‘Zero Days’ (or ‘0days’, pronounced ‘oh days’), which I’ll discuss later. What’s very poignant is that I did not come across this book in some hard-core InfoSec conference or a deeply technical whitepaper, no, I was introduced to this book by one of the directors on my board, who read about the book in the Economist. Yes, doomsday books about how 0days might end the world are the stuff of Economist articles and boardroom chats.
To put the importance of cybersecurity in context, here is a phrase I heard at a conference in Washington DC, from John Brennan, who was at the time the Director of the CIA, ‘we have entered an era where more human interaction occurs in the digital realm than in the physical realm’. So of course I am biased, but I cannot help but think that we really, really need to properly secure the realm where most humans interact!
So how’s that going? Well, let’s see…
The history of hacking
Before we get our heads around the next 60 years of cybersecurity let us take a look back.
When I ask people, ‘When do you think the first recorded hack was?’, most teenagers think it dates way back to when Facebook was launched, which was 2004. Most oldies like me would say back in the ’90s when viruses start hopping around the boot-sector of floppy disks (for anyone under the age of 40 then you will have to Google ‘floppy disk’ and you will be horrified by how we actually carried around such tiny amounts of data on such large physical things).
But actually the earliest hack recorded, and this is a great one to remember for those random trivia quizzes, was 118 years ago in 1903. Guglielmo Marconi (who founded the Wireless Telegraph & Signal Company in 1897, which became the famous Marconi telecommunications corporation) was demonstrating the first capability of Morse code over radio waves from Cornwall to the Royal Institute in London, nearly 500 km away. Unfortunately for Marconi, a mischievous magician of the time, Nevil Maskelyne, had other ideas and at the very moment of Marconi’s transmission sent a stronger signal of his own and the audience in the Royal Institute found the words ‘Rats, rats, rats’ emitting from the Morse code receiver. Obviously Marconi did not consider that in 1903 he needed to concern himself with transport layer security (or TLS as we’d call it these days), nor message encryption, nor any form of message-sender authentication. He fell into the most basic cybersecurity trap of failing to assume a bad-guy would ever do something bad!
So anyone reading this chapter should learn this first core lesson from Marconi, there are bad guys (and gals) out there, trying to attack your systems every day, and if you do not take the threat seriously and do everything you can to protect yourself, you will be hacked. Then there is always the old cybersecurity advisory which is, ‘If you haven’t taken the threat seriously and didn’t do everything you could to protect yourself, you’re already hacked — you just haven’t noticed yet.’
So if we wind forwards a few years from 1903 to the 1960s then we see a new technique of telecommunications hacking, in the form of ‘Blue Boxes’ created by the hacker John Draper (AKA Captain Crunch). He coined this name after the USA breakfast cereal Cap’n Crunch, which gave away a blue plastic toy bosun’s whistle. This toy from your box of cereal emitted a whistle of precisely 2600Hz, which John noted was exactly the same frequency that AT&T used to signal that a trunk line was ready and available to route a call. In short, in the 1960s, you could blow your whistle into an AT&T phone and make a free phone call… In an Esquire article in 1971 John described a whole raft of phone system hacks using different frequencies played down the phone lines with devices coined the ‘Blue Boxes’.
Winding forwards a few more years, we hit the ’80s and ’90s, where the major trend of hacking was limited to viruses and hardcore hackers. In fact ‘computer virus’ was only really tagged in the 1980s. We saw a few viruses pop up, with the first major spread of a virus in the wild being the Morris Worm, one of the earliest viruses to exploit a buffer overrun vulnerability. We end the 1990s with things like the Melissa virus and the KAK worm. These viruses start to show us a glimpse of the future, as both viruses are email based. Melissa would email a malicious Word doc that ran macros and further spread itself. Whereas KAK exploited a flaw in how Outlook Express rendered HTML emails at that time using Internet Explorer, such that viewing or even previewing an email would exploit your Windows machine. Strange to think that just over 30 years on, we are seeing major corporates in New Zealand and globally being hacked by people clicking attachments on emails which hack unpatched systems. We still have some learning to do it seems.
In the new millennium we started seeing much more damaging attacks, such as SQL Slammer in 2003, which reportedly spread so fast it started causing internet outages globally only 15 minutes after its first victim! In 2008 a virus worth noting is Conficker, as it was the first virus that managed to infect millions of machines, with reports of up to 15 million machines being infected, a big number in 2008. In 2009 we had one of the first large scale DDoS attacks, using a botnet in South Korea to attack websites in both South Korea and the USA.
Now, there are few phrases here to understand, so here is a little educational content. DDoS is a Distributed Denial of Service attack, where the victim’s systems are flooded with more traffic than they can handle. Just imagine you run a shop in Wellington, down Lambton Quay, and you handle 100 people in the shop at once on a busy day. Well what if today one million people head to your store at exactly the same time. Not only do the doors to your shop get stifled, but Lambton Quay itself, back through the whole Wellington region and killing large chunks of New Zealand’s entire roading system (most of which is choked and broken with only normal daily traffic anyway). Your shop is basically offline and unable to do business as your legitimate customers have no way to get there. Attacks like this may have started in 2009, but they are as active as ever in 2021, just using newer techniques and much, much larger volumes.
The cybersecurity sector in New Zealand
So how does all of this relate to the cybersecurity sector in New Zealand? Let’s look at some of the companies operating in this space.
When I started Aura InfoSec in 2005 with my wife Diane the penetration testing and ethical hacking market in New Zealand was pretty niche. We had the large consulting firms offering security audits, but for real penetration testing (that is, ethical hacking of your networks and apps), you went to Security Assessment (SA). Without a doubt SA was the founding pen-testing company in New Zealand. So, when we launched Aura in 2005, we could see a lot of customers and projects were at the top end of town — the telco’s, the banks and the government. We could also see, however, that there was a groundswell in the market of every corporate in the country needing infosec and application security services, even if they did not know it yet. I remember in 2010 being approached by a hairdressers in London who had Royal family members on their books, wanting a full penetration test of their systems to secure the privacy of their clientele. So in five years we’d gone from offering security services to Govt Agencies and banks, to hairdressers.
From 2010 to 2015 Aura InfoSec saw amazing growth even being in the Deloitte Fast 50 as one of the fastest growing companies in New Zealand, and even the Deloitte Tech Fast 500, being one of the fastest growing tech companies in APAC. And it wasn’t just Aura. We saw our comrades ‘in market’ at SA being bought out, and starting up Insomnia Security, Lateral Security, then ZX security just to name a few. All of these pen-testing companies have now been successfully acquired, so if you are looking for a strong growth sector for investment in New Zealand, you should absolutely shortlist our cybersecurity industry!
Addressing asymmetry
But instead of just looking back at the changing world of cybersecurity, let us consider the outlook for the next 60 years. Well 60 years is a long way off, but we can see where the trends are heading over the next ten years. We have as a global society racing headlong down the technology adoption path like never before. McKinsey Research in the USA says that, ‘due to COVID-19, we have globally done ten years of Digital Transformation in twelve months’. We now as individuals, companies and governments utterly rely on technology and information, be it eCommerce, eBanking, eHealth, online education, eGovt services, you name it. The internet now holds all of our data, knows about every corner of our lives, and runs the systems that we rely on every day for our current quality of life. So you’d think that of course it has all been built securely, surely.
Unfortunately no, and there is an asymmetry that needs to be acknowledged and addressed, and it is an asymmetry on several levels.
First we have the asymmetry of attack and defence. Let us take the typical enterprise technology stack that many of us in the AppSec field deal with frequently. It’s large, it’s complex and it’s aging every day. Many of us in IT will know that any large enterprise will have active projects creating newly developed systems, with newly written, well designed and secured code, sitting in newly built, secure cloud environments. In fact, in a recent survey we did at RedShield, a number of our customers’ CISOs (Chief Information Security Officers) said that on average about 20 per cent of their enterprise was running new applications. Awesome. These new apps will tend to be more secure, deploying the latest security techniques, and if a new security flaw is discovered, then it is quick and easy to fix. As an analogy, just think of how a modern home will have used all of the modern building techniques and materials, and if an issue is found while the builders are still working on-site, then it is quick and easy for them to fix.
However, this same survey of Enterprise CISOs showed that 80 per cent of an enterprise’s application stack is not so secure, nor is it quick and trivial to fix. These are the legacy apps, third party apps, apps that contractors wrote then moved on, apps that came as part of an acquisition or merger. Back to our house analogy, now think of the house built in the 1960s, unmaintained, that has dodgy wiring. This is not cheap or quick to fix, quite the opposite, and you will constantly weigh up the cost of fixing the issue versus just risk-accepting the problem. This is the same with old, large and complex enterprise apps. These apps tend not only to be aging and therefore more likely to have security flaws, they’re often core business apps processing and holding critical data and worse of all, there is no quick and easy remediation path if a security flaw is found.
This is the first level of asymmetry, the speed of war. The difference in speed at which hackers can discover vulnerabilities in software and systems, and create exploits for them, battled against the speed with which an enterprise or government agency can apply a code fix or a patch. We are seeing trends now of exploits being released within days or even hours of a vulnerability being disclosed. Yet many enterprises take months to apply patches and fix security vulnerabilities.
Then we have the asymmetry of ‘attack surface’. The attack surface is the total number of apps and devices and users you have that can be attacked and compromised. For many organisations this number moves from the tens, to hundreds, to thousands very quickly. The bad thing is that the enterprise must keep every app secure, for every user on every device. If the attackers get in anywhere then their job is so much easier to move and pivot from there. Most breaches will involve several steps where the attackers will gain access to one device, or one user account and then move laterally to increase their access and breach in steps from one system to the next until they’re deeply in. So from an attack surface the bad guys are always searching for that one weakness, whereas the defenders must protect all the things, all the time.
Which brings us on to the third asymmetry — reward. As defenders your job is to keep all systems secure, always. If you succeed at your job there is no payday or major reward when you go home. No one high-fives you, pops a bottle of bubbly and shouts ‘well done for making sure we did not get breached again today’. No, it is just business as usual, that is your job. Not so for the bad guys. If they get a win then it is payday, and they have just succeeded in their goal of breaching your systems.
So, we have an asymmetry of speed, attack surface and reward structure where it is balanced against the defenders in favour of the attackers… Do we care? Well we should! Let us look at how we are embracing tech in our everyday lives.
If we wind back to the Love Bug virus in 2000, then it deleted your .mp3 and .doc files, which if you’d actually backed up your computer would be fine. Then as the internet became used by all we would worry that a website hack would expose passwords and credit card details. After a while this became less of a worry because if these are stolen then you reset your password, and cancel your credit card. What became far more impactful was a privacy breach.
In 2014 hundreds of nude celebrity photos were posted on the anonymous forum 4chan after being hacked from their Apple accounts. The Equifax breach in 2017 reportedly had the financial details and credit scores of 148 million Americans stolen. This is not information that you can reset and have cancelled. As soon as your PII (personally identifiable information), your finances, health records, personal life information, travel and location, photos, videos and calls are compromised then they are out — forever.
Exploits and 0days
On the subject of exploits, many have heard of the 0days that I used earlier in this chapter but aren’t familiar with what it means. So here is a quick educational segment on exploits and 0days.
Firstly, all software, ever made, has bugs. I challenge that never yet in human history have we written a completely bug-free system. Even a software system that tests clean when first written invariably has a bug discovered in the future either via new testing techniques or changing usage of the system or even the environment in which the system runs. Whenever a bug compromises the security of a system then we call it a ‘security vulnerability’. Therefore developers, penetration testers, security researchers, bug bounty hunters and hackers the world over, are trying to discover vulnerabilities in software every day. On its own a vulnerability is not an issue. The issue is an exploit, which is ‘attack code’ that takes advantage of the vulnerability.
For instance, let us say I have a simple vulnerability whereby my software was built with a default, simple admin username and password embedded in the code, say ‘admin, admin’. The exploit therefore goes around logging into systems using the default admin password and causing damage. This may sound like a dumb example, but unfortunately it was exactly how the Mirai botnet worked in 2016, when hackers built into their exploit a variety of default admin accounts of numerous devices including printers, cameras and home routers, and used it to take full control of the device and use them for their own nefarious purposes. The major usage of the botnet was as a DDoS platform, when the Mirai botnet used hundreds of thousands of compromised devices to massively attack numerous websites around the world. So indeed, if your printer was taken control by Mirai then not only would you no longer be able to print on it, but it would actually be using your home network to attack websites around the world, on demand. Hence the phrase ‘BotNet’, meaning a network of bots which will do as they’re remote masters wish.
So, back to vulnerabilities and 0days. After a vulnerability is discovered then the vendor has an amount of time to create and release a fix or patch. Then everyone who uses that software installs the patch and we are safe. So the trick is, the good guys find the vulnerability, patch the vulnerability, release the patch and we all install it, before the bad guys create an exploit and hit you with it. Simple. The flaw in this process is the lag time between when a patch is available and when it is applied. This is what hit Equifax in 2017, as they did not patch the system before the exploit hit.
Of course, the bad guys are smart. The issue with every patch is that it can be reverse engineered. Microsoft’s Patch Tuesday is a classic example, when in October 2003 they started releasing patches on the second (and fourth) Tuesday of the month. This was quickly followed by Exploit Wednesday (immediately following Patch Tuesday) which was when the bad guys reverse engineered the new security patch to see what it patched. Unfortunately and ironically every security patch risks highlighting the very security flaw it fixes. This is why in the security world we say ‘Patch everything, as fast as you can!’ and why Microsoft now releases security patches immediately and not only on Patch Tuesday.
However, this whole battle of, ‘can you apply the patch before they exploit hits?’, has one major assumption: the software vendor knows about the security flaw first. But when a vulnerability is found there are a few routes it can take. One path is that it is either disclosed freely, or sold to the software vendor in question who fixes it and subsequently releases a patch or update.
The other route is that a hacker or security researcher found the vulnerability in which case there are other options apart from just telling the vendor. These security vulnerabilities that no one else knows about, including the vendor, are called ‘0days’, or ‘zero days’. Why? Because when they hit the wild we have all had zero days to patch and do something about it. That is, they are working exploits for which no patch or fix exists. The process is exactly the other way around now. The live working exploit is out, the vendor finds out, then has to develop a patch, release the patch, and we apply it, all whilst the exploit is doing its thing.
There is actually huge value in these 0days. A working remote exploit against the iPhone, Android, Chrome, IE/Windows will earn you top dollar, being in the hundreds of thousands to a million-plus US dollars. The buyers of these 0days may be hacker groups, but they are also often governments.
Many of us naively think that governments around the world, especially the Five Eyes (FVEY) governments, being New Zealand, Australia, USA, Canada and the UK, in this age of privacy, strive to make sure that all the devices we use every day are secure and patched from exploit. However, the value of information warfare, it seems, trumps our online privacy and safety on many occasions.
The zero day market is in fact propped up by agencies around the world buying and stockpiling 0days, and instead of getting the software vendors (Apple, Google, Microsoft etc), to fix the flaws, they instead leave the systems we use every day wide open. Why? So that they can be the ones to exploit them for reasons of national security, to be able to spy on enemies of the state. It all sounds very clandestine, cloak and dagger, and tin-foil-hat brigade, but it is actually big business. If you have a secret, non-disclosed vulnerability in the right software (that is, a zero day) and you’ve developed a fully functioning exploit then at the time of writing this book, Zerodium.com has $2.5m USD as their top bounty.
So in many ways the world of cybersecurity has not changed in 60 years. We’re still writing software with bugs, and people are finding ways to exploit them. What has changed is that the way we now use and rely on technology globally, means the value and market for these exploits has skyrocketed!
Yet as a society we are still striving forwards with our needs, wants and desires of more tech, more IoT and internet connected devices. In 2014 and 2019 there was news from Australia of hacked baby monitors spying on sleeping babies. In 2015 a security researcher published how to hack Mattel’s new Hello Barbie, a Wi-Fi-enabled doll, including how to modify what she said, and how to turn on the microphone. In 2015/16 hackers demonstrated how to remotely control and disable a Jeep Cheroke.
‘How does this happen?’ you may ask. It is because more and more physical hardware devices, cars, planes, trains, boats, front doors, air-conditioning, cameras, traffic lights, power grids, damns, etc are all now software driven and internet connected. Therefore the attack surface that historically lost our passwords and credit cards, and then our private irreplicable information is now controlling the physical world.
So this may sound all a little doomsday-ish, and it is! Again, have a read of This is How They Tell Me the World Ends. Yet, with any global issue comes opportunity, and that is what we should focus on.
How New Zealand should compete
From an opportunity perspective, we have an awesome tech sector in New Zealand. Truly awesome! I have always said in every business I have run (which is five to date) that on the global scene we cannot easily compete on scale from New Zealand. For most New Zealand businesses there is a global giant out there who is bigger than you. I also never wanted to compete just on price. It is again safe to assume that there are global giants who could undercut your prices. I have never wanted to be in the race to zero — to be the first in the market to offer your service or product for free, just to get customers. Winning in the free product market is expensive!
When I was at a New Zealand Story session recently with NZTE then we looked at the three core value propositions of New Zealand, and how they relate to New Zealand tech. The three values are kaitiaki (care of our people and our place), integrity/trust, and ingenuity/innovation. When it comes to the cybersecurity sector then these are values that we can authentically own, build on and capitalize on.
As an entrepreneur in the cybersecurity sector for 20 years now I can see how a brand for innovation, trustworthiness and genuinely caring for the customer’s privacy are of huge value. With our current company RedShield we are seeing first-hand how New Zealand’s tech is trusted, and how we are ingeniously solving a problem of huge value to our customers. This is what we want to be supporting and growing as a sector. I am a strong believer and advocate that over the next few decades the world is going to need stronger and more effective cybersecurity than ever before, and that our New Zealand technology sector has the skills, brand and expertise to take a lead. I am hugely excited for the NZ cybersecurity sector, even if that’s not what the sector wishes to call itself!
has 27 years in the software development and IT industry, having worked in the UK, Germany, USA, Australia and New Zealand. His last eleven years have been focused in the cybersecurity arena, having founded companies including Aura InfoSec and RedShield Security. His companies have won numerous business awards, including the Australian / New Zealand Internet Awards for Security and Privacy, been in the Deloitte NZ Fast 50 and Deloitte APAC Tech Fast 500 for fastest growing companies, and Andy himself was the winner of the EY Entrepreneur of the Year in 2019 in the Services Business Category. Working around the globe Andy even represented New Zealand at Pitch at the Palace Commonwealth in London, UK, in 2018.
Behind the suit, outside of his IT world, Andy is a proud father of Josh and Autumn, and has been married to his teenage sweetheart, Diane, for 27 years. Living out in the wilds of both the Kāpiti Coast and the Marlborough Sounds Andy’s real passion is kayaking, hiking, hunting and native wildlife habitat restoration (‘re-wilding’). With a black-belt in taekwondo, Andy is taking up the fight of trying to help clean up cyberspace, and help make the internet a safer place for all us to do business and interact securely. Andy is a strong advocate of New Zealand’s awesomely innovation and trust brands, and strongly believes that we have a huge opportunity to further drive our tech sector into being one of our largest export industries.
Reference
Perloth, N (2021). This is how they tell me the world ends: The cyberweapons arms race. Bloomsbury Publishing