‘Plane Hacker’ Chris Roberts: I Never Assume I’m Not Being Watched
When it comes to big names in the security industry, Chris Roberts is certainly one. For the last couple of decades, he's been fighting to protect and defend businesses and regular people from cyber attacks. So much, in fact, that he's considered to be one of the world's biggest experts on counter threat intelligence and vulnerability research.
If his name sounds more than familiar, it's because a few years back he was dubbed "the plane hacker" by the FBI after the hacker said he commandeered a plane during the flight, making it turn a bit on its side and changing course for a short while. The whole point of this was to show that planes are vulnerable to attacks and that security needs to improve.
Nowadays, Roberts is the Chief Security Strategist at Attivo Networks, working with customers all over the world to develop and implement risk reduction strategies. Basically, trying to save companies and show them how to run a tight ship in terms of security.
Chris Roberts agreed to have a chat with TechNadu, so we discussed the biggest threats to our security nowadays, how best to encourage young hackers, how the threat landscape will evolve in the near future, and more. Go ahead and read it all!
TechNadu: You've been dubbed "the Plane Hacker" for a few years now. Is this something that bothers you in any way or do you take it as a way to draw attention to the security flaws in these systems?
Chris Roberts: It doesn’t bother me these days. I tend to take it as a way to have a talk with people about how AND why to do things right…what works, what doesn’t work AND what we can all do differently (communications, collaborations, etc.). The aviation stuff really isn’t a big issue. The larger and STILL current problems came out of the fallout with the company and relationships.
TechNadu: In recent years, you've also unearthed security flaws in everything from cars to NASA and beyond. Which do you think are the biggest threats we face nowadays? Which could cause the most damage?
Chris Roberts: The biggest issues are probably that we keep chasing technology, keep chasing solutions and “easy” fixes to the issues we see that quite simply don’t do much more than mask the underlying problems. Within our industry, we still believe in perimeters, in security and in “fixing” problems. However, the best we can do is help reduce risks and educate.
TechNadu: "There is no unhackable system," you said, and many other security researchers agree. But what type of systems posed the most difficult for you to hack?
Chris Roberts: Going to change this and say the EASIEST systems typically are where a company or organization hides behind obfuscation OR simply assuming that because THEY have not told anyone how it works…then it’s secure. The transportation industry is rife with examples of this and it’s an outdated, outmoded and uneducated line of thinking that is SO far removed from reality it’s simply dangerous.
TechNadu: In recent years, we've seen more and more bug bounty programs, giving good hackers like yourself a way to earn some money the right way. Do you think a lot of black hats have changed hats thanks to these?
Chris Roberts: So, the hat thing. Let’s change that to hacker or criminal….or hacker/researcher and adversary or something. When it comes to the bug bounties, those are nice. They are a reward, BUT they still take a lot of work, a lot of research sometimes AND it’s (arguably) still more effort than some of the more lucrative darker activities. The upside is that you CAN do well, earn a good living AND not go to jail for doing what you enjoy….
TechNadu: You have been working in cybersec for a couple of decades now, so what are some pieces of advice you have for young people who are just now discovering the field? Also, how should parents get involved to help keep them on the right track?
Chris Roberts: For young folks: ASK more questions, believe less and challenge the norm. Get involved with the local communities and give back…don’t be afraid of getting up on stage to share your thoughts and opinions with a wider community….and NO, college isn’t mandatory. NEITHER are certificates. Basically work your way up and into this industry 🙂
For parents: Encourage BUT also challenge them….give them an outlet TO be tinkerers, hackers and basically help guide them on the ethics.
TechNadu: What is one of the things that you are most proud of in your career?
Chris Roberts: Breaking into prison… 😉
All joking aside, it’s having had a couple of good mentors whom I listened to AND can now take complex subjects and (most of the time) weave a story or an abstract idea that everyone can understand.
TechNadu: As someone who deals with security issues day in and day out, what are some of the security measures you take to keep your devices and data safe?
Chris Roberts: Encryption on all devices, in some cases more than one layer of it…and then never assuming I’m not being watched….making sure that I do the right work ON the right device AT the right time…even if, sometimes it’s inconvenient… Taking the mantra of assuming breach and then working out HOW would I know.
Oh, and I’m typically armed…
TechNadu: Over a year ago, you joined Attivo Networks as the Chief Security Strategist. Why is deception technology important and what are some of the most common security flaws you encounter when working with the company's customers?
Chris Roberts: Simply because you/we/industry will never stop an adversary from getting in. Once you can accept that AND the fact you don’t have a perimeter…now we can have a sensible discussion over what DO you do….and detection and deception are the reference models for what organizations SHOULD be looking into insofar as taking the best advantage of the technologies they’ve already invested in. The fabric that makes up a well-built deception model is NOT out to rip/replace what you have…simply elevate it.
Common flaws? Not doing the basics (education, awareness, patching, defaults, VAR/Supply chain issues, etc.) ALL the things we’ve been talking about…Oh, and let’s not forget the “it’ll never happen to me” brigade of marching fools.
TechNadu: Finally - we're seeing a complex threat environment, with new phishing campaigns, big companies getting breached, millions of records stolen, and an upcoming US election that is bound to create some waves. What are some of your predictions for the following year? What should we be keeping an eye on?
Chris Roberts: I’m working on some tech around healthcare Bio/Nanotechnology, and EEG stuff (brain stuff) that is going to be rather interesting to see where it goes AND how far we can hack an actual human.
The convergence of IoT, transportation and other influences on the human’s going to continue. So expect to see more attack vectors and a lot more complexity around the home/vehicle/work hubs that we are surrounding ourselves with.
Enterprises might wake up in the coming 12-18 months to the realization that the rack of blinky shit they have is not going to save them. Therefore, embracing detection and deception and finally, we get to change the symmetry of an attack and place some control BACK into the hands of the defenders.
So, what do you think of what Chris Roberts had to say? Drop us a note in the comments section below the article and share the interview with friends and family and follow TechNadu on Facebook and Twitter for more tech news, guides, reviews, and interviews.