Take 5: Dave Chronister, local ethical hacker, on computer security
This article first appeared in the St. Louis Beacon, May 31, 2013.
Dave Chronister's first hack happened when he was 8. The son of a St. Louis County police officer and a church secretary, he wiped out his parents' entire hard drive. But it was an accident.
"I've never done the dark side, per se," says Chronister, founder and managing technology partner of Parameter Security, which is in St. Peters.
Chronister is one of several featured speakers at TakeDownCon, a hacking conference June 3 and 4 at Ameristar Resort Spa in St. Charles.
The conference, which was preceded by training sessions, aims to help information technology professionals understand how hackers get in so they can better protect their companies.
During a lunch break at the training, Chronister talked with the St. Louis Beacon about hacking, ethical hacking and the realities of online security. (The interview has been edited for length and clarity.)
And even though his first hack wasn't on purpose, the path he's chosen since has been, he says. "At the end of the day, I'd rather help people than hinder them."
Beacon: The name and the work of TakeDownCon sounds ominous, with the promise of hackers invading St. Louis. Can you explain what this training and this conference are all about?
Chronister: It actually is hackers invading; a lot of conferences will actually teach you how to "defend" yourself. The problem is a lot of these IT people don't even know what the threat is. They don't understand a true attack. With the training and with the conference, we're actually showing attacks.
We're doing our certified ethical hacker class right now. I have 18 people from around the country, and I'm actually teaching how to break into companies. If they can understand how their company will get broken into, it will better inform them to defend. It's a whole different atmosphere than what you're used to in these security conferences. They're learning what the bad guys are doing so they can better defend themselves.
Your company, Parameter Security, is an ethical hacking firm. What does that mean? What is ethical hacking?
Chronister: Ethical hacking is coming in and breaking into your company. We do the typical -- trying to see if your systems are secure -- to the unusual. I've broken into companies walking through the door as the bug guy and getting access that way. We're testing your security. We are doing the same attacks as a malicious person, a black-hat hacker. The big difference is at the end of the day, we're gonna give you a report so you can better secure yourself.
When I hear “hacker,” I don’t picture a specific person, but nameless numbers of people on keyboards in dark rooms who are up to no good. Who are hackers, the nonethical kind, and why is it important to first understand them?
Chronister: First, I hate the term hacker. It's been around thousands of years. A hacker is someone who makes something do what it wasn't originally intended to do. I hacked down a tree, I made a building.
For years the malicious attackers, or the black hat hackers, were white males between the ages of 16 and 24. Still, it's dominated by males 16 to 24, because quite honestly, these guys don't think. There's something in their brain and they don't start realizing risk until 25.
But it's gotten away from that. Everyone is starting to be malicious attackers.
Back in the 80s and 90s when this would happen, I would have to have an intimate knowledge of the technology and I would have to be able to write the tool to be able to exploit it. Now I can download someone else's tool and learn it. So you're getting a lot of the criminal element in there.
You have everybody in there. It's kind of like saying what is the typical profile of someone who's an alcoholic or robs a bank? There's typical, but you see it everywhere. One of the big differences I've seen over the past 20, 25 years is a lot of hackers back in the day, they were breaking the law, but to them, they weren't being malicious. And they may not have been malicious. They were trying to learn networks.
Now, it's gotten a lot easier and it's gotten a lot more profitable with people being online and with tools being available. A lot more is malicious, a lot more is criminal looking for a way to monetize it.
For consumers of all kinds, what are the most important steps we need to take to protect ourselves?
Chronister: One of the things to really understand is you're never going to be 100 percent safe. Get that out of your head. I always say that we're in the business of risk mitigation, not risk elimination.
With that being said, the recommendations I would give will help. Antivirus is amazing. Malware is huge. I have malware that I can watch what you're typing. I can turn on your web cam and look at you, I can listen to you, and I can take over everything in your network with that malware. I can make it undetectable to antivirus, but most of the malware out there, antivirus is going to detect it. It's better than having nothing.
The second is passwords. It's amazing how many people have short passwords that are very easy to crack. I always recommend 15 characters or more and people get crazy about that. This is why we look at pass phrases. Write a sentence. The past 20 years, we've actually been teaching people ways to create a password that's hard for humans to remember but easy for computers.
The phrase Mary Had A Little Lamb with spaces, that's actually a very strong password that you will never forget and that's very hard for the computer. Make sure you have very strong passwords and you're not using the same passwords everywhere. You should have what we call a personal password policy. The password for your bank should never be the same password for Facebook.
What are the biggest threats still out there and how have they changed since you first started in this industry?
Chronister: Social engineering has been big, and I'm talking from a consumer standpoint. To be honest, it's been the same threat the past thousand years. I can steal data from you, I can rob your bank, I can do whatever, but at the end of the day it's easier if I can get you to give it to me. It's just changed formats and it's gotten easier the more and more our lives have moved to cyberspace. The technology has changed a little, but the threats are still there, the old school threats.
Everybody wants the latest and the greatest. What you have to understand about the latest and greatest is it hasn't been tested yet. We call it the bleeding edge of technology. The bleeding edge of technology isn't always the best place to be. You want someone else to learn those mistakes. Give it some time.
Right now cloud is a huge area. That's scary. You're putting all your secret information, your most sensitive information, up on servers you don't know who has access to it. I don't know any security person who is very happy that essentially public clouds are being used as much as they are.