Social Engineering and Cybersecurity

10 September 2018
Hacking hotel wifi networks and faking staff IDs
Ahead of his appearance at the upcoming Outside the Square event, "Hackers, Breaches, Bots", graduate and white-hat hacker, Alex Hope, sits down to talk cybersecurity.

Today, I’m sitting in the offices of Atlassian, an Australian software company worth over $14 billion, and waiting to meet Alex Hope, Atlassian’s senior security analyst.

All I know about Alex is that he’s 25, the organiser of Purplecon (a cybersecurity conference) and studied computer science and pure mathematics at the University of Sydney.

Oh, and he’s a white-hat hacker: an IT specialist who breaks into protected systems to test and assess their security.

I expected dark and brooding but the moment Alex appears, it’s obvious he defies the easy stereotypes that surround hackers. With purple and indigo hair that looks like something out of a Japanese anime, the assumed uniform of black hoodie and jeans is supplanted by lavender shoes, rainbow patches and multicoloured nails. It’s a brilliantly complex realisation, especially once Alex announces, “I’m also a magician!”

For Alex, cyber security has always been a passion.

“I’ve always been interested in… I’d like to say hacking but that word is associated with crime, and I don’t want to say I’m interested in crime. I guess you could say that I've always been interested in learning how things get hacked. But I got started mostly by accident.”

Picture a teenage Alex on holiday with his parents as they arrive at their hotel. Alex asks, “Which WiFi is our one?” To which they reply, “Oh none of them. We don’t have internet.”

I remember thinking, ‘Hmmmmm ok. Those WiFi networks all have passwords... I wonder if there’s a way to use it anyway.’ So that prompted a lot of research and really got in the way of our family holiday.
Alex Hope, BSc(Hons) 2015

Alex’s interests carried through to university where he studied Computer Science, Pure Mathematics, and Physics. What he discovered was that Computer Science was fun.

“When I was in Year One, I told the class I wanted to be a scientist. That wasn’t cool. In Year One, it was cool to want to be a policeman because they had guns. But scientists always save the day in the movie with their secret science.

"Computer science feels like playing a game or building something with LEGO. There’s so much creativity in it. I was like, 'This is amazing. This is a job? You can get paid for this? I’d do it for free.'"

Alex tells me about a security course that he did during his Honours year. Although the course contained a lot of theoretical content such as cryptography, it also had a war games component. In a class about social engineering, Alex and his classmates were required to obtain the staff ID of the lecturer.

“That was it, there was no further information. Basically, they said, ‘You can do anything you want in the world to get this ID; just don’t commit any crimes. If you can trick us into telling you - that counts. If you can trick someone else into telling you - that counts.’ I thought that was really cool because it let you be creative.

"We ended up finding out there was an admin portal which you logged into using your student number. The page had a part where it said, ‘If you’ve forgotten your Staff Number, call XXX’, so we did. We called the number and pretended to be this lecturer who had forgotten their number.

"We were the first team to try this but then, unfortunately, the other teams started doing it too. And, at some point, the person at the admin office caught on and realised, ‘Hold on… you’re not who you say you are. And neither was that other person. Or that other person!’ Eventually, the lecturer told everyone to stop calling the number.

"It was pretty non-traditional for a uni course but it actually helped a lot because it was so practical.”

After university, Alex tutored at the National Computer Science School before getting a job at Atlassian where his first job was to “buy the parts for a computer, build the computer on the floor, and use it to crack passwords.” Currently, Alex’s job is to detect and simulate hackers for Atlassian, exposing any potential flaws in their system.

Considering the most recent data breach of PageUp (whose clients include Telstra, NAB, Coles, AusPost and more), I ask Alex if the average user should be concerned.

“I think it’s the same as physical security in the sense that you shouldn’t have to worry about it too much. Not everybody is a security expert but there are people like me who are here to protect you.

"However, the strongest thing a user has in their favour for not getting hacked is the fact that people don’t really care. They’re usually not interesting enough."

Hackers aren’t going to spend a bunch of time hacking a random person and reading their boring emails. There’s not much value to them.
Alex Hope

However, Alex reveals to me that users should be worried about credential or keyword stuffing. According to him, hackers know that we all basically use the same two or three passwords for everything, so all they have to do is wait for a website to get hacked.

“Remember when LinkedIn got hacked in 2012? For some reason, the hack got published. It wasn’t on the Dark Web or anything like that - it was on the regular internet. You could just go and download anyone’s email and password.

"So the hackers get these lists of emails and passwords and they try them on other accounts. For example, they might try to use your LinkedIn password to get into your Facebook. The reason hackers do this is that they’re business people. They’re doing it for the money.

"A password by itself is not very valuable - it’s like $1 for a thousand or something. But if you test them all out and find out that one works on Facebook, you’re not just selling an email password anymore. Now you’re selling a Facebook account, which is worth more money.”

According to Alex, there are two main things users can do to protect themselves. The first is to turn on two-step or two-factor authentication, which requires you to enter an additional password when signing in, one that has been generated and sent to your phone or other physical device. The second is to use a password manager, which can randomly generate passwords for your accounts, store them, and auto-fill them for you.
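How the password-reuse attack described above looks from the defending site's login logs, as an added example that is not part of the original article: one source trying many different accounts a single time each, mostly failing. The function names, thresholds and log events are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample login events: (source_ip, account, login_succeeded).
# IPs are from documentation ranges; accounts are made up.
EVENTS = (
    # One source, eight different accounts, one try each, a single hit.
    [("203.0.113.7", f"user{i}@example.com", i == 3) for i in range(8)]
    # One source hammering a single account: guessing, not stuffing.
    + [("198.51.100.4", "alice@example.com", False)] * 6
    # A real user who mistyped once.
    + [("192.0.2.10", "bob@example.com", False),
       ("192.0.2.10", "bob@example.com", True)]
)

def classify_sources(events, min_accounts=5, max_tries_per_account=2,
                     max_success_rate=0.2, guess_threshold=5):
    """Label each source IP by the shape of its login attempts."""
    per_ip = defaultdict(lambda: defaultdict(list))
    for ip, account, ok in events:
        per_ip[ip][account].append(ok)

    verdicts = {}
    for ip, accounts in per_ip.items():
        attempts = sum(len(tries) for tries in accounts.values())
        successes = sum(sum(tries) for tries in accounts.values())
        deepest = max(len(tries) for tries in accounts.values())
        # Stuffing: wide (many accounts), shallow (one leaked password
        # each), and mostly failing because most passwords were not reused.
        if (len(accounts) >= min_accounts
                and deepest <= max_tries_per_account
                and successes / attempts <= max_success_rate):
            verdicts[ip] = "credential-stuffing"
        elif deepest >= guess_threshold:
            verdicts[ip] = "password-guessing"
        else:
            verdicts[ip] = "normal"
    return verdicts

def accounts_to_reset(events, verdicts):
    """Accounts a stuffing source got into: a reused password worked."""
    return sorted({account for ip, account, ok in events
                   if ok and verdicts.get(ip) == "credential-stuffing"})

if __name__ == "__main__":
    verdicts = classify_sources(EVENTS)
    print(verdicts)
    print("force reset:", accounts_to_reset(EVENTS, verdicts))
```

The account returned by `accounts_to_reset` is the one whose owner reused a leaked password; two-factor authentication is what stops that successful login from becoming a takeover.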

“The internet is great, it lets us do so many things that weren’t possible before. But sometimes, I feel like computers are held together by nothing more than hubris.

"The average person can choose to learn more about security if they want to though and that will make them safer.”

Alex Hope will share his insights on cybersecurity during the Outside the Square discussion, Hackers, Breaches, Bots: How well do you understand the internet? on 11 October 2017 at The Old Rum Store, Chippendale.

Article by Theodora Chan (BA, MECO 2010; BA, HONS 2012), Co-Founder and Content Director at Pen and Pixel.