By CRAIG NORTHRUP
HAYDEN — Letters and numbers penetrated the white glare of the computer screen in the Hayden office, the hum of prop planes taking off from Pappy Boyington Field across the street. The letters and numbers sat in benign, simple, dead-center frankness: the full name of someone named Katherine, followed by a string of 16 numbers below it, followed by a few more below that.
At first glance, they meant nothing. But on closer inspection, they spelled out a credit card number and its security information.
Michael Meline sees those letters and numbers as a crime.
“They share this information for other criminals to use,” Meline explained. “Then, once they validate the card information, the criminals will come back and buy more. This is just a taste.”
In this case, a taste of 990 separate pieces of credit card information sold by an anonymous criminal.
Some packets of credit card numbers can cost pennies, Meline said, while some can cost $20 each. Hacking is a non-stop cottage industry with such an endless, constant barrage of attempts that it has created its own economy: cybersecurity.
Cybersecurity will be the world’s fastest-growing industry by 2026, according to a 2019 Industrial Market report. A 2017 Cybersecurity Ventures report predicts 3.5 million available job vacancies by the end of 2021. The Federal Bureau of Investigation, in conjunction with Hayden-based Exbabylon IT Solutions, met with the Coeur d’Alene Chamber of Commerce April 16 to discuss the threat to local businesses. Meline said the dangers reach every corner of the business world.
“Our clients range from health care to banks of every size to manufacturing,” he said, “and everywhere in between.”
The range of potential victims is so wide, Meline said, because hacking never rests. The eight-year veteran of law enforcement from Yuma, Ariz., pulled up a website with what was supposed to be a map of the world. Lines stretching from one launch point to its target blanketed the digital view, obscuring almost every pixel of land. In the corner of another website, a counter boasted 134,620 hacks going on in the world that very second. On a Tuesday.
Meline said companies don’t properly address the constant barrage of hacks because they ask the wrong questions at the wrong time.
“They’ll come to me and say, ‘We spent $7 million on this [prevention measure].’ I ask them why they need it, and they say, ‘Because I’m going to be hacked.’ At Cyber Self-Defense, we enable a business through cybersecurity. We ask, ‘What is this going to do for your company?’ ‘What risks will it address, and how effectively will it address it?’ We look at the company as a whole and ask, ‘What is it you want to achieve?’ And never needed to buy that $7 million [prevention] before they called us. Maybe they just needed better policies and procedures.”
Meline added that fear often drives companies to digital and financial paralysis.
“I can make your company so secure that you can’t do your job,” he said. “But no one can make you so secure that a determined hacker won’t get in. So I let the CEO know that, so we can re-balance risk. We try to find the proper threshold of risk. When we do that, your employees will be highly successful, but the criminals are going to get frustrated and go somewhere else.”
While businesses are vulnerable to various intrusions like malware, spyware and data breaches, Meline said an unprotected business should expect to fall victim to ransomware, a program that encrypts a company’s critical files and holds that data hostage, demanding payment for the promise of release. Global ransomware will attack a business every 14 seconds by the end of 2019, according to research conducted by Cybersecurity Ventures, adding that the technique cost businesses worldwide more than $8 billion in 2018.
Hackers, meanwhile don’t target only businesses. In fact, Meline explained, hackers don’t often target anybody.
“When you look at the amount of attempts — sometimes dozens in just a few seconds — they’re not trying to get a hold of such-and-such’s information,” he said. “They’re not trying to get into your computer. They’re trying to get into any computer. That’s how they make their livelihood, and that’s how people in my position make our livelihood.”
Cybersecurity offers a livelihood people are learning at younger and younger ages from around the globe — including, as it turns out, Rathdrum.
“I’ve been interested in computers since forever,” said 15-year-old Hayden Carroll, a 10th-grader at North Idaho STEM Charter School, “but these past two semesters, I’ve gotten more involved in networks.”
In a small wing of a larger North Idaho STEM classroom, Carroll sat with fellow computer science students Zander Land, Austin Kugler and Jordan Higgins. Higgins rejected the term “hacker,” calling himself a “penetration tester” while engaging in “ethical testing.”
“It’s wrong to go out and hack somebody and steal their information,” Higgins declared. “I only test frameworks and networks to find weaknesses, not to exploit them.”
“You don’t have to take a class to get started,” Carroll said. “There are apps and programs that will help you learn at your own pace.”
Khan Academy offers one such program. It’s an online learning platform North Idaho STEM students often use to learn. While all four boys predict college in their futures, cybersecurity experts urge experience as much as education.
“Some of the best IT professionals are those with the passion and desire to want it,” said Karl Betz, chief information security officer for TDS Telecom, a telecommunications company that announced earlier this week its plans to come to Coeur d’Alene. “Our best security guy, for example, just has a high school education. But he has the passion and the experience to handle the load.”
Betz added that he has a constant need to fill cybersecurity jobs, which he said must include more than technical prowess.
“You have to be flexible and open to understand the problem from a number of different viewpoints,” he said. “And communication skills are a must. You have to have that ability to communicate and interact with our business partners, from their front-end guys who build security to the board of directors. Ultimately, though, you’ve got to be a team player. You have to be able to brainstorm with others, troubleshoot the problem, find a solution and examine that solution after the fact.”
Those problems and their solutions are not only for IT professionals in work environments to solve. Hacking affects residential bystanders, as well, Betz and Meline agree.
“Anything is hackable if you have the time, persistence and funding,” Betz said. “Phishing for a customer’s credentials like passwords and account information is getting more and more creative. But your No. 1 vulnerability is you.”
Betz gave an example where he will masquerade as TDS Telecom’s CEO via phone or email, reach out to an employee and try to gain his or her information. While employees are usually mindful of the potential risk, he said that doesn’t mean he should ever stop trying.
“It never gets boring,” he said, “because you can never become complacent.”
“Most people have been trained to be nice,” he said. “It’s what I call social engineering: I go in and pretend to be somebody I’m not. I’ll walk into a business or I’ll call and ask for their password, or I’ll bring in [an infected] thumb drive and ask them to plug it in. And they do it. That thumb drive will now give me all of their information. It’s very, very simple.”
Those random attempts flung from all around the world can come in the form of malware (software designed to harm your computer devices with viruses) and spyware (software designed to view or obtain information about your device activity), among other pre-programmed nuisances. They can rarely be traced, Meline said, because hackers will bounce their trajectories off multiple servers around the globe, and the sheer number cannot be handled by law enforcement, leaving consumers to fend for themselves. He warned that “well-known” should never be confused with “trusted.”
“Don’t mistake popular with safe,” he said.
Meline added that hacking is about more than typing and sending code from a far-off corner of the world. Hacking ordinary consumers often involves a transaction at some point, either through email or social media to draw victims into a scam, including a well-known hoax people are still buying into today.
“All it’s doing is preying on our kindness and preying on our greed,” he said. “Someone sends an email saying there’s a prince who died in a country you can’t pronounce with a family member you’ve never known, and he’s leaving you all his money. All you have to do is give this small amount of money back — your life savings — and you’ll get this billion dollars. It’s preying on people.”
A version of this hoax nearly succeeded locally on Tuesday, when a victim walked into the Hayden Super 1 and tried to send money to one such scam. Customer service representatives onsite warned the customer of the scam and refused to comply, prompting the man to leave.
“We are very trusting as human beings, and we’re taught that way,” Meline said. “But when we deal with hackers or criminals, we have to understand: They’re doing their job. We expect them to do their job the best way they can. We have to do our job better than them. This is how I made it through law enforcement. I could very easily understand what they’re doing. I didn’t agree with what they were doing, but they were just trying to be good at their job. That’s what they do.
“Our job is to be better at ours.”
Ultimately, Meline said it’s incumbent upon everyone to remain vigilant.
“The worst thing you could do is close your eyes to it,” he said. “Hackers will hack, no matter what. Ignoring cybersecurity will not make the problem go away.”