Former Hacktivist: Why Persistence Is KeyHector Monsegur Seeks Redemption by Offering Advice to Security Executives
For as long as Hector Monsegur has been online, he's broken the rules.
There's the teenage curiosity that got him interested in computers, progressing from Windows 95 and AOL dial-up to Unix systems and learning Perl, which eventually led to his first hacks. There's his ability to become a highly-paid system admin without a college degree or a certification.
Then there's the hacktivism and association with the Anonymous collective and LulzSec, which trained their sights on governments and corporations around the world, including distributed denial of service attacks that targeted among others PBS, Sony Pictures, Fox, Visa, MasterCard, PayPal and numerous others. In his role, Monsegur served as one of the lead hackers who stole and publicized confidential information, defaced websites, and helped shut down the internet in Tunisia during the Arab Spring.
Monsegur also broke the rules hackers had created themselves, including avoiding publicity. Eventually, he broke the ultimate rule: He cooperated with the FBI and turned on Anonymous and others.
"It was kind of against the ideas of the hackers and e-zines and the literature that was passed down from the 1980s to the 1990s, when I first got online. One of the first things I would read was that you should never attack the U.S. government - that's one. The second was never let anyone know what you are doing. And I kind of violated both of those," Monsegur told the Information Security Media's Group New York City Fraud Summit on March 19, as the event's keynote speaker.
Following his arrest and incarceration in federal prison several years ago, Monsegur has been on a redemption tour. He's spoken about his past experiences and how he lived with the consequences of his decision. As the chief researcher at Rhino Security Labs, the hacker once known as "Sabu" is now offering better security for corporate clients.
"But I do want to put out a disclaimer. I'm not here to glorify the past. I'm not proud of it and I'm actually very glad that I have made it this far and I have been able to get back to the industry and get working for my family," Monsegur said.
Persistence Is Key
During his talk on Tuesday, Monsegur used examples from his past hacking activities to illustrate a point: Attackers don't give up once a target is picked. It's a rule that Monsegur followed and it shows why persistence is key to understanding better cybersecurity practices.
"Attackers will get you regardless. You can have all the vendors and software you need ... The attacker is not going away, especially if they are focused on you. It's good to have insight and a perspective on this to move forward," Monsegur said.
In an interview with ISMG, Monsegur explained that many of the problems he sees with clients now center around asset management and not knowing what's on the network. As a hacker, Monsegur would spend weeks gathering intelligence about targets, noting what assets were sitting on these networks and what misconfigurations could be exploited.
"Not only do companies have problems with the external side of their security posture but also the internal side of their security posture," Monsegur said. "In many cases, they don't really know what they are running online. We're not even taking about shadow IT or something similar where you have employees coming in with different devices and are running devices that are not vetted or authenticated or given permission to access the network."
Another developing issue he sees: Insider threats.
"You also have things like insider threats, which is going to be a bigger problem going forward because there's no way to really stop that. Even if you were able to implement a DLP or data loss prevention software, there are still ways to circumvent those technologies," Monsegur said.
More recently, Monsegur and his colleagues have started to see the effects that new issues, such as DevOps, can have on enterprise security.
" What we do, when we start auditing a network for asset management, we are falling right into the whole DevOps slash security problem," Monsegur told ISMG. "It's a whole different beast. A lot of organizations that are bringing in-house developers, they are really opening the doors without really putting emphasis on security policies. Believe it or not, you can have a really secure infrastructure elsewhere, but then the DevOps team or the developers department starts bashing holes with ... weak passwords, public GitHub repositories, access to S3 buckets everywhere and permissions are a problem."
Why Trust A Hacker?
The one question that follows Monsegur around is of trust.
In conversation with ISMG's Senior Vice President for Editorial Tom Field, Monsegur was asked if he could be trusted. He did serve almost a year in federal prison and could have faced a maximum sentence of 124 years under sentencing guidelines if found guilty on all counts, although, in reality, he faced between five to 10 years.
His cooperation helped, but that meant turning on his former Anonymous collaborators, a decision that continues to impact him, as hackers occasionally disrupt his public appearances. However, reflecting on the possible loss of his family and a desire for redemption shows that anyone can change.
"It's all about the person's merit ... not everyone is a lifelong career criminal. Sometimes people make mistakes and they deviate and they make decisions without thinking about consequences and I was one of those individuals. Once I was in prison and I lost my family temporarily, I had made the revelation at the end of the day that this is not worth it and there's more to life," Monsegur said.
At the same time, his story holds lessons for CISOs and other security executives looking to protect against cyberattacks now.
"We do have a skill and a talent shortage. Former hackers have the skills and a talent. I'm not saying you have to hire them, but I am saying you should entertain the interview," Monsegur said. "At the end of the day, it's becoming harder to find workers who can follow your policy, enforce your policy and even understand your policies, including implementation and asset management, and developing documentation for your employees and educating employees that are not that technically savvy. It's a broad industry that is still in its infancy and we don't have enough workers."