The Angler & the Ethical Hacker


Being a successful angler requires a unique set of traits – curiosity, strategy, and patience – along with a deep understanding of the target.

Where are the fish? What motivates them? What makes them move from curiosity to taking the bait?

Phishing for prey on the internet works the same way. Just ask Patrick Walters, a Bassmaster Elite professional angler, and Hector Monsegur, an internationally renowned “white hat” hacker who assists the FBI and other entities in preventing internet security breaches. Patrick and Hector sat down with LS3P’s Technology Leader Darrell Puffer to discuss fishing and phishing, with Patrick joining in person from Charleston and Hector joining remotely from Brooklyn.

To Catch a Fish

The experts had a lot to say about the process. To catch a bass, for example, it helps to have a real feel for the environment. Each lake is different, and the locals might know better than the pros where the fish are likely to be biting. It also helps to understand the social structure of the species; a large female is usually accompanied by a smaller male, and she won’t bite unless the male – not the prime target – shows interest in the bait first. There’s a good deal of psychology involved. Hooking a phishing target on the internet works much the same way. An expert hacker will identify the easy targets in order to get valuable information on a much bigger fish. For example, an entry-level employee of a small firm who clicks on a malware attachment might allow a hacker to establish a foothold and gain access to the firm’s much bigger clients, such as a federal agency or other desirable target. Once the network is compromised, the hacker might lie low, stay under the radar, gather information, and wait for the right moment to make a move.

The bait needs to be tempting enough to entice the fishing, or phishing, quarry to suspend their default position of healthy skepticism. For a fish, it might be the prospect of an easy meal, or something that piques its curiosity. For, say, a junior employee at a large company, it’s likely something that triggers anxiety that overrides the usual common-sense security protocols. An email that looks convincing from the bank or from the HR department might prompt someone to click first and think later, if they’re worried that their rent check might bounce.

Only when the “problem” is solved do they slow down enough to realize they were targeted and compromised by entering their security credentials or clicking on a suspicious link.

Becoming an Expert

Our experts should know. Patrick has three B.A.S.S. wins and two Century Belts on his record in the last five years. He may have honed his craft fishing the Santee Cooper Lakes near Charleston, but he’s applied these skills to bigger lakes and high-profile tournaments in recent years, using a combination of research, instinct, and experience to find the fish.

Hector, too, has a fascinating personal story, and every chapter has brought him experience and knowledge that he now applies to helping prevent hacks that could cause major disruption (for example, to Congress, NASA, and other critical public and private organizations).

He leveled up during the Arab Spring, when he became a “hacktivist” orchestrating successful takedowns of governmental data systems in Tunisia, Egypt, Iran, and others.

His hacktivism efforts through Anonymous and its offshoot LulzSec also impacted some US federal contractors, which landed him in some hot water with the FBI, but that relationship fortuitously led to his current career as an ethical hacker. He knows how the system works from both sides, and he is instrumental in helping his clients be proactive about cyber security.

Hector was making good money as an 18-year-old systems administrator in Brooklyn, but his keen intellect and curiosity led him to begin experimenting with hacking foreign governments – not for money, but for knowledge.

Patrick and Hector both understand the research, tools, and patience required to catch a big fish, or a lot of smaller fish. A successful angler or a successful hacker will have the resources to outmaneuver their targets – sonar for figuring out where the fish are, or advanced technology skills far beyond that of the average person using a computer at work.

To elude capture, the target has to know the angler is out there, and know how to spot the bait.

High Stakes Sport

Just as an angler can go pro and make a successful career out of fishing, a hacker can develop the skills to get rich off of fraudulent activity. The most successful bait is emotion: an easy person to hack is typically someone who is new to a company and wants to build a career there.

For this target, an anxiety-inducing email that references a surprise performance review capitalizes on the employee’s desire to be a good team member, and according to Hector, this bait works more often than not to deliver malware or gain access to a company’s systems.
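The lure described in this section and in the earlier account of the convincing “bank” or “HR” email has a recognisable shape: a sender who claims internal or financial authority, wording that manufactures urgency, and a link that leads to a credential prompt outside the firm’s own domain. A mail gateway can score inbound messages for those signals instead of relying on the recipient’s composure. The Python below is an added illustration written for this article, not code from the article, LS3P, or any of its contributors; the domain `example-firm.test`, the cue lists, and both sample messages are constructed for the demonstration.

```python
"""Heuristic triage of inbound mail for the lures the article describes.

Added illustration: ORG_DOMAIN, the cue lists and the two sample messages
below are constructed, not taken from any real mail stream.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example-firm.test"  # assumption: the defender's own mail domain

# Phrases that manufacture anxiety or rush the reader past their skepticism.
URGENCY_CUES = (
    "immediately", "urgent", "within 24 hours", "surprise performance review",
    "account will be suspended", "final notice", "your rent",
)
# Phrases that ask the reader to hand over credentials.
CREDENTIAL_CUES = (
    "verify your password", "confirm your credentials", "sign in to",
    "log in to", "enter your username",
)
# Display names that claim an internal or financial authority (word-bounded
# so a name such as "Christopher" does not match "hr").
AUTHORITY_RE = re.compile(r"\b(hr|human resources|payroll|it support|bank)\b")
LINK_RE = re.compile(r"""https?://[^\s<>"')]+""", re.IGNORECASE)


def _plain_text_body(msg) -> str:
    """Collect the text/plain parts of a message (single-part or multipart)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(parts)


def score_message(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Score one RFC 822 message string for lure signals.

    Returns {"score": int, "reasons": [str, ...]}; a higher score means more
    signals stacked together. Thresholds for quarantine are the caller's choice.
    """
    msg = message_from_string(raw)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    body = _plain_text_body(msg)
    text = (msg.get("Subject") or "").lower() + "\n" + body.lower()

    score, reasons = 0, []

    urgency = [cue for cue in URGENCY_CUES if cue in text]
    if urgency:
        score += 2 * len(urgency)
        reasons.append(f"urgency cues: {urgency}")

    creds = [cue for cue in CREDENTIAL_CUES if cue in text]
    if creds:
        score += 3
        reasons.append(f"credential request: {creds}")

    # An "HR" or "bank" display name is only meaningful if it arrives from
    # somewhere other than the organisation's own domain.
    if AUTHORITY_RE.search(display_name.lower()) and from_domain != org_domain:
        score += 3
        reasons.append(f"{display_name!r} claims authority but sends from {from_domain}")

    for link in LINK_RE.findall(body):
        host = (urlparse(link).hostname or "").lower()
        if host and host != org_domain and not host.endswith("." + org_domain):
            score += 2
            reasons.append(f"link to external host {host}")

    return {"score": score, "reasons": reasons}


# Constructed sample: the "surprise performance review" lure from the article.
LURE = """From: HR Department <hr-notices@example-hr-portal.test>
To: new.hire@example-firm.test
Subject: Surprise performance review - action required

Your manager has scheduled a surprise performance review for tomorrow.
Sign in to https://review.example-hr-portal.test/login immediately to
confirm your credentials and view the agenda.
"""

# Constructed sample: an ordinary internal message with an internal link.
BENIGN = """From: Jane Colleague <jane.colleague@example-firm.test>
To: new.hire@example-firm.test
Subject: Lunch on Thursday?

A few of us are grabbing lunch Thursday; the menu is at
https://intranet.example-firm.test/social/lunch if you want to see it.
"""

if __name__ == "__main__":
    for label, sample in (("lure", LURE), ("benign", BENIGN)):
        result = score_message(sample)
        print(label, result["score"], *result["reasons"], sep="\n  ")
```

The scorer is deliberately additive: any one signal (an urgent subject line, an external link) is common in legitimate mail, but a message that claims to be HR, arrives from an outside domain, demands immediate action, and points at a sign-in page off the firm’s domain accumulates every signal at once, which is exactly the combination the article’s experts describe as the bait that works “more often than not.”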

Besides the low-hanging fruit of a business email compromise, hackers can also stage a ransomware attack in which they hold a company’s systems hostage in exchange for a hefty sum, or can target specific individuals who might have access to compromising information that can be used against a political or celebrity target.

During the pandemic, hacking groups also began to target organizations responsible for critical infrastructure, creating attack paths to cause mayhem. The architecture industry was added to the list of infrastructure targets, escalating the potential threats to keeping our networks secure and our businesses operational. Because the systems of our clients, colleagues, and consultants are all intertwined, a breach anywhere along the supply chain can have far-reaching impacts; it’s critical that we understand our points of vulnerability and work across organizations to defend our “one, secure, collaborative network.”

Staying safe in the water depends upon more than luck: drawing from the expertise of those who know the sport best, we can stay mindful, learn from the masters, and avoid taking the bait.

About the Contributors

HECTOR MONSEGUR

“White Hat” Hacker

PATRICK WALTERS

Bassmaster Elite Professional Angler

DARRELL PUFFER, IA, LEED AP, WELL AP

Technology Leader, Associate Principal

Hector Monsegur is an internationally acclaimed computer hacker who now applies his considerable skills to preventing security breaches at major organizations such as NASA and the US Congress. Hector’s early career included “hacktivism” during the Arab Spring, when he disrupted governmental data systems in Tunisia, Egypt, and Iran. He was a member of the hacking group Anonymous and its offshoot LulzSec before running afoul of the FBI – a turn of events which ultimately led to his career as an ethical hacker assisting public and private clients in their cyber security efforts.

Patrick Walters is an acclaimed bass fisherman who has earned “Elite Series Angler” status. Patrick has three B.A.S.S. wins and two Century Belts on his record in the last five years. A South Carolina native, Patrick has honed his skills through research, experience, and instinct in tournaments at the national level.

Darrell Puffer is a registered architect with over 20 years of diverse experience. He earned his Bachelor of Architecture in 1995 from Virginia Tech College of Architecture and Urban Planning. Darrell views the built environment as an asset to maximize human potential and likewise sees technology as an asset to maximize an individual’s creative potential.

As the firm’s Technology Leader directing both IT and Advanced Digital Design, Darrell takes a big-picture approach to innovative technology while employing a thorough understanding of how the digital practice enhances and completes the creative design process. Having spent the greater part of his architectural career leading the design and project management of large-scale, mixed-use, corporate, education, and healthcare projects nationally and internationally, he now views his practice as an opportunity to work alongside design teams and projects, supporting and enabling innovative design solutions through the use of advanced technology.

Darrell serves as a member of the AIA’s CIO Large Firm Roundtable and is a delegate on the Design Futures Council. His LS3P Technology team includes IT and architectural professionals who work together to manage a secure collaborative network and support the firm’s architectural practice.
