Your passwords aren’t safe, the internet of things is ripe for abuse, and hackers don’t always wear hoodies – this is some of the wisdom shared by cyber security expert and creator of the Have I Been Pwned website, Troy Hunt at the ACS Reimagination Thought Leaders’ Summit 2022.

In an entertaining talk delivered to a full house at the Hilton Hotel Sydney, Hunt dispelled some of the myths about cyber security and offered a poignant reminder that keeping your devices and data safe isn’t always as complex or scary as it looks.

“What does a hacker look like?” he asked the crowd.

“I think everyone’s got a picture in their mind from movies or the press that hackers look a certain way, often wearing dark hoodies and with a dark setting in order to evoke a sense of fear.

“The press wants to make them look scary because that’s what they do, cyber security companies want to make them look scary so they can sell their products, but the reality behind this is often very different.”

Hunt described how, in the fallout of the 2015 breach of UK telecommunications provider TalkTalk, pundits attributed the attacks to “Russia-based Islamic jihadists” – with some news outlets naturally including the ubiquitous hacker-in-a-hoodie image trope in their reporting.

In reality, the breach that cost tens of millions of dollars was triggered by a 16-year-old who bragged about finding vulnerabilities in the company’s systems to show off to his friends.

Your passwords are bad

The point of much of Hunt’s Reimagination talk was to serve as a reminder that cyber security threats are varied and need not always be the result of nation-state hackers or nefarious criminal masterminds.

And it doesn’t help that so much of our online world is protected by passwords and the enforcement of restrictions on what your new password should look like.

“When you have that six-character password that you’re trying to use, something you use everywhere, and a website says you have to have to have at least one uppercase character – what do you do?”

Hunt posed the question to the Reimagination conference and noticed the audience looking nervously around at each other.

“You capitalise the first letter,” he continued. “And then you need a number, so you put a one at the end. And you need a non-alphanumeric so you put an exclamation mark at the end.

“I know you do it, I’ve seen all your passwords.”

The result of enforced password composition rules, Hunt said, is a series of common behaviours among users.

People take the path of least resistance, trying to find shortcuts around the system that is getting in their way, with the result being a weaker security posture.

“There are other things we can do to authenticate users that are much more clever,” he said.

“Such as ubiquitous transport layer security, second-factor controls, and user-behaviour analytics.

“Bob normally comes in, logs into work and starts on his Excel spreadsheet. But one day Bob remotes in from Beijing and starts poking around the firewall – that’s probably not Bob.”

Beware the internet of things

As part of his presentation, Hunt shared a story about testing a child smart watch sold by an Australian company in order to demonstrate why people should be wary when buying internet-enabled devices.

The watch markets itself as a way to safely monitor your child’s location through a cellular-enabled smart watch with limited features – including that it can only send and receive calls to limited users.

But when he and a fellow security tester started poking around in the watch’s software, they found some interesting uses of its APIs.

One problem was that user identification was done through by assigning user numbers which meant they could change the number in the watch app’s API requests and be able to track other children.

“It’s not like there was a complete lack of access controls,” he said.

“The access controls went like this: are you logged in? Yes. Cool, do whatever you want.”

“There was nothing like: are you logged in? Is this your family?”

A similar lack of access controls meant somebody could remotely call the watch and speak to the child directly, without the child even having to answer the call.

“Anybody could call a child because of a really, really simple programming mistake,” Hunt said.

“Disclosing these bugs to the company was very good in one way – they took it offline quickly – and in another quite bad because it was very hard to get the organisation to understand the gravity of their mistakes and the role they played in creating what was ultimately dangerous software.”