A trio of security researcher superstars -- including a one-time legendary teen hacker known as “Mafiaboy” who brought down some of the most popular sites on the internet, and a medical researcher who exposed a security hole that led to the recall of a half-million pacemakers -- are joining an HP Security Advisory Board aimed at making advances in the war against hackers.
HP announced the new panel of white hat security superstars at the start of its Reinvent worldwide partner conference Monday as part of its ongoing effort to deliver what it calls the most secure PCs and printers on the market. The members of the new board are chartered with providing "strategic input to HP's leadership team and security experts."
The three security superstars, who will receive honorariums for their service, include:
Michael Calce, who received the moniker "Mafiaboy" when as a 15-year-old in 2000 he shut down eBay, Yahoo, ETrade and others with a series of attacks. Calce -- the chairman of the HP Security Advisory Board -- is now a white hat hacker who does penetration testing for companies.
Justine Bone, CEO of MedSec, whose firm exposed a security hole that led to the recall just last month by the U.S. Food and Drug Administration of 496,000 pacemakers from Abbott, which has issued a firmware update. Bone is a controversial figure given her decision to proactively expose medical threats.
Robert Masse, who has been helping businesses stop security breaches as a strategic consultant for 20 years. Masse – who owned his own security consulting business – has agreed to donate his honorarium to charity and is participating separately from his duties as a partner for Deloitte Canada.
Calce, who recruited other security researchers for the assignment, said he was inspired to join the board in part by HP's commitment to "look at different angles" to create more secure products. "It was a natural pairing for us to team up and advocate [improved] security together," he said.
The board is not a symbolic gesture but rather a real-world panel to help HP create more secure products, said Calce. "There is no smoke and mirrors here," he said. "The members I assembled are to offer the best advice and input that we possibly can for HP to really develop the most secure products that will impact the world and negate what is going on in terms of hacking worldwide."
Calce, who already has been in the field working with several HP solution providers and their sales reps to increase awareness of security threats, said his independent third-party perspective as a security researcher has helped drive home the need for improved security in products such as printers.
"A lot of people are oblivious to the risks involved with printers," he said. "People don’t realize how a printer has evolved. … It has an OS, BIOS and firmware. It is a computer on the network. People fail to realize that."
Stephanie Dismore, HP’s vice president and general manager, Americas channels, said the Security Advisory Board is a big differentiator for HP partners. "It is hugely significant because we will have the cutting-edge advice, knowledge and transformational input to drive our innovation and provide our partners with the right level of information to talk to their customers," she said.
In the case of one national solution provider, HP pulled together a comprehensive security sales training initiative that included Calce and then backed it up with spiffs and other sales incentives. "It was one of the most exciting programs I have ever seen launched at one of our partners," she said.
Calce said he sees the type of attack that he used as a teenager as an "easier" proposition today given the increasing number of connected devices. That said, he stressed the hacking he engaged in was different than the attacks of today. "I was young and it ended up doing damage but that was not the intention," he said. "Whereas you look at today, the motivation is financial gain and complete destruction."
Calce’s goal now is to use his knowledge to help prevent attacks, he said. That is key to the HP Security Advisory Board's decision to engage directly with white hat security researchers like himself.
Bone, for her part, said that the "deeply technical vulnerability" researcher status of the board members is key to bringing real-world scenarios from the "perspective of an attacker" to products and services.
Bone said she is "excited" by the prospect of bringing "offensively minded" skills to the cybersecurity effort being mounted by HP. "I am excited about learning more about what is going on at HP and then applying my background to help HP navigate the future as it relates to the threat landscape," she said.
Bone praised HP for driving security at every layer in the stack including at the firmware level. HP's SureStart self-healing BIOS technology is exemplary, she said. That kind of foundation ensures the board with its deep ties into the security researcher community can "look into the future" to solve more advanced threats.
Among the biggest threats Bone sees in the future are theoretical techniques that could take hold years from now -- "bizarre memory manipulation" to take control of systems. That is the kind of information HP can use to deliver more secure devices, she said.
Masse, for his part, said he was inspired to join the board because of HP's proactive effort to seek input from independent security researchers to challenge the company. "That showed me that HP wanted to push the limits of testing their thought process when it comes to cybersecurity and looking for the ultimate challenge to be the best at developing secure products," he said.
The security researchers on the board are on the front lines seeing the real-world breaches that are wreaking havoc on companies, Masse said. "A lot of the incidents we read about in the news are actually the tip of the iceberg," he said. "Many of the really bad ones nobody ever hears about. So I can provide a lot of insight as well as my colleagues on what is going on out there."
The new wave of attacks has escalated and focuses on the confidentiality of the data and the threat of releasing that data publicly on the internet, said Masse. Hackers are "gaining access, staying within the company for months and then extricating the most confidential client data," said Masse.
Masse said he has seen a recent case where the hacker sent the company a "well-thought-out business proposal" detailing all the data that had been extricated and what the potential financial damages would be if it was released. "They actually put out a business plan, put out a proposal and the company actually accepted," he said.
How to stop such threats is the "multibillion-dollar question," said Masse. The big change in the security paradigm is a shift to proactive "monitoring and being resilient" rather than focusing 100 percent on stopping threats at the perimeter. He said HP's focus on making sure companies are "resilient" in their security focus "really resonated with me and made me" want to join the advisory board. "HP's position on that is ahead of the game when it comes to the rest of the industry," he said.
Boris Balacheff, HP Fellow and chief technologist for security research and innovation who is working directly with the new board, said HP has put security at the heart of its PCs and printers for many, many years, but has accelerated that effort over the last few years.
One of the keys for HP as it builds future products is "staying ahead" of the ever-increasing threat landscape to directly influence product design and development. "This means we really need to understand the threat landscape," Balacheff said.
The emphasis is on what are the emerging threats five years down the road. "We are looking at what are the new threat vectors that we need to anticipate because it is going to take us some time to come up with the right designs to address those," Balacheff said.
The board will meet each quarter and will have a working relationship with HP's chief technologists and executive leadership team.
Calce, for his part, said the never-ending battle to stop hackers is an increasingly challenging proposition for HP and the rest of the industry. He said HP's leadership position should be embraced by other companies to help turn the tide on the increasing number of security threats.
"We are obviously losing the war right now," he said. "There are way more hackers than there are white hat security professionals. … In order for us to step it up, a lot of big companies are going to [have to] emulate what we are doing [with HP]. I am talking at a real level, not just creating a board to glorify [the company] in the media. I am talking about a board that will provide insight into what is going on in the industry."