Ethical hacking evangelist and public service broadcaster advocate Inti De Ceukelaire speaks to IBC365 on the importance of privacy, credible broadcasting and probing infrastructures for vulnerabilities.
As a 12-year-old Inti De Ceukelaire successfully “found a big security hole” in Sony’s back end infrastructure, admitting he came across it by accident as he was looking for a way to play Nintendo’s Super Mario on his Sony PSP.
He went on to work in various roles that included coding, social media and as an all-round webmaster at Flemish broadcaster VRT and prior to that he was at Belgium broadcaster SBS as an IT investigator.
Today he is the head of hackers at Intigriti, which is a crowdsourced security platform where hackers, researchers and companies can meet to explore bug bounty platforms and ethical hacking with the common aim to identify and tackle vulnerabilities online in a cost efficient manner.
Not understanding how “big technology companies worked”, he explains that as a 12-year-old “I wanted to understand what I found” so he posted it online in a forum which was later deleted after fellow hackers at the time commended him on stumbling across the hole they’d been looking into for months.
He explains how he became interested in hacking: “It was the best feeling in the world [being the first person to play Mario on PSP] because I found a big security hole and Sony obviously didn’t like that.
“I was raised in a good way and I didn’t want to hurt anyone, so I got into ethical hacking because I didn’t want to breach systems to steal data, I looked for vulnerabilities - even when it was illegal.”
He tells IBC365 about the “constant struggle because my emails were ignored” when he would inform an organisation of a vulnerability.
Hacking the perception of the hacker
De Ceukelaire began his hacking career full time when he was a teenager. Working in a shopping mall, he realised the potential to make money by finding companies’ security vulnerabilities.
He notes the likes of Facebook, Google, Uber and Snapchat have set up “quality programmes for skilled hackers in the world and if they stumble across a vulnerability there are accounts to report this to”. He says, more or less, these are ignored.
Facebook has been known to pay between $50,000 to $100,000 for information on a vulnerability that has been hacked in an ethical way.
As a self-confessed evangelist for ethical hacking across Europe, he says: “Of course most hackers are ethical, but the perception is that most are criminal but by default they are not. Criminals get the headlines but the main hackers are good and want to improve cyber security.”
He continues: “There is a big difference between criminal hackers and those who fight against the bad guys; I feel like we are slowly getting there.
“I am working on creating the biggest ethical hacking community in Europe.”
The public turns to public service broadcasters (PSBs) for trusted information – notably during times of crisis, such as today’s climate with Covid-19 spreading across the globe.
He says: “During a crisis, elections, governments changes and global events people look at PSBs and criminal hackers see broadcasters as natural targets.”
PSBs have a choice: ultimately to wait for a breach, or work with ethical hackers on preventing a breach.
However, he adds: “Europe is tough. With new media’s emerging and popular technologies spreading across Europe, it is especially hard [to evangelise] in an industry that was formally considered criminal.”
Looking at the ways in which user data is stored, content platforms use algorithms to curate content recommendations and it is a broadcaster’s responsibility to harness the public’s privacy. This means the need for PSBs to work with ethical hackers is critical.
Admitting his natural bias, he claims it is the “civic duty” of PSBs to listen to the public and take on board cyber security as an important matte -r up there with budget, business strategy and technology innovation.
“There will always be ways to steal content and piracy breaches across the film and television industry, but it is more important for broadcasters to look for alternative piracy solutions because they will not go away any time soon,” he adds.
Cyber warfare today
Broadcasters and studios are hot targets for criminal hackers and De Ceukelaire says that transparency is tremulously important.
“Hackers can change content on PSBs to target specific users and take over without PSBs noticing because they are not sure how to find vulnerabilities.
“Hackers can target specific people through news sites which is a threat to the great value PSB have in spreading information in times of need.”
He noted two of the high-profile attacks from previous years including Sony Pictures Entertainment and TV5Monde.
TV5Monde was victim of a malicious targeted software attack in April 2015 which saw 12 channels taken off air and the breach nearly jeopardising the entire company.
The attack corrupted and destroyed the internet-connected hardware that controlled the station’s encoder systems.
Following the attack, employees were unable to send emails, reverting instead to fax machines and computer-based workflows all required testing and virus scanning causing the company a loss of thousands of euros.
Initially it was believed to be a jihadist attack but was later suggested that the attack was carried out by a group of Russian hackers.
In November 2014 Sony Pictures Entertainment was hit with what the company described as “a brazen cyber attack”resulted in the cancellation of the 2014 theatrical release of The Interview, a comedy starring James Franco and Seth Rogen about the assassination of North Korean leader Kim Jong-un.
Hacker group named ‘Guardians of Peace’ stole large quantities of confidential and sensitive information from Sony, including current and former employees’ salaries, health care, pension information and contact details as well as obtaining information about films which were uploaded and released on file sharing websites for the public to download.
The North Korean government demanded that the film not be released, however it denied any involvement in the cyber attack.
He explains: “The hackers taking over Sony’s server is a bigger issue than serving digital content because people get curious about episodes and try to steal it ahead of its release.”
Unable to name the Belgium programme which leaked ahead of broadcast, but the finale was leaked announcing winners ahead of its scheduled air time, the impact is vast across the creative industry.
- Read more: Five global cyber attacks
Opening the can of worms
Constraints on PSBs including working with government and tax money means budgets are strict and often any problems with cyber security will have a higher cost of fixing it.
He says: “I am afraid some PSB companies don’t want to work on these cyber security issues because they cause a lot of problems and decent security costs a lot of money, but PSBs have a small budget to manage everything and cyber security gets forgotten.”
From his experience as a researcher, De Ceukelaire explains the vast opportunities for hackers to attack across the content ecosystem and the spread of misinformation particularly amid world crises is of greatest concerns.
“I see a lot of legacy applications that should not be around,” notably with many organisations storing user data from contests, on-demand content log ins and website registrations.
He points to the UK’s BBC who have a cyber security policy and programme with positive experiences across the ethical hacking community.
He says: “The main reason the public don’t trust hackers is because organisations are not transparent enough with what they can or cannot do with it with system vulnerabilities.
“There is an upcoming trend in the US with companies disclosing vulnerabilities people find and in Europe people are afraid of doing that as we have the wrong assumption that having security vulnerabilities in the system is something you should be ashamed about, but it is not.
“At least these companies are trying to acknowledge and fix these issues, transparency is very important when it comes to PSBs and if they have security issues tell the public what you are doing to mitigate them.”
Long live the ethical hackers
With PSBs serving such large audiences with so many assets the importance to security test its legacy networks is very important and something that is not possible to achieve daily or weekly.
He explain: “My main concern for PSB there is so much that makes it more interesting to hackers and easier because you just find weakest link and can be entry point into an entire organisation.
“Reviewing the ability to serve content and making sure content is properly protected with news, radio apps, website and on-demand content requires so many applications and we needs weekly review which is impossible.”
As such, he recommends PSBs “get familiar with setting testing schedules and hacking to help fight the battle because PSBs cannot win.
“My solution is the power of the crowd, open security vulnerabilities to the public and more eyes on product more concerns we need to listen and reply to with a mass of people and apps exposed to attention.”
- Read more: Ethical Hacker, Tony Gee