Ethical hacking can be the solution to some of our most serious cybersecurity issues. We interview Rickey Gevers, cybersecurity expert and founder of Scattered Secrets, a password breach notification and prevention service that is helping businesses and individuals protect their online accounts.
Here is how this Dutch security pro got into hacking, was arrested by the authorities, and went on to show how his talents could also be a force for good.
My dad was really the one who introduced me to tech. I’m not a typical technical person. I like to play outside and those kinds of things. So, not necessarily being behind a computer. But my dad bought a computer when I was young, so I started playing with it at a young age too. I liked the Internet a lot because you could search for anything you wanted. I am a very curious person, so I was looking things up all the time.
But an Internet connection was very expensive back then, and at one point my parents had to pay a lot of money because of me. So, they used a Windows password. But I managed to break into the Windows user account and started using the Internet again. They got mad again, and then my dad used a BIOS password, which was a proper measure to keep me out for a month or so.
Then I managed to take out the whole modem, put it in my own computer, install all of the drivers and use the phone connection from the moment they left the house. And I put my computer in such a position that if they came home, I could see them entering and remove the cable, remove the modem, and put them back in my dad’s computer just in time before they entered the house. That’s how I sort of started hacking, in a pretty natural way. I wasn’t really busy with hacking or anything. I just wanted to get the things done.
Usually, when I talk about the things that I have achieved, I see Waarneming.nl as the brightest thing that I’ve done. I didn’t make any money from it, but it contributes a lot to society. And at one point the website got hacked, which I will never forget. One guy just took it offline and put some defacement posters on it. I put the website back online but, after half an hour, the guy defaced the website again. It was a lot of fun for him but, of course, it was not for me.
I decided I didn’t want this to happen anymore in the future. And the only way to stop it was to understand how hackers work. So, I started to learn to hack and, pretty quickly, I hacked my first computer. I kept on challenging myself. Back in the day, nobody got arrested for it. I didn’t break any computers; didn’t delete any files or whatever you can imagine; I just hacked the computer and that’s all I did. So I started aiming for higher targets. I went from one computer to a computer network. I went to universities because they had fast Internet connections. And I moved up the ladder and eventually was able to basically hack any network, move laterally within the network and become the main admin. And that’s sort of where my story ended.
For some reason, the University of Michigan did a forensic investigation, found me and arrested me. As I said, this was back in the day, so not a lot of hackers got arrested. I had also hacked NASA, to just give you an example. And I remember one guy got arrested for hacking NASA, but at that time, it was very normal to hack computers at NASA.
Well, the University of Michigan was sort of my playground, because the Internet connection there was very slow. So, if I wanted to try some new tools that I had found, I usually tried to do it on a network there, which is probably one of the reasons they caught me. But they did a proper forensic investigation and they determined that I was in the network, that I had full control of the network, but that I didn’t do anything else. So that’s why the FBI basically did not chase me.
Then the high-tech crime unit here in the Netherlands was established and they contacted the FBI and asked them if they had anything they could do for them. So that’s when the FBI said, well, we have a file here. We know his name, we know where he lives, so maybe you can pick up the case. And that’s basically what they did. I got arrested by the high-tech crime unit as one of the first hackers they arrested, I believe. They thought I was a really big hacker, which I wasn’t, of course. I did hack a lot of computers, but I never did anything with it. So, I was basically a huge disappointment.
At first, when I went on trial, I wondered “should I continue this?” But after two years, I was like “well, I’m only good at one thing, so let’s just fight back and show everybody that I’m on the good side and that I don’t have anything to do with criminals or whatever.” And I started hacking again.
I did a lot of penetration testing, and at one point I noticed that you can easily hack any company and you usually do it with the same trick. That’s when I started building Scattered Secrets, because I believe you can hack any company by simply looking at the passwords that have been leaked. So that’s what we’re trying to fight against right now. We’re basically doing the low hanging fruit for most hackers. It’s not that interesting. It’s not that advanced. But, in our opinion, it’s the most dangerous and easiest way to hack any company right now.
The funny thing is that most passwords are leaked through only a few databases. We have a few enormous leaks. One of them is MyHeritage. The other one is MySpace. And the third one is LinkedIn. That’s where most passwords come from. It’s often the small databases people are in, but once every two years, you have an enormous breach.
Often, if you talk to security experts, they say we’re not getting better. But in my opinion, there won’t be a single day without hacks. That’s simply because you have the human factor, and the human factor is always vulnerable. We can build secure systems, but there’s still a human using them, so it will always be vulnerable. So, we have to deal with the fact that there will always be hacks.
At the same time, when it comes to multinationals – back in the day, in 2014 or prior to that, we had these flat networks, and you could easily become the administrator. It was pretty easy to hack large companies. I think most multinationals now have a certain base level. And, sure, in the news we see the ones that don’t have that base level. But we’re getting more and more mature. I think that’s the most valuable lesson.
As a security researcher, I think the most challenging part is that you have to keep up with your knowledge, you have to continue learning and working. If you stop doing certain things, your knowledge starts to lag behind. It’s a constant battle to keep your knowledge at a certain level.
Without a doubt, the SANS Institute. In my opinion, they’re the only real experts. It’s very expensive, between six and eight thousand euros, but it’s absolutely worth the money. I try to do a course every year, but it’s not always easy to find the time.