Meet the hacker given permission to breach Dubai Police's website

Marshal Webb, from the US, is a hacker-turned-security consultant living in the UAE

It only took two leisurely minutes for Marshal Webb to hack into Dubai Police's website and take it offline – a move that would normally be a criminal act.

Fortunately for him, he had permission from senior officers.

The exercise was performed live on stage at the Gulf Information Security Expo and Conference (Gisec) as an example of how hackers can breach even the most secure of institutions.

Mr Webb, from the US, runs his own security consultancy called Path Network, which advises public and private entities on how to defend themselves against hackers, a problem he predicts will grow dramatically over the next few years.

A decade ago, he was a world-famous teenage hacker and a member of Lulz Security – a group of hackers who looked to breach business and government systems.

The group claimed responsibility for several high-profile attacks, including a hack in 2011 when the personal details of about 100 million PlayStation users were stolen from Sony's servers.

Former hacker Marshal Webb has helped the US military identify vulnerabilities in its cybersecurity.

Where did the interest come from?

Mr Webb said he was 12 when he turned to hacking. He did so mostly out of boredom as he grew up in an isolated, rural community in south-west Ohio, he said.

"Computers were interesting, and it was a way to explore the outside world and get out a little bit – a chance to get access to things, to learn how things worked," said Mr Webb, 28.

Mr Webb was much brighter than most kids his age and he went to university aged 12.

He quickly advanced from hacking simple websites to more complicated projects, few of which he is willing to speak about, presumably because of fears of prosecution.

"My first publicised hack that was documented was Eidos-Montreal, for a game that had been released called Deus Ex," he said, describing an incident uncovered in 2011.

Eidos-Montreal's parent company, Japanese videogame maker Square Enix, said 25,000 email addresses could have been stolen in the attack, along with the CVs of 350 potential employees.

Within a few months, Lulz Security fell apart in highly acrimonious fashion, and some members outed Mr Webb for his role in the Deus Ex hack.

"Hacking is a very highly competitive field," he said.

"When hackers work in groups, there's always a lot of false flag attacks and shenanigans and highly competitive actions against each other."

Mr Webb found himself on the radars of global law enforcement agencies and he realised he had to go straight – or to undertake what hackers call "white hat" activities.

The changing face of hacking

Since then, he has been awarded a network security medal for uncovering vulnerabilities for the US Air Force, the military and the defence and control department.

He also hacked the Pentagon, which he said was easy.

"With the Pentagon and with any other organisation, the larger they are the easier they are to hack," he said.

"Hacking is really about finding mistakes, and the more assets an organisation has, the higher the chance that they've made some kind of mistake somewhere."

Many hackers are criminals who commit deeply intrusive acts, often for nefarious purposes.

Research group Cybersecurity Ventures predicted that cybercrime would inflict damage worth about $6 trillion in 2021.

It said the costs could grow by 15 per cent every year over the next five years, reaching $10.5tn by 2025.

State-sponsored hackers and organised crime gangs now dominate the market, with the introduction of digital currencies making it easier to extort money without getting caught.

"Hacking has really matured over the years," said Mr Webb.

"A lot of what we did a long time ago was not very destructive – it was very much exploratory by nature."

The growth of the industry is evident in the proliferation of news stories about hacking in the past few months.

In May, a group of hackers called DarkSide shut down the Colonial Pipeline, a critical US artery for the transport of fuel. The company paid a ransom of nearly $5 million in cryptocurrency to regain control of its systems.

DarkSide has since said it would disband, but it received more than $90m in Bitcoin from 47 victims, despite only being in operation since August, blockchain analytics company Elliptic said.

In 2019, another group of hackers hit technology company SolarWinds and gained access to the networks of several US government agencies and about 18,000 other clients. Its malicious software went undetected for nearly nine months.

Why your refrigerator could help a hacker

Cybersecurity Ventures predicted there would be a ransomware attack on businesses every 11 seconds by 2021, up from every 40 seconds in 2016.

Mr Webb said he agreed with that assessment because people had more web-enabled devices in their homes.

"In terms of sophistication on the attacking side, I think it'll get a lot worse before it gets better," he said.

"We haven't seen the security position harden from the manufacturing side, so a lot of these commodity devices are just as insecure as they were 10 years ago."

Cybercrime has certainly increased over the past 12 months, in part because millions of people have been working from home because of the pandemic.

Dubai Police registered 25,000 e-crimes last year, up from 14,000 in 2019.

As habits change, many people may choose not to return to offices full-time, leaving businesses playing catch-up on their remote cybersecurity efforts.

Some companies may need to restrict their online activity in the future to stay safe, Mr Webb said.

"Businesses, governments and individuals can really help protect themselves by reducing the attack surface that they have," he said.

"The less material that they have online, the smaller their websites, the less computers they have hooked up to the internet, the less the chances that there's going to be a way to get in."