Seventeen years ago, most of us geeked out over what we consider tech fossils today, like tiny PDA devices. Fifteen-year-old Michael Calce, however, wasn’t your typical teen with a dial-up connection. As his age-group peers typed “POS” (an abbreviation of “parent over shoulder”) into AOL Instant Messenger, Calce assumed the online identity of MafiaBoy and took down the internet. He became a pioneer of the mass distributed denial-of-service (DDoS) attack, targeting some of the largest companies in the world. All in a day’s work, right?
Self-described as a “bratty kid,” Calce received his first PC at age six as a source of weekend entertainment. By 2012, MafiaBoy was a media sensation and described as the most notorious hacker to date. Today, Calce has a firmly white-hat position as a world-renowned security expert and head of a consulting and testing firm.
While his days of crime are long gone and buried in the past, Calce’s “hacker mindset” allows him to see information security a little differently than your average CISSP-certified tech pro. In an exclusive interview, the tech prodigy spoke passionately about information threats today and how IT should prepare.
Why a kid from Montreal decided to break the internet
For the 15-year-old Calce, Project Rivolta started out as a technical experiment to test the limits of massive DDoS attacks. While the concept of DDoS attacks existed, nothing on a large scale could enable a multi-target attack. His experiment proved a successful tool in an ongoing “hacker war,” and Calce programmed an attack that leveraged hundreds of university networks. He recalls, “When I saw the other hackers respond, I started to claim responsibility, because I wanted people to be scared of me. Obviously, I ended up disappearing and getting caught four months later.”
The evolution of hacking
When asked how the average modern hacker stacks up against the past, Calce points to monetization. In 2000, hackers experimented with new technology just to test its limits, while today’s hackers buy and sell services in a for-profit industry. The dark web, for instance, has transformed into a uniquely terrifying and dangerous beast—it serves as a marketplace for zero-day malware that’s released before software vendors have a chance to release a patch. Calce says these underground marketplaces offer malware sales in the six-figure range, likely due to the fact that “zero-day exploits are the most effective way of breaching an organization.”
Today’s tech created a hacker’s paradise
In 2000, the average hacker worked with fewer resources. “Today, you can Google anything,” Calce says. “I could only dream of having today’s technology at my disposal. I had to piece together my arsenal. I had to learn how to program certain things; I had to make connections with other hackers.”
Today, information is served up on a silver platter. Calce even admits he could theoretically teach any IT pro how to start hacking in 30 minutes. In other words, modern IT pros are fighting crime in a world where it’s easy to profit off crimes without even writing the code yourself. When you combine ease of entry with monetization, you’ve created a hacker’s paradise, which, according to MafiaBoy, “is the most dangerous element today.”
Coming up next in cybercrime
“I like to stay on top of things,” Calce says when asked if he keeps up with hackers. To clarify, he’s not acquainted with any notorious hackers. Instead, MafiaBoy keeps some “loose ends” on the smartest criminal minds. “I want to know the people who are actually writing the exploits. I see what the latest trends are and what they’re focusing on. It’s essential as a security professional to know what your opponent is doing, before they’re doing it.”
What’s next? Calce believes cloud hacks are tomorrow’s greatest threat. “There’s so much data stored in the cloud. If you breach the cloud, you’re basically breaching a basket full of eggs. I can tell you firsthand cloud is really where hackers are focusing right now.”
Where IT pros go wrong
Calce’s security consultancy focuses on penetration testing, a “real-world ethical hack.” By simulating criminal efforts to breach a network, Calce sees knowledge and resources as two areas where companies are going wrong.
“They’re not really looking at different endpoints—for instance, a printer. They look at it as an output device that strictly prints documents.” Calce quickly rattled off just why your printer is a lot scarier than you think. “With 240 functions, it’s an operating system. IT isn’t paying enough attention to these devices, especially considering there’s often one printer per 10 employees,” he says.
Simple web searches can reveal millions of connected devices, including printers with ports that are known to be breached. Calce acknowledges many IT pros aren’t even aware of some vendors’ out-of-the-box risk, saying companies he tests “had no idea the printer was essentially a gaping hole” in their security. Unless your printers have built-in security, they’re a major vulnerability.
The scariest security risks
What should keep you up at night? Calce believes one of the scariest evolutions in information crime is state-sponsored or state-prompted hacking attacks, which he describes as warfare. In short, criminal hacking is typically designed to hit as many targets as possible to cause maximum damage, while state-prompted hackers designate a specific target, such as a large organization or high-value target, and dedicate their time and effort to finding an entry point.
“You can cripple a nation through technology,” he says. “It’s getting scary.” A hacker could use national technology infrastructure, like energy grids, to cause serious damage. Calce believes hacker groups are already gearing up and that, in full-blown war, malware has the potential to be “more effective than bullets.”
The tides are slowly turning
From Calce’s perspective, security isn’t taken seriously enough. “Huge companies are getting breached all the time,” he says. “Why are they not allocating the necessary budget to protect themselves?” Calce is realistic about IT’s limitations and advises firms to “hire a third-party company to give you an assessment of critical to low-level vulnerabilities” at least yearly.
When it comes to information security, Calce says, “There’s a lot of things you might not be thinking about.” We’ll count ourselves lucky to have this former “notorious hacker” thinking about what’s next and, most importantly, how to fight it.