



Time to destroy the hacker’s ballistic missile

Oct 17, 2016 | 4 mins
Cyberattacks, Cybercrime, Internet Security

Which of the world's 7.5 billion people really clicked 'Send'? Anonymous email is a devastatingly effective delivery system for malware, and the time has come to leave the 1970s behind and move on to a 21st-century messaging standard.


Welcome to Enemy at the Gates!

This inaugural post and those that follow will use real-world and hypothetical cybercrime, cyber-espionage, and cyber-terrorism examples to comprehensively explore this question:

What is the true real-world identity of the living, breathing human being standing at the intranet or internet gate and is that living, breathing human being an enemy or a friend?

The goals are to offer the reader different ways of thinking about how vulnerabilities are exploited by criminal, nation-state, and terrorist hackers and, more importantly, suggest paths forward to effective solutions.

Through many years of studying the cyber identity problem, I’ve noticed that cybersecurity discussions often focus on identity verification technologies and techniques in a context disconnected from the living, breathing human being standing behind passwords, multi-factor authentication procedures, and even biometric measures.  

Most serious cyber breaches start with an anonymous living, breathing bad actor sending a malware-laden email to a target company employee. Just this month, the cybersecurity company Symantec announced that a second group of hackers targeted banks that use the SWIFT global financial transfer system. The report suggests the attackers used phishing emails containing malicious file attachments to deliver malware payloads into their target banks’ computer networks. To illustrate the seriousness of this incident, the first group of SWIFT hackers successfully stole $81 million from the Bangladesh Central Bank.

The criminal hackers involved in the more recent attack may have used simple email phishing, where they had only general knowledge of the banks’ operations, or spearphishing, where they may have used social engineering techniques to gather specific information about bank employees to design a very convincing email. Certainly the focus of investigators is finding an answer to this question: “Which of the world’s 7.5 billion living, breathing human beings really clicked ‘send’?”

Email is the cyber equivalent of a ballistic missile carrying a nuclear warhead and is a devastatingly effective hacker tool. Consider that the human being sending the email can be anyone, operating from any location, and the email server receiving the phishing or spearphishing email has no authentication mechanism available to it. The email technology in widespread use does not, as part of the protocol, demand that senders identify themselves in any context, much less a real-world one.

But none of this is new. The vulnerabilities baked into conventional email technology are well known. The amazing thing is that newer, more secure messaging systems haven’t yet killed it off.

Setting aside the question of why email is still around, we can conclude that hackers will always have the advantage as long as 40+ year-old conventional email technology remains in widespread use. The only effective solution is to adopt a top-to-bottom replacement for conventional email messaging. Critically, any such replacement must comprehensively address the anonymity problem.

It will be a very long and difficult process, but the way forward is a focused, coordinated effort involving government standards agencies, legislatures, private companies, and cyber insurance providers. Government standards agencies such as the National Institute of Standards and Technology (NIST) should strongly promote security-focused guidelines for email replacement technologies; legislatures can use tax credits to encourage faster adoption of new messaging systems; insurance companies can use cyber policy rates to further boost the economic benefits of change.

Large businesses may hold the key to quicker adoption of new messaging technologies by using their size and economic influence to incentivize supply chains to adopt secure messaging technologies for business-to-business communication. Such action on the part of coalitions of large businesses can accelerate the successful retirement of SMTP email messaging throughout the broader economy since employees will become familiar with messaging alternatives and begin to use them when not at work.


Pushback from those who say this task is too difficult, expensive, or disruptive must be challenged with the unarguable fact that current email technology cannot be made secure and hackers are a very determined species.

Until email replacements are widely adopted, and before focusing exclusively on the relative merits of anti-malware systems and other technologies designed to deal with attacks after the phishing email attachment is opened, security professionals should always ask: ‘Who are the living, breathing human beings sending emails to my company’s employees? Are they friends or enemies at the gate?’


Jim Thackston is a computer security and engineering consultant based in Tampa Bay, Florida with more than 25 years of experience in software architecture, software engineering, network security, and cybercrime detection and mitigation.

In 2005, Jim set out to understand one of the most difficult problems facing the internet economy: online identity verification. Over the past 11 years, he has studied the problem from every perspective, focusing initially on the problem of knowing who is really ‘sitting’ at an online poker table.

To prove the weaknesses in poker identity verification, he built a full-featured system demonstrating how internet poker could be used to launder money in a way that is virtually undetectable. A briefing to senior FBI officials in May 2013 led to a July 2013 US Senate hearing on the money laundering threat posed by internet gambling. In December 2013, Jim submitted testimony to the US House of Representatives Energy and Commerce Committee, Subcommittee on Commerce, Manufacturing, and Trade.

Jim took the insights gained from the intensive online gambling study and applied them to the much more expansive problem of online identity verification in all internet and intranet activity. He has studied the problem as it relates to corporate and government intranets, online banking, and cryptocurrencies and other blockchain applications.

Jim is the inventor of record for a number of patents important to cloud computing, manufacturing, renewable energy, and computer security. Most notable are 2 patents that anticipated aspects of cloud computing by 10 years.

His computer security expertise is reinforced by academic and career achievements.

In 1989, Jim graduated from the University of South Florida with a Bachelor of Science degree in mechanical engineering. After college, he served in the 101st Airborne Division and served in Saudi Arabia and Iraq during operations Desert Shield and Desert Storm.

After leaving active duty, Jim earned a Master of Science degree in aerospace engineering from the Georgia Institute of Technology. While attending Georgia Tech, Jim interned as a turbomachinery engineer in the Propulsion Laboratory at NASA’s Marshall Space Flight Center. He continued as a full-time engineer after his studies at Georgia Tech concluded in 1994. While at Marshall, he designed turbine components for both experimental and non-experimental liquid oxygen and kerosene fuel turbopumps.

It was during his NASA service that Jim became a skilled software engineer. He applied these skills at Eglin Air Force Base helping build a combat mission planning system used by the US Air Force and other US military services.

Jim has worked as a consultant ever since, designing and building software systems in the manufacturing, energy, telecommunications, financial, and government sectors.

The opinions expressed in this blog are those of Jim Thackston and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.