[Interview] Konrad Jędrzejczyk, Credit Suisse: “We Now Have a Problem With Unsophisticated Cyber-Crime Being Profitable”

Konrad Jędrzejczyk defcamp 2018

Let’s get practical.
The best way to build your experience and expertise as an infosec pro is through practice. Many of the people within the DefCamp community, both speakers and even attendees, are self-taught specialists who’ve shaped their own education and even others’ along the way.
That’s why we believe you’re going to love Konrad Jędrzejczyk’s presentation at DefCamp!
He plans to show us how to obtain “clear text passwords to both home and corporate networks” with affordable equipment.
If it sounds right up your alley, then this interview with Konrad might be too!
Konrad has had the opportunity to work on some pretty exciting challenges as a Threat Detection Analyst at Credit Suisse. As an expert, he can help clarify some of the myths that circulate around Wi-Fi security and bring us closer to the real-life state of things.

I think the majority of technically savvy IT folks were interested in WiFi hacking at some point. The tools and methods are generally well described. However, without proper background and understanding of some maths and intelligence which is essential in forging proper masks, these attacks are not as successful as in YouTube demos.
Hence many assume that the entry level for practical attacks is mostly dependent on processing power which is not true in most of the cases.
As for regular users, ignorance is a blessing. Today’s entry level for using the computer is very different from the one we used on 8-bit machines. Contemporary users do not understand security nor do they care about it and because of them, we now have a problem with unsophisticated cyber-crime being profitable.
As a threat hunter, I think that this problem will only grow. Wi-Fi is only a small piece on a larger picture.

There’s no beating around the bush with Konrad. He likes to get straight to the point and his clear and knowledgeable remarks pinpoint the difference between perception and reality in data security from an end user’s perspective.

A fast lesson would be if someone feels that he or she has nothing to hide – I will take their credentials and be the judge of that.
I remember a case from several years ago when some reporter wanted to prove that disclosing some data like bank account number do not pose any threat. A few days later he found out that this bank account number was used to set up monthly standing orders for some charity.

As it turns out, the most powerful argument to help them change people’s minds about the value of their data is to let them experience a real-life attack. But that’s not the way we, as a community, would like that to happen.
Focusing on what we can do, here are two pieces of advice that are worth remembering from Konrad’s experience:

There are many things that need to be implemented properly. Wi-Fi is a layer that can be abused just like a physical one.
I think the most important tip would be for the corporate environment not to use open WiFi for employees’ laptops while transferring the security to endpoint clients or Kerberos servers.

Clearly, when it comes to Wi-Fi security and the educational effort around it, infosec needs all the help it can get. However, Konrad believes that the recent focus in legislation regarding data security haven’t amounted to much.

I think there will be no impact. Knowledge about Wi-Fi will not be taken into consideration nor will the fact that it is possible to track and identify a person just by network names his or her device stores and asks for. Some security features and practices will be marketed along with new WPA3 standard.

You may not be entirely ready for Konrad’s pragmatic perspective on the future of Wi-Fi security, but past experiences show that this is an angle that’s wise to consider.

I know that many will not agree with me now but we are talking about the global scale and not only IT folks.
The truth is that functionality is the drive and security is irrelevant, or, to be more precise, a false sense of security is good enough.
At some point, WPA2 was considered to be fairly secure and then the manufactures decided (on behalf of the customers) that inputting Wi-Fi passwords is too intellectually challenging, so they introduced WPS since it is easier to put some numbers than 8 char password…
We now live in times when to play with the computers you only need to push pictograms.
Very soon, with the introduction of VR for daily usage, the use of keyboard will be considered as something similar to writing a few pages on paper using a pen.
Endpoint key over NFC as a standard? – Maybe.
Weak passwords with simple hand gesture? – Most likely.

We feel like we’re just getting started to ask the DefCamp speakers everything we’d love to learn. If you’re experiencing the same levels of FOMO, there’s only one thing to do: meet us there!
This interview was made by Andra Zaharia. You can get in touch with her on LinkedIn or say hi on Twitter.
DefCamp is powered by Orange Romania and it’s organized by the Association “Research Center for Information Security in Romania” (CCSIR).
DefCamp 2018 is sponsored by Ixia, Keysight Business, SecureWorks and Intralinks as Platinum Partners and it’s supported by IPSX, Bit Sentinel, TAD Group, Enevo, Crowdstrike, CryptoCoin.pro, Siemens, Alef, UiPath, Atos and Kaspersky Lab.

    Related articles​

    Securing the cloud: insights on threats, ..

    BY Adina Harabagiu
    There is no mystery that everything nowadays has a digital component. A growing number of companies are ..

    Striking a balance between security updates, ..

    BY Adina Harabagiu
    The world of cybersecurity is fast paced, there’s no denying it. Innovation is constant and threats are ..

    Pentesting: a tool for empowering – not ..

    BY Adina Harabagiu
    You’ve likely caught wind of this rising tide – offensive security, pentesting, and #RedTeams are not ..