What does a hacker look like? Is he (or maybe she) a scary, faceless hoody-wearing figure who furtively lurks in dark corners or sits hunched over a laptop sporting an itchy balaclava and a pair of gloves? These Hollywood stereotypes couldn’t be further from the truth, especially where Peter Bassill, CEO of Hedgehog Security is concerned, although he does seem to be wearing a black T-shirt with PORT SCANNING IS NOT A CRIME emblazoned on it in white print.
This is apparently a reference to network port scanners and the fact that in some states and countries, the action of actively probing a network may be illegal. “My best work is done in a three piece suit,” he says. “If I want to walk in somewhere and I look like I belong, sound like I belong and act like I belong, then no-one questions you.”
Cyber security expert Peter Bassill is definitely a good guy though and not one of his devious counterparts. There are many terms for legitimate hackers, White Hat Hackers and Ethical Hackers being two of them, and Peter is justifiably proud of his published ethics policy. “If you ask me to do something illegal, one of two things will to happen,” he explains. “First of all I am probably going to put the phone down on you, or if I am in a particularly antagonistic mood and I get lots of information out of you, then I am going to report you to the National Cyber Crime Unit.”
Pete is ‘Hacker in Chief’ at Hedgehog, a company that he formed in 2010 in the UK and to which he added a Gibraltar office base in November last year. Having ‘been dragged up all over the world’ with a Dad who was in the air force, Pete then joined the Royal Anglians at the age of eighteen.
Since he was knee high Pete admits to always having: “this thing with computers, they make sense to me”. He goes on to say that there are a lot of people in cyber security, especially in the penetration testing world, whose minds aren’t wired in the same way as the general populous. “We are all a little bit weird in different ways,” he says. “I am letters dyslexic but I see patterns in numbers.”
After his time in the services and getting involved in what he calls ‘some crazy things’, Pete says that he needed a year out. “I ran a diving ship, The Caribbean Explorer 2, for a year just to get some head space and that was a wonderful experience.” Realising the hospitality industry was not where he was destined to be, Pete came to Gibraltar in 2001.
“This came about because in a job interview I foolishly said that I could be anywhere in the world tomorrow, so they said ‘OK, you start in Gibraltar on Monday’.” Pete’s career in the security world began when he came to work for Victor Chandler. He carried on to EuroBet and then to Coral (when they bought EuroBet), eventually becoming Chief Information Security Officer for Gala which saw him back in the UK working out of the Woking and Nottingham offices.
“I used to find any excuse to get down to Gibraltar,” Pete says and then relates how he was sitting around with some old army buddies on one of those occasions, moaning about the British weather, and the decision was made: “Let’s go to Gibraltar.”
Realising that nobody else in Gibraltar was doing the kind of cyber security work that Hedgehog was undertaking elsewhere, Pete saw a gap to set up here. “We had done work with the Gibraltar University, the Gibraltar Bank, as well as with a Gibraltar based Law Firm, and it was at a time when the Gibraltar Government was saying that they wanted to reinforce the importance of cyber security.”
The Hedgehog Security Gibraltar office was set up in November 2016 and Pete and his wife Issy now spend fifty per cent of their time here and the other half in the UK where they have a home in the Peak District.
It was Issy who originally came up with the name Hedgehog. “The unofficial strapline is something that I would like to use but can’t,” he says, going on to paraphrase the reasoning behind the name. “Hedgehogs are small, cute and cuddly but if you annoy them they are really prickly – and they also keep the ‘idiots’ on the outside.”
Although Pete describes Hedgehog as the smallest cyber security boutique company, they undertake work all around the world.
“Our client base is phenomenal,” Pete says proudly. “We undertake work for the largest reinsurance firm in Japan – Tokyo Marine – as well as Formula 1 teams and airlines, but we just happen to be headquartered in Gibraltar.”
Hedgehog is now looking at the local market and identifying potential clients who they want to talk to. “It’s a case of recognising who is feeling the pain or who is likely to get targeted by cyber activists, by hacking groups or by foreign governments, and then helping them to bring their level of security up,” Pete explains.
The online gambling industry has been a target for cyber criminals for many years and with an increasing number of Gibraltar based operators, Pete knows the risks involved if the right security levels are not in place.
“Companies may have cyber security in place, but do they get it independently verified?” he comments. “We were doing a security review, a penetration test, for a large gambling company here and we found a hole in one of the systems that would allow us to put a key logger on any of the appliance machines.” With cyber-criminal methods becoming even more sophisticated, Pete knows that it is too easy to let in-house procedures lapse. “In that particular instance the software should have been tested annually, but we detected a bug going back a good four years that no-one had found before,” he states.
Cyber security events can negatively impact a business and Hedgehog is seeing an increase in interest from merger and acquisition companies who want to know if a company is really worth the investment. “That is another side of what we do,” he confirms. “We have been asked to investigate a particular entity; see how secure it is, how people hack it and discover whether the intellectual property has been stolen.”
There are many types of cyber-crime and Pete outlines the most common cyber adversaries that he believes people should be aware of. “I always ask a client who they want to protect themselves against,” he states. “If you want to protect against a hacking group, a collective of people that download scripts and run them, then you have got quite a low value to get over. If you want to protect yourself against people that have got a genuine passion for what they are doing, ‘the hacktivists’, then they are generally quite clued up people with a lot of time but without a budget.” He goes on to mention the targeted hacking groups and the organised crime groups, those with a bigger budget, time and a higher level of sophistication. Then it goes up to Government level, where hackers can be motivated by economic, political, and military advantages.
“I often ask clients whether they want to defend against me, which makes them think when I tell them that their first problem is that I have walked through their front door,” he smiles as he says this, continuing “or is it as simple as you want to defend against the auditor that is coming in to write up an audit report on you?” If a client wants that we then put our audit hat on and we take the standard that you are planning an audit against and we really throw the book at you, we audit it with a lot of zeal and it gives the client a whole different perspective.”
Apparently, computer hackers also love picking locks and often utilise penetration testing exercises using a combination of digital and physical skills, including lock picking, to test the security of a facility. In response to the question ‘what has lock picking got to do with cyber security?’ Pete says: “Basically all you are doing is you are exploiting a weakness in the design and that is all cyber security does.” This is where Pete’s resemblance to a Hollywood stereotype in the guise of Tom Cruise in a Mission Impossible film comes into play as he unpacks his rucksack revealing the contents one by one.
“You never know when you are going to find a padlock that needs to be opened,” he says pulling out a case of lock picks, swiftly followed by his laptop and a USB key. “This looks like a USB in every way, but if I take it apart,” he says demonstrating how easily it can be done, “inside is a little micro-computer with a 32 gig storage card in it.”
Pete explains how all he has to do is walk into a business, plug the device into a USB port (where it will then attempt to work out what the keyboard could be and subsequently pretend to be the keyboard or mouse), at which point the computer will talk to it, eventually giving him access to all the systems, enabling him to steal whatever he wants. “Hollywood really mirrors us,” he says, “it is where they get all their ideas from.”
Admitting that he is an eight year old boy in an adult’s body, Pete bubbles over with enthusiasm as he talks about the rest of his kit, ranging from innocuous iPhones, “if I plug this into a computer it is going to start charging itself but it is also going to catalogue your computer for all your office files and copy them to the phone” to BlackBerrys. “Firms have white listed BlackBerrys because they can charge off computers, which is great, so now I can go and plug my BlackBerry in and not only will it start charging but it will also do something malicious in the background, dragging files down.” It’s not all risk free though. “I have looked down the wrong end of MP5’s a few times,” he states.
“I don’t mind getting arrested, and on certain engagements that is the correct response.” Pete explains how he and his colleagues carry ‘get out of jail free’ letters on a company’s headed paper signed by the stakeholder. “I have a massive amount of respect for the police, but there are times when a Taser has been pointed at me and I let the officer to arrest me and take me down to the station so that we can deal with the desk sergeant, it’s safer.”
Nor is it all digital security for Hedgehog, with technical security being by far the biggest issue; looking at web applications, people’s websites, and digital infrastructure. “Cyber security is really a buzz word,” Pete states, “but it is 70% people, 20% process, 10% technology – so I can carry out a purely digital cyber-attack but if I really want to employ a good attack, and humans are still the weakest point, I am going to target people electronically.”
The success of Hedgehog has given Pete an opportunity to pursue his passion for motor racing, one which he has instilled in his employees as well and there is now a Hedgehog team racing GT Sports with MX-5’s. “Everyone in Hedgehog is family to me so although we all work ridiculously hard and long hours, occasionally we go and do something really crazy and off-the-wall,” he says. “The only thing that I struggle with in Gibraltar is that there is no race circuit here.”
Starting off in the Monoposto series, Pete moved on to race in Formula Ford and Formula 3 and has locked horns with Lewis Hamilton and Damon Hill. “Racing is fun,” he exclaims, “and Lewis Hamilton just happened to be bombing round the same circuit as me. We had some really close races.”
Then, just like a Tom Cruise character, there’s the time Pete attempted to steal a 747 from an airfield, all in the name of penetration testing of course!
“The entire premise was how far into an airfield could you get and then to see if we could actually steal a plane,” he says. “That took eight weeks of research and three weeks of doing the job which is above and beyond what we typically do in cyber security, but we proved that stricter security measures needed to be implemented.”
Looking to the next five or ten years, Pete thinks that cyber criminals are going to be carrying out the same sort of attacks as at present but that they are going to get increasingly clever at doing so. “You have got cyber-crime and then you have got cyber enabled crime,” he explains, “and people are finding new and improved ways of doing it, especially with the rise of internet connected devices.”
His advice is that if people aren’t patching their machines and maintaining good levels of personal security for their own devices, there could be carnage with an increase in lost data.
Pete is now taking Hedgehog forward to the next level and the company is recruiting for local office staff in Gibraltar. “I am really excited about it,” he says.