Instead of landing a new client, a cybersecurity expert may land in jail after he hacked into two computer networks. Nicholas Michael Kloster of Kansas City, MO, was indicted by a federal grand jury this month for breaching the computer systems at an area nonprofit and a health club business.
In what sounds like something straight from a movie or TV show, Kloster sought to win new business for his cybersecurity services by exploiting the vulnerabilities he was alleged to have found.
The self-employed security expert was charged with one count of accessing a protected computer without authorization and obtaining information. Kloster had allegedly entered the premises of the health club operator after hours, and the next day sent an email to one of the owners, claiming he had gained access to the computer system.
The Missouri man also allegedly entered the premises of the nonprofit and accessed a computer in an area not available to the public. He was able to hack into the computer network via a boot disk, bypassing password requirements.
While the U.S. Department of Justice noted that the charges in the indictment are “simply accusations, and not evidence of guilt,” if he is found guilty, Kloster could face up to 15 years in jail – five years for authorized access and 10 years for reckless damages – in addition, he faces fines and will need to pay restitution to the victims for financial losses.
Don’t Try This EVER!
The guerrilla pitch for clients is about as ill-conceived as it sounds. Though it is true that some infamous hackers, notably the late Kevin Mitnick, have gained fame from some more nefarious computer exploits – few hackers are likely to find favor with clients from such antics today.
Mitnick only launched his consulting services after spending time in prison, and Kloster is now likely to end up serving time and shouldn’t expect to be nearly as successful in landing potential clients.
“The only kind of job you’ll get with this tactic is one inside a prison,” warned Willy Leichter, chief marketing officer at application security and vulnerability management firm AppSOC.
The hacking is essentially digital breaking and entering.
“If a store accidentally left a door unlocked, that does not make it legal to go inside, wander around, and look at people’s private information,” Leichter told ClearanceJobs and suggested that this is the worst possible way to pitch services to a potential client.
“If you discover weaknesses in an organization’s security, there are plenty of legal ways to report this and demonstrate your expertise,” Leichter continued. “But what this person did is not much better than a ransomware attack.”
Bad Way To Show Those Cyber Skills
There are plenty of options today to show one’s cybersecurity knowledge and that includes taking part in bug bounties and hackathons. Instead, what this cyber professional attempted was to offer his own hackathon on the health club and nonprofit.
If Kloster was hoping to build a reputation he may have accomplished his mission, but likely not as expected. Former NSA Cybersecurity Expert Evan Dornbush told ClearanceJobs that anyone pulling such a stunt likely won’t be seen as someone who has good judgment.
“The cybersecurity community is very small and breaking the law to get attention doesn’t seem like the most prudent path to building the trust required to be effective in the industry,” explained Dornbush.
“Ironically, this particular job seeker probably had all the necessary pieces to put together a compelling job application without resorting to criminal acts,” Dornbush added. “He was able to map a network from the outside and determine vulnerabilities.”
He should have pitched his talents through more legitimate channels.
“Even if the health club or nonprofit weren’t hiring, he could have potentially found a competing firm that was hiring,” said Dornbush, “and legally used select portions of the same research to showcase knowledge, skills, and ability.”
