Discussion Post
Discuss how an attacker looks at the system.
Sorry for the late post, having too much fun at the ServiceNow Knowledge18 CreatorCon (ServiceNow, 2018) this week; heads down “hacking” some Javascript and Groovy for the past three days and just coming up for air.
What is a hacker? In the context of this class, at least thus far a “hacker” is probably best defined as a person who uses computers to gain unauthorized access.
In his 2004 essay “The Word ‘Hacker’,” Paul Graham states that the word “‘hacker’ connotes mastery in the most literal sense: someone who can make a computer do what he wants—whether the computer wants to or not.” I much prefer this definition.
Before I begin to dig into this weeks post, I want to say how much I love Open Source and the community, but every now and again I am reminded how important vigilance is. Earlier this week, there was an article about a Python library called “ssh-decorate” luckily I make extensive use of “Paramiko” (Paramiko, 2018) and not ssh-decorate, but I could have just as easily used the “ssh-decorate” library, and my ssh creds could be sitting on some server with a .cf domain. (Cimpanu, 2018)
Open Source has created this model where people (developers like me) grab a library; they grab a Docker container, etc. from the community and they build and roll to production. The backdoors metastasize so quickly because a library like “ssh-decorate” is embedded into millions of applications.
Before I get into the research on how an attacker looks at a system, let me say that I see a system like as the best puzzle game on the planet, one that enraptures me. These puzzles can hold my attention for sleepless days fueled by heavy metal and coffee with the only goal being to solve the puzzle. I consider myself a hacker, a builder, a creator, a developer, an instigator and quite often an agitator. For as long as I can remember I loved taking things apart, learning how they work, making something new from something old and accessing systems which I had no explicit permission to access. I am obsessive (apparently a common trait) and I like to think of myself as a digital explorer and everything from RF hacking to hardware hacking interests me. It’s a great day when you’re sitting on your lawn and have control of your neighbor’s wirelessly controlled devices, like their garage door, car, etc. I like to think of myself as the neighborhood watch, teaching people about the danger that lurks around them. 🙂
If you have never seen an RF hack this is a pretty good video: https://www.youtube.com/watch?v=oGfRAbJ0u0Y
Incredibly easy to execute with the right device, the HackRF One SDR (Software Defined Radio).
Subjectively I believe that hackers regardless of motivation look at systems like a puzzle. Regardless of objectives like financial gain, espionage, FIG (fun, ideology, and grudge), other (errors, glitches, etc.) (calyptix, 2018) I don’t believe a hacker can successfully execute unless their motivation is far more intrinsic, a motivation where the journey is far more interesting than the destination. A McAfee blog (McAfee, 2018) lists seven types of hacker motivations, I agree with these as the motivation for a hack, but I think the motivation of the hacker is far more ubiquitous and foundational. Deep down the separation between a whitehat hacker and blackhat hacker is not that great, one found a legal way to satiate their desire, and one is a bit more mischevious, but the underlying motivation is the same.
In “Understanding the hacker psyche” Steve Gold states that early hackers were motivated by “beating the system”, the next generation of hackers become more destructive and finally the 21st hacker who became cyber-criminals looking for focused on financial gain. (Gold, 2011)
“Hackers have a compulsion to analyze, to explore and to be curious to the point of obsession.” (Kropko, 2015) I agree! This quote conveys who hackers are, and they look at systems as the only puzzle capable of satiating their compulsion.
References
calyptix. (2018, March 19). What Motivates Hackers? Money, Secrets, and Fun. Retrieved March 09, 2018, from https://www.calyptix.com/top-threats/motivates-hackers-money-secrets-fun/
Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/
Kropko, M. (2015, April 16). How Hackers Think: Researcher studies the hacker mind | think:blog. Retrieved from http://blog.case.edu/think/2015/04/16/how_hackers_think_researcher_studies_the_hacker_mind
Gold, S. (2011). Understanding the hacker psyche. Network Security, 2011(12), 15-17. doi:10.1016/S1353-4858(11)70130-1
Graham, P. (2004, April). The Word “Hacker”. Retrieved May 09, 2018, from http://www.paulgraham.com/gba.html
McAfee. (2018, March 16). 7 Types of Hacker Motivations. Retrieved May 09, 2018, from https://securingtomorrow.mcafee.com/consumer/family-safety/7-types-of-hacker-motivations/
Paramiko. (2018, April 19). Paramiko/paramiko. Retrieved May 09, 2018, from https://github.com/paramiko/paramiko
ServiceNow. (2018, March 09). Find Your Happy Place At Knowledge18. Retrieved from https://knowledge.servicenow.com/sessions/creator-con.html
Discussion Response 1
I like how you framed the perspective in which an attacker looks at the system, by stating that “an attacker looks at the system through its most vulnerable entry point.” I think this was a tricky question because of the nuance between how someone looks at something vs. how some sees or perceives something. I think both perspective and what attacker sees (perception) once the information is processed is are critical details. I liked your opening because it got me thinking that different attackers will look at the system differently, their perspective and how they see the system will vary based on who they are. Some attackers may be more adept at social engineering while others prefer writing malware. Today we think about attackers as human beings, but this may not be the case in the future, with projects like Deephack (https://www.youtube.com/watch?v=wbRx18VZlYA) and other AI-driven attacks frameworks are adopted. WIth AI the attacker likely looks at the target based on their motivation, like curiosity, criminal activity, etc… and then just targets the AI-driven attack.
Discussion Response 2
I enjoyed reading your post. Do you think the primary motivation of attackers (aka hackers) is malicious intent? Or do we just tend to only hear about the attackers who have conducted malicious activity? I suppose the word attacker may imply a blackhat hacker with malicious intent, but I believe that the number of hackers who are more focused on curiosity dwarf the number of hackers with malicious intent.
Maybe the answer here lies in not using the words attacker and hacker synonymously. Paul Graham’s 2004 essay The Word “Haker” is a great read. Great innovators have been called hackers, but they attacked nothing more than a problem no one else had or could solve. Steven Levy’s book “Hackers: Heroes of the Computer Revolution” chronicles hackers such as Bill Gates, Mark Zuckerberg, Richard Stallman and Steve Wozniak. OK, maybe Zuckerberg attacked our privacy. 🙂
Discussion Response 3
I liked your mention of pre-prod, unit and functional testing. Based on your description doesn’t sound like you are yet doing continuous delivery and blue-green deployments? You’ll enjoy this read: http://blog.christianposta.com/deploy/blue-green-deployments-a-b-testing-and-canary-releases/
Regardless, when it comes to security in a world increasingly dominated by developers (“The New Kingmakers“, another great read) the vulnerabilities are entering the system really early, like this weeks issue you with the ssh-decorate Python library, how many developers were leveraging that library, how many apps were impacted, a lot.
References
Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https://www.bleepingcomputer.com/news/security/backdoored-python-library-caught-stealing-ssh-credentials/
Discussion Response 4
Very interesting perspective. It would be interesting to contrast hacker demographics with drug lord demographics (E.g. – Gary McKinnon vs. Pablo Escobar). I haven’t done the research, but I suspect a comparison of hackers and drug lords night reveal some motivations that might provide some insight into how the wealth created through cybercrime might look different than the wealth created by the drug trade. It is my hypothesis that the primary motivations differ, curiosity being the hallmark of the hacker and survival being the hallmark of the drug lord, again I don’t have the data so just hypothesizing. With that said there’s the case of Kim Dotcom and Mega, which supports your argument. 🙂
Kim Dotcom, The Good Life: https://youtu.be/oDiili2Gs-0
Time will tell, it’s likely that the computing power and human intellect will deliver a combinatorial explosion of both good and evil. Let’s hope there’s more good than evil.
Discussion Response 5
Sharing – good read based on last weeks strong password discussion
Hacker Kevin Mitnick shows how to bypass 2FA
Essay Assignment
What are the vulnerabilities in the boot process? What can an attacker exploit?
[google-drive-embed url=”https://docs.google.com/document/d/1BX5ki_Yx06w_OmGfr0WQIMywXShzeZ3ucf9C0x464AY/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 2 – Assignment 1″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]
Boot Process Module Assignment
[google-drive-embed url=”https://docs.google.com/document/d/1RAwapIthRL__Pv_dglQmq-4kKvJymzoAbN5PS-j3mYs/preview?usp=drivesdk” title=”Bocchinfuso – FIT – MGT5156 – Week 2 – Assignment 2″ icon=”https://drive-thirdparty.googleusercontent.com/16/type/application/vnd.google-apps.document” width=”100%” height=”400″ style=”embed”]