{"id":551,"date":"2018-05-10T00:00:06","date_gmt":"2018-05-10T00:00:06","guid":{"rendered":"http:\/\/bocchinfuso.net\/?p=551"},"modified":"2018-06-24T22:37:04","modified_gmt":"2018-06-24T22:37:04","slug":"fit-mgt5156-week-2","status":"publish","type":"post","link":"https:\/\/bocchinfuso.net\/index.php\/2018\/05\/10\/fit-mgt5156-week-2\/","title":{"rendered":"FIT &#8211; MGT5156 &#8211; Week 2"},"content":{"rendered":"<p><strong>Discussion Post<\/strong><\/p>\n<p><em>Discuss how an attacker looks at the system.<\/em><\/p>\n<p>Sorry for the late post, having too much fun at the ServiceNow Knowledge18 CreatorCon (ServiceNow, 2018) this week; heads down &#8220;hacking&#8221; some JavaScript and Groovy for the past three days and just coming up for air.<\/p>\n<p>What is a hacker? In the context of this class, at least thus far, a &#8220;hacker&#8221; is probably best defined as a person who uses computers to gain unauthorized access.<br \/>\nIn his 2004 essay \u201cThe Word \u2018Hacker\u2019,\u201d Paul Graham states that the word &#8220;&#8216;hacker&#8217; connotes mastery in the most literal sense: someone who can make a computer do what he wants\u2014whether the computer wants to or not.&#8221; I much prefer this definition.<\/p>\n<p>Before I begin to dig into this week&#8217;s post, I want to say how much I love Open Source and the community, but every now and again I am reminded how important vigilance is. Earlier this week, there was an article about a Python library called &#8220;ssh-decorate&#8221;; luckily I make extensive use of &#8220;Paramiko&#8221; (Paramiko, 2018) and not ssh-decorate, but I could have just as easily used the &#8220;ssh-decorate&#8221; library, and my ssh creds could be sitting on some server with a .cf domain. (Cimpanu, 2018)<br \/>\nOpen Source has created this model where people (developers like me) grab a library; they grab a Docker container, etc. from the community and they build and roll to production. 
The backdoors metastasize so quickly because a library like &#8220;ssh-decorate&#8221; is embedded into millions of applications.<\/p>\n<p>Before I get into the research on how an attacker looks at a system, let me say that I see a system as the best puzzle game on the planet, one that enraptures me. These puzzles can hold my attention for sleepless days fueled by heavy metal and coffee with the only goal being to solve the puzzle. I consider myself a hacker, a builder, a creator, a developer, an instigator and quite often an agitator. For as long as I can remember I loved taking things apart, learning how they work, making something new from something old and accessing systems which I had no explicit permission to access. I am obsessive (apparently a common trait) and I like to think of myself as a digital explorer and everything from RF hacking to hardware hacking interests me. It&#8217;s a great day when you&#8217;re sitting on your lawn and have control of your neighbor&#8217;s wirelessly controlled devices, like their garage door, car, etc. I like to think of myself as the neighborhood watch, teaching people about the danger that lurks around them. \ud83d\ude42<br \/>\nIf you have never seen an RF hack, this is a pretty good video:\u00a0<a href=\"https:\/\/www.youtube.com\/watch?v=oGfRAbJ0u0Y\">https:\/\/www.youtube.com\/watch?v=oGfRAbJ0u0Y<br \/>\n<\/a>Incredibly easy to execute with the right device, the HackRF One SDR (Software Defined Radio).<\/p>\n<p>Subjectively, I believe that hackers, regardless of motivation, look at systems like a puzzle. Regardless of objectives like financial gain, espionage, FIG (fun, ideology, and grudge), other (errors, glitches, etc.) (calyptix, 2018) I don&#8217;t believe a hacker can successfully execute unless their motivation is far more intrinsic, a motivation where the journey is far more interesting than the destination. 
A McAfee blog (McAfee, 2018) lists seven types of hacker motivations; I agree with these as the motivation for a hack, but I think the motivation of the hacker is far more ubiquitous and foundational. Deep down the separation between a whitehat hacker and blackhat hacker is not that great, one found a legal way to satiate their desire, and one is a bit more mischievous, but the underlying motivation is the same.<\/p>\n<p>In &#8220;Understanding the hacker psyche&#8221; Steve Gold states that early hackers were motivated by &#8220;beating the system&#8221;, the next generation of hackers became more destructive, and finally the 21st-century hacker, who became a cyber-criminal focused on financial gain. (Gold, 2011)<\/p>\n<p>&#8220;Hackers have a compulsion to analyze, to explore and to be curious to the point of obsession.&#8221; (Kropko, 2015) I agree! This quote conveys who hackers are, and they look at systems as the only puzzle capable of satiating their compulsion.<\/p>\n<p><strong>References<\/strong><\/p>\n<p>calyptix. (2018, March 19). What Motivates Hackers? Money, Secrets, and Fun. Retrieved March 09, 2018, from https:\/\/www.calyptix.com\/top-threats\/motivates-hackers-money-secrets-fun\/<\/p>\n<p>Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https:\/\/www.bleepingcomputer.com\/news\/security\/backdoored-python-library-caught-stealing-ssh-credentials\/<\/p>\n<p>Kropko, M. (2015, April 16). How Hackers Think: Researcher studies the hacker mind | think:blog. Retrieved from http:\/\/blog.case.edu\/think\/2015\/04\/16\/how_hackers_think_researcher_studies_the_hacker_mind<\/p>\n<p>Gold, S. (2011). Understanding the hacker psyche. Network Security, 2011(12), 15-17. doi:10.1016\/S1353-4858(11)70130-1<\/p>\n<p>Graham, P. (2004, April). The Word &#8220;Hacker&#8221;. Retrieved May 09, 2018, from http:\/\/www.paulgraham.com\/gba.html<\/p>\n<p>McAfee. (2018, March 16). 
7 Types of Hacker Motivations. Retrieved May 09, 2018, from https:\/\/securingtomorrow.mcafee.com\/consumer\/family-safety\/7-types-of-hacker-motivations\/<\/p>\n<p>Paramiko. (2018, April 19). Paramiko\/paramiko. Retrieved May 09, 2018, from https:\/\/github.com\/paramiko\/paramiko<\/p>\n<p>ServiceNow. (2018, March 09). Find Your Happy Place At Knowledge18. Retrieved from https:\/\/knowledge.servicenow.com\/sessions\/creator-con.html<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Discussion Response 1<\/strong><\/p>\n<p>I like how you framed the perspective\u00a0in which an attacker looks at\u00a0the system, by stating that &#8220;an attacker looks at the system through its most vulnerable entry point.&#8221;\u00a0 I think this was a tricky question because of the nuance between how someone\u00a0looks at something vs. how someone sees or perceives something.\u00a0 I think both perspective and what\u00a0the attacker\u00a0sees (perception) once the information is processed are critical details.\u00a0 I liked your opening because it got me thinking that different attackers will look at the system differently, their perspective and how they see the system will vary based on who they are.\u00a0 Some attackers may be more adept at social engineering while others prefer writing malware.\u00a0 Today we think about attackers as human beings, but this may not be the case in the future, as projects like Deephack (<a href=\"https:\/\/www.youtube.com\/watch?v=wbRx18VZlYA\">https:\/\/www.youtube.com\/watch?v=wbRx18VZlYA<\/a>) and other AI-driven\u00a0attack frameworks are adopted.\u00a0 With AI, the attacker likely looks at the target based on their motivation, like curiosity, criminal\u00a0activity, etc., and then just targets the AI-driven attack.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Discussion Response 2<\/strong><\/p>\n<p>I enjoyed reading your post. 
Do you think the primary motivation of attackers (aka hackers) is malicious intent?\u00a0 Or do we just tend to only hear about the attackers who have conducted malicious activity?\u00a0 I suppose the word attacker may imply a blackhat hacker with malicious intent, but I believe that the number of hackers who are more focused on curiosity\u00a0dwarfs the number of hackers with malicious intent.<\/p>\n<p>Maybe the answer here lies in not using the words attacker and hacker synonymously.\u00a0\u00a0Paul Graham&#8217;s 2004 essay\u00a0<a href=\"http:\/\/www.paulgraham.com\/gba.html\" target=\"_blank\" rel=\"noopener\">The Word &#8220;Hacker&#8221;<\/a>\u00a0is a great read.\u00a0 Great innovators have been called hackers, but they attacked nothing more than a problem no one else had or could solve.\u00a0 Steven Levy&#8217;s book\u00a0<a href=\"https:\/\/www.amazon.com\/Hackers-Computer-Revolution-Steven-Levy\/dp\/1449388396\" target=\"_blank\" rel=\"noopener\">&#8220;Hackers: Heroes of the Computer Revolution<\/a>&#8221; chronicles\u00a0hackers such as Bill Gates, Mark Zuckerberg, Richard Stallman and Steve Wozniak.\u00a0 OK, maybe Zuckerberg attacked our privacy. 
\ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Discussion Response 3<\/strong><\/p>\n<p>I liked your mention of pre-prod, unit and functional testing.\u00a0 Based on your description, it doesn&#8217;t sound like you are yet doing continuous delivery and blue-green deployments?\u00a0 You&#8217;ll enjoy this read:\u00a0\u00a0<a href=\"http:\/\/blog.christianposta.com\/deploy\/blue-green-deployments-a-b-testing-and-canary-releases\/\">http:\/\/blog.christianposta.com\/deploy\/blue-green-deployments-a-b-testing-and-canary-releases\/<br \/>\n<\/a><br \/>\nRegardless, when it comes to security in a world increasingly dominated by developers (&#8220;<a href=\"https:\/\/thenewkingmakers.com\/\" target=\"_blank\" rel=\"noopener\">The New Kingmakers<\/a>&#8221;, another great read) the vulnerabilities\u00a0are entering the system really early, like this week&#8217;s issue with the\u00a0ssh-decorate Python library: how many developers were leveraging that library, how many apps were impacted? A lot.<\/p>\n<p><strong>References<\/strong><\/p>\n<p>Cimpanu, C. (2018, May 09). Backdoored Python Library Caught Stealing SSH Credentials. Retrieved May 09, 2018, from https:\/\/www.bleepingcomputer.com\/news\/security\/backdoored-python-library-caught-stealing-ssh-credentials\/<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Discussion Response 4<\/strong><\/p>\n<p>Very interesting perspective.\u00a0 It would be interesting to contrast hacker demographics with drug lord demographics (e.g.,\u00a0Gary McKinnon vs. Pablo Escobar). I haven&#8217;t done the research, but I suspect a comparison of hackers and drug lords might reveal some motivations that might provide some insight into how the\u00a0wealth created through cybercrime might look different than the wealth created by the drug trade. It is my hypothesis that the primary motivations differ, curiosity being the hallmark of the hacker and survival being the hallmark of the drug lord, again I don&#8217;t have the data so just hypothesizing. 
With that said, there&#8217;s the case of Kim Dotcom and Mega, which supports your argument. \ud83d\ude42<br \/>\nKim Dotcom, The Good Life:\u00a0https:\/\/youtu.be\/oDiili2Gs-0<\/p>\n<p>Time will tell, it&#8217;s likely that the computing power and human intellect will deliver a combinatorial explosion of both good and evil.\u00a0 Let&#8217;s hope there&#8217;s more good than evil.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Discussion Response 5<\/strong><\/p>\n<p>Sharing &#8211; good read based on last week&#8217;s strong password discussion<br \/>\nHacker Kevin Mitnick shows how to bypass 2FA<\/p>\n<blockquote class=\"wp-embedded-content\" data-secret=\"xyq9JWHDLu\"><p><a href=\"https:\/\/techcrunch.com\/2018\/05\/10\/hacker-kevin-mitnick-shows-how-to-bypass-2fa\/\">Hacker Kevin Mitnick shows how to bypass 2FA<\/a><\/p><\/blockquote>\n<p>&nbsp;<\/p>\n<p><strong>Essay Assignment<\/strong><\/p>\n<p>What are the vulnerabilities in the boot process? 
What can an attacker exploit?<\/p>\n<p><a href=\"https:\/\/docs.google.com\/document\/d\/1BX5ki_Yx06w_OmGfr0WQIMywXShzeZ3ucf9C0x464AY\/preview?usp=drivesdk\">Bocchinfuso &#8211; FIT &#8211; MGT5156 &#8211; Week 2 &#8211; Assignment 1<\/a><\/p>\n<p>&nbsp;<\/p>\n<p><strong>Boot Process Module Assignment<\/strong><\/p>\n<p><a href=\"https:\/\/docs.google.com\/document\/d\/1RAwapIthRL__Pv_dglQmq-4kKvJymzoAbN5PS-j3mYs\/preview?usp=drivesdk\">Bocchinfuso &#8211; FIT &#8211; MGT5156 &#8211; Week 2 &#8211; Assignment 2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Discussion Post Discuss how an attacker looks at the system. Sorry for the late post, having too much fun at the ServiceNow Knowledge18 CreatorCon (ServiceNow, 2018) this week; heads down &#8220;hacking&#8221; some Javascript and Groovy for the past three days and just coming up for air. What is a hacker? 
In the context of this [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":37,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,12,2],"tags":[],"_links":{"self":[{"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/posts\/551"}],"collection":[{"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/comments?post=551"}],"version-history":[{"count":4,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/posts\/551\/revisions"}],"predecessor-version":[{"id":581,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/posts\/551\/revisions\/581"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/media\/37"}],"wp:attachment":[{"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/media?parent=551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/categories?post=551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bocchinfuso.net\/index.php\/wp-json\/wp\/v2\/tags?post=551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}