Cybersecurity Expert Answers Hacking Questions From Twitter | Tech Support | WIRED
Summary
TLDR: In 'Hacking Support,' Amanda Rousseau, aka @malwareunicorn, tackles common cybersecurity questions with wit and expertise. She dispels myths about hackers' omniscience, explains the roles of white, black, and gray hat hackers, and offers advice for aspiring pen testers. Rousseau also addresses malware trends, the motivations behind hacking, and the importance of security in IoT devices. With a blend of humor and insight, she provides a unique perspective on the ever-evolving world of cybersecurity.
Takeaways
- Passwords remain essential for protecting personal information online, despite the common belief that hackers know everything about us.
- The terms 'white hat' and 'black hat' describe the intentions of hackers, with white hats working for good and black hats being cyber-criminals. 'Gray hats' operate in a moral gray area.
- Becoming a penetration tester involves learning through courses, workshops, events, and finding mentors within the cybersecurity field.
- Malware primarily targets money, with victims often being collateral damage in a broader attack strategy.
- Malware trends evolve like fashion, with different types emerging periodically and security professionals needing to stay updated.
- Hackers target individuals or organizations for various reasons, including financial gain, reputation, information, or destruction.
- The complexity of student loan aid login processes is to deter hackers from accessing and manipulating accounts, not to assist them.
- Bot accounts on social media perform 'account aging' to avoid detection by simulating legitimate user behavior.
- IoT devices often have security as an afterthought, leading to ongoing vulnerabilities that hackers can exploit.
- Debugging is a skill best learned through hands-on experience and practice, similar to learning to ride a bike.
- A background in graphic design can enhance the ability to communicate complex cybersecurity concepts visually.
- The portrayal of hackers in stock images as wearing ski masks and hoodies is a stereotype that doesn't reflect the reality of the profession.
Q & A
What is Amanda Rousseau's profession and Twitter handle?
- Amanda Rousseau is an offensive security engineer, and her Twitter handle is @malwareunicorn.
Why does Amanda suggest that passwords are still necessary despite the prevalence of hacking?
- Amanda suggests that passwords are necessary because hackers don't actually know everything about everyone; it depends on the information individuals put out on the internet.
What is the difference between a white hat hacker and a black hat hacker according to the script?
- A white hat hacker hacks for good, often working in the security industry, while a black hat hacker refers to cyber-criminals.
What does Amanda describe as the purpose of malware?
- Amanda describes the purpose of malware as typically going after money, with victims often being considered collateral damage.
How does Amanda suggest one can begin learning to excel in the field of penetration testing?
- Amanda suggests that one can start by finding content online such as courses, workshops, and attending events and conferences to meet others in the field and find a mentor.
What does Amanda mean by 'account aging' in the context of bot accounts on social media?
- Account aging refers to the process where bot accounts perform minimal actions to avoid detection by social media platforms, making them appear more like legitimate accounts.
Why does Amanda believe that IoT devices will continue to have security issues?
- Amanda believes that IoT devices will continue to have security issues because they are often developed with the lowest possible cost of manufacturing in mind, making security an afterthought.
What is the first step Amanda recommends for someone looking to start debugging?
- Amanda recommends jumping right in and practicing, comparing it to learning to ride a bike, where it takes time and practice to get it right.
How does Amanda respond to the question about changing job titles in a company profile?
- Amanda humorously suggests naming oneself 'Safe for Work' in response to the user's request for a job title that is obviously safe for work.
What is Amanda's view on the use of embedded cameras in smart TVs and video streaming apps?
- Amanda says that the misuse of embedded cameras has been happening for several years already, implying that it's not a new concern.
Why does Amanda say that hackers are not likely to pay off someone's student loans if they were to break into their account?
- Amanda explains that hackers are more likely to use the system for their own gain, such as paying off their own tuition, rather than paying off someone else's debt.
Outlines
Passwords and the Role of Hackers
Amanda Rousseau, known as @malwareunicorn, introduces herself as an offensive security engineer and discusses the necessity of passwords despite the prevalence of hacking. She clarifies the difference between white hat (ethical) hackers and black hat (criminal) hackers, and introduces the concept of gray hat hackers. Amanda also addresses the question of how to start a career in penetration testing, suggesting resources like courses, workshops, events, and finding mentors in the field. She touches on the purpose of malware, which is often financial, and compares it to a fashion trend that evolves over time.
Hacking Motivations and Cybersecurity Measures
The script continues with a discussion on why hackers target certain individuals, such as celebrities, and the various motivations behind hacking, including financial gain, reputation, information gathering, and destruction. Amanda also addresses the complexity of the login process for sensitive accounts like student loans, explaining that security measures are designed to prevent unauthorized access, not to facilitate it. She then talks about the purpose of bot accounts on social media, explaining that they are used for account aging to avoid detection by automated systems. The paragraph concludes with a reflection on the persistence of security vulnerabilities in IoT devices due to cost-cutting measures in manufacturing.
Cybersecurity Careers and Hacking Misconceptions
Amanda responds to questions about her choice of using a Mac for security work, drawing parallels between Mac and Linux, and noting that there is less malware targeting these systems compared to Windows. She discusses the point of spam emails from a criminal perspective, explaining how even a small percentage of successful targets can be lucrative. The paragraph also includes her experience in creating visual content for incident timelines, leveraging her background in graphic design. Amanda addresses the difference between phishing and bad pick-up lines, emphasizing the effectiveness of the former. She also discusses the WannaCry ransomware attack on the NHS, highlighting the challenges of upgrading critical infrastructure without causing downtime.
Encouraging Youth in Cybersecurity
In the final paragraph, Amanda reflects on how she became aware of a career in cybersecurity and the importance of exposing young people to such opportunities. She emphasizes the hacker mentality of creative problem-solving and thinking outside the box, suggesting that this mindset could be fostered in young people through workshops and content that challenges them to solve unconventional problems. The script ends with a humorous note on the stereotypes of hackers wearing ski masks and hoodies, which Amanda playfully adopts as part of her persona.
Keywords
- Offensive Security Engineer
- Hacking
- White Hat Hacker
- Black Hat Hacker
- Gray Hat Hacker
- Penetration Tester
- Malware
- Cyber-Criminal
- IoT Devices
- Phishing
- Red Team and Blue Team
Highlights
Amanda Rousseau, aka @malwareunicorn, introduces herself as an offensive security engineer and the host of Hacking Support.
Discusses the misconception that hackers know everything about everyone and emphasizes the importance of not sharing personal information online.
Explains the difference between white hat and black hat hackers, with white hats hacking for good and black hats being cyber-criminals.
Introduces the term 'gray hat' for hackers who may act as IT admins by day and engage in malicious activities by night.
Advises on how to become a penetration tester, suggesting courses, workshops, events, and finding a mentor in the field.
Describes malware as usually targeting money and considering victims as collateral damage.
Compares the evolution of malware to a fashion trend, with different types emerging seasonally.
Explains the motivations behind hacking, including money, reputation, information, and destruction.
Addresses the complexity of the student loan aid login process as a security measure against hackers.
Clarifies the purpose of bot accounts on social media, which is to bypass automated detection systems through account aging.
Discusses the security vulnerabilities in IoT devices due to the focus on low manufacturing costs.
Advocates for jumping right into debugging as the best way to learn, comparing it to learning to ride a bike.
Suggests naming a job title 'Safe for Work' in response to a Twitter user's question about changing their job title.
Warns that smart TVs and video streaming apps have been collecting and sharing data, with embedded cameras potentially being misused.
Responds humorously to a question about C#, stating that C# hates her, not the other way around.
Refutes the idea that hackers would leak Taylor Swift's private recordings, referencing her alter ego @SwiftOnSecurity.
Differentiates between the terms 'hacker' and 'cyber-criminal', preferring to call malicious actors cyber-criminals.
Answers a question about using a Mac for security work, comparing it to Linux and noting the relative lack of Mac-targeted malware.
Explains the purpose of spam emails, which is to profit from a small percentage of targets who respond to the scams.
Shares her background in graphic design and its influence on her work in computer science, including creating 3D videos for network layouts.
Compares phishing to bad pickup lines, arguing that phishing is more effective due to its potential for financial gain.
Discusses the WannaCry ransomware attack on the NHS, attributing it to a lack of system upgrades.
Describes the roles of red and blue teams in cybersecurity, with red teams finding vulnerabilities and blue teams defending systems.
Advocates for introducing hacking as a career at career fairs to inspire young people to enter the cybersecurity field.
Humorously addresses the stereotype of hackers wearing ski masks and hoodies, suggesting it's for warmth and to avoid identification.
Concludes the episode of Hacking Support with a reminder for viewers to stay safe.
Transcripts
- Hi, I'm Amanda Rousseau aka @malwareunicorn
and I'm an offensive security engineer
and this is Hacking Support.
[dramatic music]
[keyboard clicking] [dramatic music]
This Twitter user, @cloud_opinion, asks,
"At this point, hackers know everything
"there is to know about every one of us.
"Why do we need passwords now?"
Why keep going to the gym if you're gonna die anyways?
Passwords are kind of a necessary evil.
And hackers really don't know everything about you.
It all depends if you put that
information out there on the internet.
"Congrats.
"I know what a white hat is, I know what a black hat is.
"What is a red hat?
"Angry hacker?"
I don't think I've heard the term red hat hacker before.
When you're a white hat hacker, you hack for good.
A lotta people in the security industry
are white hat hackers.
And then, for the cyber-criminals, we call them black hats.
There's also this other term called a gray hat
where they could be a IT admin during the day
while moonlight as a black hat during the night.
[mouse clicking]
@hacker4life asks, "@malwareunicorn, how do you even begin
"learning and exceeding in this field?
"I'm trying to become a
"penetration tester and need inspiration."
So, a pen tester is kind of like an attacker
that goes and checks all of the external ports,
any openings within someone's network.
But if you really wanna be a penetration tester,
there's a lot of content out on the web right now.
Courses, workshops, they even have events and conferences
where you can meet other people in the field.
You can find a mentor, learn from them.
They would point you in the right direction.
I feel like the hacker culture is pretty open and diverse,
so there's a lotta content out there.
[mouse clicking]
"Malware's the worst.
"What is its purpose other than wasting my time?"
Usually, malware is going after money.
And, if anything, you're considered collateral damage.
When malware is delivered, they're usually
just spraying all the malware to many people as possible,
so it may not be intended for you.
I think of malware as a fashion trend.
You know, there's different malware
every season, every quarter, and you have to
stay in fashion and on trend all the time.
When you think about older malware
that used to occur a couple years ago,
sometimes it comes back in fashion.
[mouse clicking]
This twitter user, @naima, asks,
"Jessica Alba is an interesting choice for hacking.
"How do hackers decide who they're going to target?"
Jessica Alba's a beautiful woman and she's also a celebrity,
so she sounds like a great, shiny object
for cyber-criminals to go after,
but a lot of them have different motivations.
It could include money, is probably the biggest one.
Another one would be reputation.
They would be like, "Ha ha, I hacked this person."
It could be information, kind of like corporate espionage,
and then we have destruction, which is kind of rare.
Basically what it is, they try to destroy
all the systems to put that company out of business.
[mouse clicking]
@KyleeMinaj asks, "Why do they make the login process
"for your student loan aid so difficult and tedious?
"If some hackers want to break into my account
"and pay off all my student loans,
"please don't make it difficult for them.
"Y'all are gonna ruin this for me.
"Let them run wild in there."
Kylee, these hackers are not gonna go and pay off your debt.
If anything, they're gonna go
into the system to pay off their tuition,
so a lot of these controls are in place
to hinder hackers like that to get into your account.
It's an unfortunate thing to do
but, you know, it's necessary.
[mouse clicking]
@AxelBlazen asks, "Speaking of [beep],
"what is even the point of these bot accounts
"that follow you but, well, that's it.
"No messaging or anything, no spam, just follow.
"Like [beep] sake, it's dumb."
Well, these accounts are doing something
that may not pertain to you, what we call account aging.
So what that means is they're trying to
bypass a lot of automated detections from social media
that they have in place to look for fake accounts.
And so, by tweeting or messaging
or making any type of action,
they're trying to bypass detection
to look more like a legitimate account.
[mouse clicking]
This Twitter user, @andrewcheeky, asks,
"What will they think of next?
"Is there anything that has been corded in the last decade
"that hackers haven't found
"a vulnerability to do some damage?"
If you think about your fridge at home
being able to connect to the WiFi or your pressure cooker
being able to connect to an app on your phone,
a lot of these devices are developed
in a way where they're looking for
the lowest possible cost of manufacturing,
so when they get to the security part,
it's kind of like an afterthought,
so until things change, we're gonna
still have these problems with IoT devices.
[mouse clicking]
Twitter user @sifbaksh: "@malwareunicorn,
"what should my first step be in debugging?
"Should I just get a file and a book and start doing?"
The best way is to just jump right in.
Think about it as riding a bike.
It takes time, it takes practice,
but eventually, you'll get it.
There's a different debugger for every operating system
but they're not easy to learn unless you start, you know,
just doing it yourself and training yourself and practicing.
Like, I don't remember every single command in a debugger.
I have to use a cheat sheet.
[mouse clicking]
Twitter user @stormwuff_: "My awesome boss says that
"I can request to change my job title
"to whatever I want it to be
"in our company profile [obviously safe for work].
"Could anything random like
"Pokemon Hacker or Cybersecurity Wizard.
"What do you guys think it should be?"
Well, I can see you just said, "Obviously safe for work,"
so I think you should just name yourself Safe for Work.
[mouse clicking]
This Twitter user, @SuB8u, asks, "Your smart TV
"and your video streaming apps are collecting and sharing
"tons of data, just because they can.
"How long before we can start having embedded cameras
"that malware triggers surreptitiously?"
I have unfortunate news for you.
This has been happening minus six years
and it's gonna continue to happen, so too late for you.
[mouse clicking]
@Alessan82718685, that's a mouthful: "Why do you hate C#?"
Man, his handle looks like a bot. [laughs]
I don't hate C#, C# hates me.
[mouse clicking]
@theonlyoneofyou asks, "Why can't hackers do anything useful
"like leak Taylor's recordings of Babe and Better Man?
"Grow up, hackers."
Well, if you don't already know, Taylor Swift has
an alter ego that we call @SwiftOnSecurity
and she's considered a security pro
in the cybersecurity industry,
so no one actually wants to hack her.
But if you're in the know and you know
who that is, then you know who it is.
[mouse clicking]
This Twitter user, @zer0wn asks, "Can we stop calling
"people who DDoS [beep] hackers?
"Journos, why the hell do you even
"call them hackers to begin with?
"Looking for legitimate answers as I am confused as hell."
Well, let me set the record straight.
There's a difference between hacker and a cyber-criminal,
so if we were to refer to the bad guys,
I would rather prefer to call them a cyber-criminal.
There's a lotta people in the security industry
that consider themselves hackers.
There's a lotta people that hack for good.
@WMRamadan asks, "@malwareunicorn,
"I have a simple yet daunting question.
"Why do you use a Mac for your security work?
"I mean, a lot of people argue the fact
"that Linux is the way to go in terms of security."
Mac is similar to Linux.
Think about two different brands of cars.
They look different on the outside
but they could be sharing the same chassis underneath.
There's not a lotta malware out there for Mac and Linux.
I mean, it's there, but, you know,
currently most of the malware is on Windows.
[mouse clicking]
The Bishop, or @JoshHarris25:
"What is the point of spam emails?
"Are they profiting from it?
"What do they gain from spending random unnecessary emails?"
When people send out spam emails,
they're sending it to thousands and thousands of targets.
Say you had a million emails sent out
and they're requesting $1.
These cyber-criminals are expecting
that 1% will actually bite.
A lotta these cyber-criminals will treat this as a business,
so it becomes very lucrative for them.
@Cybor_Tooth: "@malwareunicorn, if you were to
"create a timeline for an incident, what would it look like?
"Just curious because your design skills are cray cray."
Well, a lotta people don't know this,
but before I got into computer science,
I was actually pursuing a degree in graphic design,
so a lot of it, from my time doing that,
carries over into my work.
Back when I used to work at the Department of Defense,
I used to create these 3D videos
to describe different type of network layouts.
I didn't know 3D design at the time,
so I spent a weekend, taught myself,
and the next day, started, you know, making content.
If you can make things look nice and be able to
communicate the actual abstract content, it helps.
[mouse clicking]
@dontlook asked, "Yeah, but bad pick up lines
"and phishing really any different?
"Low effort, easy reuse, and rarely do you get a success."
I really think phishing is more effective
than saying a pickup line.
@ivladdalvi: "I studied WannaCry case in NHS hospital.
"A disaster seemed totally preventable.
"Why didn't they patch?
"Were they lazy? Stupid?"
In the case of this incident, a hospital
in the UK was under a ransomware attack.
It happened because they didn't
upgrade their servers or their computers.
And this is the whole reason
why upgrading is really important,
but when you think about it, some of these infrastructures
like a hospital or a power plant,
a lot of 'em cannot experience any downtime.
So when you do do an upgrade, you have to
shut down the systems for a little while.
[mouse clicking]
@Tyro733 asks, "As someone who doesn't work in Infosec,
"what are red and blue team?
"I'm assuming red are the pen testers."
These terms actually come from the military
where they would perform military operations,
they have a team that acts as a red team doing the attacks
and the blue team serves as the defense team.
Similar to what we have in cybersecurity in that
the red team is hacking the blue team's systems.
The whole point of what the red team does
is to enumerate holes within a network.
We wanna find the holes before the bad actors do.
Think of it like we're sparring partners.
So, we're really not there to antagonize the blue team
or anything like that, we really wanna
work together with the blue team.
[mouse clicking]
@r00tzasylum: "Hacker kid interviewed his mom
"about what it's like to build a career in Infosec.
"Something @defcon parents often think about:
"how do we inspire kids to go into this space
"and see it for the fun and challenge that it is?"
Well, when I was young, I had no idea
I was gonna be in this job.
I actually had to know that this job existed
in order to actually go into it.
If there was a chance that, at a career fair,
you would have someone who gets to hack for living,
I think that would be a really cool thing to have.
You have to have the correct
mentality to be in this industry.
The whole hacker mentality is
creatively thinking outside the box,
solving a problem that's out of the standards
or norms of how it's supposed to execute.
If we kind of use that type of mentality
in some of the content or workshops
or anything that we reach out to these kids with,
it'll kind of inspire them to
wanna solve problems in this field.
[mouse clicking]
This Twitter user, @Arfness, asks,
"Why do stock image hackers
"exclusively wear ski masks and hoodies?"
Well, I think the photographer was going for
a feel of an actual robber or a criminal,
but there is a reason to wear something on your face.
They're trying to hide their face
from cameras or any type of identifier
that will attribute them to a crime.
And why they're wearing hoodies,
I can imagine that some of these server rooms are super cold
and they need to cover their ears.
[mouse clicking]
If you don't already know, you know,
some of us actually dress like this to work
and I actually have a ski mask for all of my outfits.
Lemme put it on for you guys.
And it's not complete without the glasses.
We're good to go, it's time to hack.
[keyboard clicking]
This has been Hacking Support with Amanda Rousseau.
You guys stay safe out there.
[dramatic music]