Cybersecurity Expert Answers Hacking Questions From Twitter | Tech Support | WIRED

00:00

- Hi, I'm Amanda Rousseau aka @malwareunicorn

00:03

and I'm an offensive security engineer

00:05

and this is Hacking Support.

00:06

[dramatic music]

00:08

[keyboard clicking] [dramatic music]

00:10

This Twitter user, @cloud_opinion, asks,

00:12

"At this point, hackers know everything

00:14

"there is to know about every one of us.

00:16

"Why do we need passwords now?"

00:19

Why keep going to the gym if you're gonna die anyways?

00:21

Passwords are kind of a necessary evil.

00:23

And hackers really don't know everything about you.

00:25

It all depends if you put that

00:27

information out there on the internet.

00:28

"Congrats.

00:29

"I know what a white hat is, I know what a black hat is.

00:32

"What is a red hat?

00:33

"Angry hacker?"

00:34

I don't think I've heard the term red hat hacker before.

00:37

When you're a white hat hacker, you hack for good.

00:40

A lotta people in the security industry

00:42

are white hat hackers.

00:43

And then, for the cyber-criminals, we call them black hats.

00:47

There's also this other term called a gray hat

00:50

where they could be a IT admin during the day

00:53

while moonlight as a black hat during the night.

00:56

[mouse clicking]

00:57

@hacker4life asks, "@malwareunicorn, how do you even begin

01:00

"learning and exceeding in this field?

01:02

"I'm trying to become a

01:03

"penetration tester and need inspiration."

01:05

So, a pen tester is kind of like an attacker

01:08

that goes and checks all of the external ports,

01:12

any openings within someone's network.

01:14

But if you really wanna be a penetration tester,

01:17

there's a lot of content out on the web right now.

01:19

Courses, workshops, they even have events and conferences

01:23

where you can meet other people in the field.

01:25

You can find a mentor, learn from them.

01:28

They would point you in the right direction.

01:30

I feel like the hacker culture is pretty open and diverse,

01:35

so there's a lotta content out there.

01:37

[mouse clicking]

01:38

"Malware's the worst.

01:38

"What is its purpose other than wasting my time?"

01:40

Usually, malware is going after money.

01:42

And, if anything, you're considered collateral damage.

01:45

When malware is delivered, they're usually

01:48

just spraying all the malware to many people as possible,

01:51

so it may not be intended for you.

01:53

I think of malware as a fashion trend.

01:55

You know, there's different malware

01:56

every season, every quarter, and you have to

01:58

stay in fashion and on trend all the time.

02:01

When you think about older malware

02:02

that used to occur a couple years ago,

02:04

sometimes it comes back in fashion.

02:06

[mouse clicking]

02:07

This twitter user, @naima, asks,

02:08

"Jessica Alba is an interesting choice for hacking.

02:10

"How do hackers decide who they're going to target?"

02:13

Jessica Alba's a beautiful woman and she's also a celebrity,

02:16

so she sounds like a great, shiny object

02:19

for cyber-criminals to go after,

02:20

but a lot of them have different motivations.

02:22

It could include money, is probably the biggest one.

02:25

Another one would be reputation.

02:28

They would be like, "Ha ha, I hacked this person."

02:29

It could be information, kind of like corporate espionage,

02:33

and then we have destruction, which is kind of rare.

02:35

Basically what it is, they try to destroy

02:37

all the systems to put that company out of business.

02:39

[mouse clicking]

02:40

@KyleeMinaj asks, "Why do they make the login process

02:43

"for your student loan aid so difficult and tedious?

02:46

"If some hackers want to break into my account

02:48

"and pay off all my student loans,

02:50

"please don't make it difficult for them.

02:52

"Y'all are gonna ruin this for me.

02:53

"Let them run wild in there."

02:55

Kylee, these hackers are not gonna go and pay off your debt.

02:59

If anything, they're gonna go

03:01

into the system to pay off their tuition,

03:03

so a lot of these controls are in place

03:05

to hinder hackers like that to get into your account.

03:09

It's an unfortunate thing to do

03:10

but, you know, it's necessary.

03:12

[mouse clicking]

03:13

@AxelBlazen asks, "Speaking of [beep],

03:14

"what is even the point of these bot accounts

03:16

"that follow you but, well, that's it.

03:18

"No messaging or anything, no spam, just follow.

03:21

"Like [beep] sake, it's dumb."

03:23

Well, these accounts are doing something

03:25

that may not pertain to you, what we call account aging.

03:30

So what that means is they're trying to

03:32

bypass a lot of automated detections from social media

03:36

that they have in place to look for fake accounts.

03:40

And so, by tweeting or messaging

03:42

or making any type of action,

03:44

they're trying to bypass detection

03:46

to look more like a legitimate account.

03:48

[mouse clicking]

03:49

This Twitter user, @andrewcheeky, asks,

03:50

"What will they think of next?

03:51

"Is there anything that has been corded in the last decade

03:54

"that hackers haven't found

03:55

"a vulnerability to do some damage?"

03:57

If you think about your fridge at home

03:59

being able to connect to the WiFi or your pressure cooker

04:02

being able to connect to an app on your phone,

04:04

a lot of these devices are developed

04:07

in a way where they're looking for

04:09

the lowest possible cost of manufacturing,

04:12

so when they get to the security part,

04:14

it's kind of like an afterthought,

04:16

so until things change, we're gonna

04:18

still have these problems with IoT devices.

04:21

[mouse clicking]

04:21

Twitter user @sifbaksh: "@malwareunicorn,

04:24

"what should my first step be in debugging?

04:26

"Should I just get a file and a book and start doing?"

04:28

The best way is to just jump right in.

04:30

Think about it as riding a bike.

04:33

It takes time, it takes practice,

04:35

but eventually, you'll get it.

04:36

There's a different debugger for every operating system

04:39

but they're not easy to learn unless you start, you know,

04:42

just doing it yourself and training yourself and practicing.

04:46

Like, I don't remember every single command in a debugger.

04:48

I have to use a cheat sheet.

04:50

[mouse clicking]

04:51

Twitter user @stormwuff_: "My awesome boss says that

04:53

"I can request to change my job title

04:55

"to whatever I want it to be

04:56

"in our company profile [obviously safe for work].

04:59

"Could anything random like

05:00

"Pokemon Hacker or Cybersecurity Wizard.

05:03

"What do you guys think it should be?"

05:04

Well, I can see you just said, "Obviously safe for work,"

05:08

so I think you should just name yourself Safe for Work.

05:10

[mouse clicking]

05:11

This Twitter user, @SuB8u, asks, "Your smart TV

05:14

"and your video streaming apps are collecting and sharing

05:17

"tons of data, just because they can.

05:19

"How long before we can start having embedded cameras

05:21

"that malware triggers surreptitiously?"

05:24

I have unfortunate news for you.

05:26

This has been happening minus six years

05:28

and it's gonna continue to happen, so too late for you."

05:31

[mouse clicking]

05:32

@Alessan82718685, that's a mouthful: "Why do you hate C#?"

05:38

Man, his handle looks like a bot. [laughs]

05:40

I don't hate C#, C# hates me.

05:43

[mouse clicking]

05:44

@theonlyoneofyou asks, "Why can't hackers do anything useful

05:47

"like leak Taylor's recordings of Babe and Better Man?

05:50

"Grow up, hackers."

05:52

Well, if you don't already know, Taylor Swift has

05:54

an alter ego that we call @SwiftOnSecurity

05:57

and she's considered a security pro

05:59

in the cybersecurity industry,

06:01

so no one actually wants to hack her.

06:03

But if you're in the know and you know

06:05

who that is, then you know who it is.

06:07

[mouse clicking]

06:08

This Twitter user, @zer0wn asks, "Can we stop calling

06:10

"people who DDoS [beep] hackers?

06:12

"Journos, why the hell do you even

06:13

"call them hackers to begin with?

06:15

"Looking for legitimate answers as I am confused as hell."

06:18

Well, let me set the record straight.

06:19

There's a difference between hacker and a cyber-criminal,

06:23

so if we were to refer to the bad guys,

06:25

I would rather prefer to call them a cyber-criminal.

06:28

There's a lotta people in the security industry

06:30

that consider themselves hackers.

06:32

There's a lotta people that hack for good.

06:33

@WMRamadan asks, "@malwareunicorn,

06:36

"I have a simple yet daunting question.

06:38

"Why do you use a Mac for your security work?

06:41

"I mean, a lot of people argue the fact

06:43

"that Linux is the way to go in terms of security."

06:45

Mac is similar to Linux.

06:47

Think about two different brands of cars.

06:50

They look different on the outside

06:51

but they could be sharing the same chassis underneath.

06:54

There's not a lotta malware out there for Mac and Linux.

06:58

I mean, it's there, but, you know,

07:00

currently most of the malware is on Windows.

07:02

[mouse clicking]

07:03

The Bishop, or @JoshHarris25:

07:05

"What is the point of spam emails?

07:07

"Are they profiting from it?

07:08

"What do they gain from spending random unnecessary emails?"

07:11

When people send out spam emails,

07:14

they're sending it to thousands and thousands of targets.

07:17

Say you had a million emails sent out

07:21

and they're requesting $1.

07:23

These cyber-criminals are expecting

07:24

that 1% will actually bite.

07:27

A lotta these cyber-criminals will treat this as a business,

07:30

so it becomes very lucrative for them.

07:32

@Cybor_Tooth: "@malwareunicorn, if you were to

07:34

"create a timeline for an incident, what would it look like?

07:38

"Just curious because your design skills are cray cray."

07:41

Well, a lotta people don't know this,

07:42

but before I got into computer science,

07:45

I was actually pursuing a degree in graphic design,

07:47

so a lot of it, from my time doing that,

07:51

carries over into my work.

07:52

Back when I used to work at the Department of Defense,

07:54

I used to create these 3D videos

07:57

to describe different type of network layouts.

08:00

I didn't know 3D design at the time,

08:02

so I spent a weekend, taught myself,

08:05

and the next day, started, you know, making content.

08:08

If you can make things look nice and be able to

08:11

communicate the actual abstract content, it helps.

08:15

[mouse clicking]

08:15

@dontlook asked, "Yeah, but bad pick up lines

08:18

"and phishing really any different?

08:20

"Low effort, easy reuse, and rarely do you get a success."

08:23

I really think phishing is more effective

08:26

than saying a pickup line.

08:28

@ivladdalvi: "I studied WannaCry case in NHS hospital.

08:33

"A disaster seemed totally preventable.

08:35

"Why didn't they patch?

08:36

"Were they lazy? Stupid?"

08:38

In the case of this incident, a hospital

08:41

in the UK was under a ransomware attack.

08:44

It happened because they didn't

08:45

upgrade their servers or their computers.

08:48

And this is the whole reason

08:49

why upgrading is really important,

08:52

but when you think about it, some of these infrastructures

08:55

like a hospital or a power plant,

08:58

a lot of 'em cannot experience any downtime.

09:01

So when you do do an upgrade, you have to

09:03

shut down the systems for a little while.

09:05

[mouse clicking]

09:06

@Tyro733 asks, "As someone who doesn't work in Infosec,

09:09

"what are red and blue team?

09:11

"I'm assuming red are the pen testers."

09:13

These terms actually come from the military

09:17

where they would perform military operations,

09:19

they have a team that acts as a red team doing the attacks

09:23

and the blue team serves as the defense team.

09:25

Similar to what we have in cybersecurity in that

09:28

the red team is hacking the blue team's systems.

09:33

The whole point of what the red team does

09:35

is to enumerate holes within a network.

09:37

We wanna find the holes before the bad actors do.

09:40

Think of it like we're sparring partners.

09:43

So, we're really not there to antagonize the blue team

09:45

or anything like that, we really wanna

09:47

work together with the blue team.

09:49

[mouse clicking]

09:49

@r00tzasylum: "Hacker kid interviewed his mom

09:52

"about what it's like to build a career in Infosec.

09:54

"Something @defcon parents often think about:

09:56

"how do we inspire kids to go into this space

09:59

"and see it for the fun and challenge that it is?"

10:02

Well, when I was young, I had no idea

10:04

I was gonna be in this job.

10:05

I actually had to know that this job existed

10:07

in order to actually go into it.

10:09

If there was a chance that, at a career fair,

10:11

you would have someone who gets to hack for living,

10:15

I think that would be a really cool thing to have.

10:18

You have to have the correct

10:19

mentality to be in this industry.

10:21

The whole hacker mentality is

10:23

creatively thinking outside the box,

10:25

solving a problem that's out of the standards

10:28

or norms of how it's supposed to execute.

10:30

If we kind of use that type of mentality

10:33

in some of the content or workshops

10:36

or anything that we reach out to these kids with,

10:40

it'll kind of inspire them to

10:42

wanna solve problems in this field.

10:44

[mouse clicking]

10:45

This Twitter user, @Arfness, asks,

10:46

"Why do stock image hackers

10:47

"exclusively wear ski masks and hoodies?"

10:50

Well, I think the photographer was going for

10:52

a feel of an actual robber or a criminal,

10:54

but there is a reason to wear something on your face.

10:57

They're trying to hide their face

10:58

from cameras or any type of identifier

11:00

that will attribute them to a crime.

11:02

And why they're wearing hoodies,

11:03

I can imagine that some of these server rooms are super cold

11:06

and they need to cover their ears.

11:07

[mouse clicking]

11:08

If you don't already know, you know,

11:10

some of us actually dress like this to work

11:12

and I actually have a ski mask for all of my outfits.

11:15

Lemme put it on for you guys.

11:17

And it's not complete without the glasses.

11:21

We're good to go, it's time to hack.

11:22

[keyboard clicking]

11:23

This has been Hacking Support with Amanda Rousseau.

11:26

You guys stay safe out there.

11:27

[dramatic music]