SDL Episode101

From Paul's Security Weekly

Recorded on March 5, 2019 at G-Unit Studios in Rhode Island!

Hosts

  • Russell Beauchemin
    Cybersecurity & Network Security Program Advisor and Director of Instructional Support & Learning Innovation at Roger Williams University.
  • Doug White
    Cybersecurity professor, President of Secure Technology, and Security Weekly network host.
Announcements

    • RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Join us April 1-3, at Disney's Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
    • Registration is now open for the first Security Weekly webcast of 2019! You can register for our "Rise Above Complex Workflows: Practical Ways To Accelerate Incident Response" webcast now by going to securityweekly.com/webcasts.

    Topic: Overview of Hacking

    • So, the term hacker came about to describe someone who was basically an engineer and cobbled together pieces of code to achieve some task. I first started hearing the term hacker in the 1980s and it was very much publicized by the media and in movies. Everyone loves an antihero.

    • In the early 80s most of the people who would come to be called hackers were either systems administrators, programmers, or telco specialists (called phreakers later). A lot of the early hacks were simply people taking advantage of the fact that several key things went on:

    1. There was simply little or no security. There is a term called "security through obscurity" which was basically the idea that very few people knew such things and subsequently, there was simply no need. Take, for example, rlogin. rlogin was added in 1982 to create a way for admins to get into the system without needing credentials! Seriously. Since almost no one knew about this stuff, it was safe for a brief while. Remember, in 1982 there was no internet, no 4chan, no Facebook, nothing. So, how did I learn about rlogin? Well, a friendly engineer told me about it and boom. A great deal of early hacking relied on these horrific lapses in judgement and as more people got wind of it, all of a sudden big problems ensued.
    2. People were trying to find ways to facilitate and access technology since there was very little to go around. In 1982, BBSes (bulletin boards) relied on dial-up modems for access. Everyone wanted to use these places to interact but telephone calls cost money by the minute and next thing you know, you spent a bundle. Just being able to compile a program for fun meant paying someone by the minute to use their compiler or mainframe. But, with a little creativity, and reliance on STO, a lot of us found ways to access resources without paying for them. A really common "hack" of the day was called a dial out. If you could find a system (at a university, say) that you could connect to for free, you could use their system to dial the distant BBS and use the resources.
    3. The idea of pranks, games, and exploits was not considered a negative thing since the only people involved were also playing. For instance, I had a CS course where you were asked to break into the instructor's account and steal the assignments. This was considered training.
    4. Digital actions couldn't really be considered criminal since there were no laws relating to this type of activity and most courts, police agencies, and legislators were ill-equipped to even begin to talk about any of this sort of thing best left to nerds and engineers. It would literally take decades before the capability to investigate this sort of crime would be possible for law enforcement.



    • So, the early hackers were really just tech people who knew a lot about tech. If they didn't get too annoying, they mostly got left alone and hassled other tech people. A famous hacker named Kevin Mitnick used social engineering and other tactics to exploit telco companies and ended up being one of the first people to get charged with a crime for "hacking". Technically, Mitnick was mostly a phreaker and, like Al Capone, didn't get charged with what he actually did. Instead, he basically was charged for stealing long distance service and was convicted. That was in 1995.



    • At that time, the CFAA (Computer Fraud and Abuse Act) was in place and had been since 1984 but it didn't really get used since law enforcement didn't have much traction in this area. I was starting to get questions by then but there was very little known about the mysterious world of hackers since it relied on esoteric knowledge and strange equipment, and there was no Google where you could type in "SQL injection". A great deal of digital evidence was suspect in the eyes of the court and treated as hearsay evidence so usually it just didn't go anywhere unless you started costing someone a lot of money.



    • By the end of the millennium, lots of movies and media had started talking about technology. The threat of Y2K brought more attention to the tech world and technology was starting to leak into the mainstream. Early internet and home computing had raised the profile of tech and tech people in the world. Hackers started to be described as white hat and black hat hackers along about 2000, although the terms may have been used before then. Wargames came out in 1983 and started to glamorize the idea of being a hacker. Hackers came out in 1995 and set a sort of "tone" for the look and feel of hacker culture that persists to this day. The Matrix came out in 1999 and all of a sudden there was a feature film with a huge budget, A-list celebs, and a real "style" that began setting cultural ideas for at least pseudo-hackers into motion.



    • During all this, real "hackers" were also starting to form communities using the BBS world. Sites like Platinum net and Well of Chaos were online gathering places for tech people. Jeff Moss started DEFCON in 1993; the name was derived from the US military Defense Condition codes and the movie Wargames. Today, DEFCON is one of the largest hacking conferences in the world but is one of many, many cons that go on each year.



    • Through all of this there persisted basically the three main types of hacking: black hats, white hats, and grey hats.



    • Today, white hat hacking refers typically to people who believe in respecting the law and others and essentially abide by the rules. Certs like CEH, OSCP, and GPEN pretty much openly train people in "pen testing" which is a nice way of describing hacking. In 1999, I started a program at The University of Northern Colorado called initially "hacking 101" and found that the term already had a seriously negative connotation in the press. We quickly renamed it Computer Security. The CFAA from 1984 originally just forbade "unauthorized access to computers" but it has been revised repeatedly to reflect both the growing threat to the general public as well as the growing knowledge of the government about technology.

    • Now, black hat hackers tend to be more circumspect than their white hat counterparts. The skills are the same, it's just the ethics that vary. Black hat hackers tend to advocate that you get hacked because you failed to prevent it from happening and as such it is justified. This pragmatic view in the early days expanded to what I call "gold hat hackers" who are black hat hackers who are breaking into things for a profit. These things are typically illegal as well but it's somewhat of a different mindset than the black hat hackers glorified in movies and the media who are often portrayed as Robin Hood types. Likewise, script kiddies (hackers who don't really have skills but either buy on the dark web, or download, hacking tools they don't really understand) tend to be neither but rather fall into the category of what I call "no hat hackers" who want to be black hats or gold hats but don't really have any skills.

    • Grey hats, well, that's a complicated category. It really describes people that are part black and part white. In many ways, most real people in the industry are white hats but they certainly keep in tune with the black hat world and as such could be called grey hats. This category is harder to live in as laws and rules become more sophisticated. Today, even a category called hacktivists exists. These are people who believe they answer to a higher cause and as such try to right wrongs, perceived or otherwise.



    - I don't have much of a problem with it. When they let all the "users" into the game, well, it wasn't so much fun and quickly became illegal to exploit them.

    - Today, you as a potential "hacker" need to be aware of the difference in glamor, fact, and fiction. While the felonious hacker used to be a glamor figure who then got hired by the FBI, today it's just another person who goes to jail.

    • So, how do you become a hacker? Well, start learning. The one common trait I have observed throughout all these years of being involved in this community is that everyone likes to experiment and learn. Set up your lab and start learning. All the tools are out there for you to use. CTF, trainers, you name it and it's mostly available for free. Wow. Don't ply your skills on the innocent and enjoy. All that said, protect yourself at all times and don't forget to have fun. Go to some cons, make some connections and get in the game.