
all right so our last speaker for today is Dave Anne he's gonna be giving us a talk on how hackers think past present and future thank you this is it I waited all day I know what it is there's beer out there in there yeah I heard that rumor too hi so bearing in mind the fact that you've all been here for at least eight hours including the wonderful fire alarm event I want to try to make this brief or at least as brief as I possibly can so we're gonna talk a little bit today about the mindset of a hacker first we'll talk a little bit about what a hacker is what they have been what they
are now what we call a hacker they go by a lot of different names by the way anyone can identify the logo yeah you don't count anybody else there it is now you now you have to Google that to figure out what that is close but not quite so what do we call it you know we use the terms hackers and crackers and phreakers and you know white hat hackers and black hat hackers and grey hat hackers and then we got script kiddies anybody want to admit to being one of those nobody yeah really you got to start somewhere right and then of course there's the infamous 31337s or did it kind of progressed
as we went along and we got into the computer age and it became anybody who has an understanding of code or programming and enjoys you know decompiling and modifying and recompiling code and then we shortened it down to just somebody likes to break into computers this is a classic hacker when you say the word hacker at least to a lot of people this is what they think of do they not except for the folks that are hooked on Mr. Robot any Mr. Robot fans in the room almost everybody yeah they lost me after season 1 it got a little too you know well too dark we have to watch out for stereotypes not
all hackers are 20-somethings living in the mom's basement living on Mountain Dew Red Bull and cold pizza believe it or not there are hackers who wear suits when they go to work there are hackers who wear uniforms when they go to work there are some that don't wear anything when they go to work those are the ones you have to be really concerned about but we have to watch for the stereotypes because if you're thinking that you can use the profile of a hacker and use the stereotype you're gonna be sadly sadly mistaken right oh yeah another tidbit not every hacker uses a Mac even though a Mac is the only known laptop that can actually
successfully negotiate a network protocol connection with an alien mothership oh come on guys it's 5 o'clock in the evening on a Friday night we've not had beer yet what influences those stereotypes where do they come from ok why is it that the public when they think of hackers this is what they think of where do these perceptions come from how are they generated how are they applied to us for the security professionals in the room somebody asks you what do you do for a living what do you do for a living
doctor a university professor ok you sir what do you do for a living you're a student ok you network engineer have you ever asked anyone hey what do you do for a living they say Omaha I'm a hacker no they don't
dangerous for the industry and I'm gonna put my businessman hat on for just a minute when we're trying to bring people into this industry you're a network administrator right how hard is it to recruit a network administrator all right you're a student do you want to be a network administrator when you graduate yeah no I just want a job I don't care what it is I just got this heavy debt load I gotta get rid of it now if I come to somebody and I say hey Ben how would you like to be a pen tester for a living oh yeah I'm in man I get to be a hacker and I get paid for it
what what could be better well that would be to be a hacker get paid for it and not have to get dressed to go to work we make it glamorous and the media the movies they make it all exciting are there any pen testers in the room is it exciting is it a little bit more like being a firefighter you ask a firefighters like oh man that must be the most exciting job ever well it is at about 2% of the time the rest of the time you're sitting around cooking dinner for everybody else and polishing your truck all right pentest same way you spend a lot of time doing the mundane work before you find that just
little bit of excitement but if you look at the stereotypes and you look at how it's portrayed in the media it's all this exciting and every exploit you use works immediately without fail first click boom need a password no problem got it oh you need you need me to shut down the security system in the 200 story office building next door let me whip out my iPhone and do that for you right now they make it look easy they make it look glorified and it's not necessarily that way and I'm not doing that Emily there's not an earthquake going on or something you should know that yeah okay all right so we're going back to our D&D character
any D&D fans all right you get a room out of any type of a tech conference there's gonna be at least one person there has to be or wait a minute is that a stereotype hmm is the personality traits that come along with that character being the tinkerer one of the things that we will find is that there are some commonalities when we're talking about hackers and I'm going to use that generic term alright because hackers can be multiple things and what we're looking at here it can be the guy that's trying to break into a system the writing and malicious code it can be you know of a wide variety but they do have
some similar traits who knows the name of famous hacker is he good or just famous famous who is he Kevin Mitnick now see that's a guarantee all right you asked that question is he famous or is he good is he a hacker no he was a great social engineer right right he wasn't the most technical person on earth but he was a great social engineer yes sorry don't need to speak him past tense he's an excellent social engineer but he's not a hacker in that he's not on the keyboard you know breaking things but what does a social engineer and a coder what are they have in common as far as a personality trait I'm sorry they think
outside the box that's number one the first personality trait you're gonna look for throughout the history of hackers is creativity the next is critical thinking think back to the hackers who broke the Enigma machine who broke the code were they hackers you saw the movie would you call them hackers absolutely right they wanted to break something to figure out what made it work how it worked reverse engineer that's hacking so you've got to have this critical thinking process in order to break things down into smaller segments see how they work and then break them apart again to figure out how you can make it better a little bit of logic helps because you do have to think
in a sequence because eventually you're going to have to reverse that sequence right most hackers social engineers phreakers crackers whatever you want to call them most of this type are going to be very orderly in their thinking but maybe not so in their actions and I gotta tell you that's a that's a tough room to be next to if you can't hear me in the back let me know wait a minute if you can't hear me in the back and you care let me know okay good all right last key feature or personality trait that you have to have in a hacker they got to be persistent has anyone broken anything on the very first try ever no you have to stay at it
persistence perseverance and eventually it becomes an obsession but that's what drives the mindset so how do we identify this mindset what are we looking for everybody's heard now about some sort of profiling in criminal investigations psychological profiling and criminal investigations and it may be a TV show or two about it the same theory applies and you can apply some of this same theory if you're investigating an event or an incident it can tell you a bit about the type of individual that you are dealing with or the type of group or at least to help you identify some attributes within the attack because behavior reflects personality in most cases if you've got someone who
is highly sophisticated and executes an attack with a high degree of difficulty do you think they're going to be more or less meticulous about their work I watch the presentation where a gentleman stood up and said I have absolute proof that the DNC hack from last year was conducted by the Russians you I heard that claim okay he had some evidence he said first the code was compiled in the same time zone as Moscow so it must have been the Russians secondly we found Cyrillic characters in the source code well the only people who used Cyrillic characters it must have been the Russians and then within the code we actually found the name of the very
first head of the KGB so there it is definitive proof that attack was launched by the Russians I mean the most some of the most sophisticated and trained and talented hackers in the world left three major clues to show that it was them I don't know about you but I don't buy it
when you're conducting an investigation and you're trying to think about the profile you also have to watch for the obvious because in some instances it's a red herring I know I've actually done that I have written things and I have planted red herrings within them to attribute them to others mine were somewhat less subtle than the people who perpetrated the DNC hack all right so some other things it'll tell you a little bit about the profile of the personality of the individual who's conducting an attack is it old code if I'm using an old piece of code what would it say about me other than the fact that I'm old yes I know what's it say if I'm using old code does
it mean that obviously I don't know what I'm doing because I'm not using the latest and greatest it works exactly don't they there you go if something works and it's tried and it's proven and it's true why not use it again I'm not going to use any names but we had a very large recent breach that did not use brand new zero-day code did it no it had been out for years why did they use that to get in because it works what's it say about the individual well probably tells you that whoever launched that knows a few things about who they were going after ie a lot of large organizations don't have the most effective effective patch
programs in the world a lot of patches were missed within this certain time frame this exploit would actually take advantage of multiple missed patches and if I start with old code and it doesn't work I just work my way up so you see the critical thinking the thought process that goes along with that some of the other things that you want to consider would include a motive what's the primary motivator of most people who hack today it's money or is it for those of you who've actually studied the history of cybersecurity or at least read about it what was the initial motivation of the first hackers fame it started out I wanted I wanted to
be the guy who broke into NASA or I wanted to put my group's logo on the website of the NSA it was all about fame some of it was about I want to be the first to do this oh you're a man of your word I know it's cruel but they didn't have any bottled water when the next generation of hackers started looking at why they wanted to do these things it became a cause the cause became a few things it was information should be free and accessible to everyone right that's their cause that's their agenda so we want to we want to make it available to everybody source code should just be published and
everyone should have access to it nobody should be able to start a Microsoft company let's that everybody have the DOS operating system other agendas that came out of it free Kevin do you know how many viruses and worms and Trojans had that message embedded in them free Kevin and how many people that actually launched those out had no idea who Kevin Mitnick even was they just knew that he should be free right and the fame of it right that 15 minutes of being the guy who did this hey I'm the guy that shut down the New York subway system for two and a half hours oh wow that's cool man yeah how'd you do that and
unfortunately we took that fame and we turned it into money because there was a time when if you got if you got busted and you were the guy who did something new it was like having instant resume go to whoever you want they give you a job except for maybe some of the three-letter agencies so where do these threat ranges come from it's no longer just the guy in the basement all right drinking drinking the Mountain Dew eating the cold pizza and I just want to deface your website because I think your company is just terrible or I don't like your particular operating system or you've put flaws in your operating system and you haven't told
people about it so I'm gonna expose it to the world there's still the lone wolves out there they still exist but that's not the preponderance of where the threats are coming from we now have nation-states we have trained professional teams of hackers that represent our country do you think the United States does that do you think we have trained hackers do you think there's anything or was anything that was once called the Air Force Information Warfare Center in San Antonio Texas yeah doesn't exist anymore but it used to we've been doing information warfare as a country since the 60s in various forms the Russians are doing it the Russians have been trying to hack as a military tool since they first got
computers who are some of the other nation states that we hear about Iran China North Korea you notice a trend that for a period of time we'll have a digital boogeyman and you hear about them all the time you know China's is hacking everything China is not hacking everything folks not China is selling us stuff so we can hack ourselves you don't believe me go on to eBay buy the cheapest tablet you can possibly buy and see if that thing doesn't reset its timezone to Hong Kong at least once a month when it phones home North Korea this is the country that we could launch a denial of service attack on and take out most of the internet within the
entire country overnight not saying we did that but I'm saying we could okay maybe we did do they have the capacity then to hack into our systems sure they did are they focusing on that as an attack vector I would if I was them it's a lot cheaper than building a nuclear weapon and it can be just as effective so we have to consider the sources we've got the lone wolf we've got nation-states we've got industrial espionage as a hacking platform the French will tell you if they can get a hold of your corporate secrets on the Internet they're going to take them you put it out there why not give them access to it they're going to
pick it up the other question have we have to ask ourselves is are we becoming more paranoid as we see these things happen or is the opposite happening are we actually becoming numb to this the more events that we see the more we hear about it in the news the more we see it in the media are we just becoming numb to it is that our new norm alright this has all been going on for a while this is nothing new is it what's changing it is the technology the motivation has changed ever so slightly the tools are getting better easier to use but the personality type doesn't change it's an interesting thought you get different
people involved you get different people who want to do this but the type those traits are still there and you can watch for them look for that degree of complexity look for how neat and tidy the attack is right is it broad-based alright was it a you know spray-and-pray or was it really narrow focused and targeted I had some actually a couple of a couple of friends in the industry we're sitting around having a couple of beers one night talking about some of the recent events and one said you know I wonder what would happen if you were to launch a massive ransomware attack within an organization that really wasn't about the ransomware that it was
a smokescreen anybody had to respond to a major ransomware attack that's a little intense and then you're doing a lot of scrambling
so they did some research little due diligence up front right there's that critical thinking there's that mindset coming out she's ever wonder while you were responding to that ransomware what else is happening on your network right the guy who proposed this was just just a touch on the devious side he said wouldn't that make a great smokescreen because everybody's launching ransomware you don't have to be really you know talented to do that you could go out buy it release it spray a bunch of that out and while they're reacting to that hit him with another attack or plant some other code in there that they're not looking for again back to the mindset and thinking a little bit outside the
box I worked with a really good hardware tester was great at you know the sort you know code embedded code in hardware and one of the smart meter companies brought him a box and said hey we want to see what you can do with this what they were expecting him to do was to try to break in and reset it try to lower the numbers on it try to instead he recognized one of the chips he said you know what I've seen this before if I overclock this chip just enough I bet I can make it overheat and he did and he wrote a little piece of code and he launched it into a network of these
smart meters and it caused every one of them to overheat that chip burn it out shut the meter off and shut power down to the facility outside of the box thinking creativity not what people expect you to do so how do we respond to this what do we need to do ask somebody in this industry what keeps you up at night are you worried about being hacked yeah anybody else worried about being hacked yeah me not so much who's going to come after me as an individual and why trust me this helps me sleep at night that and large quantities of alcohol I am NOT as an individual a target for someone with that level of
sophistication or that type of tools now a lot of us represent organizations that are and we do have to think along those lines right we have to consider how much do we put into protecting ourselves all right there's the old axiom I don't have to outrun the bear I just have to outrun you I don't have to be the toughest target on the web I just have to be a little bit tougher than the easiest target on the web putting on the mindset of a hacker again what if you as a hacker are out trolling and you find this huge firewall with encrypted data behind it with three layers of authentication all this newfangled protection what are
you gonna think right away come on it's got to be worth something nobody's going to put this much money and effort into protecting something unless it's really valuable and worth protecting so applying an appropriate level of countermeasure is actually a good thing overkill may or may not be something to consider
so what's hackers look like today what's changed what's new now new is a relative term there are new motivators out there for example if you disagree with someone's opinion that they post on social media does that then make that person a target that you would want to hack are you hacking or an a country a company or an individual if I want to expose you on the web do I have to hack your PC or just your Facebook account or Twitter account we're changing the threat surface I keep wondering in the back of my mind we're all moving to the cloud are we not everything's going to the cloud anyone else concerned about the consolidation of the cloud because now I don't have to
attack a hundred different companies to get their data I just got to attack one and we need to be really really good at protecting that and I'll throw this nugget out there folks do not rely on your cloud provider to provide your security entirely and completely please think about it when you migrate to the cloud think about your protection level once it gets there and the fact that it is still your data to protect and finally where are we going what's next better faster easier tools you can go out and buy yourself a ransomware package right now be careful which site you use because not all of them are actually there to sell you usable
ransomware some of them are actually there to see who's going to pay for it the latest buzzword biohacking heard it right biohacking means a few different things to a few different people it could mean actually biological hacking and creating in the next virus that's resistant to all of its antibiotics or hacking a piece of technology that's embedded in someone's body pacemaker adrenaline pump obviously these are going to be wireless are they not well yeah pretty much you go to you get a pacemaker in now and I have friends that have had pacemakers installed they go to the doctor the doctor comes over with the RFID or the Bluetooth and gets the readings those can be hacked the one
that scares me the most is in biohacking now they're talking about actually hacking the brain and how we think and being able to control that and it's bad enough to hack and manipulate technology but to hack and manipulate people is scary and if you think about the mindset of a hacker and the motivation of a hacker there is someone out there that wants to be the first to do that that is going to apply the resourcefulness the out-of-the-box thinking the persistence and the perseverance to make it happen and I went in with one thought and mark this one down there will be a day when hacking will be used as a tool for murder don't know when don't know how
but it's going to happen folks that scares me all right it's 5:30 on a Friday night it's been a long day any questions before we break let's first give a round of applause to
sir it's not period not really question but as much as commentary okay feel free I noticed that you're throwing in some movie references earlier oh yeah there's a clip from Down Periscope okay commander or the Admiral is talking to the captain asking you know I want a person that thinks like a pirate right I want somebody with a tattoo on their junk do I have that man that might be a good clip daddy really you know I may have to break that one out but I'll say this too just like the Jolly Roger flying on your boat does not make you a pirate ship tattoos and hoodies do not make you a hacker you'll see I don't
have tattoos I have scars scars are just tattoos with better stories other questions or thoughts I could remember that one Down Periscope Matthews I'm like just a sir nobody else great David thank you for your presentation thank you earlier this morning that I'm a military intelligence officer and using my limited critical thinking correct me if I'm wrong but I think I heard you say you might have perpetrated a DNC hack by program red herrings VI for the NSA folks across the hall davi DB r o WN but on behalf of BSides Philly team thank you very much for your talk and here's a challenge coin oh thank you so much [Applause]