I get hired to hack into computers now and sometimes it’s actually easier than it was years ago.
Social engineering is using deception, manipulation and influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail.
I think it goes back to my high school days. In computer class, the first assignment was to write a program to print the first 100 Fibonacci numbers. Instead, I wrote a program that would steal passwords of students. My teacher gave me an A.
Security is always going to be a cat and mouse game because there’ll be people out there that are hunting for the zero-day award; you have people that don’t have configuration management, don’t have vulnerability management, don’t have patch management.
It’s actually a smarter crime because imagine if you rob a bank, or you’re dealing drugs. If you get caught you’re going to spend a lot of time in custody. But with hacking, it’s much easier to commit the crime and the risk of punishment is slim to none.
When I was in prison, a Colombian drug lord offered me $5 million in cash to manipulate a computer system so that he would be released. I turned him down.
I made stupid decisions as a kid, or as a young adult, but I’m trying to be now, I’m trying to take this lemon and make lemonade.
It was used for decades to describe talented computer enthusiasts, people whose skill at using computers to solve technical problems and puzzles was – and is – respected and admired by others possessing similar technical skills.
Any type of operating system that I wanted to be able to hack, I basically compromised the source code, copied it over to the university because I didn’t have enough space on my 200 megabyte hard drive.
The hacker mindset doesn’t actually see what happens on the other side, to the victim.
Should we fear hackers? Intention is at the heart of this discussion.
I’m still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.
When an attacker fails with one person, they often go to another person. The key is to report the attack to other departments. Workers should know to act like they are going along with what the hacker wants and take copious notes so the company will know what the hacker is trying to find.
I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access.
No way, no how did I break into NORAD. That’s a complete myth. And I never attempted to access anything considered to be classified government systems.
Both social engineering and technical attacks played a big part in what I was able to do. It was a hybrid. I used social engineering when it was appropriate, and exploited technical vulnerabilities when it was appropriate.
No company that I ever hacked into reported any damages, which they were required to do for significant losses. Sun didn’t stop using Solaris and DEC didn’t stop using VMS.
I saw myself as an electronic joy rider.
I was addicted to hacking, more for the intellectual challenge, the curiosity, the seduction of adventure; not for stealing, or causing damage or writing computer viruses.
Choosing a hard-to-guess, but easy-to-remember password is important!