Question of the Day: How do I become a security specialist (ethical hacker, malware researcher, digital forensics, etc.)

First things, do you like solving puzzles, do you like a challenge, can you stare at a screen for many hours, poring through code, logs, etc?

Were you the sort of child that liked to take things apart to understand how they worked, and more importantly could you put them back together again, without having left over pieces, and did the thing still work at least as well as it did before?

Do you look at things and think, well that should work as expected if I follow the logic, but, if I do this instead, it will bypass that logic and let me access another part of the site/code or infrastructure?

Or, maybe when hearing about a new threat, you quickly see how it works and how you can either slow it down, or stop it dead in its tracks using simple techniques or processes, or by using an existing security control in a different way?

If you answered yes to several or more of the above, then you might have the right mindset for a career in cyber security as an ethical hacker, social engineer, malware analyst or in digital forensics and incident response. If you didn’t answer yes to one or more of the above, don’t worry, you can still work very successfully in other areas of cyber security, just probably not as an ethical hacker or in incident response or malware research.

“If you have the right mindset, you can be taught the skills,
but it is very hard to teach a mindset…”

So, if you do have the right mindset, how should you develop the required skills to get into cyber security?

First, decide, do you like technology or the human side of the problem. That will be your first step. If you are lucky you might be able to do both…

The next step is dependent on the answer to the first question. If technology, then you need to become very familiar with as many operating systems, applications and programming languages as you can (you don’t have to be proficient in all of them to start off, just pick one or two for starters).

If the human side is more your bag, then learn about cons, social engineering, and psychology in as much depth as you can. Then try some of the techniques on friends and family (without breaking the law).

After that, find a mentor, someone that is skilled in the discipline you want to learn, soak up as much knowledge from them as you can.

Read everything you can on the subjects, if available, go on courses, go to events, conferences, local meets to meet likeminded people, be they newbies like you, or security professionals with a decade or more of real world experience to mine for tips and tricks, etc.

If you are looking at doing malware research, ethical hacking or forensics, you will find lots of CTF and analysis challenges that are freely available, do as many as you can; when you fail (and you will) learn from the failure, it won’t be the last time. Even the best fail often, but they always learn as much (if not more) from the setbacks as the successes. Often doing security work is hard and even boring, but when you solve a problem (reverse a piece of malware and understand how it works and how to stop it, or gain access to a system or network, or identify how a bad guy or girl got in), the rush is amazing.

Expect to have to start in a junior role, maybe even working on an IT Helpdesk, doing patching, hardening, server/system builds, etc. We all have to start somewhere.

I started by building and configuring PCs (building them and installing the OS and applications, configuring them, etc.) Then I moved on to reviewing hardware and software for the same company (doing research, etc.), then I got involved with security (malware at first), worked on the IT Helpdesk, did AIX support (a Unix flavour), and finally I built and ran the Internet Security team (defence, as well as ethical hacking). It takes 5-10 years to become proficient enough with a wide range of operating systems, applications, hardware, networking, security tooling, attack methods, malware analysis, and so on. Be patient, don’t take shortcuts, as it will not help you in the long run.

You don’t need degrees or certificates to do well in this area, you do need the right mindset, be willing to learn and experiment, and work long and odd hours, as the job will not be your usual 9-5 one. I left school at 16 and have no degrees or diplomas and have only been on two cyber security courses in over 31 years of working in this field. (One on advanced hacking and the other on advanced digital forensics, both of which I attended to confirm that what I had learnt and been doing for over 20 years (at that time), being mainly self-taught, was right after all, it was! In fact I taught the course instructors a few things that they didn’t know)

Be very wary of the problem of stress; this is a major risk when working in cyber security, especially in Incident Response. Burn out is quite common, if you don’t manage stress correctly.

One thing I will strongly recommend is to look back in history, see what has happened in the past, both from breaches, attack methods, malware types and tricks, etc. There is very little that is “new”, most of the things you will encounter will build on old (tried and trusted) tricks and methodology; usually just updated to the latest OS versions, applications, etc. or re-used to take advantage of the new victim pool (ones that were not around or didn’t take notice the first, second or third time that technique was used).

If you want to learn about web application testing, then there are several training VMs out there, such as SecurityShepherd, that will test your skills in a safe and secure environment quite legally.

On the subject of legality, whatever you do, do not be tempted to step over the line and do something illegal with your skills, as you will constantly be looking over your shoulder waiting for law enforcement to apprehend you. It will also make you less employable in the cyber security world.

You don’t have to be a black hat to be a skilled hacker or to understand how an attack is done or how malware works. As I said earlier in this episode, good ethical hackers may be able to think like a bad guy or girl, they just don’t act like one, in other words you don’t need to break the law to be very skilled in any security field.

After that, expect a lifetime of learning, building on and refining your existing skills, and as things are right now, you will have a long and productive, well paid career helping to counter the bad guys and girls, rather than being one of them…

Anyone that states that you “need to be a thief to catch a thief” or that you “need to be a poacher to be a gamekeeper” or any of the other examples, I say to them, rubbish! There are very few real world cases where being an ex-criminal has made a difference that hasn’t or couldn’t have been made, more effectively, by a good researcher that can think like a bad guy or girl, but hasn’t gone over to the dark side to prove their skills. In fact, of those that were caught, even though the press made them out to be some form of Uber hacker or malware writer, the vast majority had very poor skills; they often used other criminals’ code/techniques to carry out the attack… what most of us in cyber security would call “script kiddies”…

You can make a difference, be on the right side, help defend and protect those in society that are often the victims of the many cyber crimes that happen each and every minute of every hour or every day…

To quote Del Boy Trotter, from Only Fools and Horses, “You know it makes sense, don’t be a plonker”.

If you think I have missed anything important, or I should add something to this article, please let me know.

Ransomware – Extortion by any other name, would be as bad!

This is a companion blog posting to my Episode 0.5 (the Teaser) Podcast about Ransomware, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Ransomware is not new, but how many of you actually know when it first appeared?

Believe it or not, the very first Ransomware appeared in 1989; yes you read that right! Want to know more, then read on, and I’ll explain the history and major changes that have occurred since that very first Ransomware way back in 1989…

Back in Time

The very first Ransomware was the so-called AIDS Trojan which was supplied on a 5.25″ Floppy Disc to thousands of attendees of the World Health Organisation’s AIDS Conference and also mailed out to over 20,000 individuals across Europe.

The disc was created by PC Cyborg which was the company run by Dr. Joseph Popp and it contained a program that claimed to work out your risk/chance of catching AIDS (now called HIV). If you inserted the disc into your IBM (or compatible) PC and ran the program, it would indeed do what it claimed; however after 90 boots/reboots the malicious payload (encryption) would trigger and you would see the following:

AIDS Trojan Ransomware

Ironically, if you actually read the EULA that came with the disc, it clearly explained that you needed to pay a licence fee to use it and that it would encrypt your system if you didn’t pay, sound familiar?

Here is part of the text of the supplied EULA:

"If you install [this] on a microcomputer...
then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs...
In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use...
These program mechanisms will adversely affect other program applications...
You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life...
and your [PC] will stop functioning normally...
You are strictly prohibited from sharing [this product] with others..."

Here is the full version:

EULA from the AIDS information diskette

Luckily the program used trivial encryption and soon a decryption tool was written by Jim Bates and given away for free. He also wrote up his analysis of the Trojan (the term Ransomware didn’t exist in 1989).

An arrest warrant was issued by New Scotland Yard and Popp was eventually arrested at Schiphol airport in Amsterdam during a routine baggage inspection.

From that date his behaviour became very erratic; he was held in Brixton prison until he was due to appear in court. There have been reports that he was known to wear a cardboard box whilst in prison, and that when he finally appeared in court, he had curlers in his beard and a condom (prophylactic) on his nose, allegedly “to ward off radiation”. Whatever the real state of his appearance in court, he was declared “mentally unfit to stand trial” and returned to the United States without charge.

Other researchers (Yung and Young) analysed the Trojan in more detail and wrote a paper on it (in 1996) pointing out its many flaws, but the major one was that it used Symmetric (single key) encryption rather than Asymmetric (Public Key Cryptography, which uses two keys, a Public and a Private key). Most modern Ransomware uses the latter, and this means that unless you have access to the Private key, you can’t decrypt the encrypted data (unless the encryption methodology used is not properly implemented).

The Rebirth…

Not surprisingly, the Bad Guys n Girls were taking notes, and in the early Noughties we saw the re-birth of (or birth of modern) Ransomware. Of course it used Public Key Cryptography (PGP/GPG). Some of the early new versions were named PGP or GPGCoder. However, the problem was how to get the money from a victim without being caught or unmasked (always a tricky issue for any extortionist or blackmailer in the days before cryptocurrencies existed).

We saw a small (compared to the explosion that was to follow) number of these new Ransomware, but all was about to change in 2009 with the first launch of a little cryptocurrency called Bitcoin (invented in 2008).

It took a few years for the cyber-criminals (the Bad Guys n Girls) to catch on to the value of Bitcoin as a method of payment for Ransomware and other crimes, but by around the start of 2013, they had started to embrace Bitcoin and Ransomware exploded over the next 4-5 years. The first modern Ransomware that took full advantage of not only Public Key Cryptography, but also Bitcoin was known as Cryptolocker. Many saw the success of this malware, and promptly developed their own Ransomware strains.

The Business

Once Cryptolocker had arrived, Ransomware quickly became a thriving way to make money for the Bad Guys n Girls. Estimates appeared that claimed that in 2015 Ransomware netted (according to the FBI) over $24 Million USD, in the first three months of 2016 this had grown to over $209 Million USD, and Kaspersky claimed that Ransomware attacks tripled in 2016. Things just got worse in 2017 as we saw the first Worm-enabled Ransomware (which can move from system to system without human help). 2017 is remembered for two major Ransomware attacks, Wannacry in May, and then NotPetya in June (both Worms). The problem with NotPetya was although it acted like Ransomware, it was in reality a wiper, so even if you paid up, you wouldn’t get your data back!

Cybersecurity Ventures predicts that Ransomware will cost $6 Trillion USD annually by 2021.

But read on dear reader, things are about to change, in 2018!

The Future?

As mentioned previously things were about to change in 2018 (actually from the last quarter of 2017)…

During 2018 we saw the number of Ransomware attacks shrink, but the average Ransom being charged increased (significantly), why?

  • The Bad Guys and Girls moved to a more targeted approach, often manually hacking an organisation’s infrastructure, mapping out their network, and then encrypting the organisation’s “crown jewels”. Often part of this mapping would identify where the backups were and these would either be erased (securely) or encrypted too. They started to look for high value targets, rather than use the previous scatter-gun (mass-mailing) approach they had used during 2015-2017.
  • Writing Ransomware is not trivial (if done properly), so the Bad Guys n Girls were also looking for other ways to monetise vulnerable systems (ones they can hack, either manually or via an automated script). They decided to steal the processing power of compromised systems to “mine” cryptocurrency. Less work, less risk and more profit; it was a match made in heaven!

I blogged about the “Curse of Cryptojacking” recently.

However, I don’t think we have seen the back of Ransomware, the Bad Guys n Girls may have moved on to Cryptojacking and Sextortion scams, however, they will continue to hold data and systems to ransom where the payout is worth the effort. Increasingly this means Public Services (Government), Healthcare, Education, and Law Enforcement (including Law firms), as well as the more traditional targets (Retail, Travel, Finance, etc.)

Update March 20th: Ironically, less than 24 hours after I posted this blog, Norsk Hydro was hit by manually deployed Ransomware (in this case it was LockerGoga) which uses the same approach as other manually deployed Ransomware (such as SamSam); the victim’s infrastructure is penetrated via a vulnerability or insecure open port, and the Bad Guys n Girls map out the network and then deploy their Ransomware personally.

Protection?

  • Harden and patch all systems, applications and Cloud infrastructure.
  • Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
  • Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
  • Remove all default accounts and sample content on web and database servers, etc.
  • Close off ports for remote administration, or put them behind a VPN. That includes RDP (Terminal Services), Telnet, SSH and others.
  • Stay aware of new threats and countermeasures, both specific and generic.
  • Train and test your staff; they are often the first and last line of defence.
  • Take BACKUPS, and store them physically off-site (not in the Cloud), and test that they work (do a RESTORE). That way you have the option to recover your systems and data without having to pay the Bad Guys n Girls.
  • If you are using O365 or GSuite enable 2FA/MFA and do NOT allow the services to be accessed via IMAP or POP3, as this will bypass Multi-Factor Authentication (you have been warned!)
  • If you have cyber or crime insurance, check that Ransomware is covered by the policy (most cyber insurance policies currently do cover this, but Property and Casualty policies usually don’t)…

Until next time, stay safe out there!

Have the Spammers Become Lazy?

Is it just me or are spammers getting lazy?

I ask as the latest trick being used by them, that I’ve seen recently, seems to be to get the recipient <victim> to click on one of two buttons in the spam email. Nothing odd about that right? Normal tactics to get victims to go to a fake or booby-trapped website.

However, this is not the case, and there appears to be no malicious code or links in these, so what does it do when you click on one of the buttons in the email?

If you hover over the button, you will see lots of mailto: links (which will send email to the intended recipient specified), in this case it includes not just one mailto: but usually between 10 and 30! So if you clicked on one of the buttons, it simply sends the same email to a bunch of other email addresses…

Furthermore, it makes no difference which button you select as they both do the same thing!

Here’s an example using Facebook as the spoofed sender, but I’ve also seen ones that use FedEx, Google and a whole load of other well known brands….


And here’s one claiming to be from Google:

Most odd!

Please be careful out there…

Anyone out there have any idea why they are using this technique?


Sextortion – Your Money, or Your Pride!

I have been hearing about the recent wave of sextortion emails (these are not a new phenomenon) that many are receiving and I was feeling a little left out, as I hadn’t received a single one of the new campaign… until the other day!

Here’s an edited screen shot of the sextortion email I finally received on the 11th of October, 2018:

It included what it claims is not only my email address, but also my user ID and password for the site they claim I accessed.

Let’s look at this in a bit more detail…

Should I be worried, panic, and pay up?

Of course not, why?

  1. The credentials (user id and password) are ancient and lifted during one of the many data breaches over the last 10 years.
  2. I don’t visit porn sites (yes, really!)
  3. There is NO video, it is all a bluff to get you to panic and pay up, just in case…
  4. I stopped using Facebook a while ago, in fact I closed my account and requested all my data to be deleted weeks ago (well before I got the sextortion email).
  5. I have been working in anti-malware and malware analysis for over 30 years, and I’m used to catching and analysing new malware; guess what, there is no malware on my systems (unless I put it there to analyse it, in a safe environment).
  6. There is NO unique pixel in the email (it is just pure plain ASCII text, no graphics, no HTML, no scripting, no risk). They do not know if you have received or read the email (there isn’t even a receipt request in the email).
  7. The Bitcoin address is not unique, it is used for the whole sextortion email campaign, so they have no way to see if you have paid or not. This is how many modern ransomware attacks and DDoS extortion attempts work; they have no intent in giving you back your data or actually carrying out any DDoS attack. It is all about getting you to believe in what they are telling you, so that they can make lots of money by frightening you in to paying up…
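The checks in the list above (no tracking pixel, no HTML or scripting, a shared Bitcoin address) and the mailto: button trick from the spam post earlier on this page can be automated when triaging a suspicious message. The following is an added example written for this page, not code from the original article; the two sample emails and the Bitcoin address in them are constructed for the test and are not real campaign data.

```python
"""Triage a raw email for the tells discussed on this page (stdlib only)."""
import re
from email import policy
from email.parser import BytesParser
from html.parser import HTMLParser

# Legacy (1.../3...) and bech32 (bc1...) address shapes; checksum is not verified.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")


class _LinkScan(HTMLParser):
    """Collects mailto: recipients, remote images (beacons) and <script> use."""
    def __init__(self):
        super().__init__()
        self.mailto, self.remote_imgs, self.has_script = [], [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        href, src = (a.get("href") or ""), (a.get("src") or "")
        if tag == "a" and href.lower().startswith("mailto:"):
            targets = href[7:].split("?", 1)[0]          # drop ?subject=... part
            self.mailto.extend(t.strip() for t in targets.split(",") if t.strip())
        elif tag == "img" and src.lower().startswith("http"):
            self.remote_imgs.append(src)                  # remote fetch = read receipt
        elif tag == "script":
            self.has_script = True


def triage(raw: bytes) -> dict:
    """Return a summary of HTML/script/beacon use, mailto targets, BTC addresses."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    rep = {"html": False, "script": False, "remote_images": 0,
           "mailto_targets": 0, "btc_addresses": [], "attachments": []}
    for part in msg.walk():
        if part.get_filename():                           # e.g. a "proof" ZIP
            rep["attachments"].append(part.get_filename())
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue
        body = part.get_content()
        rep["btc_addresses"].extend(BTC_RE.findall(body))
        if ctype == "text/html":
            rep["html"] = True
            scan = _LinkScan()
            scan.feed(body)
            rep["script"] = rep["script"] or scan.has_script
            rep["remote_images"] += len(scan.remote_imgs)
            rep["mailto_targets"] += len(set(scan.mailto))
    rep["btc_addresses"] = sorted(set(rep["btc_addresses"]))  # dedupe for wallet tracking
    return rep


# Constructed sample 1: plain-text sextortion bluff (no HTML, no pixel, shared wallet).
SEXTORTION_SAMPLE = b"""\
From: nobody@example.invalid
To: victim@example.invalid
Subject: your account was hacked
Content-Type: text/plain; charset=us-ascii

I have a video of you. Send 700 USD to 1FakeCoinAddrForThisTestPurposeXyz
within 48 hours or it goes to your contacts.
"""

# Constructed sample 2: "Was this you?" buttons that are really mailto: relays.
MAILTO_SPAM_SAMPLE = b"""\
From: security@facebook.example.invalid
To: victim@example.invalid
Subject: Confirm your account
Content-Type: text/html; charset=us-ascii

<html><body><p>Someone tried to log in. Was this you?</p>
<a href="mailto:a1@example.invalid,a2@example.invalid,a3@example.invalid?subject=Yes">Yes</a>
<a href="mailto:a1@example.invalid,a2@example.invalid,a3@example.invalid?subject=No">No</a>
<img src="https://tracker.example.invalid/p.gif" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    print(triage(SEXTORTION_SAMPLE))
    print(triage(MAILTO_SPAM_SAMPLE))
```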

At the time of publishing this article, over 5 days had elapsed (so my pay up deadline had expired) and guess what happened?

NOTHING, NADA, ZILCH, etc.

Update 1st November, 2018: Well, I checked out the Bitcoin Wallet this scammer was using; this wasn’t a very profitable scam as they had only two victims pay up, which is around 1,600 USD. A later variant of the scam I received managed to get thirteen victims to part with 700 USD each, netting around 9,100 USD.

I was at a conference last week and one of the delegates there approached me after my talk and showed me yet another variant of this scam; he was really concerned that his phone and system had been hacked (it hadn’t). I analysed the email and found no trace of any beacon, malware or any active content. This new scammer was more successful as he/she was asking for 803 USD per victim and eighteen paid up, netting the scammer almost 14,500 USD.

Update 8th December, 2018:

More new campaigns, and a few of them are starting to get more bitcoin payments, but others are getting almost nothing. Hopefully the word is getting out and fewer people are falling for this?

A new twist (but not unexpected), the Sextortion scammers are now including links to booby-trapped sites/files that contain Malware (mainly Ransomware, at the moment, but this will change). This means that clicking on ANY links in these Sextortion emails is now far more dangerous; just delete the email or report it, don’t click on any links in them, not even on how to buy Bitcoin!

Here is a screen shot of the activity for a number of Bitcoin wallets that were involved in Sextortion scams:

I will continue to monitor these Bitcoin Wallets and investigate new versions of this scam; stay tuned!

Update 18th March, 2019

A new version has just started to circulate, this time claiming to be from the CIA and accusing you of accessing child pornography. I’m naming this new variant “pextortion”; see the screen shot below of the version I received overnight:

Where you see (victim-email-address), that will be the email address the pextortion was sent to.

You might want to add the following IP address to your blacklist: 51.68.91.127

Again, I am tracking the Bitcoin Wallet(s) linked to this new campaign. I’ll post updates if anything interesting happens.

Update 15th April, 2019

More new campaigns, with many of them using graphics (of the text) instead of plain text; this is an attempt to bypass spam filters. I must have received over 50 of these new variants in the last few weeks. The problem is that because even the Bitcoin Wallet address is now graphical, the chance of anyone taking the time to write down or transcribe it manually to actually pay is almost nil.

Here’s a screenshot of one of the all-graphics versions (not plain text at all); as you can see it is spoofing my own email address as the sender (this is not real, it is just spoofed):

I’m also seeing lots of versions with both plain text and graphics, including a QR code image!

There are also versions running around that have a password protected ZIP file attached, supposedly with “proof” of your naughty activities inside. As the ZIP is password protected you can only see the folder and file names inside, not the actual file contents. This is yet another smoke screen to make you believe the lies they are telling you.

However, this is a growing crime wave and victims do fall for it; look at the statistics below to see how bad it can be, and what you should do if you receive such a threat:

  • What is sextortion?
    – Being blackmailed by cyber-criminals that claim they have got hold of explicit material of you or one of your children, including: Photos, Video, Chat, Text messages, etc.
  • How common is it and who are the main victims?
    – Over 1,304 reported cases in 2017, up from 428 in 2015, although the number is likely to be significantly higher as many of these crimes go unreported. This is just in the UK (not globally, and it is a global scam).
    – The target is usually male, in their teens or twenties, although some girls have also been targeted.
  • How do they work?
    – Victims are usually groomed for weeks/months before the blackmail attempt.
    – Often this happens via fake social media accounts or via targeted phishing emails.
    – Occasionally this may start with a video call, such as via Skype.
    – Many are just scams, they have no data/video of you or a family member.
  • What should you do?
    – Don’t Panic.
    – Don’t Pay.
    – Call the Police (sextortion is a criminal act). It is a form of blackmail.
    – Don’t contact the blackmailers (stop all communication).
  • What are the costs?
    – Amounts requested vary, but typically between £300 and £3,000 is asked for.
    – At least 5 males have taken their own lives due to being a victim of this type of blackmail/extortion.

Stay safe and educate yourself about the risks and ways to reduce your own attack surface; that will make it harder for the Bad Guys n Girls to succeed.