ProjectX RootCON


Two months ago, the ROOTCON 5 hacker and security conference took place in Cebu, Philippines. I am honoured to have been invited to give a presentation on ‘Cyberwarfare in the Age of #Anti-Sec’ and to be a panelist for the following discussion on ‘Cyberterrorism: Is the Philippines ready?’. However, the conference, with its great speakers and nice and hospitable people, provoked some thoughts. I spent quite some time with beer and discussions in order to figure out for myself why having a hacker conference is a very good thing. Well, first of all, white hats, the information security people, go to learn new tricks and also share protection mechanisms with each other. On the other hand, having an event like that in broad daylight (or the fancy Cebu Parklane Hotel for that matter) raises awareness.

Awareness of hacking, for me, is a very crucial point in developing security solutions. I do not mean only awareness by private companies or the state – what I usually mean – but also and predominantly by the people. Why is that? Basically, there are two major attack vectors of a cyberattack. The first one is vulnerability probing and trying to get hold of admin rights in order to install a backdoor and proceed from there. That happens against company server systems or webhosting, but not necessarily against private individuals (unless there is a particular person you have a grudge against). If private computers are targeted, it is most likely either to make money or to make them part of a botnet. From there it goes further. In order for a botnet to be powerful, it needs to have the numbers (and be hardened against take-downs and take-overs). You don’t get the numbers by individually probing and hacking into systems. You get the numbers by what I would like to call the Single Point of Entry (SPE), or: Social Engineering.

As I have already written on Social Engineering, I am not going into details anymore. It functions as SPE in two ways: 1. a forged email with an infected attachment is sent to you and somehow tries to convince you to open the attachment, or 2. websites (genuine or fake) are infected with code that enables malware penetration of your system when you simply click on the link ‘you need a new codec to watch this, please install’. However, in both ways, it needs you, the user, to actively do something wrong. Therefore, it has to be convincing enough and has to convince you. If we are past the SPE, most likely you are already screwed. If the malware is already in the library of your security suite or the exploitation target is already patched, you are lucky. If not, you are doomed. What can happen then I have already described in ‘your picture, my hostage’, amongst other articles: sound and video capturing, key stroke capturing, data theft, identity theft, an empty bank account, and so on and so forth. If you are lucky, your computer will only become part of a zombified network of computers attacking some governmental website or become a platform for Warez exchange. In the worst case, you will lose all your money, all your files and, because your computer acted as the last proxy of a cyber attack against the Pentagon, you might also lose your freedom... for a couple of hours or days.

I do not ask anyone to become a computer pro. If there is an unpatched exploit in the software you are using and a zero day is applied in order to get hold of your system without you even getting the chance to not click the new codec download, that is bad luck. Or the wrong operating system for that matter. However, the SPE can be protected against when you learn how to anti-social-engineer. And that is a matter of awareness. If you know how things work and you are always told to only open attachments from sources you know, etc., you might end up with a far better chance to keep your computer individualistic and not having tea with other zombies in the cloud.

Hacker conferences raise awareness. Become aware. Now.
