Cybersecurity Expert Answers Hacking Questions From Twitter

Hi, I'm Amanda Rousseau aka @malwareunicorn

and I'm an offensive security engineer

and this is Hacking Support.

[dramatic music]

[keyboard clicking] [dramatic music]

This Twitter user, @cloud_opinion, asks,

At this point, hackers know everything

there is to know about every one of us.

Why do we need passwords now?

Why keep going to the gym if you're gonna die anyways?

Passwords are kind of a necessary evil.

And hackers really don't know everything about you.

It all depends if you put that

information out there on the internet.

Congrats.

I know what a white hat is, I know what a black hat is.

What is a red hat?

Angry hacker?

I don't think I've heard the term red hat hacker before.

When you're a white hat hacker, you hack for good.

A lotta people in the security industry

are white hat hackers.

And then, for the cyber-criminals, we call them black hats.

There's also this other term called a gray hat

where they could be a IT admin during the day

while moonlight as a black hat during the night.

[mouse clicking]

@hacker4life asks, @malwareunicorn, how do you even begin

learning and exceeding in this field?

I'm trying to become a

penetration tester and need inspiration.

So, a pen tester is kind of like an attacker

that goes and checks all of the external ports,

any openings within someone's network.

But if you really wanna be a penetration tester,

there's a lot of content out on the web right now.

Courses, workshops, they even have events and conferences

where you can meet other people in the field.

You can find a mentor, learn from them.

They would point you in the right direction.

I feel like the hacker culture is pretty open and diverse,

so there's a lotta content out there.

[mouse clicking]

Malware's the worst.

What is its purpose other than wasting my time?

Usually, malware is going after money.

And, if anything, you're considered collateral damage.

When malware is delivered, they're usually

just spraying all the malware to many people as possible,

so it may not be intended for you.

I think of malware as a fashion trend.

You know, there's different malware

every season, every quarter, and you have to

stay in fashion and on trend all the time.

When you think about older malware

that used to occur a couple years ago,

sometimes it comes back in fashion.

[mouse clicking]

This twitter user, @naima, asks,

Jessica Alba is an interesting choice for hacking.

How do hackers decide who they're going to target?

Jessica Alba's a beautiful woman and she's also a celebrity,

so she sounds like a great, shiny object

for cyber-criminals to go after,

but a lot of them have different motivations.

It could include money, is probably the biggest one.

Another one would be reputation.

They would be like, Ha ha, I hacked this person.

It could be information, kind of like corporate espionage,

and then we have destruction, which is kind of rare.

Basically what it is, they try to destroy

all the systems to put that company out of business.

[mouse clicking]

@KyleeMinaj asks, Why do they make the login process

for your student loan aid so difficult and tedious?

If some hackers want to break into my account

and pay off all my student loans,

please don't make it difficult for them.

Y'all are gonna ruin this for me.

Let them run wild in there.

Kylee, these hackers are not gonna go and pay off your debt.

If anything, they're gonna go

into the system to pay off their tuition,

so a lot of these controls are in place

to hinder hackers like that to get into your account.

It's an unfortunate thing to do

but, you know, it's necessary.

[mouse clicking]

@AxelBlazen asks, Speaking of [beep],

what is even the point of these bot accounts

that follow you but, well, that's it.

No messaging or anything, no spam, just follow.

Like [beep] sake, it's dumb.

Well, these accounts are doing something

that may not pertain to you, what we call account aging.

So what that means is they're trying to

bypass a lot of automated detections from social media

that they have in place to look for fake accounts.

And so, by tweeting or messaging

or making any type of action,

they're trying to bypass detection

to look more like a legitimate account.

[mouse clicking]

This Twitter user, @andrewcheeky, asks,

What will they think of next?

Is there anything that has been corded in the last decade

that hackers haven't found

a vulnerability to do some damage?

If you think about your fridge at home

being able to connect to the WiFi or your pressure cooker

being able to connect to an app on your phone,

a lot of these devices are developed

in a way where they're looking for

the lowest possible cost of manufacturing,

so when they get to the security part,

it's kind of like an afterthought,

so until things change, we're gonna

still have these problems with IoT devices.

[mouse clicking]

Twitter user @sifbaksh: @malwareunicorn,

what should my first step be in debugging?

Should I just get a file and a book and start doing?

The best way is to just jump right in.

Think about it as riding a bike.

It takes time, it takes practice,

but eventually, you'll get it.

There's a different debugger for every operating system

but they're not easy to learn unless you start, you know,

just doing it yourself and training yourself and practicing.

Like, I don't remember every single command in a debugger.

I have to use a cheat sheet.

[mouse clicking]

Twitter user @stormwuff_: My awesome boss says that

I can request to change my job title

to whatever I want it to be

in our company profile [obviously safe for work].

Could anything random like

Pokemon Hacker or Cybersecurity Wizard.

What do you guys think it should be?

Well, I can see you just said, Obviously safe for work,

so I think you should just name yourself Safe for Work.

[mouse clicking]

This Twitter user, @SuB8u, asks, Your smart TV

and your video streaming apps are collecting and sharing

tons of data, just because they can.

How long before we can start having embedded cameras

that malware triggers surreptitiously?

I have unfortunate news for you.

This has been happening minus six years

and it's gonna continue to happen, so too late for you.

[mouse clicking]

@Alessan82718685, that's a mouthful: Why do you hate C#?

Man, his handle looks like a bot. [laughs]

I don't hate C#, C# hates me.

[mouse clicking]

@theonlyoneofyou asks, Why can't hackers do anything useful

like leak Taylor's recordings of Babe and Better Man?

Grow up, hackers.

Well, if you don't already know, Taylor Swift has

an alter ego that we call @SwiftOnSecurity

and she's considered a security pro

in the cybersecurity industry,

so no one actually wants to hack her.

But if you're in the know and you know

who that is, then you know who it is.

[mouse clicking]

This Twitter user, @zer0wn asks, Can we stop calling

people who DDoS [beep] hackers?

Journos, why the hell do you even

call them hackers to begin with?

Looking for legitimate answers as I am confused as hell.

Well, let me set the record straight.

There's a difference between hacker and a cyber-criminal,

so if we were to refer to the bad guys,

I would rather prefer to call them a cyber-criminal.

There's a lotta people in the security industry

that consider themselves hackers.

There's a lotta people that hack for good.

@WMRamadan asks, @malwareunicorn,

I have a simple yet daunting question.

Why do you use a Mac for your security work?

I mean, a lot of people argue the fact

that Linux is the way to go in terms of security.

Mac is similar to Linux.

Think about two different brands of cars.

They look different on the outside

but they could be sharing the same chassis underneath.

There's not a lotta malware out there for Mac and Linux.

I mean, it's there, but, you know,

currently most of the malware is on Windows.

[mouse clicking]

The Bishop, or @JoshHarris25:

What is the point of spam emails?

Are they profiting from it?

What do they gain from spending random unnecessary emails?

When people send out spam emails,

they're sending it to thousands and thousands of targets.

Say you had a million emails sent out

and they're requesting $1.

These cyber-criminals are expecting

that 1% will actually bite.

A lotta these cyber-criminals will treat this as a business,

so it becomes very lucrative for them.

@Cybor_Tooth: @malwareunicorn, if you were to

create a timeline for an incident, what would it look like?

Just curious because your design skills are cray cray.

Well, a lotta people don't know this,

but before I got into computer science,

I was actually pursuing a degree in graphic design,

so a lot of it, from my time doing that,

carries over into my work.

Back when I used to work at the Department of Defense,

I used to create these 3D videos

to describe different type of network layouts.

I didn't know 3D design at the time,

so I spent a weekend, taught myself,

and the next day, started, you know, making content.

If you can make things look nice and be able to

communicate the actual abstract content, it helps.

[mouse clicking]

@dontlook asked, Yeah, but bad pick up lines

and phishing really any different?

Low effort, easy reuse, and rarely do you get a success.

I really think phishing is more effective

than saying a pickup line.

@ivladdalvi: I studied WannaCry case in NHS hospital.

A disaster seemed totally preventable.

Why didn't they patch?

Were they lazy? Stupid?

In the case of this incident, a hospital

in the UK was under a ransomware attack.

It happened because they didn't

upgrade their servers or their computers.

And this is the whole reason

why upgrading is really important,

but when you think about it, some of these infrastructures

like a hospital or a power plant,

a lot of 'em cannot experience any downtime.

So when you do do an upgrade, you have to

shut down the systems for a little while.

[mouse clicking]

@Tyro733 asks, As someone who doesn't work in Infosec,

what are red and blue team?

I'm assuming red are the pen testers.

These terms actually come from the military

where they would perform military operations,

they have a team that acts as a red team doing the attacks

and the blue team serves as the defense team.

Similar to what we have in cybersecurity in that

the red team is hacking the blue team's systems.

The whole point of what the red team does

is to enumerate holes within a network.

We wanna find the holes before the bad actors do.

Think of it like we're sparring partners.

So, we're really not there to antagonize the blue team

or anything like that, we really wanna

work together with the blue team.

[mouse clicking]

@r00tzasylum: Hacker kid interviewed his mom

about what it's like to build a career in Infosec.

Something @defcon parents often think about:

how do we inspire kids to go into this space

and see it for the fun and challenge that it is?

Well, when I was young, I had no idea

I was gonna be in this job.

I actually had to know that this job existed

in order to actually go into it.

If there was a chance that, at a career fair,

you would have someone who gets to hack for living,

I think that would be a really cool thing to have.

You have to have the correct

mentality to be in this industry.

The whole hacker mentality is

creatively thinking outside the box,

solving a problem that's out of the standards

or norms of how it's supposed to execute.

If we kind of use that type of mentality

in some of the content or workshops

or anything that we reach out to these kids with,

it'll kind of inspire them to

wanna solve problems in this field.

[mouse clicking]

This Twitter user, @Arfness, asks,

Why do stock image hackers

exclusively wear ski masks and hoodies?

Well, I think the photographer was going for

a feel of an actual robber or a criminal,

but there is a reason to wear something on your face.

They're trying to hide their face

from cameras or any type of identifier

that will attribute them to a crime.

And why they're wearing hoodies,

I can imagine that some of these server rooms are super cold

and they need to cover their ears.

[mouse clicking]

If you don't already know, you know,

some of us actually dress like this to work

and I actually have a ski mask for all of my outfits.

Lemme put it on for you guys.

And it's not complete without the glasses.

We're good to go, it's time to hack.

[keyboard clicking]

This has been Hacking Support with Amanda Rousseau.

You guys stay safe out there.

[dramatic music]