VICE and I recently worked together to create a video, 10 Questions You've Always Wanted to Ask an Ethical Hacker.
We created it to briefly introduce what ethical hacking is. Being only a 5-minute video, it was challenging to get everything covered, and I wanted to make sure that, even though things often seem doomed to be hacked, there is still hope in keeping yourself secure.
Let's dive into the questions asked:
1. What is an ethical hacker?
Hacking isn't malicious in itself; it's finding new ways to make something do what it wasn't designed to do. An ethical hacker is an innovative person who looks at something for what they can make it do rather than what it was created to do.
When preparing for a talk David Prince and I did on Offensive Security, we had Dean do a sanity check. We wanted to express how, whilst we were teaching people how to hack, we weren't building our own hacker army. Dean was able to summarise that into a sentence.
"Just because you have the skills doesn't make you malicious." - Dean Kelshall
The thing is, all the ethical hackers, security researchers and specialists I know aren't out there to do harm; they're using their skills to educate and help.
2. What's the biggest misconception about hackers?
The media likes to portray hackers as mythical creatures with wizard-like skills: unicorns who can manipulate technology into giving up its secrets.
I don't see the world in binary, and I can't use my lenses to find the password in the Matrix... Unfortunately, I haven't received my wizard robes just yet, so for me, I'm a normal mortal human who is generally just curious. I get distracted easily, and I'm not great at doing what I'm told. When I look at something, I think: what can I do with this?
Breaches reported as "highly sophisticated" often aren't. There are highly skilled people out there, but there are also plenty who reuse existing tooling or exploit old vulnerabilities that simply weren't patched.
The zero-day may sound exciting, but often it's the two-hundred-day exploit that gives access: a fix has been available for months and nobody applied it. Patch management is a large part of cyber security. You don't need to know all the jargon; simply keeping your software updated makes a real difference.
3. What exactly do you do?
A lot of failing, trying again, and eventual success.
When a client comes to us with a question, we review what they have and what they want to achieve. Ethical hacking is just one part of a bigger plan to secure you and your environments.
There are three approaches:
Black box: the hacker is told nothing about your environment, or even your people. All information is gleaned from open sources, from IP addresses down to employee names. This is the most realistic form, since it mirrors what an outside attacker sees, but it takes the most time and often costs more.
White box: the hacker is provided with all the information needed, including IP addresses, email addresses, document naming formats, etc. This is used when time is limited or the budget is tight, as the effort goes into testing rather than discovery.
Grey box: as you can imagine, it sits between white and black. This is the approach I've seen most often: some details are given, and some are researched.
However, there are many types of ethical hack. You can review software or a website, break into an office, or test network configurations. How it is approached depends on the client's end goal.
4. What's the weirdest thing you've heard of being hacked?
As stated in the video: adult toys. I'm not saying don't use them; have fun however you like, but be aware.
If it connects to the internet, it has the potential to be manipulated. If you want to use one, look at the reviews and the company's reputation, including whether it receives security updates.
5. What's the most common hack?
Phishing leads the way! Phishing emails can be targeted at specific individuals (see spear-phishing) or sent as general campaigns with the widest possible set of targets. Phishing is efficient because almost everyone has an email address, and, combined with social engineering, it is extremely effective.
6. Do people underestimate the dangers of social media security?
Scott Helme and I filmed two different episodes in late 2017 dealing with exactly this: how much of the personal information available online is provided by us.
The challenge is that humans are social beings. We want to share our achievements with friends and family, and the Internet has just made this easier. Our communities are larger because of social media sites and our ever more connected world. Unfortunately, not everyone liking our photos has innocent intentions.
We need to be conscious of the information we put online.
We can enable privacy settings and limit the audience on our social media accounts. However, remember that platforms can be compromised, so when you're uploading images or information, think before you post. Are you happy for the world to know this? If not, is there any way you can minimise what you share?
I'm not saying don't use social media at all; I mean, I was hired off of Twitter! I'm just saying be mindful of the information you are making available, and whether you are comfortable for others to know it.
7. How safe is sexting and sending nudes?
It's your life, and your body, and you have a right to do as you wish with it. My advice here is simply think before sending.
Realise that when you send data to someone, no matter what it is, you are losing control of that data. If you're sending photos, you need to trust that the person(s) you're sending them to will honour your wishes.
Secondly, the company that owns the software you and the recipient use will also need to be trusted. Apps such as WhatsApp, Threema or Signal help keep the communication secure, because these chat platforms are not just encrypted, they're end-to-end encrypted: the messages can only be read on the devices in the chat, and the provider's servers relay them without being able to read the content (though they may still see who is messaging whom, and when).
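To make the difference between "encrypted" and "end-to-end encrypted" concrete, here is a small model of a chat server that relays messages. It is an added illustration, not code from WhatsApp, Threema, Signal or the original post. The cipher is a toy SHA-256 keystream XOR chosen only so that key handling is visible; it is not secure, and real apps use authenticated encryption plus a key-agreement protocol. The party names, the assumption that the two devices already share an end-to-end key, and the sample message are all constructed for the example.

```python
"""Toy model: transport-only encryption versus end-to-end encryption.

Added illustration, not code from any messaging app. The cipher below is a
deliberately simple SHA-256 counter keystream XOR so that key handling is
visible; it is NOT secure (no authentication) and must not be reused.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

NONCE_LEN = 16


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a keystream derived from (key, nonce, counter). Toy only."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + keystream_xor(key, nonce, plaintext)


def decrypt(key: bytes, blob: bytes) -> bytes:
    return keystream_xor(key, blob[:NONCE_LEN], blob[NONCE_LEN:])


@dataclass
class RelayServer:
    """The provider's server. It holds a transport key per device (think TLS)
    but, in end-to-end mode, never holds the key the two devices share."""
    transport_keys: dict
    log: list = field(default_factory=list)

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        # The server terminates the sender's transport encryption, so whatever
        # sits inside is visible to it (and logged here), then it re-encrypts
        # the same payload for the recipient's transport connection.
        inner = decrypt(self.transport_keys[sender], blob)
        self.log.append({"from": sender, "to": recipient, "payload": inner})
        return encrypt(self.transport_keys[recipient], inner)


def send(server, sender, recipient, message: bytes, e2e_key=None):
    """Send one message via the server. With e2e_key set, the message is first
    encrypted for the recipient, so the transport layer only carries ciphertext.
    Returns (what the recipient reads, what the server logged)."""
    inner = message if e2e_key is None else encrypt(e2e_key, message)
    delivered = server.relay(sender, recipient, encrypt(server.transport_keys[sender], inner))
    received = decrypt(server.transport_keys[recipient], delivered)
    if e2e_key is not None:
        received = decrypt(e2e_key, received)
    return received, server.log[-1]


def run_demo(message: bytes = b"meet at 7, bring the docs") -> dict:
    """Constructed scenario: Alice sends Bob the same message both ways."""
    keys = {"alice": secrets.token_bytes(32), "bob": secrets.token_bytes(32)}
    e2e_key = secrets.token_bytes(32)  # assumed agreed between the two devices only
    server = RelayServer(transport_keys=keys)
    got_t, log_t = send(server, "alice", "bob", message)
    got_e, log_e = send(server, "alice", "bob", message, e2e_key=e2e_key)
    return {
        "transport_delivered": got_t == message,
        "transport_server_saw_plaintext": log_t["payload"] == message,
        "e2e_delivered": got_e == message,
        "e2e_server_saw_plaintext": log_e["payload"] == message,
        "server_still_knows_metadata": (log_e["from"], log_e["to"]) == ("alice", "bob"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The server does exactly the same work in both runs; the only difference is whether the payload it unwraps was already encrypted with a key it never had. Note the last line of the result: even with end-to-end encryption the server still learns who talked to whom and when, and nothing here protects a message once it is sitting on the recipient's device.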
My friend Dr. Jessica Barker also made a great point: if you're sending nude images, removing identifying details can help if the image is lost, such as not including your face, or things like birthmarks or tattoos. Photo files can also carry identifying metadata such as location and device model, so it is worth removing that too.
Remember, when you put things online there will always be a risk that they are lost; even big sites fail sometimes. In the event that your image is lost or someone attempts to use it against you (see sextortion), remember that, no matter what, you are worth more than the number of people who have seen you naked. It's just skin, and although at the time it may feel like your world is ending, I can promise you it isn't.
Many people have fallen victim to malicious people doing exactly this. If someone is attempting to shame you for a decision you made, remember that you are not alone!
8. Have you ever been hacked?
Services such as Have I Been Pwned? let you check whether your email address has appeared in a known breach and notify you of new ones, which helps with monitoring your online accounts.
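The same service also lets you check whether a password has appeared in a breach without ever sending it the password. The added example below (not code from haveibeenpwned.com or from the original post) shows how that works: the client hashes the password with SHA-1, sends only the first five hex characters of the hash to the public range endpoint, receives every hash suffix in that bucket, and does the match locally. The sample response and its counts are constructed for the example; only the prefix and suffix of SHA-1("password") are real.

```python
"""Check a password against Pwned Passwords using the k-anonymity range API.

Added example, not code from haveibeenpwned.com. Only a 5-character hash
prefix ever leaves the machine; the service cannot tell which of the
hundreds of suffixes in that bucket you were interested in.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> tuple:
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skip malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Add-Padding makes every bucket response a
    similar size so an observer cannot infer the prefix from the length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


# Constructed response for bucket 5BAA6, the prefix of SHA-1("password").
# The counts and the other two suffixes are made up; padding rows have count 0.
SAMPLE_RESPONSE = """\
1D2A5E0C9F6B4F3C2A1B0D9E8F7A6B5C4D3:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2F0F7A1E5C3B9D8A6E4C2B1F0D9E8C7B6A5:0
"""


def offline_fetch(prefix: str) -> str:
    """Stand-in for fetch_range so the example runs without network access."""
    return SAMPLE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, fetch=offline_fetch)} times")
```

Swap `offline_fetch` for the default `fetch_range` to query the real service. A non-zero count means the password is already in attackers' wordlists and should be changed; a zero means only that it has not been seen in a published breach, not that it is strong.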
I am human, and even worse, I'm an outspoken woman: I've had an abuser target me, but there are also communities out there that simply don't like the success of others.
Nothing is 100% secure, but you can take back control by enabling things such as multi-factor authentication, auditing information you have online, and more. (working on a post currently)
9. What advice do you give to people to keep them secure online?
a. Review what accounts and information you have online. Close accounts you no longer need, and remove information that you don't want shared.
b. Enable multi-factor authentication wherever it is available, and review security settings such as Trusted Contacts.
c. Terms and Conditions are hard to understand; resources such as the Children's Commissioner's campaigns on keeping children safe online can help you make sense of them.
d. Be proactive. The unknown can be absolutely terrifying, but knowledge can enable you and your family to be more secure.
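Multi-factor authentication comes up twice above, so it is worth seeing why a stolen password alone is not enough once it is on. The added example below (not code from any authenticator app or from the original post) implements the time-based one-time code scheme (RFC 6238 TOTP) that authenticator apps use: the six-digit code is an HMAC of the current 30-second time step under a secret that only your device and the service hold. The secret used is the RFC 6238 test-vector secret so the outputs can be checked against the RFC; the acceptance window and the clock values are assumptions for the example.

```python
"""How an authenticator-app code (RFC 6238 TOTP) is derived from a shared
secret and the clock, plus the server-side check that accepts it.

Added example, not code from any authenticator app. The secret is the RFC 6238
test secret; a real one is the base32 string inside the enrolment QR code.
"""
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds each code is valid for
WINDOW = 1   # assumed: accept one step either side to tolerate clock drift


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = unix time // STEP."""
    return hotp(secret, at // STEP, digits)


def verify(secret: bytes, code: str, at: int, window: int = WINDOW) -> bool:
    """Server-side check: constant-time compare against neighbouring steps."""
    return any(
        hmac.compare_digest(totp(secret, at + off * STEP), code)
        for off in range(-window, window + 1)
    )


def decode_secret(b32: str) -> bytes:
    """Authenticator apps ship the secret as base32 (often unpadded); decode it."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


# RFC 6238 SHA-1 test secret ("12345678901234567890") in base32
TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


if __name__ == "__main__":
    secret = decode_secret(TEST_SECRET_B32)
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify(secret, code, now))
```

An attacker who only has your password cannot compute the code, because it depends on the secret held by your device. The caveat a practitioner would add: a code typed into a phishing page can be relayed to the real site within its 30-second window, so TOTP reduces but does not remove the phishing risk from question 5; phishing-resistant methods such as hardware security keys do.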
10. What's it like being a woman in this industry?
When I started, I didn't know where to look for support. I didn't have role models in the industry, and I was told so often that women couldn't succeed that I often believed it.
There are communities online, meet-up groups, and brilliant organisations that promote diversity; this was one of the main reasons I chose Baringa.
Reach out. We all have to start somewhere, and I promise you asking for help will make a difference. I personally have 5 Cyber Heroes I wrote about previously who made a huge impact on my career.
When you're alone, anything can feel insurmountable, but as a community we can overcome.