- Hi, I'm Amanda Rousseau
aka @malwareunicorn
and I'm an offensive security engineer
and this is Hacking Support.
[dramatic music]
[keyboard clicking]
[dramatic music]
This Twitter user, @cloud_opinion, asks,
"At this point, hackers know everything
"there is to know about every one of us.
"Why do we need passwords now?"
Why keep going to the gym
if you're gonna die anyways?
Passwords are kind of a necessary evil.
And hackers really don't
know everything about you.
It all depends if you put that
information out there on the internet.
"Congrats.
"I know what a white hat is,
I know what a black hat is.
"What is a red hat?
"Angry hacker?"
I don't think I've heard the
term red hat hacker before.
When you're a white hat
hacker, you hack for good.
A lotta people in the security industry
are white hat hackers.
And then, for the cyber-criminals,
we call them black hats.
There's also this other
term called a gray hat
where they could be a
IT admin during the day
while moonlight as a black
hat during the night.
[mouse clicking]
@hacker4life asks, "@malwareunicorn,
how do you even begin
"learning and exceeding in this field?
"I'm trying to become a
"penetration tester and need inspiration."
So, a pen tester is
kind of like an attacker
that goes and checks all
of the external ports,
any openings within someone's network.
But if you really wanna
be a penetration tester,
there's a lot of content
out on the web right now.
Courses, workshops, they even
have events and conferences
where you can meet other
people in the field.
You can find a mentor, learn from them.
They would point you
in the right direction.
I feel like the hacker culture
is pretty open and diverse,
so there's a lotta content out there.
[mouse clicking]
"Malware's the worst.
"What is its purpose other
than wasting my time?"
Usually, malware is going after money.
And, if anything, you're
considered collateral damage.
When malware is delivered, they're usually
just spraying all the malware
to many people as possible,
so it may not be intended for you.
I think of malware as a fashion trend.
You know, there's different malware
every season, every
quarter, and you have to
stay in fashion and on trend all the time.
When you think about older malware
that used to occur a couple years ago,
sometimes it comes back in fashion.
[mouse clicking]
This twitter user, @naima, asks,
"Jessica Alba is an
interesting choice for hacking.
"How do hackers decide who
they're going to target?"
Jessica Alba's a beautiful woman
and she's also a celebrity,
so she sounds like a great, shiny object
for cyber-criminals to go after,
but a lot of them have
different motivations.
It could include money, is
probably the biggest one.
Another one would be reputation.
They would be like, "Ha
ha, I hacked this person."
It could be information, kind
of like corporate espionage,
and then we have destruction,
which is kind of rare.
Basically what it is, they try to destroy
all the systems to put that
company out of business.
[mouse clicking]
@KyleeMinaj asks, "Why do
they make the login process
"for your student loan aid
so difficult and tedious?
"If some hackers want
to break into my account
"and pay off all my student loans,
"please don't make it difficult for them.
"Y'all are gonna ruin this for me.
"Let them run wild in there."
Kylee, these hackers are not
gonna go and pay off your debt.
If anything, they're gonna go
into the system to pay off their tuition,
so a lot of these controls are in place
to hinder hackers like that
to get into your account.
It's an unfortunate thing to do
but, you know, it's necessary.
[mouse clicking]
@AxelBlazen asks, "Speaking of [beep],
"what is even the point
of these bot accounts
"that follow you but, well, that's it.
"No messaging or anything,
no spam, just follow.
"Like [beep] sake, it's dumb."
Well, these accounts are doing something
that may not pertain to you,
what we call account aging.
So what that means is they're trying to
bypass a lot of automated
detections from social media
that they have in place
to look for fake accounts.
And so, by tweeting or messaging
or making any type of action,
they're trying to bypass detection
to look more like a legitimate account.
[mouse clicking]
This Twitter user, @andrewcheeky, asks,
"What will they think of next?
"Is there anything that has
been corded in the last decade
"that hackers haven't found
"a vulnerability to do some damage?"
If you think about your fridge at home
being able to connect to the
WiFi or your pressure cooker
being able to connect
to an app on your phone,
a lot of these devices are developed
in a way where they're looking for
the lowest possible cost of manufacturing,
so when they get to the security part,
it's kind of like an afterthought,
so until things change, we're gonna
still have these problems
with IoT devices.
[mouse clicking]
Twitter user @sifbaksh: "@malwareunicorn,
"what should my first
step be in debugging?
"Should I just get a file
and a book and start doing?"
The best way is to just jump right in.
Think about it as riding a bike.
It takes time, it takes practice,
but eventually, you'll get it.
There's a different debugger
for every operating system
but they're not easy to learn
unless you start, you know,
just doing it yourself and
training yourself and practicing.
Like, I don't remember every
single command in a debugger.
I have to use a cheat sheet.
[mouse clicking]
Twitter user @stormwuff_:
"My awesome boss says that
"I can request to change my job title
"to whatever I want it to be
"in our company profile
[obviously safe for work].
"Could anything random like
"Pokemon Hacker or Cybersecurity Wizard.
"What do you guys think it should be?"
Well, I can see you just said,
"Obviously safe for work,"
so I think you should just
name yourself Safe for Work.
[mouse clicking]
This Twitter user, @SuB8u,
asks, "Your smart TV
"and your video streaming apps
are collecting and sharing
"tons of data, just because they can.
"How long before we can
start having embedded cameras
"that malware triggers surreptitiously?"
I have unfortunate news for you.
This has been happening minus six years
and it's gonna continue to
happen, so too late for you."
[mouse clicking]
@Alessan82718685, that's a
mouthful: "Why do you hate C#?"
Man, his handle looks like a bot. [laughs]
I don't hate C#, C# hates me.
[mouse clicking]
@theonlyoneofyou asks, "Why
can't hackers do anything useful
"like leak Taylor's recordings
of Babe and Better Man?
"Grow up, hackers."
Well, if you don't already
know, Taylor Swift has
an alter ego that we call @SwiftOnSecurity
and she's considered a security pro
in the cybersecurity industry,
so no one actually wants to hack her.
But if you're in the know and you know
who that is, then you know who it is.
[mouse clicking]
This Twitter user, @zer0wn
asks, "Can we stop calling
"people who DDoS [beep] hackers?
"Journos, why the hell do you even
"call them hackers to begin with?
"Looking for legitimate answers
as I am confused as hell."
Well, let me set the record straight.
There's a difference between
hacker and a cyber-criminal,
so if we were to refer to the bad guys,
I would rather prefer to
call them a cyber-criminal.
There's a lotta people
in the security industry
that consider themselves hackers.
There's a lotta people that hack for good.
@WMRamadan asks, "@malwareunicorn,
"I have a simple yet daunting question.
"Why do you use a Mac
for your security work?
"I mean, a lot of people argue the fact
"that Linux is the way to
go in terms of security."
Mac is similar to Linux.
Think about two different brands of cars.
They look different on the outside
but they could be sharing
the same chassis underneath.
There's not a lotta malware
out there for Mac and Linux.
I mean, it's there, but, you know,
currently most of the
malware is on Windows.
[mouse clicking]
The Bishop, or @JoshHarris25:
"What is the point of spam emails?
"Are they profiting from it?
"What do they gain from spending
random unnecessary emails?"
When people send out spam emails,
they're sending it to thousands
and thousands of targets.
Say you had a million emails sent out
and they're requesting $1.
These cyber-criminals are expecting
that 1% will actually bite.
A lotta these cyber-criminals
will treat this as a business,
so it becomes very lucrative for them.
@Cybor_Tooth: "@malwareunicorn,
if you were to
"create a timeline for an
incident, what would it look like?
"Just curious because your
design skills are cray cray."
Well, a lotta people don't know this,
but before I got into computer science,
I was actually pursuing a
degree in graphic design,
so a lot of it, from my time doing that,
carries over into my work.
Back when I used to work at
the Department of Defense,
I used to create these 3D videos
to describe different
type of network layouts.
I didn't know 3D design at the time,
so I spent a weekend, taught myself,
and the next day, started,
you know, making content.
If you can make things
look nice and be able to
communicate the actual
abstract content, it helps.
[mouse clicking]
@dontlook asked, "Yeah,
but bad pick up lines
"and phishing really any different?
"Low effort, easy reuse, and
rarely do you get a success."
I really think phishing is more effective
than saying a pickup line.
@ivladdalvi: "I studied
WannaCry case in NHS hospital.
"A disaster seemed totally preventable.
"Why didn't they patch?
"Were they lazy? Stupid?"
In the case of this incident, a hospital
in the UK was under a ransomware attack.
It happened because they didn't
upgrade their servers or their computers.
And this is the whole reason
why upgrading is really important,
but when you think about it,
some of these infrastructures
like a hospital or a power plant,
a lot of 'em cannot
experience any downtime.
So when you do do an upgrade, you have to
shut down the systems for a little while.
[mouse clicking]
@Tyro733 asks, "As someone
who doesn't work in Infosec,
"what are red and blue team?
"I'm assuming red are the pen testers."
These terms actually
come from the military
where they would perform
military operations,
they have a team that acts as
a red team doing the attacks
and the blue team serves
as the defense team.
Similar to what we have
in cybersecurity in that
the red team is hacking
the blue team's systems.
The whole point of what the red team does
is to enumerate holes within a network.
We wanna find the holes
before the bad actors do.
Think of it like we're sparring partners.
So, we're really not there
to antagonize the blue team
or anything like that, we really wanna
work together with the blue team.
[mouse clicking]
@r00tzasylum: "Hacker
kid interviewed his mom
"about what it's like to
build a career in Infosec.
"Something @defcon
parents often think about:
"how do we inspire kids
to go into this space
"and see it for the fun
and challenge that it is?"
Well, when I was young, I had no idea
I was gonna be in this job.
I actually had to know
that this job existed
in order to actually go into it.
If there was a chance
that, at a career fair,
you would have someone who
gets to hack for living,
I think that would be a
really cool thing to have.
You have to have the correct
mentality to be in this industry.
The whole hacker mentality is
creatively thinking outside the box,
solving a problem that's
out of the standards
or norms of how it's supposed to execute.
If we kind of use that type of mentality
in some of the content or workshops
or anything that we reach
out to these kids with,
it'll kind of inspire them to
wanna solve problems in this field.
[mouse clicking]
This Twitter user, @Arfness, asks,
"Why do stock image hackers
"exclusively wear ski masks and hoodies?"
Well, I think the
photographer was going for
a feel of an actual robber or a criminal,
but there is a reason to
wear something on your face.
They're trying to hide their face
from cameras or any type of identifier
that will attribute them to a crime.
And why they're wearing hoodies,
I can imagine that some of these
server rooms are super cold
and they need to cover their ears.
[mouse clicking]
If you don't already know, you know,
some of us actually
dress like this to work
and I actually have a ski
mask for all of my outfits.
Lemme put it on for you guys.
And it's not complete without the glasses.
We're good to go, it's time to hack.
[keyboard clicking]
This has been Hacking
Support with Amanda Rousseau.
You guys stay safe out there.
[dramatic music]
