The Hacker Mind Podcast: Hacking Ransomware - Security Boulevard


Robert Vamosi


May 18, 2021

What if you discovered a flaw in a ransomware payment system that unlocked the data without paying the ransom? Would you use it? Would you help others?

In this episode, Jack Cable talks about hacking the Qlocker ransomware and briefly interrupting its payment system. He also talks about his infosec journey hacking cryptocurrencies, joining the Defense Digital Service and CISA, and helping secure the 2020 presidential election… all before the age of 22.

Vamosi: With the Colonial Pipeline criminal attack, we’ve seen that ransomware is an urgent national security risk that threatens schools, hospitals, businesses, and governments across the globe.

Krebs: We are on the cusp of a global digital economy driven by greed, a vulnerable digital ecosystem, and an ever-widening criminal.

Vamosi: That’s Chris Krebs, former director of the Cybersecurity and Infrastructure Security Agency under the US Department of Homeland Security. And he’s right. Ransomware is malware that blocks access to the data on a computer until a sum of money is paid, usually a certain amount of Bitcoin. Fail to pay, and your data is encrypted forever. Sometimes, even when you do pay, your data still might not be recovered. In response to this increasing plague upon the internet, there’s a public/private partnership that has created a task force designed to disrupt the ransom payments, thereby disincentivizing the attacks. The Ransomware Task Force urged the Biden White House to make finding, frustrating, and apprehending the parties responsible for ransomware a priority within the U.S. intelligence community, and to designate the current wave of digital extortion as a national security threat. In a moment we’ll hear about someone who successfully interrupted the ransom payment process all on his own. Oh, and our hero, he’s just 21 years old.

[music] 

Vamosi: Welcome to The Hacker Mind, an original podcast from ForAllSecure. It’s about challenging our expectations about the people who hack for a living. I’m Robert Vamosi, and in this episode I’m going to talk about hacking cryptocurrencies, bug bounties, securing our election systems, and yes, ransomware, and how a high school student has already gained valuable experience in all of the above.

[music]

Vamosi: Everyone’s journey in information security is unique. We all start from different places. For Jack Cable, he started when he was maybe nine years old, and it wasn’t by playing computer games. He was watching over his older brother’s shoulder.

Cable: I got into computers when I was in middle school, so maybe seventh grade or so. So, for context, I have a brother who’s four years older, and he had started when he was in seventh grade. I was maybe nine or so around the time he took this Stanford class, Intro to Programming, and I saw him doing this and was just really amazed at everything he was making, kind of a Facebook thing, a game. All this was just super cool to me, seeing how he was able to program these things from scratch. Of course I was nine, I knew nothing about how it worked, I would just watch him do it, and really want to get more into it. So then when I was the same age as he was, I started doing this Stanford course as well, since all the lectures were up on YouTube. Following through those, doing the assignments, that was kind of my first introduction to programming, seeing how really I could build whatever I wanted, and that really excited me.

Vamosi: Still at an early age, Jack discovered a security flaw in a cryptocurrency app, one that opened the door to a world of bug bounties.

Cable: This was when I was in high school as a sophomore. I was working on building an integration for a cryptocurrency website, a Chrome extension, and I wanted to let people pay money to other people, namely through Twitter. So I was working with their API, and noticed that, first of all, I could send $0.00 Bitcoins. And that was weird, right, because it’s not really doing anything. And then I tried sending, like, negative Bitcoin. And to my surprise, what actually happened was instead of sending money to them it would take money from their account, so I could effectively steal money from anyone’s account. And what was really fortunate was that they had a bug bounty program, so I was able to actually work with them to get it fixed. I had a really positive response, got paid for it, which was nice, and that was my intro to kind of the world of security.

Vamosi: Bug bounties are programs where vendors pay researchers for finding new vulnerabilities. In Episode Seven, Tim Becker talked about specializing in certain types of vulnerabilities in bug bounties, and in Episode Nine, Stök echoed that as well. Does Jack look for anything in particular in his bug bounties?

Cable: So I think it definitely changed over time. Initially when I started doing this, I of course knew very little, so a lot of it was just looking at the standard vulnerabilities out there: cross site scripting, direct object references, all that. One of the interesting ones that caught my eye early on was, I read this post about someone who, I think this was with Starbucks, found a way that they could exploit a race condition to redeem a gift card multiple times, and in doing so they could get, I think it was, kind of an infinite balance with Starbucks. And that was really crazy to me because it wasn’t something that was immediately apparent; you’d have to do something kind of intricate to test for that.

Vamosi: A race condition is when a device or system attempts to perform two or more operations at the same time, but because of the nature of the device or system, the operations must be done in a particular sequence in order to be done correctly. Knowing about race conditions helped Jack with his bug bounties.

Cable: So, that one in particular, I’ve seen a lot more race conditions since. Sometimes, like with that, for instance, you can spend your funds twice and then kind of keep doing that back and forth to get an infinite balance. I’ve seen less of the negative amount, because in some ways it is so trivial that you would think everyone would hopefully think about it, like you shouldn’t be able to send negative one dollar to somewhere else. But of course software is complex, and these bugs do happen. So while I’ve seen it less, I certainly wouldn’t rule it out anywhere, so I think if you were to try it on PayPal right now, I thought that

Vamosi: He also applied this knowledge to cryptocurrency research.

Cable: But I started looking at that, particularly for cryptocurrency companies that had bug bounties, because of course the impact of a race condition for cryptocurrency is potentially being able to steal all the money held by, say, that exchange. And I ended up finding a couple of really weird vulnerabilities that, had I exploited them, I think in one case the wallet had maybe $100,000, like I could have just withdrawn that right then and there if I wanted to. I’d made a fraction of that in bug bounties, but the important part was just knowing that I could have done that, and that now that’s patched up.

Vamosi: Today bug bounties are hosted on a variety of platforms. Vendors host their own, but there are also third parties that act as brokers.

Cable: So yeah, there’s a bunch of platforms out there. So the one I actually started out on, the one that hosted this cryptocurrency company, was a platform called Cobalt.io. I think they’ve pivoted, they said two years ago, more to kind of doing crowdsourced pen testing, but at the time they had these open bug bounty programs that anyone could participate in. Most of them happened to be cryptocurrency companies, which was a lot of where I started out.

Vamosi: Ultimately Jack settled on HackerOne.

Cable: HackerOne had more programs on there, so I started doing that. And I think it’s kind of interesting how each of the bug bounty platforms has this incentive structure in place to keep you hacking on their platform. Like, I just as well could have started out doing this on Bugcrowd and started getting more invitations to private programs there, but I think that there definitely are strong incentives, once you’ve done reasonably well on one platform, to keep focusing on that, because you get access to more private programs. I’ve done a bunch of live hacking events, at least pre-COVID, which are a really great experience. And yeah, you get back, kind of, in a way, by staying loyal to a platform.

Vamosi: So let’s keep some context here. Jack is still a teenager in high school. Most hackers his age are trying their hand at CTFs, such as picoCTF or CSAW. So did Jack try to play any CTFs?

Cable: So not really. I did do some. I got more into bug bounty, and so these were things to do, but that wasn’t how I got into it. Really, most of what I did was just looking at different bug bounty programs across the board, seeing what I could find. Of course, I started from a position of knowing some development; I’d, like, read about SQL injection and whatnot, but had never actually seen that in practice. So a lot of it was just kind of figuring out the landscape, looking at different people’s blogs and tutorials about what they’d found, and then going out and trying that out against different companies with bug bounty programs. So in that way I think they were a really effective way for me to learn in the real world: here’s what companies actually care about, here’s what they’ll actually pay for, which is nice. But yeah, CTFs I did a little, but they weren’t the main thing I did.

Vamosi: HackerOne has elevated bug bounties to live events, spectacles if you will. They fly people such as Stök around the world to HackerOne live events. They even invited Jack. In this case, Jack was invited to hack the Pentagon.

Cable: So that’s kind of a funny story, and that’s something I, again, never thought I would have gotten into. This was shortly after I’d started bug bounties. So I started that maybe when I was 15, and then maybe six months later, by the time I’d turned 16, I got an email from HackerOne. I think the subject was “What if I told you the Pentagon wanted you to hack it?” And this was the first Hack the Pentagon program. So I was invited to participate in that. Since I was just starting out, I didn’t know much. I found maybe two things, both that other people had already found too, so I didn’t get paid for those, but still got acknowledged and got to see just how cool this was, that I was one of the first people being invited to actually hack into the Department of Defense’s networks, and people were getting paid for it.

Vamosi: Hack the Pentagon was the first bug bounty in the history of the US federal government. It was spearheaded by the Digital Defense Service, DDS, a team charged with bringing in private sector talent and best practices to transform the way the department approaches its technology.

Cable: So I started with that one. And what that led to, I participated in another one called Hack the Army later that year, did just slightly better in that. And at that point, the fun part was I was in this Slack group called the Bug Bounty Forum, which is kind of where a lot of bug bounty people were getting together, and it’s grown significantly in the time since. And someone from HackerOne had posted that they were looking for people who had participated in the Pentagon program to fly out to their San Francisco office to meet with people from DDS before the launch of Hack the Air Force. So I took them up on that. They flew me out to San Francisco. I was 16 years old, my parents just gave me the blessing and sent me off.

Vamosi: Okay, so you’re 16, still in high school, and the Department of Defense is introducing you to members of the military and the Air Force. Whoa, how cool is that?

Cable: There I met the Defense Digital Service for the first time. Until that point I’d never seen myself doing work for the government; it seemed kind of just this bureaucracy that you can’t really improve, it’s just always going to be mediocre. But I saw what they were doing, I saw that they were actually taking these practices that kicked off in industry, bug bounties, engaging hackers who can do a much better job of identifying where flaws were. So that really stuck with me, and after that I did the Hack the Air Force competition, where I ended up placing first, finding around 30 bugs, which eventually led me to working for the Defense Digital Service out of high school.

Vamosi: A moment ago I mentioned the Digital Defense Service, DDS. It is, according to its website dds.mil, a team of highly technical nerds from the private sector and government, inclusive of designers, product managers, engineers, and data scientists. Drill down into the engineer category, and you’ll find the engineers are defined as visible pillars of the project teams; whether they’re coding, hacking, or physically engineering hardware, DDS engineers are patient, collaborative leaders on a project. And under that engineering category, you’ll find hackers, who are described as discovering exploits and possible avenues of malfeasance by employing the tools of those who would do us harm, and preventing it.

Cable: So I did some work with DDS over the summer after high school. It was the coolest thing to be able to work at the Pentagon right out of high school; I don’t think too many people get that experience. So that was great. I helped organize some of the Pentagon events, so the one we did was called Hack the Marine Corps, where we had 100 hackers and a bunch of Marine Corps cyber people in a room, kind of collaborating to see what we could do on the Marine Corps networks. So that was really great, and I’ve kept doing it. The way I was hired, I still can work in a kind of part time advisory capacity for DDS.

Vamosi: Somehow Jack ended up working on security behind the 2020 presidential election.

Cable: When I was registering to vote in Chicago, Illinois, I noticed that there was a pretty bad SQL injection vulnerability in the voter registration system. And this was especially bad. This was 2018 or so, the first time I was registering to vote, and I’d seen in 2016 that the Russians had exploited a SQL injection vulnerability in the Illinois voter registration system. So it was really bad that I’d seen this two years later, apparently unpatched, and that kind of set off a pathway of trying to actually disclose this to the right people. I think to a lot of people the way elections work is kind of opaque, and it was to me as well. So I had no idea who actually to get this to. I tried going through the Illinois governor’s office, through some congresspeople, and eventually figured out the right contacts with the help of CISA and got it to them, and they were able to patch that. But that kind of set off my involvement with elections and led me, in the end, to working with CISA.

Vamosi: At the top of the episode we heard from Chris Krebs, former director of CISA. Now Jack is working for CISA.

Cable: Yeah, for context there, for people who might not be as familiar with CISA’s mission: CISA coins itself as the nation’s risk advisor, in that it’s helping the defenders do a better job against these adversaries that are targeting us. It’s tasked with protecting these 17 critical infrastructure areas that span everything from health care to electricity to dams and military. All of this is under CISA’s purview. For each of these areas there is typically an ISAC, an Information Sharing and Analysis Center, that coordinates a lot of the work among these critical infrastructure areas. So for instance, with elections, there’s the broader umbrella of the MS-ISAC, the Multi-State ISAC, and then under that you’d have the EI-ISAC, the elections one, and they’re housed under the Center for Internet Security. What they do is kind of pull together not only the states but all the large numbers of local jurisdictions. And that was actually the main way that we interfaced with them, just because CISA doesn’t have all those relationships with some of these tiny counties, so the ISAC was a helpful partner there to actually be able to reach some of these smaller places, for instance if we’d found a potential vulnerability and needed to get their attention. And what was relevant for the elections, when I was there, so I worked there from June of 2020 to January 2021, is that, because of course elections are highly decentralized by the nature of the Constitution, the states manage their own election systems. So you have all 50 states, DC, territories, and then under that you have counties or whatever local jurisdictions are in place; every state does it a different way. And in total I think there’s something like 8,000 or so individual election jurisdictions, and that’s dependent on how the state is set up. It might be the county, it might be a small town that has a staff of five and a part time IT specialist. We really had huge variance across the elections landscape in terms of the capabilities that these districts had. And of course when it’s them against, as we’ve seen, a nation state actor like Russia, that is not a fair fight. So they need whatever help they can get. That’s kind of where CISA comes into play. And a large part of my focus at CISA was helping to roll out this tool that I’d started building at the Defense Digital Service; it got turned into more of a larger project.

Vamosi: Crossfeed is an asset discovery tool used to monitor and gather information about vulnerabilities on public facing assets supporting national critical functions. Crossfeed collects data from a variety of open source tools, publicly available resources, and data feeds.

Cable: What it does is nothing too special if you’re following the asset inventory, attack surface, footprint space. It’s an open source tool that maps out an organization’s online footprint, so seeing what their assets are, what an adversary would be seeing if they were to be looking at your organization. And the nice part with Crossfeed is it’s kind of given us this outside view, and that is something that, one, attackers are already doing, and two, isn’t anything that someone on the internet couldn’t just go and do, just by visiting your websites, scraping, using some external tools like Shodan.

Vamosi: Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters. For example, by typing in OpenSSL 1.0.1, it will return all the devices still affected by the Heartbleed vulnerability.

Cable: So we were able to put that together and offer it, on what we called an opt-out basis, to states and counties. So instead of it being a program that they had to choose to opt into, which is kind of how CISA’s services had been to this day, they were instead told: we’re going to start doing this unless you would prefer us not to. And that allowed us to get much broader coverage, reaching especially these smaller counties or jurisdictions that don’t have the staff to actually reach out and talk to us. Instead, we would just tell them if we found anything that immediately required their attention. So we did that, and had some successes in warning states and counties about vulnerabilities. And the cool part too is that no one actually ended up opting out. Everyone found value in it when we told them about vulnerabilities, and I think appreciated this extra effort from CISA to tell them where some of their most critical vulnerabilities were ahead of the election.

Vamosi: Election security improved substantially in the 2020 US elections. Shortly afterwards, Chris Krebs announced that the November 3 election was the most secure in American history. There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised. This was in part due to tools such as Crossfeed.

Cable: And we got a lot of feedback that that was something they really wanted, because it gave them kind of a live view of what they had out there. Even if there wasn’t a pressing vulnerability, there might just have been, like, a website that had existed a few years ago that still had some trails left on the internet. So I think that was really valuable, and I was fortunate to be able to give them something that they could actually go and use to better support their security.

Vamosi: Somewhere in all our stories is a typical rite of passage: graduating from high school and settling into a university program. Jack did those things while continuing to work in the federal government.

Cable: So, some of this was concurrent. I did a summer at the Defense Digital Service and then started at Stanford in the fall. But I continued doing some part time work with them, and then continued participating in bug bounties as well, as a junior at Stanford.

Vamosi: It would seem, given Jack’s many accomplishments thus far, that university was perhaps a nice to have. I mean, he could have just gone into the workforce for the government, for Google, for Facebook. But fortunately, he did not.

Cable: Yeah, I think that certainly college degrees are not needed for this kind of work. The vast majority of the practical security work I’ve done, the skills that I’ve learned, have come from outside of college, outside of school. I do think that there’s really no better way to learn than to learn by doing when it comes to security. But at the same time there is certainly value in going to school, not just for security. I think that there’s a long way to go in improving how this kind of stuff is taught, because for instance at Stanford right now there’s maybe two or three classes that are focused on security, and everything else kind of happens without thinking of security at all. So that does need to be improved, but at Stanford I’ve definitely been exposed to not only more fundamentals of computer science, all the underpinnings of how stuff works, and a deeper understanding there, but then also some of the policy level implications of, okay, so stuff is vulnerable, now how do we make this better at a wider scale?

Vamosi: There needs to be a balance of real world experience and university work, but are we doing enough to teach computer security at the university level? Is it mandatory, for example, for those learning to code today?

Cable: Yeah, the answer to that is no. Right now we’re not doing enough on cybersecurity. So this was something I looked into a year or two ago, and out of the top 20 universities in computer science in the United States, only one of them, I think UC San Diego, requires undergrad students in computer science to take a cybersecurity course. So given this, and given that, from what I’ve seen at Stanford, you can kind of go through your undergrad degree without thinking of security at all, there’s a lot missing here, not only for people who are going to be working in cybersecurity, but also people who are working in software engineering. Because of course, if you’re a software engineer, security is still your responsibility; if you write a bug that gets exploited, then harm can be done. So thinking about how we can better lead future software engineers to at least be aware of some of the security consequences, so they can have an intuition, so even if they don’t know everything about security they can say, hey, maybe I should ask the security team at my company about this before something bad happens. So I think that there certainly needs to be both a focus on increasing the cybersecurity workforce, but then beyond that, people working in technical roles should have some minimum understanding of security consequences.

Vamosi: There are some great people working in academia today, such as Alex Stamos, who runs the Stanford Internet Observatory. He previously was with iSEC Partners, then Yahoo, then Facebook, arriving at very interesting times at both of those latter companies. I would think that was very cool indeed.

Cable: Yeah, a lot of interesting stuff, both on the security side and also the closely related area of disinformation, doing work with the Stanford Internet Observatory, and really just working to eliminate harms on the internet. That’s what Alex Stamos came to Stanford to do. He teaches a class called Trust and Safety Engineering, where security is maybe two weeks of that, but his argument is there’s so much bad stuff that’s happening on the internet, we can’t just go back to security. We need to address kind of the everyday harms that, in some ways, hurt a lot more people than just a cybersecurity breach.

[music]

Vamosi: Ransomware. So we started out talking about ransomware. Invariably, anybody who works in security gets asked about it, or they get asked to help out. In Jack’s case, it was a call from a family friend.

Cable: Yeah. So this was, I think, last week. I got a call, this was Wednesday night, I believe, from a family friend. Basically, this network attached storage device that he’d been using, he’s a doctor also, so I think he might have had some patient information there as well as his family photos on it, got hit by this new strain of ransomware. Everything on it was encrypted, and they were demanding a ransom of 0.01 Bitcoin, which is about $550. So he called me to see what I could do. Of course, my response was like, that sucks.

Vamosi: Ransomware is malware that copies the contents of your hard drive, then encrypts it, then demands a ransom be paid before the data can be recovered. If you don’t have anti-malware on your computer that protects against these types of attacks, or if you don’t have good backups, often there’s not much you can do.

Cable: I wanted to see if I could help, though. Yeah, his view was, worst case, pay this tomorrow morning: $500 to get that kind of stuff back that he didn’t necessarily have backed up elsewhere was a no-brainer. But it’s still $500, and I would prefer to avoid that if possible.

Vamosi: There are lots of different ransomware families out there. This was the Qlocker ransomware. So what is that?

Cable: So yeah, from my understanding, the way it works is, there’s this product made by QNAP, their network attached storage. So you can use that to manage and store files from your network. This is a consumer product, and a vulnerability came out, maybe one day or two days before the devices were hit, sometime around then. And this was, I believe, the one that was being exploited. There were several vulnerabilities; there’s one SQL injection and one command injection vulnerability in the device, and this was completely unauthenticated. So if your device, since it’s network attached, in a lot of cases is probably attached to the greater internet as well, and if people can see your device, then they could remotely exploit it in order to hit you with this ransomware. And I think what happened was just a super basic thing, where, to my knowledge, they didn’t even install anything on your device, they just kept running commands on the device to go and encrypt all of your files. So it kept doing that using 7-Zip to do so, just supplying a password, and they would hit you that way. One of the things that someone found was that if you were able to catch this before your device rebooted or shut off, which is probably the first thing that people do, which is unfortunate, so it might not have been able to help many people, there’s a log file that kept a list of all these commands that had been run, all of these 7-Zip commands, and that included the password being used to encrypt the files. So if you were able to catch that, then you’d be able to decrypt the files on your computer without paying. But for most people that was kind of too late, since they’d already restarted their device and the log file got cleared.

Vamosi: So, what did Jack do?

Cable: So that’s the call that I got from him. And he sent me the readme file that they had put on his computer, saying, here’s where you go, here’s your key that you enter in to get the password. So I started looking at that. We left it; he was going to tuck his kids into bed, he’s in Chicago. So it was a while later, and I was looking into it but didn’t have much faith. I was Googling around to see if anyone had found anything; they hadn’t. So then I went to the ransomware website, which was a Tor website.

Vamosi: There are different types of internet. There’s the common internet that browsers such as Chrome or Firefox can navigate easily: type in google.com and you get a search engine. Then there’s the deep web, which is the intranet systems behind passwords and authentication. Then there’s the dark web, an abyss that requires special browsers such as I2P or The Onion Router, better known as Tor. With I2P and Tor browsers, you can access the dark web servers where these ransomware payments can be made, anonymously.

Cable: So I go on there and see kind of a simple flow. And the way it works, which I think is pretty typical for ransomware, is they give you this client key, they call it, that appears to be an RSA encryption of your password, with the private key on these ransomware operators’ servers. If you supply it, and you correctly pay the bitcoins, they’ll decrypt that for you and give you back your password. If you don’t, then you’re out of luck.

Vamosi: What Jack found was that in this particular case, the setup was different, different enough that he could manipulate it into thinking that he had paid the ransom.

Cable: The way the flow worked was quite bad. You had to send 0.01 Bitcoin to the address they provided, and give them your transaction ID. The first thing that I noticed was that the Bitcoin addresses they were using were shared; the Bitcoin address they gave me, maybe 10 or so people had already paid to. So the first thing I tried doing, of course, was just taking one of those transaction IDs and pasting it in, to see if maybe they weren’t checking that it had already been used. Unfortunately, they were, so I got a message that I couldn’t do that because it had already been used. But then this really dumb thing I tried, that I didn’t expect to work, was, I changed the letter at the end of that to upper case and submitted it, and to my surprise, it gave me back the password immediately.

Vamosi: Here’s an example where case, upper and lower, becomes very important. A system that confirms that a particular transaction code has already been used can be misconfigured to not recognize a change in the case of a single character.

Cable: So I think what was happening there was that they had kind of these two checks for these keys. The first was, is this a transaction ID that we’ve already seen before? That was case sensitive, so when they made that check it didn’t look like one they’d already seen, because uppercase B is not lowercase b. But then the second step is looking this up on the Bitcoin blockchain. They supply that transaction ID, and when they do that it’s probably normalized to lowercase. That looks like a valid transaction, so they let it go. So that was kind of what I found, and he tried the password and, behold, it worked.

Vamosi: Jack didn’t share much about the vulnerability he discovered. He didn’t, for example, want the criminals to know anyone had found the flaw.

Cable: So at that point it was kind of an interesting dilemma, right, because you want to help as many people as possible files matching events more operators that there’s the honor system, because of course, if they can find you, they can patch it, and suddenly I can’t get people to keep that. Because fundament actually apply in the tourist site they’re operating. So what I decided to do was I just put something on Twitter, also captured on the forum, essentially saying like, hey, if you’ve been hit with this, I might be able to help, send me a message. And I started getting this quiz almost immediately from people with their keys. Now the thinking there was this word allows people to find me without immediately revealing what follows. Of course, since they are likely storing logs on their server, as they start to see this kind of traffic, they can probably figure that out, so it’s not a permanent thing, but at least I can help some people. And I got messages for maybe 50 or so people within an hour of doing this, and I was able to help them. When through the flow, I didn’t share the plot with them, I just did their password and then from there. So I did this. And at that point, I also started talking with companies that kind of are more experienced with this. Their plan was to gather everyone’s keys upfront and then unexploited all the points before they caught on. But the unfortunate part was right as we were gearing up to this, maybe like two hours after I discovered this. So kudos to him for being on top of this. It was coincidentally 9am or so, last time, so no clue where they’re located, but they’re kind of Eastern Europe, as a lot of these people are dying and, yeah, what’s happening is surprising in the blind. But, yeah, the unfortunate part is that I’ve gotten hundreds of messages from people, still going on to this day, saying like, hey, can you help me, and there’s not much I can do other than pointing them to ransomware best practices.
But yeah, I was able to help 50 people. But yeah, there seem to be a whole lot more who I was not able to help. Yes, still are struggling with this.

Vamosi: Often, as an InfoSec security person, I get asked whether or not a particular malware is super sophisticated. Often it is not; the elements are cut and pasted from other sources, or there’s a kit that allows you to create your own ransomware. So was Qlocker super sophisticated, created by elite

Cable: I think, just based on kind of the super simple pod that I found with payment, I think it’s fair to say that this is probably not a very sophisticated actor. And likewise, like with the method of attacking this, they found a vulnerability that’s published, they reverse engineered the fix in order to find out what the vulnerability was and start exploiting this, so they probably didn’t have to do any actual, like, research into this system other than just kind of monitoring for the CVE, seeing that, and then looking at what the flaw was and targeting people who have yet to deploy the patch. So yeah, I think that this isn’t very sophisticated behavior, and kind of goes along with a broader point that, like, this was a very simple plot and I did not expect it to work, but it ended up allowing me to help around 50 people, paintings and collected $27,000 or so. So I think that really any way we can use the sloppiness of these attackers who are infected can go a long way. Because even though we might think of that runtime as being these ultra sophisticated adversaries, nation states who are coming up with deer dance, but I think getting into everything. The reality is that so many of these are just financially motivated, they’re looking for what is the quickest way they can make money. So if we can make it harder for them to do their job, then that can deter them from doing it in the first place.

Vamosi: I mean, we’ve seen this break in sophistication before. WannaCry, for example, used two NSA exposed tools, EternalBlue and DoublePulsar, in order to land on as many computers as possible. But on the backside, it wasn’t very sophisticated. First, the payment system wasn’t really set up. So people who paid didn’t necessarily get their data returned, and then no one actually would do the payments that were made, which is another story. But then, within the sophisticated WannaCry, there was a kill switch in the code. The malware reached out to the internet to see if a particular domain existed, and if it did, it shut down. So researcher Marcus Hutchins did that–he registered that domain, really just a sequence of alphanumerics–and WannaCry shut down. Puff. Like that.

Cable: I think that’s a great point. Even like if we do as an actor, they will make mistakes too, because, I mean, if you look at DEFENSE. We’d like to think they have pretty good teams, Google, Facebook, all these big companies, the best people in the world protecting their systems. So much so it’s very unlikely that kind of, without any flies to. So, yet really, I think that’s one of the key parts of fighting this is that security researchers can identify not only places where we can very secure our own systems but also there’s any old stuff, like with WannaCry. A simple mistake, a name, that can stop the whole thing. These are things that we have to be working on.

Vamosi: So Jack managed to stop a financial transaction. Actually, he stopped 50 of them, probably worth about $27,000.

Cable: Yeah, that was kind of one of the concerns that had also kind of tweeting about this, talking about it, articles, stuff like that, that is a kind of disrupt them and not that they’re not going to be very happy with me, and that, of course, is a real concern. I think at least with this, I’m not too concerned, because the way it was punch me is that it’s an addressing bucket that they’re making millions of dollars a year, if not a month, doing stuff like this, so me stopping 50 people from paying $27,000 isn’t going to sufficiently impact that. But I do think that kind of like, yeah, if more start doing this, that that couldn’t certainly be a concern, that it’s much like drug cartels, afraid that if you get in the way, then they won’t be very happy with you. So I think that that’s certainly a consideration that has to be made. I’m not personally concerned with this instance, but definitely something to keep top of mind, as happens.

Vamosi: So what’s next? In a year he’ll graduate, and either think about graduate school, or a job, which might include the government or Silicon Valley.

Cable: There’s a lot of estimating areas with security. I have seen that. I think that I’ve never seen. But now, having done it at DDS, it’s clear that there are places where you can make a very large impact. I do think he plays because a lot of people aren’t empowered and don’t have to actually go and do the good work that they’re capable of doing. But I’m certainly hoping grows in government that has allowed me to continue doing this kind of stuff, to better shape how we do up security on the federal level, engaging with critical infrastructure partners. So I’m open to that. I think I’m less inclined to. I know that within Silicon Valley of the word care. I think that’s important, too. But I think kind of the guiding principle here is that so few. There’s such a large need within government for this type of work. And, kind of, this is somewhere where, yeah, I can’t, I want to be able to help.

Vamosi: What advice does Jack have for somebody else starting out in information security?

Cable: So I don’t think by any means it’s limited to the government. And for instance, even add on the social media companies, I think just like, of course, people have opinions about certain parts of government, of the military, how that works. But one of the guiding principles is really, even if you have some disagreements with how that works, it’s better to have a table or to shape how things go and to be able to call for it all, in my opinion at least. And I think that there’s, of course, yeah, government that you can work in, really cool places in the private sector too, beyond the entire industry, I think, even at like Google or Facebook, it is similar to government in that, if you disagree with what they’re doing, there might still be places that you can make better. So for instance, they’re starting to focus more on customer safety, where they’re actually trying to help users, and reduce from other platforms. So if you’re able to do that and you’re able to make an impact, then I think, by all means, that’s the way to go on. But of course, these companies don’t have an incredible track record here, so I think it’s approaching that with skepticism, understanding that you can go and try and help, you may or may not be successful. But that’s, I think that’s definitely a worthwhile area to do that as well, if you’re in a position where you might be able to make.

Vamosi: At the beginning I said Jack got his start with computers, not through games or CTFs, but because his older brother was taking the course. Might Jack still have ended up in computer security?

Cable: That’s a good question. I think I certainly, like, might have been exposed to it, minimally, but I do think that that can prove me to get into this early rather than also determined by, so, my college decisions. So while I might have found my way into it somehow, I think it’s safe to say that it certainly set me on the path much earlier on and drove me to working in this area. So, I think, certainly, to whatever extent we can start earlier, not just to coding, which I think there’s a lot of good work being done there, but also to test the basic security can. Yes, young people.

Vamosi: I’d like to thank Jack for talking about his journey. He’s found some incredible opportunities through programs such as DDS, and through CISA, to make significant gains in information security, and his efforts to support the Qlocker ransomware, even for a few hours, is remarkable. I look forward to following Jack in the future, as he decides what he’ll do after graduating college. I think we’ll hear from him again.

*** This is a Security Bloggers Network syndicated blog from Latest blog posts authored by Robert Vamosi. Read the original post at: https://forallsecure.com/blog/the-hacker-mind-podcast-hacking-ransomware