Goddy Ray, devoted online security and privacy advocate

Any connected device can be hacked. But our perception of cybersecurity is messed up, and we don’t pay enough attention to our digital lives even if malicious actors compromise them.

Last week we published part I of our exclusive interview with a “White Hat Hacker.” He told us about hacking social media accounts and the differences between hacking and crime. In the second part, the hacker answered a few of our questions about hacking aircraft, the most promising cybersecurity trends and, of course, VPNs.

– How did you learn to hack?

– That’s a tricky one. My background is technical. I started out as a forensic scientist. I was always into technology. I broke a lot of things trying to find out how they worked when I was a kid, but I started my professional career only about 3 years ago when I got the offer to join a cybersecurity company. I accepted it, although I did not really have either the skills or the experience.

The first year was a nightmare for me. I felt I didn’t know anything even though I did. They only let me learn for that long because the demand was extremely high and the market was exhausted with only a handful of hackers in my country.

– When was your first hack?

– I was 15. The internet was quite slow back in the day (it was around 2005). Our ISP installed a wireless network, but not in a way we use it today. It was an outside antenna pointed directly to the ISP.

The thing was, I needed to share my internet connection with a new desktop, so I connected it to my router’s free switch port. But there was a problem: I couldn’t use the same static IP that was already taken by the first computer, so I just used a random IP address within the same subnet.

As it turned out, the ISP hadn’t assigned specific IPs for their clients and did not limit the connections from the same access point. So I found a working IP address that had around 1 Mbit/s uplink (as compared to our 256 Kbit). And that’s how I got the fastest internet in the neighborhood. I didn’t consider it a ‘hack’ back then, and the ISP was not aware of it either. I used it for a few years until the ISP upgraded us to fiber internet.

– What motivates you?

– Appreciation and acknowledgment. Everyone wants to be the coolest kid in the playground. Personal achievements and successful attacks keep my spirit up.

– What tools do you use for hacking?

– There are many. All hackers have their own personalized set of tools they use. Almost all of them use Linux distributions specialized for hacking. I use Kali Linux for my daily routines. Also, a powerful desktop is a must for some in-depth research. As well as a laptop for mobility. I have a few of those.

Some use Kali Linux as their primary OS and some specific devices like internal WiFi cards that are capable of running in monitor mode. Also, there are some specific devices like external WiFi adapters, network tap devices, small ARM-based computers. The list goes on.

– How does a hack happen?

– There are 3 stages. First, reconnaissance. Every security audit starts with reconnaissance. It’s passive and, later, active information gathering. At this stage, hackers observe running services and applications in their scope, check software versions, open ports. Also, hackers use search engines like Google or even Bing to find potentially sensitive data indexed by them. Then, they enumerate all the vulnerabilities and prepare for the exploitation stage.

Second, exploitation. At this stage, hackers try to exploit vulnerabilities which they’ve found. Depending on their findings, hackers can compromise systems on different levels. If the vulnerability is low in risk, some configuration data can be gathered, or some sensitive information disclosed. Critical level weaknesses often provide attackers with full access to the systems.

Third, post-exploitation. Post-exploitation is something that is done after the vulnerability is successfully exploited. At this stage, hackers gather all the data that they find interesting, try to use compromised systems to reach other systems, run malicious software on compromised systems.

– What is the damage that leaks from federal institutions can cause?

– After a group of hackers called The Shadow Brokers leaked the NSA’s hacking tools, criminals used one of the exploits (known as EternalBlue) to create malware. Some of the most dangerous havocs, such as WannaCry ransomware, etc. were released, and an entirely new ‘era’ of malware began. From my personal experience, for a long time after the disclosure, it was still possible to use the tools to break into almost any Windows system. Just because users were slacking and didn’t patch their systems in time.

– How can we help people improve their cybersecurity habits?

– The understanding of cybersecurity is crooked. If somebody breaks into your house, you immediately change the locks, secure your home. Yet, when your account is pwned, most of you don’t even change your passwords. The attack surface is extensive, and exploits can be used against you in so many ways – like damaging your reputation, etc. Everything depends on how ambitious the attackers are.

What I know from my experience, cybersecurity awareness can be raised if people get some personal information about them – like a password or a webcam screenshot.

Once we audited a young company in Western Europe. They wanted our report to be a bit more interactive. So we used a zero-day exploit, hacked every employee’s computer camera and took screenshots. Hence, instead of welcome cards employees got screenshots of their webcams. This was effective immediately.

– Maybe that’s why ‘sextortion’ scams work as well? One recent case was when scammers sent people their passwords from previous data breaches, claiming they also have a screenshot of them watching porn and asked to transfer a few thousand dollars to their crypto wallets. There were a lot of people tricked and a lot of money extorted.

– Yes, indeed. When scammers don’t have enough information about their ‘targets,’ the so-called social engineering is a common hacking method. It’s toying with emotions, because the scenarios are super convincing, and that triggers the panic.

Similar scamming models emerge all the time. There’s one when people receive emails from ‘themselves’ – i.e. scammers are able to impersonate existing email addresses without having any access to them. And this is so easy to do! For example, my email is [email protected], and I get an email from the same address. Sometimes there’s a ‘?’ mark by the fake address when the mailbox is unable to verify the email signature, but overall impersonating you isn’t difficult at all.

– How much is different data worth in the black market?

– Zerodium is an example, but it’s not a part of the black market. They buy zero-day vulnerabilities. One good exploit (like EternalBlue) can earn you a million dollars. The rumors go that platforms like Zerodium actually belong to federal institutions.

Mobile exploits are about twice as expensive. For example, iPhone remote jailbreak costs around two million dollars, browser exploits go for around 100K-500K.

– What about aviation? How safe is it actually?

– An aircraft flight control system has a backup system which has its own backup system which also has its backup system. Therefore, there are at least 4 flight computers. Passengers use completely isolated systems, for example – to charge their phones, use multimedia, etc.

But there are a lot of signals and data links that send and receive particular telemetrics. For example, double-decker planes have thousands of sensors for GPS/GPWS/TCAS/ILS, flight surfaces and other systems which transmit information to the manufacturer using satellite data links and can produce 2-6TB of telemetry data per day. And all of this data can be compromised. For example, if a hacker knows how to use Software-defined radio (SDR), he or she can intercept aircraft signals. For instance, the well-known project flightradar24.com is seeded by radio equipment deployed by some aviation/radio tech enthusiasts. The equipment captures and parses ADS-B signals from aircraft.

Furthermore, aircraft communication signals aren’t encrypted and still use UHF. For like $15 you can make a kit to listen to air traffic control, so anyone can do it at home. As of now, it’s just too difficult to implement encryption – it would make the communications with airports or other aircraft so much more complicated.

Thus, there are so many attack vectors. A hacker can send fake GPS signals to the airplane and get it off its route – it’s just one example.

– Internet security guru and academic Bruce Schneier in his new book ‘Click Here to Kill Everybody’ discusses severe cyber attacks, gives examples of remotely hacked cars, etc. Schneier claims – the more devices we connect, the more vulnerable we are. Do you agree with his point?

– Indeed. To his point – a few examples. Not so long ago researchers tested smart kettles – the ones that users can remotely turn on from anywhere via a smartphone app. They found that by overheating it, you can start a fire. Furthermore, let’s take a smart garage gate control system – using a good-old brute force attack, it’s kind of easy to hack remote controllers. Or, if your car is connected to the internet, it’s a potential target for hacking attacks.

– What security trends do you find the most promising?

– I think people are getting more aware of the importance of passwords, and how easy it is to compromise them. Especially, think of the massive breaches in the last few months. Like Collection #1, according to the estimations, over 8 billion combinations (approximately 5 billion unique) were leaked. I have a database of around 4.8 billion email and password combinations which I got from publicly available data breaches. Hence, the increasing popularity of password managers, in my opinion, is a good start.

– Finally, what is your opinion on VPNs?

– I personally use them. A lot. It’s a great way to hide your traces and stay anonymous. Naturally, I do have a bit of paranoia over some stuff I do on the internet, so staying incognito is a must for me.

I also tested many providers for certain things that could compromise trust. Some were better than the others, but at the end of the day, I think it’s a matter of personal preference. I choose well-established providers just because I know I can trust them.