Listen to this podcast on iTunes, Spotify or wherever you find your favorite audio content. In this edition of the Beyond the Perimeter Podcast, we discussed the Twitter hack which saw many famous celebrity accounts being hijacked which resulted in spreading a cryptocurrency scam. We also interviewed Len Noe who is a white hat hacker and cyber security specialist.
On July 15th we saw one of the most high profile breaches of the year. At least one hacker known for hijacking high-profile Twitter usernames gained access to an internal “admin” tool on Twitter’s network, hijacked a ton of celebrity accounts — Joe Biden, Bill Gates, and Elon Musk to name a few — to spread a cryptocurrency scam. The hacker made over $120,000 in just a few hours. But how the hacker got in and whether an employee helped remains a mystery. It is likely the hacker found their way into Twitter’s Slack account where they found a set of credentials.
Twitter announced that the hack was done through social engineering. In this type of attack, hackers tend to trick their victims into providing their login credentials for access. Some 130 accounts were affected by the breaches. Twitter later said eight users had their data downloaded — including their DMs. But the company refused to say if the hacker read anyone else’s DMs — even though they’re believed to have had access. The breach could’ve been so much worse, even having serious implications for national security, given that this is an administration that frequently uses Twitter to dictate policy. On July 31st, authorities arrested the 17-year-old hacker who was behind the hack.
In this episode, I talked to white hat hacker Len Noe to get a better understanding of why hackers might transition into becoming a white hat hacker and why organizations should look into implementing white hacker programs,
Most hackers will tell you that their interest in hacking started at a young age. In Noe’s case, it started when he learned he could make small code edits which would change the outcome of a program. “I got into hacking early on. It all started for me back in the Commodore 64 days and the truth is there was a magazine that you could get that would actually give you some very simple, rudimentary programs that you could write for your Commodore 64 and the one that got me was Frogger, the old video game.
“During the time where I was trying to code the game, I messed up some of the code while I was programming and for some reason my frog would not die. It just opened up a whole new world to me if you do something in the background, it can affect what’s going to happen. So that was kind of what really sparked it for me was the idea that I was in control and even though the way that the game was supposed to be played, I could play the game the way I wanted to play it.”
Unlike today where hackers can easily find online different how-to guides and learn from other hackers, back in the ‘80s, Noe had to learn the trade through trial and error. “It was mostly trial and error. I mean you got to remember, this was back in like the pre-Pentium days. We’re talking 386 DX2, 486 with the math coprocessors so you could have the floating decimal point. There were a lot of bulletin board systems and many techniques came from a good understanding that I don’t think a lot of people get these days.
When I was going through this originally, this was when the personal computers were first coming out. You learned how to use a terminal and it was before any real GUI, before OS was available. I just knew how things worked and it was a lot of trial and error and logging in to other like-minded individuals like myself who are into this kind of thing and it was kind of the pre-birth of the hacker collectives. I mean we weren’t hackers at the time because there really wasn’t a term. At the time, we were just geeks.”
Life as a black hat hacker early on wasn’t as dangerous as it is known today according to Noe. “Being a black hat was simpler, at the time, there was no real hacker. There wasn’t any kind of GDPR or any type of disclosure laws in the US. You know, if you got caught hacking, they would slap your hand. Maybe you weren’t allowed to use a computer until you were 18. But it wasn’t until after the 9/11 incident in the United States where any type of hacking really started to become a major issue and started to command heavy jail times and fines.I was always very interested in hacking and I always have had that innate sense of wanting to know not just the fact that it worked but how it works. My father was a mechanic and always told me if you understand the basics, then any of the complicated things become very simple if you break it down to its rudimentary form.”
When asked why he transitioned from a black hat hacker to a white hacker it was simple for Noe. “I don’t like the idea of state-funded vacations. The idea of being locked away just really didn’t appeal to me. I mean I’ve never been one of those – even when I was a black hat, I was never one of those kinds of guys that would go after people and try to steal their personal information or try to ransomware somebody or blackmail somebody. For me, it has always been more about just the puzzle and I like those people who always say, ‘I’m secure.’ Really? Let’s test that theory and I’m a firm believer. If you think you can get into my stuff, come on. If you can get past the securities and the preventative measures that I’ve put in place, then you deserve it.
“For me, it was always am I smarter than the guy that set up the security? I know there are people better than me and there’s an old expression, Those who exalt themselves will be humbled but those who humble themselves will be exalted. Be humble with your security. Know what you’re doing and don’t brag. I’ve seen it so many times in my life where they’re those people who are basically taunted to attack and they always wind up sorry for it in the end.”
Over the past decade, we are seeing more organizations stepping up their internal security team. Noel believes implementing white hat hackers in the internal security teams comes with its advantages. “I think having a red team and white hats on staff is a great idea. It keeps you fluent. It keeps people updated on the types of attack factors that are new and it’s going to keep fresh eyes and people that are actually in this community.
“But at the same time, I also think that even if you do implement a red team or a white hat on your payroll, I think once a year, it’s still a good idea to get an external pen test done or invoke the services of a third party just to keep everybody honest. Always look at security from the sense that it is going to always be as strong – only as strong as your weakest link. Get those fresh eyes and unbiased opinions every now and then. Keep your red teams and your white hats on staff just because these are people that are going to be tuned into what’s going on and what’s current.”
When asked what his advice is for young security enthusiasts looking to become a white hat hacker, Noe emphasized on the importance of taking advantage of the numerous resources online. “ Play, get out there. YouTube is an amazing resource. But study up on YouTube. The one thing I will say about the cybersecurity community is for the most part, we are pretty open with our information. Go to our GitHubs. Go to our YouTube channels. You will find gists of information. You will find example videos of different attack scenarios and different attack applications.
“I have a GitHub repo on my GitHub that is just links for new cybersecurity people. You know, sites like Packet Storm, Vulnhub. One of my biggest recommendations for newbies and a lot of people think I’m stupid for making this recommendation. Vulnhub, if you’re not familiar with it, is a site where you can just go download premade capture-the-flag VMs for VMWare or VirtualBox and a lot of the times, you can actually go to Google or DuckDuckGo and you can search for a walkthrough of that capture-the-flag. For newbies, it’s a great way to actually see and walk through the entire process and at the end of it, you actually are able to complete the capture-the-flag.”
To hear the entire interview with Len please listen to the full podcast here. You can follow Len on Twitter, Github, Youtube and SlideShare.
If you enjoyed listening, don’t forget to subscribe so you never miss a new episode. Please also consider rating the podcast or leaving your feedback on iTunes or wherever you listen.