What Should We Know About Hackers?

As a security guy, I get involved with hackers (black, white and grey hats), hacking incidents, security issues and so on. One of the interesting things is that you will see a well-reputed company or website get hacked, not because the hacker is so smart but because the company forgot one of the key security best practices. Here are some notes you should know about hackers and hacking incidents:

  • Gap Between Academic and Industry Security: Several people are doing PhDs in the area of security, and governments spend millions in budget on academic research; you will see the outcomes as published papers. Unfortunately, academic research doesn't have much impact on industry security. They end up playing with numbers and mathematical formulas and make things complex, but they fail to provide an actual solution to industry. For this reason, you will see several university professors who have been hacked by teenage hackers. It is because they have a different understanding of security compared to industry. In industrial research, things are different. They normally won't publish their results, because they don't want hackers to figure out a way to bypass them. Their research is adopted directly into industry. Therefore, if you see a professor or PhD student in security, don't leave your company to them; you will gain nothing but embarrassment when a teenager takes over your company's network.
  • We are the smartest guys: Most people don't know how hacking works; they just see a guy playing with a black screen full of code who then gets a lot of data, and they say wow, they are cool. Even though hacking requires certain talent and expertise, not all hackers are that super smart. In most cases, they just know some code and scripts which are publicly available, and they copy, paste and modify them to get the job done. Having a dark screen with some code on it does not make them super. You should look at what they are actually doing to see whether they are a really smart hacker or just someone playing with some scripts.
  • I could hack into everything: We know that in the world of security nothing is unbreakable. No matter how well you secure your systems, there could be a way to break into them. But it doesn't mean every hacker could hack into everything. They are required to have expertise in certain areas, and they need to try and do research to figure out how to hack into your system. They might get more failures than successes, or they might not be able to hack into your system at all.
  • Linux is the most secure operating system: Several people say "we are migrating to Linux", which is absolutely WRONG. If you have any friend who is a hacker, just ask them about hacking Windows versus Linux. If you are a hacker yourself, you will know what I am saying. Hacking Linux is a lot easier than hacking the latest version of Windows. Just have a try. It doesn't mean there is no way to hack Windows, but to do that you need to spend a lot of effort, and normally you couldn't hide your identity after hacking it. This is one of the reasons that the top-secret servers and systems of the NSA, US Army, NATO, CIA, FBI, Europol and so on are all running on Windows.
  • No one ever knows about my hacking: The sun won't stay behind the cloud for too long. Even the best and most professional hackers have been discovered by the authorities, and the internet is not just a free place without any trace or detection. On the other hand, authorities are getting new tools to better discover cybercrimes and hacking incidents. Therefore, if you are a black-hat hacker who hacks into companies and damages them, it is better to switch to being a white-hat hacker who helps companies secure themselves, and be a good hacker; otherwise, you won't have a nice future.


Hacking is an interesting journey; if you want to be a hacker, try to be a good one. Try to help companies with their security issues. If you are a black-hat hacker, you may also switch to become one of the good guys.


How to Protect Your Home Wireless Network?

Hackers and cybercriminals are interested in hacking Wi-Fi networks. It is much easier for them, since they just need a Wi-Fi adapter and don't need to connect their device to a physical cable. If they have the right tools and the right skills, they could use a laptop, tablet or even a mobile phone to hack into a wireless network. Here are some tips which we could follow as home users to protect ourselves against wireless hacking.

Encryption Protocol and Passwords: There are protocols to encrypt connections, like WEP or WPA. If you look into the encryption settings of your modem, you could check which ones are supported and which is more secure; normally WPA2 is more secure than WEP and WPA. The enterprise standard would use digital certificates, which is more secure, but as a home user you might need to use the simpler and cheaper method, which is a password. You should look into your modem's specification, see what standards are supported and use the most secure one. Then you also need to select a strong password. It should be long and complex. Normally, I suggest creating a long and complex password, saving it in Notepad, putting it on a flash drive and pasting it into your connected devices, then saving the password there. It is a good idea to change your password regularly, at most every 90 days.

Number of Connected Devices: On some routers, you may set the maximum number of connected devices. In this case, you could count how many devices are connected to the router and set that as the maximum. So let's say you are connecting 6 devices to the Wi-Fi router at the same time; if someone else tries to connect, the connection will be rejected (unless you have fewer devices connected at that time, e.g. 5 devices).

MAC Address Filtering: The MAC address is the physical address of a device. On some routers you may set MAC filtering, where you enter the MAC addresses of the devices which connect to the router and set a rule that only accepts devices which match those addresses and rejects the rest.

Hide SSID: If you have already used Wi-Fi, you might have seen that when you turn on Wi-Fi, you see the names of access points. This is actually their SSID, and on some routers you may set it to be hidden. Then when you turn on Wi-Fi, you won't see the name of your access point; you have to type it manually and then you will be asked for the password.

Guest Wi-Fi: Let's say someone is visiting you and you want to grant him or her access to your Wi-Fi. Some Wi-Fi routers have a guest account; normally you should leave it disabled and only enable it when a guest is coming. This account places some restrictions on the guest user and protects your own internet access, and you could set limitations like the amount of time allowed on the Wi-Fi or a bandwidth limit.

Router Login Page: In order to make any changes to the router, you have to log in to the router's admin page. It is recommended to change the default username and password for this login. Some routers have an option to only allow admin access through the LAN and block it over Wi-Fi; make sure you set this option. In addition, you should set it to only grant access from the local network and block remote access. This basically means you could only change router settings when you are physically connected through a direct LAN cable.

Reduce Signal Frequency: The above methods are a great help in stopping hackers: for example, hiding the SSID hides your router from cybercriminals, MAC filtering blocks external devices from accessing the router, and a strong password stops the bad guys from hacking your router. However, hackers are always working on ways to bypass these, and there is one way that no one could hack into your router unless they are close to it: setting the signal range of the connection. When you reduce the signal, you could only connect to your router when you are within range, i.e. close to your router. It is recommended to place your router in a location where you get a signal inside your home but cannot get a signal outside your home. In this case, only if someone manages to get into your home is he or she able to connect to your Wi-Fi.

It is also recommended to enable Wi-Fi logging and check the log files regularly for suspicious activity.
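
As an added example (not from the post), here is a small checker that puts the logging advice together with the MAC-filtering, device-count and LAN-only-admin tips above: it reads router log lines and reports unknown devices that joined anyway, more simultaneous devices than expected, repeated failed join attempts, and admin logins that arrived over Wi-Fi. The log format, MAC addresses, IP address and interface names are constructed for this example; adapt the regexes to your router's real log lines.

```python
"""Review a home router's Wi-Fi and admin log for the conditions the
hardening tips are meant to prevent.  Everything below (log format,
addresses, thresholds) is constructed for illustration."""
import re

# Household assumptions (constructed): allow-listed MACs, the number of
# devices expected at once, and the only interface admin logins may use.
KNOWN_MACS = {"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"}
MAX_DEVICES = 3
ADMIN_IFACES_ALLOWED = {"lan0"}
AUTH_FAIL_THRESHOLD = 3

WIFI_RE = re.compile(
    r"^(\S+ \S+) wifi: STA ([0-9a-f:]{17}) (associated|disassociated|auth-failed)$")
ADMIN_RE = re.compile(
    r"^(\S+ \S+) admin: login ok user=(\S+) from=(\S+) iface=(\S+)$")


def review_log(lines):
    """Return a list of (timestamp, kind, detail) findings for the log lines."""
    findings = []
    connected = set()      # MACs currently associated
    auth_failures = {}     # MAC -> count of failed join attempts
    for line in lines:
        m = WIFI_RE.match(line)
        if m:
            ts, mac, event = m.groups()
            if event == "auth-failed":
                # Many failed joins from one address looks like password guessing.
                auth_failures[mac] = auth_failures.get(mac, 0) + 1
                if auth_failures[mac] == AUTH_FAIL_THRESHOLD:
                    findings.append((ts, "repeated-auth-failure",
                                     f"{mac} failed {AUTH_FAIL_THRESHOLD} times"))
            elif event == "associated":
                connected.add(mac)
                if mac not in KNOWN_MACS:
                    # MAC filtering should have stopped this device; it joined anyway.
                    findings.append((ts, "unknown-device", f"{mac} is not in the allow list"))
                if len(connected) > MAX_DEVICES:
                    findings.append((ts, "too-many-devices",
                                     f"{len(connected)} connected, limit is {MAX_DEVICES}"))
            else:
                connected.discard(mac)
            continue
        m = ADMIN_RE.match(line)
        if m:
            ts, user, addr, iface = m.groups()
            if iface not in ADMIN_IFACES_ALLOWED:
                # The admin page was reached over Wi-Fi although it should be LAN-only.
                findings.append((ts, "admin-over-wifi", f"{user} from {addr} via {iface}"))
    return findings


# Constructed sample log (not any real router's output).
SAMPLE_LOG = """\
2024-03-01 20:10:02 wifi: STA aa:bb:cc:dd:ee:01 associated
2024-03-01 20:10:05 wifi: STA aa:bb:cc:dd:ee:02 associated
2024-03-01 20:10:30 wifi: STA 02:11:22:33:44:55 auth-failed
2024-03-01 20:10:31 wifi: STA 02:11:22:33:44:55 auth-failed
2024-03-01 20:10:32 wifi: STA 02:11:22:33:44:55 auth-failed
2024-03-01 20:11:00 wifi: STA 02:11:22:33:44:55 associated
2024-03-01 20:11:40 admin: login ok user=admin from=192.168.1.77 iface=wlan0
2024-03-01 20:12:00 wifi: STA aa:bb:cc:dd:ee:03 associated
2024-03-01 20:30:00 wifi: STA aa:bb:cc:dd:ee:01 disassociated
""".splitlines()

if __name__ == "__main__":
    for ts, kind, detail in review_log(SAMPLE_LOG):
        print(ts, kind, detail)
```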

Have a safe Wi-Fi connection.


Hacking Cars!

Computer technology came to car manufacturers and makes our lives better. A central computer can play video, monitor activity in the fuel system and so on. Then communication came into place, and we could connect our mobile devices to a car and then view SMS, play music and even answer calls. As we go forward, these technologies are getting smarter; for example, HERE proposes a way to have a better life with cars by monitoring traffic, seeing which places are likely to damage your car, and finding places to park. I strongly recommend you visit the demos on the HERE website. Going forward, cars are getting smarter thanks to IoT. It is actually a good thing, because soon we will have cars that drive us, and our government will have better data to create rules and monitor the situation. So next time your car breaks down, you just need to press a button and it automatically logs the problem and requests service to your location; you don't need to call a number, share several pieces of information, send your location and explain what happened. As we move our cars onto the internet, it introduces new risks too. What if someone hacked into our cars and performed some malicious actions, intentionally broke down our cars, or even damaged the braking system and caused injury, or in the worst case, death? There are proofs of concept for hacking cars out there, and it is a challenge for car manufacturers to keep their consumers safe in internet-connected cars. As to why this problem started in the first place, we could classify the causes of car hacking into the following categories:

Lack of expertise: Just because someone can connect to the internet and write a bit of Python code doesn't make him or her an expert in the field of cybersecurity. The problem arises when people from other backgrounds, like mechanical engineering, physics or electronics, design a system which requires expertise in software engineering and computer security. Building a safe car which protects passengers against accidents is not the same as building a car that protects them against hackers.

Requirements Changed but the Design Method Didn't: When they design cars, they care about the safety of cars and protecting passengers against accidents; they calculate probabilities to protect passengers against failure of the brake system. But when they connect cars to other devices and even the internet, they just perform a basic security test and create a system which could just work. There is no regular update or emergency response to cyber threats in internet-connected cars yet.

Lack of Threat Modeling: They investigate and create a system which is safe by design, but no model has been proposed to simulate attack scenarios against cars. The closest model would be Microsoft Threat Modeling, but they don't even use it.

To overcome these problems and build safe internet-connected cars, car makers should hire people with expertise in cybersecurity to work with the car manufacturer's designers. They should create new test cases to evaluate the safety of the car from both the physical-security and cybersecurity perspectives. A special team should continually evaluate and respond to threats targeting cars which are connected to the internet. In a new design, risks related to cyberattacks must be identified and prioritised, and methods to mitigate and defend against them should be defined. A new model should be created to define attacks and propose defences, and also to create a cycle that identifies new threats and combats them regularly. Updates should also be patched into cars without harming the user experience. Updates could also be installed during regular PC maintenance.

In conclusion, internet-connected cars are a new opportunity, and if they are designed well, they could even prevent deaths and accidents. Just imagine, in your city, if the majority of cars are internet-connected: when you are too close to another car, it will automatically detect this and press the brake. But if the risks of cyberattacks targeting these cars are not identified and mitigated properly, it would create a greater risk. Therefore, we need to identify them and prepare ways to protect ourselves against them.


What is Cyberterrorism?

If we want to define cyberterrorism in one sentence, it is when someone sits behind his/her PC and uses the internet to conduct terrorist incidents. In other forms of terrorism, they need to gain access to a certain location and place a bomb, hijack an airplane or take hostages, and they have to be physically there. But in the case of cyberterrorism, no physical presence is required. It is not so simple that everyone could do it, and public information as of today doesn't describe a real case of cyberterrorism, but as the internet becomes global and new technologies which depend on cyberspace are adopted, we will face cyberterrorism in the future if we don't take the right action today. Let's discuss some possible examples of cyberterrorism to show its risk. There are nuclear reactors which rely on a connection to a device running an operating system; they might not be connected to the internet, but Stuxnet proved that they could still get infected. An attacker could just infect a PC of a company which collaborates with the nuclear facility, and if their PC gets infected, one infected USB drive could get there and stop operations. In the worst case, a virus might blow up the nuclear reactor and kill people. Many people rely on GPS to navigate between cities, and the GPS usually relies on the internet to detect areas with traffic in real time, so it could recommend a route with less traffic. What if someone hacked this system and faked traffic data to force drivers to go in the direction they want, and there they perform a terrorist attack? What if they hacked into the train system and modified it to cause a collision between trains? The same goes for aviation systems, forcing airplanes to crash by giving them the wrong direction. In a more advanced case, they might create a virus to change the braking system in your car so that, let's say, when you are at high speed the brakes don't work. Or maybe they hack a drone (drone-jacking) and, while you are driving on the highway, fly it directly into your car and cause a crash. Cyberterrorists could use cyberspace and the internet to perform their crimes more easily from a faraway location, and sometimes they just create malicious code, send it over the net and wait to see what happens. In such a situation, we need to understand the risk of cyberterrorism and fight against it. Some people might say, let's stop all internet and all of IoT so we are safe. Well, this is not a wise solution, because terrorists would just use other means. For example, let's say we hadn't invented the airplane, or at least hadn't made it publicly accessible; 9/11 would never have occurred. But certainly 9/11 would have happened in another form or using other tools, and we couldn't blame it all on the airplane. In addition, the airplane has done a lot of great things for us. Also consider electricity: some people die because of electricity. But if electricity and cyberspace weren't there, I would be unable to share the risk of cyberterrorism and ask you to prepare to defend against it.

How could we defend against cyberterrorism? Well, we need to understand and analyse it and create resources to defend against it (this is something that all governments must do today). We shouldn't wait for another terrorist attack to wake up and say, hey, let's defend against it; we should prepare before such an attack occurs. On the other side, we need to build our tools (software, hardware, networks, etc.) in a way that is ready to defend against and mitigate such attacks. To get ready to combat cyberterrorism, we need knowledge of criminology and IT, and we need special task forces to prepare and train people to make sure our devices are protected against known and unknown cyberterrorism attacks. I ask researchers, governments, IT professionals and other stakeholders to get ready with all their forces before it is too late. Looking forward to a safer internet.

How to Bypass AI-Based Security Systems

It is not very difficult to bypass security systems which are based on machine learning and AI. Here, an attack-based scenario of how it could be done will be explained. For security reasons, and since the objective of this blog is only to show you the risk and not to teach hacking, we won't explain everything in detail; we just show the blueprint of the attack so you can understand the risk. Firstly, let's see how AI and machine-learning based systems work. Basically, you need to send them a very large amount of data and classify which items are safe and which are harmful. Then you keep doing this so the system gets smarter (as they say) and it could figure out how to classify future and possibly unknown data based on previous decisions, automatically. This is simple to say, but in the background it requires a huge amount of data, complex mathematical equations, a large database to store them and large processors to analyse them. Let's say we have a large sample of network packets sent to our Intrusion Prevention System (IPS), and in this sample we classify certain behaviours as harmful, so it will block them, and others as safe, which should be passed; then we send other samples and, based on the previous decisions, it will classify them. So the system will say: I have seen this file in the past, and from its behaviour it seems to be harmful, so block it; the others I consider safe, so pass them. In this way, some safe packets are incorrectly blocked, which we call false positives, and some harmful packets pass through, which we call false negatives. All experts in AI and machine learning just say these are false positives, and they might either define exceptions, get some bigger data or improve their algorithm to improve classification, but they still agree that they are unable to stop false results (positive or negative), and to improve their algorithm they need to spend a lot of resources.

But just imagine that one, and only one, malicious packet manages to bypass the IPS; this packet could damage a system in a way that opens a backdoor for other malware and takes complete control of the system. The same issue happens with anti-malware products which incorrectly allow a harmful program to run and take complete control of the system. Improving the algorithm to stop such issues is very hard and time-consuming and requires heavy resources. But bypassing such systems is very easy: you just need to send some files (e.g. malware or malicious packets) and, based on what is blocked or not blocked, figure out the algorithm, then design your malware or malicious packet in a way that it is classified as safe. You may also turn the security protection (IPS or anti-malware) into your friend: for example, send some safe packets so they won't be blocked by the IPS, change them a bit and send them again so the system learns about the packets, and then, while you are sending these, add your malicious command inside them slowly. You may also send it encrypted so the IPS won't notice anything: just send some encrypted files along with safe packets so the IPS identifies them as safe and passes them, and once you have done this for a while and the IPS classifies it as safe, send your malicious one. You may do the same with anti-malware software: send some safe files, and once the user gets them, send some files and update them, and when the antivirus trusts them, send a malicious update in a way which the anti-malware has learned to classify as safe. A similar scenario applies to all other security products: you don't need to be a great mathematician or have much knowledge or resources to bypass a machine-learning or AI based security system, but to build such a system or change your existing algorithm you need to do a lot. This is why we keep calling on security experts around the world to move from AI and ML to new ways in which we could easily deal with cybercriminals. We don't need AI or ML; we just need to see how to build weapons using our technology, analyse cyber-attacks and build strong countermeasures.


Machine Learning is the Enemy of Security

Recently, I have seen cybersecurity experts discussing machine learning and how to use big data to protect against cyber-attacks. Using machine learning is not a new concept; it has been used for many years to protect people against cyber-attacks. But it is time to change our approach towards a new method of protecting our users, and it is wiser to abandon machine learning in cybersecurity. Here, I will discuss the reasons behind this.

First of all, we could never say we have a model in machine learning which gives us complete protection. We always have something known as false positives and false negatives, which means there are always sure ways to bypass the machines. In addition, one false negative could cost us millions of dollars. Consider a protection engine for an anti-malware product which detects spyware; as you may know, spyware is capable of stealing personal information. Just imagine a case where your anti-malware product missed only one piece of spyware, and this spyware is powerful enough to steal all your secrets. The anti-malware vendor might say it was only one false negative while it detected and removed 1000 pieces of spyware, but that one miss costs a lot. Another problem with machine learning is that it depends on the past to predict the future. It will say: because past spyware worked this way, the next one might work in a similar way. But consider the case of an innovative hacker (actually we have many of them) who could come up with a new, intuitive idea to do something which never occurred in the past. Consider Stuxnet as an example. In addition, machine learning depends on data and learning, and smart hackers could fool a machine-learning algorithm by sending fake data so that the algorithm classifies it incorrectly, while the real attack is performed a different way. Let's say someone performs an attack on ports 20-50 of the PC, so the machine-learning algorithm becomes sensitive to these ports, enhances protection on them and notifies the administrator. While everyone is worried about ports 20-50, the real attack occurs on port 90. The hacker just performs such an action to fool the machine learning. Machine learning would have been a way to solve security problems, but with modern technologies and hackers who are getting smarter, we couldn't rely on it anymore.
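
As an added example (not from either post), the following toy filter reproduces, from the defender's side, the "teach the product slowly" risk described in the previous post and the fake-data poisoning described above: the weak link is a product that retrains itself on traffic it merely allowed, and either a verified-labels-only policy or a fixed human-labelled holdout set used as an acceptance test for every model update stops the drift. Token names, training data and traffic are all constructed placeholders.

```python
"""Toy token filter: what goes wrong when a security product retrains on
its own 'allowed' verdicts, and two controls that stop it.  Every token,
message and label below is constructed for illustration."""
import copy
from collections import Counter


class TokenFilter:
    """Naive-Bayes style likelihood-ratio classifier over bags of tokens."""

    def __init__(self):
        self.counts = {"benign": Counter(), "malicious": Counter()}
        self.totals = {"benign": 0, "malicious": 0}

    def learn(self, tokens, label):
        self.counts[label].update(tokens)
        self.totals[label] += len(tokens)

    def malicious_score(self, tokens):
        # Product over tokens of P(t|malicious)/P(t|benign), add-one smoothed.
        vocab = len(set(self.counts["benign"]) | set(self.counts["malicious"])) + 1
        score = 1.0
        for t in tokens:
            p_mal = (self.counts["malicious"][t] + 1) / (self.totals["malicious"] + vocab)
            p_ben = (self.counts["benign"][t] + 1) / (self.totals["benign"] + vocab)
            score *= p_mal / p_ben
        return score

    def blocks(self, tokens):
        return self.malicious_score(tokens) > 1.0


# Constructed, verified training data; "BAD_CMD" stands in for a malicious token.
BENIGN_TRAIN = [["ping", "status"], ["report", "ok"], ["ping", "ok"], ["status", "report"]]
MALICIOUS_TRAIN = [["BAD_CMD", "ping"], ["BAD_CMD", "status"]]
# Fixed, human-labelled holdout: the acceptance test for every model update.
HOLDOUT = {"benign": [["ok", "report"]], "malicious": [["BAD_CMD", "report"]]}

# Unverified traffic as the posts describe it: the bad token is first buried in
# benign-looking padding, then the padding is reduced step by step.
PAD8 = ["ping", "status", "ok", "report"] * 2 + ["BAD_CMD"]
PAD4 = ["ping", "status", "ok", "report", "BAD_CMD"]
PAD2 = ["ok", "report", "BAD_CMD"]
UNVERIFIED_TRAFFIC = [PAD8] * 3 + [PAD4] * 3 + [PAD2] * 3


def build_filter():
    f = TokenFilter()
    for sample in BENIGN_TRAIN:
        f.learn(sample, "benign")
    for sample in MALICIOUS_TRAIN:
        f.learn(sample, "malicious")
    return f


def holdout_ok(f):
    """Acceptance test: every held-out sample must still be classified correctly."""
    return all(f.blocks(s) for s in HOLDOUT["malicious"]) and not any(
        f.blocks(s) for s in HOLDOUT["benign"])


def replay(traffic, self_training, guard):
    """Feed traffic through the filter.  Returns whether the held-out malicious
    sample is still blocked afterwards and how many updates the guard rejected."""
    f = build_filter()
    rejected = 0
    for msg in traffic:
        if f.blocks(msg) or not self_training:
            continue  # verified-only mode never learns from unverified traffic
        snapshot = copy.deepcopy(f)
        f.learn(msg, "benign")  # the weak spot: an 'allowed' verdict becomes a label
        if guard and not holdout_ok(f):
            f = snapshot  # roll the update back; this is the alert to investigate
            rejected += 1
    still_blocked = all(f.blocks(s) for s in HOLDOUT["malicious"])
    return {"blocks_holdout": still_blocked, "rejected_updates": rejected}


if __name__ == "__main__":
    print("self-training, no guard:", replay(UNVERIFIED_TRAFFIC, True, False))
    print("verified labels only:  ", replay(UNVERIFIED_TRAFFIC, False, False))
    print("self-training + guard: ", replay(UNVERIFIED_TRAFFIC, True, True))
```

Without the guard the held-out malicious sample ends up allowed; with verified-only learning or the holdout acceptance test it stays blocked, and each rejected update is the signal that someone is feeding the model.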

So what is the solution? We need to understand the anatomy of an attack and ask ourselves how attacks are being performed, how people manage to bypass our protection engines, and then create a threat model to combat them. We don't need to pass millions of data points to some complex mathematical algorithm to come up with some results. For example, when we look into email spamming, people just think about which machine-learning algorithm is better at comparing text and classifying it as spam or not spam, use some other complex math equations, and at the end we say sorry, we have some false positives and false negatives. Instead of this, why not look into the anatomy of spam? We just have to look into samples of spam messages and create a list of questions: why would a user believe this is safe, what actions is the user likely to perform (reply to the message, click on a link), who is the sender? Then we could create a set of rules, implement software to manage those rules and share it with other security experts. In general, we could just create a smart cybersecurity framework based on facts and innovation rather than prediction to protect ourselves.
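
As an added example (not the post's own software) of the rule-based anatomy approach described above: each rule encodes one of the questions (who is the sender, does the link go where it says, what does the message push the reader to do), and the verdict lists every rule that fired with its evidence, so an analyst can audit the decision and revise the rule set. Messages, addresses and domains are constructed.

```python
"""Explainable, rule-based spam triage built on the questions the post says
to ask of a spam sample.  All messages, addresses and domains are constructed."""
import re
from urllib.parse import urlparse

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"\s*>([^<]*)</a>', re.I)
URGENCY = ("immediately", "within 24 hours", "suspended", "urgent")
ACTIONS = ("click", "verify", "confirm", "reply")


def domain_of(address):
    m = ADDR_RE.search(address or "")
    return m.group(1).lower() if m else ""


def host_of(url):
    return (urlparse(url.strip()).hostname or "").lower()


def reply_to_mismatch(msg):
    # "Who is the sender?": replies would silently go to another domain.
    src, rep = domain_of(msg["from"]), domain_of(msg.get("reply_to", ""))
    return f"replies go to {rep}, not to sender domain {src}" if rep and rep != src else None


def link_text_mismatch(msg):
    # "Why would the user believe it is safe?": the visible URL is not the real target.
    for href, text in ANCHOR_RE.findall(msg["body"]):
        shown = host_of(text)
        if shown and shown != host_of(href):
            return f"link shows {shown} but points at {host_of(href)}"
    return None


def action_under_pressure(msg):
    # "What action is the user likely to perform?": urgency plus a request to act.
    text = (msg["subject"] + " " + msg["body"]).lower()
    urgent = [w for w in URGENCY if w in text]
    acts = [w for w in ACTIONS if w in text]
    return f"urgency {urgent} combined with request to {acts}" if urgent and acts else None


# (name, weight, rule): the weights are an analyst's judgement, visible and editable.
RULES = [
    ("reply_to_mismatch", 3, reply_to_mismatch),
    ("link_text_mismatch", 4, link_text_mismatch),
    ("action_under_pressure", 2, action_under_pressure),
]
SPAM_THRESHOLD = 4


def triage(msg):
    """Return the verdict together with the rules that fired and their evidence."""
    fired, score = [], 0
    for name, weight, rule in RULES:
        evidence = rule(msg)
        if evidence:
            fired.append((name, evidence))
            score += weight
    return {"verdict": "spam" if score >= SPAM_THRESHOLD else "ok", "score": score, "fired": fired}


# Constructed sample messages.
PHISH = {
    "from": "Bank Support <alerts@bank-example-mail.test>",
    "reply_to": "support@collect.test",
    "subject": "URGENT: account suspended",
    "body": 'Your account will be suspended within 24 hours. Please '
            '<a href="https://collect.test/login">https://bank.example/login</a> to verify.',
}
NEWSLETTER = {
    "from": "Shop News <news@shop.example>",
    "subject": "March catalogue",
    "body": 'New arrivals this month. Browse at '
            '<a href="https://shop.example/new">https://shop.example/new</a>.',
}

if __name__ == "__main__":
    for msg in (PHISH, NEWSLETTER):
        print(msg["subject"], "->", triage(msg))
```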

Also remember, machine learning increases the complexity of analysing a system, and "complexity is the enemy of security". So why not develop a simple framework which is more understandable to the security community, instead of spending so many resources on something complex, then facing false positives and false negatives and waiting for hackers to bypass our system with a few lines of code? We could just develop a simple and adaptable security platform or framework based on rules, facts and innovation. Machine learning also blocks innovation: you just have to play around with the dataset you have, while hackers create their own dataset.

Therefore, I am asking cybersecurity experts to work together to build a new way to combat cybercrime, based on our own minds, not the machine's.


Stuxnet: Well-organized Cybercrime

Stuxnet was one of the most interesting cases of organised cybercrime. Most likely it was organised crime by a government. I am going to discuss possibilities of how they started developing Stuxnet, based on information available in the media, blogs and technical articles, and on an analysis of organised crime.

You should keep in mind that information related to Iran's nuclear programme is considered confidential and top secret within Iran's nuclear agency and other related external parties like Siemens, the IAEA and so on. You need to have a certain clearance and access control to be able to access such information. In order to damage Iran's nuclear facilities using computer malware, you would need to know the infrastructure of Iran's nuclear facilities perfectly. In top-secret places like Iran's nuclear programme, staff are highly trained when it comes to accessing information and sharing it with people they know. They went through a deep background check by the intelligence ministry, and you couldn't expect them to come to the office and visit Facebook or other internet websites. For this reason, there is no way to access information related to Iran's nuclear programme through remotely hacking the staff or placing spies, because that would carry a greater risk of exposing the infrastructure of Iran's nuclear programme. In addition, restrictions are imposed on sharing and controlling information related to Iran's nuclear programme with third parties who work with it, including the IAEA and Siemens, through government agreements. However, Iran has less control over the information protection of third parties outside Iran, because they are hosted in another country. The first phase of coming up with the idea of Stuxnet was to understand the exact environment of Iran's nuclear infrastructure. The people who developed Stuxnet looked into gathering information on Iran's nuclear operations and staff. They gathered information such as: they are using Windows and PLCs, it is possible to bring a USB device from outside into the nuclear facility, and so on. Then they developed a worm which fitted the environment. Now, the problem was how to get it inside the nuclear facility. Of course no one would intentionally take an infected USB inside the nuclear facility, knowing all the restrictions, monitoring and security.

So they targeted infecting PCs in Iran, which is not a very difficult process. There are many Iranians living outside Iran who visit their families once in a while, and just infecting a public computer which is regularly used by Iranians would have been an easy way to get this worm inside Iran. Since Iranians are citizens of Iran, there isn't difficult immigration inspection of them, and even if there is any immigration inspection, no one would ask to check your USB or removable devices, and even if they did, Stuxnet was still undetectable. One common way to get Stuxnet inside Iran would be to infect a university's public library PC with Stuxnet; one Iranian student inserts a USB to check some document, and Stuxnet would have been copied there. Therefore, Iranians who live outside Iran were the first target of Stuxnet, which also made investigation difficult, because they have no clue about their USB infection and it is difficult to find its origin. This way the worm kept spreading from one user to another just when they inserted their USB into another PC. The timing of starting the infection was also important: the cybercriminals probably looked into immigration records to check when most Iranians who live abroad usually leave their country. For example, students usually travel to Iran during semester break, so if you check the immigration records of people with Iranian passports who leave the country and then return, and who have a residence permit like a student visa or work permit, you could come up with an idea of when and where you should spread Stuxnet to make this case harder to investigate. The investigation would be hard when you have several suspects and you couldn't easily filter them down to a few, and since there is no conclusive evidence, you couldn't issue an arrest warrant.

With the right timing, Stuxnet managed to infect several PCs just by spreading over USB devices. It could be a flash drive, an external hard disk or another device like a mobile phone and so on. Among all the PCs which were infected with Stuxnet, there was a high possibility that one of them belonged to someone working in Iran's nuclear facility or their relatives. It is possible that they worked from home and, for security reasons, never transferred any data or code over the internet but rather by USB device, and just inserting one infected device would have infected the system. This way, one USB device of a member of staff of Iran's nuclear facility was infected, and he or she was allowed to bring the USB inside the nuclear facility. Of course all devices from outside would have been scanned for malware, but at that time Stuxnet was unknown, and inserting the infected device would start infecting the Siemens PLC devices and causing damage to the reactor. Stuxnet also tried to establish connections to remote servers, and this was just for redirecting the investigation and buying some time to cover up the incident. When Stuxnet was discovered and its code was inspected, they discovered these connections to remote servers, and those servers were set up just so investigators would think they had to start the investigation with those servers, while the actual objective of Stuxnet was to work offline, without showing any connection or helping to discover any conclusive evidence against the developers of Stuxnet.

The people who developed Stuxnet had good knowledge of the Microsoft Windows operating system; they probably had access to the Windows source code through some NDA agreement or through the black market. They also had a good understanding of Siemens PLCs. It was the group work of people with expertise in various fields, and such a team requires a skilled team leader to coordinate them and have them work closely together, and of course loyalty to their governments, making sure they won't leak information regarding Stuxnet.

Even though Stuxnet was a top-secret government operation and will remain a mystery for some time, it raises a big question in the area of cybersecurity: when will we see the next Stuxnet, and what will the damage be? If we look closely at Stuxnet, we will see there is a possibility of harming any device which uses a computer system. Looking closely at Stuxnet, the next Stuxnet could be one which paralyses the economy of a country. Just imagine a day when you go to an ATM and are unable to withdraw money, and this is an issue for all ATMs around the nation. It is scary, but we could prepare.