Dr.Hack’s Interview: How to Be Ahead of The Times in Hackology
Finally, we talked to Dr.Hack — a well-known free hacker who knows everything about cyber attacks and cybersecurity. Our conversation turned out to be very interesting and useful.
We hope you’ve already read our previous interview with David Moadel. David is a famous crypto trader. He shared with us a few secrets of successful trading.
But, today, we’ve prepared an interview for everyone interested in computer security issues. Learn how to protect your data online and stay one step ahead of any hacker.
1. Dr. Hack, you are a free hacker. You deal with hacker attacks, study them, and help people protect themselves from cyber threats. But why have you decided to devote some of your time to the issues of Internet security? Why did you choose to take up cybersecurity?
First of all, I would like to thank Utopia.fans for having me here. I must appreciate the high-quality content Utopia Fans have been producing lately, especially the graphic art of blog posts is simply outstanding.
Coming over to your question, every human being’s natural instinct is to ‘help’ others. To justify my statement: whenever we do a good deed or help someone in life, we feel a sense of achievement and satisfaction fill our hearts. Ever wonder why? That is because of the course of action we opted for, which is in line with our species’ nature – Helping Others. In the cyber realm, the same help exists, while the only change is the medium through which help is provided.
The best way to help someone is to educate them — what better way of educating people than by talking and writing about Internet Security issues? Writing about Internet Security also benefits me: in an attempt to cover a topic, I need to research it further and in depth so that I am able to provide a wholesome picture to the readers, and this process of research greatly improves my knowledge; there is always something new to learn about.
Out of all the domains of Internet/IT Security, Cyber Security always fascinated me the most. Cyber Security helps people with issues that have real-life consequences. Daily I get emails ranging from “hack my bf/gf id” to “I found some hidden surveillance equipment, what do I do” … At times helping out has its toll and is not always easy. Whenever someone ends up thanking me after being helped the feeling cannot be mentioned in any form as that feeling of being able to help matters a lot.
There are organizations and people who have no idea that they have been hacked or that they need professional help. This is most dangerous for the organization. Former Cisco CEO John Chambers’ quote, “There are two types of companies: those that have been hacked, and those who don’t yet know they have been hacked,” is very relevant here and in all the cyber cases where either the identification of a compromise or cyber attack happened once all private data was lost or no one ever noticed that they have been compromised. Organizations and people approaching me for help at least show that they are among those who have identified that they have a problem and that is 50% of the solution in itself.
2. From your personal experience, how often do various cyberattacks occur? Why do you think cyberattacks happen? Could you name the most common cyber threats that exist today on the World Wide Web?
Cyber Attacks are happening every second of every minute throughout the day. At times, many cyber attacks are kept hidden or not reported due to the nature of data being exploited until the hackers themselves expose the hack. Every day there are around 25 million attacks of various vectors, while Industries, Governments, and ISPs are at the top of the list. These cyber attacks never stop as the internet has made the world a global village, making it virtually distance-free, thus discarding the “day night” difference.
Cyber attacks happen for varied reasons, but they always have something in common. Without taking any side, every attacker of a cyber attack believes in a cause or purpose and thinks that their actions are justified, which might not be the case in reality. Advanced Persistent Threat (APT) is used by governments and nations who target their adversaries or groups of activists that target institutions while fighting for a cause. USA-based cyber attacks with Russia, China and North Korea are something we are familiar with which fall in the same category. At the same time, this also shows that some of the most advanced countries resort to cyber attacks to gain information or even damage critical infrastructure. Stuxnet may be termed one of the most damaging cyber attacks on a nation with effects lasting for decades.
Before I start to list cyber threats, we need to know what a cyber attack is made of:
- Compromise — The best cyber security practices of an organization can be rendered useless if the chain’s weakest link is exploited, and that chain is the ‘user’. The majority of hacking cases occur due to human error or due to efforts made through Social Engineering. The Twitter Hack is one recent example to support my case.
- Infiltrate — Once hackers compromise the weakest link, the next step is how they will plant payload in victim’s system or tunnel session etc. This step involves installing a RAT or something which gives easy access to the machine, which has been compromised.
- Privileges — Even after compromising a machine, there is no guarantee that the victim session is currently running as an administrator or normal user (the reason I tell people not to log in as administrator all the time) and the hacker has to escalate the privileges.
- Info Gathering — Once in, hackers go around browsing as many directories as they can; searching the computer for any saved passwords or sessions will give a lot of information and may even lead to getting access to other machines on the same network.
- A Worm — Ensuring that their payload is persistent and stays active after privilege escalation has occurred.
- The Exit — Once the task is complete, one can delete all traces that may have been left behind by the hack and Exit.
If you read the steps mentioned above, you will notice that all the steps involve Hacker-to-Computer interaction except one, ‘Compromise’. Compromise is where the weakest link of the chain is involved, which is the human interaction, and Social Engineering comes in here. As I have mentioned in many of my blog write-ups, social engineering, also known as “the art of human hacking”, cannot be patched, making it the most dangerous and most effective for hackers.
Before I mention the top cyber threats or top attack vectors, I am glad that OWASP list has stopped listing XSS among their top of the list. In my opinion, XSS is only relevant for bug bounty hunters for their bounty claims and I have not seen an actual hack being pulled off. Since 2012-2014 XSS got special attention, prior to that XSS was actively used for cookie-jacking leading to account takeover and it was very simple as well.
I still remember how a two-liner cookie logger I used on programmingtalk.com (a decade ago it was one of the most famous tech talk platforms, associated with hotscripts.com) led me to various Admins’/Mods’ accounts. And I was able to embed the cookie logger right into the signature block of the forum profile. While I reported the exploit to the team, they fixed it and never replied back. I guess that is one reason I never prefer bounty hunting.
Top Cyber Threats, in no particular order, in my opinion are:
- Social Engineering
- Crypto Jacking
The list can go on with SQLi, DDoS and MITM attacks, but I consider the type of threats mentioned above to be the most potent and effective.
3. The main topics of your blog are diverse. They include hacking, cyber threats, cryptography, cyberattacks, internet security, and much more. How do you improve and get new knowledge on such topics?
Everyone is attracted to a certain hobby. Since childhood, I was fascinated by computers, before we had the luxury of Windows and the time when Intel 80286 felt like enough computing power for a lifetime. Even then, an i386 with its 32-bit processor felt like something out of this world. My first interaction with networking was when I made my own server hosted on a Dial Up connection (before Broadband connections were a thing). Troubleshooting and tinkering with the system led me into a rabbit hole — a place I am still happily trapped.
Gaining knowledge or staying abreast of the latest techniques and trends is not difficult in this technology era. ‘Reading’ helps me improve my knowledge base and understanding about the latest concepts while practicing them in my own spare time allows me to polish the skillset further and add new skills to the arsenal.
4. Imagine that you need to prepare the top 5 advanced protection methods against cyber threats on the internet. What points would you include in this must-do list?
“Human stupidity Detector” would be listed at the top if something of this sort exists. When I’ve listed social engineering as the most potent threat, I would list Social Cyber Awareness at the top of the preventive methods as well. People have given up their actual passwords in exchange for a chocolate bar, sounds stupid, right? But it has happened.
The Twitter hack, which took place on July 15, is a clear example of how people can be swayed into sharing information that they are not supposed to, and the same information can have long-lasting effects. Some people may be wondering how making some tweets can have any effect on real-world matters. In 2013, the Associated Press news wire service’s Twitter account reported “Breaking: Two Explosions in the White House and Barack Obama is injured.” The SEA Activists had hijacked AP’s Twitter account. The Impact? The US stock exchange crashed: the tweet was sent at 1:07 p.m. At 1:08 the Dow started the nosedive.
Moving on to a direct answer to the question, I will focus on the end user and not the corporate industry, as their protection methods are different, being more exposed to the internet.
– Cyber Awareness: Knowing how easy it is for someone to manipulate and get information out of us unknowingly is a very crucial step in preventing such attacks. Always stay wary of the fact that someone might be interested in your personally identifiable information for their own vested interests. Social Engineering is a huge threat and it requires that everyone be aware of how it is done to stay protected and safe.
– Update Software: I am sure you must have seen a co-worker or friend who is very comfortable without updating their software and ends up saying that it wouldn’t matter if it is delayed for some time. Such behaviour allows cyber perpetrators to get access to unpatched and outdated machines. Updating software allows a system to fix critical bugs. At times, the vendor identifies one that is not publicly known, but it will be known publicly, as PoCs of zero-day exploits are a reality and happen often.
– What you Download: Being hired in various cyber prevention contracts, I have seen numerous cases where one employee downloaded pirated software on a work system which was intended to be used at his home, but to save time and confirm prior to leaving the work machine, it was tested on the office system, and that downloaded software embedded ransomware which resulted in a loss of critical and sensitive organizational data.
– Control Your Devices: Our digital identity is as important as our real-world one, and protecting digital identity should get the same attention. No device which you use should be without a password / PIN / pattern. Always keep your devices locked when not in use; making this a habit will go a long way in ensuring that your data stays safe.
– Shared Internet: Secure your internet / Wi-Fi communication and do not share it with people you consider “strangers”. Just giving access to your Wi-Fi to someone else makes it very simple to perform a Man In The Middle (MITM) Attack, and they can see what you are doing on the internet and in some cases, they may be able to steal your web-based sessions. The use of public Wi-Fi is a BIG NO. NEVER EVER use public Wi-Fi; read about EvilAP Wi-Fi, and you will understand how easy it is to access data from your smartphones while you are not even aware of it. Our smartphones are meant to connect to all the internet devices saved in their list to make it convenient for us. This convenience comes with a cost: when you go to a restaurant your phone sees a Wi-Fi connection and it probes the router with “Are you My Home Router”. In the ordinary case the router will say “No, I am Starbucks router” but if that place has an Evil AP the response will come “Yes, I am your Home Router — Let’s connect”. This connection will give you internet and all your internet traffic will be passing through a middle man who will be logging it down.
I understand I have shared 5 aspects already. Still, I would like to mention one more aspect: to use strong passwords for your email / online accounts and review the reset information. It is very important because if you have a weak password or reset information — there is no stopping cybercriminals from escalating from hacking your one account to each and every account you ever had. The last informative point is that you can check from HIBP if any current email has any publicly available data on various hacking forums with your email address or passwords.
5. We are living in a time of the pandemic. Please, tell us whether cyberattacks have become more frequent than in previous years since most employees switched to the online mode of work?
This year, since the pandemic has hit us, there has been a 6 times increase in the cyber attacks. As per statistics shared by INTERPOL, the most dominant attacks are Misinformation, Bad domains, Harvesting Malware, Phishing / Scams & Ransomware.
Cybercriminals make use of ways to exploit us. In times of uncertainty, misinformation is spread and believed, and cybercriminals use techniques that give them the greatest chances of success in their objectives. Ransomware attacks are also increasing at an alarming pace, while the majority of ‘Online Infection Methods’ have no fix as of now except rolling out backups if you have made any.
6. It’s no secret that you are already familiar with such a decentralized ecosystem as Utopia. You probably have used Utopia during the beta testing phase. Today, the ecosystem has more than 100K active users. Can you evaluate this ecosystem in terms of the reliability and security of user data?
I have already shared how I was introduced to Utopia. Still, since its start, I have been using Utopia, providing valuable feedback to the team and helping the community in whatever way possible, as I greatly admire the effort done on Utopia p2p. Utopia’s core values are something that everyone would admire and appreciate, as these are the basic rights we all deserve and have the right to demand.
Over the period of 1 year since I have been using Utopia, I have provided feedback to the team on various aspects of the ecosystem and I must admit that the team has been very active in making improvements in the ecosystem; Utopia Alternate Miner (UAM) is a clear example of how effectively the team has improved the reliability of the mining procedure. Utopia software is still very new and has a long way to go. Utopia is a fully functional program where all the aspects of the software work as they are supposed to, which is something great as it makes it a reliable platform. Decentralized peer-to-peer systems have an advantage in that they cannot see network outages, as a single server is not controlling them; rather, all communication is routed through nodes, which is the case of Utopia.
While talking about User Data Security, I will be highlighting the same aspect here — a decentralized platform does not store any “user data” on any “cloud” or a server as there is no such concept, instead all the user data is stored inside the “Encrypted Containers” which are saved on user computers.
Decentralized systems meet a lot of resistance as they go against the internet of today where, as Utopia Intro sums it up neatly, “Billions of people are turned into trillions of dollars”. Our privacy is sold for their profit. Why would such a profit structure ever be interested in something decentralized?
7. What would you change in the technical or functional component of the ecosystem? Perhaps you have noticed some shortcomings?
As I mentioned above Utopia has a long way to go and Utopia in its current state is very stable and working in all regards from Channel and Chat to Crypton and Crypto Transactions. But if I were to answer this question, on the technical side, I can think of having a new Utopia Light version that lacks the “mining components” and provides more responsive behaviour of the client. Lately, I have noticed that no one is mining Crypton through the Utopia Client (excluding me ;> ) so a “light” version that can be responsive and add more fluid behaviour would be a welcome addition.
Functional components are already under consideration, which I will mention here: Mobile App.
The amount of mobile users has surpassed PC users for general purposes for browsing. This means there are more chances for people to use a mobile based version of a program; this makes it very important that a mobile version of Utopia Client.
8. Can Utopia take a leading position in the entire Internet security industry? As we can see, every year, popular messengers and search engines lose a large part of their audience due to issues of data security and confidentiality.
Before I started using Utopia, I did a thorough scan of various types on Utopia Client, The Miner and packet inspection to see if anything which shouldn’t be sent is being shared and if there are any “non peer nodes”, and once I was confident that things are OK, I jumped in using this platform. As of now, Utopia is home to people of various beliefs, and many activists gather to discuss their issues and concerns; being a privacy-centric platform, what I am able to tell is only what someone has made public, accessible through the advanced search feature of Utopia. I do not see why Utopia will not become the application of the trust of every privacy-focused individual or every activist who would seek absolute privacy and data protection.
Just one example will tell how centralized Internet is: 90% of the services used by participants of a survey were owned by 2 companies — Google & Facebook.
How can you think that they will provide you free services and not want anything in return? Facebook has been found selling user data various times in the past. It is a matter of time before people will start moving towards Utopia Ecosystem for privacy and data protection.
9. One of the main areas of your interest is cryptocurrency. How do you assess the global cryptocurrency market today? Do you think the future belongs to cryptocurrency? Will a Crypton (the internal coin of the ecosystem) compete with well-known cryptocurrencies like bitcoin?
I used to read Satoshi’s posts on his forum when Bitcoin was mineable on a laptop, and the concept of “decentralized ledger” fascinated me at that time; when I started exploring Bitcoin it seemed such a beautiful concept. People may differ with bitcoin and they may have a preference backed by another coin, which is very natural, but Bitcoin being the pioneer will have its place as the Coin that started it all. Cryptocurrency is already a thing and way to make a guesswork for future when we are already seeing that the present belongs to cryptocurrency. Banks are so against crypto is that gives more power to cryptocurrency.
I have been asked this question a lot: is there any potential or future for Crypton? My answer has always been the same. Crypton is the only coin that already performs all the tasks it is meant to do. Crypton is meant to be the mode of payment while not revealing any real-life information or identity. Right now, I can send uVouchers, request payments through users or even set up automated payment requests through the provided API. To give these statements a context:
Imagine a whistle blower has some information, but he wants to sell it to a famous news reporting agency. Utopia would be the whistle blower’s choice of platform, knowing that the coin cannot be traced, unlike other coins. The majority of coins that are launched have a roadmap that stretches over 2 years at a time with promises that after 2 years the coin might be able to do something and invest like crazy. Imagine a coin which made no promises but simply works for all the purposes it is meant to work for. So Yes! Definitely, I see great prospects for Crypton while I can easily say that it will surpass the majority of coins in terms of utility.
10. Today, only a few people seriously think about cyber threats. Is it possible to change the attitude of internet users to the issue of cyber threats? Can you make your forecast for the next 5 years? What exactly will the internet look like?
Unfortunately, I do not see that people will be changing their attitude towards cyber threats until someone is affected by cyber criminals’ actions. People do not realize that allowing cyber criminals to gain access to their account because they use weak protection measures affects them and all their acquaintances, which should be punishable by law. If my account is hacked and it results in a data leak of my conversation with my friend, that friend should be able to sue me for not protecting his data. The only way I see people might start taking some interest is by following something on such harsher lines — Other option is to switch to Utopia.
Internet will not change much in the next 5 years. Cat Memes, Trump signing Meme and Condescending Wonka will all be something we will be seeing in our feeds. In the cyber security front, attacks will get more advanced as IoT and smart devices get more common. These devices use older technologies to keep the price low and are connected with routers with weak or no protection. IoT based hacking and even crypto mining is already a thing. But these things will greatly increase. Imagine a ransomware note read out by Alexa on Alexa Dot that all your Home appliances will not work until you pay a certain ransom, which seems scary right? It is plausible and such things will happen until we start educating ourselves and move at a pace that is being followed by the cyber criminals. British Television Series “Black Mirror” might seem scary for now but that is the direction which we will end up with if we continue advancing at this speed. I am all for advancement, but cyber threats are serious and should be dealt with preventive measures.
I hope I have covered all the queries and hope readers find it interesting and enjoy reading it the way I enjoyed writing it. Utopia Fans is doing a great job by spreading awareness about the internet and cyber security, focusing on its privacy. I would like to thank Utopia for the opportunity and I tried to keep things a bit simple and not go into technical details so that every reader finds it equally interesting.
Our team is very grateful to Dr.Hack for the interview and his support of the Utopia project. You can learn more about Dr.Hack and his activities by following his website and blog.
Besides, we’ve prepared even more surprises and interesting interviews with other well-known and experienced people in the field of information security.
Stay tuned and follow the news!