Do you give us permission to include this interview in our products?
Can we use a photo of you in our materials? (If so, please include.)
What name should we call you?
Al (as in AL)
What do you do, professionally? Do you have any certifications? How did you become an ethical hacker/security expert? What is your background?
[An “ethical hacker” is someone that gets paid to try to hack into a client’s software. This way the client will know how safer their software/website/systems are. They will also learn where their security problems are, so that they can be addressed.]
Currently I am working as an ethical hacker with a CISSP certificate. I focus on testing the security of web platforms, mostly commercial sites/applications, databases and the servers they’re on, for the sole purpose of hardening their security as much as possible. I have gone into ethical hacking mainly because it’s the only way to monetize my talents in a legal way. Formerly a blackhat hacker, money was relatively easy to come by, but as always there were a lot of risks involved. Then came a person that needs my care, someone that relies on me to bring food on the table every day. Obviously I cannot care for someone if I’m in jail, so I decided to leave my past behind and turn a new page, start working legally even if it means bringing in less money.
Where do you live? Why did you choose that particular country/region/state?
I am born in Macedonia and this is where I’ve spent my entire life. I have traveled a bit and I would gladly move to a country where life is easier, but immigration is near impossible due to a stupid loop in the way the world works. Namely, if you’re from Macedonia, nobody would grant you citizenship in any EU country or US state, fearing that I would become a burden. Macedonia is not particularly wealthy so there’s a stereotype that if you’re from Macedonia, you’re not very useful to the society. Try as I might, my request for citizenship would be rejected, leaving me stuck in this country. It’s as bad as it sounds, but there’s no time to complain, I give my best to use my entire day in the most productive way.
What is the state of personal privacy as you see it?
To be brutally honest – nonexistent. There is no such thing as privacy. My clients are usually small and medium businesses and during the testing procedure I often have a chance to take a peek in parts of the code that shouldn’t be seen by the public. Most of those companies promise some form of privacy but the reality is very different. Data is gathered without user’s permission and you’d be shocked on how technology has progressed, they have perfected their espionage methods to an art. Alas, even if companies didn’t do this, there are always hackers that can obtain this information very easily and then resell it. Now don’t get me wrong, I do recommend that everyone should watch out for their privacy. I’m just saying that they shouldn’t feel 100% safe just because they have taken a few precautionary steps.
Tell us about some of the tricks you use (or others you know use) to find out confidential information.
Back in the day, the simplest way for a blackhatter to obtain personal information is to plant a Trojan horse in the victim’s computer. Crypters were readily available, making the Trojan undetectable to all antivirus software, albeit short-lived. Depending on how the hacker spreads the Trojan, it would last anywhere from a few months to just a few days. In example, some hackers would use the Trojan to gain information from a short list of targeted customers, usually less than 10 people. In this case, the Trojan would be undetectable for a long period because antivirus companies would have yet to encounter a copy. In other cases, the hacker would go all-out and do a mass infection, getting thousands of victims in hours. Then they would gather all information from all victims. The information is later sifted, sorting out the useful from the useless. The Trojan gets detected quickly, but by the time it is detected, the damage is already done. The hacker already has the information he needs and he can sell/abuse it to get thousands of dollars quickly. Whichever method the hacker would choose, profit is pretty much guaranteed. Nowadays however, the Trojans are less common and effective because antivirus companies have learned from their mistakes. Even if a hacker was to perform a mass infection, the gathered data would be pretty much useless. Credit cards cannot be abused due to sophisticated protection systems, paypal (and similar payment system) accounts get blocked quickly as soon as any suspicious activity is detected, so hackers steal and sell whatever else they can. Social network accounts and e-mails are especially valuable nowadays.
What steps do you take to track people who have really gone the extra mile to protect themselves?
[Through] Social engineering. Ah, social engineering is a whole another science that I could talk about for days. [See the end of this interview for a clarification from this hacker on what he means by ‘social engineering.’] You see it everyday, mostly in politics. It’s what people commonly call “manipulation” but in a very different form. Social engineering combines manipulation, human behavior and psychology in order to maximize the effect. It is a spooky art. Not much is known about it in public and this is why it’s so successful. In example, magicians use some basic social engineering techniques to perform their tricks. When a hacker decides to combine technical hacking with social engineering, the results are devastating. It never fails and the target has no way of defending. This is why hackers frown upon it, partly due to jealousy since not all of them can use it, partly because it’s very unethical and it’s often compared to “taking a candy from a child”.
Having fancy tools and ninja skills is all fun and games, but when faced with a difficult target that has battered down the hatches hard, social engineering always works like a charm. It is a very rare talent among hackers. Most try to use it but only few can make it work every time. It takes a lot of knowledge in human psychology in order to use it, but when one masters it, there is no limit on what it can do. Even a half-decent social engineer can make the victim simply give out all information willingly, making the “hack” pretty much legal. In the right hands, this is a very scary tool. Amateurs would use social engineering to convince a victim to open a page or a file which is infected with a keylogger but the concept is the same. You manipulate the victim to do whatever you want them to do. How good it works out and how far you get depends only on your skills. There’s no protection against this, and these people are the ones you should fear. After all, what can you do to protect yourself against a person powerful enough to make you commit a suicide just by talking to you?
Can you give us 2 or 3 simple things that Americans can do today that would dramatically increase their personal security and privacy?
First of all, use a false identity at any given opportunity. Take your time to come up with a complete identity, first and last name, address, phone number, gender, height, weight and every other detail. Memorize this and use it whenever possible.
Do not, EVER, store passwords on any computer or personal device. Think of a password that is 7 to 14 characters and has at least 1 uppercase and 1 number in it. Make it easy to remember. Password crackers are mostly useless nowadays anyway, so the main thing you should worry about is someone seeing the password over your shoulder. Of course, if you get hacked and you’ve stored passwords on your computer or had the browsers memorize the passwords, they’re pretty much gone.
Use virtual keyboards to type passwords. Even though they didn’t receive the attention they should have, virtual keyboards can be a lifesaver. Most keyloggers can only log keystrokes from physical keyboards. If you type your passwords with a virtual keyboards, there’s a big chance that it won’t be picked up even if the machine is infected with a keylogger. [A ‘Keylogger’ is a program running on a computer that tracks all of your keyboard entries. So, it will track when you type in a password.]
Perhaps most important of all, don’t spread your info around. In most cases if your info is stolen, it’s your own fault. Accepting or sending friend requests from/to unknown people, replying to suspicious e-mails, clicking links from sources that are not legitimate – they can lead to data theft. If you receive an e-mail with a link, don’t click it. Instead type it, paying close attention to top-level domain. Facebook.com is not the same as Facebo0k.com.
For someone new to this, what is the one thing you would want them to know about their own privacy?
As depressing as this may sound – don’t get your hopes up. Chances are that no matter what you do to protect your privacy, data will eventually leak out. Instead of trying to defend a huge amount of private information, try a different approach – don’t provide a lot of private information. This way you won’t have a lot to guard. Even if it gets stolen, the damage would be minimal. It’s like having a million dollars in cash. You can store it under the bed in which case the risk of having it stolen is huge even if you put an alarm in your house. Another option is to save only what you need and put the rest in the bank. Even if you get robbed, you lose only a small portion of your valuables.
What is one thing that you recommend that people are continually resistant to actually do?
Change passwords often and for god’s sake, use different passwords for different accounts. You’d be surprised how much people lose everything online just because they used the same password on one account. Stealing a facebook account nowadays is relatively easy, but if the password on the facebook account is the same as say, the paypal account – it doesn’t take a rocket scientist to see how much more damage can be done.
How can our readers use this information to protect themselves from similar tactics?
The best way to protect yourself from hackers is to try to think as one. Read a lot of articles about hacking in order to gain inside information on how data is stolen. Learn how a hacker would try to get your information and eliminate the easiest ways to do it. Usually hackers would eventually give up and move to an easier target if they find you too hard to hack. There’s definitely no deficit of targets so they would much rather spend an hour hacking 3 victims than spend a week hacking you. Of course, this doesn’t apply in situations where your issues with a hacker is personal but then again, you should’ve known better before making enemies with such shady characters.
For someone that has very little money to spend, is concerned about their privacy, and doesn’t know where to start, what advice would you give them?
It’s really more of a common sense, it doesn’t take a lot of money. Like previously said, people need to learn how a hacker steals personal information and maybe more importantly, why. You cannot hope to defeat someone in a game that you don’t understand – especially not if your opponent is a master of that game. The more you learn about your enemy, the easier it is to protect yourself.
Can you give us three simple things that people can do to dramatically help protect themselves.
1- Stay away from social networks, especially facebook. If you absolutely must have it, enter with a false identity.
2- Have a good antivirus that is regularly updated. Make sure your operating system is often updated as well.
3- Don’t click around the web aimlessly. A click is like a step in real life. You need to see where you’re putting down your foot. It would be quite illogical to step on something you don’t see and don’t know anything about. If you’re in such situation, you’d probably go around,
Most importantly, do you have any horror stories about online privacy and security? Funny stories? Stories about the ridiculous/dumb/bad things that people do online or in terms of privacy and security?
Back when I was a blackhatter, my customers were usually businesses that wanted to get ahead of the competition. They would hire me to take down a competitor’s site, steal their database where customer info is and so on. Payments were upfront and in full and clients had no problem paying. Of course, eventually there would be a person with the “bright” idea to hire me and then when the job is done, open a paypal dispute and get the money back. Needless to say, paypal would approve the refund but what the client didn’t think about is who he’s messing with. Immediately his site would go down or get defaced. He would then get an e-mail, asking politely to return the money they owed. They always obey. They all learn the lesson, it’s just that some of them learn it the hard way.
When I got into ethical hacking, customers that are being difficult were a lot more common. I no longer had that ace up my sleeve though, I couldn’t simply take down his site/email/facebook in order to force him to pay. One day while exploring the Deep Web I found out about a hacking group called Emagare. I tracked them down and found out that this little bunch of hicks is the most deadly hacking group, hands down. They offered similar services to mine (when I was a blackhatter) but their clients were entire countries and governments. They had a history of putting countries in complete darkness. Their last victim was Greece which they left without any informational interconnection for about a week.
Nevertheless I decided to contact them and found out that they’re surprisingly friendly. They accepted my job offers for a really good price and I’ve been hiring them ever since. Nowadays they deal with my difficult customers and I’ve yet to meet someone that hasn’t come to reason after being confronted with Emagare.
What are the top 2 or 3 questions you get asked about security and privacy, and what are your answers?
Q – Can you make my site unhackable?
A – No.
Q – Can you hack someone’s e-mail/facebook/whatever?
A – Yes; but that’s a service ethical hackers cannot provide.
Q – Why are you charging so much money for 3-4 hours of work?
A – It’s not 3-4 hours of work that costs so much, it’s the decade-long experience that you’re purchasing.
What are the top 2 or 3 questions you SHOULD get asked, and what are your answers?
Q – Can you help me harden my site’s security to the point where most hackers would consider it not worth the effort of hacking?
A – Absolutely.
(This level of customer understanding, although rarely seen, gives me extra motivation to provide a much better service and always over deliver, giving much more than what they paid for. )
Q – When hiring an ethical hacker, should I look for hackers with certificates and diplomas?
A – No. The diploma is not the one that does the testing, it’s the hacker himself and in a world where cash is king, you can easily purchase certificates and diplomas. A common penetration test starts at $600 and can quickly go up to $2000, making the ethical hacking a very lucrative business. People are increasingly purchasing these certificates and offering penetration testing services with no knowledge to hacking whatsoever. When a client orders a testing service, he would simply hire some mediocre hacker with no extensive experience to do a shallow test using automated tools found on the internet. The result would be a report with a lot of false-positives which is pretty much useless, but hey, the certificate increases its value. So when hiring an ethical hacker, test his experience and practical knowledge. Certificates and diplomas are only ink on paper, worth nothing at all. Take this from a person that has a certificate.
Q – What should I do if I’m attacked with DDOS?
A – Pray that it ends soon.
To clarify for our readers, what do you mean by “Social Engineering” and “DDOS”?
The simplest example of social engineering would be this.
A hacker decides to take down a site that is very difficult to hack by conventional means. The owner has battered down the hatches and invested thousands in all sort of protections. DDOS (explained below) is not an option because the hacker doesn’t have access to a botnet. The hacker only has an undetectable trojan virus to his disposal. If I were the hacker, here’s what I would do…
I would first find out a bit of personal information about my target. His facebook/twitter/other social network profile is a treasure trove for me in this case. What I’m interested in is his marital state, gender, age, living location etc. I would do my best to find out what kind of girls he likes. I would then open a new fake, female profile with about 60% to 70% matching to his preferences, with only 2-3 vague pictures. Not too much though, simply because if it looks too good to be true, it probably is.
Next, I would add some of his friends to my friend list. I would NOT add him directly, this would be way too suspicious. Instead, he would eventually notice me when browsing the lists of his friends’ friends. I would start communicating intensely with one of his best friends in case he doesn’t notice me quickly enough.
When I’m noticed, he would probably want to add me as friend since remember, I’m mostly everything what he likes about girls. While talking with him, he would eventually ask for more pictures of me. It always happens, even with married people, simply out of curiosity. I would say that I don’t trust facebook/whatever and that I would very much prefer to chat on skype or msn. Normally, he would accept.
When on skype/msn, I wouldn’t send the pictures immediately. Instead, I would wait to be reminded again. Sending the pictures immediately would look like I’m trying to push something. So when he reminds me, I would send a zip package with 10 real pictures of me. What he doesn’t know though is that one of those pictures would have my trojan virus binded to it.
After infecting him, I would have all his passwords including the website’s control panel. I would cut off his access, dump the database, delete all his backups both from the computer and online repository and finally deface the site itself. The damage is total. Even if he has some hidden backup to restore, I still have his database which means that I can simply hack it again. Even if he starts with a new database, his customers/visitors would see the defaced site for a day or two, ruining his reputation permanently, so there’s no use of restoring. This is what you do when you want to end the life of a site.
That’s one example of social engineering used in conjunction with hacking.
As for DDOS, that is a variation of Denial of Service attack. The DoS attack is mostly an attack where you overload the server/victim with too much data or requests until the server cannot handle it anymore. In example, there’s a server where you can request a page to open and then the server runs several checks before displaying it. To take the server down, I would make a custom script which would request the page thousands of times per second. The server probably won’t be able to cope with so many requests and would eventually freeze, effectively taking down the site. It’s very much similar to opening 100 programs on your computer at once.
However, there is a form of protection against this. The owner of the site can simply ban my IP and I won’t be able to make new requests unless I change my IP. By the time I change my IP though, the server would be refreshed and ready to accept new requests.
This is where DDOS comes in play. It stands for DISTRIBUTED denial of service. It is very simple – you make a virus and infect thousands of computers with it. Those computers don’t show symptoms of being infected, there’s nothing going on so victims have no reason to suspect anything. You however, have total control over these computers. When you want to attack a site, you simply instruct all of these computers to open the site all at once. The victims still don’t see anything, the browser is hidden. The target site however gets too much traffic and the server freezes. If it doesn’t freeze then the hosting will suspend it temporarily for overloading. If even that doesn’t happen, the bandwidth will get exhausted. In most cases however, the server overheats and crashes or shuts down.
There’s no real protection against DDOS. Banning IP’s is useless because the attack is coming from thousands of machines. It’s like having a private army, ready to attack when you give the word. And you’re attacking a single person. What can possibly that single person do to defend? Absolutely nothing.
That’s about it 🙂