What's the scariest thing about hackers right now?
One person particularly qualified to answer this question is Robert Hansen, better known as RSnake, the vice president of WhiteHat Labs at WhiteHat Security.
"Currently what's worrying me the most -- and I don't know where everyone else is -- is the speed at which [hackers] are able to attack us. Previously, if someone wanted to find and exploit every single website that had some vulnerability in it, that could take months. … As of about a year and a half ago, now we're talking like 4 to 16 minutes, somewhere within that range. And that's the slow way to do it."
This is one of the more alarming hacking trends RSnake addressed in this interview with SearchSecurity at the 2015 RSA Conference. However, there is a small window to prepare for such speedy attacks.
"Fortunately there aren't that many bad guys who understand how to do all that stuff, so for now I think it's not as bad as it could be, but I think that's on the not-too-distant horizon."
Less fortunate is the trend showcased in the Sony Pictures attack, which could be a signal of a new era of attacks intended solely to destroy their targets through any means possible.
"It's a fantastic change in our industry, and I don't mean fantastic in a good sense. It's just fantastic. It's really amazing to watch nation states start to go after physical, tangible assets that are owned by private entities," RSnake said. "We've seen that type of thing happen in the past, but traditionally it's in wartime. You don't typically see that sabotaging happening outside of wartime. Because the Internet doesn't feel dangerous, it doesn't feel like things are actually blowing up, it's not quite seen in the same way… [but] I think this is definitely something that the government takes very seriously." As to whether this was a one-time event, or the start of a trend, RSnake posed that "when you have the highest levels of multiple governments talking about security, that signals a pretty interesting change in our industry."
RSnake also discussed his personal experience in the security industry after choosing to step away from the spotlight a few years ago.
"Certainly it's nice to be recognized and have people take you seriously -- for what you're doing, your research, not just being a pretty face, right? But it turned into a bit of a nightmare. I was getting a lot of attacks and death threats and a lot of terrible stuff. I never really wanted that."
But he still came back into the security game with an even higher profile than before. "It's definitely hard to stay out of that limelight, but I have a different view than I did back when I was starting this whole thing, I'm definitely doing it for different reasons. I'm not trying to promote myself anymore, that's not where I'm at."
Transcript - Emerging hacking trends worry seasoned security professionals
Eric: Hi, I'm Eric Parizo from SearchSecurity.com. It's great to have you with us. Joining me today is Robert Hansen, also known as "RSnake." Robert is the vice president of WhiteHat Labs at WhiteHat Security. Robert, thanks for spending some time with us today.
Robert: Thanks for having me.
Eric: So let's talk about attacker trends for a few minutes. Black hats, grey hats, and everything in between. You're well-known for having one of the strongest networks of grey hat and black hat hacker connections. What's the scariest thing you've learned from them lately that security pros either underestimate or don't even know about?
Robert: Yeah, I think currently what's worried me the most, I might not know everyone else, but it is the speed at which they are currently able to attack us. So previously, if someone wanted to find and exploit every single website that had some vulnerability in it, that could take months for them to scan the entire internet and find all the targets and attack them. As of about a year, a year and a half ago now, there's been some changes to the Linux kernel that allow scanning to happen much, much faster than it did prior. So now, theoretically, if I want to scan the entire internet for a single port with a four-machine cluster or something, a hundred meg connection, whatever, we're talking more like between 4 and 16 minutes. Somewhere in that range.
But, I think that's the slow way to do it. The fast way to do it is to scan the entire internet ahead of needing the data. So the bad guys now have the availability to do that and take all that data and throw it into a database of some sort that they've created. So they have the data ready to go. So when a new vulnerability comes out, it may exploit...they create a new exploit. They immediately just put it in their thing, press the button, and effectively, as fast as they pressed the button, they've compromised every single machine that's out there.
So the problem with that is it makes it nearly impossible to patch in time. Nearly impossible. Like before, you might have had a month before you needed to worry about it, and that's a long lead time really, but a lot of companies need even more than that. Now, relying on your ability to manually do anything at this point is totally game over. At least in theory, that's where things are going. Fortunately, there are not that many bad guys who understand how to do all that stuff. So, for now I think it's not as bad as it could be, but I think that's [inaudible 00:02:18].
Eric: Two follow-up questions on that. One, I think the obvious takeaway seems to be that zero-days suddenly are even more important and urgent for enterprises to address when they can. And two, I'm curious, based on your knowledge, what kinds of adversaries are we talking about? Is that restricted to the nation-state cyber-espionage world or are we talking about the for-profit attackers too?
Robert: Yeah. So... boy, that's a good question. I don't actually completely know who is going to use this tool, and in what context, but for sure 0-days are getting much worse than they used to be. The value of a 0-day, once upon a time, was... something for sure, but now, for several reasons: ubiquity of the web, and how hard it is to exploit things if you don't know what you're doing compared to what it used to be. It actually has gotten harder if you're trying to do it from scratch, if you have no background in security. So having 0-days, having someone else do the work for you, is very valuable. You're going to attack a lot of targets right away. It's worth more.
In terms of who has the capability of doing this, I would love to tell you this is really hard. I would love to tell you this is something you need a ton of time and resources to do. In practice, I have an example of one of these things living in one of my labs and it cost me about 15 grand to set up. In practice, that is, I spent way too much money. That was not the right way to do it. In fact, for the most part, they don't really care about spending that kind of money because it's all fake credit cards that they just spin up on Amazon [inaudible 00:03:55] or whatever. They don't need to worry about spending money, a couple grand here and there. It's just not important, but in practice, I think realistically, to do everything I did as an example prototype of this kind of thing, maybe five grand.
Eric: So clearly, that opens it up to a pretty broad audience.
Eric: All right. Shifting gears a little bit, Bitglass recently conducted what it called a dark web study in which it tracked how quickly data spreads across the Internet underground. How closely do you monitor the dark web, so to speak, and what do enterprises need to know about how it works?
Robert: So, my insight into it is purely anecdotal from my friends, from my contacts. I try to distance myself from the actual practical digging in, and unfortunately you see things and that gets on your computer and then you go to jail for those things. So you have to be a little careful.
But, anecdotally, I get quite a bit of intel on that kind of stuff and it really depends on what kind of data we're talking about, but really you have to think of it...instead of thinking about the underground as being like a really slow community-driven thing that's like word of mouth or sneakernet or whatever. It's not in the shadows. It's much more like a stock exchange. So things happen very quickly. There's different exchanges so it's not one centralized thing but you can...if you have a bunch of friends who are colluding on, let's say, transferring credit cards to one another or something, that is something that can happen in minutes. It's not something you have to wait a long time for. Really, the real delay is in the money transfer part of that. It's not the decision to make the transit...what's it worth and what I'm willing to buy for, that's quick. It's the actual exchange of money that's slow.
So, I think what people need to know about it is really that it is a very fast, fluid thing that is much more business-y than what we typically think. It's much...I mean they've got CRMs, they've got case management systems, they've got full billing and procurement systems. I mean, it's just like any old business, just like you'd expect, and when you meet them you'd be surprised they look just like you and me. They wear suits, they show up with big smiles on their faces, and they drive fancy cars, and...we would not notice them at RSA, for instance.
Eric: Kaspersky recently observed some odd activity between two rival threat actor groups, Naikon and Hellsing. It seemed that they were attacking and counter-attacking each other. How often does that sort of black hat on black hat crime, if you will, take place? And does it signal any kind of change in how these threat actor groups are operating?
Robert: Oh sure, it does. In terms of frequency, I mean, that's been happening since the very beginning of hacking so there is really nothing that's new there. Typically, there's a lot of advantages in taking out your competition. It's A, easier than hacking other people. B, they're not going to call the police. So the risk is actually less, if you think about it, than going after a big e-commerce site or something. And like I was saying, because it's a...because...think of it like a market: if there's only, let's say, a million credit cards in the world and somebody suddenly puts a hundred thousand of those million credit cards on the internet, the value of those things goes down.
It's just like flooding the market with oranges or something. The value of oranges goes down significantly when you do that. So by taking out your rivals, it makes it much easier for you to predict what things are going to be worth. So when you go do a big heist, and you break into a big target or something, you steal a bunch of credit cards, you know exactly what the value of those things is when you sell them. If other rivals come in and suddenly burst and give a whole bunch of credit cards out there, suddenly something you spent months doing and preparing for, and getting all the stuff ready, is worth half what you thought it was going to be. That's...we're talking millions of dollars here so it's definitely worth their time to take out the competition.
Eric: So I have to ask you about the big hacking incident of late 2014. I know you can't talk about specific companies, but let's say it's no coincidence that we're doing an interview. Anyhow, really what seemed to be notable there is that it was an attack that wasn't necessarily based on financial gain or hacktivism in the traditional sense. It seems to be about destroying a specific organization in every way possible. What's your reaction to that? And does that signal any kind of change among what digital adversaries are doing now?
Robert: Yeah, it's a fantastic change in our industry, and I don't mean fantastic in a good sense. It's just fantastic. Yeah, it's really amazing to watch nation-states start to go after physical, tangible assets that are owned by private entities. In any traditional wartime, we've seen similar things. Somebody's building a train, manufacturing something, they're going to get bombed. They're just a train company but they help supply troops to the front line, provisions, or whatever.
So we've seen that kind of thing happen in the past, but traditionally that's in wartime. You don't really see that sabotaging happening outside of wartime. But because the Internet doesn't feel dangerous, it doesn't feel like things are actually blowing up, it's not quite seen in the same way, and it's just easier, frankly. It's much harder to penetrate air defenses and drop bombs than it is to press a button on the keyboard and make possibly veiled threats or blatant threats, and pretend that it's another country or whatever. That's really easy. I mean that costs practically nothing. Way less than the cost of a bomb. Let's put it that way.
I think this is definitely something that the government takes very seriously. There was a conference here a couple days ago -- information, data sharing, exchange -- where people from the White House were asking, "What do we do about this? Where are we going? What should we be doing?" And one of those guys is the one who sponsored the cybersecurity legislation to do sanctioning against foreign hackers. So I was talking to him a little bit about it, and frankly, I think they got a lot of flak from our industry. Not outside the industry. Outside the industry, most people don't have the nuanced view that I think we do.
But even the people who were talking negatively about it really, you have to understand, this could be just nothing more than a veiled threat. Like, please don't do this. We can come after you directly, we can actually make it impossible for you to have a bank account. Maybe we are not doing that today, but maybe we could, and even if they never actually use that a lot, it's a useful one to put out there, but we take this seriously. So when you have the highest levels of multiple governments talking about cybersecurity, that signals a pretty interesting change in our industry.
Eric: Indeed. Finally, on a personal level, you chose to step away from the spotlight a few years ago and now you're back with arguably a higher profile than ever.
Robert: I don't know how that happened. Not intentionally.
Eric: I mean, you're a key member of the WhiteHat management team, and yet you're a hacker at heart. So, tell me a little bit about what you learned from that period and what you're hoping to accomplish in this phase of your career.
Robert: Yeah, I definitely had personal issues with being a celebrity. I really had...when I started, I wanted to be famous, as everyone does when they start something like that. It's like "Oh, wouldn't it be great if everyone knew who I was?" But gradually, I realized that was definitely a mixed blessing. Certainly, it's nice to be recognized. Then, have people take you seriously for you, for what you're doing, your research, you know, not just being a pretty face. But it turned into a bit of a nightmare. I was getting a lot of attacks, death threats, and all kinds of terrible stuff.
I never really wanted that. I never really wanted...I thought I did, but I never really did once I realized what that actually would entail, and so I definitely tried to limit my exposure as much as possible. Now, being back in the security industry as much as I am, that's harder than it...here we are. It's definitely hard to stay out of that limelight, but I have a different view than I did back when I was starting this whole thing. I'm definitely doing it for different reasons. I'm not trying to promote myself anymore. That's not where I'm at.
Eric: Well, I think the industry is better for it at fertilizing a little bit, but with that, Robert Hansen of WhiteHat Security. Thank you so much for spending some time with us.
Robert: Thanks for having me.
Eric: And thank you as well. Remember, for more information security videos, you can always visit searchsecurity.com/videos and until next time, I'm Eric Parizo. Stay safe out there.