“Hustle beats talent, when talent doesn’t hustle.”
I was just using twitter and found this quote on someone else’s twitter feed status. It got my mindset in the mood for a bit of safe grey hat programming and script coding to show and solve an IT security issue. Something worth solving & sharing that is useful.
I was thinking about writing a current and relevant IT Security exploit and the accompanying fix for it as a personal programming project in my spare time using a programming script language that is native to the target’s operating system such as Microsoft Windows using VBS or PowerShell scripting, and perhaps be able to run the proof of exploit and cure on other desktop and laptop computing platforms such as Apple Macintosh OSX and Linux operating systems such as Redhat and Tails.
Perhaps write a multi-platform exploit using a script language such as Python, although for each platform to run the code, it would depend on the run-time software being installed on each platform first to make it work at all, and that can be done only if the user is not alerted to the run-time software being installed due to them seeing or hearing security alerts which points out something is suspicious. The fix to prevent or clean the effect of the exploit ideally should be available on the same platform being attacked to make it simple. Maybe I will be looking at exploring other platforms like smartphones and tablets, and / or web browsers and their webpage scripting languages and later look into exploiting more secure and challenging file-server operating systems. Wireless and Bluetooth could be a good protocol to attack, or could be used to demonstrate the ability of my code to jump from one device such as a mobile phone to a computer that is not even connected to the internet (also known as an AirGapped machine), and never had any USB sticks, CD’s or other media used which could have been used to infect that target. I could use a phone, tablet or smartwatch to copy a file from one airgapped machine to another airgapped desktop, with no wires connecting the two together, and neither system having bluetooth or wireless capability. It has been done, and the smartphone is the bridge that was used. It’s a widely understated risk, and allows an attacker to steal files from a computer without having or needing logins and passwords for access, and if the phone was giving out a strong wifi or bluetooth signal, it should prevent the attacker needing to be located right next to the target computer including touching the machine at all to copy from it or install bad code to it.
This type of attack leaves any past, present and future CCTV video footage examined to identify who gained unauthorized access to a computer a fruitless task, and will bear no evidence to support a legal case without their smartphone being examined that was used as they walked past the machine while the phone was hidden in their pocket. If the attacker doesn’t even get seen on a security camera’s footage as touching the compromised computer, no evidence using CCTV footage should prove their attack. Might be worth coding 😉
I wanted to build the project’s programming source code files into two separate sub project programs that each in turn succeed in completing the demonstration of two very opposite & related goals:
Program 1) It does something naughty on my own personally owned computer(s) that is an undetected threat either locally or remotely
Program 2) It prevents the naughtiness & vulnerability I have proven by demonstrating the weakness using Program 1. This 2nd section of the project is aimed to not only stop and reverse the security hole and scale of the attack now but also in the future by fixing it. To find and clean any unwanted changes the unwanted exploit caused in files, folders, networks, disk & memory, to stop the bad code from running now & patch the hole, preventing the same attack repeating.
As a side note to that, I wrote my University project the same way and I miss the challenges and fun that it occupied me with. I hope to share my findings with my workplace now I am allowed to since given the title of “IT Security Ambassador”, because if I gave them something like this without permission to think and work on the dark side of IT, it would have been professional suicide for sure, especially if worked on during normal hours as a 1st,2nd,3rd,4th line support techie. IT Consultant is my title, but call me the tea boy for all I care, money and title of jobs mean nothing at the end of the day. What matters to me is the ability to identify and fix problems, both regarding IT Support and IT Security.
Look at my Anti-Virus final year project dissertation from 1999 that not only got me writing a brand new Microsoft office word document macro computer virus by using a virus construction kit that gave me lots of options my virus could have, and it generated the source code of the virus for me. I had to change the order of several chunks of the code known as procedures, just by cutting and pasting the order of the parts my code was split into, so that when it infected the first file, it was unique enough not to be a known pattern that bad code is found and stopped by examining with an Anti-Virus product. It could not be detected or killed with any virus scanner at the time, but then going on to write the virus scanner for part two of the practical coding half and also served as a cleaner that detected and killed it. That was what I wanted to prove, but the way I saw the issue and method to fix it was a real bonus over all other word virus scanners at the time, because it also detected and killed every single Microsoft word macro virus in existence, known or unknown, it was a generic approach, no updates were ever needed.
You can download the whole project, including source code in Visual Basic v5, the full write up & documentation and working program from my own website space here:
I aptly dedicated the titles that presented the virus code and the scanner code after “The Prodigy” – The virus being “The Poison” and the scanner “The Remedy” 🙂 Lol. The given name of my virus was Big Bertha. It was a big and nasty bitch, I wanted the threat to be serious enough to prove my point. It changed the appearance of its code every time it infected a new document making it hard to scan for viruses using a scanner, and the payload caused ball ache for the user infected with it on the 13th day of any given month. You open any document then, it selects the whole doc, deletes it, and saves it. No word recovery, undelete or recycle bin is going to save you at all. A recovery utility might fail too, since the file is still there but now empty. A disk editor might be the only way, and a difficult way at that, of getting your work back.
The scanner was called “GW-Scan” standing for “Generic Word Virus Scanner” but unfortunately since then other people have used the name I did for completely unrelated software programs. No loss or hardship my side, I gave it away with the source code for free from the start, and always wanted to share it at no cost. It solved the biggest type of computer virus infection at the time, when Microsoft hadn’t rewritten or patched the security issues that word documents and other office file types like spreadsheets and presentations allowed anyone to open and didn’t prevent an attacker from being able to run any code they wanted on the poor victim’s computer they used to open an office document with. Sharing the document shared the virus, and email system spread these types of macro virus quickly, in large numbers of files used in business and home computing systems on a global scale affecting many people, companies and systems. It became such a large issue of security that I could have made some money with the idea if the program underwent drastic improvements to graphical appearance, global language support for all of the programs menus, labels and messages meant I would have needed to hire many expert language translators for each country I wanted to display my program in. To sell it as a useful product it also needed a better way of handling the processor, allowing the user to carry on working while it scanned, as it always hogged the CPU full whack when it ran, preventing the user from doing anything else while it searched and cleaned viruses.
It ran quicker as a result of hogging the processor, and I thought at the time I wrote it that I wouldn’t want to do anything else with a PC that I suspected of having a virus on it until I scanned it first. I learnt that it was an improvement it needed, to prevent other tasks from freezing while it carried out the scan. I live and learn from early inexperienced under-sights like that, and would write it very differently today if the final version was to be sold in order to legally own a fully working version of it that behaved itself. It also needed to be TSR (Terminate Stay Resident) which means it runs as a process inside memory in the background of the operating system, maybe also show an icon in the system tray to let you know it’s there next to the date and time in windows, with the option to turn off the system tray icon by closing or hiding the app, change the settings of the program to suit the end user’s requirements or open the manual interface to it which allows custom locations to be scanned and cleaned. It would have prevented the need of the user having to scan drives, folders and files manually having it always check every document for me without the need to instruct it on where to scan. The process would have been automatically scanning every document the user opened up, copied or saved to and from any disk or network space. It would then have needed a website with a PayPal store front to allow the sale of my program as a downloadable software product, and would have needed better documentation including a professional user guide, a contact phone number and email address to write to me for support if needing help or advice using it, and the list goes forever on. It was a full time job.
I didn’t want to make all of that effort with potentially no payout from it because I find during development or shortly after release of my money making product, that Microsoft patched the issue and my scanner / cleaner was now defunct and worthless. It was eventually when Office 2010 came out due to .doc and .dot files being split into .docx and .docm and for templates split into .dotx and .dotm on the end of the document filename to show the additional letter of either “x” for no macros and “m” for macros. This improvement from Microsoft meant that before opening a document, you knew if it had any macros in it that would run, they would only run as a program at all if the document ended with the .docm extension. Even a virus infected document opened as a .docx file will never run the code. At last, they must had read my project and took it seriously. I had emailed them a copy of it. They also made the document warn you if it had unsigned code in it, but that was badly written and people still managed to circumvent legitimate documents containing macro code that users needed to run for their job or home life. It’s pretty much a defunct issue now since they made Office 2013 and 2016 versions, the security is tight enough by default to prevent easy spreading and running of bad code in word documents, or excel, access and PowerPoint too.
As a measure of safety, I made sure before displaying the project openly, which we had to make sure our project was available for anyone else to study, I emailed EICAR (the European Institute for Computer Antivirus Research) who were at the time responsible for sharing known virus strings all virus scanners used to find known threats with. I sent them a copy of my whole project, an example of an infected file that no virus scanner could find, a covering letter explaining my purposes of doing so for research towards my degree, and that I wanted them to add the search string of the new undetected virus to the leading virus scanners, which they kindly did for me, with no difficulty or delay, and funny enough without a reply! It was important to me that my project didn’t cause a virus problem itself, especially since Christopher Pile from Plymouth was famous that year for being the first UK virus writer to get 18 months in prison for writing two viruses, SMEG.Pathogen and SMEG.Queeg which were classed as “Polymorphic” viruses like mine was. It means that it aims to change it’s pattern each time it infects a new file, in order to prevent the virus scanner being able to use search strings to find it easily. It had a vicious payload too, which intended to overwrite documents and cause data loss. It bent a few rules already, and leaving it documented as an unknown virus could have haunted me, so I didn’t fancy taking any chances. Despite being legally protected by the academic facility that sanctioned the project, if it got out globally and caused damage, I doubted any right to freedom.
So that leaves me with a new problem to think about demonstrating, and solving. I don’t think you can be taken seriously and be treated safely and not considered a risk by a person, a company or an IT department that wants to hire IT Security and Support services from you, or give you a full time position in that capacity if all you want to think about, demonstrate or show to them that you only work and share exploits and weaknesses unless you are a fully employed ethical hacker who only gets hired to break into systems and not fix them. You would still have to write a detailed and accurate report of what you found to be a security risk to them if you wanted to make a living out of selling and safely using highly developed hacking skills.
Never hack anyone, any department or any company without fully authorised, written, signed, dated, company headed paper, get them to include the scope of the attack or access you will be looking at, along with location of target(s) and the date and time windows they will allow you to explore their security holes clearly in the letter. Using what would normally be considered breaking the law by using these skills and techniques without permission, you now have the ability to get paid for something that is considered illegal, but now it’s not only allowed because you are authorised by the right owner of that system, it’s only being tested with a view to presenting the facts they need to know, and that what they are paying you for, showing them how to stop someone else using the same method of attack perform it for real, where damages to you can be unlimited. With IT Security, it’s too dangerous for me to approach with anything other than honesty and integrity. If you make a living out of what normally would be breaking the law, it makes using the same skills being used in a dishonest way an unnecessary risk, being legal about it brings no guilt for you, no fear of getting caught, no evidence left behind anywhere to worry about being examined, no lack of freedom when eventually caught and punished, and gives you the ability to share with others openly about your enjoyment in legally exploiting systems in a safe and controlled manner that doesn’t cause anyone harm, loss or hardship. It makes the system more resilient to being hacked if you can throw a lot of known and new attacks to test the stability, security and privacy of the information being protected.
If possible keep emails to and from the company you want to explore and document their own vulnerabilities they need to correct, before a dark hat hacker comes along and takes money, causes damage, disrupts service, erases data, holds data to ransom, you name it. If you let anyone run their own programming code on your machine, you had better hope it’s not the modern day virus, spyware, malware, worm, Trojan, botnet, spammer or key grabber.
Back in the day I grew up, we did that for fun only, and never for profit or personal gain. I still hold those values. It’s just not worth being imprisoned and sharing a jail cell with “Big Bob” the male rapist when you happen to be a straight male who once enjoyed the love of a wife and pets, friends and family, the great outdoors, visiting the seaside, going on holiday, whatever most people enjoyed doing easily when they were once free to roam, but because they chose the wrong path of security, they now become choices today that are unavailable, denied, impossible or no longer fun. Because the existence of a long jail sentence becomes a very stressful and painful punishment for most people, but some people actually enjoy it surprisingly, and can’t cope without being locked up. For most people regretting the decision that changed their life for worse, thinking about the previous life experiences and memories you had traded for nothing but painfully missed abilities and lost happiness.
A screen, keyboard and mouse, or a smartphone, or tablet can lead to the difference between a life with freedom and luxury turn into misery and suffering. most people suffer with the experience of prison. I believe incarceration caused by getting legally caught using a computer or device to access and abuse information illegally is going to be more commonly detected and punished for sure. There are so many new laws created in recent years that can be broken by ignoring simple rules like gaining or denying access to something you were not allowed to interfere with and were caught by doing so.
And since the penalties for abusing IT information systems can now cost you more time being incarcerated for than committing murder, it seems that it’s gone too far when punished compared to what I would consider a much worse law to break compared to hacking. But that’s what happens if the rich have money stolen from them. They punish it more than the loss of someone’s life, which I don’t agree is right within a justice system that seems to have their priorities wrong about so many things, I give up trying to defend it making sense. I couldn’t justify giving a greater prison sentence to a hacker instead of a killer just because they were caught playing on the dark side of computing for fun, to see if they could beat the system, but were unable to provide solid proof of authorisation that allowed them permission to waive the law. If the owner gives verbal permission to hack anything, always get it in writing to prevent their verbal denial of the permission they gave you later on down the line when they tell authorities they never gave such consent. That lack of having a letter to cover you could have cost you everything you worked for and enjoy, for a very long time. Trust nobody with that.
Don’t get me wrong, I love playing all 3 security hats of white, grey and black, and mixing with the shades in between, but I do so only breaking into my own computers that I legally bought and own. I avoid affecting any other internet sites, services, servers or other people, companies, authorities, charities, financial institutions etc. Creating and preventing an attack from myself to myself only, and by using only my own hardware and software, doing so in my own time, at my own home, even down to using my own electricity, developing my own programming assets such as source code, not using source code that is illegal or restricted for use by anyone other than the programmer or company owning rights to prevent me using it legally. I find that most security issues and fixes can be achieved using free methods, be it in freeware or in house written code.
The fact I am very strict with myself when it comes to learning, practising and teaching others about what many perceive as the darker side of behaviours and laws to observe, and any electronic information systems and telecommunications I experiment in such a way completely belong to me in every way. As long as it bears no consequences to others that may be relying on my machines running normally in order to provide them a service I have a contract with them to uphold, I don’t need permission from anyone. It’s not breaking any law that I know about here in the UK. Still, I wouldn’t be surprised if some countries made even copying, keeping, downloading, writing and sharing any type of computing, electronics or telecoms exploit source or object code highly illegal. It seems that companies are too focused on litigation risk to defend themselves as they should, by testing the boundaries and limitations of their security solutions. Simply auditing financial figures quarterly doesn’t stop a break-in. It may leave companies and their directors who hired them to balance the books to tick boxes have much less money to count, and the figures still won’t balance anyway since funds are lost. There is no room for this old hat thinking if you want to secure the money held within a financial system of any businesses today.
My home machines are strictly legal for English law, I don’t need to worry about other places unless I start sending it to people around the world or sharing it via a website I may own. Then it’s best to do your homework before breaking the laws of other countries online. Extradition orders to have you transported to a country because you broke their laws by coding something they want to punish you for are not uncommon when it comes to global law and the internet.
There is a good example in the next link of a London UK hacker named Gary McKinnon who was found guilty of unauthorised access into a number of US military computers including NASA and the Pentagon, over a time frame of two years that he spent looking for secrets about anti-gravity and free energy technology he thought the US were hiding. He believed it could benefit the world by finding and disclosing it. I wouldn’t have made such a decision myself to look for that information or even consider releasing it. Not only for the sake of freedom, breaching the official secrets act is not good for anyone’s health if found. For the sake of a quiet and peaceful life, I would advise against anyone doing what he tried. Worse still in my mind is that if that information was found and shared by anyone regarding those secrets, and could have been used to create mass destruction by causing an explosion of a much greater magnitude that makes a nuclear weapon detonation look very mild compared.
His extradition was rejected by our then UK home secretary, who went on to become our current UK Prime Minister, Theresa May. His extradition order from the UK to face charges for the hack in the USA was denied by her, but strangely for the reason of a medical condition of Gary’s mental health condition of Asperger’s Syndrome and a depressive illness which put him at risk of suicide had the US succeeded in detaining him with their proposal of 60 years hard labour. Because it was deemed unfair to his human rights due to a risk of life, it finally won him the case after 15 long years of a costly and stressful legal battle his mother fought well. It is also known that the US charging him with damage to the systems he broke into was entirely fabricated. All evidence of damage costs made by his hacking was just to meet the requirements of his extradition being valid to the US courts, and was never proven. He says in interviews about this, and it’s clear he was being made to look as bad as possible by the US legal team who lied. He was lucky to escape a harsh punishment, much worse than our legal system would of given him as a sentence for computer misuse. He faced no charges here in the UK either after the extradition was cancelled. It is known as one of the biggest hacks against the US military ever performed. Most people wouldn’t have got away with the magnitude of his actions.
It’s also just too easy for anyone to have power over you or get you punished for hardware that was bought cheap because someone selling it to you stole the computer, and handles stolen goods. Best to buy a new one, get a receipt with the purchase and keep it safe. Also applies to software piracy, intellectual property of source code, paid for software needed to develop it, and many other rules you must follow to ensure that anyone inspecting your computer knows you are legally compliant, because you can prove it.
The penalty for legally getting charged for abusing IT, telecoms, privacy, access rights, copyright, ownership and causing disruption or damage doing so is something most punishment sentences for breaking those laws today in most countries charging someone for that is well over the top, and not treated as a less serious crime like it may have been treated as 20 years ago. In order to try and discourage people committing crimes online, and doing so on purpose for personal or financial gain, don’t expect to get away with it, and don’t expect a night in the police station and a verbal telling off for getting caught with that will happen. Authorities can and usually will ruin freedom and peace of a hacker if they can find you, they can prove activity like this against you eventually, so my advice is don’t hack anything illegally, practice the skills safely and carefully in accordance with the laws you need to respect depending on the countries that may be involved in your project. It’s best to protect your freedom now and while you can by doing this to prevent someone easily blackmailing you or getting you imprisoned, for whatever reason, to get you back for an argument or because they find it’s easier to get you locked up than compete with you over power, money, people and status to name but a few. It could be down to jealousy they have against you because you really rock at something they really suck at, and some people are just bad losers.
Information can be potentially the worst weapon that can be used against you, or that you can use against others. Here is an article I found that depicts the possible outcome caused by real black hat illegal hacking used to attack a country’s IT infrastructure computer systems. Some systems that are hacked are agreed to be more dangerous to them being cyber attacked than the threat of nuclear war. An example would be causing a nuclear power station to explode. The size of the explosion would easily beat any nuclear missle attack, and the radioactive fallout would cause bigger losses.
I think they are right, but it would either take a hacking expert or one that just got lucky to be able to cause national grief that created a serious setback or ended up ruining a country. But then you have underground hacking groups that can hack different systems individually and collectively, they can split the effort and skill needed up between them, when to attack, what to attack, how to break in, how to make changes or prevent service, when to get out, and staying untraceable to their defenses and security auditing records.
That’s a very tall order for any hacking group, and a huge task for an individual unless it was organised to hit specific targets that caused the required disruption the attack was looking to cause. It could be written in a way to spread itself specifically into their country using a targeted and focused attack, and by doing so it helped to infect itself for the attacker by copying itself around using a virus as a mechanism to spread around their country. It could perform a variety of payloads and stealth tactics depending on what type of machine it infected and what it did when it found the machine it targeted. If it finds what it is looking for, it can be set to cause chaos.
An excellent example of such a targeted attack springs to my mind to demonstrate this possibility. Not only was this malicious code specific to a particular country as the target, but also aimed at the shutdown of a particular type of infrastructure within that country only. The virus was called “Stuxnet” and the target affected the most was mainly that of Iran, and their nuclear facilities were rumoured to have been attacked accurately enough to shutdown their ability to produce weapons grade nuclear materials from one of their Nuclear facilities. Iran were deemed a risk that the material the plant produced could be used in a targeted nuclear war missile against other countries they wanted to fight a dangerous war with.
See the YouTube video below about the accuracy and intelligence displayed by the programmers who wrote it alleged to be the CIA working with Mossad by some experts, although this was never proven without a doubt to be truth about the origin of the code. It is thought that it’s creation had a purpose from the start to solve concerns of Iran being able to create nuclear weapons that could be used to cause mass destruction to the US or other countries they may have been able to reach using an ICBM (Inter-Continental Ballistic Missile) with a warhead payload if detonated correctly and the destination was reached accurately, that it may cause a potential death of millions if they were not prevented from being able to make enriched Uranium from one of their Nuclear power plant facilities that the US and Israel suspected that Iran were making to use in war.
The virus contained 4 separate “Zero Day” attacks (vulnerabilities unknown to the vendor as an exploit, in this case the security holes were not disclosed with Microsoft on purpose). Because the methods it used were unknown to Microsoft, Virus Scanners, firewalls and so on, the virus was not detected, it easily ran the code it wanted to inject and execute onto any machine they wanted to, and without the target user’s knowledge. It was suspected to be USA intelligence that created the virus with the help of Israel who mutually worked on making the goal achievable. Their security concerns about Iran were shared, and their level of programming excellence was shared making it a very impressive, complicated and accurate at achieving it’s purpose, which was to prevent production of something Iran could abuse in a very devastating way for them.
Each zero day attack could have been sold to Microsoft as exploit source code to prove it was a risk to Windows, and Microsoft would have at that time paid a reward of $100,000 per zero day attack that qualified and you submitted it formally to Microsoft for them to examine and keep for their study. That bounty is now $200,000 for each qualifying zero day attack found and submitted to the vendor. Because Microsoft want to write security updates to patch their operating systems, they reward and prevent attacks they know about. Microsoft need to be seen stopping holes they know exist, in order to prevent hackers exploiting the vulnerabilities used for unauthorised access & online crimes. Doing so gives Windows customers more confidence in using their Windows and software they use with it.
It made a big statement, that someone wanted to stop the intended target so much, they were preventing themselves as the programmers of it being able to cash in a $400,000 reward (now doubled to $800,000 for the 4 attacks used in Stuxnet) by sharing the code of the zero day attacks they created and used for Stuxnet to be operational as a stealth virus. A reward from Microsoft instead of creating a virus with it would make financial sense to many people capable of finding or writing a zero day attack. It was a surprise to many that learnt about the virus that most people would have not thought twice about cashing it in, which is why it points towards code written by a government for political or national security purposes. It’s a drop in the ocean for most governments, and if they managed to stop a nuclear attack that would have killed millions of their citizens, it was money well spent to prevent a mass destruction on their soil. At the same time it shows that the creators of it were serious about the intention of it, and put what many people would consider to be some big money on the table, not only in order to make it secret and sneaky, and bypass security blocks that would have prevented it from spreading and working, but to me I felt that it proved to Iran and the rest of the world who later learnt about the code, that they meant business.
Stuxnet could spread stealthily between computers running Windows—even those not connected to the Internet. If a worker stuck a USB thumb drive into an infected machine, Stuxnet could, well, worm its way onto it, then spread onto the next machine that read that USB drive. Because someone could unsuspectingly infect a machine this way, letting the worm proliferate over local area networks, experts feared that the malware had perhaps gone wild across the world.
A good write up of how advanced it was, how expensive it was to make, the skill and accuracy involved in knowledge required to manipulate and control the systems it was written to target and how good it was at achieving it’s intended purpose made it famous globally and is regarded as one of the best code created cyber attack weapons ever created. I found an article below that explains it well.
The Stuxnet Wiki page provides more detailed information about it.
There were errors in Stuxnet which made it obvious when over 40,000 computers crashed, so it was not the best example of coding I have ever seen. There was a version 2 of Stuxnet which had the errors removed, and allowed the worm to infiltrate, do what it needed to do, and properly cover it’s tracks when done by using expiry time limits that cleaned it’s own infections up before discovery. I believe that if that corrected version was used, it was in and out so quick that it disrupted only the systems it was intended to affect. Little is known about the 2nd version ever being found in the wild because it did it’s job so well, that was the intention. Clever!
In October 2012, U.S. defence secretary Leon Panetta warned that the United States was vulnerable to a “cyber Pearl Harbor” that could derail trains, poison water supplies, and cripple power grids.
Most viruses, worms, Trojans and spy/malware programs and scripts are just too obvious, as they usually give the game away before too long because they slow down a system too much by hiding itself or running in a badly programmed way, and to be effective, it has to run in memory copying itself and waiting for the trigger the virus writer decided would activate the payload when that condition become true. Payloads that show the system is infected with bad code too early on won’t travel far. Infect other files too quickly, cause too much memory, disk light flashing or disk space hogging, high CPU or lots of network activity and traffic slowing shared networks and internet away from others will also be quickly found. Dr Alan Solomon the Anti Virus expert who made a living out of detecting & stopping bad code coined the phrase “If you spot it, you’ll squat it”.
So for bad code to be a success, hard to detect, resists showing itself off in any way at all, is written in a language that runs quick, using efficiently written small code which is accurate, compatible across all known versions of Windows, Apple Macintosh, Linux, and maybe android/windows/blackberry/apple phones and tablets could be in scope for a target platform to demonstrate it with. From a Black Hat perspective, writing a cross platform exploit and fix to it will generate a much wider audience that could spread the malicious code further, quicker and sneakier if the exploit was implemented well. You would possibly look at operating system stealth from the user being able to see it or feel their normal tasks are slower than usual, or manipulates web browsers in a way that most browsers will run the code and not complain with security warnings when visiting a website that runs a proof of the exploit without causing any damage.
This is important to avoid the risk of litigation when playing with malicious code, especially if sharing it with the world via a website or selling media with your programming source or object code written on it and distributed to others that wanted to buy, share or learn from it. It would be risky to your finance and freedom to ignore the possibility that you could end up legally disadvantaged, potentially in a lengthy and costly way if the exploit didn’t manage to contain any damage it caused when trying to highlight the vulnerability you sought to resolve, even if the intention was intended as educational.
Internet Explorer, Microsoft Edge, Google Chrome, Mozilla Firefox, Opera, Apple’s Safari internet browsers are an example of the current popular audiences to test the exploit and the fix with, if the program is or needs to be written in web page scripting language to gain entry into the target system and perform it’s unauthorised and unannounced access for educational purposes only when playing the game legally and safely. The code that performs the naughty action(s) is much more prolific, spreadable quickly, globally and likely to work on many different systems, affect and travel across a much wider range of users and be out in the field for a long period of time before it eventually becomes eradicated by antivirus updates, operating systems like Microsoft windows being automatically set to update itself, which if Microsoft write a fix to cure the security hole, it no longer becomes a problem to a computer, and requires little or no action to defend computers that are set to update themselves.
I personally like IT Security projects that use the two pronged “double whammy” approach to the presentation of a problem and the solution rather than staying stuck in either the “White Hat” good person mode or “the Dark Hat” bad person mode and sticking to only one side of the fence. It’s a subject in my mind that needs to be sometimes a balance and show both sides of the coin at times in order to improve skills. This includes finding exploits, patching them and in stopping yourself and others from being hacked in what seems to be an infinite number of possible and complicated ways . I’m more comfortable with the Ying and the Yang balanced approach to the whole subject of IT or physical security, as I personally found that being good at one will improve the other, when both are learnt.
So my conclusion on how I need to think about IT Security problems and fixes from a technical and practical level becomes:
“Given the choice of being White Hat or Black Hat, I choose neither, Grey Hat seems to be a logical start”
By Roasty – November 2017