Fortitude

nixops
12 min read · Feb 2, 2021

Over the last few weeks, we have gone down the rabbit hole of entering the world of hacking. There are two paths when we come to the point of finalizing strategies, and this decision is ultimately one of the hardest you will need to make. It could result in a lifetime of problems, it could result in fame, or it could result in a payday. The execution of an exploit can be quite simple, but the decision to do so without properly weighing the situation will end badly. Let’s take a look at a few real-world examples.

There are several paths in security; be mindful, or you could end up with a view such as this for a few years.

Kevin Mitnick

Kevin Mitnick is one of the most famous hackers in the world. This does not imply he is the best hacker in the world; his cases simply ended up drawing a lot of public attention. The attention was drawn to Mitnick because of the controversy surrounding his trial and ultimate sentencing. There are a lot of interesting pieces around this case, and it could take weeks and months to cover it in-depth. Many have already covered his story, so I plan to just hit some of the highlights and some of the injustices that allowed for a redemption arc for Kevin. If you remove the controversies around his being held without bail or a bail hearing and the ridiculousness of some of the theories as to why he was denied calls and such, there is nothing special about the case.

These injustices are what drew special attention to the case, along with the FBI publicizing the pursuit. There was a lack of understanding at the time about what was possible with computers, and the word hacker was being used as a scary term to intimidate the masses about the technically capable. This would all culminate in a large-scale shitshow, to say the least. Now, Kevin did commit some crimes, and a lot of his tactics revolved around the use of social engineering to obtain the information needed to gain access to certain systems. This would later be something Mitnick would disclose in his book, The Art of Deception. Mitnick also deployed this tactic to win various contests as well.

The “Free Kevin” movement gained a lot of national attention in and out of the hacker communities due to the injustice. There is a lot to research around the case, and I would recommend that you do. There is always a lot of speculation and romanticizing around hacker cases, so you will want to stick to the facts of the case or you could end up down several rabbit holes. There was also an infamous film adaptation made about Mitnick, called “Takedown”; it was pretty horrible but funny to watch. Kevin now runs a pretty successful consulting firm and can be found giving talks around the world on corporate security. Kudos Kevin!

Before hashtags, bumper stickers covered causes such as injustices.

MalwareTech

Say you sinkhole one of the biggest ransomware attacks ever. The world is cheering you on. You go to DefCon for a hero’s celebration, but as you are trying to board a flight back home to England, your past catches up with you. This is exactly what happened with MalwareTech, aka Marcus Hutchins. Marcus had written some malware code that was later used in attacks on banking software, and he was held liable even though he was not the developer who added the functionality that made that possible. His case becomes much more interesting because he got a federal judge who understood the situation and allowed him to remain free to continue his work as an ethical hacker and researcher. This is an almost fairy-tale ending, but it is a rare case and not the norm.

WannaCry was a large-scale ransomware attack, and some variants are still found in circulation today. During the initial attack, Marcus found a domain that WannaCry was checking that was not registered, so he registered it to sinkhole, or stop, the ransomware. He was cheered and invited to talk at DefCon, where he had a great time, as stated in numerous interviews. As he was preparing to leave to go back to England, he was apprehended and charged over an old piece of malware he wrote called Kronos. The details of the case and more about Marcus can be found in the following documentary, which I do recommend watching.

Marcus was facing a prison sentence over malware written years before his sinkhole for WannaCry. In the months leading up to the trial, it became clear that he could be facing serious time; there was also an insurmountable cost to the case, and in the end, he would plead guilty. The judge showed mercy and explained that people like Marcus are needed to help secure the systems they understand, and that while he may have made software when he was younger that was used for nefarious purposes, he had demonstrated that he had moved on from that life. The full transcript of what the judge stated can be found here. This would be considered a rare case and not the norm, as we will see in a couple of other examples where it wasn’t.

A picture of WannaCry running; this is what users would encounter with ransomware.

Jeremy Hammond

Hammond, aka sup_g, anarchaos, or yohohoho, ended up serving time and is currently in a halfway house in Chicago, all thanks to an informant, for the 2011 Christmas day hacks. Hammond was part of the #AntiSec op during this time and was working directly with Sabu, who would later be found out as an informant when he testified against Hammond. Hammond hacked Stratfor and also made some interesting donations to charities utilizing the credit card of a former FBI agent; this information was found in the Stratfor email dumps from that day. The entire story around AntiSec and Sabu is wild in its own right, and I cover a bit of it here.

There is still a lot to unpack here, as Hammond was a known activist and hacktivist. He has spoken at DefCon and was a big supporter of civil disobedience. This would all be used against him, and still is in a lot of cases, as most perceive Hammond as a nefarious hacker. Hammond will not have a redemption arc like Mitnick or Hutchins; it will be a different route. Again, one of the only reasons most may even know of Jeremy is the injustices around the case. As Sabu was an informant, the FBI knowingly provided 0-day exploits to Sabu while Hammond and Sabu were conversing daily and working together on the exploits. Hammond became the fall guy for the hack. This raises several questions on the legality of the FBI’s involvement with regard to the Stratfor hack.

Overall, I do hope that Hammond will have his redemption arc. We are about the same age, and I would hate to see someone with his spark and talent miss out on a bright future. He was set up, and an informant helped seal his fate. Again, this was a lapse in personal OpSec that led to a terrible outcome. I do hope that once he is done serving the rest of the sentence in the halfway house, he can begin a fresh start, but it will be a long, hard road ahead. He was and still is an inspiration to many for his views on hacktivism and his actions. I am sure his twin brother and the rest of his family are glad he is at least no longer inside. Good luck Jeremy!

Just a pic of the infamous tango down; the really interesting part was covered in the op article about the whole LulzSec and AntiSec ops.

Jeremy Cushing

In January 1995, Operation Cybersnare was set up. The sting was run by an undercover informant to find cellphone cloners and hackers. The bulletin board system was heavily advertised on many other boards in order to entice hackers and cloners from around the country and the world to join. In the ’80s and ’90s, it was quite common for hacker bulletin board systems to be advertised. The threat of law enforcement in these circles was known, but the idea that enforcement would run a board themselves was thought to be silly, as someone would figure out it was a honeypot.

The Secret Service would later find and indict several hackers, including Jeremy Cushing, aka “ALPHABITS”. Along with cellphone cloning and hacking, charges of credit card theft and fraud were brought against some of the others arrested in the sting. Specifically, Cushing was arrested and charged with trafficking cloned cellular telephone equipment and stolen access devices for programming cellular telephones. Cushing, like many others at the time, did not gain the notoriety of Mitnick. They were all simply tried, convicted, and sentenced without much coverage, if any, of their cases. There is little documentation on Cushing, the Cybersnare case, and the subsequent arrests for other high-tech capers involving hacking and phones.

Unlike Mitnick, Hutchins, and Hammond, there is little discussion of Cushing. There is often this idea that hackers must have many people wanting to contact them about technology and current news. However, as you are about to see, even today most prisoners have to resort to requesting contact through personal ads, similar to this one for “ALPHABITS” in the back of the hacker magazine 2600.

Actual personal ad for “ALPHABITS” from 2600 in 2020; this is often the outcome for most hackers that go rogue.

Decisions, decisions, decisions

Picking up where our previous article left off, we now have the execution strategy based on our findings. However, we now must make a very large decision. Do we execute the flaw in the wild, or do we go about proper disclosure? Both of these options have a series of consequences associated with them. I would always suggest spending a significant amount of time making your own decision about which path to take. Freedom is something that you can lose, as we have seen with the others we have covered. There are a variety of things that could happen; always err on the side of caution. When in doubt, contact a lawyer. The choices are to stop altogether, perform the exploit, or do proper disclosure.

Exploiting in the wild can be quite rewarding and empowering; it can be a giant adrenaline rush. That being said, some inherent problems come into play once we execute an exploit in the wild. The first is which laws apply and which jurisdiction has responsibility for what is now a crime. The target can now contact law enforcement, and often will, and it will be investigated either by the agency they contacted or, if it crosses state lines, the FBI will then get involved. Depending on the target, it could become a much larger investigation with more alphabet-soup agencies getting involved. Cybercrime is a serious issue and the times have changed; if your OpSec has weaknesses, they will be found.

As investigations can take time, it may be a few months or even years with little to no public news, in some cases, on the progress from said agencies. This is where your OpSec will continue to be tested; many hackers will brag to others, and this bragging could become a lead for investigators. This again goes back to understanding your threat model; however, in many cases agencies will continue to follow up on leads long after the hacker may have thought they were no longer at risk. This has resulted in many, including MalwareTech, having their pasts catch up with them.

If you are apprehended for hacking, depending on what you have done, you could essentially prevent yourself from being a desirable employee in the future. Unauthorized access and computer hacking charges are seen as a badge of honor. Computer and wire fraud charges are not seen as a badge of honor, as they carry their own set of implications. There are far too many hackers that are ethical, and when employers are looking at a candidate, this is weighed, as well as when it happened. For example, if you caught hacking charges in your early 20s, less scrutiny is applied than if you were caught in your late 30s. Just some things that you should keep in mind when weighing your own decisions.

Decisions such as these can be very complicated; take your time.

The other decision is to follow proper disclosure. I highly recommend this method; there are a couple of caveats with it, and I am going to highlight them here. Proper disclosure is the process of contacting the service provider, hosting company, or owner of a service in which you have found an exploit. This could also be an open-source project, and you will need to reach out through their preferred contact method. I will go ahead and let you in on this trade secret: it can take serious amounts of time to get from proper disclosure to a bug bounty, if that is what you are after. Oftentimes a nondisclosure agreement is agreed upon after initial contact, and in some cases there will be a need for lawyer discussions around the disclosure. Companies do not handle security as seriously as they would have you, the consumer, think.

Bug bounties can range from nonexistent to several hundred thousand dollars. What is missing from this model is the risk of prison time or tarnishes on your record, so this is a better outcome. I will forewarn you that there are times when some companies will take your disclosure as a threat; consult with legal counsel for this when possible. There is a myriad of different responses a company or entity may have, and each is different. Do keep your cool and be patient; in some cases it can take a few weeks or months to collect your bug bounties or finalize a proper disclosure so that you can do a proper write-up on it. Be patient, as each proper disclosure that you are part of will add to your overall understanding of the process.

You can sell your exploits as well, but it is not the preferred model, as it can often lead back to you, as was the case with MalwareTech. It can and does happen. Avoid selling exploits when possible, as you are not always privy to what they may be used for in the future. Again, OpSec becomes much more critical in a lot of these choices, so take it seriously.

Hacking can cost you your freedom. Never underestimate law enforcement and their resources; your circle of friends could also compromise you. Be mindful.

Closing

Now we can see that weighing our choices can have serious effects on our lives, and we should not make rushed decisions on the matter. On one hand, you may find that the thrill of running exploits is addictive, and on the other, you realize that the potential loss of your freedom should outweigh the potential rush. As with most rushes, the high can be extremely addictive, and some will not be able to fight the urge to exploit. In these cases, I would recommend that you run environments on your local machine and exploit those rather than risking your freedom; again, this is your life and not mine. YOU are responsible for YOU, I am not.

Bug bounties, proper disclosure, and ethical hacking are a booming business in this day and age. You may not get the street cred, so to speak, of a blackhat hacker; however, you will have your freedom. There will always be a benefit to adding to your skillset and your accomplishments while possibly even getting a payday from your work. Hacking is not always about security either, which is something many are confused about. You can be a hardware hacker who just builds projects, or a developer who is a hacker and just builds projects. Hacker is a term of endearment not related specifically to security, though the media has associated the word with security and most just assume so.

Your choices are just that, YOURS. I hope that this series has shed some light on the foundational pieces of hacking, OpSec, research and analysis, and of course the decision-making process. One of the biggest takeaways from this article should be that not all hackers get recognition or a redemption arc, and many will go unknown to most. Take extreme caution in your decision making. There are still a few key pieces I will cover later in other writings, including the bug bounty process and proper disclosure; these will come after more progress is made on the recent vulnerability that was found in doing this series. I will be moving on to other topics. One write-up many have been waiting on, the VPN deep dive, will be coming out next week. I look at and review several VPN services and their privacy, as well as validating their claims. It has taken a while to complete, but it is finally ready, and I hope you all will enjoy it as much as the other articles I have written.

I want to thank JACE for proofreading. I also want to thank all of you who read my writings and reach out to me about various subjects, and those of you with questions. Thank you. Feel free to reach out to me on the following platforms:

Signal: (867–675–1041)

Tox: D7D264EA7541C4324625A8360267C3C54F9C1AF564D4266FE45F2BCB68924E21CB2A75746D51

Twitter

nixops

General purpose hacker and deadhead. Sometimes I do things…