Kinda on a journey to find something to do with myself, to make myself feel meaningful in the world. I think all people deep down want to be able to feel absolution and meaning in life, and without it depressive phases are so much harder to recover from. We could always debate the ongoing medical research around all of that, but I much prefer philosophy. In my mind, there is a way of life that may make you forever an outcast, but always learning. I find that I used to walk down the streets looking at the telephone poles and anything around that I wanted to learn about.
"Can I get a phone and connect to the wire exposed by this gas station for free calls?"
"How do the cables jump to and from each transformer and why do the transformers seem to blow most commonly near the end of one power station's capable distance to provide power?"
"Why do people driving cars always turn towards you before turning away from you, if you're walking along the side of the road or even in the ditch?"
"That fancy new sign outside the school, how do they control it? Is it networked?"
No matter how many people try to argue in defense of what they believe "real hacking" is, I've always found that hacking is a philosophy, far more than mimicked strategies, paid services, corporate bureaucracy, or studied behaviors. That said, in today's world hacking is a business. As a business, any business, understanding the threat landscape has become more valuable than money. It's reasonably believed that you cannot have a fully secured anything, while similarly you will find things you cannot accept as a risk to you or your company. Criminal and state-sponsored hacking functions just like any business, far different from the artistic, let's-see-what-we-can-do hacking of the 1980s and 1990s. Hackers want to run low cost, high gain, with solid operational security, and unlike most businesses they don't have to care about the laws they break doing so. This includes infrastructure, scripts, tools, whatever, and can be exemplified by the case of the leaked NSA data, which was originally believed to have leaked because Kaspersky was on the system. The investigation publicly found that Kaspersky did flag a tool they were using, because it was a backdoored version of a paid tool. That, or any of the "countless other" cracked software they downloaded that was backdoored, is believed to be the real cause of the leak. But just on the assumption that Kaspersky did it, because their service flagged an unknown file for scanning around that time, Kaspersky was massively restricted in the United States and blackballed from US government systems, ending contracts immediately and plausibly costing the company millions (the court ruled that despite more than 3,000 contracts being voided by the government, the idea of "future funds" the contracts would have entailed didn't merit repayment by the US government).
This little bit of history is a great example because USA hackers, using illegally downloaded and cracked software because they were too lazy to crack it themselves, turned around and dealt a blow to the entire infosec community by preventing one of the largest contributors to threat intelligence methodologies and sourcing from having a platform on which they'd even be heard anymore. To put it another way, they saw a rival (Russia) and said we're going to impose costs on our rival due to the leaking of this data, which we don't claim was actually from us despite all the evidence.
That is really the name of the game with security, to impose costs and control risks. You will accept some risks, but wherever possible those risks should come at a high cost to bad actors.
When securing a platform, you'll often hear about layered security and things like that. But perhaps think of it another way. A firewall is free, on every platform, takes minimal resources, is generally easy to configure and can prevent the wide majority of unwanted traffic on the internet. The cost it puts on would-be attackers is mostly longer scan times. So it's reasonable to say it's a very easy thing to use, with a high rate of success, but by itself it's also relatively easy to get around. Single protections are always like this. So let's step it up a notch: you have a website running and your business relies entirely on that site to do business. You can manually program everything needed to flag suspicious queries that make it past the firewall, but the upkeep for such stand-alone projects is usually more than is affordable, and it risks unknown vulnerabilities in your own code going completely unnoticed unless you catch someone exploiting them. For many companies this is where the web application firewall (WAF) comes into play. So let's say you hop on over to Cloudflare and set up DDoS protection and a WAF along with a wide set of rules, protections and alerting. But you did all that and never set up your origin server to only accept requests from the WAF, giving attackers fair game at your system while you're expecting your WAF to catch it. The cost on the attacker is currently just to know the host IP, the virtual host name the web server will answer to (some just default even on the IP, of course), and to find an exploit for your site, assuming you don't use some third parties to run your site or known vulnerable features. Maybe that's enough for you. But going from that to fixing the firewall and web server configurations is like a $10 charge on Upwork/Fiverr/etc., just three or so line changes, to get you to "the attacker has to come through the WAF, undetected and unmitigated, completely through their attack cycle".
If they have an LFI and simply work it until it bypasses your detection, they can still have their gold, but the expense overall has multiplied. Now what if you also ran each part of your web service in containers (Docker, Kubernetes, Vagrant, etc.) so that your web server can talk to your database server, and the database server to the storage server, but neither ever talks to the host. You could have your site exploited and backdoored, the WAF detects it, you pause that instance (for review) and spin up a new one that was never exploited, as soon as they make their way in. This does take a bit of automation scripting between your WAF and your container host(s), but any admin with the time to do it can. So, the cost for you just went up. But the cost to attackers also went up, and following that you have evidence to identify what happened in order to patch the image and reload the web server from the new, non-vulnerable image. Kubernetes has features that let this process go smoothly as new connections come in and old ones end, and many tools also exist for this.
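Here is what the "origin only answers to the WAF" check looks like in code, as an added example that is not from the original post: the CIDR ranges are constructed placeholders standing in for the WAF provider's published egress ranges, CF-Connecting-IP is the header Cloudflare adds, and the function names are my own. It shows the weak setting (trusting the proxy header by itself) beside the corrected one (trusting it only when the TCP peer really is the WAF).

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed placeholder ranges standing in for the WAF provider's published
# egress ranges (assumption: you refresh this list from the provider's feed).
WAF_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]


def is_from_waf(peer_ip: str) -> bool:
    """True only when the TCP peer (what your firewall/web server really sees)
    sits inside a known WAF egress range. Malformed addresses are rejected."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in WAF_RANGES)


def header_client_ip(headers: Dict[str, str]) -> Optional[str]:
    """Reads the end-user address the WAF reports (header names are case-insensitive).
    Used on its own this is the weak setting: a direct-to-origin request can carry
    any value here, so rate limits and blocklists keyed on it are defeated."""
    return {k.lower(): v for k, v in headers.items()}.get("cf-connecting-ip")


def admit_request(peer_ip: str, headers: Dict[str, str]) -> Tuple[bool, Optional[str], str]:
    """The corrected setting. Returns (allowed, client_ip, reason); client_ip is
    trusted only when the peer is the WAF itself."""
    if not is_from_waf(peer_ip):
        # The WAF never saw this request, so none of its rules or alerting
        # applied. Refuse it and record the peer so direct hits show up in logs.
        return (False, None, f"direct-to-origin from {peer_ip}")
    client_ip = header_client_ip(headers)
    if client_ip is None:
        return (False, None, "WAF peer without client address header")
    return (True, client_ip, "via waf")


if __name__ == "__main__":
    # Constructed requests: a spoofed header on a direct hit, and a genuine WAF hop.
    print(admit_request("198.51.100.9", {"CF-Connecting-IP": "203.0.113.7"}))
    print(admit_request("203.0.113.7", {"CF-Connecting-IP": "198.51.100.42"}))
```

The same peer test belongs in the host firewall as well, so that a direct hit never reaches the web server at all; the application-level check is the backstop for the case where the firewall rule drifts.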
Now in our story we've reached the point where we'd all like to be from the start: able to detect, take action, prepare rapidly for the next attack, and more frequently impose greater costs. Companies like Facebook, whose security team has publicly discussed this in many talks, use this style of technique as a honeypot tool: keep them running their exploited version but disconnect it from the active databases or active storage. This gives tremendous intel about what they're trying to do, how they achieve their goals, and frankly real insight into each attack. This, along with their rotating authentication mechanisms, attempt tracking, system UUID, and client-side password hashing, all just to prevent brute forcing, makes Facebook today so hard that most attackers would give up dead stop and not even bother trying. I don't know if anyone has seen, but on GitHub there are around 2000 different Facebook brute-forcing tools. 0 of them work. At all. 0. But Facebook does respond with 200, 300, and 302 status codes while still failing authentication, because most of these tools only check that they reach one of these status codes, giving them enough false positives that script kiddies will boast about it on GitHub, Facebook groups, Instagram, WhatsApp, etc., all of which Facebook can monitor for attacker attribution, including affiliates and gangs. They successfully trick low-level folks into revealing themselves and their associates, prevent real attacks, and gather intel on every single piece.
What I'd like to see is small companies being able to make that same attestation, without the massive costs and overhead, and home users being able to simply live in an online world without daily fraud, phishing, or swatting. I believe most people want that, but don't know how to reach it.
If you feel that way, you should give me a call; let's discuss your situation and see how much cost we can put on bad actors for as little cost as possible to you and your business.
For making it to the bottom, here's a yara rule for your troubles.