Episode: 3603
Title: HPR3603: Who the heck is Evil Steve? Part 1
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3603/hpr3603.mp3
Transcribed: 2025-10-25 02:03:54

---

This is Hacker Public Radio Episode 3603 for Wednesday, the 25th of May 2022. Today's show is entitled, Who the heck is Evil Steve, Part 1. Hello, welcome to Hacker Public Radio. You're listening to Admin Admin with Lurking Pryon. This week's episode, who the fuck is Evil Steve? Um, I mentioned in my last episode that security is a people problem. And this is one of the biggest things the security community has forgotten. We focus on viruses, worms, ransomware. We focus on the things. What we don't stop to think about is that those things are initiated by a person with a specific intent. Now, sometimes that intent could just be generally to cause damage to any random person, or it could be going after very specific information that a company or a set of companies owns. For example, if they're going after corporate data that you are using to show how it is that you keep a competitive advantage, like trade secrets or research and development on a new product, or state secrets, um, it all depends on who the threat actor is and what it is that they are after. The important thing is you as an organization have information that is valuable to someone else in some shape, way or form. Now, you as a person, you have information that's valuable. You have your social security number or your identification number. You have your name, your address, your birthday. This information can be used for identity theft. Well, your organization also has information that is valuable to someone else. What we need to start thinking about is, first of all, what information do we have as an organization that is valuable to us, and then what kind of people would be interested in that kind of information. So then we can start putting controls in place that would allow us to properly protect those assets.
Now we for years have been depicting hackers as this teenager wearing a hoodie, sitting in mom's basement, eating Cheetos and drinking Mountain Dew or Red Bull. Those days are gone. Are those threat actors still out there? Sure. But that's not the Evil Steve of today. The thing is, there is big money in crime, big money. So what we need to understand is that these are criminal enterprises, these are state-sponsored actors, these are military units. These are sophisticated units that are developing their own malware, their own ransomware. They are looking for weaknesses and developing exploits. They are not just passively sitting by using tools that were developed by someone else. There are people out there that are building these exploits. There's also a commodity market for this. For example, today, if you wanted to go to the dark side, you don't have to develop all of this stuff yourself. You can go to a black market and you could purchase pre-built ransomware that's already set up. Crypto wallets already set up. There's a crypto server set up; all you have to do is put in your crypto wallet, and when somebody gets ransomed, then hey, the information is transferred and they get a cut of it. If you wanted to build a botnet, you don't have to build a botnet. Today, you could rent a botnet, or if you want, you could buy a botnet that someone else has already built. Crazy. Evil Steve is not a kid in a hoodie hacking you. That's the biggest thing that we need to understand: we are dealing with a threat actor that really has their eye on a prize and they are looking to make good money off of it. A lot of times I say that Evil Steve works for Evil IBM. Literally, criminal enterprises that are run like IBM. You go in, there is a boss that works above you, you get vacation time, you punch in Monday through Friday, you work whatever hours that you work, you get benefits, you get vacation time. It's Evil IBM.
It's just the downside is, when you get fired, things don't always go as well, depending upon which part of Evil IBM you work for and in what country. Of course, you may have to be very careful about where you take vacations because of extradition treaties. Hopefully, this gives you a better idea of what we mean when we talk about somebody attacking us or something that is occurring on our network. We need to not just look at this as a thing that happened. Don't look at this as just a static event or a static tool that occurred. This is a threat actor, a person or a group of people, an Evil Steve that is trying to get specific information out of your network. We need to think about who these people are and what they are after, so that we have a better idea of what the end game actually is and what they are after. This will give us a much better backdrop on which to build a security program that can actually protect our people and our information. I came up with Evil Steve years ago when I was trying to explain to young security practitioners how to go about protecting, because everybody was focused on the things that Evil Steve did rather than Evil Steve himself. For those of you who came out of the intelligence community, you are very familiar with understanding human intelligence and the people that are trying to do things. The things that they do are all in line with the plans, the objectives or whatever else it is that they are trying to achieve. We lost that in cybersecurity. We forget all about the human element of the threat actor and we focus solely on the tools that we see surfacing within our environment. We can't do that. We have to go back to the basics and we have to think about who the bad guys are that are actually after our information. And of course, there are still the people out there who are just randomly scanning the internet and just looking for opportunities. You may be something that they are after or you might be something else. Who knows.
Keep in mind, whenever we are talking about protecting our network, protecting our information, be it at home or at work, we need to think about the kind of information we have and who that would be valuable to. And then, what are the typical ways they go about getting that information? Once you know who the bad guys are and how they operate, their tactics, techniques and procedures, TTPs, then it becomes easier to not only build defenses to protect against it, but more importantly to start looking for evidence that they are already there. It's a pretty safe assumption to look at an organization that has been around for a minute and say, look, if you haven't been hacked yet, you will be. It's not if you're going to get hacked, it's a matter of when. It's going to happen. So what we need to do is focus on finding the threat actor as quickly as possible so that we can minimize the amount of damage that's done. The longer an Evil Steve is in your network, the more damage is going to be done, the more information that can be stolen, and this is what we are ultimately trying to do: we are trying to stop the bleeding. Let's perform triage. So we need to do something called active threat hunting. So again, we know the TTPs of the threat actor, we know what they're doing, and we know what kind of things to look for on our network and within our devices. So let's go out and start actively looking for signs of an Evil Steve in our network. Don't passively sit by and wait for a system to tell you that it found Evil Steve. Go looking for Evil Steve. We call this active threat hunting. And yes, if your organization is not doing this, then I would highly recommend that you look into this and try to get it implemented. It will pay off in dividends. If your organization isn't focusing on threat actors, then I would highly recommend that you look into the threat actors that are out there. There are a lot of information sharing sites.
If you're in critical infrastructure within the U.S., then there are ISACs, information sharing centers, where you can get information about threat actors that are coming after your specific industry. Governments, militaries, businesses, they have started to learn that sharing information about threat actors and what they are doing is actually very valuable for the security community. Sharing that intelligence: you need to avail yourself of that information so that you can go about looking for signs of indicators of attack within your organization, understanding who the threat actors are that would be trying to attack you, and how you could defend the organization against them. So again, who's Evil Steve? Not the kid in your mom's basement. Nope. Could be Chinese. Could be Russian. Could be Belarusian. Could be American. Wait, what? Yeah, threat actors come in all shapes and sizes. So at the end of the day, it's not things that attack us, it's people that attack us. We call this bastard Evil Steve. So hopefully you all can take a little bit of time and learn who the Evil Steve is that's attacking you, so that we can all give Steve a big fuck you and make his job a bit harder. Security isn't really about being secure. It's about being more secure than the next potential victim. It kind of goes like that joke where the two guys are running down the mountain from the bear. The one guy stops to put on his running shoes. The other guy says, what are you doing? You can't outrun the bear! The guy putting on his shoes says, nope, I don't have to outrun the bear. I just have to outrun you. Yes, it's not about being the most secure. That doesn't exist. What does exist is your security being better than the next potential victim's. Consider your wireless network at home. If you're sitting there and you're running WPA2 with a long passphrase and your neighbor has an open Wi-Fi, well, whose network do you think is going to get hacked? Same for your business.
It's not so much about being the most secure. It's about being more secure than the other victims. And yes, I know that sounds like a low bar to set. But you would be surprised how often that bar is much lower than it should be. So hopefully you all can do a little bit of homework and find out about the Evil Steves that are threatening you. For those of you that have experiences with Evil Steve, I would appreciate it if you would share those experiences. What are the types of Evil Steves that you have dealt with in the past? Which ones are you currently dealing with? I would like to hear, so that we could share some of those experiences. We don't focus on the threat actors enough in security. This is something that I would like to be able to share. So for those of you that have experience, I would appreciate it. My tip of the day is, if you see anything coming out of the Republican Woldavia, it's probably not any good. Yay! So, this is the conclusion of who the fuck is Evil Steve, and this concludes another episode of Admin Admin. Until next time, I'm Lurking Pryon. Thank you all for listening and supporting Hacker Public Radio. Have a great day.

You have been listening to Hacker Public Radio at hackerpublicradio.org. Today's show was contributed by an HPR listener like yourself. If you ever thought of recording a podcast, then click on our contribute link to find out how easy it really is. Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive and rsync.net. Unless otherwise stated, today's show is released under a Creative Commons Attribution 4.0 International License.