Lee Hanken 7c8efd2228 Initial commit: HPR Knowledge Base MCP Server
- MCP server with stdio transport for local use
- Search episodes, transcripts, hosts, and series
- 4,511 episodes with metadata and transcripts
- Data loader with in-memory JSON storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-10-26 10:54:13 +00:00

Episode: 3612
Title: HPR3612: Who is Evil Steve? Part 2
Source: https://hub.hackerpublicradio.org/ccdn.php?filename=/eps/hpr3612/hpr3612.mp3
Transcribed: 2025-10-25 02:10:28
---
This is Hacker Public Radio Episode 3612 for Tuesday the 7th of June 2022.
Today's show is entitled, Who Is Evil Steve, Part 2.
It is part of the series Privacy and Security.
It is hosted by Lurking Prion and is about 16 minutes long.
It carries an explicit flag.
The summary is, we take a closer look at the types of Evil Steves attacking us.
Good morning, good afternoon, good evening, wherever it happens to be, where you're listening
to this on this little planet that we call Earth.
You are listening to another episode of Abin Admin.
I'm your host, Lurking Prion.
Today's episode is going to be Who Is Evil Steve, Part 2.
This week I spoke generally about who Evil Steve was and the kind of things that they
do.
He, they, I'm going to use all those pronouns and mix them up, look, just understand
that there's a human that's attacking you.
That's the important thing to understand.
Now there are really two classes of attackers.
Now I know that people who are in cybersecurity are going to get a little bit defensive about
this, but just bear with me for a second.
First of all, we have the low level hackers who are really just interested in your data.
They're using tools that they don't develop, they just find them online, they can follow
a quick tutorial and use them, or they can even just hire as a service on the dark web.
The barrier to entry as far as hacking goes is almost zero today for a vast majority of
the attacks that you would want to launch on people.
So at this point for these attackers it is simply a matter of finding information that they
can turn around and monetize.
So let's sit around for a minute and think about the information you have that could be valuable
to someone else.
First of all, valid email addresses.
These are something that is very valuable, there are resellers that will buy these.
Granted, the payout on these isn't very much.
Not when you compare it to things like credit card numbers, banking information, social security
numbers, or other identification numbers that you have that would allow for different kinds
of identity theft.
When it comes to identity theft, we're going to get more into this in another episode, but
I do want to point out that there are a couple of different kinds of identity theft.
Well identity theft is a big one.
I had a troop when I was in the military, he was deployed to Somewhere-stan.
And when he came back, he started getting past due notices for medical bills from a hospital
in Seattle.
Apparently, while he was deployed to Somewhere-stan, he'd had breast augmentation.
So even with orders proving that this person was out of the country, was not the person
who had the surgery, it took him months to get this cleared up and get it off his credit
report.
So keep in mind that once identity theft happens, it is incredibly hard to get it fixed.
The other kind I want to mention real quick is child identity theft.
It is very easy to get a hold of a kid's social security number, and then use their identity
to rack up all kinds of debt.
The problem is most parents don't find out about this until their kid turns 18, they
go to college, they apply for financial aid, only to find out that they have a whole bunch
of stuff in their credit history that is not theirs.
And long story short, you are not getting that loan anytime soon.
So I would recommend if you haven't done it, and if you have children, today go and
do a credit check on your children.
Go and look at the credit score, go look at their credit reports, and see what's there.
TransUnion, Experian, and I can't remember the other one off the top of my head.
Those are the three major ones in the US.
You can get a free credit report from each one once a year.
Hit up Experian, get a credit report, and then set a calendar reminder, four months
later, get one from Experian, four months later, get another one, and then you can keep
rotating through so that you're checking on your kid's current score on a regular basis.
The thing with identity theft is the sooner you notice it, the easier it is to fix.
This is really the basis behind LifeLock.
LifeLock doesn't stop identity theft.
LifeLock identifies you and alerts you to the fact that identity theft probably is happening
at an early enough stage that you can fight it effectively.
The longer it goes on, the harder it is to fight.
These are the kinds of information that people are looking for when it comes to the low-level
hacker.
Keep in mind if you are somebody that may generate some kind of animosity toward other people
on the internet, they may target you specifically looking for information about you that could
be detrimental to your image.
There's all kinds of stuff that's out there that you probably don't want falling into
other people's hands.
I would recommend doing a good check of your social media, trying to see what's out there,
trying to see what other people have about you out there, do a Google search, and then
those things that you really don't want other people knowing about.
How about going and checking where you have that data, how it's protected, and maybe
at the very least, change your passwords for all of those things.
I'll talk more about passwords in another episode.
The barrier to entry when it comes to being a hacker is extremely low.
The payout, it could be pretty good depending upon how much effort a person is willing to
put into it, and what kind of a target audience they happen to be hitting.
The second level is what we call the advanced persistent threat.
These are the attacks that have a person actively sitting behind.
What they are doing is they are not just looking for things like your social security number.
What they are doing is they are getting into your organization, they are using tools that
are already installed.
They're not installing malware or anything like that.
They're using things like PowerShell that's already there.
What they are doing is they are pivoting through your network to find information that would
be valuable to them, things like intellectual property, trade secrets, and they are not
a quick smash and grab.
They are in there for the long haul.
They're going to create multiple points of entry so that if one is found and closed,
they have another way to get in.
They really want to get in, stay there covertly, and watch what's going on, and slowly
steal information from your network.
This is where identifying the who becomes very valuable from a security standpoint.
When it comes to these kinds of attackers identifying a profile on who they are, how they go
about doing their business, what tools they use, different ways that they go around doing
precursors to an attack, the things that they do once they're in the network will help
you identify other times or other places that they may happen to target you.
A lot of these APTs are already known, and there's information out there, there's information
sharing centers if you're in a critical industry, and there's other information if you're
willing to look around for it.
The advanced persistent threats, these are really not the attackers that are going to show
up on your alerts.
It's not going to show up on your SIEM, and if it does, it's probably going to be an anomaly.
Most of these, you're going to have to go find.
You're going to have to go look for signs that they are there.
They are very good, and a lot of them can go years without being detected.
These are state actors, these are well-funded criminal groups, these are threat actors
that have a very strong ideology.
We like to think about people like ISIS, and we say, oh, well, they just go and blow
themselves up.
Well, I'm going to tell you right now that not every extremist in the world wants to
blow themselves up.
They have some very skilled hackers, and yes, there's a lot of terrorist groups out there
that are hacking different sides and different companies for different reasons.
So again, the who that is attacking you really plays a difference in how you look for
signs of an attack and how you defend against those attacks.
My recommendation is for your business, your organization, the industry that you're in,
I would highly recommend doing some research into the currently active threat actors, who
are the ones that target your industry, who are the ones that are targeting the information
that you are trying to protect and keep secret.
Those are the people that you're really going to want to study and take a look at and
other threat actors that may be in the same space, but maybe aren't quite as active to
give yourself a better threat profile.
Now the thing that I want to caution you with is when it comes to gathering intelligence
about threat actors, tactics, techniques, and procedures, and all of the different things
that you can look for.
You can very quickly overwhelm your security team with the amount of information that's
coming in.
That is not effective at all, which is why I always recommend let's start with the very
most active people in our sector, who are the ones that are most likely to attack us
and go through research them and rack and stack them and start with number one and work
your way down to number 99, whatever happens to be.
And then start with number one.
All right.
So here's this threat actor.
Here's what they do.
Here's the tools they use.
Here's the way they get in.
Let's take our analysts and let's go out and let's start looking to see if there's any
signs of compromise that would indicate that we've already been attacked.
Always work under the assumption that you've already been attacked.
If you think that you are not already vulnerable, chances are you've been attacked and you just
don't know it yet.
It's not a matter of if you're going to be hacked.
It's going to happen.
It's not a matter of if it's when.
It's going to happen.
The name of the game is getting the attacker out as quickly as possible.
There's something that we call dwell time.
This is the amount of time that an attacker is in a network undetected until they're removed.
And the last time I checked, I believe it was, I think, 2019.
The global average for dwell time was 99 days, just shy of four months.
There's a lot of time that an attacker has undetected in a network.
We've gotten better.
I believe the last time I checked, we had come down to, I believe, the 50s for the number
of days.
Still 50 days in a network is a long time.
Let's talk about ransomware.
What we have found is that with most of the ransomware attacks over the last two years,
there's about a two-week delay between the time they actually get into the network, to
the time they actually take action and start going about doing the damage to your network.
So if that attack had been found and stopped in those two weeks prior to them actually
activating and doing damage to your network, the attack would have effectively been stopped.
That's really the name of the game.
Let's find them as soon as they get in.
It's really trying to limit that dwell time, limit the amount of time that they have to
do damage to you.
So it's not about keeping them out.
I really want to drive this point home.
It is not about keeping hackers out.
That is an impossible task.
You can't do it.
There is no such thing as security.
It does not exist among men or in nature.
That's a quote from Helen Keller.
I don't believe I got it quite right, but that's the general gist of it.
So security doesn't exist.
It's a myth.
We can't make something secure.
If you don't believe me, watch Ocean's 11, Ocean's 12, Ocean's 13, Ocean's 8, Ocean's
92.
How many they made?
But basically, no matter how much security you put, if someone has enough time, enough
determination and enough resources, they're going to get in.
And you have limited time, limited determination, and limited resources.
That's an asymmetric battle that you will never, ever win.
So we need to focus on the flip side.
Okay, let's go and we recognize the fact that they're going to get in.
What can we do to identify them as soon as they got in, so that we can minimize and stop
that attack at its earliest stage possible?
So who are the evil steves out there?
We've talked about that.
I'm hoping that this gives you a better idea of who the attackers are out there.
And keep in mind, it's not things that are attacking you.
It's people.
Behind every single one of those attacks, there's a person.
Now, they may have targeted you specifically, or you may have just been caught up in
the mess of IP addresses that they found.
It really doesn't matter at the end of the day.
So people attack you, not things, people cause damage to your networks.
At the end of the day, it's people that we have to worry about.
Security is, and always will be a people problem.
And I think if we can start changing our focus and security to thinking about security as
a people problem, we will go much further in our ability to protect our organization.
And I'll talk about this in future episodes where I talk about personnel relationships
within your organization.
Again, security is a people problem.
So keep that in mind.
So, talking about different threat actors, I'm hoping that you guys found this useful and helpful.
I'll be back again with another episode looking forward to hearing your feedback.
And until next time, this has been Abin Admin, and this is Lurking Prion, signing off.
Have a good week.
You have been listening to Hacker Public Radio, at HackerPublicRadio.org.
Today's show was contributed by an HPR listener like yourself.
If you ever thought of recording a podcast, click on our contribute link to find out how
easy it really is.
Hosting for HPR has been kindly provided by AnHonestHost.com, the Internet Archive, and rsync.net.
Unless otherwise stated, today's show is released under Creative Commons Attribution 4.0 International
License.