GhostShell, On the Record – On criticisms of “simple” hacks
This post is part of an extended interview conducted by DataBreaches.net and CyberWarNews.info with the hacker formerly known as “GhostShell.”
Every single public project was done using the simplest type of attacks out there. They were nothing special. Anyone could spend a couple hours of their time to learn the basics of penetration testing and go from there in studying how and why these types of attacks work.
I was compelled from the get go to prove to everyone that you don’t have to be some sort of internet guru with over 30 years of experience in computers in order for you to go breach a top website.
If I could do it with a half burned computer and a cheap internet connection then anyone could do it if they really wanted to.
Phishing was never used. In fact malware insertion, ddos, defacement, none of these were ever used. Data inside the networks was never altered in any way.
Social engineering was a given however. One of the key factors that could be related to it was something called “speech pattern changes”. It is something that I picked up and refined many years ago. It deals exclusively with the shift in the way I type while using the idea of “faces and masks” that I discussed in Dark Hacktivism.
Every person has usually a specific way of talking which acts as their base. Due to it they reveal certain “patterns” in their behaviour which makes it easier for others to recognise, even more so online. “Speech Pattern Changes” deals with this issue by working around it with the help of multiple other patterns added to your repertoire.
In a sense it is like adding layers upon layers of unique features to your identity. You have a new name, you validate it with an account, email address. You cast away your past vocabulary and adopt a new one. If you can’t do it completely then simply adopt original elements and incorporate them into your everyday speech. Instead of using a favourite saying switch it with another and go from there. Keep building upon it until it becomes believable enough.
It isn’t social engineering exactly but rather it is what you should do before you attempt to pretend you’re someone you are not.
He also had some advice for young hackers:
The most faulty thing anyone can do is brag about what they know. You never do that under no circumstances. The moment you reveal a form of attack or just some general intelligence that others don’t know about, then that idea/intel no longer belongs to you. It’s up for grabs and all the effort that you put into obtaining/attaining it is gone.
Think about it like this: If you brag about an exploit that you know how to perform that other entities don’t, then as soon as you reveal it and they have it then what good are you to them anymore? You’ll just come out looking like a clueless tool.
It is far better to do your OpSec using some of the most common and known types of attacks out there. Don’t let yourself be intimidated or made fun of because of this. I’ve seen it countless times in the media where the topic changes to “hacker kids use weak attacks on innocent site”. This is called “shifting the topic” or simply “changing the topic to fit a certain narrative”.
They try to break away from the main story of someone hacking a website to “this hacker used basic attacks to infiltrate this place, nothing to see here, move along”. But think about it like this, if a teenager with no previous formal training in infosec managed to break into private military servers related to the Pentagon by using just simple type of attacks then what does that say about the Pentagon? Or about the people that were supposed to have those places secured? Or about the antivirus/cybersec people that were providing the software for protection in the first place?
This is where a lot of hackers need to pay attention and not make any stupid mistakes based on knee jerk reactions from the media. The feds and co. will always try to social engineer you into giving them valuable information. Just be sure to always keep it safe, keep it hidden. If you are on a battlefield you don’t just walk up to the enemy camp and hand off your weapons to them in an attempt of showing off how much better you are than them.
Try to learn more about THEIR attacks rather than give them opportunities to obtain private information from you. Here’s a good hint on where to start: federal agencies have to do things legal which means it will always leave a paper trail, find it. Look at the vendors they might be buying from and figure out what they already did get. Even if you won’t get the actual exploit you can still find what type it is that way you’ll know where to look in your computer if they ever try to hack you.
Which leads me to my final observation on this, study forensics. It’s the first thing you need to do for you to better understand on how they operate.
The hint here is to first learn about the “recovery files” on your computer and how they use them to extract data from you.