


by Anthony Caruana

AusCERT 2017 – How to break a social network and make a career?

Jun 01, 2017 | 5 mins

The story of how Samy Kamkar made his reputation in information security is the stuff of legend. After getting his first computer as a ten year old, he started exploring the Internet through message boards, IRC, gaming and creating hacks and cheats for the games, before moving on to other forms of online activity.

He spoke about this and what he has learned about cyber attacks at the 2017 AusCERT conference.

One of the earliest lessons he learned was when he entered an online chat and asked a question about The X Files. He was summarily told to “shut up” by another person, who then sent a packet to his computer, causing it to suffer a Blue Screen of Death.

“The blood was pumping through my veins. That was the coolest thing ever. How do I do that?”

After a period of panic, Kamkar turned his new computer off, waited a while and then turned it back on, breathing a sigh of relief when all was OK. He did some digging and discovered the person on chat used something called ‘WinNuke 95’.

Kamkar’s curiosity was piqued.

“There was something really cool about having this capability,” he said.

By the time he had reached his teens, Kamkar had stopped attending school, devoting all of his time to playing games and developing cheats for Counter Strike.

Faced with the need to find a job, Kamkar was offered a job programming on the strength of his hacking skills with Counter Strike, which had gained a strong online following.

“You can make money programming,” he said, surprised at the revelation.

Still aged just 15, he needed to find a place to live. However, he was too young to rent a property legally unless he was legally emancipated. Discovering the process was quite complex, he falsified the documents and signed a judge’s name.

He started using Myspace, which was the most frequented website in the world at the time, and developed a piece of code that would automatically add someone as a friend if they visited his Myspace page. But, as that didn’t add enough friends to his network, he found a way to insert that code onto other pages.

Although Kamkar thought what he was doing might be “a little wrong”, he didn’t feel he was crossing any significant lines. At this stage, he was honing his Java and Ajax skills in what he felt was a fairly harmless way.

Suddenly, he had thousands of friends, as the code would propagate from each visitor to his page onto their own pages, then to whoever visited those pages, and so on. The number was increasing by 3000 friends every hour.

Soon, Kamkar was getting thousands of requests each minute as the worm spread. Panicked at what he had unleashed and unsure what to do, he contacted Myspace’s technical support and told them he had found some code on his page that he didn’t know anything about. He then described, in detail, what the obfuscated code did.

He decided to delete his profile but this had an unexpected effect. Not only was his profile down, but so were the profiles of people who had received the software that had propagated from his account. In a short time, Myspace was completely offline.

Days, then weeks, then months passed. Kamkar was recognised but at no point did Myspace contact him. Eventually, six months later, the law caught up with him.

He was confronted by four law enforcement officers from the Secret Service, LAPD, US Attorney and California Highway Patrol with a search warrant. They took every storage device and media from his home.

“It was illegal to write viruses – or have that many friends,” Kamkar joked.

Eventually, Kamkar was ordered to pay restitution, go on probation, carry out community service by collecting roadside trash and was banned from using computers – a challenge as by this time he was running a technology company. But he complied with all the conditions and eventually could legally resume using a computer.

Following his court-enforced technology sabbatical – Kamkar boasted that he was his probation officer’s “best” client – he decided to look at using his skills in a new way. He is looking at how systems are unsecured and finding ways to protect users. For example, he developed a system for ensuring the EXIF data on photos didn’t reveal locations when published online.

He discovered how mobile phones are used to track location even when Location Services are disabled. He created a mapping app that sent false location information to Google so people couldn’t be tracked but the app was eventually blocked from the Play Store. But it made the point that our privacy is being compromised.

Kamkar demonstrated how new techniques can read keystrokes by using a sensitive laser to read the vibrations made when hitting different keys. Microphones can be used to achieve similar results. He also showed how magnetic strips on credit cards can be read with the naked eye, using fine iron filings on the cards.

As a closing salvo, Kamkar sounded a warning. Many IoT devices are so low cost that they aren’t being built with any real security. And this represents the next area we need to focus on to secure our businesses and private lives.