AIPodify

Topic Guide

What Is Hacking?

Hacking is a subject covered in depth across 3 podcast episodes in our database. Below you'll find key concepts, expert insights, and the top episodes to listen to, all distilled from hours of conversation by leading experts.

Key Concepts in Hacking

Macro virus

A type of computer virus written in a macro language, typically for office applications like Microsoft Excel or Word. Greg created one in high school to automatically alter his grades and attendance, demonstrating how seemingly innocuous features can be weaponized for malicious purposes [13:42].

Fuzzing

A software testing technique that involves inputting large amounts of semi-random or malformed data into a program to expose vulnerabilities and cause crashes. Greg describes manually fuzzing Microsoft Word with a hex editor to identify unexpected behaviors and potential zero-day exploits [31:53].

Zero-day vulnerability

A software flaw unknown to the vendor, meaning the vendor has had 'zero days' to produce a patch. Finding these is a high-stakes endeavor for security researchers like Greg, as they represent novel threats that can be exploited before defenses are in place [29:29].

Boot-root

A technique to gain elevated (root) access to a system by booting it from an external device (e.g., USB drive) and replacing a system component, such as Sticky Keys, with a command shell. Greg used this method to compromise servers during a physical pen test [89:27].

ARP poisoning (layer 2 attack)

A network attack where an attacker sends fake Address Resolution Protocol (ARP) messages over a local area network, linking the attacker's MAC address with the IP address of a legitimate device. Greg successfully employed this to steal crucial credentials during a red team engagement, highlighting the effectiveness of foundational network exploits [62:08, 80:11].

Data broker

Companies that gather vast amounts of information about individuals from various sources (public records, social media, phone trackers, purchasing history) and compile it into profiles to sell to other businesses, law enforcement, and government agencies [27:30]. This episode highlights their pervasive, often hidden, operations and the ethical dilemmas surrounding their legal status, as Hieu Minh Ngo exploited and later impersonated users of such services.

What Experts Say About Hacking

  1. Greg Linares was arrested at 14 for creating a macro virus in Excel that changed his grades and attendance in high school, making him the youngest person in Arizona arrested for a computer crime [13:42, 16:54].
  2. While at cybersecurity company eEye, Linares initially found a 'zero-day' in Microsoft Office 2007 that only triggered with a debugger attached, nearly costing him his job due to company embarrassment after a press release [39:53, 40:58].
  3. To save his career and the company's reputation, Linares and his eEye team worked for three consecutive days to find a legitimate zero-day vulnerability, eventually succeeding with an exploit in Office Visio [43:07, 46:16].
  4. During a challenging red team engagement, Linares and his coworker, on the verge of failure, used ARP poisoning to sniff a plain text credential for a build system, allowing them to roll out code to production that marked customer credit card data as '*stolen last four digits*' [62:08, 63:13].
  5. Tasked with exfiltrating DNA data, Linares used a hollowed-out printer and a shopping cart full of hard drives purchased from Best Buy to covertly remove petabytes of sensitive genetic information from a client's facility over several days [68:09, 70:42].
  6. In a physical penetration test against a venture capital firm, Linares gained entry by climbing a tree to a balcony, prying open a security door, using a cloned badge, and disarming an alarm with a stolen code from an employee's onboarding email [88:22, 89:27].
