Summary
Highlights
David Bombell introduces John Hammond, who discusses the current state of hacking. He notes that while traditional threats like ransomware and info-stealer malware persist, AI is increasingly a factor. Hammond acknowledges using AI tools himself for coding, finding them fast and efficient for orchestrating code from existing ideas. He then pivots to discussing AI's impact on cybersecurity.
Hammond confirms that AI is being used in developing malware, with telltale signs appearing in code. He describes a recent sample that embeds an LLM in its runtime, allowing malware to mutate based on its environment. He estimates that 20-30% of current attacks, particularly phishing and online scams, leverage AI due to its effectiveness in crafting believable deceit.
Hammond introduces the 'ClickFix' technique, a social engineering tactic where users are tricked into executing malicious commands by following seemingly innocuous instructions, often presented as a CAPTCHA or verification step. He admits to inadvertently popularizing a sophisticated version of this technique through a video he made. This method is becoming increasingly prevalent, especially with new privacy regulations requiring ID uploads, making less tech-savvy individuals vulnerable.
Hammond elaborates on how 'ClickFix' works, describing scenarios where users are prompted to perform actions like pressing Windows+R or using the 'Save As' dialogue to paste and execute malicious payloads. He highlights that while technically savvy users might recognize the danger, the average person is highly susceptible. He also mentions that system administrators can mitigate these attacks through Windows registry tweaks, but emphasizes the need for broader education and awareness.
To combat the growing threat of 'ClickFix', Hammond is developing a 'clickfix.wiki'. This platform will document and catalog various 'ClickFix' techniques and applications to raise awareness and provide a resource for defenders. He acknowledges the ethical dilemma of potentially enabling malicious actors but believes the benefits of educating the public and defenders outweigh the risks, echoing the sentiment that vulnerabilities will be discovered whether or not security researchers publicize them.
Addressing concerns about AI taking away jobs, Hammond assures that there are still ample opportunities in cybersecurity, possibly even more due to increased education and innovation. He advises aspiring professionals to 'show their work' by sharing their learning journey on platforms like GitHub or YouTube. He also recommends pursuing certifications like the OSCP (Offensive Security Certified Professional) as a valuable industry-recognized credential, and emphasizes starting with capture-the-flag challenges to gain practical experience.
Hammond introduces 'Just Hacking Training' (JHT), a new venture designed to provide structured cybersecurity education. This initiative brings together various industry experts ('all-star instructors') to create course-like content, hackalongs with virtual lab environments, and archived capture-the-flag events. JHT offers free 'upskill challenges' and 'name your price' options, covering topics from OSINT and operational security to Windows malware development, cryptography, and Active Directory.