How do hackers hack?
What tools and techniques are commonly used against organizations to gain unauthorized access to their systems?
Where can I learn more about how hackers think and how to best protect my personal and professional data?
How can you stop information theft?
Who is Mishal Khan?
A few weeks ago, I was in Las Vegas attending the World Game Protection Conference as an invited keynote speaker covering the topic of ransomware. The presentation just before mine on the main stage was given by Mishal Khan, who talked about how hackers "do what they do," often using information that is publicly available to everyone online. He gave a fun keynote in which he explained how that information gets used.
Not only did I enjoy and learn from Mr. Khan's presentation, but I also had several follow-up conversations with him about cybersecurity, hacking, industry trends, and more. I was impressed by his passion, expertise, and his role as a vCISO and cybersecurity practice leader in addition to his hacking role. Mishal is also an advocate for improving privacy online, offering tips to his viewers on how to protect their data.
To learn more about Khan, check out his website bio. He is a co-author of The Phantom CISO, and he leans into the "hoodie-wearing hacker" persona that many in the cybersecurity industry shy away from. His website also offers many presentations, podcasts, and other online cyber resources.
Dan Roman (DL): Did you always want to be a hacker? When did you realize you “think like a hacker”?
Mishal Khan (MK): Since middle school, I've been immersed in the world of gadgets and computer parts thanks to my father's computer repair shop. Surrounded by the noise of computer fans, I couldn't help but be drawn into the complex workings of computers. As I learned more about the hardware, I found myself tinkering endlessly by overclocking the CPU, boosting the cooling system with additional fans, and expanding memory and storage capacity. But it wasn't just the hardware that fascinated me. What really ignited my passion was the fascination with unlocking the potential hidden in software.
When I started playing PC games, I stumbled across cheat codes for classic games like DOOM and my curiosity was piqued. What if I could manipulate the very structure of the game itself? This would allow me to dig into source files and tweak lines of code to bend the game to my wishes, or skip levels with a few keystrokes. I went on a path of exploration.
But my journey didn't end there. With the dawn of the Internet, I found myself stepping into the unexplored frontier of web design. Here, the boundaries were even more fluid and the possibilities seemed endless. As I developed my skills, I discovered the thrill of tearing down a website and rebuilding it stronger and more resilient than before. It was a dance between creativity and chaos, and every bug squashed and every glitch overcome only whetted my appetite for more.
That's when I realized I was thinking like a hacker. I don't mean it in a malicious way, but in a relentless pursuit to understand how things actually work. I became addicted to the rush of cracking codes and unraveling intricacies, and each new challenge drove me to push the boundaries further. And I haven't stopped since.
DL: Please tell us about your career path in hacking/professional cyberwork.
MK: I started my professional career in networking and learning how information travels on the Internet. Understanding this process, from typing on the keyboard to seeing the results on screen, became my greatest skill and formed a strong baseline of my expertise.
Although I knew a lot about ethical hacking, I couldn't find a job in the cybersecurity field because I didn't have the relevant qualifications or experience. So I decided to start my own company. I provided free basic cybersecurity services to non-profits and startups, including assessing their security posture, making their devices more secure, setting up security tools, testing their systems for vulnerabilities, and performing penetration tests.
I worked hard attending events, blogging, speaking, and building my personal brand. Slowly but surely, I started getting noticed and getting some decent business. Eventually, a larger company took notice and hired me to lead their cybersecurity efforts. At that time, I started a virtual CISO practice to provide security services to other organizations. This was the peak of my journey from small beginnings to becoming an industry leader and eventually publishing a book about it.
DL: What is OSINT?
MK: One of my first interests was conducting online investigations and mining the Internet for information. Whether it was uncovering hidden data in image files or piecing together clues from social media profiles, I felt a sense of satisfaction using these skills to help others facing problems with hackers and stalkers. Over time, this field evolved into what is now known as open source intelligence (OSINT).
OSINT revolves around collecting publicly available information and transforming it into actionable intelligence. This intelligence can be used for a variety of purposes, including identifying criminals, establishing facts, finding missing persons, conducting due diligence, and uncovering the truth behind complex situations. The large amount of data available these days makes it a powerful tool for both individuals and organizations looking to effectively navigate the digital landscape.
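One concrete instance of the "hidden data in image files" Khan mentions is the GPS position a phone camera writes into a photo's EXIF block. The script below is an added example, not code from the interview or from Khan: using only the Python standard library, it walks the JPEG segment structure, reads any GPS coordinates out of the EXIF TIFF directory, and produces a copy with the EXIF/XMP and comment segments removed. The sample image bytes are constructed inline and are not a real photo.

```python
import struct
GPS_INFO, LAT_REF, LAT, LON_REF, LON = 0x8825, 1, 2, 3, 4  # EXIF GPS tag numbers

def split_segments(jpeg):
    """(marker, payload) pairs up to SOS, plus the scan data after it, returned untouched."""
    pos, segs = 2, []                                          # 2 skips the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]    # length counts its own 2 bytes
        segs.append((jpeg[pos + 1], jpeg[pos + 4:pos + 2 + length]))
        pos += 2 + length
    return segs, jpeg[pos:]

def read_ifd(tiff, off, fmt):
    """Decode the IFD at off into {tag: value} for ASCII(2), LONG(4) and RATIONAL(5) fields."""
    out = {}
    for i in range(struct.unpack_from(fmt + "H", tiff, off)[0]):
        tag, typ, cnt = struct.unpack_from(fmt + "HHI", tiff, off + 2 + 12 * i)
        size, field = {2: 1, 4: 4, 5: 8}.get(typ, 0) * cnt, off + 10 + 12 * i   # other types skipped
        start = field if size <= 4 else struct.unpack_from(fmt + "I", tiff, field)[0]
        if typ == 2:
            out[tag] = tiff[start:start + size].rstrip(b"\0").decode("ascii", errors="replace")
        elif typ in (4, 5):                                    # LONG -> first value, RATIONAL -> floats
            n = struct.unpack_from(fmt + "I" * (size // 4), tiff, start)
            out[tag] = [n[j] / n[j + 1] for j in range(0, len(n), 2)] if typ == 5 else n[0]
    return out

def gps_coordinates(jpeg):
    """(lat, lon) in signed decimal degrees from the EXIF GPS IFD, or None when the image carries none."""
    for tiff in (p[6:] for m, p in split_segments(jpeg)[0] if m == 0xE1 and p.startswith(b"Exif\0\0")):
        fmt = "<" if tiff[:2] == b"II" else ">"               # byte order from the TIFF header
        ifd0 = read_ifd(tiff, struct.unpack_from(fmt + "I", tiff, 4)[0], fmt)
        if GPS_INFO in ifd0:                                   # 0x8825 points at the GPS sub-IFD
            gps = read_ifd(tiff, ifd0[GPS_INFO], fmt)
            def decimal(tag, ref, negative):                   # degrees, minutes, seconds -> signed degrees
                d, m, s = gps[tag]
                return (d + m / 60 + s / 3600) * (-1 if gps[ref] == negative else 1)
            return decimal(LAT, LAT_REF, "S"), decimal(LON, LON_REF, "W")
    return None

def strip_metadata(jpeg):
    """Copy without APP1 (EXIF/XMP) and COM segments; the compressed pixel data is untouched."""
    segs, scan = split_segments(jpeg)
    kept = [bytes((0xFF, m)) + struct.pack(">H", len(p) + 2) + p for m, p in segs if m not in (0xE1, 0xFE)]
    return b"\xff\xd8" + b"".join(kept) + scan

def build_sample_jpeg(lat_dms=(36, 6, 30), lon_dms=(115, 10, 24)):
    """Constructed input, not a real photo: SOI, one EXIF APP1 holding a GPS IFD (at 26, data at 80), stub SOS/EOI."""
    tiff = b"II*\0" + struct.pack("<IHHHII", 8, 1, GPS_INFO, 4, 1, 26) + b"\0\0\0\0"
    tiff += struct.pack("<HHHI", 4, LAT_REF, 2, 2) + b"N\0\0\0" + struct.pack("<HHII", LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", LON_REF, 2, 2) + b"W\0\0\0" + struct.pack("<HHII", LON, 5, 3, 104)
    tiff += b"\0\0\0\0" + b"".join(struct.pack("<II", v, 1) for v in lat_dms + lon_dms)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(tiff) + 8) + b"Exif\0\0" + tiff + b"\xff\xda\x00\x02\xff\xd9"
```

Run `gps_coordinates` on a photo straight from a phone and then on `strip_metadata`'s output to see what a single upload can reveal and what removing the APP1 segment takes away.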
DL: Why is it easy to hack individuals and organizations using OSINT?
MK: Most hacking today relies heavily on social engineering tactics, where hackers exploit human vulnerabilities rather than directly targeting systems. Hackers use publicly available information to manipulate individuals into unwittingly supporting their plans. This is where OSINT comes in as the first step in the hacker's reconnaissance process.
The more information a hacker gathers about a target, the more powerful the attack becomes. Imagine if a hacker knew your specific interests and even your whereabouts based on your social media activity. Armed with this knowledge, they can craft convincing phishing emails and cold calls to trick users into clicking on malicious links or divulging sensitive information they wouldn't normally share. This is a solemn reminder of how important it is to protect our online presence and remain vigilant against such tactics.
DL: What are two or three things the average person can do to keep their life more private (and secure)?
MK: If you adopt a hacker mindset, you must prioritize protecting information that could be misused. An important defensive tactic is to avoid sharing personal information on social media platforms, such as location information, phone numbers, personal email addresses, and family information. These simple steps can stop the majority of social engineering attacks.
Additionally, removing yourself from notorious data brokers and people search websites can make it more difficult for malicious attackers to obtain your home address or personal cell phone number. I highly recommend going one step further and freezing your credit on the websites of the leading credit bureaus. This proactive measure can help prevent common identity theft scams that rely on the use of Social Security numbers.
Finally, it's most important to strengthen the security of your important online accounts, such as email, banking, social media, and utilities. Leverage strong passwords generated by a password manager and implement multi-factor authentication whenever possible. These simple measures will greatly increase your protection against unauthorized access and potential breaches of your account.
DL: You have recently spoken at several state cyber summits and other events. Please tell us about what you have published.
MK: I love entertaining audiences with simple yet awe-inspiring hacks and putting them at the center of the action to witness first-hand the intricacies of cyberattacks. My mission is to raise awareness about the techniques used by hackers so that individuals can take meaningful steps to protect themselves. By revealing how hackers hack, I aim to make security measures more impactful and meaningful to everyone.
I believe it is important for everyone to develop security awareness across the boundaries between cybersecurity and other domains it affects. Bridging this gap can foster a safer digital environment for both individuals and organizations.
DL: Is there anything else you would like to add?
MK: The battle over privacy and security is real, but we are far behind. We collectively have a responsibility to use our skills to protect those around us, even if it's just one person at a time. Let's face challenges and create change, one step at a time.