One-On-One With 'Life Hacker' Petko Petkov
The most recent was discovered by Petkov in September. Adobe released a patch on Tuesday for a vulnerability in how its Acrobat and Reader products handle the "mailto:" protocol. But within hours Symantec was warning that a malicious PDF file carrying a Trojan phisher called "Pidief.a" was being spammed out to exploit the bug.
For Petkov, beating the bad guys to the punch and warning increasingly attentive vendors about holes in their products is all in a day's work. The twenty-something calls himself a "life-hacker" -- by day he's a "Senior Security Analyst for a leading penetration testing company," by night he runs the "ethical hacking" outfit GNUCitizen.
ChannelWeb spoke with Petkov Wednesday via his preferred method of communication, Google Talk. The following is lightly edited for clarity.
So, the Adobe vulnerability ... good catch!
Well, it wasn't much. But now it seems that the entire industry is under fire because of the recent findings from Symantec.
ChannelWeb: My security sources are saying they haven't yet seen too much exploiting of the vulnerability out in the wild. Would you agree, or are you seeing a lot of attacks through this hole?
I haven't personally seen any attacks that involve the PDF vulnerability, but I won't be surprised if it goes mainstream. Adobe Acrobat and Reader are not the type of software you can upgrade overnight. Both products are key assets to a lot of businesses. Every update is prone to failure. Therefore, organizations that are dependent on either of the products will remain vulnerable in the following months.
Now, this is a huge opportunity for the bad guys. PDF documents can easily sneak into the organization under attack. We've seen what PDF spam can do. This vulnerability could lead to a lot of problems. This is one of the reasons why I will withhold any details [of my research] on the issue, if I ever release the POCs. However, anyone with enough technical knowledge can reverse engineer the patch and as such come up with the attack vector originally disclosed to Adobe.
It seems like holes in mission-critical applications that are very common in business environments like the Adobe products would be a goldmine for the bad guys ... do you think they are focusing on finding those flaws in those types of apps more than ever?
I think that most of the research done today is being done by the good guys. But definitely, yes. People will try to target business applications more than ever. PDF seems to be one of the best targets: a portable document format tailor-made for mass exploitation.
It seems like the whole malware community is pretty specialized, like you have virus writers who are really technical, but also the marketers of the botnets or spammers who really aren't.
Most spammers are highly non-technical and do not understand most of the stuff they do, although once in a while you get an exception that really surprises you.
So two quick questions, to kind of wrap this up, because I know you are busy. First, what is your philosophy of ethical hacking? Second, when will people finally learn to stop opening suspicious email attachments?
On the first question, it's hard to say. Sometimes it means to go with full disclosure of your research. Sometimes it means to withhold any details until the storm is gone. I believe that those people who work as professional security consultants know best which way to go. There is no black and white. There is a huge gray shade in between.
On the second question, unfortunately, I have to say never. First of all, we need to define what looks "suspicious." If we can define that, then we can definitely program a mechanism to prevent these suspicious files from being opened. But we can't, because we are confused ourselves.
We don't have any definition of what is "suspicious," and there's no way we can educate the user, either. I mean, how suspicious is an e-mail attachment that says "invoice.pdf"? Of course, for people who don't deal with PDFs on a regular basis, it is very unusual, but for many out there this is part of their daily routine.