Creating the fastest-spreading virus of all time: My Interview with Samy Kamkar

September 7th, 2018 | security and compliance, culture & news

I recently got the chance to chat with Independent Security Researcher and OneLogin Connect Keynoter, Samy Kamkar. We spoke about how he inadvertently created the fastest-spreading internet virus in history, some of the most interesting hacking techniques that are emerging today, and his perception of what it means to “think like a hacker.”

Here are the highlights from our conversation.

Thanks so much for chatting with me, Samy! Can you start by telling the story of how you created the fastest spreading virus of all time?
Sure, so when I was younger the social media platform, MySpace, was very popular - even more so than Google. And one day I was playing around with the website and modifying my profile when I discovered a vulnerability in the browser and in the MySpace website. This vulnerability allowed me to edit the JavaScript code on the page, and even control the user’s web browser.

So at the time, I thought it would be funny to alter my page with some code that made it so any time someone viewed my profile, they would automatically add me as a friend. And this just seemed like a fun little prank that would get me a handful of friends.

But when I woke up the next day, I had about 10,000 friends. And in less than 24 hours, my friends list had exploded to more than a million people.

Why was that virus able to spread so quickly?
It could spread so quickly because it didn’t just infect people who visited my profile. Anyone who was touched by this code by visiting my page also had the code copied to their profile. So anyone who visited their page would also add me as a friend, and so on. It was exponential.

It all got much more out of hand than I had intended, so I tried deleting my MySpace profile to put an end to it. But that didn’t stop the spread of the virus because so many other profiles were already infected. And it all eventually resulted in the MySpace website being completely shut down for a few hours.

This sounds like a pretty serious vulnerability you found. Are these types of vulnerabilities common?
At the time, yes. This type of vulnerability is called cross-site scripting, which was a common means of executing web-based attacks. But before this point, cross-site scripting wasn’t really top of mind for security professionals.

This was the first time that anyone demonstrated this vulnerability as a serious issue that could have major consequences. My virus wasn’t deliberately malicious, but it definitely made people aware that they should take these types of vulnerabilities seriously.

Did you face any consequences for creating this virus?
Yes, so after a few hours, MySpace came back online, and everything seemed fine. But about six months later, I was confronted by the police who searched my apartment and confiscated all of my electronics.

I was actually at real risk of facing prison time. But instead, I was able to take a plea that involved me paying a fine, doing community service, and being on probation that restricted my computer use for three years. After that probation period was over, everything was off my record, and I could freely use computers again.

Are there any lessons that the Samy Worm incident can teach today’s organizations about cybersecurity?
Definitely. There weren’t a lot of options for building secure websites back then, but the technology has since come a long way. My advice would be to take advantage of security professionals who are trained in how to best leverage modern security features for building sites. It takes a lot of time to learn the ins and outs of security, which is why it’s great to have someone with that specific job on your side.

This all happened over ten years ago. What do you think are the most exciting trends in the worlds of hacking and security today?
I think some of the coolest types of cyber attacks right now aren’t based around system vulnerabilities at all. Rather, they involve side channels that can be physically exploited in some really interesting ways.

For example, think of someone typing on their computer keyboard. Each key makes a unique sound. Now imagine a piece of software that can listen to the unique sound of each keystroke. The software may not be able to tell exactly which key is which at first. But over time, it may be able to recognize the same ones being repeated. After 100 characters or so, the software can analyze the sound patterns to form a pretty good guess as to what the user is typing.

What’s really crazy is that you would expect this to be something only well-funded organizations or governments could achieve. But in reality, this is a budding type of cyber attack that is becoming much more affordable for a wide range of people.

How can organizations defend themselves against that type of threat?
It’s easy; you just have to live in the woods with no internet connection.

No, I’m totally kidding.

Fortunately, these types of attacks are still tough to pull off. My recommendation is just to follow best practices like keeping your software updated, keeping your offices physically secure, and making sure your login credentials are kept safe.

Your talk at OneLogin Connect is called ‘Think Like a Hacker.’ Can you share what ‘thinking like a hacker’ means to you?
For me, it’s all about the perspective I have when tackling a project. By that, I mean assuming that there is a solution to every problem, even if the answer isn’t obvious right away. I don’t think being a hacker means being an inherently good problem solver, but rather believing that you can uncover the solution to any problem with enough investment in time and thought.

If you go in with the mindset of, “Nobody has solved this problem before, so there’s no way I can,” then there’s no way you’ll succeed. But if you have the attitude of, “I know there’s a solution that no one has thought of yet,” then it’s only a matter of time before you find the answer.

And of course, you can apply this mindset in a positive way to do something constructive, or you can use it for negative purposes. To me, that’s ultimately the essence of what it means to think like a hacker.

See Samy at OneLogin Connect

A very special thanks to Samy for taking the time to chat with me!

You can hear more from Samy Kamkar as well as OneLogin CSO Justin Calmus on September 12 during their “Think Like a Hacker” keynote at OneLogin Connect in San Francisco. Got a question for our speakers? You can submit your questions in advance using the #AskAHacker hashtag! Full details here.

About the Author

Jack Shepherd joined the OneLogin team in Summer of 2015, and is now the Content Marketing Lead at OneLogin. Jack specializes in producing thought leadership pieces around the latest cloud technologies, cybersecurity, and the evolving role of unified access management.
