A

Chatgpt AI Machine Satellite engine ignition. Click here and lift up. From recorded future news and prx, this is Click Here's Mic Drop. A longer listen to one of our favorite conversations of the week. I'm Dena Temple Raston. Today a story about a coder who built something powerful and then watched it slip from his control. Kubogretsky designed a hacking tool to help companies protect themselves. But when he released it to the public, it fell into the wrong hands. What happens when a tool meant to make the Internet safer starts helping the bad guys make it more dangerous? So, do you know the story of Frankenstein? Yes, Dr. Frankenstein. Do you ever worry that as you're doing this that you might accidentally be building a Frankenstein?

B

Was the doctor killed by its creation, if I remember correctly? Yeah.

A

I'm not focusing on your death so.

B

Much, but at least I'm not worried about being killed by software. So, yeah, that's good.

A

Stay with us.

C

This show is supported by Blueland. You've probably heard that most of us are eating a credit card's worth of plastics every week, but you probably don't know that you're cleaning with microplastics every day. It's time to make the switch to Blueland. Blueland is on a mission to make it easy for everyone to make sustainable choices. From cleaning sprays and toilet bowl cleaner to dishwasher and laundry detergent tablets. Blueland's formulas are 100% microplastic free, made with certified clean ingredients, and free from chlorine, bleach and harsh chemicals. All Blueland cleaning products are safe to use around your family, your pets, your plants. Plus, Blueland was named an EPA's safer choice partner of the Year. So they're good for the planet as well. Blueland is trusted in over 1 million homes by people who love not having to choose between the safe option and and what actually gets their home clean. Blueland has a special offer for listeners right now. Get 15% off your first order by going to blueland.com prx make the switch to blueland now by going to blueland.Com prx for 15% off. That's blueland.com prx to get 15% off.

A

I'm Dina Templewost and this is Click here's mic drop. It's 2006 and Kuba Gretzky is in Poland sitting at his computer playing an online video game.

B

So essentially it was an MMO game, a very popular one.

A

Mmo, that stands for Massively Multiplayer Online Game. And one of those circa 2006 sounded like this. Think World of Warcraft or RuneScape, the kind of game where you can battle strangers from halfway around the world. My, you're a tall one. Can I help you? Off and away. Bakuba saw a flaw in the system. When you step away from your computer to sleep or work or eat, your character just stops. You lose momentum. No points, no progress. What can I do for you? So he wondered, what if the game could keep playing without him? Safe travels.

B

Like, all in all, it would allow to play the game on its own, like by itself, so that you can go to sleep, leave it on, and it would just run around killing different mobs that run around in the forest and gather all the items.

A

So Kuba started tinkering with the game's underlying code, reverse engineering its zeros and ones, until he built a tool that could automate it all.

B

So the automation tool Tyrote would interact with the game, process and gather all the information from inside of game memory to interact with the game without requiring the user to use any kind of input.

A

In other words, built a bot. His character fought, leveled up, collected loot, all while Kubo was sleeping in the next room.

B

I just started the game and I never actually played for more than several hours. I would just have fun just watching it play on its own.

A

And you did that because you wanted to make money or just because you could?

B

I think it was more because I could.

A

So it wasn't about profit, it was all about possibility. And that curiosity, that urge to understand how a system really works would follow him out of gaming and into cybersecurity. Cuba became what's known as an offensive security developer, someone who builds tools for ethical hackers or red teams.

B

So I try to understand how red teams work, and I create tools for them to help them behave an attacker and to simulate the attacks before the bad guys actually do it for real.

A

So essentially, you're trying to think like a bad guy to be one step ahead.

B

Exactly, yes.

A

And one of his most famous creations is something called Evil Jinx. It's a tool he built for white hat hackers, the cybersecurity teams who are trying to protect networks from bad guys by breaking into them first.

B

Evil Jinx is a proxy that allows the attacker to bypass multi factor authentication.

A

You know, that little extra step when you log into your bank or your email, typing a code that's texted to you? That's multi factor authentication. And Evil Jinx's secret power is that it can intercept those codes. Think of it like a game of catch with your bank you throw a password and the bank catches it and tosses back a verification code. The token. But before you catch it, Evil Jinx steps in and snags the ball in midair.

B

The attacker can grab the decision tokens from the captured cookie and import it into their own web browser and thus be signed in and authenticated as the user.

A

And just like that, the hacker is inside your account. It's a process called reverse proxy phishing, and Kuba says that many multi factor systems are vulnerable to it, especially those that use text messages, push notifications, or authenticator apps to send tokens. So when Kuba created Evil Jinx, he started ringing alarm bells, telling people that if he could develop a tool that could fool multi factor authentication, then somewhere out there, the bad guys would also be able to.

B

Every time I go to conferences and give talks about reverse proxy phishing, I try to inform users, and I think I've been pretty, pretty vocal about it in the last couple of years.

A

So in 2017, he did something bold. He uploaded Evil Jinx to GitHub for free. He wanted to give everyone a tool that would allow even small security teams to test their defenses. But the Internet being what it is.

B

When I released the first version of Evil Jinx in 2017, the bad guys started using it to do evil.

A

Up next, when good intentions meet bad actors. Stay with us.

D

What the hell is going on right now? And why is it happening like this? At Wired, we're obsessed with getting to the bottom of those questions on a daily basis. And maybe you are too. I'm Katie Drummond, the global editorial Director of Wired, and I'm hosting our new podcast series, the Big Interview. Each week I'll sit down with some of the most interesting, provocative and influential people who are shaping our right now. Big Interview conversations are fun.

B

I want a shark that.

D

That eats the Internet, that turns it all off, unfiltered and unafraid. So in a lot of ways, I try to be an antidote to the unimaginable faucet of reactionary content that you see online. And to the best of my ability, every week, we're going to offer you the ultimate luxury of our times. Meaning and context. True or false. You, Brian Johnson, the man sitting across from me, one day, at some point, as of yet undefined, in the future, you will die. False. Tell me more. Listen to the Big Interview right now, in the same place you find WIRED's Uncanny Valley podcast. Subscribe or follow wherever you get your podcasts.

A

Do you remember the first time you saw Evil Jinx? Being used for bad instead of good.

B

I remember this year it's been used from what I read in the reports by Microsoft, by essentially Russian APTS APT.

A

Advanced Persistent Threat Nation state hackers. In late 2023, a hacking group calling itself Scattered Spider broke into MGM Resorts. A hacker group called Scattered Spider has claimed responsibility for the MGM hack. MGM is still having problems with systems because of the attack, including. The fallout was immediate. The hotel key card stopped working. Slot machines froze in mid spin. Guests couldn't cash out. The company said it lost over $100 million. Scattered Spider's members were a mix of hackers in the US and the UK, but investigators say the group has ties to Russian ransomware gangs and one of their favorite tools, an Evil Jinx fishing kit. Then later that year, another cyber gang, a Russian espionage outfit known as Voltage Blizzard, started using that same tool. But they were targeting NGOs and defense groups helping Ukraine in its war with Russia. And they too were stealing emails and other sensitive data.

B

So that was a pretty not fun thing to read. I felt especially bad that Russia is using it because I specifically would never want to aid this country because I live in Poland. We have the bad history about what Russia is capable of. So giving them anything is something I would never actually want to try to.

A

Prevent that from happening. Before Kuba released Evil Jinx out into the world, he stripped out its most dangerous features and even hid Easter eggs in the code so researchers could spot it in the wild.

B

In the public version, I try to add this specific string of characters with every request made to the website. That just indicates that Evil Jinx is being used so that users that may be attacked can check and then they know that this connection is actually coming from Evil Jinx so they can block it.

A

It's similar to the way my mother in law shares her favorite cake recipe. She leaves one ingredient out.

B

The cake made with the full recipe is the one that is being sold privately to Red team companies.

A

That full recipe for Red teams is Evil Jinx Pro, the paid version. Kuba sells only to vetted security firms.

B

It is basically like a pro version of eviljinx. So it's eviljinx Pro and this is already out available for Red Team companies to purchase, which I also do all the vetting and verification. If someone is really working for a legitimate company. Yes, exactly.

A

Still the public version stays online for anyone to download and that decision weighs on him.

B

I know that I'm basically by proxy aiding the bad guys and giving them something to use as well. But on the other hand. I would like also to support the people who cannot use the private version of evil Jinx Pro to also make them able to strengthen their defenses and.

A

In the process search for vulnerabilities in places they hadn't considered before. Kuba argues that openness, the willingness to expose flaws that bad guys might find on their own, is what ultimately keeps.

B

Us safer by actually being open about the methods that can be used. Attackers can hack people and steal information, because otherwise they would just be sitting in the dark and just waiting for the attacks to happen without anyone knowing the technique is actually up there.

A

And even after all this, he still believes that shining a light on flaws is better than pretending they don't exist. And maybe he's right, even if that light sometimes spills into the wrong places. Security, after all, isn't one person's responsibility is a chain, and every link, from the coder to the company to the person who clicks the link has to hold fast. It's messy. It's human. And for now, that might be the most honest kind of security we've got From Recorded Future News this has been Click Here's Mic Drop. It was written and produced by Megan Dietre, Sean Powers, Erica Gaeda, Zach Zach Hirsch, Lucas Riley and me, Dina Temple. Rest it was edited by Karen Duffin. We'll be back on Tuesday with an all new episode of Click Here. Have a great weekend.

E

If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up today's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to the Record Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.