Nothing New Under the Sun?

This morning I saw this article: https://room362.com/post/2016/snagging-creds-from-locked-machines/ and it really blew my mind. The simple, but incredibly effective method is tremendous. I know, physical access means you own everything one way or another, but this example is elegant in its simplicity.

This simple article has been running around my head all day, and I have struggled to figure out why. A little background: I’ve been following Rob, or Mubix as he’s also known, for a couple of years now. When I first heard of him it was a talk he gave about how to create a career for yourself in infosec. As I was desperately looking to do that, I must have watched his talk a dozen times. And I followed his advice. I started creating a brand for myself, I started talking to more people. I’ve continued to follow Rob, learning by picking up the scraps he drops around him with his career. He is a very busy man. He has a day job, a part-time job, and a family. I’ve met him once in passing at Derbycon and he’s a great guy, quiet, humble, but very open. He’s one of the many people that have inspired me to take my career seriously.

I fell backwards into infosec like a lot of folks have, by generally being interested in tech, getting some jobs I didn’t like, some I did, and slowly adding security into it. As I have recently come into more of a mentor role than a mentee, reading Rob’s first line in that article is what sent my mind spinning all day.

“Also, there is no possible way that I’m the first one that has identified this, but here it is (trust me, I tested it so many ways to confirm it because I couldn’t believe it was true).”

One thing I’ve found to be true among almost every competent tech person is discomfort with their abilities. They’re not scared really, just unwilling to boldly lay claim to things without research, testing, and if possible, independent third-party verification. I have suffered from this my whole life, and it somehow makes me more comfortable with people’s skills if they ask you to verify things rather than trust them.

The important thing about this feeling is, that’s what makes the industry not just great, but incredible. I have found myself doing the same things I was shocked to find people I looked up to doing. Giving back. Replying to questions from strangers with annotated lists of resources and interpretations. I’m sure at some level there is community to many career paths, but in security, community is the only way to succeed. Rob inspires me every day because he may not be right, or new, or original, but he’s working hard and putting it out there for other people to learn from. This takes all forms. Conversations, blogs, podcasts, conference talks, sample code, tutorial videos, vulnerable VMs, encouragement. It’s not hard to find someone doing something inspiring, or someone that can easily be inspired. Infosec has taught me community is not the gathering of people. I spent a great deal of my life thinking that simply a group of like-minded people creates a community. This is not the case. Community is the action of building each other up so that the whole is greater than the parts.

Be Humble

I was lucky enough to get selected again to speak at the local BSides this year. It was a fantastic experience, better than last year. I got a lot of good feedback and discussion from my talk, entitled, “DIY Hacker Training, a Walkthrough”. I just went through the things that I use for learning resources and keeping track of news around the infosec community.

The second keynote of the day was … unexpected. Chris Nickerson is typically the first person people point to when the topic of “rockstar” in the community is raised. He tells funny stories, he’s often seen with a drink in hand, and he’s always talking about this time he got into some shit. Saturday Chris got up and put his story out there for everyone to see, as a lesson, almost a confession, and a pledge to get better. He talked about the highs of leading in the infosec community for 20 years, attaining that “rockstar” status; TV shows, board positions, leading companies, owning companies, pwning companies. He also talked about the hard parts, the rough patches, the terrorizing that he and his loved ones are enduring every day. It’s a hard lesson to learn and I’m sure an even harder one to teach. I am grateful for the lesson and for Chris’ sacrifice. He has taught me more than a few things over the last few years as I have grown up into this field. The message I got from him a while ago, that he underscored again on Saturday, is universal. No one can claim to live a full life without it and absolutely no one can have a decent career without it. Be humble. Don’t be cocky. Everyone, no matter how smart, no matter how dumb, no matter where they’re coming from, everyone knows something you don’t, and can teach you things.

It’s often said that the key to succeeding in Information Security is mindset. You have to think like an attacker, think about what it can do, rather than what it should do. Since the first time I heard Chris say this in a talk, I’ve watched him and others in the community live it at cons, on Twitter, in their blogs. Everyone can help you get better. As they can help you, so can you help them. Share your insights, share your experience, share your knowledge. There’s not a better message to take home.

Be Humble.

How I got here and where I’m going

Last night I was catching up with an old friend, and in refreshing the last 24-36 months I told him what I had been up to. In hearing his story, it is striking how close it is to my own. He has a decent job, wonderful wife, and if the construction ever finishes, a lovely home. He told me he doesn’t dislike his job, but it feels like he’s not getting there quick enough. I told him about my trials with work, and how I got to where I am now.

After college I had no idea what I wanted to do. I suffered from nearly terminal lack of motivation. I watched my friends move out to jobs and grad school, while I just stayed put, working in a Bob Evans. Eventually it was time to move, so I got a short-term job as a liquidation manager in New Jersey of all places. This was a few months of intense work, sales at that, which gave me enough money to move to Cleveland. Once I got to Cleveland, I still had no job, and very little professional motivation to follow my college degree career path. I did, however, have the motivation of rent. I did a little construction, building decks and installing siding for a few months, odds and ends contractor stuff as a laborer. This was nice through the summer, but wouldn’t work in the winter.

I applied and got hired at CompUSA, to work in the warehouse. This was a blessing, because if there’s anything I do not like, it is trying to sell things to people. I made a few friends in the “Tech Shop”, where customers could bring their computers for repair or upgrade. This started to teach me both how much I already knew about troubleshooting and how much fun it would be to do that as a job. I started to see how being “into computers” could result in a paycheck. After about a year there, a friend said I should send my resume to his company; he would recommend me and they were a great place to work. I did, and was interviewed to do QA for their internal and external websites. The interview went great, but apparently shortly following it the manager who I interviewed with left that company. My application was left hanging as one of his open items, and it took me a few months of following up to get a second interview. This interview was even better than the first. I talked with a lead developer and the VP who was running the IT department temporarily. I was offered a job with no real description or title, but they said with my graphics experience I would be in between their IT department and digital print shop, not QA. I gladly accepted; this was my first full-time, for-real job, with benefits, perks, salary, everything.

I was in that role for about 3 years. Flux in the company bounced me around to 3 or 4 managers, a few different desks, and many, many projects. I learned a great deal about digital pre-press work, and how to configure the web and print graphics for their custom print-on-demand solution. The biggest thing I learned there was that I had no desire to pursue this any further, and that it was worth a gamble to get out of the print/graphics career field. After talking it over with my wife, we agreed that now was the time to gamble. I had experience enough to get another prepress job, but no interest in it.

Finding a low-level IT job with no experience or certifications is pretty difficult. I applied to anything IT related that said “junior” or “entry-level”, with nearly no success. One company, an information security consulting firm, replied to my application with “you’re the second or third person with graphic design experience we’ve had apply, what makes you interested in this?” So I started a dialog with this person, who I later found out is the owner/lead consultant, about how unsatisfied I was with graphics and print, and my ever-increasing interest in computers, networks, software, etc. We set up an interview and I went. After a little small talk, they got down to it and explained what they were expecting from the position, then provided examples of the work environment and the tasks that would be assigned. During this I only had the faintest notion of what they were talking about, and said so. I thanked them for their time, but told them I was woefully under-equipped for the position, no matter how interested I was. They respected this and gave me a few pointers to build up the skills and knowledge to get to that level. One of these was attending the local infosec group, NEOISF.

I’ve been attending meetings ever since. I’d like to say I’ve been every month, but life gets in the way sometimes. The first few meetings I attended I felt like the speakers were using a different language. I typically got lost in the talks right after the “Hello, my name is…”. Taking notes, reading blogs and tech articles discussed in the talks, trying out some of the things demoed, they’ve all slowly built up my knowledge and skills.

I had one other interview that went well, and resulted in a job offer as a “systems operator”. I optimistically thought this would be a path to a real systems administrator position. Sadly, this was not the case. The job amounted to a little bit of software and website QA, running a few reports, and monitoring the monitoring system so we could alert people if something broke. After about a week of this, I started looking for jobs again. Over the course of the next 18 months I tried to build myself up professionally. I got the A+ and Network+ to actually add IT things to my resume. Finally my constant applications paid off. I had two interviews that went great, one at a colocation facility, and another at the company I had done the graphics work for. Both companies had a great offer. The colo said they support Linux & Windows customers of every different stripe, and that I would get a ton of hands-on time with server administration, but it would be 3rd shift only for at least the first year. The other company offered me a spot on the IT admin team. They were expecting an acquisition to be completed soon, which would amplify the day-to-day work, and would be an excellent time to start my IT career. Between the normal schedule offered and my experience working for the company, I took the safe bet and went back.

The next 18 months were fantastic. I worked on a team of people who gave me difficult, challenging projects almost every day. They were great to work with and I added a dozen lines to my resume, things like .NET website setup and migration, QA/Dev/Production environment configuration and maintenance, desktop support (Mac OS and Windows), SQL Server maintenance, version control migration, and much more. I didn’t know it at the time, but here’s where I became a sysadmin, the title I had been reaching for since I discovered it existed. Other events forced me to leave that job, unrelated to the team or the work. It was a sad day, and I still miss working with a team where everyone is challenged together. This environment taught me how to be self-sufficient with new technologies and just how valuable another set of eyes at the crucial moment can be.

In my current role, I’m straddling the QA and sysadmin roles at an enterprise software company. I spend a good bit of time administering a large virtual machine farm, creating/configuring/upgrading machines, monitoring the environment, and maintaining access. Other tasks are replicating customer environments to repeat problems for development and QA, so that we can verify the software gets fixed. QA tasks are pretty limited compared to the rest of the QA department. My team is responsible for a very small set of features, mostly authentication and database related, because we have access to create complicated test environments at will. The big perk of this job is professional development. Previous employers of mine were either not at all interested in this, or only superficially. Now it’s a full time item, they will supply budget and educational materials to support my goals.

Now I’m looking at where I want to be. After working into the IT field and attending NEOISF meetings for roughly the same amount of time, it’s infosec, or Information Security. Bringing this up with my current manager met great enthusiasm, as building out an accountable security team is one of the company’s current goals. So now I have an environment to grow in, a company enthusiastically supporting my growth, and no experience. Oh, and I have the same workload as before, just with the added action item of “get better at security”. I’ve started attending conferences and asking for training, reading as much as I can get my hands on, and researching certifications that can be used as a milestone to show development. Outside of work I’ve built a test lab machine to house VMs for testing “red-team” attacks and analysis. Rather than watching TV or movies, I tend to spend my free time watching talks recorded at infosec conferences. And I started this blog to just add one more point of forcing myself to both do something new and keep track of it.

A group of like-minded individuals in the QA department have started meeting to try and figure out both what kinds of things our software has been vulnerable to in the past, and discussing what it would take to find these sorts of problems going forward. I think our biggest problem is no one has any real experience with security.

Does anyone know how to build a QA security program or team?

BSides Cleveland – Afterwords

07.13.2012 – Attended BSidesCLE

Now that I’m a grown-up and actually have held a job that requires growing, I’ve gone to off-site meetings or demo days. So far they’ve always been in nice hotels, provide breakfast, lunch and refreshments, but what they really are is a sales pitch. Some better disguised than others, but nonetheless, for a professional function, during the work week, held in a hotel, they were fancy sales pitches.

This was the first time I felt strongly enough to use paid time off to attend something. Turns out, my current job is fantastic, and when they found out it was a security conference, they told me to cancel the PTO request and just go on the clock. I don’t know much about what happens at “hacker” cons, but the atmosphere at BSides was incredible compared to other off-site functions for work. Every other one was a sales pitch.

BSides, and I hope others match this experience, is a place to hang out. There was a lovely breakfast with plenty of good food, big, open tables and areas to gather and converse, and a schedule of events to learn things. Oh, the things to learn: building an awareness program, lockpicking, anti-forensics, industry politics, and general pentesting. These presenters came from all walks, authors, executives, admins, pentesters, developers; they were as varied as the attendees. Before I got to the event I was feeling intimidated. I know I am a novice in all things InfoSec, but I want to learn, and that’s what the day was full of, learning. I was given an outpouring of information about how to do things, learn things, and think about things differently. All the speakers drove the point home, “we can do this, why aren’t you?” about their day jobs, about their hobbies, about their lives in and around the community. No one was unapproachable, no one was concerned when things had to change last minute; rewrite a talk, have someone sub with one of their old talks, let’s just keep the show running. It was great to experience this and take away the feeling I can get to that point.

What did I really take away? The same thing this blog is built to enforce. Changing is hard work. Sometimes the hard part is plugging away with no end in sight until something just clicks; sometimes it’s learning 100 new skills at once and trying to balance. I learned that I’m always one click, one video, one blog post away from learning all the secrets, but really what it takes is DOING. More and more I know how to learn things: do them. Now I have a job that will PAY ME to go to things to learn. They will pay me to prove that I know things by getting certifications. They do this to keep me happy, but also to give me a path. They do not dictate that path; I am open to choose these topics, choose these certifications. I have to pay this back by following a path. Doing more than just watching something pass by and reading about it.