Mentors

I’ve taken a bit of time over the past week or so to contemplate my life and how it is I’ve gotten to this point in my professional career. This opportunity for reflection came about in the calm before the storm. In a week or so, my small family and I are jumping on an airplane to relocate to California; stepping away from business-ownership and consulting life in Perth, Australia, to join an app sec team in a large “Internet” organisation. While the past few days of packing up the house have been frantic, I did get a chance to clear my mind and relax slightly after my last day.

In our industry of information security, and I presume in others too, it’s unusual for people to accomplish anything without mentors. While I understand that the term can sound ‘official’, and may carry some baggage, when I talk about mentors, I refer to the formal and the informal. If you’re lucky, you’ve worked somewhere where they have formal mentoring programmes, and while I do believe in their value, I think in the end the more informal mentor-relationships will yield stronger results. It’s the relationships with these people where it’s almost unspoken, but the message is clear: I want to learn from you.

Since I started working in the security field, about 12 years ago now – which is still fresh compared to many, I’ve had two distinct people I would call mentors. Lets call these people Peter and David. Because that’s their names.

I was fortunate at university. A lot of people I studied with didn’t directly go to work in the field. But during a computer forensics unit I met Pete, who was driven to expand his security knowledge from the physical-realm into the logical and so was taking a bunch of computer security units as a mature-aged student. Pete firmly believed that you couldn’t protect physical assets (such as diamonds) without appropriate logical and IT controls as well. Just as university was finishing up he happened to have a position opening up in his team and he invited me to interview. Over the next 3 years, Pete took me under his wing and taught me so much. He brought me into the corporate environment and showed me how large enterprises work (politics and all), he really helped me understand the importance of quality and rigour, especially when dealing with high-value assets (be it expensive IT systems, managing downtime, relationships, business information and so on). He also introduced me to the wider world in ways I would never have imagined as a student – projects in Antwerp and the Arctic circle in the Northwest Territories of Canada. I wouldn’t be where I am now if it wasn’t for Pete, and his patience and willingness to teach me and challenge me in ways that university couldn’t.

Towards the end of my time with Pete, I had a drive to learn more about pure information security, and while Pete was always a manager of mine – I would still consider him one of my most important mentors. I still understood the importance of physical security, but I had a passion for application development that wasn’t getting itched. This is around the time I met Dave, and got my introduction to the exciting world of security at a bank.

While Pete had driven me to expand and broaden an understanding of networks, windows environments and digital security systems, my time with Dave really expanded the concepts of ‘thinking like a hacker’. Through my career working with Dave I’ve only formally reported to him once, and while we never discussed his role as a mentor of mine, that’s exactly what he became. Dave was the first person I met that demonstrated to me a clear process in divulging in something really fun and challenging, of breaking stuff. As the years flew by, he was probably one of the best people I knew that helped me turn my understanding of software into an understanding of how to break software, how to find vulnerabilities, and more importantly, how to describe these weaknesses to the people that could do something about it. No matter how often I’d shake my head at how he did things behind a computer, his strive for pragmatism has left a mark on my approach to security that I’ll never shake.

When Dave asked me to start a security consulting company with him it was a no-brainer. The person that I was learning the most from was going to start something else, and I had to be there. It’s gut-wrenching when I stop and think about leaving the company I helped start, but I’ve got that itch again, and when an amazing opportunity presents itself I’m generally not the kind of person that wants to look back with regret.

So if you want to become a better practitioner, try and understand who your mentors are, and do everything you can to leech as much of their experience and wisdom as you can, whether it be in a formal or informal manner. Don’t worry yourself with whether their older than you or not, I’ve been constantly surprised with younger hackers I’ve met over the past year or so. Just find that person who inspires you to be better, and is willing to lend you a hand in improving yourself, and latch onto them.

Collective noun for ‘hackers’

Sometime last year I pinged out on twitter what people thought were appropriate collective nouns for ‘hackers’. There are a few that had done the rounds, the rest are collected here from various people.

I don’t know why I didn’t post this last year, but the conversation came up again on twitter (thanks @wireghoul).. so in no particular order, here they are!

A Cloud @mikeforbes
An Array @wince84 & @Ar0xA & @wireghoul
A Murder @VirtualTal (plus some offline peeps .. I’m unsure what these people are trying to say..)
A Cruft @bringer128 – apparently the top GOOG hit, from Eric S. Raymond (Thanks @wireghoul)
A Gaggle @Kxyne
A Con @lordparody (and a Conartist – the guy who does the advertising? – @silviocesare)
A ‘Know-it-all’ @TheColonial
A Vendor @TheColonial
A Buffer @TheColonial
A Fnord @TheColonial
A Fumble @TheColonial
A Heap @andrew_barratt & @wireghoul
A Drunkard @nanomebia
An Overflow @mdjnewman & @RobertWinkel & @sintixerr
A Cough @luddite_sue
A Permute (or Permutation) @TomSellers
A Cacophony @TheColonial < OJ is on a roll
A Horde @0x6D6172696F
A Kernel @TheColonial < he’s pretty much unstoppable at this point
A Conference @jack_daniel
A Corporation @jack_daniel
A Trouble @jack_daniel
A Shot @TheColonial
A Bottle @TheColonial
A Crawl @TheColonial
A Hangover @TheColonial < now he’s just saying random words…
A Bastard @rich0H
A Mischief @pipes
An Ugh @OaklandElle
A Heckle @Jofo
A Slosh @OaklandElle
A Coven @thedarktangent
A Den @thedarktangent
A Conspiracy @thedarktangent
A Hive @0x6D6172696F < you can see Mario is keen on alliteration.
A Schadenfreude @TheColonial < yep, OJ has lost his marbles.
An Escalation @nopulent
A Litre (41337R3) @Joflixen
A Disagreement @bonsaiviking
A Hacki @ethicalhack3r < although .. I’m unsure if this is what I think it means?
An Intrusion @psiinon
A Gaggle @securitysetup
An Exploit @hacks4pancakes
‘Anonymous’ @fabiospelta
A Packet @astcell
A ‘Defcon’ (According to Maria at the Rio http://it.toolbox.com/blogs/securitymonkey/lesson-learned-never-ask-strangers-about-defcon-lulz-edition-47809) @0x7eff
A Cluster Fuck @mattrix_
A Spoof @sintixerr
An AND @sintixerr
A Curiosity @sintixerr
A Flood @sintixerr
A Leet @munin
A Set @_ZPH
A Bar @dhw

Bonus points to @wireghoul for nominating that it’s obviously a ‘ring’ of phreakers.

UPDATE 12:02pm
A cyber .. thanks 0x1c

UPDATE 12:52pm 13th June
A Stack @CaptainQwark and @greymaiden
A Hash @JPatONeil
A System @wireghoul (Did I miss this last time? can’t remember)
A Packet @greymaiden (Once again, surprised this didn’t come up last time)
“A Fix A Patch A Root A Snark Or, like alcohol, a Solution” –@marasawr < hahaha
A Bus @dlitchfield (Dave was surprised this hadn’t come earlier too)
“A 2600 of hackers, a hacker collective, a community… …actually, it depends on how they’re organized (if at all)” –@XioNYC
A Foo @carmoca
A Kludge, an ‘optimise’ @mhackling
A Glitch, a Brood @pegasusepsilon (A Brood sounds like vampires?)
A Clan, a Band @paulpols

As is highlighted, this list could potentially go on .. FOREVER EVER ever ever…

Thoughts on 2013

marriedI awoke at the start of 2013 and life was spectacular. I was a few months married (bank accounts reset), had put together a rough plan for honeymooning around the US and even started executing the purchasing of flights etc (bank accounts reset take two). I had also recently had some really interesting discussions with @WadeAlcorn regarding a potential “little” side-project, and of course all the other bits and bobs I was spending time with, various Rails, jQuery and AWS projects. I can’t forget to mention my continued efforts on what I was doing in the 9-5, providing the absolute best information and application security consulting advice and services to our customers that I could.

On the personal front, 2013 saw my love and adoration for my wonderful wife Tenille continue to grow and flourish. We had our highs and lows, moments of despair and absolute joy. Some of the best times of my life I’ve experienced over the past few years, and 2013 was no different. Our trip to LA, Portland, Seattle, New Orleans and Hawaii was nothing short of absolutely spectacular. We got to experience some fantastic music events (The Bronx in their hometown, LA, in an amazing art deco theatre; Local Natives in a 100 year old ballroom in Portland; The New Orleans Jazz Festival), some fantastic meals (in particular the cuisine we sampled in Portland and New Orleans), some breathtaking beers (once again, thank you Oregon you wonderful state of beer) and amazing scenery, particularly in Hawaii.

Shortly after returning home we were welcomed with the news that we would be having a little baby within about 9 months. With excitement and trepidation we both knew that our lives were about to change for ever.

new life

Throughout the entire year I also found myself spending more and more time on that side-project with Wade, co-authoring the Browser Hacker’s Handbook. Working so closely with Wade and Michele @antisnatchor was also filled with amazing highs and lows. As far as challenges go, working on this book has easily been one of the more difficult things I’ve been involved with. Not just from a research point of view, but re-discovering how to apply a high degree of rigour in writing in a consistent, concise and clear manner. Oh, and lets not forget the endless cycles of reviewing and reviewing and reviewing. I would be lying if there weren’t a few moments where I wanted to throw in the towel, but working with these two brilliant security researchers and professionals (not to mention the other talented contributing authors and reviewers we’ve been fortunate enough to get involved) has been such an amazingly fulfilling experience I’m glad I didn’t. Over 1,100 emails and 2,000+ commits later and the book is getting very close to completion.

On other projects I continued my efforts with BeEF (various back and frontend commits, with a focus on the rex console UI, (mobile) browser detection, LastPass SE modules, and an implementation on the WebRTC internal IP detection).

I also released my first version of the SAMM Self Assessment tool, which immediately got some interest from the OpenSAMM project leads for further inclusion with the official OWASP Project. I really enjoyed hacking this together, not only because I got to spend some time with jQuery, but also getting a really good opportunity to play with deploying and scaling this Rails app on AWS services with the excellent Rubber tool (a cloud-wrapper for capistrano). With a few clicks of a button I’m able to scale app servers and DB servers, and then add/remove them from the Amazon’s Elastic Load Balancers. Combine this with S3 and CloudFront to provide a CDN for all the static assets (once again, automatically pre-compiled during a deploy to EC2) and voila. I must admit, it was really fun to spend some time seeing how the app would go throwing loader.io against it.

I can’t forget the ongoing maintenance of the Devise Google Authenticator gem for Rails’ Devise. Hopefully one of the quicker ways to provide 2FA to your Rails apps. The GH project has 83 stars and the gem has been downloaded over 7,000 times from rubygems, so that’s not too bad.

I’ve also been spending a fair amount of time working on a simple threat modelling application, but you’ll have to watch this space for more on this throughout the year.

browser hacker's handbookOn the professional side of my life Asterisk has continued to grow and grow. We’re in the process of moving into new premises and we’ve grown by a couple of excellent consultants too. Our first employee is not only someone I deeply respect, but I would consider a good friend, so I’m super happy that Jarrod agreed to dive into the exciting ocean of boutique information security consulting with us. We’ve been beating our targets, and things are feeling really positive, I’m very excited to see how we continue to grow in 2014.

2013 ended on the highest peak when Tenille brought our little baby girl into the world. We’ve only been home with her for a few days now, but I’m so amazed with how well both she and Tenille are doing.

Here’s to 2014 being even better!

SAMM Self Assessment Tool

This is primarily a reblog from our Asterisk Labs post here: http://labs.asteriskinfosec.com.au/samm-self-assessment-tool/.

Over a year ago I wanted to have more of a play with Rails and jQuery, at the same time, I was also interested in providing a really quick way for people and organisations to perform a lightweight OpenSAMM self-assessment. And so SSA was created.

–Original Post–

Asterisk are happy to be releasing their first public beta of the SAMM Self Assessment Tool, or SSA. One of our favourite OWASP projects is the OpenSAMM project, and for those who haven’t seen OpenSAMM before, it is a framework to help organisations to evaluate their current software security practices, and build measurable targets and plans for improving these practices.

Part of OpenSAMM includes conducting assessments (you can’t manage what you can’t measure right?). The OpenSAMM methodology categorises these assessments as either Lightweight or Detailed. SSA aims to provide a very simple way to perform this Lightweight assessment, and compare your current status with some pre-canned target states. And literally, that’s it.

We’ve used this tool on a number of engagements to quickly gauge where an organisation is, and it’s certainly helped with figuring out the ‘current state’ of an organisations software security maturity.

There’s currently two different ways you can use SSA:

  1. You can visit https://ssa.asteriskinfosec.com.au/ and complete the checklist directly. You don’t even have to save your assessment anywhere if you don’t want. On the other hand, if you want to store your results, there’s a few ways to do that, such as in your cookies or online in a database. For online storage you need to Sign Up, either with a username and password (please don’t re-use your passwords folks), or you can sign in with a Google account too.
  2. Clone a copy of the Rails app and spin it up somewhere locally. We recognised quite early on that some organisations may feel uncomfortable with tracking this sort of information on the Internet, so, if you have the capability, sure, feel free to clone the repository locally and do what you wish.

SSA is being released under an MIT license, and our intent is to give it back to the OWASP community for further enhancements. We have a high level list of proposed features available on the GitHub page, but currently they’re being developed on a ‘When Christian Has Time and is Sober’ timescale. SSA forms part of our Toolkit, of which we’re slowly publishing other tools and utilities too. So watch this space!

As always, we’re really interested in your feedback, queries, concerns, issues. So feel free to send us queries via @asteriskinfosec or as Issues on the GitHub project.

Week of Big Data Sec Viz (hehe), Android Assessments, Rubygems Compromise, Phishing and a bunch of awesome vids

Security

Just some security things that I’ve found interesting (read: they rocked)..

5 Minutes with the Packetloop Beta – The Packetloop presentation at Ruxcon last year was one of the highlights for me, Michael Baker did a really good job of demonstrating (even last Nov) utilising compute clusters to analyse and give the security defender a heads up of large data sets. This video is a really good look at the UI and yeah, it combines a bunch of stuff I enjoy, especially visualisation, and large-data-set analysis. (Phew, got through that without saying cloud or big data!)

Android Application Assessment – A fairly extensive walkthrough of performing an app assessment against apps on Android. Nuff said.

Rubygems Site Recovers from Compromise – I’m a little slow in posting about this, but the community driven rubygems site suffered a breach due to the recent Ruby YAML issues that surfaced a couple of weeks ago. Apart from the article, I actually found their incident response process of shifting their ‘working’ log to gdocs (check it here).

How do I phish?@Zeknox‘s (Brandon McCann) writes up a fairly in-depth look into how he performs phishing campaigns as part of penetration testing exercises. A good one to bookmark for when you need to perform these sorts of assessments yourself. (Thanks again to Rob Fuller for this).

Bill Shocker – hits 600,000+ Android phones! (Exclamationpoints). (In China only?) From what the article seems to be stating is that this malware turns the phones into a botnet of phones, although currently it appears to be using them for sending SMS’ at the profit of the attackers.

Non-Security

… and then a bunch more non-security stuff …

It’s All AcademicAndy Budd writes up a great article on the disjoint between academics and those working in the web industry. The ‘paraphrased’ conversation is great, and something that I found very odd when I shifted from academics into the industry.

The larger our past gets the smaller our present feels – A great short film that Kottke posted the other day. Great style, and, interesting message about time, and our perception of time as we age. This is certainly something I’m starting to perceive as I get older, and things get more and more difficult.

Valve & JJ Abrams Working on a Movie – I’m a gamer, well, when I have time (which, this year is looking very unlikely), and this news is fairly interesting .. but .. the cynic in me is sort of assuming it’s just gonna suck.

Mockumentary on Physically Unlikely Amusement Park Rides – .. this .. this was fantastic. I really enjoyed the style, the scientist, the ridiculous rides, and how it starts off and is ‘almost’ realistic, but then just plummets into the ‘wtf’. It sort of made me think of Cube.