I'm interested in changing careers right now and I like getting into the nitty gritty low level stuff (but not to the point of actual hardware) and security sounds like the best field for that. But how's the job market, and I assume a CS degree is required to even be considered, right?
>>42815675 I have an EE degree - from what I can tell they care more about skills than credentials.
there are manual hacks and code reviews. manual hacks are hacking mobile apps/websites in whatever way you can. my company provides me a shitlist of the most common ones that I have to be sure to look for - beyond that it's up to me how I decide to attack the app. after that is the report writing, which is boring but is only 20-30% of the time spent on it.
code reviews are like manual hacks except you can actually call out all their shitty crypto and authentication schemes. it's hard to analyze those things through a manual hack alone.
everything i work with is either mobile or webapp - i dont know anything about embedded security, sorry.
the market is amazing - at the owasp meetup i go to at the end of the meeting they ask if anyone is looking for a job because everyone is always hiring.
>>42815764 also if we don't have a job going on, everyone's job is just to learn more about security. they're okay with you cracking open a book or reading 2600 or something as long as it has to do with security and you are learning
>https://www.gnu.org/philosophy/words-to-avoid.html#Hacker >A hacker is someone who enjoys playful cleverness—not necessarily with computers. The programmers in the old MIT free software community of the 60s and 70s referred to themselves as hackers. Around 1980, journalists who discovered the hacker community mistakenly took the term to mean “security breaker.”
>Please don't spread this mistake. People who break security are “crackers.”
In June 2000, while visiting Korea, I did a fun hack that clearly illustrates the original and true meaning of the word "hacker". I went to lunch with some GNU fans, and was sitting down to eat some tteokpaekki (*), when a waitress set down six chopsticks right in front of me. It occurred to me that perhaps these were meant for three people, but it was more amusing to imagine that I was supposed to use all six. I did not know any way to do that, so I realized that if I could come up with a way, it would be a hack. I started thinking. After a few seconds I had an idea.
First I used my left hand to put three chopsticks into my right hand. That was not so hard, though I had to figure out where to put them so that I could control them individually. Then I used my right hand to put the other three chopsticks into my left hand. That was hard, since I had to keep the three chopsticks already in my right hand from falling out. After a couple of tries I got it done.
Then I had to figure out how to use the six chopsticks. That was harder. I did not manage well with the left hand, but I succeeded in manipulating all three in the right hand. After a couple of minutes of practice and adjustment, I managed to pick up a piece of food using three sticks converging on it from three different directions, and put it in my mouth.
>>42817794 It didn't become easy—for practical purposes, using two chopsticks is completely superior. But precisely because using three in one hand is hard and ordinarily never thought of, it has "hack value", as my lunch companions immediately recognized. Playfully doing something difficult, whether useful or not, that is hacking.
I later told the Korea story to a friend in Boston, who proceeded to put four chopsticks in one hand and use them as two pairs—picking up two different pieces of food at once, one with each pair. He had topped my hack. Was his action, too, a hack? I think so. Is he therefore a hacker? That depends on how much he likes to hack.
The hacking community developed at MIT and some other universities in the 1960s and 1970s. Hacking included a wide range of activities, from writing software, to practical jokes, to exploring the roofs and tunnels of the MIT campus. Other activities, performed far from MIT and far from computers, also fit hackers' idea of what hacking means: for instance, I think the controversial 1950s "musical piece" by John Cage, 4'33" (****), is more of a hack than a musical composition. The palindromic three-part piece written by Guillaume de Machaut in the 1300s, "Ma Fin Est Mon Commencement", was also a good hack, even better because it also sounds good as music. Puck appreciated hack value.
It is hard to write a simple definition of something as varied as hacking, but I think what these activities have in common is playfulness, cleverness, and exploration. Thus, hacking means exploring the limits of what is possible, in a spirit of playful cleverness. Activities that display playful cleverness have "hack value".
>>42817822 Hackers typically had little respect for the silly rules that administrators like to impose, so they looked for ways around. For instance, when computers at MIT started to have "security" (that is, restrictions on what users could do), some hackers found clever ways to bypass the security, partly so they could use the computers freely, and partly just for the sake of cleverness (hacking does not need to be useful). However, only some hackers did this—many were occupied with other kinds of cleverness, such as placing some amusing object on top of MIT's great dome (**), finding a way to do a certain computation with only 5 instructions when the shortest known program required 6, writing a program to print numbers in roman numerals, or writing a program to understand questions in English.
Meanwhile, another group of hackers at MIT found a different solution to the problem of computer security: they designed the Incompatible Timesharing System without security "features". In the hacker's paradise, the glory days of the Artificial Intelligence Lab, there was no security breaking, because there was no security to break. It was there, in that environment, that I learned to be a hacker, though I had shown the inclination previously. We had plenty of other domains in which to be playfully clever, without building artificial security obstacles which then had to be overcome.
Yet when I say I am a hacker, people often think I am making a naughty admission, presenting myself specifically as a security breaker. How did this confusion develop?
Around 1980, when the news media took notice of hackers, they fixated on one narrow aspect of real hacking: the security breaking which some hackers occasionally did. They ignored all the rest of hacking, and took the term to mean breaking security, no more and no less.
>>42817839 The media have since spread that definition, disregarding our attempts to correct them. As a result, most people have a mistaken idea of what we hackers actually do and what we think.
You can help correct the misunderstanding simply by making a distinction between security breaking and hacking—by using the term "cracking" for security breaking. The people who do it are "crackers" (***). Some of them may also be hackers, just as some of them may be chess players or golfers; most of them are not.
>>42817794 hacker has been used to describe computer crackers since before stallman was born
>>42817855 somewhere on tor. try to find some black hat seo people
>>42817885 because i love 4chan and will never stop love reading retarded posts on /g/
>>42817921 i will use a website as an example:
- conference call with the client and establish the scope of testing. get some overview data on the website such as what techs it uses and get a few accounts set up for it. MOST IMPORTANT: find out if they're having you test a production server or a test server
- start hacking
-- map out the website with a proxy like burp or zap
-- check for the owasp top 10
-- see if i can get a shell on their webserver
-- rip their website source code if i got a shell
-- pentest the source code if applicable
theres a lot to it; most manual hacks take about a week to do, then 3 days for the report
>>42817995 i found out about them through a posting on /r/netsec i did not have insider help
>>42817947 i dont have it anymore, but im gonna use a sql example. on microsoft sql servers theres a command called xp_exec that lets you do exactly the fuck you think it does. most new microsoft sql versions have this turned off by default - but you can turn it back on without ANY elevated privs. I turned it back on, ran xp_exec and added my own user account with admin access (their app was run as admin), and set up remote desktop and got onto their server through that
get knowledged: a baseline competency at my company involves absolutely fresh people knowing the following:
- knowing how to identify and exploit the owasp top 10 (seriously these are fucking everywhere)
- being familiar with the different kinds of crypto (symmetric/asymmetric), cipher modes, and weak crypto schemes (and why they're weak)
- knowledge of networking stuff like:
-- how ipv4 works
-- how dhcp works
-- how tcp works
-- the http protocol
--- i.e.: what is the difference between an http post and an http get?
99% of hacking is because some retard did something really retarded. if you're even semi-conscious of security then youre probably immune from a vast majority of hackers out there
heres an example of what i usually deal with on a daily basis:
-- ruby on rails app
-- log in as a standard user
-- go to the settings page
-- website.com/settings/?id=435352
-- change it to id=1
-- admin's settings page shows up and i can edit it
-- go back to the home page
-- mfw im logged in as admin because i visited the admin's settings page
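The settings-page bug above is a textbook insecure direct object reference: the record is looked up by an id the client controls and ownership is never checked. The following is an added example (not code from the thread or from any real app) that models the vulnerable lookup and its fix in plain Python with an in-memory store, plus the manual probe a tester runs against such an endpoint. Record ids, emails and the `session`/`params` dicts are constructed stand-ins for a framework's session and query string.

```python
"""Insecure direct object reference (IDOR) in a settings endpoint.

Added example, not code from the thread or from any real app.  It models the
Rails settings-page story in plain Python with an in-memory store so it runs
offline; record ids, emails and the `session`/`params` dicts are constructed
stand-ins for a web framework's session and query string."""
from dataclasses import dataclass


@dataclass
class Settings:
    id: int
    owner_id: int
    email: str
    role: str


# Constructed sample data: the admin is user 1, the pentester's low-privilege
# account is 435352 (the id from the thread's URL).
DB = {
    1: Settings(id=1, owner_id=1, email="admin@example.com", role="admin"),
    435352: Settings(id=435352, owner_id=435352, email="tester@example.com", role="user"),
}


class NotFound(Exception):
    """Stands in for a 404 response."""


def vulnerable_settings(session: dict, params: dict) -> Settings:
    """The bug: a `Settings.find(params[:id])`-style lookup that trusts the id
    from the URL and never checks that the record belongs to the logged-in user."""
    rec = DB.get(int(params["id"]))
    if rec is None:
        raise NotFound
    return rec


def hardened_settings(session: dict, params: dict) -> Settings:
    """The fix: scope the lookup to the caller (`current_user.settings`).  A
    record the caller does not own is reported as missing (404 rather than 403)
    so the response does not confirm which ids exist."""
    rec = DB.get(int(params["id"]))
    if rec is None or rec.owner_id != session["user_id"]:
        raise NotFound
    return rec


def probe_idor(handler, attacker_user_id: int, victim_record_id: int) -> bool:
    """The manual check from the thread: log in as a low-privilege user,
    request another user's record id, and see whether it comes back.
    Returns True when the handler leaks someone else's record."""
    session = {"user_id": attacker_user_id}
    try:
        rec = handler(session, {"id": str(victim_record_id)})
    except NotFound:
        return False
    return rec.owner_id != attacker_user_id


if __name__ == "__main__":
    for h in (vulnerable_settings, hardened_settings):
        print(f"{h.__name__}: leaks admin settings = {probe_idor(h, 435352, 1)}")
```

The probe is the whole test: two accounts, one id swapped. Returning 404 rather than 403 for foreign ids is a deliberate choice so the endpoint cannot be used to enumerate which ids exist.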
almost all of my work is done through virtual machines - the host OS isnt used for literally anything
when i tried out the t440 with linux i found the virtualization to be much slower than with windows. i dont know why, but since i dont care about defense im more than happy to use something like windows
ask someone else for recommendations - i almost never use my home laptop so im not really in a position to recommend it
>>42819667 ive read over how they interview new people. they ask you in what ways youve taken security into consideration when you worked at company x or designed application y.
before this job, virtually all of my experience was with webgoat and capture-the-flag competitions
>>42819679 almost never. the big clients who we get most of our contracts from dont use php at all.
the biggest vuln in php (and most langs/frameworks) is not decoupling input from storage from output
dont put this in a fucking sql query:
when you receive _any_ kind of input from a user, whether it be an http post, a url, text fields, cc numbers, or dropdown menu selections, you need to consider that data to be malicious. all input data should be sanitized so that you are absolutely sure that the data you put in your database isnt malicious.
when data is retrieved from your database, you sanitize it AGAIN to prevent malicious data from being sent to other users - you dont want an attacker to use your database to reflect attacks onto others
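The two rules above (never trust input on the way in, never trust the database on the way out) are usually met without mutating the data at all: bound parameters keep user input out of the SQL text, and context-specific encoding at the point of output stops stored data from becoming markup. The following is an added example, not the thread's code, using an in-memory sqlite database; the `users`/`comments` schema, the login and comment-rendering functions and the payloads are all constructed for the demo.

```python
"""Parameterized queries on the way in, output encoding on the way out.

Added example, not the thread's code.  Uses an in-memory sqlite database and a
constructed `users`/`comments` schema; the login and comment-rendering
functions are hypothetical stand-ins for a web app's handlers."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema and data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'hunter2')")
    return conn


def login_vulnerable(conn, name: str, password: str) -> bool:
    """User input pasted straight into the SQL text: the mistake the thread
    warns about.  A name of `admin' --` comments out the password check."""
    q = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(q).fetchone() is not None


def login_safe(conn, name: str, password: str) -> bool:
    """Bound parameters: the driver keeps data and query structure apart, so
    quotes and comment markers in the input stay inert."""
    q = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(q, (name, password)).fetchone() is not None


def store_comment(conn, author: str, body: str) -> None:
    """Store the text exactly as received (parameterized); how it is encoded
    is decided at output time, per sink."""
    conn.execute("INSERT INTO comments VALUES (?, ?)", (author, body))


def render_comments_vulnerable(conn) -> str:
    """Rows from the database dropped into HTML unencoded: stored XSS, the
    'use your database to reflect attacks onto others' case."""
    rows = conn.execute("SELECT author, body FROM comments")
    return "".join(f"<p><b>{a}</b>: {b}</p>" for a, b in rows)


def render_comments_safe(conn) -> str:
    """HTML-encode at the point of output.  A different sink (JS string,
    URL, SQL) needs that sink's own encoder, not this one."""
    rows = conn.execute("SELECT author, body FROM comments")
    return "".join(f"<p><b>{html.escape(a)}</b>: {html.escape(b)}</p>" for a, b in rows)


if __name__ == "__main__":
    db = make_db()
    print("sqli bypass, vulnerable:", login_vulnerable(db, "admin' --", "wrong"))
    print("sqli bypass, safe:      ", login_safe(db, "admin' --", "wrong"))
    store_comment(db, "mallory", "<script>alert(document.cookie)</script>")
    print(render_comments_vulnerable(db))
    print(render_comments_safe(db))
```

The point of encoding at output rather than stripping at input is that the same stored string may end up in HTML, in a JavaScript literal and in a log line, and each of those needs a different encoder; stripping "dangerous" characters at intake cannot know which.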
>>42819707 seriously, if you just go through webgoat and have a good idea of how to do most of the exploits it talks about then you're golden for an entry position. webgoat is buggy as fuck so sometimes the way to proceed wont make sense, so dont feel shame in googling
>>42819816 mobile security is a fucking joke - talking about how to secure sensitive data on mobile is always a crowd pleaser. the #1 solution right now is to use the user's 4 digit pin plus a hardware secret into pbkdf and encrypt with that - but it's still trivial to break it if you can brute force it with your own hardware. recent phones have tied the pbkdf input with a hardware secret so it's a bit harder to break now if you had to do it (i never have). no matter how good their crypto is, it will never save the user's data from a cold-boot attack either
if you want to focus on how bad security is then put a bunch of recently released web frameworks in a black bag and pick one at random - new stuff always has juicy exploits
another fun topic is webgl - boy i cant wait to run all that untrusted code in kernel mode!
if you want to focus on community unawareness, get a list of startups next time techcrunch does a startup fair and pentest each site. startup faggots are the least security conscious people i have ever seen
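To put numbers on the mobile PIN point a few posts up (PIN plus PBKDF is trivial to brute force offline; tying the derivation to a hardware secret changes that), here is an added example, not the thread's code or any phone vendor's scheme. It assumes PBKDF2-HMAC-SHA256 with the PIN and an optional device secret simply concatenated; the salt, secret and PIN are constructed test values, and the iteration count is kept tiny so the demo finishes in seconds.

```python
"""Why a 4-digit PIN alone cannot protect data at rest, and what binding the
derivation to a hardware-held secret changes.

Added example, not the thread's code or any phone vendor's scheme.  Assumes
PBKDF2-HMAC-SHA256 with the PIN and (optionally) a device secret simply
concatenated; the salt, secret and PIN below are constructed test values,
and the iteration count is kept tiny so the demo finishes in a few seconds."""
import hashlib

ITERATIONS = 100   # demo only; real designs use orders of magnitude more
KEY_LEN = 32

# Constructed values: a public per-device salt and a 128-bit secret that, on
# a real device, never leaves the secure hardware.
SALT = bytes.fromhex("6f4d8e1a9b3c0d2e5f6a7b8c9d0e1f20")
HW_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_key(pin: str, salt: bytes, hw_secret: bytes = b"",
               iterations: int = ITERATIONS) -> bytes:
    """Key-encryption key from the user's PIN; `hw_secret` is mixed in when the
    derivation is tied to the device."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode() + hw_secret, salt,
                               iterations, KEY_LEN)


def brute_force_pin(salt: bytes, target_key: bytes, hw_secret: bytes = b"",
                    iterations: int = ITERATIONS):
    """Offline attack on an extracted key (or a known plaintext/ciphertext
    pair): at most 10,000 PBKDF2 runs for a 4-digit PIN.  Returns (pin, tries);
    pin is None when no candidate matches."""
    for n in range(10_000):
        pin = f"{n:04d}"
        if derive_key(pin, salt, hw_secret, iterations) == target_key:
            return pin, n + 1
    return None, 10_000


if __name__ == "__main__":
    # PIN-only derivation: the attacker has everything needed to guess offline,
    # and a higher iteration count only scales the 10,000 guesses linearly.
    key = derive_key("7231", SALT)
    print("PIN only:", brute_force_pin(SALT, key))
    # Hardware-bound derivation: without the device secret the search space is
    # 10^4 * 2^128, so guessing has to happen on the device, where it can be
    # rate-limited or the key wiped after N failures.
    key_bound = derive_key("7231", SALT, HW_SECRET)
    print("PIN + hw secret, attacker without secret:", brute_force_pin(SALT, key_bound))
```

The iteration count is not what saves a 4-digit PIN: 10,000 guesses at any practical work factor finish in minutes on an attacker's own hardware. What helps is forcing every guess through the device that holds the secret, which is also why a cold-boot attack that reads the already-derived key out of RAM sidesteps all of this.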
>>42819999 my company does do physical security. it's usually called "red teaming". security people tend to love the physical side of things, the common mindset shared by virtually all sec people is a love of breaking things. my office keeps a set of community locks and lockpicks just for everyone to fuck around with.
ive never done red teaming/social engineering for work, but i have used it to get out of more than 1 ticket. most of the resources i have on this are internal, but you can probably find some good books on trust-building or reading body language on amazon
my probably-incorrect understanding is that blackhat has a bigger focus on workshops and professional networking, and defcon is more focused on the fun security fuckups and is a place for people to show off
>>42819968 also heres a good crypto overview: https://www.crypto101.io/ theyll be releasing the full book within a few months owasp is the best source for generalist stuff. there are also exploits for individual frameworks/langs that you can get through google (your mileage may vary) or through dedicated sec books for those frameworks
>>42820092 i dont know of any security specific irc channels. the big crypto/sec channels on freenode are pretty trash as well. my hexchat is pretty much just weaboo shit on rizon right now
>>42820124 also once you cover webgoat/top 10 in reasonable depth, almost all of the knowledge after that is specialized.
this isnt official but there are pretty much 4 fields of hacking:
- network
- website
- native programs
- java/C# programs
each has different tricks and methodologies; choose one and google it to fuck. sometimes you get good results by just googling "network hacking technical". adding a technical keyword is important so you dont get skiddie shit
if you have no idea what to do next try to find an owasp/2600/security meetup in your area and do some serious networking
>>42820208 i never used kali linux because i wanted to set up stuff on my own and had company resources to draw off of. since you're starting absolutely fresh and have no idea of what kinds of tools you need, you could use kali linux to help in that department. you should go through each tool kali provides and learn what it does, what it exploits, how it works, etc.
VMs are used to completely isolate anything that goes wrong during the auditing process. The last company i worked for had a community hard drive that had a few dozen VM images on it, each image with programs and such installed for different kinds of penetration tests. one for webapps, one for native, one for android, one for ios, etc.
basically you use the VM to separate your testing environment from your personal environment - like not accidentally autocompleting your credit card on a website youre pentesting. thanks firefox.
If I put an ad on craigslist and say "hello I am [anon] and your computer may be at risk" and then make a report on their stuff after using Kali how much money could I make by "protecting" people's small business websites from being not targeted?
>>42820296 about half the company works remote (from home)
there are a few people who work remotely in a state that doesn't even have a company office. people who work remote are fun-hating killjoys who give me shit for shitposting on the company security mailing list.
all the cool kids come in to work. we usually do shots on friday because yeah its friday. sometimes the girls in marketing buy ice cream and throw the office an ice cream party.
>>42820305 c-f the thread smartie pants. tldr: nobody cares about certs since theyre just rubberstamp bullshit that doesnt show that people are actually capable of pentesting. having "i hacked my friends bitcoin site" on your resume will carry infinitely more weight than a bunch of certs
>>42820309 depends on your presentation i guess. if youre charging them anything significant they may be able to hold you liable if you half-assed the job and they get hacked for real. in addition, most people are very scared of the idea of meeting a "hacker" in person. ive found that it's almost impossible to get people to meet up with me irl if i introduce myself as a hacker online, but people seem okay with it when i only use the H word when introducing myself in person. try to avoid using the word hacker as much as possible because it makes you look like a tool
How big of a problem are skiddies? I've heard they're the most common "hacker". If I wanted to protect my computer or websites, should I just look at the most common pentesting software and guard against that?
>>42820348 i had zero experience with webgoat but had experience with a cryptography CTF that matasano ran awhile back. i only picked websec because i saw the ad and thought "why not im probably not going to get a response from them anyways"
>>42820351 this covers 95% of all exploits:
- sql injection
- xss
- csrf
- broken auth (see >>42819569)
- attacking outdated software that has had vulns announced
- misconfiguration (admin panel is publicly viewable, etc.)
- shitty admin passwords
if someone is targeting your website specifically, you will probably be fucked unless someone experienced has looked through it for you
So I should just say Internet Security Contractor or something like that and wear nice clothing to give an air of confidence if I meet them in person. Theoretically couldn't I do this all remotely and have them pay a different account not using my actual name? I have a pseudonym I use for different things.
P.S. how would I write a report or make it look relatively official?
>>42820451 i ask client if they want daily reports of business critical findings because youre probably gonna find some of those
report basically goes like this:
- vulnerability name
- exploitability of the vulnerability (how much shit does it wreck)
- ease of exploitation of the vulnerability (does it require a skiddie or a super hacker)
- explanation of how the vulnerability works and why it's dangerous
- explanation of how they can remedy and fix their shit
- screenshots as proof of their incompetence
CVSS score is a nice thing to include too
if youve ever done a big lab report, just do it like that, with a table of contents and shit and a summary
idk how well this would work for small businesses because they dont control the vulnerable code. theres not much you can pentest on some business's static wordpress site
>>42820627 3 years ago there was a bank based out of a certain second world country that did ACH transfers over its internal network in plaintext and unauthenticated. their network was connected by ethernet hubs so you could MITM any device on the network using ARP spoofing. it would have been trivial for an attacker to enter their network and start transferring large sums of money to external banks
the ruby story i posted earlier is pretty good too
>>42820855 no - the only thing ill say is that my company has a posting in that /r/netsec job thread
the security consulting industry is surprisingly small - there are only a few dozen companies i can think of in the entire industry that offer these kinds of services. there are many more jobs working the security shift for single companies
>>42820867 the worst part is how resistant they are to fixing these problems. I even remember bringing up the issue in my daily call with them and they tried to write it off as "no realistic attacker will ever have access to our internal systems". it took me a few days before i could actually convince them it was worth fixing
>>42820893 There's so little security industry because most of the skilled people don't want to deal with the bullshit, bureaucracy, and idiocy of their employers/contractors. Like your short story about the bank.
>>42820941 yeah for sure - consulting is absolutely grueling work but it's nice not having to pentest the same site every day. i have a friend who does security at akamai and basically he just tosses his feet up and watches netflix all day waiting for something to do.