Soft Skills

When we talk about developing a career in the tech industry, we have a tendency to focus on only one side of the coin: the technical skills. Those are very important to anyone wanting to enter the field.

In my opinion, soft skills are just as important, but we rarely talk about how to improve them. This post offers some ways to do just that for three skills: Research. Writing. Speaking.

Research

This is perhaps the most obvious soft skill for anyone hoping to make a career in tech. Researching is more than hopping onto Google and finding a Stack Overflow answer. It involves understanding what answer you are actually looking for.

Here are things to think about as you scour the internet for a solution.

  • What are you trying to achieve?
    • Making it work should not be good enough. Describe the behavior you want from the solution.
  • What is the main roadblock to your solution?
    • Understanding the problem is the best way to find a solution. If you don’t know what the problem is, try looking it up or asking for another set of eyes.
  • How old is the post/comment?
    • You may find a solution to the problem you described, but the post is from 2006. Systems and methods change over time. Are there any newer ones that fit your situation?
  • Do I trust this site?
    • Sometimes, Stack Overflow does not have the answer. Sometimes, the answer is on an unsecured blog page. You may have to take a chance on some sites, but keep track of the ones that have proven reliable.
  • What does my found solution do?
    • Blindly copy-pasting can be dangerous, especially when it is code. Take some time to go over the solution and figure out what it actually does before you run it.
  • Is this the only solution?
    • A problem can usually be addressed in more than one way. Looking at alternative solutions helps you choose the one that fits your situation best.

Writing

Why should anyone develop their writing skills when they are in the matrix blasting malware?

Fair.

You don’t need writing skills while blasting malware. But what about afterwards when asked for a report on your findings? What if you are the only one with a foolproof method for resolving network issues? If there are problems while you’re out sick and someone else has to fix it, will they have documentation to work off of? Or will they have to call you? Worse yet, do you have to go in?

Effective writing reduces confusion and wasted time. This applies to code comments, investigation summaries, client emails, documentation, how-to guides and more. Keep these thoughts in mind when writing.

  • What’s the goal?
    • Is it to teach? Relay information? Get information? A memo?
  • Who’s your audience?
    • Is this only for yourself? Will colleagues/supervisors see it? Is this for your client? Who is your client and what do they do?
  • How much detail is needed?
    • Some people want a simple yes or no. Others may want to know exactly what was wrong and how it was fixed. Another group of people may want to know how a problem affects their goals.
  • Will they understand you?
    • Not everyone will know what a SIEM is or what port 80 is for. Avoid technical terms unless they are needed or there is no way around them.
  • Can this be repeated?
    • This one is more for guides and how-to’s. Make sure the steps are as clear as possible for your audience. There is no point in writing a guide that no one can follow.

Speaking

This skill is deceptively hard. We all do it but we don’t always think about what we say or how it’s said. Besides communicating information, speaking can also garner trust from your audience.

Think about this.

You’re at a conference. A speaker gives a presentation on how quantum computing threatens modern-day encryption as we know it. Sounds interesting, right? But the speaker is constantly saying “umm” and does not sound like he knows what he is talking about. How would you feel?

Now, imagine being that speaker and seeing your audience take out their smartphone to play Pokemon Go.

Even if you are not giving presentations, it is important to take time to develop speaking skills. Doing so improves your chances during interviews, helps to build a good relationship with clientele, and prevents your audience from falling asleep.

Here are some things to think about before speaking.

  • Are you sticking to the point?
    • The point may take time to get to but don’t ramble…unless that’s what the audience wants.
  • Who’s your audience?
    • Same as with writing.
  • Which words should you use?
    • Is it safe to use technical words? If you’re giving a talk to accountants, do you know any of their words? Are some phrases better than others?
  • Do you know what you’re talking about?
    • How comfortable are you with the topic at hand? Do you rely on Powerpoint slides? Do you portray confidence?
  • What’s your tone?
    • Does the combination of words and tone sound like you’re blaming someone? If it is an emergency, does your speech convey urgency? Does your speech let the client know that they are in capable hands?

Conclusion

Developing these three skills takes time, and it does not come easily to everyone. Myself included.

Fortunately, there are plenty of books, websites, and classes designed to develop these skills, since they are needed in just about every other industry in the world. So, if you want to take your career to the next level, definitely improve your soft skills and stay current in your field.

Fake Identities

Imagine going to a social scene of your choice and meeting a cute guy or gal. They give you a name, a background story and you both seem to be hitting it off. You exchange numbers, text each other to make sure it goes through and make plans to chat later.

What if everything but the number given to you was made up?

This is what happened to a friend of mine. We’ll call her Z; I double-checked that she was all right with me talking about her story.

A guy, we’ll call him A, walked up to her in a social setting, gave a name and a background story and the two really hit it off. Because I was acting as a chaperone of sorts, I also met A and heard the background story which sounded too incredible to be true. But, I have heard crazy true stories before.

Throughout the year, Z told me about her relationship with A, and it was progressively getting worse. Eventually, with help from other friends, I convinced her to leave A. She did, and that was that…so we thought.

A few months later, Z and I were talking and she mentioned that another woman had dated A and had similar experiences. Suspicious, Z asked if I could find as much information on A as possible. All I had was a name, a number, and a picture.

It is an obvious but often overlooked fact that we leave footprints on the internet. This is especially true on social media. With a simple search, you can find out where someone lives, their job title, email address, age, birthday, hobbies, fears, and more. It all depends on what that person shares, on top of publicly available records. The best part is that this is completely legal. No hacking. No social engineering. No threats or blackmail. Just searching.

I started the information search with the picture. It was of Z posing outside in the city. On the bottom right was writing. A new name, B. I immediately suspected that A was a fake identity but I still needed to find as much information as I could.

Rewinding a little.

A couple of months before I was asked to do this, I had made up a fake identity of my own, largely for playing on Capture-The-Flag sites and out of curiosity about what would happen to social media accounts under that name. As a result, my fake persona had an email account, an internet phone number, a LinkedIn page, and a Facebook page. This fake identity came in handy for information gathering later.

Back to the search.

My searches for A and B each produced a website and a Twitter page with little information on them. The search for the phone number told me that it was a VoIP number belonging to some small company. With the information I had, there was little I could find, which came as a shock and raised more questions. Why would A/B, who had told people about his amazing life, have barely any information about himself online?

Fast forward a year and some months.

Z came across new information about A. Another woman had been given a different name by A: C. This time, I was asked to see if C was A’s real name. I had three names, one phone number, and the previous findings.

Using my fake profiles, I searched Facebook and LinkedIn to see if I could find a page for C. Unfortunately, C was a pretty common name, so I got hundreds of results back. Time for Google! The results did produce a Twitter page, which I did not need an account to view. On the page, I saw references to the small company that the phone number was registered to. A clue!

Back on Facebook, I checked for that company. It was a 2-5 man shoestring team with a heavy focus on machismo topics that only horny teenage boys would indulge in. I checked the company’s friends list and found a page for A. Following the link, I checked his friends, but there was no mention of C. I found B, but we already knew that A and B are the same person.

A few hours later, I had exhausted all of my leads. I knew that A was connected to C through a phone number and the company. I had confirmed this by visiting the company website and searching for staff names. Beyond that, I had nothing but more questions.

Throughout the whole experience, I kept noticing the lack of pictures of A on social media profiles. Not one! It suggested that someone really took time to remove himself from the internet and replace it with at least one fake identity. Maybe two?

I gave my findings to Z, who was planning to present them to the leaders of her social circle. I thought that was the end of it, until days later Z gave me a new name, D! It was a name I had come across before while searching for C but had not explored because I felt it was outside the scope of the search. Now it was fair game!

I already knew D was a part of the company A/B and C were a part of. A quick Google search produced a Facebook page for D. Using my fake persona, I viewed his page. The first thing that struck me was how similar D’s page was to the company’s Facebook page as well as A’s. I checked for D’s friends. Soon, my palm hit my face. There he was, C!

I followed the link to C’s profile. It was an old and bare profile. Fortunately, it did not matter. At the top of the page was a picture of a familiar face. I immediately recognized it as A! I had the proof I needed to show that A was in fact C!

I quickly wrote up my new findings and sent it to Z for her presentation. As far as I know, the social circle leaders were going to take action against C though I do not know what that action would be.

Looking back on the whole experience, it was a little unsettling that an amateur like me could sift through multiple fake identities and find the real person. And it is not as if the guy wasn’t trying to hide. Only one picture of his face, on a hard-to-find profile page. An internet phone number belonging to a questionable company. Profile pages with very little information. Fake names. No physical address given. Yet all it took was one forgotten link to uncover the truth.

The experience also reminded me of another simple truth. Fake identities are just that. Fake. Maybe there is some truth in the identities but there is always something fake. My fake identity does not share my name, age, birthday or job title with me. At the same time, I do not use my fake identity to represent myself in the real world as C had done.

My final thoughts on fake identities?

You can’t stop fake identities being created online. In fact, I just gave mine a Twitter account this morning. I personally believe there is nothing wrong with creating a fake persona for online use. Sometimes you want to order something and have all of the spam that follows sent to the fake account. Other times you’re researching something questionable and have to provide an email address. Fake personas and internet numbers are great for that. The real issue arises when that persona is used to represent you in the real world or legally. If I used my fake identity to represent me in the real world, someone would dig into it and find cracks. Eventually they would find me. Because I actually exist.

Another Place To Hack Legally

First things first.

Since Covid19 has been declared a pandemic, we should do everything we can to help limit the spread of the virus. The CDC has great information on how to do so.
https://www.cdc.gov/coronavirus/2019-ncov/about/index.html

And please. Don’t buy up all the toilet paper and face masks!
************************************************************************

With Covid19 spreading in the US, a lot of companies are changing the way they continue business. Cybersecurity businesses are no different. I’m going into my 3rd week of remote work and there are company memos about what is being done to accommodate people and what our state is doing to combat the spread. Since I live near Seattle, you can imagine that daily life has been impacted greatly.

However, it is my belief that if you’re in the cybersecurity industry, you continue to find ways to improve your skills or to take time to mentor others. There are many ways to accomplish this. For me, I like learning about pentesting methodologies to help with my network traffic investigations. To that end, I want to share a new website I recently ran across via Reddit.

The site is called tryhackme.com and I have been addicted. Cutting myself off from the general public most days due to the virus doesn’t help with the addiction either. The easiest way to describe the site is something of a cross between HackThis, Cybrary, and HackTheBox in all the good ways! Since I started playing on the site, I have improved my nmap and metasploit skills and been introduced to new tools and concepts. Even got to do my very first privilege escalation! It is one of those things you always hear about but are never quite sure how it is done. And that is what I love about this site!

The main feature of TryHackMe is the different “rooms” you can join to learn. Each room has an overall objective and, like Cybrary, there are steps on how to complete the objective. Each step has some kind of confirmation that you completed it. Sometimes it is as simple as clicking the “completed” button. Other times, you need to submit the correct answer. One thing I like about these steps is that it does not feel like it is holding your hand through every little step. When I used Cybrary’s virtual machines for learning (roughly $100/month), I got annoyed when the steps told me how to logon to a machine with a username and password. This wasn’t through something like SSH or RDP. I was already interacting with the virtual machine and had the username/password on hand. Yet, I often would find tutorials instructing me how to login. Or how to open Windows command line…I digress.

Like HackTheBox, in each room you can deploy a virtual machine and connect to it through an OpenVPN tunnel, but unlike HackTheBox, you are not completely alone when trying to hack into the machine. The steps are usually so well written and easy to follow that even a novice, oh say like me, can get that sweet forbidden access to the machine. If you get stuck, there is sometimes a “hint” button to point you in the right direction, similar to HackThis. Another similarity is that TryHackMe has something for everyone from absolute beginners to more advanced users. Plus, no need to hack the site to get access! (I’m looking at you, HackTheBox.)

Although you can use the site for free, I would recommend the subscription plan if you can. It is about $10 a month and gets you access to all of the content including the “learning paths”. I’m currently on the OSCP path which has got me thinking I should take the exam one day. And some of the subscription rooms have been a real joy to work in!

If you have an interest in pentesting or just want to see hacking concepts in action, I highly recommend giving the site a try!

Now, to go back and finish the Kenobi room!



Let’s Talk Certs

Looking to get an IT certification?
Have questions about them?

Obtaining an IT certification can be a boost to your IT or cyber security career. And there are certifications for all levels! Whether you are just beginning your journey or well into your career, there is a certification for you!

I recently obtained a new certification which is forcing me to consider my options moving forward in my career. But this post isn’t about my career…mostly. Instead, this post highlights observations I had as I prepared for, took, and passed the exam. I would like to make clear before going further that I will not be discussing any test questions from exams, nor am I offering advice that guarantees a pass. I will be talking about ways to prepare for exams, what I believe to be an unspoken culture of IT certifications, and how certifications are used in our careers. Besides, you don’t need my advice for passing that CISSP exam that seems to be on almost every IT job posting.

Let’s move on though to exam preparation.

After choosing the exam you want to pass, you need good study materials to build your confidence for the actual exam. This is where things get a little tricky, as there is a plethora of materials “guaranteed” to get you that pass. The two most common paths are guided study and self-study. A typical guided study is structured as a lecture, where the class lasts a set amount of time and is taught by someone who holds that certification and has been in the industry for a while. One great thing about guided study is that you can ask questions, get clarification and find study partners to share in the pain of preparing for the exam. Plus, many courses come with an exam voucher! Hard to beat that!

However if you’re like me, self-study can be the better option. There are usually a good number of books and exam guides in your local bookstore (or Amazon) written by professionals in the field. There is also a seemingly endless amount of material online for further explanations and practice. You can study at your own pace and there is nothing like saying “I read a 1000 page study guide to prepare for this”. True story!

Despite all of the information out there to help people prepare for exams, I have heard of some people not passing their exams. And it is not from a lack of trying!

An important aspect that seems to be missing from the exam prep talk is what exactly the exam is looking for. The way I like to look at it is this: “Cool! You know the OSI model! How do you use it?”
To be very generic, there is a difference between “What layer is the network layer on the OSI model” and “Bobby can’t get to the internet but still can print to the company printer. What layer of the OSI model should you troubleshoot”. The answer (Layer 3) is the same for both questions but the framing changed from “do you know what this is” to “do you know how to use this”. I believe when preparing for an exam, studying from this point of view boosts the odds in your favor for passing. Perhaps, this is what the practice tests are for but it would be nice to see this talked about more regularly.

Another thing I have noticed with the preparation phase is that as you move up in the certification hierarchy, there seems to be less material on that topic. Let’s take CompTIA’s A+. You would be hard pressed to walk into a Barnes&Noble and not find a study guide for it. Search online and you will get an avalanche of guides, books, videos and practice tests. Now try (ISC)² CCSP. It’s not a trickle, but there is definitely less material online for the CCSP than for the A+. And I don’t know about you, but I cannot recall ever seeing a CCSP study guide in a Barnes&Noble. At a glance, one would think that the A+ is more important than the CCSP, but the former is an entry-level certification while the latter is more mid-level. The only difference is that one appears to be more marketable than the other. This makes moving up the certification ladder a little harder.

This brings us to an unspoken culture of IT certification: passing is not free. No matter how you choose to study, you will likely pay for something besides the exam voucher. Even though you can find a lot of free material online, it is often outdated, not a complete treatment of the exam topics, or an outright scam. At the very least, you will have to buy a book. A good practice test can also cost you a pretty penny. This is on top of the exam voucher, whose price varies with the certification, from as low as $220 to over $1000. Fortunately, the entry-level exams are on the low end, and holding any certification gives you the opportunity to earn the money for a pricier one later. In addition to understanding the material, exam and training costs are major barriers for people who are not in school or whose costs are not subsidized by an employer or government organization, which in turn makes it harder to build a more demographically diverse industry.

Let’s say that you are not in IT, working in a generic retail store and thinking about getting the A+ to break into the world of IT. According to the CompTIA website when it comes to the exam cost:

“[The] quick answer is that each exam voucher you’ll need to acquire to take your test is $219. You will need two vouchers to pass two exams to certify.”
https://www.comptia.org/faq/a/how-much-does-the-a-plus-certification-cost

That is not an easy amount to part with on a minimum-wage job. Not to mention the time needed to study, whether with a book or a structured course. And the bar gets higher as you go deeper into the field. EC-Council’s CEH exam voucher is $950 plus a $100 application fee if you want to self-study. It’s $850 if you want to attend the official training course.
https://cert.eccouncil.org/application-process-eligibility.html

If you have an IT job, though, this barrier becomes easier to overcome over time, so let’s talk about what certifications do for your career. It is a misconception that having a certification means you can do a job. It is probably true, but it is not the be-all and end-all. A certification acts more like an insurance policy: it increases the confidence of others who rely on your expertise or service. This is probably why some entry-level jobs list a CISSP, one of the highest certifications available, as desired. That company is looking for assurance that whoever they hire can definitely do the job. Overkill? Absolutely. In fact, there are positions asking for certifications that are not necessary to the job…kind of like needing a bachelor’s degree for a job that requires a high school level of education.

However, do not let that persuade you into thinking certifications are not worth it. Since it acts as an insurance policy, a certification gives you a stronger foothold to get that job interview or to ask for more pay. If you want to give a talk or mentor the next generation of cyber sleuths, your audience won’t write you off as some quack with a low-budget webcam on YouTube.

A great comparison is the restaurant world. Think about going to a new restaurant that has no health inspection certificates hanging on its walls. How comfortable would you be eating there? A restaurant with a passing health inspection gives you more confidence that the food is safe to eat (taste is opinion) and that it holds itself to a higher standard than the aforementioned restaurant. IT certifications work in the same way.

Still looking to get that certification? Great! Getting just one is enough to get the ball rolling. It seems like a pain and a hassle to do so (and it is) but it is worth it in the long run.

PDL Data Breach

How often do you check Troy Hunt’s site haveibeenpwned.com?

I’ll admit that I don’t check it often, but once in a while I get a weird phone call or email that makes me check the site to see if I have been pwned. So when Apple called my phone without warning, I had to check.

[Image: Incoming call from Apple]

If you are unfamiliar with haveibeenpwned, it is a site where you can enter your email address and see whether it has appeared in any known data breaches. If it has, the site tells you which breaches it was found in and which kinds of data may have been exposed as a result. It is important to know that a data class listed for a breach does not mean that data was exposed for you specifically. For example, a breach could have exposed where people work without your record containing that field. It depends on what was associated with your email address in the breached data set.

Checking the site for myself, I entered one of my email addresses and, as expected, it came out red. No surprise. This address was part of two breaches, back in 2014 and 2018, and it isn’t really used for my professional life. Time to check another email address I use frequently. It too came out red! I was a little surprised, since I actually take extra care with that address.

Scrolling down, I saw how my email address was pwned.

[Image: HaveIBeenPwned breach explanation]

The PDL (People Data Labs) breach is one of the largest recorded breaches and was made possible by an unsecured Elasticsearch server: an instance reachable from the internet with no authentication in front of it. Another way to think of this is storing all of your tax documents under your bedroom mattress and leaving the front door of your house unlocked!

I suppose it is important to note that PDL was not the one who left the server unsecured. That responsibility fell on a customer PDL had given the information to. It still feels icky to see not only how careless that entity was about securing an important server, but also how our data gets passed around among third parties.
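The check behind “unsecured Elasticsearch server” is simple enough to show. The script below is an added example, not code from the original post or from the researchers who reported the PDL exposure: it classifies what an unauthenticated GET / against a node tells you (open, credentials required, or not Elasticsearch at all) and totals the document counts from `_cat/indices`, which is how you size an exposure. The sample responses, index names and document counts are constructed; `probe_node()` performs the live request and must only be pointed at hosts you are authorized to test.

```python
"""Classify what an unauthenticated probe of an Elasticsearch node reveals.

Added example, not from the original post. The root document of every
Elasticsearch node carries "version" and "tagline"; if GET / returns it with
no credentials, anyone who can reach port 9200 can list and read indices.
All responses and index names below are constructed for illustration.
"""
import json
import urllib.error
import urllib.request

ES_PORT = 9200  # Elasticsearch's default HTTP port

# Constructed: what an open node returns for GET /
OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "6.8.0"},
    "tagline": "You Know, for Search",
})

# Constructed: output of GET /_cat/indices?h=index,docs.count (two columns)
SAMPLE_CAT = """people_data_1 1200000
people_data_2 3400000
.kibana 3
"""


def classify_probe(status, body):
    """Map the HTTP status and body of GET / to 'open', 'auth' or 'not-es'."""
    if status in (401, 403):
        return "auth"  # node exists but a security plugin or proxy wants creds
    if status != 200:
        return "not-es"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "not-es"
    # Only Elasticsearch answers GET / with both of these keys.
    if isinstance(data, dict) and "tagline" in data and "version" in data:
        return "open"
    return "not-es"


def summarize_indices(cat_body):
    """Parse `_cat/indices?h=index,docs.count` output into {index: doc_count}."""
    counts = {}
    for line in cat_body.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        counts[parts[0]] = int(parts[1])
    return counts


def total_docs(counts):
    """Total documents across all indices: the size of the exposure."""
    return sum(counts.values())


def probe_node(host, port=ES_PORT, timeout=5):
    """Live version: GET / and, if the node is open, list its indices.

    Returns (classification, {index: doc_count}). Requires network access
    and authorization to test the target.
    """
    base = f"http://{host}:{port}"
    try:
        with urllib.request.urlopen(base + "/", timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        status, body = err.code, ""
    verdict = classify_probe(status, body)
    if verdict != "open":
        return verdict, {}
    url = base + "/_cat/indices?h=index,docs.count"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return verdict, summarize_indices(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    verdict = classify_probe(200, OPEN_ROOT)
    counts = summarize_indices(SAMPLE_CAT)
    print(f"node is {verdict}; {total_docs(counts)} documents across {len(counts)} indices")
```

The classification deliberately treats a 401 or 403 as a different outcome from a connection failure: a node that demands credentials is still reachable and still worth noting, whereas a closed port tells you nothing about whether the data ever leaked.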

So what about me was exposed? Hard to say, though according to a Wired article, sensitive data was not exposed. Nevertheless, if someone wanted to impersonate me, they could potentially have enough information to get started.

It seems likely that whatever data was exposed on me surrounding my email address came from my LinkedIn profile. It is one of the few social media accounts directly tied to the address. So one would be correct in assuming that someone out there got my number from information taken from my LinkedIn account. Except, my phone number is not visible on my profile. My number is tied to my account though which really makes me wonder what data is associated with my email address from this PDL breach.

There are ways to find out. According to Troy Hunt’s article, you can go to PDL’s site, sign up for a free API key, and query their database. I tried to sign up using an alias (because why give them more info on me) but the site requires a work email. So, I used an email that I know no longer exists just to see if I could get a little further. And I did…sorta.

[Image: PDL login fail]

I find this pretty annoying.

The next best thing would be to send them a contact form requesting my data which of course means I need to use my actual name and email though I refuse to give them my current work email.

I gave this a try…again to no avail!

I don’t know if this simple contact form failed because I used “NA” for my place of work (a required field), used my personal email instead of work email, or PDL doesn’t want to be contacted. I’ll keep trying to see what information I can get and post in the future.

Some good news. I couldn’t query the server that was exposed so it looks like that had been patched up at least.

[Image: Terminal query]
Worth a try.

Where To Hack?

Five years ago I got my first taste of a real IT job. I was teaching at an English boarding school in China when a new firewall needed to be installed. The manual was all in Chinese and the school didn’t want to bring in an outside technician to set it up. So I gave it a try and managed to get ACLs and other rules up and running. Soon after that, I found myself securing the networks, cleaning USB drives and recovering important financial data from a badly corrupted computer that no longer booted!

Needless to say, China got me interested in cyber security as a career field. In the months after leaving China, I studied the basics and slowly grew my knowledge of security concepts and best practices. I learned a lot. Occasionally this information flowed out of my mouth like a glorious fountain when I did helpdesk and consulting work. Despite all of this knowledge, I slowly realized that everything I had learned did not address the most crucial element of defending any information asset. I had absolutely no clue how to hack! Even if I did, I didn’t know where to hack…legally.

Sure, I could go home, spin up a VM and try to attack, but how would I even begin? I did find tutorials on hacking, but there are so many exploits out there. Which ones do I want to try? Can I set up the victim machine properly so that the attack works? What if I wanted to try a different exploit? What would I need to do to configure the victim machine so that it would work? Where does it end? I realized I would be spending more time configuring VMs than actually learning penetration techniques. Thus, I walked away…

Only to return a year later. I still wanted to know how to exploit systems. Places like ITProTV and Cybrary are good places to get some hands-on training, but it costs money that adds up over time. There are training seminars that cost thousands of dollars. Maybe on-the-job experience or going back to school is a good option? These choices limit who can get hands-on ethical hacking training, which seems to be the opposite of what the industry needs.

Fear not! It is not all gloom. If you are willing to self-study, there’s hope!

There are free sites online that offer hacking challenges from absolute newbie (me) to advanced (Hackerman?). I am going to go through some that I found pretty helpful even if some of these sites are already well-known.

Over The Wire

If your Linux skills aren’t great, OTW can help with the Bandit challenges. You’ll learn things like ssh, file traversal, netcat, and general command-line usage. It is not hacking per se, but knowing basic Linux is a must for the field. Windows and macOS can certainly be used for hacking, but a lot of tools are designed for Linux and nine times out of ten a hacking tutorial assumes a Linux environment. Give it a try!
https://overthewire.org/wargames/

Hack This!

Probably one of my favorite sites, HT! has challenges from webpage exploitation to steganography to cryptography. It is beginner friendly with a hint for almost all of the challenges and a forum where you can ask for help. It is also a great way to improve researching skills as you learn about different security concepts and how they can be exploited. The only downside is that you won’t actually be penetrating any VMs. Regardless, this site is a definite must!
https://www.hackthis.co.uk/

Hack This Site

Similar to HT!, HTS offers challenges from newbie to advanced in similar categories. It also offers a forum and hints that point you in the direction you should go to learn about a concept. As before, you won’t be hacking into VMs, but the experience of hacking web apps should not be passed up. Another must!
https://www.hackthissite.org/

Hack The Box

Another favorite is HTB. HTB has different challenges much like before but it also has VMs just waiting to be hacked into! That’s right! Legal hacking! HTB is a step up from HT! and HTS. There are still challenges for newbies though newbie is a bit relative for this site. If you’re like me, I would recommend going through walkthroughs for retired challenges while attempting an active challenge. There is a monthly fee for access to retired challenges but it’s less than $15. The one catch is you have to hack your way into the site. If you feel up to the task, hop on, hack on.
https://www.hackthebox.eu/

Microcorruption

Although it is not hacking in the conventional sense, reverse engineering is a great way to learn how to pick something apart and exploit it. MC is essentially an online game where you have to trick security locks to open and let in your operatives. The challenge here is that you will be working with assembly language and a simple debugger. It adds an extra twist to analyzing code and understanding what is happening. Relatively speaking, this site is accommodating for beginners.
https://microcorruption.com/login

There are a couple more sites and resources that can be helpful for learning hacking with hands-on experience. I do not have a lot of experience with them, but they are worth looking into.

I’m sure there are other wonderful resources out there that won’t break the budget and still give a bang for your buck. But you get what you don’t pay for. There will be little hand holding and the learning is largely up to you. But if you don’t give up and dedicate the time, the rewards are worth it!

BSides Idaho Falls – Day (n where n > 2)

I’m back home from BSides Idaho Falls which was an amazing conference. I hope to go to more like it and back to Idaho Falls next year. Now that the initial excitement of the conference is a little more tame, why not write a “lessons learned” post? Since this blog is focused on cyber security and my personal journey in the field, I will mainly stick to those topics but want to clarify that this conference also affected me on a more personal level. With that said, here are my after-conference thoughts.

Participating in the Cloud Forensics training seminar had the largest impact on me. This course made me reconsider my career focus. From first-hand experience with AWS, I can definitely say that setting up a cloud environment is both a blessing and a curse. Yes, it is ridiculously easy to spin up a machine and hop on it in a matter of minutes. The documentation of implementing different features is pretty reliable and its modularity makes it very powerful. At the same time, that modularity makes it easy to misconfigure the setup and can accidentally allow unwanted access to your resources. It’s not enough to set up an environment and load up all of your stuff on it. You need to work out the security settings and infrastructure which often seems to be overlooked when using cloud services. Remember, cloud services like AWS will protect their infrastructure. You have to protect your resources. Having a deeper understanding of cloud security in my back pocket will not only benefit me but it will allow me to help others navigate this relatively new territory.

A somewhat less career-focused benefit of this seminar is that it pointed out some skills I can improve on. During the CTF (Capture The Flag) challenge, I realized that I can learn a lot more about encryption. I already know the main concepts of encryption but I do not know of the numerous ciphers and techniques that can be used to encrypt data. I am aware of some but there are a lot more I can know! This is important to me since I currently inspect network traffic for breaches and occasionally see encrypted text that could be remote code executions. In the long run having this knowledge during investigations means less guessing and more knowing which in turn improves how I report suspicious or compromising activity. This fits firmly with my belief that in order to defend something, you need to know how to attack it.

The seminar was not the only thing that had an impact. The different villages inspired me to do more. For example, the tinkerer’s village renewed my interest in hardware and circuit boards. I doubt that I will ever make that my career focus but it is fun to play around with and to have a better understanding of how machines physically work. I have to see if I actually do have an Arduino board in my tiny collection of circuitry tools so I can access the microprocessor of my conference badge. The lockpick village was a reminder that my skills have seriously atrophied…not that they were really good to begin with. However, a high school kid gave some pointers that I have to try out on my sets at home. Kudos to that kid!

The career village was the one village I forced myself to go into and I’m glad I did. Much like networking with people, writing resumes does not come naturally to me. Also like networking with people, it is a needed skill with great benefits. I received advice on how to craft a resume for my industry which is quite different from all of the other resume workshops I ever attended and what to think about as I move forward with my career. So, I will be rewriting my resume to make it stand out even more for future positions.

Finally, the talks. Honestly, I did not see many talks this time but the ones I did see really inspired me to one day present a topic myself. I don’t know what I would present on but the idea is enticing. I’m thinking maybe something about cloud security. Or maybe how hacking has improved my defending skills? Or maybe I find an unknown exploit and present it after responsible disclosure and a patch has been released? I really don’t know at the moment but I do feel that one day I will be in front of an audience to give a presentation.

Going forward, I want to keep learning so that I may help others. That’s what started this blog in the first place. Finding a way to contribute and help others even if it is a small contribution. I plan to continue going to conferences like BSides that focus on cyber security and technology as a whole instead of ones that focus on a specific tool or product. There is nothing wrong with those conferences. I’m just not that into them at the moment. I like being able to switch from one area of security to a completely different one that does not explicitly endorse one tool over another. My view is that if I know my end goal or have an idea of what I want to do, I can research the tools along the way. And there are generally multiple tools that provide the same basic functions. It’s a matter of features/bugs. Anyway, I hope to continue contributing to this amazing community one way or another.

BSides Idaho Falls – Day 2

The second annual BSides Idaho Falls conference is now done and it was great! There were many things to do but I kept things relatively low key in comparison to yesterday. Nevertheless, I got a lot out of this conference and once again it had me thinking of my next steps going forward in my career in cyber security.

Most of my time today was dedicated to the Tinkerer’s Village to learn more about my badge. Since the badge is a circuit board with LED lights, a resistor and a microprocessor, I just added one extra resistor to the circuit board to produce different colors than what the badge originally came as. This was nice but I was not quite satisfied. My badge periodically flashed red which indicated that an error had been tripped. That was no fun. Also, I wanted to get access to the microprocessor to tweak the coding. I’ve learned that the best way to do this as a beginner is to connect the badge to an Arduino board and tweak it from there. I have some research to do once I am home again.

In second place for where I spent most of my time goes to the Career Village. As someone who feels that everything sounds interesting, it was good to get some grounding and a sense of direction. I learned about resume writing, a bit about self-marketing, and really got a sense of what I can bring to the community at large. Learning about these things was not new. If you have ever been to a class about resume building or mock interviews, you have probably experienced these lessons as well. What made the lessons from today different for me is that they were specifically designed for people in cyber security. This changed how I would talk about myself and how I present my job history. These are skills that people in the industry (IT/CyberSec) should have.

In third place, the memory forensics seminar. Thanks to my time trying out digital forensics in the past, I had some exposure to memory forensics though I had never delved into it. This seminar introduced tools like Volatility, DumpIt, RedLine, and LiME. I also learned concepts specific to memory forensics. A good example is that memory from a peripheral device gets mapped to the system memory address space. If I remember correctly, system memory address space is not what software programs load into to run because that address space is used by the OS and messing with it could cause the machine to crash. Instead, programs use a virtual address space where it thinks it loads at slot number 0 when in reality it is loading at some completely different slot number in actual memory. It seems a peripheral makes it more difficult to capture data from memory. It was a good lecture to attend!

By the end of the conference, I began networking (another soft skill worth knowing) and gained a new mentor: my instructor from the cloud forensics seminar! Having a mentor feels as if it will boost my career and give me more opportunity to contribute back and help others. Speaking of which, networking also gives me chances to help others, collaborate, and learn. Networking is not a trait I naturally have but developing it has been a big boon. Technical people need connections too!

One last major thing happened that I cannot skip over. Due to my performance as team lead during the CTF (Capture The Flag) challenge yesterday, I received a challenge coin! It is the first time I received one and it was unexpected! Now I feel I have to get even better in this field.

I likely have more to say about my thoughts on my experience at the conference but it is getting late and I am saving all of my final thoughts for the next blog post. Stay tuned!

BSides Idaho Falls – Day 1

Today, I woke up to ominous clouds and chilling rain. Not what I was hoping for the first day of the conference. In my mind, I could only think this was a sign that I would be an embarrassment to the cyber security community. Not to mention that my frustrations with setting up my AWS machine for the seminar continued after writing the blog post yesterday. That is another story that I plan to write about more since it sparked a new blog idea.

Overall impressions of the conference? Amazing!

I joined the seminar on Cloud Forensics taught by Kerry Hazelton. There were concepts in the seminar that were familiar: The different kinds of cloud. What is cloud computing? Who owns the data you put into the cloud? Then there were things like vendor-locking or the CLOUD Act that I absolutely did not know about! The seminar definitely had me thinking of ways to expand professionally and tinkering with cloud security more.

Another thing the seminar made me ponder is getting new certifications. He mentioned a few but the CCSK (Certificate of Cloud Security Knowledge) seems like a good place to start. And since this was focused on forensics, I wondered about trying my hand at forensics again. It might be easier to practice on instances in the cloud. Not to mention, I can blog about that too!

I also got to meet some really nice people. One thing that I found amazing when meeting people was how humble everyone was. There was the sense that everyone felt they did not really know anything and wanted to learn as much as possible. How much of the former is true is legitimately questionable but the latter was definitely true. No matter what the skill levels were, everyone wanted to be better. It was refreshing!

Then came the CTF (Capture The Flag) event for our seminar. We were all split randomly into teams…then I moved to a different team to help even the numbers…then more people came late and just joined our team. In total, we were a massive nine person team compared to the average size of four! And guess who was elected as team leader?

We all did not really know how to go about the CTF but I may have had the best idea of what was expected. I did capture the first flag for our team which was pretty cool but I still tip my hat to the team member who got the 1000 point flag! That was amazing and really pumped the team!

Meanwhile, I had to keep track of at least three different challenges the team as a whole was working on. I’ll tell you. Working on an encryption, network and two steganography challenges at the same time is not easy. However, I found that I was a pretty good resource of random information and often could point people in the general direction to solving the challenges. I also taught a few new Linux commands to one of my teammates, and I am so happy he had a Linux VM on his computer! There were a couple challenges that were easier to do thanks to him!

In the end, our team came in 2nd place! My imposter syndrome kicked in and told me that we didn’t deserve it because there were nine of us. A few seconds later, I disregarded that thought and replaced it with a new one. Our team consisted of people who mostly have never done any kind of CTF challenge and were new to cyber security. And we came in 2nd! We congratulated each other and the team member who solved that 1000 point challenge got a custom challenge coin! We did really well!

At the end of the day, many of the conference attendees gathered together to play board games. It was relatively relaxing and we continued to meet more great people. There were a ton of games but I opted to play only one game called “Jamaica”. It was great looting gold from people and attacking ships on a gamble.

Despite the deathly looking clouds and the freezing rain, this was a great start to the conference. I’m looking forward to tomorrow. Especially the Tinkerer’s Village. Stay tuned!

BSides Idaho Falls – Day 0

This weekend, I am attending the BSides conference in Idaho Falls. This is the second BSides I have ever attended and I thought it would be a great idea to write a post for each day of the conference. I have been to other conferences (not many) before and each time I wish I had some way to express what I am feeling, what I learned, and just the sheer inspiration the conferences give me. In which case, why not do what other people do? Blog about it!

This post is day 0. I’m not at the conference but I arrived in the city and checked into the hotel. And most of the evening was spent wrangling my computer to be ready for the seminar I signed up for.

Generally, I am pretty nervous about attending a seminar or taking a test. I always assume that I will make a laughingstock out of myself and possibly get chased out for not being talented enough…my brain. This time, thanks to computer wrangling, I am more livid than nervous. I never knew setting up a virtual Windows machine in AWS to use for a seminar would be so annoying! Normally, I spin up Linux machines, SSH into them, and I’m good to go. It is the easiest thing to do! Windows is a different beast! At least Windows Server 2012 R2 is.

Before my rant, I want to acknowledge that I know 2012 R2 is showing its age but in my mind, why do I need something like Server 2016 if I am just loading up some tools that should work no problem with a slightly older OS? I think AWS may have sensed my thoughts and has decided to make my life miserable. I digress.

Back to my frustrations.

I created the Windows 2012 machine, decrypted the pem key for the password, and logged on without a hitch. Cool! Except, when I tried to use Internet Explorer to download Firefox, the OS happily told me that the built-in Admin account does not have permission to use the browser. How and why is this a feature!? This makes me think of the Spongebob meme with Patrick and Manray where Patrick tells Manray that he cannot perform a task because of insufficient permissions even though he has the permission to do it!

Well fine then! I created a new admin account and logged in as the new account. Now I had access to the internet browser! Time to get Firefox. Except, for some reason I did not want to try to figure out, I could not get the download prompt. In fact, I could not get a download prompt for any program I wanted to download. They did not make it to the downloads folder nor were they scheduled for download. Blank.

Frustrated, I did the next logical thing I could. I obliterated the VM and created a new one using Windows Server 2016. And almost as if nothing ever happened, I could access the browser as the built-in admin and download programs. I was even allowed to install the programs! Can you imagine? Performing simple commands as an admin without the OS telling you you can’t! It is a beautiful thing…Not to mention how much time and the headache it’s going to save me!

For the rest of the evening, I’ll be installing and testing different forensic software so I can be as ready as possible for the seminar. Still nervous about it all. Until tomorrow!