// BLOG
Business Intelligence- A Students Perspective
January 17, 2012
This week I got to do the first module in the “Reconnaissance” module, “Business Intelligence” and I have to admit, I was blown away.
In this module we covered various ways to gather intelligence about a target (business), and I learned a lot of methods that I didn’t know previously. I knew some of the more basic techniques such as looking at LinkedIn profiles and looking at job posts, but this module took it to the next level. I had never heard of EDGAR, I had never thought about going through archived mailing lists, in my world “theHarvester” was a syslog gatherer (It’s actually a cool tool that polls search engines results to get email addresses for various social engineering schemes), and then there is Maltego. I learned a lot of great methods and tools in this module that I will have to employ against my employers to gather info (For white hat purposes obviously).
And then, there was the lab. Man, I think this was the longest lab to date. It really caught me off guard how much time it would take. The lab in this module was to do business intelligence gathering on four targets. And expect to spend 90-120 minutes minimum per target. Yeah, that’s 6 hours minimum. But, it did definitely teach me two key things: It is scary how much information you can gather on a target from just the Internet, and the importance of note taking. I can’t stress the importance of note taking enough (And neither can The Hacker Academy, as it’s come up in multiple modules). Even though the lab took some time to complete, it was a lot of fun and it was extremely eye-opening.
Looking forward to the next module: Network Intelligence!
Professional Penetration Testing
January 4, 2012
For the longest time, I’ve always wanted to be a penetration tester. That, to me, would be my dream job. This module was focused on the beginning steps of becoming a penetration tester. There was a lot of great knowledge passed down by the instructor in this module. What separates an entry level, good, and great penetration tester? The answers may surprise you because what separates good from great really intrigued me. The instructor also provided some insight into what to expect from the job (Don’t expect to only work from a basement hacking companies with techno blasting and drinking Jolt). This disclaimer was very helpful, and is pretty much what I expected.
The lab was pretty simple: Doing research and answering some questions on your career goals. While these questions are simple on the surface, they are really important questions you should be asking yourself in general. Having a concrete plan of what you wish to accomplish in your career and thinking through the steps to achieve it has served me immensely, and I recommend for anyone else to do the same.
This concludes me working through the “Hacking Fundamentals” course. These weren’t technical modules, but they were still very valuable to me because they changed the way I thought about penetration testing and my career as a whole. While browsing through the material, I can see there are plenty of technical modules I’ll get to later. But right now I’m appreciative of the difficult-yet-simple things I learned; Such as, what makes a great penetration tester? What makes you great overall? Have an insatiable curiosity, the importance of CIA++, STRIDE, different types of learning, the importance of interfacing with the customer. These are the fundamental things that will play a role no matter what facet of security you work in, and I’m glad I spent the time to reflect on them.
The Mind Of A Hacker- A Students Perspective
December 18, 2011
The next module, “The Mind Of A Hacker”, was another great module. This time we were focused on the mindset of being a hacker. The video included in this module was short and sweet, but contained some pretty powerful lessons. The difference in Convergent Intelligence versus Divergent Intelligence, and the three types of Reasoning used in Problem Solving: Deductive, Inductive, and Abductive. Convergent Intelligence is basically what we have learned in western schools of thought: Taking multiple pieces of evidence and forming a fact. Whereas Divergent Intelligence is taking a fact, and coming up with multiple ideas and solutions. Divergent Intelligence needs to be developed in order to be a great penetration tester.
When it comes to Problem Solving, there was a focus on Inductive and Abductive reasoning. Inductive reasoning is taking evidence and then forming a rule with the evidence, and Abductive reasoning is looking at a set of evidence and forming a “best guess” answer to it.
Recursion was also brought up, which was interesting. I really had only heard this term thrown around in terms of programming, but taking that next step and applying it as a method of analysis was definitely intriguing. Lead Instructor, Mike Murray mentioned that this would come up again in future modules, so I’m looking forward to what role this will play.
These are simple lessons but they are definitely challenging to put into practice. The lab with this module was also pretty interesting, just some short multiple answer quizzes with immediate feedback. This was a huge eye opener for me. I actually got a headache from the questions being asked, even though they were pretty simple. But it challenged me to think in ways that I hadn’t in a long time and it felt great. I have a lot of work to do in these areas to say the least.
My biggest takeaway from this module is to always think outside of the box and to question everything. Just because something is assumed to be secure, don’t make the same assumption. Case in point: SSL. Look at how the fabric of the SSL system has crumbled in recent months due to all of the recent hacks. These flaws surfaced due to those who continued to question and not to just simply accept that something was impossible.
-Kevin
Security Fundamentals- A Students Perspective
December 5, 2011
This weeks module, “Security Fundamentals”, was a great starting point in explaining the very important fundamentals that all security professionals need to know and understand thoroughly. What is a vulnerability? What is a threat? What is an attack? What are security controls? When is it appropriate to use X control over Y control? These questions may seem easy, but you would be surprised how often you have to explain this in the real world. A couple more great topics were CIA++ and STRIDE. As you can guess, CIA++ builds upon the classic CIA definition, and STRIDE maps perfectly to CIA++ in terms of possible attack vectors. Great way to discuss and map out security.
Moore’s law was also discussed, and it’s impact on the security community. As technology is rapidly progressing, so is the attack vectors available to malicious hackers. Security always needs to be forward thinking, and paying attention to the industry and what new technologies are being introduced. As part of this discussion, the vulnerability cycle was brought up. This cycle discusses the trend that attack vectors take, and I really thought this was profound when researching the next possible hack, or trying to keep yourself bleeding edge. Staying “in the know”, I feel, is a HUGE part of security because how can you secure something you know nothing about?
The basics of qualitative risk assessment was also big in this module and made clear during the lab. I was expecting the lab to be me doing my own research, but to my surprise it actually included interaction with the instructors. Being able to explain basic security concepts clearly, explaining risk, and then being graded on the answers submitted. I can’t wait to hear the feedback.
-Kevin
The Hacker Academy from a student’s perspective- The set up
November 16, 2011
Today, I finally got to dig into the very first module at The Hacker Academy. I was excited to dig into the material and find my way around. The first module is appropriately titled “Introduction to The Hacker Academy” and an accompanying lab for setting up your home environment.
As I watched the introduction video I was glad to see that there would be a strong focus on penetration testing. And not just “run this command, now this command, and now this command”, but the actual mindset that it takes to conduct a great penetration test. Penetration testing is a field I want to get into, but unfortunately I was never sure how. Now I feel like through lessons learned at The Hacker Academy, I will be that much closer to getting into my dream job.
After I finished watching the video I started the lab, “Set Up Your Environment”. I read through the steps and thought to myself a few things:
1) This shouldn’t take long. Looks like I just download VirtualBox and a VM and verify the VM runs correctly. (Yeah, jinxed myself).
2) I get to learn VirtualBox, which is a virtualization technology I have never touched. So I get to learn a new tool. Cool.
3) It became readily apparent that Backtrack 5 would be the primary tool of use for my labs. I have very limited experience with Backtrack, so I’m definitely looking forward to becoming a master of Backtrack.
If you have any experience working in IT, you should know that no matter how simple something is there is always the chance that something will go wrong. I was quickly reminded of this fact.
Setting up VirtualBox was a breeze. Your typical “Next>>Next>>Finish” type of install. I downloaded The Hacker Academy’s Backtrack 5 VM as well and added it to the VirtualBox repository of VMs. I then started up the VM and was prompted with “hd0 read failure” and thrown into a “grub rescue” terminal.
Great. So much for this being easy.
I did the typical troubleshooting steps. Restarting VirtualBox, restarting my computer, running VirtualBox as an administrator, removing the VM from VirtualBox and readding it, etc. etc.
The fix ended up being simple: Downloading the VM again and extracting it to a new folder and not the folder that is created by Windows using the same name as the archive. After that it was easy, Backtrack booted right up and I confirmed the correct IP address was assigned to eth0 and startx ran properly.
Murphy’s Law is always fun to deal with. But at least it’s a great teacher. Looking forward to what unique challenges I’ll deal with in the next module.
-Kevin
