In life there are many paths that individuals take to be successful. Some of which are very easy, and carefree. While others can be very daunting and stressful from time to time. I would say that journey to being a Cyber Security professional is a very challenging and rewarding career path. Being a cyber security professional is like playing with a Rubix cube, if you don’t like a good puzzle or game of chess you should never start down this path. My reasoning for this is because every path you take in this career will land you with a new challenge or riddle you may need to solve. And, very little times will it ever come with an easy answer.
I have been in the Cyber Security arena now for almost 20 years. And, while I consider myself seasoned, I have also come to the conclusion that is only in the government sector of things. But thankful I have found a way to collaborate, and work with an outstanding group of individuals that allow me to share what I know, and learn a lot from them as well. Who is this group of individuals you are probably asking yourself, well let me tell you about them.
About a month and a half ago I joined Joe McCray Jr.’s Intern Program called “The Security Rookies”. I have known Joe for many years, and have had the opportunity of talking with him, and taking several of his classes. So when I heard he was putting together this program I was all in. Who could pass up an opportunity to learn something new, contribute what they know, and build relationships with colleagues across the profession. I have had the opportunity to be a team member and a project manager and thus far, have gotten to work side by side with some of the brightest people in the business, mentor new recruits, and gotten to collaborate on an effort that Joe has that I think will aid in revolutionizing generations to come in the Cyber Security Profession.
My path to becoming one of the best starts with learning from one of the best. An old proverb I was taught as a child, but got chopped up over the years-” When the student is ready, the teacher will appear, and when the teacher is ready, the student will appear, in hopes that every student will be studious in the learning process to be better than their teacher” (Author Unknown) As a r00kie in Joe’s r00kie program, I opted to be on the video team for (2) main reasons. First, given the content of the program, I will be learning another part to add to my evolving IT career. Secondly, it allows me to learn yet another skill set often forgotten about in IT. IT meaning Information Technology ahs as many or more sub-sectors than being a doctor. There are all types of specialized fields of IT. As a Network Administrator graduate, I quickly found out that there are many specialized parts to this field. Hardware, software, infrastructure, security. As an IT professional, do I feel like a r00kie in this program, YES. The interaction with my fellow r00kies is a really humbling experience. I went from being top of my class, and a valued source of knowledge to my underclass mates, back to a student seeking knowledge from more experienced individuals, who are willing to share that knowledge, while we all strive to excel and better our respective knowledge in this industry. More to come…..
We’ve taken a long break from bringing on new rookies because we were working so hard to create an environment that would allow us work with all of the rookies more effectively.
People generally became r00kies because they wanted to gain some experience in the IT Security field. When the r00kie groups were small – this worked perfectly. I’d meet with the rookies on Skype or on IRC a few times a week, give them tasks to do, and they’d put their work in dropbox.
As the word spread about the r00kie group we had grown to well over 70 r00kies and we were still trying to communicate with all of them via email and skype and still share files with Dropbox. This just didn’t work. Sharepoint and similar solution ideas were kicked around, and we even tried a few of them before eventually giving up on that direction as well.
The second thing that a project management system like Sharepoint didn’t address was helping r00kies actually document their experience as a r00kie so they could show potential employers.
- r00kie group goals:
- Provide us with a project management solution so we could task r00kies with projects and track the status of those projects.
- Provide us with the ability for r00kies to collaborate on documents
- Provide us with a mechanism to allow r00kies to show what their contributions to the r00kie program have been
- IT Security Community Goals
- Provide us with a mechanism to give back to the IT Security Community
- Provide the IT Security Community with a vehicle to learn and keep up with the industry
The Website Concept
So for the last few months we’ve been working on the new website IT Security Professionals (it-security-professionals.com). It’s like a combination of LinkedIn, Facebook, Monster.com for IT Security Professionals only. It will allow you to learn the technical areas of IT Security for FREE, keep up with the industry, post/apply for jobs, and contribute to the industry as well.
There is a lot more to come so please check out the website, and give us feedback so we can make it better. If you’re looking to become a rookie – just join the website and then join the r00kie group there. Next week we’ll start organizing all of the r00kies and giving them tasks to complete.
As a Rookie, Joe provides us with plenty to do. We are always asked to give some “cycles” for work. These cycles go towards a multitude of things. Things like blog posts all the way to constructing lab manuals. Most of the time Joe needs the work done yesterday and we spend countless hours trying to accomplish the tasks he provided. Sometimes we have a little bit more time to work on projects and what not. It’s evident that as a Rookie I possess very little skills and understanding regarding information security. Because of this, I personally have become great at working but getting nothing done.
How do I work yet get nothing accomplished? Easy, I get lost trying to figure out what’s going on or where I am. Sometimes I feel like just got thrown into a foreign country where they speak a language that I don’t know. I spend more time figuring out what the heck they are talking about then I do actually producing work towards the goal. For instance, pretend you knew nothing about security and the tools that come along with the trade. Now envision you see this:
SSH Login into your Asterisk VM as root
Get the exploit scripts
DNS running on UDP port 53
we will use netcat’s UDP mode (-u) for the transport.
perl dproxy1.pl | nc -u xx.yy.aa.bb 53
gdb -core core.9999 — load core files
info registers — inspect registers
x/64x $reg — examine memory at a particular register
x/64x $esp — examine memory at ESP
q — quit
x/10i $eip — disassemble 10 instructions beginning at EIP
perl dproxy1.pl | nc -u 192.168.128.140 53
gdb -core core.8888
What the heck is this? First I have to install Virtual Machine (VM) software. Then download a VM, extract it, run it up, and configure the network so I get into it. Where the heck do I get these scripts from. What the heck is Netcat and how do I make it work on Windows. What’s Perl. Do I run these commands on the host or the guest? GDB…..thats going to take a lot of Googling before I know what the !#@ that is. For what it’s worth, gdb is GNU Debugger. Why can’t I see these so called registers? What the heck is a register? Am I doing this right? My head hurts! All this right here, took me about 2.5 hours and I am no further now to completing a lab manual then I was when I started. Better yet the clock is striking 1 a.m. and I have to get up for work in 4.5 hours. This is how I get nothing done.
Being lost in a fog of confusion and the amount of time spent configuring machines is exactly how I get nothing done. This is why I get to tell Joe that I did absolutely nothing for him during our weekly call. Let me take a step back and re-evaluate quickly though. While there is no tangible lab manual produced, I did learn a ton. This is why it’s great to be Rookie. I have learned how to configure VM’s, install and run Perl, and now know what gdb is. I consider myself the sole beneficiary of this supposed fail operation. Being a Rookie is about learning and about late nights. As mentioned by another Rookie, all this work is a trick to teach us by doing. Being thrown into this “foreign country” is the perfect recipe for success by learning for survival. It can be stressful to feel lost and to have your work call you names because the notes are smarter than you. But it pays off in the end. As I burn through “cycles” I spend a ton of time learning, but getting nothing done.
One of the assignments that the rookies got was to go through the various broken web applications, such as WebGoat, WebMaven, Hacme Casino, Hacme Bank, and Hacme books and complete them. While we worked through our various tasks we were to thoroughly document the steps, take screen captures and ensure that all steps necessary were shown on how to exploit these applications. Joe had asked for volunteers so I stepped up and picked WebGoat.
Prior to Joe handing out this task I had worked with WebGoat for about 15 minutes and I really liked it, hence why I choose it. What I did not realize at the time was the scope of WebGoat and just how large it was. Unlike the broken web applications like WebMaven, WebGoat covers a lot of content including: SQL injection, XSS, session cookie manipulation, hidden forms and fail open authentication just to name a few. Webgoat covers all of this in somewhere around 30 lessons.
Being able to get the WebGoat work done in a timely manner is very important to Joe and working on WebGoat was going to be a learning experience. In typical Joe fashion I got my deadline for this project; he wanted it done in two days, which in fact is better than his usual “I need this yesterday.” I start working on this project having no real experience with any of the covered concepts. After two very long days report balloons to over 45 pages of documentation outlining the steps. I winded up having to call in for some help on a few of the lessons due to some issues with WebScarab not working for me but we pulled it off.
After completing this task I was one, tired; two, sick of seeing WebGoat; and three, pretty well educated with the low level, fundamental hacks on web applications. While I do not think I could hack a website there is some significant value add in understanding the lessons contained in WebGoat. Also I will say that while I tried as much to avoid the built-in documentation, WebGoat has a very comprehensive built-in documentation guide for any beginners looking to learn these concepts. I have to say that the developers or this OWASP project did a fantastic job on building a system that can teach you how to hack web applications and more importantly how to help secure them through understanding. I would encourage anyone looking to get into the Infosec career field to check out WebGoat.
OWASP WebGoat – https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Maven Security WebMaven – http://www.mavensecurity.com/WebMaven/
McAfee Hacme Casino – http://www.mcafee.com/us/downloads/free-tools/hacme-casino.aspx/
McAfee Hacme Books – http://www.mcafee.com/us/downloads/free-tools/hacmebooks.aspx
McAfee Hacme Bank – http://www.mcafee.com/us/downloads/free-tools/hacme-bank.aspx/
Being a part of Joe McCray’s Security Rookies program has been a blessing and a curse. The man will work you. He will give you stuff to do that needed to be done yesterday and keep you pumping out material. It’s all a trick though. The entire time you feel like you’re slaving away editing or creating docs, VMs, networks, etc, you’re learning and progressing. I’m a senior systems engineer by title. I know systems, networks, how to build, how to fix. I didn’t have any idea how to hack four months ago. That’s changing now little by little and it’s due to this program. It started with doing simple web based challenges on enigmagroup.org. Then it was on to exploiting ready-made VMs such as Ultimate Lamp. For me, the coolest thing I’ve gotten to do so far was going through and updating two Metasploit course documents. First off I learned how to manipulate the framework and make it work for me. Secondly, how cool is it to realize Chris Gates produced the document you’re editing? I’m learning from the best trying to be the best. It’s a lot of work but it’s definitely worth it.
And don’t worry the fun never stops. When it comes to SQL injection there’s plenty of work to be done. Updating all the screenshots for Joe’s SQL courses was brutal. By the time I was all done and had everything up to Joe’s standards I actually felt like I was starting to understand how it worked. Who knew there was so much power in just a little tick’. You will learn in this program what you’ve been trying to learn on your own from scrapping IRC, googlefu, and staring at code. You’ll also learn Joe will need something done on a Friday and it needs to be done that night. If you can’t commit don’t sign up. We work as hard as we play.
The Path to Infosec
Information technology has always been an area of study that I have enjoyed. I have jumped around a bit with my college coursework from network administration for my Associates degree, programming for my Bachelors degree and I finally settled with information security and assurance for my Master’s degree.
Right before I decided to continue my education with my Masters degree I started to get into Infosec pretty heavy, reading and watching a lot of videos, understanding the concepts but not really knowing much. Most of the videos that I watched were of DEFCON talks, Jeff “The Dark Tangent” Moss’ CiscoGate talk (Defcon 15. 2007), Renderman’s “How Can I Pwn Thee? Let Me Count the Ways“ (Defcon 16. 2008), Iftach Ian Amit’s “Down the Rabbit Hole: Uncovering a Criminal Server“ (Defcon 17. 2009) and Joseph McCray’s “You Spent All That Money And You Still Got Owned…“ (Defcon 19. 2010) really stood out, mostly because of the entertainment value in their talks. (By no means is this some kind of plug for J0e, I firmly believe that that this talk was one of the more entertaining ones)
This is about the time that I hooked up with Joe McCray on LinkedIn and saw that he was putting on an online course called “Hackers Boot camp.” I had messaged Joe about it, gotten a response and was just waiting for the class to come up so I could enroll. Then I noticed that he was accepting interns to work for him. Initially I thought, the guys in Maryland and I’m in California, there is no way this is going to work. So I had the first phone call and was really surprised that the internship would actually work out, there was no real need to meet at a physical location to participate which was awesome.
After all of that we have our first scheduled Skype call which was run by a few of the more senior guys on J0e’s team. This is where we find out just how big this internship is and how difficult it is to manage. After J0e accepted the initial interns we had somewhere around 75 individuals. Now I don’t know if you have ever tried to have a Skype call with that many people but there are two problems with this: first you cannot have that many people on Skype (think the limit is 50), and for some reason people do not know how to mute their microphones which makes for a very problematic conversation. In short, disorganized chaos was in full effect.
About three weeks from receiving the initial e-mail from J0e we get tasked on our first assignment. We are tasked out with compiling an open source intelligence (OSINT) report for a client. The true madness really begins here. This was tasked out to all 75+ interns via e-mail and was told to be completed as soon as possible. I tend to have this innate ability to of picking the absolutely most difficult tasks that exists and this was no different. Not having much knowledge about doing an OSINT report I went for something I felt I could contribute to the group. I volunteered for compiling the report based on the information from all of the interns. This turned into a giant time-sink/nightmare for me. By the end of the second day I had to dig through over 150 emails to compile the report and when it was completed it sat right about 45 pages. This seems to be the norm for interning, getting an insanely large document done in a time-frame that, in normal circumstances, just would not happen. If you are looking forward to interning with J0e I would caution you, be prepared to get an e-mail at three in the morning telling you to get something done by tomorrow.
Moss. J. (2007) CiscoGate. via Defcon.org Jeff “The Dark Tangent” Moss – CiscoGate
Renderman. (2008) How Can I Pwn Thee? Let Me Count the Ways. via Defcon.org Renderman – How Can I Pwn Thee? Let Me Count the Ways
Amit. I. (2009) Down the Rabbit Hole: Uncovering a Criminal Server. via Defcon.org Iftach Ian Amit – Down the Rabbit Hole: Uncovering a Criminal Server
So far the rookie program seems to be going pretty well. It’s been 2 weeks now and we’ve got just under 30 rookies. They cranked out a lot of simple work over the past 2 weeks and already asked for some harder stuff. I gave some updated tasks to the senior rookies for them to hand out at tonight’s Skype call.
Looks like we have about 14 or 15 new potential rookies and I’ll be contacting them tonight.
Here is a sample of what rookies have been doing over the last 2 weeks:
You can call it an internship, you can call it slave labor, or you can call it a bunch of hackers hanging out. The Security Rookies – aka – “the rookies” are a group of people that are interested in learning hands-on security concepts from Joe McCray. They are tasked with doing security research, writing documentation, proof-reading/editing IT Security courseware, and assisting on penetration tests and incident response engagements.
What is required:
- Regular meetings shall be held on Tuesdays and Thursdays via Skype. Best effort shall be made to attend. If one cant attend, prior notice shall be given to team lead asap.
- Special meetings may be held at any time when called for by the team lead. Best effort must be made to attend or otherwise obtain the information from the meeting.
- Agendas will include discussing assignments, penetration tests, etc …
- If more than two consecutive weeks are missed with no contact, team member shall be dismissed.
- Best effort to complete assignments by due date shall be made. Notify team lead of any expected delays.
What are the Benefits/Perks:
- Free access to IT security courses from Strategic Security (access granted based on work output)
- Joe McCray will pay for your certifications exams based on work output
- You may assist Strategic Security consultants on pentests, and other security engagements
After 1 year of being a rookie with satisfactory work output – Joe will take you to conference (ex: Black Hat, Def Con) and pay the basic travel expenses such as Airfare, Hotel, and Meals.
If you are interested in joining – you can contact Joe McCray via email at: joe [ -at- ] strategicsec.com