image credit (with permission): Matthew Michael Stits

Have you ever taken part in a Capture the Flag (CTF) hacking event?

CTF is an intense and at times wholly frustrating experience. Some of the qualities you need include a technical and/or tactical bent, a puzzle solving mindset, competitive tendencies, mental and physical stamina and a mini fridge stuffed with Red Bull.

Every year at Defcon, the CTF contest takes place over a 2 day period. For many this won’t be news - what is new is that a rare opportunity has just opened up. You and your friends have a chance to be the group running the CTF. That’s right, you could be the team that designs, develops, deploys and runs the contest in Vegas.

All things must change, and after years of hard work and consistent advances Kenshoto has decided that it is time to let someone else have a chance to run CTF. We will forever miss their crazy videos and clever configurations. After taking it to the next level, creating a spectator sport out of geeks sitting at their keyboards 0wning machines, and helping CTF gain fabulous recognition around the world, Kenshoto has officially retired as the organizer and hosts of DEFCON’s CTF. The contest is not over, merely in transition to the next keepers of the flame. This is the opportunity you and your crew, company, or government have been waiting for!

You too can pour your heart, countless thousands of hours into planning, producing, and executing the world’s most famous contest of hacking skills. All of the contests at DEFCON are run by volunteers, and CTF is no different.

My intent is to make a game that’s fun for its participants. Kenshoto did a fabulous job of allowing CTF to be a team and spectators sport through scoring visualizations, commentators, game updates. They took it to a new level in one area, and you can take it to another. The heart of hacking has many facets!

CTF is made of many parts from the actual teams, the organizers, observers, third party supporters, the press, con attendees wanting in on some action, and those newbies wondering WTF.

If you have ever participated in a CTF and found yourself disagreeing with the way it was run or walking away with lots of nifty ideas for how you’d run one, now’s your chance to put those ideas into action at Defcon in Vegas. Find out more at the Defcon 17 blog. Deadline for submitting your concept is the 28th February.

What If I’m Not Ready To Lead

Now, if you’ve never participated in a CTF contest and you enjoy attack and defense then I highly recommend you consider taking part in one. It doesn’t have to be Defcon, although that would give you an unforgettable experience that few can claim.

I see CTF as an excellent opportunity to learn more about yourself. You can’t beat the cut and thrust of a live, competitive event to help you discover your strengths and weaknesses and to experiment with different tactics. If you play in a team you stand to get even more from it as you learn from your peers (and they learn from you). What you learn may surprise you. Everyone brings something unique to the table and you may find some of your assumptions about the caliber of other players challenged (for better or worse). Oh, and don’t think you have to an uber-hacker to take part - you don’t. Sometimes our feelings of pride or perfectionism stop us from taking part in the very things that we stand to gain the most from. As they saying goes: ‘Get over it’ :P.

The Side Benefit of CTF That Few People Talk About

Oh, and did I mention the benefit CTF has on your CV/resume?

To a hiring manager faced with inexperienced candidates applying for an entry level penetration testing position, it demonstrates you have experience dealing with emotions frequently accompanying a pen-test. Reading tech books and RFCs is vital, practicing your hands on skills on your home test lab is beneficial, attending conferences to learn new techniques is great but the real winner is demonstrating you can apply what you learn in the face of real-world constraints.

Your CTF experiences are a great talking point for the interview - especially if you are fresh out of college and have little real world experience to point to. Besides, any hiring manager worth their salt is going to give you a hands-on technical challenge as part of the recruitment process. Does that sound stressful? It should do - its not just your technical skills that are under scrutiny. It’s your ability to assess a situation, make decisions and act on them within a timeframe you may feel is insufficient and with less information than you’d ideally like. In other words, its a lot like real world penetration tests (and Incident Response!).

Participating in CTF gives you an edge on those candidates that have never had their back to the wall trying to answer 3 questions: Which target? What tactic? Which tool/exploit? That is when you lean on your CTF experience and help them decide that your name belongs on their shortlist.

What Is Your Question?

If you have a question about some aspect of working as an IT security professional, send it in and I’ll reply right here on the blog. I’ve been in this industry for 10 years and am happy to share my learning/experience. To understand a little about my background, check my about page.

As guidance, the question should be short and to the point with enough context that I can give you a meaningful answer. By context I mean a few sentences about your situation - enough that I can have a good shot at giving you an answer.

My promise to you is that if you send in a reasonable, well thought out question, I *will* post a reply right here on this blog. Plus I’ll leave comments open on the blog post so other readers can chip in and give their perspective. I won’t publish your email address and will scrub any other personal identifiers except your first name.

What’s a good question?

Simple: anything that helps someone else answer their question

Yeah baby, this is all spreading good karma…

Send your questions to: craig.balding@gmail.com

P.S I’m treating this as a 28 day experiment - I’ll extend the experiment if people find this useful.

image credit: coscurro

I stumbled across a great video on a blog post from the SOURCE Boston conference.

Careers in information security are often difficult to navigate, with the industry changing more and more radically every year. This is even more true in an economy that isn’t necessarily thriving. We’re going to talk about the important skills, traits and knowledge that a security pro needs to build a long-term and successful career – not just the usual stuff (like “get certified”), but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well-compensated.

If you are even thinking about a role in Information Security or wandering about your next step in the industry - this in-depth talk by Lee Kushner and Mike Murray is for you.

How do you keep yourself special? Share in the comments…

photo credit: нσвσ

1. Be A Security Cool Cat: Place penguin stickers on every surface in your cubicle. Stick at least 3 on the dual boot company issued laptop (that hasn’t had a kernel upgrade in 6 months). Use BlackHat stickers for bonus points.
2. Be An Undercover Open Source Evangelist: Unfailingly, recommend open source solutions as more secure. Be sure to quote ‘more eyes, less vulnerabilities’. Recite frequently . Always forward security advisories about commercial products to your boss.
3. Walk the Tech Talk: Learn at Least 10 Bash Keyboard Shortcuts. Treat this as a party trick. Perform rapidly in sequence whenever anyone watches your screen. Giggle and pass the keyboard over and say ‘Your turn!’.
4. Be All Knowing, Jedi Warrior!: Say ‘Trust but verify’ whenever you are asked a question you do not understand. Make it clear in meetings that you trust no-one and “verify” solely through a Google/Secunia search.
5. Impress with a Penetration Test!: Download Metasploit, spend 7 hours modifying the web interface: create custom graphics and hack up the CSS files. Start Metasploit running before you leave for the day. Use Camtasia to capture all screen activity so you can review in the morning. If all went well upload to YouTube and link out via facebook.
6. Practice Defense In Depth’: When you are asked ‘What is the Risk?’, grin inanely and say ‘I’ll tell you after I break out the vulnerability scanners’. Run at least 3 vulnerability scanners to get ‘defense in depth’.
7. Latest *Is* Greatest!: Clipboard stealing attacks are *always* a bigger issue than the CISCO infrastructure with default passwords (how did they get there?!).
8. Educate The Great Unwashed with a Deep Dive Security Awareness Program. Educate end-users about Cross Site Scripting and SQL injection attacks. Don’t invite the outsourced developers - they already know this stuff and have deadlines to meet.
9. Impress Your Peers - Perfect the RFC Shoutout: Pick at least 10 common protocols and learn the associated RFC numbers. Intimidate IT colleagues by shouting out the RFC numbers whenever they mention the protocol.
10. Start A Security Blog: What Can I Say?

image credit: Lady Pain

When you picture the future, what do you see yourself doing? If you find the subject of IT security fascinating, you may be considering a career as an IT Security Professional. To help you decide, here are 10 myths about life as an IT Security Professional.

1. IT Security is basically about Passwords and Anti-virus.  This is completely untrue.  You may hear this from people that don’t get paid to do security, but think they know all about it.  Security is a very diverse field covering a wide range of skills including; threat modeling, risk analysis, policy creation, security awareness, incident response (wide field), forensics (desktop, server, network), platform specific security (e.g. Windows, UNIX, Linux, OS/400), network security (WAN/LAN/Internet/wireless/telco), vulnerability assessment, penetration testing, application security, reverse engineering, malware analysis, vulnerability analysis, exploit development, social engineering, physical security, cryptography, crisis management, disaster recovery, 3rd party security reviews etc etc.
2. You get to bark security orders.  Some people feel that holding a security policy in their hand means they get to call the shots.  Do this on a regular basis and not only is it counterproductive but its a surefire CLM (Career Limiting Move).  Some years ago, this may have been possible but these days its much more myth than fact.  From my experience, you can get a *lot* further in the long term through a mix of explanation, persuasion, technical demonstration (”look how easy that was to break into!”), humour and relationship building.  And sometimes, the policy is wrong and you have to big enough to admit it and fix it.  One thing to note: in a crisis or other time sensitive incident, it may be time to bark the orders.  Most reasonable people will understand that after the event.
3. You don’t need any technical skills.  I believe you do need *some* technical security skills to be effective.  However, that doesn’t mean you need them before you start the job, just you should be prepared to develop them.  If your role is writing general security policies - frequently seen as a non-technical role - you will write better policies if you have an appreciation of technical issues.  What’s the right level?  Hard to say as it will depend on the composition of the team. If its just you, a strong grasp of technical security will be vital.
4. You won’t learn as much as someone doing a “normal” IT job.  Possibly the biggest myth.  From my own experience: I used to manage very high-end UNIX and ORACLE servers.  At the time, I thought I was pretty knowledgeable - I was working on the latest kit, worth millions of dollars.  I was considered something of an authority.  But then I stumbled into IT security and soon realised that despite my deep system administration knowledge I didn’t understand the detail of what was going on “underneath the surface” and specifically, how it could be subverted.  From that day forward, I made it my mission to learn everything I could.  I am still learning now, a decade later.  It was the best switch I could have made.
5. Your friends will disown you - IT security is geek - but not “cool” geek.  Thats a funny one.  Some people get hung up that their friends will think their job is boring.  If you work in the IT industry, your non-IT friends probably think you are boring already - get over it :-).  Who are you doing this for, you or your friends?  Besides, over time, you will develop new friends who work in the same industry as you and by definition, they will think you’re cool ;-).  Plus, if you get to do really cool security stuff at work, your friends will ultimately be jealous of you.
6. You get to read security mailing lists and RSS feeds all day.  Ha!  Drinking from the firehose of the Internet is generally not recommended.  A few gulps a day is definitely helpful, but the reality is that organisations typically have a slew of security issues to deal with.  Wrapping your head around those and figuring out creative ways to handle them is more fulfilling and why you got hired.  Staying up to date is important, but unless you are a full time researcher, its 20 minutes to an hour per day on average.
7. Security is a dead end job.  Firstly, there is so much scope within IT security you will never run out of career options within the Industry.  Secondly, if management is your thing, large companies frequently have a CISO (Chief Information Security Officer).  The CTO (Chief Technology Officer) position is a popular jump at some large companies or leaving the fold and becoming a ‘consultant’.  Either way, your options will not be limited. 
8. You get to snoop on employees under the pretense of ’security’.  No-one I know gets to ’snoop’ on fellow employees just because they ‘feel’ like it.  From time to time you may have cause to investigate the activity of company employees.  Company security policy likely requires that certain criteria be met first and HR and senior management must be informed - prior to any monitoring taking place.  Failure to follow that kind of policy could easily get you fired.
9. You get to write exploits all day.  Its true that some people do get paid to write exploits but for most people in the Industry its a definite myth.   Developing reliable exploit code for non-trivial vulnerabilities can be time consuming and hence expensive from the employers perspective, hence there are few opportunities.  Unless you can demonstrate talent and strong potential, its unlikely you’ll get hired to develop exploits all day.
10. You get to break into company systems when you feel like it.  A dangerous myth these days!  Even if your boss thinks its a good idea, you’ll be needing a legal sign off letter from an authorised party (typically a CIO) before running *any* attacks.  This is your ‘get out of jail free’ card.  The sign off should include specific dates, IP ranges and any specific limitations.  No company is interested in having random attacks that potentially crash key operational systems or hinder development schedules (let alone open themselves to the accountability issues).  A desire to test security is understandable, but its very easy to break things, especially when you don’t have much experience.   Even if you don’t crash anything,  if you were not specifically authorised, you would likely get fired (and maybe arrested) if you got found out. 

7 years ago, a Cambridge Professor called Ross Anderson published a book called ‘Security Engineering’.

Up until that time, it wasn’t often you would hear anyone talk about ‘Security Engineering’ - let alone find an entire book written on the subject.

As soon as the book came out, it made a real and lasting impression on the security community.

Richard Bejtlich summed it up with his review on Amazon:

This book changes everything. “Security Engineering” is the new must-read book for any serious information security professional. In fact, it may be required reading for anyone concerned with engineering of any sort. Ross Anderson’s ability to blend technology, history, and policy makes “Security Engineering” a landmark work.

Ross has now finished a major update and the new edition is just hitting the stores. Security Wannabe caught up with him to find out more about Security Engineering 2.0. We managed to cover a lot of ground in 8 questions…

1. In essence, what is ’security engineering’?

   Security engineering is about building systems to remain dependable in the face of malice, error or mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.

2. Why is security engineering important?

   It’s often a showstopper when people get it wrong - for example, a $20bn program to computerize healthcare in the UK looks set to fall to pieces, because the lack of adequate protection for privacy and safety is leading doctors to reject it. And poor security engineering leads to huge waste of resources. The USA has spent $14bn harassing airline passengers since 9/11 but has failed to complete a $500m program to reinforce cockpit doors - and many US airports still don’t do background checks on ground staff.

3. What prompted you to write the book ‘Security Engineering’?

   There were no good books - just specialist works looking at some aspect or other of locks, or ciphers, or access controls. Yet security is a system-level property.

4. The 1st Edition covered an incredible range of topics. How much research went into the book?

   Fifteen years of academic research, plus teaching materials developed for undergraduate courses over the same period.

5. What motivated you to pick up the virtual pen again and write a second edition?

   The world had changed a lot in seven years - not just 9/11 and all its sequelae, but also the fact that the Internet had become mainstream, and all sorts of devices that were previously dumb or standalone started acquiring CPUs and connectivity.

6. For owners of the 1st edition (Ed: selfish question), how much new core content is there in the 2nd edition vs “bug fixes”?
   

   It’s about 50% bigger. I won’t know the exact page count until I get the first paper copies on Monday, but in the draft it had gone from 600-odd pages to 900+.

7. The 1st edition was chock full of real world examples - personally, I found these very engaging. Can you give a taste of new examples?

   There are plenty new examples from postal meters through API security to terrorism. I’ve also expanded the scope, so that physical security doesn’t just mean alarms but also locks (including recent results on lock bumping) and environmental security - why it is that some neighbourhoods have crime and others don’t. In addition, I’ve added chapters on economics and psychology which open up new examples of different kinds. Both approaches are needed in a world where the most rapidly-growing types of fraud involve deception and where systems are less and less under the control of single organisations.

8. What is your vision for security engineering in the next 5 years?

   We’ll be dealing more and more with complex socio-technical systems, in which we have to consider people as well as servers and software, and which will evolve over time in response to all sorts of economic and political pressures. This isn’t just about security and its cousin dependability, it’s much broader than that. It’s something truly new, that hasn’t existed before. Anticipating both the opportunities and the threats will be really important for companies, for governments, and for everybody.

I’d like to thank Ross for agreeing to do this interview, especially as he was on holiday at the time.

Frankly, I’m just blown away by the 300 pages of extra content. How many respected Infosec authors even get close to that?

[Update: Ross just emailed to say he received his first copies of the book - the actual page count is 1040!]

If you enjoyed this interview, vote Ross for some Slashdot action

Today, there are more IT security books in the shops than ever before.

But what IT Security books can make a real difference to an aspiring Security Wannabe?

These are my Seminal 7…

Photo Credit: tanakawho

The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage

The book that ignited my passion for IT security. Clifford Stoll stalks the wily hacker Markus Hess in a true edge of the seat thriller. Computer security books boring? Then you haven’t read this one.  Be prepared to read in one sitting!

TCP/IP Illustrated, Volume 1: The Protocols (Addison-Wesley Professional Computing Series)

I remember the day I read that the author of this book - Richard Stevens - had passed away. I was shocked and saddened. This may sound strange as I’d never met him, nor had any correspondence with him. The reason is simple: through his writing, he had an uncanny ability to meet you where you were and take you on what feels like a personally guided tour of TCP/IP. Simply put, this is essential reading. I’ve read some great networking books since, but none that give you the feeling that the author wrote the book just for you. A revered classic.

Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition

The so-called bible of Crypto. With good reason too: Bruce Schneier provides a seriously comprehensive introduction to cryptography. Refreshingly, he starts at the ground floor - you don’t need a degree in maths to benefit from this tomb - its very accessible. Digest this and you will learn about the most important crypto protocols and algorithms in existence today. I still reference this book at least once a month - I’ve owned it for about 5 years now. How many books can you say that about?

Security Engineering: A Guide to Building Dependable Distributed Systems, 2nd Edition

Ross Anderson teaches us how to avoid repeating the mistakes of those that went before us. Another author with real passion for the subject, his intelligence and pragmatism shine through. This book will introduce you to IT security as an engineering discipline. Don’t let those last two words put you off - Anderson is a master at telling you what you need to know, when you need it. The book itself underlines why effective security design is all about “the human element”. Fascinating case studies that will make you thank your lucky stars you don’t have to design security for prepayment meters or ATMs.  Want to read online?  Click here.  Aside from the book, I highly recommend his papers on the Economics of Information Security.

Hacking: The Art of Exploitation, 2nd Edition

The majority of the security books on my bookshelf are pretty thick. Thick books give an air of authority - “wow, this must be a very serious book by a very knowledgeable author, if I read this, I will breathe in the knowledge of the gods and impress anyone willing to listen to me for long enough”. The author of this book - Jon Erickson - somehow manages to pack an incredible amount of content into less tree than most (he even manages to get root on the cover!). You will learn techniques that shave hours off exploit development time.  A great introduction to blowing (precise) holes in software.

The Art of Software Security Assessment: Identifying and Preventing Software Vulnerabilities

The holy trinity of Software Vulnerability Researchers deliver a mammoth treatise on why my eyes would bleed if I had to do what they do all day. This book will change the way you see software security auditing. If it doesn’t, you probably need to read it more carefully. This should be mandatory reading for people that get paid to do software vulnerability research. For more, check the Taossa blog.

Silence on the Wire: A Field Guide to Passive Reconnaissance and Indirect Attacks

Michal Zalewski is refreshing because (a) he does his own thing (b) those ‘own things’ tend to be interesting and (c) he enjoys the subtle/obscure/funny. And he can write! For a non-native English speaker he writes with great charm and wit. Reading this book is like stepping into the Matrix - everything we take for granted can be unwoven, refactored and turned inside out. Buy this book and read it cover to cover then go check out his lair, where he shares his ongoing digital experiments.

###

What security books would you recommend to an aspiring Security Wannabe and why?  Tell us in the comments…

I, Craig Balding, Am A Former Security Wannabe.

Well..that’s not entirely true.

The truth is that you never really stop being a security wannabe - no matter how others perceive you. Its simply that if you keep moving forward, you become less of a wannabe than the people moving slower than you :-).

In the course of my security journey I have been privileged to meet and work with some of the smartest security people across the globe.

From reverse engineers at the cutting edge, to digital crime fighters of the highest caliber. All of these people shared one thing in common - at some point, they too were a ’security wannabe’.

The Questions This Blog Will Try To Address

• How do you make the transition from security wannabe to paid security security wannabe?
• What skills/experience do you need to pick up along the way?
• Are there ‘fun’ jobs in the IT security industry? What “cool stuff” do people get to do? What is a typical day like for someone employed as a ‘your-future-job-role’
• How do you do some of the things you do? (e.g. Incident Response, Penetration Testing)

If digital security sounds exciting to you, or you’re already an aspiring security wannabe then you are at the right place!

Or if you’ve always been told that security is just about ‘passwords’ and ‘antivirus’ then let me show you behind the curtain.

Finally, if you - like me - claim to be a former security wannabe…welcome home ;-).

Enjoy the blog,

Craig

P.S Something you want to see? Leave a comment or email me.