W0m3nWh0HackM3lb0urn3: Monthly Ethical Hacking Sessions

W0m3nWh0HackM3lb0urn3: Monthly Ethical Hacking Sessions

W0m3nWh0HackM3lb0urn3 is a safe space for women who are keen to learn to ethically hack. We are a community of women identified hackers who support each other to increase our skills and hack all the (legal) things.

Why?

There’s a worldwide shortage of skilled cyber security professionals and there’s a massive lack of women in the industry too. Depending on the statistics you look to, both locally here in Australia and globally, women either represent 11%  of cyber security workers according to a University of New South Wales Study, or 20% to 25% according to Cybersecurity Ventures and McAfee respectively, if you count those who do what are considered cyber security tasks more broadly.

W0m3nWh0HackM3lb0urn3 wants to change this lack of representation and needs you to make it happen. Come and join us every 1st Thursday night of the month in Melbourne from 5:30pm – 9:00pm and you can learn to hack into machines legally and not end up on the 5pm news. Hacking is challenging, it’s a massive learning curve but it’s also super rewarding. You are quite literally learning how to get into systems and dump databases in order to one day teach businesses what to do to make their websites, applications and networks safer.

If you want to change the world, which for most of us encompasses the digital world, learning the skills to become a penetration tester, otherwise known as, an ethical hacker, is one real and concrete way to do it. I follow in the footsteps of brilliant women hackers who have opened doors for me to learn hacking, Esther Lim and Pamela O’Shea. Esther ran a hacking group to train women who wanted to compete in the university cyber security challenge (cySCA) which was my first real taste of hacking culture. Pam ran a web application penetration testing workshop I attended as part of the 0xCC training conference for women which is where the idea for W0m3nWh0HackM3lb0urn3 was born.

But also

I established W0m3nWh0HackM3lb0urn3 because I wanted a crew of hackers to hack with in real-life and not just over the internet. I wanted face-to-face connection and to learn quickly with people who could explain every step of why we’re running this command and using this program so I could understand deeply and that’s what W0m3nWh0HackM3lb0urn3 enables. I’ve got a history as a Social Anthropologist who loved teaching and what I learned from that experience is the best way to really comprehend something is to be able to explain it to someone else and we really encourage that way of learning in our sessions.

What do you do in your sessions?

We use a platform called Hack The Box which has lots of different vulnerable systems packaged up that we can choose in order to attack. We pick one each couple of months and go through a step by step process of learning how to hack into it, get into accounts that we shouldn’t have access to, accessing passwords we shouldn’t have knowledge of and finally taking full control of the system by getting what is called “root” or full privilege access.

How do I sign up?

Our next session is the first Thursday of the month from 5:30 – 9pm in Melbourne’s CBD. Get in touch with me, Brigitte Lewis on Twitter @briglewis for an invite to our Slack channel and the location. It doesn’t matter whether you’re a beginner or have been taking down boxes for years. W3 W@NT Y0U! LGBTI friends and allies very welcome. Please BYO Dinner, VirtualBox and Kali VM.

Want more data?

Women in Cyber Security Literature Review (2017)
https://www.pmc.gov.au/sites/default/files/publications/cyber-security-literature-review.pdf
Women Represent 20 Percent Of The Global Cybersecurity Workforce In 2019 (2019)
https://cybersecurityventures.com/women-in-cybersecurity/
Cybersecurity Talent Study (2018)
https://www.mcafee.com/enterprise/en-au/assets/reports/rp-cybersecurity-talent-study.pdf

Originally published by the Australian Women in Security Network (AWSN).

Burp: A Quick Installation Guide

In order to execute a SQL injection, for example, we need to see what’s going on in the code behind the interface when we enter our username and password and send it over the internet or from the login page to the database.     To do that we need to use what’s called...

Mad, criminal or straight: Female desire in film and TV

  When it comes to representations of lesbians in film and television, sometimes they're there, mostly they’re not. And if they are, they're mostly confined to cells. The lesbian in popular culture is usually mad, criminal or she’s really, actually, heterosexual....

Penetrating Real-Time Threat Behaviour: Cyber Analytics and the Pen Tester

Penetrating Real-Time Threat Behaviour: Cyber Analytics and the Pen Tester

It’s the wild, wild, west out there in cyberspace, except the feral camels[1] that once roamed Texas are the hackers, and they’re roaming beyond borders and through firewalls on the daily.

At present, cyber threat intelligence gathering is a mish-mash of intrusion detection system logs, port scans, IP addresses, information sharing platforms, Twitter feeds and traditional write-ups. There is no one consistent language used across these platforms to refer to attacks, techniques or procedures and there’s no one single source of data. Much like post-truth America, you’ve got to look in all the right places to piece together the whole story and even then it’s hard to know if you’ve put the puzzle together the way it was intended. What this means is while there’s massive complexity when trying to understand the path an attacker has taken, it also means that there’s huge potential when it comes to leveraging the data or bits (pun intended) of evidence a hacker leaves behind.

Information Gathering and the Penetration Tester

Penetration testers, who are my focus here, do much of their work when it comes to figuring out attack paths and new ways to penetrate, based on historical data or tried and true ways to compromise a system or application. They might listen to a few podcasts, keep an eye on social media, follow a hacking news website and sign up to a mailing list, but all of this is hugely labour intensive and no one person has the hours in the day to keep on top of, let alone be well versed in, all the latest attacks. The dream, of course, is to have a program or Artificial Intelligence learn the tactics, techniques and procedures of hackers out in the wild, bring it all back into a nice table where all the data is the same data type, turn into a visualisation with a gorgeous dashboard and then teach the team new attacks on the fly as they happen in real-time. This, dream, as wondrous as it sounds, is hanging above the Magic Faraway Tree and yet to be written down and sold as a four set gold embossed collection. What we do have, and I’m focusing here on open source data and software, are many tools and data sets that can bring us just that little bit closer to a rousing monologue that could change the history of how we prevent cyber-attacks in the future.

Big Data Big Complexity

For data analysts, one of the problems with data on the internet is that it comes in many forms, with many definitions and no one universal dictionary to look-up in order to know for sure what a word or a phrase means. Structured Threat Information Expression[2] or STIX, which created by the United States Department of Homeland Security) and is used here in Australia by our own Cyber Security Centre, was created to address this issue. It’s useful in order to try and start standardising the way we talk about cyber threat intelligence so that we are all in fact, having the same conversation, in the same language. Some platforms, like MISP[3] which is a Malware Information Sharing Platform created by Christophe Vandeplas who was working for the Belgian Defence Department at the time, allows users to export the Indicators of Compromise (IOC) that they and others share on the platform in the STIX format. This actively aids the development of a threat intelligence language so that we may use it to talk back to one another and share with the various systems we all use. MISP itself is an interesting platform with the public instance of it boasting more than 1000 organisational users from the across the globe, including the big players like Google, Apple, and our own Federal Police. It’s great at gathering threat feeds that are readily usable for other machines to digest but like every feed I’ve found to date, it tells only one part of the story of an attack or attempted attack. To tell the whole story, human research, interpretation and reasoning is needed, along with further data and frameworks in order to be able to map or make sense, of what actually happened blow by blow. Therefore, mapping attacks is where MITRE’s ATT&CK Framework comes in. ATT&CK describes why an action was performed and the technique used to do it, which is often missing in publicly released reports or write-ups that gloss over the specifics of an attack. MITRE have even produced a STIX version of ATT&CK so you can output the data in a standardised format.

So Many Data Types So Little Time

Using a common language is not the only challenge when it comes to data mining threat intel because when you’re out in the wild looking for feeds that deliver indicators of compromise or information, not all data is created equal. You’ll find XML, JSON, JavaScript, images and if you’re lucky, APIs to query data in a more programmatic way. At this point you’ll need a good grasp of either Python or R to make HTTP requests to get the data like you would if you’re looking up a regular web address, and then you’ll sometimes find purpose built libraries which are often built in Python. So depending on your language preference, R for beauty and simplicity or Python for a more smash and grab approach, both are good to have in your tool belt. Once you’ve pulled the data from various feeds and platforms, you’ll then notice that you’ll have to transform it into something much easier to work with, than JSON key-value pairs which is where data frames come in. Each data set will have particular information that doesn’t always match information in other data sets so cleaning the data is a crucial activity too. After this, you’ll then need to push it to an unstructured database of your choice. Then and only then, can the magic happen. The magic being a genius, yet simple way to collate masses of data and turn it into easy to digest threat intel, served with a side of sweet visualisation and predictive analytics in the making.

The future of cyber analytics is now and I am excitedly working towards making the internet a more hospitable place. I would love to hear from you if you are too.

[1] https://www.history.com/news/10-things-you-didnt-know-about-the-old-west

[2] https://oasis-open.github.io/cti-documentation/

[3] https://www.misp-project.org/index.html

Originally published by the Australian Cyber Security Magazine.

WTAF is IoT?

From space, to transport, to the design of cities, IoT is the latest acronym to sweep the cyber landscape. IoT is short for Internet of Things and was coined by Kevin Ashton in 1999.  IoT is any device, be it your phone, laptop or Raspberry Pi that is connected to the...

Kneel

I’ve knelt down and opened my mouth to check the heart beat of many women it lives there louder than the organ that sustains us but only this time have I opened my heart wider than my legs and said   I love you for the way you make my eyes widen before our lips have a...