King Root

Since 1983

there has been more than one way to make a connection

an intricate dance called a three-way handshake

one way to ask for permission

one way back to ensure what we have is stable

another to acknowledge our transmission

this is the language written from every keyboard that has ever called the internet and landed on someone else’s home

funny that my job title is penetration tester

not the sex kind

the ethical hacker kind

the root boxes and finger networks kind

the kind that uses language that is not kind or ethical

a reflection of a world

where master and slave are used freely

and black hats are bad and black lists are bad

and all things white are good

like white lists and white hats

and the white goods in our office kitchens

where the only kind of attack on your network is done

by a Man-in-the-Middle

and all anyone wants to do is make things fall over

and crash

so they can exploit every service you’ve ever stood up

to own you

with a root your mobile program called KingRoot

google it

the first response you get:

how to safely root your iphone

from oneclickroot.com

 

but like all things built in this world

digital or not

the voice of the Other

has always been running across the cables since the first communication

like a long held breath that meets an exhale

a Zoom call that stutters my voice as it enters your lounge room

and whispers

I don’t want you to root my box without permission

like a 16 year old kid learning to hack with both their hands and their discourse

playing out the history of oppression through ownership and submission

 

I want a new language to describe this position

because how do we open up this boy-in-the-hoodie world

if all the moves we see are white hands pushing on black keys tapping white letters to create sentences only a few us fit into?

how do we move from a one way highway to new roads with new words that are not heavy with a history built on subjugation?

we make way for neighbourhoods that house nomads looking for a new place to rest

to wake up and resist

because the first words of the internet were not mummy or daddy but hello world

or at least the world with the means to listen

and now we know the power of the hashtag

SOSBLAKAUSTRALIA
METOO
SAYHERNAME
BLACKLIVESMATTER

 

because the world wide web launched to bring us closer

but the digital divide is getting deeper

and while we mount attacks on politicians and nation states from the streets

the missiles we launch from our beds when we hold each other

the grenades we push from our hearts when we hear each other

the bullets that rain from our eyes when we see each other

these are the parts of the story that hold us together when the internet is down

and there’s nothing left but to keep one fist in the air and the other re-telling stories of resistance that strut from our lips when we kiss each other.

Originally published by Bent Street.

 

 

 

Burp: A Quick Installation Guide

In order to execute a SQL injection, for example, we need to see what’s going on in the code behind the interface when we enter our username and password and send it over the internet or from the login page to the database.     To do that we need to use...

King Root

Since 1983 there has been more than one way to make a connection an intricate dance called a three-way handshake one way to ask for permission one way back to ensure what we have is stable another to acknowledge our transmission this is the language written from every...

It’s Hammertime: SQL Injection For Beginners

Oh hey! I presented at the Australian Information Security Association (AISA) Conference in 2019 with a presentation called SQL Injection for Beginners: It’s Hammertime. Peeps asked for the slides so here they are as a YouTube experience with all the vids and giph’s and as a bone dry SlideShare experience minus all the fun stuff.

What The Actual (Fuck) is Blockchain?

The idea for blockchain came from a now germinal paper written in 2008 by the man known as Satoshi Nakamoto, what his or their real name is, no-one knows which just adds to the mystery and intrigue around the whole community. Nakamoto referred to "blocks" and "chains"...

Burp: A Quick Installation Guide

In order to execute a SQL injection, for example, we need to see what’s going on in the code behind the interface when we enter our username and password and send it over the internet or from the login page to the database.     To do that we need to use...

W0m3nWh0HackM3lb0urn3: Monthly Ethical Hacking Sessions

W0m3nWh0HackM3lb0urn3: Monthly Ethical Hacking Sessions

Mass

W0m3nWh0HackM3lb0urn3 is a safe space for women who are keen to learn to ethically hack. We are a community of women identified hackers who support each other to increase our skills and hack all the (legal) things.

Why?

There’s a worldwide shortage of skilled cyber security professionals and there’s a massive lack of women in the industry too. Depending on the statistics you look to, both locally here in Australia and globally, women either represent 11%  of cyber security workers according to a University of New South Wales Study, or 20% to 25% according to Cybersecurity Ventures and McAfee respectively, if you count those who do what are considered cyber security tasks more broadly.

W0m3nWh0HackM3lb0urn3 wants to change this lack of representation and needs you to make it happen. Come and join us every 1st Thursday night of the month in Melbourne from 5:30pm – 9:00pm and you can learn to hack into machines legally and not end up on the 5pm news. Hacking is challenging, it’s a massive learning curve but it’s also super rewarding. You are quite literally learning how to get into systems and dump databases in order to one day teach businesses what to do to make their websites, applications and networks safer.

If you want to change the world, which for most of us encompasses the digital world, learning the skills to become a penetration tester, otherwise known as, an ethical hacker, is one real and concrete way to do it. I follow in the footsteps of brilliant women hackers who have opened doors for me to learn hacking, Esther Lim and Pamela O’Shea. Esther ran a hacking group to train women who wanted to compete in the university cyber security challenge (cySCA) which was my first real taste of hacking culture. Pam ran a web application penetration testing workshop I attended as part of the 0xCC training conference for women which is where the idea for W0m3nWh0HackM3lb0urn3 was born.

But also

I established W0m3nWh0HackM3lb0urn3 because I wanted a crew of hackers to hack with in real-life and not just over the internet. I wanted face-to-face connection and to learn quickly with people who could explain every step of why we’re running this command and using this program so I could understand deeply and that’s what W0m3nWh0HackM3lb0urn3 enables. I’ve got a history as a Social Anthropologist who loved teaching and what I learned from that experience is the best way to really comprehend something is to be able to explain it to someone else and we really encourage that way of learning in our sessions.

What do you do in your sessions?

We use a platform called Hack The Box which has lots of different vulnerable systems packaged up that we can choose in order to attack. We pick one each couple of months and go through a step by step process of learning how to hack into it, get into accounts that we shouldn’t have access to, accessing passwords we shouldn’t have knowledge of and finally taking full control of the system by getting what is called “root” or full privilege access.

How do I sign up?

Our next session is the first Thursday of the month from 5:30 – 9pm in Melbourne’s CBD. Get in touch with me, Brigitte Lewis on Twitter @briglewis for an invite to our Slack channel and the location. It doesn’t matter whether you’re a beginner or have been taking down boxes for years. W3 W@NT Y0U! LGBTI friends and allies very welcome. Please BYO VirtualBox and Kali VM.

Massive shout out to our sponsors as dinner and drinks are provided by Microsoft and the space is provided by TypeHuman.

Want more data?

Women in Cyber Security Literature Review (2017)
https://www.pmc.gov.au/sites/default/files/publications/cyber-security-literature-review.pdf
Women Represent 20 Percent Of The Global Cybersecurity Workforce In 2019 (2019)
https://cybersecurityventures.com/women-in-cybersecurity/
Cybersecurity Talent Study (2018)
https://www.mcafee.com/enterprise/en-au/assets/reports/rp-cybersecurity-talent-study.pdf

Originally published by the Australian Women in Security Network (AWSN).

What The Actual (Fuck) is Blockchain?

The idea for blockchain came from a now germinal paper written in 2008 by the man known as Satoshi Nakamoto, what his or their real name is, no-one knows which just adds to the mystery and intrigue around the whole community. Nakamoto referred to "blocks" and "chains"...

The era of Lesbian Bed Death is over, long live Lesbian Fuck Eye

Sex is an art. And one that lesbians in particular have apparently, according to myth, taken a few decades to get their heads and legs around. Let alone actually in their beds. Today however, lesbian women have more orgasms, better sex and sex that lasts longer than...

Penetrating Real-Time Threat Behaviour: Cyber Analytics and the Pen Tester

Penetrating Real-Time Threat Behaviour: Cyber Analytics and the Pen Tester

It’s the wild, wild, west out there in cyberspace, except the feral camels[1] that once roamed Texas are the hackers, and they’re roaming beyond borders and through firewalls on the daily.

At present, cyber threat intelligence gathering is a mish-mash of intrusion detection system logs, port scans, IP addresses, information sharing platforms, Twitter feeds and traditional write-ups. There is no one consistent language used across these platforms to refer to attacks, techniques or procedures and there’s no one single source of data. Much like post-truth America, you’ve got to look in all the right places to piece together the whole story and even then it’s hard to know if you’ve put the puzzle together the way it was intended. What this means is while there’s massive complexity when trying to understand the path an attacker has taken, it also means that there’s huge potential when it comes to leveraging the data or bits (pun intended) of evidence a hacker leaves behind.

Information Gathering and the Penetration Tester

Penetration testers, who are my focus here, do much of their work when it comes to figuring out attack paths and new ways to penetrate, based on historical data or tried and true ways to compromise a system or application. They might listen to a few podcasts, keep an eye on social media, follow a hacking news website and sign up to a mailing list, but all of this is hugely labour intensive and no one person has the hours in the day to keep on top of, let alone be well versed in, all the latest attacks. The dream, of course, is to have a program or Artificial Intelligence learn the tactics, techniques and procedures of hackers out in the wild, bring it all back into a nice table where all the data is the same data type, turn into a visualisation with a gorgeous dashboard and then teach the team new attacks on the fly as they happen in real-time. This, dream, as wondrous as it sounds, is hanging above the Magic Faraway Tree and yet to be written down and sold as a four set gold embossed collection. What we do have, and I’m focusing here on open source data and software, are many tools and data sets that can bring us just that little bit closer to a rousing monologue that could change the history of how we prevent cyber-attacks in the future.

Big Data Big Complexity

For data analysts, one of the problems with data on the internet is that it comes in many forms, with many definitions and no one universal dictionary to look-up in order to know for sure what a word or a phrase means. Structured Threat Information Expression[2] or STIX, which created by the United States Department of Homeland Security) and is used here in Australia by our own Cyber Security Centre, was created to address this issue. It’s useful in order to try and start standardising the way we talk about cyber threat intelligence so that we are all in fact, having the same conversation, in the same language. Some platforms, like MISP[3] which is a Malware Information Sharing Platform created by Christophe Vandeplas who was working for the Belgian Defence Department at the time, allows users to export the Indicators of Compromise (IOC) that they and others share on the platform in the STIX format. This actively aids the development of a threat intelligence language so that we may use it to talk back to one another and share with the various systems we all use. MISP itself is an interesting platform with the public instance of it boasting more than 1000 organisational users from the across the globe, including the big players like Google, Apple, and our own Federal Police. It’s great at gathering threat feeds that are readily usable for other machines to digest but like every feed I’ve found to date, it tells only one part of the story of an attack or attempted attack. To tell the whole story, human research, interpretation and reasoning is needed, along with further data and frameworks in order to be able to map or make sense, of what actually happened blow by blow. Therefore, mapping attacks is where MITRE’s ATT&CK Framework comes in. ATT&CK describes why an action was performed and the technique used to do it, which is often missing in publicly released reports or write-ups that gloss over the specifics of an attack. MITRE have even produced a STIX version of ATT&CK so you can output the data in a standardised format.

So Many Data Types So Little Time

Using a common language is not the only challenge when it comes to data mining threat intel because when you’re out in the wild looking for feeds that deliver indicators of compromise or information, not all data is created equal. You’ll find XML, JSON, JavaScript, images and if you’re lucky, APIs to query data in a more programmatic way. At this point you’ll need a good grasp of either Python or R to make HTTP requests to get the data like you would if you’re looking up a regular web address, and then you’ll sometimes find purpose built libraries which are often built in Python. So depending on your language preference, R for beauty and simplicity or Python for a more smash and grab approach, both are good to have in your tool belt. Once you’ve pulled the data from various feeds and platforms, you’ll then notice that you’ll have to transform it into something much easier to work with, than JSON key-value pairs which is where data frames come in. Each data set will have particular information that doesn’t always match information in other data sets so cleaning the data is a crucial activity too. After this, you’ll then need to push it to an unstructured database of your choice. Then and only then, can the magic happen. The magic being a genius, yet simple way to collate masses of data and turn it into easy to digest threat intel, served with a side of sweet visualisation and predictive analytics in the making.

The future of cyber analytics is now and I am excitedly working towards making the internet a more hospitable place. I would love to hear from you if you are too.

[1] https://www.history.com/news/10-things-you-didnt-know-about-the-old-west

[2] https://oasis-open.github.io/cti-documentation/

[3] https://www.misp-project.org/index.html

Originally published by the Australian Cyber Security Magazine.

Searching Twitter Data with R and Grep

Learning how to use R Studio, R and then all the libraries and functions inside it can be hell(ish). But there's good little ways to search your Twitter data for whatever you're looking for, and give you some instant satisfaction in the process. Step 1 You will need...

Penetrating Real-Time Threat Behaviour: Cyber Analytics and the Pen Tester

It’s the wild, wild, west out there in cyberspace, except the feral camels[1] that once roamed Texas are the hackers, and they’re roaming beyond borders and through firewalls on the daily. At present, cyber threat intelligence gathering is a mish-mash of intrusion...