Oh hey! I presented at the Australian Information Security Association (AISA) Conference in 2019 with a presentation called SQL Injection for Beginners: It’s Hammertime. Peeps asked for the slides so here they are as a YouTube experience with all the vids and giph’s and as a bone dry SlideShare experience minus all the fun stuff.
W0m3nWh0HackM3lb0urn3 is a safe space for women who are keen to learn to ethically hack. We are a community of women identified hackers who support each other to increase our skills and hack all the (legal) things.
There’s a worldwide shortage of skilled cyber security professionals and there’s a massive lack of women in the industry too. Depending on the statistics you look to, both locally here in Australia and globally, women either represent 11% of cyber security workers according to a University of New South Wales Study, or 20% to 25% according to Cybersecurity Ventures and McAfee respectively, if you count those who do what are considered cyber security tasks more broadly.
W0m3nWh0HackM3lb0urn3 wants to change this lack of representation and needs you to make it happen. Come and join us every 1st Thursday night of the month in Melbourne from 5:30pm – 9:00pm and you can learn to hack into machines legally and not end up on the 5pm news. Hacking is challenging, it’s a massive learning curve but it’s also super rewarding. You are quite literally learning how to get into systems and dump databases in order to one day teach businesses what to do to make their websites, applications and networks safer.
If you want to change the world, which for most of us encompasses the digital world, learning the skills to become a penetration tester, otherwise known as, an ethical hacker, is one real and concrete way to do it. I follow in the footsteps of brilliant women hackers who have opened doors for me to learn hacking, Esther Lim and Pamela O’Shea. Esther ran a hacking group to train women who wanted to compete in the university cyber security challenge (cySCA) which was my first real taste of hacking culture. Pam ran a web application penetration testing workshop I attended as part of the 0xCC training conference for women which is where the idea for W0m3nWh0HackM3lb0urn3 was born.
I established W0m3nWh0HackM3lb0urn3 because I wanted a crew of hackers to hack with in real-life and not just over the internet. I wanted face-to-face connection and to learn quickly with people who could explain every step of why we’re running this command and using this program so I could understand deeply and that’s what W0m3nWh0HackM3lb0urn3 enables. I’ve got a history as a Social Anthropologist who loved teaching and what I learned from that experience is the best way to really comprehend something is to be able to explain it to someone else and we really encourage that way of learning in our sessions.
What do you do in your sessions?
We use a platform called Hack The Box which has lots of different vulnerable systems packaged up that we can choose in order to attack. We pick one each couple of months and go through a step by step process of learning how to hack into it, get into accounts that we shouldn’t have access to, accessing passwords we shouldn’t have knowledge of and finally taking full control of the system by getting what is called “root” or full privilege access.
How do I sign up?
Our next session is the first Thursday of the month from 5:30 – 9pm in Melbourne’s CBD. Get in touch with me, Brigitte Lewis on Twitter @briglewis for an invite to our Slack channel and the location. It doesn’t matter whether you’re a beginner or have been taking down boxes for years. W3 W@NT Y0U! LGBTI friends and allies very welcome. Please BYO Dinner, VirtualBox and Kali VM.
Want more data?
Women in Cyber Security Literature Review (2017)
Women Represent 20 Percent Of The Global Cybersecurity Workforce In 2019 (2019)
Cybersecurity Talent Study (2018)
Originally published by the Australian Women in Security Network (AWSN).
It’s the wild, wild, west out there in cyberspace, except the feral camels that once roamed Texas are the hackers, and they’re roaming beyond borders and through firewalls on the daily.
At present, cyber threat intelligence gathering is a mish-mash of intrusion detection system logs, port scans, IP addresses, information sharing platforms, Twitter feeds and traditional write-ups. There is no one consistent language used across these platforms to refer to attacks, techniques or procedures and there’s no one single source of data. Much like post-truth America, you’ve got to look in all the right places to piece together the whole story and even then it’s hard to know if you’ve put the puzzle together the way it was intended. What this means is while there’s massive complexity when trying to understand the path an attacker has taken, it also means that there’s huge potential when it comes to leveraging the data or bits (pun intended) of evidence a hacker leaves behind.
Information Gathering and the Penetration Tester
Penetration testers, who are my focus here, do much of their work when it comes to figuring out attack paths and new ways to penetrate, based on historical data or tried and true ways to compromise a system or application. They might listen to a few podcasts, keep an eye on social media, follow a hacking news website and sign up to a mailing list, but all of this is hugely labour intensive and no one person has the hours in the day to keep on top of, let alone be well versed in, all the latest attacks. The dream, of course, is to have a program or Artificial Intelligence learn the tactics, techniques and procedures of hackers out in the wild, bring it all back into a nice table where all the data is the same data type, turn into a visualisation with a gorgeous dashboard and then teach the team new attacks on the fly as they happen in real-time. This, dream, as wondrous as it sounds, is hanging above the Magic Faraway Tree and yet to be written down and sold as a four set gold embossed collection. What we do have, and I’m focusing here on open source data and software, are many tools and data sets that can bring us just that little bit closer to a rousing monologue that could change the history of how we prevent cyber-attacks in the future.
Big Data Big Complexity
For data analysts, one of the problems with data on the internet is that it comes in many forms, with many definitions and no one universal dictionary to look-up in order to know for sure what a word or a phrase means. Structured Threat Information Expression or STIX, which created by the United States Department of Homeland Security) and is used here in Australia by our own Cyber Security Centre, was created to address this issue. It’s useful in order to try and start standardising the way we talk about cyber threat intelligence so that we are all in fact, having the same conversation, in the same language. Some platforms, like MISP which is a Malware Information Sharing Platform created by Christophe Vandeplas who was working for the Belgian Defence Department at the time, allows users to export the Indicators of Compromise (IOC) that they and others share on the platform in the STIX format. This actively aids the development of a threat intelligence language so that we may use it to talk back to one another and share with the various systems we all use. MISP itself is an interesting platform with the public instance of it boasting more than 1000 organisational users from the across the globe, including the big players like Google, Apple, and our own Federal Police. It’s great at gathering threat feeds that are readily usable for other machines to digest but like every feed I’ve found to date, it tells only one part of the story of an attack or attempted attack. To tell the whole story, human research, interpretation and reasoning is needed, along with further data and frameworks in order to be able to map or make sense, of what actually happened blow by blow. Therefore, mapping attacks is where MITRE’s ATT&CK Framework comes in. ATT&CK describes why an action was performed and the technique used to do it, which is often missing in publicly released reports or write-ups that gloss over the specifics of an attack. MITRE have even produced a STIX version of ATT&CK so you can output the data in a standardised format.
So Many Data Types So Little Time
The future of cyber analytics is now and I am excitedly working towards making the internet a more hospitable place. I would love to hear from you if you are too.
Originally published by the Australian Cyber Security Magazine.