Security – Хакер, що біжить

Як писати резюме в кібербезпеці

Кожного разу після події типу Nonamecon чи OWASP Kyiv в мою поштову скриньку та месенджери надходить багато повідомлень приблизно такого змісту: чи є у вас вакансії? як потрапити до вас в компанію? ось моє резюме. А отримавши відповідь, найчастіше питають, як його покращити.

Так, на жаль, відкритого набору в Berezha Security не існує: ми не настільки великі, щоб тримати вакансії відкритими та оголошувати на них “конкурс”. Коли ми ростемо, про це перш за все дізнаються наші підписники в Facebook, LinkedIn та Twitter, ну і звісно ж наші друзі та партнери по суспільно-професійній діяльності. Але резюме я все одно читаю, і ось що я мушу вам про це сказати.

Написання “ефективного” резюме – це окрема навичка, яку треба прокачувати. Я не вірю в “кар’єрних коучів”, хоча не виключаю, що деякі з них вартують свого гонорару. Як на мене, то для спеціаліста з кібербезпеки такий засіб підготовки резюме це занадто. Вимоги до текстів в нашій галузі зараз невисокі, адже людей критично не вистачає. Але CV все одно мати треба, і скласти його вам допоможуть такі прості поради.

1. Пишіть про досягнення, а не про досвід. Дуже часто доводиться читати пачку булетів по кожному місцю роботи, зміст яких зводиться до того, що автор мав справу з тими чи іншими методиками та інструментами. Ця інформація може бути корисна, але її краще десь узагальнити в одному розділі документу, а в описі місць роботи вказати досягнення, які демонструють вашу траєкторію в конкретній компанії. Прийшов першим ІБшником, за два роки побудував нормальні операції та автоматизував процеси. Або розпочав молодшим пентестером, а за рік виріс в автономну одиницю та виступив лідом в надцяти проєктах. Щось таке, що характеризує вас як працівника, який прогресує та росте, а не просто отримує досвід.

2. Уникайте списків. Булети розстрілюють ваше резюме. Хочете навести приклади – робіть це через кому або крапку з комою. І ніколи не перетворюйте розділ в вичерпний опис. Адже мозок сприймає інформацію дуже своєрідно: з усіх перерахованих пунктів він залишить в пам’яті середнє враження. Тому краще навести два найкрутіші приклади, ніж вичерпний список. Наприклад, не варто перераховувати усі ваші професійні сертифікати, починаючи з CCNA та адміністратора Windows 2012 Server. Звісно ж, краще перерахувати найбільш релевантні та найсвіжіші здобутки.

3. Слідкуйте за граматикою. Багатьом відома така штука як Grammarly, але й MS Word з ввімкненими параметрами граматики відпрацьовує досить ефективно. Уникайте зайвих та складних термінів. Якщо слово можна спростити або видалити без суттєвої зміни змісту – це варто зробити.

4. Навчання без сертифікації нікому не цікаве. Якщо пройшли протягом трьох років 5 найкрутіших та найтоповіших навчальних програм, але не склали іспит – краще не вказуйте їх в резюме. Поки не складете іспит. Натрапляючи на назву курсу без відповідного сертифікату, читач почне розпитувати вас про причини такої незавершеної дії. І якими б вони не були, це не на вашу користь.

5. Рекомендації. Якщо маєте дозвіл вказувати імена, позиції та контакти в резюме – зробіть це. Але спробуйте обмежити список людьми, з якими працювали в останні рік-два. Адже інакше вони матимуть дуже загальне уявлення про вашу ситуацію та вагатимуться робити припущення. Найкраще в резюме виглядають рекомендації прямого керівника або внутрішнього чи зовнішнього “замовника”, який безпосередньо отримував користь від вашої роботи.

6. Волонтерський досвід та суспільна активність. Навіть Forrester та Gartner беруть до уваги ці критерії, коли оцінюють компанії, а про конкретних професіоналів годі й казати. Якщо ви здатні підняти п’яту точку та піти зробити щось для спільноти – це обов’язково треба вказувати в резюме. По-перше, це унікальний досвід, а по-друге, так ви засвідчуєте, що на вас можна покластися не лише тому, що вам за це платять гроші.

7. Медіа-активність. Якщо маєте блог, акаунт на GitHub, фейсбук-сторінку чи ще десь ведете професійну або колопрофесійну діяльність – не соромтеся вказувати це в резюме. Просвітницька діяльність, коміти в опенсорс проекти, виступи на конференціях тощо – все це може бути цікаво потенційному роботодавцю. Адже цілком можливо, що він шукає не просто працівника, а ще й представника компанії в медіа та на профільних заходах.

Якщо маєте питання на тему складання резюме – тепер для цього є спеціальний канал #career-advice в Discord-сервері Ukrainian Cybersecurity. Молодші колеги можуть ставити там питання, а досвіченіші – відповідати, в тому числі приватно, або навіть голосом.

Своєю чергою, я спробую допомогти покращити якомога більше ваших резюме. Досвід відбору більше сотні спеціалістів з безпеки треба якось використовувати. Але зважайте, що останній раз я писав CV років зо 10 тому, отже розцінюю цей процес виключно з точки зору роботодавця. Тому моє власне резюме не є зразковим прикладом.

My thoughts about Pentest vs Bug Bounty debate

I have been in pentesting and appsec business for a while. For the last 10 years, I am more or less involved in security assessments of various kinds. I have started as a junior security engineer in a large international firm, where I did my share of scanning and translating the reports. Then I had to leave the infosec industry for a couple of years that I spent in IT audit, but I continued occasional freelancing. After that, I joined a smaller firm where I grew my first pentesting team, then another one. Currently, I run my own company and I can finally focus on building the security assessment practice the way I see it right. One question that I am regularly asked by clients, friends, and colleagues is:

Why do you still do appsec and pentests when Bug Bounties are so much more profitable?

Sometimes I joke about it, sometimes I try to explain, but normally I limit the answer to “bug bounties are overrated”. Simply because it’s true. I will not dig deep into the difference between classic consulting services and security assessments in particular, and the crowdsourced approach implemented by contemporary bug bounty programs. Instead, I will point your attention that both leading bug bounty brokers have lately introduced a new service: the so-called “next generation pentest”. Which in fact is just a pentest, but provided to you by a broker that uses bug hunters as human resources. Of course, we can argue about the differences in methodology that supports the two approaches, but after a few minutes I will most probably convince you that this difference is negligible. What really matters is who does the job.

A few words about the history of the discipline. For many years the pentesting firms were so small, that they were not considered actual market players. Simply because big clients were not the fans of the idea of giving such a sensitive job to a pentest boutique. Instead, they offered contracts to the entities who already had built trust with them: accounting firms, system integrators, and even software vendors. Then, slowly but surely, smaller companies have started to gain trust too: sometimes because of a deeper focus on the subject, sometimes because they were founded by the individuals who had built trustworthy public profiles throughout their carriers. And then bug bounties emerged.

Bug bounties have offered the market the crowdsourced security assessments of unlimited scale. In other words, now “thousands of eyes” could review the security of your software and report issues, while only the first report complete according to the program rules could win the reward. Many customers were quick to jump into the bandwagon that seemed an economically good idea. Pay as you go? Better: pay as you get value! Who in possession of required funds would resist the temptation?

But as it turned out, not every customer was ready for the “thousand eyes” attention. A few did not go through any formal appsec practices prior to posting the bug bounty brief. As a result, a thousand eyes quickly emptied the budget of a program that had not had a couple of eyes looked at its scope first. So the paradigm had to evolve: now the bounties were only good for the “mature” products, that had some in-house appsec. After this and some other improvements, the balance has been found.

The ingenuity of the idea and the trajectory of its success made bug bounties a nice thing to invest in. And the investment capitalism, in short, means that fsck dividents — the growth is all that matters. But the growth has not been as intensive as expected: the market has quickly reached its capacity in both clients and human resources. Not that many customers are declaring bounties now, although many pilot the service in a private mode. Not many bug hunters become professional and dedicated full-time appsec researchers. There are super effective 1%ers on both sides. Apparently, the investors are not OK with “the flow” of operations and revenue that the field has reached. Thus, the rewind to the classic dedicated consulting/pentesting kind of services is being attempted — albeit with a certain facelift. And it will most probably work out, as the bug bounty brokers have the required trust and quality controls out there and are able to deploy trustworthy, background-checked resources. I am not sure that this will allow the brokers to sustain the growth rate that is expected from them, because the next “bug bounty boom” is not necessarily arriving any time soon. But the combination of public and private bounties and classic pentests would secure the flow.

In conclusion, I will sum it all up as I see it. Bounties offered the market the promise that Bitcoin once gave: the elimination of trust from the equation. Bitcoin never made it: not only because now you had to trust Bitcoin itself, but more importantly because people are willing to trust each other and the independent third parties who would enforce rules in case one of them decides to cheat. Neither will bounties make it. Instead, the brokers will have to take trust into account and diversify their offering accordingly.

Hackers don’t give a shit about your excuses

Most of security breaches happen because of lack of effort on security prioritization.

Most corporate security departments are engaged with procedural burden which is documented in policies and is required by management. Instead of fulfilling their direct duties, which is to protect business from cyber threats. Why is it so? Because execution of procedures is easier, as well as it is easier for them to justify their existence in such a way. We exist because of PCI DSS, GDPR, SOX, ISO 27k etc.

Most of the companies that were hacked had some sort of security policy. Why have they suffered a breach? Because paper doesn’t protect from hackers. Only rules and actions protect from hackers and malicious software (aka viruses). Rules and actions separately — do not protect, only both combined: rules + actions. Moreover, you don’t have to invent neither rules nor actions — they were invented a long time ago and are publicly available.

Based on my experience, I’ve reached a conclusion that an enterprise cybersecurity practice should start neither from a corporate security policy nor from a new firewall or antivirus. Management gets “paper tigers” and “blinking boxes” well, however this is a bad, even unprofessional start. The right thing would be to start from applying simple rules and actions and demonstrate their effectiveness. We must not have outdated OS versions in our network. All users must have long and strong passwords. Network and resources must be segmented based on business needs. Remote access should be supplied with two factor authentication. Interactive administrative access to systems should be prohibited. And so on, and so forth. One rule at a time, one action after another.

And then you will have chances not to become a victim.

Instant Messengers and URLs

What happens when you send a link?

Various stories about malware spreading over SVG files sent on Facebook were circulating over the interwebs lately. You can read more about this vector and the methods used by malicious hackers in this post, but what caught my interest was not the attack itself.

As you probably know, SVG is a vector image format that is, in fact, an XML file containing various drawing instructions and, surprisingly to some, capable of containing and running JavaScript code. For example, when opening in most modern browsers, this SVG will show you a blue circle and run an external script loaded from the redacted host.

SVG XML file — SVG file containing external JavaScript code.

This will work only when the browser is explicitly pointed to the SVG file URL or if the file is open from the disk; <img src= does not work anymore for obvious reasons.

So, when this SVG topic has popped up again, this time in the context of poor content filtering in Facebook Messenger, I instinctively thought about privacy implications introduced by this (apparently inefficient) security measure. I thought it could be a good idea to use JavaScript code delivered in SVG to check how modern instant messengers process this file format.

After a series of messages sent to my wife and colleagues, I feel a subtle hope that I will not be banned from using the messengers I’ve tested. And, of course, I have some results to share.

The good news is that Signal, Viber, WhatsApp, and both Facebook Messenger and Telegram in their “secret” modes, all five claiming end-to-end encrypted communications, were not caught cheating. Although in WhatsApp and Telegram, pasted URLs resulted in some activity originating from the client, no one else appeared in the web-server logs.

Bad news is that that’s pretty much all good news.

Starting from expected obvious: Slack does an active preview of the linked content to show it in the GUI. That’s cool; we all know that, so I use it as an example of how this kind of activity looks like for this post. So, when you send a link, the web-server serving it registers this request in the log:

54.89.92.4 — — [21/Nov/2016:16:02:31 +0000] “GET /avakl.js HTTP/1.1” 404 152 “-” “Slackbot-LinkExpanding 1.0 (+https://api.slack.com/robots)"

Where 54.89.92.4 of course is a Slack instance in Amazon AWS:

$ whois 54.89.92.4 | grep Organization
Organization: Amazon Technologies Inc. (AT-88-Z)

Let’s take a look how other messengers deal with the links.

Skype sends 6 requests from 2 hosts, both belonging to Microsoft directly. A rich company can afford that.

23.101.61.176 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

23.101.61.176 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

23.101.61.176 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

23.101.61.176 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

104.45.18.178 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

104.45.18.178 — — [21/Nov/2016:15:38:44 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) SkypeUriPreview Preview/0.5”

Telegram fetches the image once, form it’s directly owned network.

149.154.167.163 — — [21/Nov/2016:15:35:18 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “TelegramBot (like TwitterBot)”

$ whois 149.154.167.163 | grep -E ‘^descr|^person|^address’
descr: Telegram Messenger Network
person: Nikolai Durov
address: P.O. Box 146, Road Town, Tortola, British Virgin Islands
descr: Telegram Messenger Amsterdam Network

The URL sent via Facebook Messenger on mobile results in four requests from different addresses.

31.13.102.98 — — [21/Nov/2016:19:44:51 +0000] “GET /avakl.svg HTTP/1.1” 206 328 “-” “facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.120.119 — — [21/Nov/2016:19:44:52 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.123.130 — — [21/Nov/2016:19:44:53 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"
173.252.123.129 — — [21/Nov/2016:19:45:12 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “-” “facebookexternalhit/1.1 (+https://www.facebook.com/externalhit_uatext.php)"

Facebook kindly explains its behavior by provided URL.

However, when the link is sent via Facebook web-site, look what happens:

31.13.113.194 — — [21/Nov/2016:15:11:58 +0000] “GET /avakl.svg HTTP/1.1” 206 328 “-” “facebookexternalhit/1.1”

66.220.145.243 — — [21/Nov/2016:15:12:01 +0000] “GET /avakl.svg HTTP/1.1” 200 328 “https://l.facebook.com/lsr.php?u=https%3A%2F%2F*******%2Favakl.svg&ext=1479741420&hash=AcnhtJ5F7tKqGD-kIHGSbCF0-TflNMaiR9WNCxHznoOqJw" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:01 +0000] “GET /kl.js HTTP/1.1” 200 283 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:01 +0000] “GET /favicon.ico HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:03 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:04 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:05 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:06 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:07 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

66.220.145.243 — — [21/Nov/2016:15:12:08 +0000] “GET /keylogger? HTTP/1.1” 404 152 “https://*******/avakl.svg" “Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0”

As you can see, first, some Facebook-owned host fetches the SVG, and after that, there is a series of requests to “embedded” script URL, which demonstrates that the script is actually run at some “browser.”

Strangely enough, Google Hangouts haven’t shown any sign of interest in my links.

This leaves a lot of questions open. However, one thing is obvious: privacy policies are correct, and we don’t really own the stuff we send over Instant Messengers unless our comms are encrypted end-to-end.

During these tests I used awesome JavaScript keylogger by John Leitch.

Personal infosec tips for 2016

(This post has been originally posted on LinkedIn on Dec 31, 2015).

It’s no secret that the computer security threat landscape changes constantly for both private individuals and corporations. Wannabe cybercriminals, as well as the real ones, compete with nation state sponsored intelligence agencies to get the most of our sensitive data. Their toolkits and modus operandi aren’t static and neither should be ours.

Considering the ever changing personal security agenda, I have decided to update my advise on personal computer security, or personal cybersecurity if you like (however, I assume this term is irrelevant in a private setting). It may look like I am biased towards Apple stuff at several points below, but there are at least two reasons for that. First, the company has made huge progress in protecting their customers privacy lately; and second, I am a long term Apple user myself so these things are just closer to my experience. So, let’s go shopping 🙂

1. Use less software and regularly update what you use

The principal idea here is that the more software you use the more vulnerable you are. If you don’t need it or start it once a year just to remind yourself what’s it doing on your computer, remove it now. If you still use Java or Flash you should consider removing them right now. There is no reasonable explanation for keeping Flash in your system and Java is getting there too. So, unless your employer still runs some piece of enterprise crapware that requires Java for workstation clients, remove it as well. And if you can’t at least consider forbidding it from running in your browser. A lot’s been said about keeping all your code up to date, so just do it. Pay most attention to your OS and web browser and review the possibility to automate third party apps updates by using Secunia PSI or MacInformer. (Most Linux users are lucky since software updating is an essential function of all modern distros.)

2. Use a VPN service or setup your own

VPNs are getting cheaper each day because you know… NSA has made it a highly competitive market lately. You can get a single subscription for all your devices from FreedomeVPN by F-Secure or PrivateVPNAccess. Both are affordable if connection privacy is of importance to you. You can even setup your own server on Amazon or DigitalOcean and run it for the cost of one virtual instance (DO price is $5 per month + $1 if you want backups). OpenVPN AS is much easier to install and configure than a true opensource openvpn, and it has a free license for 2 concurrent users and easy to use client software for all contemporary environments (no WinMobile though).

3. Use secure communications software

There are plenty of means for secure talks and messaging nowadays. On your smartphone, OpenWhisperSystems Signal does its job of protecting your VoIP calls and text messages. It’s free and runs smoothly on iOS and Android (no luck for those three WinMobile fans I can think of). If you decide to use something else, make sure its architecture is server-less, meaning your messages are encrypted peer-to-peer and not stored anywhere in between. iMessage, although limited to Apple users, is one of plausible examples and Facebook Messenger is not.

For email, use good old PGP. GPGTools allows using it with Apple Mail easily and transparently. I am sure there is a way of installing GnuPG with your email client on Windows and Linux has been providing its users with this capability for years. GMail fans who still rely on webmail interface can do it too. So it looks like there is no excuse left for those who say email crypto is hard: it’s absolutely not for quite a while now. GPGTools is free but I’m sure you’re going to donate once you see its value.

4. Use a password manager

There is no need to remember more than a few passphrases these days. Get a password manager that synchronizes between your devices, protect it with a strong password, and generate unique, random, virtually unbreakable authentication keys for everything else. Personally I recommend using 1Password if Apple ecosystem is your friend, otherwise you can take a look at Keepass. 1Password can be free unless you need iCloud sync, and Keepass is free and opensource.

5. Encrypt your files before putting them into the cloud

Boxcryptor encrypts your stuff before your Dropbox, iCloud, Google Drive etc. synchronizes it to their servers and gets ahold of your content. There is no reason to share your precious files with someone you don’t even know personally, so encrypt them before you upload them. Boxcryptor allows you to share files securely too by adding other users to encrypted shares and granularly managing their permissions. I suppose there are other services like that, just make sure they don’t have easy access to your keys and encrypt files locally before uploading. Boxcryptor is free to use with just one cloud storage.

6. Backup everything and backup frequently

Offline storage space gets less and less expansive each year. Buy a 1 or 2 TB USB hard drive and backup your valuable files at least once a month. Most importantly, encrypt your backups and backup your encryption keys, such as PGP keys and password database. Again, Apple users are the luckiest ones since the platform allows for seamless full and incremental backups protected by contemporary crypto.

That’s it for now. Be safe in 2016.

Updated 7/01/16 — This is a really nice guide on how you can make your work with OS X more secure. It collides with some points I’ve highlighted in my post and I believe every Mac user can find lots of good advice in there.