Getting into InfoSec, Staying out of trouble

When people find out what I do for a hobby, I get very mixed reactions. Some people hear “Hacking” and think I’m an evil person trying to steal their identity, credit card or any number of things for personal gain, while others respond with more of a “ZOMG THATS KEWL!!!!!!!!ONE!!!!”. Both reactions tend to get annoying, which has caused me to stop openly talking about InfoSec unless I know the person I’m talking to shares my interest.

On my blog, I couldn’t care less if you agree with me or not… it’s my blog. You don’t like it? Leave. Makes no difference to me. However, what DOES bother me is that it seems that 99% of people out there still don’t view InfoSec/Hacking as a needed function in business and in life.

One obstacle facing anyone trying to break into the Security world is getting hands-on knowledge without breaking the law and putting a quick end to your hobby by ending up in jail. I’ve also heard that people can’t set up a lab because they don’t have money for multiple computers, or can’t risk breaking a desktop with a bad exploit. While I understand that, you ARE going to have to take some risks. These risks can be minimized by using a virtualized lab solution. I personally use VirtualBox and run any of the test hosts I would like. I even have a virtual copy of my real server, so I can test the impact of patches/hacks on the virtual copy without causing downtime to the server itself.

VirtualBox gives you a lot of leverage to test things, though you will need to supply your own licenses for Windows (Microsoft does offer 90-day demo versions of some of their products online). With a virtual host, you can test any number of tools, commands and client-side attacks, and play to your heart’s content, because it’s YOUR system. How can it be wrong to break your own passwords, or steal your own Facebook session? It’s NOT. But just because you’re on a virtual machine DOESN’T mean it’s okay to hack into a website or service you don’t own or have explicit permission to test. It’s one thing to steal a session ID from your own host, it’s another to brute-force against … they would likely press charges, even for you hacking only your own account, because your attack would put their other customers at risk of breach.

Pay attention to the Law of Unintended Consequences: just because you didn’t MEAN to do something doesn’t make it “okay”. I was once mentoring a kid who came to me saying “I’m trying to brute force TELNET on this IP, but I can’t get in”. Instead of simply offering help, I first looked at the target (which happened to be a BANK), then told the kid to make sure he actually does recon on his targets before he tries to randomly attack some host he found with an nmap scan. This is why I suggest working inside a lab environment: you know your hosts, you have control of the boxes, and it’s all up to you. If you start looking to the internet for targets, you WILL put a bullseye on your own forehead.

What should you do if you accidentally breach something you didn’t intend to? Well… LEAKING it is a horrible idea. That’s one thing that has shocked me about the Anonymous community at large (and all the little sub-factions). While some have honest intentions, the methods are wrong and leave collateral damage everywhere. If you get tracked, and someone asks you if you did something, be forthcoming and offer to help fix the problem, or at least offer to SHOW them how you breached their security.

When I find a problem on my corporate wireless network, I bring it straight to the networking and security teams, and work with them to show them the problems and their scope. In turn, they ask me to find everything I can, because they don’t have the staff to spend 24/7 hunting for bugs or exploits on the corporate network while they are putting out fires from users downloading viruses and trying to secure the Intellectual Property.

Use encryption, and employ good passwords. Yes, I said passwords, plural. It is not enough to have a single strong password that you use for all your accounts. This is a topic for another time, but it ties into staying out of trouble: make sure that any of the data you DO have is encrypted, and not readable to anyone who might breach you.

I would suggest picking your friends wisely and not making enemies. Not everyone in this business has your best interests at heart, and if you are really interested in InfoSec, you should practice the greatest trade secret: keeping secrets, starting with your own identity and personal information. Don’t go around screaming your name, and don’t draw attention to yourself. And for heaven’s sake… if someone DOES help you, thank them. If they tell you confidential secrets… don’t open your mouth. This community is tight-knit, and if you are found to be untrustworthy, word will spread within minutes and you will get no help from anyone again.

So, the overall moral of the story: set up a lab (virtual machines, or physical if you have the resources), make friends not enemies, and lastly, for the love of god, keep your head out of your ass!