Our team has grown slowly and deliberately from a single person at the start to a nine-person team in 2021. Some things that work well enough on a small team need more thought as the group expands. With that in mind, we are encouraged and continuously reminded from the day we are hired to challenge our status quo and enabled to suggest and adopt changes.
Embracing that opportunity means our internal processes and approaches evolve as each new person joins the team and adds unique perspectives. As a global team, our views are as varied and diverse as the individuals providing them.
We have internal core values and guidelines for working together as a fully remote and distributed team that might be worth sharing in future posts. We have a clear mission, which I’ll share here to save you a few clicks.
We help information security teams focus on making systems more secure by reducing the overhead of managing and discussing the outcome of the security assessments they perform for their clients (whether these are inside their organisation or outside of it).
Not too long ago, we realized that there is a bunch of info about Dradis out there – how it works, what it does and doesn’t do, how to use it, etc. Still, not much is available to help the community understand the people and company behind the tool. Taking inspiration from companies like Balsamiq, we decided to do something about that gap. Now, we’ve put into words what we believe to share with you and the ideas that give us a yardstick to measure our decisions against. Without further ado:
We are here for the humans. At the end of the day, the work done in infosec is for and about humans. And as messy as humans are, that can make this work frustratingly complicated. Sure, scanning tools and blinking boxes can handle some of it – but pulling everything together requires a human. We are here to make it simpler for you to be human by getting the time sucks out of your way.
Infosec is a team sport. Just like information systems are interconnected, so are the different folks involved in securing them. Sharing clear information and thinking creatively together is often critical to solving the problem at hand, so let’s do more of that well.
Customers + Vision = Roadmap. We don’t have an official roadmap, but that’s not to say we don’t have plans. We’ve got big ideas on how this industry will continue to evolve and how we can best serve you and your customers. That’s why we reach out to our customers and invite your feedback.
It’s your data. You keep it. Whatever data you put in Dradis, is yours, and we like it that way. We respect your privacy and that of your customers like we value our own. We trust that you will let us know how we can improve and make a better product.
These declarations of what we believe are posted on our website so you can revisit them, and new users can easily find them. These beliefs may change as we grow as a team and new voices are added, and as this industry faces new challenges. I hope you’ll help us stay accountable to these beliefs and call us out if you see us not operating consistently to them.
Another Hacker Summer Camp is in the books. As always, there was a lot to see and do – more than any single human could hope to fit into a month, much less a week. Even so, I made it to Black Hat Tools Arsenal, BSides Las Vegas, DEF CON, and volunteered for the Diana Initiative. After a year and a half of working on the Security Roots team, I met Daniel in person and we promptly started talking shop in the middle of a Mandalay Bay hallway. I took a few hours to celebrate a milestone with a fantastic dinner and show. All of that in six days and though it was exhausting, I can’t wait to return.
My introduction to the hacker community was at BSides Orlando a few years back. Initially, I admit that was a bit intimidated to attend a hacker conference. Portrayed in the media as egotistical superbrains or criminals hiding beneath black hoodies ready to drain your bank account, hackers aren’t presented as a welcoming bunch. While those elements exist, what I found there and continue to experience was a group of people eager to share their knowledge and answer my constant questions. The energy and collaborative spirit of the community had me hooked. I was hungry to learn more and later that same year, I volunteered at BSides Las Vegas.
BSides Las Vegas
This year I returned to BSides Las Vegas as a volunteer with the Diana Initiative. Thanks to the generosity of BSides we had an early check-in table for Diana attendees. Much of my day I spent sharing details on the Diana Initiative from how it began, where to find tickets, to how to get involved. The overwhelmingly positive feedback was supportive of the need to increase diversity in information security. I didn’t much chance to check out the talks but there are a few on my list to watch.
Black Hat Tools Arsenal
Black Hat is the corporate side of the whole week and had a slightly different energy. I joined Daniel for the Dradis presentation at the Tools Arsenal. In my mind, I would show up in my Dradis shirt, hand out a few stickers, and take pictures of Daniel showcasing Dradis CE. Once there, I embraced the opportunity to chat with customers and talk with people about Dradis. I found myself repeating, “If it has been a while, give Dradis CE another look – so much has changed.”
DEF CON 27
It can be challenging to make connections at a conference this size. Unlike other large events I’ve attended, smaller distinct groups within the con space allow you to focus your attention and find like-minded folks. No matter your interest, there is a group. There are villages, workshops, talks, meetups, parties, and one of my favorite spaces – hallcon. Finding someone to talk to is pretty easy since #badgelife has most attendees wearing roughly a pound of gear on a lanyard around Las Vegas. This year’s DEF CON badge game worked particularly well to strike up hallway conversations while asking to “boop” someone’s badge.
Our staff pirate Christoffer’s post piqued my interest in maritime security, so I made it a point to stop by the inaugural Hack the Sea village. There was a good bit of discussion about the security of our seas even in casual conversation outside of the village, ranging from ICS to the antiquated technologies observed or used onboard. I visited the IoT village long enough to swear off of my existing IoT devices (but not really). While I was there, I cheered on friends that were competing in the IoT CTF.
The evenings held additional opportunities to connect with other attendees, just as varied as the talk and villages. Who doesn’t love a blanket fort? Blanketfortcon has you covered (see what I did there?) with an adult size blanket fort and bounce pad. Hacker Jeopardy is always hilarious, but I laughed the hardest during “Whose Slide Is It Anyways” watching contestants present using a slide deck they had never seen. Parties ranged from bass-thumping events going long into the early morning to more subdued gatherings with board games and great conversation.
If I am up at 6 am in Las Vegas, it is for one of two reasons; I am still up from the night before or I am volunteering somewhere. These days it is 100% the latter option, and I was excited to join the Diana Initiate staff to run registration. It turns out I particularly enjoy running registration and check-in, which I can only attribute this to having a generally sunny disposition and a love of spreadsheets. After months of hard work with the rest of the team, it was a gift to greet attendees, speakers, and sponsors and to witness their excitement for the days ahead.
Diana Initiative has grown from its initial years held in hotel suites and for the first time organized convention space at the Westin. This year Diana Initiative had 65 speakers across three tracks that covered both technical and non-technical skills, several villages, and a CTF. It was a nice break from the noise and crowds of the DEF CON and fostered a welcoming environment for attendees, many at Hacker Summer Camp for the first time. The quieter gathering, smaller size, and inclusivity made for an inviting atmosphere to new faces and established security professionals alike.
Do the thing.
Attending camp this year felt different than my last visit. There are noticeably more women in attendance, to the credit of organizations like WoSEC, WISP, Women’s Society of Cyberjustu, and Diana Initiative. There was plenty of evidence of the work that organizers and volunteers have put in to create an inclusive and safe week including the DEF CON support hotline and improved Code of Conduct. It was incredibly inspiring to connect with the many people that are elevating diversity and bringing change in this fantastic community.
Throughout the week, everyone I spoke with remarked that there is room for everyone in information security; quoting struggles finding qualified candidates and too-large workloads. Increasing the number of women not only brings more workers to the industry, but each person brings a unique lens to approach privacy and security challenges. No matter who you are or what your background, consider this your invitation. Show up, do the work, learn the things, and take your place. And then, share what you know. See you next year!
I have now completed the first course in my queue! Since the last post, I have been digging into website hacking. This is of course a big area and a massive element of day-to-day information security. I went through various avenues and implementations of SQL injection attacks, XSS (Cross Site Scripting) attacks, and more. I also learned about protecting against these sorts of attacks, and had a brief introduction into how vulnerability scanning can be automated with scanning tools. Of course, once you have your scan output ready, put it into Dradis and produce a custom no-fuss report!
Trying out the SQL injection procedures was based on attacking a fake vulnerable web server in Metasploitable. Insecure database calls in SQL on a website or web application can let attackers extract or modify information, or grant access even without passwords. An SQL injection vulnerability on one site can potentially undermine the security of all sites and applications hosted on that one web server. As the instructor said, if there is an SQL injection vulnerability on the target site, bingo, game over, you as an attacker can ultimately do virtually anything you want with that site.
With XSS vulnerabilities, you essentially insert scripts to run from a site. As an example, there may be a commenting feature on a web page with an XSS vulnerability, which means that this XSS script would run for all visitors to that page. What makes this insidious is that the script would run for visitors to the page, as it’s not part of the base web page. An insecure website could therefore jeopardize the security of third parties – and therefore, owners of web pages, web applications, and web hosts have a responsibility to protect their sites so third parties are not affected.
The course closed with a very brief introduction to ZAP (Zed Attack Proxy), one of many tools to automate scanning for vulnerabilities. The point of this course was to show the theory behind security vulnerabilities, and the sort of attacks that can be carried out by hackers. Now that I have been introduced to the nuts-and-bolts, step-by-step methods of attacking devices and applications, the path is open to learning more about particular focus areas and to think about scripting and automation. I do have some more studies coming up to these ends. I intend to learn more about hacking using Android, I need to learn more about networking vulnerabilities, and I would like to learn more about scripting and vulnerability scan automation through software like ZAP and Burp, both of which have official Dradis plugins. I already manipulate their plugin outputs most days when building Dradis templates, so it would be fun to create those outputs as well!
Lately I have been looking into the details of hacking through networks, and post-exploitation attacks. The idea was to get beyond the idea of trying out attacks on a second VM on the same device, or another device here at home, to the principle of hacking devices on other networks.
First up was freshening up on the basics of networking. From the “information gathering” step I should have multiple ways of potentially feeding backdoors to the target device. Then there was an exercise of doing so, using BeEF – essentially the same exercise as before, with only some minor changes to function with the outside network. That demonstrated the principle, so we moved on to a look at post-exploitation attacks.
Post-exploitation attacks were run with metasploit through veil-evasion. That generated a robust connection with meterpreter that should be essentially undetectable by antivirus programs. The challenge is of course to manage the original connection, but with that accomplished, meterpreter allows all sorts of scripts to be run as well as terminal access.
In effect, that meant running all the sorts of attacks that people should be paranoid about; keylogging, capturing screenshots of the target device, controlling the camera and/or microphone, altering the files on the target device, and so on. Fun! Metasploit has so many functions and capabilities that going through them in detail was beyond the scope of this course.
Now that the possibilities of post-exploitation attacks had been made clear, the course moved back to networking, to cover pivoting. Pivoting allows hackers to target other devices in the same network as an infected device. Even if the hacker’s device has no access to the final target devices, if they can attack a device in the same network as the final target, they can route their attacks through the infected device. That is another cool exploit, and hammers home how important security is on servers and routers.
As the course progresses, I believe I get a far better understanding of our Dradis users’ use cases. When I build custom Dradis templates and configure projects, of course there’s always some variation of issue descriptions, screenshots, and usually evidence output. These post-exploitation attacks and network penetration efforts are exactly the sort of vulnerabilities that Dradis is set up to report, and screenshots of my work would make good evidence output.
I do feel that in the last weeks’ studies I have been heavy on the theory and observation, but light on actual practise. I intend to set up a few devices and VMs to practise attacking, and I have permission to try to attack some other peoples’ personal devices. Let’s see how that goes; beyond that, the rest of the current course covers website hacking, which will also be fun!
Lately my studies have gone over email spoofing and hooking browsers using BeEF. Email spoofing in itself is easy enough, with editable “from” fields in many email apps, but I learned a few new cool approaches to make the spoofing far more accurate, enough to fool Gmail. Browser hooking is very cool, it’s frankly shocking to see just how much can be done to a victim’s device just through a browser. Then I consider that Chromebooks are basically a PC running through a browser. The trend is definitely to make browsers even more central to electronic device usage, and I’m not convinced that the work taking place for improved browser security is commensurate with the needs for it.
Most of this Social Engineering section has been based around one simple trojan, easily created and capable of bypassing antivirus programs. Whether it’s through spoofed emails, browser redirection, fake updates, or other BeEF tricks, the delivery of the trojan has been simple. The approaches are also fairly convincing on the face of it – getting someone to open a zipped .pdf or .png which is secretly a trojan is not hard when they are convinced it comes from someone they know and trust. At first approach, the browser hooking techniques I have seen appear a little more crude and unsophisticated – why would Firefox need to redirect you for an update, for example? – but could definitely work on more casual users. Phishing login data through a fake login window is still effective, especially when it’s from a frame in the user’s current page and doesn’t involve a redirect or an obviously fake URL in the header. Capturing screenshots, and even commandeering the webcam and microphone, is of course far more insidious and unlikely to be detected once the browser is hooked.
My main takeaway from this so far is that I’m gaining a lot more respect for proper preparation work in information gathering before making the first attack. Proper research with Maltego, or just careful use of Google and social media, clearly make an attack far more likely to succeed. As I’ve noted before, this suggests we should all be far more protective of our data and privacy – but how realistic is that really in the modern age, when simply applying for jobs or keeping in touch with your friends all but requires social media accounts?
I’m also surprised at the suggested measures for detecting trojans like the ones I have made – far too manual, like checking file properties. Fortunately the OSes I use will not run malicious code without my active consent, but the way I had my Windows rig set up (back when I had one) would be far more vulnerable despite the firewall, antivirus, and VPN.
Next up is some more work on networks, e.g. for using BeEF outside the user’s network, and then going into post-exploitation attacks in more depth. Fun!
The blog title gives it away but I’m the new guy over at Security Roots working on Dradis. My name is Matt and I love to explore the world. I was born in Poland, grew up in Canada and I am currently hanging out in one of the most tech savvy capitals, Shenzhen, China. Since I am the new guy I wanted to introduce myself, give you some inside scoop, my experience working with the team and a little bit about my first assignment. 👋
Over many years I have worked on a number of web design and development projects. I pride myself in being a designer with a creative edge and although I have extensive knowledge and experience with design concepts, HTML/CSS/JS, Photoshop, Illustrator, Xd and more, I strive to continuously expand my knowledge with all the ever changing technologies. Currently, as a result of joining Security Roots, I am learning Ruby and Ruby on Rails which, I have quickly realized, it’s quite different from Python and Django. I also enjoy video production/editing using Final Cut Pro X and I have my eyes on a DJI Mavic 2 Pro. 👀
Now let me tell you a little bit about my first month at Security Roots. Initially I was drawn to the job posting because it really resonated with me and I was thrilled when I got an email from Daniel (he’s the big cheese over here if you aren’t sure who I’m talking about) and we discussed the opportunity and by the end of it, all of my needs and wants had been checked off for my dream job. I did a small test assignment, which apparently went well since I’m here, and I got to meet the team. I was a bit nervous about this since I knew everyone had been working together for a few years now and are already in the groove of things. I had all kinds of thoughts going through my mind but I was very excited to join the team. All the nervous feelings were put to rest moments after I joined the workspace as I was welcomed with (virtual) open arms by everyone. With the warm welcome I could feel there was excitement and enthusiasm from everyone that a designer has joined the team. I quickly learned that everyone is friendly, very helpful and extremely knowledgable and skilled in their roles. The work environment at Security Roots is very different from anything I have experienced before but is also the most interesting and effective one in comparison! Everyone works independently on their assignments but at the same time is always collaborating and communicating with each other. Every week there is a new topic that everyone answers in a video and posts it to share with the team. This is a great way to get to know the people on the team and promotes more of a social vibe in a work environment. Curious about what the office looks like? Where is it located? Who has the best parking spot or the prime corner view? Well this is actually one of the MANY perks of being part of the Security Roots team. We all work 100% remotely all over the world, so the office can be anything from a home office to a co-working space, or even a boat! Another great feature of being on the team is consistent personal development. Daniel is constantly encouraging us to grow and develop! Whether you want to learn something new within the industry, take a course or read a book, we have it covered. I love to learn so being part of a company that promotes personal development was very important to me. Security Roots really knows how to treat their employees! ✅
I could go on and on about the perks and first impressions but let’s move on to something you will get to see and experience first hand. The first thing I tackled during my first month on the team was a redesign and update of the user profile page. When I am presented with a new feature that needs to be designed, or a current view that needs to be redesigned, I like to make a list of objectives and goals for the design. I want understand how it will be integrated into the overall project. I do background research on the feature, and use a variety of tools to come up with a few variations of a design, then decide on the best one to continue to develop and finalize. In the case of the profile page redesign, I looked at the current design and identified what the issues were with the flow. We also decided to update to the most current version of the HTML/CSS/JS framework incorporated into the project. There was quite a bit of work to be done to make the view work in the current layout regarding HTML structure and CSS class names. I got the view into something that could be navigated and jumped over to Adobe Xd and made mock ups to see how I could make the page flow better and be more visually appealing. I decided to incorporate a 2-column view which focused on arranging the fields in a way that made more sense. I opt-ed to make the left column show the avatar and API token reset and moved all the text fields into the right column and arranged them in a natural order of flow. Once the front end components were arranged, I added some validation styling and magic to make it all work and BOOM! My first project was completed with better flow and a more user friendly experience. 💣
As a team we truly hope that the new designs are beneficial to you and look forward to any feedback from users on the new designs that will be coming soon to Dradis CE & Pro!
This week my studies took a bit of a left turn into Social Engineering. Whereas everything else so far was technical in nature, using and abusing hardware and software issues and their vulnerabilities, the most recent classes covered the most defective element of any security system – the meatbag in front of the monitor. PEBKAC indeed!
In terms of systems, I got started with Maltego CE. The interface is very user-unfriendly, but with the right walkthrough and plugins, it’s the tool I never knew I wanted! By doing plugin-based searches on all sorts of media on nodes such as persons, websites, servers, and so on, it becomes possible to draw intricate networks of connections between nodes – like a conspiracy theorist’s corkboard, only for cyber-stalking. Fun stuff!
Next up on the technical side was spoofing to bundle malicious code with a legitimate file and obscure the executable extension, as well as spoofing emails and accessing email servers to send spoof emails without getting immediately flagged as spam.
The downside of this part of the course is that it feels like it’s stretching the concept of “ethical hacking” to the limits of what can be considered “ethical”. If I spoof a VM, or a real device with the owner’s permission, for the sake of attempting a man-in-the-middle attack, I’m not hurting the device’s feelings. To even test out a social engineering attack I have to try to fool someone. I have no problems with pushing the limits of what I can find out about an entity online through publicly accessible information, as the entity in question can use that data for good (e.g. improving their personal privacy by restricting apps’ access to their data), but getting someone to “click here” feels too close to Nigerian royalty.
Even so, the shock value of a successful engineering attack can have positive effects in the sense of raising awareness. A BBC journalist agreed to let a cyber-security firm try to phish him, and they succeeded.
Did you click that link? Considering the subject of this post, did you even check if it was legit? This time it was – but what if it hadn’t been?
This week I got started with Veil. By using this software together with other techniques from the course, I could open backdoors to target devices in short order. There are two clever aspects to the approaches used. First, I was forcing the client device to connect to my Kali VM to execute the attack, rather than me connecting to the target directly. This approach sidesteps the typical defences in regular firewalls and routers. Second, the payload delivery was made to spoof the download of genuine updates, with redirects to the appropriate “Update successful!” pages once the download was complete. Alternatively, the payload could be set to be delivered together with any other download of an executable file. It could also be combined with the use of your own web server, which comes conveniently included with Kali.
I haven’t yet played around with all the things that can actually be done once this backdoor is open, but ultimately, it looks like all that is required for me to get complete access to another device are fairly innocuous things – using a WiFi hotspot I set up, or clicking a link, or attempting to update their own software. Even more striking was the demonstration that the Veil software payloads were considered “clean” by all antivirus software.
Much like “Defense against the dark arts” classes, the sequence of lectures on attack methods and vectors ended with a lecture on how to defend oneself against these sorts of attacks. Worryingly, these again boiled down to:
Always make sure you’re using HTTPS
Don’t use networks you don’t control and/or trust completely
Verify checksums of all your downloads
These measures are all more active than convenient. “I think the base consideration of one’s security is insufficiently paranoid unless one is optimistic enough about their fellow humans to not believe that anyone will go to the effort of trying to steal their data.”
There might be a point there, though. Why bother stealing data when most people give it to Google, Apple, and Facebook for free?
Now I have got into vulnerability testing tools from the users’ perspective! This week I set up a Metasploitable machine, to use Metasploit from my Kali VM to scan for vulnerabilities and generate tool output. It’s very cool to see how Metasploit had writeups on the individual vulnerabilities and procedures to exploit them right from the command line.
Even cooler was Nexpose. Again I got a solid overview of the sort of vulnerabilities found and how they could be exploited. By referring to material outside the Metasploit Community, it feels very connected to the wider InfoSec world out on the internet. The automatic report generation and automated scans were also handy features.
I have been working on some improvements to the base Dradis CE application this week as well, so this tied in neatly with the studies. I have only just started with tool output generation, and already I’m manipulating data from Metasploit, Nexpose, and Nmap, all of which are supported in Dradis. Now that I’m getting the actual user’s view of tool usage I can better put myself in the shoes of hackers starting out with Dradis for the first time to generate customised reports using data from multiple sources.
Having spent so much time with Dradis Pro, it’s fun to get back to basics with Dradis CE. I’m not bothered by not having access to Word templates. I gave up using Windows years ago, even my Steam library wasn’t worth the hassle of dealing with it – and I think there’s a lot of potential in well-made HTML templates. For my purposes, learning and experimenting at home, and showing off to the people at the sailing club bar, it’s a good tool to play with; scan with all the tools and plug all the results into a simple collated report.
Next up in the course is client-side attacks; technical exploits as well as the social engineering exploits of the PEBKAC vulnerabilities!
This week I finished up the section of the course regarding basic network hacking. I learned some more about man-in-the-middle attacks, and got started with Wireshark to start actually analysing the data packets flowing through the network. Combined with attacks to make users use HTTP instead of HTTPS, that made target data (including usernames and passwords) totally readable and even searchable.
The obvious next step was “honeypot” attacks, creating a fake wi-fi access point using mana-toolkit. Combined with methods I learned earlier, this would make every user’s data transmitting through my fake network openly visible. Once again I am struck by how easy all of this is, with freely available easy-to-use software and a cheap USB wi-fi device. I am right next to a luxury marina and I have excellent mobile internet; it would be trivial to set up a fake hotspot to appear to be set up by the town for foreign visitors, and then ultimately read the visiting yacht owners’ data.
Having covered attacks and basic fake access point creation, I learned about preventing these sorts of attacks, for example by using Wireshark to look for unusual network activity and using XArp to detect ARP poisoning. It was interesting to get a better look at more good reasons why the sysadmins of an organisation with a medium-sized or larger pool of devices face challenges protecting all their devices – hardly convenient to make the ARP tables static for hundreds of devices at once without good scripting and a good deployment system.
I have noted before that people and organisations in general seem to have a more lax view of data security than I would be comfortable with, but here at the system level, it feels a little more disturbing. Perhaps I’m missing something, but I would think standard mass-market OSes like Windows, Ubuntu, Android, and such ought to have built-in tools for monitoring network safety and at least natively allow pop-up messages to show that your router appears to have changed its MAC address or that there are duplicates in the ARP table? Microsoft regularly gets a lot of criticism for its update services, but how can their multi-GB updates not include simple utilities for guarding against MITM attacks?
By coincidence I’m looking into appropriate hardware for better internet connections on my boat, like a powerful active wi-fi range extender combined with mobile internet connections bridged into a router with failover. If I’m going to be setting up a powered wi-fi antenna on the masthead, perhaps I should look at getting one with AP and Monitor mode capability…