Getting Started in Offensive Security

Information security is a large field with a variety of required skillsets and backgrounds. It also is an exciting field with many people interested in getting started. These are my thoughts on getting into the offensive security space.

Review of HackerBoxes 0021: Hacker Tracker

HackerBoxes is a monthly subscription service for hardware hackers and makers. I hadn’t heard of it until I was researching DEF CON 25 badges, for which they had a box, at which point I was amazed I had missed it. They were handing out coupons at DEF CON and BSidesLV for 10% off your first box, so I decided to give it a try.

Hacker Tracker

First thing I noticed upon opening the box was that there’s no fanfare in the packaging or design of the shipping. You get a plain white box shipped USPS with all of the contents just inside. I can’t decide if I’m happy they’re not wasting material on extra packaging, or disappointed they didn’t do more to make it feel exciting. If you look at their website, they show all the past boxes with a black “Hacker Boxes” branded box, so I don’t know if this is a change, or the pictures on the website are misleading, or the influx of new members from hacker summer camp has resulted in a box shortage.

I unpacked the box quickly to find the following:

  • Arduino Nano Clone
  • Jumper Wires
  • Small breadboard
  • MicroSD Card (16 GB)
  • USB MicroSD Reader
  • MicroSD Breakout Board
  • u-blox NEO 6M GPS module
  • Magnetometer breakout
  • PCB Ruler
  • MicroUSB Cable
  • Hackerboxes Sticker
  • Pinout card with reminder of instructions (aka h4x0r sk00l)

If you’ve been trying to do the math in your head, I’ll save you the trouble. In quantity 1, these parts can be had from AliExpress for about $30. If you’re feeling impatient, you can do it on Amazon for about $50. Of course, the value of the parts alone isn’t the whole story: this is a curated set of components that builds a project, and the directions they provide on getting started are part of the product. (I just know everyone wanted to know the cash value.)

Compared to some of their historical boxes, I’m a little underwhelmed. Many of their boxes look like something where I could do many things with the kit or teach hardware concepts: for example, “0018: Circuit Circus” is clearly an effort to teach analog circuits. “0015: Connect Everything” lets you connect everything to WiFi via the ESP32. Even when not multi-purpose, previous kits have included reusable tools like a USB borescope or a Utili-Key. Many seem to have an exclusive “fun” item, like a patch or keychain, in addition to the obligatory HackerBoxes sticker.

In contrast, the “Hacker Tracker” box feels like a unitasker: receive GPS/magnetometer readings and log them to a MicroSD card. Furthermore, there’s not much hardware education involved: all of the components connect directly via jumper wires to the provided Arduino Nano clone, so other than “connect the right wire”, there’s no electronics skillset to speak of. On the software side, while there are steps along the way showing how each component is used, a fully-functional Arduino sketch is provided, so you don’t have to know any programming to get a functional GPS logger.
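The logger this kit builds reads the GPS module over serial and writes what it receives to the card. As an added example, not the kit's own sketch, here is a plain C parser for the RMC sentence that a NEO-6M emits in its default NMEA output: it verifies the sentence checksum before anything is accepted, so a corrupted or truncated serial line is rejected instead of being logged as a fix. The sample sentence below is a constructed one, and the CSV log format is my own choice.

```c
/* Added example, not the HackerBoxes sketch: validate an NMEA sentence's
 * checksum and pull position/fix status out of $GPRMC before logging it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

typedef struct {
    int fix_valid;   /* 1 when the RMC status field is 'A' (active fix) */
    char utc[16];    /* hhmmss[.sss] exactly as the module sent it */
    double lat, lon; /* decimal degrees; south and west are negative */
} rmc_t;

/* A sentence is "$<body>*HH" where HH is the XOR of every byte in <body>.
 * Returns 1 only when the two hex digits match that XOR. */
int nmea_checksum_ok(const char *s) {
    if (s == NULL || s[0] != '$') return 0;
    const char *star = strchr(s, '*');
    if (star == NULL || !isxdigit((unsigned char)star[1]) ||
        !isxdigit((unsigned char)star[2])) return 0;
    unsigned char x = 0;
    for (const char *p = s + 1; p < star; p++) x ^= (unsigned char)*p;
    char hex[3] = { star[1], star[2], '\0' };
    return x == (unsigned char)strtoul(hex, NULL, 16);
}

/* NMEA coordinates are ddmm.mmmm (or dddmm.mmmm); convert to decimal degrees. */
static double dm_to_deg(const char *dm, char hemi) {
    double v = atof(dm);
    int deg = (int)(v / 100.0);
    double d = deg + (v - deg * 100.0) / 60.0;
    return (hemi == 'S' || hemi == 'W') ? -d : d;
}

/* Returns 1 and fills *out when s is a checksum-valid $GPRMC sentence. */
int nmea_parse_rmc(const char *s, rmc_t *out) {
    if (!nmea_checksum_ok(s) || strncmp(s, "$GPRMC,", 7) != 0) return 0;
    char buf[128];
    strncpy(buf, s + 1, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    char *star = strchr(buf, '*');
    if (star) *star = '\0';
    /* Split on commas while keeping empty fields (a cold module sends many). */
    char *fields[16];
    int n = 0;
    char *p = buf;
    fields[n++] = p;
    while (n < 16 && (p = strchr(p, ',')) != NULL) { *p++ = '\0'; fields[n++] = p; }
    if (n < 7) return 0;
    memset(out, 0, sizeof *out);
    strncpy(out->utc, fields[1], sizeof out->utc - 1);
    out->fix_valid = (fields[2][0] == 'A');
    if (out->fix_valid) {
        out->lat = dm_to_deg(fields[3], fields[4][0]);
        out->lon = dm_to_deg(fields[5], fields[6][0]);
    }
    return 1;
}

/* One CSV line per fix; this format is an assumption of the example. */
int rmc_to_csv(const rmc_t *r, char *line, size_t len) {
    return snprintf(line, len, "%s,%.5f,%.5f,%d", r->utc, r->lat, r->lon, r->fix_valid);
}

int main(void) {
    /* Constructed sample sentence with a valid checksum. */
    const char *sample = "$GPRMC,123519,A,4807.038,N,01131.000,E,022.4,084.4,230394,003.1,W*6A";
    rmc_t r;
    char line[64];
    if (nmea_parse_rmc(sample, &r)) {
        rmc_to_csv(&r, line, sizeof line);
        puts(line);
    } else {
        puts("rejected: bad checksum or not an RMC sentence");
    }
    return 0;
}
```

Flipping a single byte in the sample (for instance the status field from A to V) changes the XOR, so the same sentence with its original `*6A` trailer is rejected before any field is read.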

Overall, I feel like this kit is essentially “paint-by-numbers”, which can either be great or disappointing. If you’re introducing a teenager to electronics and programming, a “paint-by-numbers” approach is probably a great start. Likewise, if this is your first foray into electronics or Arduino, you should have no trouble following along. On the other hand, if you’re more experienced and just looking for inspiration of endless possibilities, I feel like this kit has fallen short.

There’s one other gripe I have with this kit: there are headers on the Arduino Nano clone and the MicroSD breakout, but the headers are not soldered on the accelerometer or GPS module. At least if you’re going to make a simple kit, make it so I don’t have to clean off the soldering station, okay?

So, am I keeping my subscription? For the moment, yes, at least for another month. Like I said, I’ve been impressed by past kits, so this might just be an off month for what I’m looking for. I don’t think this kit is bad, and I’m not disappointed, just not as excited as I’d hoped to be. I might have to give Adabox a try though.

As for the subscription service itself: it looks like their web interface makes it easy to skip a month (maybe you’re travelling and won’t have time?) or cancel entirely. I’m not advocating cancelling, but I absolutely hate when subscription services make you contact customer service to cancel (just so they can try to talk you into staying longer, like AOL back in the 90s). The site has a nice clean feel and works well.

If anyone from HackerBoxes is reading this, I’ll consolidate my suggestions to you in a few points:

  • Hook us up with patches & more stickers! Especially a sticker that won’t take 1/4 of a laptop. (I love the sticker from #0015 and the patch from #0018.)
  • Don’t have the only soldering be two tiny header strips. Getting out the soldering iron just to do a couple of SPI connections is a bit of a drag. Either do a PCB like #0019, #0020, etc., or provide modules with headers in place. (If it wasn’t for the soldering, you could take this kit on vacation and play with just the kit and a laptop!)
  • Instructables with more information on why you’re doing what you’re doing would be nice. Mentioning that there’s a level shifter on the MicroSD breakout because MicroSD cards run at 3.3V, and not the 5V from an Arduino Nano, for example.
  • Including a part that requires a warning about you (the experts) having had a lot of problems with it in an introductory kit seems like a poor choice. A customer with flaky behavior won’t know if it’s their setup, their code, or the part.

Overall, I’m excited to see so much going into STEM education and the maker movement, and I’m happy that it’s still growing. I want to thank HackerBoxes for being a part of that and wish them success even if I don’t turn out to be their ideal demographic.

Hacker Summer Camp 2017: Lessons Learned

In addition to taking stock of how things went at Hacker Summer Camp, I think it’s important to examine the lessons learned from the event. Some of these lessons will be introspective and reflect on myself and my career, but I think it’s important to share these to encourage others to also reflect on what they want and where they’re going.

Introspections

It’s still incredibly important to me to be doing hands-on technical work. I do a lot of other things, and they may have significant impact, but I can’t imagine taking a purely leadership/organizational role. I wouldn’t be happy, and unhappy people are not productive people. Finding vulnerabilities, doing technical research, building tools, are all areas that make me excited to be in this field and to continue to be in this field.

I saw so many highly-technical projects presented and demoed, and these were all the ones that made me excited to still be in this field. The IoT village, in particular, showed a rapidly-evolving highly technical area of security with many challenges left to be solved:

  • How do you configure devices that lack a user interface?
  • How do you update devices that users expect to run 24/7?
  • How do you build security into a device that users expect to be dirt cheap?
  • What are the tradeoffs between Bluetooth, WiFi, 802.15.4, and other radio techs?

Between these questions and my love of playing with hardware (my CS concentration was in embedded systems), it’s obvious why I’ve at least slightly gravitated towards IoT/embedded security.

This brings me to my next insight: I’m still very much a generalist. I’ve always felt that being a generalist has hamstrung me from working on cool things, but I’m beginning to think the only thing hamstringing me is me. Now I just need to get over the notion that 0x20 is too old of an age for cool security/vulnerability research. I’m focusing on IoT and I’ve managed to exclude certain areas of security in the interests of time management: for as fascinating as DFIR is, I’m not actively pursuing anything in that space because it turns out time is a finite quantity and spreading it too thin means getting nowhere with anything.

Observations

Outwardly, I’m happy that BSidesLV and DEF CON both appear to have had an increasingly diverse attendance, though I have no idea how accurate the numbers are given their methodology. (To be fair, I’m super happy someone is even trying to figure this out in the chaos that is hacker summer camp.) The industry, and the conferences, may never hit a 50/50 gender split, but I think that’s okay if we can get to a point where we build an inclusive meritocracy of an environment. Ensuring that women, LGBTQ, and minorities who want to get into this industry can do so and feel included when they do is critical to our success. I’m a firm believer that the best security professionals draw from their life background when designing solutions, and having a diverse set of life backgrounds ensures a diverse set of solutions. Different experiences and different viewpoints avoid groupthink, so I’m very hopeful to see those numbers continue to rise each year.

I have zero data to back this up, but observationally, it seemed that more attendees brought their kids with them to hacker summer camp. I love this: inspiring the next generation of hackers, showing them that technology can be used to do cool things, and that it’s never too early to start learning about it will benefit both them (excel in the workforce, even if they take the hacker mindset to another industry) and society (more creative/critical thinkers, better understanding of future tech, and hopefully keeping them on the white hat side). I don’t know how much of this is a sign of the maturing industry (more hackers have kids now), more parents feel that it’s important to expose their kids to this community, or maybe just a result of the different layout of Caesar’s, leading to bad observations.

Logistics

There were a few things from my packing list this year that turned out to be really useful. I’m going to try to do an updated planning post pair (e.g., one far out and one shortly before con) for next year, but there are a few things I really thought were useful, so I’ll highlight them here.

  • An evaporative cooling towel really helps with the Vegas heat. It’s super lightweight and takes virtually no space. Dry, it’s useful as a normal towel, but if you wet it slightly, the evaporating water actually cools off the towel (and you). Awesome for 108 degree weather.
  • An aluminum water bottle would’ve been nice. Again, fight the dehydration. In the con space, there’s lots of water dispensers with at least filtered water (Vegas tap water is terrible) plus the SIGG bottles are nice because you can use a carabiner to strap it to your bag. I like the aluminum better than a polycarbonate (aka Nalgene) because it won’t crack no matter how you abuse it. (Ok, maybe it’s possible to crack aluminum, but this isn’t the Hydraulic Press Channel.)
  • RFID sleeves. I mentioned these before. Yes, my room key was based on some RFID/proximity technology. Yes, a proxmark can clone it. Yes, I wanted to avoid that happening without my knowing.

For some reason, I didn’t get a chance to break out a lot of the hacking gear I brought with me, but I’ll probably continue to bring it to cons “just in case”. I’m usually checking a bag anyway, so a few pounds of gear is a better option than regretting it if I want to do something.

Conclusion

That concludes my Hacker Summer Camp blog series for this year. I hope it’s been useful, entertaining, or both. Agree with something I said? Disagree? Hit me up on Twitter or find me via other means of communications. :)

Hacker Summer Camp 2017: DEF CON

DEF CON, of course, is the main event of Hacker Summer Camp for me. It’s the largest gathering of hackers in the world, and it’s the only opportunity I get to see some of the people I know in the industry. It’s also the most hands-on of all of the conferences I’ve ever attended, and the people running the villages clearly know their stuff and are super passionate about their area. Nowhere do I see so much raw talent and excitement for the hacker spirit as at DEF CON.

This year was the first year at Caesar’s Palace and quite frankly, it showed. Traffic control reminded me of the first year at Bally’s/Paris: as best as they could do without any data, but still far from optimal. Additionally, Dark Tangent pointed out that they were expecting 6% growth, but ended up closer to 20%. That’s thousands extra. The rule that they do not sell out and everyone gets through the door is not without its downsides.

Overall, this year was incredible for me personally. Though I attended no main track talks, I made it to a couple of Sky Talks and some village talks, as well as a bunch of village activities. I met a bunch of interesting people who are working on interesting technical things, which is great because it reminds me why I got into this industry in the first place and what I want to be doing in the future.

The IoT village was excellent, but I wish I had gotten to it earlier to participate in the IoT CTF – it looked like a lot of fun, and their physical target range wasn’t something you see everyday. They had everything from cheap bluetooth devices to the Google Home and Amazon Alexa, and I believe this is a reflection of where we’ll see the future growth in security – the IoT isn’t a passing fad, and we’ll have millions of low-cost devices deployed and not properly managed. There’s no time like the present to get security to the front and center of the IoT device design process.

In previous years, I’d always played in the Capture the Packet contest. This year I opted out, despite having a bye in the first round, because there was so much going on and because it had consumed too much of my time at DEF CON 24. I don’t regret this decision, but it is something I missed slightly. In fact, it ended up that I never even set foot in the packet capture village! (I guess that’s what happens to villages at the end of halls?)

The “linecon” joke was never more accurate than this year – there was a line for everything! Not only did every talk have lines, but there were lines to get into the Biohacking Village, the Swag line was long (where was Hacker Stickers with our official unofficial swag?), even the line for Mohawkcon was ridiculous! (Maybe next year I just need to get a mohawk before I go there – it’s not like I don’t donate to the EFF anyway.) I’m sure this is a combination of many factors, including the growth of the community, the new venue, and the fact that it wouldn’t be DEF CON without linecon.

The DEF CON artwork is not something I normally write about, largely because I’m no artist and I barely have an eye for, well, anything, but I really thought the art was excellent this year. I so desperately wanted to rip one of the posters off the wall next to the escalators! (I have hopes one of them might appear in a charity auction at some point, but I didn’t see it at con.)

Caesar’s as a venue was okay – there was noticeably more space, but figuring out how to get between some of the areas was not crystal clear. A lot of that was on me – I should’ve done more recon of the con area. (Look for a “lessons learned” post coming soon.) My hotel room was awesome though, and in the tower right above the con space, so I had that going for me. Fingers crossed to get in the same tower next year.

Dual Core

Dual Core had an outstanding show on the Friday Night lineup. I don’t care what DEF CON calls the headliner, Dual Core is always the headliner for my music tastes. I’ve seen him perform live at least once at every DEF CON and at dozens of other events (Southeast Linux Fest, DerbyCon, etc.), and I just don’t think it would be a full con without seeing him.

Mad props to DT and all the DEF CON Goons and organizers who work so hard to put the event together. No matter how much chaos there may be, I’ve had a great time every year, and I wouldn’t miss it for the world. That’s just a part of the World’s Biggest Hacker Convention.

Hacker Summer Camp 2017: XXV Badge

In my post The Many Badges of DEF CON 25, I may have not-so-subtly hinted that there was something I was working on. While none of the ones I listed were created in response to the announcement that DEF CON had been forced to switch to “Plan B” with their badges, mine more or less was. Ever since I saw the Queercon badge in 2015, I’d had the idea to create my own electronic badge, but the announcement spurred me on to action.

However, what could I do in only 2 months? Before I created this badge, I had never created a PCB. All my electronics design work before had been on protoboards at best, and while I had assembled SMD electronics on PCBs before, I had no idea how to design with it. So, it seemed like a perfect learning opportunity.

Boy, did I ever learn. In the process of creating this badge, I created 3 separate sets of PCBs, soldered 7 finished badges, (yes, only 7 – maybe this was the most exclusive unofficial badge?), debugged numerous problems, and read way more datasheets than I expected I would.

So what did I come up with? Well, how does 48 RGB LEDs drawing up to 15W of power sound? Overkill? It totally was.

Badge RGB

Ok, maybe there’s a little too much glare there. Sorry. It turns out that pointing a cell phone at 48 LEDs rarely results in a quality photo. Let’s try it again without the blinding light.

Finished Badge

Way better, don’t you think? This is the “XXV Badge” – 48 APA102C LEDs controlled by an Atmel SAMD21 ARM Cortex M0 MCU clocked at 48 MHz. The SAMD21 runs at 3.3 V, the LEDs at 5 V, so I have a boost converter driving the LEDs based on a TPS61232. A 74AHCT125 quad buffer provides level conversion (though not really designed to, it works quite well) for the SPI signals. All told, there are 98 components, though many of them are simply things like decoupling capacitors.

I know the design is simple, but I’m no artist. On the other hand, I feel like it worked out quite well for the parties and I got a number of compliments and interest in the badge, so I’m pretty happy with the outcome for my first badge design (and first PCB!). I can’t wait to start thinking about next year!

The boost converter design & layout are approximately based on the reference design from TI, but I had to make a few adaptations due to part size and layout constraints. Fortunately, it ended up working out pretty well, and with fresh batteries, the output is well-regulated. However, running all of the LEDs at full brightness draws more current than 3xAAAs can support, causing the input voltage to the boost converter to drop and resulting either in an immense amount of ripple, or so much dropout that the SAMD21 CPU resets.
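The two paragraphs above describe the badge's data path (APA102C LEDs fed over SPI) and its failure mode (full-brightness white pulls more than the batteries can supply and the MCU browns out). As an added example, not the badge's firmware from GitHub, here is how the APA102C SPI frame is assembled, with a brightness cap derived from a simple current estimate so the worst-case frame stays inside a supply budget. The per-LED full-white current (60 mA) and the supply budget (1500 mA) are assumptions for illustration, not figures from the post; the 48-LED count is the badge's.

```c
/* Added example, not the XXV Badge firmware: build the APA102C SPI byte stream
 * and clamp the 5-bit global brightness so the worst-case current fits a budget. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define NUM_LEDS          48   /* the badge's LED count */
#define LED_FULL_MA       60   /* ASSUMED: one APA102C at full white from 5 V */
#define SUPPLY_BUDGET_MA  1500 /* ASSUMED: what the 3xAAA + boost stage can sustain */
#define APA102_MAX_BRIGHT 31   /* 5-bit global brightness field */

typedef struct { uint8_t r, g, b; } rgb_t;

/* Bytes per frame: 4-byte start frame (all zeros), 4 bytes per LED, then at
 * least n/2 extra clock pulses of 1s so the last LED latches its data. */
size_t apa102_frame_len(size_t n) {
    return 4 + 4 * n + (n + 15) / 16;
}

/* Encode px[0..n) into out. Returns bytes written, or 0 if out is too small or
 * brightness does not fit in 5 bits. */
size_t apa102_encode(const rgb_t *px, size_t n, uint8_t brightness,
                     uint8_t *out, size_t out_len) {
    size_t need = apa102_frame_len(n), i, k = 0;
    if (brightness > APA102_MAX_BRIGHT || out_len < need) return 0;
    for (i = 0; i < 4; i++) out[k++] = 0x00;     /* start frame */
    for (i = 0; i < n; i++) {                    /* LED frame: 111bbbbb, B, G, R */
        out[k++] = (uint8_t)(0xE0 | brightness);
        out[k++] = px[i].b;
        out[k++] = px[i].g;
        out[k++] = px[i].r;
    }
    while (k < need) out[k++] = 0xFF;            /* end frame */
    return k;
}

/* Worst-case current estimate, linear in colour value and global brightness. */
unsigned apa102_current_ma(const rgb_t *px, size_t n, uint8_t brightness) {
    uint32_t sum = 0;
    for (size_t i = 0; i < n; i++) sum += (uint32_t)px[i].r + px[i].g + px[i].b;
    return (unsigned)((uint64_t)sum * LED_FULL_MA * brightness /
                      (3u * 255u * APA102_MAX_BRIGHT));
}

/* Highest brightness <= requested whose estimate fits the budget (0 if none). */
uint8_t apa102_safe_brightness(const rgb_t *px, size_t n, uint8_t requested,
                               unsigned budget_ma) {
    uint8_t b = requested > APA102_MAX_BRIGHT ? APA102_MAX_BRIGHT : requested;
    while (b > 0 && apa102_current_ma(px, n, b) > budget_ma) b--;
    return b;
}

/* The case that browned out the badge: every LED full white. Encodes the strip
 * at the clamped brightness and returns that brightness (0 on failure). */
uint8_t apa102_demo_full_white(uint8_t *frame, size_t frame_len) {
    rgb_t px[NUM_LEDS];
    for (size_t i = 0; i < NUM_LEDS; i++) px[i] = (rgb_t){ 255, 255, 255 };
    uint8_t b = apa102_safe_brightness(px, NUM_LEDS, APA102_MAX_BRIGHT, SUPPLY_BUDGET_MA);
    if (apa102_encode(px, NUM_LEDS, b, frame, frame_len) == 0) return 0;
    return b;
}

int main(void) {
    uint8_t frame[256];
    rgb_t white[NUM_LEDS];
    for (size_t i = 0; i < NUM_LEDS; i++) white[i] = (rgb_t){ 255, 255, 255 };
    printf("frame bytes for %d LEDs: %zu\n", NUM_LEDS, apa102_frame_len(NUM_LEDS));
    printf("full white at brightness 31: ~%u mA\n",
           apa102_current_ma(white, NUM_LEDS, APA102_MAX_BRIGHT));
    printf("clamped brightness under %u mA budget: %u\n",
           (unsigned)SUPPLY_BUDGET_MA, apa102_demo_full_white(frame, sizeof frame));
    return 0;
}
```

With the assumed 60 mA per LED, 48 LEDs at full white estimate to 2880 mA, about 14.4 W at 5 V, which lines up with the "up to 15 W" figure in the post; clamping the global brightness field (rather than scaling every colour byte) keeps the colour ratios intact while bringing the estimate under the budget.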

Kicad design files and firmware source code are on GitHub! My production boards were produced by Hackvana.