Last week, I had my one-year anniversary in the Information Security industry, doing work related to the offensive aspect of security. Surprisingly, it has already been a year since I left my previous role from a local bank and pursued my interest in Information Security. Time really flies…
The purpose of this blog is to document my learning journey, but I have neglected it for a few months due to hectic workload from various sources, however, the good news is that I have decided to consciously remind myself to update it more often moving forward! Well, make it a “new year resolution”!
Now, back to the review…
Work
Being part of an awesome team at Vantage Point Security, I have been given the opportunity to perform technical security assessment on various organisations in Singapore as a qualified Security Consultant. I was privileged to perform manual security penetration testing on various types of web and mobile applications that belongs to renowned organisations, such as some of the best financial institutions and telecommunication companies in the region.
Something interesting is that I am usually a customer of my clients, which makes me really appreciate it when I see them taking security seriously and strive to improve for the better. Overall, I find it very meaningful to be part of this ecosystem in making products better and safer for people – it makes me appreciate the things I am doing and keep me going!
A special shout-out to my mentor, Paul Craig, Sven Schleier, Jin Kun and Ryan Teoh for making my past one-year such an awesome journey of learning! I have learnt so much from them. It is always great to be able to work alongside people who are motivated and passionate about security. I am looking forward to doing even greater stuff together in the year ahead!
Certifications
I have managed to achieve the very first milestone of most penetration testers, Offensive Security Certified Professional (OSCP), after having completed 3-months of intensive lab hands-on practices in its recommended course, Penetration Testing with Kali (PWK). I have also written a blog post about my experience gained during the 3-months period, in hope that it will be helpful to fellow like-minded aspiring security enthusiasts. If you are interested, please check out My OSCP / PWK Course Review.
Besides OSCP, I have also gotten myself the following certifications in the past one-year:
- CREST Practitioner Security Analyst (CPSA)
- CREST Registered Penetration Tester (CRT Pen)
- EC-Council Certified Ethical Hacker v9 (CEH)
“CREST is a not for profit organisation that serves the needs of a technical information security marketplace that requires the services of a regulated professional services industry.” ~ directly quoted from CREST
From my observations, I see that CREST has been very successful in becoming the go-to quality assurance organisations in Singapore when it comes to selecting vendors to work with, be it the government agencies, financial institutions or organisations from other industries. Something I like about them is that they are conducting proctored examinations, which can solve a lot of “problems” caused by people with no ethics value. It is a huge problem occurring around the world, which I am not going to cover in this post – maybe next time (I got to stay on track!).
To me, certification is one of the many forms of (technical) quality assurance that a consultant can provide to their clients before engaging them on any security assessment projects. While being certified is a good thing, quality is always better than quantity. It is essential to put the skills you learnt into practice, or it will be just another piece of paper.
Bug Hunting
My experiences in bug hunting have been some of the most devastating yet delightful moment of my past one-year. When I learnt about the existence of “Bug Bounty Program” (e.g. Bugcrowd and HackerOne), I was both surprised and excited, thinking how it could be fun to be able to find bugs on the internet and get rewarded for it. It sounded really enticing at first, especially with the thoughts that since I have been testing web and mobile applications to earn a living, it should be easy for me. However, it doesn’t take long for me to realise how naive I was to even think that way – we are talking about the internet, man! Any low hanging fruits would have already been discovered by someone else, there is nothing left lying around for me to “hunt”.
On a positive note, this simple realisation has motivated me to keep up my pace in learning all kinds of “new stuff” that are happening in the internet, such as to research on the security mechanisms and implementation of various popular web applications, development frameworks, content management systems, penetration testing techniques such as bypassing a Web Application Firewall (WAF) etc. and many more interesting stuffs.
Nowadays, I still do bug hunting whenever I get some free time before I turn in for the night, or during some random weekends. Did you noticed that I call it “Bug Hunting” instead of “Bug Bounty”? That is because I don’t only focus on programs that give monetary rewards to security researchers. I work on any programs that I find it meaningful and reasonable to test, such as companies that I personally use their products or companies that give a clearly defined scope on their Responsible Disclosure or Bug Bounty Programs.
While it may sound cheesy to say that I want to make the world and the internet a safer place for everyone, sometimes people just want to do things that they themselves feel is meaningful, worthwhile, and can make themselves feel good. Personally, to find bugs, disclose them responsibly to the vendor and getting them fixed, is something that makes me feel that way.
I am still learning and trying to get better every day. I urge all aspiring bug hunters to create a Twitter account and start following fellow bug hunters and learn from one another. As mentioned earlier, I will start posting more write-ups in my next one-year, so stay tuned! Besides reading the write-ups from fellow bug hunters, I also recommend reading the publicly disclosed bugs from sources such as the HackerOne Hacktivity or other unofficial sources such as this and this. One of the best bug bounty tips that I have come across so far is to keep trying, keep learning, and never give up.
I have had my fair share of achievement over the past one-year and I feel really honored to be recognized by the 10 following organisations and have myself enlisted on their Security Researcher Hall of Fame:
- Netflix
- Nokia
- Adobe
- Sophos
- CERT-EU
- Bitdefender
- Jet.com
- Schuberg Philis
- Silent Circle
- Constant Contact
While I cannot disclose the details of the vulnerabilities that I have discovered, I might write a blog post next time on some of them – with all information masked, of course.
Security Research
Life is full of challenges, it is how you responded to them that makes a difference to your life ~ Source
We security folks always challenge ourselves in many things – some people challenge themselves to earn 50k in slightly over 1 month, some people challenge themselves to earn 30k in 30 days – we all like to set milestones and work towards it. For me, I am not at their level yet, but one-year ago, I told myself that I want to find a zero-day too. It seems impossible at first, but I was inspired by one of my colleague, Bernhard Mueller, during one of the project engagement that we did together and made me felt that I can do it too. The influence is real. I would download the same software or application development framework and look for zero-days; this is something that I will not do in the past. He have also written and article about why you should be looking for zero-day vulnerabilities during penetration testing. As time goes by, it has become a habit for me to look for zero-days during penetration testing engagement as well.
Of course, it is easier said than done. Most of these commercial and/or open source software were already being thoroughly tested prior to their releases, so it is very difficult to find any legitimate bugs in them. I have gone through my fair share of hardships, gained tons of knowledge along the way as I constantly failed and was ultimately lucky to have found a few zero-day vulnerabilities on some commercial products used by large enterprises.
It is worth mentioning that TIBCO is an organisation that values security. They take security report seriously and replies promptly to security researchers. It was great communicating with them.
- CVE-2017-8042 – Pivotal – Stored Cross-site scripting (XSS) vulnerability in Spring Batch Admin before 1.3.0
- CVE-2017-8043 – Pivotal – Cross-site request forgery (CSRF) vulnerability in the Spring Batch Admin before 1.3.0
Both of the above issues were reported in March 2017 and has been confirmed by Pivotal that they will not be addressing them as the software is going to reach End-Of-Life (EOL) by the end of 2017. The recommendation is for users to migrate to another product, Data Flow. They have recently put up a notice too.
Currently, both CVE trackers are pending Pivotal to publish them online, they have not confirmed a date yet.
While they were not high-severity vulnerabilities that could lead to Remote Code Execution (RCE), they were good enough of a start for me. They were genuine bugs on the software, undiscovered and hence left exploitable by malicious attackers, and my research/report did helped the software company to improve their products, which are used by many enterprises all over the world.
Next up is an interesting bug that I found while working on one of the private BB program. They are using the PRTG Network Monitor, which is an application that help organisations to monitor their systems, devices, traffic and applications that are using common technologies like SNMP, WMI, SSH, and many more. I shall restrain from providing too much information for now, maybe a write-up after the latest version and release notes has been officially released.
- CVE-2017-????? – Paessler AG – pending security patch and release notes
Lastly, I attended the Cybersecurity Camp @ Singapore 2017 which was organised by the Singapore Cybersecurity Consortium (SGCSC) earlier this year and learnt about fuzz testing for finding vulnerabilities. Having equipped with this knowledge and its theoretical understanding for a few months, I finally put them into practice after being encouraged by Jin Kun as he shared his own success story of having discovered many zero-day vulnerabilities through fuzzing.
Being inspired and motivated to do my own fuzzing as well, I learnt many things along the way, specific to how to fuzz an application efficiently, how to fuzz an application library, how to optimize my virtual machines processes for better performances, how to fine-tune my fuzzer, how does different fuzzers mutate or identify different paths within an application flow, how to compile binaries using different compilers and buildsystem, how to analyse a crash, and many more interesting stuff that I never thought I would learn. After some time of fuzzing, I have discovered 3 CVEs on BinChunker, the issues has been fixed and changes are being pushed to various Linux distros as I am writing this blog post.
- CVE-2017-15953 – BinChunker – Heap-based buffer overflow
- CVE-2017-15954 – BinChunker – Heap-based buffer overflow
- CVE-2017-15955 – BinChunker – Memory Access Violation
There will be a short write-up on this soon.
While BinChunker is not a very popular tool based on Debian popularity contest statistics and there was no RCE exploit developed for the discovered vulnerabilities, it was very satisfying. I really enjoyed the experience from discovering these vulnerabilities to reporting them and eventually getting them fixed. It’s great to see how people react and appreciate the findings you discovered and then work together to fix the problem as a team. Information Security is a super awesome community where people help one another to make things better!
Community Projects
Have you checked out the OWASP Mobile Security Testing Guide (MSTG) already? If you have not, then you probably should.
The MSTG is a comprehensive manual for mobile application security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Verification Standard (MASVS). You can also read it on Gitbook or download it as an e-book.
I was fortunate to work alongside the project leaders of MSTG at work and since I know nothing about mobile application security testing back then, I was highly encouraged by Bernhard to use the MSTG as my “study material” and if I find anything missing, I can research on them separately and contribute to this community project by submitting a Pull request. Well, it makes sense – since I am going to research on those things to learn anyway, why not share the knowledge with the community and help fellow aspiring security enthusiast in their learning as well?
With consistent contribution of quality content for a few months, I am humbled to be acknowledged as one of the “Top Contributor” for the OWASP MSTG project. If you are someone whom is interested in mobile application security, I highly encourage you to read through the content and create a pull request if you find anything missing. Once you start submitting those pull requests, they can become quite addictive.
Academic
This is the last section of the review. Some of my friends know that I am currently a part-time student enrolled in Master of Computing (Infocomm Security) at National University of Singapore (NUS). My first semester was hectic, having not been studying academic syllabus since graduated in 2014, however, things went well thanks to the support of family and friends (special shout-out to Zhan Teng, Julian Tan and Jiqing for being super awesome teammates!). The second semester is coming to an end soon and of course, with tons of submission deadlines to meet in the next few weeks and a few exams to clear!
Other things worth mentioning are some of the more interesting homework that I did this semester for one of my module, CS5231 – System Security, taught by Professor Liang Zhenkai. Usually when I root an android device, I use readily available tools and does not have a clear understanding about what really happened under the belly. In order to complete one of the tasks in the homework, I was being forced to step out of my comfort zone and dive into how android really works, how the rooting of android is being performed, what are the various methods to root an android device and eventually also created my own custom Over-The-Air (OTA) package to perform code execution as root; to fire up my own daemon service that can help to spawn a root shell to my client upon request.
Conclusion / To-do for the next year
Without knowing, this blog post has turned out to be a long article. Personally, I find it worthwhile and meaningful to just sit down, think-through and review about what I have done in my past one-year in the industry of Information Security. I feel that everyone should do something similar and then think about what they want to do in the next one-year.
The reason for me to post this article is also to put some pressure on myself and make sure that I achieve the goals which I said that I want to achieve in the next one-year. Next year, I am going to look back at this article and question myself.
In the next one-year, I intend to work on other CREST certifications, such as the CREST Certified Infrastructure Tester (CCT INF) and/or CREST Certified Web Applications Tester (CCT APP). Like I mentioned above as well, I like how they are conducting proctored examinations here in Singapore and I find that they can be great milestones to challenge myself in the next one-year.
Another certification which I am looking forward to challenge myself with is the Offensive Security Certified Expert (OSCE), which I intend to sign up for its course, Cracking the Perimeter (CTP), in the next few months. I need to try harder! #TryHarder
In view of the OSCE certification goal, I hope to focus more on low-level stuff, such as to improve my exploitation techniques, exploit development skills, etc., which are things that I don’t have much experience with now, but are useful skills which I am very keen to pick up.
In the next one-year, I hope to continue to hunt for bugs and keep up with the learning. I also aim to post write-ups on any interesting bugs, if I am given the permission to do so.
Other things are write-up on CTF labs such as the Bandit from OverTheWire and practice machines such as Kioptrix from Vulnhub.
For work, apart from Web Application and Mobile Application penetration testing, I hope that I can have opportunities to gain more exposure across the Asia region and get myself involved in different types of engagements, such as ATM Hacking, Red Teaming and Wireless Hacking. There are so many things to learn, I can’t wait anymore!
I also aim to develop my own Burp Extender module that can help to improve my productivity. At least my first extender module should not be too complicated, I just need to get started with something, start small, gain the knowledge and momentum before targeting something more complicated. If you have any interesting ideas that are not too complicated, please share in the comments section.
Lastly, as part of my Master course requirements, I need to complete a one-semester long research project (3-months duration). I can choose between an academic project proposed by one of the NUS professor, or an industrial project proposed by a company in the industry. I have not chosen any topics yet, but I hope that I can work on something useful to my field of work, to not only clear my course requirements, but also allow me to learn practical techniques and knowledge that are relevant to my area of interest. That way, I will have enough interest to continue to work on it after the 3-months duration. If there is any potential projects related to offensive side of security and not too complicated/simple, I would love to know it.
I hope that the next one-year will be even better and full of learning opportunities for me! Till I blog again.