The self-directed cybersecurity training journey that I have been sharing here since I started it has led to my being hired as a pentester at Okiok.
This new Canadian adventure inspired me to write a cyber tale.
Once upon a time, there was a great, great kingdom called the Internet, in which there exists a distant and invisible territory: Cyberspace.
This undefined space holds the kingdom's greatest sea serpents. These colossi, hidden beneath our earthly oceans, whisper the tiny, small, medium, large and very large secrets of its inhabitants, who are called Internauts.
These Internauts, dressed in red, blue, purple, black or still other colours, each have their own particular way of living in the kingdom.
The blues defend the kingdom; the reds prepare the blues by staging mock attacks that consist of quietly capturing flags on the territories to be defended. The purples do both, and finally the grey-blacks have far murkier plans.
The latter wear different shades of black. Their emblem is a hoodie in their colour that hides their eyes.
Some of them campaign for political or social causes, noble or not; others seize the riches of the kingdom and of the Internauts; and still others devise intrusion strategies that could destroy the kingdom and its inhabitants.
Faced with all these characters of good and bad intentions, I wanted to get involved with those dressed in light colours, whose eyes shone with a kindly glow.
That is when I learned that just around the corner from my street, Okiok, the first to have wanted to protect the Internet and its inhabitants, was recruiting light-coloured Internauts.
With a curious and determined step, I went to meet him, because I wanted to be part of his team.
And so we talked about my travels in the kingdom and his missions to keep it safe and free, and he invited me to capture some flags as a first trial.
A few days later I learned with great joy that I was going to join his team. Overexcited, I hurried to join him in his winter country, where he welcomed me warmly with a « Welcome to the family ».
I had finally found the definition of cybersecurity: trust and kindness.
One of my goals in this ethical hacker challenge was to volunteer for a GREAT organization. This is what I did with Radically Open Security, who welcomed me as an intern for six months.
How did I get this opportunity?
When I started to work in IT, I quickly had concerns about the lack of safety on the Internet.
Therefore, my curiosity and thirst for learning led me to wonder about the construction of a safer cyberspace.
This quest has shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
This initiative was obvious to me and in line with the values I want to promote.
Transparency is the central point of this company and its business model is a promise of a better social future.
What is Radically Open Security?
« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants. »
At ROS everybody works remotely.
Wait! Not for profit?
Yes, not for profit! Let Melanie Rieback, co-founder and CEO, explain this to you:
What service do they offer?
Penetration testing, ethical hacks and social engineering
Participation in the creation of a Capture-The-Flag (CTF) game
ROS helped to build a CTF for the CyberHeroes week of the non-profit organization Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in cyber; I built a list with many heroes from the cybersecurity world, plus cryptography and cybersecurity resources.
Observation of pentests
I was added to some pentesting channels on RocketChat, a chatroom that was used for work communication. This way, I was able to peek over the shoulders of pentesters and see how they work and how they communicate with the client, as the pentests are completely available to the clients from the beginning to the end (this is one of the core principles of ROS).
Review of pentest reports
I was able to read and review some pentest reports. This really helped me see how proper pentest reports are built, what pentesters look for while pentesting and which tools they use.
Improvement of the onboarding manual for new staff members
When I onboarded I was provided with an onboarding manual. As I encountered some little problems setting up my work environment, I added some entries to the onboarding manual in order to help future onboarders who had the same configuration I had.
Creation of a wiki page with relevant onboarding information for new staff members
ROS wanted to improve the onboarding process and provide onboarders with resources and useful information.
This is why I created a wiki page with many resources for every type of position (project management, software development, pentesting, …). I also added a section for general information about ROS.
After setting up this wiki, I invited everyone to contribute and share their knowledge with relevant links: their favorite tools that help them in their tasks, great articles they've read, anything they would find relevant.
Submission of a process for improving internal training
We wanted to improve the internal training; that is why I created a document proposing some ideas on the subject.
Helping a coworker with the use of GitLab (Radically Open Security's file storage system)
One of the other interns was new to GitLab. As I had previously encountered Git and worked with it, I was able to help.
Organizing folders in GitLab
ROS puts their projects and documentation on an internal GitLab system. I updated the organization of the folders.
Use of PenText and XML
« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS; they open-sourced it and made it available on GitHub.
In order to use PenText you need to know XML.
I really enjoyed using PenText. XML is really useful and you get to generate great-looking documents. This saves a lot of work, mainly for pentesting reports, but it can also be used to save time on other types of reports.
What did I get from this experience?
As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holacratic system works in a company. This system, in which everyone has a place and a voice, has been a beautiful discovery.
On a more technical aspect I have used many tools such as Pentext.
Finally, I appreciated working remotely because it requires a personal work organization that invites one to be autonomous and rigorous.
During my internship at Radically Open Security, I had the opportunity to help with the building of a CTF made for the CyberHeroes week of Cyberworkplace. I found Cyberworkplace's initiative so great that I asked if I could volunteer for the CyberHeroes week. They not only accepted that I volunteered, but also invited me to come as a participant.
What is Cyberworkplace?
Cyberworkplace is a Dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source: https://cyberworkplace.tech/wat-is/)
What is CyberHeroes?
« CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)
Day 1: Cryptography and Lockpicking
Philip Zimmermann gave a great talk about cryptography and data protection.
He described the evolution of the Internet and the impact it has had on privacy.
Oscar Koeroo started his workshop with a talk about his work at KPN and how they handle security.
In 2012 KPN got hacked; that year they decided to set up a Security Operations Center to handle such incidents better.
KPN's CISO Strategy and Policy is made available to everyone here.
After this introduction, he started explaining cryptography concepts.
He then detailed RSA encryption.
Finally we practiced RSA encryption, encrypting our own messages with our own numbers.
He mentioned a very good tool to help us with the assignments: WolframAlpha.
We ended the day with lockpicking; now I really want to buy my own lockpicking set! 😀 It reminded me of the video game Skyrim, except it is much easier with a joystick^^
Day 2: CTF with Radically Open Security
In the morning, Daan Spitz was introduced and the CTF started.
Daan works for Radically Open Security, who sponsored the event and provided a CTF that he made.
In the afternoon, Melanie Rieback, CEO of Radically Open Security, was introduced; she presented ROS and gave a great demo talk about cracking passwords.
We cracked the password « TreeHouse1234 » in less than 33 seconds!
Demo and slides can be found on ROS's GitHub.
Day 3: On a boat with the Dutch Police
On day 3, we spent all day at the Seaport Police of Rotterdam.
We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
The Cyber Resilience unit has different goals:
Awareness of cyber threats and risks by citizens, corporations and other organisations
Know how to act: reactive, preventive, pro-active
Work together to share knowledge and new opportunities offered by technology
Resulting in continuous growth of cyber resiliency
From cyber security to cyber resilience
From reactive to pro active thinking and acting
Catching the advantages of cyber with an open eye for the risks
(source: Police officers' talk)
Then, we had a CSI-like challenge and a Police Patrol Boat Adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (the largest in Europe).
In the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing takeover of Hansa Market, a dark web marketplace.
Hack_Right is an initiative to help young hackers who committed a small crime to get back on the right path and use their skills for ethical hacking.
It consists of 4 modules:
Restorative justice: if you commit a crime you break your connection with the victim; to repair this, you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
Training: ethical and legal boundaries
Coaching: personal connection between coach and offender. This involves providing longer guidance to the offender, linking them to someone from the community.
Alternative: indicates the opportunities on the labour market and teaches young people where to develop their talents
(source: Floor Jansen’s talk and Mediawijzer’s article)
Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence
In the morning, we worked on « Make it Smart ». Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.
In the afternoon, we visited Cybersprint at The Hague Security Delta.
Cynthia Schouten gave an introductory talk and a tour of the campus. We visited Hogeschool Leiden's IoT lab, where we were introduced to a mixed reality tool that aims to train students in forensics with simulated crime scenes.
Then, we visited Splendo, who introduced us to their smart bike lock project for X-bike.
After the tour, Peter van Eijk, who works at the municipality of The Hague, presented the Hack Den Haag CTF, a CTF to help the city of The Hague be more secure.
Finally, Soufian El Yadmani gave an amazing talk about his journey into cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint after winning a CTF. He and his team travel to many CTF competitions.
His secret to being a good ethical hacker? Practice, practice, practice!
After our visit to The Hague Security Delta Campus we went to the US Ambassador's residence for a reception for the CyberHeroes program. There, Peter Hoekstra, the US Ambassador, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders spoke.
The Ambassador is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!
Day 5 and 6: Trip to Leeuwarden, no escape possible 😀
On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
Leeuwarden is a beautiful historical city in the north of the Netherlands that was European Capital of Culture 2018.
The CTF gave us the opportunity to learn a lot.
After all this hacking we had to go to jail… just joking, we simply spent the night in a former prison: Alibi Hostel.
But before going to sleep, we took part in a great escape game made by Henk van Ee, founder of Cybersafety4u, in which we had to unlock a hacker's phone.
To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
Needless to say, I was very proud to participate in and help with this great adventure.
I would like to take the time to thank Radically Open Security (Melanie and Anh), without whom I would not have heard about Cyberworkplace.
Thanks also to Anouk, Nasya and Maria from Cyberworkplace, who welcomed me for this week.
They all did amazing work and I would definitely recommend that everyone who has the opportunity take part in a week like this. Volunteer or help Cyberworkplace any way you can; they do such amazing work for students and cybersecurity lovers.