My internship at Radically Open Security

One of my goal in this ethical hacker challenge was to volunteer for a GREAT organization. This is what i did with Radically Open Security who welcomed me as an intern for six months.

How did i get this opportunity?

When i started to work in the IT I quickly had concerns about the lack of safety on the Internet.
Therefore, my curiosity and thirst for learning led me to wonder about the construction of a safer cyberspace.
This quest has shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
This initiative was an evidence and in line with the values I want to promote.
Transparency is the central point of this company and its business model is a promise of a better social future.

What is Radically Open Security?

« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants.  »
At ROS everybody works remotely.
(source: https://radicallyopensecurity.com/business-model.htm)

Wait! Not for profit?

Yes not for profit! Let Melanie Rieback co-founder and CEO explain this to you:

What service do they offer?

  • Penetration testing, ethical hacks and social engineering
  • Malware reversing and analysis
  • Network monitoring and threat detection
  • Forensics
  • CSIRT and incident response
  • Code audits
  • DDoS Testing
  • Cryptographic analysis
  • Custom R&D Projects
  • Workshops, trainings and mentoring
  • Misc: Embedded, Android and RFID Security

(source: https://radicallyopensecurity.com/services.htm)

What did i do?

Participation in the creation of a Capture-The-Flag (CTF) game

ROS helped to build a CTF for the CyberHeroes week of the non profit organization Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in cyber, I build a list with many heroes from the cybersecurity world, cryptography and cybersecurity resources.

Observation of pentests

I was added to some pentesting channels on RocketChat a chatroom that was used for communication for work purposes. This way, i was able to peek over the shoulders of pentester and see how they work, how they communicate with the client as the pentests are completely available to the clients from the begining to the end (this is one of the core principle of ROS).

Review of pentest reports

I was able to read and review some pentests reports. This really helped me to see how proper pentest reports are build, what pentesters look for while pentesting and which tools they use.

Improvement of the onboarding manual for new staff members

When i onboarded i was provided with an onboarding manual. As i encountered some little problems to set up my work environment i added some entrees in the onboarding manual in order to help future onboarders who had the same configuration i had.

Creation of a wiki page with relevant onboarding information for new staff members

ROS wanted to improve the onboarding process and provide the onboarders resources and useful informations.
This is why i created a wiki page with many resources for every type of positions (project management, software development, pentesting, …). I also added a section for general informations about ROS.
After the set up of this wiki i invited everyone to contribute and share their knowledge with relevant links like their favorite tools that help them in their tasks, great articles they’ve read, anything they would find relevant.

Submission of a process for improving internal training

We wanted to improve the internal training that is why i created a documentation to propose some ideas on the subject.

Helping a coworker with the use of Gitlabs (Radically Open Security’s file storage system)

One of the other intern was new to Gitlabs. As i had previously encountered Git and worked with it, i was able to provide my help.

Organizing folders in Gitlabs

ROS puts their projects and documentation on an internal Gitlabs system. I updated the organization of the folders.

Use of Pentext and XML

« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS they open sourced it and made it available on Github.
In order to use Pentext you need to know XML.
I really enjoyed using pentext. XML is really useful and you get to generate great looking documents. This saves a lot of work mainly for pentesting reports but it can also be use to save time on other types of reports.

What did i get from this experience

As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holocratic system works in a company. This system in which everyone has a place and a voice has been a beautiful discovery.
On a more technical aspect I have used many tools such as Pentext.
Finally, I have appreciated working remotely because it requires a personal work organization that invites to be autonomous and rigorous.

(source cyberheroes week flickr) During the CyberHeroes week i had the opportunity to meet Daan, Steven, Melanie and Anh from ROS.

To go further

CyberHeroes week by Cyberworkplace

During my internship at Radically Open Security, i had the opportunity to help with the building of a CTF made for the CyberHeroes week of Cyberworkplace.
I found Cyberworkplace’s initiative so great that i asked if i could volunteer for the CyberHeroes week. They did not only accepted that i volunteered, but also invited me to come as a participant.

What is Cyberworkplace?

Cyberworkplace is a dutch initiative based in Rotterdam. It « is a non-profit initiative that helps reduce the current shortage of cyber security experts in the labor market and provides much-needed 21st-century skills to vulnerable young people (dropouts/ gamers/students, who lack practical experience in their study programs).
The training/lessons given at Cyberworkplace are inspired by modern teaching methods such as peer-to-peer techniques and project-based learning. » (source: https://cyberworkplace.tech/wat-is/)

What is CyberHeroes ?

« CyberHeroes is a one-week training program that brings together twenty talented youngsters from The Netherlands and New Mexico, USA. Together they will be trained in ethical hacking skills to address current security threats. Over the course of one week they will take on hacker battles, work on CSI-type cyber challenges with local police, study the history of cryptography, learn to fight cyber crime alongside international hackers, and much more. » (source: Cyberheroes booklet)

(source: Cyberheroes flickr)

What happened?

Day 1: Cryptography and Lockpicking

(source: cyberheroes booklet)

Philip Zimmerman made a great talk about cryptography and data protection.
He exposed the evolution of the Internet and the impact it had on privacy.

(source: cyberheroes booklet)
(source: Oscar Koeroo’s slides)

Oscar Koeroo started his workshop by a talk about his work at KPN and how they handled security.
On 2012 KPN got hacked, this year they decided to set up a Security Operation Center to handle better such incidents.
KPN CISO Strategy and policy is made available for everyone here
After this introduction, he started explaining cryptography concepts.
He then detailed RSA encryption.
Finally we practiced RSA encryption and encrypted with our own messages and numbers.
He mentioned a very good tool to help us for the assignments:
Wolframalpha.

(source: Cyberheroes flickr)

We ended the day with lockpicking, now i really want to buy my own lockpicking set! 😀 It reminded me of the video game called Skyrim, except it is much easier with a joystick^^

Day 2: CTF with Radically Open Security

(source: screen of the CTF platform made by Daan Spitz from Radically Open Security)

In the morning, Daan Spitz was introduced and the CTF started.
Daan works for Radically Open Security who sponsored the event and gave a CTF that he made.
In the afternoon, Melanie Rieback CEO of Radically Open Security was introduced she presented ROS and gave a great demo talk about cracking passwords.
We cracked the password « TreeHouse1234 » in less than 33 seconds!
Demo and slides can be found on ROS’s github.

(source: Cyberheroes flickr)

Day 3: On a boat with the dutch Police

(source: Cyberheroes flickr)

On day 3, we spent all day at the Seaport Police of Rotterdam.
We had the opportunity to meet Dirk-Jan Grootenboer, Peter Duin and other great police officers. They presented the Seaport Police and their work.
The Cyber Resilience unit has different goals:

  • Awareness of cyber threats and risks by citizens, corporations and other organisations
  • Know how to act: reactive, preventive, pro-active
  • Work together to share knowledge and new opportunities offered by technology
  • Resulting in continuous growth of cyber resiliency
  • From cyber security to cyber resilience
  • From reactive to pro active thinking and acting
  • Catching the advantages of cyber with an open eye for the risks

(source: Police officers talk)

Then, we had a CSI like challenge and a Police Patrol Boat Adventure. We were able to work on our social engineering skills and see the huge port of Rotterdam (largest in Europe).

On the afternoon, Floor Jansen and Marinus Boekelo joined us to present the Hack_Right initiative and explain the amazing take over of Hansa Market a dark web marketplace.
Hack Right is an initiative to help young hackers who commited a small crime, to get back in the right path and use their skills for ethical hacking.
It consists of 4 modules

  1. Restorative justice: if you commit a crime you break your connection with the victim to repair this boundary you have to do something for the community. In this module, cyber criminals are confronted with the damage and possibly even with the victims.
  2. Training: ethical and legal boundaries
  3. Coaching: personal connection between coach and offender. This involves providing longer guidance to the offender, linking them to someone from the community.
  4. Alternative: indicates the opportunities on the labour market and teaches young people where to develop their talents

(source: Floor Jansen’s talk and Mediawijzer’s article)

Day 4: Cybersprint at The Hague Security Delta and US Ambassador residence

In the morning, we worked on « Make it Smart » Maarten van Duivenbode introduced us to smart objects and how to use them. We were able to program lights and their colors.

In the afternoon, we visited Cybersprint at The Hague Security Delta.
Cynthia Schouten made an introductive talk and gave us a tour of the campus. We visited: Hogeschool Leiden’s IOT lab, we were introduced to a mixed reality tool that aims to train student in forensics with simulated crime scenes

(source: Cyberheroes flickr)

Then, we visited Splendo that introduced us their smart bikelock project for X-bike.

After the tour, Peter van Eijk who works at the municipality of the Hague presented the Hack Den Haag CTF. A CTF to help the city of the Hague to be more secure.
Finally, Soufian El Yadmani made an amazing talk about his adventure to cybersecurity. He explained that he was hired as a cybersecurity analyst at Cybersprint by winning a CTF. His team and him travel to many CTF competitions.
His secret to be a good ethical hacker? Practice, practice, practice!

After our visit to The Hague Security Delta Campus we went to the US Ambassador’s residence for a reception for the Cyberheroes program. There, Peter Hoekstra the Ambassador of the US, Anouk Vos from Cyberworkplace and Charles Ashley III from Cultivating Coders talked.
The Ambassador, is now a proud hacker in a beautiful Cyberworkplace hoodie and the owner of a CyberHeroes medal!

(source: Cyberheroes flickr)

Day 5 and 6: Trip to Leeuwarden, no escape possible 😀

(source: Cyberheroes flickr)

On the last two days of CyberHeroes, we were invited to Leeuwarden for a CTF at the amazing Hacklab.
Leeuwarden is a beautiful historical city in the north of Netherlands that has been European Capital of 2018.
The CTF gave us the opportunity to learn a lot.
After all this hacking we did we had to go to jail… joking we just spent the night in a former prison: Alibi Hostel


But before going to sleep, we took part in a great escape game made by Henk Van Ee founder of Cybersafety4u in which we had to unlock a hacker’s phone.

(source: Cyberheroes flickr)

To conclude this awesome week, we all got a certificate and a CyberHeroes medal.
Needless to way i was very proud to participate and help for this great adventure.
I would like to take the time to thank Radically Open Security (Melanie and Anh) without whom i would not have heard about Cyberworkplace.
Thanks also to Anouk, Nasya and Maria from Cyberworkplace that welcomed me for this week.
They all made an amazing work and i would definetely recommend everyone who has the opportunity to take part in a week like this.
Volunteer or help Cyberworkplace any way you can, they do such an amazing work for students and cybersecurity lovers.

(source: Cyberheroes flickr) Volunteers for the CyberHeroes week: Adelle, Anh, Maria, Anouk, Me, Nasya

To go further: