My internship at Radically Open Security

One of my goal in this ethical hacker challenge was to volunteer for a GREAT organization. This is what i did with Radically Open Security who welcomed me as an intern for six months.

How did i get this opportunity?

When i started to work in the IT I quickly had concerns about the lack of safety on the Internet.
Therefore, my curiosity and thirst for learning led me to wonder about the construction of a safer cyberspace.
This quest has shaped the type of company I wanted to be involved with. This is when I discovered the existence of ROS (Amsterdam, Netherlands) and Melanie Rieback in a press article.
This initiative was an evidence and in line with the values I want to promote.
Transparency is the central point of this company and its business model is a promise of a better social future.

What is Radically Open Security?

« Radically Open Security is the world’s first not-for-profit computer security consultancy company. We are prototyping an innovative new business model – using a Dutch « Fiscaal Fondswervende Instelling » (Fiscal Fundraising Institution) to provide a commercial front-end that sends 90% of our profits tax-free to a backend foundation (Stichting NLnet) that has supported open-source, Internet research, and digital rights organizations for almost 20 years. The other 10% of our profits will go to an employee profit-sharing scheme, in which the secretary accumulates profit-sharing rights as quickly as the CEO. Additionally, due to our low management/overhead costs, we can afford to pay competitive wages to our computer security consultants.  »
At ROS everybody works remotely.
(source: https://radicallyopensecurity.com/business-model.htm)

Wait! Not for profit?

Yes not for profit! Let Melanie Rieback co-founder and CEO explain this to you:

What service do they offer?

  • Penetration testing, ethical hacks and social engineering
  • Malware reversing and analysis
  • Network monitoring and threat detection
  • Forensics
  • CSIRT and incident response
  • Code audits
  • DDoS Testing
  • Cryptographic analysis
  • Custom R&D Projects
  • Workshops, trainings and mentoring
  • Misc: Embedded, Android and RFID Security

(source: https://radicallyopensecurity.com/services.htm)

What did i do?

Participation in the creation of a Capture-The-Flag (CTF) game

ROS helped to build a CTF for the CyberHeroes week of the non profit organization Cyberworkplace (see my article about the CyberHeroes week here).
The theme of the week was Heroes in cyber, I build a list with many heroes from the cybersecurity world, cryptography and cybersecurity resources.

Observation of pentests

I was added to some pentesting channels on RocketChat a chatroom that was used for communication for work purposes. This way, i was able to peek over the shoulders of pentester and see how they work, how they communicate with the client as the pentests are completely available to the clients from the begining to the end (this is one of the core principle of ROS).

Review of pentest reports

I was able to read and review some pentests reports. This really helped me to see how proper pentest reports are build, what pentesters look for while pentesting and which tools they use.

Improvement of the onboarding manual for new staff members

When i onboarded i was provided with an onboarding manual. As i encountered some little problems to set up my work environment i added some entrees in the onboarding manual in order to help future onboarders who had the same configuration i had.

Creation of a wiki page with relevant onboarding information for new staff members

ROS wanted to improve the onboarding process and provide the onboarders resources and useful informations.
This is why i created a wiki page with many resources for every type of positions (project management, software development, pentesting, …). I also added a section for general informations about ROS.
After the set up of this wiki i invited everyone to contribute and share their knowledge with relevant links like their favorite tools that help them in their tasks, great articles they’ve read, anything they would find relevant.

Submission of a process for improving internal training

We wanted to improve the internal training that is why i created a documentation to propose some ideas on the subject.

Helping a coworker with the use of Gitlabs (Radically Open Security’s file storage system)

One of the other intern was new to Gitlabs. As i had previously encountered Git and worked with it, i was able to provide my help.

Organizing folders in Gitlabs

ROS puts their projects and documentation on an internal Gitlabs system. I updated the organization of the folders.

Use of Pentext and XML

« The OWASP PenText XML documentation project can help your software security company produce offers, reports, invoices and generic documents by offering a well-structured and easy to maintain documenting system you can modify to your liking. »
This tool was created by ROS they open sourced it and made it available on Github.
In order to use Pentext you need to know XML.
I really enjoyed using pentext. XML is really useful and you get to generate great looking documents. This saves a lot of work mainly for pentesting reports but it can also be use to save time on other types of reports.

What did i get from this experience

As I plan to build a company, ROS was an inspiring and innovative model for tomorrow’s companies.
More specifically, I learned how a holocratic system works in a company. This system in which everyone has a place and a voice has been a beautiful discovery.
On a more technical aspect I have used many tools such as Pentext.
Finally, I have appreciated working remotely because it requires a personal work organization that invites to be autonomous and rigorous.

(source cyberheroes week flickr) During the CyberHeroes week i had the opportunity to meet Daan, Steven, Melanie and Anh from ROS.

To go further

Engensec IT Security Summer School

(Article disponible en français plus bas)

To move forward in my challenge, I decided to attend a Summer School. That is how in july, i had the great opportunity to attend a European Program in Cybersecurity in the beautiful city of Lviv (Ukraine).
This program was held by the Lviv National Polytechnic University and the classes were organised in a beautiful annexe of the University.
view from the outside
entrance hall
corridor
Many students from different countries were attending this studious week: Ukraine, Sweden, Poland, Netherland, Luxembourg and France.

Presentation of the IT Security Summer School in the Lviv National Polytechnic University.

Why a Summer School ?

Well, a Summer School is a short and intensive way to gain skills quickly plus you get to meet people from all over the world.
Also, it seemed important to me to confront my knowledge with practical exercises in group to give an interactive dimension to my learning in self-training. Finally, being coached by cybersecurity experts during the summer school allowed me to consolidate the knowledge acquired during the previous months.

What did we learn ?

On the first day, we had a first assignment which was fun. We were given a list of teams named after malware. The goal was to find our team mates with the help of this list. It was a very good ice breaker to first meet attendees. To go further with the social interactions we also had a team quest to do in order to get to know each other better and discover the city.

The high quality courses were taught by professors from leading European universities such as Sweden, Poland and Ukraine.

The four main subjects discussed during the week

Malware Analysis

First, the history of ransomwares (first ransomware: AIDS trojan 1989) was discussed.
Then we reviewed different ransomwares: their encryption method, how they interact with the user and for some of them how to decrypt files.
The practical exercises allowed me to understand the necessary steps to analyze malware.
However, there is no single way or infallible method. This field requires great patience and perseverance to gain more experience.

Software Security

This course was about : Programming problems and buffer overflows, Defensive programming, Revision control systems and Good practices.

About the part « good practices », i wish i had such a course during my training as a programmer. Good practices in development for security is, in my opinion, a must known for every developer.

The lab about buffers was really helpful to better understand the buffer overflow error and how it can make a software very vulnerable. I had another Lab in which i had to manipulate and debug a program in order to find a password.

Web Security (including web app vulnerabilities)

Web security is quite an important piece in cybersecurity.
This class gave me an overview of the most common vulnerabilities on the web. With this course I was able to complete my list of tools and Websites related to Web security.

I really enjoyed the practical exercises because they were divided into several stages and allowed me to progress naturally according to the level of difficulty. More precisely during these exercises I tested the vulnerabilities during authentication, SQL injection, XSS vulnerabilities and ethical hacking.

Pentesting

This course gave a good overview of the duties of the pentester.
First we discussed several elements such as technical terms, the different types of hacker, pentesting tools and methodologies.
We also worked on the methodology to follow when writing a pentesting report.
Also, I learned the techniques of malicious hackers in order to propose a good defense strategy.

Finally, all the practical exercises allowed me to get use to the tools used during pentests, analyze vulnerabilities, test web applications and put social engineering methods into practice.

A step in the workforce

At the end of the fourth day two professionals came to share their experiences in the Security Operation Center of a Ukrainian business. They described their work and the issues they had to tackle every day.

This presentation gave us an inside point view of cybersecurity professionnals.

A place of culture and full of history

The City of Lviv

Lviv is a city in western Ukraine which was founded in the 13th century but has roots since the 6th century. Needless to say it is full of history.

Opéra House of Lviv Opera House of Lviv

You’ll have many opportunies to widen your culture:

  • Go to the Opera and see a beautiful piece
  • Visit beautiful churches
  • Just walk around in the streets of the old town
  • Eat and discover local gastronomy

The city tour

Engensec organized for us an amazing city tour with historic reconstitution and actors in costums in many corners of the city.
It was very a good break from the classes and a good entertainment.
sword fight
guided tour

Why you should attend Engensec?

– The organizers are very welcoming and helpful
– You get to have social interactions with people from all over the world
– If you want high quality classes for a great value this is totally the place to go
– You get a certification in the end of the week and ECTS for a total of 60 hours
certificate example

To go further


Pour avancer dans mon défi, j’ai décidé de suivre une summer school. C’est ainsi qu’en juillet, j’ai eu l’opportunité d’assister à un programme européen de cybersécurité dans la belle ville de Lviv (Ukraine).
Ce programme a été organisé par l’Université Polytechnique Nationale de Lviv et les cours avaient lieu dans une magnifique annexe de l’Université.

view from the outside
entrance hall
corridor

De nombreux étudiants de différents pays participaient à cette semaine studieuse : Ukraine, Suède, Pologne, Pays-Bas, Luxembourg et France.

Présentation de Engensec security summer school à l’Université polytechnique nationale de Lviv.

Pourquoi une summer school ?

Une summer school est un moyen court et intensif d’acquérir rapidement des compétences et de rencontrer des gens du monde entier. Aussi, il m’a semblé important de confronter mes connaissances à des travaux pratiques en groupe pour donner une dimension interactive à mon apprentissage en auto-formation. Enfin, être accompagné par des experts en cybersécurité pendant la summer school, m’a permis de consolider les connaissances acquises durant les mois précédents.

Qu’avons-nous appris ?

Le premier jour, nous avons eu un premier exercice assez amusant. On nous a donné une liste d’équipes portant le nom d’un logiciel malveillant. Le but était de trouver nos coéquipiers à l’aide de cette liste. C’était une très bonne façon de briser la glace. Pour aller plus loin dans les interactions sociales, nous avions aussi une quête à faire en équipe pour mieux se connaître et découvrir la ville.

Les cours de qualité étaient encadrés par des professeurs de grandes universités européennes telles que la Suède, la Pologne et l’Ukraine.

Les matières abordées dans la semaine

Malware Analysis

Dans ce module nous avons abordés l’historique des ransomwares (premier ransomware: AIDS trojan 1989).
Ensuite nous avons passé en revue différents ransomwares: leur méthode d’encryption, la façon dont ils se manifestent pour l’utilisateur et pour certains comment décrypter les fichiers.

Les exercices pratiques m’ont permis de comprendre les étapes nécessaires pour analyser un malware.
Pour autant, il n’existe pas une seule façon de faire ni une méthode infaillible. Ce domaine implique une grande patience et persévérance pour laisser place aux tâtonnements et à l’expérience.

Sécurité des logiciels

Dans ce cours nous avons abordé : les erreurs de programmation dont le buffer overflow, la programmation défensive, les systèmes de contrôle de révision et les bonnes pratiques en programmation.

En ce qui concerne la partie « bonnes pratiques », j’aurais aimé avoir un cours comme celui ci lors de ma formation de développeuse. Selon moi, il est indispensable de connaître ces bonnes pratiques afin d’être en mesure de livrer des logiciels sécurisés.

L’exercice pratique sur les buffer a été vraiment utile pour comprendre comment l’erreur buffer overflow peut rendre un logiciel très vulnérable. Dans un autre exercice, il fallait manipuler et débugger un programme afin de trouver un mot de passe.

Sécurité Web (dont vulnérabilités des applications Web)

La sécurité Web est un élément essentiel de la cybersécurité. Ce cours donne un aperçu des vulnérabilités les plus courantes sur le web.
Aussi grâce à ce cours j’ai pu compléter ma liste d’outils et de sites Web relatifs à la sécurité du Web.

J’ai beaucoup apprécié les exercices pratiques car ils étaient découpés en plusieurs étapes et permettaient de progresser naturellement en fonction du niveau de difficulté. Plus précisément lors de ces exercices j’ai testé les vulnérabilités lors d’authentification, l’injection SQL, les faille XSS et le hacking éthique.

Pentesting

Ce cours donnait un bon aperçu des missions qui incombent au pentester.
Tout d’abord nous avons abordé plusieurs éléments comme les termes techniques, les définitions des profils de hackers, les outils et les méthodologies du pentesting.
Nous avons également travaillé sur la méthodologie à respecter pour la rédaction d’un rapport de pentesting.
Aussi, j’ai pris connaissances des techniques de pirates malveillants afin de proposer une bonne stratégie de défense.

Enfin, tous les exercices pratiques m’ont permis de me familiariser avec les outils utilisés lors des pentests, d’analyser des vulnérabilités, de tester des applications web et de mettre en pratique des méthodes de social engineering.

Un aperçu des opportunités d’emploi

A la fin de la quatrième journée, deux professionnels sont venus partager leur expérience dans le Security Operation Center d’une entreprise ukrainienne. Ils ont décrit leur travail et les problèmes auxquels ils étaient confrontés au quotidien.

Cette présentation était intéressante pour avoir un point de vue de professionnels de la cybersécurité.

Un lieu de culture et plein d’histoire

La ville de Lviv

Lviv est une ville de l’ouest de l’Ukraine qui a été fondée au 13ème siècle mais qui a des racines depuis le 6ème siècle. C’est donc une ville pleine d’histoire.
Opéra House of Lviv Opera de Lviv

Ainsi, vous aurez de nombreuses occasions d’élargir votre culture :

  • Aller à l’Opéra et voir une belle pièce
  • Visiter de belles églises
  • Marcher dans les rues de la vieille ville
  • Découvrir la gastronomie locale

La visite de la ville

Engensec a organisé pour nous une visite avec une reconstitution historique faite par des acteurs en costumes dans de nombreux coins de la ville.
C’était une très bonne pause des cours et un bon divertissement.
sword fight
guided tour

Pourquoi vous devriez venir à Engensec?

– Les organisateurs sont très accueillants et serviables.
– Vous aurez des interactions sociales avec des gens du monde entier.
– Si vous voulez des cours de haute qualité pour un prix abordable, c’est l’endroit idéal.
– Vous obtenez une certification en fin de semaine et des ECTS pour un total de 60 heures.
– Le programme est ouvert à tous sans condition de niveau ou d’âge.

certificate example

Pour aller plus loin