Hacker, Researcher, and Security Advocate

Category: Pentesting

What Is a Hacker?

Reclaiming the Hacker Title, and Ending the Stereotypes

For some, the term hacker elicits images of a person wearing a black hoodie in a dark room working tirelessly on a computer. In other cases, connotations of criminal syndicates or nation-state attackers jump to mind. Unfortunately, thanks in part to media and entertainment portrayals of hackers, the reality is rarely understood. In fact, even formal descriptions of hackers tend to focus solely on their actions as the defining measure. In truth, the term hacker describes an identity. It refers to characteristics of how a person looks at problems and attempts to solve them.

[Photo: tattoo with the GrrCON logo and the phrase "artists and inventors not criminals and freaks"]
My tattoo from GrrCON ’14 with the phrase from Jayson Street’s keynote that has inspired me ever since.

In 2014, I attended a security conference called GrrCON. A well-respected member of the security community, Jayson Street, gave a very powerful keynote speech. His discussion focused on the history of hackers and drove home the message that hackers are not criminals and freaks. Instead, we are artists and inventors. His discussion impacted me so greatly that I got a tattoo at the conference that emblazons those words on the back of my shoulder.

The Mysterious Hacker

When we think about computer hackers in particular, we think about the secretive nature of hackers. People operating in anonymity, using handles rather than their names, using private and sometimes obscure communications channels to share information. Especially in the early days of the internet, this was an accurate view of the hacker community. As a result, it only adds to the myth and mystique of hacker lore. Since hackers were seen as criminals, anonymity was a crucial tool in simply advancing their craft. While their motivations were often rooted in curiosity, law enforcement had very different opinions.

As with any growing community of people, a social order began to develop as well. Personalities clashed, and competition often ensued, with rival hackers seeking to establish their place among the most skilled by demonstrating proof of their latest hack. Sometimes they even attacked each other. Even today, many of these behaviors persist. There is a degree of fame and respect given to those who demonstrate extraordinary skills. But hackers are so much more.

Curiosity and Creativity

“What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology.”

Alyssa Miller

If you’ve spent any time on my site or social media pages, you know I identify myself as a hacker. While I’ve taken over domain admin accounts by passing hashes, gained command line access to web servers via poorly configured web applications, and even dumped the entire contents of databases using blind SQL injection vulnerabilities, these skills don’t make me a hacker. On the flip side, I’ve never discovered a 0-day vulnerability, never stolen money or data, and never gone to jail for my activities. These facts don’t make me any less of a hacker.

What makes me a hacker is something more intrinsic, something very integral to my very being. What makes me a hacker is my unfettered, at times almost obsessive need to understand the inner workings of technology. It’s an optimistic problem solving skill. Believing that anything can be changed or improved if I can just simply understand first how it functions.

Many hackers, myself included, will tell you that as children we took things apart. Driven by a curiosity to understand how technology worked, we learned through examination. This is a cognitive trait that shapes how we look at problems and solve complex issues. This, in my opinion, defines what makes a hacker a hacker.

Hackers and Ideology

Take a look at the interactions of hackers on social media or other forums and you’ll discover hackers are typically very idealistic. While we don’t all have the same values, more often than not they are rooted in positive motivations. Street, in his presentation, discussed Nikola Tesla as an early hacker. Tesla had a vision for supplying electricity to the world without cost. He built upon the discoveries of his peers and predecessors to develop new technologies. His inventions drive many of the technologies we’ve become dependent on today. He wanted everyone to take his works, use them, and continue to improve them. However, due in part to businessmen with less noble values, Tesla died broke and alone, his inventions tied up in patents that prevented new innovations.

Hackers often look at the internet the same way, with very idealistic vision. Most place a great deal of value on the free exchange of ideas and information while also valuing privacy and individual liberty. Many of us work to make the internet more secure to help ensure that vision. Nowhere is this ideal more clearly displayed than at the various hacker conferences that occur every year. Tens of thousands of hackers come together in various venues around the globe in an effort to share our knowledge, our research, and our opinions on how to improve the technology of the world we live in.

Gate-keeping

Unfortunately, while many in the security community work to promote a more positive image of hackers, there are some who want to perpetuate the stereotypes. They prefer the mystique of clandestine individuals or groups that have the power, because of their skills, to disrupt society and the world. That image of the hacker culture is seen as cool and almost elitist in a way. As a result, some attempt to establish their position in the social order by trying to define who is worthy of being called a hacker. Usually the definition relies solely on the level of their skills or the novelty of the exploits they unearth.

This view is counter-productive to establishing a truly free exchange of ideas and knowledge. It serves to create cliques, toxic competitiveness, and secrecy that break down those ideals. Sure, it’s part of where we came from as hackers. Yes, competition can be healthy and productive. But to be truly great as a community, we must be able to build off the work of others. We have to leverage the unique perspectives we each bring to the table and let those drive new ideas. That is how we become l33t.


The Oxymoron of “Smart” Devices

What a hair straightener can teach us about IoT Security

A recent article on Threatpost provides details of a vulnerability in the Glamoriser Bluetooth Smart Straightener. The vulnerability is pretty significant. An attacker can fairly easily gain control of the hair straightener, turn the heating element up to max power, and potentially cause a fire. Discovery of this vulnerability provides us with a clear example of why manufacturers need to be more calculating in their responses to the “smart” device trend.

[Stock photo of the Glamoriser Bluetooth Smart Straightener]
Researchers have found a security vulnerability in the Glamoriser Bluetooth Smart Straightener.

According to product information on the Glamoriser website, the straightener comes with a mobile app that allows the user to control heat settings of the straightener for different types of styling and lock in a favorite setting. However, as it turns out (maybe not surprisingly), their implementation of this feature is anything but “smart”.

According to quotes from the researcher who discovered the vulnerability, Stuart Kennedy, the hair straightener’s Bluetooth Low Energy (BLE) connection lacks some of the basic security features most users have come to expect in Bluetooth devices. There is no pairing function in the straightener’s BLE implementation, meaning any device within range can connect and control the straightener. Sure, the risk may be fairly low due to the distance limitations of BLE, but the threat vector is very real.
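To make the design failure concrete, here is a small model of the access control a BLE peripheral applies to a writable characteristic. This is an added example written for this page; it is not the straightener’s firmware, not code from the Threatpost article or the researcher, and the characteristic name, temperature range, and permission flags are all hypothetical. It mirrors the check a GATT server performs before honouring an ATT write (the real stack answers with the “Insufficient Authentication” or “Insufficient Encryption” error codes), and contrasts a device that accepts writes over any unpaired connection with one that requires an authenticated, encrypted link and enforces a firmware-side temperature bound regardless of who is writing.

```python
"""Toy GATT characteristic model (constructed for illustration, not vendor code).

Assumptions: a single "heater setpoint" characteristic, a hypothetical
max_celsius limit, and permission flags modelled loosely on the
BLE ATT/GATT write-permission checks.
"""
from dataclasses import dataclass, field
from enum import Flag, auto


class Perm(Flag):
    NONE = 0
    WRITE = auto()                # characteristic is writable at all
    WRITE_ENCRYPTED = auto()      # link must be encrypted (device was paired)
    WRITE_AUTHENTICATED = auto()  # pairing must have had MITM protection


@dataclass
class Link:
    """State of one BLE connection as the peripheral sees it."""
    peer: str
    encrypted: bool = False
    authenticated: bool = False


@dataclass
class HeaterCharacteristic:
    perms: Perm
    max_celsius: int          # hypothetical hardware/firmware ceiling
    temperature: int = 0
    peak_seen: int = 0
    log: list = field(default_factory=list)

    def write(self, link: Link, value: int):
        """Return (accepted, reason), applying the checks a GATT server
        performs before a write request reaches application code."""
        if Perm.WRITE not in self.perms:
            return self._reject(link, value, "write not permitted")
        if Perm.WRITE_AUTHENTICATED in self.perms and not link.authenticated:
            return self._reject(link, value, "insufficient authentication")
        if Perm.WRITE_ENCRYPTED in self.perms and not link.encrypted:
            return self._reject(link, value, "insufficient encryption")
        # Safety bound in firmware: applies even to a legitimate, paired app.
        if not 0 <= value <= self.max_celsius:
            return self._reject(link, value, "out of range")
        self.temperature = value
        self.peak_seen = max(self.peak_seen, value)
        self.log.append(f"ACCEPT {link.peer} -> {value}C")
        return True, "ok"

    def _reject(self, link, value, reason):
        self.log.append(f"REJECT {link.peer} -> {value}C ({reason})")
        return False, reason


def vulnerable_device() -> HeaterCharacteristic:
    """Writable over any connection: no pairing, so any central in range
    can set the heater (the condition described for the straightener)."""
    return HeaterCharacteristic(perms=Perm.WRITE, max_celsius=235)


def hardened_device() -> HeaterCharacteristic:
    """Writes require an encrypted link from MITM-protected pairing."""
    return HeaterCharacteristic(
        perms=Perm.WRITE | Perm.WRITE_ENCRYPTED | Perm.WRITE_AUTHENTICATED,
        max_celsius=235,
    )


def audit(device: HeaterCharacteristic) -> list:
    """Design-review check: a writable control characteristic that does not
    demand an encrypted, authenticated link is reachable by any BLE central."""
    findings = []
    if Perm.WRITE in device.perms and Perm.WRITE_ENCRYPTED not in device.perms:
        findings.append("writable without encryption (no pairing required)")
    if Perm.WRITE in device.perms and Perm.WRITE_AUTHENTICATED not in device.perms:
        findings.append("writable without MITM-protected pairing")
    return findings


def simulate(device: HeaterCharacteristic):
    """Two constructed peers: an unknown phone that never paired, and the
    owner's phone on an encrypted, authenticated link."""
    stranger = Link("unknown-phone")
    owner = Link("owners-phone", encrypted=True, authenticated=True)
    results = {
        "stranger_sets_max": device.write(stranger, device.max_celsius),
        "owner_sets_180": device.write(owner, 180),
    }
    return results, device.temperature, device.peak_seen


if __name__ == "__main__":
    for name, dev in (("vulnerable", vulnerable_device()), ("hardened", hardened_device())):
        print(name, "audit:", audit(dev) or "no findings")
        print(name, "run:", simulate(dev))
        print("\n".join(dev.log))
```

The two configurations differ only in the permission flags on one characteristic, which is the point: the fix for “anyone in range can control it” is a pairing requirement that a BLE stack already provides, plus a bound in firmware so that even an authorised app cannot drive the element past a safe limit.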

An emblematic problem with IoT and Connected Devices

This certainly is not the first time that we’ve seen once innocuous home devices turned into a threat vector. Manufacturers have routinely enabled “smart” functionality but failed to implement basic security features. However, the risks associated with this example lend credence to the warnings of researchers regarding just how serious the problem could be.

As many in the security community already know, manufacturers with no history or previous experience with implementing connected technology are rushing to create “smart” devices. The resulting implementations are often filled with security and functionality gaps. Whether this is a result of a lack of expertise or the need for speed to market (or both) is debatable. But the trend of security issues in newly released “smart” devices is undeniable.

The hair straightener example also stands as a particularly poignant lesson in that the only discernible reason to have a mobile app seems to be the ability to label the styling tool as “smart”. The desired feature set enabled by the mobile app, being able to identify and set the needed temperature based on hair type and desired style, could just as easily have been implemented without connectivity. Hair straighteners have had adjustable temperature controls for years. Couldn’t an app that allowed the user to look up the correct settings and then manually set them on the device have been enough? Have we really reached the point in lazy consumerism where we need the app to make that adjustment for us? Let alone to the detriment of someone’s safety?

Time To Stop and Think

Sure, smart home devices are all the rage right now. Connected IoT devices are touted as the latest innovations and everyone wants to get on that bandwagon. However, if manufacturers can’t concern themselves with the safety of their consumers, they must at least start considering the risks in terms of their own liability for shipping faulty devices with real security vulnerabilities. How much does the manufacturer stand to lose if they get sued when someone is hurt or killed as a result of a security flaw in their product? The case of the Glamoriser straightener provides the most tangible illustration of those risks we’ve seen to date.

With that risk comes the need for serious investment in R&D before simply launching a product. That investment needs to include analysis of the benefits of the new connected features against the risks of liability if those features turn out to be a security flaw. Manufacturers cannot afford to assume an immeasurable marketing edge will come from simply labeling their product as “smart”. Had such analysis been done in the case of the Glamoriser, it’s doubtful that the ability to set a temperature on the device from your phone would have demonstrated value in the marketplace that outweighed the potential liability of someone’s house being burned down. This isn’t a particularly challenging threat model to build, so how did they get it so wrong?

It seems most manufacturers only pay attention to the threats and risks of their products when there is a palpable demand from consumers. Unfortunately, consumers remain blissfully unaware of these risks until something catastrophic occurs and is publicized widely in the media. Even then, market trends show we’re often willing to forgive and forget if it means we can own the latest innovative device. So we, as security researchers, have to find other ways to motivate manufacturers. So far this has proven to be a monumental task. The tide is shifting: more and more manufacturers are becoming aware of the risks and working with the security community. Sadly, it’s most often only after their failures, or those of their competition, are exposed.

Educating consumers and manufacturers alike seems to be one possible course of action. Security researchers have begun some outreach to the manufacturing community and we’ve made headway in certain markets like the automotive space. However, more can and must be done. There is opportunity for us to be more involved in the manufacturing community. We must look for ways not to scare manufacturers into doing better but to motivate them. Drawing the connections between producing secure products and expanding their business model is the key.

From a consumer perspective it is much the same. We’ve tried scaring people. We’ve talked about all the potential bad things that can happen. For consumers it’s a bunch of noise and they just want that cool new thing. So it’s time we start focusing on how their lives can be more convenient, more trendy, etc., by ensuring that they demand products that are secure and reject the early-to-market brands that blaze trails with questionable products. We need to make being securely connected the new hot thing.


Welcome Aboard

An Introduction of Epic Futility

OK well here I am interwebs!! After much encouragement from colleagues, friends, and acquaintances, I’ve launched a website and blog. As you’re likely aware, if you’ve found your way to this page, I’m very passionate about all things security and privacy related. It’s my career, it’s my passion, and most of all it’s something I love to share with others.

I’ve had a very atypical journey into the world of security, however. I’ll probably bore you in some other post with the full progression from my childhood interest in computers to my present-day role as a security professional. But for now let me just share that what began as a hobby of playing with computers turned into a full-time job as a programmer, which in turn led to my entry into penetration testing and assessment work.

I have no delusions of grandeur. I am not the world’s greatest hacker, I am not some super security celebrity or highly touted “thought leader”. However, what I am is a person who really loves digging into technology, exposing how it works and how it fails, and sharing what I’ve learned with others. I’ve spoken at industry conferences, as you can see on this site. I’ve delivered various security assessments, training, and strategy guidance as part of my professional work. I’ve been featured in security publications and podcasts. I’m of course active on social media as well. But this is the first time that I own a dedicated space on the web to formally share my thoughts and opinions in written form.

Related to technology, security, and privacy, I also have a very powerful drive to correct what I see as a toxic environment in the tech and security communities. Women, People of Color, LGBTQ+ and other under-represented groups often find that the tech and security space is particularly unwelcoming. In security specifically, studies using the most liberal of criteria have found only around 20% of people in security roles are women. I believe that toxic environment is partly to blame. This is something I feel needs to change. I’m involved in multiple organizations that do work in this area, I speak on this topic as well, and so you’ll probably see posts from me focused on making our industry more inclusive as well.

So I hope you’ll enjoy. I hope you’ll reach out to me and share your own thoughts. I love to hear opposing viewpoints and discuss/debate at length as long as it’s done in a respectful and productive way. Thank you for visiting and please come back over and over!
