System Overlord

A blog about security engineering, research, and general hacking.

Everyone in InfoSec Should Know How to Program

Okay, I’m not going to lie, the title was a bit of clickbait. I don’t believe that everyone in InfoSec really needs to know how to program, just almost everyone. Now, before my fellow practitioners jump on me, saying they can do their job just fine without programming, I’d appreciate you hearing me out.

So, how’d I get on this? Well, there was a thread on a private Slack discussing whether Red Team operators should know how to program, followed by people on Reddit asking if they should know how to program. I thought I’d share my views in a concrete (and longer) format here.

Computers are Useless without Programs

I realize that it sounds axiomatic, but computers don’t do anything without programs. Programs are what give a computer the ability to, well, be useful. So I think we can all agree that information security, as an industry, is based entirely around software.

I submit that knowing how to program makes most roles more effective merely by having a better understanding of how software works. Understanding I/O, network connectivity, etc., at the application layer will help professionals do a better job of understanding how software affects their role.

That being said, this is probably not reason enough to learn to program.

Learning to Program Opens Doors

I suppose this point can be summarized as “more skills make you more employable”, which is (again) axiomatic, but it’s probably worth considering. There are roles and organizations that will expect you to be able to program as part of their core expectations.

For example, if you currently work in the SOC, and you want to work on building/refining the tools used in the SOC, you’ll need to program.

Alternatively, if you want to move laterally to certain roles, those roles will require programming – application security, tool development, etc.

You Will Be More Efficient

There are so many times where I could have done something manually, but ended up writing a program of some sort to do it instead. Maybe you have a range of IPs and need to check which of them are running a particular webserver, or you want to combine several CSVs based on one or two fields on them. Maybe you just want to automate some daily task.

As a Red Teamer, I often write scripts to accomplish a variety of tasks:

  • Check a bunch of servers for a Vulnerability/Misconfiguration
  • Proof of Concept to Exploit a Vulnerability
  • Analyze large sets of data
  • Write custom implants (“Remote Access Toolkits”)
  • Modify tools to limit scope

On the blue side, I know people who write programs to:

  • Analyze log files when Splunk, etc. just won’t do
  • Analyze large PCAPs
  • Convert configurations between formats
  • Provide web interfaces to tools that lack them

How much do you need to know?

Well, technically none, depending on your role. But if you’ve read this far, I hope you’re convinced of the benefits. I’m not suggesting everyone needs to be a full-on software engineer or be coding every day, but knowing something about programming is useful.

I suggest learning a language like Python or Ruby, since they have REPLs (a “read-eval-print loop”). These provide an interactive prompt where you can run statements and see the results immediately. Python seems to be more commonly used for InfoSec tooling, but both are good options for getting things done.

I would focus on file and network operations, and not so much on complicated algorithms or data structures. While those can be useful, standard libraries tend to have common algorithms (searching, sorting, etc.) well-covered. Having a sensible data structure makes code more readable, but there’s not often a need for “low level” structures in a high level language.

Have I Convinced You?

Hopefully I’ve convinced you. If you want to learn programming with a security-specific slant, I can highly recommend some books from No Starch Press:


Announcing TIMEP: Test Interface for Multiple Embedded Protocols

Today I’m releasing a new open source hardware (OSHW) project – the Test Interface for Multiple Embedded Protocols (TIMEP). It’s based around the FTDI FT2232H chip and logic level shifters to provide breakouts, buffering, and level conversion for a number of common embedded hardware interfaces. At present, this includes:

  • SPI
  • I2C
  • JTAG
  • SWD
  • UART

(Image: TIMEP board)

This is a revision 4 board, made using OSHPark’s “After Dark” service – black substrate, clear solder mask, so you can see every trace on the board. (Strangely, copper looks very matte under the solder mask, resulting in more of a tan color than the shiny copper one might expect to see.)

It’s intended to be easy to use and work with open source software, including tools like OpenOCD and Flashrom.

Edit: I rushed to get this post out late at night, but I should’ve acknowledged that this project was inspired while I was taking a hardware security class with Joe FitzPatrick. He also provided a review of an early revision of the board. If you have no idea what SPI, I2C, JTAG, and SWD are, I can’t recommend his classes enough to get started in hardware hacking. (Even if you do know what those are, his classes are a lot of fun.)

See the project on GitHub, and I hope to have some boards available for sale on Tindie in the near future.


Security 101: Two Factor Authentication (2FA)

In this part of my “Security 101” series, I want to talk about different mechanisms for two factor authentication (2FA) as well as why we need it in the first place. Most of my considerations will be for the web and web applications, and I’m explicitly ignoring local login (e.g., device unlock) because the threat model is so different.


So You Want a Red Team Exercise?

I originally wrote this for work, where we get a lot of requests to “Red Team” something. In a lot of these cases, a white box security review or other form of security testing is more appropriate. Because I’d heard through the grapevine that other Red Teams struggle with the same issues, I wanted to make it available publicly. Thanks to my management for their support and permission to take this public!

If you’d like to use or adapt this within your organization, feel free, but please give credit to the Google Red Team.


We frequently get requests to perform Red Team engagements on various products & services around our company. These requests often have misconceptions about the services our team provides. This document is intended to help those seeking a Red Team engagement have a better understanding of what we do, how we do it, why we do it the way we do, and how to engage with us for optimal effectiveness.


Security 101: Learning From Home

Outside, there’s a pandemic. We’re being asked to stay indoors, shelter in place, and avoid social contact. Conferences are cancelled, live trainings are out of the question. Some businesses are closing (hopefully temporarily) and there are unfortunate layoffs and furloughs across the board. It’s a tough time.

Rather than dwell on the negative, focusing on something else can help you get through this mentally. Learning something or growing your skills can both help take away from the anxiety of the situation and also help you come out of this a better person. Whether you’re just getting started in security or looking to advance your career, or just looking to become more security-aware as an individual, there are some great options for learning from home. My lists below are by no means comprehensive – there’s more content than I can shake a stick at. However, these are intended to be good for beginners and have a diverse set of content. If you know of something I should have included, please reach out.

Some of these options are free or freemium – if you have the means, I’d strongly encourage you to pay for access and support those who are putting it together.

  • PentesterLab has a number of free exercises, and dozens available with a paid PRO subscription. ($35 for 3 months for students, or $20/month for professionals.) The exercises in this environment are very well laid out, including things like basic Unix skills all the way up to complex crypto challenges. Each challenge is well-documented and works reliably, and the challenges are arranged in “badges” helping you find the right progression for your skills.
  • Hack The Box is the premier site for hosted hackable VMs. They provide a VPN connection to an environment with a number of challenge servers, each of which has a “User” and “Root” flag to be captured. I’ve played through 26 of their boxes as well as 22 challenges. They definitely have content for every skill level if your interest is penetration testing. If you plan to take the OSCP, these boxes are very similar in “spirit” to the OSCP lab boxes. The free tier gets access to all current boxes; pro gets you less busy servers as well as access to retired boxes.
  • Stanford University has made CS 253 - Web Security available online for free. It includes slides, video, readings, and 3 of the course assignments, accessible to anyone who would like to do this.
  • CryptoPals is a set of Cryptography challenges hosted by NCC Group. These are a progressive set of challenges to break various broken cryptography implementations, and require no pre-knowledge of crypto or advanced mathematics. (Some math is required, but it’s described as 9th grade level mathematics.)
  • CryptoHack is similar to CryptoPals, but with a CTF-style flair to it. This is another “learn crypto by breaking it” opportunity.
  • Exploit.Education is a set of challenges for vulnerability analysis/discovery, predominantly of memory corruption vulnerabilities. These are intended as a progressive set of VMs to attack and work your way through. Includes opportunities for ARM and ARM64 exploitation.
  • Why not take the opportunity to build your own home lab? I’ve been playing around in mine quite a bit in the evenings and weekends while working from home. My Windows domain skills have atrophied quite a bit, and I’m trying to reconcile that. Hopefully I’ll succeed. :)
  • Get in some reading time. eBooks require no shipping, so instant gratification. I can recommend almost anything from No Starch Press. At the moment, I’m looking at Black Hat Go, and just recently read Real-World Bug Hunting.
  • SANS continues to offer their online trainings. Additionally, they’ve launched a bunch of virtual CTF challenges, including many free opportunities. I played in the Virtual Mini-NetWars Mission 1, and it was a lot of fun and the content was absolutely great. It was like playing a hacking RPG.
  • Offensive Security has their online trainings as per usual. This includes both the very well-known Penetration Testing with Kali Linux (OSCP), as well as Cracking the Perimeter (OSCE), and Advanced Web Attacks and Exploitation (OSWE). I’ve done both OSCP and OSCE in the past, and can highly recommend both of them.
  • Check out a CTF on CTFTime.

No matter what you end up doing, make sure you take some time for yourself and disconnect from all the bad news. It’s so easy to become overwhelmed with everything going on. Focus on something you can control and on reaching your goals.