Security Musings

Sometimes we have thoughts that occur to us that are related to security. Some are funny, some are serious, but we'll put them here for your consideration!


The Hacker Mentality

I tend to find airports entertaining. Sure, they are filled with frustration and irritation. You run the risk of catching all sorts of (bio-)viruses from the myriad sick people traversing the halls and touching everything in sight. The food is generally terrible. Your flight is probably late.

But from a hacker's perspective, they can be a goldmine for examples of security wackiness. Shops scattered all over, each with their own security posture. People with wi-fi enabled devices completely unaware. Bluetooth as far as the eye can see. Broken systems displaying blue screens to the world. It's fun just to watch and take note.

Take for example a recent trip from which I was returning. As I am getting near to the TSA checkpoint, I notice a white screen with writing, where normally I expect to see a goofy TSA video (I've been to this airport many times, I can probably quote the lines to the thing). Curiosity tends to get the better of me, so I zoom in and snap a pic of the screen in question. After going through TSA, I do a little review and find the screen in question is an error message from something called Active Desktop, which is a technology I barely remember.

Oh, this could be interesting.

Sure enough, after picking through the photo a bit, I figured out a few things about the system, and thus a bit about this airport's IT environment. At first, I thought maybe this would be a good slide to add to some of the application security training I do for customers, but then I realize it's actually a broader teachable moment than that.

Among the questions I'm asked most about my rather poorly understood profession (at least as far as most folks see us!) is "how do you know to do that?" The typical answer I give is that it's sort of an art guided by experience. I've seen the same flaws numerous times, I know the common issues, I can hazard guesses about how to do a given thing, then try it and see if it works, moving to plan B if it doesn't.

It dawns on me though that this isn't entirely accurate. Some of it is just merely observation and a small amount of research. Anyone can learn these things! They just have to know to look at a problem in a specific way. This airport incident gave me the perfect opportunity to illustrate that. I identify a few things on that single screen and elaborate a bit about what they tell us. From there, we can extend that to "what does this likely mean for the overall environment in which this system runs?"

Whether you're a tester, a security engineer tasked with defending your company or just someone who wants to know how to read the Matrix a bit, this quick presentation may be of use to you. It walks through the analysis of this page as well as poses some questions. My hope is that it sparks curiosity if nothing else. Whether you're a technical or non-technical person, it's reasonably easy to become an informed observer, and perhaps even a part-time aspiring security professional.

I am sharing a PDF largely for convenience. If you have a particular need for the PPT, just drop me a note and it's yours. As I mention in the slide deck, you are free to share this as you like, as long as you let folks know where it came from.

Enjoy your holidays, particularly if you're at the airport. ;)

Presentation: The Hacker Mentality