Hacking your way into security training
As an eBay company, you would think that we feel nervous every time we hear from our InfoSec representatives. What is it now? A new scan, a pen test, an audit? Worse yet, a problem? Fortunately our representative does a great job bringing the different satellite companies together, and this time he just wanted to recommend a course run by Certified Secure. Other eBay companies had done it and had great feedback.
At the end of the year, right after we went into the peak-time release moratorium, we decided to take a break to celebrate delivering a key milestone of our new product, and we gave the course a try. You might think security training is not much of a party, but when done right it can be a blast!
Monday 10am was the start of our two-day course. We followed a similar approach to our anarchy days: no one in the team knew what was happening; we just asked the team to make sure they were on time… we love the surprise factor. Frank, our instructor, got in early, but no preparation was really needed: hook the laptop up to a screen and gather the team. The premise, he explained, was pretty simple:
“We have two days of security training in front of us, but there will be no slides or lectures. Everyone in the team will learn about security by solving a series of challenges that require hacking different applications and services.”
(Disclaimer: This might not be the exact words Frank used, but you get the idea)
The morning of the first day set the bar high: given only an installable Android app (an APK file), we needed to get the phone number of the contact ‘Dad’ and a photo from the phone.
You might think this is from a local phone where the app is installed. Well. Think again! The actual objective was to compromise the address book and photos of a remote user that had the app installed on their device. It seemed like a huge challenge, but one mistake is all you need to compromise hundreds of phones.
A few lessons learned:
- Installing a vulnerable application can very easily compromise your device; use caution when installing apps from unknown developers
- As a developer, you not only need to defend your application against external attackers but also against other applications installed on the device
- Do not include secrets in your app; mobile apps are easily decompiled, so your secrets are not secure
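As an added illustration of the last lesson (this is not code from the post or from Certified Secure), the following Python script does what a `strings` pass over an unpacked APK would reveal, but run by the developer as a pre-release gate: it pulls printable strings out of a build artifact and flags labelled secrets and unlabelled high-entropy tokens. The artifact bytes, the key names it looks for and the entropy threshold are all constructed assumptions for the demo.

```python
"""
Pre-release check for secrets baked into a mobile build artifact.

Added example; not code from the original post or from Certified Secure.
Anything compiled into an APK can be read back out, so this runs the same
string extraction a reviewer would, before the build ships. The artifact
bytes, key names and threshold below are constructed for the demo.
"""
import math
import re
from collections import Counter

# Labelled secrets: a name that suggests a credential, followed by = or :.
# The name list is an assumption, not a standard.
SECRET_NAME = re.compile(
    r"(api[_-]?key|secret|token|password|passwd|private[_-]?key)\s*[=:]\s*(\S+)",
    re.IGNORECASE,
)
# Unlabelled candidates: long runs of key-like characters ('/' excluded so
# that JVM class descriptors such as Lcom/example/Foo; are not one run).
TOKEN_RUN = re.compile(r"[A-Za-z0-9+_\-]{32,}")
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
ENTROPY_THRESHOLD = 4.5  # bits per character; assumed cut-off for "random-looking"

# Constructed stand-in for a classes.dex: a few benign strings and two planted
# secrets separated by NUL bytes, as a dex string table would look in `strings`.
SAMPLE_ARTIFACT = (
    b"dex\n035\x00" + bytes(range(0, 16))
    + b"Lcom/example/shutl/DeliveryTracker;\x00"
    + b"https://api.example.com/v1/orders\x00"
    + b"com_example_shutl_delivery_tracker_build_tag\x00"      # long but low entropy
    + b"api_key=sk_live_constructed_0123456789abcdef\x00"      # planted, labelled
    + b"Track your parcel in real time\x00"
    + b"\x00\x01\x02"
    + b"Q7w2Zx9aBc3DeF4gH5jK6mN8pR1sT0uVyYzAbL\x00"            # planted, unlabelled
    + b"\xff\xfe"
)


def extract_strings(blob: bytes):
    """Return every run of 8+ printable ASCII bytes, like the `strings` tool."""
    return [m.group(0).decode("ascii") for m in PRINTABLE_RUN.finditer(blob)]


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def find_secrets(blob: bytes):
    """Return (kind, value) pairs for strings that look like shipped secrets."""
    findings = []
    for s in extract_strings(blob):
        labelled = SECRET_NAME.search(s)
        if labelled:
            findings.append((labelled.group(1).lower(), labelled.group(2)))
            continue
        for token in TOKEN_RUN.findall(s):
            if shannon_entropy(token) > ENTROPY_THRESHOLD:
                findings.append(("high-entropy", token))
    return findings


def release_gate(blob: bytes) -> bool:
    """True when the artifact is clean and may ship, False otherwise."""
    return not find_secrets(blob)


def redact(value: str) -> str:
    """Show only a prefix so the report itself does not leak the secret."""
    return value[:4] + "****"


if __name__ == "__main__":
    for kind, value in find_secrets(SAMPLE_ARTIFACT):
        print(f"{kind:12s} {redact(value)}")
    print("ship:", release_gate(SAMPLE_ARTIFACT))
```

Run it against the real artifact (`unzip -p app.apk classes.dex | python3 check_secrets.py`-style wiring is left to the build pipeline) and fail the build when `release_gate` returns False; the entropy check is a heuristic, so review its hits rather than treating every one as a confirmed leak.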
In the afternoon we swapped our black hats for white ones. A website has been taken down by a botnet exploiting a WordPress vulnerability. Our task is to analyse the attack, detect the source, and take the botnet down.
This one was a problem for most of us: at Shutl we are all devops, but system forensics is fortunately not something we’ve had cause to learn. It was time to open Wireshark and get out of our comfort zone: go through system memory dumps, analyse network traces, intercept and install SSL certificates, and much more. I’m not ashamed to admit that this exercise required lots of hints along the way!
The second day we started with more confidence. Frank was talking about cross-site scripting, directory traversal and SQL injection… easy, right? Wrong again! The people at Certified Secure have done a great job taking those basic web vulnerabilities we are all familiar with and creating sophisticated challenges that require not only technical knowledge but creativity and an overall understanding of different attack vectors and how they can be combined. We not only needed to know the concepts but also had to learn to think like an attacker to solve the exercises.
To wrap up the course and celebrate our great success (scoring a remote shell) we got some popcorn and ice cream for the office. As ice cream ran out, we headed out to the closest pub for some beers.
I am a big fan of the training methods used, it combined two types of teaching I love: learning through problem solving, and expanding the ‘things you know you don’t know’. It is an approach that gives you first a problem, a need to learn, and then leaves you to it. It teaches you that it is important to know the concepts, but that those concepts come in a million different flavours and there are people out there continuously looking for new attack vectors. It encourages you to think like the attacker to better protect your applications.
I can strongly recommend Certified Secure. They have built a training package that is language and skill agnostic so it’s applicable to different technical profiles. They have made sure the different exercises have a reasonable learning curve, starting with approachable steps and getting increasingly complex and challenging through the later stages. As an added bonus, you get unlimited access to their training portal, with access to the 5 challenges the training consists of and hundreds more!
My final score: ★★★★★ 10/10 AAA++++++ would attend again Very nice… very very nice