25th September 2018
Due to popular demand, my women in information security interview series is back for autumn! This marks the second anniversary since I started. Some of my subjects in this round have been waiting since last spring, so getting to chat with them has been long overdue.
Let’s start with Sharka, a penetration tester who is full of enthusiasm. She wants to give some shout-outs to some of her favourite Twitter accounts: SureCloud, OWASP Manchester, DEF CON Paris, BSides Athens, MazuTech and Chrissy “5w0rdfish” Morgan.
Kim Crawley: So Sharka, please tell me a bit about what you do.
Sharka: I am a cybersecurity consultant and pentester at SureCloud by day. They are awesome because I get to hack all infrastructure, web apps and payment systems. Also, I get to follow my passion: social engineering and testing physical security. By night or my free time, I am a bug bounty hunter. I am very involved in the hacker community. I am one of the Manchester OWASP Chapter organizers and co-founder of the one and only DEF CON group in Paris. I’m also an ambassador for BSides Athens. Additionally, I research with my friend Chrissy under the Mazu project. It’s meant to be a unique project that looks at the world and its vulnerabilities from both the offensive (me) and defensive (Chrissy) side. I am coming up with exploits that she is trying to defend against. Recently, our research has been heavily focused around RFID and specifically around the new Proxmark3 RDV4.0.
KC: Your work sounds varied and exciting. How did you get started in cybersecurity in the first place?
S: My first hack was when I was around 8 years old. The first hack was to manipulate my blood glucose meter. I figured out how to manipulate the results to show better results than I actually had. But I didn’t touch a computer until 14, maybe. That’s when my dad brought his work laptop home. He always tells me that I was stuck to that thing all the time. At school, everyone would always find me in the room with PCs. But I was told IT is not for girls. So I didn’t study it, but I eventually found my way back. Security was that mind-blowing part that attracted me since day one. Without studies, it was a little harder. But after hard work, one day I got an offer to be the first SOC engineer guarding British national infrastructure! That is where I truly started in cybersecurity professionally.
KC: You have some parallels with my background then. Dad’s computer gave us the opportunity to explore computing, and our cybersecurity careers may have been a bit delayed due to sexism. How do you juggle pentesting with OWASP, DEFCON and BSides organising and vulnerability research? Do you still get time off to rest and pursue your hobbies, or are those extracurriculars indeed your hobbies?
S: Well, I am glad you are pointing that out, because I feel like hacker mental health and well-being is often ignored, and often by ourselves. We all know how it feels when we disappear down the rabbit hole to chase that one bug. Time doesn’t exist. Even food is not important! I think we should start talking about it more. In my case, I go to Kendo practice at our local dojo. But I also meditate and float. (I recommend it to anyone who has the possibility to try it.) I believe you can experience it in sensory deprivation tanks.
KC: I keep wanting to write a book while I blog for several different websites and vendors. But then I change my mind. I’d rather hang out with my friends and play video games when I’m not doing paid work. Oh well.
S: Why not do both? Little by little? Start writing chapter by chapter. Go play, relax, then go back to it! I’d read it!
KC: I guess a chapter is about the length of one of my typical articles, so I’d consider your advice. Have you ever done a third party pentest and, without naming names, been really shocked by how insecure your client’s network was?
S: I must say I only do third party, and we have some pretty awesome customers that mostly do follow our advice. So hacking their network is harder and harder. I’d say I see more shockingly insecure behaviours around me in everyday life, unfortunately. That’s why I love to do talks and spread awareness.
KC: Do you think the general public, laypeople, are getting savvier about social engineering?
S: I don’t think they are there yet because there is this whole barrier about us hackers portrayed in black hoodies with balaclavas being malicious. So people are wary of anything hacker-related. But it’s changing slowly. When I talk about breaking into buildings, people are interested more and more, and they want to know what they can do to protect them.
KC: Do you think people overlook or underestimate the importance of physical security?
S: I think they try to give it some thought and put controls in place. But same as using tools to protect your network, you have to configure them right and test them regularly. Patch them. Once you’re feeling like it’s well-done, invite people like me to test them.
KC: I’m under the impression that to a lot of people, network penetration is all speed-typing on a PC. Crawling through the duct work to enter the server room wouldn’t occur to them. What are some of the most common physical security vulnerabilities that you see?
S: People placed to operate those physical controls, mostly. I study the psychology behind manipulation and persuasion. I learn how to read body language, facial expressions and physical traits to tell me who they are.
KC: What advice would you have for kids who are curious about pursuing cybersecurity one day?
S: Start building their knowledge and feed their curiosity! There are so many great online resources that are free where they can learn and practice. And then I’d say go for bug bounty hunting. Or do some research, but make sure to involve adults and understand everything about responsible disclosure. Go to conferences, connect with people, ask people to mentor them. Ask questions no matter what!
Thank you for the job you are doing. You are building something fantastic and very important! And let’s not forget, hack the planet!
About the Author: Kim Crawley spent years working in general tier two consumer tech support, most of which as a representative of Windstream, a secondary American ISP. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in all things information security related. By 2011, she was already ghostwriting study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Article originally posted on Tripwire.