QA | 29 August 2017
First of all my name is Harry. I’m 16 years old and have been studying computer science GCSE and get my results back on 24 August. I have always been interested in computers, originally video games and how they worked. I've had a computer for as far back as I can remember. For the past year or so I’ve been very interested in cyber security, especially iOS and macOS as they are my preferred platforms.
I came across CyberFirst because I follow GCHQ and the National Cyber Security Centre (NCSC) on Twitter. After seeing a tweet come up a few times, I decided to have a look and see what it was about. I discovered that it was a cyber security course so immediately signed up for the nearest university. I was expecting to have quite a tough time getting in when I was sent an email telling me I had to take an exam - but it was quite easy. A few days later I got an email back telling me I was successful.
Throughout this post, I will talk about the activities we did in the labs and the guest speakers we had. I won't go into too much detail about what we did in the lectures because this post will already be long enough. Enjoy!
Day 1: Surprisingly decent hardware
Day 1 started off probably as you would expect: trying to find the right place, learning your way around, getting to know people, etc. The week would be split between a lecture theatre and a lab with some surprisingly decent hardware. Each team (the 17 of us were split into 5 teams) had 4 Lenovo ThinkPads, a MacBook Pro, a server and some networking stuff.
We started with the instructors introducing themselves and, strangely, we were each given a tablet and told to install an app. This turned out to be a complete trick that, annoyingly, no one noticed, although we all found it quite funny afterwards. The 'Flappy Bird' app had been injected with some code and was actually taking pictures of us while we played and, after some denial on our part, it turned out the terms and conditions on the app had actually been modified and we had all agreed to have our photo taken through it.
This concluded the first lesson of the week:
- Don’t install apps through untrusted third-party stores
- Always read the terms and conditions
One of the most exciting labs we did throughout the week, at least in my opinion, was 'Patient Zero'. We were given an Excel spreadsheet with 3000+ entries. These were all pretend medical records with very limited sensitive information. The little information we were given was a postcode, age, gender, height, weight and some medical information like blood type. Our task was to find the person with pigeon flu, specifically the first person to get it. Working with the guy next to me, we quite quickly found the person who had the symptoms the longest and was the earliest admitted into hospital. We had to find the patient’s car colour, football team, adjoining neighbour and full address.
Next, we proceeded to look up the postcode of the individual. Looking up and down the street we noticed a man in the age range of patient zero standing next to a car. Now my first thought was the height: he was only slightly taller than the car, so I checked the height of the car (it was quite easy to identify the car model) and compared it to the height of patient zero. Just as I had thought, he was only slightly taller than the car. Looking around, the house next door had their bins out, which had their door number painted on them. Now we had the patient's car colour and adjoining neighbour's door number. A quick check of the houses either side and a zoom into the front door confirmed to us the full address of patient zero. While we were doing that we noticed an England flag outside his house, giving us his national football team.
Day 2: Stripping passwords, RATs, and orange Lamborghinis
Day 2 was so much more hands-on, and also very, very interesting. We began by creating standard and admin accounts on both Windows and Mac to compare what rights each type of user account had on the two platforms. Focusing on Windows, we used a program to export the NTLM hashes (NTLM being the hash algorithm used by Microsoft to hash passwords) and used two types of attack, dictionary and brute force, to crack them. The dictionary was provided to us and we cracked the two accounts' passwords quickly (considering we were told what to set the passwords to). The brute force attack, well, that was more just to see the amount of time this sort of attack can take.
The next lab we did is something most people probably would think isn't that easy to do, but it is. We created a Windows recovery USB (this could be done from any computer running Windows) and booted from it on the target machine. We proceeded to open a command prompt and replaced the utilman.exe binary with cmd.exe. Now, utilman.exe is accessible on the lock screen in Windows, so being able to replace it with the command prompt allows us to execute commands to remove the password from a local account. Now a Windows machine is only vulnerable to this if the accounts are local accounts, not Windows Live accounts, and if full disk encryption (or BitLocker) is disabled. If the user did have full disk encryption enabled we would not have been able to replace utilman.exe with the command prompt. This is why data at rest encryption is so important.
Now over to the Mac. You have most likely been told when buying a computer that Macs cannot get viruses and they are more secure than Windows. This is partly true, only because fewer people have Macs, so fewer black hats and cyber criminals write malware for them. Anyway, stripping the password off a Mac is extremely easy if, again, the account is a local one. If you are using an iCloud account then all it does is prompt you to sign in and reset the password that way. It goes to show that if you don't focus when you're setting your machine up, you could be in a tricky situation if your machine is stolen and you have banking details on it (or anything else that could cost you a lot).
The next lab we did was malware. This was quite fun because we all purposely infected each other with a RAT (Remote Access Trojan) and from there used the IP addresses of the others in the room to play around with their machines' webcams, show popups, vandalise their screens etc.
The last activity we did that day was some more OSINT (Open Source Intelligence). We were given the term 'Orange Lamborghini' and shown a certain image. We were asked to find out as much information about the owner as we could. We found the owner's name, age, address, family, company, net worth, what he was doing that day and his controversial activities.
Day 3: Network security
We began to focus on network security for the remainder of the week, beginning day 3 with setting up a router to be more secure. We had router security explained to us, were introduced to WEP, WPA and WPA2 and set up our router using one of these. Instead of using the DHCP and DNS built into the router, we set up a Windows server and used that as our DHCP and DNS server. This allowed us to control the connections to the server more easily and see the IP addresses of the clients. We were also briefly introduced to Wireshark, which we used only to look at HTTP requests.
Day 4: Internet of Things, Simulators of Enigma
On day 4 we explored IoT devices, particularly a cheap IP camera. We were tasked with setting up said camera and researching to find a vulnerability affecting our router that could allow us to take control of the cameras of the other teams. After a bit of research on different sites, we discovered a vulnerability (CVE-2014-8361) that affected the UPnP protocol of the router. Using Zenmap (the GUI version of Nmap), we found the IP addresses of the other teams and accessed their routers' dashboards. Now my team was slightly cheeky and we plugged our ethernet cable into another team's router while they weren't looking so we could take control of their camera. However, afterwards we did access it remotely.
A fun program we used was an Enigma machine simulator (shame we didn't have a real one, though), but this worked the same. It was quite complicated to set up and understand, but we eventually were able to send messages back and forth, which was quite fun. Moving back to Wireshark, we had one person copy a file from the file server we had set up, and the rest of us used Wireshark to monitor the TCP packets. From that we extracted the entire file from its packets, which is quite scary since many people use public Wi-Fi and it is possible to get the entire file this way. To protect against this, we set up IPsec and then observed the same file transfer, and saw that the file could no longer be extracted from the packets.
Day 5: More encryption
On our last day, we focused on digital certificates, signatures and more on encryption. We used our server to request a certificate from a central server in our 'pretend internet', as the instructors called it. We used this certificate to secure a web server for a made-up company. Now, obviously, Chrome and Edge complained and didn't display the 'green padlock', as our central server is not a trusted root Certificate Authority. The final task was to set up a VPN and connect to it in Windows.
We had some amazing speakers, and they far exceeded what I expected. The first speaker was a professor at the University of Portsmouth; he was an expert in social engineering and what he spoke about was fascinating. He spoke to us about an assignment he set his 3rd year students. He asked them to find out as much information as they could about him. Now this didn't sound like an easy task, especially because he explained how he uses a fake identity, along with all the members of his family. His students came back to him with excruciating details about his family, including cousins' birthdays (that even he didn't know), the bank he mortgages his house with, his real name and the real name of his child. They even got his dad's phone number and called his father trying to get details about his son. One of them even sent a phishing email with a link which, consequently, led to his operating system, IP and browser version being revealed, so they were able to hack into his home network and attempt to access the system to change their grades. After his talk, pretty much all of our heads were spinning.
The second speaker we had was from Cisco, who gave himself the title of 'Chief Security Officer'. He explained his role at Cisco and went into detail about some things that I won't mention here. He mentioned how he has taken on 3 students as interns over the summer and some of the amazing things they do. One of them was making a complicated graph (of which I forgot the name) of all the .onion sites, another was doing a project with certificates, and the third was working with some Cisco data.
The third speaker was the co-founder of the Cyber Security Challenge UK. He came to speak to us about his company and all the different things they do, from mini games to CTFs, a research project they run which awards 28 UCAS points to help towards university, and a long list of sites that could be helpful to someone looking for a career in cyber security.
The fourth and final speaker was from NCC Group. He came to give us a live demo of the process of hacking a very insecure Windows machine. In the demo he was only able to gain access to a standard user account, but even then he showed us some cool tricks. The first was a vulnerability in folder permissions in Windows. He showed us that there was an event set to run an executable at a certain time every day. However, the folder was only modifiable by an admin, so he created a new folder, moved the admin folder into that new folder, recreated the folder that was previously locked to admin users, and then dropped in a malicious exe with the same name as the previous exe. He then waited for the time to approach and the malicious exe ran.
He also showed the process of extracting saved passwords and usernames from Google Chrome on the machine, and then signing in with them. He gave us some advice on things to do to advance this career choice, and tips on how to set up our very own pentest network with relatively cheap hardware capable of running VMs, and I have a few old machines that are capable of that.
I have since been in contact with him, and he's giving me further advice on ways I can get into cyber security.
Conclusion: cyber security is the job for me
All in all I enjoyed my time at CyberFirst Futures and I will 110% be signing up for CyberFirst Advanced next year. I feel like the course has confirmed that cyber security is the job I should really focus my time on. If any of you are interested in cyber security and are in the age range that CyberFirst is aimed at, I recommend you take a look and seriously consider it. There is a massive shortage of people wanting to do this job so if you do take this as a career you would rarely be out of a job and you would get a very decent pay cheque whether you work in the public or private sector. To find out more, visit the CyberFirst website.
I hope you found this article useful and enjoyed it; I spent a great deal of time reading back through all the notes and ensuring this was as good as it could be. I'd like to make a disclaimer and say that everything I've said here is my opinion. In no way was I asked to do this article to give CyberFirst a recommendation.
Finally a massive thank you to GCHQ, the National Cyber Security Centre, QA and The Smallpeice Trust for allowing us to have this great experience.