A1. Security exists because hacking exists. It’s the good old principle of action / reaction. However, the line that separates the worlds of security and hacking is thin and too often crossed. On one side are those we call the white hats and the black hats on the other. But as in life, things are not always black or white. There are sometimes gray areas and a third category called grey hats, fall in between the two.
There’s a war raging between the two. The white hats, who try to protect and secure systems and the infrastructure, are faced with constant attacks, which mostly are committed by black hats. Through their activities and the enforced legislation worldwide, the latter are most likely criminals who try by all possible means to achieve their gold. Their motivations that once revolved around having fun and the challenge, have now given way to greed and profit. The black hats work either for themselves or for criminal or terrorist organizations. Military strategic objectives are now part of the equation as well. This new and growing reality might have some impacts never seen until now.
But fortunately, all is not lost! The white hats are there to defend the systems, the private networks and the public and critical infrastructure. It sometime takes a crash or any problem to realize that our health system, our economy and many other aspects of our lives are directly dependent. Step back for a moment and imagine what would happen if the power grid, the water treatment or the telecommunications were severely affected or wouldn’t work? We must therefore make every effort to protect and hopefully leave a more stable and a safer infrastructure for generations to come.
However, to successfully maintain order and avoid chaos, several elements are essential to develop an effective strategy and knowledge is the first element. It also requires people with integrity and with the necessary knowledge. Obtaining this knowledge does not happen overnight and experience cannot be acquired in books. It requires willingness to learn and hard work. The only way to achieve this goal is to invest time and effort. And like anything, you have to practice, practice and practice. What’s an expert? It’s someone who made many mistakes.
Some security training exists, but as this is an area which is very large, it is easy to get lost. One must question himself about what he likes. To be offensive? defensive? The technical side? Governance? An introspection and a serious reflection are essential in order to figure it out. You must wonder about what your motivations, your skills, your abilities, your strengths, your weaknesses, your intentions and what you like to do.
Q2. How can I practice to get ready for the hacking competitions?A2. First, NEVER try to practice or attacking a system that does not belong to you unless you have written permission. It is strongly recommended to use test or laboratory systems which are designated for that purpose. Any attempted unauthorized access to a system is illegal and punishable, particularly under articles 342.1 and 430 (1.1) from the Canadian Criminal Code.
We are seriously considering setting up a hackerspace which will provide a venue and an environment to practice legally on systems designed for this purpose. More info to come ...
We also invite you to visit Thomas Wilhelm (aka "The Hacker Junkie") Website at http://www.de-ice.net. This site offers a wealth of interesting and relevant information. Moreover, at De-ICE PenTest LiveCD Project the De-ICE PenTest LiveCDs can be downloaded from there as well.
Q3. I already have some hacking tools and I'd like to know where and how I could legally get some practice?
A3. It’s a good start to have an environment to practice but you also need the right tools. Here is an interesting list of Pen testing tools that you should look at (thanks to PaulDotCom for providing this list)
http://pauldotcom.com/TriplePlay-NetworkPenTestingTools.pdf
http://pauldotcom.com/TriplePlay-WebAppPenTestingTools.pdf
Also, read the Q2 answer.
Q4. Do you have some interesting links to share?A4. Look at the "References (in construction)" section.
Q5. Is it possible to build a testing environment at home and how?A5. Absolutely. Different machines, either physical or virtual, using different OS like Windows, FreeBDS, Linux, etc. can be built. This gives the possibility to test different types of vulnerabilities and scenarios. The use of virtual machines is an interesting avenue. Several "virtual appliances" can be downloaded from the VMWare website . The Bagvapp Website http://bagside.com/bagvapp/ also offers an interesting and diverse amount of virtual machines ready to be used.
Again, another interesting resource is Thomas Wilhelm (aka “The Hacker Junkie”) who on top of making De-ICE PenTest LiveCDs available for the community, also wrote a book called : « Professional Penetration Testing: Creating and Operating a Formal Hacking Lab »
Q6. I am very interested in a career in computer security. I have done some research, but without convincing results. Are there any references to books, websites or courses to learn the basics of computer security and hacking?A6. First, it is a good career choice! Several references and much information are available, but you must first know what you’re searching for (see R1).
As of yet, not a lot of educational institutions such as Colleges & Universities are offering security courses. But we are working on it ... ;-)
Q7. I am especially interested in obtaining data and learn how to break into various systems. Do you have any advice and referrals for someone who starts in the field?R7. It is important to understand that data acquisition and introduction into systems may be illegal and constitute a dangerous game. Having hacking tools in his possession and surf the Web in search of a "target" may be the equivalent of walking down the streets with a loaded gun! People have been arrested and putted in jail for using their tools and knowledge inappropriately. You should know that the authorities are now much more present and better trained than in the past.
Appropriate training will not only teach you the tools and techniques but also how to do things in a legal and business context, according to predetermined rules of engagement. Among these courses, there are the ones provided by the SANS Institues, just to mention these ones.
Also view R1.
Q8. Can I get involved in the Hackfest?A8. Send us an e-mail at info @ hackfest.ca
