The Script Kiddie Trap

The Script Kiddie Trap

What you need to know before 101 in cyber security.

D72dfe7b836c6530e8964af4ba4cb332?s=128

Abdullah

April 20, 2019
Tweet

Transcript

  1. The Script Kiddie Trap What you need to know before

    101 Abdullah Hussam @Abdulahhusam
  2. WHO AMI i WHOAMI Abdullah Hussam: ❖ Information Engineering Student

    at UOT ❖ Application Security Engineer, Security Researcher and Sometimes a Bug Hunter ❖ Served at: Isecur1ty, EarthLink, Cure53, and Hackerone ❖ 10 CVE’s: WordPress, Joomla, Drupal, …etc
  3. WHO AMI i Who Are You? ❖ Quick Survey! ❖

    Bug Bounty Hunters: ? ❖ Programmers: ? ❖ Or Pentesters: ?
  4. WHO AMI i Before We Get Started This talk is

    based on my subjective experience. Maybe I am right or wrong, I can’t tell. Things may vary for everyone based on where, when, who and many other circumstances. What works for X won’t work for Y and maybe won’t work for you.
  5. WHO AMI i Before We Get Started #2 This talk

    may piss some people off and if it doesn’t then I am doing something wrong here! Also, it may involve abandoning norms and sacred cows.
  6. WHO AMI i Our Roadmap Talk Technical Side Behavioral Side

    Motivation
  7. Technical Side How not to be a script kiddie technically

  8. WHO AMI i Who Script Kiddie is? In programming and

    hacking culture, a script kiddie, skiddie, or skid is an unskilled individual who uses scripts or programs developed by others to attack computer systems and networks and deface websites. It is generally assumed that most script kiddies are juveniles who lack the ability to write sophisticated programs or exploits on their own and that their objective is to try to impress their friends or gain credit in computer-enthusiast communities – Wikipedia
  9. WHO AMI i Who Script Kiddie is? Fact #1: Everyone

    starts as a Skid(Technically). Fact #2: Skid != Amateur || Noob (Just lazy people who don’t want to learn) Fact #3: It is not about the age or the title you can find a skid with a fancy title and sometimes with a PhD!
  10. WHO AMI i What is the Script Kiddie Trap? ❖

    People who think they don’t have to learn anymore! ❖ People who think every feedback is a Criticism. ❖ People who judge other people’s skills when they lack to.
  11. WHO AMI i Avoiding the Trap #1 Choosing the Path

    ❖ What you want to be? Security Eng, Security analyst, …etc. ❖ What you have to study? ❖ Where to start? ❖ Where to end?
  12. WHO AMI i Avoiding the Trap Find the Key Requirements

    and Cover it First
  13. WHO AMI i Avoiding the Trap #2 Find the Resources

    ❖ Very hard step(You can’t distinguish between bad and good). ❖ Stick to one resource or jump between them? ❖ Believe or not
  14. WHO AMI i Avoiding the Trap Too many aren’t good!

    Finish what you have and download another. My Unwatched Courses
  15. WHO AMI i Avoiding the Trap #2 Find the Resources

    ❖ Books are boring sometimes. You can read topics instead. ❖ Courses have to be presented by someone who has day-to-day experience. ❖ Write-ups are the most important. Be careful! “So many books, so little time.” –Frank Z.
  16. WHO AMI i Avoiding the Trap #3 Security isn’t Just

    About Security ❖ Programming is a key requirement in the field. ❖ Choose a language based on your focus area. ❖ Do some programming tasks. ❖ You can’t fix what you can’t understand. ❖ You can’t hack what you don’t understand.
  17. WHO AMI i Avoiding the Trap #3 Security isn’t Just

    About Security ❖ Network is a key requirement in the field(Mostly). ❖ You can’t understand how things work without understanding how the network works. ❖ No deep knowledge, unless network sec role. ❖ It is very easy! More than other fields.
  18. WHO AMI i Avoiding the Trap #3 Security isn’t Just

    About Security ❖ OS is also a key requirement(Specially Linux) ❖ You need to know how to use, secure, and analyze these systems. ❖ You need to know how process, threads, and protection are implemented in these systems. Specially if you want to work on the binary-level.
  19. WHO AMI i Avoiding the Trap #4 Bug Bounty Programs

    ❖ What is it? ❖ Platforms: HackerOne, BugCrowd, HackenProof, …etc. ❖ Self-Hosted Programs: Facebook, Google, …etc. ❖ Bug bounty has more than one face.
  20. WHO AMI i Avoiding the Trap #4 Bug Bounty Programs

    ❖ The good parts: • They give unlimited opportunities to everyone around the world! • A lot of money if you do it well. • You can build a name with it. • You can join the community very easily. • It is a huge +1 for your resume.
  21. WHO AMI i Avoiding the Trap #4 Bug Bounty Programs

    ❖ The bad parts: • It may(the bug hunting) waste your time. • Delay in response, fix, and rewarding processes. • Sometimes they give a false indicative about someone’s skills. • Fact: Skids can find bugs too! • Rewards are low(it debends)
  22. WHO AMI i Avoiding the Trap #5 Capture the Flag

    ❖ What is it? ❖ Very good to earn new skills and tricks. ❖ Good hackers sometimes aren’t good ctfer and vice versa. ❖ When to participate?
  23. WHO AMI i Avoiding the Trap #6 Joining the Community

    ❖ Where? Twitter, Slack, and Reddit. ❖ How? Write-ups, Involve in discussions, and help others. ❖ Participate in CTFs.
  24. behavioral Side How not to be a script kiddie behaviorally

  25. WHO AMI i Avoiding the Trap Don’t think you are

    special! ❖ Some people think they do the God work by themselves. ❖ You aren’t one of a kind. ❖ Don’t underestimate other people’s work. “You're never too important to be nice to people.” - Jon Batiste
  26. WHO AMI i Avoiding the Trap Make friends not enemies

    ❖ It is better for your future opportunities. ❖ Sometimes people hate you for what you are. (They are jealous) “If nobody hates you, you are doing something wrong.” – Dr. House
  27. WHO AMI i Avoiding the Trap Three hard-to-say phrases ❖

    ‘I don’t know’ ❖ ‘I need help’. ❖ ‘I was wrong’.
  28. WHO AMI i Avoiding the Trap Must to do things

    ❖ Credit people for their work. ❖ Don’t talk about what you don’t know. ❖ Don’t involve in no-wins situations. ❖ Don’t use your skills to hacking, attacking, or threating people. ❖ Don’t use fake name and images. That’s lame.
  29. WHO AMI i Avoiding the Trap Less I more We

  30. Motivation Get some home with you

  31. WHO AMI i Get Some to Home with You Motivation

    ❖ It is very easy to get involved in the community. ❖ It is very easy to find job when you are skilled enough. 3.5M unfilled positions by 2021 - cyber security ventures ❖ You are going to have friends from all around the world. ❖ If you are ambition enough you can get a job at Google or Facebook.
  32. WHO AMI i Get Some to Home with You You

    need to increase your network.
  33. WHO AMI i Offers I Got This talk isn’t about

    me it is about you!
  34. WHO AMI i Questions? Q&A

  35. WHO AMI i Bye! Thank you! Website: ahussam.me Twitter: @Abdulahhusam