If someone were to ask me, “What is one of the most important aspects of security?” I wouldn’t respond with auditing, mitigation, low-hanging fruit, and so on. Don’t get me wrong. Those are all good things. But I’d say curiosity. In one of my security classes, we dissected several vulnerabilities. A common theme that stood out to me was this: the vulnerability was originally uncovered by someone thinking outside the box and just attempting something crazy. They probably had a thought similar to, “I know you shouldn’t be able to, but what happens if I just…”
One of the vulnerabilities we looked at was this one, where the encryption on Linux could be bypassed by holding down the Enter key: https://thehackernews.com/2016/11/hacking-linux-system.html. Reading about it made me laugh. I don’t know the backstory of its discovery, but I had to wonder if an object was accidentally lying on the keyboard or the discoverer was just like, “Call me crazy, but I’m going to hold Enter down for a while.” The reward: a root shell.
After I took that security class, I stuck a sticky note to my monitor that read “Hmm… I wonder if…” That reminded me to be curious. Just try it. See what happens. Much to the chagrin of my coworkers, I called this “Let’s get stupid with it.” What I meant was: let’s try breaking it, or throwing garbage data into it, or approaching it from a completely different angle. Maybe nothing would happen. At times I find something helpful. Like this: when starting a previous job, I was trying to learn their environment. They’d deployed the business edition of AVG antivirus and AVG’s management server. We were going through the New Computer Setup checklist (something every IT department should have!) and reached the step of installing the antivirus. In the app, I had to type in a username and password for it to pull down new policies from the management server. Completely on a whim, I wondered how it transferred those credentials over the network. I dropped down to Wireshark and found every Windows workstation was sending that username and password across the network…
In clear text.
If that wasn’t enough, because of password reuse, that username and password also happened to be the same as those of another account…
An Enterprise Admin account.
That was before we had DHCP reservations, Splunk alerts for unknown IP addresses, and disabled unused network jacks around the building. So, theoretically, anyone could have walked into the lobby, plugged into the network (yes, there were live network jacks in the lobby), and almost effortlessly captured credentials that could have taken over the entire organization (full rights to the Windows domain, which held password files that would have given them access to all cloud services, the managed website, and bank accounts). All of that was discovered and mitigated by a simple, “Huh, I wonder…”
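The check behind that “Huh, I wonder…” is worth having as a script rather than a one-off Wireshark session: take a capture from the workstation, and ask whether a credential you know leaves the machine in any recoverable form. The example below is added here and is not code from the original post or from AVG. It parses a classic libpcap file (tcpdump output, or Wireshark “Save As” in pcap format; pcapng is not handled), extracts the data from every Ethernet/IPv4/TCP segment, and searches for the known password in the forms Windows and HTTP software commonly put on the wire: raw bytes, percent-encoding, UTF-16LE at either byte alignment, and base64 (HTTP Basic). Searching the decoded views rather than just grepping for the raw string is the point: a password that never appears as plain ASCII can still be fully recoverable. The capture, the host addresses, the username `avgadmin` and the password are all constructed for the example.

```python
"""Does a known credential leave the workstation in recoverable form?

Added example (not the original post's code, not AVG's). Reads a classic
libpcap file, pulls the data out of each Ethernet/IPv4/TCP segment, and looks
for a known password in the encodings credentials commonly travel in.
All hosts, names and the capture below are constructed test data.
"""
import base64
import binascii
import re
import struct
import urllib.parse

B64_TOKEN = re.compile(rb"[A-Za-z0-9+/=]{8,}")


def tcp_payloads(pcap_bytes):
    """Yield (src_ip, dst_ip, payload) for every TCP segment carrying data."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    link_type, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if link_type != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        frame = pcap_bytes[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 carrying TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len, = struct.unpack_from("!H", frame, 16)
        src = ".".join(str(b) for b in frame[26:30])
        dst = ".".join(str(b) for b in frame[30:34])
        tcp = frame[14 + ihl: 14 + total_len]
        if len(tcp) < 20:
            continue
        payload = tcp[(tcp[12] >> 4) * 4:]  # skip the TCP header (data offset)
        if payload:
            yield src, dst, payload


def views(payload):
    """Decoded views of a payload in which an ASCII secret may be hiding."""
    yield "plain", payload
    yield "percent-decoded", urllib.parse.unquote_to_bytes(payload)
    for start in (0, 1):  # UTF-16LE text may sit at either byte alignment
        text = payload[start:].decode("utf-16-le", "ignore")
        yield "utf-16le", text.encode("utf-8", "ignore")
    for token in B64_TOKEN.findall(payload):
        try:
            yield "base64", base64.b64decode(token, validate=True)
        except binascii.Error:
            continue  # looked like base64 but was not; skip it


def scan_capture(pcap_bytes, secret):
    """Return [(src, dst, encoding)] for every flow in which `secret` is recoverable."""
    needle = secret.encode()
    hits = []
    for src, dst, payload in tcp_payloads(pcap_bytes):
        for name, data in views(payload):
            if needle in data and (src, dst, name) not in hits:
                hits.append((src, dst, name))
    return hits


# ---- constructed sample capture (made-up hosts and credential) ----
SECRET = "Winter2016!"


def make_tcp_frame(src_ip, dst_ip, sport, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame; checksums left zero, which the parser ignores."""
    def ip4(addr):
        return bytes(int(o) for o in addr.split("."))
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                       ip4(src_ip), ip4(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return b"\xff" * 6 + b"\x00\x11\x22\x33\x44\x55" + b"\x08\x00" + ipv4 + tcp + payload


def make_pcap(frames):
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1_480_000_000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def sample_capture():
    """Four constructed workstation->server segments; three of them leak SECRET."""
    form = (b"POST /login HTTP/1.1\r\n\r\nusername=avgadmin&password="
            + urllib.parse.quote(SECRET, safe="").encode())
    basic = (b"GET /policy HTTP/1.1\r\nAuthorization: Basic "
             + base64.b64encode(b"avgadmin:" + SECRET.encode()) + b"\r\n\r\n")
    wide = (b"\x05\x00\x00" + "avgadmin".encode("utf-16-le") + b"\x00\x00"
            + SECRET.encode("utf-16-le"))  # odd-aligned UTF-16LE, as Windows APIs emit
    opaque = bytes(range(256))  # stand-in for an encrypted (TLS) record
    return make_pcap([
        make_tcp_frame("10.0.0.15", "10.0.0.5", 49152, 80, form),
        make_tcp_frame("10.0.0.16", "10.0.0.5", 49153, 80, basic),
        make_tcp_frame("10.0.0.17", "10.0.0.5", 49154, 8080, wide),
        make_tcp_frame("10.0.0.18", "10.0.0.5", 49155, 443, opaque),
    ])


if __name__ == "__main__":
    for src, dst, how in scan_capture(sample_capture(), SECRET):
        print(f"{src} -> {dst}: password recoverable ({how})")
```

Run against a real capture with `scan_capture(open("setup.pcap", "rb").read(), "the-password-you-typed")`; a non-empty result means the product ships the credential in a form anyone on the wire can read, and the only view that should ever match is none at all (the TLS-style filler segment above is the negative case). Reading from a pcap rather than sniffing live keeps the script free of third-party packages, and the known-secret search avoids having to understand the product’s protocol first, which is exactly the situation a new hire in an unfamiliar environment is in.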
So, in short, stay curious, everybody!
Hopefully that’s helpful in your ongoing security journey!