We are Hackers for Hire, aka Professional Pentesters. AMA!

[removed]

Those background checks are rough.

Also, I can't take polygraph tests seriously. Since they're garbage science.

Once computers become sentient, will attempting to penetrate their ports be considered unconsensual assault?

Cant you alreafy get arrested from doing a port scan? In the future, that will likely be considered rape. The future is dumb.

In the US, portscanning isn't nearly as risky as it used to be. We scan the internet pretty routinely, and talk about it at Project Sonar.

If you are asked to fill out a pareto chart style (roughly 80% of the effects come from 20% of the causes) What would be you pick of 20% say in case of networks, web and mobile?

So, what accounts for all the win in the network, or what accounts for all the fail? I'll cover both, since oddly, the answer is the same.

Most network and computer resiliency -- the stuff that makes the target hard to hack -- is due to decent patch management. If your organization is diligent in getting updates out to servers, desktops, and mobile, you're 80% of the way there, for sure.

When it comes to exploiting vulnerabilities, though, most of the time, it's due to that small population of machines that don't see automatic updates. They may be "too critical to reboot," or they're some goofy IoT thing that can't get updated reasonably. That's where pentesters (and criminals) live.

Steve-O here: If Todd Beardsley shaves his beard does the universe collapse on itself?

No. That only happens if egypt shaves his. In theory. Let's pray we never find out.

What's the best thing a junior can do after passing OSCP?

Drop out and start working! Or, get an internship while you're in school. Either way, start getting out into the field for real.

(I didn't end up finishing my degree until I was 38).

I work at a financial institution in South East Asia. How difficult to penetrate a midsize financial institution?

What are some tell tale sign of bad security visible to public?

We discuss this some in our paper, Under the Hoodie. Turns out, there's not a ton of difference between industries, which we found kind of surprising.

You'd think that places like financial institutions and healthcare providers would have better security than a retail outlet, but the fact of the matter is, everyone runs pretty much the same stack -- Microsoft desktops, Linux servers, and Cisco switches and routers (and if not those, their top two or three competitors).

So, broadly, techniques and tech really don't change much from site to site. There's always something new you run into on every site, but the basics are the same where ever you go.

Vim or Emacs?

Vim.

VI. And bring back Lynx and Pine while we're at it.

You are wrong, /u/hackamuffin.

Links is way nicer than lynx.

Any easy way to see if my phone has been infiltrated by anyone I wouldn't want there?

Easy? I can't think of many. There are companies that make anti-malware for phones, like Zimperium which are fine, but for most people who don't have enterprise security on the phone, the best bet is to avoid shady, off-brand app stores, keep your automatic updates going, and factory refresh maybe once a year (you do have backups of all your photos, right?).

If you see that you're suddenly texting people with spam links, or find weird apps you never installed, then you've likely been owned.

I find security testing the most sexually pun-filled area of IT. For example: "penetrating your back-end". What are some of your favourites?

I know! And it's off-putting.

Unrelated, but over at Metasploit, we have a Code of Conduct that specifically forbids "the use of sexualized language or imagery." Which helps make our project a little more welcoming, but it's easy to accidentally pun something with the language we use.

I do think that pentesting, and security in general, is absolutely loaded with very aggressive language. Terms like "attack" and "exploit" don't exactly get a lot of people into a friendly mood, and the imagery is very much centered on castles and locks and swords and other things that boys like (with few exceptions).

It's unfortunate, and I believe that the language and images that we use to describe our industry absolutely contributes to the lack of women in our industry. That, and the overt sexism and misogyny that you find in male-dominated industries.

What can a junior in high school do to get into this profession? I've been playing with RATs (on my computers ONLY, nothing illegal), making viruses undetectable, and going through online netsec courses on cybrary. Thanks :)

We don't hire pentesters who are 16ish, but we have occasionally hired high school interns for software development jobs elsewhere at Rapid7. I'd say take this time to learn programming languages, scripting languages, and throw in on some open source software projects that strike your fancy on GitHub. Getting some programming experience under your belt will pay off a ton in the long run, since you'll better understand how computers work.

What movie has the most realistic representation of hackers?

Hackers!!! ... We say sneakers. Mr Robot is probably the most honest.

Yep, Mr. Robot seems to be the most technically accurate (except when things obivously veer off into fantasy land).

"Yes, we all know what a Raspberry Pi is." - favorite line. :)

I get using a Raspberry Pi, but I always argued this: Why not get a prepaid Android phone from Walmart at about $20-$40 and use that? You don't have to activate it and 9 out of 10 times they can be rooted since they are older. Launch your attack from that! You can then do your pwn custom tools. Git it?

eh, I'd argue it's easier to just run your stuff from Raspbian, especially if you're not into android APK development. The Android platform may end up being slightly cheaper, but that'll wash out when you end up having to get a better power supply going.

Are you 4chan?

Nope.

What are some common security practices that infuriate you?

The belief there's a well defined "internal" vs "external" side, given that we have mobile devices moving around all the time, and everyone's shoving their core infrastructure off to the cloud.

Network segmentation is hard.

1 - I read something several years ago about password policy and that decreasing pw reset times and increasing length and complexity had a sort of reverse effect because it lead to people following formula (switching characters around or increment numbers) or just being more prone to keeping them written down in unsafe places and there was a theoretical point of diminishing returns. In your experience have you found anything that supports or refutes this notion?

2 - Key fobs and phone apps providing tokens for use in authentication - is this a real solution or a placebo? Is there a struggle with increased cost and effort to the IT team replacing and resetting due to the fob or phone being lost that might be keeping some orgs from adopting this or regretting making a move to this?

So last question first: multifactor / two-factor authentication (MFA / 2FA) do tend to make things much harder for attackers, on a couple fronts. It means you can't just guess "Spring2017!" for all users across the site and expect to get going with your stolen credentials (without 2FA, this password will almost certainly work, btw). It also means that if you get compromised, and your user database leaked, those passwords are /slightly/ less valuable, because you still need to deal with the 2FA / MFA.

Now, in practice, 2FA / MFA is not a cure-all. They're still defeatable. But you need to work at it a little harder. For more on 2FA -- namely, who supports it -- see https://twofactorauth.org/ . I love that site. Tons.

For your first question: password management is tough. If I was king of security, I would mandate that users must use a password manager, which gives them long, unmemorable passwords full of all the character classes and maximum length. Password policies that enforce minimum lengths do tend to help overall password complexity, but that's about the only control that seems to work consistently.

If you're not a unilateral monarch (and no CISO is), then the best thing to do would be to force password expiration maybe 2x a year, have account lockouts that are human-forgiving (lockout for 30 seconds, alert for serious if the lockout is hit 10 times in a row), and keep an eye on your typical user behavior to tell when a service account is suddenly logging into all your phones when it's never done that before.

For more on passwords, I really like Mark Burnett's book. It's pretty much still the go-to for this.

No fear of getting their password manager info dumped?

Password managers mean that you are keeping all your passwords in one basket, so you better protect that basket.

But, I'd say, for most people, using a password manager is way less risky than reusing the same 3-5 passwords they use on every site they ever encounter.

The password manager I use is usually offline, and lives on my (phyiscal) keychain. It's encrypted with a fairly decent password, which I do have to remember in my head.

It also means that I don't get to use it with my phone (if I had it on my phone, it'd be online all the time). But, for that case, I tend to have long-lived sessions terminated on a phyiscal device that has full disk encryption, near my body pretty much all the time. Or, in a pinch, I can do a password reset via my e-mail.

How important do you consider network security measures like SIEM log monitoring, vuln scan/mgmt, and patch mgmt to be?

Side note - I work in that particular industry and am constantly surprised when I speak with an ISO who simply doesn't give a shit.

We cover this some in our pentesting census report, but briefly, detection is everything.

If you're able to detect the pentesters in time to actually do something about it, we'd fail on site a lot more often. Which is good news for you, the client! It means you at least have a chance of catching real intruders in the act.

The trick is hitting that balance between detecting everything that's useful, and suffering alert fatigue. You can't have a SIEM that just screams everything is broken all the time, or else your analysts will just never respond to anything.

Whats your favorite hardware? Whats your favorite operating system? Whats your favorite web browser? Whats the pay like? Are you guys able to do any of the stuff we've seen in the Wikileaks Vault 7 year 0 leaks?

The Vault7 stuff looked awfully familiar. I wrote a blog post about it. TLDR: Working at the CIA is pretty much an identical experience as working on Metasploit.

Bam here again. How has the security (conference) scene changed over the years? Would you say it is toxic or inclusive at large? A grounding litmus test would be if you would want a daughter of yours to go into infosec.

How has the security (conference) scene changed over the years?

Ignoring the rest of the question (which /u/eccentricoldsoul handled), I think it's pretty obvious that the conferences have all gotten a lot more commercial. RSA is the new CES, Black Hat is the new RSA, and DEF CON is the new Black Hat. I don't think this is particularly bad or contentious.

That said, regional conferences are where it's at. I like THOTCon, Derby, and Infosec Southwest (the last I help run, and you should go there!).

And, THAT said, there are a billion conferences. You could go to one a week and never run out. I think it's hard to characterize them as a whole. Some are great.

Did you read 2600?

I did! I was at the first 2600 meeting in San Francisco, at the... Montgomery Street? BART station. It was all pay phones, and no laptops allowed. Pretty much exactly like a Cory Doctorow book.

How do I avoid getting digitally ransacked by thieving, balaclava wearing l33t hackers?

Don't hang out in TV studios.

Did some companies ask you to make something illegal for them ?

See /u/hackamuffin's answer, here.

How is the weather where you are at?

Pretty downvotey!

how to i hack the wifi password of my neighbors ?

Well, step one is to get their consent. Have you done that?