Pierluigi Paganini July 04, 2017

Today I have the pleasure to interview Mubix “Rob” Fuller (@mubix ) one of the most prominent experts in the hacking community.

Rob has over 11 years of experience covering all facets of information security. He has been behind the lines helping to design, build, and defend the US Marine Corps, US Senate, and Pentagon networks – as well as performing penetration tests and Red Team assessments against those same networks. More recently, Rob has performed numerous successful Red Team assessments against commercial Fortune 50 companies representing some of the best defensive teams in the industry.

You are one of the most respected experts on cyber security. Could you tell me what your technical background is and when you started hacking?

I think my earliest “hacking” was cheating at video games. I enjoyed learning the mechanics of how the Game Genie and GameShark worked, and how I could cheat at games rather than playing them. My parents always thought that I ruined the games, but it really was the figuring out how to get the right hex for infinite life or ammo that was the game for me.

After that I owe my traditional IT / Security learning to the Marine Corps’s 0651 and 0656 schools, the amazingly patient Marines and civilians at the MARCERT, the OSCP and Chris Gates’ blog.

What was your greatest hacking challenge?

The greatest hacking challenge I would say is myself. Self-awareness is an ever progressing goal, I attempt to figure out and make myself better every day. I fail at it a lot, but all the best hacks are pure and simple perseverance and I plan to never let this one have the better of me.

What are the 4 tools that cannot be missed in the hacker’s arsenal and why?

So much troll ammo in that question. Or I could go the philosophical route and talk about the mind, and never giving up, but I’ll take the question at face value (this will be heavily weighted towards Windows since that’s my specialty):

1. A programming language. Yes, you don’t have to know programming to be in “Information Security” but to be a “hacker” (in the sense of breaking into systems), knowing a language will save you when the tool that you need for a very specific use case just doesn’t exist. It also helps you when you run into a tool that is broken, that every seems to use, but for some reason you are the only one noticing it’s broken.
2. An Intel NUC (or other computer) with ESXi (or other virtualization) on it. Having a lab, even on a hand-me-down laptop/computer with Virtualbox and trail copies of Windows I was able to learn more by building whatever application I was trying break into, than I ever would have by poking at it from the Internet.
3. A blog. I forget things all the time and I usually use my blog or another note taking method (pen an paper, text editor, telling friends about it), to be able to reference it later when I need it. Even if you are the only reader of your own blog it is hands down the best method of learning for me because it forces me to re-do things and revisit my assumptions.
4. Metasploit. Mostly because it makes things dead simple, and learning to use it isn’t very hard.

Which are the most interesting hacking communities on the web today?

I’ve never really been welcome or even interested in the darker side of hacking communities. I would get caught if I even tried to dive into that world.

To know one’s limitations is to know one’s self

However, I run NoVAHackers with Chris Gates so I would be remiss to not mention it, and it’s parent AHA. Both are great communities with basically a mini-conference every month at the meetings.

If you don’t have a hacker space, or “Hackers Association” in your area, first, look harder there probably is one that you just haven’t found yet, and second, if not, start it. I went to the first 2 or 3 meetings of NoVA Hackers by myself. Don’t be deterred by single digit membership or attendance. NoVA Hackers is near ~700 members + another 500 or so alumni since it started in 2009.

Which is the industry (healthcare, automotive, telecommunication, banking, and so on) most exposed to cyber attacks and why?

Honestly, I don’t want to answer this. Why would you point at someone and say “hit him, he’s easier to take down”

What scares you more on the Internet?

The fact that people think it’s a weapon for or against them.

We often hear about cyber weapons and cyber attacks against critical infrastructure. Do you believe concrete the risk of a major and lethal cyber attack against a critical infrastructure?

Yes, but in what country? Is the U.S. even the most connected these days? I doubt it. In counter point I would like you to watch the following for actual statistics on the matter by @SpaceRogue:

Why and which are the most exposed CI?

Same issue with the industry question, not going to point at the weakest link. I guess an argument to the fact that making light of these targets helps to force action, but I think unless you have had your head in the sand every knows of “Cyber Threats” these days, and a heading like:

Security Expert Rob Fuller says that Widgets are the most vulnerable target in U.S. Infrastructure

doesn’t really further any message or get anyone’s attention to something they don’t already know.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs –  Hacker, Mubix “Rob” Fuller)

[adrotate banner=”13″]