My Journey From InfoSec to Web Dev and back to InfoSec

28th February 2019

My journey started back in 1999, I was 15 years old, and I just double-clicked the file “picture.jpg.exe” which was sent to me by a friend over either Yahoo or MSN messenger. Nothing seemed to happen at first, then the next minute the tray for my cd drive opened and then my screen flipped upside down. I was fascinated! My imagination of what my friend must be doing on his computer to make this happen wouldn’t have looked out of place in the 1995 movie Hackers ( Classic! ). The next day at school I got him to explain how he did it, and this is when I discovered what Sub7 and Trojans were.

The next couple of years were what I’d, unfortunately, class as my “Script Kiddie” days. I wanted to learn about hacking so badly and remember this was the late 90’s, people didn’t have multiple home computers, virtualisation and there definitely weren’t any bug bounties programs or capture the flag style training resources to hone your skills.

Armed with sub7, I would chat to people online and offer to send them either a “game ” or “picture” which was the trojan in disguise. I would always use ICQ messenger to talk to people as this was the only messenger service which spoke directly to each other’s computers rather than to a centralised service which when using a firewall with logging allowed me to capture their IP address so I could connect to the then infected computer.

My internet activity was starting to rack up quite a phone bill ( remember dial-up internet ) but I was fully addicted and would stay up late into the night. Luckily this would coincide with BT ( British Telecom ) introducing unlimited dial-up internet for a monthly cost over a free phone number. I couldn’t convince my parents to purchase this, so I ended up scanning the BT network looking for clients that were already infected with sub7 and then using a brute forcing application I found online I could log in to their computer and steal the username and password for their internet connection. Luckily BT seemed to allow multiple connections using the same credentials, so I could now connect whenever I wanted day or night for free.

College is where my education properly started but not from any of my teachers, it was in fact, a fellow student ( who incidentally has gone on to do great things in the security world ). Even at just 16, he was already a great hacker, phone phreak and social engineer. I got to learn about networking, Linux, SMB vulnerabilities, IIS exploits, blue boxing, buffer overflows, telephone networks and much more.

This education created a great foundation in computer security, but at the same time, I also got interested in web development. I started creating layouts in HTML which then led to learning JavaScript and CSS. After a while, I wanted to make more interactive websites so I learnt ASP and how to create a database driven website using Access.

At the time I hated being in education and couldn’t see a future which involved making money with computer security, so I concentrated all my efforts into web development and dropped out of college.

While learning more about web development, I took on a few different first line IT support jobs to make money. I switched over to PHP after a few months and also learnt how to use MySQL. For a couple of years, I was stuck in the cycle of not being able to get a web development job because I had no experience but had no experience because I couldn’t get a job. At the time I was working for a small business, I convinced the owners that I could build them a little internal system like a basic CRM which would be better than what they were currently using. So for a month or so in between phone calls I built this system, they were so impressed we switched straight over to it. My job snowballed from there, and I developed more and more systems for the businesses and helped grow and take the company into new directions. After a few years, I was made a director of the business, and I kept that role for the next 9 years. During that time my web development improved, I got to build a mini data centre and learnt about virtualisation and cloud computing. I would always try and keep up to date with the latest security news and use whatever I had learnt to keep the network and systems secure.

Something was missing though, I wasn’t passionate about web development, I didn’t get the surge of excitement I did from computer security. So in March 2018 I handed in my notice with a plan to do part-time consulting work, some web development for personal projects but spend my extra time getting back into InfoSec with a focus on web app security and a plan to eventually create a hands-on course to teach web developers about the most prominent security risks.

I’ve recently registered to take part in Offensive Security’s ( OSCP ) Certification so I’m looking forward to starting that on April the 7th.