Ozgur's Blog

Random ramblings of personal nature

Job Encounter with CloudLinux


Introduction

Okay. I am absolutely livid at the moment. I recently got a rejection e-mail from CloudLinux. This is normal, right? So why am I losing my temper? Well, the reason is that I trust what I wrote and it doesn't deserve a boilerplate rejection mail. I know I am not the best and there are other people better than me, but still! Still, I don't think I should be dismissed with a response like that!

Job Description and Request

The job in question has a description as follows:

We need someone with practical, hands-on experience of cybersecurity, who can write, in English, to promote our products and educate intelligent enterprise audiences.

English needn't be your first language, but your technical skills must be demonstrable, along with your commitment, passion, imagination, and flexibility.

We're a fully remote-working company, so your gender, age, disability, and location are all unimportant.

This is a full-time post that pays monthly, in US dollars, to be a key part of the marketing effort for our cybersecurity product Imunify360.

Essential :

Your CV/résumé should show:

  • practical experience with pen testing, ethical/white hat hacking;

  • experience with investigating/reverse engineering computer malware and viruses.

  • knowledge of enterprise Linux security and hardening;

  • ability to create long- and short-form content (articles or outlines) in English.

Nice to have :

Experience with Linux, either as a developer, admin, or user/geek.

Knowledge of the web hosting industry.

A broad appreciation of cybersecurity issues and trends, and their corresponding technology.

Knowledge of digital marketing techniques and SEO.

A journalist's sensibility for story-telling, and for educating, entertaining and persuading readers.

Keywords:

Pentesting methods

Reverse engineering viruses and malware

Linux security and hardening

So, as you can see, this is a marketing job, straddling the line between technical explanation and storytelling, with a focus on educating the readers. We did two interviews; I must admit the second one did not go so well, but at the end I got a writing assignment and had the impression that I would be graded based on this article.

The assignment is as follows:

To explain the range of entry methods into a system. Different ways hackers get in. 1000 words, by Tuesday Will that works for you It doesn't have to be finished, we are looking for how the story is told and what level of language you have

I haven't made any changes in the text by the way. When I asked about the target audience this is what I got:

The audience is our clients - hosting providers, websites owners, servers owners

This is what I got by the way - I am directly quoting here.

The Article

So I sat down to work and created an article as follows:

This article aims to discuss some of the entry methods to a computer system used by hackers. A system may be out in the public - meaning it can be accessed via the internet - or it can be private, protected against access via a firewall.

You may ask what a Firewall is. Cisco defines a firewall as “a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. [...] A firewall can be a hardware, software, or both.” Outgoing network traffic can be exemplified by you trying to reach google.com, and incoming network traffic is the webpage data sent to you by Google.

Let’s say the machine in question is open to access via the internet. In this case, the hacker can start probing the system for possible vulnerabilities - chinks in the armor, so to speak. If the operating system or the applications used within it aren’t patched regularly, this may be used as an attack vector. Attackers use tools like Nmap, Nessus, and Wireshark to check the versions of the operating system and the applications, the open ports they use to communicate, and other vulnerabilities. This information, then, can be fed back to Metasploit. This is a framework that consists of exploits that can be used to provide access to that machine. The hacker activates the relevant payload, points it to the target and executes it. Contrary to popular expectations, these attacks will often make the victim connect to the hacker’s computer - also giving him administrator/superuser access.

These payloads can exploit a buffer overflow attack. This is when a hacker enters malicious commands into a system by overflowing the application buffer. It often happens due to code errors in the application. In simple terms, every application has restricted access to the system memory. If you somehow overflow these boundaries by entering more data than it can handle, you can corrupt or overwrite the data held in this space, belonging to another application or the operating system. The overflow often crashes the program attacked, but it can also provide an opportunity for the attacker to run arbitrary code.

Some of the exploits may be classified as Zero-day attacks. These are the vulnerabilities that aren’t yet known by the software or operating system developers. Because of their unknown status, it is often very hard to protect yourself against these kinds of attacks.

If the machine is protected against direct access, they need some help from the user of the machine. One of the easiest ways to facilitate this help is to create seemingly legitimate emails carrying malicious software in the form of an attachment. This method of attack is known as phishing.

Another way they may use to gain access is social engineering. In this way, the attackers impersonate a legitimate authority and contact the user to gain access. They may ask for the user’s username and password and even try to make him install a tool claiming their system is infected. Or they can call the company and try to guess or double-check who has higher access in the company by claiming they need a signature from so and so and if they are in the office at this moment. This may be used to vector in the attack.

The application installed via these methods acts as a trojan horse. It is seemingly an innocent program, or a document, providing behind-the-scenes access to an attacker. Most often antivirus programs detect these kinds of software and don’t let them run. But they can be fooled too.

If any of these approaches are successful, the hackers will gain the ability to control the victim machine. Usually, the first thing they will do is to install a backdoor. This provides additional ways a hacker can use to gain entry and continue accessing. Then they may pivot the attack to other machines in the network or if the accessed computer has valuable data, they may begin exfiltrating or deleting it as well as obfuscating their presence by deleting or changing the logs. They may also crash the system, creating monetary loss as well as productivity and time losses.

In addition to these spear phishing tactics, hackers can use other methods to create attack vectors. One of the ways they can do this is via wi-fi spoofing. In this method, the hacker creates a hotspot with a name that is similar to the company public Wi-Fi to see what requests are made to which locations. With this data, he or she can create a targeted attack vector.

One of the most popular attacks done this way is a ransomware attack. In this method, the program, executed by the user, encrypts the files in the machine and shows a notification, demanding a ransom for the decryption key. This method provides an advantage for the hacker because it doesn’t need his oversight.

If they want to pivot the attack to other machines, the first thing they will do is check the neighbors of this machine. These clients in the network can be attacked via the same methodology. If these machines use similar versions of software and OS, and most often they do, the attack vector doesn’t need to change. If they do, other payloads can be launched against them using the victim machine as a bridgehead. Sometimes this is needed as well. If the victim machine doesn’t have access to critical systems like the web and database servers, a machine with higher privileges needs to be infiltrated. Server access is critical because servers often contain sensitive data - more sensitive than the user machine - and business logic. Server access will often signify a total network penetration. When the attackers have wholesome access to all machines and the data residing in them with superuser access, they can install additional backdoors and rootkits to prolong their presence as well as exfiltrate and modify the company data in its entirety.

Today, all these steps can be automated via an Advanced Persistent Threat (APT). This methodology begins like any other: sending malware to the user. The difference is that this malware can do the automated tasks otherwise done by a hacker. When executed, it begins to probe other machines and contacts Command and Control servers to inject more malware and receive instructions. This malware will open new ways for access - so the cyberattack can continue if the original vector is discovered. The programs will scour the network for data and send it to another server under the control of the attackers. At this point the evidence of the APT attack is removed, but the network still remains compromised - the attackers can return at any time to renew their attack. To protect yourself against these attacks and stop hackers penetrating your system, you should:

  • Patch your system and applications to their latest versions
  • Follow good coding practices to prevent buffer overflows if you are a developer
  • Install antivirus software to prevent most of the user-related attacks
  • Use firewalls to create restricted access to the network
  • Uninstall the unused programs and close the unused ports to minimize the attack surface
  • Train and inform users regarding email hygiene
  • Use Intrusion Detection and Protection Systems

Or just use Imunify360 to do all the above and more. In addition to being a one-stop solution providing firewall, IDS and IRS protection, malware scanning and antivirus protection, it also provides proactive defense via sandboxing, hence protecting you against zero-day attacks.
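The buffer overflow paragraph in the article above says that writing more data than a buffer can hold corrupts the data stored next to it, and the checklist asks developers to follow good coding practices to prevent this. The following C program is an added example, not part of the writing sample and not CloudLinux or Imunify360 code; the record layout, the privilege flag and the two inputs are constructed for the demonstration. It places an unchecked copy next to a bounds-checked one so the corruption of the adjacent field, and its prevention, can be observed directly.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: a fixed-size name field followed by a privilege
 * flag, modelling "data held in this space belonging to another part of
 * the program" that sits right after an application buffer. */
struct record {
    char name[8];      /* room for 7 characters plus the NUL terminator */
    int  is_admin;     /* 0 = ordinary user; lives directly after name[] */
};

/* Vulnerable: copies the whole input without checking it against the
 * 8-byte capacity of name[], so anything longer spills into is_admin.
 * The copy is clamped to sizeof(r) only so the demo never leaves the
 * struct; a real strcpy-style bug has no such clamp. Returns the flag
 * as the program would later read it. */
int store_unchecked(const char *input) {
    struct record r;
    size_t n = strlen(input) + 1;
    r.is_admin = 0;
    if (n > sizeof r) n = sizeof r;
    memcpy((char *)&r, input, n);   /* name[] starts at offset 0 of r */
    return r.is_admin;
}

/* Hardened: reject input that does not fit, then copy with an explicit
 * bound. Returns -1 for rejected input, otherwise the untouched flag. */
int store_checked(const char *input) {
    struct record r;
    r.is_admin = 0;
    if (strlen(input) >= sizeof r.name)
        return -1;                  /* too long: refuse rather than truncate silently */
    snprintf(r.name, sizeof r.name, "%s", input);
    return r.is_admin;
}

int main(void) {
    const char *ok  = "alice";          /* constructed inputs */
    const char *bad = "AAAAAAAAAAA";    /* 11 bytes: overruns the 8-byte field */
    printf("unchecked(%s): is_admin=%d\n", ok,  store_unchecked(ok));
    printf("unchecked(%s): is_admin=%d\n", bad, store_unchecked(bad));
    printf("checked(%s):   is_admin=%d\n", ok,  store_checked(ok));
    printf("checked(%s):   result=%d\n",   bad, store_checked(bad));
    return 0;
}
```

With the unchecked copy the 11-byte input leaves is_admin non-zero, which is exactly the "overwrite the data held in this space" the article describes; the checked version refuses the same input before any byte is copied.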

Commentary

So... if this article doesn't work, what does?! I still don't believe I have sent a badly written piece. And I stress this highly: this is a marketing position! It's not that they want me to do pentesting on other machines in this position. From what I gather, this job involves a person who understands the pentesting terms and is able to explain them to other people in a clear manner, and I think this article succeeds in that! So what gives? I don't think I deserve a boilerplate rejection over this article. I think it succeeds in what I was given. If it doesn't, I think I deserve some detail, some feedback.

What makes me so angry is getting a boilerplate mail. My credo is putting all the effort I can manage into my work, be it an article, a coding project or what have you, and I think I deserve something equal to this effort. Not an "Oh sorry, this position has been closed, and thank you for your interest" type of mail.

Update:

After writing this article CloudLinux tweeted me back and said:

We appreciate the time you spent on writing an article and ready to provide you with answers to all the questions you have after your interview process.

Which I did and asked for the reasons regarding the rejection of the position I applied for. In response I got a mail today (21-11) with my example article as an attachment with commentaries. You can download the file from here.

I am not going to continue this. I am not going to say "These commentaries were made after I got my rejection mail" or "From these comments I think you were looking for a native speaker, instead of someone who doesn't have to know English as his/her first language". Instead I am thanking CloudLinux, and Paul Jacobs, for the feedback. This is something I can work with.

Thanks for reading!