Thursday, July 23, 2009

31337 Spotlight: "Quine"

Hello everyone! Welcome to yet another episode of "31337 Spotlight", where I focus on people you may not have heard of, but who should definitely stand in the spotlight a little more. Today we shove someone I met only recently into the spotlight... He's got quite the reputation for knowing the right people and just flat getting things done, which is one hell of a statement in this industry if you know what I mean. He's a professional cat-herder on Twitter, since he runs "Security Twits", of which your humble host is a part. On Twitter (which is where I think he lives) he goes by @quine, but in the real world his name is Zach Lanier, and this is his 6 questions of fame!

Without further ado, I present to you... "Quine"
  • @Quine - tell us something about yourself
My name is Zach Lanier, though some might know me by the handle "Quine". By day (and, yes, night) I'm a "hacker, security weenie, and Security Twit herder". I've been in the information security field (professionally) for about nine years in various roles, including security assessment, incident response, security operations, and architecture. About a year ago, I took over the Security Twits list from its founder, Jennifer Leggio (a.k.a. Mediaphyter), and have been trying to continue growing this fun, knowledgeable, and helpful community.

  • What types of technologies do you focus your 'hacking' on (and why)?
I have eclectic interests, so my focus is...well, there really isn't a focus: it's all over the place. At any given time, I've probably got my claws in conducting web app security assessments or more *ahem* "traditional" network-level penetration testing, along with corresponding defensive or remediation measures (break, fix, lather, rinse, repeat). Of late, I've been giving increasing attention to technologies like OpenID and OAuth. I think open standards like these can be quite powerful if implemented properly, but really warrant more scrutiny (especially with regard to security) if they're going to gain acceptance on an even greater scale.
  • What's your most famous/proud accomplishment over the course of your career?
I can't say I've had any particularly *famous* accomplishments, but I am proud of having the opportunity to work with some really amazing, talented people; participate in and lead some challenging, but rewarding engagements; and help grow a few communities here and there, bearing witness to some great conversations and projects as a result. If I had to be a *bit* more specific, I'd say I rather enjoyed some of the security assessments and penetration tests I've worked on. Some involved the usual bag of tricks like SQLi leading to reverse shells (and snarfing financial documents); others, which require a bit more grace and care, involve more tactical, staged attacks. For instance, finding an anonymous FTP server that dropped us into the installation directory for the primary application on the target server. Therein was a file containing credentials, for automatic logon, of a local service account with admin privs. Using those credentials, we dumped the SAM and cracked the local administrator password, which of course was the same password for every local admin across the enterprise. We then used *those* credentials to hop onto some *very* sensitive hosts (think HL7 data; patient records, diagnoses, billing, etc.). Though the client's jaw dropped when we delivered the news, they were nonetheless appreciative that *we* found this.
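The weak link in the engagement above is a local Administrator password shared across every host, which an assessor (or a defender auditing their own fleet) can detect without cracking anything: identical NT hashes for RID 500 on different machines mean identical passwords. The script below is an added example, not code from Zach or from the interview; it parses pwdump/secretsdump-style hash lines and reports any RID-500 hash seen on more than one host. The host names and hashes in it are constructed for illustration and are not real credentials.

```python
"""Flag local-admin password reuse across hosts from pwdump-style hash lines.

Added example (not from the interview or its author). Given SAM dumps in the
common pwdump/secretsdump line format "user:rid:lmhash:nthash:::", group the
RID-500 (built-in Administrator) NT hashes by value and report every hash that
appears on more than one host. Matching on RID rather than on the account name
still catches hosts where the Administrator account has been renamed.
The sample dumps below are constructed; the hashes are arbitrary hex.
"""
from collections import defaultdict

# Constructed sample: host -> pwdump lines. Three hosts share one admin hash.
SAMPLE_DUMPS = {
    "ws01": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
        "Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::",
    ],
    "ws02": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
    ],
    "srv-hl7": [
        # Renamed admin account: still RID 500, so still matched.
        "localadm:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::",
        "svc_app:1001:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::",
    ],
    "srv-db": [
        "Administrator:500:aad3b435b51404eeaad3b435b51404ee:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:::",
    ],
}

# NT hash of the empty password; a RID-500 account with this has no password at all.
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"


def parse_pwdump_line(line):
    """Return (user, rid, nt_hash) from one pwdump line, or None if malformed."""
    parts = line.strip().split(":")
    if len(parts) < 4:
        return None
    user, rid, nt = parts[0], parts[1], parts[3].lower()
    if not rid.isdigit() or len(nt) != 32:
        return None
    return user, int(rid), nt


def local_admin_reuse(dumps, rid=500):
    """Map each NT hash of the given RID to the sorted list of hosts sharing it.

    Only hashes present on two or more hosts are returned; a hash unique to
    one host is not reuse. An empty-password admin (EMPTY_NT) is reported
    like any other shared value and is, of course, worse than reuse.
    """
    hosts_by_hash = defaultdict(set)
    for host, lines in dumps.items():
        for line in lines:
            parsed = parse_pwdump_line(line)
            if parsed is None:
                continue  # skip comments, blank lines, truncated output
            _user, parsed_rid, nt = parsed
            if parsed_rid == rid:
                hosts_by_hash[nt].add(host)
    return {nt: sorted(h) for nt, h in hosts_by_hash.items() if len(h) > 1}


def report(dumps):
    """Print a one-line finding per shared hash and return the reuse map."""
    reuse = local_admin_reuse(dumps)
    for nt, hosts in reuse.items():
        flag = " (EMPTY PASSWORD)" if nt == EMPTY_NT else ""
        print(f"NT {nt}{flag} shared by {len(hosts)} hosts: {', '.join(hosts)}")
    return reuse


if __name__ == "__main__":
    report(SAMPLE_DUMPS)
```

Feed it real dumps by building the same host-to-lines dict from your own hash files; the comparison is on the NT hash only, so the LM column (the empty-LM constant on every line above) is ignored.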
  • What got you started in Information Security...
*cues up the cliche-o-matic* I've always had an interest in understanding how/why things work the way they do. Breaking things, pushing them to their limits, improving them, and so forth seemed to mesh well with computers. When I was in high school, I was always being pushed by one of my technology teachers, Mr. Roncallo, to take on "interesting technical challenges", such as figuring out why the network chess server got hosed when it was port scanned. This led to me studying more about TCP and reverse engineering the chess server itself. In my senior year of high school, I was offered a job by a local ISP to do all things network security -- starting from scratch (hey, they were a small shop). Later, the ISP decided to start offering some consulting services to get some additional revenue. I was tapped to do some incident response, penetration testing, and integration, which allowed me to cut and sharpen my teeth on direct, customer-facing work.
  • Tell us something that people rarely know about you?
I can be *really* sarcastic and cynical. Wait, that's not news? Okay, let's see. Most people probably don't know that I happen to like a number of musicals (think "Grease", "Bye Bye Birdie", "42nd Street", etc.); I have my father to, uh, "thank" for that, having been brought up around these productions. Also, in junior high, I dated the daughter of Charlie DeChant, the saxophonist from Hall & Oates.
  • BONUS: What was your first computer system?
The first computer I programmed on was an Apple IIe, during computer class in Grade 1 of elementary school. A couple of years later, my family purchased an Apple IIGS. By the standards of the day, it felt like the IIGS was pretty limited in terms of capability. We didn't have a modem or even a hard disk in the thing, nor did we buy any interesting software for it. I suppose, then, that my first "real" computer was a Macintosh Performa 6200CD I got in 1995. It was that terribly-expensive-yet-surprisingly-anemic little puppy that got me started down the long, dark path that led to security. Side note: I was a *HUGE* Mac zealot back then; I've long since recovered even though I still use a Mac.
