Marine Corps engineer-turned offensive security expert offers careers advice and his best and worst experiences
John Jackson has been working in cybersecurity for less than five years, but already has several significant wins under his belt.
After five years as an engineer in the Marine Corps he founded white-hat hacker collective Sakura Samurai, which last year discovered git directories and credential files within United Nations infrastructure that exposed more than 100,000 private employee records.
On a roll, the group soon after publicly disclosed vulnerabilities within the Indian government that allowed them to access personal records, police reports, and other hugely sensitive data, along with session hijacking and arbitrary code execution flaws on finance-related governmental systems.
Jackson’s other notable successes have included the discovery of a vulnerability in the Talkspace mental health app and two serious bugs in Chinese-made TCL brand televisions.
In a follow-up to the first part of our two-part feature on becoming a pen tester, we asked Jackson, also known as Mr Hacking and currently senior offensive security consultant at Trustwave, about his achievements, his love for pen testing, and the skills that would-be penetration testers need to succeed.
Daily Swig: How did you get into pen testing?
John Jackson: My story’s a little non-traditional. I didn’t grow up as a computer nerd. I was actually going to college for philosophy at CU Denver when I got a phone call from a recruiter and he asked me, hey, do you want to be a hacker?
I went through a boot camp and by the time I got to certified ethical hacker level I was actually helping class members learn, because I had done so much self-study on my own as I was just so excited.
I got recruited by TEKsystems as a contractor to go and work for Staples, initially as a cybersecurity engineer, and after the first six months there, they switched me to endpoint detection response. I went from application security engineer to senior applications security engineer for Shutterstock and after that, I went to Trustwave.
I was still hacking on my own time doing ethical hacking, and I established a group at the time called Sakura Samurai.
DS: What’s the best way to get into penetration testing?
JJ: There’s not a linear path. When I was getting into it, they [the industry] didn’t have as many certifications as they do now, and they also didn’t have as many materials, but nowadays they have things like Hack the Box, which can be a good way in.
I think there is no definitive skill that makes you a good hacker – it’s not so much a skill but a mindset. It’s endless curiosity.
If you’re not the type of person that likes spending a lot of your free time learning then it’s not the best field for you, because you’re always going to have to improve, and it’s very difficult to improve if you’re not continually learning, and a lot of the time that’s on your own time.
DS: What are your favourite things about your job?
JJ: One of my favourite things is the ability to hack so many different things. I’ve done ATM hacking, I’ve done phishing and social engineering, and then I moved into red teaming where the scope is a lot larger, and you have a lot more control over how you hack the organizations because you emulate advanced persistent threat actors.
Pen testing is amazing because I’m always learning – it really keeps me going and keeps my brain fresh. I don’t get bored because every day is new.
DS: And the worst?
JJ: A lot of non-technical people are sometimes involved in setting up and arranging pen tests and red teams, and sometimes they under-scope the assessments and take a very check-in-the-box approach to pen testing.
I think that that’s bad for everyone involved – it’s bad for the pen testers because you’re limited to such a narrow scope of what you can and can’t do, and it’s bad for security because in reality it’s just not realistic. A criminal hacker is not going to stop and say “you know what, this domain’s out of scope, this technology’s out of scope, I’m not going to mess with that”.
Pen testers are highly technical and sometimes you’re dealing with people that are more salesy or C-level, and you have to explain why it matters – and that can be tough.
DS: What’s the most enjoyable project you’ve ever worked on?
JJ: I think my favourite project was a bank that wanted a red team with a scope of pretty much everything. That was a lot of fun, because I got to use the expertise I had to think outside of the box and use some of their own platforms to abuse their company.
They were blown away because they didn’t expect to see this or that service get abused, so I felt kind of proud doing that. [It felt like] finally someone appreciates that outside of the box thinking.
‘Red teaming’ gives you much ‘more control over how you hack the organizations because you emulate’ APTs
DS: And the most serious?
JJ: With the UN, with my group Sakura Samurai, we found GitHub credentials. We used the GitHub credentials to download the organization’s internal GitHub code and then, going through the code, we found over 100,000 lines of employee information. It was insane. That was definitely pretty scary.
The Indian government hack was crazy too – that was on another level. We found a lot of vulnerabilities – credentials, remote code execution, you name it. We were just going in and gave them a very extensive report, and actually coordinated it with DC3 [Department of Defense Cyber Crime Center] to help us disclose, because we were so worried about how much we found.
DS: What are your thoughts about bug bounties?
JJ: I’ve got a lot of complaints [about] bug bounty [programs], the biggest one being that you have to sign non-disclosure agreements when you submit these bugs, and sometimes that’s a moral conflict because you’ll discover things that are really bad. I was a blue teamer for half of my career, so when I find these certain types of bugs in bug bounty programs it’s unnerving because I know they’re not going to handle this how they need to handle this, they’re going to try and sweep this under the rug.
I moved towards vulnerability disclosure programs because you give them time to fix it and then you can disclose the bug that you found. I think that all hackers should try some vulnerability disclosure because it really just gives you a chance to get your hands on hacking a lot of things at once and then go through the process.
DS: What are you working on now?
JJ: Right now, I’m working on another red team engagement. We’re on the internal phase, so the phase of just being inside the organization and looking for security vulnerabilities to see what we can and can’t do, how far we can go.
It’s always exciting. I love doing it, as this just really combines a lot of elements of hacking – network hacking, web hacking, and then the social aspects like what type of technologies do people use, and how can you abuse that internally?
A good example that I can say on record because it’s very obvious is Office 365, using Microsoft products to get more passwords or access to the organization, so that’s what I’m dealing with right now.
DS: What careers could pen testing lead on to?
JJ: I definitely have moved towards red teaming more, which is just a different form of pen testing. But I’d say for me red teaming and pen testing is the end of the line.
You could spend your entire life as a pen tester, absolutely, but I think a lot of people in the different client environments have shifted into a model of wanting pen testers to do more threat emulation – specific goals like ‘steal our credit card data, steal our employee accounts’.
The reality is it’s just endless, and there’s always something bigger you can aspire to. So if you’re a pen tester maybe [the next step is] senior pen tester, if you’re a senior pen tester maybe it’s to go to offensive security consultant, moving into red teaming. I think shifting into red teaming is the end goal for a lot of people.