Review – Terraform Associate Certification

In this blog post I will give my review of the latest certification I obtained, HashiCorp Terraform Associate. I will start by describing what Terraform is and then give you my take on how to study to pass this exam on your first attempt.

What is Infrastructure as Code (IaC)

If you are not familiar with the concept of IaC, I recommend watching this quick explanation.

What is Terraform

Terraform is an open-source software tool for IaC created by HashiCorp. The tool helps users define and provision cloud infrastructure using the HashiCorp Configuration Language (HCL), or optionally JSON. Three days ago they also released a CDK with Python and TypeScript support. Terraform supports most of the big cloud infrastructure providers.

Exam details

The exam is taken online and you will be monitored by a proctor. To take the exam you need a webcam, speakers, a microphone and the Zoom client installed.

  • Exam format: (Link to Sample questions)
    • Multiple Choice Questions (MCQs)
    • Multiple Answer Questions (MAQs)
    • True or False
    • Text match questions.
  • Number of questions: 57
  • Exam duration: 1 hour
  • Exam cost: The website says $70.50 plus taxes. For me the total cost including taxes was around 90 euro, which is very cheap compared to other certifications.

Study plan

In this section I will describe how I recommend that you study for this exam. When talking about certifications, people always wonder how long it takes to study for the exam. The answer to that question is the same as always: it depends on your background, your motivation to learn, how much time you can put into it and how easily you learn new things.

I had no prior knowledge of IaC before starting to study for this exam and I was able to learn the concepts to pass this exam in around two weeks. I have heard people saying that it is recommended to have 1-2 years of experience with Terraform before taking the exam but I don’t think that is necessary.

If you follow my study plan below I don’t think that you will have any problems with passing the exam.

  1. Official HashiCorp study material
    Begin by reading the official study guide.

    If you have some experience with Terraform and just want to freshen up your skills before the exam, you can read the official exam review instead.

  2. Spin up a Lab environment
    I used Microsoft Azure for this since I’m familiar with Azure and Microsoft offers you a $200 credit to explore Azure for 30 days. I think that most cloud providers offer something similar, so choose the cloud provider of your taste and spin up a lab environment.

    An installation guide and videos on how to get started are included in the study guide, but here is a link directly to the installation video.

  3. Video courses combined with lab time
    My third recommendation is to watch some video courses. Learning from videos is my personal favorite and I really recommend that you watch the videos and try to follow the instructor in your own lab environment. The best video series I found online was on YouTube and it was created by Will Brock. Really awesome content that I highly recommend watching.

  4. Practice exams
    When you feel like you understand everything in the videos and have spent some hours in your lab environment, I recommend that you do some practice exams so you get a feeling for how the questions will be structured on the real exam. I did some practice exams on Udemy after getting a free voucher from the creator. He shared it in the subreddit /r/Terraform, so keep an eye there.

    I also found an awesome blog post by a guy named Bhargav Bachina. He goes through each of the exam objectives and has created practice questions based on the objectives. In total there are 250 questions. I really recommend reading this one.

Summary

When you have completed the steps above you should be ready for the exam. I think that the exam was very fair and I would say that 60 minutes is more than enough time. I think that I had around 20 minutes left when I pressed submit.

In summary I would say that Terraform is a really awesome tool and that the certification was fun. I hope you liked this post. If you have any questions, feel free to send me an email or contact me on Twitter (@tzusec).

// Rickard

omg-cable finally arrived

Since @_MG_ posted the first video of his O.MG-cable about a year ago I have been so excited and followed his work closely on Twitter and on his blog.

Now the cable can be bought in Hak5's shop, and as soon as it was available I placed an order. I really enjoy hacking gadgets and have really enjoyed playing with BadUSB, so the thought of now being able to run the same payloads on command via a Lightning cable with an implant is out of this world.

OMG-cable and programmer
The cable looks and feels exactly like a real cable from Apple. Insane!

The price in the shop is $129 and I paid ~$170 + duty for the cable including shipping to Sweden. I was surprised by how quickly I received it. I got the cable delivered within two working days from the USA. Unfortunately the first cable I got had a hardware fault, so I had to wait some more time.

I spent some hours troubleshooting the cable together with MG himself via Slack, and after we verified that the cable was faulty he told me to get a replacement cable. MG seems like a really good guy and I really appreciate what he has done with this cable. On the other hand, the support from Hak5 was really slow and a disappointment. Without the help from MG I would probably have had to wait months to get a replacement cable. Three weeks after getting the faulty cable I now have a new cable in my hand which works perfectly, so I’m really happy now.

I didn’t have too much time to spend this evening, but after flashing the cable with the firmware I tried some basic payloads and it seems to be working great. Later this week I will try to record while I run some of my best (most evil) payloads so I can share it with you and show you which possibilities you have with this cable.

Don’t get phished this holiday season

Holiday season is coming closer and I would like to take this opportunity to discuss phishing, since the number of phishing attacks increases a lot during holiday season. According to Zscaler, the number of phishing attacks increased by 400% from October to November this year as Black Friday and Cyber Monday came closer.

Phishing, which is a type of social engineering, is based upon exploiting people’s feelings. During shopping holidays like Black Friday and Cyber Monday, but also during Christmas, people are more vulnerable. Phishing campaigns are designed based on the holiday. During shopping holidays, emails or texts containing the following are very common:

  • Fake Amazon Gift Cards.
  • Fake login portals to Paypal and other payment sites.
  • Scams related to other shopping or shipping companies like Postnord or DHL.

During other holidays like Christmas and Easter, greetings with bad URLs included are more common. It can for example be a Merry Christmas email with a link to a malicious site. Emails where the sender wishes you a merry Christmas, tells you that they have donated money to charity, and invites you to click on a link to read more are also common. When people get these kinds of emails and like what they read, they have already lowered their guard and it’s much more likely they will click on an unknown malicious link.

It’s crucial to always be vigilant and know how to distinguish phishing emails from legitimate ones, especially since 94% of all malware is delivered via email according to Verizon. I came across a poster from LogRhythm a few years ago with a top ten list for how to spot and handle a phishing email and it’s still viable.

LogRhythm's top ten things to watch in phishing emails

I recommend that you think about these tips when you get an email and make sure to always keep your guard up when it comes to emails.

Thanks for reading,
/Rickard

Copyright © 2019