From student to pen tester My journey into cybersecurity
I Jason Magic
was 17 and still in high school when I first discovered the computer hacking scene. One of my computing teachers at the time stated that no one could get access to any of your accounts following the condition that it’s password protected. I disagreed, did some research, and wished to prove to my teacher that this statement was false. After reading many articles, and learning about the different attack vectors and exploitability techniques I managed to gain elevated access to the school’s network. I have been in love with hacking ever since. At the time, I didn’t realize how such a small statement from that teacher would shape my passion and the future of my life. Each day after school, I was fired up to gain more knowledge and experience, so I joined lots of hacking related forums, IRC channels, participated in capture the flag competitions and spoke to security researchers on both sides of the fence. When I graduated high school, it was time to decide what I wanted to do and who I wanted to be in the future. I followed my passion and enrolled into a Bachelor of Science in Cyber Security. This in conjunction with the additional self-mentoring provided a deeper understanding of the field and enhanced my skillset. While studying at university I was eager to begin a career in the industry as soon as possible. I applied for lots of junior entry roles, however, I constantly struggled to obtain an interview for an opportunity. Even for junior roles,
34 | Australian Cyber Security Magazine
I found that many corporations were seeking an asset with demonstrated experience, or a practical qualification I had not yet obtained. In saying that, I wanted to take my practical and theoretical knowledge outside the academic environment and into the wild. I aspired to do so in a manner that couldn’t reflect as being detrimental to my future in the security industry, especially before it even begun. Therefore, at 21 years of age, I decided to put on the white-hat and began doing freelance work followed by bug bounty programs. This was not purely for monetary benefit. At the time, learning more, establishing a portfolio, testing my gained abilities, and obtaining some form of experience was of greater value. Therefore, I initially began freelancing for nothing in return to discovering bug bounty platforms. I would report low, medium to severe vulnerabilities to the appropriate directorates associated with the affected corporations, and high profile government agencies. Following the above, I then signed up to an array of bug bounty platforms, of which proceeded to many vulnerability disclosures associated with the affected vendors public program. Within just three months, I had discovered and responsibly disclosed exploitable vulnerabilities affecting Government establishments, including, but not limited to; a South Asian Police agency, the US Army, NATO, NASA, Asia-Pacific Space Cooperation Organisation, Australian