So Uni just started and you're excited with all the new challenges and subjects.
You might have an idea of what you want to follow but Computer Science and Information Technology is such a broad universe! What should your focus be? In fact, Information Security itself is also a tiny universe that allows for a multitude of roles and skills!
Security managers, pentesters, malware analysts, NOC/SOC personnel, social engineers, security researchers just to name a few! Will you be able to choose and how?
This will be an informal talk where Miguel will talk about his experience as a security tester to help clarify the role of a pentester in the grand scheme of things.
Following up on Lex's presentation on how he did NOT solve the SANS 2015 Holiday Hack Challenge where the audience ended up chipping in their two cents on how to continue, we thought it would be a good idea to try to complete other challenges using a collaborative effort.
Starting from basics such as "what do I need to start?" to "argh, can't make it past this last hurdle!", there should be something for everyone.
Bring your own laptop as we will try to go over a couple of challenges with explanations and discussion on each step. The challenges VM will be provided at the start of the event.
Will we be able to complete at least one?
Biometrics have been used by humans ever since the birth of "society".
Now that machines are part of society, it makes sense that we try to teach them a thing or two about it.
What are the ramifications of this?
P.S. - This will not be a talk on how to bypass the fingerprint reader on your mobile...yet.
SANS have been running hack challenges for a number of years. Each challenge is designed for both experts and beginners. Sometimes, in contexts where learning is the main focus, understanding the thought-process can be more beneficial than arriving at the results: beginners get exposure to how more advanced users solve these challenges, whilst more advanced geeks get to compare their thought-processes to others', hopefully learning something new.
As 2015 was my very first live hack competition, rather than simply giving the answers to the challenge, I wanted to share my experience with trying-and-failing before each stage of the challenge, until arriving at the desired result. My intentions are to encourage beginners to take part in these challenges, and to gain insight on how more advanced users would solve the same or a different problem. This talk is delivered for the absolute beginner to follow, whilst still (hopefully) keeping the experts slightly entertained.
Taking the phish - We were hired to do a phishing job. We got to working, we did our share of research, we deployed the campaign, we collected results, job done. Then, the unexpected happened! This talk will describe some of the quirks and unexpected results we observed. We know what we did, but what did YOU do?
Crypto Wars 2.0 - A walk through the history of modern cryptography, its spread and subsequent scrambling by governments to control the technology. The main focus will be the renewed efforts by governments to control crypto, circa 2012 onwards, with a quick background in the first crypto wars circa 1990s. I'll finish with a more positive countermeasures section.
Just how secure are public WiFi networks? What are the risks of doing your online banking from a coffee shop?
This talk will aim to cover the basics of local network attacks, starting with WiFi exploits and then going over a typical LAN setup to show how easily an attacker could control your network traffic and potentially even your whole computer.
Finally there'll be some discussion of the mitigations and what to be aware of to stay safe.
Pentesters don't do programming (not very well, at least!). Programmers don't do security (usually). It doesn't need to be this way.
Miguel is going to go through OWASP's Secure Coding practices in his own words. Here's to hoping developers gain critical and basic knowledge to prevent a lot of the most common attacks on applications.
And yes, burp will be mentioned again :)
Lex is going to touch on some of the basic mathematical concepts used in modern (and to some extent ancient) cryptography such as Prime Numbers, Password Entropy Calculation and Probability Theory, with a focus on Modular Arithmetic. With that, he hopes to be able to demonstrate how the Diffie-Hellman key exchange works in practice by making use of a simple example with small integers.
Burp is probably the only tool Miguel refuses to test without.
He is going to try to make sense of it and show an actual example in which it could be used to find interesting information on a webapp.
Let's call it a free demo but without the commercial mumbo-jumbo.
Miguel <3's burp!
Ross studied Digital Security, Forensics and Ethical Hacking at Glasgow Caledonian University.
This talk is about the differences he found between the course syllabus and his internship at an InfoSec company and how he ended up working for them.
A few years ago Paul, an English teacher by trade, decided to try his hand at some of the cybersecurity challenges that were out there. He was rather surprised to find that he won. Not only won but had made it to a semifinal. This encouraged him to up his skill set dramatically. Following that, Paul continued to succeed in similar challenges, ending up in national and international finals, getting to meet "the spies" and ending up in Bletchley Park, beating professional scores at SANS's Netwars. This led to a job as a penetration tester which he vowed to "give it at least a year". Paul is just about to finish his first full year in the industry and will be sharing the highs and lows of his journey, the successes and the occasional failure and revealing the secret of going from Noob to Leet in twelve months.
Windows PowerShell is a command-line shell that includes an interactive prompt and scripting environment designed for administration of modern Windows machines. This talk aims to provide an overview of the basics of these tools to get you up and running quickly when choosing to use PowerShell in a security testing context, with a few examples of how it might be useful to assist with some common testing tasks or with your ultimate goal of pwnage.
This month’s fun talk looks at how features can be just as powerful as vulnerabilities. Marc takes a look at how Splunk can be abused to get root.
In today's climate, a number of high-value security devices live on a number of networks. Unfortunately, these security devices don't always live up to their promise of defending networks. Network Intrusion Detection Systems are probably among the better known of these devices.
There can be little doubt the owners of these devices expect them not only to defend but also to prevent attacks from happening. The main issue is that they very rarely react in a way their owners understand.
Frequently we hear of attacks on large corporate networks, which have largely gone undetected. Frankly, these devices have failed to perform as expected, and their owners have been left to face increasing media attention.
Network Intrusion Detection/Prevention systems, when correctly configured and tuned for their environment, can be effective. This talk discusses the importance of correctly testing and assessing NIDS/NIPS effectiveness, and ways forward for us as a community.
We're all familiar with input and output validation and why it's important for the overall security of web applications, but are your web application security tests focusing solely on HTML and missing the other ways in which your customers may render data?
Through a live demo this presentation will show you how to attack an application that has been coded to defend against common input validation, but can still result in some good old fashioned ownage and abuse of trust, resulting in full compromise of an internal host.