Our lab holds a Capture the Flag (CTF) hacking contest as part of CSAW each year and the tagline for it is:
“A digital cyber attack and defense competition in detecting application security vulnerabilities.”
…but shhhhh! Don’t tell marketing, there is absolutely no defense involved!
I believe that attack has merits on its own, but that is a discussion for another time.
CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.
Continue reading ‘CSAW08 CTF’
Every year, as part of CSAW, we hold a Security Awareness Poster contest where we ask students to convey a simple message regarding any current issue in information security. These posters always turn out amazing and are among the most impressive, if non-technical, entries we get. Unfortunately, we haven’t been so good at sharing these posters with others and usually only make a few printouts for ourselves in the lab.
Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006
View the full library of awareness poster images here.
Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!
I also did the Fortify [Web] Hacking Challenge last week. Their challenge was refreshingly different, fun, and relaxing compared to the other web hacking challenges I’ve done. I really enjoyed playing in it even if it only lasted a short time. Here’s the official description of the contest:
The link below will take you to a Web site which contains numerous vulnerabilities but is being defended by the Fortify Real-Time Analyzer (RTA). When you conduct an attack, Fortify RTA will block your efforts and redirect you to a separate page. However, if you conduct a particularly impressive attack, Fortify RTA will redirect you to a different page, with a code word. There are three code words available.
Fortify RTA had a tight lock on that website! I probably came up with a hundred separate attacks against their website, but they were only looking for a very specific 3. Every so often, I’d come up with what I thought was an impressive attack but it wouldn’t give me any points! Here’s one example:
I found an authorization problem when viewing account details that let me enumerate the database and grab the account details of every client in the bank. I used Burp Intruder to automate harvesting this data, making over 10,000 requests to the server to gather the info. Then I manipulated client-side parameters on the ‘transfer funds’ page to steal money from other clients and deposit it into my account. This wasn’t an attack they were looking for and didn’t get me any points! Grrr..
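The two bugs in that paragraph are classic web-app authorization failures: an insecure direct object reference on the ‘view account’ page (any account number in the request is honored) and a client-controlled source account on the ‘transfer funds’ page. The following is an added example, not code from the original post or from the Fortify challenge site, that models both in a toy in-memory bank beside the ownership checks that close them, plus an Intruder-style numeric sweep. The `Bank` class, the method names and all account numbers, owners and balances are constructed for illustration.

```python
"""Added example (not from the original post or the challenge site):
IDOR on 'view account' and a client-supplied source account on
'transfer funds', each beside its hardened form.  All names, account
numbers and balances below are constructed sample data."""
from dataclasses import dataclass, field


@dataclass
class Account:
    number: int
    owner: str
    balance: int  # in cents


@dataclass
class Bank:
    accounts: dict = field(default_factory=dict)

    # Vulnerable: looks up whatever account number the client sent.
    # The logged-in user is never compared to the record's owner, so a
    # numeric sweep of the parameter dumps every customer's details.
    def view_account_vulnerable(self, session_user, account_number):
        acct = self.accounts.get(account_number)
        return None if acct is None else (acct.owner, acct.balance)

    # Hardened: the record must belong to the session's user.  Missing and
    # foreign accounts return the same result so the sweep learns nothing.
    def view_account(self, session_user, account_number):
        acct = self.accounts.get(account_number)
        if acct is None or acct.owner != session_user:
            return None
        return (acct.owner, acct.balance)

    # Vulnerable: 'src' arrives in a hidden form field, so the client can
    # name any funded account as the source of the transfer.
    def transfer_vulnerable(self, session_user, src, dst, amount):
        s, d = self.accounts.get(src), self.accounts.get(dst)
        if s is None or d is None or amount <= 0 or s.balance < amount:
            return False
        s.balance -= amount
        d.balance += amount
        return True

    # Hardened: the source account is still named in the request, but the
    # transfer is refused unless that account is owned by the session user.
    def transfer(self, session_user, src, dst, amount):
        s, d = self.accounts.get(src), self.accounts.get(dst)
        if s is None or d is None or s.owner != session_user:
            return False
        if amount <= 0 or s.balance < amount:
            return False
        s.balance -= amount
        d.balance += amount
        return True


def harvest(bank, session_user, viewer, start, end):
    """Intruder-style sweep: try every account number in [start, end) through
    the given 'view account' handler and keep the ones that answered."""
    results = {}
    for n in range(start, end):
        r = viewer(session_user, n)
        if r is not None:
            results[n] = r
    return results


def sample_bank():
    """Three constructed customer accounts."""
    b = Bank()
    for num, owner, bal in [(1001, "alice", 50_000),
                            (1002, "bob", 120_000),
                            (1003, "carol", 7_500)]:
        b.accounts[num] = Account(num, owner, bal)
    return b


if __name__ == "__main__":
    b = sample_bank()
    print("vulnerable sweep:", harvest(b, "alice", b.view_account_vulnerable, 1000, 1010))
    print("hardened sweep:  ", harvest(b, "alice", b.view_account, 1000, 1010))
    print("steal from bob (vulnerable):", b.transfer_vulnerable("alice", 1002, 1001, 100_000))
    print("steal from bob (hardened):  ", sample_bank().transfer("alice", 1002, 1001, 100_000))
```

Note that the hardened `view_account` returns the same `None` for a nonexistent account and for someone else's account; answering the two cases differently (404 vs 403) would still let a sweep confirm which account numbers exist.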
I took screenshots of all the actual attacks below.
Continue reading ‘Fortify Hacking Challenge’
ISIS Lab is organizing NYU-Poly’s 5th annual Cyber Security Awareness Week (CSAW) where students can compete and win prizes in a variety of information security challenges. There will be door prizes, raffles for participating, and bonus prizes for undergrad and high school participants. Qualified finalists will receive a travel scholarship to attend the awards ceremony in New York City.

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw
Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!
Published on July 15, 2008 in Events.
Tuesday (Tonight) – NYSEC at Pound and Pence
Wednesday night – InfoSec study time at ISIS Lab. I’m going to be working on a paper on Web Authentication.
Friday-Sunday – The Last HOPE at the Hotel Pennsylvania. Only $80 at the door! We’ll have a booth in the vendor area, come say hi!
We had a much larger turnout this time around. There were probably about 10 serious people with a few more in and out. We got a special presentation from a friend of ours who wanted to practice his Blackhat talk, so we didn’t end up watching any videos.
The agenda ended up being:
- Blackhat presentation dry-run.
- Aleksey reversed some storm malware, found a carding forum, and broke into it! He showed us some of the things he learned about their community by looking through the forum.
- Aleksey talked about his experience competing in the Defcon CTF prequals this weekend. All the questions from the competition are already up at Nops R’ Us but Aleksey was kind enough to upload his own work to the ISIS webserver.
- Erik and I made fun of Synology for all the bugs we found in their webapps this weekend. I’m waiting to release anything publicly until I have proof of concept exploits.
People in attendance: 6 or 7
- Dan Kaminsky interview – link
- w3af demo – link
- Unusual Web Bugs – video – slides
- Social Engineering presentations – link
We’re having another meeting next week and I’m taking suggestions for topics. An [obligatory] brief overview of the Debian OpenSSL bug will be done.
This summer the ISIS Lab will be hosting a weekly Information Security Video/Study Group every Wednesday from 6:30pm until people get bored (probably ~8-9pm).
I’ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I’ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you’d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!
Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is 6 Metrotech Center, Brooklyn, NY 11201. If you’re not a regular, then I’m going to need to sign you in, so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I’ll keep a bunch of menus in the lab and we’ll make an order for takeout shortly after everyone gets here.
This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you’d like to watch to me, Dan, at dguido@gmail.com.
The first meetup is this Wednesday, May 14th. See you there!
Add this event and others to your calendar: ISIS Meetings.
-3 days: ISIS Labs is bringing 6 of its finest to compete in the North-East Collegiate Cyber Defense Competition (NECCDC) in Rochester, NY this weekend. Wish us luck!
I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far! Continue reading ‘Blogging the NECCDC’
Published on February 9, 2007 in Events.
I just learned from the Matasano guys that NYSec 5 will be on February 19. Mark your calendars!
NYSEC 5 is Feb 19th, 2007. A Monday. 6:30PM. We’ll stay until people get tired of hanging out. We’re guessing 2-3 hours. Located at Pound and Pence. That’s downtown Manhattan, on the corner of Liberty and Nassau. If you don’t like it, show up and suggest somewhere else!
We are usually upstairs by the pool table.
For the uninitiated, NYSec is a casual get together of a bunch of InfoSec people that happens as often as they feel like it. I wasn’t able to make the first 4 gatherings (grrrr) but I’m definitely going to this one! See you there!
The UbuCon is an unconference for Ubuntu users, developers, and sysadmins taking place on February 16th at the new Google offices in Manhattan. A few people from ISIS will be there to represent the interests of security in Ubuntu’s future development and, hopefully, to move improvements like GCC proactive security measures, encrypted LUKS partitions, and main inclusion of Seahorse and gaim-otr up to a higher development priority. If you’d like to join us, add your name to the RSVP list and we’ll see you there (it’s free!).
This is a little late (registration is over), but no less than 7 of us are going to ShmooCon in Washington DC this March 23-25. If you were lucky (and smart!) enough to get a ticket, we’ll see you there!