Archive for the 'Meta' Category

CSAW08 CTF

Our lab holds a Capture the Flag (CTF) hacking contest as part of CSAW each year and the tagline for it is:

“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing, there is absolutely no defense involved! :-) I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.
Continue reading ‘CSAW08 CTF’

Security Awareness Posters

Every year, as part of CSAW, we hold a Security Awareness Poster contest where we ask students to convey a simple message regarding any current issue in information security. These posters always turn out amazing and are among the most impressive, if non-technical, entries we get. Unfortunately, we haven’t been so good at sharing these posters with others and usually only make a few printouts for ourselves in the lab.

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

Fall Penetration Testing and Exploit-Dev course

This year’s Penetration Testing and Exploit Development course (Fall 2008) will contain completely rewritten course material, guest lectures from leading security professionals, and free access to commercial tools provided by Fortify Software and Matta (thank you!). Additionally, the class will be held on-campus rather than online as it has been.

The instructor for the course is Nasir Memon with TAs Dan Guido (me) and Vikram Padman. The syllabus has been finalized and the guest professors as well as their respective topics are as follows:

  • December 4th — FINAL PROJECTS
  • December 11th — hack the planet/show off projects

Students will have to complete one homework assignment every two weeks, a take-home midterm, and do a final project of their choosing. Each two week session will contain one full session of Q&A to review the homework associated with it. Extra credit will be given for participating in CSAW and UCSB iCTF.

Any questions about the course can be e-mailed to me at dguido@gmail.com.

EDIT: The course will be held in room RH227

ComputerWorld: NYU-Poly, an IT school to watch

A recent article in ComputerWorld profiled NYU-Poly, and specifically the ISIS lab, as 1 of 10 “IT Schools to Watch.”

When Stan Nurilov attended Polytechnic Institute of New York University in an accelerated bachelor’s/master’s of computer science program from 2002 to 2006, he truly enjoyed the technical courses he took in areas like operating systems and databases.

But it wasn’t until he graduated and began working as a software developer/project leader for a branch of the U.S. military that Nurilov fully appreciated the project-level courses that taught him about leadership qualities.

“Those classes really help me when I need to work with customers and gain collaboration on projects,” he says.

Stan is a graduate of our SFS program that pays for two years of tuition, rent, and other expenses in exchange for a commitment to work at a government agency for two years.

Head over to ComputerWorld and read the rest of the article!

PHP strip_tags not a complete protection against XSS

On August 13th .mario, a high-profile member of the sla.ckers.org forum, alerted me to an XSS issue on the CSAW registration form. I had previously looked through the code and concluded it was safe based on this block of filtering code included at the top of the page:

//don't use this script!
// $mySQL is the page's mysqli connection handle; the '@' silences any warning
// from the escape call. Every cookie and POST value is SQL-escaped, stripped of
// tags, and trimmed on input, but it is never HTML-encoded for the context it is
// later echoed into.
foreach ($_COOKIE as &$cookie) {
  $cookie = trim(strip_tags(@mysqli_real_escape_string($mySQL, $cookie)));
}
foreach ($_POST as &$post) {
  if (is_array($post)) {
    // one level of nesting (e.g. checkbox groups) gets the same treatment
    foreach ($post as &$_post) {
      $_post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $_post)));
    }
  }
  else {
    $post = trim(strip_tags(@mysqli_real_escape_string($mySQL, $post)));
  }
}

Additionally, the registration script limits the sources of user-controllable input by only ever reading the POST and COOKIE superglobals.
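As an added example (not code from the original post or the registration form), the short PHP script below shows the gap in the filter above: strip_tags() removes tags, and the SQL escaping adds backslashes, but neither touches the characters that matter in an HTML attribute context. It also shows the output-side encoding that does close that gap. addslashes() stands in for mysqli_real_escape_string() so the script runs without a database; the sample input, the form snippet and the function names are constructed for the demonstration.

```php
<?php
// Added example, not the original post's code. Shows why stripping tags on
// input does not protect an HTML attribute context, and the output-side fix.

// Mirrors the registration form's input filter. addslashes() stands in for
// mysqli_real_escape_string(): both put a backslash before quote characters.
function filter_like_the_form(string $value): string
{
    return trim(strip_tags(addslashes($value)));
}

// Reflecting a "filtered" value straight into an attribute, the pattern the
// input filter was assumed to have made safe.
function render_unsafe(string $name): string
{
    return '<input type="text" name="name" value="' . $name . '">';
}

// Context-aware escaping at the point of output. ENT_QUOTES encodes both quote
// characters, so the value can never terminate the attribute it sits in.
function render_safe(string $name): string
{
    $enc = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="name" value="' . $enc . '">';
}

// Constructed sample input: it contains no '<', so strip_tags() has nothing to
// remove, yet the double quote ends whatever attribute value it is placed in.
$input = 'Alice" data-injected="1';

$filtered = filter_like_the_form($input);

// The SQL escaping turned the quote into \" but an HTML parser does not treat
// a backslash as an escape character, so the quote is still live in markup.
echo "filtered value : ", $filtered, "\n";
echo "unsafe render  : ", render_unsafe($filtered), "\n";
echo "safe render    : ", render_safe($input), "\n";
```

Run it with `php example.php` and compare the two renderings: in the unsafe one the browser sees the user-supplied quote close the value attribute and a second attribute follow it; in the safe one the quotes arrive as `&quot;` and the input remains a single attribute value. The general lesson is that escaping belongs at the output for the context being written into (HTML body, attribute, JavaScript, URL), while SQL escaping belongs at the query, ideally as a parameterized statement, and the two should not be combined into one input filter.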
Continue reading ‘PHP strip_tags not a complete protection against XSS’

Blogging the NECCDC

-3 days: ISIS Labs is bringing 6 of its finest to compete in the North-East Collegiate Cyber Defense Competition (NECCDC) in Rochester, NY this weekend. Wish us luck!

I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far!
Continue reading ‘Blogging the NECCDC’

ISIS made some new friends

I just wanted to give a shout-out to some new friends that ISIS has made over the last few days through ShmooCon, NYSec, and elsewhere: Hello Matteo, AJ, Dino, Erik, Mike, Kees, and the NYCResistor Hacker Space! It was nice meeting all of you, keep in touch and call me if you want to grab a beer!

Reverse engineering mailing list

A mailing list for our reverse engineering (RE) group was created. If you are truly serious about joining, please write to me (yan@isis.poly.edu) and I will add you. The list is meant to exchange ideas, topics, and materials, and to post challenges (along with tips) for other subscribers.

The list is going to be informal and of average volume.