Archive for the 'Press Release' Category

CSAW08 CTF

Our lab holds a Capture the Flag (CTF) hacking contest as part of CSAW each year and the tagline for it is:

“A digital cyber attack and defense competition in detecting application security vulnerabilities.”

…but shhhhh! Don’t tell marketing: there is absolutely no defense involved! :-) I believe that attack has merits on its own, but that is a discussion for another time.

CSAW CTF started out in 2004 as a network-based game with dozens of virtual machines running known vulnerable software. The challenge was to discover and detect these issues and then find or tweak public exploits to work on them. This could have been a good way to run CTF, but we simply couldn’t afford the time to make it work properly. I ended up taking second place to Michael Aiello, now a close friend of mine, that year. Afterwards, Mike and I sacrificed our chances of winning the next year by helping develop the 2005 contest and, along with other members of the lab, changed the game’s format to how it remains to this day.

Security Awareness Posters

Every year, as part of CSAW, we hold a Security Awareness Poster contest where we ask students to convey a simple message regarding any current issue in information security. These posters always turn out amazing and are among the most impressive, if non-technical, entries we get. Unfortunately, we haven’t been so good at sharing these posters with others and usually only make a few printouts for ourselves in the lab.

Today, that is going to change. I uploaded my hand-picked favorites from the last 3 years to my web site for the entire web to enjoy! I tried to mark who made what poster in the title but please leave me a message if I missed yours.

Amanda Morante's 1st place entry from 2006

View the full library of awareness poster images here.

Registration for CSAW 2008 is still open and we will be having the Security Awareness Poster contest again, in addition to 6 other contests. If you know any graphic designers, convince them to join!

CSAW 2008

ISIS Lab is organizing NYU-Poly’s 5th annual Cyber Security Awareness Week (CSAW) where students can compete and win prizes in a variety of information security challenges. There will be door prizes, raffles for participating, and bonus prizes for undergrad and high school participants. Qualified finalists will receive a travel scholarship to attend the awards ceremony in New York City.

Our website with descriptions of the contests as well as winning entries from previous years is located here: http://isis.poly.edu/csaw

Also to note: many of the makers and hardware hackers in this crowd will be happy to know that we have a new embedded systems challenge this year. Check it out!

I won HOPE/Packetwars CTF!

Of all the things that happened this weekend, I didn’t expect this! I registered but I probably wouldn’t have played if Tom Brennan hadn’t frantically raced up to me at about 6:30 on Friday to tell me that I had to =). Thanks Tom!

I’ll talk about some of the challenges I went through, but if you’re really interested in these kinds of things you should compete in one of the capture the flag competitions that I developed for these upcoming events:

  • NYU-Poly’s Cyber Security Awareness Week – A yearly event for students that our lab puts on. Compete in 7 different information security competitions for prizes! If you win, we’ll pay for you to come to NYC and collect your prize!
  • OWASP AppSec NYC – A 2-day web application security conference taking place downtown this September. There will be a web capture the flag contest, also with prizes. Everyone is welcome to play and challenges will be accessible to beginners and experts alike!

Now about HOPE/Packetwars CTF…

Summer InfoSec Video/Study Group

This summer the ISIS Lab will be hosting a weekly Information Security Video/Study Group every Wednesday from 6:30pm until people get bored (probably ~8-9pm).

I’ll show up in the lab and hook up our gigantic LCD TV to show a different video each week and host a discussion. Afterwards, I’ll do a review of each meeting on this blog. We will default to a FreeBSD Kernel Internals DVD course if no other videos are suggested (I need to brush up on my Operating Systems). If you have a specific video you’d like to see/discuss from Defcon, ShmooCon, HITBSecConf, Blackhat, RECon, or elsewhere then please suggest watching it!

Meetings will take place in the ISIS Lab (Room 219) located in Polytechnic University. The street address is 6 Metrotech Center, Brooklyn, NY 11201. If you’re not a regular, then I’m going to need to sign you in, so call the lab phone at (718) 260-3986 when you get here (regulars get the sekret c0deword). I’ll keep a bunch of menus in the lab and we’ll make an order for takeout shortly after everyone gets here.

This event is open to the public (duh) so please invite your friends. Send all comments, suggestions or videos you’d like to watch to me, Dan, at dguido@gmail.com.

The first meetup is this Wednesday, May 14th. See you there!

Add this event and others to your calendar: ISIS Meetings.

Multiple Vulnerabilities in ALL Synology Products

In an earlier post to my personal blog as well as to this blog, I enthusiastically recommended the Synology CS407 NAS as a data storage/backup platform. I am now taking that recommendation back.

Let me just say this: it seemed like a good choice at the time, and, if I could have trusted the vendor to deploy the software on it properly, it might still be. Here is a short summary of some of the issues I found:

Table of Vulnerability Exposure for Synology Products

You can skip to the full report here: A Security Audit of the Synology Disk Station Manager (DSM) v2.0-0590 Firmware.

What follows is a complete retelling of how I got here, sort of a lesson in vulnerability disclosure (not so much discovery, you’ll see why). It’s not pretty, I didn’t do all the right things, and it’s kind of long.
