A full day of training on current security topics, with hands-on projects demonstrating how to detect security problems, how hackers exploit them, and how to prevent them.
A few brief presentations will introduce the topics, and participants will spend most of the time performing hands-on projects. Complete step-by-step instructions will be provided to guide participants. Resources are available to guide interested participants into deeper exploration of these topics, including many more hands-on projects.
All materials are in the public domain, free for everyone to use, and published on the Web.
Lab Setup
Survey
Primary Topics
HCC Lab Startup
1. Managing & Securing Mobile Devices
Presentation: Security Auditing Android Apps
Key
HTML
Android App Vulnerabilities Research
1. Observing the TD Ameritrade Log
2. Mayo Clinic Medical Transport App Hardcoded Password Exposure
3. GenieMD Broken SSL
DEMO ONLY--NOT WORKING: Mobile Device Management with MaaS360
EXTRA: Making an SSL Auditing Proxy with a Mac, Burp, and pf
More resources (course from DEF CON 23)
2. Digital Forensics & Incident Response
Presentation: Introduction to Computer Forensics
Key
HTML
Acquiring a Forensic Image of an Android Phone
Acquiring an iPad image with iTunes
Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder
More resources (whole Forensics course)
3. Finding Vulnerabilities & Exploit Development
Introduction: Hacking Real Servers
KEY · HTML
1. Linux Buffer Overflow: Command Injection · Winners
2. SQL Injection · Level 1 Winners · Level 2 Winners · Level 3 Winners
More resources (whole Exploit Development course)
4. Lockpicking
Project
Recommended secure locks at the end of this paper
Recommended lockpick set from Amazon ($25)
Supplier that sells lockpicks one by one (UK, slow shipping)
Legal issues around lockpicking
Making Strings More Secure (Microsoft, 2004)
Extra Topics
5. Malware Analysis
Using 'file' and 'strings'
Reverse Engineering with IDA Pro
More resources (whole Malware Analysis course)
6. Web Application Security
Web App Hacking with Security Shepherd
More resources (Securing Web Applications course, in development)
7. Training & Cybercompetitions
PicoCTF
More resources (CCSF_HACKERS rankings, recommended competitions, walk-throughs and more training sites)
8. Bug Bounties & Vulnerability Disclosure
Example Disclosure Policy (Sam's)
Example Disclosure Policy (BugCrowd)
More resources (CCSF_HACKERS rankings, recommended competitions, walk-throughs and more training sites)
Prerequisite Knowledge
Participants should be familiar with basic networking and security concepts, at the Network+ and Security+ level. Familiarity with virtual machines, Linux, C, assembly language, and debuggers is helpful but not necessary.
Technical Requirements
Each participant should have a computer that can run VMware Player, Workstation, or Fusion. The host operating system can be Windows, Mac OS X, or Linux. Most projects will use a standard Kali 2 32-bit virtual machine, which can be downloaded here. USB sticks containing Kali will be available at the workshop. A few loaner laptops will also be available for participants who don't have an appropriate computer.
Participants are strongly encouraged to bring mobile devices for security testing, including smartphones, tablets, and any other Internet-enabled devices.
Tools Used
We will use these tools, all of which are standard for modern security testing:
- Burpsuite proxy
- Wireshark
- Genymotion Android emulator
- GNU Debugger (gdb)
- "file" and "strings"
- IDA Pro (freeware)
- Very basic C and Python coding
- Immunity debugger
- Security Shepherd and PicoCTF (Training products)