Trends and Innovations in Cybersecurity

Hands-On Workshops

Sam Bowne
Twitter: @sambowne
Email: sbowne@ccsf.edu

Wednesday, March 30: HCC IT Staff, Educational Techs, & Guests
Friday, April 1: HHC Faculty

Workshop Description

A full day of training on current security topics, with hands-on projects demonstrating how to detect security problems, how hackers exploit them, and how to prevent them.

A few brief presentations will introduce the topics, and participants will spend most of the time performing hands-on projects. Complete step-by-step instructions will be provided to guide participants. Resources are available to guide interested participants into deeper exploration of these topics, including many more hands-on projects. All materials are in the public domain, free for everyone to use, and published on the Web.

Lab Setup

Survey

Primary Topics

HCC Lab Startup

1. Managing & Securing Mobile Devices

Presentation: Security Auditing Android Apps KEY · HTML

Android App Vulnerabilities Research

1. Observing the TD Ameritrade Log
2. Mayo Clinic Medical Transport App Hardcoded Password Exposure
3. GenieMD Broken SSL

DEMO ONLY--NOT WORKING: Mobile Device Management with MaaS360
EXTRA: Making an SSL Auditing Proxy with a Mac, Burp, and pf
More resources (course from DEF CON 23)

2. Digital Forensics & Incident Response

Presentation: Introduction to Computer Forensics KEY · HTML

Acquiring a Forensic Image of an Android Phone
Acquiring an iPad image with iTunes
Analyzing an iTunes Backup with Magnet Forensics' Internet Evidence Finder

More resources (whole Forensics course)

3. Finding Vulnerabilities & Exploit Development

Introduction: Hacking Real Servers KEY · HTML

1. Linux Buffer Overflow: Command Injection · Winners

2. SQL Injection · Level 1 Winners · Level 2 Winners · Level 3 Winners

More resources (whole Exploit Development course)

4. Lockpicking

Project

Recommended secure locks at the end of this paper
Recommended lockpick set from Amazon ($25)
Supplier that sells lockpicks one by one (UK, slow shipping)
Legal issues around lockpicking

Making Strings More Secure (Microsoft, 2004)

Extra Topics

5. Malware Analysis

Using 'file' and 'strings'
Reverse Engineering with IDA Pro

More resources (whole Malware Analysis course)

6. Web Application Security

Web App Hacking with Security Shepherd

More resources (Securing Web Applications course, in development)

7. Training & Cybercompetitions

PicoCTF

More resources (CCSF_HACKERS rankings, recommended competitions, walk-throughs and more training sites)

8. Bug Bounties & Vulnerability Disclosure

Example Disclosure Policy (Sam's)
Example Disclosure Policy (BugCrowd)

More resources (CCSF_HACKERS rankings, recommended competitions, walk-throughs and more training sites)

Prerequisite Knowledge

Participants should be familiar with basic networking and security concepts, at the Network+ and Security+ level. Familiarity with virtual machines, Linux, C, assembly language, and debuggers is helpful but not necessary.

Technical Requirements

Each participant should have a computer that can run VMware Player, Workstation, or Fusion. The host operating system can be Windows, Mac OS X, or Linux. Most projects will use a standard Kali 2 32-bit virtual machine, which can be downloaded here. USB sticks containing Kali will be available at the workshop. A few loaner laptops will also be available for participants who don't have an appropriate computer.

Participants are strongly encouraged to bring mobile devices for security testing, including smartphones, tablets, and any other Internet-enabled devices.

Tools Used

We will use these tools, all of which are standard for modern security testing:
  • Burp Suite proxy
  • Wireshark
  • Genymotion Android emulator
  • GNU Debugger (gdb)
  • "file" and "strings"
  • IDA Pro (freeware)
  • Very basic C and Python coding
  • Immunity debugger
  • Security Shepherd and PicoCTF (Training products)

Last Updated: 4-1-16