Summer 2020 Workshops

Structure

All these workshops are structured in a fun CTF format. Each participant works at their own pace. The techniques will be demonstrated, with complete step-by-step instructions to lead beginners through the easy challenges and there are also harder challenges for more experienced participants. We will help participants who get stuck as needed, to ensure that everyone learns new techniques.

Participants need a laptop and a credit card or bank account to register for free Google Cloud servers.

Workshop 1: Go the Wrong Way

Level: Beginner

Good developers study documentation carefully and thoroughly understand their language. However, some people just want to code fast, break into things, and skip over the details. This CTF is for them.

Even if you've never programmed before, you can make simple attack tools in Go.

Workshop 2: Introduction to Attack Techniques

Level: Beginner

Learn how to take over Windows, Linux, and Android systems, and how to defend them. We begin with common tools: Nmap, Metasploit, and Armitage, and then go into buffer overflows, packet crafting, command injection, and SQL injection. We will also exploit Android and iOS apps, including WhatsApp, Bank of America, and Progressive Insurance.

No previous experience with programming or attacking is required.

Workshop 3: Securing Web Apps

Level: Intermediate

Participants will attack Web applications with: command injection; SQL injection; Cross-Site Request Forgery; Cross-Site Scripting; cookie manipulation; and Server-Side Template Injection. We will also exploit Drupal and SAML. We will then implement network defenses and monitoring agents. We will use Burp, Splunk, and Suricata. Prerequisites: participants should know basic security and networking. Experience with Web development is helpful but not necessary.

Workshop 4: Security Auditing Android and iOS Apps

Level: Intermediate

Practice finding flaws in real Android and iOS apps in this workshop, and you will be ready to avoid making similar security errors in your own apps.

Android apps are very easy to unpack, analyze, modify, and repack; partly because of the open nature of the system, and partly because most companies neglect basic security measures. In this workshop, participants will hack apps from the Bank of America, IBM, Harvard, Home Depot, the Indian government, and other large organizations. We will find insecure network transmissions, broken cryptography, improper logging, and pervasive lack of binary protections. We will also analyze the way iOS apps use network transmissions, and observe serious vulnerabilities in iOS apps from major companies.

Participants need a laptop that can run VirtualBox to run Android emulators. To audit iOS apps, particpants will need a Mac laptop. We will bring some loaner iPhones to use.

Posted 1-27-2020