HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research

It aims to inspire CS fellows, as they may not realize why algorithms, theories and skills are critical. I will brief about hacking and security and correlate their learnt skills and knowledge domain; hopefully, it helps them to find out their research interest in the security area.

Transcript

  • 1. Computer Science, Hacking and Research: For fun and profit @CompSci Festival, HKUST Anthony LAI Valkyrie-X Security Research Group VXRL
  • 2. Welcome, who am I? Computer Science graduate in 1998; not in {Dean's List, First Honor}. Currently work on security research, penetration tests, attack analysis and incident response. Speaking at DEFCON, HITCON, Blackhat, etc. Founded VXRL, which is a non-profit security research organization. Invited by OGCIO to be an information security advisory member.
  • 3. Why do I set up this talk? With the past 15 years after graduation, I wanna: inspire you guys; clear your misunderstanding over Computer Science; convey ideas that faculty and your fellows cannot give you. Basically, I believe it is my duty to do it.
  • 4. Agenda. Computer Science: important and useful algorithms; other “kungfu”? Computer Security and Hacking: fun? profit? Security Research: why is it critical and interesting?
  • 5. Part 1: Computer Science (10 minutes)
  • 6. Computer Science. Why do we need computer science? Does computer science teach you programming only? Why do we need algorithms? Why do you need to learn about them? Top useful algorithms: http://www.quora.com/Computer-Science/What-are-some-of-the-most-ingenious-algorithms-in-computer-science
  • 7. Most Important Algorithm: http://www.koutschan.de/misc/algorithms.php
  • 8. From MSR
  • 9. Other Kungfu? Protocols Programming Database Operating System Fundamental Networking Software Engineering and Design Cryptography Pattern Recognition Data mining Discrete Maths Statistics
  • 10. Once you learn them all, what is their usage in security? For example: pattern recognition, data mining, search algorithms.
  • 11. Security Area For example 1. Encryption 2. Server Logs and Network Packets - Identify threats and attack - Identify network attack 3. Malicious Code and Executable (Malware)
  • 12. Part 2: Hacking (30 minutes)
  • 13. Security and Hacking. You need to understand various technical disciplines: Operating System, Networking, Cryptography, Memory, Binary structure, Protocols. Be ethical, don't make offense.
  • 14. CTF (Capture The Flag for Fun and Profit)
  • 15. What is a CTF game? You need to get the key for points. Challenges include crypto, network, forensics, binary/reverse engineering/exploitation, web hack and miscellaneous. Top teams could enter the final round of the contest. DEFCON, Plaid CTF, Codegate and Secuinside are famous CTFs on the planet and we join every year.
  • 16. Why do we enjoy playing? Challenges are practical. Need your knowledge. Need your skills. Understanding vulnerabilities. Thinking like an attacker. Train you up to manipulate proper tools.
  • 17. HITCON CTF 2013
  • 18. Our rank? Any rewards? 4th prize in HITCON CTF 2013 (19-20 July, Taipei)
  • 19. Our world ranking
  • 20. Sample Question (1): Please read the following code, how can you solve it?
  • 21. Sample Question (1): Please read the following code, how can you solve it?
  • 22. Question 1. There are a couple of things to note: We must do the operations in reverse order since this is the inverse function. The hex2bin function is only available in PHP >= 5.4.0. Had to resort to the documentation to find the alternative: pack("H*", $str)
  • 23. Okay, let us do some hacking (10-15 minutes :) Go to www.overthewire.org and click “Natas”. It is a module to practice your Web hacking. You could do it in a group; I've got prizes for the top 3 fellows. However, you need to understand: the HTTP protocol; Web applications; common vulnerabilities of Web applications (please refer to the OWASP Top 10 from www.owasp.org).
  • 24. Pickle object serialization
  • 25. Serialization
  • 26. A Vulnerable Django: https://github.com/OrangeTW/Vulnerable-Django/
  • 27. If the key leaks, we could generate our own cookie and sign it over.
  • 28. We could even include command execution: 1. Generate and sign the new cookie with command execution. 2. Replace the original cookie with our generated one.
  • 29. Pwned :) (Simply input Guest, type in some text in the box and submit)
  • 30. More than that, we could get the key from the server to change our command to read a file instead ...
  • 31. CTF fun and profit. The fun is to practice our security and “kungfu”. The profit is earning knowledge, building trust and friendship. Sometimes, we could get a reward :)
  • 32. Part 3: Research (10 minutes)
  • 33. Research. Research is not limited to academia only. As a UG, or even if you don't enroll in a PhD program at this moment, you could start it. Some do research for a career, some may do research for “homework”, but I do it for “passion” and community.
  • 34. My Research: http://scholar.google.com.hk/citations?user=YcjzoFkAAAAJ&hl=en
  • 35. Research Objectives: current problem; issue/industry driven; practical; impact and improvement; novelty and/or incremental efforts.
  • 36. Security and Hacking Conference. http://en.wikipedia.org/wiki/Computer_security_conference. Realize the problems in both academia and industry. Top academic security conference (focus on practicality): Usenix (https://www.usenix.org/). Reviewers and panelists come from both academic and industry sectors.
  • 37. Security and Hacking Conference. Industry conferences: DEFCON (www.defcon.org), Blackhat (www.blackhat.com), AVTokyo (www.avtokyo.org), Hack In Taiwan (www.hitcon.org), POC (http://www.powerofcommunity.net/), XCON (xcon.xfocus.net).
  • 38. Cheer up! I tried to correlate computer science, security/hacking and research together in the past 50 minutes. Remember to position yourself as a scientist. Read others' papers (for example: Usenix). Pick your strength and favorite. Research could internationalize your capability and talents. Enjoy computer science, hacking and research. :-)
  • 39. Our VX Research: Malware and Target Attack; Web Hacking; Forensics; Cryptography and Password; Reverse Engineering, Exploitation and Software Security; Secret mission and operation :-)
  • 40. Attack Map
  • 41. Thank you for listening. https://www.facebook.com/darkfloyd2, darkfloyd[at]vxrl.org
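
Slides 24 to 30 describe a signed, pickle-serialized cookie whose signing key has leaked. The following is an added example, not code from the deck or from the Vulnerable-Django repository: it shows the defensive counterpart, where the signature check only proves possession of the key, so the loader must be one that cannot resolve code. `SECRET_KEY`, the cookie layout and every function name here are constructed for illustration.

```python
import base64, collections, hashlib, hmac, io, json, pickle

SECRET_KEY = b"constructed-demo-key"  # constructed; stands in for the app's signing key

def sign(payload: bytes, key: bytes) -> str:
    """Return 'base64(payload):hex(HMAC-SHA256)'."""
    body = base64.urlsafe_b64encode(payload).decode()
    return body + ":" + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def unsign(cookie: str, key: bytes) -> bytes:
    """Check the MAC in constant time, then return the raw payload bytes."""
    body, _, mac = cookie.rpartition(":")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        raise ValueError("bad signature")
    return base64.urlsafe_b64decode(body)

class DataOnlyUnpickler(pickle.Unpickler):
    """Refuses every global lookup, so a pickle can only yield plain data types."""
    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")

def load_json(cookie: str, key: bytes):
    """Preferred loader: the payload format cannot name code to run."""
    return json.loads(unsign(cookie, key))

def load_pickle_restricted(cookie: str, key: bytes):
    """Fallback loader for when pickle cannot be removed yet."""
    return DataOnlyUnpickler(io.BytesIO(unsign(cookie, key))).load()

def demo():
    """A valid signature proves key possession only; the loader sets the blast radius."""
    # Benign stand-in for any pickle that names an importable object.
    with_global = sign(pickle.dumps(collections.OrderedDict(a=1)), SECRET_KEY)
    try:
        load_pickle_restricted(with_global, SECRET_KEY)
        rejected = False
    except pickle.UnpicklingError:
        rejected = True
    cookie = sign(json.dumps({"user": "Guest"}).encode(), SECRET_KEY)
    return rejected, load_json(cookie, SECRET_KEY)

if __name__ == "__main__":
    print(demo())
```

A cookie signed with a leaked key still passes `unsign`, so the key must also be rotated; the data-only loaders limit the damage to forged data instead of command execution. In Django the corresponding setting is `SESSION_SERIALIZER`, with `django.contrib.sessions.serializers.JSONSerializer` as the non-pickle choice.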