Monday, June 30, 2014

OpenToAll CTF team

Edit: I made a subreddit you can visit for more information.

tl;dr I made a CTF team anyone can join that wants to play with others remotely.

One of the things you're guaranteed to be ask when you go to a security conference is, "Do you play CTFs?" If the answer is no you feel like a chump. You can get good at CTFs on your own (I haven't yet) but it'll be easier and more fun to get over the learning curve if you join us.

If you're new to CTF or just suck like I do have a look at this (and maybe this (read up to the networking chapter) then this too.) Be sure to have a Ubuntu and Windows VM as well.

Lastly, if you're already good at CTFs and would like to be a humanitarian and help some unskilled but passionate people please do so.

Friday, April 18, 2014

Hopelessly Ambitious Summer Plans

Edit: READ THIS RIGHT NOW I don't need to read books, I need to read write-ups! So my reading goals are crossed out. Too bad there are almost no CTFs in the summer but archived ones and wargames are almost just as good.

Every summer I vastly overestimate how much I'll be able to get done in my free time. I only hope to do as much of this as possible. EPUBs are so much better than PDFs because you can highlight them. Also, I'm gonna try to order the books I read by prioritizing the ones I can move through the quickest and see how that works (the first 13 are all really short or simple or I just need to reread through). This is a must read as far as reading goes.

Accomplishments
---------------------------------------------
Microcorruption
Matasano Crypto Challenges
WAHH Labs
Microsoft Bluehat Challenges
The Eudyptula Challenge
Understand:
        Blackbag
        Ruckus
        533
        Marcin's Burp Plugin
        Marcin's Blackhat Talk
       Corelan Exploit Writing Tutorials
Play All CTFs and Read Writeups
Pimp out Vim
Crawl:
        Matasano Log
        Jarmoc's Website
        Filippo's Website
        Skullsecurity
        LeafSR
        Old Rohlf Blog
        WebSec
        Neal is cool
        Mark Dowd was, in fact, sent back through time to kill the mother of the person who will grow up to challenge SkyNet.



Books
---------------------------------------------
  1 TAOSSA
  2 WAHH
  3 JavaScript: The Good Parts
  4 The Browser Hacker's Handbook
  5 Programming Ruby 1.9 & 2.0
  6 SQL Injection Attacks and Defense
  7 The Tangled Web
  8 Android Hacker's Handbook
  9 iOS Hacker's Handbook
 10 Practical Reverse Engineering
 11 Metasploit: The Penetration Tester's Guide
 12 A Bug Hunter's Diary
 13 Cryptography Engineering
 14 Internetworking with TCP/IP Vol. II
 15 Unix Network Programming, Volume 1
 16 Threat Modeling
 17 Computation Structures
 18 Secure Coding in C and C++
 19 Assembly Language and Computer Architecture Using C++ and Java(TM)
 20 Pro Git
 21 Windows Internals, Part 1
 22 Windows Internals, Part 2
 23 An Introduction to Mathematical Cryptography

Tuesday, September 10, 2013

Post First Meeting

Edit: My email is "kevin" [dot] "hock" [at] "stonybrook.edu" and have a look at the best reading list ever


I'll be at NYSEC next week and you're welcome to join me (you might want to go next month) but here is the stuff I said I'd make a post about during the meeting. Make sure to watch my favorite security person from 37 to 43 if you haven't already. At the end of the meeting someone gave me their laptop and that works on the projector so I can show everyone how to use Olly and IDA myself next meeting (in two weeks). WebGoat might be a pain to install so DO THIS before the next meeting. If everyone could have Windows in a VM though that would probably be a good idea in the future. Preferably XP but 7 is fine too.

There are two main things I want as a result of this club:
1. Good CTF team
2. People to get jobs in the security industry

This is the first CTF we're going to do this semester that is made specifically for beginners. CTFs are waaaaaaay more important than the rest of this blog post and are the quickest way to learn things. I wish I knew about CTFs way sooner instead of just reading a bunch of books. Here and here are great posts about CTFs

Another two hands on things are Matasano Crypto Challenges and Microsoft Bluehat Challenges that I wish I had years ago.



Going along with the rest of this post. I'll give all the resources you need to pass the interviews I've gone on in the past.

Important for interviews:

Practical Development using C#/Java/Python/Ruby or any other major language

SBU has you covered for the most part but of course, the more code on your GitHub the better.
Grey Hat Python 
SPSE
306
376
Matasano Crypto Challenges
..
I used to dislike coding but now that I have Kinesis Advantage, Vim and experience I really like it.

Binary Reverse Engineering
Practical Malware Analysis
Poly
More Sotirov

Exploit Research and Development
Buffer Overflow, Heap Overflow, Format String, ROP there's not too much more they can ask about but so much more stuff to know beyond what you'll get asked in interviews and for defense contractors this is the main thing you should focus on.
Erickson
Poly
Dino
OST
Corelan

Web Application Security
WAHH
Web Goat
OWASP TOP 10
Poly
Burp






Kinda important for interviews:
Source Code Review
TAOSSA
Poly

Cryptographic Analysis
Know private key vs public key etc type stuff. Fiestel Networks are good to grok and stuff but not really needed for interviews.
Matasano Crypto Challenges
ILOVETHISGUY
HE'SAWESOME
The one crypto book he recommends






MAKE SURE TO watch my favorite security person from 37 to 43 if you haven't already.