Converge is a great conference. I’ll admit I’m partial because it’s in my backyard. However that isn’t the only reason I like it. The talks cover great content, the speakers are friendly, and it’s not so big that guests feel like they’re lost in a see of other attendees.
On Thursday, I spent the morning volunteering with Irongeek recording talks for track 2. Helping with A/V is great because I get to volunteer and watch talks with a front row seat. In the afternoon I networked with people in the halls, after all that’s the most important part of a conference, right?
Friday was a lot of fun. I started off by playing with a new toy. A nexus phone loaded with Kali NetHunter. I’m still exploring the tools on it but one of them is called the Mana wireless toolkit that allows me to broadcast a wireless network. This makes for excellent trolling, especially for those who get the inside joke.. There was some evidence at GrrCON a few years ago.
Learning how to pen test
The rest of the day, I was in training for web application pen testing. Kevin Johnson from SecureIdeas offered a 1 day version of his week long training course. We went over a lot of great topics, like his recommended methodology and the tools that pen testers can use.
While the training was amazing, it’s still something that Kevin offers others, so I don’t want to spill too many secrets. I do suggest that if you’re interested that you take a look at his site, secretideas.com.
I’ve said it before on these blog posts and I’ll say it again. Conferences are a great center for networking, learning, and growing if you’re looking at getting into the information security industry. Hopefully my stories from this year’s Converge has convinced you to attend the next conference in your area!
Shmoocon is a hacker conference in Washington DC. I’ve been interested in going since 2015 but this is the first year I’ve been able to make it out. The conference was really hard to get into. Not because it’s expensive or that it’s hard to get to DC, but because the process to get my ticket was a unique challenge in itself. It required me to rely on good friends, new skills, and a whole lot of luck.
Trying for a badge
I roomed with @infosystir for the weekend, we saw an awesome deal on flights and rushed to get tickets and the hotel settled away. That was the easy part. Getting Shmoocon tickets was the worst experience I’ve dealt with compared to other conferences. There were three “rounds” of people rapidly refreshing the tickets webpage. Each time, I failed to get one. While @infosystir had the connections to score a media badge, I was bound to attend lobby con.
For those who don’t know, lobby con is where non-badge attendees settle in at the hotel bar and network with others who were able to attend. Badges usually float around from person to person. More than a few last minute cancellations are made each year, so people have extras as well. It is better to attempt to social engineer a ticket then to cancel a flight and lose any deposits. Either way I wasn’t going to bail on a conference.
Starting out right
Thursday night before the conference started, @infosystir and I set out for the bars. Before long, we met up with @lintile and he told me about an extra ticket. There was just one problem, it was a prize to a small cryptochallenge he made. On twitter, there was a post with random characters and a #shmoocon tag. Someone had responded that they ended up with gibberish after a failed attempt. At first I was worried that I could not beat the challenge before Shmoocon started. Even if the person on Twitter was joking, I’ve never tried a cryptography challenge before.
Step 1 – Decoding
As we sat at the bar, I asked @lintile where to start. He asked @TheSweetKat what it meant to have a message that ended with “==” and her immediate response was “it’s base64 encoded”. I quickly pulled out my phone and decoded the string, the answer I got was “<to be added here>”. Great another task, of course it would not be that easy.
I overheard @lintle mention md5 hashes so I looked that up next. It’s safe to assume that if the hash is 32 characters long, that it is MD5 or something similar to MD5. Thirty-two characters at least narrows it down to a handful of options, rather than a ton of options. So that’s what I started on next. My phone wasn’t powerful enough to brute force a hash, it was a Samsung S4 with a dying battery. However, after the conference I found there is an android app called Hash Suite so it is possible for phones to crack some md5 hashes.
Step 2 – The hash
While I was desperately googling for online hash cracking websites, I reached out to a experienced friend who would know where to start. My googling skills failed me, but @ashioni did not. He was able to get on his laptop and start up hashcat to start guessing strings that would result in a matching hash.
We came to the correct answer by using OSINT research.
OpenSource Intelligence leverages publicly available information, in this case @lintile’s Twitter page, to gather information and generate a profile of a target. Target profiles can then be leveraged in many ways. Providing better word lists or giving hints to crack a code are a few examples. In this case the target profile was used to come up with possible passwords the target may be using. We were able to narrow the string down to be something with only 10 lowercase letters and contained “@shmoo”. “?l” is a hashcat variable for lowercase letters. In order to guess the string that made the hash we were trying”?l?l?l?l@shmoo”. @Ashioni’s laptop should have been able to crack this within an hour but for some reason, there were no matches by the time my phone died later that night.
Cracking the code
I woke up the next morning and struggled to think what else I could do. @Ashioni had started up his password cracking rig that can do roughly 10 billion MD5 bruteforce attempts per second. Yet still no luck. I wanted to help, but I didn’t have hashcat on my mac or a connection to download the tool. While trying to think what else was possible; I was lucky to find out that it’s possible to hash strings using terminal on mac.
I started guessing random 4 letter works that @lintile might have used. Failure after failure, the hashes I made didn’t match. Free, move, goto, tick, cryp… none of them were working. It wasn’t until I checked @lintile’s Twitter again that I thought to use his handle truncated to 4 letters. the hash of “lint@shmoo” was as close as I got to matching the hash, but I had a “off by one” error. The last character of the hashes didn’t match. I tried capitalizing the L, I tried “tile” and other combinations of @lintile. Each of those created hashes with entirely different hashes. Nothing was as close of a match as “lint@shmoo”. When talking to @ashioni about the cracking rig not being able to find a match and my guess being so close. We though that using CTRL-C to copy may have been the culprit for the spelling error.
At the same time I figured this out, @lintile reached out to me and said I could have his second badge, the conference was about to start and I was the closest to cracking the hash. When I met up with him, I asked if “lint@shmoo” was correct and he said yes. I was ecstatic! Cracking the code and getting it right felt great. Wait… what about the last character of the hash? As it turns out, it was just a typo when copying the hash into the base64 encoder. That’s why @ashioni’s hashcat brute force attempts never matched.
It was really cool to get a Shmoocon ticket by completing a crypto challenge. Attending shmoocon wouldn’t have been possible without @infosystir, @lintile, and @ashioni. I really enjoyed completing my first crypto challenge as well. I talked to @lintile throughout shmoocon and am looking into more common ciphers and ways to practice for challenges in the future. He creates challenges for fun and also runs the Circle city con CTF and I’m looking forward to that. rumkin.com is a website he shared with me to learn about some other common ciphers… I think that in order to practice them, I’m going to try and create a little webpage with a simple crypto challenge.
2016 has been a crazy year, and I’m not talking about celebrities, politics or world news. A lot of security related things have happened for me personally. I wanted to base this post chronologically on what I’ve done.
One of the first screenshots from 2016 is a constant reminder for me. What’s the first rule of infosec? Troll first, work later. I’ve come to realize that Twitter is the diving platform everyone needs. Twitter allows us to get lost in the world of meme’s, jokes, and sometimes useful rant’s from infosec’s favorite rockstars.
Bsides Indy was a lot of fun. I got to meet some great people and attempted a CTF. Even if the CTF bombed hard, the team I was on had fun trying to attempt to play. The takeaway that I remembered most is networking. I met a lot of people I had only seen mentioned on Twitter feeds before. I took some of the stuff I learned at Bsides and messed around at Spartan Hacker’s SpartaHack hackathon.
For most of the conferences I’ve been to, I’ll say networking is the most important. The people I meet, the conversations we have, and the advice I get are invaluable to me. Networking is the main reason to continue to attending conferences.
Circle City Con
This conference was my first attempt at volunteering for a security team. Circle City was good experience. I learned a lot while on the job and met some great people. However at the same time, it was at this conference I learned that it’s not always best to volunteer for every shift you can make. After Circle City, I started shifting from a “ALL THE SHIFTS!” mindset to “I’ll fill a shift or two”. Circle City is a fun conference and a lot of stuff happens, I’ll be happy to get to go next year without being “on the job” for the entire conference.
Over the wire
Jayson from CBI introduced me to the Over the Wire challenges this year as well. It’s great training and proof that basic linux commands is all you need to be a 1337 H4CK3R. I learned a lot and that information helps me to gain a competitive edge in CTFs and during ethical hacking exercises at work. So far I’ve tackled Bandit with Jayson and friends, and also Leviathan by myself. Check out those posts if you want to know more about Over the Wire.
The conference that started MiSec. I was happy to volunteer at this conference in our own backyard. There was a lot of great talks, I got to network with a lot of my favorite people and help out with Hak4Kidz all day Saturday.
I was lucky to get to play Jayon’s CTF-NG. Jayson has done an amazing job creating a new style of CTF. It’s far above any other CTF I’ve attempted. The point of the game is to get cards and use them to beat other players. Cards are distributed across customized VMs inside the game’s network. I was able to get into a few machines and find some annoyance cards. Not bad for my first attempt at the game. Since playing I’ve learned there’s a lot of networking and basic linux commands that I need to master.
Since my first attempt at Jayson’s CTF, I’ve had a few more chances to redeem myself. I’ve had a couple helpful hints. There’s been improvement in my network analysis and tool usage. In the latest attempt, I was able to find a legendary card.
School’s out for summer!
In May I graduated from MSU with a major in Media and information and a minor in Computer Science. I continue to learn what I can about information security, but I’m hesitant to sign up for more another degree. At the same time I moved from an internship to a full time position at Vertafore where I get to work with application security and vulnerability management.
Misec Panel – Path to the dark side
MiSec had a really cool panel in May where some experienced infosec professionals shared their journey of getting to where they are today. There was a lot of great tips and live tweeting so check out the post I did to follow up on that.
TLS research & talks
One of the first projects I did while working full time at Vertafore was researching TLS. The goal was to find how it worked, why it was required and what standards are the most important to secure connections. I drafted some standards, locked down this website by using Let’s Encrypt, and gave a lightning talk at MiSec Jackson about some of my research.
Hacker Summer Camp
Hackers and DefCon go together like PB&J. Add BsidesLV, guns, and black hat parties and there’s a whole week of fun, training, and more in Vegas. I met so many people while volunteering, standing in lines for talks, or visiting work shops. Hacker summer camp was a great experience and I’m pumped for 2017. DefCon 25 is going to be huge, being the 25th anniversary of the original DefCon means they’re going all out. A new location, more villages and workshops, there’s going to be something for everyone. I hope to see you there!
The next research project I worked on at work that I also brought over into my personal websites was enabling Public Key Pinning. It’s a header that compares the TLS certificate to a pin that client’s browsers saves after the first visit to a website. I wrote a post about it and if you frequently visit this blog, you may have had a issue when my TLS certificate expired and I failed to correctly renew it. A few readers were blocked from seeing the blog because the HPKP pins didn’t match. I’m just happy I learned this lesson (and what’s required to fix it) on my personal websites and not while one of work’s applications!
I’ve done a little more for work that was based in application authentication. Specifically, I looked at 2FA, salted hashes, and other factors that goes into a securing login process. There’s blog posts on that research but those posts haven’t moved from drafts to something publishable. There will be a few time traveling posts appearing in 2016 next year.
September 14th was the first meeting of a new chapter of MiSec. Tek Systems hosted the first meeting in Lansing for MiSec and we have since moved on campus so students have a better chance of attending. It’d be great to have students and infosec professionals working together to improve the community.
Kyle and I had the idea to start another location. Since Kyle organizes the Jackson meetings, I’m the coordinator for the Lansing chapter. I get to be the guy that finds speakers for each month and organizes other events in the area. If anyone wants to give a talk or is interested in another event for MiSec Lansing, please reach out to me about it.
Other MiSec projects I contributed to this year is the MiSec slack channel and the wordpress redesign for the website. If you want to join us on slack, there’s an invite app that just requires an email. The wordpress redesign is something @taco_pirate and I worked on.
GrrCon 2015 was one of the jumping points of my security career. I can’t believe it’s already been a year since then. Going back to GrrCon, (having my employer pay for it), was really different this year. I wasn’t working behind the scenes but the organizers and team leads remembered me from last year. I played hacker Jeopardy (and somehow survived the aftermath), I was able to attend talks and still got a chance to network.
My journey into infosec is still just beginning and I’m excited to see where it goes from here! I plan on attending more conferences, be active in the community and continue to learn as much as I can. I hope you’ll join me!
October 6th & 7th was GrrCON. For those that don’t know, it is a security conference in Grand Rapids, Michigan. 2015 was the first year I started going to conferences and GrrCON was my first. That year I volunteered because it’s really hard for poor students to pay their way for the fun stuff. This year, I have a job that actually pays for me to go and learn about security.
Since I wasn’t volunteering this time, I got to explore a lot more of the con and see what goes on for everyone who isn’t behind the scenes. Last year, I was helping set up, getting there early, and got stuck at one spot hours. This time I was able to visit with sponsors, go to all the talks I wanted to see, test out the lock pick village and more. One thing that never changes is that I always have fun at GrrCON.
After attending the keynote speech on Thursday, I met up with friends from MiSec. One of the best reasons for going to a conference is to network. Twitter is one of the best places to stay in touch with your favorite hackers. However conferences are where you get to see them in person.
After networking and visiting at the MiSec sponsor booth I stopped by the lock pick village. I can officially say that I’ve picked deadbolt locks now, I’ve moved up from just being able to open padlocks. GrrCON had some amazing villages this year. The lock pick village switched up the challenges this year. Instead of the cage escape there was a race to free yourself from being handcuffed to 3 other contestants.
The other villages included IoT hacking, car hacking, enterprise hacking, and an osint (open source intelligence) CTF. IoT and car hacking were set up as demo’s which looked really cool. There was so much going on that the booths were always busy. The osint CTF was a challenge to find out the most information about two con attendee’s. Finding information like their DOB by using social media and more was the idea being the CTF.
Hacker Family Feud was a lot of fun as well. Amanda (@Infosystir) invited me to play along with Aaron and Adrian. I had no idea what to expect for some of the answers… but I do know I won’t be forgotten any time soon. One of the questions was “Name a 2015 vulnerability that was big in the media” and I froze when it was my turn to answer. The only media I’ve watched lately is Netflix. What was my answer you ask? “The Target hack”. While I didn’t get any points for that answer, I got some free drinks and candy for my attempt and left a lasting impression on the con’s organizers.
There were some great costumes, mature jokes, inappropriate comments and more at the hacker family feud. Due to recording restrictions, I can’t tell you more… if you want to see what really happens at night during GrrCON I only have one word of advice for you, get a ticket for next year!
A lot of my friends and mentors gave talks throughout the con. I attended as many as I could. The rest are recorded and posted on Irongeek’s website. You should definitely check it out and see what you missed.
Hak4Kidz made another appearance this year. From what I heard, there was an awesome turn out. Hak4Kidz held a all day workshop on Friday to get kids involved with ethical hacking. They participated in tech destruction, crpytochallenges, an online CTF, and more. One of the goals of Hak4Kidz is to include hacking into STEM programs (vote STEHM). It’s great to see the interest in sharing the “hacker” mindset with kids, or really, seeing how kids are going to improve our hacker mindset tomorrow. If you have kids or are interesting in helping out, check out their website.
There was a lot of great content this year. GrrCON has a collection of amazing speakers, staff, and volunteers that knock it out of the park every year. I have a lot of good material that I want to bring into work on Monday and share with my boss. Hopefully it will be a means to getting work to help me attending even more conferences next year.
One thing I want to attempt at the next conference is to sit down and attempt some of the challenges. It’s great to attend the talks and get so much information. However they’re also recorded so you can see them on your own time. Networking is important but that also isn’t exclusive. It can even help you win a challenge by asking for help or by joining up to create a team.
Lastly I want to say thanks to everyone who helped make GrrCON 2016 a reality. It’s awesome to have con like this thats so close to home. I can’t wait for next year, it looks like GrrCON 2017 will be on Oct 26th and 27th. Plan now so you don’t miss out! (There may be halloween costumes, be prepared)
Who’s been to a Security Conference before? I’m finally able to include myself in that group and I’m really exited about that. A conference is all about meeting others in infosec, learning a lot from talks and workshops, trying your hand at capture the flags (CTFs) or lock picking, networking and most importantly having a great time.
Not only did I get to go to my first con, I got to volunteer at GrrCON! So instead of paying for a ticket, getting kicked out of the VIP area, and missing out on the after-after parties. I was able to do everything a regular attendee could do and more. At GrrCON I did a lot of running around trying to make sure I was able to do whatever was asked of me. I was helping with registration on the first day, so chances are that if you were there on Friday then I asked you for your shirt size. Aren’t you glad we had such a great talk to get to know each other? One of my friends on twitter saw me and posted a picture as he was waiting in line to get in.
Now a lot of people might wonder, what’s so great about volunteering? Well it’s not the work experience or the free beer (Yeah, you heard me), it’s the networking with everyone. I have never had a better chance to talk to so many “professionals” in a single weekend. I got to meet the vendors, the speakers, everyone I ran into while working, and of course I got to know the organizers pretty well. I would strongly suggest that you sign up to volunteer at your next local conference. You can always catch the talks you missed online, it’s a lot better to network and have fun.
My first con has come and gone. I honestly don’t think it could have been any better. A tattoo artist was supposed to be there but they unfortunately weren’t able to attend (luckily for me and my drunken mindset). The worst part about going to GrrCon though? It seem’s I’ve caught a bug… one con isn’t enough for me. I need to go to another one, heck maybe twenty or thirty more. There are a lot of cons that are close to me, and once I get a full time job, I plan on attending even more. For now I plan on checking out Bsides Detroit, Converge, and a couple other cons around Michigan.
If you don’t already want to go to GrrCON next year, let me tell you why you should. First off, you’ll probably get photo ops with Bessie (@TWrekt) she’s famous for her appearances at GrrCon, DerbyCon, and others. If a picture with a dinosaur isn’t enough for you then I strongly suggest you reorganize you priorities. Honestly though, if you want to learn more about Information Security then go to conventions. GrrCon had some amazing speakers, vendors, and organizers and all of that would go to waste if you didn’t want to put it to good use. Trust me, it will be fun, informative, and definitely not something you want to regret missing out on.
I hope to see you next year at GrrCon 2016 in Grand Rapids, MI!