BSides DFW 2014 - Security Scavenger Hunts
TRANSCRIPT
Cryptolingus Scavenger Hunt (CLSH)
Security Scavenger Hunts
Brian Mork (@hermit_hacker)
Security BSides DFW 2014
First Things First… Let’s Play A Game
http://sh.cryptolingus.net
http://sh.cryptolingus.net/scoreboard.php
Who Am I?
❖ Former DOD, Coder, RF Simulation, etc.
❖ Co-Founder, Team Cryptolingus
❖ Information Security Operations Manager
❖ Father, Husband, Hacker, Gamer (FHHG)
❖ Certification Kung-Fu:
❖ GIAC Certified Forensic Expert
❖ Red Hat Certified SysAdmin / Engineer
❖ Application Security Specialist? :)
Where Has Security Training Gone Wrong?
Why Does It All Suck?
You Forgot To Make It Fun
So Let’s Fix That
But How?
❖ 1. Physical Challenges
❖ 2. Online Challenges
❖ 3. Make Users Interact With Each Other
❖ … oh, and prizes. :)
What We Done Did
We Built It, They Came
❖ Get your minds out of the gutter.
❖ We couldn’t find a decent scoreboard that didn’t require massive amounts of Microsoft redistributable packages or obscene dependencies, so we built it and open sourced it… only PHP 5 required.
Behold: The CLSH!
❖ Register
❖ Login
❖ Play
❖ Simple and extensible
❖ Automatic scoreboard
❖ Logging for dispute resolution*
Security Awareness Week
Day -1
❖ Dropped physical item (wipe) with no other information…
Day 1
❖ Official notice sent out with link to the primary page
❖ Instructions on how to register and play
❖ Lunch and learn: physical safety
Day 2
❖ Lunch and learn: safe browsing
❖ Notification of a hidden game…
Day 3
❖ Lunch and learn: social engineering demo
❖ Physical scavenger hunt begins
Day 4
❖ Security Jeopardy (Round 1)
❖ This was mostly already out there, so we just modified it and re-released it
❖ https://github.com/hermit-hacker/SecJep
❖ Physical scavenger hunt begins
❖ Folks who were paying attention noticed comments about one time pads…
Day 5
❖ Security Jeopardy Finals
❖ Physical scavenger hunt begins
❖ The final components of the hidden game are exposed
❖ Prizes!
BSides Memphis Throwback…
H/T @lotusr00t
Stalling Technique: Security Jeopardy Anyone?
Questions? @hermit_hacker
https://github.com/hermit-hacker/CLSH
Hat Tips
❖ Madhat (@unspecific) for the custom artwork
❖ Liz Hazen for running the information security awareness programs