hkust computer science festival 2013 - seminar: computer science, hacking and research
DESCRIPTION
It targets to inspire CS fellows as they may not realize why algorithms, theories and skills are critical, I will brief about hacking and security, correlate their learnt skills and knowledge domain, hopefully, it helps them to find out their research interest in security area.TRANSCRIPT
![Page 1: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/1.jpg)
Computer Science, Hacking and Research:
For fun and profit@CompSci Festival, HKUST
Anthony LAIValkyrie-X Security Research Group
VXRL
![Page 2: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/2.jpg)
Welcome, who am I?
Computer Science graduate in 1998.Not in {Dean List, First Honor}
Currently work on security research, penetration test, attack analysis and incident response
Speaking at DEFCON, HITCON, Blackhat...etc.
Found VXRL, which is a non-profit making security research organization; Invited by OGCIO to be a member of information Security advisory member.
![Page 3: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/3.jpg)
Why do I set up this talk?
With the past 15 years after graduation, I wanna:Inspire you guys
Clear your misunderstanding over Computer Science
Convey ideas that faculty and your fellows cannot give you
Basically, I believe it is my duty to do it.
![Page 4: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/4.jpg)
Agenda
Computer Science- Important and Useful Algorithm- Other “kungfu”?
Computer Security and Hacking- Fun? Profit?
Security Research- Why is it critical and interesting?
![Page 5: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/5.jpg)
Part 1: Computer Science(10 minutes)
![Page 6: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/6.jpg)
Computer Science
Why do we need computer science?
Computer science teaches you programming only?
Why do we need algorithm?
Why do you need to learn about it?
Top useful algorithm:
http://www.quora.com/Computer-Science/What-are-some-of-the-most-ingenious-algorithms-in-computer-science
![Page 7: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/7.jpg)
Most Important Algorithm:http://www.koutschan.de/misc/algorithms.php
![Page 8: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/8.jpg)
![Page 9: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/9.jpg)
![Page 10: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/10.jpg)
From MSR
![Page 11: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/11.jpg)
![Page 12: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/12.jpg)
![Page 13: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/13.jpg)
Other Kungfu?Protocols
ProgrammingDatabase
Operating System FundamentalNetworking
Software Engineering and DesignCryptography
Pattern RecognitionData mining
Discrete MathsStatistics
![Page 14: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/14.jpg)
Once you learn them all
What are their usage in security?
For example,Pattern recognitionData miningSearch algorithm
![Page 15: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/15.jpg)
Security Area
For example
1. Encryption
2. Server Logs and Network Packets
- Identify threats and attack
- Identify network attack
3. Malicious Code and Executable (Malware)
![Page 16: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/16.jpg)
Part 2: Hacking(30 minutes)
![Page 17: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/17.jpg)
Security and Hacking
You need to understand various technical disciplines:
Operating SystemNetworkingCryptographyMemoryBinary structureProtocols
Be ethical, don't make offense
![Page 18: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/18.jpg)
18
CTF (Capture The Flag for Fun and Profit)
![Page 19: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/19.jpg)
19
What is CTF game?
You need to get the key for pointsChallenges include crypto, network, forensics,
binary/reverse engineering/exploitation, web hack and miscellaneous.
Top teams could enter final round of contestDEFCON, Plaid CTF, Codegate, Secuinside
are famous CTFs in the planet and we join every year.
![Page 20: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/20.jpg)
20
Why do we enjoy to play?
Challenges are practicalNeed your knowledgeNeed your skillsUnderstanding vulnerabilitiesThinking like an attackerTrain you up to manipulate proper tools
![Page 21: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/21.jpg)
21
HITCON CTF 2013
![Page 22: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/22.jpg)
22
Our rank? Any rewards?
4th prize in HITCON CTF 2013 (19-20 July, Taipei)
![Page 23: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/23.jpg)
23
Our world ranking
![Page 24: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/24.jpg)
24
Sample Question (1)
Please read the following code, how can you solve it?
![Page 25: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/25.jpg)
25
Sample Question (1)
Please read the following code, how can you solve it?
![Page 26: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/26.jpg)
26
Question 1
There are a couple of things to note:
We must do the operations in reverse order since this is the inverse function.
The hex2bin function is only available in PHP >= 5.4.0. Had to resort to the documentation to find the alternative: pack ("H*", $str)
![Page 27: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/27.jpg)
27
Okay, let us do some hack (10-15 minutes :)
www.overthewire.org Please click “Natas” It is a module to practice your Web hack. You could do it in group, I got prize for top 3
fellows. However, you need to understand:
HTTP protocol Web Application Common vulnerabilities of Web Application (Please
refer to OWASP Top 10 from www.owasp.org)
![Page 28: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/28.jpg)
29
Pickle object serialization
![Page 29: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/29.jpg)
30
Serialization
![Page 30: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/30.jpg)
31
A Vulnerable Django
https://github.com/OrangeTW/Vulnerable-Django/
![Page 31: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/31.jpg)
32
If the key leaks
We could generate our own cookie and sign it over.
![Page 32: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/32.jpg)
33
We even could include command execution1. Generate and sign the new cookie with command execution
2. Replace the original cookie with our generated one.
![Page 33: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/33.jpg)
34
Pwned :) (Simply input Guest, type in some
text in box and submit)
![Page 34: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/34.jpg)
35
More than that, we could get the key from the server to change our command to read file instead ...
![Page 35: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/35.jpg)
36
CTF fun and profit
The fun is to practice our security and “kungfu”
The profit is to earning knowledge, building trust and friendship.
Sometimes, we could get reward :)
![Page 36: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/36.jpg)
Part 3: Research(10 minutes)
![Page 37: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/37.jpg)
Research
Research is not limited to academia only
As UG, or even you don't enroll PhD program at this moment, you could even start it.
Someone do the research for career, some may do the research for “homework”, but I do it for “passion” and community.
![Page 38: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/38.jpg)
My Research
http://scholar.google.com.hk/citations?user=YcjzoFkAAAAJ&hl=en
![Page 39: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/39.jpg)
Research
Objectives:Current problem
Issue/Industry driven
Practical
Impact and Improvement
Novelty or/and incremental efforts
![Page 40: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/40.jpg)
Security and Hacking Conference
http://en.wikipedia.org/wiki/Computer_security_conference
Realize the problems in both academia and industry.
Top Academic security conference (focus on practicality) Usenix (https://www.usenix.org/)
Reviewers and panelists come from both academic and industry sectors.
![Page 41: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/41.jpg)
Security and Hacking Conference
Industry Conference DEFCON (www.defcon.org) Blackhat (www.blackhat.com) AVTokyo (www.avtokyo.org) Hack In Taiwan (www.hitcon.org) POC (http://www.powerofcommunity.net/) XCON (xcon.xfocus.net)
![Page 42: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/42.jpg)
Cheer up!
I try to correlate computer science, security/hacking and research together in the past 50 minutes.
Remember to position yourself as a scientist. Reading others' paper (for example: Usenix) Pick your strength and favorite. Research could internationalize your capability
and talents. Enjoy computer science, hacking and research. :-)
![Page 43: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/43.jpg)
Our VX Research
Malware and Target Attack Web Hacking Forensics Cryptography and Password Reverse Engineering, Exploitation and
Software Security Secret mission and operation :-)
![Page 44: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/44.jpg)
Attack Map
![Page 45: HKUST Computer Science Festival 2013 - Seminar: Computer Science, Hacking and Research](https://reader033.vdocument.in/reader033/viewer/2022060107/5549b5bfb4c90564768b4aee/html5/thumbnails/45.jpg)
Thank you for your listening
https://www.facebook.com/darkfloyd2 darkfloyd[at]vxrl.org