CTF: Most Fun You’ll Ever Have Learning!

Spend enough time learning any skill and you will eventually get good at it.  Information security is no different in this regard.  What does set information security apart from other professions are some of the tools available to augment your training, get some practice, and have some fun at the same time.

My personal favorite “training” tool is capture the flag.  In this scenario servers are set up which contain various hacking challenges; solving one unlocks the “flag”, which is typically a string that needs to be fed back into the control server.  These systems are typically set up with leaderboards for those who like the competition, as well as accompanying documentation to help out when you’re stuck (or just have no idea where to start!).

Without a doubt my favorite capture the flag style event is the SANS Holiday Hack Challenge, which is released in December of each year.  This is a unique blend of in-game discovery and web research, coupled with hands-on “hacking” activities necessary to progress.  Very clever story lines and interesting challenges make this worth checking out.  The challenges range in skill level, so even if you’ve never tried something like this before, this is as good a place to start as any.  This is a little different than your standard capture the flag, better in many regards, and certainly worth checking out.

Some of my favorite online CTF challenge sites can be found below.  I am always looking for new CTF challenge sites so please share in the comments!

If you are looking for challenges that can be installed/hosted locally, check out some of these.  Be careful not to expose these publicly.  They are vulnerable by design, so be careful!  Best to keep them bound to loopback (127.0.0.1) if possible:

As I said before, I love these things.  Please share your favorites in the comments!

…another ramble in the can!  You can follow me on Twitter @JaredGroves

Beware the False Negative - SSLv2 Detection Issues

In vulnerability management there are few things worse than the false negative.  Analysts happily go about their day thinking things are fine while skr1pt kiddies are doing somersaults through old vulnerabilities.  In my case we were looking for systems that still supported SSLv2.

I was most recently caught by the false negative situation when asked to verify some settings changes aimed at tightening up the crypto on some of our web servers.  It being a busy day, I turned to the trusty nmap scanning tool to verify that SSLv2 was, in fact, disabled on these web servers.

nmap --script ssl-enum-ciphers -p 443 [hostname]

nmap -sV -sC -p 443 [hostname]

I looked through the results of both checks: no SSLv2.  No complaints, no problem, right?  WRONG!

More secure is always better, right?  Well, not if you are responsible for vulnerability management.  In this case the default crypto libraries on Windows no longer support SSLv2, so a scanner that relies on them cannot negotiate SSLv2 and therefore doesn’t detect it as an available option even when the server offers it.  This results in certain tools returning the dreaded false negative.

Knowing there’s a problem is a big step towards the solution.  There are still specialized tools available that detect supported ciphers and protocols with their own handshake code rather than the operating system’s crypto library, and those can help.
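As an added illustration (not code from the original post), this is the kind of check those specialized tools perform: build a raw SSLv2 CLIENT-HELLO by hand, independent of the OS crypto library, and see whether the server answers with an SSLv2 SERVER-HELLO.  The function names and the sample bytes in the comments are mine; the message layouts follow the SSL 2.0 specification.

```python
import socket
import struct

# SSLv2 cipher-kind codes from the SSL 2.0 spec (3 bytes each).
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_sslv2_client_hello(challenge=b"\x00" * 16):
    """Build a raw SSLv2 CLIENT-HELLO that offers every SSLv2 cipher kind."""
    cipher_specs = b"".join(SSLV2_CIPHER_KINDS)
    body = (
        b"\x01"                                   # msg type: CLIENT-HELLO
        + b"\x00\x02"                             # version: SSL 2.0
        + struct.pack("!HHH", len(cipher_specs), 0, len(challenge))
        + cipher_specs                            # cipher specs (session id empty)
        + challenge                               # 16-byte client challenge
    )
    # 2-byte record header: high bit set = 15-bit length, no padding byte.
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Return the cipher kinds a SERVER-HELLO advertises, or None if not SSLv2."""
    if len(data) < 3:
        return None
    o = 2 if data[0] & 0x80 else 3              # 3-byte header when padded
    if len(data) < o + 11 or data[o] != 0x04:  # 0x04 = SERVER-HELLO
        return None
    version, cert_len, specs_len, _conn_len = struct.unpack("!HHHH", data[o + 3:o + 11])
    if version != 0x0002:
        return None
    start = o + 11 + cert_len                  # cipher specs follow the certificate
    specs = data[start:start + specs_len]
    if len(specs) != specs_len:
        return None
    return [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, specs_len, 3)]


def server_offers_sslv2(host, port=443, timeout=5):
    """Connect, send the CLIENT-HELLO and parse the reply (None = no SSLv2)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        return parse_sslv2_server_hello(sock.recv(4096))
```

A TLS-only server answers the probe with an alert or closes the connection, and the parser returns None; a list of cipher kinds means SSLv2 is still enabled.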

If you have a web facing system and want to do a quick check there is always Qualys SSL Labs.  I’d recommend selecting the ‘do not show the results on the boards’ tick box, at least when you run it against your own site.

My favorite offline tool for this task is testssl.sh.  Unfortunately it only runs on Linux or Cygwin, so you are out of luck natively on Windows.  I haven’t tested this on the new bash shell for Windows.  Anyone tried it?  Send feedback with your results.

If you are testing from a Windows box, sslscan is always an option.

Hope this helps. Happy hunting!

You can find my post on securing TLS on your system here:  HTTPS check. Secure? Maybe.

Have feedback?  Feel free to leave it in the comments or find me on Twitter @JaredGroves

Podcast Education

Not so long ago I was thinking about how, when I was a child, my father would come home after work with AM (talk) radio cranked up so loud the whole neighborhood could hear.  Of course, I took it as my duty to mock my father for both the content and the volume.  I swore that my tape deck (yep!) would forever play music, and that talk radio was for grownups.

I no longer have a tape deck in my truck, nor do I tune in to the AM radio band all that often, however, the magic of the Bluetooth connection for me is now used to crank InfoSec podcasts so loud my neighborhood can hear (or so my kids tell me).

For those who are in the Information Security field, especially those who are tasked with vulnerability management, it is important to make some time each day/week to listen to an InfoSec podcast of your choice.  Things change so quickly that it’s a great way to stay on top of what’s going on in the industry.  Up to date intelligence is just as important as current technical skills in the InfoSec space.

Without further ado, my playlist of choice:

My weekly “must listen” show, without question, is Security Now.  This podcast is like taking a training course for a couple of hours every week.

Steve Gibson brings wisdom and engaging content to every episode.  I listen faithfully and look forward to Tuesdays when the new episode is recorded.

Next up is Defensive Security.  Jerry Bell and Andrew Kalat cover current events and blue team topics often overlooked by other shows.

Risky Business has a slightly different format.  This show is produced out of Australia by Patrick Gray.  The show is typically made up of 3 segments.  First is the news/current events with Adam Boileau, which is often my favorite part of the show.  Next up is typically a featured interview which takes a specific topic and goes into a bit of a deep dive.  Finally there is the sponsored interview.  Patrick does a pretty good job keeping the guests balanced between the marketing hype and the actual details of their product.

Finally, a shift wouldn’t be complete without a daily dose of the SANS Internet Stormcast.  This is a 5-10 minute review of the latest threats and news in information security.

What are your favorites?  Have something you think I missed?  Let me know via the comments or on Twitter @JaredGroves

Disclosure:  I am just a fanboy and I am not receiving any compensation for these recommendations.