10/4/18

In this week's Wednesday Evening Training: How to become a hacker! An introduction to security & hands on hacking (part II)

Have you ever thought of becoming a hacker? Or of finding out how hackers manage to break into systems and/or web applications? As a software engineer, you should know. How else will you be able to write code that is SAFE enough to withstand hackers? Sysops should also be aware: there are plenty of holes in your platforms, and unless you start thinking like a hacker, you will not be able to find them (in time).


Security: even more important than it used to be

Security of information systems has always been an important topic. In the last decade, however, it has become even more important. Since we seem to connect just about anything to the internet, the web infrastructure is expanding fast. Also, the way applications and devices are connected with each other constantly changes. That is because the devices and applications we use enable us to work almost anytime, anywhere and with multiple devices and applications (even at the same time). So in an ICT architecture, the number of "borders" that we need to control and secure is expanding rapidly, and these borders are constantly changing during customer journeys. It has become a dynamic ecosystem of devices, connections, applications, data streams and people.

This ecosystem gives hackers plenty of opportunity to take advantage of. Moreover, we are becoming increasingly dependent on the internet in our daily work and life. The business case for hackers is getting better every day. All the more reason to give security increasingly more attention.

And what better way for architects, sysops and software engineers is there than to learn to think like a hacker?

Yesterday, in our Wednesday Evening Training one of our security experts, Vincenzo Corona, taught us more on hacking foundations and we became a bit more familiar with security best-practices. Like in the previous hacking session in the Wednesday Evening Training, we built our own hacking labs on virtual machines and got our hands dirty with some of the most popular hacking tools & techniques.


What we did in this evening's training...

Like a hacker, we analyzed the vulnerabilities of a target machine and, step by step, we collected little pieces of information to gain access. It is amazing to see how a little sloppiness in the configuration and programming of a system can provide enough information to break in and thus gain complete control over that system. Even tiny bits of information can give you clues about weak points.

Because the web platform had not been kept up to date, we were able to create a connection to the target server and pass simple commands to it. Gradually we were able to increase our privileges, so that we eventually could access the database and download credit card data. These were obviously encrypted, but that protection could also be broken.
This was, of course, a lab, not reality. But the lab was based on an actual hack that took place some years ago and was therefore very realistic and instructive.

During the training we got plenty of opportunity to ask all kinds of questions about the operating system, the workings of web server platforms, and networks.

Thanks Vince, for sharing your knowledge and experience with us!

We will definitely organize additional Wednesday Evening Training sessions on this topic.
After completing the labs, we did a quick inventory to see which topics we would like to discuss on future occasions. There are plenty of ideas for that, e.g. hacking an IoT infrastructure (in other Wednesday Evening Trainings we are already experimenting a lot with devices like the Raspberry Pi, Arduino and WittyCloud), hacking an Android device, hacking a good old PC game (setting the high score! :) ), taking countermeasures, studying pitfalls in programming (that cause security issues), etc.

Security is a continuous battle, and that is why it is all the more important to keep up.

There will be additional documentation available, and for those colleagues who were not able to complete the labs this week, next week's Wednesday Evening Training (a good old Dutch "klusavond") will offer plenty of time for this.


Resources

No, again I'm not going to share links to hacking tools :)

Instead, I'll give you a link to the OWASP site: https://www.owasp.org
OWASP is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted.

To get started, you'll also need virtualization software to run the lab machines. You can download VirtualBox at https://www.virtualbox.org/.

Follow us on LinkedIn

You'll find posts on previous sessions here: https://www.linkedin.com/search/results/content/?keywords=%23wednesdayeveningtraining. You can follow us on LinkedIn by clicking the "Follow" button.


Next week's Wednesday Evening Training

In next week's Wednesday Evening Training, we'll have a "klusavond" in which we'll continue on security. Additionally, Aish will demo an Arduino-based LED cube and I'll give a demo and code walkthrough of my pet project: generating a 3D view of an ArchiMate architecture model created with Archi (a free architecture editor).


Wednesday Evening Trainings open for guests

Some of the Wednesday Evening Trainings will be open for guests. Just send me an email if you are interested.
