Introduction

Consider the following four sentences. Which ones would you consider 'hacking'?

  • A security specialist finds a command injection vulnerability, allowing them to execute arbitrary system commands.

  • A speedrunner discovers a new glitch, allowing them to skip several levels ahead.

  • A teenager asks ChatGPT a question starting with “Please pretend to be my deceased grandma…”, resulting in an answer with detailed instructions on the production of napalm.

  • A student borrows a course book from the library for the entire semester, paying $50 in late fees instead of buying the book for $300.

In essence, every one of them can be considered 'hacking'. Hacking is the process of finding creative, often unintended, ways of bypassing intended restrictions. But let's start off with a story that most people would associate with hacking.

Saudi Aramco

Saudi Aramco is one of the largest companies in the world by revenue, supplying nearly 15% of the world's oil and natural gas needs.

On the Wednesday morning of the 15th, 2012, employees were greeted with the image of a burning U.S. flag on all the computers in the system. Hackers had managed to compromise the entire administrative network of Saudi Aramco, installing a wiper virus known as "Shamoon" on all computers and crippling the company. While the pumps themselves remained unaffected, the company could no longer manage, distribute and sell the oil, causing millions in financial damage.

The hackers had initially gained access through a phishing email: a user had downloaded a malicious file, believing it to be a C.V., which gave the hackers access. From there the hackers spent months expanding their access, reaching more machines, networks and accounts, until finally they deployed their malware.

Why care

Over the next few weeks we will be giving several workshops on different aspects of cyber security. Each of these workshops will be more technical, focused on giving a basis for that particular aspect. We won't be teaching you how to be a master at hacking, partially because this would take far more time than these workshops last, but mostly because we are not masters at it ourselves. Instead, we will be focusing on giving you a basis to get started on, to then hopefully go out and learn more on your own.

In the workshops we will mostly be covering offensive cyber security; for example, we will describe how to identify and exploit a particular vulnerability. Even if you don't have any interest in working in cyber security, most of you will likely end up building IT systems for companies. If we go back to the story of Saudi Aramco, everyone in your company will probably get training about not clicking strange links, not plugging in strange USB sticks, etc. But you will be the ones that build the systems within the network: the systems that the hackers will target after they have infected a computer, the ones they will target to try to expand their access.

StudSec

So now on to us: who are we? StudSec is an informal group that is part of STORM, working with VuSec, focussing on helping people get into cyber security. We have a Discord (which will be linked at the end), CTF challenges and a wiki, and we try to meet up once every two weeks to socialize and hack. We also occasionally participate in CTF competitions under the name "vubar".

Workshops

As mentioned, we're planning to give several workshops. Here is a quick overview of the ones we're planning to give in the coming weeks, as well as tentative dates. We will be announcing them in the Discord in advance.

Web

In purely technical terms, web is focused on the security of systems interacting through the HTTP/HTTPS protocols. In more normal terms, this means everything revolving around the websites we use every day: the servers serving the content and the browsers rendering it.

Pwn

Pwn, also referred to as binary exploitation, is the exploitation of lower-level programs. Languages like C and C++ are memory unsafe: the programmer interacts directly with the computer's memory, which can result in significantly faster programs but also brings a lot of security considerations.

Crypto

Crypto, short for cryptography, focusses on the integrity and confidentiality of data. When you send a message over WhatsApp, you want to be sure that the receiver, and only the receiver, reads your message, and that the receiver knows you were the one that sent it.

Reversing

Reverse engineering, as the name implies, works backwards. Instead of writing a program, we take an existing program and try to understand how it works.

Forensics

After a system has been hacked, it is crucial to understand how the system was hacked and what the hackers have done with this access. This is what forensics focusses on.

Closing notes

When trying to find bugs, either in the real world or in CTF categories, you will likely run into a lot of frustrating failures. Regardless of skill level, a typical CTF challenge will go like this:

Figure_1.png

That's the end of this workshop. We'll be sticking around for a bit, so feel free to ask us any questions you might have, or ask them in the Discord linked on screen. There you can also find the CTF challenges if you feel like getting started.