2016 BASC Training

We would like to thank our speakers for donating their time and effort to help make this conference successful.

The Matasano Challenges were a collection of exercises to teach people about mistakes in the implementation and use of cryptography. These could be thought of as the homework problems in a course on how cryptography goes wrong. In this training I selected challenges that I think are illustrative of concepts that can be reused in multiple contexts as well as attacks that can be done in the short time we have for the training.

The format will alternate between a lecture portion explaining the concepts necessary to understand the attack and a lab portion where we will use what we just learned to attack CTF-style versions of the challenges. The lab portion will be time bound, but the challenges are available over the internet, so if you don't finish, you can continue working after the training.

Topics

 * Introduction to Block Ciphers
 * ECB Mode Attacks
 * CBC Mode Attacks
 * Introduction to Public Key Cryptography
 * (EC)DSA Attacks
 * RSA Attacks

Technical Requirements
Laptop with the following:
 * Web testing tools such as a MITM proxy (e.g. Burp Suite) or browser extensions
 * Development environment ready to support making web requests, socket programming, and large integer arithmetic
 * Experience with web request programming and socket programming will be useful
 * I recommend Python as that is what I use, and the PyCrypto library will be useful

In this hands-on workshop, I will help the participants set up an “efficient” environment for fast web and mobile application penetration testing. Instead of using traditional ready-to-go penetration testing distributions like Kali Linux, I will focus on setting up the environment in Windows and Mac OS. After all, a browser and an intercepting proxy are all we need for most manual penetration testing tasks. Setting up a virtual machine and getting it working correctly can be difficult for beginners. I want to keep this simple and painless!

The topics that will be covered are:

 1) Preparing the Chrome browser by creating a separate pen-testing profile and then installing FoxyProxy for quickly switching proxies. I will also talk about how to use Chrome’s extremely powerful developer tools for getting insights about the application.
 2) Installing and setting up OWASP ZAP to start intercepting and modifying the traffic. This section involves installing the root CA certificate in the browser’s certificate store. I will also cover Burp Suite if time permits. The reason I am focusing on OWASP ZAP is that it's free, awesome, and some features which are really necessary for painless pen-testing are not present in the free edition of Burp Suite. For mobile, I will talk about the steps in setting up an Android device for penetration testing mobile apps. (Live demo for Android if time permits.)
 3) The third step involves a demonstration on a real-world application listed on a bug bounty program and then helping the participants understand the traffic. I will show some tricks for focusing on important traffic, such as setting up scope using the “context” feature in ZAP, using filters, etc.
 4) The last and most important section will focus on sharing resources that I have gathered over the last 2 years from Twitter and security blogs. For people completely new to this domain, I will suggest a “study path”. I will talk about awesome books, blogs, bug bounty programs and some more tricks for painless pen-testing, like using Gmail’s alias feature for creating test accounts and password managers for managing passwords.

Threat modeling is a way of thinking about what could go wrong and how to prevent it. Instinctively, we all think this way in regards to our own personal security and safety. When it comes to building software, some teams either skip the important step of threat modeling in secure software design, or they have tried threat modeling before but haven't quite figured out how to connect the threat models to real-world software development and its priorities. Threat modeling should be part of your secure software design process. Using threat modeling and some principles of risk management, you can design software in a way that makes security one of the top goals, along with performance, scalability, reliability, and maintenance.

Objectives
In this workshop, attendees will learn about Threat Modeling through understanding concepts and hands-on demos:
 * Introduction to Threat Modeling, including how to conduct a typical Threat Modeling session
 * Understand practical strategies for finding Threats, determining proper Mitigations, and applying Risk Management to the Mitigations
 * Hands-on demo of one or two Real World Threat Modeling case studies
 * Hands-on demo of the Microsoft Threat Modeling Tool 2016

Materials
Laptop with Microsoft Threat Modeling Tool 2016 installed (highly recommended, but not required)