@pop
Last active August 29, 2015 14:13
OSU Security Club Meeting Notes

Security Club Meeting January 14, 2015

Introductions began ~19:05. 14 people. Preliminary introductions and plugs.

This term our meetings will be mostly hands on. You can collaborate on anything you're interested in.

Big Things to Tackle

Bug Bounty Day

  • We are going to look at Django written in Python
    • Django because we have a lot of people that know a lot about Django and python.
  • First we need to pick a date, because everything is better with pizza

Update on MuckRock

  • The official appeal started today.

Honeypot

  • Get and study malware.

Challenge Sites

  • Cryptopals, etc

Capture The Flag -- that we make

  • We can challenge ourselves, but make something that is possible.
    • This will help us learn something while still having some potential for success.
    • Lower hanging fruit
    • Jeopardy Style
    • Helps with the live Attack / Defense ctf later on

Tor Relay

  • Talks have happened and this is going to happen

What to do Today?

  • Let's break up into groups and explore topics in groups.
    • Honeypot?
    • Going over CTF.
  • Do we want to organize another CTF this weekend.

Discussions about how to do the CTF this weekend went on for quite a while.

Security Club Meeting October 06, 2014

Attendance: 9

CVE: common vulnerability

Outline of Activity Possibility

  • We can Capture The Flag
  • Learn tools
  • Bug Bounties
  • Run a Tor exit node
  • Police car location/time database analysis
  • Password vulnerability webapp

Websites:

  • cryptopals.com
  • dvwa.co.uk
  • microcorruption.com
  • sans institute

CODE OF CONDUCT

  • Don't do anything illegal
  • Don't be stupid
  • Do ask permission
  • Do respect owners of the system
  • VIOLATION OF THE CODE OF CONDUCT WILL RESULT IN BEING BANNED FROM THE CLUB

Picking Officers:

  • emily - VP
  • elijah - secretary
  • ian - treasurer
  • dan - President
  • lucy - webdev

Meeting Ideas:

  • Aiming for every other week a presentation
  • Off weeks we will do activities
  • irdan can talk about secure messaging apps and their security properties
  • Alec can discuss IDs

We can't personally profit from bug bounties. Bug bounty weekend before Thanksgiving; talk the weekend before that.

mailinglist: osusec@lists.oregonstate.edu

Security Club Meeting November 13, 2014

Meeting began 18:15

Attendance: 6

Damn Vulnerable Web Application experiments

  • Like SQL injection

Drupalgeddon

  • Pretty bad stuff within seven hours

Open WebApp Security Project

  • Top 10 list of webapp vulnerabilities
    • XSS: essentially injecting a script into a GET/POST query
    • Cross Site Request Forgery

The knowing is in the doing

Meeting ended 19:00

Security Club Meeting November 20, 2014

Meeting began 18:03. Attendance: 10

Mostly BSD and OSL

Today we talked about SQL injection

  • Use SQL injection for legitimate purposes
  • Then we use it to get all users with all ids
  • Then we used it to union two values (usernames + ids and usernames + passwords)
  • The way to sanitize this is to escape the string by rejecting anything with quotes. This is done on the server side because the client side isn't dependable.
  • The hard example escapes the string and only accepts numbers... so that's difficult to crack.
  • Discussing how to crack the hardest example was the talk of the room for many minutes.
  • The blind version of the SQL injection doesn't throw errors. Slightly harder.
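As an added illustration of the easy, hard and sanitized variants discussed above (example code written for these notes, not DVWA's own PHP), the following Python uses an in-memory SQLite table with constructed rows. `lookup_vulnerable` splices the id into the query text, so a quoted input rewrites the WHERE clause and returns every user; `lookup_parameterized` binds the value so it can never be parsed as SQL; `lookup_numeric_only` is the "only accepts numbers" variant from the notes. Function names and sample users are assumptions made for this example.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not from the notes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "p@ss")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """The 'easy' DVWA-style form: the id is spliced into the SQL text, so a
    quote in the input closes the literal and the rest becomes SQL syntax."""
    sql = "SELECT id, username FROM users WHERE id = '%s'" % user_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: the driver transmits the value separately from the SQL text,
    so quotes inside it are data, never syntax."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_numeric_only(conn, user_id):
    """The 'hard' form from the notes: accept a decimal integer only and
    reject everything else before it gets near the database."""
    if not isinstance(user_id, str) or not user_id.isdigit():
        raise ValueError("id must be a decimal integer")
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tampered = "' OR '1'='1"
    print(lookup_vulnerable(db, "1"))          # one row
    print(lookup_vulnerable(db, tampered))     # every row: the WHERE clause was rewritten
    print(lookup_parameterized(db, tampered))  # no rows: compared literally against id
```

The parameterized form is the one to reach for; the numeric filter is a useful extra check on the server side, but by itself it only works for columns that really are integers.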

We talked about Cross Site Scripting

Essentially allows for injecting a script into body text. Over the next twenty minutes the XSS section of this page fell into insanity

Then we went over CSRF. Essentially a token is given to you when you log into a site; this token is included in every request to verify you are you and are actually making the request.
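The token scheme described above, as an added Python sketch for these notes (not Django's own CSRF middleware): the token is minted at login and kept in the server-side session, every state-changing request must echo it back, and the comparison is constant-time. The `handle_transfer` endpoint, the session dict and the request dicts are constructed for the example.

```python
import hmac
import secrets

# Methods that may change server state; a GET must never do so, or an
# image tag on another site could trigger it without any token at all.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session):
    """On login, mint a random token and store it server-side in the session."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Compare the submitted token against the session copy in constant time."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected, submitted)


def handle_transfer(session, request, balances):
    """Hypothetical state-changing endpoint. Returns (status, message).
    request is a dict with 'method' and 'form' keys (constructed shape)."""
    if request["method"] not in STATE_CHANGING:
        return 405, "state changes must use POST"
    form = request.get("form", {})
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    sender = session["user"]
    amount = int(form["amount"])
    if balances.get(sender, 0) < amount:
        return 400, "insufficient funds"
    balances[sender] -= amount
    balances[form["to"]] = balances.get(form["to"], 0) + amount
    return 200, "ok"


if __name__ == "__main__":
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    balances = {"alice": 100}
    # A request that carries no token (the forged, cross-site case) is refused.
    print(handle_transfer(session, {"method": "POST", "form": {"to": "bob", "amount": "50"}}, balances))
    # The same request with the session's token goes through.
    print(handle_transfer(session, {"method": "POST",
                                    "form": {"to": "bob", "amount": "50", "csrf_token": token}}, balances))
```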

Then we discussed bug bounties for next (winter) term. Next meeting is December 4th 6pm KEC

Meeting ended 18:59

Security Club Meeting January 07, 2015

Administrative: We moved the time of meetings from Wednesday 18:00 to Wednesday 19:00.

We will promote to:

  • Defense Against the Dark Arts
  • Cryptography

We will print and cover the code of ethics. It is currently visible on the website but it should be shoved in our faces at least once.

Projects

Bug Bounty Day?

  • Django bug bounty.
  • Event on the weekend (Saturday/Sunday).
  • In Kelly Engineering Center.
  • Starting around 'programmer morning'.

Muckrock Status

  • Muckrock hasn't gotten back to us since their initial response.
  • Status from the Portland Police Bureau: 'Just go away'.
  • Muckrock says it should be easy we're just waiting on them to help out.
  • Backburner project

Building a Honey Pot

  • Uses: Could be really fun
  • If we intend to use this on school property we need permission, this shouldn't be too hard.

Challenges Sites

  • Sites we know of that have vulnerabilities
  • Crypto Pals
  • Capture the Flag challenge event

Tor Relay

  • One on campus
  • Who do we contact? Dave and Evan.
  • There are docs for this.
  • 20 other public universities run this.
  • The law is on our side.
  • Need buy-in from people at OSU that will be threatened: Nero (OSU's ISP)

Some Talks

  • Messaging Clients (meta: What is secure?).
  • 30-80 minute presentation: Private Set Intersection.
  • Invite everybody else to talk. [A vulnerability you've found, something you're interested in, etc]
  • Lightning-esque talks, longer than a lightning talk, with a demo.

What do we all want to get out of this year in SEC? Hands-on experience.

Start each meeting with a lightning talk

Side Quests

  • Bug Bounty Day (event)
  • Relevant Lightning Talks (out of meeting, reviewed at the top of each meeting)
  • MuckRock stuff (out of meeting, reviewed at the top of each meeting)
  • Educational Websites (whenever we have time)

Quests

  • Honey Pot (potentially quick)
  • Capture the Flag (Next is Jan 10-11 [9:00 to 22:00])
  • Tor Relay (potentially quick)

We are going to do a CTF this Saturday-Sunday Jan 10-11.

Security Club Meeting January 21, 2014

Meeting began ~19:05. Attendance: 13

Upcoming Event for SEC

  • Bug Bounty
    • Based on the Doodle Poll (email) it's either going to happen this weekend or on February 2nd, 2015 (when everybody can make it).

Today

  • We are going to look at the last 10 security related commits to Django

We began reviewing the commits. Silence fell upon the room for many minutes.

At about 7:35 we started talking about Cross Site Scripting and general web security vulnerabilities.

CSRF (Cross Site Reference Forgery) is taking advantage of the fact that you have a CSRF token and forges a GET/POST request into some url like an image src tag to do some nefarious action.

(my interpretation of the discussion)

Django bugs found interesting

  • One of the bugs blindly accepted and tried to read in large files if there were no newlines. Essentially DDOSing the site.
  • Another DDOS like attack involved uploading the same file n times in one request overloading the system.
  • One normalized HTTP header names, turning - into _. If one user's name was foo-bar and another's was foo_bar you could forge authentication.
  • Allowed you to have arbitrary fields if you were on an administrative page.
  • Exploit involved modifying a header.
  • One involved caching CSRF tokens, which we didn't know was a thing.
    • A discussion about this carried on for a few minutes. Weighing the pros and cons.
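Two of the bugs listed above are easy to reproduce in miniature. This is added example code for these notes, not Django's: `wsgi_environ_from_headers` models the WSGI convention under which a request header `X-Auth-User` is exposed as `HTTP_X_AUTH_USER` (upper-case, `-` replaced by `_`, `HTTP_` prefix), which is exactly why a header spelled with an underscore collides with the dashed one. The mitigation shown, dropping any header whose name contains an underscore before it reaches the application, is what nginx does by default. `read_line_bounded` is the defensive counterpart to the "huge file with no newlines" bug: it caps how much is buffered while waiting for a line ending. Header names, the hypothetical `X-Auth-User` header and the byte streams are all constructed.

```python
import io


def wsgi_environ_from_headers(headers):
    """Model of how a WSGI server exposes request headers (assumption: the
    standard CGI-style mapping). Two wire names that differ only in '-' vs '_'
    land on the same environ key, and the later one silently wins."""
    environ = {}
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def drop_underscore_headers(headers):
    """Front-end mitigation: refuse any header whose name contains an
    underscore, so only the dashed spelling survives normalization."""
    return [(name, value) for name, value in headers if "_" not in name]


def read_line_bounded(stream, limit):
    """Read one line but never buffer more than `limit` bytes (newline
    included) while waiting for a line ending. A body that is one enormous
    line is rejected instead of being read into memory."""
    chunk = stream.readline(limit + 1)
    if len(chunk) > limit:
        raise ValueError("line exceeds %d bytes" % limit)
    return chunk


if __name__ == "__main__":
    # Constructed request: a trusted proxy sets X-Auth-User, a client sneaks in
    # X_Auth_User, and after normalization only one value survives.
    headers = [("X-Auth-User", "alice"), ("X_Auth_User", "mallory")]
    print(wsgi_environ_from_headers(headers))
    print(wsgi_environ_from_headers(drop_underscore_headers(headers)))
    print(read_line_bounded(io.BytesIO(b"short line\nrest"), 64))
```

Which value wins the collision depends on the server's header ordering, so the fix is to make the collision impossible rather than to reason about ordering.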

Security Club Meeting January 14, 2015

Meeting started ~19:05. 9 people.

PLANNING TODO:

Planning security event February 7th, 2015:

  • Time: 12:00 to 18:00
  • If people get hungry we can say 'let's chip in for a pizza'.
  • Bring your own food, we might get some during the event.
  • Location: somewhere in KEC
  • We will post the mailing list email to other lists once we get things figured out with KEC administration

Cryptopals helps teach bit-level/low-level programming

  • Dan has done the first 8 exercises and can help do the stuff.

We spent a majority of time working on Cryptopals while questions were asked about the Django Bug Bounty, base 64 representations of numbers, and

There was about 30 minutes where the only sounds were those of fingers clicking on keyboards. It was glorious.

URL: http://cryptopals.com/

The meeting sorta ended a bit after 8pm.

Security Club Meeting October 06, 2014

Meeting started ~19:10. Attendance: 8+3. Meeting ended at ~20:05.

We started the meeting by talking about graphing Django using epydoc.

Then we went over the organization of the event

Bug Bounty

  • February 7th, 12:00 - 18:00
  • It will be held at MLM 033
  • We have group leaders - Trevor, Garrett, Ian, maybe Evan
  • Sessions:
    • Session 1: Explore codebase (2hrs).
    • Session 2: Explore candidates for vulnerabilities (2hrs).
    • Session 3: More of session 2. (2hrs)
  • Even if we don't find a bug we will learn about django and vulnerabilities.
    • Worst case scenario we learn a lot about web security.
  • Food
    • Some people will bring food, we will organize it as we are there as well.

We also talked about a few options for visualizing the function calls and code interaction to see possible security holes.

Emily brought up that pickling is notoriously vulnerable. An article is linked relating to this.

Send something out to osusec and lug mailing list to promote this event.

We then realized we're not 100% prepared

  • We are going to split up into groups for the first session and explore various parts of the code base.
  • Session two is when we focus on sections of the codebase and explore candidates a bit more.
  • The third session will be when we explicitly look for bugs and should be the 'money maker'
  • We will spin up a Digital Ocean droplet to attack; otherwise we would either have to deal with VM/getting django setup headaches or we would break our code of ethics.

TODO's

  • Spin up the server and set it up with a django app to attack
    • People can login to this and edit configs and such.
    • We should deploy at least two instances of django
  • Interactive class hierarchy
  • Interactive function call map thing
  • Foods

Supported versions of Django: 1.4.19 (LTS), 1.6.10, 1.7.4

Links:

  • pycallgraph: http://people.oregonstate.edu/~kronquii/pycallgraph.png
  • Pickle: https://www.cs.jhu.edu/~s/musings/pickle.html
  • The Django tutorial: https://github.com/linzeyang/Django_Tutorial
  • Horribly complicated: https://github.com/mozilla/kitsune
  • Etherpad: http://etherpad.osuosl.org/bb

@jarroldp

jarroldp commented Feb 2, 2015

Some of the post headers don't match their permalinks, so the posts are slightly out of order. The order on the osusec Meeting Notes webpage is likewise noticeably off.
