Tuesday, January 26, 2016

More than a simple game

EKOPARTY Conference 2015, one of the most important conferences in Latin America, took place in Buenos Aires three months ago. IOActive and EKOPARTY hosted the main security competition of about 800 teams which ran for 32 hours, the EKOPARTY CTF (Capture the Flag).

Teams from all around the globe demonstrated their skills in a variety of topics including web application security, reverse engineering, exploiting, and cryptography. It was a wonderful experience.

If you haven’t competed before, you may wonder: What are security competitions all about? Why are they essential for information security? 

Competition, types, and resources

A security competition takes place in an environment where the contestants try to find a solution to specific problems through the systematic application of knowledge. Each problem (or challenge) is worth a different number of points. The number of points for each challenge is based on its level of difficulty and the time needed to reach the solution (or flag).

Security competitions help people to develop rare skills as it requires the use of lateral thinking and a low-level technical knowledge of many topics at once, this is a small list of some of their benefits:
  • Fun while learning.
  • Legally prepared environments ready to be hacked; you are authorized to test the problems.
  • Recognition and use of multiples paths to solve a problem.
  • Understanding of specialized attacks which are not usually detectable or exploitable by common tools.
  • Free participation, typically.
  • Good recruiting tool for information security companies.

You will find two types of competitions:
  1. CTFs (Capture the Flag) are restricted by time:
    1. Jeopardy: Problems are distributed in multiple categories which must be solved separately. The most common categories are programming, computer and network forensics, cryptography, reverse engineering, exploiting, web application security, and mobile security.
    2. Attack - defense: Problems are distributed across vulnerable services which must be protected on the defended machine and exploited on remote machines. It is the kind of competition that provides mostly a vulnerable infrastructure.
  2. Wargames are not restricted by time and may have the two subtypes above.

Two main resources can help you to get started:

Also, you can see solutions for many CTF problems in the following github repository:

Wednesday, January 6, 2016

Drupal - Insecure Update Process

By Fernando Arnaboldi

Security updates are a common occurrence once you have installed Drupal. In October 2014, there was a massive defacement attack that effected Drupal users who did not upgrade in the first seven hours after a security update was released. This means that Drupal updates must be checked as frequently as possible (even though by default, Drupal checks once a day). 

Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: 

Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning.