Other Activities
SANS Institute & Counter Hack - Holiday Hack Challenge 2023
Information Security - Practical Skills and Awareness
This year's SANS Holiday Hack Challenge featured a series of offensive and defensive capture-the-flag exercises ranging from some relatively simple JavaScript and browser manipulation to a full-blown Azure cloud infiltration via a complex Azure API-based enumeration and manipulation of certificate weaknesses. Oh, and a satellite control system to hack and save the planet. Over 15,000 people signed up this time with the competition phase ending on 5th January 2024. SANS kindly maintains the CTF environments for a year or two after the event, so it's not too late to go and take a look.
Mike had a busy Christmas entertaining the masses at home this year, but managed to complete 19 out of 22 challenges by the deadline. Naturally he finished the remainder and published his customary solution write-up in the following weeks. The wrap-up session held on 18th January identified that 281 had completed the full set by the deadline, with around 350 making it to 19/22. You can find details of the best solution write-ups and competition winners on the SANS website. Mike's write-up for this and previous competitions is also available to review.
SANS Institute & Counter Hack - Holiday Hack Challenge 2022
Information Security - Practical Skills and Awareness
Each year the SANS Institute teams up with penetration testing and security experts at Counter Hack to produce a series of holiday-themed offensive and defensive cybersecurity exercises. This year's challenges include some old-school fun with network traffic interception / analysis, shell escapes and JavaScript, as well as some more contemporary work with CI/CD pipelines, AWS penetration, blockchain manipulation and non-fungible tokens (NFT). Remember those? There were over 16,000 participants this year, providing peer support and exchanging war stories on a set of dedicated Discord channels.
Mike spent this Christmas in Florida with his family (tough gig, but someone has to do it) and so didn't join the competitive element of the challenge this year, but completed the tasks in early January with a little help from already-published solutions in places. He completed his usual lab-book record of the journey which you can read in the HHC 2022 tab at this link. SANS published a list of the competition winners with links to their write-ups here: SANS Holiday Hack Challenge Winners.
SANS Institute & Counter Hack - Holiday Hack Challenge
Information Security - Practical Skills and Awareness
This year's Christmas Capture-The-Flag event from the SANS Institute took in topics that closely mirror current real-world cyber security challenges. Alongside remote printer take-over and a couple of log4j examples, participants tested their skills as attackers and defenders across Linux and Windows hosts as well as cloud environments. Perennial favourites included SQL injection, network sniffing and password cracking. More fun than charades.
Mike joined what was his fourth HHC and completed all 13 objectives along with the many "just-for-fun" side challenges by closing date. It was a tough set of problems this year, but for sure HHC is a great example of the maxim "no pain, no gain".
At the wrap-up and awards ceremony held on 9th February 2022, Mike was delighted to see himself on the "Super Honorable Mentions" list for a second year - a cohort of 53 drawn from around 15,000 who enrolled for the challenge. 12,496 made it through the first challenge, with 282 people / teams completing the full set of objectives and challenges this year.
If you'd like to see what participating in HHC involves, take a look at Mike's lab-notes style write-up on the 2021 tab here. You can also check out this year's award-winning entries via the SANS announcement here.
SANS Institute & Counter Hack - Holiday Hack Challenge
Information Security - Practical Skills and Awareness
Nothing stands still for long in the world of technology, so staying up-to-date is an essential part of life as a consultant. Cybersecurity is an especially fast-moving area where understanding tools and techniques available to both the good guys and the bad guys is important. The internationally-renowned SANS Institute works with the Counter Hack team and others each year to provide a Christmas-themed interactive Capture-The-Flag and learning environment, where participants can update their knowledge and practical skills around cybersecurity.
This is the third time Mike has joined the 15,000+ security professionals pitting their wits against the challenges set. The themes are carefully chosen to reflect current real-world issues, and this year included Amazon S3 bucket disclosure, hacking in-car systems and SaaS solutions, and a monster challenge around blockchain security. There was even a topical supply-chain vulnerability angle to the final challenge, warning of the perils of employing unproven consultants in security-critical areas! The challenges start simple and get progressively more difficult, so reaching the end takes a degree of commitment as well as skills and knowledge. Many participants publish reports and videos describing their adventures (check out #holidayhack), and for those who submit by the January deadline there's the possibility of recognition by the organisers and even some prizes.
Mike keeps a OneNote logbook documenting his journey through the challenges, and this year was ecstatic to receive both a "super-honourable mention" (one of only 27 awarded) and a runners-up prize in the Most Creative Answer category for his efforts. If you want to see what his logbook looks like, you can check it out via the 2020 tab at this link. If you're interested in having a look or trying it out for yourself, the good news is that SANS keeps the environment (and those from prior events) up and running after competition close, so create an ID and have a go!
SANS Institute
More Practical Fun with InfoSec
Following last year's participation in the fun and educational capture-the-flag event KringleCon, Mike once again dusted down his programming skills and mastery of obscure Linux commands to take on the 12 information security challenges provided by the SANS team in KringleCon 2. This year he fared better than last time, completing all 12 problems within the allotted time (just!). This year's challenges included a lot of network and logfile analysis via tools like Splunk and RITA, as well as programming a practical application of machine learning to break a CAPTCHA. There was also a tricky crypto code reverse-engineering challenge that brought back happy memories of 6809 assembler programming.
If you're brave, you can read all about it on the HHC2019 tab here.
At the awards ceremony held on 13th February 2020, Mike received an "honorable mention" award, putting him in a cohort of 125 award winners from a total of 14,912 people who entered the challenge.
SANS Institute
Completing a Series of Red-Team / Blue-Team CTF challenges
Each year the SANS Institute - the internationally renowned cyber-security training and knowledge-sharing organisation - organises a capture-the-flag (CTF) competition in which security experts are invited to complete a series of red-team (i.e. simulated computer hacking) and blue-team (i.e. defending against attack) challenges, to develop and demonstrate their understanding of cyber-security risks.
The 2018 challenge, dubbed KringleCon, included a virtual conference with content from SANS team members and collaborators, along with 12 CTF challenges of varying difficulties. Mike joined KringleCon for some post-Christmas entertainment and to update his practical knowledge of cyber threats, completing ten and a half out of the twelve challenges unaided and within the competition time limits. He completed the final challenges with a bit of help from other participants after the deadline. You can read about the challenges (which are still open for you to try if you're interested) here and Mike's notes on completing the challenges on the HHC 2018 tab here.
SANS reported that out of 17,460 participants in the challenge, around 730 made it as far as question 10, with around 650 completing the entire challenge.
Keeping it real
While I haven't been paid to write computer programs since 1993, I've always found that maintaining an interest in coding technology and platforms (among other things) has offered great benefits when dealing with developers and especially when debunking IT suppliers' FUD and nonsense. So here's a small hobby project that ticked a number of interesting boxes in 2008 - open source, PHP, JavaScript, web services and geolocation.