Silicon Valley Code Camp: October 1 & 2, 2016 session

Honeypots, Cybercompetitions, and Bug Bounties

When your site gets hacked, do you know what the attacker did? We use vulnerable servers and monitoring tools to examine attacks. Cybercompetitions and bug bounties keep us trained in the latest methods of attack and defense.

About This Session

Websites get hacked frequently, and most administrators cannot determine how the attacker got in. We are developing techniques to detect and prevent attacks using deliberately vulnerable "honeypot" sites and watching the attacks on them. We use Tripwire, Dropbox, Twitter, crontab, and shell scripts to detect intrusions and rapidly exfiltrate the evidence to external servers. The evidence we gather helps us understand current real-world threats and methods.

Cybercompetitions are extremely valuable to test and sharpen hacking skills, but they are typically too difficult for security beginners. We have found helpful training tools to guide and encourage students, including PicoCTF, EasyCTF, and CTFtime. We now have a strong competitive hacking team, CCSF_HACKERS, competing in more than ten contests per semester. We also have an enthusiastic hacking club, including security students and coders, which is growing rapidly.

Every website should offer bug bounties, or at least have a responsible disclosure policy. This is easy to do, costs little or nothing, and greatly improves security. I'll explain how to do this and report the results of my own disclosure policy: students and other researchers have hacked me many times, getting into my email and Twitter accounts, rooting my servers, and adding harmless defacements to my Web sites. They all got my thanks and were placed on a Hall of Fame page. These people are heroes, helping me stay secure, not criminals or enemies.
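The detect-and-exfiltrate pipeline described above, as an added example that is not code from the talk or from CCSF: sha256sum stands in for Tripwire, crontab drives the check, and evidence is dropped into an "outbox" directory that an external sync client (such as a Dropbox folder) carries off the host. The paths, the script name and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example, not code from the talk. Integrity check for a honeypot web root:
# sha256sum stands in for Tripwire; on any change the surviving changed files and a
# report are written to an outbox that a sync client ships off the host.
# All paths below are assumptions for this example.
set -u

WEBROOT="${WEBROOT:-/var/www/html}"
BASELINE="${BASELINE:-/var/lib/honeypot/baseline.sha256}"
OUTBOX="${OUTBOX:-/var/lib/honeypot/outbox}"

# Hash every file under the web root, one "hash  ./path" line per file.
hash_tree() {
    ( cd "$WEBROOT" && find . -type f -exec sha256sum {} + ) | sort
}

# Record the trusted baseline; run once on a known-clean site.
baseline_init() {
    mkdir -p "$(dirname "$BASELINE")" "$OUTBOX"
    hash_tree > "$BASELINE"
}

# Print the path of every added, removed or modified file (file names without
# spaces assumed). Returns 0 when the tree matches the baseline, 1 otherwise.
integrity_check() {
    changes=$(hash_tree | sort - "$BASELINE" | uniq -u | awk '{print $2}' | sort -u)
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Meant for crontab, e.g. "*/5 * * * * /usr/local/bin/honeypot-check.sh" (assumed).
# On any change, write a report plus a tarball of the changed files that still
# exist into the outbox, so the evidence leaves the box even if the site is wiped.
# Returns 0 when clean, 1 when evidence was collected.
collect_evidence() {
    changed=$(integrity_check) && return 0
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    printf 'host=%s\ntime=%s\nchanged_files:\n%s\n' "$(uname -n)" "$stamp" "$changed" \
        > "$OUTBOX/report-$stamp.txt"
    list=$(mktemp)
    # Deleted files cannot be copied; they are still named in the report.
    for f in $changed; do [ -f "$WEBROOT/$f" ] && printf '%s\n' "$f" >> "$list"; done
    [ -s "$list" ] && tar -czf "$OUTBOX/evidence-$stamp.tgz" -C "$WEBROOT" -T "$list"
    rm -f "$list"
    return 1
}
```

Because the outbox is synced continuously, the report and tarball are already on the external server by the time an intruder notices the script, which is the property the talk's Dropbox-based setup relies on.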


The Speaker(s)


Sam Bowne

Instructor, Computer Networking and Information Technology, City College San Francisco

Sam Bowne has been teaching computer networking and security classes at CCSF since 2000. He has given talks at CodeCamp, DEFCON, BayThreat, LayerOne, and Toorcon, and taught classes and seminars at many other schools and teaching conferences. He has a Ph.D. and a CISSP and a lot of other certifications, and a lot of computers and cables and firewalls and stuff.