Our News Stories
  • March 13, 2021 5:00 PM | Anonymous

    Last month, dangerous winter storms rolled into the South, creating a challenging situation for thousands of residents in the area, most of whom were left to survive in the cold with little to no power or running water. People I know were forced to stand in lines to obtain their ration of water for the day. Water is an essential part of our very existence, and every cell in our body needs it to grow and function. Per Worldometers.info, 657 million+ liters of water have been used so far in 2021. Now, think about developing countries that lack a quality water supply. Per UNESCO, one in nine people worldwide drinks water from unimproved, unsafe, untreated sources.

    In the United States, we are fortunate to have access to treated water, and drinking from US water supplies is considered safe. However, on Friday, Feb. 5, 2021, two days before the Super Bowl, a cyber attack was attempted against a small water treatment facility in Oldsmar, Florida. Over the internet, the adversary connected to TeamViewer, remote-access software installed on the workstation used to control the water treatment process. TeamViewer is a popular tool among technicians: it lets personnel take control of a computer remotely and use it as if they were physically in front of it. Once in control of that workstation, the adversary tried to raise the level of sodium hydroxide (lye) in the water, reportedly changing the setpoint from about 100 parts per million to 11,100.

    Thankfully, a supervisor on duty noticed an indicator of compromise (IoC): a cursor moving across his screen and changing settings on its own. Due to his alertness, he reversed the change before it took effect and prevented a catastrophe. Think about it for a second: had the supervisor not seen the cursor move, many unsuspecting customers, travelers, and residents could have been poisoned. Unfortunately, this setup is not uncommon. Operations staff and equipment vendors need remote access to industrial machines, and they use software such as TeamViewer to manage critical infrastructure such as our water supply.

    How can this type of incident be prevented in the future? Start with the remote-access path itself: remove remote-control software from control-system workstations where it is not needed, and where it is needed, require unique credentials and multi-factor authentication, disable unattended access, and restrict connections to an allow list of known vendor and staff accounts during agreed maintenance windows. Segment the network: the industrial control network should sit behind a firewall, with remote sessions landing on a hardened jump host in a DMZ rather than directly on the workstation that drives the process, so that external addresses never reach the internal network. Layer detection on top: a Network Intrusion Detection/Prevention System (NIDS/NIPS) at the segment boundary and a Host Intrusion Detection/Prevention System (HIDS/HIPS) on the workstations will alert on, or block, suspicious events such as a remote session at 2 a.m. or a setpoint change far outside the normal range. Do not use default credentials on servers or applications, keep the operating system patched and supported, and conduct a vulnerability assessment at least every six months.
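    As an added example (not part of the original post), here is the kind of check a HIDS or SIEM rule would run over remote-access session records: a small Python script that flags sessions from remote IDs not on an allow list, or sessions that start outside the agreed maintenance window. The log lines are constructed for this demonstration and loosely follow the tab-separated layout of TeamViewer's Connections_incoming.txt; the exact column order, timestamp format, allowed IDs, and window hours are assumptions to adapt to your own site.

```python
"""Flag remote-access sessions that an operator should review.

Added example, not from the original post. SAMPLE_LOG is constructed for this
demonstration and loosely mirrors the tab-separated records TeamViewer writes to
Connections_incoming.txt; treat the column order and timestamp format as an
assumption and adjust the parser to whatever your remote-access tool logs.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Columns (assumed): remote TeamViewer ID, display name, start, end,
# local Windows user, session type, session GUID.
SAMPLE_LOG = """\
441002187\tVendor Support Laptop\t03-02-2021 09:12:41\t03-02-2021 09:40:03\tOperator\tRemoteControl\t{A1}
441002187\tVendor Support Laptop\t05-02-2021 08:02:10\t05-02-2021 08:05:30\tOperator\tRemoteControl\t{A2}
998377120\tUnknown\t05-02-2021 13:30:05\t05-02-2021 13:35:14\tOperator\tRemoteControl\t{A3}
441002187\tVendor Support Laptop\t06-02-2021 02:11:00\t06-02-2021 02:45:12\tOperator\tRemoteControl\t{A4}
"""

# Site policy (assumed): the remote IDs allowed to connect, and the hours in
# which a vendor session is expected. Anything else should raise a ticket.
ALLOWED_IDS = {"441002187"}
WINDOW_START, WINDOW_END = time(7, 0), time(19, 0)
TIMESTAMP_FORMAT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    remote_id: str
    name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str
    session_id: str


def parse_log(text):
    """Parse tab-separated session records; reject malformed lines loudly."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 7:
            raise ValueError(f"unexpected record: {line!r}")
        rid, name, start, end, user, kind, sid = fields
        sessions.append(Session(
            rid, name,
            datetime.strptime(start, TIMESTAMP_FORMAT),
            datetime.strptime(end, TIMESTAMP_FORMAT),
            user, kind, sid,
        ))
    return sessions


def classify(session):
    """Return the list of policy violations for one session (empty = fine)."""
    reasons = []
    if session.remote_id not in ALLOWED_IDS:
        reasons.append("remote ID not on allow list")
    if not WINDOW_START <= session.start.time() <= WINDOW_END:
        reasons.append("outside maintenance window")
    return reasons


def find_alerts(text):
    """Return (session_id, reasons) for every session that violates policy."""
    alerts = []
    for session in parse_log(text):
        reasons = classify(session)
        if reasons:
            alerts.append((session.session_id, reasons))
    return alerts


if __name__ == "__main__":
    for sid, reasons in find_alerts(SAMPLE_LOG):
        print(f"ALERT {sid}: {'; '.join(reasons)}")
```

    Run it and the two flagged sessions are the unknown remote ID on the afternoon of Feb. 5 and the allowed vendor ID connecting at 2 a.m. A real deployment would ship these records to a SIEM and page the on-shift operator rather than print them, and would correlate them with the control system's own audit trail of setpoint changes.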

    Sources:
    https://www.hstoday.us/subject-matter-areas/infrastructure-security/perspective-cyber-attack-on-water-supply-is-a-wake-up-call-for-state-and-local-governments/
    https://en.unesco.org/waterquality-iiwq/wq-challenge
    https://www.worldometers.info/water/

  • February 20, 2021 5:02 PM | Anonymous


    BlackGirlsHack is kicking off its Help-a-Hacker Fundraiser! As a newly formed non-profit organization still waiting on our 501(c)(3) designation, we are caught between rapid growth and reality. The reality is that we are growing much faster than we anticipated, and the squad is getting sooooo big. That means we've got hundreds of future cybersecurity professionals who are trying to get their foot in the door of cyber.

    To do this, they need TRAINING, HANDS-ON SKILLS, and CERTIFICATIONS. For our future K-12 students, we are providing exposure to cybersecurity and ethical hacking as a profession. There are many financial barriers to entry for these professionals, including the cost of certifications and of a home lab (which we plan to remedy with a BGH Cloud Labs program), along with the hands-on skills needed to prepare qualified workers for the vast number of open cybersecurity jobs.

    To help fulfill our mission of increasing diversity in cybersecurity, we need YOU to help us level up. Donate now using the QR code above or on our website at blackgirlshack.org/donate.

  • December 25, 2020 5:05 PM | Anonymous

    So this started off as a conversation within the Port Eight club on Clubhouse. Someone asked whether entry-level cyber jobs really existed. Ever the contrarian, I argued that I didn't think they did. I did a search of Indeed in my area the other day for entry-level cybersecurity jobs and saw such gems as:

    • 3-5 years of experience with an OSCP (an advanced-level cert)
    • 2-4 years of experience with a CISSP (this cert requires 5 years of experience, mind you)

    Now, full disclosure, I actually found what seems to be an entry-level job in the Dulles, VA area; it's in the Slack #jobs channel. More on this later…

  • December 23, 2020 5:06 PM | Anonymous

    Just some programming updates:

    Registration will be moving away from Meetup and onto the BlackGirlsHack website. If you wish to participate in our events, please register using the link in the menu bar above.

    BlackGirlsHack is offering two new workshops, New Year, New Lab and New Year, New Lab from Scratch. New Year, New Lab is for existing CEH students who want to add a Windows machine to their home lab. New Year, New Lab from Scratch is for people who do not yet have any sort of home lab. Both labs are built in VirtualBox with Windows, Kali, and OWASP Broken Web Applications (BWA) VMs. Both workshops are free and open to all. Signup is on Meetup.

    BlackGirlsHack is offering a Friday Night Labs training workshop that shows beginners in cybersecurity how to build hands-on lab skills to supplement their learning. The workshops run every Friday in January, and signup is on Meetup.

    BlackGirlsHack is offering a free CEH study group, an immersive 15-week program covering the 7 domains of the CEH (Certified Ethical Hacker) exam, currently at version 10. We will be using the Matt Walker CEH All-in-One Exam Guide and the Ric Messier CEHv10 Study Guide. The study group meets on Tuesday evenings from 7-10 pm. Signup is on Meetup for the current cohort. The next cohort will start March 30, 2021, and signup is available to registered users.

    BlackGirlsHack is offering a free Security+ study group, a 7-week offering that covers the Security+ (SY0-501) exam. The study group meets on Saturday mornings from 10 am to 12 pm. Signup is on Meetup for the current cohort. The next cohort will start February 6, 2021, and signup is available to registered users.

  • November 10, 2020 5:07 PM | Anonymous

    Black Girls Hack is offering a free CEH study group, an immersive 15-week program covering the 7 domains of the CEH (Certified Ethical Hacker) exam, currently at version 10. We will be using the Matt Walker CEH All-in-One Exam Guide and the Ric Messier CEHv10 Study Guide. Week 1 will cover the following:

    Network and Communication Technologies

    • Networking technologies (e.g., hardware, infrastructure)
    • Web technologies (e.g., Web 2.0, Skype)
    • Systems technologies
    • Communication protocols
    • Telecommunication technologies
    • Mobile technologies (e.g., smartphones)
    • Wireless terminologies
    • Cloud computing and cloud deployment models

    Sign up for the study group on meetup.com: search for the Black Girls Hack group, or find the link at linktr.ee/tennisha.

  • October 26, 2020 5:08 PM | Anonymous

    I did my first National Cyber League (NCL), which also happened to be my first real Capture the Flag (CTF) type event, and I learned a lot from the experience, so I thought I'd share. First, before you get started with any CTF type event, it is important that you set up your attack machine or VM and install all the tools that you might need. There was definitely a difference between the tools I thought I might need and the tools I actually needed. Let me explain. NCL told us off the break that the categories for the capture the flag were as follows:

    Cryptography
    Password Cracking
    Log Analysis
    Network Traffic Analysis
    Forensics
    Web Application Exploitation
    Scanning
    Enumeration and Exploitation

    What I appreciated about this is that they tie the skills back to the NIST NICE framework, letting you know the value of the skills you are exhibiting and how they map to NICE cybersecurity workforce skills (have you checked out the What Can I Do? series on our blog?). Even knowing the categories the challenges were in did not prepare you for the challenges. For example, there were tools I didn't have installed on my machine that I found valuable for the competition: DIIT (Digital Invisible Ink Toolkit) was invaluable to me for the steganography-related challenges, and it is a good tool to have for solving those types of challenges. There are other tools that are native to Kali, such as OpenStego, but it turned out that this tool didn't work for the images I was provided.

    For other challenges, while I had the tools available, I wasn't familiar with how to use them. This was the case for John the Ripper. John is a common password-cracking tool, which is great if you're handing it a password or two to crack and a word list. It is less great when you're told that the password has a specific format and it's long enough that brute forcing it and trying to hit all the combinations will not serve you any good.

    Another lesson learned from the experience is to use various browsers. For one of the challenges, the answer was in the HTML code and was updated each time the page was refreshed. You could only see the information in specific browsers, though, so it's good to have a backup handy. This is also the case for search engines. While I call myself relatively skilled in the art of Google-fu, my Yandex, Bing, and Yahoo fu need work. I don't use the other ones, but Google doesn't always have the answer.

    Another lesson I'd give to anyone who is trying their hand at this type of event is "sometimes the answer is right in front of you" and "don't overthink it." We were provided a picture in one of the challenges and asked for some information, and while I approached the problem by looking at metadata and GPS data and all the data, the solution was found just by looking at the picture. In another challenge involving a picture I did the same thing. They gave you a screenshot of a Twitter feed, and the key was in the comments on Twitter. Me, though? Your girl looked at all the data, zoomed in, scanned the picture with a QR reader, and everything. I went to the Twitter page to get the original picture because the screenshot wouldn't have metadata. The flag was in the comments on the Twitter page.

    Random file names, check! NCL was full of surprises. They had a BSON file that had data in it; it was a database dump. Don't know what BSON is? Neither did I. Crash course on MongoDB on a Saturday night… why not? When I tell y'all that I had like 100 browsers open across 2 different computers and 4 different VMs… and of course no one has all the information on one page. Install the software, restore the database, read the database… I know SQL… TOO BAD it doesn't use SQL. Learn how to query, count records, look for information. UGHHHHH. If you see me in these cyber streets with bald spots, you know what happened.

    I also ended up needing random tools and programs, for example a PDF cracker tool and a tool that allows you to map GPS coordinates and radii on a map to determine the location of an obscure airfield. I might have been amused if I wasn't sick and stressed out and severely lacking in TIME.

    Preseason lasted a week and the individual competition lasted 72 hours. For the preseason portion of the competition, I found that you were given plenty of time. For the individual competition, I found there were not enough hours in the day. I was sick for most of the competition, and my backup computer decided mid-challenge to throw a temper tantrum and restart mid-keystroke. MID TYPING. NO WARNING. (Talk about big mad.)

    But I'll tell you what, NCL was a great experience, and I decided that once my papers go through for my nonprofit, I'll be sponsoring a team. Be on the lookout for the BlackGirlsHack team in the team competition in early November, but hopefully you'll see us around for years to come. See y'all in these cyber streets.
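    The John the Ripper point in the post above, as an added example that is not part of the original post: when you know the password's format, a mask (John's --mask option, hashcat's -a 3 mode) shrinks the search to the strings that fit the pattern instead of every printable combination. The Python below reimplements that idea in miniature against a constructed target. The hash is computed in the script from a made-up password so the example is self-contained; in a CTF you would have only the hash and the format hint.

```python
"""Format-aware (mask) cracking versus blind brute force.

Added example, not from the original post. The target hash is constructed here
from a made-up password so the script runs offline; the mask tokens imitate the
?u ?l ?d ?s classes used by John the Ripper and hashcat mask modes.
"""
import hashlib
import itertools
import string

# Character class per mask token (an assumed subset of the real tools' classes).
CLASSES = {
    "u": string.ascii_uppercase,   # A-Z
    "l": string.ascii_lowercase,   # a-z
    "d": string.digits,            # 0-9
    "s": "!@#$%^&*",               # a small special-character set
}
FULL_ALPHABET = string.ascii_letters + string.digits + CLASSES["s"]

# Constructed target: an unsalted MD5 of the made-up password "BD7731".
# A CTF would hand you only the hex digest plus a hint such as
# "two uppercase letters followed by four digits".
TARGET_MD5 = hashlib.md5(b"BD7731").hexdigest()


def keyspace(mask):
    """Number of candidates a mask such as 'uudddd' expands to."""
    count = 1
    for token in mask:
        count *= len(CLASSES[token])
    return count


def blind_keyspace(length):
    """Number of candidates for a blind brute force over FULL_ALPHABET."""
    return len(FULL_ALPHABET) ** length


def candidates(mask):
    """Yield every string matching the mask, one character class per position."""
    pools = [CLASSES[token] for token in mask]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def crack_md5(target_hex, mask, limit=None):
    """Return the first mask candidate whose MD5 matches, or None.

    `limit` caps the number of candidates tried, so a wrong mask fails fast
    instead of exhausting its whole keyspace.
    """
    for tried, cand in enumerate(candidates(mask)):
        if limit is not None and tried >= limit:
            return None
        if hashlib.md5(cand.encode()).hexdigest() == target_hex:
            return cand
    return None


if __name__ == "__main__":
    mask = "uudddd"
    print(f"mask {mask}: {keyspace(mask):,} candidates")
    print(f"blind, length 6: {blind_keyspace(6):,} candidates")
    print("recovered:", crack_md5(TARGET_MD5, mask))
```

    The mask expands to 6.76 million candidates; a blind search over the same 70-character alphabet at length 6 is about 117 billion, roughly 17,000 times more. That gap is the difference the post describes between a crack that finishes on a laptop during the competition and one that never will.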

  • October 10, 2020 5:11 PM | Anonymous

    While security conferences typically host capture the flag competitions, where you are tasked with completing a set of challenges in order to find hidden treasures, or flags, within their systems, traditional businesses model their security with colored teams, each responsible for a certain aspect of the organization's security. Blue teams, for example, are white-hat defenders: they work for the company and are responsible for defending the organization's assets. While intrusion detection systems are typically responsible for identifying attacks on an organization's assets, it is the blue team that takes actionable steps to contain the attack and prevent further damage. To help ensure that the blue team stays ready, many companies also employ the services of a red team. Red teams are independent groups that determine the effectiveness of an organization's security by assuming the role of the attacker. They use the same tools and techniques as real attackers and are considered ethical hackers. With the organization's permission, red teams spend several weeks to months performing security testing against specific objectives and report their findings to the blue team. Red teams are often confused with penetration testers, whose job is to provide a security assessment of an organization's network and report on flaws or vulnerabilities within a defined scope and timeframe; a red team engagement is typically longer, objective-driven, and run without warning the defenders, so that detection and response get tested too. Penetration testers, red teams, and blue teams are all trained to think like adversaries, but they operate with permission and within the scope of their duties.

  • October 07, 2020 5:12 PM | Anonymous

    Information Systems Security Manager

    Entry Level Education – Bachelor’s degree

    2019 Median Pay[1] – $146,360 per year ($70.37/hr)

    Job outlook – 10%

    What they do: They are responsible for the cybersecurity of a program, organization, system, or enclave, and for planning, coordinating, and directing computer-related activities in an organization.

    Where they fall in the NIST NICE Framework[2] – Information Systems Security Managers work in the Cybersecurity Management specialty area.

    Where do I start: Information systems security managers typically hold advanced certifications such as the CISSP, PMP, or a GIAC certification. Because they manage organizations, they typically have 5 or more years of experience.

    [1] https://www.bls.gov/ooh/management/computer-and-information-systems-managers.htm

    [2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

  • October 04, 2020 5:15 PM | Anonymous

    Cyber Instructor or Trainer

    Entry Level Education – Bachelor’s degree

    2019 Median Pay[1] – $61,210 per year ($29.43/hr)

    Job outlook – 9%

    What they do: Trainers lead training activities and design and develop training or education for personnel within the cyber domain.

    Where they fall in the NIST NICE Framework[2] – Trainers fall under the Training, Education, and Awareness (TEA) specialty area, with work roles such as Cyber Instructor or Cyber Instructional Curriculum Developer.

    Where do I start: Learn something new and teach it to someone. In addition to a bachelor's degree, training specialists need work experience in teaching, tutoring, or educating others.

    [1] https://www.bls.gov/ooh/business-and-financial/training-and-development-specialists.htm

    [2] https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-181.pdf

  • October 02, 2020 5:21 PM | Anonymous

    My world domination plan includes cloud infrastructure because most of the world's Fortune 500 companies are running at least part of their infrastructure in the cloud. Whereas traditional networks meant server farms and physical infrastructure, cloud computing infrastructure includes all of the networking, storage, compute, and other virtualized resources that an organization needs. There are currently three main providers in the cloud computing market: Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP). Each provides Infrastructure as a Service (IaaS), acting as a third-party host that offers core infrastructure to its customers.

    While each of the cloud providers lets you, for example, create a virtual machine (VM) or a virtual network in the cloud through its console, at large scale companies such as Netflix, Hulu, Amazon, and others need their infrastructure created and destroyed in a much more repeatable way. To automate the provisioning, modification, and removal of virtual servers, organizations use infrastructure-as-code tools such as Terraform, and container orchestration platforms such as Kubernetes. Terraform, from HashiCorp, is a vendor-neutral tool that lets you write declarative code to provision servers, networks, and other resources on AWS, Azure, VMware, and many other providers. Kubernetes is not strictly infrastructure as code: it is a platform for running and scaling containers, but its workloads, networking, and storage are likewise declared in configuration files (YAML manifests) and applied the same way, and the clusters themselves are often provisioned with Terraform. Both are very important to big tech companies and therefore very important areas for my world domination plan.

    Resources I have for my study of infrastructure include:

    • Terraform training (available from HashiCorp's website)
    • Kubernetes training videos (available from kubernetes.io and YouTube)
    • Infrastructure as Code by Kief Morris (bought from Amazon)
    • Terraform: Up & Running by Yevgeniy Brikman (bought from Amazon)
    • Azure (Microsoft Learn)
    • AWS (AWS Training)
    • edX has some AWS courses
    • Oracle Learn