K-12 Cybersecurity issues. What can be done to protect our students and staff?

Imagine being a student watching your classmate present during YouTube live, and then all of a sudden, you hear someone interrupt your classmate’s presentation, to say your classmate’s name and then speak about how much he admires her.  Then how about this? The intruder then says, “You cannot mute me because I am a HACKER!”. I have to admit; this particular scene played out in real-time in front of me during a class I attended this past April.

            The Facilitator of the course, feeling comfortable to do so, inadvertently posted the class Zoom details to a live YouTube feed. The Facilitator was genuinely embarrassed and apologetic to my classmate and his students. I do not think he thought that we would experience an invasion like that ever. I mean, we were in class, and everyone there was trying to learn.  These types of cyber attacks are becoming increasingly common, especially now during this Covid-era.

            I recently read an article by The K-12 Cybersecurity Resource Center and The K12 Security Information Exchange (K12 SIX), which provide information regarding school-related cyber issues, and are dedicated to helping protect K-12 schools from cyber threats. It is worth mentioning that the U.S. public K-12 is a $760 billion sector managing and storing data for 50 million students. However, in some situations, IT system infrastructure is stored on-premise or shared with other districts, which increases the risk of protecting student and staff confidential information.

            In 2020, K-12 saw a staggering increase in publicly disclosed cyber attacks. Examples of K-12 Cyber attacks include Denial of Service attacks, Phishing, and Ransomware, to name a few. With these cyber attacks, data retrieved by an adversary and, in most cases, sold. This situation then becomes detrimental to parents’ livelihood but more specifically to their children and School Staff. For example, children under 18 receive mail telling that tells them they have been denied credit, or sometimes the information the adversary has obtained is used to Bully children or School staff online. Also, the article spoke about that Wealthier, more prominent, and suburban school districts were more likely to have a reported breach, with Ransomware being an example of an attack method. The Ransomware attack is successful when an unsuspecting person opens an email which then activates the malicious software.

            With remote learning being the norm, a secure and safe environment must be created for students and School Staff. School districts with student and School Staff data still on-premise should look for ways to encrypt data-in-rest and store it in locked storage. School districts can implement at least basic security awareness training and security hygiene practices to maintain a high level of security controls in place for all facets of their IT infrastructure.

   If you are interested in learning more about K-12 Cyber incidents, feel free to visit k12cybersecure.com.

References :

https://k12cybersecure.com/wp-content/uploads/2021/03/StateofK12Cybersecurity-2020.pdf

Leveling up with RangeForce

How many times have you applied for a Cybersecurity job to receive a day or weeks later a rejection letter that you have not been considered for the role? Or maybe you have been shortlisted for a role because you met the minimum qualifications, transferrable skills, even hold Cybersecurity certifications, and have an evident passion for the role? According to (ISC)2, the number of unfilled cybersecurity positions now stands at 4.07 million, up from 2.93 million this time last year. The unfilled positions include 561,000 in North America. The shortage of skilled workers in the industry in Europe has soared by more than 100 percent over the same period, from 142,000 to 291,000.

            Ok, so now you finally land the interview; the interview went well, and yet you are still rejected, and your chance to finally land that Cybersecurity role appears to diminish right in front of you. You may feel defeated. You may feel like you are not cut out to be a Cybersecurity Professional, and then you decide to give up on your dream. I know the feeling. However, if there are so many unfilled Cybersecurity roles worldwide, why can we not land the

Cyber role? I have often heard that if you want to get into Cybersecurity, you have to show that you have the skills, like command-line skills and more.

            So in 2018, I decided to transition to a career in Cybersecurity and to develop my skill-set.  I started by searching online for Cybersecurity boot camps, certificate, and degree programs. However, since I already held a master’s degree in information science, the thought of going into debt again was not an option for me. So I decided to try online Cybersecurity and IT workforce development platforms. I did not have a great experience with the platforms I tried. For example, I would get stuck at a step in a challenge, and there were no tips provided to help me understand how to complete the task and move forward. Sometimes my VM instance session would have an error and then shut down as I was completing a challenge. These roadblocks were very frustrating because  I would have to refresh my browser and then re-start a module from the beginning. After those experiences, I gave up on using any online Cybersecurity and IT workforce development platforms, essentially placing the development of my skills on hold until BlackGirlsHack introduced me to RangeForce in February 2021.

            Founded in 2015, RangeForce was created to provide impactful training experiences to individuals and teams throughout the cybersecurity industry. They improve a learner’s ability to detect and respond to the latest cyber threats while identifying skills gaps and providing the training needed to upskill learners quickly. I have been using RangeForce since February 2021, and I can say it is the best platform I have used. RangeForce’s user experience is excellent, with it being easy to navigate between pages. Each module contains clear and concise content for the topic or instructions for an assessment. They also offer tips within each assessment to help a Learner if they find difficulty completing an assessment alone. RangeForce is also very concerned with their Learners’ experience with each module and asks for general feedback after each of them.

            I am always excited about using RangeForce, and I think you would be if you tried it too. If you want to level up your Cybersecurity skills, when you have a chance, please feel to visit RangeForce for more information.

Sources:

1. https://www.rangeforce.com/blog/founding-story-rangeforce-cyber-attack-cyber-range-simulation

2. https://dataconomy.com/2021/01/cyber-attacks-increase-threefold-4m-unfilled-cybersecurity-positions/

Cyber Attack on Water Plant Facility

Last month, dangerous winter storms rolled into the South, creating a challenging situation for thousands of residences in the area, and most were left to survive in the cold with little to no power or running water. People I know were forced to stand in lines to obtain their ration of water for the day.  Water is an essential part of our very existence, and every cell in our body needs it to grow and function. Per Worldometers.info, 657million+ liters of water have been used so far in 2021. Now, think about non-developed countries that lack quality water supply. Per UNESCO, one in nine people worldwide uses drinking water from unimproved, unsafe, untreated sources.

In the United States, we are fortunate to have access to treated water. Also, drinking from US Water Supplies is considered safe. However, on Friday, Feb. 5, 2021, two days before the Superbowl, a cyber attempt was made against a small water facility in Oldsmar, Florida. Using the internet, the adversary managed to connect to software called TeamViewer. It was installed on the workstation used to control the water treatment process. TeamViewer is a popular tool used by technicians, and it allows personnel to gain remote access to a computer and use it as if they were physically in front of it. Once in the network, the adversaries tried to increase the sodium hydroxide levels or lye.

However, thankfully a Supervisor on duty was alerted by an Indicator of Compromise (IoC), a cursor moved across his computer screen. Due to his alertness, he was able to prevent a catastrophe from occurring. Think about it for a second – what if the Supervisor had not seen the cursor move — many unsuspecting customers, travelers, or residents could have been poisoned.  Unfortunately, this type of situation is not uncommon. Operations staff and equipment vendors need to remote access into industrial machines and to utilize software such as TeamViewer to manage our critical infrastructures such as our water supply.

How can this type of incident be prevented in the future? Prioritize installing a firewall in your network like a Network Intrusion Detection System (NIDS)/Network Intrusion Prevention System(NIPS) or even a Host Intrusion Detection System (HIDS)/ Host Intrusion Detection System(HIPS). This way, you can be alerted about, or the system can prevent suspicious or malicious events. Consider placing industrial networks in DMZs to prevent external IP addresses from accessing your internal networks. Do not use default credentials on servers or applications and conduct a vulnerability assessment every six months.

Sources: https://www.hstoday.us/subject-matter-areas/infrastructure-security/perspective-cyber-attack-on-water-supply-is-a-wake-up-call-for-state-and-local-governments/

Sources: https://en.unesco.org/waterquality-iiwq/wq-challenge Sources: https://www.worldometers.info/water/

Cybersecurity’s Not So Secret Diversity Problem

Happy National Cybersecurity Awareness Month! In its 17th year of existence, National Cybersecurity Awareness Month (NCSAM) is continuing to raise awareness about the importance of cybersecurity across the nation. In an age where almost every week we are being notified of breaches of digital information, NCSAM offers the opportunity to continue to educate Americans and corporations about the importance of their cybersecurity teams, their software, and the importance of securing their customer’s information online. The NCSAM’s theme this year is “Do Your Part. #BeCyberSmart” and in supporting that theme, Black Girls Hack is doing our part to highlight the impact of the lack of diversity in Cybersecurity.

While Cybersecurity has many diversity problems, none are more glaring than the lack of women, and the lack of African Americans. In 2019, the Bureau of Labor Statistics performed a survey of employed persons detailed by occupation, gender, race and ethnicity. In that survey, African Americans represented 7.6% of Information Security Analyst positions and women represented 17.1% of those roles. Similar statistics exist for all the Professional and Related Occupations including Systems Analysts, Programmers, Software Developers and Network and System Administrators to name a few. The lack of diversity in Science, Technology, Engineering and Mathematic (STEM) roles, is a direct reflection of the amount of diversity in STEM undergraduate and STEM graduate programs and in STEM programs in high school, and middle school and elementary school. *Insert infinity mirror*

More than just lacking representation, and role models, the lack of diversity in Cybersecurity has many unintended side effects such as adding bias to artificial intelligence, signature analysis and definition, and systems themselves. Malicious actors are creative and diverse in their way of thinking and to stay ahead of the game, cybersecurity professionals must be reflective of that trend and of society.

Organizations are using artificial intelligence to do everything from deciding what to watch next, to driving, to interviewing and determining the best candidate, and criminal justice. Analysis has shown that the over-representation of men in the design of artificial intelligence leads to both cultural and gender bias in the developed systems. Machine learning, which is how systems gain their “intelligence” is built off the data that it is provided with and  if that data, and the design and development of the algorithms are biased, the resulting application of the technology will perpetuate that bias (Leavy, 2015).

More advanced intrusion detection systems for example use Artificial Neural Network based Intrusion Detection Systems (IDS) to help detect attacks. These Artificial Neural Network IDS systems analyze large volumes of data and use that data to help predict attacks and learn from its mistakes (Garzia, Lombardi, & Ramalingam, 2017). Recent studies have shown that examination of facial analysis software shows an 0.8 percent error rate for light skinned men, and a 34.7% error rate for dark-skinned women (Hardesty, 2018). Three reviewed commercially released facial analysis programs from major technology companies showed both skin color/skin type and gender related biases. What that means for us, as consumers of these systems, is that these systems, having learned how to respond based on the data it was provided will have difficulty in identifying the way women make decisions, and differentiating black faces in video footage, and determining if a Black woman is a good fit for a job when it can’t accurately interpret her facial expressions.  Some companies are replacing first round interviews with AI assisted technology. Applicants are asked to use a webcam to respond to interview questions on video. The employers can then use AI to “review” the interviews to evaluate if the candidate matches in demeanor, enthusiasm, facial expressions, or word choice (Burke, 2019). Based on this evaluation the candidate is then recommended (or not) for the next round of interviews. When AI cannot properly analyze darker skin or gender based differences, and is built from data and developers with inherent biases, this serves the purpose of both eliminating diverse applicants from the hiring process, and reducing the number of diverse employees within the companies.

So why isn’t this being shouted from the mountain tops? It’s because research has shown that the people who often address gender and racial bias in Artificial Intelligence and developed software are often those affected by the bias (Leavy, 2015). Susan Leavy in her white paper on Gender Bias in Artificial Intelligence argues that by recognizing the bias, women are more likely to understand its impact and attempt to resolve it (Leavy, 2015). The problem? While women represent 47% of the occupational workforce, they represent 27% of Chief Executives, 28% of Computer and Information Systems Managers, 20% of computer programmers, 18% of software developers, and 17% of information security analysts. African Americans fare far worse representing 4% of Chief Executives, 9.6% of Computer and Information Systems Managers, 8.5% of computer programmers, 5.8% of software developers, and 16.6% of information security analysts (BLS.gov, 2020).

Cybersecurity has a diversity problem and until minority and gender discrepancies in hiring, education, and access to resources are resolved, America and its citizens will be worse off in every aspect of the industry.

BLS.gov. (2020, January 2020). Labor Force Statistics from the Current Population Survey. Retrieved from BLS.gov: https://www.bls.gov/cps/cpsaat11.htm

Burke, L. (2019, November 4). Your Interview With AI. Retrieved from insidehirered.com: https://www.insidehighered.com/news/2019/11/04/ai-assessed-job-interviewing-grows-colleges-try-prepare-students

CISA.gov. (2020, October). National Cybersecurity Awareness Month. Retrieved from CISA.gov: https://www.cisa.gov/national-cyber-security-awareness-month

Garzia, F., Lombardi, M., & Ramalingam, S. (2017). An integrated internet of everything — Genetic algorithms controller — Artificial neural networks framework for security/safety systems management and support. International Carnahan Conference on Security Technology (ICCST).

Hardesty, L. (2018, February 11). Study finds gender and skin-type bias in commercial artificial-intelligence systems. Retrieved from MIT News: https://news.mit.edu/2018/study-finds-gender-skin-type-bias-artificial-intelligence-systems-0212

Leavy, S. (2015, May 28). Gender Bias in Artificial Intelligence: The Need for Diversity and Gender Theory in Machine Learning. Retrieved from https://ame-association.fr/wp-content/uploads/2018/11/17.188_gender_bias_in_artifical_intelligence_the_need_for_diversity_and_gender_theory_in_machine_learning.pdf

World Domination Plan

As part of the What Can I Do series, I have been advocating for you to take inventory of your KSAs (Knowledge, Skills and Abilities) and tasks as they apply to your existing areas of expertise and use them to find areas within Cyber that you have existing experience. The NIST SP 800-181 framework was designed to help define the tasks and knowledge areas that are needed for the cyber security professionals in the workforce. If you’re considering doing a career change or focusing your efforts in school to get a career in Cyber, start with what you know and expand from there. The What Can I Do posts are meant to show roles in cyber security that you can take your existing KSAs to show your experience doing the work. Documenting your areas of experience are only one part of your killer interview, the other is showing areas that you have been working on that may not be demonstrated in your existing work experience. My recent inventory and my goals for world domination showed that for the types of jobs that I plan on claiming, I needed to expand my KSAs. For me, while I have experience in technology, information assurance, development, risk assessment, and project management I need to expand my experience in other areas. To game-plan those areas I developed a list of 10 things I wanted to work on to help increase my KSA. Enter the World Domination Plan (Dramatic music plays in the background). My world domination plan includes 10 areas that I want to expand my breath of knowledge and gain practical experience. Those areas (for me) are Infrastructure, Cloud Computing, Linux (refresher), Certified Ethical Hacking, Python (Scripting languages), Git, Networking, Web Development, APIs, and a Java Refresher. I set up reminders on my calendar on a rotating 10 day schedule where each day I work on one of those 10 items. My goal, is to document practical experience, a portfolio if you will, of the areas I have gained experience outside of my existing role. What does that even mean??? So today was python day 050. Today I’ve been reading my Python 3 Object-Oriented Programming pdf book on my kindle (from a past Python related Humble Bundle) and working on implementing a game I like to play in Python. I like variation in my learning platforms so I’ve got a lot of different resources I use to supplement my Python learning including Codecademy (free trial and then student discounted monthly or annual price… I caught a deal for 119 for a year), ITPro.tv, Python bootcamp on Udemy, Python ethical hacking (another humble bundle gem), and Python for networking engineers (humble bundle). I set up an account on Github and my code is available as I’m working on it. As I take on additional python projects (my next one is to come up with a program to figure out how much I spend on GrubHub a year) my Github account will show my mastery of the python language, my ability to document my code (don’t look for that on my game right now), and my ability to tie in multiple technologies (programming, Git, APIs, VisualStudio for Coding). My plan is to share with you my plan for each of my 10 areas so that you can get ideas for how you can supplement your work experience and show you have more skills than you’ve learned at your job(s).

Why Representation Matters!

One of the most frequent questions children are asked by well meaning adults is “what do you want to be when you grow up”. I wanna be like Mike when I grow up, they might say. I am going to be the next Viola Davis or Issa Rae. No, you got that, I’m going to be like Tiger. Younger kids might want to be a princess, or a ninja, a ballerina or even a doctor. But before kids have the cognitive ability to form for themselves what they want to be, they are influenced by what they see on TV, in movies, on YouTube or in the news. Prior to the age of Obama, there may not have been a lot of little black children saying, “I want to be President.” Michelle Obama had me thinking whether I wanted the smoke involved with going to law school. Doc McStuffins (albeit fictional) has inspired more than a few future doctors. It is hard to believe that you can be something where you don’t see people like you in that space. Our kids need to see Black people in the C-suite. They need to see Black engineers, and hackers and developers, and scientists and mathematicians. There are 3 black people who are CEOs of Fortune 500 companies. They are all men (Davis, 2020).When was the last time you were asked your favorite basketball player? Now how about your favorite Engineer? The Massachusetts Institute of Technology had its first Black graduate in 1892. It gave its first Civil Engineering degree in 1917 (25 years later) (Kershner, n.d.). Throughout that time the engineering discipline was dominated by white men. In 2019, Engineering occupations have only 15.7% women, and 6.8% Black. White men still represent over 77% of the engineering profession (Statistics, 2020). That is why it’s important to see Black people in Science, Technology, Engineering and Mathematics.  

Lack of Diversity in STEM fields doesn’t start with diversity training, it isn’t fixed with diversity programs, its fixed by encouraging young black (and minority) boys and GIRLS to engage in Summer STEM camps, to focus on practical applications of math besides handling finances, and to engage in robotics and computer programming and engineering at a young age. It starts in early childhood education. From 2006 to 2016 the number of Black people in undergraduate education increased from 1.82 million in 2006 to 2.11 million in 2016. For comparison, the number of White people enrolled went from 9.2 million in 2006 to 8.6 million in 2016. Of that 1.8 million Black people, 1.2 million were Black women. The number of women enrolled in engineering programs went from 65,169 in 2006 to 135,414 in 2016. For context the number of all undergraduates in engineering programs went from 379,004 in 2006 to 624,096 (NSF.gov, Undergraduate enrollment in engineering programs, by enrollment status, sex, ethnicity, race, and citizenship: 2002–16, 2020). Although women represented 56% of students enrolled in undergraduate education, they only represented 21% of students in engineering in 2016. And while Blacks represented 12% of the 2016 undergraduate enrollment, they only represented 5% of the engineering students (NSF.gov, 2020). What this says for Women and Blacks in STEM is that while they are well represented in undergraduate education, the number of women, and black women specifically in the pipeline to STEM fields is severely lacking. To begin to fix the disparities in STEM fields children need to see more women and minorities in STEM. They need to know that we have amazing men and women in cyber (Shout out to Lisa Jiggetts of Women’s Cyberjutsu and Marcus J Carey of Tribe of Hackers) and amazing Black Women in Mathematics and Data Science (Shout out to Kim Martin at Netflix).

To address the lack of diversity in STEM, we need to see more Black STEM heroes. We need to see them on the Boards of companies, and the executive suites of Fortune 500s. But most importantly when they get there, they need to use their influence and resources to reach back and create programs that expose children to STEM at an early age. Representation matters because there are those of us out here who wanted to be a hacker when we grow up and we need a face and a name for our vision boards, for our “who’s your favorite engineer” conversations and for our #goals.

Davis, D.-M. (2020, July 21). One of the only 4 Black Fortune 500 CEOs just stepped down — here are the 3 that remain. Retrieved from BusinessInsider.com: https://www.businessinsider.com/there-are-four-black-fortune-500-ceos-here-they-are-2020-2

Kershner, K. (n.d.). Famous Black Engineers Throughout History. Retrieved from howstuffworks.com: https://science.howstuffworks.com/engineering/structural/famous-black-engineers.htm

NSF.gov. (2020, September). Undergraduate enrollment at all institutions, by citizenship, ethnicity, race, sex, and enrollment status: 2006–16. Retrieved from NSF.gov: https://ncses.nsf.gov/pubs/nsf19304/data

NSF.gov. (2020, September). Undergraduate enrollment in engineering programs, by enrollment status, sex, ethnicity, race, and citizenship: 2002–16. Retrieved from NSF.gov: https://ncses.nsf.gov/pubs/nsf19304/data

Statistics, B. o. (2020, January 22). Labor Force Statistics from the Current Population Survey. Retrieved from BLS.gov: https://www.bls.gov/cps/cpsaat11.htm

Amazon Smile

BGH is now on Amazon Smile

Help A Hacker Fundraiser

BlackGirlsHack is kicking off its Help-a-Hacker Fundraiser! As a newly formed non-profit organization; waiting on our 501c3 designation, we are caught between rapid growth and reality. The reality is that we are growing much faster than we anticipated, and the squad is getting sooooo big. What that means is, we’ve got hundreds of future cybersecurity professionals who are trying to get their foot into the door of cyber. To do this, they need TRAINING, HANDS-ON SKILLS, and CERTIFICATIONS. For our future K-12 students, we are providing exposure to cybersecurity and ethical hacking as a profession. There are many financial barriers to entry for these professionals. This includes the cost of certifications, resources for a home lab (we plan to remedy this issue by implementing a BGH Cloud Labs program), and hands-on skills to help prepare qualified workers for the vast number of open cybersecurity jobs. To help fulfill our mission of increasing diversity in cybersecurity, we need YOU to help us level up. Donate now using the QR code above or on our website at blackgirlshack.org/donate.

Are Entry Level Cyber Jobs A Thing?

So this started off as a conversation within the port eight club on clubhouse. Someone asked the question about whether entry level cyber jobs really existed. Ever the contrarian, I argued that I didn’t think they did. I did a search of indeed in my area the other day for entry level cyber security jobs and saw such gems as:

  • 3-5 years experience with an OSCP (Advanced Level Cert)
  • 2-4 years experience with a CISSP (This cert requires 5 years experience mind you)

Now full disclosure, I actually found what seems to be an entry level job in the Dulles VA Area, its in the Slack #jobs Channel. More of this later…

Happy Holidays and Happy New Year

Just some programming updates:

Registration will be moving away from meetup and onto the BlackGirlsHack website. If you wish to participate in our events please register using the link in the menu bar above.

BlackGirlsHack is offering two new workshops, the New Year, New Lab and the New Year, New Lab from Scratch. The New Year, New Lab is for existing CEH Students to upgrade their home lab to add a windows machine. The New Year, New Lab from Scratch workshop is for people who do not have any sort of home lab. Both labs are done using VirtualBox with Windows, Kali, and BWA VMs. Both workshops are free and open to all. Signup is on meetup.

BlackGirlsHack is offering a Friday Night Labs training workshop which will show beginners in cybersecurity how to get hands on lab skills to supplement their learning efforts. The workshops are every Friday in January and signup is on Meetup.

BlackGirlsHack is offering a free CEH study group which will be an immersive 15 week program that will be covering the 7 domains of the CEH Ethical Hacking Exam currently at version 10. We will be using the Shawn Walker All In 1 and Ric Messier CEHv10 Study Guide books. This study group is offered on Tuesday evenings from 7-10 pm. Signup is on Meetup for the current cohort. The next cohort will start March 30, 2021 and signup is available to registered users.

BlackGirlsHack is offering a free Security+ study group which is a 7 week offering that covers the Security+ 501 exam. The study group is offered on Saturday Mornings from 10-12am. Signup is on Meetup for the current cohort. The next cohort will start February 6, 2021 and signup is available to registered users.

CEH Study Group with Code Switch Crew

Black Girls Hack is offering a free CEH study group which will be an immersive 15 week program that will be covering the 7 domains of the CEH Ethical Hacking Exam currently at version 10. We will be using the Shawn Walker All In 1 and RicMessier CEHv10 Study Guide books. Week 1 will be covering the following:

Network and Communication Technologies

  • Networking technologies (e.g., hardware, infrastructure)
  • Web technologies (e.g., web 2.0, skype)
  • Systems technologies
  • Communication protocols
  • Telecommunication technologies
  • Mobile technologies (e.g., smartphones)
  • Wireless terminologies
  • Cloud computing Cloud deployment models

Sign up for the study group is on meetup.com search for Black Girls Hack group or find the link at linktr.ee/tennisha

National Cyber League Experience

I did my first National Cyber League, which also happened to be my first real Capture the Flag (CTF) type event and I learned a lot from the experience so I thought i’d share. First, before you get started with any CTF type event it is important that you set up your attack machine or VM and install all the tools that you might need. There was definitely a difference between the tools I thought I might need and the tools I needed. Let me explain. NCL told us off the break that the categories for the capture the flag were as follows:

Cryptography
Password Cracking
Log Analysis
Network Traffic Analysis
Forensics
Web Application Exploitation
Scanning
Enumeration and Exploitation

What I appreciated about this they tie the skills back to the NIST NICE framework by letting you know the value that the skills you are exhibiting and how it ties back to NICE cybersecurity workforce skills (Have you checked out the What Can I Do Series? on our blog). Even knowing the categories that the challenges were in did not prepare you for the challenges. For example, there were tools that I didn’t have downloaded on my machine which I found valuable for the competition. For example, DIIT (Digital Invisible Ink Toolkit) was invaluable to me for the Steganography related challenges. This is a good tool to have to solve those types of challenges. There are other tools that are native to Kali such as OpenStego, but it turned out that this tool didn’t work for the images I was provided. For other challenges while I had the available tools, I wasn’t familiar with how to use them. This was the case for john the ripper. John is a common password cracking tool which is great if you’re handing it a password or two to crack and a list. It is less great when you’re told that the password has a specific format and its long enough that brute forcing it and trying to hit all the combinations will not serve you any good. Another lesson learned from the experience is to use various browsers. For one of the challenges the answer was in the html code and was updated each time the page was refreshed. You could only see the information in specific browsers though so its good to have a backup handy. This is also the case for search engines. While I call myself relatively skilled in the art of google-fu, my yandex, my bing, my yahoo fu-s need work. I don’t use the other ones but google doesn’t always have the answer. Another lesson learned i’d give to anyone who is trying their hand at this type of event is “sometimes the answer is right in front of you” and “don’t overthink it.” We were provided a picture in one of the challenges and asked for some information and while I approached the problem by looking at meta-data and gps data and all the data, the solution to the problem was just found in looking at the picture. Another challenge involving a picture I did the same thing. In the challenge they gave you a screen shot of a twitter feed and the key, the key was in the comments on twitter. Me though? your girl looked at all the data, zoomed in, scanned the picture with a QR reader and everything. I went to the twitter page to get the og picture because the screenshot wouldn’t have metadata. The flag was comments on the twitter page.

Random file names check! NCL was full of surprises. They had a BSON file that had data in it. It was a database dump. Don’t know what BSON is… Neither did I. Crash course on mongodb on a Saturday night… why not? When I tell yall that I had like 100 browsers open across 2 different computers and 4 different VMS…. and of course no one has all the information on one page. Install the software, restore the database, read the database… I know SQL… TOO BAD it doesn’t use sql. learn how to query, count records, look for information. UGHHHHH. If you see me in these cyber streets with bald spots, you know what happened.

I also ended up needed random tools and programs for example a PDF cracker tool and tool that allows you to map gps coordinates and radii on a map to determine the location of a obscure airfield. I might have been amused if I wasn’t sick and stressed out and severely lacking on TIME.

Preseason lasted a week and the Individual competition lasted for 72 hours. For the preseason portion of the competition I found that you were given plenty of time. For the Individual competition I found there were not enough hours in the day. I was sick for most of the competition and my backup computer decided mid challenge to throw a temper tantrum and restart mid keystroke. MID TYPING. NO WARNING. (talk about big mad)

But i’ll tell you what, NCL was a great experience and I decided that once my papers go through for my nonprofit that i’ll be sponsoring a team. Be on the look out for the BlackGirlsHack Team in the team competition in early November but hopefully you’ll see us around for years to come. See y’all in these cyber streets

Red or Blue… or Maybe Purple

While security conferences typically host capture the flag competitions where you are tasks with completing a set of tasks in order to find hidden treasures or flags within their systems, traditional businesses model their security with colored teams where each team is responsible for a certain aspect of the organization’s security. Blue Teams for example are white hat defenders; they are the people who work for the company and is responsible for defending the organization’s assets. While Intrusion Detection systems are typically responsible for identifying attacks on an organization’s assets, it is the Blue team that takes actionable steps to mitigate the attack and prevent further damage. To help ensure that the Blue team stays ready, many companies also employ the services of a Red Team. Red teams are independent groups that determine the effectiveness of an organization’s security by assuming the role of the attacker. They use the same tools and techniques as hackers and are considered ethical hackers. With the organization’s permission, Red teams spend several weeks to months performing security testing with specific objectives and reporting on any issues or findings with the Blue team. Red teams are often mistaken for Penetration testers whose job it is to provide a security assessment of an organizations network and report on flaws or vulnerabilities. Penetration testers, red teams, and blue teams all are trained like adversarial attackers but are provided permission and do so within the scope of their duties.