BlackGirlsHack partners with US Cyber Games!

BlackGirlsHack Foundation (BGH) is excited to announce its partnership with the US Cyber Games.

The US Cyber Games was founded by Katzcy, in cooperation with the National Initiative for Cybersecurity Education (NICE) program at the National Institute of Standards and Technology (NIST). The Season I program ran from April to October 2021 and consisted of the US Cyber Open, the US Cyber Combine Invitational, and the selection of the first-ever US Cyber Team™ to represent the United States at the International Cybersecurity Challenge (ICC) to be held in Athens, Greece June 14-17, 2022.

ARE YOU READY?US CYBER OPEN CAPTURE THE FLAG (CTF) CHALLENGE | JULY 1-10, 2022
REGISTER TODAY!
Do you like analyzing different attack methodologies and covertly discovering and collecting information about a system?Have you ever wanted to decrypt objects that are locked away from prying eyes with up-to-date cryptological processes?Do you like to nitpick at tiny details in recovery data batches and try to get to the bottom of what happened?Now’s your chance.Register to Play in the US Cyber Open CTF Challenge. ALL SKILL LEVELS | ALL AGESFREE to PLAY | NO TEAMS NEEDEDLearning and having fun is key— but so is capturing that flag for the WIN and receiving great prizes!
REGISTER TODAY!
If you think you’ve got what it takes, and want to test your metal, request an invitation to the US Cyber Combine Invitational – you may just earn a seat on the Season II US Cyber Team. Restrictions do apply.

https://www.uscybergames.com/us-cyber-team

RangeForce Renews Support of BlackGirlsHack

BlackGirlsHack Foundation (BGH) is excited to announce that RangeForce has renewed their support of the BlackGirlsHack Foundation. In February 2021, BGH announced its first corporate partnership with the web-based battle skills platform RangeForce. At the time the company provided a subset of their web-delivered training platform to a number of users. Over time, as those licenses were in short supply, they became a perk for paid BGHF members. Since then, as both RangeForce and BlackGirlsHack have continued to grow, so has the demand for cybersecurity training for blue/purple/red/yellow team based training. It is for this reason that we’re proud to announce that RangeForce has not only provided access to all of the modules, but they’ve made them available for the entire squad!

BlackGirlsHack partners with Black Hat USA 2022

BlackGirlsHack Foundation (BGH) is excited to announce its partnership with Black Hat USA 2022. Black Hat USA 2022 has provided BGH with 25 Briefing Pass for scholarship awards to the BGH squad. Founded in 1997, Black Hat USA 2022 is an internationally recognized cybersecurity event that provides industry leading technical and relevant information security research. Part of the Hacker Summer Camp, Black Hat USA 2022 provides an opportunity for the squad to be abele to network, learn and gain valuable exposure and information.

The Black Hat Briefings were created 25 years ago to provide computer security professionals a place to learn the very latest in information security risks, research, and trends. Presented by the brightest in the industry, the Briefings cover everything from critical information infrastructure to widely used enterprise computer systems to the latest InfoSec research and development and everything in between. The Briefings are vendor-neutral, allowing the presenters to speak candidly about real problems and potential solutions across both the public and private sectors.

The Black Hat USA 2022 Briefing Scholarship will be offered to the winners of the Bring a Hacker to Summer Camp Raffle and Leadership team who we’re raising funds to bring to the conference in Las Vegas August 10-15. Check out black hat 22 here and donate to the Bring a Hacker to Summer Camp fundraiser here.

BlackGirlsHack partners with HyperQube to launch BGH Cloud Labs

BlackGirlsHack (BGH) is excited to announce its partnership with HyperQube.io to roll out our BGH Cloud Labs training program. BGH Cloud Labs is the brainchild of BGH’s Executive Director Tennisha Martin. It was envisioned as a way to provide Ethical Hacking (Red Team) and Security Operations (Blue Team) training in the cloud for people who did not have the physical resources or computing required necessary to do them on their home computers. When BlackGirlsHack started, Tennisha began teaching home lab workshops to show future cyber pros how they can build a home lab on their computers and be able to practice everything from network penetration testing, web application penetration testing, web application security testing and red and blue team skills. Many of those participants were not able to continue with the workshops after it became clear that their home laptops and computers did not have enough memory or ram available to support a virtual lab environments. From this, the idea of BGH Cloud Labs was born to provide a cloud-based laboratory environment that would allow anyone with an internet connection to be able to hone and grow their ethical hacking skills without the need for computer or laboratory upgrades. From there Tennisha began working with the BGH team to research affordable cloud based solutions that would allow us to be able host hands on lab workshops that would provide an interactive environment for people to learn. HyperQube’s CEO Craig Stevenson dropped into one of these Friday Night Labs sessions and reached out to the instructor about ethical hacking lab training re-envisioned. After seeing the HyperQube cyber range Tennisha knew that this would be the perfect platform to bring the BGH Cloud Labs project to life. BGH Cloud Labs powered by HyperQube is being unveiled at Friday Night Labs on Friday April 29, 2022. Join us at meetup.com/blackgirlshack

BlackGirlsHack partners with NowSecure

BlackGirlsHack is excited to announce our partnership with NowSecure, a leader in the mobile application security space. BlackGirlsHack’s founder and Executive Director Tennisha Martin was asked to speak to one of NowSecure’s employee resource groups a few months ago and talked to them about the importance of taking real action to increase diversity in cybersecurity. That action, could look like many things, but it was important that it was actually an action and not a discussion. NowSecure’s CEO Alan Snyder immediately took up the call to action and offered to donate mobile penetration testing training and vouchers for certification to the BlackGirlsHack squad. They also took the unprecedented step of not just providing a set number of licenses but making it available for everyone. BlackGirlsHack members started receiving their NowSecure Academy welcome messages and getting started on their training last week. Check out NowSecure and how they’re helping to secure the mobile space.

BlackGirlsHack partners with INE

INExBGH Logo

BlackGirlsHack is excited to partner with INE to bring premium training and discounted vouchers to the squad. INE stands out amongst other ethical hacking certification bodies as it provides hands-on labs and free training for its entry-level junior penetration testing (eJPT) certification. We can’t wait to start flooding the job market with certified penetration testers, and we are excited to see the impact to the greater IT community as the eJPT and Certified Professional Penetration Tester certifications become a leader in the hands-on certified penetration tester space. Find out more about BlackGirlsHack and INE’s partnership to help increase diversity in cybersecurity here and here.

Budget Hacking by BGH

Budget Hacking

As a nonprofit that interfaces with a lot of people who are trying to obtain jobs in cybersecurity, I can tell you having done a gap analysis as a black woman in cybersecurity, that the financial barriers to entry into ethical hacking are high. We are in the middle of a pandemic and people are trying to take care of their family and don’t need the worry of an 1200 EC Council Exam, a 360 Comptia exam, or an over 8000 Sans exams. Those certs are all worth something in the industry but they’re not worth anything to you if they are outside of your reach. To help address this financial barrier to ethical hacking I’m going to discuss some ways that you can be able to practice real-world hands on skills free or low cost.

Setting up a Home Lab

Setting up a home lab in virtualbox or vmware can provide an easy environment within your computer to practice hands on skills. With a computer with access to a computer, you can set up a home lab that has a minimum of two virtual machines (VMs) One VM, Kali or Parrot, and one VM to be the victim machine called broken web app. All of the tools discussed here, virtualbox, vmware, kali, parrot, and the vms themselves are all free. They are also a one stop shop for learning authentication, authorization, network penetration testing, ethical hacking, scanning and enumeration, exploiting and privilege escalation and more. There is even a running webserver that is available on the victim VM that will allow you to practice your web hacking activities and learn how to spot and exploit things like the OWASP Top 10. As you can see, setting up a home lab give you a wide range of both red and blue team activities that you can perform to be able to practice your skills. The best part of this is that you don’t need access to the internet once your network is set up and you would not have to work about any legal repercussions from the practice of ethical Hacking. BlackGirlsHack has a new year, new lab workshop that walks you through how to set up a home lab so that you can practice these skills. There is also a New Year, New Lab Part Deux and Part Tree that show you other useful things you can do without spending any money. And once you level up your skills in penetration testing and web application penetration testing you can get intentionally vulnerable vms from vulnhub that will give you other types of boxes to “break into” such as windows and other flavors of Linux.

TryHackMe

No discussion on budget hacking would be complete without tryhackme. Tryhackme has a free tier of programs and a paid tier (10/mo) you can definitely do all types of rooms for free. What you will find in Tryhack me is rooms that are set up to teach a very specific subject. For example, you might go into the nmap room to learn how to use nmap, or into the wireshark room to learn how to use that. Tryhackme is a cloud based cyber training program that is available for free  for many types of rooms, and boxes. TryHackMe is a beginners level application although they do have some rooms that are more advanced.

Rangeforce

Rangeforce is an interactive and hands on team cyber readiness platform. They specialize in blue team things although they do have purple, yellow and some red team training. They are a cloud based cyber training platform that has a free community edition or if you’re a member of BlackGirlsHack, we have their higher content free through our BlackGirlsHackxRangeforce partnership.

Hack The Box

Hack the box is an online cybersecurity training platform that allows people to practice their ethical hacking skills breaking into boxes that they have staged which cover a wide variety of hosts. Hack the Box is probably more for mid to advanced level people as they do not provide step by step guidance line tryhackme and Rangeforce does. They have a wide range of boxes available for free but they also have a paid offering.

Portswigger Academy

Portswigger Academy aka Web Security Academin is a free online training center for web application security. It includes content related to the OWASP Top 10 and uses Burp Suite, a real world tool that is used for web application penetration testing. It is free and often neglected but if you are a future ethical hacker, penetration tester, or web security professional, this needs to be your new goto site.

Over the Wire

Over the Wire is a set of cyber wargames that are offered for free that provide you with a wide variety of skills. The over the wire Bandit series is a primer in Linux and is set up in a gamified way so that you have to hack your way to the highest levels. They also have other wargames including Natas which teaches the basis of web security, and Leviathan and Narnia are some of the other wargames that are general cyber skills, common sense and basic exploitation. You don’t need a lot to join this games and they’re lots of fun.

CEH Study Group with Code Switch Crew

Black Girls Hack is offering a free CEH study group which will be an immersive 15 week program that will be covering the 7 domains of the CEH Ethical Hacking Exam currently at version 10. We will be using the Shawn Walker All In 1 and RicMessier CEHv10 Study Guide books. Week 1 will be covering the following:

Network and Communication Technologies

  • Networking technologies (e.g., hardware, infrastructure)
  • Web technologies (e.g., web 2.0, skype)
  • Systems technologies
  • Communication protocols
  • Telecommunication technologies
  • Mobile technologies (e.g., smartphones)
  • Wireless terminologies
  • Cloud computing Cloud deployment models

Sign up for the study group is on meetup.com search for Black Girls Hack group or find the link at linktr.ee/tennisha

National Cyber League Experience

I did my first National Cyber League, which also happened to be my first real Capture the Flag (CTF) type event and I learned a lot from the experience so I thought i’d share. First, before you get started with any CTF type event it is important that you set up your attack machine or VM and install all the tools that you might need. There was definitely a difference between the tools I thought I might need and the tools I needed. Let me explain. NCL told us off the break that the categories for the capture the flag were as follows:

Cryptography
Password Cracking
Log Analysis
Network Traffic Analysis
Forensics
Web Application Exploitation
Scanning
Enumeration and Exploitation

What I appreciated about this they tie the skills back to the NIST NICE framework by letting you know the value that the skills you are exhibiting and how it ties back to NICE cybersecurity workforce skills (Have you checked out the What Can I Do Series? on our blog). Even knowing the categories that the challenges were in did not prepare you for the challenges. For example, there were tools that I didn’t have downloaded on my machine which I found valuable for the competition. For example, DIIT (Digital Invisible Ink Toolkit) was invaluable to me for the Steganography related challenges. This is a good tool to have to solve those types of challenges. There are other tools that are native to Kali such as OpenStego, but it turned out that this tool didn’t work for the images I was provided. For other challenges while I had the available tools, I wasn’t familiar with how to use them. This was the case for john the ripper. John is a common password cracking tool which is great if you’re handing it a password or two to crack and a list. It is less great when you’re told that the password has a specific format and its long enough that brute forcing it and trying to hit all the combinations will not serve you any good. Another lesson learned from the experience is to use various browsers. For one of the challenges the answer was in the html code and was updated each time the page was refreshed. You could only see the information in specific browsers though so its good to have a backup handy. This is also the case for search engines. While I call myself relatively skilled in the art of google-fu, my yandex, my bing, my yahoo fu-s need work. I don’t use the other ones but google doesn’t always have the answer. Another lesson learned i’d give to anyone who is trying their hand at this type of event is “sometimes the answer is right in front of you” and “don’t overthink it.” We were provided a picture in one of the challenges and asked for some information and while I approached the problem by looking at meta-data and gps data and all the data, the solution to the problem was just found in looking at the picture. Another challenge involving a picture I did the same thing. In the challenge they gave you a screen shot of a twitter feed and the key, the key was in the comments on twitter. Me though? your girl looked at all the data, zoomed in, scanned the picture with a QR reader and everything. I went to the twitter page to get the og picture because the screenshot wouldn’t have metadata. The flag was comments on the twitter page.

Random file names check! NCL was full of surprises. They had a BSON file that had data in it. It was a database dump. Don’t know what BSON is… Neither did I. Crash course on mongodb on a Saturday night… why not? When I tell yall that I had like 100 browsers open across 2 different computers and 4 different VMS…. and of course no one has all the information on one page. Install the software, restore the database, read the database… I know SQL… TOO BAD it doesn’t use sql. learn how to query, count records, look for information. UGHHHHH. If you see me in these cyber streets with bald spots, you know what happened.

I also ended up needed random tools and programs for example a PDF cracker tool and tool that allows you to map gps coordinates and radii on a map to determine the location of a obscure airfield. I might have been amused if I wasn’t sick and stressed out and severely lacking on TIME.

Preseason lasted a week and the Individual competition lasted for 72 hours. For the preseason portion of the competition I found that you were given plenty of time. For the Individual competition I found there were not enough hours in the day. I was sick for most of the competition and my backup computer decided mid challenge to throw a temper tantrum and restart mid keystroke. MID TYPING. NO WARNING. (talk about big mad)

But i’ll tell you what, NCL was a great experience and I decided that once my papers go through for my nonprofit that i’ll be sponsoring a team. Be on the look out for the BlackGirlsHack Team in the team competition in early November but hopefully you’ll see us around for years to come. See y’all in these cyber streets

Red or Blue… or Maybe Purple

While security conferences typically host capture the flag competitions where you are tasks with completing a set of tasks in order to find hidden treasures or flags within their systems, traditional businesses model their security with colored teams where each team is responsible for a certain aspect of the organization’s security. Blue Teams for example are white hat defenders; they are the people who work for the company and is responsible for defending the organization’s assets. While Intrusion Detection systems are typically responsible for identifying attacks on an organization’s assets, it is the Blue team that takes actionable steps to mitigate the attack and prevent further damage. To help ensure that the Blue team stays ready, many companies also employ the services of a Red Team. Red teams are independent groups that determine the effectiveness of an organization’s security by assuming the role of the attacker. They use the same tools and techniques as hackers and are considered ethical hackers. With the organization’s permission, Red teams spend several weeks to months performing security testing with specific objectives and reporting on any issues or findings with the Blue team. Red teams are often mistaken for Penetration testers whose job it is to provide a security assessment of an organizations network and report on flaws or vulnerabilities. Penetration testers, red teams, and blue teams all are trained like adversarial attackers but are provided permission and do so within the scope of their duties.