Security High School held a competition during 14 hours of very interesting security tests and challenges. Everyone could participate, but in order to receive the award you had to be present during the closing of the competition in the John XXIII Auditorium, where all the conferences and papers were held.
The organization made available to participants a reserved area to work and participate with laptops, offering a large number of plugs. In that area there was an air of competition, a desire to learn and a latent emotion that exploded with loud voices when something worked well.
In this post, we’re going to explain a little about what these tests are about and how interesting the world of security can be. Many participants returned to the web after the challenge to continue solving what they lacked and there was a large percentage of participation.
Cryptography
- It is the art of concealing information by encryption or encoding so that an unauthorized recipient cannot read the information.
- The information can be hidden by a series of patterns, such as exchanging each x positions or having a keyword that changes the letters of the alphabet of order.
- On the Internet, we use cryptography when we use our public-private key.
- We can encrypt information with the public key of the recipient and he, and only he, can read the content of the message because you need the private key to be able to read the information.
The tests for these challenges consisted of a series of encodings and decodings such as Unicode, Base64 or even the pokémon Unown, known for their physiological form in the form of letters.
There was also information hidden in images with certain characteristics, such as the reflection of letters that were inverted in a mirror or the reflection of water that the waves modified certain patterns.
Steganography
Steganography is the study and application of different methods to hide information within other information and give it more security. It seems strange, but I’ll give you an example. Imagine hiding a pin in a bird’s nest and then putting that nest in a tree full of nests.
In the tests, we can see clearer examples of how steganography hides information. They hid hidden messages in simple PDF files depending on the form of the text or in the metadata.
We could also see them hiding text files inside music files, where specific programs were needed to get the hidden information. And we would even have to use image editing programs to see if an image had been modified and a key had been hidden.
Exploiting
Exploiting consists of taking advantage of certain vulnerabilities of a system or resource in order to obtain information or to be able to use it for your own benefit.
This method can be from the same system, remotely over the Internet or through third party applications such as the Flash player or browsers that we strongly recommend are updated to the latest version.
This challenge was one of the most endured on the day of the competition, but there are already people who have solved it outside the deadline. The challenge was to download an executable file for the Windows environment and “run it to see if the user was lucky” to get the key to solve the challenge.
Now it was only necessary to begin to study that executable and obtain the key, that is to say, to exploit the vulnerabilities that the program may have to obtain the information.
Forensic Analysis
In computing, we also have thorough analysis of information or systems that have been exposed to an attack or infected with malware.
In this part, the challenge consisted of analyzing a capture of an area of the RAM memory of a computer where a photo had to be recovered. To do this, several tools had to be used to read and execute the RAM information.
One of the speakers, gave a talk on how to forensically analyze a RAM memory area. The one who was there was able to see live how the analysis could be carried out and, thus, be able to use what was learned in solving this challenge.
OSINT
Open-source intelligence (OSINT) is the collection of publicly available data to be used for or against the objective. The Internet is riddled with information that we have not published, but it is publicly accessible. Business registers, Catrasto registers, delinquent information, BOE publication… can be found everywhere on the internet.
The test consists of looking for the owner of the plot that is shown in a link to Google Maps. To do this, it consists of locating and collecting all available information about what you can see thanks to Google Street View and, from that point, use all Internet search engines to find the necessary information.