A Hands-on Guide to CTFs for the Uninitiated

void* vikings, Portland State University’s CTF team

CTFs are beloved by industry as an entry point into the security profession. However, they can be confusing and overwhelming for people new to the game style and the security field at large. We’ll cover background on CTFs, game styles, common pitfalls for new players, best practices, and some strategies to get the most out of CTFs. Then, the audience will vote for examples to work through live with the team. We’ll do as many as time and interest permits. All you need is your computer and a willingness to learn, although a browser and a terminal will be helpful. :)

The void vikings are the CTF team of Portland State University, located in downtown Portland. Our mission is to promote security culture, ethics research, ongoing education, and development of safer code through playing in Capture the Flag competitions. The 2020-21 officers are Robin Su, Allison Marie Naaktgeboren, and Evan Johnson.*

All About dumping SPI Flash

Joe FitzPatrick

The chips that hold BIOS/UEFI on your pc are the same chips that hold firmware for all sorts of embedded systems and are found all over the place.

Regardless of where they’re found or who manufactured them, they’re generally pretty similar, and almost always hold something important. I’ll walk through and demonstrate the process of finding, connecting to, and dumping SPI flash chips in a number of different systems with a handful of different tools. I’ll explain a few of the common gotchas you might encounter, and have time for Q&A about the trade-offs of different techniques.

Joe FitzPatrick (@securelyfitz) is an Instructor and Researcher at SecuringHardware.com. Joe has worked on low-level silicon debug, security validation, and penetration testing of CPUS, SOCs, and microcontrollers. He has spent the past decade developing and leading hardware security-related training, instructing hundreds of security researchers, pen-testers, hardware validators worldwide. When not teaching classes on applied physical attacks, Joe is busy developing new course content or working on contributions to the NSA Playset and other misdirected hardware projects, which he regularly presents at all sorts of fun conferences.

Python Web Hackin’

Wu-chang Feng

Python programming and web penetration testing are two important skills for security practitioners to develop. So why not develop both at the same time? In this walkthrough, we will do just that by showing how to solve the myriad of labs of PortSwigger’s Web Security Academy (https://portswigger.net/web-security) with Python programs.

Wu-chang is a Professor of Computer Science at Portland State University where he works on developing labs and CTFs for teaching security.

Never trust, Always verify : Getting to Zero Trust with Azure Active Directory

Swetha Rai and Corissa Koopmans

So, you have been asked to implement the Zero Trust model for your organization. What does that mean?  Where do you begin?

The traditional security approach focused on the corporate perimeter is no longer sufficient to defend against today’s emerging threat patterns.

Join us for a session where you will learn ideal deployments and configurations to support your Zero Trust model using Azure Active Directory. We will cover enabling strong authentication, points of integration for device security, and user-centric policies to guarantee lease-privilege access.  

You will learn: 

  • Why identity is the control plane
  • How to secure your identity infrastructure
  • How to implement your Zero Trust model using Conditional Access, Intune and other Microsoft products

Swetha Rai is a Program Manager on the Get-To-Production(GTP) team in Microsoft Identity Engineering. In her role, she engages with large and complex enterprise customers to help them drive their deployments of Azure Active Directory. She has a background in software development and services. She has spoken at various industry events including Defcon Blue Team Village and Techmentor. Some of her videos on Identity Architecture can be found at aka.ms/identity-arch-videos

Corissa Koopmans (@Corissalea) is part of the ““Get to Production”” team in the Microsoft Identity Division, focusing on customer experience, open identity solutions, and improving the product based on customer feedback. She has a background in International Management and Data Analytics and has presented at the Microsoft MVP Summit, BSides Charlotte, and Tec2020. Corissa is also responsible for driving the Identity Architecture video series which can be found on YouTube at aka.ms/identity-arch-videos.