Last month Ardillo and I were invited to present a hacking workshop for non-hackers. The group, called Instituut voor Informatierecht (IViR), is affiliated with the Faculty of Law of the University of Amsterdam and included a large number of legal advisors, professors and students. About 30 people attended our workshop, which we compiled especially for this group.
Our agenda contained a few main subjects and demos:
How secure is your workstation, what's the value of a password, and how can you bypass these mechanisms? We showed the group how easy it is to find passwords, to crack them if they are not strong enough, how you can overwrite the password, and also how to disable the password mechanism using a DMA (Direct Memory Access) attack.
Everybody is using wireless hotspots nowadays. Do you remember the "FREEPUBLICWIFI" IDs in the air when you were drinking your cup of coffee at a Starbucks lookalike?
But what can go wrong, and how can you attack these systems? Well, thanks to our man in the middle (Ardillo), it became quite clear that it's easier than you thought.
Breaking alarm systems
To bridge the gap between software and hardware, and to make security more "touchable", we decided to explain how wireless alarms can be hacked, bypassed and disarmed.
One of the attendees was even using the same system we used for this demo; he was quite convinced the alarm system wasn't delivering what he paid for.
After all these demos it was time to DIY: the 30 attendees joined our Arduino workshop in pairs. In 1 hour everybody was able to program their own microcontroller and play around with LEDs :-)
Some even had time to build a "Knight Rider"! :-)
This workshop was of course organized for IViR to make security and hacking more touchable; at the same time, it was great for me and Ardillo to see how a totally new audience responded to the technical subjects we presented.
A few of our major conclusions:
* The attendees were more technically skilled than average; we even had people working with Ubuntu, "if then else" functions and PGP :-)
* For Arduino: Windows and serial ports are still crap :p
* We had a lot of questions along the lines of "and how do you solve this issue?"; we even started on an idea to create easy VPN solutions. We (the techies) are still not able to create a user-friendly solution, and we should (more to come ;-))
* On the wireless communication part we had somebody asking about security on medical support systems, like pacemakers, insulin pumps, etc. It might be worth investigating this, although we didn't come to an ethical solution for what to do if we find a #zeroday.
The overall conclusion:
It was well worth doing these workshops with a variety of groups; we (the techies) can learn a lot from other people, and that's why we are going to search for a wider audience for this type of presentation/workshop. It will increase awareness, give people the chance to understand tech and, last but not least, give us the chance to understand what is important to a wider audience.
Our focus for now is on:
- NG (Next Generation) hackers: kids of various ages; we should invest more time and energy in our future
- Teachers: to see how the NG hackers are getting their current skills; where can we (the techies) help?
- Other academics, like doctors, etc., to detect more vulnerabilities in our everyday lives
- CEOs: to see how aware people at the higher levels of companies are
- Politicians: if we want to rule the world, we should at least be able to understand politics.
We would like to thank IViR for working together with us, it was a pleasure!
kthxbye, Fish_ & Ardillo
- The slides of the day
- Cold boot attack explained
- Man in the Middle