LuSec

I am back to Luleå after summer holidays with some fresh new ideas. I am happy to know that now we have a lot more on-campus students that study information security!

Next week (17th of September) we are organizing a social gathering with all the new students. Just an informal meeting to get to know each other, speak about the plans for the year, upcoming events and various opportunities. Hopefully there will be also some snacks organized. More info coming later this week.

In the near future I will also post information about the LuSec briefings – the informal meeting to share the news and exchange ideas about the security in general. Last year we had these meetings every month and it was very interesting to hear the presentations on various topics, so do not miss the opportunity this year

Stay tuned!

I officially announce summer holidays for LuSec No news, no meetings, no nothing. Have a rest, enjoy the lovely weather, go to the events, update your knowledge, and sometimes keep an eye on our group blog for some security thoughts. See next year!

Hello everyone!

Next meeting will be on the Friday 15th at 15:00. The place is probably the same, room A405 (last time I confused with 406). More details at the beginning of the next week. Presentations from the last time are available here and here, but keep in mind that information in the slides is minimal as we discuss a lot and do demos.

Some positive news: LuSec is a step closer to becoming official organization! I am happy to announce that the university put the link and description of LuSec to the “Information Security” programme page. Congratulations to everyone involved!

UPDATE: room changed to A3101

Slides can be downloaded here.

It took me some weeks except some days to create the last video. I had some problems with compressing the video and editing it. But now everything is uploaded.

Few words about the “LuSec Briefings”. As I said earlier, it is unofficial meeting with short presentations (20-25 minutes talk + 10 minutes discussions) on any IT related topic. It will happen in ~3 weeks, no certain date so far. If you are willing to give a talk, drop me a line to alius@ludd.ltu.se. More details will come up next week.

Hey there!

For those of you, who are still visiting sometimes this page there’s a bunch of interesting news. First of all, in a few days I will upload the video from the last presentation. It’s a time-consuming process, that’s why it takes me quite a lot of time to do.

The next LuSec is planned for the next year, however if I stay in Sweden until June (which will be clear next week), then at the end of April “LuSec Briefings” are scheduled. It is an unofficial meeting with small presentations (20-25 minutes + 10 minutes discussion). So far there are 3 presenters already. Not sure about the webcast, but all the slides and probably also audio will be later available. More information comes at the beginning of April. So stay tuned

Presentation by Neil Costigan about public key cryptography

Slides can be downloaded here

Presentation by Artjom Vassilljev about insecure configuration of PBXs

Slides can be downloaded here

Presentation by John Lindström about challenges in creating security policies.

Slides can be downloaded here

If you have any feedback, comments, proposals, please drop me a line to alius@ludd.ltu.se! I am not yet sure, but hopefully LuSec will be also next year, and bigger, better and more interesting!

Artjom

I guess, some of you are curios to get the solutions for the competitions? Then read below.

The binary code on the poster read the following: “Hello, Dave… I know everything hasn’t been quite right with me, but I can assure you now, very confidently, that it’s going to be all right again. I feel much better now. I really do. I really do. I really do. I really… #@&*$^!%{#* …I am completely operational, and all my circuits are functioning perfectly. …it’s going to be”. Anders was the only one to decrypt this hard text! Congratulations to him!

What was bad about the dummy network configuration? Actually, everything was bad. Here are the things, that you could report:
* The wireless network was open, which itself is a big security risk for the company
* FreeBSD 5.5
* The password for root was “happiness”, the same on both servers and on the WiFi router
* Both servers had test account, which had the password “test”
* One of the machines had “finger” service enabled
* Both machines had several accounts on them with passwords from Top 500 worst passwords list
* In the home directory of the test account on one of the servers there was a compiled program with SUID bit enabled, which had several buffer overflow bugs, which could be exploited to get the root access. Additionally, there was a source code in the same directory to ease the finding of bugs
* Old version of thttpd server with a lot of security vulnerabilities
* Netutils scripts running on one of the servers
* Outdated Apache server, which has security vulnerabilities
* PHP4, which has numerous security vulnerabilities
* PHP allow_url_fopen and register_globals was on
* MySQL root password is “happiness”
* FTP allows root to login
* Outdated version of Wordpress with security vulnerabilities
* Outdated version of Coppermine photo gallery with security vulnerabilities
* Disabled e-mail verification in the Coppermine photo gallery
* Not enabled firewalls on both of the servers
* Disabled security settings on both servers, which limit the amount of packets per second, that kernel receives
* Predictable path for PHPMyAdmin (http://server/pma)
* Old version of PHPMyAdmin

Congratulations to Jonas and Andreas, who won this competition!