Jennifer Yonemitsu, Synack, sat down with the winners of BSides SF Capture the Flag for a Q&A session…
Have you entered in other CTF competitions and if so, what do you like about CTF competitions? Do you have a favorite?
I’ve been playing CTFs on and off for two years now. I like the variety of challenges, the relevance to new/hot issues (e.g. a shellshock-based challenge the same weekend it was announced), and think it’s good practice for skills relevant to my job.
What did you enjoy most about the CTF at BSidesSF? What do you think attributed to your team’s success?
We were lucky enough to have more than ten people putting in time, a good division of labour, and the dedication to put time in. I barely had time to see any of the talks, as I spent 8+ hours a day on CTF challenges.It was down to the wire to pull into second place, so I definitely think the time put in was a huge factor. The CTF had some creative challenges, and the location-specific challenges were a nice touch.
Where did you/do you learn about CTFs, and hacking techniques?
Since OpenToAll is a pretty established team now we have a Slack channel where there’s always ongoing discussion. That keeps it on the mind. We share links about news in the industry, and plus there are often more than one CTF a week, so it’s not hard to just start hacking when you feel like it. In addition to actual CTFs there are a huge number of resources and ‘wargames’ that offer just about unlimited resources to learn from. We have channels dedicated to working through these challenges.
Are there other types of security focused challenges/projects you like or work on?
I prefer to focus on reverse engineering and binary exploitation challenges. I also enjoy programming challenges on occasion, since my background is in software development I feel I can always contribute at least a little bit there.
Do you have an all-time favorite target and why? Was it a successful outcome for you?
I’d say that some of the funnest were challenges on a non-standard system. Maybe a weird CPU, non standard libraries, or something else that takes it out of ‘yet another memory corruption on linux x86’. For some reason I find them a lot better if I manage to solve them.
Do you have a specialty (web, iot, mobile, etc.) and what about it do you like?
I’ve always been interested in low-level development. That lends well to memory corruption and binary reverse engineering. I have no interest or patience for web challenges.
Anything else you’d like to share with us about you as a researcher and/or your team?
Our team is called ‘OpenToAll’ for a reason. We welcome just about anyone to join our team.
Would you classify yourself and/or your team members as security researchers/hackers?
Our BSides CTF team consists of 4 people from 4 different infosec teams at Square:
Each of us comes from a slightly different background, some “researcher/hacker” and others engineering-focused.
Have you entered in other CTF competitions and if so, what do you like about CTF competitions? Do you have a favorite?
This is the first time Square’s infosec team has officially competed in a public CTF. We all have individually participated in other CTFs in the past. We individually can’t decide on a favorite, but all agree BSides SF’s CTF was pretty cool!
What did you enjoy most about the CTF at BSidesSF? What do you attribute to your team’s success?
Our team enjoyed the variety of challenges present in the CTF. It allowed us to individually play our strengths to contribute to our eventual success in the competition.
Where did you/do you learn about CTFs, and hacking techniques?
We all independently learned about CTFs and hacking techniques generally on our own time. Professionally, we learn about hacking techniques as part of our everyday work engineering defenses to new threats. The other members of Square’s infosec team also have incredible security backgrounds, so we often find ourselves learning a lot from each other.
Are there other types of security focused challenges/projects you like or work on? Do you have an all-time favorite target?
The team comes from all different backgrounds. Some highlight challenges and research projects are:
As a CTF team, we don’t have any specialty, and our backgrounds span many different security areas (product, infrastructure, mobile, hardware, etc). In any case, CTFs keep us all on point with security issues spanning a bunch of different areas – specific to the types of challenges each CTF offers.
Anything else you’d like to share with us about you as a researcher and/or your team?
We are the coolest team. Did you know we have awesome desserts and sushi? More seriously: We (Square) work across many disciplines: security, mobile, backend, data infrastructure, data science. Our system is critical: without it, some Square products couldn’t exist. Several companies have built systems like this; we consider ours the most advanced. We catch real hackers and criminals.
cc and dumps stein mart cc