Gábor Pék (CTO, Avatao)
This is the final part of this blog series. If you haven’t already done so, you can read the
It was early 2013, in the middle of my Ph.D. studies, when two master’s students (András Gazdag and Levente Fritz) asked me to talk about memory corruption vulnerabilities. It seemed to be a good idea, as there weren’t any lectures on the subject at our university (Budapest University of Technology and Economics) at that time. I like approaching problems and tasks systematically, so I preferred to do it on a regular basis and to involve other interested students as well. That was the point when we contacted Levente Buttyán (head of CrySyS Lab) for his support.
He liked the initiative very much, so we decided to invite the best students from previous years’ Security Challenge. Fortunately, all the invited students joined us, and a couple of weeks later we formed our learning group, which we have called the CrySyS Student Core ever since. It was a really great beginning; we had many smart and interested students around us. The only thing we needed was to make them even more motivated. I chose some topics that were appealing enough (e.g., memory corruption, virtualization security, malware analysis, reverse engineering, etc.) and started talking, week by week, to some excellent students about the complex but amazing world of system security. We did not have a room at the beginning, so we projected my slides on the corridor wall at our department. After around two months it was time to involve the students more deeply: fortunately, many of them were motivated enough to present a topic they were interested in. From this point on, we scheduled a speaker for each session and a topic to talk about. Soon we set up some rules to keep the group running, as follows.
CrySyS Student Core
The CrySyS Student Core is an invite-only group of students from our university who are enthusiastic about various domains of IT security and who have already proven their aptitude. One way to get invited is to score among the best students at our CrySyS Security Challenge, which is a hacking contest that we organize for our students every year. Another way is to deliver an impressive performance during a student semester project that we supervise. Thus, students who get invited have already achieved something, and they have a certain level of expertise in a specific IT security domain (e.g., reverse engineering programs, hacking websites, or breaking cryptographic protocols). We meet once every week (including the holiday seasons) and discuss various topics in IT security. Very often, we prepare talks on topics that we have been studying or working on recently and present our experience to each other. For instance, a student would explain how they discovered a software bug and then developed an exploit for it. Another common activity is preparing for international CTF games. This preparation usually means that we give brief tutorials on various topics to each other, discuss write-ups for challenges from previous CTFs, or solve CTF challenges from previous years together. Occasionally, we invite an external expert to give a talk on a specific topic.
Giving birth to !SpamAndHex
One measurable indicator of success is the steady improvement of our group’s results at international CTFs. Before founding the Student Core, we participated only in the yearly iCTFs, and we didn’t have a real track record on the global landscape of CTF teams. Our iCTF team was called Team.iCTF.CrySyS in 2011 (ranked 36th) and Team.iCTF.CrySyS.B in 2012 (ranked 23rd). After founding the Student Core in April 2013, some students, for example Dániel Bali, Tamás Koczka, Gábor Ács-Kurucz and Zsombor Lázár, showed special interest in playing more CTF games. They participated in many online CTFs. After a couple of months, we knew that we needed a team name to play under at international CTFs. We had many ideas in mind, but we finally concluded that !SpamAndHex was the best choice. Practically, we polished ‘Ham and eggs’ a little bit. In December 2013, we played iCTF again, for the first time under the name !SpamAndHex. We also invited other students from our university, but the key people on our team were all Student Core members. We tried our best, and we ranked 2nd. We could not believe it! Wow. It was a huge success for us! Something began at that point.
(The !SpamAndHex team on iCTF 2013)
(iCTF 2013 scoreboard)
Capture the Flag competitions
We did not stop here. The next year, in 2014, we got into the Final of Nuit du Hack, and 5 of us (i.e., Dániel Bali, Gábor Molnár, Gábor Vaspöri, Gábor Ács-Kurucz and Tamás Koczka) flew to Paris. These guys did their best and scored 3rd in their very first Final. The rest of the team, who stayed at home, could hardly wait to shake their hands and congratulate them. That year we played 28 CTFs and ranked 14th on ctftime.org, the worldwide ranking of CTF teams. After a couple of years of experience in CTF games we knew that we could do even better. The year 2015 brought us real success. However, some of our members paid a serious price for it. For example, Tamás Koczka, Gábor Ács-Kurucz, and Dániel Bali participated in almost every notable CTF that year. Other members, including me, played mostly in selected CTFs. So let’s start with 2015. First and foremost, we participated in iCTF again in April 2015 (referred to as iCTF 2014!) and we won it! We again invited many other talented students from our university, but the key members were from the Core.
The DEFCON CTF Finals
Our story did not stop here. We played many CTFs with some really good results; however, the real challenge was still ahead of us. If you are a top team, you must play in the DEFCON CTF Finals. There are two ways to qualify for the DEFCON CTF Finals: either you win one of the selected CTF games (e.g., Boston Key Party or HITCON CTF), or you get in through the official qualifier. We took the second path, and for the first time in history, a Hungarian team qualified for the DEFCON CTF Finals in 2015. I was very proud of a team that practically did not exist two years earlier.
(The !SpamAndHex team is preparing for the DEFCON CTF 2015 Finals)
The most limited commodity is time
In 2016, we did not have as much time to participate in CTFs as in 2015, but we concentrated on the major events. We deliberately practiced for the DEFCON qualifier and got into the Finals again. We were lucky to play against the best teams in the world at the 24th DEFCON CTF Finals in Las Vegas. However, it was not as easy as it seemed. That year was fairly different from any year before: for the first time in history, teams had to play against the DARPA Cyber Grand Challenge winner, the Mayhem machine from ForAllSecure. We will keep on rolling! I am really grateful to the !SpamAndHex team members, who have achieved these successes and raised awareness of IT security in Hungary and beyond.