Life of a hacker

During this year's edition of the innovation festival Trondheim Playground, Girl Geek Dinners Trondheim announced a hacker workshop. Host for the event was the IT consultancy Webstep. Even if you don't work with IT security in your job, knowing how a hacker thinks helps you and your employees understand why a security policy matters, and how to develop or buy better and more robust applications.

Ready for workshop @ webstep.no

First talk was an intro to IT security by cryptologist Lillian Kråkmo from Cybehave. Lillian gave examples of recent events in the Norwegian news of companies getting hacked and politicians not following security guidelines.

Cryptologist Lillian Kråkmo on IT security

IT security is always a trade-off between functionality, security and usability; you cannot maximise all three at the same time. To assess the risk in a given case you weigh the value of what you are protecting against the threats to it and its vulnerabilities, which is itself a trade-off. And remember that you yourself are always the biggest security threat. IT security is a process and an internal culture, not a product you can buy. Here are the top ten vulnerabilities according to the OWASP Top 10 2017:

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring

Second, Kristina Brend, advisor at Webstep, gave a lightning intro to the technical concepts you need to know when doing browser-based hacking: HTML, CSS, JavaScript, HTTP requests and APIs. She finished with some entertainment tips for keeping up with the world of IT security: Beers with Talos for more technical news, and Darknet Diaries for good storytelling on the commute.

 

The workshop was led by Cybehave's founder and IT security expert, Håkon Olsen. He guided us through the OWASP Juice Shop project, a deliberately vulnerable web application with 40 security weaknesses to find. If you want to try it at home, we recommend making a free account with Heroku, following the instructions to deploy the app here, and using the Firefox browser (best developer tools) and/or helper tools like cURL.

We learned about XSS, SQL injection, weak hashing algorithms, why input must be validated on the server side (anything the browser checks can be bypassed by sending the request directly), and how to inspect network data such as cookies and tokens. However, no one got through all 40 challenges during the workshop, so we will keep on hacking at home.
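To make the SQL-injection, server-side-validation and weak-hashing points concrete, here is a small worked example added for this write-up; it is not code from the OWASP Juice Shop project or from the workshop. It uses Python's built-in sqlite3 module with a constructed two-user table (the table and column names, e-mail addresses and passwords are all made up for the example), stores passwords as unsalted MD5 the way the workshop warned against, and shows the login query first with user input concatenated into the SQL text and then parameterised.

```python
import hashlib
import sqlite3

# Constructed sample data for this example (not Juice Shop's real user table).
# Passwords are stored as unsalted MD5, mirroring the "bad hashing" point from
# the workshop.
SAMPLE_USERS = [
    ("admin@example.test", "admin123", "admin"),
    ("jim@example.test", "ncc-1701", "customer"),
]


def md5_hex(text: str) -> str:
    """Unsalted MD5, hex encoded. Weak on purpose: it is what the sample app stores."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the constructed users above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Users (id INTEGER PRIMARY KEY, email TEXT, password TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO Users (email, password, role) VALUES (?, ?, ?)",
        [(email, md5_hex(pw), role) for email, pw, role in SAMPLE_USERS],
    )
    conn.commit()
    return conn


def vulnerable_login(conn: sqlite3.Connection, email: str, password: str):
    """Deliberately vulnerable: user input is glued straight into the SQL text.

    Entering  ' OR 1=1--  as the e-mail turns the WHERE clause into
    email = '' OR 1=1  with the rest commented out, so the first row (the
    admin, id 1) is returned regardless of the password.
    """
    sql = (
        "SELECT id, email, role FROM Users WHERE email = '" + email
        + "' AND password = '" + md5_hex(password) + "'"
    )
    return conn.execute(sql).fetchone()


def safe_login(conn: sqlite3.Connection, email: str, password: str):
    """Parameterised query: the driver passes input as data, never as SQL."""
    sql = "SELECT id, email, role FROM Users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, md5_hex(password))).fetchone()


def crack_unsalted_md5(stored_hash: str, wordlist):
    """Why unsalted MD5 is weak: one cheap hash per guess, reusable for every user."""
    for guess in wordlist:
        if md5_hex(guess) == stored_hash:
            return guess
    return None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1--"
    print("vulnerable:", vulnerable_login(db, payload, "anything"))  # admin row
    print("safe:      ", safe_login(db, payload, "anything"))        # None
    stored = db.execute("SELECT password FROM Users WHERE role = 'admin'").fetchone()[0]
    print("cracked:   ", crack_unsalted_md5(stored, ["password", "123456", "admin123"]))
```

Run it and the concatenated query logs you in as the admin with the classic ' OR 1=1-- payload, while the parameterised query returns nothing for the same input. This is also the reason validation has to live on the server: a client-side e-mail format check never sees a request sent with cURL, so only what the server enforces counts, and the parameterised query (not input filtering) is what actually closes the injection.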

——–

GGD organizers: Kristina Brend & Nina Beate Solberg Susegg