March 10, 2017 | 6 Min. Read

Q&A with the BSides SF 2017 CTF Winners

Jennifer Yonemitsu, Synack, sat down with the winners of BSides SF Capture the Flag for a Q&A session…

First Place Winner: Graziano Misuraca and The “Open to All” Team

Would you classify yourself and/or your team members as security researchers/hackers?
I do product security at my job. My teammates are a mix of professionals, hobbyists, and students.

When did you become a researcher and what motivates you to be one?  
I slowly transitioned to it over the years, starting in embedded systems engineering. I’ve just started doing it ‘professionally’ seven months ago when I went to Tesla.

Is cyber security hacking something you do professionally or consider it as a hobby?
It’s a hobby I’ve managed to get paid for 🙂

Have you entered in other CTF competitions and if so, what do you like about CTF competitions? Do you have a favorite?
I’ve been playing CTFs on and off for two years now. I like the variety of challenges, the relevance to new/hot issues (e.g. a shellshock-based challenge the same weekend it was announced), and think it’s good practice for skills relevant to my job.

What did you enjoy most about the CTF at BSidesSF? What do you think attributed to your team’s success?
We were lucky enough to have more than ten people putting in time, a good division of labour, and the dedication to put time in. I barely had time to see any of the talks, as I spent 8+ hours a day on CTF challenges. It was down to the wire to pull into second place, so I definitely think the time put in was a huge factor. The CTF had some creative challenges, and the location-specific challenges were a nice touch.

Where did you/do you learn about CTFs, and hacking techniques? 
Since OpenToAll is a pretty established team now, we have a Slack channel where there’s always ongoing discussion. That keeps it on the mind. We share links about news in the industry, plus there is often more than one CTF a week, so it’s not hard to just start hacking when you feel like it. In addition to actual CTFs there are a huge number of resources and ‘wargames’ that offer just about unlimited material to learn from. We have channels dedicated to working through these challenges.

Are there other types of security focused challenges/projects you like or work on? 
I prefer to focus on reverse engineering and binary exploitation challenges. I also enjoy programming challenges on occasion; since my background is in software development, I feel I can always contribute at least a little bit there.

Do you have an all-time favorite target and why? Was it a successful outcome for you?
I’d say that some of the funnest were challenges on a non-standard system. Maybe a weird CPU, non-standard libraries, or something else that takes it out of ‘yet another memory corruption on Linux x86’. For some reason I find them a lot better if I manage to solve them.

Do you have a specialty (web, IoT, mobile, etc.) and what about it do you like?
I’ve always been interested in low-level development. That lends well to memory corruption and binary reverse engineering. I have no interest or patience for web challenges.

Anything else you’d like to share with us about you as a researcher and/or your team?
Our team is called ‘OpenToAll’ for a reason. We welcome just about anyone to join our team.


Second Place Winner: The Square Team

Would you classify yourself and/or your team members as security researchers/hackers?
Our BSides CTF team consists of 4 people from 4 different infosec teams at Square:

  • Product security: Responsible for ensuring our product and engineering organizations understand the security implications of the decisions they make, and responsible for knowing all things security as they relate to Square’s products.
  • Platform security: Responsible for datacenter, host, and network security across all of Square’s environments, including both production and corporate networks. We’re the first line of defense at Square, responsible for intrusion detection, incident response, and threat intelligence.
  • Security infrastructure: Responsible for managing infrastructure for building secure services at Square. That means understanding what we need to make sure developers easily build secure services. Many of the bugs we work to prevent showed up as challenges in the CTF, too!
  • Mobile security: Responsible for detecting and assessing potential risks for our various mobile apps (e.g. app and OS tampering) to maintain the safety of our sellers’ mobile devices. We are a full-stack engineering team responsible for in-app remote attestation for Android and iOS, backend tamper response services, data platform, and anomaly detection.

Each of us comes from a slightly different background, some “researcher/hacker” and others engineering-focused.

Have you entered in other CTF competitions and if so, what do you like about CTF competitions? Do you have a favorite? 
This is the first time Square’s infosec team has officially competed in a public CTF. We all have individually participated in other CTFs in the past. We individually can’t decide on a favorite, but all agree BSides SF’s CTF was pretty cool!

What did you enjoy most about the CTF at BSidesSF? What do you attribute to your team’s success? 
Our team enjoyed the variety of challenges present in the CTF. It allowed us to individually play our strengths to contribute to our eventual success in the competition.

Where did you/do you learn about CTFs, and hacking techniques? 
We all independently learned about CTFs and hacking techniques generally on our own time. Professionally, we learn about hacking techniques as part of our everyday work engineering defenses to new threats. The other members of Square’s infosec team also have incredible security backgrounds, so we often find ourselves learning a lot from each other.

Are there other types of security focused challenges/projects you like or work on? Do you have an all-time favorite target? 
The team comes from all different backgrounds. Some highlight challenges and research projects are:

  • Microcorruption.com: MSP430 lock emulator teaching memory corruption exploitation
  • Cryptopals.com: Set of challenges to learn how to break cryptographic algorithms and implementations
  • OSX IPC research: Security research in the way inter-process communication works on OSX and iOS leading to the discovery of CVE-2015-3795.
  • Overthewire.org: x86 reversing challenges that get incrementally more difficult.
  • Stripe CTFs: Three different CTFs with different focuses on web and distributed systems (no longer running unfortunately, but the code is public)

As a CTF team, we don’t have any specialty, and our backgrounds span many different security areas (product, infrastructure, mobile, hardware, etc). In any case, CTFs keep us all on point with security issues spanning a bunch of different areas – specific to the types of challenges each CTF offers.

Anything else you’d like to share with us about you as a researcher and/or your team? 
We are the coolest team. Did you know we have awesome desserts and sushi? More seriously: We (Square) work across many disciplines: security, mobile, backend, data infrastructure, data science. Our system is critical: without it, some Square products couldn’t exist. Several companies have built systems like this; we consider ours the most advanced. We catch real hackers and criminals.