This is a talk I gave last year at BSides St. Louis and DerbyCon. The purpose was to share how I really got into security and how gaming enabled my success breaking into the industry. I went from being a professional gamer to a professional penetration tester in a few years. From Gaming to Hacking the Planet leads up to what I’m working on now, an educational information security video game!
Have you ever wondered if all that time you spend playing games is a waste? I’m here to tell you it’s not. Without gaming, I wouldn’t be where I am today. Gaming taught me how to think creatively, gaming taught me how to fuzz all the things, and most importantly, gaming taught me how to hack the planet. We will explore how gaming helped get me where I am today, why you should keep gaming, and how you can start applying what you’ve learned from playing games directly to information technology and security. If you’re lucky, you might even see a demo of the educational game I’ve been developing; possibly even play it!
Chris Spehn (@_Lopi_) is a penetration tester for a company that shall not be named. Chris was formerly a security research intern at Trustwave SpiderLabs. He attended Illinois State University for Information Assurance and Security. Shortly after his transfer to ISU, Chris started contributing to an open source project called the iDroid Project; he was primarily responsible for implementing GNU/Linux on Apple’s iDevices after the Linux kernel had been ported, and was invited to speak at the first Jailbreak conference in London. Chris was Discover Financial Service’s first information security intern and worked with the Incident Response team as well as the Penetration Testing team for two summers. Chris is also the founder of Illinois State University’s first information security club, participated in CCDC for three years, received first place in National Cyber League 2012, and was the red team captain for the Central Illinois High School Cyber Defense Competition. Chris spends most of his free time gaming, researching, and competing in capture the flag competitions.
The idea is to explain how I really got started with security. I will start off by explaining when I started gaming, and how it put me on the path to become a hacker. Luck was involved, but it was primarily curiosity. I was curious if there was another way to be successful at playing Diablo II. I will explain how I started fuzzing for vulnerabilities within Diablo II as well as successes and failures of specific item duplication exploits that were famous at the time.
My story is not all a picnic though; eventually it turns into cloning popular game hacking websites and binding all of their hacks with a packed trojan horse undetectable by all anti-virus vendors at the time. I stole thousands of Diablo II accounts back in the day simply because I was curious how to get better at a game. This is how I learned to hack the planet.
The above portion will be very brief and aimed at non-techies.
In the bulk of the talk, I will ‘gamify’ web application penetration testing. I am going to draw from my own gaming experiences and show how it’s possible to relate your own gaming experiences to web application penetration testing. Here’s a brief example of how I will do this:
- Megaman fuzzing reference (show gif or brief video of megaman ‘fuzzing’ a boss)
- Bring up ‘level 1’ of a vulnerable web application.
- Demo ‘fuzzing’ of the web application
- Highlight the Megaman weapon the boss is vulnerable to.
- Show the payload the web application is vulnerable to.
- Megaman kills boss or ‘exploits’ the vulnerability via a payload.
- Demonstrate exploiting the web application vulnerability.
- Relate layers of security in a web application to different ‘levels’ or ‘phases’ of a boss in a game.
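The ‘level 1’ walkthrough above (fuzz a parameter, spot which input the application mishandles, then show how a later ‘phase’ blocks it) can be reproduced offline in a few lines. The following is an added example written for this post, not code from the talk or from Conscious Hacker: the handler names, the `name` parameter and the probe characters are all constructed. It runs three versions of the same request handler against a small reflection fuzzer: the ‘level 1’ handler echoes input into HTML unescaped, the ‘level 2’ handler escapes on output, and the ‘level 3’ handler adds an input allowlist as a second layer, which is the layered-defence idea in the last bullet.

```python
import html
import re
from urllib.parse import parse_qs, urlencode

# Constructed probe characters: each one changes meaning inside an HTML page.
PROBE_CHARS = ['<', '>', '"', "'", '&']


def _name_from(query_string: str) -> str:
    """Pull the (hypothetical) 'name' parameter out of a query string."""
    return parse_qs(query_string).get("name", ["guest"])[0]


def level1_greet(query_string: str) -> str:
    """'Level 1' boss: reflects user input straight into the HTML body."""
    return f"<p>Hello, {_name_from(query_string)}!</p>"


def level2_greet(query_string: str) -> str:
    """'Level 2': same page, but every reflected character is HTML-escaped."""
    return f"<p>Hello, {html.escape(_name_from(query_string), quote=True)}!</p>"


def level3_greet(query_string: str) -> str:
    """'Level 3': input allowlist in front of the output escaping (two layers)."""
    name = _name_from(query_string)
    if not re.fullmatch(r"[A-Za-z0-9 _-]{1,32}", name):
        return "<p>Invalid name.</p>"
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def fuzz_reflection(handler, probe_chars=PROBE_CHARS):
    """Send each probe wrapped in a canary and report which ones come back unescaped.

    The canary ('fz' on each side) is what makes the check reliable: '&' escaped
    to '&amp;' still contains a bare '&', but it no longer contains 'fz&fz'.
    """
    findings = []
    for ch in probe_chars:
        canary = f"fz{ch}fz"
        body = handler(urlencode({"name": canary}))
        if canary in body:
            findings.append(ch)
    return findings


if __name__ == "__main__":
    for level, handler in enumerate((level1_greet, level2_greet, level3_greet), 1):
        print(f"level {level}: unescaped probes -> {fuzz_reflection(handler)}")
```

Running it prints the full probe list for level 1 and an empty list for levels 2 and 3. The point of level 3 is not that the allowlist replaces escaping; it is that a bug in either layer no longer hands the boss a single weakness, which is exactly the multi-phase boss analogy.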
All of this inspired me to work on a new project revolving around security education aimed at teaching hacking and penetration testing. It’s a game called Conscious Hacker. It will not be ready for the conference, but as you can see from the concept above, the ideals come from this talk. I’ll mention it briefly towards the end, and use some of the same analogies seen above, i.e. Megaman teaching me how to fuzz properly.
Game Concept: Conscious Hacker
Conscious Hacker is about garnering people’s interest by creating a safe and legal place for them to train their skills in defending and attacking computer systems. Using games as a conceptual framework to maintain engagement and create a low-risk environment, we will create challenges that utilize real information security techniques, paired with clever visualizations to help the student understand what is happening. Hacking is about manipulating technology, and students can’t manipulate something without understanding how it works. If students don’t understand attacker techniques, how can they possibly prevent them?
This educational game will teach information technology while fostering the security mindset at the same time. This will be done through a series of “wargames”. A wargame is a cyber security challenge and mind sport in which the competitors must exploit or defend a vulnerability in a system or application, or gain or prevent access to a computer system. A wargame usually follows capture-the-flag logic, based on pentesting, semantic URL attacks, knowledge-based authentication, password cracking, reverse engineering of software, code injection, SQL injection, cross-site scripting, exploits, IP address spoofing, and other hacking techniques.
Beyond teaching practical security skill sets, the game will also contain cryptographic puzzles in order to challenge the player to learn more about security. The trick to security is there is always more to learn, and there’s certainly a shortage of information security professionals with a solid foundation in cryptographic principles. By learning basic encoding as well as cryptography, players will be ahead of most aspiring information security professionals.
Overall, the response to the talk was overwhelmingly positive. Speaking at BSides St. Louis and DerbyCon was an honor. I know some of you have been asking about the game lately. It’s still a work in progress. To make a long story short, I started a new job and lost focus, as well as massively overestimating what I would accomplish in six months. Thanks for all your continued support; I am flattered and humbled by it.