Classroom Seminar in Project Management and Scientific Work

Yesterday, I was in Pfungstadt/Darmstadt for a classroom seminar in project management and scientific work. The seminar is a mandatory day of the three-day introductory course at the WBH. The lecturer was Mr. Dipl.-Päd. Bernd-Uwe Kiefer. The seminar started with a small round of introductions. Then, we talked for one hour about project management in a classical and modern/agile approach, projects themselves, the project order, and so on.

After that, he switched the topic to scientific work. The students were divided into three groups. The objective of each group was to create a presentation of 30 minutes about scientific work. At first we needed to clarify the topics that we wanted to present. After 30 minutes, every group discussed its approach with the lecturer.

Then we had five hours to prepare the presentation. In my group it worked very well and we managed to finish the presentation around one hour early. After all groups completed their presentations, we had to present them in front of the class. The most interesting part is that all three presentations were completely different. Of course, most topics were repeated multiple times, but I liked seeing the different approaches. After each presentation, the lecturer gave the group some brief feedback and discussed with the whole class some aspects of scientific work that had been mentioned in the presentation.

Actually, I thought that I didn’t need this seminar. However, it was a nice day and I think I have learned a little bit more about scientific work at the WBH. To finish this module I will have to write a 15-page term paper about communication in projects, using scientific writing. Hopefully I will finish the term paper in the next weeks so I can focus on the other modules like software architecture.

Open Slack Communities

To gather some information and stay up-to-date, I’ve recently decided to join some Slack communities. Slack is a chat platform to connect and talk to people and there seems to be a rising number of communities out there. Technology and software development related communities are especially interesting for me. On medium.com I’ve found an article which provides an incomplete list of some communities on Slack. First I joined the Spec.fm Slack community, because I like the Developer Tea podcast so much.

Second, I joined the #developers community, which is mentioned in the medium.com article above. Actually they have multiple communities on Slack, so you can join the team that you feel connected to. There is for example a PHP, a Python or a NodeJS community available in addition to the general Developers community.

I’ve been in these communities for around a week, mostly lurking and watching how the community communicates. Some people are sharing links, articles, tweets, but actually nothing very interesting. I also haven’t seen any “intense” chat between people so far. Only in the Spec.fm community are some design related people regularly chatting. In the next days and weeks I will keep watching the Slack communities and I will report here if my first impression changes.

What I’m still looking for is an infosec related Slack community. No matter if it is a cryptography, a penetration testing or a general infosec group. So, if you know any infosec communities on Slack, which are open for new people, please drop me a note in the comments or contact me directly. Thank you very much! 🙂

Back to University – Getting started

As I wrote some weeks ago, I just started with the Master’s course at the Wilhelm Büchner University of Applied Sciences. The start was a little bit frustrating.

At first, I only received the study letters for the first three months. This means that I didn’t get any module completely. The university recommends learning all modules in parallel, but during my Bachelor’s study I found it more helpful to study one module at a time, or only two modules at the same time if necessary. I can understand the viewpoint of the university. The first month is free for testing, so you can cancel at any time and they won’t send you too much material because of that. However, I’ve discussed with the study support that I would like to keep the study and get the next package (months four to six). After always getting different answers to the same question, the conclusion is that you have to wait some more weeks to get the missing study letters for the first semester. In the meantime I have now received all study letters to complete the first modules. Wohoo!

So I’m now ready to start and in fact I’m already working on my first graded submitted exercise. My plan is to do the first exams in the beginning of 2017. Hopefully this is realistic. 🙂

Podcast Recommendation: Developer Tea by Jonathan Cutrell

On my way to work I’m mostly listening to some podcasts. Two weeks ago I found a (for me) new podcast that I would like to share here. It’s the Developer Tea podcast by Jonathan Cutrell. The episodes are relatively short and discuss only one special topic, which is often introduced by a listener’s question. The questions aren’t always directly related to software development, but are sometimes a kind of meta-topic like general career or work method topics. For example, he discusses things like: Should I go back to school and get a degree? How to deal with a demotivated co-worker? What should I do if I’m unsatisfied with my current tasks at work?

I like this podcast very much and have already listened to more than 20 episodes. Jonathan gives a lot of his personal opinion but also advice on how he would approach a problem or act in a given situation. I do not always agree with him 100%. However, I think his tips are very helpful and give some interesting insights and some new points of view. The only criticism I have at the moment is the sponsorship. Every episode is sponsored by some company and he has a short sponsor break to promote the company or product. It is understandable that you want to make some money at least to cover your costs for hosting, etc. However, if you are listening to multiple episodes in a row it is a little bit annoying to hear the same kind of commercial over and over again. However, that’s maybe just me and I’m still listening to the podcast because of the great content.

Recently he started a new series on his podcast with the title Dev Career Roadmap. In this series of episodes he gives more detailed information and tips on how to start or get better in your developer career. I’m looking forward to the next episodes of this series and the podcast and I can recommend that you start to listen to some episodes. I think this podcast is definitely worth listening to!

The next Step – M.Sc.

I hadn’t thought that this could happen. Today I decided to apply for the Master’s course. In the end, I decided to take a course which is more general in IT and software engineering and also contains some infosec modules.

It will be again at the Wilhelm Büchner University of Applied Sciences in Darmstadt/Pfungstadt. The Master’s course contains software architecture, development of mobile and web applications, software engineering classes and the possibility to choose IT security management as one specialization.

I’m very excited about my decision and I’m looking forward to my new study letters that should arrive next week.

Download of my Thesis and Presentation

I received the permission to publish my thesis and presentation today from my university. So here you go!
You can now download my thesis with the title “An Analysis of the Tor Network” directly from my server. I hope that this is an interesting read for you. Unfortunately it is in German. The whole title in German is “Eine Analyse des Tor-Netzwerks: Konzept, Funktionsweise und Angriffe”.

Here is my presentation which I used in the colloquium to present my thesis, explain my motivation and show the key results.

The thesis was rated with grade 1,3.

Update: In case you have any questions regarding this topic or my thesis, just ask and I’ll try to answer it. 🙂

Restoring WhatsApp Chats after Shooting Rampage in Munich

I guess you have seen it in the news: On the afternoon of Friday 22nd July 2016, an 18-year-old teenager started a shooting rampage in the Olympia-Einkaufszentrum (OEZ) in Munich and committed suicide afterwards. In the last days a 16-year-old friend of the attacker contacted the police. The police applied for an arrest warrant for the 16-year-old boy because they feared he might manipulate possible evidence and indices.

Actually he already tried to clear some traces. In the meantime the police in Munich were able to check his smartphone and found that both friends had met some hours before the rampage at the OEZ and had a chat conversation via WhatsApp. His friend deleted the chat session in WhatsApp. However, the police were able to restore the chat session.

It’s interesting how this is possible, but actually it is not that difficult! 🙂
WhatsApp stores a local backup of your chats on your smartphone. On my personal Samsung Galaxy Note 4 there are nine backup files for the last nine days. Every day at 2 am WhatsApp creates a new backup and deletes the oldest one. Additionally you can set up WhatsApp to create a further backup online for example in Google Drive.

The restore is stupidly simple. If you uninstall WhatsApp and re-install it, it looks for recent backup files and asks if it should restore the latest backup. If you say “yes”, all your deleted chats and messages are restored. It always uses the latest backup. So if you want to restore the backup that was created four days ago, you just have to change the file name so that WhatsApp recognizes the required backup file as the “last” backup and restores it.
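For a forensic examiner, the daily rotation described above raises the question of which retained backups can still contain a message that was later deleted. The following sketch is an added example, not part of the original post: the `msgstore-YYYY-MM-DD.N.db.cryptNN` file naming is an assumption about WhatsApp's dated backups, the function names are hypothetical, and the directory listing and timestamps are constructed.

```python
import re
from datetime import date, datetime, time

# Assumed naming convention for dated local backups (not stated in the post).
DATED = re.compile(r"^msgstore-(\d{4})-(\d{2})-(\d{2})\.\d+\.db\.crypt\d+$")
BACKUP_TIME = time(2, 0)  # the post: a new backup is written every day at 2 am


def inventory(names):
    """Return [(backup_datetime, filename)] for dated backups, oldest first."""
    found = []
    for name in names:
        m = DATED.match(name)
        if not m:
            continue  # undated current database or unrelated file
        try:
            day = date(int(m[1]), int(m[2]), int(m[3]))
        except ValueError:
            continue  # pattern matched, but not a real calendar date
        found.append((datetime.combine(day, BACKUP_TIME), name))
    return sorted(found)


def candidates(names, sent, deleted):
    """Backups written after the message was sent and before it was deleted."""
    return [n for ts, n in inventory(names) if sent <= ts < deleted]


# Constructed directory listing: nine daily backups plus noise entries.
LISTING = ["msgstore.db.crypt12", "notes.txt", "msgstore-2016-02-30.1.db.crypt12"]
LISTING += ["msgstore-2016-08-%02d.1.db.crypt12" % d for d in range(1, 10)]

if __name__ == "__main__":
    sent = datetime(2016, 8, 6, 15, 0)      # constructed: message sent
    deleted = datetime(2016, 8, 8, 10, 0)   # constructed: chat deleted
    for ts, name in inventory(LISTING):
        print(ts.isoformat(), name)
    print("may still contain the message:", candidates(LISTING, sent, deleted))
```

Backups older than the message cannot contain it, and backups written after the deletion no longer do, so only the files in between are worth examining.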

So, bad luck for the 16-year-old teenager, but good for the police to investigate the rampage and the motives of the attacker further.

Package Repository in Kali Linux

I’m currently setting up my VMs according to the “Penetration Testing” book I wrote about last time. During the setup you need to install additional packages like mingw, etc. On my machine, the command

finished with error: “Unable to locate package …”.

If you search the internet for this issue you will get lots of advice on how to change the sources.list file in Kali. Most of it just says: ‘Copy these x lines and you’ll be fine.’ But you have to be careful. Offensive Security explains in the Kali documentation how to set up the sources.list file correctly. Here is a link to this documentation. Instead of just adding more and more repositories, you should check if the required package is available in the Kali repository. Sometimes the name of the package may have been changed.

Here you can search all packages in the Kali repository. This was helpful for me and I found the missing packages this way.
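To see what copied "x lines" have left behind, a sources.list can be audited for entries that do not point at the Kali repository. This is an added example, not from the original post or the Kali documentation: it assumes `http.kali.org` is the only official repository host, the function name `audit_sources` is hypothetical, and the sample file is constructed.

```python
from urllib.parse import urlparse

OFFICIAL_HOSTS = {"http.kali.org"}  # assumption: the only official Kali host

# Constructed sample sources.list (example.org/example.net are placeholders).
SAMPLE = """\
# constructed sample sources.list
deb http://http.kali.org/kali kali-rolling main contrib non-free
deb http://mirror.example.org/debian stable main
deb [arch=amd64] https://repo.example.net/apt stable main
deb-src http://http.kali.org/kali kali-rolling main  # sources
deb http://http.kali.org/kali
"""


def audit_sources(text):
    """Return [(line_no, reason, detail)] for entries that need a second look."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] not in ("deb", "deb-src"):
            findings.append((lineno, "unrecognised entry", line))
            continue
        idx = 1
        # Skip an optional "[option=value ...]" block before the URI.
        if idx < len(fields) and fields[idx].startswith("["):
            while idx < len(fields) and not fields[idx].endswith("]"):
                idx += 1
            idx += 1
        if idx + 1 >= len(fields):  # need at least a URI and a suite
            findings.append((lineno, "malformed entry", line))
            continue
        host = urlparse(fields[idx]).hostname
        if host not in OFFICIAL_HOSTS:
            findings.append((lineno, "third-party repository", host))
    return findings


if __name__ == "__main__":
    for lineno, reason, detail in audit_sources(SAMPLE):
        print("line %d: %s (%s)" % (lineno, reason, detail))
```

On a real system the text would come from `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/`.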

Update:
This morning I saw on Twitter another article about the Kali repository. Maybe this is helpful, too.

Podcast: Building a Life and Career in Security

Today I would like to recommend a podcast that I regularly listen to.

I’m trying to move into an information security career. So I’m very interested in the stories of people, who are successfully working in this particular field of information technology.

On my daily way to work I often listen to various podcasts. Most of them are IT or especially InfoSec related. One of my favourite podcasts that meets all points is the “Building a Life and Career in Security” podcast by Jay Schulman. It is about IT/InfoSec (check), it is about people’s stories (check), and the host Jay Schulman talks about the way of his guests into the infosec field and their personal and professional background (check, check, check!).

If you are interested in getting into the IT security field I can strongly recommend this podcast! You will hear lots of different stories and get to know a lot of different jobs in this industry. And there are around 2 to 3 new episodes each month, which is a perfect publication period.

Do you know other podcasts or blogs, that are covering this topic (infosec + career stories)?

Penetration Testing Book by Georgia Weidman

In my previous post I’ve already mentioned that I will keep up learning new stuff. The title of my blog is securitypath and so security topics will be mostly present here. In the future I would like to get my foot in the door in the security industry. The most interesting part is the whole blue team / red team approach, where the blue team is defending and hardening the systems and infrastructures and the red team is trying to get around these things and get control of the target boxes.

Some days ago I saw on Twitter a nice piece of code written as an infinite recursion: starting with a new idea, losing motivation, abandoning the project and then having the next idea again. So according to this I’m currently at the “start with new idea” step, again. 🙂

Next I will work through the book “Penetration Testing – A Hands-On Introduction to Hacking” by Georgia Weidman. Publisher is No Starch Press. My copy is from 2014 but I think this is the first and latest edition of this book until today. I saw many positive recommendations and a lot of love for this book on Amazon.de and also Amazon.com, so I decided to get a copy of it.

At the moment I’m still in the beginning, chapter 1. This chapter is all about getting your penetration test lab started. You learn to set up Kali Linux with some additional tools like Nessus (a vulnerability scanner, which has a free version). And you set up a Linux box and a Windows box, which work as vulnerable victims for your attacks.

The next chapters will walk through the penetration testing cycle with information gathering, finding vulnerabilities, exploitation and post exploitation. There are many more detailed chapters, but that seems to be the recurring theme through the book.

My goal is to get my hands dirty and to gain some hands-on pentesting skills, even if it’s on a low level. Currently I’m considering whether I should go for the OSCP (Offensive Security Certified Professional) certification in pentesting because of the workshop content, the exam and the certification in the end. But this will be a challenging task and at first I want to finish the Pentesting book.
In my next posts I will report how it works out and which problems or success stories I experienced during my approach.