It has become tradition to write a short review of the last year and about the plans for the next one.
Community action & CTF
As mentioned in last year’s review, we would like to thank a lot of people for supporting the project internetwache.org. For this reason we organized a “Capture The Flag” (CTF) on a weekend in February. The participation was overwhelming! Over 1500 teams registered and 650 teams actively participated in the CTF. For anybody who is interested in a deeper look at its statistics, we refer to this blogpost.
Another small community action was our first batch of stickers, which we gave away at the 33c3 (CCC-Congress). We think that the stickers are “quite” good for a first try - but we also see that we can improve some things. If you meet us somewhere, just ask nicely and we’ll give you some, too.
As we pointed out in last year’s blogpost, we wanted to explore Industrial Control Systems (ICS) and SCADA systems. We were lucky to find 4 waterworks unprotected and unsecured on the internet. We also got a hint that there were mobile traffic light systems connected to the internet which were vulnerable to an exploit. All those cases were reported to several CERTs in order to get critical systems off the internet or vulnerabilities fixed. In September we also researched cryptomining malware.
In general we still like the idea behind bug bounty programs and responsible disclosure - but we are not as active as we have been before. We simply do not have the time for doing a lot of bug bounty hunting due to work or studying. Another reason is that there are more researchers than some years ago. We are still active on platforms like HackerOne or Bugcrowd, but mostly in private bug bounty programs.
We are very excited that our work was also covered by many media outlets which normally do not report on information security related topics. For example, the German magazine Spiegel reported about our waterworks findings online and in print. Furthermore, we published some articles on well-known news sites such as zeit.de, handelsblatt.de or golem.de.
New in 2016 was that our work was also covered by video broadcasters like Deutsche Welle (DW), ARD, WDR and SpiegelTV (RTL). To give you a little impression of this, you might take a look at the following video.
We would like to thank all the journalists involved for their coverage and also for some constructive criticism of our work. We will try to continue our cooperation with the media to inform about modern cyber risks in our society and to secure our daily (digital) lives. If you have any constructive criticism, ideas or just want to write us something, you can find all details on the contact page.
Last year, Sebastian and Tim visited a bunch of conferences and we also wrote blog posts about them. Tim attended the Security Analyst Summit 2016 and Sebastian joined the TROOPERS and the Alligatorcon conference. Furthermore, it has become kind of a “tradition” to visit the CCC-Conference (Chaos Computer Club) (33c3) at the end of the year. We had our very own assembly there and that made the conference even more enjoyable. We like conferences especially for getting new ideas and experience, and furthermore for getting to know a lot of new people. We would like to thank the people we met at conferences a lot for nice conversations and for giving some insight into their professional work.
2016 in numbers
After our successful Internetwache-CTF our follower count on Twitter increased steadily. We now have more than 1600 interested followers. If you’re also interested, but don’t follow us yet, you can find us on Twitter @internetwache.
The traffic to our weblog doubled during the year. We had around 25000 visitors and 45000 pageviews. With only 8 new articles those numbers are quite impressive. The reason for the low number of articles can be found in our FAQ, but in essence we don’t have enough time and we prefer quality over quantity. Another reason is that we write all posts in German and English, which means more effort.
Since mid 2016 Julien is no longer part of the Internetwache.org team. We would like to thank Julien for his contributions and support and wish him all the best! We highly recommend Julien’s security blog rcesecurity.com and hope that we’ll stay in touch. As a sign of appreciation we’ve put his name into our Hall of Fame.
Sebastian writes about his non-web security research on his blog 0day.work. For the next year he plans to publish some more research and interesting blogposts. Furthermore, Sebastian participated in a lot of CTFs - in most cases as a part of the @ENOFLAG team. The RuCTF finals in Jekaterinburg were really exciting. Measured by the amount of consumed vodka, the 9th place is still presentable :). They finished the qualification for next year’s finals in 6th place.
Tim wrote about the topics of privacy and information security on the German IT news website golem.de until early 2016. Furthermore, he published his first German IT textbook with the title “Hacking im Web”, which was sold over 1000 times within the first 5 months after publication. Tim also has a weblog about web security in German which covers topics of the book. Alongside his Bachelor studies he finished his training and lived 3 months in Barcelona. 2017 will be the final part of his dual studies - furthermore he plans to write some blogposts (on his own blog).
Outlook on 2017
We achieved most of the goals we had for 2016. So here’s an educated guess about our work for the next year. A new Internetwache.org CTF is in preparation, but we don’t have enough ideas yet and not enough time for implementing all challenges. Furthermore, we want to do some new research in the field of IT security, but we do not want to spoil anything now. Cooperating with media is fun. We will continue to share our opinion about questions of IT and information security to achieve a more secure (digital) society.
You will hear from us ;)
Sebastian Neef and Tim Philipp Schäfers
The team of Internetwache.org