Security Ripcord

One of the best parts of wandering around DefCon was periodically sliding through the Capture the Flag room. As I stated in my original Defcon 15 post, Invisigoth of Kenshoto was kind enough to field a few questions and shed a little light on what was happening.

When I first walked into the room it was a bustle of activity. Teams were setting up their systems and their networks. Their equipment hosted a wide variety of computer systems. As I looked around at the different systems the teams were running I could see Windows, Linux, OS X (and possibly BSD but I couldn’t be certain) running on all different types of hardware: Dell, Apple, Alienware, IBM (Levono), HP, Sony, and more. It was already late in the morning so I had wandered in right at the end of their allotted setup time. Invisigoth made an announcement that the teams would be limited to eight team members working at one time and then, a few minutes later, announced the commencement.

Although the scoreboard was running at this point there had not been a lot of noise in the room up until the beginning. With the announcement of the start of the contest I was looking up at a projection of the scoreboard on one of the walls of the room. It showed each team, the number of overwrites, steals, and breakthroughs, and the level of service operation. This screen also flashed through several other statistic screens that compared the teams according to each category. A scrolling text area across the bottom of the screen also provided update information, in this case, the beginning of the competition. What happened next, however, got me to laugh out loud. With the start of the competition the technomusic started and two additional video screens lighted up. Comics, music videos, and other very distracting videos began to entertain the crowd as it filtered through the room and added its own noise contributed via talking, laughing, and applause.

After the start of the competition I asked Invisigoth a little bit about the teams. He was very proud of the fact that approximately 160 teams participated in the pre-qualification round and from that field the eight teams that came out on top provided representation from around the world. Although I did not get a complete breakdown I do know that team “Song of Freedom” were from Korea and team “Osu, Tatakae, Sexy Pandas!” were from Spain. It was about this time, 20 to 25 minutes in, that “Osu, Tatakae, Sexy Panda!” drew first blood. They scored the first breakthrough and quickly followed it with several steals and overwrites. When this happened I looked over at the area where last years winners “l@stplace” were located to see their reaction. I don’t even think that any of them looked up at the score board. Looking around the room I was very impress to see that no more than one or two of the other team’s members were looking up at the board either. In a room full of noise and disruption these teams were hard at work attempting to crush the other teams while keeping their services up and running.

April Dudash of The Independent Florida Alligator described the team objectives in her article “the H@cker Elite: UF engineers compete in Vegas“.

Teams were awarded points for service level, steals, overwrites and breakthroughs, or being one of the first three teams to exploit a particular service. Penalties were given if teams tried anything inappropriate, like illegal-hacking moves or real-life physical violence.

Basically, Kenshoto gave each team a server with twenty services running on them. They used the information they had from these servers to compromise the servers owned by their opponents while at the same time protected the availability of their own services. Uptime played a critical role in the outcome of the game. To better understand the objective, however, here is some of the information provided in a competition flier distributed by Kenshoto.

STEAL - Breaking into a service and getting read access to a secret token. Submit your steal for a point.
OVERWRITE - Breaking in with write access and overwriting the target’s key with yours. Each overwrite will trigger a point.
BREAKTHRU - First team to expliot a new vuln gets mad bonus (auto-scored and scaled for difficulty). Later teams get points, but the value drops exponentially.
SLA - Percentage of time that your services have been up (we have a polling monkey that checks every few minutes). This scales your final score.
PENALTIES - Seriously? You’re reading the definition for ‘penalty’?!?! While you’re at it: there is no Santa Claus.

One of the times that I spoke with Invisigoth I asked him about the services. At first he just smiled at me. The sort of, “Well, kid, get a team and get to the finals and you’ll find out” kind of smile. Relenting only a little, he told me that there were three levels of services: Easy, Hard, and (of course) Kenshoto. The pinnacle process, meaning the one they deemed the most difficult, was named “Manshetwa.” As he described it to me I was quickly confused. So, if I completely botch this description I hope that they forgive me or, at least, correct me in the comments. Manshetwa was a binary program within a program. Actually it was three programs running inside of a parent program that acted like a custom virtual machine. (BTW, all of the services are custom for this contest.) The parent program monitored the three processes and also attached to each of them as a debugger so that no team could attached another debugger to any of the programs. The programs acted, in conjunction, as a service. One of the programs accepted input from the network on a specific port. After accepting the information this program decrypted the input and sent the information to the second program. The second program used this input to generate some custom assembly code which it passed to the third process. After accepting the assembly code the third process ran the code. A little fuzzy? It is to me as well. I don’t have any more answers than that because Invisigoth had other duties as required and to this point I had taken enough of his time. I can only assume that if the third program runs the correct code the team sending the information accomplished a Breakthru. Of course, this service was designed to be almost impossible to exploit. In fact, Invisigoth looked at this service as a time killer. Any team who assigned an individual to work on this service in order to benefit from the massive amounts of points associated with it were merely wasting man power. He mentioned how @tlas, the team leader for l@stplace, had specifically forbade his binary analysis expert from even looking at the service for this very reason.

In the end, out of eight teams from around the world, team l@stplace repeated their victory. The whole team was awarded another DefCon Black Badge and Leather Jacket. You can read what @tlas had to say about it in his post “Play it again, Sam.” He also links to several of his team member sites so you should check out their comments as well.

When it was all said and done I was very happy I spent a little extra time in the CTF area. Invisigoth was more than helpful basically because the competition ran fairly smoothly and because he appeared to be having a great time. I also enjoyed watching the professionalism and drive of all of the teams involved and it made me long for working with a team of elite and dedicated individuals again. I am hoping that I can get a few of the Security Catalyst Community interested in the CTF next year. After our success with the Mystery Box challenge I don’t think that will be very hard. The hardest part will be getting them to pick between the two.

Go forth and do good things,
Cutaway

DefCon15, @tlas, l@stplace, Kenshoto, CTF, WarGamez, Invisigoth, Security Ripcord

Plenty of people have already blogged on the DefCon 15 badge. Joe “Kingpin” Grand did an outstanding job so I thought I would give everybody a taste of each badge running around during the conference.

Lets go in a sort of unofficial rank order from lowest to highest.

1. Press Badge

2. Human Badge

3. Speaker Badge

3. Goon Badge with Ninja Party Invitation

4. Black Badge

Unfortunately I did not get a picture of Kingpin’s badge as I didn’t think about doing this until the last few minutes of the conference. Special thanks to James Costello for the Human badge, Arthur from Emergent Chaos for the Speaker badge, Grifter for the Goon badge with Ninja Party invite, and Priest for allowing me to photo the table full of Black badges. Yes, the Press badge is mine.

Go forth and do good things,
Cutaway

DefCon15, Kingpin, badge, Grifter, Priest, Arthur, Security Ripcord, Joe Grand

Now that I am back from my very first DefCon experience I have two questions. “Why did I miss the previous 15? What was I thinking?”

From the very start the whole trip seemed like it was on a slow and deadly spiral downhill. I got packing late and had to rush. I couldn’t get the Sprint EVDO card running under BackTrack 2.0 installed on a Dell D600. I suddenly had to do actual work while I was on the trip so I had to take my Mac Book Pro but couldn’t get the Verison EDVO card for it because it was locked away in a file cabinet (now that I know a bit about lock picking I could have gotten it). Then, when I finally got to Las Vegas I realized that I had never been here and I had no idea about how to get to the Riviera.

Once I got to the Riviera things started to pick up a bit. I met up with Mike Henry who graciously let me sleep in his room with he and Martin McKeay. We soon met up with Larry Pesce and Jon Squire and we all loaded into a cab for the Accuvant party at Mandalay Bay. This turned out to be a great move because of the open liquor and sushi bar. I also got a chance to met with several of the Accuvant attendees and they were all very knowledgeable and friendly. I can definitely see why Michael Farnum (who did not attend DefCon) likes his job so much. After the party it was back to the hotel for my last real nights sleep for the next couple of days.

In the morning it was on. I had already picked up my Press badge (Thank you very much, Nico!!) so I filtered into one of the sessions. Sean M. Bodmer, the Director of Federal and Military Programs at Savid Technologies, gave a talk on how it is important to extend your incident response plan to include “attack characterization” in order to understand why you are being attacked and by whom. After the presentation I asked him a few quick questions about how much extra time this would cost an incident response team, if he had a common framework the community could leverage, and if there was a central repository so that people could look for similar attack methodologies to help them identify attackers. He told me that once an organization had a framework in place it only takes about 6 to 8 extra hours to detail the attack methodologies and familiarize the rest of the team with the results. The framework that as been developed by Savid is not public as they have not been approached to make it available to anybody else. Same goes for the database of attackers. Although I like his idea I very much doubt that a small or even mid-sized business has the extra funds and manpower to devote to this extra work (I’m not saying it wouldn’t be helpful information, just that it will be hard to promote). Large business including the government, however, could definitely benefit from this type of information. Also, I am surprised that he did not offer a common framework to this approach. Obviously he and his team are very knowledgeable about how to profile attacks and attribute them to specific individuals. I would have like to have seen them take this next step especially since they were presenting this at DefCon.

After this first presentation I decided to wander around a bit. It only took me a few minutes to end up in the WarGamez Capture the Flag room where eight teams from around the world were diligently setting up their systems and preparing for the competition. A few minutes of looking around showed me that Kenshoto was running this event so I quickly cornered one of their members to get a quick introduction and ask him if he was open to answering questions periodically during the con. This person turn out to be “invisigoth” and he was more than happy to help while he was not assisting the competitors. There will be more about his competition in the near future.

By the time I finished up in the CTF room and wondering through the vendor area, it was time to start the Mystery Box Challenge. Volunteering to be a member on the Security Catalyst team was definitely the best move that I could have made. Firstly, the contest is an embodiment of everything that DefCon represents. Break in anyway that you can using any resource that is necessary. Secondly, I couldn’t have been a part of a better team. Although none of us were particularly strong in all aspects necessary to complete the challenge, each one of us brought a necessary skill level. Together we knew how to get it done or somebody who could help us do it. Although we did not win I am very proud of the fact that we kept the amount of outside influence to a bare minimum (basically, we need a lock picker). Although I could write up exactly how we did everything I would rather point you to James Costello post titled “Back from DefCon” which sums it up very nicely.

After 36 hours with 2 hours of sleep I was dead beat. I tried to wander around some of the parties but my body was not up to it. Everybody I talked to told me not to sleep at DefCon but I just couldn’t help myself.

After such a positive and involving experience of the Mystery Box the rest of DefCon was a bit uneventful. The TCP/IP Drinking Game and Hacker Jeopardy were fun (Winn Schwartau is hilarious BTW) but I didn’t get the same sense as trying break into something. As this was my first DefCon, however, I felt it was important to experience some of the things that make it DefCon.

The next day however, it was back to trying to learn new tips and tricks. I spent the day floating in and out of the Lockpick Village, the Wireless Village, the CTF competition area, and one or two talks. The only other talk that I was impressed by was the one given by Marc Weber Tobias and Matt Fiddler titled “High Insecurity: Locks, Lies, and Liability”. They had a very informative presentation that points out some of the inconsistencies of physical security. Oh, yeah, I just remembered Matt Richard and Fred Doyle also gave an interesting talk titled “Beyond Vulnerability Scanning - Extrusion and Exploitability Scanning”. Basically they have created a set of tools that can test an organization’s outbound countermeasures.

Wow, I just realized how long this post has turned out to be. I guess I can really sum up DefCon as a great opportunity to meet new people and participate in competitions that stretch your imagination and skill sets. What more could you as for beside “how do I do this year around”?

Will I return to DefCon next year? I have already started working on the very topic and hopefully my wife and I can negotiate a sufficient exchange of personal vacation time to get me out to DefCon 16.

One thing of interest that I did take way from DefCon was the emphasis to physical security. What I mean is that the Lockpick Village was completely pack from the moment it opened to the moment they closed down the area and asked everybody to leave. What does this mean to your organization? Well, if hackers are looking into this then maybe you should start considering what you are doing and where the weaknesses might manifest themselves within your environment. You might have the best OS hardening skills in the business. But if you cannot limit and protect the physical access to your systems and other resources then you are going to be in serious trouble.

Go forth and do good things,
Cutaway

DefCon15, Kenshoto, invisigoth, CTF, GenesysWave, Security Ripcord, Mystery Box Challenge, James Costello

The guys at The Ethical Hacker Network have been working really hard lately. Their latest endeavor is a security conference in Chicago devoted specifically towards Ethical Hacking. It is called ChicagoCon 2007 and it should prove to be a lot of fun.

I have nothing but good things to say about the people I have met over at EHN. Some of these people, Don Donzal and Chris Gates, will be speaking at the event so you will also be able to meet and be impressed by them as well. There was some talk about me presenting but unfortunately I will not be able to make it.

So, if you have some free time on your hands, need some security training, or need to bust out some CPEs, please check into ChicagoCon. I am certain you will have a great time.

Go forth and do good things,
Cutaway

ChicagoCon, EHN, Chicago, Security Ripcord, Chris Gates, Don Donzal