[ISN] Hack . . . hack back . . . repeat
R. A. Hettinga
rah at shipwright.com
Thu Aug 12 08:12:57 EDT 2004
--- begin forwarded text
Date: Thu, 12 Aug 2004 02:13:41 -0500 (CDT)
From: InfoSec News <isn at c4i.org>
To: isn at attrition.org
Subject: [ISN] Hack . . . hack back . . . repeat
Reply-To: isn at c4i.org
List-Id: InfoSec News <isn.attrition.org>
List-Post: <mailto:isn at attrition.org>
List-Help: <mailto:isn-request at attrition.org?subject=help>
<mailto:isn-request at attrition.org?subject=subscribe>
Sender: isn-bounces at attrition.org
By Rodney Thayer
LAS VEGAS - Capture the flag might be only a game, but it was serious
business at DefCon, the world's largest annual computer hacker
convention. For 36 straight hours, eight teams of experienced hackers
and serious security professionals played predator and prey as they
tried to hack into competitors' networks while defending their own.
From my front-row seat as a member of the winning team, Sk3wl of R00t
(hacker slang for "School of Root," where "root" refers to gaining
administrator access to a system), I got a bird's-eye view of how new
- and not so new - attacks could be launched and thwarted.
Each qualified team playing the game - organized by a Seattle security
community group called the Ghetto Hackers - controlled a pair of
Windows machines running a variety of network and Web-based services
that were connected to each other and a central scoring mechanism
called the Scorebot via a Gigabit Ethernet network. Rest assured, this
hacker network was not connected to the Internet.
As soon as the doors to the secluded hacker playground disguised as a
hotel ballroom were opened at 10 a.m. July 30, the air was tense in
this crowded room. The game scenario and the legitimately purchased
Windows images were presented to participants two hours before the
official noon start time. How would you like to have to lock down two
Windows boxes in just two hours as you started to recognize that there
were world-class exploit developers in the room - and on your network?
A team scored by attacking rivals' servers and stealing flags (data
strings stored within the servers). The successful hacker then
presented the stolen flags to the scoring system for credit. The
overall score was a combination of credit for attacking other teams'
servers and successfully defending your own services. Penalties were
issued for excessive consumption of bandwidth, so simple port scans
and brute force attacks were not used, and denial-of-service attacks
In the middle of the room sat the Ghetto Hackers' gear, necessary for
keeping the game within bounds and blasting loud techno music for the
entire 36-hour ride. We'd trained for the competition in small
conference rooms with similar tunes blaring as white noise to
desensitize. But by the time it was 2 a.m., and you were staring at a
network trace flying by on a screen, you noticed that your heartbeat
and your breathing synchronized with the music and the packet traffic.
At that point, it was time to take a walk.
At the beginning everyone was organized with their supplies. Our
cooler was stocked with ice and Coke. As time dragged on, people
started bringing in food and drinks. At first we were organized and
sent out someone for bread and cold cuts. But by the middle of Day Two
we gave up and started ordering pizza. We stuck with soda for the most
part, but as the contest wore on, a beer or two appeared. As we
scanned the room (discreetly, of course) we saw the other teams
behaving the same way if not more so. One team had a steadily draining
bottle of Southern Comfort on top of its server.
The Ghetto Hackers' full-length equipment rack was ornamented by a
large, red, wooden arch in the style of a Japanese archway complete
with Asian script. Our Japanese language expert slunk over for a
closer look and determined the writing on the wall to be complete
gibberish, with no hidden message to help us crack the code.
Each team carefully arranged its equipment - everything from laptop
Macs to Cisco switches, some piled 3 feet high on the allotted two
tables - around the periphery of the room. Teams were supposed to have
a maximum of 15 members, but no one stuck to that upper limit as the
flow in and out of the room easily boosted each roster to more than 20
The ground rules I agreed to dictate that I not divulge individuals'
identities. But in general terms I can say the teams included at least
two CTOs; security professionals from Ernst & Young, AOL and the
University of California at Santa Barbara; and well-known and unknown
hackers. Additionally, at least four teams had members hailing from
the U.S. Department of Defense.
We mostly kept to ourselves and minimized visible screen space to
avoid becoming vulnerable to "shoulder surfing" or other forms of
You also had to do some reconnaissance to sniff out any secret deals
being cut to share or trade information among teams. Think "Survivor,"
when it was good.
There wasn't exactly a book on how to organize your team or set
strategy for this sort of thing. But our winning strategy as a team
was organization. We organized everything from a rotating "cat nap"
schedule to divvying up jobs along lines of expertise.
Because offense was 80% of the overall score, you had to maintain
support for your front-line attackers. The trick was to not ignore
your defenses. If your defenses slipped, other teams could get in and
score. As the Ghetto Hackers pointed out at the awards ceremony, we
were solid attackers - not significantly better than other teams - but
we had very good defense and were able to keep other teams from
stealing flags from us.
Most attacks we saw were levied against information in the database.
Someone would figure out how to run the Wiki (a piece of server
software that lets users freely create and edit Web page content using
any Web browser) and do some obscure set of queries that would reveal
flag data. Or someone would go into the Multi-User Dungeon, online
game environments that use a great deal of bandwidth, and figure out
if you walked north through the forest just the right way you'd be
able to pick up a flag.
We saw many failed attacks. Someone tried to buffer overflow the Web
server with 800,000-byte null packets. Someone else tried to go after
SNMP services to gain entry. Teams even attempted to capture their
incoming Scorebot traffic and replay that same traffic in the
direction of our machines in the hopes that our services would mistake
them for the actual Scorebot and give up flags to them.
If I were to apply my experiences to a more everyday situation than
what was taking place at the off-the-strip Alexis Park hotel, five
points would bubble to the top of the security cauldron:
Unsecure, unnecessary services - such as terminal services and SNMP -
are running on most Windows machines. You've got to take care to shut
down or firewall all unnecessary ports used by these services.
* Passwords are revealed frequently. To defend against this,
periodically change all passwords, including those that give access
to Web services and databases.
* Customized Web applications typically leak critical information. To
defend against this, applications must be modified so they do not
have commands that give too much information without proper
authorization or let users modify objects out of turn.
* Unmonitored services are dangerously open to attack. Watch your logs
like a hawk.
* Hack attacks happen. Be very, very afraid.
Thayer is principal investigator with Canola & Jones, a security
research firm in Mountain View, Calif. He can be reached at
rodney at canola-jones.com.
Thanks to the Ghetto Hackers for running a great contest. They put
together a complex game and made it run under very stressful
conditions and it worked great. Thanks also to Sk3wl of R00t for
letting me join in.
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable -
--- end forwarded text
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography