http://www.nwfusion.com/news/2004/080904defcon.html
By Rodney Thayer
Network World, 08/09/04

LAS VEGAS - Capture the flag might be only a game, but it was serious business at DefCon, the world's largest annual computer hacker convention. For 36 straight hours, eight teams of experienced hackers and serious security professionals played predator and prey as they tried to hack into competitors' networks while defending their own.

From my front-row seat as a member of the winning team, Sk3wl of R00t (hacker slang for "School of Root," where "root" refers to gaining administrator access to a system), I got a bird's-eye view of how new - and not so new - attacks could be launched and thwarted.

Each qualified team playing the game - organized by a Seattle security community group called the Ghetto Hackers - controlled a pair of Windows machines running a variety of network and Web-based services. The machines were connected to each other and to a central scoring mechanism called the Scorebot via a Gigabit Ethernet network. Rest assured, this hacker network was not connected to the Internet.

As soon as the doors to the secluded hacker playground, disguised as a hotel ballroom, were opened at 10 a.m. July 30, the air was tense in the crowded room. The game scenario and the legitimately purchased Windows images were presented to participants two hours before the official noon start time. How would you like to have to lock down two Windows boxes in just two hours as you started to recognize that there were world-class exploit developers in the room - and on your network?

A team scored by attacking rivals' servers and stealing flags (data strings stored within the servers). The successful hacker then presented the stolen flags to the scoring system for credit. The overall score was a combination of credit for attacking other teams' servers and for successfully defending your own services.
Penalties were issued for excessive consumption of bandwidth, so simple port scans and brute force attacks were not used, and denial-of-service attacks were forbidden.

In the middle of the room sat the Ghetto Hackers' gear, necessary for keeping the game within bounds and blasting loud techno music for the entire 36-hour ride. We'd trained for the competition in small conference rooms with similar tunes blaring as white noise to desensitize ourselves. But by the time it was 2 a.m., and you were staring at a network trace flying by on a screen, you noticed that your heartbeat and your breathing synchronized with the music and the packet traffic. At that point, it was time to take a walk.

At the beginning everyone was organized with their supplies. Our cooler was stocked with ice and Coke. As time dragged on, people started bringing in food and drinks. At first we were organized and sent out someone for bread and cold cuts. But by the middle of Day Two we gave up and started ordering pizza. We stuck with soda for the most part, but as the contest wore on, a beer or two appeared. As we scanned the room (discreetly, of course) we saw the other teams behaving the same way if not more so. One team had a steadily draining bottle of Southern Comfort on top of its server.

The Ghetto Hackers' full-length equipment rack was ornamented by a large, red, wooden arch in the style of a Japanese archway, complete with Asian script. Our Japanese language expert slunk over for a closer look and determined the writing on the wall to be complete gibberish, with no hidden message to help us crack the code.

Each team carefully arranged its equipment - everything from laptop Macs to Cisco switches, some piled 3 feet high on the allotted two tables - around the periphery of the room. Teams were supposed to have a maximum of 15 members, but no one stuck to that upper limit, as the flow in and out of the room easily boosted each roster to more than 20 people.
The ground rules I agreed to dictate that I not divulge individuals' identities. But in general terms I can say the teams included at least two CTOs; security professionals from Ernst & Young, AOL and the University of California at Santa Barbara; and well-known and unknown hackers. Additionally, at least four teams had members hailing from the U.S. Department of Defense.

We mostly kept to ourselves and minimized visible screen space to avoid becoming vulnerable to "shoulder surfing" or other forms of spying. You also had to do some reconnaissance to sniff out any secret deals being cut to share or trade information among teams. Think "Survivor," when it was good.

There wasn't exactly a book on how to organize your team or set strategy for this sort of thing. But our winning strategy as a team was organization. We organized everything from a rotating "cat nap" schedule to divvying up jobs along lines of expertise. Because offense was 80% of the overall score, you had to maintain support for your front-line attackers. The trick was to not ignore your defenses. If your defenses slipped, other teams could get in and score. As the Ghetto Hackers pointed out at the awards ceremony, we were solid attackers - not significantly better than other teams - but we had very good defense and were able to keep other teams from stealing flags from us.

Most attacks we saw were levied against information in the database. Someone would figure out how to run the Wiki (a piece of server software that lets users freely create and edit Web page content using any Web browser) and do some obscure set of queries that would reveal flag data. Or someone would go into the Multi-User Dungeon (an online game environment that uses a great deal of bandwidth) and figure out that if you walked north through the forest just the right way, you'd be able to pick up a flag.

We saw many failed attacks. Someone tried to buffer overflow the Web server with 800,000-byte null packets.
Someone else tried to go after SNMP services to gain entry. Teams even attempted to capture their incoming Scorebot traffic and replay that same traffic in the direction of our machines, in the hope that our services would mistake them for the actual Scorebot and give up flags to them.

If I were to apply my experiences to a more everyday situation than what was taking place at the off-the-strip Alexis Park hotel, five points would bubble to the top of the security cauldron:

* Insecure, unnecessary services - such as terminal services and SNMP - are running on most Windows machines. You've got to take care to shut down or firewall all unnecessary ports used by these services.

* Passwords are revealed frequently. To defend against this, periodically change all passwords, including those that give access to Web services and databases.

* Customized Web applications typically leak critical information. To defend against this, applications must be modified so they do not have commands that give too much information without proper authorization or let users modify objects out of turn.

* Unmonitored services are dangerously open to attack. Watch your logs like a hawk.

* Hack attacks happen. Be very, very afraid.

Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, Calif. He can be reached at rodney@canola-jones.com.

Acknowledgements

Thanks to the Ghetto Hackers for running a great contest. They put together a complex game and made it run under very stressful conditions, and it worked great. Thanks also to Sk3wl of R00t for letting me join in.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/

--- end forwarded text ---

-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'
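The Scorebot replay attempt the article describes (capture the scoring system's traffic and resend it so a team's service hands over flags) only fails if a service can tell a fresh scoring request from a recorded one. The following is an added example, not code from the article, the Ghetto Hackers' game or Sk3wl of R00t, and it assumes a hypothetical protocol of my own: the Scorebot and each team service share a secret, and every flag request carries a random nonce, a timestamp and an HMAC tag over both. The service rejects tampered requests, requests outside a freshness window, and any nonce it has already accepted. All secrets, flags and service names are constructed for the demo.

```python
"""Replay-resistant flag retrieval (added example; hypothetical Scorebot protocol)."""
import hashlib
import hmac
import secrets

# Constructed values for the demo; a real scoring system would provision these out of band.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
WINDOW_SECONDS = 30  # how long a signed request stays valid


def sign_request(secret: bytes, service: str, nonce: str, ts: int) -> str:
    """HMAC-SHA256 tag over every field that must not be altered or reused."""
    msg = f"{service}|{nonce}|{ts}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def scorebot_request(secret: bytes, service: str, now: int) -> dict:
    """What the (hypothetical) Scorebot sends: a fresh nonce, a timestamp and the tag."""
    nonce = secrets.token_hex(16)
    return {"service": service, "nonce": nonce, "ts": now,
            "tag": sign_request(secret, service, nonce, now)}


class FlagService:
    """Team-side service holding flags. It releases a flag for a request only once
    and only while the request is fresh, so a captured request replayed later fails."""

    def __init__(self, secret: bytes, flags: dict):
        self.secret = secret
        self.flags = flags
        self.seen = {}  # nonce -> time it was accepted

    def _prune(self, now: int) -> None:
        # Nonces older than the window are dropped: the timestamp check would
        # reject them anyway, so the replay cache stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= WINDOW_SECONDS}

    def handle(self, req: dict, now: int) -> tuple:
        """Return (accepted, flag_or_reason)."""
        self._prune(now)
        expected = sign_request(self.secret, req["service"], req["nonce"], req["ts"])
        if not hmac.compare_digest(expected, req["tag"]):
            return False, "bad tag"        # forged or tampered request
        if abs(now - req["ts"]) > WINDOW_SECONDS:
            return False, "stale"          # old capture replayed outside the window
        if req["nonce"] in self.seen:
            return False, "replay"         # same capture replayed inside the window
        if req["service"] not in self.flags:
            return False, "unknown service"
        self.seen[req["nonce"]] = now
        return True, self.flags[req["service"]]


def demo() -> dict:
    """Walk through a legitimate request, then the replay and tampering cases."""
    svc = FlagService(SHARED_SECRET, {"wiki": "flag{constructed-sample}"})
    t0 = 1_000_000
    req = scorebot_request(SHARED_SECRET, "wiki", t0)
    results = {"first": svc.handle(req, t0)}                      # accepted
    results["replay"] = svc.handle(req, t0 + 5)                   # same nonce again
    results["late"] = svc.handle(req, t0 + WINDOW_SECONDS + 1)    # past the window
    results["tampered"] = svc.handle(dict(req, service="mud"), t0)  # tag no longer matches
    fresh = scorebot_request(SHARED_SECRET, "wiki", t0 + 5)
    results["fresh"] = svc.handle(fresh, t0 + 5)                  # new nonce: accepted
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

The nonce cache is what defeats the in-window replay; the timestamp bounds how long that cache has to grow, and the tag binds both to the shared secret so neither can be adjusted by a team that only holds a capture. `hmac.compare_digest` is used rather than `==` so the tag check does not leak timing information.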