I participated in the Pros V Joes CTF competition at BSides Las Vegas this year. It was intense.
The setup on day one is that you are a member of a blue team entering a compromised environment. You have multiple tasks: respond to service requests, maintain uptime for a couple services such as WordPress and ftp, find artifacts left behind by the attackers, and repel new attacks. The attackers don’t attack for the first two hours.
The environment was very well designed. We had vSphere to see most systems. There was a nice mix of Windows endpoint and server versions, a few Linux systems, an Asterisk PBX, and a pfSense firewall. I’m happy it was a pfSense firewall. I’m told they used Cisco ASA in previous years. The ASA is extremely rough to manage; I’d prefer to never see one again.
We started by doing network discovery, patching, and checking configurations. We also started responding to customer requests via calls, tickets, and emails. The tickets were all pretty basic and represented real world requests in this situation. Through network discovery, we found a few systems the customer neglected to mention to us.
Our failing was our lack of experience with Asterisk. We focused on other systems as we knew those systems. The red team immediately hit it when they were able to attack and took it down. While the phone wasn’t under SLA, we couldn’t receive tickets via phone and started receiving email tickets asking us to fix the phone system.
Day two was a repeat of the day one environment with some minor changes. A member of the red team would join us and we would be battling the other blue teams. We could start attacking each other immediately. Given the results of day one, the PBX was the main target. Everyone’s PBX immediately went down. I’d suggested a strategy of immediately blocking the Internet from our environment and taking the SLA hit while we patched. We decided against the strategy, hoping we could remediate fast enough.
Would I participate again: Yes!
Are conference attendees getting older on average? A fellow attendee made the observation at DerbyCon. ShmooCon is probably combating this with their Shmooze-A-Student program as well as their guarantee of tickets for West Point. But what about the others?
The theory given was that DerbyCon and ShmooCon are hard to attend. Tickets sell out extremely quickly. The tickets are more likely going to people who have already attended and want to return.
Anyone else observe this or have any thoughts?
This was an interesting Security Summer Camp.
I stayed at the Tuscany the entire week. I cannot stress how awesome the Tuscany is. You’re right there for BSidesLV and then you have the shuttle that runs during DEF CON. It is amazing. The Las Vegas Strip is only a half mile walk as well. The change of venue for DEF CON next year will make the Tuscany an even more attractive venue.
I really liked the DEF CON badge this year. It is much nicer than the DEF CON 20 badge. I don’t care for the Egyptian theme from DEF CON 20. Of DEF CON badges though, 21 is still my favorite. The playing card design on a circuit board is just awesome. The DEF CON 20 badge is my favorite of any conference.
The BSidesLV badge from this year is also pretty cool. I like the poker chip design. It is way better than the chunk of metal from 2013.
Of swag, I planned to buy a copy of Adam Shostack’s book on Threat Modeling. Given that he is being accused of rape, I decided to hold off. I’d think that if I were accused of a crime, I’d at least offer some sort of response. The silence is strange.
The BSidesLV pool parties were my favorite evening festivities. I didn’t bother attending any Black Hat parties this year. The pool party at the Tuscany was awesome. theSummit benefit was fun, but BSidesLV beat them. I wanted to participate in Bloodkode again this year, but I had the sniffles and was disqualified from giving blood. I did finally participate in Be The Match though.
I enjoyed Jessy Irwin’s talk on education security at BSidesLV. I’m used to the issues with manufacturing and patching. You have to wait for downturns of processes for industrial control equipment. It’s life. I never considered that IT professionals in education have similar restrictions. Patching has to be done during breaks and Apple’s release in September is amazingly inconvenient.
CustoDiet by Quadling and company seems like a nice idea for a tool. I’d love for a platform for being able to provide security to my family networks. Hopefully it is a successful project.
DEF CON was awesome. I had a somewhat negative outlook going in. Everyone complains about crowds and not being able to get in to talks. I assumed DEF CON was going to be like Black Hat where I’d have trouble meeting people. None of that ended up being true.
To keep costs down, I registered on the forums and found people to crash with. It worked out great. I’d do it again. My regret is that I didn’t have time to participate in any of the activities. I didn’t go to Toxic BBQ, DEF CON Shoot, Hacker Jeopardy, etc. I need to go to some of that stuff next year. I only participated in Blood Kode besides going to talks.
The top two talks I attended were BYO-Disaster: Corporate Wireless Still Sucks by James Snodgrass and Josh Hoover and the DNS May Be Hazardous To Your Health by Robert Stucke. There were plenty of great talks, but those were the best for me.
The BYOD talk covered a range of exploits to get a mobile device to think it is connected to a corporate network. From there, the rogue access point hits the user with a prompt and the user is guaranteed to enter their credentials. The technical exploits were interesting and the social engineering was impressive. In short, mobile devices will accept an authentication success from a wireless network even if no authentication attempt had actually been made. Most users probably wouldn’t even check their wireless settings in my opinion. Those that do (like me) would probably just assume it was a proxy glitch or something and enter credentials at the prompt.
The second talk on DNS was all around amazing. The presenter had a couple of crazy DNS tricks. First Robert covered DNS bit-flipping. He registered domains that were off by a single bit from a target and captured traffic. In his study, Google was the target and he managed to capture some traffic. I couldn’t find any indication of this in my environment though. Given the industrial nature, I was rather surprised. The second part of his DNS study was registering improperly resolved network objects. So for instance, a machine trying to find wpad for proxy settings should ask for wpad.domain.com. An improperly configured machine may continue up the chain and ask for wpad.com. His example organization was Accenture. I can confirm that. The final DNS game was registering old command and control servers to see if the botnets were still active. He found the botnets were still active and speculates an attacker could register the old domains to gain control of the botnets.
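The two DNS checks above are easy to turn around for your own domain: enumerate the names that are one bit away from it so you can watch for (or pre-register) them, and list the names a WPAD lookup would ask for as it walks up the suffix chain, flagging the ones that leave your organization. The code below is an added example written for this post, not the presenter’s tooling; the domain names in it (google.com, example.com, pc42.corp.example.com) are constructed inputs for illustration.

```python
# Added example (not from the original post or the talk): enumerate the
# single-bit-flip "bitsquat" variants of a domain you operate, and the names
# a WPAD lookup would request as it strips labels off the client's FQDN.
# Both are monitoring checks a defender runs against their own domain.
# All domain names used here are constructed sample inputs.

import string

# Characters allowed in a DNS hostname label (LDH rule, lowercase only here).
HOSTNAME_CHARS = set(string.ascii_lowercase + string.digits + "-")


def bitflip_variants(domain: str) -> set[str]:
    """Return every domain that differs from `domain` in exactly one bit of
    one character and is still a syntactically valid hostname.
    The dots between labels are never flipped; the original is excluded."""
    labels = domain.lower().split(".")
    variants: set[str] = set()
    for li, label in enumerate(labels):
        for ci, ch in enumerate(label):
            for bit in range(8):
                flipped = chr(ord(ch) ^ (1 << bit))
                if flipped not in HOSTNAME_CHARS:
                    continue  # e.g. uppercase, '.', control chars, >0x7f
                new_label = label[:ci] + flipped + label[ci + 1:]
                # A label may not begin or end with a hyphen.
                if new_label.startswith("-") or new_label.endswith("-"):
                    continue
                new_labels = labels[:li] + [new_label] + labels[li + 1:]
                variants.add(".".join(new_labels))
    variants.discard(domain.lower())
    return variants


def bit_distance(a: str, b: str) -> int:
    """Hamming distance in bits between two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("strings must have the same length")
    return sum(bin(ord(x) ^ ord(y)).count("1") for x, y in zip(a, b))


def wpad_lookup_chain(fqdn: str, org_domain: str) -> list[tuple[str, bool]]:
    """Names a client would request if it kept removing the leftmost label of
    its own FQDN and prepending 'wpad'. Each entry is (name, outside_org):
    outside_org is True once the remaining suffix is no longer under
    org_domain, i.e. a name anyone on the Internet could register."""
    labels = fqdn.lower().split(".")[1:]  # drop the host's own label
    org_domain = org_domain.lower()
    chain: list[tuple[str, bool]] = []
    while labels:
        suffix = ".".join(labels)
        inside = suffix == org_domain or suffix.endswith("." + org_domain)
        chain.append(("wpad." + suffix, not inside))
        labels = labels[1:]
    return chain


if __name__ == "__main__":
    # Constructed inputs; replace with a domain you operate.
    for name in sorted(bitflip_variants("google.com")):
        print("bitsquat candidate:", name)
    for name, outside in wpad_lookup_chain("pc42.corp.example.com", "example.com"):
        print("wpad lookup:", name, "(leaves org)" if outside else "")
```

Feeding the bitsquat candidates to your passive DNS or domain-monitoring source tells you whether any of them has been registered; the WPAD chain shows which lookups a misconfigured client would send past your own zone, which is also what you should expect to see in DNS logs if the search-suffix walk-up is happening on your network.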