Re: A Challenge

From: Chet Uber (eidetic@mindspring.com)
Date: 12/22/01


From: Chet Uber <eidetic@mindspring.com>
Date: Sat, 22 Dec 2001 06:59:25 GMT

Scott Craig wrote:
>
> I don't know the person being referred to or the company, but I'd just like
> to remind people that it could be more than promoting themselves. If I had
> good intentions of running a security company or if I had bad intentions
> upon the world, I could see benefit from doing such an event.

Thank God for rational minds. At least one open enough to examine the
possibilities.

> Good Intentions
> ----------------
> Let's assume the system is only protected against what is known. I would use
> this event to discover attack techniques that have not been publicized or I
> may have not stayed awake for in computer invasion class. Of course I'd be
> hoping that the most elite hackers would show.

I am going to try to explain a couple of things that may shed some light
on this event. First of all, this is one event in a week long
information security conference; and it coincides with a day long
"Intrusion Detection, Incident Response, and Deception Workshop." Ron
Woerner from the Nebraska State Department of Roads is heading up the
Incident Response part, and Marcus Ranum is heading up the Intrusion
Detection. These events coincide on purpose, as after years of trying
to teach people to properly use computers we have found that the
hands-on imperative is the MOST important thing. Reading is necessary.
Teaching is necessary, but showing someone how to do something is the best.

So imagine if you will.

1. On this day of the week, there is this workshop. We have built it so
that it has INTENTIONALLY weak systems. The entire network is currently
just under 100 hosts. Setting this up on our end is no small task.
Anyway, we can fail systems at will, etc. and we teach people how to
recover BY THE BOOK if you will. In real time under real pressure.
Rebuild a clean system offline and get up for the Web Cast in 90
minutes. Drills are great. We can generate random attack traffic if we
need to (we do it all the time); but a real network under real attack is
a nice tool to learn on.

2. On this day of the week, there is a CONTEST and an EXPERIMENT going
on under the guise of "Steal Fred Cohen's Prizes." Fred is protecting
the entire network. The network is all fully functional, and unlike the
portions that are in use in that one workshop; we intentionally made the
rest -- NOT TO FAIL. These machines still have needed services (these
are not bare boxes), but we need them to stay up; and they are not
intended to be part of the workshop. People are being invited formally
by written invitation (read good enough to have a red team that competes
in these events on a regular basis) and informally through newsgroups,
advertising, and other means. All are equally welcome, however being
dedicated to doing this is a must. This is not a joke. Machines that are
intended to fail have small prizes, machines that are not intended to
fail have big prizes. It is the attack as a whole that is important. We
are looking at the traffic, and patterns in it. It is of much less
consequence to us whether it is a 0 day exploit, or something more
common. The prizes are to motivate: Fred to do a good job in locking
down the big prize boxes, and the attackers to try to defeat his
safeguards and steal those big prizes. The full rules will be out in
January, but this is a good "gist".

3. Universities, researchers et al may bring hardware and place it into
the data stream under arrangement with the technical team and the
hosting universities and other scientists participating. There are
requirements, benefits, and rules. You may request the data after the
fact for research purposes.

4. This is a unique event, in that it consists of 2 - 4 hour attacker
shitstorms against a single target network. We are trying to achieve N >
50 internal attackers, and N > 250 external attackers in each session.
This four hour session is recorded at many places over the network. This
network has many segments, switches, routers, wireless components,
remote segments, etc. We basically tried to model the network after a
complex multi site business. While we don't have departments like a
business; the machine room, workshop labs, registration, expo floor, etc
are working like one. This data has never been captured and made
available to researchers like this. Not that this magnitude of attack
hasn't happened, the data just isn't public.

 
> Bad Intentions
> ---------------
> Similar to above but I would have a laundry list of attacks to use
> elsewhere. I would have video cameras everywhere (thus the physical presence
> required), monitor all radio emissions used for access into the wireless APs
> for bursts to disrupt computer systems, and have multiple sniffers
> running (in case one gets taken out in an attack). I would of course also
> only give the prize out if the attack method to capture the flag was fully
> documented. Hey... I may even just be using a snapshot of my targeted system
> as the holder of the flag to go after.

Please do all these things. Van Eck monitoring equipment is invited.
There is a four hour special night called OVER THE TOP: Future Threats,
and it deals with active and passive electromagnetic warfare. We have a
demonstration on wardriving, Van Eck monitoring, and HERF devices. There
is a special call for papers in this area, and the ones so far are quite
good. The focus is on mitigating risk, and understanding the
technologies.

WE FULLY EXPECT the better teams to employ undercovers, bribes, cameras,
audio and more. This is EXPECTED and encouraged!! We are monitoring the
spectrums (HUMAN and SIGNAL) if you will. Peoples gotta test out
sensors. ;)

>
> Debatable Intentions
> ---------------------
>
> I would hope that the hacker who broke into my XYZ system shows up using the
> same attack that took it down last May which was using a very unique method,
> so that I may identify the little genius and turn him in with bad evidence.

Hehe.

>
> Just some added thoughts. Got to admit, my post is not taking out personal
> attacks against anyone, just showing my hesitations if I had such knowledge
> and time. (Time... the most expensive "thing"... does anyone get paid for
> their time? At least certificates to McDonalds or something - no tainted
> food I hope).

Thank you for the good hearted inquisition.

>
> --Member of the Paranoid Usenet News audience

Paranoia is an excellent asset.

--

Chet Uber, Senior Advisor
SecurityPosture
7660 Dodge Street, Suite D
Omaha, NE 68154
vox +1 402.498.2673
fax +1 402.391.3906
cell +1 402.671.9720
eidetic@mindspring.com
http://www.securityposture.com

If you are not the intended recipient be advised that you have received this email in error and any use, dissemination, forwarding, printing or copying of it is strictly prohibited. It is the responsibility of the addressee to scan this mail and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.

"We Break Things to Make Them Better" (c) 2001. Chet Uber. All Rights Reserved.
