
Security News #0x86: The MACCDC Edition

Congratulations to UMBC, who won the just completed Mid-Atlantic Collegiate Cyber Defense Competition. The University of Maryland came in second and we at Towson came in third. Thanks go to the organizers, especially Lewis Lightner for putting on a professional event. Thanks also go to the red team (captained by Rob Fuller); they are all volunteers who take time out of their schedules to come down and help teach my students. Well done all!

  • Raphael Mudge has an excellent post on the red team perspective of the first five minutes of a CCDC event. If you haven’t seen how a CCDC event runs, students are given (usually) older unpatched systems, and the start of the event is utter mayhem as students try to change default passwords and update systems while the red team is busy pwning all the things and setting up persistence. He ends with the question: should it be this way? As a professor and coach, I say emphatically no. The just completed MACCDC event had students defending unpatched Windows 2000 and Windows 2003 servers and a Red Hat 7.2 server. Most defensive tools don’t work on such antiques, and the threat model is just silly. Why does CCDC rely on such old systems? MS08-067. This, along with default credentials, is the usual way (not the only way) that red team gets its initial footholds on systems. When I teach my class (which uses these types of exercises extensively) we do not use anything older than Windows 7 / 2008 R2. The systems are unpatched, but not vulnerable to remote network attacks like MS08-067. To ensure red team gets a solid foothold, student teams are restricted to choosing passwords from a small list; they are also required to open any emails received, visit any requested web pages, and run any received programs. This gives red team a variety of ways to get in, which means students can zero in on one or two attack types; they also get to use and deploy many other defensive tools (EMET or SRP, anyone?). Competitions differ somewhat from classes, but as competition systems move towards virtualization there is no reason why the competition could not include unprivileged users on workstations doing all of the things real users do: opening carefully prepared packages of joy sent by attackers. If we don’t move to a model like this, the day will come when students are asked to defend systems that are older than they are.
  • While I am thinking about the Red Team- the Nyan cat that was used to overwrite all of those MBRs is available.
  • Lockboxx has a write-up on the just completed WRCCDC from the Red Team perspective.
  • The Metasploit module to exploit Firefox 31-34 (CVE-2014-8636) is now available.
  • Are you unsure how to set up and execute a reverse shell? Check out Arr0way who has put together an excellent cheat sheet.
  • Did you know that Metasploit has a post module to search through local Outlook email messages?
  • Windows registry keys can be made more difficult to examine by using non-ASCII characters.
  • It looks more and more like it is time to move away from RC4 in TLS.
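A check for the registry item above, as an added example that is not code from the original post or from the linked write-up: it walks a few common autostart locations and reports any key or value name containing a character outside printable ASCII, listing the code points so an analyst can see exactly what was used even when the characters render as blanks or look-alikes. The location list is an assumed starting point, not an exhaustive one, and the script assumes Windows PowerShell 3 or later with read access to those hives.

```powershell
# Added example, not from the original post: flag registry key and value
# names that contain characters outside printable ASCII. Assumes Windows
# PowerShell 3+ and read access to the hives; the location list below is an
# assumed starting point (common autostart paths), not an exhaustive survey.

$Locations = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

# .NET regex: any character outside 0x20-0x7E (space through tilde).
$NonAscii = '[^\x20-\x7E]'

function Get-NonAsciiCodePoints {
    # Return the offending characters as U+XXXX so the report stays readable
    # even when the characters themselves are invisible or look like ASCII.
    param([string]$Name)
    $hits = foreach ($c in $Name.ToCharArray()) {
        if ($c -match $NonAscii) { 'U+{0:X4}' -f [int]$c }
    }
    return ($hits -join ' ')
}

function Find-NonAsciiRegistryName {
    param([string[]]$Paths = $Locations)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        # Include the root key itself plus everything beneath it.
        $keys = @(Get-Item -LiteralPath $path) +
                @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)
        foreach ($key in $keys) {
            # Key names: PSChildName is the leaf name of the key.
            if ($key.PSChildName -match $NonAscii) {
                [pscustomobject]@{
                    Path = $key.Name; Kind = 'Key'; Name = $key.PSChildName
                    CodePoints = Get-NonAsciiCodePoints $key.PSChildName
                }
            }
            # Value names under the key (the RegistryKey object exposes them directly).
            foreach ($valueName in $key.GetValueNames()) {
                if ($valueName -match $NonAscii) {
                    [pscustomobject]@{
                        Path = $key.Name; Kind = 'Value'; Name = $valueName
                        CodePoints = Get-NonAsciiCodePoints $valueName
                    }
                }
            }
        }
    }
}

Find-NonAsciiRegistryName | Format-Table -AutoSize
```

One caveat: this only sees what the Win32 registry API enumerates. Key names that embed a NUL character are a separate trick (they are reachable through the native API but not through regedit or `Get-ChildItem`), so a clean report from this script does not rule out hidden keys; it is one check among several, not a substitute for comparing hive files offline.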
  1. Some White Hat
    April 2, 2015 at 10:34 pm

    “He ends with the question- should it be this way? As a professor and coach, I say emphatically no.”

    As a professor, coach, and a professional who’s worked in the field for 15 years in both the financial sector and now the DoD side, I have to enthusiastically disagree.

    I think the ability to defend old systems is very important.

    Ancient systems are part and parcel of something we call the Real World. I’ve worked in industry for over fifteen years, and I can tell you for a fact that old versions of Windows are still in use, sometimes as CRITICAL systems. I now spend my time of late working in the military sector, and I can tell you that things are no different over there. I have friends in other verticals, in big, medium, and small companies, that confirm it’s rather endemic.

    Companies are often slow to update their systems. Many are either unwilling to upgrade, or in some cases, unable to.

    I participated in a CTF that Tim Rosenberg ran in 2009 (not CCDC). Before that game, he said, and I’m paraphrasing here, “Some of you will complain that ‘these systems are too old! We shouldn’t have to defend them because it’s not realistic!’ Oh really!? What reality is that? Because I’d like to live there! In the Real Production systems I’ve had to deal with, there are old, unsupported systems in the worst places!”

    Having said all that, complaining about how the Red Team can get in just misses the point of the exercise. But the game is not about keeping Red Team out, because in the real world, we can’t keep Advanced Adversaries out.

    The point of the game is: OH SHIT, they got in! NOW WHAT DO WE DO??

    If the point of the game is to deal with them once they got in, does it matter if it was MS08-067, MS05-039, or MS03-026 that they used? (never mind that there’s plenty of MS08-067 out in the world still!)

    There is always a way in. But what happens after they do?

    But, back to old systems, having to deal with Red Team squatting on a Win2K3 box or a RedHat 7.2, or some other old box is certainly something that happens in the Real World. It’s a funny phenomenon – often the most critical systems are the ones that are the oldest, because of things like the software you need isn’t manufactured anymore, so you’re stuck running that Industrial Control system on WinNT 4.0SP4. So, after they penetrate your perimeter by client side attack, drive by download, or even insider threat, there’s little to stop them and plenty of poorly defended systems for them to pillage.

    Management decides what systems we geeks and hackers get to defend, based upon their business interests and the bottom line, not what security says is important. We have little say about it in most cases.

    Oh, your security tools don’t work on older platforms? That’s a shame, but your security tools aren’t doing very much on more modern systems. Antivirus, IDS, and even sandboxes can be easily evaded in more ways than can be counted. We’re in a really bad way as defenders, and it’s not getting better any time soon. If you want proof, just look at all the breaches from last year – Target, Home Depot, PF Changs, UPS, the list goes on and on…

    It’s not about the tools, it’s about the abilities of your people. It’s about dealing with whatever crap you’re forced to defend, because that’s the way it is in the Real World.

    THAT is what CCDC is all about.
