Security News #0x86: The MACCDC Edition
Congratulations to UMBC, who won the just completed Mid-Atlantic Collegiate Cyber Defense Competition. The University of Maryland came in second and we at Towson came in third. Thanks go to the organizers, especially Lewis Lightner for putting on a professional event. Thanks also go to the red team (captained by Rob Fuller); they are all volunteers who take time out of their schedules to come down and help teach my students. Well done all!
- Raphael Mudge has an excellent post on the red team perspective of the first five minutes of a CCDC event. If you haven’t seen how the CCDC event runs, students are given (usually) older unpatched systems, and the start of the event is utter mayhem as students try to change default passwords and update systems while the red team is busy pwning all the things and setting up persistence. He ends with the question- should it be this way? As a professor and coach, I say emphatically no. The just completed MACCDC event had students defending unpatched Windows 2000 and Windows 2003 servers and a Red Hat 7.2 server. Most defensive tools don’t work on such antiques, and the threat model is just silly. Why does CCDC rely on such old systems? MS 08-067. This, along with default credentials, is the usual way (not the only way) that red team gets its initial footholds on systems. When I teach my class (which uses these types of exercises extensively) we do not use anything older than Windows 7 / 2008 R2. The systems are unpatched, but not vulnerable to remote network attacks like MS 08-067. To ensure red team gets a solid foothold, student teams are restricted to choosing passwords from a small list; they are also required to open any emails received, visit any requested web pages, and run any received programs. This gives red team a variety of ways to get in, which means students cannot simply zero in on one or two attack types; they also get to use and deploy many other defensive tools (EMET or SRP anyone?). Competitions differ somewhat from classes, but as competition systems move towards virtualization there is no reason why the competition could not include unprivileged users on workstations doing all of the things real users do- opening carefully prepared packages of joy sent by attackers. If we don’t move to a model like this, the day will come when students are asked to defend systems that are older than they are.
- While I am thinking about the Red Team- the Nyan cat that was used to overwrite all of those MBRs is available.
- Lockboxx has a write-up on the just completed WRCCDC from the Red Team perspective.
- The Metasploit module to exploit Firefox 31-34 (CVE-2014-8636) is now available.
- Are you unsure how to set up and execute a reverse shell? Check out Arr0way who has put together an excellent cheat sheet.
- Did you know that Metasploit has a post module to search through local Outlook email messages?
- Windows registry keys can be made more difficult to examine by using non-ASCII characters.
- It looks more and more like it is time to move away from RC4 in TLS.
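On the registry item above: a defender wants those non-ASCII key and value names surfaced rather than hidden. The following scanner is an added example (not code from the linked post); it reads a `.reg` export as produced by `reg.exe export` (UTF-16LE with a BOM) and reports every key path or value name containing a character outside printable ASCII, with the offending code points named for triage. The sample export is constructed.

```python
"""Flag registry key and value names that contain non-ASCII characters."""
import re
import unicodedata

_PRINTABLE_ASCII = re.compile(r'^[\x20-\x7e]*$')

def is_suspicious_name(name: str) -> bool:
    """True if the name contains any character outside printable ASCII."""
    return not _PRINTABLE_ASCII.match(name)

def describe(name: str) -> str:
    """List the non-ASCII code points in a name with their Unicode names."""
    return ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}"
                     for c in name if not 0x20 <= ord(c) <= 0x7e)

def scan_reg_export(data: bytes) -> list:
    """Parse raw .reg bytes; return (key_path, value_name_or_None, detail) hits."""
    # reg.exe writes UTF-16 with a BOM; fall back to UTF-8 for hand-edited files
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    hits, current_key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                  # [HKEY_...\path] section header
            if is_suspicious_name(current_key):
                hits.append((current_key, None, describe(current_key)))
        elif line.startswith('"') and current_key is not None:
            # value line: "name"=data ; the name ends at the first unescaped quote
            m = re.match(r'^"((?:[^"\\]|\\.)*)"=', line)
            if m and is_suspicious_name(m.group(1)):
                hits.append((current_key, m.group(1), describe(m.group(1))))
    return hits

# Constructed sample: a clean key, a key with a zero-width space, a value name
# with a Cyrillic 'a' in place of the Latin one
SAMPLE = ("Windows Registry Editor Version 5.00\r\n\r\n"
          '[HKEY_CURRENT_USER\\Software\\Example]\r\n"Version"="1.0"\r\n\r\n'
          '[HKEY_CURRENT_USER\\Software\\Exam\u200bple]\r\n"Run"="c:\\\\tmp\\\\x.exe"\r\n\r\n'
          '[HKEY_CURRENT_USER\\Software\\Other]\r\n"Upd\u0430te"="x"\r\n')
SAMPLE_BYTES = b"\xff\xfe" + SAMPLE.encode("utf-16-le")

if __name__ == "__main__":
    for key, value, detail in scan_reg_export(SAMPLE_BYTES):
        print(f"{key} | value={value!r} | {detail}")
```

Run it against a real export with `reg export HKCU\Software out.reg` and `scan_reg_export(open("out.reg", "rb").read())`; the Unicode names make zero-width and look-alike characters obvious in the report.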