Archive for April, 2012

A Rochester TOOOL Chapter

Apr 21 2012 Published by under Lock Picking,News

The first official meeting of the Rochester TOOOL chapter happened this last Thursday. You may have met Jason Ross, the organizer of the group, at 2600 meetings, at BSidesROC, presenting at BlackHat, or at whatever other infosec event you’ve been to in the area. He’s been working with TOOOL.us to get a chapter started locally, which makes Rochester part of a small group of TOOOL chapters in the US.

The Open Organization Of Lockpickers is organized in the U.S. by Deviant Ollam and Babak Javadi, but the group started in the Netherlands. If you’ve ever been to a hacker con, you’ve probably seen a lockpick village, and it was probably run by one of the people from TOOOL, if not Deviant or Babak themselves. The group’s main goal is spreading public knowledge about lock picking, lock mechanisms, and physical security in general.

I think an equally important side effect of this group is erasing the fear that’s associated with lock picking. 99% of the common (non-infosec) folk that I tell I’m interested in lock picking, or that I tell about TOOOL, first give me this sly look like I’ve just disclosed an illegal secret to them. Others are afraid of buying lock picks because the government might put them on the Owns-A-Lockpick-Set List. I think this fear wears off after you’ve been around people that have been doing this for a lot longer than you and you understand the legal issues.

TOOOL in ROC

What does a chapter do? Why is there one in Rochester? Exactly. Well, in general, the way the group sounds like it’s going to be organized is that there will be actual members as opposed to open gatherings. If you want to know where the next meeting is going to be, you should become a TOOOL member and get involved with the group. I’m not sure, but most likely what will happen at the meetings is, first of all, you’ll meet like-minded folk and spread knowledge about lock picking, of course, but I think you can plan on there being a presentation or two on a regular basis. At this last meeting, Chaim Sanders presented on the basics of lock picking, the same presentation he gave with us when we went down to NYC to run the TOOOL lock picking booth at Maker Faire. Other than that, you’ll be able to use the picks, locks, and whatever other tools the local chapter owns, a collection which is building up quickly.

Here’s another way to put it, a list of reasons you might want to get involved:

  • learn about lock picking from experts
  • help spread the knowledge of lock picking to other individuals
  • meet smart people
  • get a major discount on lock picks and practice locks
  • practice picking locks on a wide variety of hardware
  • drink beer with smart lock picking people while you get a discount on hardware and practice picking locks with experts

Membership is free right now so you just need to sign up on the list.

Bigger Plans

Besides the group helping its own members, I’d like to see the organization reach out to the local community. One example would be to run a lock picking table at a local festival and teach the public about the security of locks. Selling lock pick sets isn’t out of the question either, and that would help pay for things like new hardware or new tools. I’m also hoping that the members can be available to travel to other cities and put on their own lock picking demos. We did this in NYC during Maker Faire and it was a blast. I’d love to get the opportunity to do it again, and with more people.

Go check out the website as it’s being set up. It just came online today, so don’t judge it too hard. 🙂

TOOOLROC.org

6 Months of Tor in the Clouds!

Apr 11 2012 Published by under Tor


It’s been 6 months since I started running a Tor bridge node on an Amazon EC2 instance. Back then, Tor had just announced an initiative to get people setting up cloud images to run as bridge nodes. This was during the then-recent upheaval in the Middle East, where connections to the Internet were either disabled completely or heavily restricted as to which sites could be reached. Tor couldn’t help with re-establishing network connectivity, but where the blocking was of Twitter and other social networking sites, Tor and its bridge nodes could get around it.

Skip this paragraph if you already know about bridge nodes: Tor has built-in features that make it hard to detect at the protocol level. When a user establishes a connection to an entry node, the data is encrypted and designed to be difficult to fingerprint, so firewalls and network policies have trouble telling who’s using Tor. Since the list of Tor entry nodes is public information, companies/countries/fascist organizations have instead taken that list and blocked access to every node on it. Bridge nodes were created to circumvent this: they are entry points that are deliberately kept out of the public directory. When users find themselves blocked from connecting to the Tor network, they can request a bridge node in a couple of different ways; most commonly, emailing “[email protected]” will get an automatic reply with a current bridge node. But why am I explaining this? Go here to learn all about them.

Running a bridge node works perfectly on Amazon’s Free Tier, since a bridge sees lower traffic than an entry or exit node. In fact, I have not spent a single penny while running it.
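As an added example (not the config from the original post, and not the Tor Cloud image’s own), here is the kind of torrc that turns a small EC2 instance into a bridge of the sort described above. The nickname, contact address, port choice and the accounting cap are assumptions: the cap is there to keep the bridge inside the free tier’s monthly data transfer allowance, so check your own account’s limit before copying it.

```conf
# /etc/tor/torrc for a bridge relay on a small EC2 instance
# (added example; nickname, contact, port and the volume cap are assumptions)

# Run as a bridge rather than a publicly listed relay, and register the
# descriptor with the bridge authority only, so the address never shows up
# in the public directory that blocklists are built from.
BridgeRelay 1
PublishServerDescriptor bridge

# Port clients connect to. 443 is chosen because it is usually allowed
# outbound even on restricted networks; any reachable port works.
ORPort 443

# Bridges only forward traffic into the Tor network; never act as an exit.
ExitPolicy reject *:*

# The instance is a relay, not a client: no local SOCKS proxy.
SocksPort 0

# Assumed nickname and (scrape-resistant) contact address.
Nickname ec2bridge
ContactInfo admin AT example DOT org

DataDirectory /var/lib/tor
Log notice file /var/log/tor/notices.log

# Rate limits so a single burst of users cannot saturate a small instance.
RelayBandwidthRate 100 KBytes
RelayBandwidthBurst 200 KBytes

# Monthly volume cap. Tor counts sent and received bytes separately and
# hibernates once either direction reaches the cap. The 12 GB figure assumes
# a free tier allowance of about 15 GB/month outbound (check your account) and
# leaves headroom for the descriptor uploads and directory fetches.
AccountingStart month 1 00:00
AccountingMax 12 GBytes
```

Two practical notes: the EC2 security group must allow inbound TCP on the ORPort, or the bridge will never be reachable; and binding a port below 1024 means Tor either starts as root and drops to its unprivileged user or is granted CAP_NET_BIND_SERVICE, which is worth checking for your distro’s package. Also keep in mind what a bridge does and does not hide: it hides the relay’s address from the public list, but the Tor handshake itself can still be fingerprinted by deep packet inspection, which is the problem pluggable transports were later built to address.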

Below are the hours with the highest usage, in bytes. The November spike was definitely the Middle East unrest, and you can probably chalk up most of the others to the same. I was trying to correlate a specific event with each of these days but couldn’t find any. If you notice something, let me know. My guess is that a blog post went online showing more people over there how they can use Tor and bridge nodes. To get set up and run a bridge node of your own on an EC2 instance, you can read more here.

Date        Hour   Bytes
11/21/2011  16:00  5034870
11/21/2011  17:00  3861440
11/26/2011  06:00  51935
12/6/2011   14:00  41933
12/11/2011  17:00  38003
1/8/2012    18:00  230296
2/2/2012    15:00  65177
2/28/2012   08:00  786658
3/1/2012    08:00  47005
3/1/2012    09:00  149672


RIT ISTS Red Team

Apr 01 2012 Published by under News,Rochester 2600

Here is a brain dump of what happened this weekend at ISTS 9, SPARSA’s Information Security Talent Search. A bunch of the people from 2600, including Raphael Mudge, Punkrokk, Joe, Gerry, and others, were part of the Red Team.

Define:ISTS

The event worked like so: there were 13 Blue Teams, the groups competing in the event. Their job was to take the 5 servers they were given, run specific services on them in order to get points, and, a little different from other competitions, hack into other teams for points. Points for all of this were tracked throughout the weekend. Finally, there were challenges to be performed that were worth more points.

I really like this style for students compared to CCDC or other competitions that try to give competitors a simulation of running an enterprise network. Those competitions force competitors to stand up services, defend against attacks, and write little reports that explain how the attackers got in and what the remediation plan is. That is a great simulation of a real enterprise environment for students looking to get into a career as a systems administrator, but ISTS gives you a chance to show off your security skills, even the offensive ones.

Day 0:

Friday, students fill up the GCCIS auditorium and the mood is really light. Teams are wearing silly hats, and the group that won last year is feeling pretty confident that they’ve earned some cred to be there again. The red team is stalking in the corner, marking its prey. SPARSA goes over the rules, hands teams their packets, and lets them know how the next day goes. Each of the teams has the rest of the night to go home and build up their attack boxes as VMs. That’s right, they’re allowed to bring their own VMs, just to attack other players.

The next morning, we arrive at RIT to meet the red-eyed SPARSA members who have been working through networking issues all night.

A side note about the network this year: it was very well done. This may seem like a silly thing to note, but seriously, when you have almost 100 people pummeling each other over the network, issues will occur. Compared to other years, there were very few issues. Last year we were without a connection for a long time. This year there may have been a blip here and there, but it was quickly remedied.

The battleground is RIT’s Innovation Center. If you’ve never seen this thing, it’s like something out of Swordfish or The Matrix. The walls are all glass, including the partitions inside the space itself. The Fish Bowl is slathered with power plugs, ports, projectors, and preposterously plush amenities.

May The Odds Be Ever In Your Favor

Let me make sure I explain the insanity of the first 30 minutes. Blue teams walk in with their own VMs loaded up with whatever scripts or automated attacks they want to launch. That’s every team of 5 people, ready to kill the other 60 players with all kinds of attacks. And then there’s Raphael, prepped with his Armitage server, automated scripts, and a big smile on his face.

If I were competing, I would have chosen a tactic for the first part of the event, just like in The Hunger Games. If you’re going to battle ninja v ninja, you had better make sure your weapons and foo are strong or you’ll end up a bloody pile of empty dreams. If you’re relying on a strategic victory, you may decide to focus your energy on protecting yourself from others’ attacks; I call this the run-into-the-woods strategy.

Let me also just say that the Red Team had no special information related to the event… though we tried. In fact, in some ways the Red Team is not necessary, because all the other teams are already breaking into each other.

We let the students trickle into their stations and the battle begins. We are just scanning subnets when Raphael announces “I have 10 shells!” His scripts have automatically installed meterpreter sessions that are phoning home, and his persistence scripts automatically make sure that we can come back to these boxes later. The rest of the red team is destroying boxes, the same as what the Blue Teams are doing to each other.

Let’s be honest, the best part about being on Red Team is messing with the other teams. The Blue Teams all started with VNC open, which made for some hilarious hacker watching. The first was a team that put all their attack scripts on their desktop. One of these was actually a pretty cool attack script: a reverse shell that automatically tweeted a user’s password when they owned a box. Follow the ISTS Twitter account to see the fun they had.

The other one was a group that decided to plug in a drive that contained a lot of personal information, including a resume. We passed the file to a netcat (nc) listener that Justin Elze had running on his machine, printed it out, and hand delivered it to the group. One team member figured out how to break into a box and trick a hard drive into having a single sector. No, seriously. This is pretty awesome. The box was never heard from again; it couldn’t be reformatted. Raphael had some fun with one team’s SMTP server and a VNC payload. I’m sure that video will show up somewhere soon.

UPDATE 4/1/12 8pm: Video is up

What’s Next

I usually come to the same conclusion after every year which is “damn, I wish I had planned for X.” I think this year, the conclusion is that, “damn that was fun. Let’s do this more often.”

Interlock has recently been donated a bunch of really good equipment. One of the servers has 20 GB of memory and lots of hard drive space. We’re going to be setting up a proper Warzone that will allow us to run these types of events whenever we want. I’m going to rely on the other 2600 people to get something cool set up.