Archive for the 'News' Category

B-Sides Rochester: Plans

Jan 25 2016 Published by under BSidesROC,News

It’s another year of BSidesROC, a local hacker con that we put together. Our sixth year actually. Not everyone really cares about how BSidesROC has changed over the years but it’s hard not to at least mention them for posterity and laugh at our failures.

I think that BSidesROC has evolved with the times or at least updated their memes. Year one was all about the memes and just messing around and to be honest, we didn’t care if anyone even showed up. We were going to have fun and hang out whether people attended. Today, here we are with a big group of organizers, 3 tracks of presentations, and hopefully even a keynote. We’ve gone from un-conference to regular conference and I think that’s OK. It’s what people told us they wanted.

After the first year we started doing surveys to figure out what people actually wanted. Turns out a lot of people liked BSidesROC and looked forward to it, but didn’t really care about whether we made it an un-conference. I think we were trying so hard to make it like BSidesLV but really not that many people went to BSidesLV to care. So we built our own thing.

The Challenge of Finding Sponsors

There are inherent challenges with running a local con on a shoe-string budget. I say this every year, “We can’t do this without our sponsors.” I know this is a line that sounds robotic and everyone says it but I lack the ability to express this. It’s not the easiest thing for a bunch of hackers to go out and try to pitch this conference as something they want to advertise in. One quick story about someone that gets it though.

In the first year, Jason Ross and I were coming up with names of people we should talk to about sponsoring. We had seen this pretty awesome skull logo with keyboards, and concluded that whoever these guys were, they get “it”. (Honestly if you put skulls in anything I automatically want to be your friend.) So I nervously called Steve Stasiukonis (who I affectionately now call “Secure Steve”) and tried to give him my pitch. I don’t remember exactly what was said but it was something like this:

“Yeah, we’re like, a free and open hacker con and we’re all about having fun and we just want to build a hacker community…”

And he jumped in with, “Cool, but I’ll only do it if you make sure it’s not some kind of vendor fest. I’ll send you a check.”

This was the first time that I think someone figured out what we were trying to do and our first sponsor. Not only have he and Secure Network Technologies been sponsoring us every year since, he’s given some of the most entertaining presentations, hooked us up with presenters, and provided us with gear.

The Horizon of 2016

Every year, we almost start from scratch. You may think we have some scripts that run like ./init_bsidesroc.py --year=2016 graphics=random_meme.jpg  but we put a lot of time and effort to come up with something that we think is better than last year or meets our interests. Being at a big venue like RIT affords us some options in terms of better presentation equipment and grabbing local college kids and just makes us seem more “legit” somehow. I’m sure we’ll fix that, don’t worry. 🙂

Cryptobar

The last few years we’ve had an anti-surveillance undertone that I think most of the industry has shared. This year, I’m stepping it up with an idea I call “Cryptobar.” It’s a dedicated area that attendees can go to learn how better to lock down their gear and learn about the latest ultra-secure operating systems like Qubes and Subgraph.

New Designs

Last year was the first year we asked a local artist to build what they saw as a hacker con art piece. It was used on our shirts and badges and the entire process was a lot of fun. We’re hoping to do something similar this year.

Keynotes

I’m hoping that the people I’m talking to come through on a keynote. My underlying motive is to give students some perspective on the industry outside of what their school provides. We’ll see how it goes.

New CTF

We have a new team working on the CTF this year. Hacker Battleship remains the theme but expect more interesting challenges that you’ve never seen before. Also expect more shell code exploits. 🙂

Actionable Visualizations And Silo Breaking

Dec 12 2015 Published by under Intelligence,News,OSINT,Rochester 2600

This post on hackernews got my attention. It’s an IoT-based visualization showing your activities and health metrics. It’s very flashy and interesting looking, like you’re going to see it in an episode of CSI Cyber. The term “actionable” I’ve usually applied to government types discussing the latest threat intel but we can also take it to apply to our visualizations.

Actionable visualizations should provide the viewer with brand new information that could not have been easily concluded before. This was a common problem with threat intel practices in years past. You would collect tons and tons of information and render it into a beautiful graph and then look at it and go, “Yup, there’s a graph of all the stuff I already knew.”

Street Corners

Along the lines of circular information collection, I’ve always thought that one of my generation’s problems is how easy it is to never have to listen to disparate positions. I’m able to hide in my corner of the Internet and learn about only the things that I need, and you sit in your corner and we never have to interact. It’s a perspective I took away from the book, Amusing Ourselves To Death.

In my city, like your city, there are lots of different meetup groups and interest meetups and meetups related to meetups. We have programming languages, maker group, security groups, whatever, and they all operate in their own “silos” to take a corporate reference. There are a few outliers that will cross-pollinate by visiting each of the groups when possible and we consider them community advocates.

Where am I going with this?

I’m part of a few groups that will often throw events. We’ll do classes or social events that are open to the public and we want to get the word out but you know what, I just end up telling my own silo about an event that they already knew just like the IoT visualization that tells me what time I ate dinner. How do I stop telling people (and myself) about information that we already know?

Thus, my tryst into visjs to attempt to apply some of the threat intel type relationship modeling (like Maltego) to community outreach. The goal, just like that of social media analysts and intelligence operatives, is to try to identify “key influencers” in the area. I’m trying to identify various active communities to make sure that they’re involved when trying to do outreach.

Silo Sociogram

To self-criticize using my beginning premise, this is far from actionable at this point. I haven’t learned anything that I did not already know. I’ve sent out a comment to a few friends to try to expand this to get their perspective on relationships and see if 2600, Interlock, and other community groups might be able to try to break out of their own circular communications.

BSidesROC 2014 and whatever a privacy workshop is

Mar 25 2014 Published by under BSidesROC,News

Rochester’s version of a Security B-Sides is coming up next week. There’s a rush to finalize everything and there might be a question about this new event I’ve referenced as “Privacy Workshop”, “OPSEC Training”, or just AntiTree talks for 3 hours. The Privacy Workshop Track is something that came out of an ad-hoc event that @CJP has been doing for the last couple of BSidesROC’s. He would walk in and say “I want to do a key signing party” and we’d go “Awesome!” and set him up with a table. This workshop/lecture series is an expansion on this idea where we said we’d like to do more than just key signing, we wanted to teach you what you’re doing and get you started. As GPG is a pretty good answer to some of the surveillance out there, I thought I would expand it into a series of presentations focusing on other tools with a similar goal. I’ve broken it down into three parts: Connectivity, Communication, and Operations. The tools I’ll be focusing on will be Tor, TAILS, and GPG. Operational security with TAILS, anonymous connectivity with Tor, and secure communications with GPG.

With Tor, my main goal is to address the most common questions like “But I bet the NSA has a backdoor in Tor, right?” So I’ve turned it into a discussion about how Tor works, and ways it can be broken. I’d be happy to discuss real threats to Tor, but I’m pretty bored with the “Tor is funded by the government” tin-hat talk. I find it actually really interesting the challenges that Tor has so in other words, I’m just looking for people to have conversations with. 🙂

GPG and TAILS are both hands-on workshops aimed at getting your hands dirty with both of the tools. GPG is pretty straightforward for the most part and I’ll go into a few extra tips that I think are interesting and then go through Keybase.io if there’s time.

With TAILS, I’ve even built some USB sticks with TAILS prebuilt on them. I thought it might be interesting for the workshop to provide a hands on experience as quickly as possible.

Of course all of this is still up in the air, so I reserve the right to change everything. 🙂 I’m just hoping that with all the time I’m putting into putting this together, there are people actually interested. 🙂

New Year Review – 2014

For a few years now, I’ve been stating my plans for the rest of the year, and reviewing how the previous year went. Here’s the review:

Last Year

Major Con Presentation

One of my goals was to be accepted into a “Major Con” for some definition of that word. This year I presented at Derbycon, GRRCon, Defcon Skytalks, BSides Detroit, and the Rochester Security Summit. I will say that my moon shot was to be accepted into 30C3 but I was aptly turned down.

Intel/OSINT/OPSEC Project

This intel/OSINT/OPSEC topic has bugged me for a few years now and thanks to Edward Snowden, I think I chose a good year to work on it. I put a ton of research time into formalizing what an intelligence gathering campaign would look like, and even implementing it. I even wrote some tools to help me get the job done. I presented my research at GrrCon, RSS, and BSides Detroit. I’ll admit, it’s a bit of a fluffy, opaque subject to talk about, which is why I really wanted to do the research and be done with it. The output from the research is just some new tools in my arsenal.

Hardware Hack into a PCB

Last year, although I was messing around with my hardware hacking project (that I was asked to take down), I never moved it from a proof-of-concept breadboard, to my own custom circuit. This year, I was able to build a couple circuits and get them fab’d. But I didn’t design them so I still think that’s cheating. Going through the process of loading an Arduino with AVR software was a big enough step.

iButton Door System


This was a failure. Some of us still talk about it but I didn’t build an iButton door system. I have all the hardware and Raspberry Pis to do it, I just haven’t put the time in.

Mannequin

My poor mannequin has been around for years. I’ve chopped her head open and loaded her up with an xbee controlled arduino, I’ve made her my T-Shirt model for BSides Rochester, but this was to be the year of her demise. I accomplished this in a fantastic fashion though using Tannerite – an explosive that we packed inside of her.

3D Printing A Model

This was just a fail. I didn’t print anything really. We used a 3D printer to make the badges for BSidesROC this year, but I never actually went through the process myself.

Unplanned Accomplishments

There have been some interesting unplanned accomplishments this year:

  • Becoming a minister and performing in someone’s wedding ceremony
  • Going to Korea, twice
  • Building a silicone brain
  • Having a thermite party to destroy all of my old media
  • Operating a back hoe
  • Receiving my first DMCA request

Next Year

Grown-up Things

This is the year I know I’m going to have to and want to do some of what I would call Grown-Up Things. Things that aren’t necessarily about completely full-blown chaos and fun. One being learning about how businesses work, forming an LLC, and paying attention to financials. There are some other things but where’s the fun in discussing that. I just know that this year will be filled with a lot of “Adult” opportunities.

Crypto

Although I have a decent understanding of crypto, I’d like to put some time in and develop this into a skill. A friend of mine is taking the Stanford Cryptography class and I’m hoping we can learn that together. But beyond that, I’d like to apply it to some actual research. Maybe doing some basic crypto audits of something like BitMessage. I’ll never be a cryptographer, but I’d like to be able to identify and exploit poor cryptographic implementations.

Development

I have a decent ability to make something in Python, but it’s all scripting. I’ve never taken a class or anything that would give me any kind of structured development style. My goal for this coming year is to further build my development skills beyond just scripting and hacking things together. Ideally I’d like to join a development team on a project of some kind.

Bitcoin

Gah – Bitcoin… when I say it out loud it sounds so stupid. But this year I’ll be putting time into learning how the bitcoin protocol works, the community that supports it, and slightly riding the roller coaster as it goes up and down. Last year I was doing intelligence when Edward Snowden released all his intel, this year I may be doing Bitcoin when we watch the first crypto currency become regulated.

Hardware RE

This year hasn’t taken me into much hardware reverse engineering lately. I’ll be looking for an interesting project to spend some time on.

ISTS X

Mar 25 2013 Published by under News,SPARSA

Another year, another ISTS. For those that haven’t heard the Information Security Talent Search (ISTS) is a yearly event run by RIT’s SPARSA group — a student run organization. This isn’t your run-of-the-mill hacking competition. ISTS was one of the first (if not the first) to actually bring an offensive perspective to the competition.

Here’s your job:

  1. Keep your services running – the longer they are up, the more points you get
  2. Stop your opponents from running services. Hack, exploit, social engineer, whatever.. make their boxes go down.
  3. Complete the business injects that are given throughout the day
  4. Complete the various challenges faster than your opponents

Sounds simple right?

Setup

As always, SPARSA worked hard to get the system up and working by opening hours. And as always, that didn’t necessarily work out. But to be fair, to configure the competition the way it needed to be was not a simple task.

Last year we had a power outage in the opening minutes of the competition, this year, we had some networking issues that delayed us about an hour and a half. Minus a few other issues like the Red Team didn’t have enough networking equipment to begin, we were good. Issues aside, the SPARSA people worked insanely hard to organize this event and I think overall it went over amazingly.

This year was the introduction of Col. Sanders – a no nonsense representation of the worst case boss you could ever have. When the Red Team exfiltrated sensitive information off the network, it was reported to Col. Sanders who would bring in the affected team and give them a stern yelling. First offense was a single team member, second offense was the entire team.

But if your entire team has to go into the office, this leaves your physical security lacking.


In previous years, the problem (for the Red Team) was that after about a half a day, the Blue Teams would figure out how to lock down their services or replace them with secure versions of services, and we would be in a bit of trouble having to dig deep for some attack vectors. This year was great because teams would often decide to roll back to a previous version of their system, restoring all of the old vulnerabilities that they had just patched.

Red Team

Our red team this year was made up of Raphael Mudge (Cobalt Strike), Joe Werther (MIT Lincoln Labs), Jason Ross (Intrepidus Group), Corey Sinay (Booz Allen), Phillip Martin (Palantir), Tim April (Akamai), Rusty Bower (Palantir), Justin Elze (Accuvant), Charles Profitt, (anyone I’m missing) and myself [UPDATE: Forgot our freaking group leader – JP Bourget of Syncurity].

Our job was to add some anarchy to the already stressful environment. Although competitors were already attacking each other, it was our job to attack everyone as well. Cruel and entertaining.

War Stories

This was a pretty unfortunate blood bath. To start off, we had the developer of effing Cobalt Strike with us who had default credentials on the boxes from the beginning. He built a custom listener that beaconed home via DNS. That’s all I’m going to say about that.

This year we added a cruel little detail. Unlike previous years where we would secretly just report issues we exploited to the White Team, we decided that public shaming was a better route so we created a subreddit dedicated to mocking the teams. Col. Sanders put this up on the screens in front of the contestants to let them see live what was happening.

I think Rusty did the Wingdings one – which replaced the fonts on the Windows machines with only Wingdings. You’ll see a lot of screenshots showing shadow files, exploiting web stuff, and dropping database tables (and complete databases in Jason’s case). VNC that was running on a lot of the machines made it extra interesting to watch their thought process. There was also some logging in via open MySQL instances.

Web Fun

I wish I could get more stories from others but I can tell you that I enjoyed playing with web vulnerabilities on the Sea Shell application. This was an app that had a directory traversal, a c99 web shell, a Chinese character shell, and a web shell inside of a picture of a shell!

We would take the C99 shell, and copy it over to another directory – usually the cgi-bin directory. This ended up being really difficult for some teams to detect so I would dump their shadow file to their index page, they would reboot and delete everything in /var/www and then I would dump their shadow file again and taunt them. It looked like this:


The last one, they added in some code that said if page = anything except login or blog, then print this nice message. But they never found the issue.

I ended up just scripting the whole thing because this was a waste of time.

You’ll see this did a command injection using the “Seashell.png” and tried to use the c99 shell  if it was there to dump /etc/shadow to their main page. One just printed “balls” to the main index page. I noticed code that tried to detect this specific attack that would search for “balls”. Others gave up and changed their static page to this:


The whole point of this was to knock down the score so it was run on all the teams every 60 seconds. I ran it for about 4 hours and it kept getting new groups that were rolling back their machines to previous versions I think.
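The detection gap described above, where teams wiped /var/www while a copied script sat in cgi-bin, is the case a file-integrity baseline over every web-served directory covers. The following is an added example, not code from the original post or the competition; the /usr/lib/cgi-bin location, the file names and all file contents are constructed assumptions.

```python
import hashlib
import os
import shutil
import tempfile


def snapshot(roots):
    """Return {absolute path: SHA-256 hex digest} for regular files under roots."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue  # skip symlinks and special files
                with open(path, "rb") as fh:
                    state[path] = hashlib.sha256(fh.read()).hexdigest()
    return state


def compare(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(
            p for p in current if p in baseline and current[p] != baseline[p]
        ),
    }


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo():
    """Replay the blue-team response from the post against a constructed tree."""
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "var", "www")
        cgibin = os.path.join(base, "usr", "lib", "cgi-bin")  # assumed location
        site = {  # constructed known-good content
            os.path.join(docroot, "index.html"): b"<h1>Sea Shell</h1>",
            os.path.join(docroot, "img", "Seashell.png"): b"constructed bytes",
            os.path.join(cgibin, "status.cgi"): b"#!/bin/sh\necho ok\n",
        }
        for path, data in site.items():
            _write(path, data)
        baseline = snapshot([docroot, cgibin])

        # Constructed tampering: an unexpected file appears in cgi-bin and
        # the index page is overwritten.
        _write(os.path.join(cgibin, "copied.php"), b"placeholder, inert")
        _write(os.path.join(docroot, "index.html"), b"overwritten")
        tampered = compare(baseline, snapshot([docroot, cgibin]))

        # Response described in the post: delete everything in /var/www and
        # put the site back. cgi-bin is never touched.
        shutil.rmtree(docroot)
        for path, data in site.items():
            if path.startswith(docroot + os.sep):
                _write(path, data)

        # A check scoped to the document root now reports a clean system...
        docroot_baseline = {
            p: h for p, h in baseline.items() if p.startswith(docroot + os.sep)
        }
        narrow = compare(docroot_baseline, snapshot([docroot]))
        # ...while a check over every web-served directory still shows the copy.
        full = compare(baseline, snapshot([docroot, cgibin]))

        def rel(report):
            return {
                kind: [os.path.relpath(p, base) for p in paths]
                for kind, paths in report.items()
            }

        return rel(tampered), rel(narrow), rel(full)


if __name__ == "__main__":
    for label, report in zip(("after tampering", "docroot only", "all roots"), demo()):
        print(label, report)
```

Keep the baseline off the monitored host, and re-run the comparison after any rollback, since the post notes that restoring an older image brought the old vulnerabilities back.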


Offense Is The New Black

I can’t say enough positive things about the experience of ISTS. It was well organized, managed by hard working people, and all in all went off without major issues. From a talent search perspective, I think that ISTS is far beyond many of the other competitions that have always been doing a Defend and Remediate approach to emulate IT environments. Now that we can all agree that we need offensive people as well as defensive people, companies should be paying attention to these people at ISTS.

Again, ISTS has been doing offensive security way before it was cool making them the hipsters of hacker competitions.


UPDATE 3/26: More people are blogging from the redteam:

Justin Elze:

New Year Update and Review

Dec 31 2012 Published by under News

Last year, I wrote a post outlining some of my focus points for the rest of the year. This is a review of those tasks and an updated perspective for the next year.

Last Year

Hardware Security Projects

Last year, I generically noted that I’d like to get into more hardware security projects. I took on the Juke Box project which was a mixture between hardware hacking, radio, and mobile. I’ve also been doing a lot more soldering to work on Travis Goodspeed’s FaceDancer 11 and GoodFet. I think the new pile of hardware hacking tools in my office reflects a consistent interest in this.

Radio Waves

I’ve never had a specific reason for getting my HAM radio license, and I can’t say I’ve really gotten too deep into the HAM community in Rochester, but I have been into a lot more RF related projects this last year. Again, the Juke Box project is an example. I also learned a lot more about using a USRP N210 thanks to Intrepidus Group. Although years down the line, my end goal is to be able to more easily reverse engineer RF signals and hardware. The Juke Box was a good introductory project but some of my next steps have started getting into two way proprietary RF communication. Just writing my own protocols and analyzing them. This has no professional application but I still find it interesting.

Mobile Hacking

I gave myself a goal of “mobile hacking” for this last year but I knew that there was no way I couldn’t improve on this. Work gives me a lot of opportunities to dive into mobile projects so I’ve kept up to date on Android and started diving into Windows Phone 8. Compared to Android, this is a completely foreign monster and a new perspective on a mobile OS. I still won’t be putting my Android down anytime soon but WP8 is going to be pretty interesting. I put on my goal for last year to get into iOS development. While I think I have a decent understanding of the platform from a security perspective, knowledge-wise, I’m still heavy on Android. Unfortunately when I’m deciding what I want to work on over the weekends, Apple just doesn’t rustle my jimmies enough to get motivated. I will still learn more about it but instead of fun exploration, it’ll need to be disciplined learning.

BSidesROC

My goal last year was to do another B-SidesROC. Again, pretty predictable that it would happen but I wasn’t sure if it was going to be a “Security B-Sides” event or just a locally run con. There’s been a lot of drama that comes with BSides in the past year so we weren’t sure. People like Jack Daniel, quadling, and banasidhe are still involved in the project which is the only reason I still have hope. Anyways, this next BSidesROC has been ramped up to include a lot of new organizers. People that have been behind the scenes and turned into organizers, and new people that just want to be involved in the project. Every year is pretty stressful but I have a lot of fun attending.

Interlock

In my post last year, I was planning to replace myself as the Vice-President of the organization. I can say that I succeeded in that, but unfortunately I failed at keeping myself out of the organization’s officers. Berticus stepped down from his two-year tenure as President and I somehow was put in as his replacement. The president position has, since the inception of the group, been something I stayed away from. Mostly because I did not want the group in any way to appear to be “mine” or “led by.” That couldn’t be further from the truth. In fact, I don’t think that the organization would be as cool as it is if it wasn’t for the previous presidents’ involvement. You may find it interesting that I needed to convince Alan, our first president, to become the lead. He is a natural leader and was perfect for the group but he needed a couple dozen shots of Jameson at the local Scottland Yard to convince him to do it but it was worth it. Anyways, I think the group has matured and become defined so there’s not much for me to screw up.

Unplanned Fun

Besides all of the above goals, some things have come about either naturally or accidentally. One of those was doing a few presentations at BSides Detroit and Defcon Skytalks. I took what I thought (and still do) was a pretty weird presentation about hacking RF and hardware and turned it into a pretty entertaining presentation. I really enjoyed the research time (especially at the bar) and I think people appreciated that it was just fun. I also got back into doing internal assessments. It had been a while since I switched jobs that I was doing internals again. Good times.

Next Year

This coming year, I can see a lot of the same goals but I’d like to be more specific.

Major Con Presentation

Last year, I had this silly presentation that I submitted to a few things. This year, I’d like to be able to apply some serious research into some kind of topic and present at a major con (that one of my friends is not running). Speaking at a con really has no benefit to me and in some ways, I feel like a whore doing it. But I feel like I haven’t contributed enough to the community lately, it would make my employer happier, and it’s a good item to scratch off my hacker bucket list.

Intel/OSINT/OPSEC Project

OSINT is such a crazy subject to me. The more I discuss it and learn about it, the more opaque and weird it is. I think that any hacker worth his weight in binary knows the standard OSINT tactics especially from a pentester’s perspective. But what about the next level of processing that content or controlling only relevant information? It’s one thing to say I can find the phone number for some guy in Seattle, it’s another to say I can find out when that guy hacks into someone’s system. I’ve also lumped into this subject OPSEC that is in some ways, a counter-intelligence practice. There are a lot of weird ways this could take off but it’s been a research topic of mine for a while. I can see it being applicable from a malware analyzer’s perspective, or pen-testers, or whatever. I’d like to gain a higher understanding of some of the concepts and apply the research either privately or publicly.

Hardware Hack into a PCB

One of my goals this year is to turn a hardware hack from using tools and breadboards, to a full circuit. This was always the plan with the Juke Box project but it never really arrived. I’d like to find a new project and turn it into a simple circuit. Simple, but a good opportunity.

iButton Door System

Berticus has made a very stable iButton door system at Interlock but I’d like to upgrade it to a Raspberry Pi to allow web administration of it. This may seem like an easy goal but completing this would give me a lot of knowledge about 1wire and electric strike plates that I think will be useful. The first goal is to replace the Interlock door system, the second is to start fitting my home doors with a similar mechanism.

Mannequin

That mannequin needs to meet its death this year. Either I rebuild her into something that is repeatedly useful, or I kill her off in a final explosive way. Either way, it needs to be done.

3D Printing A Model

This just needs to happen. This is kind of like all of my friends are jumping off a bridge so I’m going to need to do it as well. Really, from my perspective, there’s not a lot of horribly hackery things you can do with a 3D printer, but they’re just freaking cool. I think that I need to get involved with them, if nothing else, to just expand my knowledge into this realm. I’d like to see if I can’t print a 3D model of myself or someone else.

 

Defcon Skytalk: Jukebox Jacking

Jul 19 2012 Published by under Android,Defcon,News

Late next week, JustBill and I will be presenting at Defcon/303 Skytalks in Las Vegas. The presentation, Jukebox Jacking, is a project I’ve been working on for longer than I want to admit. The short version is that I’ve been messing around with a jukebox in my spare time as a weird side project. It started out as just a mobile hacking project and then turned into RF and hardware hacking. Here’s the link: https://skytalks.info/talks.html#8

The good portion of this talk is that I think it’s funny how deep we went into this thing. The infosec in me feels a bit guilty because a few of the things I did, have no remediation path. There’s nothing they can do besides replacing the entire jukebox. Their original design was based on the thought that “Nobody would ever try this.” Sorry. :/

The talk is on Sunday at 10am. Yes, that DOES suck but I think it’s actually a correct slot for this talk. I’m not pretending that this is brilliant technical material nor is it interesting to everyone out there. Hopefully the take aways are that if you’ve ever wondered how this jukebox works, now you do, if you’ve wanted to get into RF and hardware hacking, these are some tools that could help, and if you want to get started with mobile hacking, this is how to do it.

I’ll be updating this page with the presentation and details of the project later.

UPDATE: changed link to project details.

 

BSidesROC Part I: Define Hackercon

May 05 2012 Published by under BSidesROC,News

There’s only a few days left for this year’s BSidesROC on 5/12/12. “Rochester’s first and only hacker con”. << Do you know why we say that? Not because we’re the only computer security conference, and not because we think other security conferences suck (well some do), but it’s because an info sec event is not the same as a hacker con. I’m talking about Rochester Security Summit for example. It’s been going on for years run by the local ISSA chapter and they do a good job. It is a corporate crowd. You expect that when you pay a certain amount of money that there’s a certain level of professionalism. And the people that attend are info sec professionals. A hacker con on the other hand…

Con != Conference

“Con” used to stand for “conference”, and it literally still does but it’s also a reference to the “con” community. Defcon, Shmoocon, Comicon, (FurryCon?). Each of these are conferences but there’s something else to it. Different. If you’ve been to Defcon or Shmoocon, your expectation is to have a ton of fun, meet cool people, and take part in fun activities with such people. In some ways, it’s much more of an intense experience because you’re not walking in with your button down shirts enjoying a coffee while you sit at the white circle table that hotels always have. That would be a conference. At Defcon you’re walking in with a black shirt ready to be punched in the face by awesomeness. You may look around and notice a lot of younger people but it’s not that the crowd is necessarily young; it’s the ideas and the passion usually associated with young people. And that’s what it comes down to in con versus a conference; passion. These people want to be here, they’re not being forced by their employers. They want to see what’s happening in a community.

Hacker != Infosec

Hacker: That scary word that Rochester is learning to accept. Slowly. You know the word, and the politics behind it. But I think there’s a big difference between hacker and infosec, both in how they act and the way they think. Hacker and infosec have an overlap of course, but a hacker refers to someone with a passion to learn about security. Infosec on the other hand is a job position or career path. It’s business driven, professional, and pretty easy to define. By day, I am an Information Security professional and I attempt to be professional and goal oriented when it comes to my job. At night, I’m a hacker that wants to learn things related to security whether or not they benefit my career.

Y U SO Pedantic

The point is to show that BSidesROC is a different beast than any of the other conferences in Rochester. Maybe it’s not better if you enjoy professional cons. But definitely better if you have a passion for security and don’t take life too seriously. And if you don’t like paying for things. It’s also a warning for those people expecting to walk into a comfortable sit-in-your-seat-and-listen event. Because this is not it. If you haven’t been to a hacker con, I strongly recommend that you come to this one if for nothing else, to see what a hacker con is like.

By the end of the week, I’ll include some details about what’s happening at BSidesROC.

A Rochester TOOOL Chapter

Apr 21 2012 Published by under Lock Picking,News

The first official meeting of the Rochester TOOOL chapter happened this last Thursday. Jason Ross, the organizer of the group, you may have met at 2600 meetings, BSidesROC, seen present at BlackHat, or whatever infosec you’ve been to in the area. He’s been working with TOOOL.us to get a chapter started locally which makes Rochester a part of a small group of TOOOL chapters in the US.

The Open Organization Of Lockpickers is organized in the U.S. by Deviant Ollam and Babak Javadi but the group started in the Netherlands. If you’ve ever been to a hacker con, you’ve probably seen a lockpick village and it was probably done by one of the guys from TOOOL if not Deviant or Babak themselves. The group has the main goal of spreading public knowledge about lockpicking, lock mechanisms, and physical security in general.

I think a cool side effect of this group that’s equally important, is erasing the fear that’s associated with lock picking. 99% of the common folk (non-infosec) people that I tell I’m interested in lock picking or let them know about TOOOL, first give me this sly look like I’ve just disclosed an illegal secret to them. Others are afraid of buying lock picks because the government might put them on the Owns-A-Lockpick-Set List. I think this fear wears off after you’ve been around people that have been doing this for a lot longer than you, and you understand the legal issues.

TOOOL in ROC

What does a chapter do? Why is there one in Rochester? Exactly. Well in general, the way that the group sounds like it’s going to be organized is that there will be actual members as opposed to open gatherings. If you want to know where the next meeting is going to be, you should become a TOOOL member and get involved with the group. I’m not sure, but most likely what will happen at the meetings is first of all, you’ll meet like-minded folk and spread knowledge about lock picking of course, but I think you can plan on there being a presentation or two on a regular basis. This last meeting, Chaim Sanders presented on the basics of lock picking; the same presentation that he gave with us when we went down to NYC to run the TOOOL lock picking booth at Maker Faire. Other than that, you’ll be able to use the picks, locks, and whatever other tools the local chapter owns which is building up quickly.

Here’s another way to put it, here’s a list of reasons you might want to get involved:

  • learn about lock picking from experts
  • help spread the knowledge of lock picking to other individuals
  • meet smart people
  • get a major discount on lock picks and practice locks
  • practice picking locks on a wide variety of hardware
  • drink beer with smart lock picking people while you get a discount on hardware and practice picking locks with experts

Membership is free right now so you just need to sign up on the list.

Bigger Plans

Besides the group helping other group members, I’d like to see the organization reach out to the local community. Maybe one example would be to run a lock picking table in a local festival. Teach the public about the security of locks. Selling lock pick sets isn’t out of the question either and that would help pay for things like new hardware or new tools. I’m also hoping that the members can be available to travel to other cities and put on their own lock picking demos. We did this in NYC during Maker Faire and it was a blast. I’d love to get the opportunity to do it again and with more people.

Go check out the website as it’s being set up. It just came online today so don’t judge it too hard. 🙂

TOOOLROC.org

RIT ISTS Red Team

Apr 01 2012 Published by under News,Rochester 2600

Here is a brain dump of what happened this weekend at ISTS 9, SPARSA’s Information Security and Talent Search. A bunch of the people from 2600, Raphael Mudge, Punkrokk, Joe, Gerry, and others were part of the Red Team.

Define:ISTS

The event worked like so: There were 13 Blue Teams, groups competing in the event. Their job was to take the 5 servers that they were given, run specific services in order to get points, and, something a little different than other competitions, hack into other groups for points. If you do this, you will receive points that are tracked throughout the weekend. Finally, challenges were to be performed that were worth more points.

I really like this style for students compared to CCDC or other types that attempt to give competitors the simulation of running an enterprise network. These competitions will force competitors to stand up services, defend against attacks, and write up little reports that explain how the attackers got in and their remediation plan. This is a great simulation for real enterprise environments for students looking to get into a career as a systems administrator, but ISTS gives you a chance to show off your security skills, even the offensive ones.

Day 0:

Friday, students fill up the GCCIS auditorium and the mood is really light. Teams are wearing silly hats, the group that won last year is feeling pretty confident that they’ve earned some cred to be there again. The red team is stalking in the corner, marking its prey. SPARSA goes over the rules, hands teams their packets, and lets them know how the next day goes. Each of the teams has the rest of the night to go home and build up their attack boxes as VMs. That’s right, they’re allowed to bring their own VMs, just to attack other players.

The next morning, we arrive at RIT to meet the red eyed SPARSA members who have been working through networking issues all night.

A side note about the network this year: it was very well done. This may seem like a silly thing to note but seriously, you have almost 100 people pummeling each other over the network, issues will occur. Compared to other years, there were very few issues. Last year we were out of a connection for a long time. This year there may have been a blip here and there, but it was quickly remedied.

The battle ground is RIT’s Innovation Center. If you’ve never seen this thing, it’s like something you’ve seen in Swordfish or the Matrix. The walls are all glass including partitions inside the space itself. The Fish Bowl is slathered with power plugs, ports, projectors, and preposterously plush amenities.

May The Odds Be Ever In Your Favor

Let me make sure I explain the insanity of the first 30 minutes. Blue teams walk in with their own VMs loaded up with whatever scripts or automated attacks they want to launch. That’s every team, of 5 people, ready to kill the other 60 players, with all kinds of attacks. And then there’s Raphael, prepped with his Armitage server, automated scripts, and a big smile on his face.

If I were competing, I would have chosen a tactic for the first part of the event, just like The Hunger Games. If you’re going to battle ninja v ninja, you had better make sure your weapons and foo is strong or you’ll end up a bloody pile of empty dreams. If you’re relying on a strategic victory, you may decide to focus your energy on protecting yourself from others’ attacks; I call this the run-into-the-woods strategy.

Let me also just say, that the Red Team had no special information related to the event… though we tried. In fact, in some ways, the Red Team is not necessary because all the other teams are already breaking into each other.

We let the students trickle into their stations and the battle begins. We are just scanning subnets when Raphael announces “I have 10 shells!” His scripts have automatically installed meterpreter sessions that are phoning home. His persistence scripts automatically make sure that we can come back to these accounts later. The rest of the red team is destroying boxes, the same as what the Blue Teams are doing to each other.

Let’s be honest, the best part about being on Red Team is messing with the other teams. The Blue Teams all started with VNC open which made for some hilarious hacker watching. The first was one team that put all their attack scripts on their desktop. This was actually a pretty cool attack script which was a reverse shell that automatically tweeted a user’s password when they owned a box. Follow ISTS Tweeter to see the fun they had.

The other one was a group that decided to plug in a drive that contained a lot of personal information. Including a resume. We passed the file to a nc listener that Justin Elze had running on his machine and printed it out to hand deliver to the group. One team member figured out how to break into a box and trick a hard drive into having a single sector. No seriously. This is pretty awesome. The box was never heard from again. It couldn’t be reformatted. Raphael had some fun with one team’s SMTP server and a VNC payload. I’m sure that video will show up somewhere soon.

UPDATE 4/1/12 8pm: Video is up

What’s Next

I usually come to the same conclusion after every year which is “damn, I wish I had planned for X.” I think this year, the conclusion is that, “damn that was fun. Let’s do this more often.”

Interlock has recently been donated a bunch of really good equipment. One of the servers has 20G of memory and lots of hard drive space. We’re going to be setting up a proper Warzone that will allow us to run these types of events when we want to. I’m going to rely on the other 2600 people to get something cool set up.