Capture The Capture The Flag
bgp4 writes: "During DefCon 8, the Shmoo Group sniffed all the Capture the Flag network traffic. For those that don't know, Capture the Flag is a weekend-long hacking contest held at DefCon each year. The network dumps have now been posted and are available here. Hopefully by making this data available to the public, software developers will become more aware of how vulnerable their software really is and fix the root of the problem. Better intrusion detection isn't the answer ... Secure software is. We're looking for mirrors, so if you'd like to host the data, please let me know."
The human body disagrees somewhat. The immune system detects intruders and stops them before they can cause damage. This allows security to be designed once and well, rather than requiring the additional overhead for each component. This becomes more important as programs get more complex and have more components. (more complex = less secure, but we can't mandate that all programs be simple, so we have to find another way).
Granted, there are other layers of security such as cell walls and nose hair, but the body still uses intrusion detection as a large part of its defense.
There's about 1.9GB of data total. File size varies from 100K to 600MB.
Just take a look at http://www.shmoo.com/cctf/data/ to see how large the files are.
Yeah, I noticed that. Seemed like a small amount of data, there.
I'm in the process of downloading the data from Shmoo's CCTF (from the Wiretapped site) and I plan to run it through snort for processing. I'll maybe run it through snort with some of the rules enabled. I haven't decided how much free time I have.
All you can do is manage the risks. There is no security.
This is music to my ears! I agree with your adept comment that altruism sucks, yet one can never sing the security song loud enough to management, with their semi-focus on the real issues in a product -- they salivate on profit and unachieved success while the deadlines they push are forcibly unreasonable.
Good management listens, and better managers do best to respect the lowly designers, who all tend to respect the job at hand. (Orwell, "Napoleon was a sturdy pig.")
The problem with society is that society has problems.
Management almost always is the root of all evil when it comes to product safety. While you can package security in your product, to whom you sell security depends on what you have to sell. We can sit here like a gaggle of winos, contemplating if a product is going to be secure, or we can push back deadlines and make things work correctly before D-Day.
Buddha said it best; "The gatherings of your neighbor are not meant for your jealousy!"
Management stiffs are often jealous. They often forget the reality of what's going on in the day-to-day because they are stuck looking at how good the new office rep has it.
Tell that to Mohammed. /d
I'd be curious to see the difference between the trace running the current snort ruleset (08292k.rules) and the pre-defcon ruleset (07272k.rules). I'd be happy to run against 07272k if you run against 08292k and we can figure out the deltas.
sound groovy?
I'm down with that, as it were
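The ruleset comparison proposed above, as an added example that is not part of the thread: a small script that reads snort fast-alert output from two runs over the same trace (say, one with 07272k.rules and one with 08292k.rules) and reports which signatures fire only under one ruleset and which changed their hit count. The alert lines below are constructed for illustration, not real DefCon data, and the signature ids and messages are made up.

```python
import re
from collections import Counter

# Snort "fast" alert line: timestamp [**] [gid:sid:rev] message [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

def count_signatures(alert_text):
    """Map (gid, sid, msg) -> number of alerts in the text.
    The revision is deliberately left out of the key so that a rule whose
    rev was bumped between rulesets still counts as the same signature.
    Lines that do not match the fast-alert pattern are ignored."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group("gid")), int(m.group("sid")), m.group("msg"))] += 1
    return counts

def ruleset_delta(old_alerts, new_alerts):
    """Compare alert output from two rulesets run over the same capture.
    Returns signatures seen only under the old ruleset, only under the new
    one, and those present in both whose hit count differs."""
    old = count_signatures(old_alerts)
    new = count_signatures(new_alerts)
    only_old = {k: old[k] for k in old if k not in new}
    only_new = {k: new[k] for k in new if k not in old}
    changed = {k: (old[k], new[k]) for k in old if k in new and old[k] != new[k]}
    return {"only_old": only_old, "only_new": only_new, "changed": changed}

# Constructed sample output (not real data): same trace, two rulesets.
OLD_RUN = """\
08/29-10:01:02.000001  [**] [1:1000001:1] EXAMPLE port scan [**] [Priority: 3] {TCP} 10.0.0.5:4242 -> 10.0.0.9:21
08/29-10:01:03.000002  [**] [1:1000001:1] EXAMPLE port scan [**] [Priority: 3] {TCP} 10.0.0.5:4243 -> 10.0.0.9:22
08/29-10:02:00.000003  [**] [1:1000002:1] EXAMPLE old-only signature [**] [Priority: 2] {UDP} 10.0.0.5:53 -> 10.0.0.9:53
"""
NEW_RUN = """\
08/29-10:01:02.000001  [**] [1:1000001:2] EXAMPLE port scan [**] [Priority: 3] {TCP} 10.0.0.5:4242 -> 10.0.0.9:21
08/29-10:03:00.000004  [**] [1:1000003:1] EXAMPLE new-ruleset signature [**] [Priority: 1] {TCP} 10.0.0.5:1025 -> 10.0.0.9:80
a stray line that snort did not write and the parser must skip
"""

if __name__ == "__main__":
    for bucket, sigs in ruleset_delta(OLD_RUN, NEW_RUN).items():
        print(bucket)
        for (gid, sid, msg), val in sorted(sigs.items()):
            print("  gid=%d sid=%d %r: %s" % (gid, sid, msg, val))
```

Point the two inputs at the real alert files from each run and the three buckets give the delta the thread is asking for.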
I would also enjoy seeing the shell histories of the people who participated in this event.
When I see intrusion detection and honeypot articles, the most interesting thing IMO is seeing the shell history of the intruder. Shell history is one of the best ways to actually see an intruder's train of thought step by step, uncensored. Getting in, obtaining root, cleaning the logs, setting up rootkits and trojans, etc.
The other thing I take much joy in reading is IRC logs of hackers (posted in some honeypot articles). I feel the IRC logs are the best insight as to which hackers are the real thing, and which ones are just script kiddies begging new spl0its off of the veterans and innovators.
The immune system detects intruders and stops them before they can cause damage. This allows security to be designed once and well, rather than requiring the additional overhead for each component.
Some of the most successful viruses (e.g. AIDS) attack the intrusion detection system directly.
XGNOME vs. KDE: the game!
Will I retire or break 10K?
Doesn't anyone believe Bruce Schneier? The whole crux behind any effective computer security is prevention, detection, and response. Doing without one is asking for trouble.

Just like a physical security device such as a lock or a vault, all secure software does is buy you time. It's a preventive device in the same way a lock or vault prevents theft. Eventually, someone, somewhere will break it, if they're determined enough and no one stops them. Even the vault at NORAD will yield to people with blowtorches and several thousand tanks of acetylene and oxygen, and the equivalent in dynamite of several tactical nuclear warheads, if the Strategic Air Command didn't take notice of what was going on at the vault gate. Or if someone drove up to the gate carrying a 25 megaton nuclear warhead pilfered from the old SS-18 bases in Kazakhstan. They'll get in eventually, even if it takes them a year or more.

Telling people that they don't need better intrusion detection is like telling the folks at SAC not to put guards up in front of the gate at Cheyenne Mountain or install cameras to watch what goes on there, since after all, "the gate is secure. So now you don't need to know that someone's trying to get in." Absolute BS. Eventually, someone will find a way in no matter how good you think your security is. They may use the software equivalent of a blowtorch (or nuke) by taking whatever assumptions you had about your security model and turning them on their head. If you don't watch what's happening to your system, you can't take the appropriate steps to deal with it when something does happen. And something will happen, eventually. It's not a question of whether, but when. Then the question will be whether you'll be prepared to deal with it when someone tries to make you one of the own3d.

Prevention, detection, response. This article advises us to do without one of them. Don't listen to it. "Security is a process, not a product." --Bruce Schneier
Qu'on me donne six lignes écrites de la main du plus honnête homme, j'y trouverai de quoi le faire pendre.
You know, the annoying thing isn't that they troll, but that they do it so badly. Spam is the last refuge of the incompetent; in my day if we wanted to write flamebait we did it better.
Although this may be a bit off topic, I am just curious who has gone there and what kind of cool stuff is at Defcon. I've heard a few interview speeches in mp3 that sound cool. I may see you there next year :)
The problem is, insecure products work just fine as far as the user can tell. In fact, insecure products often work "better" (easier to setup and use) than secure ones.
Also, security is something that can only be proven in the negative (with very few exceptions). So a company can boast about how seriously they take security even when they don't have a clue how to write secure code. After all, they don't know that they are not secure, right? When holes are found they fix them while continuing to boast about how seriously they take security. For most people, software companies' claims of security are all they have to go on.
The programmers responsible may not even know that they are doing anything wrong. I've spoken with some application developers who think security consists of "passwords and stuff" even after I've shown them how to exploit bugs in their own code. And these are people who've written security-sensitive apps for some large corporations.
Maybe this will teach software companies to put less pressure on overworked programmers trying desperately to meet unrealistic deadlines. They don't realize that people don't work well when they don't have time to do their jobs properly. Many of these companies will never learn their lesson; if you doubt me, look at the number of known security holes in a certain operating system fittingly named after a hole in a wall.
I think you're a bit off. I think the even numbered rules go something like:
Rule 2: It's not secure unless it's authenticated
Rule 4: It's not secure unless it's authenticated
...
That said, you're very right in saying, "All you can do is manage the risks. There is no security."
--Be human.
Rule 1: It's not secure unless it's encrypted.
Rule 2: It's not secure unless it's encrypted.
.
.
Rule 47: It's not secure unless it's encrypted.
.
etc
Rule 0: Encryption (on its own) does not give you security. Sorry.
And, now, the important rules:
It's not secure "because they told me it was secure". The people at the other end of the link know less about security than you do. And that's scary.
It's not secure because "nobody cares what I do online." Wrong. Somebody might care. If it's online gaming, I will happily snoop your packets for an advantage.
I hate to spout the truism again, but here I go anyway: "Security is not a product. It's a process"
All you can do is manage the risks. There is no security.
We've been planning this for a while now, I think since April or so. It wasn't based on the MacHack thing at all... the group just came up with the idea.
;)
As far as the "decency" thing... The capture the flag network at DefCon is a LOT different than the public network at MacHack. There was only one purpose of the data on those wires: attempted compromises of remote systems. This data has real value to the security community, not random artistic value like the MacHack data.
"Hopefully by making this data available to the public, software developers will become more aware of how vulnerable their software really is and fix the root of the problem."
Get it?? the ROOT of the problem? hehe...
-j
-sigs of the world unite
Anyone on staff at Slashdot over this weekend:
bounce that fscking moron that insists upon loading your site with the kind of crap that makes me have to view at +2.
take back your site.
thanks.
The open source network analyser Ethereal at zing.org has a large number of protocols defined.
Another good analysis package is the SNORT intrusion detection system at snort.org.
Don't they have anything better to do?
Obviously not.
Tis a shame that one downside of the internet is that the average lamer is protected from what would get him beaten to a pulp in real life by the same actions.
What's truly sad is that when I was the age that most of these idiots probably are, I don't recall knowing anyone that would need to resort to such action to entertain their pathetic lives. Those of us who didn't fit in generally found other more rewarding activities to participate in. Trolling certainly wasn't among them.
-Restil
Play with my webcams and lights here
Ron Gula already posted DefCon8 data along with DC7 and SANS ID-Net dumps several weeks ago. The page says Toorcon captures will be available shortly.
Frustrated by firewalls? Try the Nmap Security Scanner
Ya know, one or two Penis Bird jokes could be funny. 26 in a day - sounds like you need to check out the large yellow thing when it isn't obscured by clouds.
I'm sorta interested in this, but I want to know how much data... That is something that most people who respond want to know: how much space will it take, and will it slow down servers? I'm still trying to get people to crack into my server at 216.231.36.2. Oh, and let's all get rid of that guy who is flooding Slashdot with shit about birds... I hate birds.
This is getting far too out of hand here, 157 replies to the thread... OK, that is lower than normal Slashdot: 11 replies at score 1. Uh, that is not right. I do not want to have to view at +2... I miss some interesting posts.
Better intrusion detection isn't the answer ... Secure software is.
You're completely wrong.
"Secure" isn't an object, it's a process. There is no such thing as "secure" in the sense you seem to imply.
In meatspace, we can't make a house that can't be broken into; it would no longer be a house.
The same is true of computer security. Secure software only keeps out the lamers, which is an admirable goal in itself, but is only part of the picture.
Intrusion Detection is about accountability, which combines with the law and the courts to result in deterrence; kind of like the way most people won't break into your house because they might be seen by your neighbors, they might leave fingerprints or other evidence, and you might have alarms or cameras, with all of that meaning that they might go to jail and/or get their ass kicked.
We know how to build good software, although we often don't do it. Intrusion Detection is where all the hot research is going to be for the next few years.
The latest is argus-1.8.1 from
ftp://ftp.andrew.cmu.edu/pub/argus/
See also recent discussions on future plans:
http://www.veriguard.com/Archive/Argus/2000/msg00161.html
--Neal
Go IETF!
Then please end it now.