Slashdot Mirror


Code Auditing the Defcon Way

An anonymous reader writes "Last weekend at Defcon, the best and brightest hackers got together to play Capture the Flag, a weekend long hacking event that is the premier event of its kind. According to the results, Shellphish won (UC Santa Barbara students led by professor Giovanni Vigna). An article at SecurityFocus states that the competition was far more technical than in previous years, focusing on reverse engineering skills and code auditing." From the article: "The game required skills that are also required by both security researchers and hackers, such as ability to analyze attack vectors, understanding and automating attacks, finding new, unpredictable ways to exploit things...It's about analyzing the security posture of a system that is given to you and about which you initially know nothing."

39 of 74 comments

  1. More technical? by Alex P Keaton in da · · Score: 3, Insightful

    Sort of like when extreme sports went mainstream... Seems like this is a better way for people to show of their skills for the ever growing, and ever more lucrative security business....

    --
    And All I Ask is a Tall Ship And a Star to Steer Her By
    1. Re:More technical? by kihjin · · Score: 1
      --
      This slashdot-related signature is a stub. You can help kihjin by expanding it.
    2. Re:More technical? by xcentrics · · Score: 2, Insightful

      "What it takes to be an elite hacker is to find vulnerabilities in custom software," said the Kenshoto member. "It is not code auditing per se. They have to reverse engineer, and we have made it difficult to reverse engineer."

      Real reverse engineering under Linux?!? Forget about it.
      I mean, the system is free, 98% of the software is free. Therefore there are no commercial _exe packers_ (I've never heard of any), so RE is not as hard as under Win, where anything can be packed, for example with ASProtect. If there were a new ASProtect for Unix systems then it would be a real RE challenge...

      --
      "Kata ton daimona eay toy." (Be true to your soul).
    3. Re:More technical? by Anonymous Coward · · Score: 2, Interesting

      http://protools.reverse-engineering.net/unpackers.htm

      Sorry to tell you this, because just like Shrinker, some bunch of dorks has also broken AsPack (as far as Win32 Portable Executable format packers/compressors go)...

      I use (or have used) both in the past not only to gain faster load time off disk (or even over LANs, because the decompression process only happens AFTER the read off the disk drive into memory, & thus at runtime today's modern VERY fast nearly 4 GHz CPUs more than make up for the decompression 'slowdown' in memory, as well as how fast memory is nowadays) but also to 'confuse' debuggers (disassembly tools imo more than anything) via 'obfuscation' of their code, which makes it harder on them.

      You can do what I do though, which makes it HARDER STILL on them (and, as a bonus effect, builds "native antivirus protection" into the app), which is, believe-it-or-not, hardcoding the application's compressed .exe filesize into the application @ its initialization (either form/screen creation or show methods), & testing it on disk.

      If the Win32 PE file changes its size even 1 byte (less or more) from its on-disk compressed size? DO as you like!

      After all, this IS what standard "viruses" do, add size & code to the end of the .exe afaik, so this DOES function as a rudimentary form of virus protection & stops your apps from spreading infectors like those, potentially @ least, because they let you know something IS wrong!

      This is what/how I do it in my code @ least. SO, what can you do IF the filesize changes? Well, limits of your imagination, or 'cruelty' I suppose...

      E.G.-> Reboot their machines, shutdown the program being 'hacked' or potentially virus infected since it changed its size (what I do), or if you are crueler than myself, anything you like (i.e./e.g.-> Blow their bootsector, lol).

      There is MORE you can do to protect against various "debuggers" like SoftIce &/or WinDbg for example RIGHT in your code though, even if they uncompress to attempt disassembly.

      API calls like IsDebuggerPresent, or the presence of SoftIce via routines present all over the internet for it (there are many of these).

      * :)

      APK

      P.S.=> It almost amazes me that folks build in .exe decompressors &/or stand-alone "debuggers" (hacker/cracker tools mostly imo), because they're like swords & double-edged, & often used to bypass password protected installers for the illegal filesharing circuits out there where you can get commercially produced software for ZERO cost...

      How's that done?

      Tools like SoftIce or Frog's Ice, WinDbg, & others like them OR techniques like DLL Injection as well! It's unfortunate, but, thievery abounds in this field...

      There is nothing you can really do, but make it TOUGH on those that practice it, via ideas like I use above as an example... & I am sure someone could figure out a way around that too, if not eventually!

      They do it by mis-using 'debuggers' like the ones I mention. I have NO respect for those that do that, by the by/personally... apk

    4. Re:More technical? by CryBaby · · Score: 1

      I suspect that the motivation behind changing the game was to de-emphasize the growing commercial aspect. If you've attended DefCon in the past few years and watched Capture the Flag, it felt like it was slowly being taken over by corporate teams (several teams were named after their company and/or displayed large company banners in the game area).

      This was still a "creeping" influence the last time I attended (not too long ago), but it sure felt like a trend.

      I can understand why companies are upset by the change. If I had an OS company, I'd sure love to be able to advertise that my product had been used to win Capture the Flag. Under the current rules, you can't use your own OS so the opportunity for "product placement" is decreased.

      Vendors are free to set up their own events for head-to-head product comparisons (and should), but having them at Defcon felt like having a BMW race team show up at a local gearheads' track event. It's not that the non-corporate participants can't compete - it just fundamentally alters the nature of the event.

  2. Re:Why do Defcon hackers prefer Linux? by Demogorgo · · Score: 3, Funny

    i wish i had a dollar for every time some bearded lowlife tried to put firefox on my computer. who do they think they're fooling?

  3. "According to the results" by Armchair Dissident · · Score: 3, Funny

    "According to the results, Shellphish won"

    Who wants to be that Shellphish hacked the results...

    --

    The ways of gods are mysteriously indistinguishable from chance.
    1. Re:"According to the results" by Armchair Dissident · · Score: 1

      be? be?! Bet!

      --

      The ways of gods are mysteriously indistinguishable from chance.
  4. Anyone parse that as professor Vagina? by Anonymous Coward · · Score: 1, Funny

    Damn, I need to get laid.

  5. Posture =) by PlasticMonkey · · Score: 1

    Haha, he said posture! - Nope, I don't get it either - hey it's early!

    Erm, on a serious note, how did the Defcon hackers get an overall score of 0?

    Why are they even *on* there? Randomness.

    -Phil

    1. Re:Posture =) by PlasticMonkey · · Score: 1

      Yeah, but it's still crazily low! The next runner up is like way ahead :p

    2. Re:Posture =) by viega · · Score: 1

      Well, they pretty much didn't play. First, only one of their team members showed up. Then, he recruited some people, but by the time he did, the green team had totally owned them. They sat there the whole time, but they might have even been helping out the green team.

  6. X (Hackers) Games by KarMax · · Score: 2, Insightful

    IMHO there is nothing WRONG with this kind of "x hacker games"; there is a lot of this kind of stuff: Hollywood movies, popcorn books (like The Da Vinci Code by Dan Brown), among others.

    The problem is when it begins to be serious "news" or an "event".

    The article tries to remark that the event is "pro" or "serious"; I don't get it...

    It's just a game!

    --
    Rock and Roll
    1. Re:X (Hackers) Games by b0urn3 · · Score: 1

      Actually, considering the amount of data that is collected from both wargames and the DC wireless network for research use, it is pretty "serious." Too bad next year's Defcon has been cancelled.

    2. Re:X (Hackers) Games by KarMax · · Score: 1

      Maybe you misunderstood me.

      I'm _NOT_ denigrating them, they are playing and this is good! I play too!
      I used "Da Vinci Code" in the example because it's a "best seller" book, a fictional novel, which was taken seriously as if we were talking about a SERIOUS book.

      Olympic games is a bad example to discuss, because I don't approve of Olympic games, I think it's stupid (medaling stuff).

      I don't share your point of view... I mean, being better all the time is what I want, but because I want to be better, not because I want something from someone; that doesn't make me better.

      You must understand that I don't denigrate them, I'm putting things in place; that's the problem I was talking about: you and of course some CEOs among others who look at some guy who shoots a LOT of things in an "ambiented" game (sounds good ;)) to do things he isn't ready for.

      Meanwhile this guy was shooting, there is another one studying the birds (he knows everything about them), and nature, and a lot of different weapons.

      Both are doing what they want to do, there is nothing wrong or anything like that with them, but some people are taking the guy shooting as if he was the other guy.

      Hope my point is more clear.
      C ya

      --
      Rock and Roll
  7. Well, as for myself, my PC runs OT/NT by RedLaggedTeut · · Score: 1

    Well, as for myself, on my PC the operating systems installed are OT(old testament) and NT(new testament).

    While I like how the OT is handling faults from a theoretical point of view, in practice I mostly use the NT, since applications keep on running and work together well.

    --
    I'm still trying to figure out what people mean by 'social skills' here.
    1. Re:Well, as for myself, my PC runs OT/NT by Exluddite · · Score: 5, Funny

      Yes and things have really improved from OT to NT. Used to be that when the system crashed, you were down for 40 days, with NT you're back up and running in 3.

      --
      What does this button do...
  8. Re:Why do Defcon hackers prefer Linux? by TimMD909 · · Score: 1

    "... [bunch o bullshit omitted]... but this is what a good business woman like myself sees." - You

    Well, years and years of feminism movements have just been killed. That argument is about as solid as my argument to my parents to pay for my marijuana habit... Sheesh

  9. Re:Why do Defcon hackers prefer Linux? by TimMD909 · · Score: 1

    Whoops forgot to mention that the test of whether a person should be allowed to make computer related decisions is......
    (drum roll please)
    CAN YOU FIND OUT HOW TO DL THE ISO FOR REDHAT!

  10. Re:Why do Defcon hackers prefer Linux? by James McGuigan · · Score: 1, Interesting

    The job of a linux distributor (such as Red Hat, Debian, Gentoo, Ubuntu etc) is primarily that of assembling a large quantity of free and open source software into an easy to use and pre-configured package. While they may write and contribute some of their own software to the mix, and do some customisation and bug fixes of their own, 95%+ of the software you see in a linux distro will be common to other distributions.

    I don't use Red Hat or Fedora myself, so could be wrong about the below, but... Fedora is developed by the community (Red Hat also helps to develop it) and is kept fairly up to date with new software releases. Red Hat Enterprise Linux uses a snapshot of Fedora as a core, keeps it stable (ie doesn't update it that often, just bug fixes), adds a few bits of proprietary software and adds in the support contract (most people buy Red Hat for the support). If you want Red Hat without the support and the RH branding, then maybe CentOS is what you are looking for.

    I would personally suggest Ubuntu Linux, which is Debian based; it's fairly well polished and most things will work straight out of the box, so you shouldn't need too much in the way of support to get it set up (though I have had some difficulties with the 64 bit version). Even things like Java, ATI/nVidia drivers and multimedia codecs can be gotten via apt-get (you may need the extras repository for some of these). If you need paid support, Canonical will support Ubuntu for $100 USD per computer per year (I haven't used them myself, so can't say how good they are).

    If you want free support, then google is your friend, as is reading the documentation, searching google groups, asking on mailing lists and visiting IRC channels. The only cost is the time and effort to find the answers for yourself (which doubles as a good education in Linux). You are not guaranteed an answer, but will usually find one, nor is there a time limit on how long it will take to find or receive an answer. This is the method that most individuals actually use, though it does require that you are willing to learn. In a business where time is money, it is possible that paid support may work out cheaper than your own time in searching google (it depends on how much your time is worth compared to the time saved via a support contract), but in comparison, I will ask you when was the last time you phoned up Microsoft and had them tell you how to fix your problem.

    As for the Mozilla Corporation, they are very new and haven't done anything that I could comment on, but I see it as very, very unlikely that its formation will have a detrimental effect on the development of free and open source Firefox. We already have Netscape as a commercial company that takes Firefox, gives it a customised setup, adds a lot of their own branding to the package, throws in a few proprietary components and calls it Netscape 8. Firefox is not the poor "free starter edition" cousin to Netscape 8. As long as people are interested in Firefox, then it will continue to be developed and it will always remain free.

    For businesses specialising in free and open source software, the "switcheroo" is fairly uncommon. FLOSS licences actually prevent people from doing a "switcheroo" on existing software; if it's been released as FLOSS then that version will be free forever. With non copyleft (ie GPL) licences (or when exceptions are made in the licence), someone can make a proprietary fork of the project and future versions of that fork may not be free, though others are still free to continue to work on the FLOSS version. This can also happen with copyleft or GPL software when only one person, or one group, owns ALL the copyright to the software and can thus change the licence for future versions (such as PHPedit). In many cases, where the software has been developed by the community, there are too many copyright holders for this

  11. Security Posture?!? by birge · · Score: 1

    Is anybody else disturbed by the growth of meaningless, self-aggrandizing jargon in this field? Attack vectors, security posture... Give me a break. These guys do good work; they don't need to puff themselves up with this kind of fantasy verbiage like some social scientist or art historian. When did people's egos get so big they need to invent cool sounding words for everything? We've got a serious arms race going on in the "my profession is cooler than yours" wars.

    1. Re:Security Posture?!? by duffbeer703 · · Score: 1

      I'm glad that I'm not the only one to notice and be annoyed by it. I find the compulsion to substitute "ph" for "f" everywhere even more obnoxious.

      The worst is the growth of "dark" words, darkmail, darknet, darkphish, argh... enough already!

      --
      Conformity is the jailer of freedom and enemy of growth. -JFK
    2. Re:Security Posture?!? by birge · · Score: 1

      Yeah, I'm extremely bitter because I can't figure out what attack vector means... My point, sport, is that I know exactly what it means, because adding "posture" after security doesn't add any meaning. It's just, well, posturing; nerds playing cloak and dagger, painting themselves as agents in an engagement that's far less interesting in real life than they'd like to believe. Hence, all the dark-this and black-that, as if we were talking about something more important than a computer file.

    3. Re:Security Posture?!? by birge · · Score: 1

      Wow. I never attacked anyone in particular. I think I pretty much addressed it as a general criticism, in fact one that is very common to other fields, so if you're just a minion going along with the flow, no need to feel picked on. What the heck did I do that constitutes "taking it out" on anybody?

    4. Re:Security Posture?!? by birge · · Score: 1

      I was talking about PEOPLE (i.e. an entire industry field), not a specific PERSON. You calling me a pompous ass is a personal attack, me faulting a group mentality isn't. If you had the stones to post under your own name, I'd have the chance to show you what a decent personal attack looks like.

      I agree that CV is pretentious as a word. But, there's a difference between a CV and a resume. And CV comes about historically; it's an older phrase than resume and people trying to get academic jobs have called their list of papers, etc. a CV for as long as anybody knows. However, there's no real difference between attack and attack vector, and it's not something people inherited. Some guys just thought it would make their jobs sound cooler by using a technical word (vector) in what is really a non-technical context. Just try to show me a sentence where I won't understand what you mean by removing the word vector. Same thing for security posture. Anyway, if hackers want to emulate academics in terms of being pretentious dicks, then I guess I've won my argument.

    5. Re:Security Posture?!? by birge · · Score: 1
      Guess what? An attack vector isn't the same thing as an attack. There are plenty of attack vectors that are never exploited through actual attacks.

      That's like saying there are a lot of pitches that haven't been pitched. I mean, pitch vectors that haven't been pitched.

      Look, if you consider making fun of an entire industry tantamount to personally attacking each individual, then fine, give me that power. At any rate, I'm sorry if my argument isn't as tight as you'd like. Maybe if I summarized it more eloquently, you'd quit being so knee-jerk defensive?

    6. Re:Security Posture?!? by birge · · Score: 1

      I think if you reread my first post, you'll see that I made a point of saying that I respected WHAT these folks do, and just thought the words were contrived. But you're right about MIT having a reputation for arrogance, and I really don't want to contribute to that. I didn't mean to sound arrogant, because my original point was that I don't like the way professions try to sound important by coming up with obfuscating phrases, when simple ones (or existing ones) will do. I was being accusatory, but I'm perfectly willing to admit my profession does it quite a bit, too.

      The point is taken about attack vector. I understand the meaning now, I think. Still a bit hokey (couldn't just say attack method?) but I agree it has a specific meaning. But security posture? That's just indefensible. :-)

    7. Re:Security Posture?!? by birge · · Score: 1
      The term "security posture" has an obvious and well-defined meaning. It's been in use since before IT systems, and its etymology is from the military world.

      Jeez, that makes it sound even more pretentious! Guys with guns who dodge mortar rounds invented the term, and it's been adopted by pasty guys who wear sandals, write computer code and wake up around noon. (I'm one of the latter guys, so don't get too pissy about the insult.) Sure, call me a dick (and you'd be half right) but don't you see my point even a little bit?

  12. I would love to see network trace logs by abulafia · · Score: 2, Insightful
    I haven't been to Defcon since the third one... no time (at least I have the t-shirts), and now that I don't live nearby, it is hard to justify the expense and time off. Hell, I can't even have normal vacations, let alone conference junkets. But damn, this seems like it would have been a great year to have gone.

    I'm sure someone watched the wire for this event - if TCPdump (or whatever) traces of it are available anywhere, someone post a link. It would be a fascinating thing to waste my weekend on.

    --
    I forget what 8 was for.
  13. Re:Why do Defcon hackers prefer Linux? by kc0re · · Score: 1

    I would like a team of totally mac users to jump in on this. Just to prove/see how secure macs really are.

  14. Re:Why do Defcon hackers prefer Linux? by Mechcozmo · · Score: 1
    Let me simplify the above:
    Linux is only free if your time is worthless.

    That isn't to say Linux is bad-- but the setup of various components can be... trying at times.

  15. You forgot by woah · · Score: 1
    ..but the setup of various components can be... trying at times

    ...only for thick people.

    Seriously though, buy only supported hardware. When you buy a Mac, you don't expect all your existing PC peripherals to work with it. Same goes for Linux. Check to see what is supported. That's all there is to it.

    What really gets me are all these whiny posts, "I installed Linux and now my camera's not working and my scanner's not working and blah blah bla..." - Get a clue, kids!

    1. Re:You forgot by Mechcozmo · · Score: 1
      Actually all of my hardware was supported with Ubuntu. However, I could not get WINE to work. I was lost. I figured out to add the repository, searched for WINE, checked it and then told it to download and install, etc. I was happy that I didn't have to bother with a CD key, restart, etc through all of this. But then once it said it was done... nothing. How did I start WINE? Configure it? View a ReadMe file?

      Under Windows it is a messy pain but you at least can run the program. Under OS X you control where the program is. But under Linux, nothing. I'd love to use Linux as my primary x86 OS but it frustrates me that the support out there is nearly nonexistent. The IRC help channel, Google, Ubuntu itself, none of them were able to help. And when I installed Windows 2000 and it overwrote the MBR... oh well. Firefox was broken anyway. There wasn't any QA work done before it was dumped into the update stream.

      If you want to help me, just let me know. I'd love to know that the open source community is helpful towards new members without just saying "RTFM!" because the manual is for a different version and a different subset of something and is worth nothing.

      Sorry for the rant, but that's a part of the reason why I believe Linux isn't ready for the desktop.

  16. Re:Why do Defcon hackers prefer Linux? by James McGuigan · · Score: 1

    Assuming that you know what you are doing (ie have done it before), then setting up a linux machine (especially a fairly user friendly one like Ubuntu) can actually take less time overall than installing and configuring Windows, MS Office, Anti-Virus, Windows Updates and various other utilities.

    apt-get install is actually a very easy way to install new software on linux. A lot quicker (human time and attention wise) than finding your MS Office CD, typing in the CD code, then going through the 15 minute install process.

    However I will admit that some items outside the packaging system, such as Java on Debian proper, can be a little time consuming to set up. I'm actually fairly relieved that there is a copy of dvd::rip in the ubuntu extras repository; attempting to get it set up on Debian proper was a nightmare, and even I gave up on that one (dvd::rip has about a dozen dependencies outside of the debian repositories).

    The other thing to note, is that while some people may be money rich but time poor, there are equally many more others who are time rich but money poor.

  17. Re:Why do Defcon hackers prefer Linux? by Mechcozmo · · Score: 1
    The other thing to note, is that while some people may be money rich but time poor, there are equally many more others who are time rich but money poor.

    And for those who are not money rich and not time rich, what options do we have? OS X is set up in less than 30 minutes. Windows is set up in a few hours. Linux has taken too long to get working and therefore not worth spending more time on it which is unfortunate since I'd like to use it.

  18. The game is quite different... by lamj · · Score: 1

    I was there playing CTF. This year's focus is definitely very different, unless you can dream assembly, you are not going to be very effective at attacking.

    The way they setup the infrastructure also does not allow you to do a whole lot of defense against the attacks.

    In terms of this being real-world... Honestly, how many security incidents are caused by hackers reversing the binary, leading to the intrusion? I would say 95% of intrusions are done by script-kiddie methods.

    I hope they will put more infrastructure related vulnerabilities into the game to make it more interesting. I am not suggesting the lame vulnerabilities that can be detected by Nessus and standard exploit tools but some that require serious kung-fu to detect and exploit.

    All in all, it was a very fun game. I am sure everyone enjoyed it. Congrats to the winning team, see ya all there next year.

  19. Teams? by geekp0wer · · Score: 1

    Just like online gaming.... Teams were not balanced. From what I heard the top 3 teams all had 20+ people. Some 30..... 4th place had 7 people. Also heard the points system was a little skewed. Basically, if you owned someone else's server then you scored points for the length of time you owned it. But then the team that was being hacked would take it offline and you would be out of luck. The penalties for offline boxes were less severe than the rewards for owning someone. The contest was run by a group called Kenshoto. The story goes that they are an anonymous bunch and that is the alias they are using. I was there and the setup was ultra cool. A few improvements and next year will be even better. Check out this link for more info. http://www.securityfocus.com/news/11269

    1. Re:Teams? by kenshotosnit · · Score: 1

      The penalty for off-line boxes was MORE severe than the reward for an 0wn. You could basically score two points for an 0wn per 5-10 minutes. If you managed to take down all your services for the whole game, you'd end up with 0 points, because your attack score was multiplied by your uptime percentage. Let's say that you determined that you were getting pwn3d through the Alice service about 1/2 way through the game, so you just shut the thing off. The one team would probably fail to score two points every 20 minutes, for a loss of about 90 points (before you take the other team's uptime/SLA into account... a good team had a 60% uptime, so this is at most 54 adjusted points). But, what would you be giving up? IIRC, in this scenario, you'd probably fail about 150 polls due to Alice being down. This would move your SLA/uptime down at least 5%. The top teams were all scoring about 1000 points or more before SLA scaling. This would make it a wash versus the team that 0wned Alice, but you are losing points with respect to other teams, too. If you just leave Alice up, only one team gains ~50 points on you. If the team 0wning you makes it so that you don't score uptime points, then they deserve to have the service taken down on them... if they were good, they scored "breakthrough" points anyway. On the whole, though, you should have been trying to figure out HOW you were being owned, and use that to fix the service. It was part of the game. We gave "breakthrough" points for finding a problem at all, so if you were good at auditing, you would score (first people to report a breakthrough got a lot of points, but subsequent reporters got very few). Just to give you an example, the winning team wouldn't have won if they hadn't found a new vulnerability in the last hour of the game.
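
A worked model of the scoring trade-off the reply above describes, added here as an example (it is not Kenshoto's scorebot or any code from the thread). The game length, poll interval, number of services and the teams' raw scores are constructed assumptions, chosen so that the post's own figures (90 raw / 54 adjusted points for the attacker, a 5% SLA hit worth about 50 points for the victim) fall out of the arithmetic:

```python
"""Model of the Defcon CTF scoring rule from the thread: adjusted score =
raw attack points x uptime fraction. Compares leaving an 0wned service up
against shutting it down once the compromise is discovered. All parameters
below are constructed assumptions, not the real scorebot's values."""
from dataclasses import dataclass, field

GAME_MINUTES = 1800          # assumed 30-hour game
POLL_INTERVAL_MIN = 6        # assumed: scorebot polls each service every 6 min (300 polls)
OWN_INTERVAL_MIN = 20        # the post: an 0wn pays out "every 20 minutes"
POINTS_PER_OWN = 2           # the post: "two points for an 0wn"
SERVICES_PER_TEAM = 10       # assumed; gives 3000 polls per team per game


@dataclass
class Service:
    name: str
    polls_passed: int
    polls_total: int


@dataclass
class Team:
    name: str
    raw_attack_points: float
    services: list = field(default_factory=list)

    def uptime(self) -> float:
        """SLA fraction: passed polls over all polls across every service."""
        total = sum(s.polls_total for s in self.services)
        return sum(s.polls_passed for s in self.services) / total if total else 0.0

    def adjusted_score(self) -> float:
        """The rule from the post: attack score multiplied by uptime percentage."""
        return self.raw_attack_points * self.uptime()


def polls_in(minutes: int) -> int:
    return minutes // POLL_INTERVAL_MIN


def own_payout(minutes: int) -> int:
    """Raw points an attacker collects from one 0wned service over `minutes`."""
    return POINTS_PER_OWN * (minutes // OWN_INTERVAL_MIN)


def build_victim(other_uptime: float, alice_polls_passed: int) -> Team:
    """Blue: nine services at `other_uptime`, plus Alice with the given poll results."""
    total = polls_in(GAME_MINUTES)
    healthy = [Service(f"svc{i}", round(total * other_uptime), total)
               for i in range(SERVICES_PER_TEAM - 1)]
    # 1000 raw points: the post's "top teams were all scoring about 1000 points".
    return Team("blue", 1000.0, healthy + [Service("alice", alice_polls_passed, total)])


def build_attacker(extra_raw: float) -> Team:
    """Green: 60% uptime (the post's 'good team') and 900 raw points (assumed) plus payout."""
    total = polls_in(GAME_MINUTES)
    services = [Service(f"svc{i}", round(total * 0.6), total) for i in range(SERVICES_PER_TEAM)]
    return Team("green", 900.0 + extra_raw, services)


def compare_alice_decision(discovered_at_min: int = GAME_MINUTES // 2) -> dict:
    """Adjusted end-of-game scores if Blue leaves Alice up vs. shuts it down."""
    remaining = GAME_MINUTES - discovered_at_min
    total = polls_in(GAME_MINUTES)
    # Leave Alice up: Blue passes every Alice poll, Green keeps collecting payouts.
    blue_up, green_up = build_victim(0.95, total), build_attacker(own_payout(remaining))
    # Shut Alice down: Blue fails every remaining Alice poll, Green's payouts stop.
    blue_down = build_victim(0.95, total - polls_in(remaining))
    green_down = build_attacker(0.0)
    return {
        "leave_up": {"blue": blue_up.adjusted_score(), "green": green_up.adjusted_score()},
        "take_down": {"blue": blue_down.adjusted_score(), "green": green_down.adjusted_score()},
    }


def shutdown_deltas(discovered_at_min: int = GAME_MINUTES // 2) -> dict:
    """Adjusted points each side forfeits when Blue pulls the plug on Alice."""
    r = compare_alice_decision(discovered_at_min)
    return {t: round(r["leave_up"][t] - r["take_down"][t], 6) for t in ("blue", "green")}


if __name__ == "__main__":
    for scenario, scores in compare_alice_decision().items():
        print(scenario, scores)
    print("forfeited:", shutdown_deltas())
```

Against Green the shutdown is a wash (Blue forfeits 50, Green forfeits 54), but Blue's 50 points are lost relative to every other team on the board, which is the reply's argument for fixing the service instead.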

  20. Doh! by KnarfO · · Score: 1

    Son of a B!

    --
    "Creativity is allowing ones self to make mistakes. Art is knowing which ones to keep" - Scott Adams