Blogging the NECCDC

-3 days: ISIS Labs is bringing 6 of its finest to compete in the North-East Collegiate Cyber Defense Competition (NECCDC) in Rochester, NY this weekend. Wish us luck!

I’ll try and keep you informed as to how the contest is going, what it’s like to compete in one of these things, and if we are winning by live-blogging the event from our hotel room each night. I don’t see that banned in any of the dozens of rules we’ve been made aware of so far!

-26 hours: It’s 2 hours before we leave for Rochester and I’ve come down with a cold, it has started snowing throughout Northern NY, and the team collectively realized we don’t have a GPS unit for the 6 hour drive. Instead, we will be navigating via iPhone. Make sure to keep an eye on CNN tonight for reports of a van full of computer nerds barreling off I-80 into a ditch.

-12 hours: We made it, and not a single wrong turn! But… you see this? That’s a 4-seater. We had 5 people. Oops! I think one of Mike, Alex, or Brad is going to bill Prof. Memon for a butt-massage after sitting 6 hours on a bunch of cup holders. Thanks guys for not complaining!

Strat is coming up by train tomorrow and I think someone will be going home with him the same way :-x.

We still have no idea what to expect for this competition. The only thing we’ve seemed to agree on so far is that it’s impossible for the Red Team not to have some advance knowledge of the competition machines. We can’t see how this will be much of a challenge once we put our uber-firewall in place. We’ll see.

+10 hours: see the comments below

This work, unless otherwise expressly stated, is licensed under a Creative Commons Attribution 3.0 License.

3 Responses to “Blogging the NECCDC”


  1. xtrat

    Just a little note to say I am here — finally! After three train engines and 9 hours of travel, I have made it to the RIT… Well, the hotel. I am also happy to report that after Dan deauth’d the whole hotel to “fix” the mystery problems with the hotel wireless, the network actually does seem to be working fine. Unfortunately, from what I have heard, that is more than can be said about our competition network… Well, tomorrow (urr, today) is a new(ish) day.

  2. Brad Schonhorst

    I was one of the participants this weekend and thought I would provide an overview of the competition from my perspective. The fun started on Friday when we were thrown into the role of a newly hired InfoSec team for a mid-sized company. We were given a network to manage with several servers and workstations that all ‘worked’ but had lacked proper configuration and security best practices for some time. Our job was to clean up the mess while maintaining our publicly facing internet services.

    As we began to familiarize ourselves with the network, two XP workstations got owned right away. It was very cool to see the effects of Core Impact and how quickly it can hammer away at a network. On our end, we noticed network connection issues on one of the XP machines and got some ugly output from ipconfig, and soon the machine rebooted. The other workstation was not far behind and rebooted before we had a chance to deal with it.

    We had decided earlier, prior to the competition, that we should get rid of the provided router and firewall and replace them with a FreeBSD box. This was much trickier than it sounds because one of the many rules of the competition was that no workstation could use two network cards. Despite each machine coming with two ethernet ports, we were told we could not use more than one, even if we sacrificed a second workstation to consolidate the NICs. Luckily we had Boris on our side, a FreeBSD expert who had heard about stub routing and was excited to try it. He was able to set up a router/packet filter/server with all traffic entering and leaving a single physical network interface.

    Not long after we made the router change, our switch began to drop ports in and out of service. We found out later that the attackers had gained access using a default password (duh) and were in the process of uploading an older version of the firmware, which would provide more vulnerabilities for them to regain access in the future. We noticed some ports drop off and decided to power cycle the switch. Unfortunately, the reboot happened to occur in the middle of the attackers’ IOS downgrade, and because the upload had not finished, the switch was bricked. We didn’t quite put together what had happened for quite some time, and all had a chance to research the IOS command line. Finally, we were able to get a new piece of hardware to replace it after the judges were convinced we were not going to be able to reload it within the constraints of the competition. Yes, we changed the password on this one right away.

    With the switch down most of the evening, we lost points for having all of our services unavailable. In the downtime we were able to start offloading many of the services on the servers to the FreeBSD box and continue hardening the other hosts on our network.

    Saturday was a much better day for the ISIS team. The FreeBSD machine was properly filtering all the traffic and hosting most of our services. We gradually moved more services over to the BSD box, which freed up some of the other machines to be retasked. By the end of the day, all of our services other than one e-commerce site, a chat server and the AD controller were being served up on the single system. Had the competition gone on longer, now would have been the time to replicate it on another box to help mitigate the risk this single point of failure introduces.

    We continued through Sunday without many other issues which freed us to focus on the various “Business Injections” or memos with work to do from our “virtual CEO.” These ranged from adding new users to dealing with the sudden loss of hardware. Additionally, any time we observed an attack we could score points for developing an incident report.

    Overall, NECCDC provided an interesting weekend looking at systems administration and some of the security issues involved with managing a network. The competition definitely was longer than it needed to be. We started Friday afternoon at 1 and were told to step away from the keyboards at 7. Saturday started at 9 and ended again at 7 with a lunch break. Sunday, the network was active from 9 to 12:30, and by this time our network was in such good shape we were reading Slashdot and hoping for some more interesting attacks.

    In addition to the live network attacks, we were tasked with various reports to write. We managed to stay up until 3 finalizing business security policies and incident reports. Next year, I would like to see the competition compressed into a day and a half. NECCDC would be just as effective if we played all day Saturday and then wrote and handed in policies/reports/budgets on Sunday. This would definitely ease the travel for out-of-town competitors like those of us from NYC and the team that came down from Vermont.

    I definitely appreciated the experience and enjoyed meeting some new faces. Thanks to RIT and everyone who made the competition happen!
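    The single-interface FreeBSD router/packet filter described in the comment above is the kind of thing a defending team wants to have sketched out before the clock starts. The following pf.conf is an added illustration, not the ISIS team’s or Boris’s actual configuration: it assumes the one permitted NIC (em0) is an 802.1Q trunk carrying an outside VLAN (10) and an inside VLAN (20), so routing and filtering happen between two sub-interfaces on a single physical port. The comment only says “stub routing”, so the VLAN layout, the interface names, the RFC 5737/RFC 1918 addresses and the server roles below are all assumptions for the example.

```pf
# Added example, not from the post or the team. Single-NIC router-on-a-stick:
# em0 is assumed to be a tagged trunk; em0.10 faces the outside, em0.20 the inside.
# Sub-interfaces are assumed to be created in /etc/rc.conf, e.g.:
#   vlans_em0="10 20"
#   ifconfig_em0_10="inet 203.0.113.2/24"    # placeholder public address
#   ifconfig_em0_20="inet 192.168.20.1/24"   # placeholder inside gateway
#   gateway_enable="YES"
#   pf_enable="YES"

ext_if    = "em0.10"
int_if    = "em0.20"
int_net   = "192.168.20.0/24"
web_srv   = "192.168.20.10"     # assumed e-commerce/web host
mail_srv  = "192.168.20.11"     # assumed mail host
admin_net = "192.168.20.0/24"   # only source allowed to manage the router

set skip on lo0
set block-policy drop           # silently drop instead of sending RSTs/ICMP
scrub in all                    # normalize fragments and odd TCP flags

# One public address on the trunk; hide inside hosts behind it and
# publish only the scored services.
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp to ($ext_if) port { 80 443 } -> $web_srv
rdr on $ext_if proto tcp to ($ext_if) port 25 -> $mail_srv

# Default deny in both directions, logged, so every allowed flow is explicit
# and anything unexpected shows up in pflog for the incident reports.
block log all
antispoof quick for { $ext_if $int_if }

# Outside may reach only the published services (after rdr, pf sees the
# translated inside destination).
pass in on $ext_if proto tcp to $web_srv port { 80 443 } flags S/SA keep state
pass in on $ext_if proto tcp to $mail_srv port 25 flags S/SA keep state
pass in on $ext_if inet proto icmp icmp-type echoreq keep state

# Router management (SSH) only from the inside network; the external
# interface's port 22 stays under the default block.
pass in on $int_if proto tcp from $admin_net to ($int_if) port 22 keep state

# Inside hosts may initiate outbound; replies are matched by state.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if keep state
```

    Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and watch `tcpdump -n -e -ttt -i pflog0` during the game: with a logged default block, the dropped traffic on pflog0 is the quickest source of material for the incident reports the scoring rewards.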

  3. Brad Schonhorst

    Quote of the Weekend

    “The first thing to do is yank the cord and slap a PIX on it.” – Cisco rep, in regard to the start of a computer defense competition.

    Our crew from ISIS found this particularly amusing, as none of us are IOS experts and the first thing we did was get rid of the Cisco equipment. We were given a router, a switch, and a PIX firewall. Many of the most successful attacks this weekend were against Cisco products. To be fair, 2-3 members of the red team came from Cisco and clearly knew lots of tricks to gain and keep access to Cisco gear.

Leave a Reply