
Cybersecurity Awareness Showcase

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Tue Oct 18, 2011 11:38 am

Cybersecurity Awareness Showcase

Hi everyone! It may be a bit late to post this, but I figure it deserves a mention anyway.

The InfraGard Jacksonville chapter is hosting a Cybersecurity Awareness Showcase at the University of North Florida this week.
It's happening Oct 19-21 (tomorrow through Friday), with the last day being a Defend The Flag competition. They're supposed to have some pretty good hands-on presentations from Kevin Johnson and Johannes Ullrich.

Cost to see these two presentations is $150 for members of ISSA, InfraGard, or ISACA, or $200 for non-members.
For the other sessions, the cost is $50/day.
For the security competition, it's $100 per team (up to 5 members).

Hope to see you there!

Put that in your pipe and grep it!

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Tue Oct 25, 2011 9:12 am

Re: Cybersecurity Awareness Showcase

By the way, my team won the security competition. ;D

Put that in your pipe and grep it!

r2s

Newbie

Posts: 49

Joined: Thu Sep 16, 2010 6:14 pm

Location: USA

Post Tue Oct 25, 2011 9:18 am

Re: Cybersecurity Awareness Showcase

Congrats, man!

In progress: OSCP & GXPN (June)
"Silence enables the sound to be" - Eckhart Tolle

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Wed Oct 26, 2011 4:01 pm

Re: Cybersecurity Awareness Showcase

Congrats. Can you expand on what the flags were and how you got them?

Don
CISSP, MCSE, CSTA, Security+ SME

eth3real

Sr. Member

Posts: 309

Joined: Wed Feb 27, 2008 10:35 am

Location: US

Post Thu Oct 27, 2011 8:46 am

Re: Cybersecurity Awareness Showcase

Thanks for asking, Don, I had been meaning to post this sooner. ;D

This was actually their first competition, so some of it was trial and error. It wasn't a "Capture the Flag" competition, it was a "Defend the Flag" competition, though the "flags" weren't clearly defined.

The breakdown is that they gave us a mock enterprise network, consisting of a Linux webserver and 2 Windows 7 workstations.

The first thing we (our team had 4 people) took care of was changing all of the passwords. The passwords were provided to us on a list, but the guy that set up each network happened to be on the red team.

After that was application layer firewalls on all the boxes. We implemented iptables on the server, and I believe it was ZoneAlarm on the workstations.

Next, we took care of some of the immediate things that could be dangerous, like making sure SSH was using protocol 2 only and didn't allow root login, checking what account the apache and mysql servers were running as, changing the shell of any users who didn't need shell access to /bin/false, and double-checking the sudo and su access.

Then we started scanning the webserver for XSS and SQL Injection, but we didn't find anything, fortunately.

We had a couple of safety measures planned/in place that didn't work. For example, we used a Turn-Key ISO of Insta-Snorby (Snort and Snorby), set up 2 NICs as a bridge, and put it in-line between the incoming network line and our switch. However, after I got it set up, it was not capturing anything, even though it had worked in my previous attempts on my home network. The bridge was still working correctly, and we left it in-line the whole competition; it just wasn't capturing any data. Not sure why that didn't work; I'll be investigating it later.
I had also signed an SSL certificate using OpenSSL, and was planning on forcing the apache server to only use HTTPS traffic, but we ended up not reconfiguring apache to use the newly signed certificate, I think just for the sake of time.

One of the more interesting things we did, though, was setting up static ARP addresses on all of the machines, so as to prevent an ARP spoofing man-in-the-middle attack.

After we took care of those measures, we had everybody watching access logs, error logs, tcpdump output, and quickly adding a drop rule at the top of iptables for any IP addresses that looked like they were attacking (nmap scans, changing user agents, etc.).

We had from 9 am to 12 pm to prepare, and then from 12 pm to 4 pm, the red team was attacking. At 2:30 pm, the leader of the red team got up and said "I give up, you guys win. I can't believe how prepared you were for this." So, even though there were no specific "flags" determined, he wasn't able to get into anything. I actually noticed once that he was using the Samurai Web Testing Framework, which naturally runs an apache server with convenient PHP and AJAX shells, but he noticed right when I was logging in with the default username and password and disconnected his line before turning off services like that and eventually reconnecting.

We were actually the only blue team that showed up, so we won the competition by default, but that didn't stop us from playing hard. I had a great team, and I would love to work with them again soon. It was absolutely a blast, and I can't wait for the next one. I think we're getting the local 2600, DC, and LUG groups to start planning similar events.

Next year will be my first time at Def Con, so I'm not planning on even trying to get into their CTF event, but maybe the following year.

Put that in your pipe and grep it!
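The log-watching step described in the post above (spotting scanner-like clients in the apache access log and inserting a DROP rule at the top of iptables for them), as an added example that is not part of the original post or the team's own tooling. The combined-log regex, the two heuristics (user-agent rotation and a burst of 404s), their thresholds, and the sample log lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" log format (assumed; matches the default CustomLog layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def profile_clients(lines):
    """Per source IP: the distinct user agents seen and the number of 404 responses."""
    stats = defaultdict(lambda: {"uas": set(), "404": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # skip malformed lines rather than crash the watcher
        s = stats[rec["ip"]]
        s["uas"].add(rec["ua"])
        if rec["status"] == "404":
            s["404"] += 1
    return stats

def suspicious_ips(lines, max_uas=3, max_404=10):
    """IPs that rotate user agents or burst 404s (scanner-like). Thresholds are assumptions."""
    return sorted(ip for ip, s in profile_clients(lines).items()
                  if len(s["uas"]) > max_uas or s["404"] >= max_404)

def drop_rules(ips):
    """Render the 'drop rule at the top of INPUT' the post describes, one per flagged IP."""
    return ["iptables -I INPUT 1 -s %s -j DROP" % ip for ip in ips]

def _line(ip, path, status, ua):      # helper to build constructed sample lines
    return ('%s - - [21/Oct/2011:12:05:01 -0400] "GET %s HTTP/1.1" %d 512 "-" "%s"'
            % (ip, path, status, ua))

# Constructed sample: a normal client, a user-agent rotator, and a 404-heavy scanner.
SAMPLE_LOG = (
    [_line("10.0.0.5", "/index.php", 200, "Mozilla/5.0")] * 3
    + [_line("10.0.0.77", "/login.php", 200, "UA-%d" % i) for i in range(4)]
    + [_line("10.0.0.99", "/probe%d" % i, 404, "Mozilla/4.0") for i in range(12)]
)

if __name__ == "__main__":
    for rule in drop_rules(suspicious_ips(SAMPLE_LOG)):
        print(rule)
```

The rules are only rendered as strings here; a real watcher would review them before applying, since a shared NAT address or a legitimate crawler can trip the same heuristics.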
