Tenable Blog

On July 21-22, 2009 Renaud and I attended the New York City Infragard CTF event. It was a great experience being able to participate in the games, learn and teach people about security. Below is a breakdown of how the event was organized, including several examples of attack and defense techniques we performed.

Day 1 - The Game

The game is divided into two areas; one for attackers ("Red Cell") and one for defenders ("Blue Cell"). The Blue Cell is further divided into teams, each defending a set of machines that represents a real company. The attackers can use whatever tools they have at their disposal. The defenders must defend everything from mock SCADA systems, VoIP, Microsoft Exchange and web servers running several different web applications. It is a good representation of what a real company may look like, which makes this type of exercise particularly educational.

Traditional buffer overflow vulnerabilities require specific conditions to be met on the system, payload to be written for the target platform and an exploit smart enough to get around system execution protections in memory. Some of the most dangerous exploits rely on vulnerabilities that can be triggered in a varying number of conditions and circumstances. A far more reliable approach is to take over a process or manipulate a protocol to gain access to the system that does not require that a buffer overflow vulnerability be present.

This brings us to the HP Discovery & Dependency Mapping Inventory (DDMI) agent, which runs on a variety of platforms, including Windows and Linux, to provide central inventory management. HP's DDMI agent contains a flaw that allows an attacker to connect to it without credentials and manage the agent. The agent fails to check for a valid SSL certificate from managing DDMI servers, which means anyone can pretend to be the server and control the agent, providing the ability to:

The Story:

--US and South Korean Sites Under Attack; Late Data Says Attacking PCs to Self Destruct (July 8 & 9, 2009)
A variant of MyDoom is believed to be behind the distributed denial-of-service (DDoS) attacks that took down US and South Korean government, military and private industry websites last week. Some reports have speculated that North Korea may be behind the attacks, which have been described as unsophisticated and "a nuisance." Brian Krebs of the Washington Post reports that the virus that is causing PCs to attack these sites will overwrite the files (including the operating system) of the infected computers.
http://isc.sans.org/diary.html?storyid=6757
http://voices.washingtonpost.com/securityfix/2009/07/pcs_used_in_korean_ddos_attack.html?wprss=securityfix
http://www.nextgov.com/nextgov/ng_20090708_6262.php
http://www.computerworld.com/s/article/9135279/
Updated_MyDoom_responsible_for_DDOS_attacks_says_AhnLab?taxonomyId=17 ...

Once again, we have a "cyberwar" that only registers as a blip on the radar screen for most of us. Other than that, it's an inconvenience for government or commercial sites that didn't think about capacity when they built out their internet connections. It's far from a disaster; in fact, it's hardly news-worthy. It's only remotely interesting because, once again, the cyberwar pundits attempted to link the attacks to state sponsorship. Like with the attacks on Estonia in 2007, ("Russia accused of unleashing cyberwar against Estonia") will it turn out to be a few civilians operating under their own initiative? Another way of phrasing that question is "is the North Korean intelligence service a bunch of wimps?"

Attackers have access to a great deal of public information about your organization. Public web sites, domain records, routing information and several other sources can provide an attacker with useful information to launch attacks. Public documents posted on your web site contain metadata that can be very useful to an attacker. Metadata, in the context of the documents created within your organization, is information about the document itself. This can include who created it, their email address, the creation date, the software used to create and publish it and the software version and platform. This information can then be used to create client-side attacks that specifically target individuals and the software they are using.

It’s the Small Things

Embedded systems continue to be overlooked in many environments, but often can present as much risk, if not more, than other systems on your network. Every enterprise has some form of an embedded device, from printers to routers and switches, that exists on the network and exposes services that could be exploited. Some recent examples include: