Capture the Flag might be only a game, but it was serious business at DefCon, the world's largest annual computer hacker convention, in Las Vegas. For 36 straight hours, eight teams of experienced hackers and serious security professionals played predator and prey as they tried to hack into competitors' networks while defending their own.
From my front-row seat as a member of the winning team Sk3wl of R00t (hacker slang for 'School of Root' where 'root' refers to gaining administrator access to a system), I got a bird's-eye view of how new and not so new attacks could be launched and thwarted.
The game was organised by a Seattle security community group called the Ghetto Hackers. Each qualified team controlled a pair of Windows machines running a variety of network and Web-based services that were connected to each other and a central scoring mechanism called the Scorebot via a Gigabit Ethernet network. Rest assured, this hacker network was not connected to the Internet.
As soon as the doors to the secluded hacker playground disguised as a crowded hotel ballroom were opened at 10am, the air was tense. The game scenario and the legitimately purchased Windows images were presented to participants two hours before the official noon start time. How would you like to have to lock down two Windows boxes in just two hours, as you started to recognise that there are world-class exploit developers in the room and on your network?
A team scored by attacking rival servers and stealing flags (data strings stored within the servers). The successful hacker then presented the stolen flags to the scoring system for credit. The overall score was a combination of credit for attacking other teams' servers and successfully defending your own services. Penalties were issued for excessive consumption of bandwidth, so simple port scans and brute force attacks were not used, and denial-of-service attacks were forbidden.
In the middle of the room sat the Ghetto Hackers' gear, necessary for keeping the game within bounds and blasting loud techno music for the entire 36-hour ride. We'd trained for the competition in small conference rooms with similar tunes blaring as white noise to desensitise. But by the time it was 2am, and you were staring at a network trace flying by on a screen, you noticed that your heartbeat and your breathing had synchronised with the music and the packet traffic. At that point, it was time to take a walk.
At the beginning everyone was organised with their supplies. Our cooler was stocked with ice and Coke. As time dragged on, people started bringing in food and drinks. At first we sent out someone for bread and cold cuts, but by the middle of Day Two we gave up and started ordering pizza. We stuck with soda for the most part, but as the contest wore on, a beer or two appeared. As we scanned the room (discreetly, of course) we saw the other teams behaving the same way if not more so. One team had a steadily draining bottle of Southern Comfort on top of its server.
The Ghetto Hackers' full-length equipment rack was ornamented by a large, red, wooden arch in the style of a Japanese archway complete with Asian script. Our Japanese language expert slunk over for a closer look and determined the writing on the wall to be complete gibberish, with no hidden message to help us crack the code.
Each team carefully arranged its equipment, everything from laptop Macs to Cisco switches, onto tables around the periphery of the room, some piled 3 feet high. Teams were supposed to have a maximum of 15 members, but no one stuck to that upper limit as the flow in and out of the room easily boosted each roster to more than 20 people.
The ground rules I agreed to dictate that I not divulge individual identities. But I can say the teams included at least two CTOs, security professionals from Ernst & Young, America Online and the University of California at Santa Barbara, and well-known and unknown hackers. Additionally, at least four teams had members hailing from the US Department of Defense.
We mostly kept to ourselves and minimised visible screen space to avoid becoming vulnerable to shoulder surfing or other forms of spying. You had to do some reconnaissance, though, to sniff out any secret deals being cut to share or trade information among teams.
There wasn't exactly a book on how to organise your team or set strategy for this sort of thing. But our winning strategy as a team was organisation - of everything from a rotating cat-nap schedule to divvying up jobs along lines of expertise.
Because offence was 80 percent of the overall score, you had to maintain support for your front-line attackers. The trick was to not ignore your defences. If your defences slipped, other teams could get in and score. As the Ghetto Hackers pointed out at the awards ceremony, we were solid attackers - not significantly better than other teams, but we had very good defence and were able to keep other teams from stealing flags from us.
Most attacks we saw were levied against information in the database. Someone would figure out how to run the wiki (a piece of server software that lets users freely create and edit Web page content using any Web browser) and craft some obscure set of queries that revealed flag data. Or someone would go into the Multi-User Dungeon, an online game environment that uses a great deal of bandwidth, and work out that if you walked north through the forest just the right way you could pick up a flag.
We saw many failed attacks. Someone tried to buffer overflow the Web server with 800,000-byte null packets. Someone else tried to go after SNMP services to gain entry. Teams even attempted to capture their incoming Scorebot traffic and replay that same traffic in the direction of our machines in the hope that our services would mistake them for the actual Scorebot and give up flags to them.
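The replayed-Scorebot attempt described above is defeated by a service that hands a fresh, single-use challenge to whoever asks for a flag and only answers a request carrying an HMAC over that challenge under a key the real Scorebot shares. This is an added example, not the contest's actual scoring protocol: the shared key, the `GETFLAG` message label and the `FlagService` class are all assumptions.

```python
import hashlib
import hmac
import secrets


class FlagService:
    """Constructed stand-in for a team service that releases flags to the Scorebot.

    Assumed (not from the article): the service and the genuine Scorebot share a
    secret key; every flag request must carry an HMAC over a fresh nonce the
    service issued. A captured request replayed later reuses a nonce that has
    already been consumed, so it is refused without ever touching the flag.
    """

    def __init__(self, key: bytes, flag: str) -> None:
        self._key = key
        self._flag = flag
        self._outstanding: set[bytes] = set()  # issued but not yet redeemed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def get_flag(self, nonce: bytes, tag: bytes):
        # A nonce that is not outstanding was never issued or was already used:
        # either way the request is forged or replayed.
        if nonce not in self._outstanding:
            return None
        expected = hmac.new(self._key, b"GETFLAG" + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        self._outstanding.discard(nonce)  # consume the challenge on success only
        return self._flag


def scorebot_request(key: bytes, nonce: bytes):
    """What the legitimate Scorebot sends: the nonce plus proof it holds the key."""
    return nonce, hmac.new(key, b"GETFLAG" + nonce, hashlib.sha256).digest()


def demo():
    key = secrets.token_bytes(32)  # constructed shared secret
    svc = FlagService(key, "FLAG{constructed-sample}")
    req = scorebot_request(key, svc.challenge())
    first = svc.get_flag(*req)          # genuine Scorebot: flag released
    replay = svc.get_flag(*req)         # same bytes replayed: nonce spent, refused
    forged = svc.get_flag(svc.challenge(), b"\x00" * 32)  # no key: bad tag
    return first, replay, forged
```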
If I were to apply my experiences to a more everyday situation than what was taking place at the off-the-strip Alexis Park hotel, five points would bubble to the top of the security cauldron:
* Insecure and unnecessary services, such as terminal services and SNMP, are running on most Windows machines. You've got to take care to shut down or firewall all unnecessary ports used by these services.
* Passwords are revealed frequently. To defend against this, periodically change all passwords, including those that give access to Web services and databases.
* Customised Web applications typically leak critical information. To defend against this, applications must be modified so they do not have commands that give too much information without proper authorisation or let users modify objects out of turn.
* Unmonitored services are dangerously open to attack. Watch your logs like a hawk.
* Hack attacks happen. Be afraid, very afraid.
Rodney Thayer is principal investigator with Canola & Jones, a security research firm in Mountain View, California. He can be reached at [email protected]. He says: "Thanks to the Ghetto Hackers for running a great contest. They put together a complex game and made it run under very stressful conditions, and it worked great. Thanks also to Sk3wl of R00t for letting me join in."