"In the next room there are people who are the main threat to our security"On Tuesday, the second (offline) part of the hacker Symantec Cyber Readiness Challenge tournament and the CROC Cyber Conference security conference with Kevin Mitnick took place. All this together was called C ^ 2: Cyber Challenge.
The most interesting parts:
- Our hackers were very fast.
- Gas was not piped into the hall with the participants (although many at the conference considered this a reasonable measure).
- Mitnick showed miracle flash drives that bypass antivirus and take control of the machine, cloned the Citibank IVR, showed how to greet people while copying their MIFARE card, and told a bunch of stories from his turbulent youth. "When do we start the test? We already finished. You didn't get the letter? That's right, the report is on your desktop."
Below is a report, a little about the preparation, and a bunch of photos (traffic warning).
Kevin is proud of the phone whose firmware he received from the hands of a security guard

Infrastructure
One of the hardest parts of preparing a large event is making everything run like clockwork, from the arrival and registration of guests through to a fast network for absolutely everyone.
Here is the venue, a 12-minute walk from Frunzenskaya. We ran several minibuses to shuttle guests from the metro: all the participants were met right at the exit and put into the "Pavens". Nobody got lost.

Registration often becomes a bottleneck at events like this. Here we had plenty of girls handing out badges, and participants' names were printed on the spot:

Support was provided both by the Russian team and by technical support experts from England. The speaker was located nearby. Since part of the conference was in English (Mitnick, for example, does not speak Russian), simultaneous translation was needed. Here is a rack of receivers that could be checked out against an ID document:

The next important question is the Internet. Participants need a fast connection, so we brought in a 256 megabit/second line directly from the provider. Seats in the hall were spaced with double margins (not everyone likes sitting right next to other players), and each row had its own local network segment. Each participant got their own "tail" like this:

In the middle of each row was a 48-port switch:

Interestingly, the site survey was 4 days before the start, all the equipment was bought over the weekend, and installation and testing finished a couple of hours before the conference. The Internet was cabled by 6 people; in total, between 20 and 30 people worked on the installation at various times. There were no emergencies: one of the switches burned out, but it was quickly replaced with a spare. Every patch cord was tested, because nobody needs surprises from a badly crimped cable.
A separate 100 megabit line was run for the conference participants; Mitnick needed it.
A reserve line in case the whole thing went down: another 100 megabits. We decided against automatic failover because the switching would have been complex. In an outage, the technician would move the cable over in under 2 minutes, and we checked that.
The game
Participants arrived early, set up their configuration and prepared. A couple of hours before the start, many who were still on the road were worrying that they had not received the link with the connection settings.
Food from the buffet was carried straight to the seats, along with a stock of water, so nobody had to leave the game. Here, for example, Vlad (the future winner) has three glasses: mineral water or juice if he gets thirsty, plus an empty one just in case.

The start of the game, and the plot: a message from Giles Knox, a former employee of the EDC corporation:

While he was still talking, many had already started on the first flag.

The future 2nd and 3rd place winners during the game:

A girl among the participants:

The lights were dimmed, and the participants' faces were lit by their screens. Letters were not projected onto their faces the way they are in the movies:

The game was tense:
Among the flags were tasks on:
- Port scanning
- Decrypting and brute-forcing passwords
- Session attacks
- Mobile deanonymization
- Working with disk images
- Breaking sixteenth-century ciphers
- SQLi (lots of different variants)
- Reconnaissance and exploitation
- CSRF / XSS and many other interesting things.
There were the traditional surprises: despite the ban on attacking the infrastructure, some people started brute-forcing the routers. After a general warning the participant listened to reason; for a first offence he was forgiven and not disqualified.
The conference
Here we did several important things: standard practice for conference organisation, but convenient. For starters, the speaker needs a big screen of his own, a "prompter", to see his presentation; otherwise he starts glancing back nervously. We mounted it like this:

Secondly, four screens for slides: two more at the sides of the stage for the original language, and one slightly to the right for the translation. Many participants happily photographed the second screen, for example: useful links were shown there, along with what Kevin had found about Aeroflot in open data:
The following people spoke at the conference itself:
- Boris Bobrovnikov, Director General, CROC;
- Andrey Vyshlov, General Director, Symantec Ltd;
- Pavel Golovlev, Head of the Information Technology Security Directorate, SMP Bank;
- Evgeny Druzhinin, information security expert, CROC;
- Sergey Ershov, Head of the Information Security Division, Information Security Directorate, CJSC Greenatom;
- Andrey Zerenkov, Chief Information Security Consultant, Symantec Ltd Representative Office;
- Denis Kamzeev, Deputy Head of the Directorate for the Control of Operational Risks, ZAO Raiffeisenbank;
- Artem Krolikov, Head of the Information Security Department, AlfaStrakhovanie;
- Vyacheslav Morozov, Nice Systems Regional Manager for Russia and the CIS;
- Mikhail Sukonnik, Radware Regional Director for Russia and the CIS;
- Dmitry Ustyuzhanin, Head of the Information Department, VimpelCom OJSC.
The moderator was Oleg Sedov, editor of special and online projects Intelligent Enterprise / RE.
The conference opened with a proposal to significantly improve the security of IT systems worldwide by piping gas into the next room. The idea kept resurfacing during the discussions. It should be noted that the real "old-school" hackers are unlikely to have come to the conference: there was a sea of media, and every face would be remembered by everyone for a long time. The panel also noted that our attackers behave quite correctly towards "home" systems: they do not foul the place where they live, and mostly go after the West. "Russian hacker" is already a brand in the US, we're afraid. And, it must be said, deservedly so.
The interaction between IT, information security and other departments was discussed. For example, fighting insiders is often dumped on information security, although HR should be doing it too; compliance with the Federal Law on Personal Data was dumped on information security, which considers it a non-core task that IT specialists should handle; and so on. In Russia nobody can play as a team yet: even in big business the coordination between departments is far from ideal. One panellist cited the example of the Western "security officer", a person who coordinates IT and information security, a bit of HR and a bit of finance; he sits close to the business and knows exactly which risks exist and how to close them completely. Then we talked about outsourcing and its development: the future lies there, but for now the restrictions on processing information off-site stand in the way.
The conclusion was that properly set-up processes are needed. For example, today, if an employee finds a vulnerability, it is good if he reports it to the admin, good if the admin does not take offence at his mistake and says thank you (this is very important: they helped him!), and good if he closes the hole rather than hushing it up. It is far worse if the employee passes information about the hole to his colleagues: within two weeks the whole company will be exploiting the vulnerability in earnest. Security officers try to train people: for example, when data is sent to the wrong place, they either change the process (because it has to be changed) or explain to the user and his manager what the mistake was and how to do it right.
Risk management was discussed. It turns out one of the most pressing problems is that when the security officer goes to management and says "we need this", he is told "there is no money". Clearly there is not enough to close every risk in turn, but the main ones are critical. It was noted that businesses that came up in the 90s understand risk management very well and live by it: if the security man thinks it is necessary, then it is necessary, a fact absorbed back in the hard years. Let's just say that whoever knows the rules better wins, and whoever follows them loses. As one of the panellists put it: "The white and fluffy ones need it explained to them."
New areas matter: employees using their own mobile devices, and virtualization (in particular, moving infrastructure to the "cloud"). Here the rollout is often done "by Monday after next", and information security is brought in only after the first leak; in practice the system should be built securely from the start.
Hiring was discussed at length. For example, one large bank moved entirely to outsourcing. The press releases talked about efficiency, SLAs, business flexibility and so on. In practice, they were simply tired of the "walk-ins": the information security officers would come in and suddenly demand a raise on top of an already high salary, then come back at some random moment and again suddenly ask for money or something else. When the bank got tired of satisfying their ambitions, it just handed everything over to outsourcing.
Can "hackers" from the underground be hired into a company? Two examples were given: one antivirus vendor prefers to train people only in-house, while a company specializing in pentests hires "consumables", since its staff's tasks are one-off. There are many problems with corporate culture and loyalty. One of the participants said: "You know, it was very hard for us to accept people who have no idea where the piercings go into the gadgets." On the other hand, many are perfectly relaxed about such "strange" people. In the words of another participant: "We had a guy with dreadlocks working for us. Nobody worried. He left after two months... Hmm, it only just occurred to me, maybe he was solving some problem of his own with us..." The conclusion was that in classical security (defence) it is better to hire specially trained people (practically with shoulder boards), but in the new areas, yes, of course, nobody handles attackers better than attackers.
Kevin's talk
For the new generation Kevin is no longer an authority, but on the other hand he is a significant figure for those who gathered in the hall.

He started with general points about social engineering (we already covered them in the preparation for the tournament; that is an introductory primer), and then he really got going.
This is what a successful security specialist should look like: three laptops, a phone, a bunch of dual-use devices and pretty women around

To start, he talked about general data collection. Analysis of social networks has been added to the traditional dumpster diving and contact search. Kevin loves LinkedIn: the whole structure of a company is in plain view there. A very simple example: it lists all the salespeople, who often travel with laptops.
He also showed FOCA, a tool for analysing the metadata of a company's publicly available documents. He ran it against Aeroflot and got the basic software configurations of the machines, several dozen employee names, and from those easily worked out their email addresses.
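The defender's counterpart to this kind of metadata reconnaissance is to audit your own documents before they go public. The script below is an added example, not code from the original post or from the FOCA project: a stdlib-only Python check that pulls the author, last editor and application/version fields out of PDF and DOCX files, exactly the fields that give away employee names and software configurations, so they can be scrubbed. The sample PDF and DOCX, the field names treated as leaky, and the employee names in them are all constructed for the example.

```python
"""Audit PDF/DOCX metadata for fields that leak names and software versions.
Added example (stdlib only); the sample documents below are constructed."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Fields whose presence in a published document is worth flagging
# (assumption for this example: these are the ones reconnaissance feeds on).
LEAKY_FIELDS = {"Author", "LastModifiedBy", "Company",
                "Creator", "Producer", "Application", "AppVersion"}
PDF_INFO_KEYS = ("Title", "Author", "Creator", "Producer")
OOXML_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}


def pdf_metadata(data: bytes) -> dict:
    """Pull /Key (literal string) entries out of a PDF Info dictionary.
    Limitation: hex strings, XMP packets and Info dicts inside compressed
    object streams are not parsed, so an empty result is not proof of clean."""
    found = {}
    for key in PDF_INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def docx_metadata(data: bytes) -> dict:
    """Read docProps/core.xml and docProps/app.xml from an OOXML package."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag, key in (("dc:creator", "Author"),
                             ("cp:lastModifiedBy", "LastModifiedBy")):
                el = root.find(tag, OOXML_NS)
                if el is not None and el.text:
                    found[key] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in ("Application", "AppVersion", "Company"):
                el = root.find("ep:" + tag, OOXML_NS)
                if el is not None and el.text:
                    found[tag] = el.text
    return found


def audit(data: bytes) -> dict:
    """Return the metadata fields that should be scrubbed before publishing."""
    if data.startswith(b"%PDF"):
        meta = pdf_metadata(data)
    elif data.startswith(b"PK\x03\x04"):  # DOCX/XLSX/PPTX are zip packages
        meta = docx_metadata(data)
    else:
        raise ValueError("unsupported document type")
    return {k: v for k, v in meta.items() if k in LEAKY_FIELDS}


# Constructed sample: a minimal PDF with an Info dictionary.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog >> endobj\n"
    b"2 0 obj << /Title (Quarterly report) /Author (ivanov) "
    b"/Creator (Microsoft Word 2010) /Producer (Acrobat Distiller 9.0) >> endobj\n"
    b"trailer << /Info 2 0 R >>\n%%EOF\n"
)


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal DOCX package with core and app properties."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
            '<dc:creator>petrov</dc:creator>'
            '<cp:lastModifiedBy>sidorov</cp:lastModifiedBy>'
            '</cp:coreProperties>' % (OOXML_NS["cp"], OOXML_NS["dc"]))
    app = ('<Properties xmlns="%s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>14.0000</AppVersion><Company>Example Airline</Company>'
           '</Properties>' % OOXML_NS["ep"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("sample.pdf", SAMPLE_PDF), ("sample.docx", build_sample_docx())):
        print(name, "->", audit(blob) or "clean")
```

Run it over an export of everything on the public web server: any non-empty result means a document is advertising a user name or an exact Office/Acrobat version. The PDF parser is deliberately simple and misses compressed or XMP metadata, so treat it as a first pass, not as proof that a file is clean.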
Need to know which antivirus to bypass? No problem. You can call a user and ask, but the cooler way is to call every antivirus company and say you want to buy another 1096 copies. We already have a contract with you, right? Fifteen calls, and you know exactly who the supplier is.
He showed various "road apples": PDF files with exploits, antivirus bypasses for DOC files, flash drives with a magic autostart (the user suspects nothing, but his machine is already being remotely administered). Everything was demonstrated on a Win7 configuration with the latest patches and regular McAfee scans.
Here is his HID device. These work through console (keyboard) emulation and can be used to execute code. The best approach is to build it into a keyboard and give it as a gift that activates after a couple of days.

Then he called "the bank": more precisely, his bot recorded all of the bank's voice menu prompts, and he then finished the copy off so that the IVR asked for the account number and other credit card details. The purpose? To use the number of the IVR clone in phishing emails.

Here he shows how to greet people in a cafe: in his left hand, in his bag, he has an access card scanner:

Here it is:

Then he showed how to send an SMS from any number (an old trick, but useful for social engineering), and along the way coaxed two numbers out of an audience member and had a look at the inbox on his phone. There are more details in this brief report.
At the end he handed everyone cool metal cards with a cut-out set of lock-picking tools and offered jobs. If you need them, here are his contacts:


The final
Meanwhile the tournament ended. v0s (Vlad) won by a large margin; this is the same guy who took first place in the online part back in the summer.

The gap is impressive. At first the jury even thought there might not be enough flags and that he would collect them all ahead of time. Only a handful of people in the world post results like this, and the observers from England were very impressed.

In total, 32 people took part in the game. Between them they captured 486 flags (a lot, going by the experience of international competitions) and earned 187,400 points. Right after the finish, many were already discussing upcoming information security tournaments around the world.