If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have, prone to theft, re-use, and hard to remember. SSH keys are much better, but the most secure option is to use a smart […]
If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.
At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]
As you may know, I’ve been involved with red teaming all levels of the CCDC, but I’ve also taken part in a number of CTF competitions. CCDC is one of a number of defense competitions growing in popularity, including the high-school level Cyber Patriot and military academy CDX. These stand in contrast to the longer-running Capture-The-Flag competitions commonly found at hacker conferences and elsewhere, which tend to focus on finding exploits for pieces of software. Defensive exercises have come under harsh criticism in the past few years, so are they really doing any good?
One of the most outspoken critics of CCDC has been Chris Eagle. He compares his significant experiences in the Defcon CTF, which his team has won twice, and defensive competitions, primarily with CDX….
Chris Eagle (surprisingly honestly) said “I have pigeonholed myself into the binary software analysis arena.” He continued to explain how NPS has developed many tools that make them really good at the Defcon CTF but aren’t applicable to the real world, since they’re tailored to alert on Defcon flags and those specific types of binaries, and would be unlikely to alert on real attacks. As he said, “It’s really kinda focused on the game” and “We’ve gamed the game a lot” since “We’d seen the same kind of game three times.”
We have also seen a number of students at CCDC develop their own scripts and tools to use at CCDC. The difference I see is that so far, all the custom tools I have seen students employ could be used on real networks as well to harden systems or detect & disable real malware. This is another indication that CCDC, as opposed the Defcon CTF finals, is not teaching students how to “game the game” it’s teaching them how to defend a real network.
March is Pass-the-Hash Awareness Month! It’s not as simple as you might think, but to break it down, I did a guest post on the passing-the-hash blog: http://passing-the-hash.blogspot.com/2014/03/guest-post-lets-talk-about-pass-hash-by.html
As you may know, I run the Red Team for the Collegiate Cyber Defense Competition (CCDC) in the southwest region. One of the more interesting things I put together for the regional competitions this year was a way to install Linux remotely over a command-line interface (such as meterpreter). I actually originally wrote it for […]
Let’s face it, if you are using passwords on your web site or application, you are part of the problem. It doesn’t matter if you’re using bcrypt or scrypt, or all the salt in the world, you’re still perpetuating these 11 password problems and pains. But client certificate authentication and even issuance is actually easy with modern browsers. Want to see how easy it can be? Check out the example below.