On Wassenaar

Our goal is to increase security, but unfortunately, the proposed rules are too broad and will have negative effects on our legitimate vulnerability and intrusion software research, limiting our ability to defend against cyber intrusions. … I fear the primary result of the proposed regulations is to enable federal regulators to arbitrarily fine and prosecute anyone in security or software development on whim, simultaneously the biggest reason to oppose these regulations and the biggest reason regulators may push them through anyway.

No Comments

Credential Assessment – Mapping Privilege Escalation at Scale

I recently gave the following presentation at CanSecWest. (cansecwest.com) You can see the slides below:

No Comments

How to run a secret drug empire and hide your incriminating evidence*

-or- New tools to stop common laptop data thefts Why your OPSEC advice is wrong The internet security and privacy communities, law enforcement realms, all sides of the drug war, and the world as a whole have been enraptured by the unfolding saga of the Silk Road, the tor-hidden giant marketplace of illicit goods, and […]

No Comments

Replacing Passwords With EasyAuth

There’s been a lot of focus on replacing passwords for authentication lately. Google and Twitter have each put forward proposals to address issues in authentication, Google’s based on browser modifications and Twitter’s based on mobile phone usage. Many people advocate multi-factor authentication while others advocate email-based authentication or even more unusual ideas. While many offer […]

No Comments

Exploiting Ammyy Admin – developing an 0day

Background For the past few years, a number of groups of scammers have been cold-calling thousands if not millions of people in what’s been referred to as the “Ammyy Scam” or the “Microsoft Tech Support Scam” among other names. The scammers pretend to be from Microsoft or another official group and claim to have detected […]


Easy Smart Card SSH Setup

If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have, prone to theft, re-use, and hard to remember. SSH keys are much better, but the most secure option is to use a smart […]

, ,


More Spiders, Fewer Trees: Meterpreter Hop

Just about every time you see a serious network intrusion where the attackers obtain access to internal networks, the attackers used “hop points” to conceal their identity and evade detection. … Setting up and using hop points has been a chore for penetration testers as well. Normally setting up a hop requires owning the server to open and listen on arbitrary ports and forward data. But today, using a new payload and session type I contributed to the metasploit framework, you can use any common PHP host as a hop for meterpreter. This is a big deal since it’s the first time metasploit has natively supported receiving a connect-back shell that goes somewhere other than directly to the Metasploit controller. … Check it out in the video below:


No Comments

4 practical rules to not get your program hacked

If you’re a developer, the task of building secure software can seem to be daunting. Vulnerabilities are a bane of large complex software projects, and companies like Microsoft spend millions to try to address them. This shouldn’t be a surprise, but since it’s popular to claim everything is hackable and nothing can be secure, it’s worth spelling out: Remote code execution vulnerabilities are not hard to prevent if developers follow a few simple, practical rules from the start, since they basically always fall into the below categories.


Red Teaming the CCDC

At BSides San Antonio this year, I gave a talk on Red Teaming the CCDC, including the CCDC red team year-end highlights, lessons learned, and all the secrets we’ve been hiding from the regional qualifiers to the national finals. I covered how we hacked and hid from the most paranoid student sysadmins in the nation, […]

No Comments

CCDC and CTFs – Addressing the Criticisms

As you may know, I’ve been involved with red teaming all levels of the CCDC, but I’ve also taken part in a number of CTF competitions. CCDC is one of a number of defense competitions growing in popularity, including the high-school level Cyber Patriot and military academy CDX. These stand in contrast to the longer-running Capture-The-Flag competitions commonly found at hacker conferences and elsewhere, which tend to focus on finding exploits for pieces of software. Defensive exercises have come under harsh criticism in the past few years, so are they really doing any good?

One of the most outspoken critics of CCDC has been Chris Eagle. He compares his significant experiences in the Defcon CTF, which his team has won twice, and defensive competitions, primarily with CDX….

Chris Eagle (surprisingly honestly) said “I have pigeonholed myself into the binary software analysis arena.” He continued to explain how NPS has developed many tools that make them really good at the Defcon CTF but aren’t applicable to the real world, since they’re tailored to alert on Defcon flags and those specific types of binaries, and would be unlikely to alert on real attacks. As he said, “It’s really kinda focused on the game” and “We’ve gamed the game a lot” since “We’d seen the same kind of game three times.”

We have also seen a number of students at CCDC develop their own scripts and tools to use at CCDC. The difference I see is that so far, all the custom tools I have seen students employ could be used on real networks as well to harden systems or detect & disable real malware. This is another indication that CCDC, as opposed the Defcon CTF finals, is not teaching students how to “game the game” it’s teaching them how to defend a real network.