Thursday, July 16, 2009

Hurricane Labs Hack Challenge Recap

Last night (July 15, 2009) we had our first Hack Challenge in a very long time (we've held them quite a bit in the past) so I wanted to recap it a bit here using words and pictures. :-) Here we go.


The purpose of our Hack Challenges is twofold: to demonstrate how easy it is to exploit flaws, and to serve as an educational exercise in defending yourself against those exploits. Last night's challenge seemed to excel at both. The skill levels ranged from beginner to expert and the scores seemed to reflect that range quite well. Hopefully everyone had fun and learned something. Now on to the pics.

We had tables with network drops set up at several points in our office:

We also had far more people than we expected which was awesome!

We set up a learning area where you could go to get information about how to actually exploit the vulnerable targets and get flags. This was also used to demonstrate some of the more powerful tools out there (such as Metasploit):

Now on to our winners! We only gave out prizes for first, second and third:

Third Place, Nick Consolo:

Second Place was a team of guys (I don't have all their names so I won't list any):

And finally... First Place went to Nathanial Maier:

All of our winners:

We want to sincerely thank everyone who participated last night along with the guys from Security Justice who did their podcast from our offices last night and The NEO Infosec Forum who helped to promote the event. Extra special thanks to my staff who really put on an extraordinary event (I'm biased though). Great job guys! We hope everyone had fun and learned something. We'll be sure to let everyone know when the next one will be held.

Friday, July 10, 2009

How to Successfully Format a Rulebase

Written by: Rob Jerina

I’ve been looking through a lot of firewall rulebases lately. Many of them need major improvements; of course, no rulebase is perfect. However, most of them seem to be very open, especially in allowing traffic to the firewall itself. I would like to discuss the general formatting of a firewall rulebase: organization, simple formatting, and security.

The first thing you want to do in a general firewall rulebase is to allow yourself access to the firewall for management. Depending on what type of firewall you have, you will need to craft this rule around the services used for management. Whatever you do, do not allow anybody but yourself (and other firewall admins) access to the firewall. This ensures that only specific, trusted hosts will be able to connect to manage the firewall. After creating the rule(s) for the management of the firewall, deny all others access to it.

After this management rule and what we call the ‘stealth rule’, you can start creating your access rules. It is important to be organized when composing these rules. If the firewall software you use allows you to designate different sections, this is where it will be useful. Mostly you will want to separate rule sections by outgoing traffic and incoming traffic. Depending on how many networks you have internally, this may be more specific (‘DMZ to Internet’, ‘LAN to Internet’, ‘LAN to DMZ’, ‘Internet to DMZ’, etc). One mistake I see when creating these rules is that admins will allow their DMZ servers to connect to servers (sometimes the entire LAN) on any port. If that DMZ server (or servers) were to be compromised somehow by an exploit or worm, the attacker would have access to those LAN servers on any port, or even to any machine on your LAN. Then you would have a big problem internally that is very messy and difficult to remedy.

After you have all of your access rules created (and hopefully locked down as much as possible), it is good practice to drop any traffic that does not match the rules you created above. This ensures that even if you didn’t create a rule allowing some traffic above, you are explicitly dropping it rather than relying on an implicit default. Depending on your firewall software, you can set this rule to log as well and use it for any type of troubleshooting.

This is the recipe for a very basic rulebase. Even with advanced and larger implementations, a similar format should be followed. Adding in VPNs (remote or site-to-site) can confuse things a bit. I see a lot of VPN rules above the firewall stealth rule. This would allow anyone connecting through the VPN to connect to your firewall. Since you usually do not have much control over the network on the other side of the VPN, this could be a very bad thing. You might be thinking “My firewall has a password, I should be fine”. Just because it has a password though does not make it secure. Having multiple levels of security is good practice to keep your network safe.
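As an added example (not from the post), here is a small first-match model of the layout described above, using constructed documentation-range addresses: it shows the stealth rule blocking a VPN peer from the firewall, the DMZ limited to one LAN host and port, the logged cleanup drop, and what happens when a broad VPN rule is placed above the stealth rule.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Rule:
    name: str
    src: str              # source CIDR
    dst: str              # destination CIDR
    dport: Optional[int]  # None matches any destination port
    action: str           # "accept" or "drop"
    log: bool = False

# Constructed sample addressing (RFC 5737 documentation ranges), not from the post.
FW = "203.0.113.1/32"         # the firewall's own address
ANY = "0.0.0.0/0"
ADMINS = "10.0.0.0/29"        # trusted firewall-admin hosts
LAN = "10.0.0.0/16"
DMZ = "192.0.2.0/24"
DB = "10.0.5.10/32"           # the one LAN host the DMZ may talk to
VPN_PEER = "198.51.100.0/24"  # remote side of a site-to-site VPN

# The layout the post recommends: management, stealth, access rules, cleanup.
RULEBASE = [
    Rule("mgmt-ssh", ADMINS, FW, 22, "accept"),
    Rule("stealth", ANY, FW, None, "drop", log=True),
    Rule("vpn-to-lan-smb", VPN_PEER, LAN, 445, "accept"),
    Rule("dmz-to-db", DMZ, DB, 3306, "accept"),       # not DMZ -> LAN on any port
    Rule("lan-to-internet-https", LAN, ANY, 443, "accept"),
    Rule("internet-to-dmz-https", ANY, DMZ, 443, "accept"),
    Rule("cleanup", ANY, ANY, None, "drop", log=True),
]

def matches(rule: Rule, src: str, dst: str, dport: int) -> bool:
    return (ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(rulebase: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str, bool]:
    """First match wins; returns (rule name, action, whether it logs)."""
    for rule in rulebase:
        if matches(rule, src, dst, dport):
            return rule.name, rule.action, rule.log
    return "implicit-deny", "drop", False  # never reached with a cleanup rule in place

# The mistake the post warns about: a broad VPN rule above the stealth rule
# lets every host on the remote side of the VPN reach the firewall itself.
MISORDERED = [Rule("vpn-any", VPN_PEER, ANY, None, "accept")] + RULEBASE
```

Compare evaluate(RULEBASE, "198.51.100.7", "203.0.113.1", 22) with the same call against MISORDERED to see the stealth rule being bypassed.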

Thursday, July 9, 2009

Information Security Summit

Reprint from announcement:

7th Annual Information Security Summit
October 29-30, 2009
Pre-Summit Training October 26-28, 2009
Registration is now open for the 2009 Information Security Summit. This year’s event features pre-Summit training opportunities and 2 days of talks, presentations, hands-on workshops, a vendor trade-show fair and much more! Information Security Technology, Business/Management, Law Enforcement, Career Development, Compliance and Legal issues will be featured. Joel Snyder of Opus One will be our Thursday Keynote Speaker. Our theme this year is Information Security on a Shoestring Budget.
Pre-Summit training opportunities include:
Forensics from Len Drinkard
Open Source Technologies from Bill Mathews
NACS – Joel Snyder
Malware Analysis from Tyler Hudak
Incident Response from Mandiant
Keynote speakers scheduled:
Joel Snyder from Opus One
John O'Leary from O'Leary Management Education
Grady Summers & Richard Bejtlich from General Electric
Check our website at http://www.informationsecuritysummit.org for a complete list of training options and other conference details.
Our event this year will be held at:
Corporate College East.
4400 Richmond Road
Warrensville Heights, Ohio.
This facility is a quarter of a mile from Tri-C's Eastern Campus and is easily accessible from Interstate 271. Our recommended hotel for overnight guests is the Embassy Suites at 3775 Park East Drive in Beachwood as they offer complimentary shuttle service to and from Corporate College.
Register at https://www.informationsecuritysummit.org/register.php. We look forward to seeing you at the Summit!
The 2009 Summit Planning Committee

Wednesday, July 1, 2009

Network Access Control (NAC) and You

This month I've been doing a lot of work with various network access control (NAC) solutions for various customers. The bottom line is that most, if not all, of them are horribly flawed. Some assume that the computer is the user and authorize the MAC (media access control) address, requiring no authentication on the part of the user. In this scenario, if an attacker gets control of a machine (or, more likely, a user leaves their machine unlocked and walks away), then the unauthorized person has full access as if they were the legitimate user. This is probably the most popular sort of NAC solution as it doesn't really require an agent to be installed and is fairly transparent to the user base.

The second type I've run across requires an agent to be installed and run on the client side, which then checks with some sort of server piece for authorization. This can be a better solution but becomes a support headache as you install 1,000s of clients, and what happens when you have a workstation that isn't supported by the client? You then have to make an exception for that workstation and defeat the whole purpose of your NAC project. There are probably several other issues with this one, but in my limited testing I didn't run across many others.

The final type I've run across is popularly referred to as a "captive portal". Essentially a server piece picks up (usually from a switch) when you connect and moves you to an isolation VLAN where you can only get to a portal page. Typically this portal page can be integrated with Active Directory or any other authentication mechanism of choice and allows a user to log in, which authorizes them to be on the network and do whatever they wish and are allowed to do. The drawbacks here are that you hand over control of your switch to some automated device, which can be scary, and you have to trust it to do its job 100% effectively. Out of all these NAC "solutions" I've been testing this is by far my favorite one, even though it makes users aware of the system. To be fair though, a lot of vendors (and Open Source NAC projects) allow for some hybrid of these, so as always your mileage may vary.

Have any different experiences with NAC? Let me know about them with a comment here!