MA-CCDC-09 Finals

The Mid-Atlantic CCDC (Collegiate Cyber Defense Competition) for 2009 is over and the University of Pittsburgh team is the winner and will represent the Mid-Atlantic region in the national finals in San Antonio, TX in April.

Systems for the college teams (blue teams) were updated this year to include more robust Active Directory services and a domain controller running Windows Server 2008. Workstations ran Vista for the first time. Several Linux distributions were included, and several web applications were serving pages.

The red cell was bigger than ever and better organized than ever, and faced more difficult obstacles than in the preliminary rounds because the targets had been upgraded. As usual, there was a lot of scanning done, a lot of launching of exploit code, and every now and then some celebrating when one worked as expected. Then came the digging-in process, trying to maintain access against the efforts of the students to clean our presence off of their systems. The MS08-067 exploit from last year (the vulnerability behind the Conficker worm) was effective against several Windows systems, and even the old standby RPC-DCOM exploit (MS03-026) still worked against the older Windows 2000 server.

Perhaps the most brilliant work done came on Saturday when Rob Fuller, Seth Fogie and Paul Asadoorian collaborated with several hours of work to take over some web pages by injecting iframes (inline frames).

Continuing his work from last year in owning the VoIP system, Mike LaSalvia dominated the phones most of the weekend. By Saturday, he had recruited several other red cell members to form a group of phone operators. They had a list of team member names, and as incoming calls were intercepted, the operators were prepared to give out the real name of a student on the team they were pretending to represent. This created many moments of laughter and celebration in the red cell enclave. The highlight was when Mike called the acting “CEO” and, claiming to be a team captain, insisted that he had evidence of betrayal by a fellow student and requested that the CEO fire this student. The film crew that was working on a documentary captured the entire incident.

We managed to get some MP3 players with built-in microphones taped under the blue teams' tables before they arrived, in an attempt to record conversations, hopefully including some passwords and other configuration information. After the competition halted Friday evening, the players were retrieved and analysis began. One player stopped recording after 20 minutes for an unknown reason. One player was discovered, its recording deleted, and then turned in to the white team (it will be interesting to see if forensic analysis shows whether it was wiped or simply deleted). Another player was discovered right at the start of the competition, but the team wasn't sure what to do with it and simply pocketed it while it was still running. That player yielded about four hours of good competition-time audio. The final player worked flawlessly, recording until it was retrieved. Listening to the recordings was difficult because of the nature of the condenser microphones and the position of the players underneath the teams' tables. With the gain turned up high enough to hear the conversations, every contact with the table produced a very loud thump. Analysis after the competition was over showed that applying high-pass and low-pass filters eliminated much of the noise and made the recordings much easier to hear. This did eventually produce a lot of valuable information, but too late to use in the actual competition.
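As an added example of the clean-up step described above (this is not code from the original post, and the audio it works on is a constructed stand-in, not a competition recording), the following pure standard-library Python applies a high-pass and a low-pass second-order Butterworth section in cascade. The corner frequencies (300 Hz and 3400 Hz, the classic telephone speech band) and the 8 kHz sample rate are assumptions chosen for speech; low-frequency table thumps fall below the high-pass corner and microphone hiss is trimmed by the low-pass. The `clean_wav` helper is hypothetical glue for running the same filter over a 16-bit mono WAV pulled off a recorder.

```python
"""Band-pass clean-up of a noisy under-table recording (standard library only).

Two cascaded second-order Butterworth sections (high-pass, then low-pass)
keep roughly the telephone speech band and attenuate the low-frequency
thumps from table contact and the high-frequency hiss a cheap condenser
microphone produces at high gain. A constructed signal stands in for the
real recording so the signal-to-noise improvement can be measured exactly.
"""
import math
import random
import struct
import wave

SAMPLE_RATE = 8000     # Hz; assumed, adequate for speech
LOW_CUT = 300.0        # Hz; high-pass corner, removes thumps and hum
HIGH_CUT = 3400.0      # Hz; low-pass corner, removes hiss


def butterworth_biquad(cutoff_hz, sample_rate, kind):
    """Second-order Butterworth coefficients via the bilinear transform.

    Returns (b0, b1, b2, a1, a2) for
    y[n] = b0*x[n] + b1*x[n-1] + b2*x[n-2] - a1*y[n-1] - a2*y[n-2].
    """
    k = math.tan(math.pi * cutoff_hz / sample_rate)   # pre-warped corner
    norm = 1.0 / (1.0 + math.sqrt(2.0) * k + k * k)   # Q = 1/sqrt(2)
    a1 = 2.0 * (k * k - 1.0) * norm
    a2 = (1.0 - math.sqrt(2.0) * k + k * k) * norm
    if kind == "lowpass":
        b0 = k * k * norm
        return b0, 2.0 * b0, b0, a1, a2
    if kind == "highpass":
        return norm, -2.0 * norm, norm, a1, a2
    raise ValueError("kind must be 'lowpass' or 'highpass'")


def biquad(samples, coeffs):
    """Direct-form-I IIR filter over a list of float samples."""
    b0, b1, b2, a1, a2 = coeffs
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x in samples:
        y = b0 * x + b1 * x1 + b2 * x2 - a1 * y1 - a2 * y2
        out.append(y)
        x2, x1 = x1, x
        y2, y1 = y1, y
    return out


def bandpass(samples, sample_rate=SAMPLE_RATE, low=LOW_CUT, high=HIGH_CUT):
    """High-pass then low-pass: keeps [low, high] Hz, attenuates the rest."""
    hp = butterworth_biquad(low, sample_rate, "highpass")
    lp = butterworth_biquad(high, sample_rate, "lowpass")
    return biquad(biquad(samples, hp), lp)


def power_db(samples):
    """Mean-square power of a sample list in dB (relative to full scale 1.0)."""
    mean_sq = sum(s * s for s in samples) / len(samples)
    return 10.0 * math.log10(mean_sq) if mean_sq > 0 else -float("inf")


def constructed_recording(seconds=2.0, sample_rate=SAMPLE_RATE, seed=1):
    """Constructed stand-in for a captured track (not competition audio).

    'Speech' is two tones inside the speech band; noise is a loud 40 Hz
    thump plus uniform hiss. Speech and noise are returned separately so
    the SNR can be computed exactly; the 'recording' would be their sum.
    """
    rng = random.Random(seed)
    n = int(seconds * sample_rate)
    speech, noise = [], []
    for i in range(n):
        t = i / sample_rate
        speech.append(0.3 * math.sin(2 * math.pi * 440 * t)
                      + 0.3 * math.sin(2 * math.pi * 1200 * t))
        thump = 1.0 * math.sin(2 * math.pi * 40 * t)   # table contact / hum
        hiss = rng.uniform(-0.2, 0.2)                    # microphone self-noise
        noise.append(thump + hiss)
    return speech, noise


def snr_improvement_db():
    """Return (SNR before, SNR after) band-passing the constructed recording.

    The filter is linear, so filtering speech and noise separately gives the
    same result as filtering their sum and lets the ratio be computed directly.
    """
    speech, noise = constructed_recording()
    before = power_db(speech) - power_db(noise)
    after = power_db(bandpass(speech)) - power_db(bandpass(noise))
    return before, after


def clean_wav(in_path, out_path):
    """Hypothetical helper: band-pass a 16-bit mono PCM WAV into a new file."""
    with wave.open(in_path, "rb") as src:
        if src.getsampwidth() != 2 or src.getnchannels() != 1:
            raise ValueError("16-bit mono PCM expected")
        rate = src.getframerate()
        raw = src.readframes(src.getnframes())
    samples = [s / 32768.0 for s in struct.unpack("<%dh" % (len(raw) // 2), raw)]
    cleaned = bandpass(samples, rate)
    peak = max(1.0, max(abs(s) for s in cleaned))      # avoid clipping on write
    pcm = struct.pack("<%dh" % len(cleaned), *(int(s / peak * 32767) for s in cleaned))
    with wave.open(out_path, "wb") as dst:
        dst.setnchannels(1)
        dst.setsampwidth(2)
        dst.setframerate(rate)
        dst.writeframes(pcm)


if __name__ == "__main__":
    before_db, after_db = snr_improvement_db()
    print("SNR before: %.1f dB, after: %.1f dB" % (before_db, after_db))
```

On the constructed signal the band-pass lifts the speech-to-noise ratio by well over 10 dB, almost all of it from removing the thump below the high-pass corner; the hiss inside the speech band is only trimmed, which is why the gain still has to be kept as low as the conversation allows.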

The experience of preparing for the CCDC as a member of the red cell taught me the value of using virtual appliances for training and lab work. It was possible (even on fairly short notice in one case) to find a virtual appliance, download it, get it running and use it for target practice. Having a collection of virtual appliances that mirror real-world configurations can greatly accelerate any learning effort.

After each of the past three years, it has seemed that both the red cell and the blue college teams get a little bit better organized and better prepared for the competition. In spite of this, the most obvious area ripe for improvement is knowledge management. Both ego and insecurity inhibit information sharing inside the red cell, and the same is probably true to some extent in the college teams. The red cell often wastes a lot of effort with redundant discovery scanning and mass exploitation attempts against the same systems, which can crash those systems or interfere with each other's efforts. This year there was at least one incident of “friendly fire” where a system being used by one red cell member became infected by another red cell system.

Often the college teams have only one or two returning veterans from the competition to help guide the next year's team. This leaves their faculty advisor and/or graduate mentors as the main source to pass information from one generation of the team to the next. A premium should be put on debriefing teams shortly after the CCDC and documenting lessons learned that can be passed on. Linking this knowledge to training and practice efforts should yield good benefits.
