Report from the hacker tournament and security conference with Mitnick

“The people sitting in the next room pose the main threat to our security.”
On Tuesday the second (offline) part of the Symantec Cyber Readiness Challenge hacker tournament took place, together with the CROC Cyber Conference security conference featuring Kevin Mitnick. Together the event was called C^2: Cyber Challenge.

The highlights:
  • Our hackers turned out to be very fast.
  • No gas was released into the hall with the participants (although many at the conference considered that a reasonable measure).
  • Mitnick showed miracle flash drives that bypass antivirus and take over the machine, a copy of Citibank's IVR, how to greet people while copying their MIFARE card, and told a pile of stories from his turbulent youth. “When do we start the test? It's already done. Didn't you get the e-mail? Right, the report is on your desktop.”

Below is the report, a little about the preparation and a lot of photos (heavy on traffic).

Kevin is proud of the phone whose firmware he obtained from the hands of a security guard


One of the hardest parts of preparing a large event is making everything run like clockwork, from people arriving and registering to a normal, fast network for absolutely everyone.

Here is the venue, a 12-minute walk from the Frunzenskaya metro station. We ran several minibuses to shuttle guests from the metro: we met the participants right at the exit and loaded them all into the “party vans”. Nobody got lost.

Registration often becomes the bottleneck at events like this. Here we had plenty of staff handing out badges, and the participants' names and surnames were printed on the spot:

Support was provided both by the Russian team and by technical specialists from England. The announcer sat nearby. Since part of the conference was in English (Mitnick, for example, does not speak Russian), simultaneous translation was needed. Here is a rack of receivers, handed out in exchange for an ID document:
The next important question is the Internet. Participants need a fast connection, so we brought a 256 Mbit/s line straight from the provider. The hall had seats with double spacing (not everyone likes sitting right next to other players), and each row had its own local network segment. Every participant got a cable drop like this:
In the middle of each row stood a 48-port switch:

Interestingly, the site survey was done 4 days before the start, all the equipment was bought over the weekend, and installation and testing finished a couple of hours before the conference. 6 people laid the network cabling; in total, between 20 and 30 people worked on the installation at different times. There were emergencies too: one of the switches burned out, but it was quickly swapped for a spare. We tested every patch cord, since nobody needs surprises from a bad crimp.

Separately, a 100 Mbit/s line was run for the conference participants; Mitnick needed it.

The backup line, in case the whole thing went down, was another 100 Mbit/s. We decided against automating the failover: the switching was too complicated. In the event of a failure, a technician would move the cable over in under 2 minutes; this was tested.

The game

Participants arrived early, got their setups working and prepared. A couple of hours before the start, many were still on the road and worried that they had not received the link with the setup details.

Food from the buffet was carried straight to the seats, and people stocked up on water so as not to leave the game unnecessarily. Vlad (the future winner), for example, had three glasses: mineral water or juice if he wanted a drink, and an empty one if he didn't.

The start of the game, with the scenario: a message from Giles Knox, a former employee of the EDC corporation:
While he was still speaking, many had already gone after the first flag.
The future winners (2nd and 3rd places) during the game:
A girl among the participants:
The lighting was dimmed, and the glow on the participants' faces came from their screens. Unlike in the movies, the letters were not projected onto them:

The game was intense:
The flags included tasks on:
  • Port scanning
  • Decryption and password brute-forcing
  • Session attacks
  • Deanonymization on a mobile device
  • Working with disk images
  • Breaking a 16th-century cipher
  • SQLi (a whole bunch of different variants)
  • Reconnaissance and exploitation
  • CSRF / XSS and many other interesting things.

There were the traditional surprises too: despite the ban on attacking the infrastructure, some started brute-forcing the routers. After a general warning the participant listened to the voice of reason, so for a first offence he was forgiven and not disqualified.

The conference

Here we did a few important things; standard for conference organization, really, but convenient. To begin with, the speaker needs his own large screen, a “prompter”, to see his presentation. Without it he starts nervously looking back over his shoulder. We mounted it like this:
Secondly, four screens for slides: two more on the sides of the stage in the original language, and one slightly to the right for the translation. Many participants were happy to photograph the second screen, for example: it showed useful links and what Kevin had scanned from Aeroflot's open data:
The following people spoke at the conference:
  • Boris Bobrovnikov, CEO of CROC;
  • Andrey Vyshlov, General Director, Representative Office of Symantec Ltd;
  • Pavel Golovlev, Head of the Information Technology Security Department, SMP Bank OJSC;
  • Evgeny Druzhinin, information security expert at CROC;
  • Sergey Ershov, Head of Information Security, Information Security Division, Greenatom CJSC;
  • Andrey Zerenkov, Chief Information Security Consultant, Representative Office of Symantec Ltd;
  • Denis Kamzeev, Deputy Head of the Operational Risk Control Department, Raiffeisenbank CJSC;
  • Artyom Krolikov, Head of Information Security, Alfa Insurance;
  • Vyacheslav Morozov, Regional Manager for Russia and the CIS, Nice Systems;
  • Mikhail Sukonnik, Regional Director for Russia and the CIS, Radware;
  • Dmitry Ustyuzhanin, Head of the Information Security Department, VimpelCom OJSC.

The moderator was Oleg Sedov, editor of special and online projects at Intelligent Enterprise / RE.

The conference opened with a proposal to significantly improve the security of IT systems worldwide by releasing gas into the adjacent room. The idea kept resurfacing during the discussions. It should be noted that the real hardcore hackers are unlikely to have come to the conference: there was a lot of press, and everyone here would be remembered for a long time. The conclusion was that our attackers behave quite correctly towards “native” systems: they don't foul the nest they live in and mostly go West. “Russian hacker” is already a brand in the US, we are afraid. Deservedly so, it must be said.

The interaction between IT, information security and other departments was discussed. For example, fighting insider threats is often dumped on information security, although HR should be doing it too; the Federal Law on personal data was dumped on information security, which considers it a non-core task that IT should handle; and so on. In Russia people still don't know how to play as a team: even in large businesses, cooperation between departments is far from ideal. The example of a Western “security officer” was given: a person coordinating IT, information security, a bit of HR and a bit of finance, who is deeply involved in the business and knows which risks to cover and how. Then outsourcing and its development were discussed: there is a future in it, but for now the legal restrictions on processing information at a third party get in the way.

The conclusion was that properly configured processes are needed. For example, today, if an employee finds a vulnerability, it's good if he tells the admin; it's good if the admin doesn't take offence at his own blunder and says thank you (this is very important, he was helped!); and it's good if he closes the hole rather than hushing it up. It is much worse if the employee tells his colleagues about the hole: in two weeks the whole company will be using the vulnerability as if that were how things are supposed to work. Security officers try to educate people: for example, when data is sent to the wrong place, they either change the process (because it needs changing) or explain to the user and his manager what the mistake was and how to do it right.

Risk management was discussed. It turns out that one of the pressing problems is when the security officer comes to management and says “this is necessary”, and is told “there's no money”. Clearly there isn't enough to cover every risk in a row, but the main ones are critical. It was noted that businesses from the 90s understand risk management perfectly well and live by it: if the security officer believes something is necessary, then it is, a given absorbed back in the wild years. Let's just say that the one who knows the rules wins, and the one who follows them loses. As one participant in the discussion put it: “The white and fluffy need to have it explained to them.”

Important new areas are employees using their own mobile devices and virtualization (in particular, moving infrastructure to the “clouds”). The rollout is often done “in two Mondays”, and information security is brought in only after the first leak; in practice the system needs to be built secure from the very start.

Vacancies were discussed for a long time. For example, one large bank moved entirely to outsourcing. The press releases talked about efficiency, SLAs, business agility and so on. In practice they were simply tired of the petitioners: IS employees would come in and unexpectedly ask for a raise on an already high salary, then come again at a random moment and unexpectedly ask for money or something else. When they got tired of satisfying these ambitions, they simply handed everything over to outsourcing.

Is it possible to hire “hackers” from the underground to work for a company? Two examples were given: one antivirus company prefers to train people exclusively in-house, while another company specializing in pentests takes on “consumables”, since the tasks for such staff are one-off. There are many problems with corporate culture and loyalty. One participant said: “You know, it was very hard for us to accept people who have no idea where the piercings turn into gadgets.” On the other hand, many take such “strange” people calmly. In the words of another participant: “We had a guy with dreadlocks working for us. Nobody worried. He left after two months... Hmm, now I'm thinking, maybe he was solving some problem of his own with us...” In the end the conclusion was that for classical security (defence) it is better to take specially trained people (almost with epaulettes), but in the new areas, yes, of course, nobody handles attack better than the “self-taught”.

Kevin's performance

Kevin is no longer an authority for the new generation, but on the other hand he is a symbolic figure for those who gathered in the hall.

He covered the general points of social engineering (we already wrote about them while preparing for the tournament; here is the primer), and then he really got going.

This is what a successful information security specialist should look like: three laptops, a phone, a pile of dual-use devices and pretty women around.
First he talked about general data collection. To the traditional dumpster diving and contact lookup he added analysis of social networks. Kevin loves LinkedIn: the whole structure of a company is laid out there in plain view. A very simple example: it lists all the sales people, who often travel with laptops.

He also showed FOCA, software for analyzing the metadata of a company's publicly available documents. He scanned Aeroflot and obtained the basic software configuration of its machines, several dozen employee names, and from those easily worked out their e-mail addresses.

Need to know which antivirus to bypass? Not a problem. You can call a user and ask, but it's cooler to call all the antivirus vendors and say you want to buy 1096 more licences. We already have a contract with you, right? 15 calls, and you know exactly who the supplier is.

He showed various road apples: PDF files with exploits, antivirus bypasses for DOC files, flash drives with a magic autostart (the user suspects nothing, but his machine is already being remotely administered). Everything was demonstrated on a Windows 7 box with the latest patches and McAfee scanning continuously.

Here is his HID device. These work by emulating a keyboard (console input) and can be used to execute code. The best way is to embed one in a keyboard and give it as a gift that activates a couple of days later.

Then he called “the bank”; more precisely, his bot had copied all of the bank's voice prompts from its menu, and he then tweaked the copy so that the IVR asked for the account number and other details from the credit card. The purpose? To use the number of the IVR copy in phishing e-mails.

Here he shows how to greet people in a café: in his left hand he holds a bag with an access card reader inside:
Here it is:

Then he showed how to send an SMS from an arbitrary sender number (an old trick, but useful for social engineering) and in the process coaxed two phone numbers out of a viewer and got a look at his inbox on the phone. There are more details in this short report.

At the end he handed everyone cool metal business cards with a cut-out set of lock-picking tools and offered them a job. If you need them, here are his contacts:

The finale

By this time the tournament had ended. v0s (Vlad) won by a wide margin; this is the same guy who took first place in the online part in the summer.

The gap is impressive. At one point the jury even thought there wouldn't be enough flags and that he would run out of them ahead of time. Only a handful of people worldwide have shown such a result, and the observers from England were very impressed.

In total, 32 people took part in the game. Between them they captured 486 flags (a lot, judging by the experience of international competitions) and scored 187,400 points. Right after the finish, many were already discussing the next infosec tournaments around the world.