July 28th, 12:34 PM, 2000
The brutal desert heat wasn’t too easy to bear in standard DefCon clothing. Black was the order of the day, and despite the low humidity, Reuben was looking forward to getting inside, back into the air conditioning. He looked around the pool area and wondered if anyone else was feeling the same way; if they were, it didn’t show. Most perplexing of all were a couple of the members of Phenoelit, the German hacker think-tank, who were wearing not just black, but black leather pants. Reuben could feel the sweat under his backpack, and wondered what it must feel like under those pants. Phenoelit was well-known for their understanding of (and ability to poke holes in) various networking protocols, especially those used for communication between devices like routers. FX, one of their members, was a talented researcher and speaker with regard to router vulnerabilities, and had the ear of Cisco when it came to fixing problems.
Chapter 2
Most people seemed to think that the main source of security research in the IT world was the government, or large corporations. In reality, it was small, non-commercial groups like Phenoelit, L0pht, Attrition, and a select few independent researchers, like Rain Forest Puppy, Dan Kaminsky, Greg Hoglund and David Litchfield, among others, each with their own particular specialties and focus. The research was rarely done under contract, but was rather the result of a natural curiosity just to see if something was really secure or not… and if not, how to break it. The benefits of this research depended on many factors, but without it, the only people finding new vulnerabilities would be the criminal hackers, who produced “0-day exploits.”
When a vulnerability was discovered, the normal plan of action was to develop a program that could “exploit” it. The reason for this was simple; software companies tended to vehemently deny that their software was vulnerable. This could be attributed to the desire to avoid bad publicity, their personal attachment to their work, or ego, it didn’t matter. What mattered was that you often had to demonstrate the vulnerability to convince them that it existed, and get them to fix it. When security researchers did this, they normally contacted the software producer first, keeping the knowledge under wraps. They then had the option to reply in kind, get more details, and fix the problem; once the fix was available, the researcher would release details of the vulnerability (and how to get the fix) to the world, and claim credit for the discovery. The threat of vulnerability (and exploit) disclosure tended to keep the software companies honest; if they refused to acknowledge or address the problem, they risked being seen as unconcerned about the security of their product, and thus the security of their customers. Indeed, on rare occasions, the company would be unresponsive, and the exploit code would be given to the public to attack their systems at will, which would force the issue. Sometimes the researchers were called “hackers,” sometimes they were called “security researchers,” and there was no rhyme or reason to it, really. Even the meanings weren’t necessarily stable. To many people, a “hacker” is someone who breaks the law and does bad things. But to most in the field of computer security, a “hacker” was just someone with some solid skills, and perhaps not even security-related skills at that. It just meant someone who was one hell of a programmer.
Sometimes, however, the first person or group to discover a vulnerability were those with no such moral goals or distinctions. To a black-hat, a vulnerability that nobody else has found is valuable; the attack to exploit it is a sword against which there is no armor, essentially. The vulnerability had been known to the general public for zero days so far, and thus was known as a “0-day vulnerability”; it and the exploit (“0-day exploit,” naturally) would be kept secret from the public and the vendor; if the vendor came to know of the flaw, they would likely fix it, and the attack would lose much of its effectiveness. In addition, IDS vendors would add signatures to detect it, and people would know to watch for the attack in general. Such exploits were sometimes traded among very close friends, and eventually leaked, but usually they became known after a seasoned admin with a watchful eye noticed the attack, and was able to conclusively see that it was a new attack that exploited an unknown vulnerability. At that point, the researchers went to work and recreated the vulnerability, and the vendor was notified. Sometimes, the first hint of such an attack was a large amount of scanning (searching on the Internet with automated tools) for a particular application for no apparent reason; the person in control of the 0-day exploit would be looking for targets en masse.
And DefCon was the annual conference for hackers and the like. Thousands of people of many ages and backgrounds churned through the conference: script kiddies who knew little besides how to cause havoc and destruction (both digitally and interpersonally), old-school hackers who still knew more than most other attendees, feds of one kind or another (in varying degrees of disguise), academics, and probably quite a few professional criminals. They all readily mingled with each other, fully aware that anyone they spoke to at any time could belong to one or more of these groups. On top of that, everyone drank, almost perpetually, all weekend long; this seemed not to hinder intellectual discourse at all, oddly enough. In fact, it actually seemed to foster it, as fears of who one talked to and what one said diminished.
The resort hosting DefCon was the first to ever allow them back a second time. It was no surprise that a conference of this sort inevitably included people who lacked a moral compass. Past events included hacking the radio communications of casino guards. That prank was at least amusing, as it involved periodically replaying the same “There’s a fight on level two!” sound (recorded off the airwaves from the dispatcher), causing dozens of guards to converge in the same spot repeatedly. This went on for over ninety minutes before the guards caught on. Other pranks descended into raw stupidity, such as tossing a smoke bomb into an elevator. It seemed that script kiddies were not entirely aware of the degree to which video surveillance permeated a Las Vegas casino hotel.
Attempting to bring at least some degree of order to the situation was the intimidatingly large, viciously sarcastic and incredibly humorous man known only as “Priest,” who acted largely as referee and MC for the event. A former NSA employee, he embodied the duality of the security industry, helping organize and run an event that brought both sides of an online war face to face in the spirit of mutual learning.
One of the lighter sides of DefCon was the “Spot the Fed” competition, which had its origins in a less-than-fun act of community self-preservation. In the early days of DefCon, federal agents (usually from the FBI) would attempt infiltration of the event and attendees, in hopes of gathering intelligence. Their hope was to collect information that would lead them to catch hackers, although they never had any particular crime in mind when they attended. The problem was, it’s fantastically difficult for a person with an FBI mindset (not to mention background and age) to fit in among such a crowd. Thus, their presence did not go unnoticed for long, and the attendees amused themselves by pointing them out publicly. This eventually evolved into a game; “spot the fed,” as it came to be known, which had every hacker looking at any fellow attendees that appeared “feddish.” If an attendee spotted one successfully, they got a black (of course!) t-shirt that said, “I spotted the fed!” on it. In later years, as DefCon grew, the surveillance and the contest both became more light-hearted; the fed got a t-shirt also, proudly proclaiming, “I am the fed!” By then it was a fun and jovial game, and the feds and hackers alike delighted in it. It was also a nice break from often contentious and always mentally taxing debate and discussion of incredibly technical concepts… the simple joy of everyone uniting in agreement as they looked at the short-haired blond thirty-something man on stage and chanted, “FED! FED! FED!” in unison.
Curiously looking about to see if he could spot anyone looking “feddish” in plain sight before giving up for the moment, Reuben looked down at his program and tried to figure out which sessions he wanted to see. The topics were all over the place, including IDS evasion, network-level steganography, and some hardware hacking. He noticed an interesting session on penetrating secured systems that have been certified “B1.” This certification essentially meant that the systems in question were about as secure as can be realistically expected, even under the worst of conditions.
Well, won’t be attending that one. Too many bad guys will be interested, he thought. That’s part of the problem at DefCon, you can learn much from what your opponents will tell you, but you can also end up being improperly identified with them too. The trick was to avoid unnecessary risks and focus on the benefits, and learning how to break into DoD classified systems had no benefit to a commercial-world whitehat like him whatsoever. Neither did the session on writing buffer overflows for the SPARC architecture… he didn’t write exploits, and few of his clients used Sun hardware yet in any case. Likewise, some of the less technical sessions, like the one covering the sociology and psychology of virus writers, appealed to him, but had little value to his client base. He had to remember that he was there to learn, but more importantly to learn what would serve him in his work. Still, there were some overlaps, and some sections of time where one thing seemed as good as any other, job-wise.
Looking down at his badge, he noticed that this year it was plastic and colorful, unlike the previous year. A large red pill was featured, with the label, “DefCon 8,” a clever metaphor. It was widely felt that DefCon was the conference where one “took the red pill.” He looked around the pool area again, and it struck him how the sight was bizarre on some level, and yet comforting. Everyone around was, on some level, like him. Nobody here would look askance at him for being a “geek” (although the word was by now becoming a compliment rather than an insult, thanks to the dot-com boom), or try to talk sports with him. Conversely, nobody looked at him like some mystical member of a new priest-class, able to speak to the computer gods on behalf of mere mortals either; Reuben felt particularly uncomfortable when people did that. Here, he could strike up a conversation with someone about extremely technical concepts and actually feel challenged by the resulting conversation. Back at home, in Washington DC, he worked with some very talented engineers, but none of them were security geeks, in the pure sense of the word. He could learn a lot from them about networking and various server apps, but when it came to security, Reuben was increasingly feeling like the big fish in a small pond. He was “that guy,” who knew the wizardry of such things, in office lore. He wanted to get into larger jobs, into work that challenged him more. He wanted to do some of the really high-stakes work for the larger companies.
Reuben walked inside and went to the vendors’ area. A peculiar hackers’ bazaar filled the large room, with people vending everything from old hardware to t-shirts with funny or artistic designs. “Got root?” questioned one shirt, a slogan also available on stickers of various sizes. Another shirt sported a diagram of the OSI Model… but with two extra layers on top. Instead of the normal 7 layers, ranging from “physical” to “application,” there were perched the “money” and “politics” layers, a witty reference to how the best-laid plans of geeks were often utterly trashed by non-technical realities. Another shirt was a cross between a type of vulnerability and a quote from a recent popular movie… “I am Jack’s overwritten stack pointer…” He pulled out his wallet, and bought a few shirts as well as a couple of witty stickers. Someone else was offering copies of a database of what looked like DMV information, and another vendor produced false identification. God, they’re just asking to get raided, being out here like that, thought Reuben as he smirked to himself and moved on. Just because the feds who attended DefCon were good-natured didn’t mean they were blind, stupid, or derelict in their duties.
New this year was the open-access wireless network. Reuben didn’t have a wireless card yet, so he wasn’t participating. He wasn’t sure he wanted to just yet either. An open network at DefCon would have to be the most hostile network on the planet, with such a concentration of hackers of every level of moral character populating it. He didn’t have to wait long to see an example of what he feared.
“That’s odd. I’ve only been up and running a few minutes, but I have core files all over the place,” stated one attendee with a wireless card. Core files were dumps of sections of running memory, produced when an application failed unexpectedly. While many things could cause such an event, it was too much of a coincidence here that the core files all seemed to be from listening daemons on the operating system; the laptop had been hit with a slew of buffer overflow attacks, which invariably caused the targeted application to crash as it was subverted to a hacker’s purpose. Apparently the puzzled owner of this laptop had just finished installing and configuring RedHat Linux 6.2, and had joined the network without installing any patches or using a firewall. Inside of two or three minutes, he’d been hacked multiple times, and his laptop was now like a piece of meat that a dozen dogs were fighting over. Reuben just shook his head and kept walking, laughing to himself quietly and metaphorically imagining the computer as an inept beekeeper who decided to provoke several hives worth of hornets simultaneously. The computer had been taken over, or “rooted,” not once but several times, or perhaps even dozens. The expression derived from gaining access to the “root” account of a UNIX-based system. Root had the power to do anything, and thus being able to use that account gave a hacker unstoppable access to everything else on a machine.
Reuben strolled into the room where “Capture The Flag” was starting. The CTF competition was really amazing; several teams set up systems on a network, and the teams then tried to hack each other while fending off attacks. Points were awarded for successful hacks, and at the end, the team with the most points won. One organization dutifully recorded every packet that passed on the network, and made the data (by that time one huge file) available to the general public for whatever purpose. It was well-known that many of the newest and most clever attack techniques were contained in that data, and IDS vendors took good advantage of the intelligence provided therein. Mostly, Reuben was just impressed with the notion of such talent set up in a gladiatorial setting, digitally speaking.
He noticed that an IDS vendor was actually participating in CTF this year, in an odd sort of way. Network Security Wizards was here, with their Dragon IDS. The CTF had to be a nightmare to monitor like that, with every imaginable attack underway. An IDS, or Intrusion Detection System, was a security system for a network, kind of like a burglar alarm. It listened in on network traffic, quietly observing like a chaperone at a high school dance, watching for any sign of bad activity. The problem was defining “bad activity,” since good activity could look like almost anything. While hackers typically used traffic that defied normal definitions of what should be seen on a network, misconfigured systems, poorly written software, or even heavy network traffic could do the same. On top of that, there were emerging methodologies that hackers used to evade detection, and IDS vendors were still struggling to address these methods; it was common knowledge that there had not yet been an IDS that could not be evaded by some method or another.
Reuben walked up to the console of the Dragon IDS and looked at its management console. He’d never seen this one before, but he was still learning about IDS, so that wasn’t anything particularly surprising. Apparently it was running a pretty heavy set of rules, plus some extra custom ones that Reuben didn’t even recognize. The number of alerts on the network was truly insane; the sensor console sitting next to the management station listed each one as they occurred, and with intermittent pauses, the screen rolled at a speed that no human eye could follow as attack after attack unfolded within milliseconds of each other.
“Pretty neat, huh?” The vendor’s representative was clearly as proud of the IDS as Reuben was impressed. “It’s recording every attack, and we’ve put some nice custom rules into it, so that if it detects a root compromise of one team by another, it’ll RST-snipe the connection and hijack it, and we’ll take the root instead. Let me show you how the management interface works…”
Reuben watched as the man demonstrated how to view a single alert on the interface (which was web-based) and “drill down” into it to see