<<< EISNER::DRA1:[NOTES$LIBRARY]VMS.NOTE;1 >>>
-< VMS and bundled utilities >-
================================================================================
Note 3216.0        VMS remains secure at DEFCON hacker fest            4 replies
EISNER::SIVIA "Pete Sivia"                          399 lines  21-JUL-2001 02:26
--------------------------------------------------------------------------------
Posted on comp.os.vms

Way to go guys & VMS!

> From: Wisniewski, John
> Sent: Wednesday, July 18, 2001 11:08 AM
> Subject: What I did on my summer vacation....VMS declared Cool and Unhackable at DEFCON9 hackers convention in Las Vegas
>
> SATURDAY July 14th, 2001, 2:34am Defcon9 Convention Las Vegas Nevada
>
> Location Cyberspace:
> Capture the Flag Network --
> GreenTeam address space 10.255.30.100-125 Hacking Stations 250-255 Server Range
>
> OUR SIDE:
> Codename: Green team - Computer Servers/BOFH and Hack team
>
> Personnel:
>
> 16 Operatives of Green Squad were anonymous but all appeared to be professionals from the outside Computer Industry.
>
> Resources:
> AlphaStation 255/233Mhz, 512 Mbytes Memory, OpenVMS v7.2 1h1, PointSecure System Detective Software, Cooler of Mountain Dew and Gatorade, MREs, Dual Band Ham radios (for command and control), Laptops (various standard issue), with various tcpip scanning-attack tools, 4 rations of Orange Jolt (for caffeine), case of Honey/Oat Granola Bars. Other classified servers and software.
>
> THEIR SIDE:
> Code name: Ghetto Hackers, Purple Team (red and blue had already merged less than 10 hours into the attack) Black and Yellow teams...
>
> Personnel:
> 15-25 member teams plus another 200+ crazed independent snipers whose alliances shifted between various other Hacking Squads.
>
> Resources:
> Laptops of various standard issue, Linux, FreeBSD, Windows, and a plethora of scanning and attack tools for TCP/IP warfare. Stimulants and alcohol and a life spent socially engineering their way into various systems.
>
> 2:34am Saturday Morning
> 10.255.30.252 -- OpenVMS Alpha Server Green Team.
>
> I had been up since 6:30am Friday Morning working on our server, monitoring attacks and watching the various attacks performed over the last 14 hours in the CTF (Capture the flag network) since the battle began at 10:00am yesterday.
>
> Me? Just a VMS grunt and Bastard Operator from Hell (BOFH is sort of a title for Server Operators on the Floor here at Defcon). Me and my group put together a small OpenVMS server to use as an Internet Bunker during the CTF game trying to get points and glory for the coolest and most unhackable server on the floor.
>
> No, there's no real hierarchy within the teams, but we will all cover each other's back, stand watch to see no physical access to the equipment is performed etc. Each server has its own members who tend to their care and feeding. Most of us are here for the first time competing.. None of last year's elite and winners wanted to take on any of our servers so here we sit..
>
> Somehow all the professional server folks in real life gravitated to the Green Team and joined forces. This is proving to be a good thing too because the hackers are playing pretty rough...
>
> Servers and the entire team had to compete for points on several levels during the play.
>
> First was offering various standard services for the "Floor" to examine and exploit by the other Hacker teams.
>
> We offered an Apache web server with a cool top page for everyone to enjoy. Then we created an automated captive telnet session that would collect user data (well whatever lies pass for user info;-) and automatically create nonprived user accounts with DCL and script access as well as personal webpage serving (via Apache) for the hackers to enjoy and play with.
>
> The other team's ideas for services on their boxes were to just turn on the port daemon and let the others find it...
> We had actual webpages/content, interactive accounts and a free/open account with no password for DEFCON Games. We resurrected and vested from VAX binaries some of the best Text based VMS games from the mid-80s for the hackers to play with if they got tired of running script kiddie stuff against us;-)
>
> Some of the old-timers were downright wistful seeing the 1980 VAXtrek, Doomsday 2000, Moria 4.81, Battlestar, Dungeon, Hack, Rogue, and ZK after all these years. Thanks to the games many of the hackers thought we were running on a VAX! BOFH will take subterfuge from wherever they can get it on the floor of CTF:-)
>
> Anyways, Server Points were allocated for real-services, time up and available, and being unhackable...
>
> Unhackable..
>
> It's not without some shame I have to admit that I allowed my group's VMS server to get hacked and the hackers to score the only points against our server...
>
> Oh, it's not like they really hacked their way in .. well let me tell you how it happened...and you can decide...
>
> I had been up since 6:30am Friday Morning working on our server, monitoring logs and watching the various attacks performed over the last 14 hours in the CTF (Capture the flag network) since the battle began at 10:00am yesterday.
>
> A few of the other green team BOFH said they would be staying up all night so I was about to bid good night and go up to the room for a few hours of sleep before the morning shift. My team mates would watch the hardware and keep the late night hacks from physical access...
>
> So I was about to pack it in and then up comes a fresh young man looking more like a high school kid than a gothic, caffeine frenzied, hacker...He began to ask some questions about OpenVMS and we began to talk..
>
> Soon it began to feel more like a DECUS encounter in one of the Compaq National Events, comparing information and swapping stories then came the innocent request.
> We created a user account and I began to show the young man how to create files and change directory even creating a foreign symbol for "cd:==set def" to make him feel more at home with the services on OpenVMS. Friendly and inquisitive and I was lulled into Usergroup mode talking with a peer about VMS stuff...
>
> "Let me show you my telnet scanner" the youth beamed as he plugged into the server hub (my mistake number one)
>
> "Go ahead and log in, I'll show you how I can capture the whole session" said the youth.
>
> I logged in across Telnet (my mistake number two) and logged in to one of the privileged accounts as the young man scammed my password, even showing me the ease of the capture.
>
> "Interesting I noted" (not the least bit tired by my previous 14 hours) but you could only compromise an account if you were on the right side of the bridge/router with the telnet session."
>
> "Yeah admitted the young hacker... " It would be a pretty lame hack which required physical access."
>
> "A pretty lame hack indeed..." I smiled as we continued to talk.
>
> I sat down and began to go through my checklist for locking down the server for the night after that and the young hacker returned to his PC. (I also had made a mental note to change all the priv'd passwords after our educational exchange.)
>
> Before I had time to do anything, the young hacker closed his notebook, unplugged and placed a note in front of me...
>
> "Check this out..." claimed the youth as his note pointed me to one of many rooted directories on the user disk...
>
> I changed my directory and found he had indeed placed two files one with his name and a taunting brag. I immediately understood the hacker had taken advantage of a tired BOFH, just for his own points... We had switched from friendly exchange to sniping hack attack as soon as the hacker thought he had enough to accomplish his goal.
>
> "Very Nice" I congratulated as I unplugged the network hub from the rest of the CTF network
>
> Then I spoke a bit more formally to the youth "Now if you'll excuse me.."
>
> Feeling a bit disillusioned by the event and I felt a bit more tired while I set to work to recover from the back stabbing... The sadder thing is that I realized this young hacker would do anything, say anything, become anything to accomplish his current goal.
>
> The young man attempted to engage me further and tried shoulder surfing my laptop but I waited until he was across the rooms before locking down all the privileged accounts with new passwords, through a telnet session that was not connected to the rest of the network...
>
> SATURDAY 1:30PM
>
> The Goons (Judges) came up to me in an attempt to ascertain if the young hacker had indeed "Rooted" our VMS server as he had been claiming....
>
> Rooting a server meant placing your file in the "Root" directory of the Operating system you were attacking. It was worth 100 points if it had been done.
>
> I logged in (by this time we were always going through the console port for privileged accounts instead of the network even after green team put up a filtering bridge) and showed the goon (CTF Judge) the rooted directory on the user disk the eager young hacker had placed his victory signature.
>
> I also showed the goon that the system disk and all its directories were on the other drive which is where we considered the VMS system "ROOT" to be sys$sysroot:[000000].
>
> The hack signature was nowhere to be found on the system drive and I explained the social engineering lesson both I and the hacker had both learned earlier that morning. The lameness of the backstabbing hack was not lost on the goon...
>
> Despite his claim of rooting the "VAX" the young hacker was given only 10 points (instead of the full 100) for his social engineering efforts and admonished by the goons in the scoreboard file to "Learn Something About VMS" before claiming to have hacked into this server again.
>
> The green team was ahead 680 points to 390 (the closest team against us) with other teams as low as 90 points by this time.
>
> The scoreboard spoke to the lameness of the attempt on our server but I still felt violated by the encounter as I haven't been violated by a user in a very long time.
>
> Until I remembered exactly where I was and why I was there.
>
> 1:30pm Sunday Afternoon
> 10.255.30.252 -- OpenVMS Alpha Server Green Team.
>
> Saturday, I had returned to the trenches of the CTF as a true BOFH reborn hard.
>
> Questions were answered with "I don't know" or "RTFM" (Read The Fortran Manual) and simple requests for assistance were ignored or rebuffed.
>
> Attempts to sit at the Green Team's table were met with suspicion and hostility in ever increasing doses.
>
> Sunday Morning the Green Team had moved its tables in a U shape with all of our team looking outward across the no-mans land to the merging hacker teams, massing against our few remaining servers for continued attacks.
>
> None of our few servers were compromised despite the continual network attacks and onslaught.
>
> During it all we recorded it all, watched the attacks in realtime and tried to make sense or note the occurrences that might take some more research to understand.
>
> Then the Goons posted the next to final scores on the scoreboard. The 5th rule change left the Ghetto Hackers and the purple team in the lead but there was one more entry in the scoreboard. The Goons had deemed the "VAX" Unhackable 30 minutes before the CTF was over.
>
> After that posting all traffic and attacks against our VMS server were gone.
> I thought something had broken on the network but all the hackers had moved on to other, perhaps more fruitful targets during the last minutes of the game..
>
> After a brief check of the networks and seeing Green Team's Unix groups still being attacked the reality set in..
>
> For the last half hour of the mighty contest we floated in the eye of a DEFCON hurricane, calm and invulnerable to any attack the DEFCON toolsmiths had been able to muster against our Internet bunker and enjoyed the calm as we floated across the finish line.
>
> EPILOG SUNDAY 2:00pm
>
> The CTF ended and the hackers and BOFH both returned from cyberspace to the filthy hotel ballroom filled with cigarette smoke, jolt bottles, strewn ethernet cables, servers and hubs and the sea of laptops that had been their window on the battles that had been waged over the last three days.
>
> The Goons announced the Ghetto Hackers had acquired the most points Purple 2nd and Green Team was 3rd. We were all invited to the awards ceremony at 3pm in the UberHackor ballroom.
>
> At an event like this I'm just a grunt, and together with the other two BOFH that were part of my group we worked and struggled, helped planned designed and built our system right. It was a team effort from the start to the very end.
>
> We took our turns watching, and monitoring, recording, and studying. Our whitepaper for CETS/Encompass in September should have some very interesting results after we've analyzed the log files. (Which was why we did this in the first place;-)
>
> We were lucky to join together with some other professional Admins that made up the rest of Green Team and together we presented a vision of system administration to the hackers they rarely see: admins who are ready for them.
>
> You lose some battles but across the long-term, the hacker community can be defended against our exercise in computer security showed that and if they hadn't changed the rules 5 times in three days to favor the hackers...
>
> There's quite a bit of camaraderie in foxholes that develop and at the end of three days. The Green team had developed respect for one another and a deep understanding that while good tools or great tools help, it's still people who keep systems running and secure.
>
> The awards for first place was $500 plus some trinkets to the merged team of the original Ghetto hackers and the Digital Revolution, $100 plus some trinkets to the merged Purple team (original red and blue teams) and $100 plus some trinkets to the Original Green team who had toughed it out with our servers over the last three days without any help from merging (or the rules).
>
> But none of us on the Green team were really playing for prizes or position...
>
> During the ceremonies and acceptance speech the Ghetto Hackers acknowledged the Green Team's server prowess and pronounced us as Cool.
>
> The Head Goon singled out the VMS Server with its webpage contents and continual service under wave after wave of Hacker attack as Cool and Unhackable.
>
> The entire DEFCON Audience heard the pronouncements about OpenVMS... Perhaps some might even take it to heart if they are sysadmins in real-life.
>
> We donated the money Green Team won to the FreeBSD organization, divided up the trinkets to the team, but our group had what we'd wanted.
>
> Last year we had a dream that we could take an OpenVMS server, run standard software and services in the most hostile hacker environment in the world and survive.
>
> On July 15th, 2001 at 3:30pm we not only survived...We were declared both Cool and Unhackable by the DEFCON elite and goons... Our OpenVMS server could take no higher honor away from this contest in Las Vegas.
>
> Mission Accomplished...
>
> * "Patrick Jankowiak" wrote in message news:<3B585A62.A772C066@usa.alcatel.com>...
> Hi.
>
> A couple friends and I, on our own and for the drunken fun of it, took a VMS box configured with apache webserver and telnet and ftp and set up to automagically generate user accounts and default web pages for anyone who telnetted and answered the questionnaire, to defcon9, the yearly hackers' convention in las vegas.
>
> It was subjected for 3 days to the attendees, over 5000 hackers. People you should be afraid of. It stayed on the intranetwork with the hackers for the whole time and was not hacked, and it was not for lack of attempts by some very expert and accomplished people, although one Luser did manage to (ahem) accidentally trip over the power cord. details later.
>
> #3||0!, is VMS Marketing listening?