HackFest Series Goes to PRESENTATION ONLY - (Quarterly FEST Labs Only)

Lisa Kachold lisakachold at obnosis.com
Mon Sep 7 15:52:24 MST 2009


Evidently there has been some confusion about the status of the
security at the FBC Hackfests and PLUG status of continued Festing or
for my participation?

I am cognizant of the responsible process required for any LUG regular
function, as was discussed with Hans and Alan D. when I promoted these
monthly venues under the PLUG name.

I recently wrote a statement related to limiting regular lab
activities to "presentation only" (below) whereupon we walk through,
via overhead presentation materials, various functions and features of
Backtrack4 (and other linux security distributions), where members can
bring their own equipment and follow along.  We are wasting a good
deal of time, while leaving open systems to risk with our lab festing.

Our changed model will include a quarterly HackFest LAB, with full
forensics and IDS safeguarding, however, ANY PLUG member attending any
pentest security test tool lab event plugging into a shared (wired or
wireless) network needs to understand fully the risks, therefore
registration will be required.  We hope to have an updated website to
provide that under Drupal 6 at some point, otherwise, we will use
other social networking portal tools; watch for the announcements.

Shared networks are set up CAREFULLY for a very good reason, with
adequate trust, authentication, and full identification/verification
of who exactly we are allowing to what.

During hackfests, we boot into LiveCD's, use shared "private network"
(while someone inevitably plugs into the wired network) which brings
all machines accessing any resources on that shared network into
danger from mis-applied TRUST.

Generally extensive forensics occur also - I set up IDS, file and
network log veracity for all events.  Charles with the Foundation for
Blind Children has ensured (from his years of experience) that the
networks are completely isolated (which is a big monthly job requiring
a good deal of resources); we have not had PLUG members step up
willing to assist forensics projects, systems setup, presentations or
promotion.

We cannot protect the Foundation's hard drives (where Linux tool
LiveCD's are booted), the PLUG members machines, or local wireless
router from "tools" on Backtrack4 and are finding that the benefits
for the number of people who show up, do not outweigh the work put in
by Eldric and his crew, or the risk.

Reading the logs, I find a great many processes that cannot be easily
tied to the signup sheet and clearly constitute FLAGS (however
unannounced).

(In our postulated quarterly LAB HackFest events, we will assign by
MAC address, to tie to registration information/IP for IDS/log
Xreference).

Advanced exploit forensics appear in logs that do not follow the
presentation materials or the subject of the tag team event.  Evidence
of new changes (each system undergoes a preliminary forensic file tiger
signature before going over to FBC) and even persistent attempts to
retain access when the machine is restored to my local network have
been verified from more than one event.  None of these are FLAGS that
have been announced by the members, which is the verbiage that is
agreed to via the signup sheet, and verbally announced to all during
every event.

If I cannot protect my machines (which are always seriously targeted)
or my lab demo boxes (brute forced SSH - access and attempts to log
scrub - caught with keylogger), and FLAGS are never announced, I
cannot allow booting BackTrack4 to machines with drives owned by FBC.

To ignore the logs without stating I am aware of this risk is not
acceptable, and would be irresponsibly criminal.  To fail to inform
all related to these risks, as well as state the full situation, while
also training about acceptable RISK and shared network TRUST, to the
PLUG members, would also have been less than responsible.

It is worth noting that someone who was at our last event questioned
(suddenly) if his equipment could have been at risk; evidently even
some of the most astute PLUG members are not aware, even by signing
the Disclaimer, that their systems are at risk at any time in a
pentest/hackfest environment or public venue (even a coffee shop).

Further the PLUG event experience has been less than rewarding for
those attending as we get setup, and watch things behind the scenes,
where a presentation session, which can be regularly relied upon,
about a certain section or aspect of linux security tools, would be
exceptionally rewarding.  Watching another do, people can record DVD
or download presentation materials.  We can set up Backtrack4 screen
logging/recording and have accomplished something worthwhile during
the events, rather than all muck around alone, leave frustrated, etc.

We therefore will go to a limited format atmosphere, without full
networking, devoted currently to BackTrack4.  Members can carry on via
their own equipment, watching the screen, as I (and guest presenters)
go through materials on LiveCD pentesting tools in typical PLUG
full-duplex communications mode (making suggestions or building on the
subject, as we play).

I, having started the regular HackFests, with Hans and Alan's
blessing, shall continue in the administrative support role,
requesting LiveCD security pentest presentations (Backtrack4) from the
PLUG community or pulling up something regularly myself.

The PLUG will continue to provide presentation materials on a local
linux zine (no longer on LinuxGazette [who was not able to continue to
regularly publish our materials with adequate lead time, and announced
widely our events (Backtrack4 is controversial)]) like LXER.COM or
LinuxJournal (whose editors are active in our PLUG) or another regular
venue for the next month. Stay tuned for more related to advance
presentation materials!

We apologize to anyone if there has been some misunderstanding and
hope to see you all at the next event next week at
http://plug.phoenix.az.us/node/660 in our new time zone:

TEN to 1PM on Saturday the 12th of September!  At the Foundation for
Blind Children's Administrative Offices.

On 8/31/09, Lisa Kachold <lisakachold at obnosis.com> wrote:
> I finally got moved in after all the new townhouse repairs and have
> sorted out and evaluated all the technical details from the past two
> hackfests at the Foundation for Blind Children.
>
> I have found:
>
> 1) Multiple successful exploits against my own equipment (4 prior
> Hackfests starting from the first at UAT - 3 systems totally pwned).
> 2) Escalated access retention in the way of processes set in place to
> retain access via port 443 out to various local cox DHCP addresses on
> two of my linux machines from the last Hackfest and from low level
> exploits in a Vista system.
> 3) Access to harddrive on systems booted into USB or DVD Backtrack3/4
> from various local and network users (2 builds accessed on my own
> equipment historically).
>
> There is no way to protect a local shared network outside of TRUST.
> Unless we can assign an IP address to each person who provides their
> address, name, phone number and signs a legally binding agreement, we
> cannot continue.
>
> If I cannot TRUST to keep my systems safe, we cannot continue to
> endanger the networks of the Foundation for Blind Children by allowing
> networking access with pentest tools.
>
> HackFests will continue in presentation only format.  No networks, no
> access to school machines with LiveCD's or USB keys will be allowed.
>
> If users would like to bring their systems and follow along that is
> fine, but no Wireless access will be available (a WEP2 key is
> available via decrypt in BT4 in 11 minutes).
>
> We will continue to provide media to people wanting to burn a DVD for
> any linux security tool.
>
> --
> http://linuxgazette.net/165/kachold.html
> (623)239-3392
> (503)754-4452 www.obnosis.com
>


-- 
(623)239-3392
(503)754-4452 www.obnosis.com
http://www.obnosis.com/motivatebytruth/gnu-people.jpg
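The message above proposes tying each lab participant's MAC address to their registration and DHCP-assigned IP so that IDS and log entries can be cross-referenced back to a signed-up person, and notes that the current logs contain activity that cannot be tied to the signup sheet. As an added illustration of that reconciliation step (editor's example, not Lisa's or PLUG's own setup), the Python below takes a constructed registration sheet keyed by MAC, constructed dnsmasq-style DHCPACK lines and constructed Snort "fast"-format alert lines, maps each alert's source IP to a lease and a registrant, and lists the MACs that obtained a lease without appearing on the sheet. All addresses, hostnames, rule IDs and alert messages are hypothetical sample values.

```python
import re

# Constructed signup sheet: MAC address -> registrant (hypothetical values).
REGISTRATION = {
    "00:11:22:33:44:55": "alice",
    "66:77:88:99:aa:bb": "bob",
}

# Constructed dnsmasq-style DHCP lease log; the third lease has no matching registration.
DHCP_LOG = """\
Sep 12 10:03:11 labgw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.50.10 00:11:22:33:44:55 alice-laptop
Sep 12 10:04:02 labgw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.50.11 66:77:88:99:aa:bb bob-netbook
Sep 12 10:07:45 labgw dnsmasq-dhcp[812]: DHCPACK(eth1) 192.168.50.23 de:ad:be:ef:00:01
"""

# Constructed Snort "fast" alert lines (rule IDs and messages are made up for the example).
IDS_LOG = """\
09/12-10:15:03.112233 [**] [1:1000001:1] LAB Nmap SYN scan [**] [Priority: 2] {TCP} 192.168.50.11:44123 -> 192.168.50.1:22
09/12-10:21:40.556677 [**] [1:1000002:1] LAB SSH brute force [**] [Priority: 1] {TCP} 192.168.50.23:51000 -> 192.168.50.5:22
"""

# DHCPACK(<iface>) <ip> <mac> [<hostname>]
DHCP_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)
# [**] [<sid>] <msg> [**] ... {<proto>} <src>:<port> -> <dst>:<port>
IDS_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<dst>\d+\.\d+\.\d+\.\d+):\d+"
)


def ip_to_mac(dhcp_log):
    """Build an IP -> MAC map from DHCPACK lines; a later lease for the same IP overwrites an earlier one."""
    mapping = {}
    for line in dhcp_log.splitlines():
        m = DHCP_RE.search(line)
        if m:
            mapping[m.group("ip")] = m.group("mac").lower()
    return mapping


def attribute_alerts(ids_log, dhcp_log, registration):
    """Annotate each IDS alert with the source MAC and the registrant it maps to.

    'who' is the registrant name, 'UNREGISTERED' when the MAC took a lease but is
    not on the sheet, or 'NO-LEASE' when the source IP never appeared in the DHCP log.
    """
    leases = ip_to_mac(dhcp_log)
    results = []
    for line in ids_log.splitlines():
        m = IDS_RE.search(line)
        if not m:
            continue  # skip lines that are not alerts
        mac = leases.get(m.group("src"))
        who = registration.get(mac, "UNREGISTERED") if mac else "NO-LEASE"
        results.append({
            "sid": m.group("sid"),
            "msg": m.group("msg"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "mac": mac,
            "who": who,
        })
    return results


def unregistered_leases(dhcp_log, registration):
    """MACs that obtained a lease during the event but do not appear on the signup sheet."""
    leases = ip_to_mac(dhcp_log)
    return sorted({mac for mac in leases.values() if mac not in registration})


if __name__ == "__main__":
    for alert in attribute_alerts(IDS_LOG, DHCP_LOG, REGISTRATION):
        print(f"{alert['sid']:<12} {alert['src']:<15} {alert['who']:<13} {alert['msg']}")
    print("unregistered leases:", unregistered_leases(DHCP_LOG, REGISTRATION))
```

On the sample data the scan alert resolves to "bob" and the brute-force alert resolves to an unregistered MAC, which is exactly the kind of entry the message describes as a flag that was never announced. Two caveats for anyone adopting this: a MAC address is self-reported by the client, so the mapping only holds if the lab switch or access point enforces it (port security or static DHCP reservations) rather than trusting whatever the NIC presents, and lease and IDS timestamps should be compared so that an IP reassigned mid-event is not attributed to its earlier holder.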


More information about the PLUG-discuss mailing list