Secure Digital Life #76
Recorded on August 21, 2018 at G-Unit Studios in Rhode Island!
Interview: Mark Mulvany, Sr. Information Security
Mark started out tinkering with computers as a kid and accumulated enough expertise to secure a desktop support role out of high school. Continuing his education, Mark eventually moved to a security role where he has been expanding his expertise for over 10 years.
Mark currently holds a CISSP and partners with other groups and individuals to help build and grow InfoSec programs and defenses for systems, networks, SDLC, and anywhere else that’s needed.
Outside of work, he is a husband and father of two, is active in his church community, and helps run a rifle program at his local gun club.
General talk about DEFCON.
So, let's look first at the DEFCON 26 badge itself. I mean, this thing is cool.
Equipment you might have needed to work on this badge:
- Definitely a connector for the USB/Serial port. -- This is a 9600 baud serial connector that is a USB micro B type.
- You need a serial terminal tool. Putty is free. (putty.org)
- Magnifying glass (so you can read the processors)
- Other tools like maybe a multimeter or an arduino with some connectors.
- That would let you examine the inner workings of this badge. It involves a ASC based game that gives you info about the overall workings of this badge.
- The badge also has a side connector with multiple pins. This, it was quickly determined, allowed you to connect to other types of badges (there were quite a few) besides HUMAN and VENDOR. Goons could be good or bad goons and bad ones put more red guys on your board. There were also Contest, artist, press, speaker, and CFP badges.
- I think that is really all the equipment you would need to "hack" the DEFCON badge. Of course, you could likely use some other tools to check out the connectors and such if you really wanted to dig into this badge.
- I mean, basically, there are several things to do here. 1) Identify the connectors and possible connections. That seems to have been the most important component of this badge. If you didn't connect to all the badges, not sure if you can complete this later.
- There were also hex clues in some of the badge storylines (but not in mine) on the text game. So, for all badges you need to know crypto techniques.
- The goal seemed to be to light all the DEFCON letters by modding the badge, linking the badge to all the other badges, and maybe even some weirder things like magnets and bridge connections.
I used screen on ubuntu to connect. I didn't dive too deep into it, though I did copy all of the text from screen and how to maneuver around. I focused more on the darknet, though I there are a number of resource if you were curious after the fact:
read bugs existed and updated firmware needed
curiosity and collaboration were key. having knowledge in hardware, programming, etc was helpful. Was designed to get all involved, needed those "non-techie"
MM: Darknet is a fun challenge meant to help educate and teach. As well as be a challenge. from their website:
"At DefCon, the DarkNet Project team has come together to inspire the hacker and maker communities. Our primary goals are to promote community efforts in learning new technology and promoting good information security practices. We hold an event every year that challenges our agents to gather knowledge from all across the conference, from villages to other events to communities like DeafCon, and use it to compete for the top honor our community members can achieve. Just as in Sobol's and Suarez's vision, the highest form of competition does not merely consist in excellent individual achievement, but the degree to which an agent can help and raise up her fellow agents."
So let's look at the Darknet badge. This one came in pieces and there are a LOT of pieces. For this one, you would need to add a soldering iron and solder for sure. So, for me, that means:
- Soldering Station
- De soldering?
- Magnifying glasses (for us older types)
- Small toolkit of some sort with small tools
- Maybe my tweezers (one of my favorite words)
- Wire cutters
- Safety glasses
Go to https://dcdark.net/badge7/index.html for lots of great help on how to solder, assemble this badge, etc. from this great bunch of people who do this for free.
MM: I went down to the HHV to put mine together. did bring soldering iron, flush cutters, but hotel was a bit too far to go back and do it in room. so could do it with the basics. second desoldreing tools. I had an led that the cathode lead didn't match the flat side, so guessed, but guessed wrong. also, contacts were very close. Did have to remove some solder to prevent cross connection
- I would really encourage you to practice soldering. There are tons of sites out there and videos that can show you how to do this. You have to practice or you will really really suck at soldering and if you suck at soldering, the results will also suck.
- MM: I signed up for hackerboxes after defcon last year.
- You can get electronic project kits to assemble from all sorts of sites as well.
- These are cheap and you can also practice desoldering them.
- MM: many different types of challenges/quests for this badge, reverse engineering, visting other villages, general knowledge, historical, hashes, crypto, physical, exploitation, network taps/sniffing, other puzzles
So, in the end:
Form a team. MM: At least collaborate, make new friends, work together.
- Crypto puzzle person
- Solderer (2)
- Programmer (Python, C, would be good)
I mean, a team could be any sort of group and it could just be you. But...look, any puzzle I have ever solved, well, having a second person there to pitch ideas from a different perspective is just going to be better. I think it's best if all of you have all those skills but decide who is best at each one and put them on that lead. Practice solving kits and things or look up old badge problems.
- Read all the instructions, if any, before you start.
- Test each step and document what you did
- Check the internet often for tips and updates
- Don't hurt yourself or others
- Have fun
MM: try existing CTF's, challenges, etc that are already out there. mindmaps, holiday hack challenge, etc. https://www.amanhardikar.com/mindmaps.html https://holidayhackchallenge.com/past-challenges/ Google-Fu