by Ed Skoudis
This morning, I had the honor of presenting at DerbyCon. My talk focused on the ability to cause physical impact through hacking computers and networks. I call it "Kinetic Pwnage". The slides are available below, and the talk touches on several themes of the recent work my team and I have focused on, including CyberCity, a miniature city with a real power grid and other computer controlled components used to build capabilities of cyber warriors.
By the way, right after the talk, lotsa people asked me how they could do CyberCity missions. If you are interested in participating in CyberCity missions hands-on, we'll be running our first ever CyberCity missions at a public conference event during the SANS Pen Test Hackfest Summit & Training event, in Washington DC on November 7-14. If you take a full six-day class there, you can join us for one whole evening of CyberCity missions hands-on, plus four evenings devoted to NetWars. Oh,
By Ed Skoudis
Over the past month or so, I've been pondering a phenomenon and some of its implications, running the idea by some of my friends to spur some interesting conversations. I've spoken with penetration testers, security researchers, military planners, forensics experts, defensive operators, incident response specialists, red teamers, blue teamers, and a variety of security curmudgeons about it. The idea is this: at sufficiently advanced technical levels, offense and defense sometimes merge and become one. Offensive techniques can be used to achieve defensive ends; defensive means can be used to achieve offensive ends; and, sometimes, the inherent technical skills of offense and defense are actually identical. I don't claim that this is a particularly new idea, but I do think that it can be fun to contemplate and is perhaps useful. Let me tell you how I came to this observation, and then expand on some examples and implications.
While I was at the RSA
[Editor's Note: Some things I work on are the result of ten, thirty, or one-hundred minutes of effort. Others are the result of six months or a year of work (such as my office tour). This blog is the result of over a year's work by not only me, but also John Strand, Josh Wright, Kevin Johnson, Steve Sims, and many others).
In each of the seven SANS Penetration Testing Curriculum courses, Day 6 is a Capture the Flag (CtF) event, allowing students to pull together their experiences from the previous five days into a full-day exercise that models real-world penetration test activities. For about a year now, we've been rolling out course-specific CtF challenge coins as a prize for the noteworthy accomplishment of coming in the Top five winners in each class. But, only a few people know the backstory of the SANS Pen Test Curriculum coins... until now. You see, there is a cipher embedded in each coin, and here's the story of how that came to be.
Hello Holiday Hackers! Tim Medin, Ed Skoudis, and Tom Hessman here with the official announcement of winners and answers for "The Year Without a Santa... Hack," our annual holiday hacking challenge. If you are unfamiliar with the challenge, you can read it here. We'll keep the challenge and target systems running for a long time, so you can continue to work through it using the answers below if you didn't finish, or, if you did finish, you can dazzle your friends with your awesome skills!
Those of you who completed the challenge hacked your way through the Miser brothers' weather control systems. To warm the North Pole, you hacked Snow Miser's SnowTalk system, cut the chillers, and turned on the heaters in the northern parts of the world. To chill out the South, you hacked Heat Miser's Wonderwarm system, turned off the heaters, and turned on the chillers in the tropical portions of the world, all with the
[Editor's Note:One of my favorite Rankin and Bass Christmas specials is The Year without a Santa Claus. I simply love the songs of the weird and unforgettable Miser Brothers, and have frequently found myself humming their tunes during the holiday season. I've always wanted to write a hacking challenge themed around them, and with my recent work on SANS NetWars CyberCity, my interest in the security of Industrial Control Systems, and the ability to collaborate with Tim Medin on a challenge, this seemed like the right time to roll it out.
We'll award prizes to the best technical answer, most creative answer that is technically correct, and one to the winner of a random draw. So, regardless of how deep you get into the challenge, please do submit your answers to email@example.com on or before January 6, 2013 to win! Even if you can't get through all of the zones, please send in your partial answers. You may very well win! So, without further adieu, we