# Evil security ideas

## ezvw

Good Afternoon.

I am building a Gentoo VM as part of a Cyber Computer Competition focusing on Defence. As part of this, we build VMs and give students copies of these machines. They then secure these computers for a period of time (weeks). Once this period is complete, we bring industry professionals in to attack the machines.

I thought I would reach out to this community to see if anyone had any clever, Gentoo-specific exploits to use to pre-compromise these VMs. The option I am working on right now is a patch file I can leave on the host machine for sshd that logs the username and password. Have a great day!

----------

## NeddySeagoon

ezvw,

a) If we did, would we share them here?

b) This sounds like a homework assignment.

c) If your students don't reinstall from scratch, they have missed the first lesson in security.

----------

## ezvw

NeddySeagoon, 

a) Either here or PM is fine.

b) I am a student but this is my job, not an assignment.

c) Agreed, I nearly won one a year back by simply doing that. But it is an uncommon response. The idea is that these are functional production machines, so it would require a reinstall and replicating a configuration.

----------

## NeddySeagoon

ezvw,

Reinstalling is the only way you know what's installed. If you don't take that step, you might miss something trivial, for example, your ssh key in /root/.ssh/authorized_keys.

Several hosting providers do that as a matter of course, so it's a well-known root back door.

The initial premise when handed a system to 'secure' is that it's already compromised, so start off with a hardened install and tailor it to the threat model.
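The authorized_keys back door mentioned above is cheap to check for, provided the check is driven by an allowlist of key fingerprints you know rather than by reading the file by eye. The following is an added example (not code from the thread or from any Gentoo project): it parses authorized_keys lines, including the optional options prefix such as `command="..."` or `from="..."`, computes the `SHA256:` fingerprint that `ssh-keygen -lf` prints, and reports every key that is not on the allowlist, as well as lines it cannot parse. The two keys in the sample file are constructed for the demo and are not real keys; the file locations in `audit_files` are the usual defaults and are assumptions about the host.

```python
"""Audit authorized_keys files against an allowlist of SHA256 fingerprints."""
import base64
import hashlib
import re
import struct
from pathlib import Path

# Key types OpenSSH accepts. Anything on the line before the type is the
# options prefix (command=, from=, no-pty, ...); anything after the blob is
# the comment.
KEY_TYPE_RE = re.compile(
    r"(?:^|\s)((?:sk-)?(?:ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521))"
    r"(?:@openssh\.com)?)\s+([A-Za-z0-9+/=]+)"
)


def fingerprint(blob_b64: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (unpadded base64)."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list:
    """Parse an authorized_keys file into one dict per non-comment line."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = KEY_TYPE_RE.search(stripped)
        if m is None:
            # Not a key we understand: report it rather than silently skip it.
            entries.append({"line": lineno, "type": None, "fingerprint": None,
                            "options": "", "comment": "", "raw": stripped})
            continue
        entries.append({
            "line": lineno,
            "type": m.group(1),
            "fingerprint": fingerprint(m.group(2)),
            "options": stripped[:m.start()].strip(),
            "comment": stripped[m.end():].strip(),
            "raw": stripped,
        })
    return entries


def audit(text: str, allowed: set) -> list:
    """Return entries whose fingerprint is not on the allowlist (unparseable lines included)."""
    return [e for e in parse_authorized_keys(text) if e["fingerprint"] not in allowed]


def audit_files(allowed: set, paths=None) -> dict:
    """Audit the usual authorized_keys locations; returns {path: [offending entries]}."""
    if paths is None:  # assumed default locations; check sshd_config's AuthorizedKeysFile too
        paths = [Path("/root/.ssh/authorized_keys")]
        paths += list(Path("/home").glob("*/.ssh/authorized_keys"))
        paths += list(Path("/etc/ssh").glob("authorized_keys*"))
    findings = {}
    for p in paths:
        try:
            bad = audit(Path(p).read_text(), allowed)
        except (FileNotFoundError, PermissionError):
            continue
        if bad:
            findings[str(p)] = bad
    return findings


# --- constructed sample data for the demo (not real keys) --------------------
def _ed25519_blob(pubkey: bytes) -> str:
    """Build an ssh-ed25519 public key blob in SSH wire format (string, string)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return base64.b64encode(s(b"ssh-ed25519") + s(pubkey)).decode()


KNOWN_BLOB = _ed25519_blob(bytes(range(32)))        # the admin's own key
PLANTED_BLOB = _ed25519_blob(bytes(range(32, 64)))  # the "hosting provider" key
SAMPLE = f"""# constructed sample /root/.ssh/authorized_keys
ssh-ed25519 {KNOWN_BLOB} admin@workstation
command="/bin/true",no-pty ssh-ed25519 {PLANTED_BLOB} maintenance
this line is not a key at all
"""
ALLOWED = {fingerprint(KNOWN_BLOB)}

if __name__ == "__main__":
    for e in audit(SAMPLE, ALLOWED):
        print(f"line {e['line']}: NOT ALLOWED type={e['type']} fp={e['fingerprint']} "
              f"options={e['options']!r}")
    for path, bad in audit_files(ALLOWED).items():
        print(path, "->", len(bad), "unexpected key(s)")
```

Two caveats a practitioner would add: sshd's `AuthorizedKeysFile` directive can point keys anywhere, and `AuthorizedKeysCommand` can supply keys from outside any file at all, so read `/etc/ssh/sshd_config` as well as the files. And a planted key is only the trivial case; this check proves nothing about the sshd binary or PAM stack on a machine you did not install yourself, which is the point of the post above.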

----------

## ezvw

NeddySeagoon, 

I understand and agree with what you are saying. But that is outside the scope of what I am doing. This is a competition that is attended by college freshmen, many of whom have never worked with Linux.

----------

## khayyam

*ezvw wrote:*

> I understand and agree with what you are saying. But that is outside the scope of what I am doing. This is a competition that is attended by college freshmen, many of whom have never worked with Linux.

ezvw ... ok, in which case you could test the level of 'trust' the competitors are attributing to the ("Gentoo-specific") mechanisms involved in building the software. So, as you control the underlying host system to which the VMs are bridged/NATed, you can point the DNS for the sources, and the portage tree, to a host of your own making (and so the patch, and/or adulterated sources). In this way some care must be taken to notice, and so avoid, this tampering (in short, they must use webrsync combined with checking of the gpg signature provided by releng), otherwise such tampering will pass all the verification mechanisms of the build process.

HTH & best ... khay
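Whether a redirected mirror or DNS answer is caught depends on the sync step being configured to verify the release-engineering signature, which is a repos.conf setting rather than something the student would notice on the wire. The following is an added example, not from the thread or from Portage itself: it reads a repos.conf (a file or the usual `/etc/portage/repos.conf` directory) and reports every synced repository that does not enable verification. The option names are Portage's own repos.conf keys (`man portage`, section repos.conf); the two sample configurations are constructed for the demo, with the weak and the corrected form side by side.

```python
"""Flag repos.conf entries whose sync method does not verify the tree signature."""
import configparser
from pathlib import Path

# Portage repos.conf keys that turn on signature verification per sync-type.
# Without the matching key a tampered snapshot or rsync tree is accepted as-is.
VERIFY_KEY = {
    "webrsync": "sync-webrsync-verify-signature",
    "rsync": "sync-rsync-verify-metamanifest",
    "git": "sync-git-verify-commit-signature",
}
TRUTHY = {"yes", "true"}


def check_repos_conf(text: str) -> dict:
    """Return {repo: problem} for every synced repo that will not verify signatures."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():  # [DEFAULT] is inherited, not listed
        sync_type = cp.get(repo, "sync-type", fallback="").strip()
        if not sync_type:
            continue  # local overlay: nothing is fetched, nothing to verify
        key = VERIFY_KEY.get(sync_type)
        if key is None:
            findings[repo] = f"sync-type {sync_type!r}: no signature verification available"
            continue
        value = cp.get(repo, key, fallback="no").strip().lower()
        if value not in TRUTHY:
            findings[repo] = f"{key} = {value} (must be yes)"
    return findings


def check_repos_conf_path(path="/etc/portage/repos.conf") -> dict:
    """Run the check against a repos.conf file, or every file in the directory."""
    p = Path(path)
    files = sorted(p.iterdir()) if p.is_dir() else [p]
    return check_repos_conf("\n".join(f.read_text() for f in files if f.is_file()))


# Constructed samples: the weak form a student might have, and the corrected one.
WEAK = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = webrsync
auto-sync = yes
"""

HARDENED = """\
[DEFAULT]
main-repo = gentoo

[gentoo]
location = /var/db/repos/gentoo
sync-type = webrsync
sync-webrsync-verify-signature = yes
auto-sync = yes

[local]
location = /var/db/repos/local
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, check_repos_conf(cfg) or "OK")
    print("system:", check_repos_conf_path() or "OK")
```

The keyring those settings verify against is shipped by `app-crypt/openpgp-keys-gentoo-release`. Note what this check does not prove: on an image somebody else built, the keyring, Portage and this script can all have been replaced together, which is the argument NeddySeagoon already made for reinstalling from media you trust.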

----------

## krinn

- a competition to check the security of a Gentoo system

- competitors are students (so by essence, I won't say noobs, but at least "learners"; erm, not good so)

- competitors may have never used or seen Linux

- competitors' results will be attacked by industry specialists

And you are asking how you could make things worse for them?

Well, blindfold them, swap all the keys on their keyboards, turn off the monitors, allow only binary code to be used, force LC_ALL="Russian"... things like that should do a good job.

NeddySeagoon, you really think this thread shouldn't be sent to the trash to end the joke?

----------

## khayyam

krinn ... it's best to defer judgement before all the facts are in ...

Because these are students doesn't necessarily mean they are clueless, most people studying a subject come with some background (and interest) in the subject, and a competition like this is designed to be enjoyable, and/or illustrative of a general problem in the subject area. So it may not be as you suggest, the students are getting the opportunity to rub shoulders with "specialists" in the field, and so perhaps gain some insight into that field. It sounds to me as though the "competition" is between groups of students, not students vs specialists, so the level of difficulty doesn't really come into it, and again it's mostly about what students can learn from the experience, rather than the difficulty involved.

best ... khay

----------

## NeddySeagoon

krinn,

I was initially skeptical ... first post from a new user, how can I break into a system ...

As khayyam says, there could be some merit in this.

However, if I know some Gentoo-specific attacks (I don't admit that I do), the only people that will learn of them are the Gentoo security project.

Responsible disclosure and all that. 

It might be interesting to play with ezvws VM too.

I can just see the brief ... here's a Gentoo VM, its full of root kits and other security vulnerabilities ... please fix it.

That's a completely different kettle of fish to put together a secure VM running XYZ internet facing services and some industry experts will pen test it.

The former gives the security experts a head start.

I understand it's not a real-world exercise ... it's a competition and the rules and starting points are the same for everyone.

I'm sceptical if not exactly supportive, so I'll let the thread run. Other mods may have a different view of the world.

----------

## krinn

Guys, I'm sorry, I interpret his intention differently than you do.

*khayyam wrote:*

> Because these are students doesn't necessarily mean they are clueless,

I know that khayyam, and I said "(so by essence, I won't say noobs, but at least "learners"; erm, not good so)"; while it could be wrong to assume all of them are beginners, it would also be unsafe to assume all of them are not.

And he has himself given a clue about their level: "Many of whom have never worked with Linux."

So, unlike you, I don't think it's a competition of students vs students; seriously, who would make such a boxing competition, where the competitors are some guys ranging from boxing amateurs to guys that have no arms (guys that will use a Gentoo VM and some guys that have never used any Linux before!) that would fight against Mike Tyson and co??? (assuming industry professionals are indeed true security professionals).

*khayyam wrote:*

> so the level of difficulty doesn't really come into it, and again it's mostly about what students can learn from the experience, rather than the difficulty involved.

I shall remind you what he is asking: my competition will be a butchery, how can I make it even worse?

What would anyone learn from getting into a ring vs Mike Tyson and his friends, oh and don't forget, with extra stuff, like arms tied... except that you should just not get into the ring?

I also find it funny that the entity that holds the competition (you know, that entity that has students, who is making a cyber competition and invites industry professionals as judges) cannot set up a URL to the competition, or just doesn't have any website; ah yes, HTML is so hard to code...

*NeddySeagoon wrote:*

> krinn,
>
> I was initially skeptical ... first post from a new user, how can I break into a system ...

That's clearly my point of view.

*NeddySeagoon wrote:*

> I can just see the brief ... here's a Gentoo VM, its full of root kits and other security vulnerabilities ... please fix it.
>
> That's a completely different kettle of fish to put together a secure VM running XYZ internet facing services and some industry experts will pen test it.
>
> The former gives the security experts a head start.

Exactly, asking anyone to secure a default Gentoo (or Linux) where the one that will do that has never even used Linux is hard enough (I'm polite when I say hard enough, because it's just a fucking craziness).

So the explanation "instead of a default Gentoo VM, I want to fuck the VM and give them a flawed one already" not only flaws the competition (you don't need to help industry professionals in cyber defence vs some students, except if you want to make sure no one could win the competition); but really I just cannot believe his intention is to make this harder.

That's why it's a joke, and his intentions are just "hey guys, tell me how to break into a Gentoo please", and it deserves a move to the bin.

I just didn't report it, because NeddySeagoon is here, and why report something to mods if mods are already aware of it?

----------

## 1clue

I'm with krinn on this.

I can see this sort of scenario with a bunch of experienced admins at some sort of weekend hoo haa.

I can see where some corporate admin gets hit by a bus and a new guy needs to figure out what he's got.

I can see where some corporate admin gets pwned and somebody else has to go in and help clean up.

I can absolutely see where some csc-[23]xx course tells students to make a Gentoo VM with xyz services exposed which passes a professional pentest. Incredibly believable.

While I can imagine some merit as proposed by ezvw, I can imagine 10x as much "tell me how to cripple a gentoo box".

----------

## Ant P.

The best way to be evil is to give them the stock "Gentoo" image from an incompetent hosting provider like OVH or Scaleway. Completely out of date, nearly impossible to upgrade and therefore about as secure as an average Windows install.

As they say, there's a fine line between malice and stupidity.

----------

## szatox

Quite frankly, I too see it in a similar way to krinn.

If you plant a backdoor, there is no point in bringing experts in. You already have the head start (you know the backdoor), so you can suck at this game and still win against the experts, who are constrained by limited time.

----------

