omg.wtf.bbq.

because arshan’s too cheap to license OneNote


Here’s my (possibly distorted) recollection of Immunity’s Hack Cup 2010, complete with terrible security puns. Thanks to my teammates on SensePost/#TeamZA for winning! And thanks to Nico Waisman specifically for organizing and Immunity for sponsoring a great event. And yes – all of this is a joke – as in, not meant to be taken seriously, as in plz don’t hack my computer.

Group Stage (or, who cares?)

CLGT was our first opponent, and they had foreigners from all over. I’m sure with vim + Metasploit and a North Korean relay owned by PHF they’re as dangerous as Glenn Beck’s investment advice, but on the 30ft by 30ft indoor soccer field they posed no threat to the new paradigm of South African/Arshanican synergistic collaboration of competitive footballing excellence. #TeamZA wins 6-2.

Immunity was next, complete with Argentinians, so I gave them some respect. Probably too much respect, it seems, since they beat us in a squeaker in the group stage. They had one good player who had excellent dribbling skills, and I’m afraid I found his jersey in my fist more than once. The notable Mr. Aitel scored against us. We let him score because his Beckham-ish looking kid was watching and we felt bad. You’re welcome, Dave. #TeamZA wins by -1 goal.

Playoffs

Media Whores actually practiced the day before Blackhat. They were banking on preparation. It must have gone very well, because Nathan Hamiel was bragging to me about how he kicked the ball and it got stuck on the moon or some shit. Maybe the MediaWhores should get there 1 month before the next Blackhat for more intense preparation.

We murdered them like a zillion to nothing. I think I scored 6 goals. After one of my last goals, one of their players (maybe Mr. Naraine?) gave me a look like, “Jesus, man. What are you?” Answer: a temporary South African. 0xcharlie and Dion looked like they had some touch, but we were too physical, and frankly, too good-looking. #TeamZA wins 8-2.

Goal++ was unlucky enough to draw us in the semi-finals. They are built up of Sir David “OWASP” Campbell and guys from Intrepidus Group, who are supposedly experts in the mobile field. If that was true, why didn’t they use their mobile skills to call an ambulance halfway into this legendary beatdown? They were physical and fast but lacked the touch to string enough passes together to break down our vaunted defense, led by Dominic “Crazy Legs” White. His lower tentacles consistently reached the ball of his opponents like Paul the Octopus, except with more statistical unlikeliness.

They scored a few goals off of some defensive mistakes (made on purpose because only Allah is perfect). Mr. Campbell tried to pull some crazy Denver FROC shit by repeatedly punching me when the ref wasn’t around. Thankfully, Marco Slaviero pulled his male organ out of Intrepidus’s memcached server just long enough to hit a crazy (left-footed?) banger to the upper 90, completing the psychological domination of these men – these men that were so athletic you might mistake them for brothers. #TeamZA triumphs spiritually, financially and hyperbolically with a 5-2 win.

The Finals

The two best teams clearly reached the finals. The Cosmic Kites beat down Immunity in the semi-finals like sirdarckcat and thornmaker beat down the IE8 XSS filter. They also featured a number of Argentinians who were unknown to me. On the other hand, practically everyone here is unknown to me, except the visually distinct Grugq, who was there clearly backing the right horse in #TeamZA.

With many fans of Hack Cup who had traveled over 1 mile to watch the tournament looking on, a battle of epic consequence took place. We were all really tired, and the Cosmic Kites were living up to their name, flying around the field like LeBron James on HGH and Lance Armstrong’s bike. Even Jurgens van der Merve (gesundheit), our goalie, had put in a hard day’s work pwning CEH-certified types who were silly enough to enter his goal box. He was more Tim Howard than Robert Green.

The game flowed back and forth for a few minutes, until I scored a goal I can’t remember. Then, Cosmic Kites answered with swarming defense and the threat of infecting us with Argentinian herpes, which is worse than avian flu.

I think I scored again, and to my recollection it was a header, which is not very common in indoor soccer (or for me at all) – it must have been a real mess inside the goal box. But, our lungs were tired from all vuvuzelaing and scripted goal celebrations – and Cosmic Kites answered yet again.

The game seemed prime for overtime – except for the work of the extremely coachable Charl van der Walt. As we went through the tournament, I kept telling him to slide the ball to the center and slightly behind from his wing position, where he was consistently an APT, so that I could have an easy finish. In the last 0:04 of the game Charl got the ball and took it up the wing – where to my amazement he slid the ball perfectly to my unmarked right foot in the center for an easy finish! We celebrated as the clock wound down to zero.

To the victor then went the spoils:


Dominic, Juergen, Arshan (me), Marco, Charl. Yes, we won even though Dominic was wearing that.

Jeremiah Grossman, who not many people know is actually the devil, smoked a bunch of crack and made the mistake of associating himself with me again with this virulently circulating “7 facts”. Before I got a chance to see his post, he sent me an e-mail saying he was sorry about the “7 facts” thing. I got all excited because I thought it had something to do with Miley “fuckmeboots” Cyrus who has a song by the same name. Now I am all pissed off because it has nothing to do with my dream girl (just playing, Anna Faris – what we have is srsly speshl).

The Rules:

1. Link to your original tagger(s) and list these rules in your post.
2. Share seven facts about yourself in the post.
3. Tag seven people at the end of your post by leaving their names and the links to their blogs.
4. Let them know they’ve been tagged.

0. I don’t think anyone cares about these facts, but I enjoyed writing them while stuck in a hotel outside Philly. By the way, I love It’s Always Sunny in Philadelphia. Great show. That technically will make this page contain 8 facts, but I figure I’m also 1/7 more important or better looking than everyone else, so that means I deserve another fact.

1. I grew up on something more than alert(document.cookie). I cut my teeth on auditing and exploiting C. My favorite hacking books are Hacking: The Art of Exploitation by Jon Erickson and The Shellcoder’s Handbook by Aitel, Koziol, Litchfield, et al. Despite some lies you might hear from samy, the structs in my DNS spoofers are not misaligned and I can smash some stacks. However, my skills in the world of how-the-hell-can-I-write32 and the like have atrophied during my past 3 years in the Funhouse of Mirrors we call the webappsec world.

2. My favorite hobbies are video games, soccer and table tennis. I’ve even gotten some recognition and money for the first 2! Watch your back, Chris Shiflett.

3. I am a social justice junkie and desperately want everyone to vote 3rd party in the next presidential election. Stay within the realm of sanity with choices like Ralph Nader, Cynthia McKinney and Ron Paul. The media and controlling parties simply aren’t capable or willing to effect change, although we all have high hopes for Obama. If you don’t do something to help change your country, even if it’s just helping spread awareness about how fundamentally broken our system is, you might as well buy a shotgun, hole up in your house, and wait for the zombies to come. And pray that when they do, they’re the slow-moving zombies that can only infect you with a bite. If they’re fast and can infect you with scratches, you my friend, can consider yourself as eaten as a delicious risotto in front of Ruben Studdard.

4. I hang out with mostly non-technical people, which is probably why I haven’t killed myself yet. Computers r dum.

5. I can’t fall asleep without reading. I usually stick with Stephen King (the Dark Tower series should be a legal requirement for young adults), Frank Herbert (Dune, duh), George R.R. Martin, and all kinds of non-fiction including modern science types (On Intelligence, Freakonomics), but mostly historical and political (All the Shah’s Men, The Story of World War II, Franklin and Winston, A People’s History of the United States, The Essential Chomsky).

6. I’m an avid fan of both types of football, and cheer on my hometown Baltimore Ravens and my never-been-there-but-home-away-from-home Liverpool Reds.

7. I was almost an artificial intelligence academia dork. My master’s thesis got published and I had some cool opportunities, but security was more interesting. We’re a long way from the finish line in the world of AI, and I didn’t want to be a forgotten ant in the pile of failed researchers.

Ok, here are the people I’m picking out.

Ivan Ristic. A good friend; unique, and an expert.

Mario Heiderich. He’s a great mind, passionate, but most importantly because he will HATE me for it.

Billy Hoffman. Because he’s my hero.

Dre/Marcin: Marcin is one of my padawans and Dre is hilariously inflammatory. This counts as 2.

Rafal Los:  I’m calling on a preacher’s kid, I must be running out of people.

Coates: A co-worker who pwns.

This is your everyday, ticket-serving Amtrak kiosk. Look familiar?

I love taking the train. God, the only thing better than taking the train would be taking the train for free.

Whoops. Thanks for the ticket, Marge Power, traveling from Alexandria, VA.

How was I able to do this? Direct object references (DOR), or insecure direct object references (IDOR) if you prefer the OWASP name. Laughably, ridiculously easy attacks. Is this a Diebold product? It’s no wonder that with this level of security, a 14 year old kid from Kerplakistan with a pasta drainer, wireless mouse and a shoebox was able to completely derail their trains. I’ve told my webappsec classes that the easiest way to steal a bunch of information from a website is through direct object references. My wife could perform a DOR attack, and if you think she knows anything about security, I can just tell you she has like 5,000 Facebook applications with full privileges running.

So, let’s get to the really gory, technical details of this Mitnick-like hack.

My confirmation number was 01CF01.

I typed in 01CF04.

Maybe it was by accident, Amtrak, and maybe it wasn’t. Regardless, I got Marge’s ticket offered to me. Look at the screen again. See the “Print Tickets” option? A six-character hex code is the only thing standing between a stranger and that button, and nothing on screen asked for a name or a card to go with it. I’m sure this does happen all the time by accident. Whoever made this horribly insecure contraption knew that, too, because on the first picture, if you look closely, there’s a “Not you? Click here to try another confirmation number” button as well. You don’t need an ID to board a train, remember.

Incidentally, Marge Power is such a badass name. That’s why I didn’t get her tickets out. She sounds ripped. Anyway, imagine the same kind of functionality on a website:

http://bank.com/viewProfile?accountID=101

Hrm. How about 102? Or:

http://bank.com/viewReport?file=arshan.pdf

Hrm. How about ../../../../etc/passwd? When we learn to program, we’re not taught security. We’re taught to pass our test cases and include as much functionality as we can. Maybe we can sneak in a little blurb about data ownership into our curriculum, say, instead of DFDs or UML or anything else that 90% of web developers never even use? Even harder to imagine than teaching doe-eyed comp sci students security is the prospect of teaching stuffy old professors about it.
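Here’s what the three lookups above look like in code, first the way the kiosk and my hypothetical bank.com seem to do it and then the way they should. This is an added example written for this post, not Amtrak’s code or any real bank’s: the ticket and account records are made up, the report root /srv/reports is assumed, and the hardened kiosk check (confirmation number plus passenger last name) is one reasonable fix, not what Amtrak actually ships. The point of each “hardened” version is the same: the identifier the user typed is never the only thing that decides whose data comes back.

```python
"""Direct object reference lookups: vulnerable vs. hardened (added example)."""
import hmac
import posixpath

# --- constructed sample data; nothing here is real ---
TICKETS = {
    "01CF01": {"passenger": "Arshan Dabirsiaghi", "origin": "Washington, DC"},
    "01CF04": {"passenger": "Marge Power", "origin": "Alexandria, VA"},
}
ACCOUNTS = {
    101: {"owner": "arshan", "balance": 12.34},
    102: {"owner": "marge", "balance": 99999.00},
}
REPORT_ROOT = "/srv/reports"  # assumed document root for viewReport?file=


# 1. The kiosk: the confirmation number is the whole "secret".
def kiosk_vulnerable(confirmation):
    """Type 01CF04 instead of 01CF01 and you get Marge's ticket."""
    return TICKETS.get(confirmation.upper())


def kiosk_hardened(confirmation, last_name):
    """Require a second fact bound to the record that a guesser won't have.

    Compared in constant time so a wrong name fails exactly like a wrong
    number. Rate limiting the "try another number" button is still needed
    on top of this; it is not shown here.
    """
    ticket = TICKETS.get(confirmation.upper())
    if ticket is None:
        return None
    expected = ticket["passenger"].split()[-1].casefold().encode()
    if not hmac.compare_digest(expected, last_name.casefold().encode()):
        return None
    return ticket


# 2. bank.com/viewProfile?accountID=101
def view_profile_vulnerable(session_user, account_id):
    """Ignores who is logged in; 102 is one increment away."""
    return ACCOUNTS.get(account_id)


def view_profile_hardened(session_user, account_id):
    """Ownership check: the record must belong to the authenticated user.

    "Doesn't exist" and "isn't yours" get the same answer so the endpoint
    can't be used to enumerate valid account IDs.
    """
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session_user:
        return None
    return account


# 3. bank.com/viewReport?file=arshan.pdf
def report_path_vulnerable(session_user, filename):
    """Joins user input straight onto the root; '..' walks out of it."""
    return posixpath.normpath(posixpath.join(REPORT_ROOT, filename))


def report_path_hardened(session_user, filename):
    """Per-user directory plus a bare-filename rule plus a containment check.

    Any separator or traversal component is rejected before the join, and
    the normalized result must still sit under the user's own directory.
    """
    user_dir = posixpath.join(REPORT_ROOT, session_user)
    if filename in ("", ".", "..") or filename != posixpath.basename(filename):
        return None
    full = posixpath.normpath(posixpath.join(user_dir, filename))
    if posixpath.commonpath([user_dir, full]) != user_dir:
        return None
    return full


if __name__ == "__main__":
    print(kiosk_vulnerable("01CF04"))                        # Marge's ticket
    print(kiosk_hardened("01CF04", "dabirsiaghi"))           # None
    print(view_profile_vulnerable("arshan", 102))            # Marge's account
    print(view_profile_hardened("arshan", 102))              # None
    print(report_path_vulnerable("arshan", "../../../../etc/passwd"))  # /etc/passwd
    print(report_path_hardened("arshan", "../../../../etc/passwd"))    # None
```

The report fix deliberately does two things rather than one: rejecting anything that isn’t a bare filename stops the obvious ../ and absolute-path inputs, and the commonpath check catches whatever the first rule missed, so a bug in either test alone doesn’t put /etc/passwd back on the menu.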

Anyway, hope your March Madness brackets are doing well. I have my alma maters Towson University and Essex Community College meeting in the final, with Essex snatching the victory in classic underdog fashion from Towson in triple overtime – on a jumper from some 19-year old father of 2, making the end score 45-44. Sure, neither were in the tournament, but you know how those later rounds are weighted. If I nail the final I’m taking home the dough.