I participated in this contest and wrote a small Python script that generates a .CSV summary of Apple TV activity on a network and extracts .plist files from that traffic. It was a lot of fun to tinker around with, and it looks like I just managed to land in the list of finalists. You can check out the finalist entries, including mine, at the following links:

• Puzzle #3 Winners
• My Entry: atvsnarf.py and my writeup

These competitions are fun to participate in, and I’m hoping that I’ll have time to finish up my entry for Puzzle #4 before the deadline.

• Insurgents Hack U.S. Drones

According to this article, the insurgents were able to capture drone video feeds using software like SkyGrabber.  SkyGrabber is, according to its website, essentially a sniffer for satellite Internet connections that can recognize and extract.  This works because the data stream from the satellite to the clients on the ground is undirected.

This article has fueled a lot of discussion along the lines of “Why aren’t drone feeds encrypted?”.  There are plenty of people writing about that question, so I’m going to take it in another direction:

“What if we (including the WSJ) are missing something here?”

What if the videos found on insurgent laptops were not direct data streams from the drones themselves?  What if they were actually captured as files being shuffled from one place to another over a satellite Internet connection, after they had been recorded and saved?

Now, I haven’t used SkyGrabber, so I would like some feedback from someone who has used it on this, but there are some things that don’t really make sense to me yet about this.  Looking at the feature list for SkyGrabber and (especially) the screenshots, I see progress bars for the downloads.  A progress bar indicates that you know when the file you’re downloading will end.  That indicates, to me at least, that SkyGrabber gets most of its data from protocols like HTTP (and P2P protocols as it states on the product pages) that indicate the size and name of files that they are about to transmit.

How do you know when a live stream, such as one that a drone is transmitting, is going to end?  How likely is it that, if it does record live streams, SkyGrabber would be able to recognize whatever streaming format the drone uses?  Someone with some experience using SkyGrabber (or, more unlikely, unmanned drone communication protocols) might be able to chime in on this.

Now, if recordings are being shuffled around after a mission from location to location, then it would make sense for those to go over protocols that SkyGrabber might understand.  This would fit with the “U.S. officials” statement that there was no evidence that the flights could be controlled or interfered with.

Without any other evidence, it’s hard to take the WSJ article as the complete story.  There’s a lot of room for alternatives:

• The feeds being intercepted may not be live
• Software other than SkyGrabber might be used
• Maybe the story’s right-on and the drone is communicating over well-understood and parse-able protocols

It’s even possible that, while these incidents could have involved interception of non-live data, that the drones do communicate unencrypted and the possibility exists (with better tools) to intercept their feeds.

It’s very hard to say, but there are some of my thoughts on the matter.

In the last moments of the game, with “Eye of the Tiger” playing from an unidentified laptop, the two top teams submitted all of the flags they had been afraid to submit earlier, along with plenty of cover traffic.  The scoring server creaked and groaned under the pressure, and I closed all of the other VMs to help out a bit.  When the clock hit 9:00 AM, I pulled the power to the hub, cutting the VM server off from the rest of the network.  The two teams congratulated each other, and we all went down to the classroom for the awards ceremony.

The final scores:

1. Ring 0 : 29 Flags
2. McGrewchebags: 23 Flags
3. Where’s Jerry?: 12 Flags
4. Team 3: 6 Flags
5. Team 5: 4 Flags

After looking into it, we have found that the “Jerry” of “Where’s Jerry”’s name dropped the class some time back.  That team is on an even footing with the others with 4 members, so there is no injustice there.  I originally had a 1 flag bounty on Jerry’s head, if they could bring him to me, though with these circumstances, I’ve raised the bounty to 2.

Ring 0 was just awarded a flag for a social engineering attempt that I was deliberating on for a while, and another flag for something I cannot disclose at this time.  Right now, it’s a very close three-team race for first place, although it’s hard to say how many unsubmitted flags the teams could be sitting on.

The scores as of this moment:

1. McGrewchebags : 17 Flags (Time of last capture: 3:46 PM Saturday)
2. Ring 0 : 14 Flags (Time of last capture: 11:30 PM Saturday)
3. Where’s Jerry?: 12 Flags (Time of last capture: 1:51 PM Sunday)
4. Team 3: 6 Flags (Time of last capture: 8:22 PM Saturday)
5. Team 5: 4 Flags (Time of last capture: 11:57 AM Saturday)

The teams are getting more and more humorous with their trash talking.  It’s all in the spirit of the competition, though, as they’re being very friendly and sportsman-like to each other.  Earlier, I was witness to a member of Ring Zero sharing his copy of Fyodor’s nmap book with a member of McGrewchebags.

There was a bit of social engineering action today (bribery, etc.), and a small handful of points were handed out.  The best social engineering attempt, a survey sent to us, was actually rewarded by providing the team with an answer to one of their survey questions, rather than a “social engineering flag”.  That answer might serve them well.  It’s difficult to judge the social engineering attempts objectively, so I simply go with my gut.  Occasionally students protest about perceived uneven applications of rules and rewards, but it all evens out in the end.  Either way, there’s no way to appeal my decisions :)

Teams are getting a good handle on their sniffing and packet analysis skills, and are falling into a good routine on that front.  Most of the teams appear to be working well with each other as a team, and continue to put in some long hours.  I wouldn’t be surprised to see a sleeping bag in here the next time I drop by to see what’s going on.

I will be dropping by at least once tommorow and Sunday, and will post updates then.

Current scores:

1. McGrewchebags – 15 Flags (Last capture, 7:39 AM)
2. Ring 0 – 9 Flags (Last capture, 11:31 AM)
3. Where’s Jerry? – 8 Flags (Last capture, 11:25 AM)
4. Team 5 – 3 Flags (Last capture, 12:16 PM)
5. Team 3 – 1 Flag (Last capture, 2:46 PM)

Current scores as of 10:04 this morning:

1. McGrewchebags: 14 flags (Time of last capture: 7:39 AM)
2. Ring 0: 7 flags (Time of last capture: 9:53 AM)
3. Team 4: 4 flags (Time of last capture: 9:38 AM)
4. Team 3: 1 flag (From yesterday, when they weren’t here)
5. Team 5: Nothin’!

I’ll likely update again this evening at 5PM.

Three flags were submitted for scoring today.  This includes one flag each by Ring 0 and the McGrewchebags, 30 minutes apart from each other.  The remaining flag is more interesting for one reason: it was credited to Team 3, who had no members in the room at that time.  I know the reason for this, along with many other CTF secrets that I cannot reveal until after the closing ceremony.  For now, it is an exercise for the readers and other teams to figure it out.

Network traffic is picking up with “cover traffic”, designed to confuse other sniffing teams.  If it begins to get out of hand, I will need to start unplugging network cables, but so far so good.  The active teams are learning a lot about filtering through packet logs.

Soon, it seems, teams will be getting very serious about attacking target VMs and actually capturing flags for themselves ;)

The scores as of 5:00PM:

1. McGrewchebags – 13 Flags
2. Ring 0 – 5 Flags
3. Team 4 – 1 Flag (Time of last capture NULL, only flag is social eng. granted)
4. Team 3 – 1 Flag (Time of last capture: 2:46PM, no members present!)
5. Team 5 – 0 (Sleeper cell, or just asleep?)

The students of team Ring 0 have made their presence known on the scoreboard, now in a distant second place with 4 flags.  Don’t let the word “distant” fool you, though.  They were in here and working on it for a good while last night, indicated by their time of last flag submission: 12:42 AM.  The flags they submitted last night were likely just the ones they didn’t mind the other teams’ sniffers catching.  I am certain they have more.

A flag was awarded last night to Ring 0 for a social engineering attempt that I interfered with.  The team registered a gmail account in my name, and planned on posting a letter on the door of the lab, from “me”, informing the other teams that the lab was closed temporarily, due to damage caused by the “disqualified” Ring 0.  They were not sure if the letter would violate the spirit of the CTF rules against interfering too much with other teams, so they consulted with me before putting the sign up.  I thought it was a cool idea, but I didn’t want to cut into other teams’ time in the lab, so I thanked them for the attempt, told them to not put up the sign, but awarded them a flag for their efforts.

I look forward to today’s activity.

The scoreboard, as it stands this morning:

1. McGrewchebags – 12 flags
2. Ring 0 – 4 flags
3. Team 4 – 1 flag
4. Team 3 – 0
5. Team 5 – 0

After a briefing on the rules of CTF to the students from 9:00 to 9:45 this morning, this semester’s marathon Capture the Flag began.  The five teams have until 9:00 Monday morning to rack up their score.  There is plenty of time to go, although some teams are getting an early start.

The McGrewchebags (I love their name) have had an excellent start.  Members have been in the lab working on it ever since the end of the initial briefing, and have found most of the publicly available flags along with a handful of flags on the isolated CTF network.  They are also the very first team to break the scoring server in such a way that they could end the game right then and there.  The game was quickly repaired and the McGrewchebags were rewarded 2 points on the spot.

The teams that have been on the network have quickly realized that having an entirely hubbed network (one large broadcast domain) and the lack of a secure way to submit flags for scoring presents an interesting set of opportunities and challenges.  Passive monitoring is allowed, and each team is laying claim to one computer in the lab from which to run scripts and sniffers.  Espionage and communications security are top concerns for some of the teams, with counter-measures and counter-counter-measures being discussed in hushed tones.

The only team to submit flags to the scoring server, the McGrewchebags, are in the lead, although it is not known how many flags other teams are “sitting on” at the moment.  It’s a battle of nerves, as ties are broken by the earliest time of last submission.

The un-named Team 4 was just (50 minutes ago) awarded with one flag for a nice social engineering attempt.  This team sent me an email, spoofed to appear as though it was from the professor of the class, informing me that Team 4 deserved points because “they got me earlier” (meta-social-engineering!).  The email wasn’t perfect.  The headers didn’t match Dr. Vaughn’s usual emails, and they accidentally double-spaced his signature, but it was a pretty good attempt and earned them a flag.

Ring 0 just chose their name, and appear to be in a sort of set-up stage.  They may be a little slower to jump in than the McGrewchebags, but I get the impression that they are very serious about winning.

Scores as of Wednesday 5:00PM:

1. McGrewchebags : 12 points
2. Team 4 : 1 point
3. Ring 0 : 0 points
4. Team 3 : 0 points
5. Team 5 : 0 points

If everything stays up and running, and I don’t get any emergency calls, I will be back on the CTF network in the morning, and will keep my readers up to date with scores and commentary.

There are five teams of students, and each will be racing to find a series of “flags” (10-character hexadecimal students l strings) that are scattered among a series of target computers.  As they find these flags, they will be submitting them to a scoring server to increase their score.  Since the are of varying levels of experience, we have strict rules against attacking other teams directly (though passive monitoring is allowed).

The students have always enjoyed the CTF in the past, and I believe that the new time format will make it even more fun and instructive.  The student teams have been meeting and preparing for some time now, and are very excited.  My favorite team name so far is “The McGrewchebags”.

If all goes well, I will be posting scores and commentary as the competition carries on through the weekend.

If you are a student in the class, here’s a free flag: ff8551ef39