Monday, May 16, 2016

Javier Marcos: "Red Team always wins"

Javier Marcos. Security engineer and CTFs master.

Javier Marcos is a true hacker warrior and a warriors master, struggled in dozens of battles now called Capture The Flag (CTF). Security Engineer at Facebook, he has just released a free platform that facilitates the organization of CTFs, that is what he talks about in this interview, neither the first nor the second one in his career.

Javier, 32 years and alias Javuto, is a kid of mountains and a village, Vegacervera. Even when at 4 years his family moved to Leon, mountain 'bravura' is still intact in him. Once achieved the title of computer engineer he reached the conclusion to go on "by land, sea or air", so he emigrated first to Portugal, then Ireland and then California, although his Twitter assures he lives in the land of the Brave.

- How did you get into the world of computer security?

- Many hours on the IRC, on the network and with the computer. I remember reading everything I could get my hands even when I was understanding anything. Before Internet, I took out some technical books from libraries trying to figure out something clear. There never was any field calling me in a particular way, I just practiced and went slowly learning a lot of things. I started a master on Security and a few months later I joined Security Team at IBM, where I was already working as a software engineer.

- You have created some security tools. Which one would you highlight?

I have been fortunate to be part of the development team at Osquery since its inception. It was born from the need of monitoring and extracting structured information from OSX and Linux systems. Since these tools are often agents working all the time on your machine, we even didn't want to run something without a full audit, and that's why it is completely open source. Moreover, the concept of being able to apply SQL in the operating system is very powerful.

And I must mention my brand new CTFs platform! It took me some three years developing in my spare time, and it made me moving to polish the code and distribute it as open source software.

- I read that it is a platform for Jeopardy and "King of the Hill" games. What kind of games are those?

- Jeopardy is basically a question and answer panel where the answer may be something you would find with a simple search on Google or some flag or text that is hidden. They are often cryptography, forensic, exploitation or web challenges... The idea is that you have a hidden text and you must find it. King of the Hill is different: we have a system that is vulnerable and the first team dominating it wins the points. Moreover, the longer the control is maintained, the more points are carried.

- What does exactly the platform?

- It is to organize competitions. It manages the registration and team management, game management and scores. The tests are not within the platform, because it depends a lot on the kind of event you want to organize. It's not the same making a CTF in a school or in a security conference.

- Is it the first platform of this kind?

- I think it is the first one to integrate Jeopardy and King of the Hill. We are also working on the developing of a solution for Attack and Defense competitions, where teams must defend their infrastructure while attacking others. This kind of competition is played at Defcon finals and for me it is the Champions League of the CTFs.

One of its exclusive things is the most possible CYBER interface, colorful and striking. We have also tried to use the code as an educational tool for secure programming best practices. Anyway, our platform is part of the Facebook Bug Bounty, so if people find vulnerabilities... OK, welcome home!

- How did you become a CTF fan?

- They are a very entertaining way to spend the time and to learn a lot! It's not only about playing but when you have to organize one, there are many things to do: writing your own platform for the game, deploy infrastructure, leave it bombproof, develop levels, join it all and see how people enjoy, and learn.

- Do you prefer to organize or to participate?

- If you want to organize good CTFs you must have played many of them, since you feel firsthand the frustration of so-so tests, or when something gets broken and nothing you can do. Even if you just take a quick look, or read writeups from past events, there's always something that can give you an idea for a test. I play on my own, but when I lived in Dublin I helped Mario Ballano from int3pids.

- What kind of CTFs do you like to organize?

- Attendance CTFs to feel the atmosphere and to see people going all-out. From the last ones, I have to highlight the Navaja Negra-ConectaCon, due to the good atmosphere and participation. Really to repeat!

- Are you ever surprised with solutions that you do not expect?

- I remember a year at BruCON, I had a test that was a vulnerable Android application, with a numerical combination that changed every second for generating different codes. To pass the test the quick way was invoking the code after hitting the combination, but some kids made reverse engineering to the algorithm, so they were able to predict the combination at a future time. The points were the same but they really impressed me.

- What is the best CTF that you remember?

- I have a special remember on AppSec USA 2011, in Minneapolis. Juan Galiana and me went there to show attack techniques abusing HTML5 and there was a CTF for a couple of days. Just after our talk, ending the first day, we went to have a look and we saw that we had possibilities. I mean, instead of going out for dinner and drinks, we stayed at the hotel to prepare the strategy and tools for the next day. And, OK, after an intense day we won the CTF.

Although I can not miss the opportunity to mention the Kachakil car. It happened playing a prequals of Defcon in Dublin, there was a rather difficult challenge that let you control avoiding obstacles.

- Participating in CTFs give the same training than engaging in hacking of real machines?

- Playing CTFs let you use intrusion techniques while doing nothing illegal. And you learn a lot while you build your test environments. Many times you need to simulate a platform, and virtual machines or virtual servers are phenomenal to get things done. It is not only breaking things in Security :)

As for the techniques, it depends on what level we are talking about. There are many teams who develop their own tools and have a lot of examples and facts, so if the problem is generic, you may find that solution are already done or almost ready. You have a lot of released things that are plenty to play CTFs. And, after all, the nature of the attacked machines is always the same, whether a CTF or something else.

- We've been talking recently with RoMaNSoFt and he said that CTFs are even more difficult than hacking. So do you think?

- I totally agree. Challenges are often rather more convoluted than reality, and somebody even have introduced real systems to see who could jeopardy them. At the end of the day the CTFs are used to attract talent, isn't it? Why not 0days too?

- Everything evolves very fast, is there something for CTFs replacement?

- I do not think so, but now there are more options for types of games, strategies and implementation. Defense events are taking on, something like reverse CTF. For example, in the United States, it is very popular the CCDC (Collegiate Cyber Defense Competition), where students have to defend their infrastructure, designed to simulate a real corporate environment, and the Red Team is made up of security professionals.

I've been 3 years participating as a member of the Red Team and it really help students to learn how to deal with the pressure of an incident; especially when you tell them where you've get into, and what should they have done to detect intrusion and eliminate the threat. But hey, the Red Team always wins :-P

- Finally, would you give us a sentence?

- I could tell you something deep as "who does not risk, does not win", but people who know me, know that I like to take things from a humorous point of view and "trolling" the more, the better. So "Always Be Trolling!" is a philosophy way of life for everyone!

Text: Mercè Molist


Post a Comment