Announcement

Collapse
No announcement yet.

Dark Tangent's Tamper Evident Contest RULES

Collapse
This is a sticky topic.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Dark Tangent's Tamper Evident Contest RULES

    How to play:
    • Read this post and decide if you want to play or help run the contest
    • Register in the forum thread for sign ups if you want to play.
    • Show up to DEF CON 18 with all your gear and tools to attack!
    • Grab the package.
    • Win!


    I have always been interested in the concept of tamper evident and tamper proof packaging and seals. For the past couple of years I have wanted to encourage people to explore, like with lock picking, just how secure various technologies and products are.

    With physical games like LosT's Mystery Box Challenge, the Hardware Hacking Village, and the Lock Pick Village really taking off it is now or never!

    So here is how I envision the contest working. It is a first year contest run by someone (Me) who has little to none actual experience performing defeats against tamper evident tech. Because of this I want to learn! For the first year we will start easy and over the years as we all get better and the challenge will get progressively more difficult. Because of this I am going to tell you almost exactly what to expect this year.

    THE DETAILS

    LONESTAR or TEAM?: You can register as an individual, or as a team of unlimited size for the first year. This is to get people playing. Next year the teams will be restricted to a max size of three. So decide (Individual|Team)

    THE GOAL:
    There are various tamper evident technologies out there, including tape, seals, locks, tags, and bags, to name a few. This contest will test your ability to perform "defeats" (Described below) against a range of inexpensive commercial low to medium security products. I will list the exact products I am buying so you can go buy them as well to practice in advance if you want to.

    SCORING:
    You will receive points for succeeding, no points for failing, negative points for not trying to defeat or skipping an item. Extra points are awarded for completeness of documentation. The more unique your exploits are the better. In the case of a tie in points, whoever turned in their results first wins.

    Different levels of defeats are worth different points. We will use the LANL Defeat Categorization Scheme to describe them:
    • [1]Type 1 defeat = 1 points
      [2]Type 2a defeat = 2 points
      [3]Type 2b defeat = 4 points
      [4]Type 3 defeat = 6 points
    • Failing to attempt a defeat earns you negative 2 points (-2)


    A component of the contest will require documentation of how you did your break, pictures or video, so the knowledge can be spread and others can learn what does and does not work. In the end we can all make better informed decisions about what we can or can't trust!

    The documentation that you need to write on each defeat is straight out of the first .pdf below, but we will be using a limited subset of the "Reporting Findings" section. Specifically:
    A comprehensive vulnerability assessment report should consist of the following 5 items:
    1. A detailed description of the successful attacks. For each attack the following information should be provided:
    • Is the attack theoretical, partially demonstrated, fully demonstrated but not perfected, or practiced to perfection?
    • What are the cost, time, and effort to devise and demonstrate the attack?
    • What time is required on-site to do the attack?
    • How much time is required for the attack to become activated, which may differ from the time to do the attack? (It may, for example, take some time for the epoxy used in a particular attack to fully cure.)
    • What time is required for off-site preparation? (The British Standard permits off-site, pre-test preparation,
    but does not apply time constraints [11].)
    • What personnel, skills, technical sophistication, and costs are necessary to complete the attack?
    • How many times and for how long must the adversary have on-site access to the seal?
    • What is the size, weight, cost, and nature of the tools and materials that must be brought on-site for the attack?
    • What is the level of defeat? (See the next section.)
    • Is inside information necessary for the attack, or just what is publicly available?
    2. Sample(s) of the defeated seal should be provided if practical and appropriate.
    The more you break and document the more points you earn. The Individual and team that gets the most points, wins!

    THE COURSE OF THE CONTEST:
    When you get to con you will be given a package. This package will have tamper evident seals on it. Some of these products claim to be "Impossible to reseal or reuse". Your goal is to prove them wrong and document your work every step of the way. Open the box and tamper with its contents. Inside you will find two chains. One of the chains is just a plain chain, the other chain will have some tamper evident tags and such on it. You will have until noon on Sunday of con to move as many of these seals and tags from one chain to the other without your tampering being detected. Oh, and open the box and deal with anything else you may find in there.

    There should only be about five or six tags this first year, I will edit this post and exactly describe what they are and where you can buy them in advance. I will also have spares at the con that you can practice against. Be warned this is not everything, but it is the majority of what you will run into.


    We will list a few more contest details, dis-qualifiers, rules, and registration information soon.

    REFERENCES:
    Here is a list of Links & papers to get you started becoming familiar with what I have found on this subject. No details on how to actually do a break? Yeah, now you see why I am interested! Let's go all OSS on this problem. If you find other documents or references please post it in the Tamper Evident Research thread and I will include them in the post by editing it.

    Websites:
    http://www.ne.anl.gov/capabilities/vat/seals/index.html
    http://www.ne.anl.gov/capabilities/vat/seals/types.html
    Definitions to use when talking about tamper evidence http://www.ne.anl.gov/capabilities/v...efinition.html
    http://www.ne.anl.gov/capabilities/vat/detect.html
    http://www.ne.anl.gov/capabilities/v.../findings.html

    .pdf documents:
    Read this first paper, Effective Vulnerability Assessment of Tamper-Indicating Seals, because it will describe the definitions of the defeats, as well as the vulnerability assessment you must write up for each seal you manage to defeat.

    http://library.lanl.gov/cgi-bin/getfile?00418792.pdf
    http://grandideastudio.com/wp-conten...mbed_paper.pdf
    http://csrc.nist.gov/groups/STM/cmvp...secpaper06.pdf
    http://www.cl.cam.ac.uk/~mkb23/research/PIN-Mailer.pdf

    From the first .pdf, here is a quote describing the different defeats for those of you curious, but not curious enough to download and read it.

    Under the LANL scheme, we classify successful attacks into four categories: type 1, 2a, 2b, or 3.
    In a type 1 defeat, tampering is not detected if the "usual" seal inspection process is followed. See figure 1.
    The usual process is that routinely or typically employed by the end-user. For most seals, this is the protocol recommended by the developer or manufacturer of the seal. A type 1 defeat, however, will be detected if unusual efforts are taken. For many seals, an example of an unusual inspection protocol would be to disassemble the seal and examined it in great detail to look for tampering.

    In a type 2a defeat, tampering is not detected if the usual inspection protocol is followed and if the user visually studies the exterior of the seal (plus any internal parts that can be seen without opening the seal) to look for evidence of entry. See figure 2a. The visual inspection can be done with either the naked eye or a hand-held magnifier.

    In a type 2b defeat, tampering is not detected if the usual inspection protocol is followed and if the user disassembles the seal and meticulously examines the interior and the exterior of the seal visually (with the naked eye or a hand-held magnifier) to look for evidence of entry. See figure 2b.

    In a type 3 defeat, tampering cannot be detected, even if the most advanced postmortem analysis is undertaken. See figure 3. State-of-the-art techniques in forensics, material science, or microscopy will not be able to tell that the seal has been defeated. Classifying a defeat as type 3 is problematic in that it is difficult to be absolutely certain that no technology anywhere in the world has the ability to detect the tampering. Despite this problem, we believe we have demonstrated a number of type 3 defeats at LANL [13].

    If a non-type 3 defeat is successful in a seal application where the "usual" inspection protocol automatically includes meticulous visual examination of the exterior or interior of the seal, the defeat is classified as 2a or 2b, respectively, rather than as a type 1 defeat.
    For this contest the "usual" seal inspection process will be that of cursory inspect held at arms length, to simulate someone walking by or casually looking at the seals while talking to someone else.

    NEXT STEPS:
    Sign up if you are interested by posting in the registration thread, or in the helper thread if you want to help me run this thing. I'll be quite busy, so I will need to rely on a core group of people to help me pull this off. We will need to build the boxes, document what is inside, and then deal with the check in and out of the boxes as well as evaluate the results.

    Thank you all, I hope to have a few players and some fun results this year!

    The Dark Tangent
    Last edited by Dark Tangent; June 16th, 2010, 20:38. Reason: Added some seals that will be used in the contest
    The Dark Tangent: Use PGP for email Key ID: 0x8B0B476D
    Fingerprint: EA2B 63F9 2219 9171 2AB1 0065 FC59 8B0B 476D

  • #2
    Re: Dark Tangent's Tamper Evident Contest RULES

    I heartily enjoy this idea.

    Comment


    • #3
      Re: Dark Tangent's Tamper Evident Contest RULES

      I'm up for helping if you need extra hands. Busy Wednesday but Thursday can be all hands on deck before and after DC101 talks.
      "They-Who-Were-Google are no longer alone. Now we are all Google."

      Comment


      • #4
        Re: Dark Tangent's Tamper Evident Contest RULES

        I'm up for the challenge, team or no team I'd like to give it a go.
        Vell, WiK's just zis guy

        Comment


        • #5
          Re: Dark Tangent's Tamper Evident Contest RULES

          I would like to enter this contest also, if for naught else but to gain experience. However, I am somewhat unsure how I would get epoxy & another necessary chemical through TSA security on carry-on (and will not have checked baggage). I note there are Wal-marts etc in Vegas, but does anyone have a suggestion how I might get the chemicals I actually NEED through TSA? Without spending a few hours in a darkened back room, that is!

          Perhaps I could team with someone who is driving there? If someone wants to team, I am for it. I can tell you what chemicals will be needed, and could even send them to you via UPS possibly. Also some small, common tools are necessary
          Last edited by snideology; July 18th, 2010, 16:47. Reason: Requesting a teaming with someone local, or driving there
          The f*ck? Have you ever BEEN to Defcon? - chs

          Comment


          • #6
            Re: Dark Tangent's Tamper Evident Contest RULES

            Originally posted by snideology View Post
            I would like to enter this contest also, if for naught else but to gain experience. However, I am somewhat unsure how I would get epoxy & another necessary chemical through TSA security on carry-on (and will not have checked baggage). I note there are Wal-marts etc in Vegas, but does anyone have a suggestion how I might get the chemicals I actually NEED through TSA? Without spending a few hours in a darkened back room, that is!

            Perhaps I could team with someone who is driving there? If someone wants to team, I am for it. I can tell you what chemicals will be needed, and could even send them to you via UPS possibly. Also some small, common tools are necessary
            You could mail them to yourself at the hotel you are staying at.
            Originally posted by Ellen
            Do I wish we could all be like hexjunkie? Heck yes I do. :) That would rock.

            Comment


            • #7
              Re: Dark Tangent's Tamper Evident Contest RULES

              Originally posted by snideology View Post
              ... I can tell you what chemicals will be needed, and could even send them to you via UPS possibly. ...
              Originally posted by hexjunkie View Post
              You could mail them to yourself at the hotel you are staying at.
              Take your own (and hexjunkie's) advice. UPS/FedEx/USPS all ship to/from the Riviera's Business Center. Most larger hotels have similar setups, and if your hotel doesn't offer such services, there is a UPS Store about 2 miles from the Riv. I've shipped a number of things to and from hotels for DC when I didn't want to deal the TSA or it wasn't practical for checked luggage.
              Thorn
              "If you can't be a good example, then you'll just have to be a horrible warning." - Catherine Aird

              Comment


              • #8
                Re: Dark Tangent's Tamper Evident Contest RULES

                I had considered doing that, although admittedly I have concerns about mailing a box of chemicals(or, frankly, anything) to a hotel. Also, I would prefer not bringing tools on carry-on, but will if I have to.

                Thanks for the replies; I shall resort to mailing to the resort, if no one wishes to team. See you there!
                The f*ck? Have you ever BEEN to Defcon? - chs

                Comment


                • #9
                  Re: Dark Tangent's Tamper Evident Contest RULES

                  Originally posted by hexjunkie View Post
                  You could mail them to yourself at the hotel you are staying at.
                  Be careful with this. There *can* be unexpected fees when you pick up at a hotel, and I have had many experiences in the past where hotels have:
                  Misplaced boxes
                  Lost boxes entirely
                  Put boxes directly into the convention area
                  Put boxes into the convention area of the WRONG convention
                  Stolen from boxes. (They are not responsible. There will probably be a sign that says that.)
                  Refused boxes. (This happens sometimes if there is no room number / Name / arrival date on the box.)
                  Thrown away boxes. (same)
                  Sent boxes to the wrong room. (Where they are likely looted.)
                  Received boxes from the mail carrier, but made no note of it so that they sit in their office and can never be collected.

                  etc..

                  If others say they have done it with no trouble, it is probably safe. I just have a lot of bad experiences from many many trade shows. :)
                  Last edited by Ellen; July 19th, 2010, 05:46.
                  WUVMVEtSUktQRlJOVE9CSENLRUFIUUtR

                  Comment


                  • #10
                    Re: Dark Tangent's Tamper Evident Contest RULES

                    Originally posted by Ellen View Post
                    Be careful with this. There *can* be unexpected fees when you pick up at a hotel, and I have had many experiences in the past where hotels have

                    <snip>

                    If others say they have done it with no trouble, it is probably safe. I just have a lot of bad experiences from many many trade shows. :)
                    Another alternative is to ship it to a Customer Center in Las Vegas and pick it up there.

                    http://www.ups.com/content/us/en/res...ld_pickup.html
                    And I heard a voice in the midst of the four beasts, And I looked and behold: a pale horse. And his name, that sat on him, was Death. And Hell followed with him.

                    Comment


                    • #11
                      Re: Dark Tangent's Tamper Evident Contest RULES

                      Sounds like a fun contest -- the I-Hacked crew would like to enter, however we will not be bringing anything // all bypass mechs must be found in hotel.


                      we want to participate, but only if we can tweet about it

                      Comment


                      • #12
                        Re: Dark Tangent's Tamper Evident Contest RULES

                        Originally posted by hevnsnt View Post
                        Sounds like a fun contest -- the I-Hacked crew would like to enter, however we will not be bringing anything // all bypass mechs must be found in hotel.


                        we want to participate, but only if we can tweet about it
                        OK, I'll put you down at team I-Hacked Crew
                        The Dark Tangent: Use PGP for email Key ID: 0x8B0B476D
                        Fingerprint: EA2B 63F9 2219 9171 2AB1 0065 FC59 8B0B 476D

                        Comment


                        • #13
                          Re: Dark Tangent's Tamper Evident Contest RULES

                          For everyone playing, contest pick up will start at noon on Friday, and for the first two hours you need to stay in the contest area. Preferably longer.

                          One of the main purposes of the contest is to pass on lessons learned, video, pictures, etc. So being visible to attendees will be exiting and interesting for them.

                          We are working out the actual scoring points system, but the better you defeat, document, and reassemble the better off you will be.

                          The one thing I'd like some feed back is on extras. I have plenty of spare tags and such, and they would be fun for people to play with. Should I make them available to teams after they have made their attempt on the real ones? That way they have either defeated them or not, but can then go on to perfect a technique to be shared by all. Thoughts?
                          The Dark Tangent: Use PGP for email Key ID: 0x8B0B476D
                          Fingerprint: EA2B 63F9 2219 9171 2AB1 0065 FC59 8B0B 476D

                          Comment


                          • #14
                            Re: Dark Tangent's Tamper Evident Contest RULES

                            Originally posted by Dark Tangent View Post
                            The one thing I'd like some feed back is on extras. I have plenty of spare tags and such, and they would be fun for people to play with. Should I make them available to teams after they have made their attempt on the real ones? That way they have either defeated them or not, but can then go on to perfect a technique to be shared by all. Thoughts?
                            Well, honestly I personally would like to practice prior to trying! Serious attempts into high-level storage or shipping would probably include prior knowledge, although casual attempts would obviously not.

                            But you raise a valid point. So might I suggest giving participants some, but not all, of the items? Possibly 50/50, or whatever.
                            The f*ck? Have you ever BEEN to Defcon? - chs

                            Comment


                            • #15
                              Re: Dark Tangent's Tamper Evident Contest RULES

                              This is absolutely a good idea. In fact, I have to wonder if it would acceptable to give each team a couple of extras at the start. This would simulate an attacker having done surveillance and purchased identical seals (for parts, etc..). Obviously, this would entail checking the serial numbers on even level 1 attacks.

                              Also, is there a way to ensure plenty of table space in the contest area for this first portion? I guarantee there will be chemicals, hot tools, and other cool stuff being used and elbow room makes sense from a safety standpoint.

                              Originally posted by Dark Tangent View Post
                              For everyone playing, contest pick up will start at noon on Friday, and for the first two hours you need to stay in the contest area. Preferably longer.

                              One of the main purposes of the contest is to pass on lessons learned, video, pictures, etc. So being visible to attendees will be exiting and interesting for them.

                              We are working out the actual scoring points system, but the better you defeat, document, and reassemble the better off you will be.

                              The one thing I'd like some feed back is on extras. I have plenty of spare tags and such, and they would be fun for people to play with. Should I make them available to teams after they have made their attempt on the real ones? That way they have either defeated them or not, but can then go on to perfect a technique to be shared by all. Thoughts?

                              Comment

                              Working...
                              X