A number of people have asked for a more robust way to communicate about the Ridgeback Acid Test this spring. So, here we go!
The Ridgeback Acid Test events serve two purposes. First, the events are robust test scenarios for the product we are making. We needed a robust test scenario because people kept asking, “How do you know your product works?” What better test than to open it up to countless friends, enemies, and passers-by?
Second, the events give the general public a way to practice their penetration testing skills. This is not a simple 1-2-3 exercise that someone might do for a training class. The event is set up more like a real security engagement to do black-box pen testing. I have gotten a lot of positive feedback from participants, so I am definitely encouraged to make the whole experience more robust and rewarding for the participants. (I am also looking for volunteers to help with the next event — drop me a line if you are interested.)
The test event this spring was done pretty quickly — I wish I had had more time to prepare things. Bad weather delayed a lot of the prep work, but because of external factors we needed to get an event done quickly. All told, I am pretty happy with how it all turned out.
The Test Setup
The test event was like a capture-the-flag event. There were 30 hidden treasures (i.e., flags or secret messages) divided into four tiers:
- There were a total of five Tier I treasures. Tier I treasures were public and not protected.
- There were a total of 10 Tier II treasures. Tier II treasures were public and not protected.
- There were a total of 10 Tier III treasures. Tier III treasures were secured with an absolutely minimal level of protection.
- There were a total of 5 Tier IV treasures. Tier IV treasures were poorly protected.
The resources behind the target IP address were:
- 1 router
- 10 operating systems
- 4 web servers
- 5 shell logins
- Plus, there were more goodies to find if you got a shell.
The test environment was designed to be a very poorly secured network accessible through a public IP address. Of course, we are making a security product — the Ridgeback security appliance — so there was one of those thrown in there to guard everything. We were testing very specific features of the products Active Camouflage system.
The Test Results
I was very happy with the test results and very encouraged by how many people liked the event. (That is why we are now going to do this every quarter.) The Active Camouflage did what it was supposed to, letting in valid traffic and doing “interesting things” with illicit traffic. (I cannot, at this time, go into the “interesting things.” As River Song said on Doctor Who, “Spoilers!”)
Tier I treasures were worth 2 points each, Tier II were 4 points each, Tier III were 8 points each, and a whopping 16 points each for Tier IV treasures. Here were the top eight scores:
- Stephan Gross – 38 points
- <name withheld> – 22 points
- Terry Kaufman – 20 points
- Michael Elgayar – 16 points
- Marcelle Lee – 16 points
- Daniel Coyne – 14 points
- <name withheld> – 14 points
- <name withheld> – 14 points
The next 2015 test event will be June 22 – June 28 and the signup is on the Ridgeback Acid Test page. The next event will be more robust, with more easier treasures to benefit people getting started with penetration testing. If anyone has any special requests for the next event, or can help volunteer, please let me know. Life at a startup is very hectic, so I can’t make any promises, but I do want the events to help benefit as many people as possible.