Informit.com is providing a good coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning.How many times have you heard a commercial telling you how much money an Information Technology professional can earn in a year? Well, trust me; the job is not as easy as it sounds. Just ask the eight teams that participated in the annual Collegiate Cyber Defense Competition (CCDC). During the event they are under immense pressure to a build web application, maintain a web server with an ecommerce system, manage an Exchange server, keep a DNS server up and running and more — all while protecting their network from four seriously determined hackers.
From the article: “When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours.”
The rules were fairly simple — at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.
Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests are sent to the CEO via email.
I’m all for this and from TFA, this sounds like a great thing (and lots of fun!). It seems that this includes even the social enginnering aspect. In other words, it’s a trivial matter to get into somebody’s system; it takes a whole another skill set to convince that person to hand you the keys to their data. That is to say, attempting to gain access to a computer system through it’s weakest link: THE USERS! It’s one thing to pit technical skill againt the threat of hacking, but it’s been done over and over, all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky – on their MONITOR! Users must be educated and kept up to task on things like this, and it’s my opinion that the IT/Security industry does not place enough emphasis in that area.
In this contest, Social engineering was allowed. It seems that a few members of the Hacker/Red team would often walk around the room and try and to watch what people were doing. A few times they even stopped and tried to get information out of the student/blue teams. However, they had to leave our team area when asked. It seems that one team actually left sheets with the wrong passwords on the tables in hopes that they(Red Team) would waste their time.
Even GoogleFight thinks that the Red Team actually whupped the Blue Team with the Red Team(Hackers) returning 267,000,000 results compared to the Blue Team(Students) which returned 146,000,000 results.
For those who read French here is a press release [web.crim.ca] about a team of Scheme hackers headed by Marc Feeley [umontreal.ca] participating in a Quebec security competition who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams’s servers.
According to a member of the student team
” It was very fun. We really expected the hackers to be exploiting vulnerabilities much more than social engineering and such. We had 4 hours in the southeast competition. BUT we did not have the debian CDs, the linux boxes were full of backdoors and lots of misconfigurations on purpose. We thought we would have a fully functioning network going in, and for us it seemed to be more of a disaster recovery competition. The hard drive on our static web server (linux) died after the 1st hour, we finally got a replacement the next morning for the 2nd day but it was too late. We had 2 windows servers running on MS virtual server 2005 & 1 Debian mail server VM… for whatever insane reason on the 2nd day our mail server wouldn’t recognize the virtual network card and we were SOL.. Our downfalls were
a) not changing the passwords of the users fast enough
b) forgetting to configure the obscure mail server software. It was called “post.office”; never heard of it. By the time we remembered about it, the hackers had changed the password on it, although we (naively) assumed it had just been locked down somehow.
Our main “network guy” knows about as much about Cisco gear as anybody else, but our router still got fuzzed. At the time, it was a little disheartening. However, later on I overheard a conversation between a contestant on another team and the Windows girl on the red team. While this guy was going on and on about his “invincible” router and switch configs, she said “access lists are nothing.” He tried to elaborate, and that he did this and that, but no. You can deny all outside traffic at the router, and they’ll get in. The specific red team folks we had at ours (Midwest regional) were fucking good…as in writing 0-day exploits while sitting there good. $4000 a day security auditors good. At the end of it all, we all realized that the level of skill from the red team was high enough that they could have destroyed any team there in a heartbeat, but it was more fun to play around with them. I asked on the hackers how big name companies like Google and Visa don’t get hacked to shit, and his response was along the lines of “You just have a backup plan for when you get hacked because it will happen eventually.” The main point of the competition is mostly educational. I learned more in the month before our regional security-wise than I have in the last few years. We won, so we must have done something right, but at the same time, I’m convinced that the only secure computer is one that’s not plugged in.”
The Red Team being mentioned at the top really consists of Elite Security Guys
Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the “three letter agencies” security systems, and has over 15 years of experience in the field. He was CERT penetration tester for the US Army in a previous life.
Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science.
Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare.
Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world’s largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world’s media on matters relating to computer security.
Read More on Informit’s Article A Student-Hacker Rematch at the Second Annual Collegiate Cyber Defense Competition