Slashdot Mirror


Students vs. Hackers

sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students' databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours."

83 comments

  1. Re:FP... by Anonymous Coward · · Score: 0

    Way to contribute nothing to the discussion. Yay.

  2. Re:FP... by Anonymous Coward · · Score: 0

    yee haw

  3. Nice rules by Anonymous Coward · · Score: 1, Informative

    I don't know about you, but I always hurt people for info. From TFA:

    The rules were fairly simple -- at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.

    Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests are sent to the CEO via email.

    1. Re:Nice rules by Master+of+Transhuman · · Score: 1

      Restricting the student teams from messing with the infrastructure was the first mistake, since the hackers had somehow stolen the details of the entire system.

      First thing the students should have done was change EVERYTHING - the subnets, the IPs, maybe even the software being used. That would have forced the hackers to have to relearn everything they thought they knew.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  4. And the winners are... by SgtPepperKSU · · Score: 1

    FTFA: "Oh, and of interest, [the winners were] the same team that had only a week to prepare and were all programmers" Priceless!

  5. Simulations are lacking, here's why by Ponga · · Score: 5, Insightful

    I'm all for this and from TFA, this sounds like a great thing (and lots of fun!) However, using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking. That is to say, attempting to gain access to a computer system through its weakest link: THE USERS!
    It's one thing to pit technical skill against the threat of hacking, but it's been done over and over; all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky - on their MONITOR!
    Users must be educated and kept up to task on things like this, and it's my opinion that the IT/Security industry does not place enough emphasis in that arena, and to their detriment...

    1. Re:Simulations are lacking, here's why by xiong.chiamiov · · Score: 1

      This is so true. Users *are* the weakest part of any system, and unless you eliminate 90% of your user base, you will never have a secure system. Enter restricted accounts.

    2. Re:Simulations are lacking, here's why by God'sDuck · · Score: 3, Interesting
      using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking.
      I think you missed the vignette about the little tidbit obtained before the contest even started: the stat sheet on the systems the defenders had been issued, that the Red Team conned off someone. Seems sorta equivalent of pulling a sales receipt out of a dumpster to me...
    3. Re:Simulations are lacking, here's why by mspohr · · Score: 0
      If you had RTFSummary, you would have known that:

      "Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data."

      This looks like social engineering to me.

      --
      I don't read your sig. Why are you reading mine?
    4. Re:Simulations are lacking, here's why by Ponga · · Score: 2, Informative

      Wrong! 'Social' means interacting with a person! Not a MySQL Database!!

    5. Re:Simulations are lacking, here's why by Anonymous Coward · · Score: 0

      Users must be educated and....

      Users? Educated?? You must be dreaming.

    6. Re:Simulations are lacking, here's why by davidesh · · Score: 1

      Social engineering was part of the competition. I took part in the Southeast competition; although social engineering wasn't defined as being part of it, we thought it would happen, and it did.

      Turns out the RED team (ISS Xforce & PWC @ our competition) got bored after they destroyed everyone's setup... so they went out and walked into rooms, and with some folks they were able to sit down and plug into the network.

    7. Re:Simulations are lacking, here's why by arbiterip · · Score: 4, Interesting

      I actually participated at this contest for Millersville University. Social engineering was allowed. I must admit, I have not yet read the article, but members of the Hacker/Red team would often walk around the room and try to watch what people were doing. A few times they even stopped and tried to get information out of us. However, they had to leave our team area when asked. Our team actually left sheets with the wrong passwords on the tables in hopes that they would waste their time.

    8. Re:Simulations are lacking, here's why by spiritgreywolf · · Score: 1

      Woah there - chill a little on having IT jump all over it because of lazy users. I work at a company where IT felt having a password that is so convoluted and un-memorable that 80% of the people REQUIRE a sticky note just to remember the damn thing.

      Just because you CAN do a thing doesn't mean you MUST do a thing, and I think the natural reaction from most admins is to not think further about the impacts their changes will make.

      Things like "something you have, something you know" - use a hardware key along with a password that the user can remember (within reason - don't make it something they'll forget if they don't remember after a long weekend). Combine their password with the changing number (a la SecurID), and you have both tight and safe, which without handing over your key makes it harder to social engineer in the first place - making a task like this infinitely more difficult to break through the front door.

      Yeah, I know what people will say - "That costs more!" Does it? How much is your data worth if you force your users to write their passwords down all over the frakkin place?!

      --
      Never have a philosophy which supports a lack of courage
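The "something you have plus something you know" login described in the post above, worked through as an added example (not code from the page, the competition, or RSA). SecurID's token algorithm is proprietary, so the changing number here comes from the open HOTP construction of RFC 4226 (HMAC-SHA1 over a shared secret and a moving counter); the secret and expected codes are the RFC's own test vectors, and the `Account` class, its PBKDF2 password hash and the 5-step look-ahead window are assumptions chosen for the illustration. The look-ahead matters in practice: a user who presses the token once without logging in must not be locked out, but a code that has been used or skipped must never be accepted again.

```python
import hashlib
import hmac
import secrets


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = counter.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Server-side record for one user: salted password hash plus the token's next expected counter.
    In-memory only; a constructed example, not a production store."""

    ITERATIONS = 200_000

    def __init__(self, password: str, token_secret: bytes):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)
        self.token_secret = token_secret
        self.counter = 0  # next counter value the server will accept

    def login(self, password: str, otp: str, window: int = 5) -> bool:
        """Both factors are always evaluated so a failure does not reveal which one was wrong."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, self.ITERATIONS)
        ok_pw = hmac.compare_digest(candidate, self.pw_hash)

        ok_otp = False
        # Accept the next `window` codes to tolerate tokens pressed without logging in ...
        for c in range(self.counter, self.counter + window):
            if hmac.compare_digest(hotp(self.token_secret, c), otp):
                ok_otp = True
                # ... but burn every code up to and including the matched one, even on a bad
                # password, so an observed code cannot be reused to brute-force the password.
                self.counter = c + 1
                break
        return ok_pw and ok_otp


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"  # RFC 4226 test secret
    acct = Account("correct horse battery", rfc_secret)
    print(acct.login("correct horse battery", hotp(rfc_secret, 0)))  # first login
    print(acct.login("correct horse battery", hotp(rfc_secret, 0)))  # replay rejected
```

The password the user remembers stays short enough to remember; the secret that would have to be written on a sticky note lives in the token instead, and a sticky note with the password alone is worthless without it.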
    9. Re:Simulations are lacking, here's why by mspohr · · Score: 0
      Thankfully, we have wikipedia http://en.wikipedia.org/wiki/Social_engineering_(computer_security) to referee this discussion:

      "Social engineering is the practice of obtaining confidential information by manipulation of legitimate users. A social engineer will commonly use the telephone or Internet to trick people into revealing sensitive information or getting them to do something that is against typical policies."

      Examples cited in the article include e-mail and web page social engineering and also your personal interaction: "Social engineering also applies to the act of face-to-face manipulation to gain physical access to computer systems."

      --
      I don't read your sig. Why are you reading mine?
    10. Re:Simulations are lacking, here's why by slashname3 · · Score: 2, Insightful

      Not only is the end user normally the weak point, there is also the complacency factor that hits the security team itself. But that only happens over time, usually an extended period of time. The longer a collection of systems is in place, the more likely that one of the administrators will shortcut procedures and leave a system exposed.

      In a simulation as described in the article everyone is hyper vigilant and actively looking at all aspects of security. In the normal world it is rare that the entire team would be operating at such a heightened state of alert all the time.

      And external threats while real are less likely than an internal user using knowledge or capabilities granted to those users to compromise systems or data. Users also allow viruses onto firewalled networks either knowingly or unknowingly. Internal threats are more common than external threats and much harder to protect against.

    11. Re:Simulations are lacking, here's why by DPJohnny+Canuck · · Score: 1

      "I work at a company where IT felt having a password that is so convoluted "

      I'd call that jumping all over IT.

      Being from IT myself and having to implement a more complex password policy, it's not like we wanted folks to have a convoluted password. In our case, we got several branches involved, and had to make a tradeoff between security and usability, and it's something that we've had to struggle with for a long time. It's been a challenge for us AND our users.

      Similarly, we investigated implementing a certificate/smartcard infrastructure; however, senior management (non-IT VPs) balked at the deployment and ongoing support costs.

      Finally, I think your statement "I think the natural reaction from most admins is to not think further about the impacts their changes will make." shows a lack of understanding of the analysis and decision making that goes on in IT. In our case, end users and striving for best practices are at the top of our list.

    12. Re:Simulations are lacking, here's why by spiritgreywolf · · Score: 1

      Okay, okay! You got me. I knew as soon as I clicked the post button that line was gonna get me basted.

      I know what you say is indeed true - it's just frustrating that's all, that policy is usually dictated by people who don't have to access these systems on a daily basis but who will also not release the funds to implement systems to do it right.

      Again, I apologize for sounding like an ass...

      --
      Never have a philosophy which supports a lack of courage
    13. Re:Simulations are lacking, here's why by Yomer333 · · Score: 2, Interesting

      Not for nothing, but I participated in the Midwest regional (we won, w00ty w00t), and social engineering actually played a huge part. Our team (SIU) spent multiple nights in the bar and the hotel getting drunk with the red team. At the end of it all, one of the hackers said that the entire red team voted us as the best. Unfortunately, the red team's vote was never used for scoring as was originally intended, but hearing that was one of the highlights of the weekend. Since then, one of the hackers pointed out that he'd "rather see a team that he got to drink with win the nationals." Is social engineering as advanced in a competition as it would be in real life? Probably not. However, it definitely does play a role...at least in our competition.

    14. Re:Simulations are lacking, here's why by Major_Small · · Score: 1
      I think a more interesting competition would be to bring the "security" team down to a few people, and split the rest up into the "hacker" group, with a few more "experts" dispersed into the "hacker" crowd.

      Of course, the people that had their teams switched would be "let go" from the security team - accounts locked down/deleted, escorted "out of the building" so as to not steal anything on the way out, etc.

    15. Re:Simulations are lacking, here's why by DPJohnny+Canuck · · Score: 1

      No problem.

      I understand it's difficult when you don't have the administrative privileges. Certainly, when I go into systems that I don't have privilege, it feels cramped. Cryptic password policies don't help much either. ;)

  6. The user is the weak point! by Giant+Ape+Skeleton · · Score: 4, Informative
    Poking around on other people's machines is all well and good, but in the most pervasive and damaging "hacks" (sic), there is usually a major social engineering component.

    In other words, it's a trivial matter to get into somebody's system; it takes a whole 'nother skill set to convince that person to hand you the keys to their data.

    I wonder if tech-savvy folks (the students referred to in TFA for example) are as good at "locking themselves down" as they are at securing their computers. Have any studies been done on the credulosity of geeks?

    --
    The difference between stupidity and genius is that genius has its limits.
    1. Re:The user is the weak point! by Tx · · Score: 1

      I don't think the social engineering aspect was absent from this setup. FTA:

      He next reached inside his bag and pulled out a complete description of the student's setup, including all operating systems, services, web applications, and IP addresses he had obtained from an anonymous source. Everyone in the room immediately got a slightly evil grin on their face as they realized the results of this social engineering reward.

      --
      Oh no... it's the future.
    2. Re:The user is the weak point! by physicsphairy · · Score: 1
      "Have any studies been done on the credulosity of geeks?"

      Ratio of people who visit slashdot to people who take slashdot seriously?

    3. Re:The user is the weak point! by Anonymous Coward · · Score: 0
      Have any studies been done on the credulosity of geeks?

      Credulosity? You were just guessing that was a word, right? Credulity.

    4. Re:The user is the weak point! by Anonymous Coward · · Score: 1, Funny

      Geeks are perfect skeptics. They're incredibly smart, and their preternatural awkwardness gives them a tendency to analyze all elements of personal communication to the point where they can pick one bullshitter out of a dozen. It's astounding, seeing the results of studies that show that hard-core geeks are practically impossible to trip up, and I can vouch for this in my everyday experience: I've known dozens of people who installed Linux, and no one has ever managed to pull a fast one on any of them, ever. You have nothing to worry about.

    5. Re:The user is the weak point! by darkmeridian · · Score: 1

      Polygraph Technician: This is a control question, really. How would you say would be the easiest way to take a weapon away from a Grammaton Cleric?
      Brandt: [speaks into Preston's ear.] You ask him for it.

      In the social engineering context, I guess you give him chocolate for it.

      --
      A NYC lawyer blogs. http://www.chuangblog.com/
  7. GO MILLERSVILLE! by Hinde01 · · Score: 1, Interesting

    I go to this school and am friends with one of the guys that is on the team. From how they tell it, they pretty much owned the other teams (or at least got the least owned by the red team). Hopefully one of them will log on and give you their perspective. I really wish I had heard about this before it happened, but I missed it. Oh well. The entire CS department here at Millersville will be pulling for them when they go on to Texas.

    1. Re:GO MILLERSVILLE! by EdMcMan · · Score: 1

      Out of curiosity, who are you? :)

  8. It is one thing to know it is coming... by nb+caffeine · · Score: 4, Insightful

    and another to not pay attention because you think you are safe...

    Sounds like fun though, kinda like the CS programming competitions I went to in high school

    --

    "Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
  9. Students vs. Hackers? by neoshroom · · Score: 0

    The stub title says Students vs. Hackers, but the article seems to imply that students were divided into a red team and a blue team and had to hack each other's systems. Notable events include the red team attempting to secure their router firmware and accidentally killing their router, and one team got into the other team's mailbox.

    Exciting stuff...*yawn*

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
    1. Re:Students vs. Hackers? by Tx · · Score: 4, Informative

      ... but the article seems to imply that students were divided into a red team and a blue team and had to hack each other's systems

      Only if you didn't, like, read it. The red team were not students.

      Red Team:

      Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the "three letter agencies'" security systems, and has over 15 years of experience in the field. He was a CERT penetration tester for the US Army in a previous life.

      Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science.

      Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare.

      Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world's media on matters relating to computer security.

      --
      Oh no... it's the future.
    2. Re:Students vs. Hackers? by Master+of+Transhuman · · Score: 1

      Correct me if I'm wrong but it was one of the student teams, not a red team, that hosed their router.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
  10. Actually, this was allowed. by neoshroom · · Score: 2, Informative

    Actually, this was allowed. As the article notes they were highly suspicious of the press, because they thought he could actually be a member of the opposing team. You are right though, with the teams sitting in front of the computers the whole time, the chances of any social engineering hacks were pretty limited and real systems admins can't be at every computer all the time.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
    1. Re:Actually, this was allowed. by EdMcMan · · Score: 2, Interesting

      Administrators cannot be there at all times. The red team actually broke into the building after hours to teach us that lesson!

    2. Re:Actually, this was allowed. by davidesh · · Score: 1

      When we came in the next morning there was actually a machine turned on. The day before we were told about this machine, "you are not allowed to configure it, it is part of the competition", so we figured it must be some part of the scoring system or something.... turns out it was a SUSE box they were using as a nice backdoor... I ripped it out @ 11am after the mail server went down. It also had "kitty porn" and fake SSNs of employees running on a web server. But yes, it was turned on 1 hour after we left the building the night before.

    3. Re:Actually, this was allowed. by Dare+nMc · · Score: 1

      > sitting in front of the computers the whole time, the chances of any social engineering hacks were pretty limited and real systems admins can't be at every computer all the time.

      Every collegiate social event I attended served alcohol; were they allowed to buy drinks? (Having a little nip now, thanks for noticing my great spelling.)

    4. Re:Actually, this was allowed. by Anonymous Coward · · Score: 0

      If I had to guess... I'll bet the stupid hotel bar closed at 2330 and the red team had nothing better to do in BF Pennsylvania than to go pull some black bag op.... Good thing for them the hotel had glowsticks.

  11. Blue v Cyan?? by scwizard · · Score: 0

    Isn't students vs hackers like blue vs cyan?

    --
    ~= scwizard =~
  12. An endless sea of worthless links covered with ads by Anonymous Coward · · Score: 0

    Why doesn't the article link to the official website for The Center for Infrastructure Assurance and Security (CIAS)?

    I also find it funny that one could summarize the Slashdot summary as "big hacker showdown, nothing happens". Where's the blatant political slant and blind Linux enthusiasm that we've all grown to know and love? Oh, and I see you trying to hack me!

  13. Re:Unhackable browser by Anonymous Coward · · Score: 0

    Wow, an AJAX browser implementation running inside a ...... browser. How useless.

    BTW, the OS still matters (You see a lotta people running Windows 95?).

  14. Hacking at school... by __aaclcg7560 · · Score: 4, Insightful

    A school competition to hack and slash against hardened servers? Wow! That's interesting. Considering that most schools discourage any form of hacking on the school network, and my local community college had called in the FBI on a few occasions. I didn't know that some schools taught "Script Kiddies 101", much less even mentioned hacking in the regular programming courses.

    1. Re:Hacking at school... by Anonymous Coward · · Score: 0

      and my local community college had called in the FBI on a few occasions

      Actually, that was part of the hack.. ;)

    2. Re:Hacking at school... by Hinde01 · · Score: 2, Informative

      A. The students weren't hacking, they were trying to protect their server and keep it running. B. The hackers were intrusion specialists in the private sector. One used to work at the DEA and another was in the military.

    3. Re:Hacking at school... by davidesh · · Score: 1

      maybe you should read... because the Blue teams (schools) were not allowed to send out a single malicious packet from their network. Doing so would get you disqualified from the network.

    4. Re:Hacking at school... by rick.lee.hale · · Score: 1

      What is your problem? Ahh, I know: i g n o r a n c e. Please keep up, these types of programs are not new. cssia.org

      --
      -r
    5. Re:Hacking at school... by Master+of+Transhuman · · Score: 1


      At City College of San Francisco, one of our teachers sort of teaches "Script Kiddies 101". His computer security course teaches how various simple tricks can be used to trick a sys admin into giving you root access (e.g., tricking him into running a standard command with root privilege which you have tricked out as a script that copies a shell with his privilege and then runs the command he thought he was running before erasing itself - stuff like that).

      It's very introductory, but it's better than the Windows security course which is ninety percent about locking down the desktop using Group Policy - which is hardly significant computer security, regardless of what people think about internal users being the worst security risks.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
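The trick described in the post above only works if the admin's shell resolves a bare command name to the attacker's script before the real one, which comes down to what is in root's PATH and who can write there. As an added example (not code from the page or from the course mentioned), this audit reproduces the shell's lookup order and flags the conditions that make the substitution possible: a relative or empty PATH entry, a group/world-writable directory, or an untrusted directory that shadows the trusted copy of a command. The `demo()` scenario, the directory names and the "trusted" set are constructed for the illustration; on a real host you would pass `os.environ["PATH"].split(":")` and the distribution's system directories.

```python
import os
import stat
import tempfile


def writable_by_others(path: str) -> bool:
    """True if group or world can write to path, i.e. someone other than the owner can plant a file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def resolve(cmd: str, path_entries):
    """First executable regular file named cmd along path_entries, as a shell resolves a bare command."""
    for d in path_entries:
        cand = os.path.join(d or ".", cmd)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def audit_path(path_entries, trusted_dirs):
    """Flag PATH entries that let an unprivileged user decide what a privileged shell runs."""
    findings = []
    for d in path_entries:
        if d in ("", "."):
            findings.append((d, "relative entry: commands resolve from the current directory"))
        elif not os.path.isdir(d):
            findings.append((d, "missing directory: whoever can create it later controls it"))
        elif writable_by_others(d):
            findings.append((d, "group/world-writable: anyone can drop a trojaned command here"))
        elif d not in trusted_dirs:
            findings.append((d, "untrusted directory ahead of or alongside system directories"))
    return findings


def check_command(cmd: str, path_entries, trusted_dirs):
    """Classify where a bare command name lands compared with its trusted copy."""
    resolved = resolve(cmd, path_entries)
    trusted = next((os.path.join(d, cmd) for d in trusted_dirs
                    if os.path.isfile(os.path.join(d, cmd))), None)
    if resolved is None:
        return "missing", resolved, trusted
    if os.path.dirname(resolved) in trusted_dirs:
        return "ok", resolved, trusted
    return ("shadowed" if trusted else "untrusted"), resolved, trusted


def demo():
    """Constructed scenario: a sticky-bit, world-writable directory listed ahead of the real bin
    directory holds a fake `ls`, exactly the setup the post describes."""
    root = tempfile.mkdtemp()
    real_bin = os.path.join(root, "bin")
    dropbox = os.path.join(root, "tmp")
    os.mkdir(real_bin)
    os.mkdir(dropbox)
    os.chmod(dropbox, 0o1777)
    for d in (real_bin, dropbox):
        script = os.path.join(d, "ls")
        with open(script, "w") as f:
            f.write("#!/bin/sh\necho fake\n" if d == dropbox else "#!/bin/sh\n/bin/ls \"$@\"\n")
        os.chmod(script, 0o755)
    bad_path = [dropbox, real_bin, "."]
    good_path = [real_bin]
    return {
        "audit_bad": audit_path(bad_path, {real_bin}),
        "ls_bad": check_command("ls", bad_path, {real_bin}),
        "ls_good": check_command("ls", good_path, {real_bin}),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The deployed defences are the same findings turned around: root runs commands by absolute path, `sudo` is left with its `env_reset` and `secure_path` defaults so the caller's PATH never reaches the privileged shell, and nothing world-writable ever appears in a privileged PATH. The audit does not see shell aliases or functions, which can shadow a command the same way; check those separately with `type -a`.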
  15. Lunix servers by Anonymous Coward · · Score: 0

    It's not really fair that the students were given the task to secure lunix servers in three hours. Windows I understand, because of the ease and efficiency of it, but lunix requires too much work and recompiling and editing files...

    1. Re:Lunix servers by davidesh · · Score: 4, Interesting

      it was pretty rough. We had 4 hours in the southeast competition. BUT we did not have the debian CDs, the linux boxes were full of backdoors and lots of misconfigurations on purpose. We thought we would have a fully functioning network going in, and for us it seemed to be more of a disaster recovery competition. The hard drive on our static web server (linux) died after the 1st hour, we finally got a replacement the next morning for the 2nd day but it was too late. We had 2 windows servers running on MS virtual server 2005 & 1 Debian mail server VM... for whatever insane reason on the 2nd day our mail server wouldn't recognize the virtual network card and we were SOL.

  16. Other recent security competition by Brad+Lucier · · Score: 1

    For those who read French, here is a press release about a team of Scheme hackers headed by Marc Feeley participating in a Quebec security competition, who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams' servers.

  17. Not exactly fair, was it? by khasim · · Score: 2, Insightful
    Unless those students were specifically chosen because they have CCNAs or better and MCSEs or better, etc., why pick "students" for this "challenge"?

    The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.
    The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabilities wouldn't matter.

    And when your database app has those vulnerabilities, there isn't much the average network admin can do.
  18. This calls for... by nEoN+nOoDlE · · Score: 1

    Let Google Fight handle this one.

    Students:
    2,890,000,000 results

    Hackers:
    87,700,000 results

    No contest.

    --
    Don't trust a bull's horn, a doberman's tooth, a runaway horse or me.
  19. hacker != cracker by Anonymous Coward · · Score: 0

    ;-1

  20. Finally did something slashdot-worthy! by EdMcMan · · Score: 4, Insightful

    I was at the competition (on the winning team).

    It was very fun. We really expected the hackers to be exploiting vulnerabilities much more than social engineering and such. Our downfalls were a) not changing the passwords of the users fast enough b) forgetting to configure the obscure mail server software. It was called "post.office"; never heard of it. By the time we remembered about it, the hackers had changed the password on it, although we (naively) assumed it had just been locked down somehow.

    1. Re:Finally did something slashdot-worthy! by kashani · · Score: 1

      Heh, we used Post.Office in 98-99 because our VP decided Windows NT was the future. It sucked. No surprise that you've never heard of it and I'm frankly surprised it's still around.

      kashani

      --
      - Why is the ninja... so deadly?
    2. Re:Finally did something slashdot-worthy! by aluminum_geek · · Score: 1

      I'm very amused because I was on the winning team for the midwest regional. It was held last weekend in Champaign and Southern Illinois University won.

      My question to you is this: Was your contest a totally unorganized snafu?

      At our competition, none of the machines were configured right, the scoring engine they used was pathetic (and constantly scoring teams incorrectly), and the rules were randomly enforced. Although teams hacking other teams was prohibited, our Red team openly discussed the fact that most teams were actively hacking each other.

      What really irked me was when we complained about a machine not being configured correctly, and they told us "It was to simulate you coming into a company and having to deal with misconfigured servers." That would be a perfect explanation, if they hadn't told us that problems configuring the systems had delayed the start of the competition by several hours.

      Finally, I'll see you in Texas. :-D

    3. Re:Finally did something slashdot-worthy! by EdMcMan · · Score: 1

      Ours was fairly organized. The machines were mostly in working condition. They didn't take too much effort to get the services running. However, it did seem like people went out of their way to make them insecure. One thing I found amusing was on one webserver there were about 5 files like "debug.php", "index.php" (although it didn't load by default), and such with blatant vulnerabilities or phpinfo()'s in them.

      My only real complaint is that we didn't see anything the scorebot was doing. For a while, they showed us rankings, but then stopped. If we were docked points, we didn't know what for, or even how much.

      We got the same explanation for insecurity though - "that's how the other guy left it!"

      Likewise, I'll see you in Texas. ;)

    4. Re:Finally did something slashdot-worthy! by Yomer333 · · Score: 1

      One of the highlights of the initial setup was that our Solaris box was a "default" install. When our Solaris guy poked around for a few minutes, he found out he had almost nothing (not even man pages). When he asked what kind of "default" install it was, the guy who set them up said that it was his normal production install. Technically, it was his default, but what the hell? Our Fedora box had no development tools, our 2K server box was basically dead on arrival, and there were files on the 2k3 server created at 12:58, and we got into the room at 1:05-ish. Hopefully they start setting things up a little earlier in Texas.

  21. What's your background? by khasim · · Score: 2, Interesting

    Since you were in the contest, what was your background? Did you have any experience with that router and firewall? Any professional/vendor certifications or training?

    1. Re:What's your background? by EdMcMan · · Score: 4, Interesting

      We are all computer science majors. So, basically we learn to code.

      All of our knowledge from this competition is from experience outside of school. A little hands-on knowledge can go a long way. I worked primarily on the Linux servers (but also the e-commerce site on Windows). My knowledge of that is just through personal experience. I've been using Linux for a long time.

      I know at least one person on the team has a lot of certifications (Microsoft). Another person was trained on routers by the National Guard. Although I have experience from a Cisco class in high school, I let other guys who knew it better handle it. As a funny note, we locked ourselves out of our firewall almost immediately (due to mistyping the new password). We didn't attempt to reset it while we were in first place.

      So, our backgrounds are all pretty unique to answer your question. As a side note, we do have a security class offered at our school, but it is heavily based on theory.

    2. Re:What's your background? by Herkum01 · · Score: 2, Funny

      As a funny note, we locked ourselves out of our firewall almost immediately

      Are you sure you don't work for my company? They call this a security feature where I work.

  22. That makes me want to smack people. by khasim · · Score: 1
    We are all computer science majors. So, basically we learn to code.
    I'm impressed that you lasted that long.

    Seriously, aside from the physical entry (extremely uncommon in the Real World), a quick class on firewall/router configuration would have stopped the attackers.

    I think you guys were set up to fail on this. You gave an impressive performance, but the skills needed weren't what you were going to school for and, in the Real World, you wouldn't be limited to those "rules".

    Congrats!

    1. Re:That makes me want to smack people. by davidesh · · Score: 2, Interesting

      At our competition (southeast) they even said we were set up to fail and the deck was stacked so high against us it was ridiculous. We didn't have most of the CDs to reinstall/install OS's or Applications. We also didn't have access to the internet except for a few proxied sites and it wasn't working so hot.

    2. Re:That makes me want to smack people. by EdMcMan · · Score: 1

      Thank you.

      One of the caveats of the firewall is that we couldn't block by source ip -- so, while it sounds like you can just stop any attack at will, that is not the case. Someone came up with the suggestion of blocking by destination ip... but I don't think the white team would have been very amused.

    3. Re:That makes me want to smack people. by EdMcMan · · Score: 1

      We had internet access (unrestricted), but it was only on one machine. So we had to copy everything via memory stick. It was extremely annoying.

    4. Re:That makes me want to smack people. by davidesh · · Score: 1

      I wish we had that, we were told we were going to but we ended up not having it. Not having the debian discs killed us. :-\

    5. Re:That makes me want to smack people. by Master+of+Transhuman · · Score: 1

      I agree - since the red team had access to the entire infrastructure setup, the first thing the students should have done was change everything - subnets, IPs, passwords, even what software was being run in some cases.

      That would have forced the hacker team back into information gathering mode for a longer time, and it's clear from the story that even though the students had three hours without attacks, they needed more time.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!

  23. Start Reading From the Description by YoJ · · Score: 1

    Start reading from the description of what actually happened, that is the interesting part of the article.

  24. That's just wrong. by khasim · · Score: 1

    Rule Zero: There is no security without physical security. The other team learned that.

    The first rule of security is to restrict the avenues of attack. You weren't allowed to do that.

    The second rule is to run only what you absolutely need. But without the install media, that's not very easy to do.

    The third rule is ... patching. Not easy with only one machine connected to the Internet. And not much use if your app had the same sql-injection vulnerability that the other team's did. Patching only works if there is a patch available.

    If they had allowed you to follow basic security practices, you'd have had the time to dig into the systems and correctly configure them, change the default passwords, disable junk accounts, etc.

    Also, it doesn't appear that they let you go outside your firewall/router to scan your network the way the Red Team did. Did they? If not, that's another stupid rule they had which is 100% the opposite of the Real World.

    Congrats on the work, though. Even with the stupid rules and such, it looks like you gave an impressive showing.

  25. How to win. by operagost · · Score: 1

    1. Obtain an OpenVMS Alpha system.

    2. Read the docs.

    3. Install the patches.

    4. Let 'em try their damnedest to break in.

    5. TEH WIN!!!!!1111

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.

  26. Not impressed by operagost · · Score: 1

    Basically, I'm unimpressed with the Red Team. They stacked the competition in their favor by setting up systems so misconfigured they could not be secured in the three hours allotted, and broke into the room to install rootkits knowing the "victims" could not possibly physically secure their computers in this location. One must always assume that access to the console equals access to the entire system -- so this line of attack did nothing but pump up the egos of the Red team and teach the other teams nothing. If the other teams had been allowed to install motion sensors, cameras, trip wires, steel doors, keycards, etc., this would have been a fair attack.

    --

    Gamingmuseum.com: Give your 3D accelerator a rest.

    1. Re:Not impressed by Anonymous Coward · · Score: 0

      The systems were not intentionally misconfigured. Several were default installs. Any insecure configurations were typical of a corp environment. I know at least one of the red-teamers and they're probably one of the best reverse engineers/sploit developers I know. Anyone who expected them to drop decent 0dayz for this competition needs to lay off the Kool-Aid.

    2. Re:Not impressed by EdMcMan · · Score: 1

      Actually, they did use a 0-day at our competition. They found a flaw in our Sony network camera that enabled them to bypass the authentication. That doesn't sound useful, until you realize it has a built-in microphone.

    3. Re:Not impressed by Desert+Raven · · Score: 2, Informative

      The Red Team aren't the ones who were responsible for setting up the boxes.

      Though, for reasons even they can't comprehend, they were constantly consulted on what to install on them, and even were asked for *binary* install packages.... If you want to blame someone, blame the organizers, not the red team. I mean, c'mon, what would *you* do?

      Yeah, one of the Red Team members is a friend/co-worker of mine.

    4. Re:Not impressed by davidesh · · Score: 1

      Or how about the rogue mysterious box they had sitting plugged into our network that we were told not to configure, and it was mysteriously turned on, on day 2... (southeast comp... dunno if they did this at the midwest)

    5. Re:Not impressed by Anonymous Coward · · Score: 0

      I'm sure the red team did not take advantage of the 2 0-days which were actually a DOS and an arbitrary read; if I had to guess....

  27. RTFA? by Yomer333 · · Score: 2, Insightful

    A little clarification from someone who participated.

    This wasn't a competition to spawn a generation of script-kiddies.

    Social engineering played a part in the competition.

    When the article says "restrictions," it's not saying we weren't allowed to change shit. The "no changing ip's" business was that we had to have services on a certain IP for the duration of the competition.

    "The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabilities wouldn't matter."

    No dice. Our main "network guy" knows about as much about Cisco gear as anybody else, but our router still got fuzzed. At the time, it was a little disheartening. However, later on I overheard a conversation between a contestant on another team and the Windows girl on the red team. While this guy was going on and on about his "invincible" router and switch configs, she said "access lists are nothing." He tried to elaborate, and that he did this and that, but no. You can deny all outside traffic at the router, and they'll get in. The specific red team folks we had at ours (Midwest regional) were fucking good... as in writing 0-day exploits while sitting there good. $4000 a day security auditors good. At the end of it all, we all realized that the level of skill from the red team was high enough that they could have destroyed any team there in a heartbeat, but it was more fun to play around with them. I asked one of the hackers how big name companies like Google and Visa don't get hacked to shit, and his response was along the lines of "You just have a backup plan for when you get hacked because it will happen eventually." The main point of the competition is mostly educational. I learned more in the month before our regional security-wise than I have in the last few years. We won, so we must have done something right, but at the same time, I'm convinced that the only secure computer is one that's not plugged in.

    1. Re:RTFA? by Master+of+Transhuman · · Score: 1

      "The "no changing ip's" business was that we had to have services on a certain IP for the duration of the competition."

      Oh, okay - if it had to be a public accessible service such as the Web server - but could you change the ports? No reason to use the standard ports for services if you don't have to and clobber the banners, too.

      "I'm convinced that the only secure computer is one that's not plugged in."

      That's about right. And the only secure computer that is running is the one that doesn't have anything on it somebody might want - which fortunately for most companies is quite a few of their computers.

      --
      Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!

    2. Re:RTFA? by Yomer333 · · Score: 1

      Yeah, you could change the default port for anything, but that only adds the time it takes to do an nmap.

      "Security by obscurity" - not necessarily using a program that few people know and assuming they don't know the exploits, but rather being inconsequential enough that no one will take the time to hack your ass.

  28. red herrings? by Barbarian · · Score: 1

    I see that flooding was disallowed, but how about red-herring attacks to get caught in packet sniffers used by the good guys, for the purpose of distraction from the real attack?

    1. Re:red herrings? by EdMcMan · · Score: 1

      Yes, they were used.