Slashdot Mirror


Students vs. Hackers

sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students' databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours."

7 of 83 comments

  1. Nice rules by Anonymous Coward · · Score: 1, Informative

    I don't know about you, but I always hurt people for info. From TFA:

    The rules were fairly simple -- at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.

    Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called over for an investigation and the Red Team was allowed to try to talk to the teams to put a social engineering twist on the games. Finally, all business objectives and administrative requests are sent to the CEO via email.

  2. The user is the weak point! by Giant Ape Skeleton · · Score: 4, Informative
    Poking around on other people's machines is all well and good, but in the most pervasive and damaging "hacks" (sic), there is usually a major social engineering component.

    In other words, it's a trivial matter to get into somebody's system; it takes a whole 'nother skill set to convince that person to hand you the keys to their data.

    I wonder if tech-savvy folks (the students referred to in TFA for example) are as good at "locking themselves down" as they are at securing their computers. Have any studies been done on the credulosity of geeks?

    --
    The difference between stupidity and genius is that genius has its limits.
  3. Actually, this was allowed. by neoshroom · · Score: 2, Informative

    Actually, this was allowed. As the article notes they were highly suspicious of the press, because they thought he could actually be a member of the opposing team. You are right though, with the teams sitting in front of the computers the whole time, the chances of any social engineering hacks were pretty limited and real systems admins can't be at every computer all the time.

    --
    Big apple, new Yorik, undig it, something's unrotting in Edenmark.
  4. Re:Simulations are lacking, here's why by Ponga · · Score: 2, Informative

    Wrong! 'Social' means interacting with a person! Not a MySQL Database!!

  5. Re:Students vs. Hackers? by Tx · · Score: 4, Informative

    ... but the article seems to imply that students were divided into a red team and a blue team and had to hack each others systems

    Only if you didn't, like, read it. The red team were not students.

    Red Team:

    Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the "three letter agencies" security systems, and has over 15 years of experience in the field. He was CERT penetration tester for the US Army in a previous life.

    Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science.

    Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare.

    Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world's media on matters relating to computer security.

    --
    Oh no... it's the future.
  6. Re:Hacking at school... by Hinde01 · · Score: 2, Informative

    A. The students weren't hacking, they were trying to protect their server and keep it running. B. The hackers were intrusion specialists in the private sector. One used to work at the DEA and another was in the military.

  7. Re:Not impressed by Desert Raven · · Score: 2, Informative

    The Red Team aren't the ones who were responsible for setting up the boxes.

    Though, for reasons even they can't comprehend, they were constantly consulted on what to install on them, and even were asked for *binary* install packages.... If you want to blame someone, blame the organizers, not the red team. I mean, c'mon, what would *you* do?

    Yeah, one of the Red Team members is a friend/co-worker of mine.