Slashdot Mirror

← Back to Stories (view on slashdot.org)

Students vs. Hackers

Posted by ryuzaki0 on from the content-vs.-form dept.

sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours."

7 of 83 comments (clear)

  1. Simulations are lacking, here's why by Ponga · · Score: 5, Insightful

    I'm all for this and from TFA, this sounds like a great thing (and lots of fun!) However, using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking. That is to say, attempting to gain access to a computer system through it's weakest link: THE USERS!
    It's one thing to pit technical skill againt the threat of hacking, but it's been done over and over, all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky - on thier MONITOR!
    Users must be educated and kept up to task on things like this, and it's my opinion that the IT/Security industry does not place enough emphasis in that arena, And to thier detriment...

    1. Re:Simulations are lacking, here's why by slashname3 · · Score: 2, Insightful

      Not only is the end user normally the weak point there is also the complacency factor that hits the security team itself. But that only happens over time, usually an extended period of time. The longer a collection of systems are in place the more likely that one of the administrators will short cut procedures and leave a system exposed.

      In a similulation as described in the article everyone is hyper vigilant and actively looking at all aspects of security. In the normal world it is rare that the entire team would be operating at such a highened state of alert all the time.

      And external threats while real are less likely than an internal user using knowledge or capabilities granted to those users to compromise systems or data. Users also allow viruses onto firewalled networks either knowingly or unknowingly. Internal threats are more common than external threats and much harder to protect against.

  2. It is one thing to know it is coming... by nb+caffeine · · Score: 4, Insightful

    and another to not pay attention because you think you are safe...

    Sounds like fun though, kinda like the CS programming competitions I went to in high school

    --

    "Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
  3. Hacking at school... by __aaclcg7560 · · Score: 4, Insightful

    A school competition to hack and slash against harden servers? Wow! That's interesting. Considering that most schools discourage any form of hacking on the school network, and my local community college had called in the FBI on a few occasions. I didn't know that some schools taught "Script Kiddies 101", much less even mention hacking in the regular programming courses.

  4. Not exactly fair, was it? by khasim · · Score: 2, Insightful
    Unless those students were specifically chosen because they have CCNA's or better and MCSE's or better, etc. Why pick "students" for this "challenge"?

    The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.
    The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabilities wouldn't matter.

    And when your database app has those vulnerabilities, there isn't much the average network admin can do.
  5. Finally did something slashdot-worthy! by EdMcMan · · Score: 4, Insightful

    I was at the competition (on the winning team).

    It was very fun. We really expected the hackers to be exploiting vulnerabilities much more than social engineering and such. Our downfalls were a) not changing the passwords of the users fast enough b) forgetting to configure the obscure mail server software. It was called "post.office"; never heard of it. By the time we remembered about it, the hackers had changed the password on it, although we (naively) assumed it had just been locked down somehow.

  6. RTFA? by Yomer333 · · Score: 2, Insightful

    A little clarification from someone who participated.

    This wasn't a competition to spawn a generation of script-kiddies.

    Social engineering played a part in the competition.

    When the article says "restrictions," it's not saying we weren't allowed to change shit. The "no changing ip's" business was that we had to have services on a certain IP for the duration of the competition.

    "The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabilities wouldn't matter."

    No dice. Our main "network guy" knows about as much about Cisco gear as anybody else, but our router still got fuzzed. At the time, it was a little disheartening. However, later on I overheard a conversation between a contestant on another team and the Windows girl on the red team. While this guy was going on and on about his "invincible" router and switch configs, she said "access lists are nothing." He tried to elaborate, and that he did this and that, but no. You can deny all outside traffic at the router, and they'll get in. The specific red team folks we had at ours (Midwest regional) were fucking good...as in writing 0-day exploits while sitting there good. $4000 a day security auditors good. At the end of it all, we all realized that the level of skill from the red team was high enough that they could have destroyed any team there in a heartbeat, but it was more fun to play around with them. I asked on the hackers how big name companies like Google and Visa don't get hacked to shit, and his response was along the lines of "You just have a backup plan for when you get hacked because it will happen eventually." The main point of the competition is mostly educational. I learned more in the month before our regional security-wise than I have in the last few years. We won, so we must have done something right, but at the same time, I'm convinced that the only secure computer is one that's not plugged in.