Slashdot Mirror

← Back to Stories (view on slashdot.org)

Students vs. Hackers

Posted by ryuzaki0 on from the content-vs.-form dept.

sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours."

9 of 83 comments (clear)

  1. Simulations are lacking, here's why by Ponga · · Score: 5, Insightful

    I'm all for this and from TFA, this sounds like a great thing (and lots of fun!) However, using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking. That is to say, attempting to gain access to a computer system through it's weakest link: THE USERS!
    It's one thing to pit technical skill againt the threat of hacking, but it's been done over and over, all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky - on thier MONITOR!
    Users must be educated and kept up to task on things like this, and it's my opinion that the IT/Security industry does not place enough emphasis in that arena, And to thier detriment...

    1. Re:Simulations are lacking, here's why by arbiterip · · Score: 4, Interesting

      I actually participated at this contest for Millersville University. Social engineering was allowed. I must admit, I have not yet read the article but members of the Hacker/Red team would often walk around the room and try and to watch what people were doing. A few times they even stopped and tried to get information out of us. However, they had to leave our team area when asked. Our team actually left sheets with the wrong passwords on the tables in hopes that they would waste their time.

  2. The user is the weak point! by Giant+Ape+Skeleton · · Score: 4, Informative
    Poking around on other people's machines is all well and good, but in the most pervasive and damaging "hacks" (sic), there is usually a major social engineering component.

    In other words, it's a trivial matter to get into somebody's system; it takes a whole 'nother skill set to convince that person to hand you the keys to their data.

    I wonder if tech-savvy folks (the students referred to in TFA fior example) are as good at "locking themselves down" as they are at securing their computers. Have any studies been done on the credulosity of geeks?

    --
    The difference between stupidity and genius is that genius has its limits.
  3. It is one thing to know it is coming... by nb+caffeine · · Score: 4, Insightful

    and another to not pay attention because you think you are safe...

    Sounds like fun though, kinda like the CS programming competitions I went to in high school

    --

    "Something's wrong with you...and I hope we never do meet again." - Deftones When Girls Telephone Boys
  4. Hacking at school... by __aaclcg7560 · · Score: 4, Insightful

    A school competition to hack and slash against harden servers? Wow! That's interesting. Considering that most schools discourage any form of hacking on the school network, and my local community college had called in the FBI on a few occasions. I didn't know that some schools taught "Script Kiddies 101", much less even mention hacking in the regular programming courses.

  5. Re:Students vs. Hackers? by Tx · · Score: 4, Informative

    ... but the article seams to imply that students were divided into a red team and a blue team and had to hack each others systems

    Only if you didn't, like, read it. The red team were not students.

    Red Team:

    Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the "three letter agencies" security systems, and has over 15 years of experience in the field. He was CERT penetration tester for the US Army in a previous life.

    Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science.

    Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare.

    Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world's media on matters relating to computer security.

    --
    Oh no... it's the future.
  6. Finally did something slashdot-worthy! by EdMcMan · · Score: 4, Insightful

    I was at the competition (on the winning team).

    It was very fun. We really expected the hackers to be exploiting vulnerabilities much more than social engineering and such. Our downfalls were a) not changing the passwords of the users fast enough b) forgetting to configure the obscure mail server software. It was called "post.office"; never heard of it. By the time we remembered about it, the hackers had changed the password on it, although we (naively) assumed it had just been locked down somehow.

  7. Re:Lunix servers by davidesh · · Score: 4, Interesting

    it was pretty rough. We had 4 hours in the southeast competition. BUT we did not have the debian CDs, the linux boxes were full of backdoors and lots of misconfigurations on purpose. We thought we would have a fully functioning network going in, and for us it seemed to be more of a disaster recovery competition. The hard drive on our static web server (linux) died after the 1st hour, we finally got a replacement the next morning for the 2nd day but it was too late. We had 2 windows servers running on MS virtual server 2005 & 1 Debian mail server VM... for whatever insane reason on the 2nd day our mail server wouldn't recognize the virtual network card and we were SOL.

  8. Re:What's your background? by EdMcMan · · Score: 4, Interesting

    We are all computer science majors. So, basically we learn to code.

    All of our knowledge from this competition is from experience outside of school. A little hands-on knowledge can go a long way. I worked primarily on the Linux servers (but also the e-commerce site on Windows). My knowledge of that is just through personal experience. I've been using Linux for a long time.

    I know at least one person on the team has a lot of certifications (Microsoft). Another person was trained on routers by the national guard. Although I have experience from a Cisco class in highschool, I let other guys who knew it better handle it. As a funny note, we locked ourselves out of our firewall almost immediately (due to mistyping the new password). We didn't attempt to reset it while we were in first place.

    So, our backgrounds are all pretty unique to answer your question. As a side note, we do have a security class offered at our school, but it is heavily based on theory.