The Student vs Hacker Security Showdown Rematch
monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."
Psh, just disconnect from the WAN, problem solved.
Like you have any idea how to "stop" or "track" anything, let alone know what is required to "fire" or "hire" an admin or engineer, for any reason.
US Secret Service was on hand to determine if there was enough data to start an investigation. Please read before you post.
It seems like the most reasonable step when someone is starting with a totally messed up system is to disconnect it from the network. Obviously, it's less than ideal, but it seems better than letting secure data get taken or allowing the hacker to get a stronger foothold. Obviously, you can't always bring down all IT systems in order to fix them, but, then, you probably also would have fixed these problems before the machines were attacked...
Seems like the best way to ensure your success in said competition is to walk through the door with every hacker tool known to man, and just go all out on your own network.
The days of careful analysis and investigation are over. Why not learn a thing or two from the rapid fire, spray and pray, script kiddies?
Not to mention that the students were not trained in network security.
So, you give someone who isn't trained in network security
... give him an unsecured network ... with default passwords and such ... and a time limit of less than a week ... with the restriction that he cannot just unhook his network ... and his network gets cracked.
Big fucking surprise.
Today's news indicates that the Chinese are holding the IP on 0-day sploits.
From TFA:
Knowing how to secure both Linux and Windows, plus understanding Cisco firewall configurations (or Shorewall/iptables) -- not to mention having a firm grasp of web application security -- is not a realistic expectation of any newly graduated employee, much less a seasoned veteran.
What? I'm guessing that maybe this is because a seasoned veteran would expect for the network to be maintained correctly? Especially the firewall?
Really, this doesn't sound like a level playing field at all. My company supports *three* services - IMAP, HTTP, and SSH. We keep the programs that offer these services completely updated. There's not a lot to keeping those updated. There's one major player for SSH, two for web, and four or so for mail. Even the minor ones take less than an hour to figure out.
We expect that the routers will handle almost everything else. Flaws coming out in IP stacks are a pretty major thing, and get fixed pretty quick, so it should mostly be a nonissue.
If these guys only had to support features that people actually use and lock down everything else, things would be very different.
However, what you can't see is the rough access point that was installed behind the firewall in the 10.10.20.x range. You also can't see the pre-installed rootkit/keylogger that resides on the server.
Okay, so they have pre-installed rootkits on the machines, and 2/3rds of the boxen they are given are Windows machines running fundamentally insecure protocols (such as MS's infamous technique of sending cleartext LM hashes over the local network). It also seems the machines are set up with easily guessable passwords to boot.
Furthermore, they seemed to stress the "firewall" as if it was some sort of solution rather than just a roadbump, as it is in reality. Disabling all blocking rules and simply serving as a router should have been more than enough, since firewalls only ever provide the illusion of security anyway.
As the red team clearly illustrated, it only takes a few minutes to gain access to a Linux box via single user mode, bypass BIOS passwords by shorting out the motherboard,
This also has nothing to do with a sysadmin's job. If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them, quite by definition.
It seems that the only way to win this competition on the defensive would have been to re-install the latest Fedora Core on all four machines, and set up services that you trust instead of MS services, then hunker down and physically guard the boxes.
Perhaps Hackers 2: Mid-Atlantic Meltdown.
Let's hope Jolie is up to the task.
It takes significant experience to walk into a network blind and secure it in hours. I have 2 decades of experience, and I've walked into places where it took days just to figure out w.t.f. they're running. It would take a day or more to figure out what all is going on in the network in my house -- and there's only 4 computers on at the moment.
And if you're dealing with Windows(tm), it can take hours to download and install all the freakin' patches. (unless you happen to wander around with a fully populated WSUS/SMS server.)
Well said.
Meant for this story, obviously. Sorry about that.
Anyone running Fedora for a server is fucking insane and shouldn't be a sysadmin in the first place. Fedora is a bleeding edge distro; besides the fact that the package system is slow as crap, bleeding edge stuff can be really broken.
A "proper" server like maybe the current Ubuntu LTS server package would be a hell of a lot better than frackin Fedora.
Elite Network Counter Strike Force pwn Teens
(translated version)
In the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition (CCDC), held at a secret location, a Network Counter Strike Force Team, consisting of seasoned veterans from several security technology firms and academia, PWNed several teams of IT students in a stunning display of 1337-ness.
In summary, the students are handed a small network with various services, most of which are outdated, vulnerable, and pre-exploited (rigged).
They, the students, then, have a few hours to get everything patched and secure, at which point the RED Team (a.k.a. the haxorz) are set loose to pwn them all.
However, as IT professionals know very well, it isn't just the hacker you have to deal with!
The Secret Service was on hand to make sure the competition went a lot like last year, as well as many other unplanned events ("interviews"). Welcome to the "Real World" -- CCDC style!!!
The students' goal: lock down rigged Windows and Linux systems and secure their networks. The Hackers' goal: to pwn the students' networks, steal important data and embarrass them in front of their Mothers.
Hylas Ipsum (not_hylas( )) read about the 2007 real-world competition and reported on the event from the perspectives of Slashdotters and first year Umpires everywhere.
Last Year's Event
This was the second year for the CCDC. I wasn't invited to last year's event, like this year, which turned out to be a very amusing experience for the haxorz. As with any first time adventures, unexpected "anomalies" played a very big role in the outcome of the event.
Despite minor hiccups, the Secret Service benefited most by walking away with all the chicks.
This Year
Prior to attending the 2007 event, we were fairly certain the RED Team was going to have a more difficult time gaining access to the students systems.
Perhaps the most amusing and educational aspect to this year's Mid-Atlantic CCDC was how the RED Team managed to surprise everyone involved by cheating again, with no one saying a thing. Since the Prize Cups' disappearance the night before, this contest was for "sport".
With the air of sportsmanship renewed, the game was afoot.
As previously mentioned, each network contained a wide range of operating systems and services. In summary, the core network contained three computers:
A Windows 2003 computer running an Exchange Server, telnet, DNS, and Active Directory
A Fedora Core 4 server on a DMZ running Apache, telnet, PHP, MySQL, and osCommerce
A Windows XP workstation running syslog, VNC and telnet
In addition, two of the teams had a PIX firewall w/telnet and the other six had a Linux-based system running telnet on Smoothwall.
Prior to the physical intrusion, the RED Team had the most success by exploiting default configurations and default accounts. Once they were let loose, the team members quickly found and "pwned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a "real world" problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!
Why indeed?
The RED Team then commenced to "trash talking" the students, seeing blood in the water.
All this said, the event is much more than just a competition. It is a test of how well a person can perform under serious pressure. In fact, there was an unofficial "bonus" to the first hacker who could make a student cry.
Default configurations and accounts were bound to be located and fixed within minutes. The RED Team would not be able to simply walk in, connect to a system, and login. However, CCDC predicted this and provided a few "unknowns" to assist the red team with their work.
Since the "corporate network" was not truly connected to the internet for "security reasons", all patches and updates ha
~hylas
It wasn't to inspire awe in the hackers; many people don't seem to realize this. The whole point of the exercise, indeed, it appears, was to give the hackers the advantage, and see how the admins coped.
Further, the point of the whole thing was to expose people who might one day face challenges such as those posed by the hacker teams to some real world experience, and an understanding of how much vigilance it really does take to secure a given system.
In other words, it was sort of DESIGNED as a scare-tactic to the admins. In the long term some of them may indeed become overly security-paranoid, but in fact the point of the challenge was to cause a greater level of anxiety, hopefully to ensure that companies who chose to hire individuals from the admin team would be better protected from loss, and that those individuals would hopefully enjoy improved job security.
The whole thing was set up to attempt to reverse the standard, day-to-day lackluster security practices employed by the majority of the IT industry.
-taosk8r
So where does one go to learn about this kind of security work?
I was a member of one of the (losing) student teams.
First, none of the members of my team are majors in network security (just "IT") or Linux gurus, and we did not receive any advice from the previous team that went last year (what fags).
Second, two of the four boxes were Linux. Three monitors. The firewall box and the Windows XP workstation box were KVM'd together.
8 people trying to work on 3 machines = not cool.
Third, oh god all of the systems were basically pre-fucked up. Rootkit/keyloggers on the 2003 server box, there was a wireless access point that was PLUGGED INTO our switch, broadcasting all internal traffic to the red team and allowing them DIRECT access to the internal network.
Fourth, it wasn't clear to my team that we had to have THREE external IP addresses mapped to THREE internal IP addresses, so our firewall/router solution didn't work at all. Business inject on the first day? Ha? None of the e-mails could get to us because they were sending them to another IP! At the end of day 1, they also said that they would reimage the firewall box to Fedora Core 4 and give us control over it. So, everyone crammed as much as they could about configuring Fedora Core 4 and learning iptables... we walk in day 2 and the guy says that he locked us out of our firewall box and that we aren't allowed to change it (because 7/8 teams fucked up the firewall on the first day). Awesome, three direct IP mappings into our private network!
Fifth, there was a misunderstanding about what kinds of software we could use. We thought we were able to use ANY (non-pirated) software that was available on the Internet, including free trials. Turns out, we were only allowed to use commercial software ONLY if it was released as a beta version and had the appropriate enterprise use license. Hurray windows firewall? It's not like we could download zone-alarm.
Sixth, there was just too much stuff that was already on the machines that no one on my team had any experience with. osCommerce? hah.
Seventh, 70% of all the business injects are related to the website. When the red team broke into our Linux (fedora core 4) box, they completely fucked Apache and MySQL up (how to backup Linux? nothing to backup TO). So much for all those business injects.
Eighth, we only had one laptop to use to download stuff from the Internet or to research free software alternatives. Granted, our team probably needed more people that knew how to use Linux, but still...
Ninth, the network diagram was incorrect. How the hell do they expect us to configure a router if they provide the wrong DNS/default gateway information?
Yeah, we got owned hard... but there's also the saying... you learn from your mistakes... I believe I learned more in those 3 days than in my entire 3 and 1/2 years at my university.
Not allowed to disconnect any cables during the competition.
Or just put CentOS on there. Who on earth runs Fedora as a server? If they are a sysadmin they need to be promptly sacked.
This seems like a dumb competition - of course the hackers are going to win. I highly doubt any of the hackers would win if the roles were reversed. Why not give the students several days to set up a system to spec, then let the hackers at it?
I-T
:P
I mean--really.
I don't see where an encrypted file system would help unless the key is required to be typed in each time a server is raised above run level 1. Physical security is a primary foundation of any more sophisticated security scheme. It is a fundamental problem when your security is based on, "What you have." If you have the machine, game over. If the machines were set up with easily guessed passwords, that is a fundamental problem called, "What you know" (what you can guess). It seems to me none of the network was secured with, "Who you are".
I don't see where an encrypted file system would help unless the key is required to be typed in each time a server is raised above run level 1.
Well, yes, that would kind of be the point, wouldn't it?
Well, you would think so, but had you RTFA, you would have been informed that the teams were also caught out by an unauthorised access point inside of the firewall! Just goes to show, even "trivial" solutions are not always complete.
We should not blame the network, because the students should have enough knowledge to protect an insecure network from the hackers. They can use a tool such as a honeypot to learn about the hackers and improve the network. By implementing an intrusion detection system, the students can detect the hackers and build a strong and secure network.
"Once they were let loose, the team members quickly found and "owned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a real world problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!" It should be a good lesson for all, including the company & students, that this "small" thing is among the vital concerns.
prepared each student with network security knowledge then we can talk business...
Thanks for your even response to my posting. If the hackers have physical control of the server and they reboot it, then fail to enter the proper key, the server would be offline and unavailable to perform its services, and therefore a denial of service would be effected. At least that much damage could be done without the key. I admit they wouldn't get the credit card numbers that way. Having the server offline, they could bring up their own device at the same IP address and there would be no IP conflict at the ARP level.
If the attackers have physical access to the machine, they can smash it with a hammer. This is why I specified that I was talking specifically about attackers who are after your data.
I meditated on what you said, and I see the wisdom now. Because you were gentle with me about it, I learned from you instead of being insulted. Thanks for giving me the chance to think and learn.
Will no one refer to the Kobayashi Maru? Educational stalwarts often believe that you've got to give "students" some "unwinnables" in order for them to be best prepared - even for success, let alone failure. But sometimes the student can teach the master, eh Kirk?
I was at the competition, on Millersville's team. Overall, I'd like to say the competition is awesome. Casey and the rest of the white team organizers did another awesome job. The competition was fun, challenging and educational, as it should be!
However, there are several things that could be improved. If you think the 3 hours of "prep time" could be used to secure our systems, you are mistaken. The three hours were actually used to complete business injects. Obviously, the systems were very "pre fucked up" as someone else said, and we didn't have enough time to secure everything. I think allowing the teams time to actually secure their systems would be very helpful.
However, as Tim from Whitewolf Security said, if no one gets hacked, it's a very boring competition.