The Student vs Hacker Security Showdown Rematch
monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."
I suppose that's what the "education" tag is referring to.
Elite Network Counter Strike Force pwn Teens
(translated version)
In the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition (CCDC), held at a secret location, a Network Counter Strike Force Team, consisting of seasoned veterans from several security technology firms and academia, PWNed several teams of IT students in a stunning display of 1337-ness.
In summary, the students are handed a small network with various services, most of which are outdated, vulnerable, and pre-exploited (rigged).
They, the students, then, have a few hours to get everything patched and secure, at which point the RED Team (a.k.a. the haxorz) are set loose to pwn them all.
However, as IT professionals know very well, it isn't just the hacker you have to deal with!
The Secret Service was on hand to make sure the competition went a lot like last year, as well as many other unplanned events ("interviews"). Welcome to the "Real World" -- CCDC style!!!
The students' goal: lock down rigged Windows and Linux systems and secure their networks. The Hackers' goal: to pwn the students' networks, steal important data and embarrass them in front of their Mothers.
Hylas Ipsum (not_hylas( )) read about the 2007 real-world competition and reported on the event from the perspectives of Slashdotters and first year Umpires everywhere.
Last Year's Event
This was the second year for the CCDC. I wasn't invited to last year's event, like this year, which turned out to be a very amusing experience for the haxorz. As with any first-time adventures, unexpected "anomalies" played a very big role in the outcome of the event.
Despite minor hiccups, the Secret Service benefited most by walking away with all the chicks.
This Year
Prior to attending the 2007 event, we were fairly certain the RED Team was going to have a more difficult time gaining access to the students' systems.
Perhaps the most amusing and educational aspect to this year's Mid-Atlantic CCDC was how the RED Team managed to surprise everyone involved by cheating again, with no one saying a thing. Since the Prize Cups' disappearance the night before, this contest was for "sport".
With the air of sportsmanship renewed, the game was afoot.
As previously mentioned, each network contained a wide range of operating systems and services. In summary, the core network contained three computers:
A Windows 2003 computer running an Exchange Server, telnet, DNS, and Active Directory
A Fedora Core 4 server on a DMZ running Apache, telnet, PHP, MySQL, and osCommerce
A Windows XP workstation running syslog, VNC and telnet
In addition, two of the teams had a PIX firewall w/telnet and the other six had a Linux-based system running telnet on Smoothwall.
Prior to the physical intrusion, the RED Team had the most success by exploiting default configurations and default accounts. Once they were let loose, the team members quickly found and "pwned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a "real world" problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!
Why indeed?
The RED Team then commenced to "trash talking" the students, seeing blood in the water.
All this said, the event is much more than just a competition. It is a test of how well a person can perform under serious pressure. In fact, there was an unofficial "bonus" to the first hacker who could make a student cry.
Default configurations and accounts were bound to be located and fixed within minutes. The RED Team would not be able to simply walk in, connect to a system, and log in. However, CCDC predicted this and provided a few "unknowns" to assist the red team with their work.
Since the "corporate network" was not truly connected to the internet for "security reasons", all patches and updates ha
~hylas