Slashdot Mirror


The Student vs Hacker Security Showdown Rematch

monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition, where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as programming web applications, installing IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."

7 of 83 comments

  1. Veterans not as good as students? by fireboy1919 · · Score: 2, Informative

    From TFA:
    Knowing how to secure both Linux and Windows, plus understanding Cisco firewall configurations (or Shorewall/iptables) -- not to mention having a firm grasp of web application security -- is not a realistic expectation of any newly graduated employee, much less a seasoned veteran.

    What? I'm guessing that maybe this is because a seasoned veteran would expect the network to be maintained correctly? Especially the firewall?

    Really, this doesn't sound like a level playing field at all. My company supports *three* services - IMAP, HTTP, and SSH. We keep the programs that offer these services completely updated. There's not a lot to keeping those updated. There's one major player for SSH, two for web, and four or so for mail. Even the minor ones take less than an hour to figure out.
    We expect that the routers will handle almost everything else. Flaws coming out in IP stacks are a pretty major thing, and get fixed pretty quickly, so it should mostly be a nonissue.

    If these guys only had to support features that people actually use and lock down everything else, things would be very different.

    --
    Mod me down and I will become more powerful than you can possibly imagine!
    1. Re:Veterans not as good as students? by wiremind · · Score: 2, Informative

      The part that made it all kinda absurd for me was this:

      "You also can't see the pre-installed rootkit/keylogger that resides on the server. These are the types of real world issues that IT professionals have to deal with..."

      That's not a real world scenario. You build your servers off the network, you have CDs with all the latest patches, you install antivirus, and you have trusted people do this. By the time a server hits the network it's got antivirus, patches, and is totally locked down.

      Next absurdity:
      (in reference to detecting the rootkit) "a couple of the teams installed "illegal" software and detected the presence of something unusual, but once they were forced to remove the software due to an onsite audit, the illicit activity was seemingly forgotten"

      AN ONSITE AUDIT!!! Are you kidding? If these sysadmins had a concern, they would buy the software needed to deal with the problem, so why was the software illegal? Did they have an 'imaginary budget'??? Shit like that proves that this whole event was just a gong show.

      Business Injects:
      "and the grading is tough. For example, one inject was to install a web statistics application that is accessible from the /webstats folder in one hour."

      HAHAHAHAHAHAHA LMAO .... wow.. that's supposed to be a 'realistic scenario'???
      If it's for an intranet, then it's probably not that critical, probably just some boss wanting to try something he read about in "IT Management Weekly - Website Management", and if it's for something on the internet, then your webhosting company would take care of it. If you are the webhosting company, then you've probably already got a solution in place for this request. So the whole scenario is NOT realistic in ANY WAY.

      I'll stop now, but every single paragraph had something worth laughing at.
      The whole event sounds pretty absurd.

      kyle

  2. Completely Rigged by Srin+Tuar · · Score: 3, Informative


    However, what you can't see is the rogue access point that was installed behind the firewall in the 10.10.20.x range. You also can't see the pre-installed rootkit/keylogger that resides on the server.

    Okay, so they have pre-installed rootkits on the machines, and 2/3 of the boxen they are given are Windows machines running fundamentally insecure protocols (such as MS's infamous technique of sending cleartext LM hashes over the local network). It also seems the machines are set up with easily guessable passwords to boot.

    Furthermore, they seemed to stress the "firewall" as if it was some sort of solution rather than just a roadbump, as it is in reality. Disabling all blocking rules and simply serving as a router should have been more than enough, since firewalls only ever provide the illusion of security anyway.


    As the red team clearly illustrated, it only takes a few minutes to gain access to a Linux box via single user mode, bypass BIOS passwords by shorting out the motherboard,


    This also has nothing to do with a sysadmin's job. If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them, quite by definition.

    It seems that the only way to win this competition on the defensive would have been to re-install the latest Fedora Core on all four machines, set up services that you trust instead of MS services, then hunker down and physically guard the boxes.

  3. Student != Professional by Cramer · · Score: 5, Informative

    It takes significant experience to walk into a network blind and secure it in hours. I have 2 decades of experience, and I've walked into places where it took days just to figure out w.t.f. they're running. It would take a day or more to figure out what all is going on in the network in my house -- and there's only 4 computers on at the moment.

    And if you're dealing with Windows(tm), it can take hours to download and install all the freakin' patches. (unless you happen to wander around with a fully populated WSUS/SMS server.)

  4. Ignore please by Arancaytar · · Score: 3, Informative

    Meant for this story, obviously. Sorry about that.

  5. Re:Where do you go to learn this stuff? by Metzli · · Score: 2, Informative

    As far as classes go, SANS (www.sans.org) is a great place. That's actually where the Red Team came from. Shoot, the students might have lucked out. At least they didn't unleash Ed Skoudis and Kevin Liston on them too. This might have been a dramatically shortened program. :)

    --
    "It's too bad stupidity isn't painful." - A. S. LaVey
  6. Good lesson for everyone! by IT072110 · · Score: 2, Informative

    "Once they were let loose, the team members quickly found and "owned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a real world problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!" It should be a good lesson for all, including the company & students, that this "small" thing is among the vital concerns.