Slashdot Mirror


The Student vs Hacker Security Showdown Rematch

monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."

11 of 83 comments

  1. Re:Exercise in Futility by AnonymousCactus · Score: 2, Insightful

    It seems like the most reasonable step when someone is starting with a totally messed up system is to disconnect it from the network. Obviously, it's less than ideal, but it seems better than letting secure data get taken or allowing the hacker to get a stronger foothold. Obviously, you can't always bring down all IT systems in order to fix them, but, then, you probably also would have fixed these problems before the machines were attacked...

  2. Re:Hack yourself by cdrdude · Score: 2, Insightful

    That's nice and all, but you won't think of everything they do. The things you can think of are the ones you can defend against, and that won't change it. I'm sure they try to look at their own network from the hacker perspective, but all it takes is one good idea that the hackers have and the students don't.

    --
    This sig is neither interesting, nor humorous. Including meta-humor.

  3. Re:Strange that they don't allow that, eh? by Cramer · Score: 2, Insightful

    ... not to mention the network having already been compromised.

  4. Re:Student != Professional by AJWM · Score: 2, Insightful

    It takes significant experience to walk into a network blind and secure it in hours.

    Not really arguing the point, but the first step is to unplug all the network cables. That doesn't take very long. Then you can take your time securing it before letting it back on the net.

    If you don't know what's on it, and there's a cable attached, you pretty much have to assume it's already rooted.

    --
    -- Alastair

  5. Re:Hack yourself by nametaken · Score: 4, Insightful

    The problem with this is that they gave the teams securing the network 3 hours to prep.

    As someone who had to take over a company's network, exactly what this exercise is meant to simulate, I can say it does take more than 3 hours to secure the services and appliances they were given without taking things offline. What's more, you usually don't have four seasoned hackers banging on your network's doorstep in your first three hours of employment. Also consider that most businesses don't keep a 10k record CC# database on a machine behind an unsecured perimeter appliance with a bunch of hokey other services running on them, accessible from outside the LAN. The expectations of the whole process are a bit ridiculous to begin with, but if you gave them a day or so to secure their network and services, I'm sure they'd have done much better.

    Judging by the brief accounts of each team's actions, I'd guess that in more realistic scenarios they would make reasonably effective admins.

  6. Re:Hack yourself by Khashishi · Score: 2, Insightful

    It's a contest. It's supposed to be harder than real life.

  7. Re:Veterans not as good as students? by kent_eh · Score: 2, Insightful

    (nobody cares how the job gets done as long as it gets done.)

    In the competition, the organizers phrased the removal of "illegal" tools as being the result of a BSA-style audit. I expect companies who have been the subjects/victims of such an audit care greatly about the legality of the tools their admins (even contracted ones) are using.

    I think it's more about making a point: security is not simple.

    I expect the contestants came away with a heightened respect for just how much work it is to implement effective security.
    Which will make them better admins when they graduate and join the workforce.

    --
    "I can't complain, but sometimes still do..." Joe Walsh
  8. Re:Completely Rigged by cgenman · Score: 3, Insightful

    If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them quite by definition.

    Of course there is. You can encrypt drives, encrypt information, use secure Mobos, etc.

    As the one responsible for the integrity of your network, you're also responsible to let people know the level of physical security your network requires. As the article mentions, the servers were password-protected and expected to be secure. With physical access, the hackers got a surprisingly high level of penetration into the system without actually breaking it.

    It seems that the only way to win this competition on the defensive would have been to re-install the latest Fedora Core on all four machines, and set up services that you trust instead of MS services, then hunker down and physically guard the boxes.

    There was no way to "win" on the offensive. The offense wasn't being tested. The test was to see, basically, which group of sysadmins could outsurvive the rest. It wasn't an unfair competition between hackers and defenders. It was a task guaranteed to take out boxes, to see which team could best slow down the inevitable onslaught.

    In a production environment you don't necessarily get to set the policy on what servers you are running, and off of what boxes. You inherit a messed up pile of old systems, legacy software that nobody can update anymore, buggy drivers, and Windows users installing trojans and giving their passwords away to the first person who comes along with a YourCompanySecurity username on AIM. The fact that they took the end users out of the equation was a huge blessing to the sysadmins.

    Notice that they made damned sure that none of these computers were attached to the internet at the time of the task. These weren't the best of the best hackers the competition could find. These were a small pool of good hackers vs a small pool of sysadmins. If they had actually put these things on the internet, like production environments face every day, they would not have survived.

    Hence, the pre-installed keyloggers.

  9. You are completely missing the point... by taosk8r · Score: 4, Insightful

    It wasn't to inspire awe in the hackers; many people don't seem to realize this. The whole point of the exercise, indeed, it appears, was to give the hackers the advantage, and see how the admins coped.

    Further, the point of the whole thing was to expose people who might one day face challenges such as those posed by the hacker teams to some real-world experience, and an understanding of how much vigilance it really does take to secure a given system.

    In other words, it was sort of DESIGNED as a scare-tactic to the admins. In the long term some of them may indeed become overly security-paranoid, but in fact the point of the challenge was to cause a greater level of anxiety, hopefully to ensure that companies who chose to hire individuals from the admin team would be better protected from loss, and that those individuals would hopefully enjoy improved job security.

    The whole thing was set up to attempt to reverse the standard, day-to-day lackluster security practices employed by the majority of the IT industry.

    --
    -taosk8r

  10. Re:Completely Rigged by Srin+Tuar · Score: 4, Insightful

    Just to point out two things you said:

    Of course there is. You can encrypt drives, encrypt information, use secure Mobos, etc.

    In a production environment you don't necessarily get to set the policy on what servers you are running, and off of what boxes.

    Those two assumptions are somewhat conflicting, I would say.

    On the first point:
    The performance tradeoff for encrypted filesystems is seldom worth it on servers when you can physically secure them fairly trivially. If your building is regularly invaded, you have bigger problems. In any case, even if you can stop data loss with disk encryption, the guy could just take a hammer to your server and cause a DoS at the very least, and there is nothing you can do if you allow him physical access.

    On the second point: if you are such a low-level peon in a company that you are forced to accept bug-ridden systems, then security is a foregone conclusion. Heck, achieving it might compromise job security. I might suggest looking for a better job. Instead, if you are in a position to offer "services" to the company, such as email, DNS, or NAS, then YOU (the IT dept) get to decide how to provide them, and then you can make decisions with security in mind. Before we get too separated from reality, we have to remember that the point of computers is to offer data services to the users, not to offer brand names. The rest of the company shouldn't even have to know what's behind the curtain, just that everything is up and running smoothly.

    Being asked to secure pre-owned windows servers is like being asked to levitate. Just give it up and re-install something else. The entirety of the O/S is analogous to trojan horse malware to start with, being that you do not get the source code. Trying to hold back the tide with a spoon and a colander is not my idea of security.

    It was a task guaranteed to take out boxes, to see which team could best slow down the inevitable onslaught.

    That would be uninteresting. Why even try?
    I think it should be not only possible, but fairly easy to set up a network that would provide service and not be penetrable over the network. You could even go for extra points by detecting unwanted probing or intrusions and blackholing the attacker's traffic so that you don't even suffer from a degradation of service. But assuming you will lose is the wrong mindset, imo. You have to play to win.

  11. don't blame the network by it073543 · Score: 2, Insightful

    We should not blame the network, because the students should have enough knowledge to protect an insecure network from the hackers. They can use a tool such as a honeypot to learn about the hackers and improve the network. By implementing an intrusion detection system, the students can detect the hackers and build a strong and secure network.
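Comment 10 suggests detecting unwanted probing and blackholing the attacker's traffic, and comment 11 suggests an intrusion detection system as the way the students could have spotted the hackers. The script below is an added example written for this page, not code from any commenter or from the competition, showing the simplest version of that idea: it parses constructed firewall-style connection log lines, flags any source that touches at least five distinct destination ports inside a sliding 60-second window, and emits nftables commands that add the flagged source to a blackhole set. The log format, the 10.0.0.x addresses, the thresholds and the set name `blackhole` (assumed to already exist in an `inet filter` table) are all assumptions made for the example; it also assumes the log lines arrive in chronological order.

```python
"""Toy port-probe detector with blackholing (defensive example).

Constructed sample data only. Counts the distinct destination ports each
source touches inside a sliding time window and returns a blackhole list
for sources that exceed a threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> SRC=<ip> DST=<ip> DPT=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) DPT=(?P<dpt>\d+)$"
)

# Constructed sample log (not from any real system):
#   10.0.0.9  sweeps seven ports within six seconds (fast probe)
#   10.0.0.20 is an ordinary client talking only to port 80
#   10.0.0.30 touches six ports, but spread over six minutes (slow probe)
SAMPLE_LOG = """\
2008-03-01 10:00:01 SRC=10.0.0.9 DST=192.168.1.5 DPT=21
2008-03-01 10:00:01 SRC=10.0.0.9 DST=192.168.1.5 DPT=22
2008-03-01 10:00:02 SRC=10.0.0.9 DST=192.168.1.5 DPT=23
2008-03-01 10:00:02 SRC=10.0.0.20 DST=192.168.1.5 DPT=80
2008-03-01 10:00:03 SRC=10.0.0.9 DST=192.168.1.5 DPT=25
2008-03-01 10:00:03 SRC=10.0.0.9 DST=192.168.1.5 DPT=80
2008-03-01 10:00:04 SRC=10.0.0.9 DST=192.168.1.5 DPT=110
2008-03-01 10:00:05 SRC=10.0.0.20 DST=192.168.1.5 DPT=80
2008-03-01 10:00:06 SRC=10.0.0.9 DST=192.168.1.5 DPT=443
this line is deliberately malformed and must be skipped
2008-03-01 10:01:30 SRC=10.0.0.30 DST=192.168.1.5 DPT=22
2008-03-01 10:02:40 SRC=10.0.0.30 DST=192.168.1.5 DPT=25
2008-03-01 10:03:50 SRC=10.0.0.30 DST=192.168.1.5 DPT=80
2008-03-01 10:05:00 SRC=10.0.0.30 DST=192.168.1.5 DPT=443
2008-03-01 10:06:10 SRC=10.0.0.30 DST=192.168.1.5 DPT=8080
2008-03-01 10:07:20 SRC=10.0.0.30 DST=192.168.1.5 DPT=3306
"""


def parse_line(line):
    """Return (timestamp, src, dst, port) or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dpt"])


def detect_probes(log_text, window_seconds=60, port_threshold=5):
    """Map each flagged source to the sorted distinct ports it hit when first flagged.

    A source is flagged the first time it has touched at least `port_threshold`
    distinct destination ports within the trailing `window_seconds`. Lines are
    assumed to be in chronological order.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, port), oldest first
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip, never crash the detector
        ts, src, _dst, port = rec
        q = recent[src]
        q.append((ts, port))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the sliding window
        distinct = {p for _, p in q}
        if len(distinct) >= port_threshold:
            flagged.setdefault(src, sorted(distinct))
    return flagged


def blackhole_rules(flagged, table="filter", set_name="blackhole"):
    """Format one nftables command per flagged source.

    Assumes an existing `inet <table>` table with an ipv4_addr set <set_name>
    that a drop rule already references; the command only adds the element.
    """
    ordered = sorted(flagged, key=lambda s: tuple(int(o) for o in s.split(".")))
    return [f"nft add element inet {table} {set_name} {{ {src} }}" for src in ordered]


if __name__ == "__main__":
    hits = detect_probes(SAMPLE_LOG)
    for src, ports in hits.items():
        print(f"{src} probed ports {ports}")
    for cmd in blackhole_rules(hits):
        print(cmd)
```

With the default 60-second window only the fast sweep from 10.0.0.9 is flagged; widening the window to ten minutes also catches the slow sweep from 10.0.0.30, which is the usual tuning trade-off between catching patient scanners and blackholing a legitimate host that happens to use several services. In practice the commands would be fed to a real firewall and the set given a timeout so entries expire, rather than printed.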