Slashdot Mirror


The Student vs Hacker Security Showdown Rematch

monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."


  1. Hack yourself by cyberbob2351 · · Score: 2, Interesting

    Seems like the best way to ensure your success in said competition is to walk through the door with every hacker tool known to man, and just go all out on your own network.

    The days of careful analysis and investigation are over. Why not learn a thing or two from the rapid fire, spray and pray, script kiddies?

    --
    for sale
    I'm a self-modifying sig virus
    1. Re:Hack yourself by hotdiggitydawg · · Score: 2, Interesting

      How is it harder than real life for the hackers then? If it really is supposed to be a contest (in the true sense of the word) then the least the participants could expect is a level playing field.

  2. Strange that they don't allow that, eh? by khasim · · Score: 4, Interesting

    Not to mention that the students were not trained in network security.

    So, you give someone who isn't trained in network security ... give him an unsecured network ... with default passwords and such ... and a time limit of less than a week ... with the restriction that he cannot just unhook his network ... and his network gets cracked.

    Big fucking surprise.

    1. Re:Strange that they don't allow that, eh? by rhartness · · Score: 2, Interesting

      Not to mention, it stated that they cut on their firewalls, and then they had to restore these settings to the defaults so that the scoring system would work. Um.... that doesn't seem like a problem to anyone else? Of course, I can't complain too much. I would have loved to have been a part of this just for the experience even with these unrealistic scenarios.

    2. Re:Strange that they don't allow that, eh? by cheater512 · · Score: 5, Interesting

      What? You think most sys admins are trained in network security? Think again. :)

    3. Re:Strange that they don't allow that, eh? by donaldm · · Score: 3, Interesting

      You are right on this. Most system Admins I know (myself included) are fairly weak in network administration, and the main reason for that appears to be the growing division between Network administrators and System administrators, to the extent that nearly all our *nix tools are effectively blocked so you cannot determine if you have a problem, and of course the Network people are adamant that their network is not at fault. This I have found to be especially true in large sites; however, I have found the reverse is true when the site is smaller.

      Back in the 1980's there was no division. The *nix Admin was the Network Admin as well.

      --
      There ain't no such thing as proprietary standards only proprietary formats. Standards are by definition open.
    4. Re:Strange that they don't allow that, eh? by Metzli · · Score: 3, Interesting

      True, but they're also not normally tasked with running firewalls and installing IDS. That usually falls on those who actually are trained in network security. They gave two groups of complete noobs a PIX? Hell, no wonder they were rooted. I know guys who ran them professionally and still had problems borking the rules on occasion.

      This just seems like a completely pointless exercise. Taking a group of college students, giving them an unrealistically short time, and then turning some experienced hackers on them just seems like a waste of time. It's like taking a high school football team, having them play the New England Patriots, and then saying "You can make a lot of money in a year playing football, but it's not as easy as it sounds." Duh.

      --
      "It's too bad stupidity isn't painful." - A. S. LaVey
    5. Re:Strange that they don't allow that, eh? by Anonymous Coward · · Score: 1, Interesting

      It's crazy that the students weren't trained in security. I'm working on a Masters in ISA at George Mason (one of the schools who attended) and didn't even hear about this event. It would have made sense to send some of us from the Masters program, seeing as we're actually being trained in network security. I wonder how they got these teams together.

  3. Re:Veterans not as good as students? by kent_eh · · Score: 2, Interesting

    I'm guessing that maybe this is because a seasoned veteran would expect for the network to be maintained correctly?


    Clearly you've never been a contractor.

    Starting a contract to "upgrade and secure our network" for a small company who doesn't have any IT staff, and only brings in contractors on a one-off basis a couple of times a year.

    The competition scenario sounds fairly plausible to me.
    --

    ---
    "I can't complain, but sometimes still do..." Joe Walsh
  4. Re:Veterans not as good as students? by wiremind · · Score: 2, Interesting

    Good point.

    Your scenario is quite realistic, but then, scoring should be based on time to secure the network, not how many times the hackers can break in.

    In that game, they were being scored for how many times they could get hacked. In the real world, if you did enter a hacked office, time would be critical, but over the course of a long weekend the office would be locked down and cleaned up.

    So in my mind, if this was supposed to be realistic, the scoring would be between teams of sysadmins, to see who can completely secure their hacked network the fastest.
    Because given enough time (not counting 0day exploits and malicious employees), a network CAN BE almost completely secured.

    Kyle

  5. Where do you go to learn this stuff? by maillemaker · · Score: 3, Interesting

    So where does one go to learn about this kind of security work?

    --
    A work that expires before its copyright never enters the public domain and thus enjoys eternal copyright protection.
  6. I was at the competition in Maryland by BobSixtyFour · · Score: 5, Interesting

    I was a member of one of the (losing) student teams.

    First, none of the members of my team are majors in network security (just "IT"), Linux gurus, and we did not receive any advice from the previous team that went last year (what fags).

    Second, two of the four boxes were Linux. Three monitors. The firewall box and the Windows XP workstation box were KVM'd together.
    8 people trying to work on 3 machines = not cool.

    Third, oh god all of the systems were basically pre-fucked up. Rootkit/keyloggers on the 2003 server box, there was a wireless access point that was PLUGGED INTO our switch, broadcasting all internal traffic to the red team and allowing them DIRECT access to the internal network.

    Fourth, it wasn't clear to my team that we had to have THREE external IP addresses mapped to THREE internal IP addresses, so our firewall/router solution didn't work at all. Business inject on the first day? Ha? None of the e-mails could get to us because they were sending it to another IP! At the end of day 1, they also said that they would reimage the firewall box to Fedora Core 4 and give us control over it. So, everyone crammed as much about configuring Fedora Core 4 and learning iptables... we walk in day 2 and the guy says that he locked us out of our firewall box and that we aren't allowed to change it. (because 7/8 teams fucked up the firewall on the first day). Awesome, three direct IP mappings into our private network!

    Fifth, there was a misunderstanding about what kinds of software we could use. We thought we were able to use ANY (non-pirated) software that was available on the Internet, including free trials. Turns out, we were only allowed to use commercial software ONLY if it was released as a beta version and had the appropriate enterprise use license. Hurray Windows Firewall? It's not like we could download ZoneAlarm.

    Sixth, there was just too much stuff that was already on the machines that no one on my team had any experience with. osCommerce? hah.

    Seventh, 70% of all the business injects are related to the website. When the red team broke into our Linux (Fedora Core 4) box, they completely fucked Apache and MySQL up (how to back up Linux? nothing to back up TO). So much for all those business injects.

    Eighth, we only had one laptop to use to download stuff from the Internet or to research free software alternatives. Granted, our team probably needed more people that knew how to use Linux, but still...

    Ninth, the network diagram was incorrect. How the hell do they expect us to configure a router if they provide the wrong DNS/default gateway information?

    Yeah, we got owned hard... but there's also the saying... you learn from your mistakes... I believe I learned more in those 3 days than in my entire 3 and 1/2 years in my university.