The Student vs Hacker Security Showdown Rematch
monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition, where college students are put to the test. During the three-day event, small teams from eight of the area's colleges are handed insecure networks that they have to lock down and keep running — all while a team of hackers attempts to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as programming web applications, installing IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."
It takes significant experience to walk into a network blind and secure it in hours. I have 2 decades of experience, and I've walked into places where it took days just to figure out w.t.f. they're running. It would take a day or more to figure out what all is going on in the network in my house -- and there are only 4 computers on at the moment.
And if you're dealing with Windows(tm), it can take hours to download and install all the freakin' patches (unless you happen to wander around with a fully populated WSUS/SMS server).
What? You think most sys admins are trained in network security? Think again. :)
I was a member of one of the (losing) student teams.
First, none of the members of my team are majors in network security (just "IT") or Linux gurus, and we did not receive any advice from the previous team that went last year (what fags).
Second, two of the four boxes were Linux. Three monitors. The firewall box and the Windows XP workstation box were KVM'd together.
8 people trying to work on 3 machines = not cool.
Third, oh god all of the systems were basically pre-fucked up. Rootkit/keyloggers on the 2003 server box, there was a wireless access point that was PLUGGED INTO our switch, broadcasting all internal traffic to the red team and allowing them DIRECT access to the internal network.
Fourth, it wasn't clear to my team that we had to have THREE external IP addresses mapped to THREE internal IP addresses, so our firewall/router solution didn't work at all. Business inject on the first day? Ha? None of the e-mails could get to us because they were sending them to another IP! At the end of day 1, they also said that they would reimage the firewall box to Fedora Core 4 and give us control over it. So, everyone crammed as much as they could about configuring Fedora Core 4 and learning iptables... we walk in on day 2 and the guy says that he locked us out of our firewall box and that we aren't allowed to change it (because 7/8 teams fucked up the firewall on the first day). Awesome, three direct IP mappings into our private network!
Fifth, there was a misunderstanding about what kinds of software we could use. We thought we were able to use ANY (non-pirated) software that was available on the Internet, including free trials. Turns out, we were only allowed to use commercial software if it was released as a beta version and had the appropriate enterprise use license. Hurray, Windows Firewall? It's not like we could download ZoneAlarm.
Sixth, there was just too much stuff that was already on the machines that no one on my team had any experience with. osCommerce? hah.
Seventh, 70% of all the business injects are related to the website. When the red team broke into our Linux (Fedora Core 4) box, they completely fucked Apache and MySQL up (how to back up Linux? nothing to back up TO). So much for all those business injects.
Eighth, we only had one laptop to use to download stuff from the Internet or to research free software alternatives. Granted, our team probably needed more people who knew how to use Linux, but still...
Ninth, the network diagram was incorrect. How the hell do they expect us to configure a router if they provide the wrong DNS/default gateway information?
Yeah, we got owned hard... but there's also the saying... you learn from your mistakes... I believe I learned more in those 3 days than in my entire 3 and 1/2 years at my university.
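The "three external IPs mapped to three internal IPs" problem the poster describes is a 1:1 NAT job on the firewall box. As an added example (not from the thread or the competition), the script below generates the iptables rules for such a mapping with a default-deny FORWARD policy, so only ports the team chooses are reachable from outside; the addresses are constructed placeholders and the interface names are assumptions. It only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not part of the original post. Prints the iptables
# commands for 1:1 NAT of three public addresses to three internal hosts.
WAN_IF=eth0   # assumed external interface
LAN_IF=eth1   # assumed internal interface

# "public private" pairs, one per line (constructed sample addresses)
MAPPINGS="203.0.113.10 192.168.1.10
203.0.113.11 192.168.1.11
203.0.113.12 192.168.1.12"

# gen_rules PORT... : emit the rule set; PORTs are the TCP services that
# may be reached from the outside on every mapped host. Nothing is applied.
gen_rules() {
    # default deny for traffic to and through the firewall
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    # replies to connections we already track are allowed back
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "$MAPPINGS" | while read -r pub priv; do
        [ -n "$pub" ] || continue
        # inbound: public destination is rewritten to the internal host
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $pub -j DNAT --to-destination $priv"
        # outbound: the internal host leaves with its own public address
        echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $priv -j SNAT --to-source $pub"
        # after DNAT the filter sees the private address; open only chosen ports
        for port in "$@"; do
            echo "iptables -A FORWARD -i $WAN_IF -o $LAN_IF -d $priv -p tcp --dport $port -m state --state NEW -j ACCEPT"
        done
    done
}

# count_rules PORT... : number of rule lines gen_rules would emit
count_rules() { gen_rules "$@" | wc -l | tr -d ' '; }
```

Pipe the output through `sh` on the firewall only after reading it; anything not DNATed or explicitly accepted is dropped by the policies.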