Details of Cyber Storm War Games Released

I Don't Believe in Imaginary Property writes "Apparently, the participants in the U.S. 'Cyber Storm' war games are familiar with the Kobayashi Maru, because some of them tried to cheat by hacking the games themselves. They also prepare for some very interesting scenarios. Among other things, the organizers are worried about having too many people on the 'No Fly' list show up at an airport, finding 'mystery liquids' in the subway, and having bloggers reveal the classified location of railcars with hazardous materials. The Department of Homeland Security has already analyzed the results of the games, and plans to hold 'Cyber Storm 2' in March."

Hacking the game is cheating?

[Shadow+Labs]

I find it interesting that they call hacking the game itself "cheating."

Reminds me of when I was in college and us CS people used to get together and play a computerized version of capture the flag. The premise of the game was simple enough -- players were divided into 4 teams of 2-3 people each, and each team got a machine that came pre-loaded with an older unpatched version of Linux that had well known and published security vulnerabilities (something like Red Hat 7.3). Each machine had 4 services running on it -- typically SSH, Bind, Apache, and telnet (yeah...*sigh*). Each of those services came configured to return a certain string (the so-called flag) when queried by a master scoring server that ran a fairly simple Python script. The script ran once every minute and then displayed up to date team scores on a video projector. The rules of the game stated that we could not patch the machine or use IPtables to lock down the machine. Anything else was fair game. The machines and the scoring server were all networked together on small private network, and each team was given one additional network drop to do with as they pleased.

Anyway, one night we got together to play CTF and there were only enough people for 3 teams of two. Since that doesn't make for such an interesting game, one of our professors who was just supposed to be observing decided to join in and be on his own team. As soon as the game started, everyone went to work furiously trying to defend their boxen and then the real fun -- the attacking -- began.

We were all quite surprised when the first round of results came in and our professor hadn't had anyone hijack his machine. He also evidently hadn't attacked anyone else. The night went on and each of the student teams went back and forth, attacking and defending, but our professor stayed the same -- he neither had anyone successfully compromise his box, nor successfully compromised anyone elses.

The last few minutes of the game saw my team dead last, our professor in third place, and two other teams above us. 5 seconds from the end, our professor's score suddenly increased to an ungodly high (and according to the rules unattainable) score, with the rest of our scores getting set to zero. As the clock ticked down and the game came to an end, we were befuddled as to what happened.

Suddenly it dawned on us -- our professor had spent the entire time hacking the scoring server (which was supposed to have been an up to date, secure Linux install) and replacing the Python scoring script with one of his own, all to his advantage. At some point during the game, he had actually replaced the running script with his own, without any of us ever noticing. We were all in awe and amazement at his creativity -- the idea to do such a thing had not even occurred to any of us. We learned several valuable lessons that night, one of which was that the mind of a creative attacker may not be confined solely within the nice little security box that you place it in. That, and never mess with your professors!