Cyber Defense Competition Has A New Champion

lisah writes "Several colleges across the country went head-to-head in San Antonio, Texas last weekend at the National Collegiate Cyber Defense Competition to see which team could best protect their networks against attacks. In a modern day version of Steal the Flag, the teams duked it out using identical network setups that included a Cisco router and five servers. In the end, Baker College took the champion's title from last year's winner, Texas A & M University."

Cyber war-gaming

[BWJones]

This is going to become more critical not just in terms of servers and informational or command based attacks, but also in terms of actual combat systems as we start to integrate more robots and remote networked combat platforms. For instance, my last visit to Creech AFB was very informative, but also illustrated a number of potential weaknesses in the system that controls remotely operated unmanned aerial vehicles actively engaging in combat.

Exercises such as these are critically important to war-game any networked system, particularly when that system is using commercial off the shelf solutions and commodity hardware that is accessible and easy to explore outside the realm of cyber warfare. i.e. war-gaming your attacks before going live...

Re:Cyber war-gaming

[Divebus]

Exercises such as these are critically important to war-game any networked system... ...like defending against RIAA network invasions of Colleges?

Re:Cyber war-gaming

[smallfries]

It's good to hear that people are still actively trying to hasten Judgment Day

Baker college?!?

[fain0v]

I always thought it was one step above a community college! Either I was wrong or they have improved a lot recently.

Re:Baker college?!?

[BosstonesOwn]

Solid proof one geek can make a difference ! :)

On your marks, get set...

[jibster]

Any word on when ESPN will start broadcasting these "games" live? Throw in a few hot cheer leaders and I'd watch. Actually, anybody know where I can get tickets?

Re:On your marks, get set...

[Mordok-DestroyerOfWo]

Coming up on ESPN 1011:

7:00 - Co-ed full contact bash programming
8:00 - PHP fantasy team preview
9:00 - X-Treme PERL recital!
10:00 - World's Strongest Stench competition
11:00 - Geekcenter

Re:On your marks, get set...

[g0bshiTe]

My guess would have been ESPN 1337

Re:On your marks, get set...

[beckerist]

ESPN Mil Trescientos Treinta Siete!

Re:On your marks, get set...

[Paradise+Pete]

Any word on when ESPN will start broadcasting these "games" live? Throw in a few hot cheer leaders and I'd watch.

When I was in high school we travelled to another school for a chess match. They actually had cheerleaders. But since there were no fans, and the cheerleaders of course had to be quiet, it was rather strange.

Re:On your marks, get set...

[lythander]

Seriously, I work with one of the major partners making this competition happen, and they're already in talks with ESPN2. They're working hard on visualization techniiques to make it TV-friendly.

Not sure what this proves

[menace3society]

Usually competitions like this are in "Which OS is most secure" kinds of settings, where the ostensible purpose is to find out which OS is the most secure. However, in this case, you had you had a bunch of different OSs all linked together, and you had to protect them from a bunch of security professionals. I imagine these "pros" probably weren't hard-core hackers, and given that, I'm not sure what the value of the exercise was. These pros won't have anything in their arsenal that everybody doesn't already know about it (at least, if they're studying computer security, they *ought* to know about it), and so we're basically left with (and this is something the article mentions) a bunch of people changing their conf files as fast as possible. If you ask me, they should six Eastern Europeans and North Koreans, and offer them $10,000 for every box they own. If the teams box doesn't get owned, they get the ten grand. Simpler, more interesting, and far more realistic.

Re:Not sure what this proves

[Dachannien]

All sounded pretty good until you used the word "owned". Damn straight. Everybody knows the technical term is "pwned".

Re:Not sure what this proves

A friend of mine, who knew the pros -- at least for the regionals that I *almost* got to compete in (not bitter, nope, not me) -- said they were Serious Business. The point is to go into a new system, figure out what's broken (because the systems the blue teams were provided were broken, sploitwise), and fix it. Changing your conf files as fast as possible means you have to know which files to change in which ways. I don't think the game is entirely realistic either, but it is important to know the methods. Between the in-depth study of a competitor's assigned system and the actual experience of an attack, you get a pretty good grasp of what it's like.

Re:Not sure what this proves

[ja1217]

I also participated in the competition, but due to issues with our Firewall (the stupid scanner the provided with us didn't work and we ended up taking our network down several times for unecessary reasons) we didn't pass the qualifying rounds. However, I went along to one of the later rounds and was allowed to sit in with the hackers. But as Anonymous said, the goal is mainly to fix a machine that already has holes as fast as possible. In my competition, we had two linux boxes (Red Hat 7 for DNS and Fedora 8 for web), a FreeBSD box for sendmail, a Win2k back up DNS, 2003 server for LDAP, and two Windows XP desktops. While the hackers weren't allowed to use 0 day vulnerabilities, they did have tools like CORE Impact at their disposal and within the first 5 minutes of the competition had owned every windows box. The only time I remember a *nix box getting owned was my groups. We were two busy fixing the LDAP server and forgot to change the default password of the BSD box from "password" because they were on the same machine (we had a virtual machine set up for our competition. This had its annoyances, but we could quickly recover from hacks by doind a revert to snapshot with VM ware. They probably disabled the revert feature in later competitions as in a real business environment, which they were trying to simulate, reverting could cause massive data loss.) Towards the end when things were winding down, one team had gotten owned really hard and wasn't about to recover, so they started doing trick programs on them. At one point, they had a screen cast of one of the competitors computers running on their own so they could see exactly what that school was doing. So they ran a trick program that made it look like it was running the Vista install process. We quick ran over and saw them frantically trying to cancel it with no effect. And then they ran a delete all on that computer. Even though my team lost, we had lots of fun and I was able to learn a lot. We'll be back next year (Millersville University) and hope to regain our position of at least 2nd place at Nationals, which we had for the 2 previous years.

Re:Not sure what this proves

[yabastaaa]

Usually competitions like this are in "Which OS is most secure" kinds of settings, where the ostensible purpose is to find out which OS is the most insecure. fixed that for ya

Re:Not sure what this proves

[thelordzero]

Usually competitions like this are in "Which OS is most secure" kinds of settings, where the ostensible purpose is to find out which OS is the most secure. However, in this case, you had you had a bunch of different OSs all linked together, and you had to protect them from a bunch of security professionals. I imagine these "pros" probably weren't hard-core hackers, and given that, I'm not sure what the value of the exercise was. These "pros" as you said are actually professional flown in from around the country who either are partners in consulting companies or just a level below that. Everyone on the red team does it for a living at the national level and certainly is not a bunch of non hardcore hackers who said o lets have fun. But then again what do i know, I was on the red team.

Re:Not sure what this proves

[luaplevap]

Usually competitions like this are in "Which OS is most secure" kinds of settings, where the ostensible purpose is to find out which OS is the most secure. However, in this case, you had you had a bunch of different OSs all linked together, and you had to protect them from a bunch of security professionals. I imagine these "pros" probably weren't hard-core hackers, and given that, I'm not sure what the value of the exercise was. These pros won't have anything in their arsenal that everybody doesn't already know about it (at least, if they're studying computer security, they *ought* to know about it), and so we're basically left with (and this is something the article mentions) a bunch of people changing their conf files as fast as possible. If you ask me, they should six Eastern Europeans and North Koreans, and offer them $10,000 for every box they own. If the teams box doesn't get owned, they get the ten grand. Simpler, more interesting, and far more realistic. being both from eastern europe and also a decent hacker, I like that idea

Re:Not sure what this proves

[menace3society]

Oh, so you make your living breaking into systems and either selling the information you find, or exploiting it directly to get rich?

My point wasn't that they didn't hire security professionals, or that they didn't hire people who knew how to break into systems. They hired people who don't break into systems professionally, and that's what you'll be up against in the real world. It's like putting Home Guardsmen on the front line.

Re:Not sure what this proves

[thelordzero]

actually pretty much everyone makes a living off of the profession. That being said I was completly humbled by the team that was assembled and learned alot being there with them. Team Hilarious was great.

Re:Not sure what this proves

[not_hylas(+)]

Didn't We Trash This Last Year?
Elite Network Counter Strike Force pwn Teens:

http://it.slashdot.org/comments.pl?sid=227039&cid=18391373 ... fun aside, it does sound as if they've/you all attempted to adjust the rules somewhat.

Re:Not sure what this proves

[menace3society]

I'm sure they do, and I'm sure they're very talented. But, my point is, they don't make their money through technical exploits. They do audits and maybe even some white-hack attempts at penetration, but they aren't real cyber-criminals like in the Real World (tm).

If I'm mistaken, please correct me. Also, see what kind of havoc you can cause next year by flooding the pipes with useless data. If the box is too busy serving bogus requests and it drops some legit ones, that counts as service outage, right?

Re:Not sure what this proves

[thelordzero]

not my place to comment on white hat or not and i certainly wouldnt name anyone on the team. not my place at all. the guys on the team are the ones who can write the sploits on the fly when needed. The team lead is a guy who knows his stuff in and out as does the rest of the guys who flew in. Also flooding a connection is forbidden for the most part. I know since I had a perfect sploit lined up for one of the servers that would of DOS'ed it easily but the red teams hands were tied on that point. But yes if the server couldnt respond its a service outage. Some teams did that enough just by themselves (dam those ASA cables ehh? ;) )

Re:Not sure what this proves

[TXISDude]

I have been to these events, and have experience in "the real world". And what does this event prove? It is an exercise designed to test student groups ability to work together as an IT department from a security perspective, and operational perspective in a simulated real world business environment. I agree theoretically that when you take over a network that has deficiencies that it would be "nice" to be able to disconnect, fix it and then reconnect to the internet - but in the real world, try telling your boss that email will be down, that e-commerce will be down, etc. . . you will quickly learn that the real world doesn't share the techie view of taking things off-line to fix them. So, you have to fix them on the fly. This is one of the most realistic aspects of this challenge - find and fix the security issues, while still keeping the systems up and running and answering management demands (the sysadmin part). Sounds simple until you try - the added dimension of finding and repairing problems while maintaining up-time makes this much harder than they typical CTF game. As for the Red Team chops, can't vouch for any of the regionals, but the finals uses a team that would impress the Defcon crowd, the bosses from China or Korea, and any realistic measure of professional hacker. Why do this: to train students to become better IT professionals when they graduate. And to work as a team - which is necessary in today's business environment. Kudos to all who tried, for in the end, they all are winners.

RIT

[Digi-John]

I'm just happy to see that my school (RIT) made it to the finals. Didn't even know we had a team.

In a previous life ..

[clint999]

In a previous life this is something I did with government networks on a daily basis .. as I'm sure most slashdotter's have done.

Re:In a previous life ..

[clint999]

nothing to see here, move along

from a Red Team member perspective....

[thelordzero]

Well this competition was actually a great one. I was one of the red team members for the nationals (and also the only person to have gone from a regional team captain to the national red team). The competition was very close to the very end with only a few subtle mistakes being made as of the second day. The run down is usually like this for the red team: Day 1: Boxes are extremly vulnerable and red team had a hayday with easily found exploits. We set some backdoors and have some fun with the servers. Looking for customer data that is stored on them. Day 2: Teams have patched most boxes and taken care of most of the vulns out there. Red team goes after websites finding exploits for the most part since boxes are locked down other than holes we inserted ourselves. Default passwords on ecommerce sites are usually one of the last things to change. Day 3: Boxes and teams are finally pretty locked down. Some last holes are left over from the red team. Nessus and Core Impact and other tools are worthless at this point at the latest (if not midday saturday). This day red team is pretty much just having fun, especially the team lead, Dave with his laughing that echos down the halls making the other teams nervous. In all every team did a great job. Everyone learned alot (heck I learned alot red teaming with some of these guys). Stupid mistakes were made by every team and we (the red team) loved the teams for it. Can't wait to come back next year and seeing what the teams will do then.

Someone hasn't played UT...

[bigstrat2003]

Clearly, the submitter is an FPS noob who doesn't know that it's "capture", not "steal", the flag! ;)

steal the flag? wth

[Tpl2000]

urgh....It's called CAPTURE THE FLAG!! oh come on....

Re:steal the flag? wth

[lisah]

Heh....you're right! Hey, it's been a while since I played. :-)

Re:CTF LOL!

[Ethanol-fueled]

Or insert "flags" into suspect customers...

More of a System Administration Challenge (SAC!)

[infiniteedge]

I led a team that competed in one of the qualifiers and found the competition extremely wanting. It's more of an arcane system administration challenge rather than anything about security. Some responses to the competition are collected at my lab's blog here: http://isisblogs.poly.edu/2008/02/29/pre-neccdc/ (see the comments)

Re:More of a System Administration Challenge (SAC!

[thelordzero]

This competition is about best defending a network in as short a time as possible. Each region creates its own scenario independent from the national level and it creates different levels of fun and realism for the teams. In essence this competition is realistic from a sys admin point of view and thats mainly the people who will be admining these system. Once again I say this as a red team point of view and that of someone who was team captain of the UTSA team this year (the hosts of the national competition every year).

Re:I can beat all of them to secure my network...

[Cedric+Tsui]

You can also build a plane that will never crash by filling the gastanks with cement so it will never fly. But, you have to ask if it's still a plane.

Re:God damn, revert this comments system already

[Sancho]

I like the new comments. Among other things, it means that my subscriber page views go a lot farther.

Re:CTF LOL!

[Ihmhi]

Oh, it certainly feels like Comcast is inserting something into customers...

Re:More of a System Administration Challenge (SAC!

[fatigue909]

I led a team that competed in one of the qualifiers and found the competition extremely wanting. It's more of an arcane system administration challenge rather than anything about security. Some responses to the competition are collected at my lab's blog here: http://isisblogs.poly.edu/2008/02/29/pre-neccdc/ (see the comments) I agree with you completely. I was a captain for a team that made it to the finals the first year they held nationals. The majority of business injects are related to system administration. Most of the strategies to win involve patching quickly and changing stupid defaults (among other things). However, I don't complain too much because it is a fun experience. Also, I haven't come up with better "rules" for the game. One of the biggest challenges was to devise a security competition that didn't promote hacking. That makes bad press and also makes it very difficult to obtain corporate sponsorship.

Re:More of a System Administration Challenge (SAC!

[infiniteedge]

Of course you had fun! You were on the Red team and you got to abuse groups of college students for a weekend! At least for the region we were in, the competition is NOT about how to best defend a network in as short a time as possible. It was about blindly following arbitrary rules and being a system administrator.

Re:More of a System Administration Challenge (SAC!

[thelordzero]

To be fair, I was red team at nationals (albeit I was humlbed greatly by the rest of the red team), I was the team captain for UTSA at regionals this year. I've seen it from the blue team, white team and red team viewpoint. Blue is the most frustrating I do say but in the end I've always walked away having learned something.

That should be the immediate first step

[peccary]

No systems should be networked until they are properly configured. If somebody hands you a crap infrastructure full of holes, the first thing to do is shut down as much internetworking as you possibly can get away with.

Re:That should be the immediate first step

[TheLink]

Which is why these competitions have about as much relation to "security for real world systems" as F1 racing has to real life goods delivery.

Red Vs Blue ?

[UberHoser]

Ok I call shotgun !

Who was caboose ?