Slashdot Mirror


NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net)

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks this year will receive a "small token" of appreciation from the agency.
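The submission above says this year's challenge is built around MQTT, which is worth a closer look for the network-analysis part. What follows is an added example, not code from the Slashdot summary or from the NSA challenge materials: a minimal MQTT 3.1.1 decoder that splits a reassembled TCP stream into control packets and pulls the fields an analyst cares about out of CONNECT and PUBLISH. The byte stream it parses is constructed here (a hypothetical client "plc-01" with invented credentials, followed by one QoS 1 PUBLISH to an invented topic). The security point: on the plain port 1883 the CONNECT packet carries username and password in the clear, so if this decoder can read them from a capture, anyone on the path could too; the TLS port (8883) is the only thing that changes that.

```python
"""Minimal MQTT 3.1.1 decoder for offline analysis of a captured broker stream.

Added example; the packets below are constructed, not captured from any system.
"""
import struct

PACKET_TYPES = {1: "CONNECT", 2: "CONNACK", 3: "PUBLISH", 4: "PUBACK",
                8: "SUBSCRIBE", 9: "SUBACK", 12: "PINGREQ", 13: "PINGRESP",
                14: "DISCONNECT"}


def decode_remaining_length(buf, offset):
    """Decode the 1-4 byte 'remaining length' field: 7 data bits per byte,
    high bit set means another byte follows. Returns (length, next_offset)."""
    value, multiplier = 0, 1
    for _ in range(4):
        byte = buf[offset]
        offset += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, offset
        multiplier *= 128
    raise ValueError("malformed remaining length (more than 4 bytes)")


def read_binary(buf, offset):
    """Read a 2-byte big-endian length prefix followed by that many bytes."""
    (length,) = struct.unpack_from(">H", buf, offset)
    start = offset + 2
    if start + length > len(buf):
        raise ValueError("length-prefixed field runs past end of packet")
    return buf[start:start + length], start + length


def read_string(buf, offset):
    """MQTT strings are length-prefixed UTF-8 (topic, client id, username)."""
    raw, offset = read_binary(buf, offset)
    return raw.decode("utf-8"), offset


def parse_packet(packet):
    """Parse one control packet (fixed header + body) into a dict."""
    ptype, flags = packet[0] >> 4, packet[0] & 0x0F
    remaining, offset = decode_remaining_length(packet, 1)
    body = packet[offset:offset + remaining]
    if len(body) != remaining:
        raise ValueError("truncated packet")
    info = {"type": PACKET_TYPES.get(ptype, ptype)}
    if ptype == 1:  # CONNECT: variable header, then client id and optional fields
        info["protocol"], off = read_string(body, 0)
        info["level"], connect_flags = body[off], body[off + 1]
        (info["keepalive"],) = struct.unpack_from(">H", body, off + 2)
        off += 4
        info["client_id"], off = read_string(body, off)
        if connect_flags & 0x04:          # will flag
            info["will_topic"], off = read_string(body, off)
            info["will_message"], off = read_binary(body, off)
        if connect_flags & 0x80:          # username flag
            info["username"], off = read_string(body, off)
        if connect_flags & 0x40:          # password flag: sent in the clear without TLS
            raw, off = read_binary(body, off)
            info["password"] = raw.decode("utf-8", "replace")
    elif ptype == 3:  # PUBLISH: topic, packet id if QoS > 0, then application payload
        qos = (flags & 0x06) >> 1
        info["topic"], off = read_string(body, 0)
        info["packet_id"] = None
        if qos > 0:
            (info["packet_id"],) = struct.unpack_from(">H", body, off)
            off += 2
        info.update(qos=qos, retain=bool(flags & 0x01), dup=bool(flags & 0x08),
                    payload=body[off:])
    return info


def iter_packets(stream):
    """Split a reassembled TCP stream into MQTT control packets."""
    offset = 0
    while offset < len(stream):
        remaining, body_start = decode_remaining_length(stream, offset + 1)
        end = body_start + remaining
        if end > len(stream):
            raise ValueError("stream ends mid-packet")
        yield parse_packet(stream[offset:end])
        offset = end


def credentials_in_clear(packets):
    """Every CONNECT whose password this decoder can read was readable on the wire."""
    return [(p["client_id"], p.get("username"), p["password"])
            for p in packets if p["type"] == "CONNECT" and "password" in p]


# Constructed sample stream (hypothetical client "plc-01", invented credentials):
# CONNECT with username+password, keepalive 60, followed by a QoS 1 PUBLISH.
SAMPLE_STREAM = (
    b"\x10\x25"                           # CONNECT, remaining length 37
    b"\x00\x04MQTT\x04\xc2\x00\x3c"       # protocol name, level 4, flags, keepalive
    b"\x00\x06plc-01"                     # client id
    b"\x00\x08operator"                   # username
    b"\x00\x07hunter2"                    # password
    b"\x32\x1d"                           # PUBLISH, QoS 1, remaining length 29
    b"\x00\x15scada/pump/1/setpoint"      # topic
    b"\x00\x01"                           # packet identifier
    b"OPEN"                               # payload
)

if __name__ == "__main__":
    pkts = list(iter_packets(SAMPLE_STREAM))
    for p in pkts:
        print(p)
    print("cleartext credentials:", credentials_in_clear(pkts))
```

Feed it the payload bytes of a reassembled 1883 stream (for example the output of a `tcp.stream` follow in Wireshark, saved raw) and `credentials_in_clear` lists every client that authenticated in plaintext; PUBLISH topics and payloads then show which tags were written and by whom, which is the starting point for the "find the attack vector" part of the exercise.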

53 comments

  1. Infrastructure by AmiMoJo · · Score: 2, Insightful

    Can we teach people to repel state level attacks on our internet infrastructure?

    Like GCHQ before, it's weird when these agencies act like they weren't caught breaking the law on an unprecedented scale.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Infrastructure by Anonymous Coward · · Score: 0

      When someone loves their country, they will act accordingly. What you are asking for amounts to free work, which is not relevant to a capitalist society such as our own.

    2. Re:Infrastructure by Anonymous Coward · · Score: 0

      The problem isn't that they're breaking the law, the problem is that that kind of mass surveillance is a technical possibility.

    3. Re:Infrastructure by Anonymous Coward · · Score: 1

      I'm British and I love my country.

      That's why I will never work for GCHQ.

  2. They left out one important detail by Anonymous Coward · · Score: 0

    It must be coded in Visual Basic, to make one helluva entertaining story.

  3. You must be bonkers to participate by Rosco+P.+Coltrane · · Score: 3, Insightful

    People who choose to take part will have their name permanently on the NSA's watch list for dangerous hackers - and potentially, on some terrorist watch list, or the TSA's no-fly list also.

    Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re: You must be bonkers to participate by nehumanuscrede · · Score: 3, Insightful

      Nah.

      These are the sorts of folks they'll actively seek to recruit.

      Because if you can successfully attack their scenario, you can likely do it in the real world against an NSA target of choice.

    2. Re:You must be bonkers to participate by Anonymous Coward · · Score: 0

      The best of intentions can be expected to work against themselves. If your guidance is to abstain, then you're a great devil's advocate. I'd still rather give the blissfully unaware a hug than kiss the enemy that's soon to eat shit and die.

      Why shouldn't I work for the N.S.A.? That's a tough one, but I'll take a shot. Say I'm working at N.S.A. Somebody puts a code on my desk, something nobody else can break. Maybe I take a shot at it and maybe I break it. And I'm real happy with myself, cause I did my job well. But maybe that code was the location of some rebel army in North Africa or the Middle East. Once they have that location, they bomb the village where the rebels were hiding and fifteen hundred people I never met, never had no problem with, get killed. Now the politicians are sayin', "Oh, send in the Marines to secure the area" cause they don't give a shit. It won't be their kid over there, gettin' shot. Just like it wasn't them when their number got called, cause they were pullin' a tour in the National Guard. It'll be some kid from Southie takin' shrapnel in the ass.

      And he comes back to find that the plant he used to work at got exported to the country he just got back from. And the guy who put the shrapnel in his ass got his old job, cause he'll work for fifteen cents a day and no bathroom breaks. Meanwhile, he realizes the only reason he was over there in the first place was so we could install a government that would sell us oil at a good price. And, of course, the oil companies used the skirmish over there to scare up domestic oil prices. A cute little ancillary benefit for them, but it ain't helping my buddy at two-fifty a gallon.

      And they're takin' their sweet time bringin' the oil back, of course, and maybe even took the liberty of hiring an alcoholic skipper who likes to drink martinis and fuckin' play slalom with the icebergs, and it ain't too long 'til he hits one, spills the oil and kills all the sea life in the North Atlantic. So now my buddy's out of work and he can't afford to drive, so he's got to walk to the fuckin' job interviews, which sucks cause the shrapnel in his ass is givin' him chronic hemorrhoids. And meanwhile he's starvin', cause every time he tries to get a bite to eat, the only blue plate special they're servin' is North Atlantic scrod with Quaker State.

      So what did I think? I'm holdin' out for somethin' better. I figure fuck it, while I'm at it why not just shoot my buddy, take his job, give it to his sworn enemy, hike up gas prices, bomb a village, club a baby seal, hit the hash pipe and join the National Guard? I could be elected president.

    3. Re: You must be bonkers to participate by Anonymous Coward · · Score: 0

      Nah.

      These are the sorts of folks they'll actively seek to recruit.

      Because if you can successfully attack their scenario, you can likely do it in the real world against an NSA target of choice.

      Grandparent's statement still holds:
      "Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't."

    4. Re:You must be bonkers to participate by bill_mcgonigle · · Score: 1

      have their name permanently on the NSA's watch list for dangerous hackers

      Or if not, on their employee list. But perhaps that's tautological. And who would want to anyway?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:You must be bonkers to participate by Anonymous Coward · · Score: 0

      Or they will be on a watch list for high academic performers to recruit early as a talent pool.

      Sometimes expectations are a self-fulfilling prophecy. If you expect negative, you act defensively, and induce a defensive counter-reaction. If you expect good, you react positively, and induce a positive counter-reaction.

      Most people are generally good. The people who work in government, your party or the other guys, are not automatically evil or good by party affiliation.

    6. Re:You must be bonkers to participate by Anonymous Coward · · Score: 0

      Had this same thought. Made me think of the time the CIA kept trying to get my friend in college to sign up. He thought they were all criminals, but didn't want to tell them that for this reason. In the end he feigned disinterest and they finally stopped contacting him.

      Schneier wrote a good article about how the NSA and CIA recruiting is largely dependent on loyalty, patriotism, and trust. Trust which NSA destroyed when they tapped the backbone and sacrificed the values they purport to defend.

      Here we can see this distrust in action.

    7. Re:You must be bonkers to participate by sgt_doom · · Score: 1

      You got it!

    8. Re:You must be bonkers to participate by Anonymous Coward · · Score: 0

      9-11 was an inside job. ae911truth dot org

  4. Ob by Hognoxious · · Score: 1

    There you are. They'll cut through any common metal and they're barely an ounce each, including the blade.

    You did ask for some light hacksaws, right?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  5. "small token" of appreciation by turkeydance · · Score: 1

    a job?

    1. Re:"small token" of appreciation by Anonymous Coward · · Score: 0

      a job?

      Not just that, but also "An Adventure!"

    2. Re:"small token" of appreciation by Anonymous Coward · · Score: 0

      A spot on the watch list.

    3. Re:"small token" of appreciation by Actually,+I+do+RTFA · · Score: 1

      I believe 20/10 vision is required for flying jets.

      I'm sure the token of appreciation is an introduction to a contractor the NSA uses that can pay more than G-rating, which will lead to an immediate offer.

      --
      Your ad here. Ask me how!
    4. Re:"small token" of appreciation by Anonymous Coward · · Score: 0

      Fighter jets. ISTR that the requirements were relaxed for non-fighter pilots, but I see no mention of that now.

      20/10 vision is exceptionally good vision – I'd wager almost nobody has vision that good. AFROTC web site says 20/40 uncorrected near vision for fighter pilots and no hay fever. Both of those would have eliminated me.

  6. JUNIOR CODEBREAKER ALERT by Anonymous Coward · · Score: 1

    The first lesson to learn is:

    Only stupid people connect a critical SCADA infrastructure system to a public network.

    Your mission, should you choose to accept it, is to tell the world that these people should be put in prison.

    Good luck, Jim.

  7. Alternative proposition: by Gravis+Zero · · Score: 1

    How about someone just turn off as many lights as possible until the NSA does their job? ;)

    --
    Anons need not reply. Questions end with a question mark.
  8. Simple solution: unplug it by mveloso · · Score: 1

    If your SCADA system is under attack from the Internet side, the way you mitigate it is by disconnecting the Internet. Why is your SCADA system connected to the Internet in the first place?

    1. Re:Simple solution: unplug it by Anonymous Coward · · Score: 0

      Wrong answer. The solution is to make your SCADA system safe to connect to the internet. Maybe you were not born at the time, but a few years ago dial-up modem connections to the internet were very unsafe by today's standards. With what we know now, our personal computers were wide open for remote access with zero lines of defense against the internet. Did we mitigate it by disconnecting the Internet? Hint: today you're still able to browse the internet. What's your thought about what we did to fix it?

  9. 3 purposes by Anonymous Coward · · Score: 0

    NSA Launches 'Codebreaker Challenge' ...

    Institutionalized thinking isn't working so the NSA is tapping into hacker free-form thinking to create/discover the next zero-day exploit.

    ... a reverse-engineering challenge ...

    Think stuxnet: A virus that camouflaged itself so perfectly, it wasn't discovered in its natural habitat. This creates a problem for the attacker: A weapon so precise that it can be used against them. Obviously, they need people to detect such weapons. This event is job training and an employment exam.

  10. Start at the data diodes, go from there by ka9dgx · · Score: 5, Interesting

    The first thing is to do a traffic analysis of the data that has transited the outbound data diode. Look for unusual destinations. Then work backwards to see what system generated that data. Then start searching all of the computers for rogue USB devices or other media carried into the office. Actual fingerprints may help catch the culprit, if it wasn't a staff member who was social engineered into using the device.

    Remove the hard drives from any affected systems, and do a bare metal restore from the most recent trusted backup. Then use the delta backups to bring things to a reasonably current state.

    There should be no physical way for internet traffic to get inbound into the system, as it should be air-gapped except for the data diode. As we all know, a data diode has no physical inbound connection, and is thus secure.

    If there isn't a data diode, start questioning the qualifications of the existing IT staff and engineers.
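The triage ka9dgx describes (look at what crossed the outbound diode, flag unusual destinations, then work back to the host that generated it) is straightforward to script once the diode's sender side or an egress sensor exports flow records. The block below is an added example, not from the comment or from the challenge: it aggregates outbound flows per (source host, destination, port), flags anything outside a baseline of expected destinations, and totals the flagged bytes per originating host. The flow records, host names, addresses and the baseline are all constructed (external addresses are from the RFC 5737 documentation ranges). The reasoning behind the check: a diode stops inbound traffic, but an attacker who is already inside can only exfiltrate through the one outbound path it permits, so that path is where the evidence has to be.

```python
"""Outbound-flow triage for a diode-fed network. Added example; all data is constructed."""
import ipaddress
from collections import defaultdict

# Constructed outbound flow records as an egress sensor might export them
# (not from any real network): timestamp, source host, dst ip, dst port, bytes out.
FLOWS = [
    ("2017-09-15T21:00:01Z", "historian-01", "10.20.0.5",     1433, 48000),
    ("2017-09-15T21:00:07Z", "hmi-02",       "10.20.0.9",      443,  1200),
    ("2017-09-15T21:02:13Z", "hmi-02",       "203.0.113.77",  8883,  9400),
    ("2017-09-15T21:02:19Z", "hmi-02",       "203.0.113.77",  8883, 31000),
    ("2017-09-15T21:05:00Z", "eng-ws-04",    "198.51.100.23",   53,   620),
    ("2017-09-15T21:05:01Z", "historian-01", "10.20.0.5",     1433, 52000),
]

# Baseline (assumed): the only destinations the outbound path is supposed to feed,
# e.g. the corporate historian mirror and a patch relay.
KNOWN_DESTINATIONS = {("10.20.0.5", 1433), ("10.20.0.9", 443)}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def unusual_destinations(flows, known=KNOWN_DESTINATIONS):
    """Aggregate flows that fall outside the baseline, largest byte count first.

    Anything not in the baseline is reported; an address outside the internal
    ranges is tagged 'external', an unexpected internal one 'not in baseline'.
    """
    totals = defaultdict(lambda: {"bytes": 0, "flows": 0, "first_seen": None})
    for ts, src, dst, port, nbytes in flows:
        if (dst, port) in known:
            continue
        entry = totals[(src, dst, port)]
        entry["bytes"] += nbytes
        entry["flows"] += 1
        entry["first_seen"] = entry["first_seen"] or ts
    findings = []
    for (src, dst, port), agg in totals.items():
        findings.append({"src": src, "dst": dst, "port": port,
                         "reason": "not in baseline" if is_internal(dst) else "external",
                         **agg})
    return sorted(findings, key=lambda f: f["bytes"], reverse=True)


def suspect_sources(findings):
    """Work backwards: total flagged bytes per originating host, largest first."""
    per_host = defaultdict(int)
    for f in findings:
        per_host[f["src"]] += f["bytes"]
    return dict(sorted(per_host.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    found = unusual_destinations(FLOWS)
    for f in found:
        print(f"{f['src']} -> {f['dst']}:{f['port']} {f['bytes']} B over "
              f"{f['flows']} flow(s), first {f['first_seen']} ({f['reason']})")
    print("hosts to image next:", suspect_sources(found))
```

The host at the top of `suspect_sources` is the one to pull the drive from and search for the USB device or other carry-in media the comment mentions; the per-destination `first_seen` timestamp bounds the window to search in. Note that this only covers what crossed the permitted path; it says nothing about whether the compromise survives in firmware, which a disk-level restore alone does not address.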

    1. Re:Start at the data diodes, go from there by Anonymous Coward · · Score: 0

      ... no physical way for internet traffic to get inbound ...

      Modern calculating machines provide an easy way to capture, store, calculate, disseminate and print information. That requires a certain level of connectivity: Now the IT staff can spend their time burning information to DVD and sneaker-netting it from subnet to subnet, but the rise of big data and endless searches makes that impractical for most corporations.

      Go back to your ivory tower.

      ... rogue USB devices or other media ...

      It is the point of virii that they spread after the original vector or source is gone.

      ... do a bare metal restore ...

      If the virus can store itself in embedded controllers, the router/printer firmware, or even the motherboard's IME, a clean HDD and install won't remove the virus. Worse, without an original copy of their firmware or controller memory, you won't know it's there.

    2. Re:Start at the data diodes, go from there by blackhedd · · Score: 2

      All good thoughts and quite correct.

      Practical questions: how many SCADA systems do you know that actually have data diodes? There's decent penetration of this technology in electric-power transmission/distribution and a certain amount in O/G upstream. Manufacturing/pharma/connected infrastructure/other sectors, not so much.

      How much would you spend to secure a SCADA installation with data diodes? To a different poster, how about the spend (both capex and opex) for site-to-site VPN? This can make a lot of sense in enterprise networks where the ratio of connected devices to defensible network chokepoints is high. But with SCADA, what if your OT is highly distributed across physical space, and perhaps with sporadic networking and few IT-savvy personnel (oilfields, substations, smaller manufacturing facilities)? What if you're a company like a major automaker, for whom even $1000 is a lot to spend on a piece of technology that you'll have to replicate and manage across a huge global footprint?

      How about the personnel problem? SCADA systems are generally managed by OT people. When they see IT people bearing gifts like data diodes, their first response in many places is to say "get your security stuff out of my production network before your latencies and your false positives disrupt my processes and violate my safety rules!" Then you say "but... security!" And they say "We're already airgapped here. We've been running SCADA since before you amateurs even had TCP/IP. We've never had a breach and never will." And then you say "but... what about that unsecured wireless access point right over there?" At this point, the OT guys will often start throwing things at you.

      My point comes down to: doing this at scale is harder than it looks. The correct starting points are: first, get a C-level to knock heads together until the OT guys start listening to the IT-sec guys; and then do a standard risk/impact assessment to identify the systems at the top of the criticality list. Then you put the data diodes into those places, for a start. (In electric power companies subject to NERC compliance, you'll generally find that all of this has been done already for the CIP-high locations.)

      To bring it back to what NSA are doing: it's valid to question their motives but keep in mind that a good chunk of their mission does involve network defense. (VADM Tighe, who used to be the deputy commander of US Cybercom, referred to this in her remarks last week about the McCain incident.)

      It's also valid to question the ability of that other group of people, DHS, with a more explicit charter to keep the national infrastructure safe. For years, it's been hard to get these groups to talk effectively, but I would say this problem is really starting to get a little better these days. With that, I don't mean to suggest that the data sharing problem is close to resolution, because it's not. But as I say, I do believe some progress is now being made.

    3. Re:Start at the data diodes, go from there by Anonymous Coward · · Score: 0

      No, the best way is to 1) collect the biggest shit-tonne of data that you possibly can by overloading the taxpayers and spying on every single one of them. You will need to do this for at least 20 years before you will have enough data. Step 2)

  11. Here's another challenge ... by CaptainDork · · Score: 2

    ... Which student(s) can paint a wall on my house the fastest?

    A small token of appreciation will be given to the winner(s) once the house is painted.

    --
    It little behooves the best of us to comment on the rest of us.
    1. Re:Here's another challenge ... by Anonymous Coward · · Score: 0

      "painting with explosives"... google it.

  12. Modern hacking techniques by manu0601 · · Score: 1

    The reverse engineering lectures page lists "Modern Vulnerability Exploitation": stack and heap overflow, format strings. Yeah, modern!

  13. No no no no no by Anonymous Coward · · Score: 0

    I don't connect our SCADA system to the internet.
    I don't connect my WAPs to their "cloud management"
    I don't allow my IPMI / iDRAC to connect to the internet.
    Users, they are the only internet vector and have zero access to our critical system LANs.

    How do I get any work done?
    Happily knowing my systems are safe and OK, yeah I can't be lazy and punch the UPDATE button (and who in their right mind does that without putting the box in a lab first?)

    1. Re:No no no no no by BlueStrat · · Score: 1

      OK, yeah I can't be lazy and punch the UPDATE button (and who in their right mind does that without putting the box in a lab first?)

      Equifax?

      [ducks]

      Strat :)

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  14. How the other works on the US mil need for skills by AHuxley · · Score: 1

    Re: "... and stop the bad guy(s)/gal(s)/other(s)."
    The other floods your nation with their trusted people over many decades.
    Every few decades later their trusted, skilled, cleared next generation fills your most advanced, sensitive and trusted university courses.
    Apply for education that feeds your most sensitive mil/gov/clandestine work.
    Some really rise up the ranks.
    Stand next to very best US mil cryptographers in real time.
    https://en.wikipedia.org/wiki/...
    Other nations don't need billions to fund network security projects. They just wait to see who got more clearance deeper into the US clandestine services over decades.
    They spend their billions in working out how to get the US to trust and advance their most trusted staff.
    The US spends billions on fancy new collect it all networks every decade, the other spent their billions placing human spies in the US every few decades.
    Networks change, funding changes, the best spies just stay on and get promoted into the next more secret project.
    The "other" is a few decades' worth of a trusted supervisor, boss, that contractor, a party political think tank, that demand for one trusted private sector no bid policy.
    In place for decades and shaping US crypto policy.
    They helped fund and designed your most secure networks.
    While the US was distracted by collect it all global network success stories for decades, other nations spent their funds on placing trusted human spies all over the USA.
    Occasional defectors with amazing stories helped over the years build on the myth of collect it all spending being the winning policy.

    --
    Domestic spying is now "Benign Information Gathering"
  15. Equifax should hire... by Anonymous Coward · · Score: 0

    one of those 5th graders.

  16. I crashed a bunch of Iranian machinery.. by Anonymous Coward · · Score: 0

    .. and all I got was this stupid T-shirt.

  17. Wrong answer, NSA person by mveloso · · Score: 1

    No, that is not the right answer.

    If you need third-party access to your SCADA system, use a site-to-site VPN with a whitelist. Plus, lock down and at least whitelist access to the SCADA system.

    Your answer is exactly why security is fucked up. There are vulnerabilities that you may not know about. Do you really want to put that online? Only if you're a retard.

    1. Re:Wrong answer, NSA person by Anonymous Coward · · Score: 0

      That's odd. How come you are browsing Slashdot relatively safely without using a VPN then? I've just explained to you that before we secured our modems, connecting your computer to the internet was not any safer than SCADA today.

      Only if you're a retard.

      https://en.wikipedia.org/wiki/Ad_hominem
      is where an argument is rebutted by attacking the character, motive, or other attribute of the person making the argument, or persons associated with the argument, rather than attacking the substance of the argument itself.

    2. Re: Wrong answer, NSA person by Anonymous Coward · · Score: 0

      Nice strawman

  18. Solved it! by Anonymous Coward · · Score: 0

    Disconnect these systems from the Internet. There, solved that for you. Where do I go to collect my prize?

  19. Re:Trump will sell access to Putin and cover it up by Anonymous Coward · · Score: 0

    Faggot you don't even have a checkbook, you Trumpies are living on borrowed time. See you in prison - or under it.

  20. several .gov comment lines are down by Anonymous Coward · · Score: 0

    Whitehouse.gov no longer takes comments. Their web-form is damaged.
    NSA web server for comments is down.

    Is there a chance that Silicon Valley screwed the new administration's ability to communicate, but either hid it from the administration, or the administration is so technically illiterate that it can't tell it has happened?

    An IT person who was moderately capable and very angry that Trump won could engineer the website so it looked okay when viewed from particular domains, or a percentage of the time, but cut off other domains, or randomly threw away some significant percentage of feedback. If that IT person knew higher value specific feedback sources, but the administration did not, those could be selectively rejected. Filtering could be by particular time of day (not working hours), particular geography (rust-belt), or particular system type (older vs. newer, cheap vs. expensive).

  21. In other words . . . by sgt_doom · · Score: 1

    . . . NSA has embezzled all those billions they receive every year, and doesn't have any money left to hire any top people, so they want free mental labor!

  22. NSA FAILED TO STOP SPY RING! by Anonymous Coward · · Score: 0

    Petreus / McCain
    Army Research labs
    Navy Research Labs

    KKR Pakistani ISI embedded into

    CENTCOM
    STATE DEPT
    HOUSE
    SENATE

    123@mail.house.gov (one example of this shit, and it is SHIT!)
    Oh what's that they want to make a DEAL with Awans? You don't even have a fucking mug shot of Rao Abbas motherfuckers!!!

    Why the fuck don't the NSA tell us who these FAKE pieces of SPY SHIT ARE.
    You know OPM id them and FBI background check them.

    COMEON YOU TRAITORS who the fuck are these fake foreign people working in our most fucking classified communications!?

    Iman Awan
    Hina Alvi
    Abid Awan
    Natalia SOba
    Jamal Awan
    Rao Abbas

  23. Students? by geekoid · · Score: 1

    Yeah, ignore those of us who have been doing security for decades involving SCADA; get the student!

    How about people who make those decisions actually listen to security experts?

    --
    The Kruger Dunning effect explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect