Slashdot Mirror

← Back to Stories (view on slashdot.org)

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net)

Posted by EditorDavid on from the extracurricular-activities dept.

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.
Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.

21 of 53 comments (clear)

  1. Infrastructure by AmiMoJo · · Score: 2, Insightful

    Can we teach people to repel state level attacks on our internet infrastructure?

    Like GCHQ before, it's weird when these agencies act like they weren't caught breaking the law on an unprecedented scale.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:Infrastructure by Anonymous Coward · · Score: 1

      I'm British and I love my country.

      That's why I will never work for GCHQ.

  2. You must be bonkers to participate by Rosco+P.+Coltrane · · Score: 3, Insightful

    People who choose to take part will have their name permanently on the NSA's watch list for dangerous hackers - and potentially, on some terrorist watch list, or the TSA's no-fly list also.

    Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re: You must be bonkers to participate by nehumanuscrede · · Score: 3, Insightful

      Nah.

      These are the sorts of folks they'll actively seek to recruit.

      Because if you can successfully attack their scenario, you can likely do it in the real world against an NSA target of choice.

    2. Re:You must be bonkers to participate by bill_mcgonigle · · Score: 1

      have their name permanently on the NSA's watch list for dangerous hackers

      Or if not, on their employee list. But perhaps that's tautological. And who would want to anyway?

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:You must be bonkers to participate by sgt_doom · · Score: 1

      You got it!

  3. Ob by Hognoxious · · Score: 1

    There you are. They'll cut through any common metal and they're barely an ounce each, including the blade.

    You did ask for some light hacksaws, right?

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  4. "small token" of appreciation by turkeydance · · Score: 1

    a job?

    1. Re:"small token" of appreciation by Actually,+I+do+RTFA · · Score: 1

      I believe 20/10 vision is required for flying jets.

      I'm sure the token of appreciation is an introduction to a contractor the NSA uses that can pay more than G-rating, which will lead to an immediate offer.

      --
      Your ad here. Ask me how!
  5. JUNIOR CODEBREAKER ALERT by Anonymous Coward · · Score: 1

    The first lesson to learn is:

    Only stupid people connect a critical SCADA infrastructure system to a public network.

    Your mission, should you choose to accept it, is to tell the world that these people should be put in prison.

    Good luck, Jim.

  6. Alternative proposition: by Gravis+Zero · · Score: 1

    How about someone just turn off as many lights as possible until the NSA does their job? ;)

    --
    Anons need not reply. Questions end with a question mark.
  7. Simple solution: unplug it by mveloso · · Score: 1

    If your SCADA system is under attack from the Internet side, the way you mitigate it is by disconnecting the Internet. Why is your SCADA system connected to the Internet in the first place?

  8. Start at the data diodes, go from there by ka9dgx · · Score: 5, Interesting

    The first thing is to do a traffic analysis of the data that has transited the outbound data diode. Look for unusual destinations. Then work backwards to see what system generated that data. Then start searching all of the computers for rogue USB devices or other media carried into the office. Actual fingerprints may help catch the culprit, if it wasn't a staff member who was social engineered into using the device.

    Remove the hard drives from any affected systems, and do a bare metal restore from the most recent trusted backup. Then use the delta backups to bring things to a reasonably current state.

    There should be no physical way for internet traffic to get inbound into the system, as it should be air-gapped except for the data diode. As we all know, a data diode has no physical inbound connection, and is thus secure.

    If there isn't a data diode, start questioning the qualifications of the existing IT staff and engineers.

    1. Re:Start at the data diodes, go from there by blackhedd · · Score: 2

      All good thoughts and quite correct.

      Practical questions: how many SCADA systems do you know that actually have data diodes? There's decent penetration of this technology in electric-power transmission/distribution and a certain amount in O/G upstream. Manufacturing/pharma/connected infrastructure/other sectors, not so much.

      How much would you spend to secure a SCADA installation with data diodes? To a different poster, how about the spend (both capex and opex) for site-to-site VPN? This can make a lot of sense in enterprise networks where the ratio of connected devices to defensible network chokepoints is high. But with SCADA, what if your OT is highly distributed across physical space, and perhaps with sporadic networking and few IT-savvy personnel (oilfields, substations, smaller manufacturing facilities)? What if you're a company like a major automaker, for whom even $1000 is a lot to spend on a piece of technology that you'll have to replicate and manage across a huge global footprint?

      How about the personnel problem? SCADA systems are generally managed by OT people. When they see IT people bearing gifts like data diodes, their first response in many places is to say "get your security stuff out of my production network before your latencies and your false positives disrupt my processes and violate my safety rules!" Then you say "but... security!" And they say "We're already airgapped here. We've been running SCADA since before you amateurs even had TCP/IP. We've never had a breach and never will." And then you say "but... what about that unsecured wireless access point right over there?" At this point, the OT guys will often start throwing things at you.

      My point comes down to: doing this at scale is harder than it looks. The correct starting points are: first, get a C-level to knock heads together until the OT guys start listening to the IT-sec guys; and then do a standard risk/impact assessment to identify the systems at the top of the criticality list. Then you put the data diodes into those places, for a start. (In electric power companies subject to NERC compliance, you'll generally find that all of this has been done already for the CIP-high locations.)

      To bring it back to what NSA are doing: it's valid to question their motives but keep in mind that a good chunk of their mission does involve network defense. (VADM Tighe, who used to be the deputy commander of US Cybercom, referred to this in her remarks last week about the McCain incident.)

      It's also valid to question the ability of that other group of people, DHS, with a more explicit charter to keep the national infrastructure safe. For years, it's been hard to get these groups to talk effectively, but I would say this problem is really starting to get a little better these days. With that, I don't mean to suggest that the data sharing problem is close to resolution, because it's not. But as I say, I do believe some progress is now being made.

  9. Here's another challenge ... by CaptainDork · · Score: 2

    ... Which student(s) can paint a wall on my house the fastest?

    A small token of appreciation will be given to the winner(s) once the house is painted.

    --
    It little behooves the best of us to comment on the rest of us.
  10. Modern hacking techniques by manu0601 · · Score: 1

    The reverse engineering lectures page lists "Modern Vulnerability Exploitation": stack and heap overflow, format strings. Yeah, modern!

  11. How the other works on the US mil need for skills by AHuxley · · Score: 1

    Re ... and stop the bad /other(s). "
    The other floods your nation with their trusted people over many decades.
    Every few decades later their trusted, skilled, cleared next generation fills your most advanced, sensitive and trusted university courses.
    Apply for education that feeds your mot sensitive mil/gov/clandestine work.
    Some really rise up the ranks.
    Stand next to very best US mil cryptographers in real time.
    https://en.wikipedia.org/wiki/...
    Other nations don't need billions to fund network security projects. They just wait to see who got more clearance deeper into the US clandestine services over decades.
    They spend their billions in working out how to get the US to trust and advance their most trusted staff.
    The US spends billions on fancy new collect it all networks every decade, the other spent their billions placing human spies in the US every few decades.
    Networks change, funding changes, the best spies just stay on and get promoted into the next more secret project.
    The "other" is a few decade worth of a trusted supervisor, boss, that contractor, a party political think tank, that demand for one trusted private sector no bid policy.
    In place for decades and shaping US crypto policy.
    They helped fund and designed your most secure networks.
    While the US was distracted by collect it all global network success stories for decades, other nations spent their funds on placing trusted human spies all over the USA.
    Occasional defectors with amazing stories helped over the years build on the myth of collect it all spending been the winning policy.

    --
    Domestic spying is now "Benign Information Gathering"
  12. Wrong answer, NSA person by mveloso · · Score: 1

    No, that is not the right answer.

    If you need third-party access to your SCADA system, use a site-to-site VPN with a whitelist. Plug lock down and at least whitelist access to the SCADA system.

    Your answer is exactly why security is fucked up. There are vulnerabilities that you may not know about. Do you really want to put that online? Only if you're a retard.

  13. Re:No no no no no by BlueStrat · · Score: 1

    OK, yeah I can't be lazy and punch the UPDATE button (and who in their right mind does that without putting the box in a lab first?)

    Equifax?

    [ducks]

    Strat :)

    --
    Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
  14. In other words . . . by sgt_doom · · Score: 1

    . . . NSA has embezzled all those billions they receive every year, and doesn't have any money left to hire any top people, so they want free mental labor!

  15. Students? by geekoid · · Score: 1

    Yeah, ignore those of use who ahve been doing security for decades involving SCADA get the student!

    How about people who make those decision actual listen to security experts?

    --
    The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect