Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×

Students vs. Hackers 83

sethfogie wrote to mention Informit.com's coverage of the Mid-Atlantic Regional Collegiate Cyber Defense Competition. Students put their skills to the test, trying to lock down systems against intrusion from an invading hacker team. All in the name of learning. From the article: "When the three hour grace period was over, the Red Team slowly worked their way into attack mode. One member started to sort through the information they gleaned from their scans and investigated each possible exploit. Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data. The two others were adding/changing accounts to routers, firewalls, and systems. However, for the most part, the students were not being pelted with attacks. And this continued for the next several hours."
This discussion has been archived. No new comments can be posted.

Students vs. Hackers

Comments Filter:
  • Nice rules (Score:1, Informative)

    by Anonymous Coward
    I don't know about you, but I always hurt people for info. From TFA:

    The rules were fairly simple -- at least at first glance. Basically, the Red Team could do anything but hurt someone or perform a denial of service attack (network flood). The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.

    Communication was allowed between team members, but only the team leader could talk to the white cell members about problems, etc. The feds could be called o
    • Restricting the student teams from messing with the infrastructure was the first mistake, since the hackers had somehow stolen the details of the entire system.

      First thing the students should have done was change EVERYTHING - the subnets, the IPs, maybe even the software being used. That would have forced the hackers to have to relearn everything they thought they knew.

  • FTFA: "Oh, and of interest, [the winners were] the same team that had only a week to prepare and were all programmers" Priceless!
  • by Ponga ( 934481 ) on Friday March 31, 2006 @05:48PM (#15037904)
    I'm all for this and from TFA, this sounds like a great thing (and lots of fun!) However, using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking. That is to say, attempting to gain access to a computer system through it's weakest link: THE USERS!
    It's one thing to pit technical skill againt the threat of hacking, but it's been done over and over, all that technical skill accounts for nothing if you have a user that has his/her password written down on a sticky - on thier MONITOR!
    Users must be educated and kept up to task on things like this, and it's my opinion that the IT/Security industry does not place enough emphasis in that arena, And to thier detriment...
    • This is so true. User *are* the weakest part of any system, and unless you eliminate 90% of your user base, you will never have a secure system. Enter restricted accounts.
    • using the information gleaned here to apply to real-world situations is lacking in one MAJOR area: They neglect the aspect of social hacking.
      i think you missed the vignette about the little tidbit obtained before the contest even started: the stat sheet on the systems the defendors had been issued, that the Red Team conned off someone. seems sorta equivalent of pulling a sales receipt out of a dumpster to me...
    • If you had RTFSummary, you would have known that:

      "Another member fired up a MySQL database client and started to poke around the students databases looking for sensitive data."

      This looks like social engineering to me.

    • Social Engineering was part of the competition. I took part in the Southeast competition, although social engineering wasn't defined as being part of it, we thought it would happen and it did.

      Turns out the RED team (ISS Xforce & PWC @ our competition), got bored after they destroyed everyone's setup... so they went out and walked into rooms and some folks they were able to sit down and plug in the network.
    • by arbiterip ( 625859 ) on Friday March 31, 2006 @06:50PM (#15038310)
      I actually participated at this contest for Millersville University. Social engineering was allowed. I must admit, I have not yet read the article but members of the Hacker/Red team would often walk around the room and try and to watch what people were doing. A few times they even stopped and tried to get information out of us. However, they had to leave our team area when asked. Our team actually left sheets with the wrong passwords on the tables in hopes that they would waste their time.
    • Woah there - chill a little on having IT jump all over it because of lazy users. I work at a company where IT felt having a password that is so convoluted and un-memorable that 80% of the people REQUIRE a sticky note just to remember the damn thing.

      Just because you CAN do a thing doesn't mean you MUST do a thing, and I think the natural reaction from most admins is to not think further about the impacts their changes will make.

      Things like "something you have, something you know" - use a hardware key along w
      • "I work at a company where IT felt having a password that is so convoluted "

        I'd call that jumping all over IT.

        Being from IT myself and having to implement a more complex password policy, it's not like we wanted folks to have a convoluted password. In our case, we got several branches involved, and had to make a tradeoff between security and usability, and it's something that we've had to struggle with for a long time. It's been a challenge for us AND our users.

        Similarly, we investigated implementing a certi
        • Okay, okay! you got me. I knew as soon as I clicked the post button that line was gonna get me basted.

          I know what you say is indeed true - it's just frustrating that's all, that policy is usually dictated by people who don't have to access these systems on a daily basis but who will also not release the funds to implement systems to do it right.

          Again, I apologize for sounding like an ass...

    • Not only is the end user normally the weak point there is also the complacency factor that hits the security team itself. But that only happens over time, usually an extended period of time. The longer a collection of systems are in place the more likely that one of the administrators will short cut procedures and leave a system exposed.

      In a similulation as described in the article everyone is hyper vigilant and actively looking at all aspects of security. In the normal world it is rare that the enti
    • Not for nothing, but I participated in the Midwest regional (we won, w00ty w00t), and social engineering actually played a huge part. Our team (SIU) spent multiple nights in the bar and the hotel getting drunk with the red team. At the end of it all, one of the hackers said that the entire red team voted us as the best. Unfortunately, the red team's vote was never used for scoring as was originally intended, but hearing that was one of the highlights of the weekend. Since then, one of the hackers pointe
    • I think a more interesting competition would be to bring the "security" team down to a few people, and split the rest up into the "hacker" group, with a few more "experts" dispersed into the "hacker" crowd.

      of course, the people that had their teams switched would be "let go" from the security team - accounts locked down/deleted, escorted "out of the building" so as to not steal anything on the way out, etc.

  • by Giant Ape Skeleton ( 638834 ) on Friday March 31, 2006 @05:51PM (#15037928) Homepage
    Poking around on other people's machines is all well and good, but in the most pervasive and damaging "hacks" (sic), there is usually a major social engineering component.

    In other words, it's a trivial matter to get into somebody's system; it takes a whole 'nother skill set to convince that person to hand you the keys to their data.

    I wonder if tech-savvy folks (the students referred to in TFA fior example) are as good at "locking themselves down" as they are at securing their computers. Have any studies been done on the credulosity of geeks?

    • Actually, this was allowed. As the article notes they were highly suspicious of the press, because they thought he could actually be a member of the opposing team. You are right though, with the teams sitting in front of the computers the whole time, the chances of any social engineering hacks were pretty limited and real systems admins can't be at every computer all the time.
      • Administrators cannot be there at all times. The red team actually broke into the building after hours to teach us that lesson!
        • When we came in the next morning there was actually a machine turned on. The day before we were told this machine "you are not allowed to configure it is part of the competition" so we figured it must be some part of the scoring system or something.... turns out it was a suse box they were using as a nice backdoor... I ripped it out @ 11am after the mail server went down. It also had "kitty porn" and fake ssn's of employees running on a web server. But yes it was turned on 1 hour after we left the buildin
      • > sitting in front of the computers the whole time, the chances of any social engineering hacks were pretty limited and real systems admins can't be at every computer all the time.

        every collegiate social event I attended served alcahol, were they allowed to buy drinks? (having a a little nip now, thanks for noticing my great spelling.)
    • I don't think the social engineering aspect was absent from this setup. FTA:

      He next reached inside his bag and pulled out a complete description of the student's setup, including all operating systems, services, web applications, and IP addresses he had obtained from an anonymous source. Everyone in the room immediately got a slightly evil grin on their face as they realized the results of this social engineering reward.
    • "Have any studies been done on the credulosity of geeks?"

      Ratio of people who visit slashdot to people who take slashdot seriously?

    • by Anonymous Coward
      Geeks are perfect skeptics. They're incredibly smart, and their preternatural awkwardness gives them a tendency to analyze all elements personal communication to the point where they can pick one bullshitter out of a dozen. It's astounding, seeing the results of studies that show that hard-core geeks are practically impossible to trip up, and I can vouch for this in my everyday experience: I've known dozens of people who installed Linux, and no one has ever managed to pull a fast one on any of them, ever.
    • Polygraph Technician: This is a control question, really. How would you say would be the easiest way to take a weapon away from a Grammaton Cleric?
      Brandt: [speaks into Preston's ear.] You ask him for it.

      In the social engineering context, I guess you give him chocolate for it.
  • GO MILLERSVILLE! (Score:1, Interesting)

    by Hinde01 ( 640943 )
    I go to this school and am friends with one of the guys that is on the team. From how they tell it, they prety much owned the other teams (or at least got the least owned by the red team). Hopefully one of them will log on and give you their perspective. I really wish I had heard about this before it happened, but I missed it. Oh well. The entire CS department here at Millersville will be pulling for them when they go onto Texas.
  • and another to not pay attention because you think you are safe...

    Sounds like fun though, kinda like the CS programming competitions I went to in high school
  • by __aaclcg7560 ( 824291 ) on Friday March 31, 2006 @06:05PM (#15038013)
    A school competition to hack and slash against harden servers? Wow! That's interesting. Considering that most schools discourage any form of hacking on the school network, and my local community college had called in the FBI on a few occasions. I didn't know that some schools taught "Script Kiddies 101", much less even mention hacking in the regular programming courses.
    • A. The students weren't hacking, they were trying to protect their server and keep it running. B. The hackers were intrusion specialists in the private sector. One used to work at the DEA and another was in the military.
    • maybe you should read... because the Blue teams (schools) were not allowed to send out a single malicious packet from their network. Doing so would get you disqualified from the network.
    • what is your problem? ahh, i know i g n o r a n c e. please keep up, these types of programs are not new. cssia.org [cssia.org]

    • At City College of San Francisco, one of our teachers sort of teaches "Script Kiddies 101". His computer security courses teaches how various simple tricks can be used to trick a sys admin into giving you root access (e.g., tricking him into running a standard command with root privilege which you have tricked out as a script that copies a shell with his privilege and then runs the command he thought he was running before erasing itself - stuff like that.

      It's very introductory, but it's better than the Wind
  • For those who read French here is a press release [web.crim.ca] about a team of Scheme hackers headed by Marc Feeley [umontreal.ca] participating in a Quebec security competition who won both the first prize for keeping the other nine teams out and the second prize for finding the most security problems in the other teams's servers.
  • by khasim ( 1285 ) <brandioch.conner@gmail.com> on Friday March 31, 2006 @06:25PM (#15038142)
    Unless those students were specifically chosen because they have CCNA's or better and MCSE's or better, etc. Why pick "students" for this "challenge"?

    The student teams were a bit restricted, with regard to changing IP addresses and messing with the infrastructure.
    The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabilities wouldn't matter.

    And when your database app has those vulnerabilities, there isn't much the average network admin can do.
  • Let Google Fight [googlefight.com] handle this one.

    Students:
    2,890,000,000 results

    Hackers:
    87,700,000 results

    No contest.
  • I was at the competition (on the winning team).

    It was very fun. We really expected the hackers to be exploiting vulnerabilities much more than social engineering and such. Our downfalls were a) not changing the passwords of the users fast enough b) forgetting to configure the obscure mail server software. It was called "post.office"; never heard of it. By the time we remembered about it, the hackers had changed the password on it, although we (naively) assumed it had just been locked down somehow.
    • by khasim ( 1285 )
      Since you were in the contest, what was your background? Did you have any experience with that router and firewall? Any professional/vendor certifications or training?
      • by EdMcMan ( 70171 ) <moo.slashdot2.z.edmcman@xoxy.net> on Friday March 31, 2006 @06:59PM (#15038368) Homepage Journal
        We are all computer science majors. So, basically we learn to code.

        All of our knowledge from this competition is from experience outside of school. A little hands-on knowledge can go a long way. I worked primarily on the Linux servers (but also the e-commerce site on Windows). My knowledge of that is just through personal experience. I've been using Linux for a long time.

        I know at least one person on the team has a lot of certifications (Microsoft). Another person was trained on routers by the national guard. Although I have experience from a Cisco class in highschool, I let other guys who knew it better handle it. As a funny note, we locked ourselves out of our firewall almost immediately (due to mistyping the new password). We didn't attempt to reset it while we were in first place.

        So, our backgrounds are all pretty unique to answer your question. As a side note, we do have a security class offered at our school, but it is heavily based on theory.
        • We are all computer science majors. So, basically we learn to code.

          I'm impressed that you lasted that long.

          Seriously, aside from the physical entry (extremely uncommon in the Real World), a quick class on firewall/router configuration would have stopped the attackers.

          I think you guys were setup to fail on this. You gave an impressive performance, but the skills needed weren't what you were going to school for and, in the Real World, you wouldn't be limited to those "rules".

          Congrats!

          • at our competition (southeast) they even said we were setup to fail and the deck was stacked so high against us it was ridiculous. We didn't have most of the CDs to reinstall/install OS's or Applications. We also didn't have access to the internet except for a few proxied sites and it wasn't working so hot.
            • We had internet access (unrestricted), but it was only on one machine. So we had to copy everything via memory stick. It was extremely annoying.
            • Rule Zero: There is no security without physical security. The other team learned that.

              The first rule of security is to restrict the avenues of attack. You weren't allowed to do that.

              The second rule is to run only what you absolutely need. But without the install media, that's not very easy to do.

              The third rule is ... patching. Not easy with only one machine connected to the Internet. And not much use if your app had the same sql-injection vulnerability that the other team's did. Patching only works if ther
          • Thank you.

            One of the caveats of the firewall is that we couldn't block by source ip -- so, while it sounds like you can just stop any attack at will, that is not the case. Someone came up with the suggestion of blocking by destination ip... but I don't think the white team would have been very amused.
          • I agree - since the red team had access to the entire infrastructure setup, the first thing the students should have done was change everything - subnets, IPs, passwords, even what software was being run in some cases.

            That would have forced the hacker team back into information gathering mode for a longer time, and it's clear from the story that even though the students had three hours without attacks, they needed more time.

        • As a funny note, we locked ourselves out of our firewall almost immediately

          Are you sure you don't work for my company? They call this a security feature where I work,

    • Heh, we used Post.Office in 98-99 because our VP decided Windows NT was the future. It sucked. No surprise that you've never heard of it and I'm frankly surprised it's still around.

      kashani
    • I'm very amused because I was on the winning team for the midwest regional. It was held last weekend in Champaign and Southern Illinois University won.

      My question to you is this: Was your contest a totally unorganized snafu?

      At our competition, none of the machines were configured right, the scoring engine they used was pathetic (and constantly scoring teams incorrectly), and the rules were randomly enforced. Although teams hacking other teams was prohibited, our Red team openly discussed the fact that mo
      • Ours was fairly organized. The machines were mostly in working condition. They didn't take too much effort to get the services running. However, it did seem like people went out of their way to make them insecure. One thing I found amusing was on one webserver there were about 5 files like "debug.php", "index.php" (although it didn't load by default), and such with blatant vulnerabilities or phpinfo()'s in them.

        My only real complaint is that we didn't see anything the scorebot was doing. For a while, t
        • One of the highlights of the initial setup was that our Solaris box was a "default" install. When our Solaris guy poked around for a few minutes, he found out he had almost nothing (not even man pages). When he asked what kind of "default" install it was, the guy who set them up said that it was his normal production install. Technically, it was his default, but what the hell? Our Fedora box had no development tools, our 2K server box was basically dead on arrival, and there were files on the 2k3 server
  • Start reading from the description of what actually happened [informit.com], that is the interesting part of the article.
  • 1. Obtain an OpenVMS Alpha system [islandco.com].

    2. Read the docs [hp.com].

    3. Install the patches [hp.com].

    4. Let 'em try their damnedest to break in.

    5. TEH WIN!!!!!1111

  • Basically, I'm unimpressed with the Red Team. They stacked the competition in their favor by setting up systems so misconfigured they could not be secured in the three hours alotted, and broke into the room to install rootkits knowing the "victims" could not possibly physically secure their computers in this location. One must always assume that access to the console equals access to the entire system-- so this line of attack did nothing but pump up the egos of the Red team and teach the other teams nothi
    • Re:Not impressed (Score:2, Informative)

      by Desert Raven ( 52125 )
      The Red Team aren't the ones who were responsible for setting up the boxes.

      Though, for reasons even they can't comprehend, they were constantly consulted on what to install on them, and even were asked for *binary* install packages.... If you want to blame someone, blame the organizers, not the red team. I mean, c'mon, what would *you* do?

      Yeah, one of the Red Team members is a friend/co-worker of mine.
      • or how about the rogue mysterious box they had sitting plugged into our network that we were told not to configure and it was mysteriously turned on, on day 2... (southeast comp... dunno if they did this at the midwest)
  • RTFA? (Score:2, Insightful)

    by Yomer333 ( 918394 )
    A little clarification from someone who participated.

    This wasn't a competition to spawn a generation of script-kiddies.

    Social engineering played a part in the competition.

    When the article says "restrictions," it's not saying we weren't allowed to change shit. The "no changing ip's" business was that we had to have services on a certain IP for the duration of the competition.

    "The easiest way to defeat the attackers would be to lock them out at the firewall or router. Then all the sql-injection vulnerabiliti
    • "The "no changing ip's" business was that we had to have services on a certain IP for the duration of the competition."

      Oh, okay - if it had to be a public accessible service such as the Web server - but could you change the ports? No reason to use the standard ports for services if you don't have to and clobber the banners, too.

      "I'm convinced that the only secure computer is one that's not plugged in."

      That's about right. And the only secure computer that is running is the one that doesn't have anything on i
      • Yeah, you could change the default port for anything, but that only adds the time it takes to do an nmap.

        "Security by obscurity" - not necessarily using a program that few people know and assuming they don't know the exploits, but rather being inconsequential enough that no one will take the time to hack your ass.
  • I see that flooding was disallowed, but how about red-herring attacks to get caught in packet sniffers used by the good guys, for the purpose of distraction from the real attack?

Beware of all enterprises that require new clothes, and not rather a new wearer of clothes. -- Henry David Thoreau

Working...