Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Education

The Student vs Hacker Security Showdown Rematch 83

monkeyboy44 writes "Following up on last year's entertaining hacker vs. student showdown, InformIT.com once again covered the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition where college students are put to the test. During the three day event, small teams from eight of the areas colleges are handed insecure networks that they have to lockdown and keep running — all while a team of hackers attempt to gain access any way they can. To keep it interesting, the teams also had to perform various tasks, such as program web applications, install IDS systems and more — and if hacked, the US Secret Service was on hand to determine if there was enough data to start an investigation. Once again, the hackers dominated — but not without a few surprises."
This discussion has been archived. No new comments can be posted.

The Student vs Hacker Security Showdown Rematch

Comments Filter:
  • Hack yourself (Score:2, Interesting)

    Seems like the best way to ensure your success in said competition is to walk through the door with every hacker tool known to man, and just go all out on your own network.

    The days of careful analysis and investigation are over. Why not learn a thing or two from the rapid fire, spray and pray, script kiddies?
    • walk through the door with every hacker tool known to man, and just go all out on your own network
      Whatever two-player game you enjoy, play it against yourself a few times.

      The days of careful analysis and investigation
      I didn't study the whole article like scripture. I didn't see any mention of novel zero day exploits. I wouldn't be surprised if there were a few in the competition, though.
      • I didn't see any mention of novel zero day exploits.


        Well, there you go. You certainly wont find zero-day exploits in the featureset for nessus or metasploit.
    • Re: (Score:2, Insightful)

      by cdrdude ( 904978 )
      That's nice and all, but you won't think of everything they do. The things you can think of are the ones you can defend against, and that won't change it. I'm sure they try to look at their own network from the hacker perspective, but all it takes is one good idea that the hackers have and the student's don't.
    • Re:Hack yourself (Score:5, Insightful)

      by nametaken ( 610866 ) on Saturday March 17, 2007 @06:30PM (#18390305)
      The problem with this is that they gave the teams securing the network 3 hours to prep.

      As someone who had to take over company's network, exactly what this exercise is meant to simulate, I can say it does take more than 3 hours to secure the services and appliances they were given without taking things offline. What's more, you usually don't have four seasoned hackers banging on your network's doorstep in your first three hours of employment. Also consider that most businesses don't keep a 10k record CC# database on a machine behind an unsecured perimeter appliance with a bunch of hokey other services running on them, accessible from outside the lan. The expectations of the whole process are a bit ridiculous to begin with, but if you gave them a day or so to secure their network and services, I'm sure they'd have done much better.

      Judging by the brief accounts of each teams actions, I'd guess that in more realistic scenarios they would make reasonably effective admins.

      • Re: (Score:3, Insightful)

        by Khashishi ( 775369 )
        It's a contest. It supposed to be harder than real life.
        • Re: (Score:3, Interesting)

          How is it harder than real life for the hackers then? If it really is supposed to be a contest (in the true sense of the word) then the least the participants could expect is a level playing field.
      • by EdMcMan ( 70171 )
        We were also given multitudes of business injects to complete during this prep time. Each team only had three terminals to work on, as well. All in all, the odds are stacked (heavily) against the defending teams.
  • by fireboy1919 ( 257783 ) <rustyp AT freeshell DOT org> on Saturday March 17, 2007 @05:19PM (#18389875) Homepage Journal
    From TFA:
    Knowing how to secure both Linux and Windows, plus understanding Cisco firewall configurations (or Shorewall/iptables) -- not to mention having a firm grasp of web application security -- is not a realistic expectation of any newly graduated employee, much less a seasoned veteran.

    What? I'm guessing that maybe this is because a seasoned veteran would expect for the network to be maintained correctly? Especially the firewall?

    Really, this doesn't sound like a level playing field at all. My company support *three* services - IMap, HTTP, and ssh. We keep the programs that offer these services completely updated. There's not a lot to keeping those updated. There's one major player for ssh, two for web, and four or so for mail. Even the minor ones take less than an hour to figure out.
    We expect that the routers will handle almost everything else. Flaws coming out in IP stacks are a pretty major thing, and get fixed pretty quick, so it should mostly be a nonissue.

    If these guys only had to support features that people actually use and lock down everything else, things would be very different.
    • Re: (Score:3, Interesting)

      by kent_eh ( 543303 )

      I'm guessing that maybe this is because a seasoned veteran would expect for the network to be maintained correctly?


      Clearly you've never been a contractor.

      Starting a contract to "upgrade and secure our network" for a small company who doesn't have any IT staff, and only brings in contractors on a one-off basis a couple of times a year.

      The competition scenario sounds fairly plausible to me.
      • Re: (Score:2, Interesting)

        by wiremind ( 183772 )
        Good point.

        Your scenario is quite realistic, but then, scoring should be based on time to secure the network, not how many times the hackers can break in.

        In that game, they were being scored for how many times they could get hacked, in the real world, if you did enter a hacked office, time would be critical, but over the course of a long weekend the office would be locked down and cleaned up.

        So in my mind, if this was supposed to be realistic, the scoring would be between teams of sysadmins, see who can com
      • by Cramer ( 69040 )
        Except the contractor(s) are professionals being paid for their experience and expert knowledge. They will have more than "a few hours" to inspect things and do their patching; they won't be scolded for using "illegal tools". (nobody cares how the job gets done as long as it gets done.) And above all else, they're brought in to do a single job -- with the contract spelling out exactly what they are expected to provide.

        In the end, I don't think the game is supposed to be realistic. I think it's more about
        • Re: (Score:3, Insightful)

          by kent_eh ( 543303 )
          (nobody cares how the job gets done as long as it gets done.)

          In the competition, the organizers phrased the removal of "illegal" tools as being the result of a BSA style audit. I expect companies who have been the subjects/victims of such an audit care greatly about the legality of the tools their admins (even contracted ones) are using.

          I think it's more about making a point: security is not simple;

          I expect the contestants came away with a heightened respect for just how much work it is to implement

          • by Cramer ( 69040 )
            The BSA is unlikely to walk in exactly when the contractors are there. And I'm not saying the contractors are installing bootleg software on the company machines (at least not for long.) In the context of the competition, they weren't allowed to bring in anything. How many people bring in "naked" contractors? Contractors come in with their laptop(s) and tools.
    • by phasm42 ( 588479 )

      Knowing how to secure both Linux and Windows, plus understanding Cisco firewall configurations (or Shorewall/iptables) -- not to mention having a firm grasp of web application security -- is not a realistic expectation of any newly graduated employee, much less a seasoned veteran.

      What? I'm guessing that maybe this is because a seasoned veteran would expect for the network to be maintained correctly? Especially the firewall?

      I'm guessing that someone did a poor job of proofing that article, or just has th

    • Re: (Score:2, Informative)

      by wiremind ( 183772 )
      The part that made it all kinda absurd for me was this:

      "You also can't see the pre-installed rootkit/keylogger that resides on the server. These are the types of real world issues that IT professionals have to deal with..."

      thats not a real world scenario, you build your servers off the network, you have cd's with all the latest patches, you install antivirus. and you have trusted people do this. By the time a server hits the network its got antivirus, patches, and is totally locked down.

      Next absurdi
  • Completely Rigged (Score:4, Informative)

    by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Saturday March 17, 2007 @05:44PM (#18390037)

    However, what you can't see is the rough access point that was installed behind the firewall in the 10.10.20.x range. You also can't see the pre-installed rootkit/keylogger that resides on the server.

    Okay, so they have a pre-installed rootkits on the machines, and 2/3rd of the boxen they are given are windows machines running fundamentally insecure protocols. ( such as ms's infamous technique of sending cleartext LM hashes over the local network) It also seems the machines are setup with easily guessable passwords to boot.

    Furthermore, they seemed to stress the "firewall" as if it was some sort of solution rather than just a roadbump as it is in reality. Disabling all blocking rules and simply serving as a router should have more than enough, since firewalls only ever provide the illusion of security anyway.


    As the red team clearly illustrated, it only takes a few minutes to gain access to a Linux box via single user mode, bypass BIOS passwords by shorting out the motherboard,


    This also has nothing to do with a sysadmins job. If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them quite by definition.

    It seems that the only way to win this competition on the defensive would have been to re-install the latest fedora core on all four machines, and setup services that you trust instead of MS services, then hunker down and physically guard the boxes.

    • by Goaway ( 82658 )
      If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them quite by definition.

      Having an encrypted filesystem stops anyone who's after your data even if they have local access.

      Assuming, of course, a perfect implementation.
      • I don't see where an encrypted file system would help unless the key is required to be typed in each time a server is raised above run level 1. Physical security is a primary foundation of any more sophisticated security scheme. It is a fundamental problem when your security is based oon, "What you have." If you have the machine, game over. If the machines were set up with easily guessed passwords, that is a fundamental problem called, "What you know." (What you can guess). It seems to me none of the net
        • by Goaway ( 82658 )
          I don't see where an encrypted file system would help unless the key is required to be typed in each time a server is raised above run level 1.

          Well, yes, that would kind of be the point, wouldn't it?
          • Thanks for your even response to my posting. If the hackers have physical control of the server and they reboot it, then fail to enter the proper key, the server would be offline and unavailable to perform its services, and therefore a denial of service would be effected. At least that much damage could be done without the key. I admit they wouldn't get the credit card numbers that way. Having the server offline, they could brung up their own device at the same IP address and there would be no IP conflict a
            • by Goaway ( 82658 )
              If the attackers have physical access to the machine, they can smash it with a hammer. This is why I specified that I was talking specifically about attackers who are after your data.
              • I meditated on what you said, and I see the wisdom now. Because you were gentle with me about it, I learned from you instead of being insulted. Thanks for giving me the chance to think and learn.
    • by cgenman ( 325138 ) on Saturday March 17, 2007 @08:25PM (#18391045) Homepage
      If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them quite by definition.

      Of course there is. You can encrypt drives, encrypt information, use secure Mobos, etc.

      As responsible for the integrity of your network, you're also responsible to let people know the level of physical security your network requires. As the article mentions, the servers were password-protected and expected to be secure. With physical access, the hackers got a suprisingly high level of penetration into the system without actually breaking it.

      It seems that the only way to win this competition on the defensive would have been to re-install the latest fedora core on all four machines, and setup services that you trust instead of MS services, then hunker down and physically guard the boxes.

      There was no way to "win" on the offensive. The offense wasn't being tested. The test was to see, basically, which group of sysadmins could outsurvive the rest. It wasn't an unfair competition between hackers and defenders. It was a task guaranteed to take out boxes, to see which team could best slow down the inevitable onslaught.

      In a production environment you don't necessarily get to set the policy on what servers you are running, and off of what boxes. You inherit a messed up pile of old systems, legacy software that nobody can update anymore, buggy drivers, and Windows users installing trojans and giving their passwords away to the first person who comes along with a YourCompanySecurity username on AIM. The fact that they took the end users out of the equation was a huge blessing to the sysadmins.

      Notice that they made damned sure that none of these computers were attached to the internet at the time of the task. These weren't the best of the best hackers the competition could find. These were a small pool of good hackers vs a small pool of sysadmins. If they had actually put these things on the internet, like production environments face every day, they would not have survived.

      Hence, the pre-installed keyloggers.
      • by Srin Tuar ( 147269 ) <zeroday26@yahoo.com> on Saturday March 17, 2007 @10:02PM (#18391581)
        Just to point out two things you said:

        Of course there is. You can encrypt drives, encrypt information, use secure Mobos, etc.

        In a production environment you don't necessarily get to set the policy on what servers you are running, and off of what boxes.

        Those two assumptions are somewhat conflicting I would say.

        On the first point
        The performance tradeoff for encrypted filesystems is seldom worth it on servers when you can physically secure them fairly trivially. If your building is regularly invaded, you have bigger problems. In any case, even if you can stop data loss with disk encryption, the guy could just take a hammer to your server and cause a DoS at the very least, and there is nothing you can do if you allow him physical access.

        On the second point: if you are such a low level peon in the a company that you are forced to accept bug ridden systems, then security is a forgone conclusion. Heck- acheiving it might compromise job security. I might suggest looking for a better job. Instead, if you are in a position to offer "services" to the company, such as email, DNS, or NAS then YOU (The IT dept) get to decide how to provide them, and then you can make decisions with security in mind. Before we get too separated from reality, we have to remember that the point of computers is to offer data services to the users, not to offer brand names. The rest of the company shouldnt even have to know whats behind the curtain, just that everything is up and running smoothly.

        Being asked to secure pre-owned windows servers is like being asked to levitate. Just give it up and re-install something else. The entirety of the O/S is analogous to trojan horse malware to start with, being that you do not get the source code. Trying to hold back the tide with a spoon and a colander is not my idea of security.

        It was a task guaranteed to take out boxes, to see which team could best slow down the inevitable onslaught.

        That would be uninteresting. Why even try.
        I think it should be not only possible, but fairly easy to setup a network that would provide service and not be penetratable over the network. You could even go for extra points by detecting unwanted probing or intrusions and blackholing the attacker's traffic so that you don't even suffer from a degradation of service. But assuming you will
        lose is the wrong mindset, imo. You have to play to win.

      • If you put your servers physically in the hands of an attacker, there is nothing you can do to stop them quite by definition.

        Of course there is. You can encrypt drives, encrypt information, use secure Mobos, etc.

        Eh?

        Seriously... I've never heard of a "secure mobo" in a production server - ever. Sure, you can password-protect the BIOS, rig up the handy physical intrusion alarm on the box (if there is one) and whatnot... but, umm, I don't see that as fitting your definition as used.

        Encrypted drives? Cool... until you have to restore the things from backup a couple of years later and no one has the password, because the admin who installed it never wrote it down anywhere, and he left the company a long time ago.

  • by Cramer ( 69040 ) on Saturday March 17, 2007 @05:45PM (#18390045) Homepage
    It takes significant experience to walk into a network blind and secure it in hours. I have 2 decades of experience, and I've walked into places where it took days just to figure out w.t.f. they're running. It would take a day or more to figure out what all is going on in the network in my house -- and there's only 4 computers on at the moment.

    And if you're dealing with Windows(tm), it can take hours to download and install all the freakin' patches. (unless you happen to wander around with a fully populated WSUS/SMS server.)
    • by Cramer ( 69040 )
      PS: The entire "game" is heavily stacked in favor of the hackers. For example, the teams were told to leave the firewall alone (after 7 out of 8 broke theirs) and then one of the hackers turns around and breaks into the firewall; if you're going to make the players stay away from the firewall, then it needs to be off limits to the hackers as well.
      • I fail to see how making them leave the firewalls alone after they broke them is unrealistic. The simulation is of a small business network where the Boss is unlikely to have a good understanding of the seriousness of an intrusion, but is almost certainly likely to understand what losing his internet connection is costing him. So when the Boss discovers he can't send or receive mail,check his stock portfolio, chat with his mistress, and then gets calls from customers saying they can't connect to his website
        • by Cramer ( 69040 )
          I'm not saying it's unrealistic. I'm saying it's unfair in the context of the competition... if the firewall is off limits to the teams, it should be off limits to the hackers. No matter how well secured your internal network may be, if the hackers can sit on your network (on the firewall no less), it's game over.

          (Honestly, it wouldn't be much of a learning experience if it weren't tipped in favor of the hackers.)
      • The "game" is always in favor of the hackers. All the admin truly 'has', at any given moment, is his server; which he, usually, doesn't get the final word in setting up anyways.
    • Re: (Score:3, Insightful)

      by AJWM ( 19027 )
      It takes significant experience to walk into a network blind and secure it in hours.

      Not really arguing the point, but the first step is to unplug all the network cables. That doesn't take very long. Then you can take your time securing it before letting it back on the net.

      If you don't know what's on it, and there's a cable attached, you pretty much have to assume it's already rooted.
      • If you don't know what's on it, and there's a cable attached, you pretty much have to assume it's already rooted.


        Well said.
      • by Cramer ( 69040 )
        You don't even need to unplug them... the first step is math: 24 port switch with 19 cables (all active) and a network diagram showing 12 machines. Obviously there's something amis. Start with port 1, wrap your grubby finger around the cable and trace it back to whatever is on the other end; log this on the diagram. Repeat for the remaining cables.

        I've had to do this repeatedly everywhere I've ever worked. (even had to make a bellsouth tech literally do this to find a loop plug.)
        • by AJWM ( 19027 )
          Well, that's a different issue, and yes, often necessary. The "unplug them" was to get them off the network right now. If the box is rooted, "ifconfig" might be lying to you.
  • by not_hylas( ) ( 703994 ) on Saturday March 17, 2007 @09:16PM (#18391373) Homepage Journal
    Elite Network Counter Strike Force pwn Teens
    (translated version)

    In the annual Mid-Atlantic Regional Collegiate Cyber Defense Competition (CCDC), held at a secret location, a Network Counter Strike Force Team, consisting of seasoned veterans from several security technology firms and academia, PWNed several teams of IT students in a stunning display of 1337-ness.
    In summary, the students are handed a small network with various services, most of which are outdated, vulnerable, and pre-exploited (rigged).
    They, the students, then, have a few hours to get everything patched and secure, at which point the RED Team (a.k.a. the haxorz) are set loose to pwn them all.
    However, as IT professionals know very well, it isn't just the hacker you have to deal with!

    The Secret Service was on hand to make sure the competition went a lot like last year, as well as many other unplanned events ("interviews"). Welcome to the "Real World" -- CCDC style!!!

    The students' goal: lock down rigged Windows and Linux systems and secure their networks. The Hackers' goal: to pwn the students' networks, steal important data and embarrass them in front of their Mothers.
    Hylas Ipsum (not_hylas( )) read about the 2007 real-world competition and reported on the event from the perspectives of Slashdotters and first year Umpires everywhere.

    Last Year's Event

    This was the second year for the CCDC. I wasn't invited to last year's event, like this year, which turned out to be a very amusing experience for the haxorz. As with any first time adventures, unexpected "anomalies" played a very big role in the outcome of the event.
    Despite minor hiccups, the Secret Service benefited most by walking away with all the chicks.

    This Year

    Prior to attending the 2007 event, we were fairly certain the RED Team was going to have a more difficult time gaining access to the students systems.
    Perhaps the most amusing and educational aspect to this years Mid-Atlantic CCDC was how the RED Team managed to surprise everyone involved by cheating again, with no one saying a thing. Since the Prize Cups' disappearance the night before, this contest was for "sport".
    With the air of sportsmanship renewed, the game was afoot.

    As previously mentioned, each network contained a wide range of operating systems and services. In summary, the core network contained three computers:

    A Windows 2003 computer running an Exchange Server, telnet, DNS, and Active Directory
    A Fedora Core 4 server on a DMZ running Apache, telnet, PHP, MySQL, and osCommerce
    A Windows XP workstation running syslog, VNC and telnet
    In addition, two of the teams had a PIX firewall w/telnet and the other six had a Linux-based system running telnet on Smoothwall.

    Prior to the physical intrusion, the RED Team had the most success by exploiting default configurations and default accounts. Once they were let loose, the team members quickly found and "pwned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a "real world" problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!
    Why indeed?
    The RED Team then commenced to "trash talking" the students, seeing blood in the water.
    All this said, the event is much more than just a competition. It is a test of how well a person can perform under serious pressure. In fact, there was an unofficial "bonus" to the first hacker who could make a student cry.

    Default configurations and accounts were bound to be located and fixed within minutes. The RED Team would not be able to simply walk in, connect to a system, and login. However, CCDC predicted this and provided a few "unknowns" to assist the red team with their work.

    Since the "corporate network" was not truly connected to the internet for "security reasons", all patches and updates ha
    • Freaking hillarious... Except you got one thing wrong. This is the new millennium...the USSS got the guys (just dont tell!)
  • by maillemaker ( 924053 ) on Saturday March 17, 2007 @09:34PM (#18391461)
    So where does one go to learn about this kind of security work?
    • Re: (Score:3, Informative)

      by Metzli ( 184903 )
      As far as classes go, SANS (www.sans.org) is a great place. That's actually where the Red Team came from. Shoot, the students might have lucked out. At least they didn't unleash Ed Skoudis and Kevin Liston on them too. This might have been a dramatically shorted program. :)
  • by BobSixtyFour ( 967533 ) on Sunday March 18, 2007 @12:46AM (#18392269)
    I was a member of one of the (losing) student teams.

    First, none of the members of my team are majors in network security (just "IT"), linux gerus, and we did not recieve any advice from the previous team that went last year (what fags).

    Second, two of the four boxes were Linux. Three monitors. The firewall box and the windows xp workstation box was KVM'd together.
    8 people trying to work on 3 machines = not cool.

    Third, oh god all of the systems were basically pre-fucked up. Rootkit/keyloggers on the 2003 server box, there was a wireless access point that was PLUGGED INTO our switch, broadcasting all internal traffic to the red team and allowing them DIRECT access to the internal network.

    Fourth, it wasn't clear to my team that we had to have THREE external IP addresses mapped to THREE internal IP addresses, so our firewall/router solution didn't work at all. Business inject on the first day? ha? none of the e-mails could get to us because they were sending it to another ip! At the end of day 1, they also said that they would reimage the firewall box to Fedora Core 4 and give us control over it. So, everyone crammed as much about configuring fedora core 4 and learning iptables... we walk in day 2 and the guy says that he locked us out of our firewall box and that we aren't allowed to change it. (because 7/8 teams fucked up the firewall on the first day). Awesome, three direct ip mapping into our private network!

    Fifth, there was a misunderstanding about what kinds of software we could use. We thought we were able to use ANY (non-pirated) software that was available on the Internet, including free trials. Turns out, we were only allowed to use commercial software ONLY if it was released as a beta version and had the appropriate enterprise use license. Hurray windows firewall? It's not like we could download zone-alarm.

    Sixth, there was just too much stuff that was already on the machines that no one on my team had any experience with. osCommerce? hah.

    Seventh, 70% of all the business injects are related to the website. When the red team broke into our Linux (fedora core 4) box, they completely fucked Apache and MySQL up (how to backup Linux? nothing to backup TO). So much for all those business injects.

    Eighth, we only had one laptop to use to download stuff from the Internet or to research free software alternatives. Granted, our team probably needed more people that knew how to use Linux, but still...

    Ninth, the network diagram was incorrect. How the hell do they expect us to configure a router if they provide the wrong DNS/default gateway information?

    Yeah, we got owned hard... but there's also the saying... you learn from your mistakes... I believe I learned more in those 3 days then my entire 3 and 1/2 years in my university.
    • Bob, you had the deck seriously stacked against you. In my opinion, you were bound to lose. In the real world, I think computer networks and servers are what is called, "A Risky System", because you cannot absolutely guarantee the security and operation. If you came through the test, and still have any interest in computer security, then you really proved you can walk the path. It takes courage every day to be responsible for real world business networks and servers when there are lots of bad guys with time
  • we should not blame the network because the students should have enough knowledge to protect insecured network from the hackers.they can use a tool such like honeypot to learn about the hackers and improve the network. By implemeting intrusion detection system, the students can detect the hackers and build a strong and secure network.
  • "Once they were let loose, the team members quickly found and "owned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a real world problem that has turned more than one company into a victim. Or to put it another way, why attempt to locate and exploit a DCOMRPC vulnerability when the password to the Administrator account is blank!" It should be a good lesson for all including the company & students that this "small" thing
  • prepared each student with network security knowledge then we can talk business...
    • I don't think these student lack of network security knowledge but the greatest because they already done the test...I think the person who reallt need the preparation here is YOU!
  • I was at the competition, on Millersville's team. Overall, I'd like to say the competition is awesome. Casey and the rest of the white team organizers did another awesome job. The competition was fun, challenging and educational, as it should be!

    However, there are several things that could be improved. If you think the 3 hours of "prep time" could be used to secure our systems, you are mistaken. The three hours were actually used to complete business injects. Obviously, the systems were very "pre fuck

There's no sense in being precise when you don't even know what you're talking about. -- John von Neumann

Working...