Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Government Networking Security United States

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net) 53

Slashdot reader eatvegetables writes: The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.

This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).

Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.

Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.

A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
This discussion has been archived. No new comments can be posted.

NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack

Comments Filter:
  • Infrastructure (Score:3, Insightful)

    by AmiMoJo ( 196126 ) <mojo@world3.nBLUEet minus berry> on Saturday September 16, 2017 @06:15PM (#55211495) Homepage Journal

    Can we teach people to repel state level attacks on our internet infrastructure?

    Like GCHQ before, it's weird when these agencies act like they weren't caught breaking the law on an unprecedented scale.

    • by Anonymous Coward

      The first lesson to learn is:

      Only stupid people connect a critical SCADA infrastructure system to a public network.

      Your mission, should you choose to accept it, is to tell the world that these people should be put in prison.

      Good luck, Jim.

  • by Rosco P. Coltrane ( 209368 ) on Saturday September 16, 2017 @06:23PM (#55211533)

    People who choose to take part will have their name permanently on the NSA's watch list for dangerous hackers - and potentially, on some terrorist watch list, or the TSA's no-fly list also.

    Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't.

  • There you are. They'll cut through any common metal and they're barely an ounce each, including the blade.

    You did ask for some light hacksaws, right?

  • How about someone just turn off as many lights as possible until the NSA does their job? ;)

  • If your SCADA system is under attack from the Internet side, the way you mitigate it is by disconnecting the Internet. Why is your SCADA system connected to the Internet in the first place?

  • by ka9dgx ( 72702 ) on Saturday September 16, 2017 @07:54PM (#55211833) Homepage Journal

    The first thing is to do a traffic analysis of the data that has transited the outbound data diode. Look for unusual destinations. Then work backwards to see what system generated that data. Then start searching all of the computers for rogue USB devices or other media carried into the office. Actual fingerprints may help catch the culprit, if it wasn't a staff member who was social engineered into using the device.

    Remove the hard drives from any affected systems, and do a bare metal restore from the most recent trusted backup. Then use the delta backups to bring things to a reasonably current state.

    There should be no physical way for internet traffic to get inbound into the system, as it should be air-gapped except for the data diode. As we all know, a data diode has no physical inbound connection, and is thus secure.

    If there isn't a data diode, start questioning the qualifications of the existing IT staff and engineers.

    • All good thoughts and quite correct.

      Practical questions: how many SCADA systems do you know that actually have data diodes? There's decent penetration of this technology in electric-power transmission/distribution and a certain amount in O/G upstream. Manufacturing/pharma/connected infrastructure/other sectors, not so much.

      How much would you spend to secure a SCADA installation with data diodes? To a different poster, how about the spend (both capex and opex) for site-to-site VPN? This can make a lot of sen

  • by CaptainDork ( 3678879 ) on Saturday September 16, 2017 @08:49PM (#55212013)

    ... Which student(s) can paint a wall on my house the fastest?

    A small token of appreciation will be given to the winner(s) once the house is painted.

  • The reverse engineering lectures [ltsnet.net] page lists "Modern Vulnerability Exploitation": stack and heap overflow, format strings. Yeah, modern!

  • Re ... and stop the bad /other(s). "
    The other floods your nation with their trusted people over many decades.
    Every few decades later their trusted, skilled, cleared next generation fills your most advanced, sensitive and trusted university courses.
    Apply for education that feeds your mot sensitive mil/gov/clandestine work.
    Some really rise up the ranks.
    Stand next to very best US mil cryptographers in real time.
    https://en.wikipedia.org/wiki/... [wikipedia.org]
    Other nations don't need billions to fund network security
  • . . . NSA has embezzled all those billions they receive every year, and doesn't have any money left to hire any top people, so they want free mental labor!
  • Yeah, ignore those of use who ahve been doing security for decades involving SCADA get the student!

    How about people who make those decision actual listen to security experts?

A committee takes root and grows, it flowers, wilts and dies, scattering the seed from which other committees will bloom. -- Parkinson