NSA Launches 'Codebreaker Challenge' For Students: Stopping an Infrastructure Attack (ltsnet.net) 53
Slashdot reader eatvegetables writes:
The U.S. National Security Agency launched Codebreaker Challenge 2017 Friday night (Sept 15) at 9 p.m. EST. It started off as a reverse-engineering challenge a few years ago but has grown in scope to include network analysis, reverse-engineering, and vulnerability discovery/exploitation.
This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).
Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.
Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.
A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
This year's challenge story centers around hackers attacking critical "supervisory control and data acquisition" (SCADA) infrastructure. Your mission, should you choose to accept it, is to figure out how the SCADA network is being attacked, find the attack vector(s), and stop the bad guy(s)/gal(s)/other(s).
Codebreaker-Challenge is unusual for capture-the-flag(ish) contests due to the scope/number of challenges and how long the contest runs (now until end of year). Also (this year, at least), the challenge is built around a less than well-known networking protocol, MQTT. It's open to anyone with a school.edu email address. A site leader-board shows which school/University has the most l33t students. Carnegie Mellon and Georgia Institute of Tech are at the top of the leader-board as of Saturday morning.
Last year, 3,300 students (from 481 schools) participated, with 15 completing all six tasks. One Carnegie Mellon student finished in less than 18 hours.
A resources page offers "information on reverse engineering," and the NSA says the first 50 students who complete all the tasks ths year will receive a "small token" of appreciation from the agency.
Infrastructure (Score:3, Insightful)
Can we teach people to repel state level attacks on our internet infrastructure?
Like GCHQ before, it's weird when these agencies act like they weren't caught breaking the law on an unprecedented scale.
Re: (Score:1)
I'm British and I love my country.
That's why I will never work for GCHQ.
JUNIOR CODEBREAKER ALERT (Score:1)
The first lesson to learn is:
Only stupid people connect a critical SCADA infrastructure system to a public network.
Your mission, should you choose to accept it, is to tell the world that these people should be put in prison.
Good luck, Jim.
You must be bonkers to participate (Score:4, Insightful)
People who choose to take part will have their name permanently on the NSA's watch list for dangerous hackers - and potentially, on some terrorist watch list, or the TSA's no-fly list also.
Stay the fuck away from the NSA people. It doesn't matter if they say they have good intentions: the reality is, they don't.
Re: You must be bonkers to participate (Score:4, Insightful)
Nah.
These are the sorts of folks they'll actively seek to recruit.
Because if you can successfully attack their scenario, you can likely do it in the real world against an NSA target of choice.
Re: (Score:2)
have their name permanently on the NSA's watch list for dangerous hackers
Or if not, on their employee list. But perhaps that's tautological. And who would want to anyway?
Re: (Score:2)
Ob (Score:2)
There you are. They'll cut through any common metal and they're barely an ounce each, including the blade.
You did ask for some light hacksaws, right?
"small token" of appreciation (Score:2)
Re: (Score:2)
I believe 20/10 vision is required for flying jets.
I'm sure the token of appreciation is an introduction to a contractor the NSA uses that can pay more than G-rating, which will lead to an immediate offer.
Alternative proposition: (Score:2)
How about someone just turn off as many lights as possible until the NSA does their job? ;)
Simple solution: unplug it (Score:2)
If your SCADA system is under attack from the Internet side, the way you mitigate it is by disconnecting the Internet. Why is your SCADA system connected to the Internet in the first place?
Wrong answer, NSA person (Score:2)
No, that is not the right answer.
If you need third-party access to your SCADA system, use a site-to-site VPN with a whitelist. Plug lock down and at least whitelist access to the SCADA system.
Your answer is exactly why security is fucked up. There are vulnerabilities that you may not know about. Do you really want to put that online? Only if you're a retard.
Start at the data diodes, go from there (Score:5, Interesting)
The first thing is to do a traffic analysis of the data that has transited the outbound data diode. Look for unusual destinations. Then work backwards to see what system generated that data. Then start searching all of the computers for rogue USB devices or other media carried into the office. Actual fingerprints may help catch the culprit, if it wasn't a staff member who was social engineered into using the device.
Remove the hard drives from any affected systems, and do a bare metal restore from the most recent trusted backup. Then use the delta backups to bring things to a reasonably current state.
There should be no physical way for internet traffic to get inbound into the system, as it should be air-gapped except for the data diode. As we all know, a data diode has no physical inbound connection, and is thus secure.
If there isn't a data diode, start questioning the qualifications of the existing IT staff and engineers.
Re: (Score:3)
All good thoughts and quite correct.
Practical questions: how many SCADA systems do you know that actually have data diodes? There's decent penetration of this technology in electric-power transmission/distribution and a certain amount in O/G upstream. Manufacturing/pharma/connected infrastructure/other sectors, not so much.
How much would you spend to secure a SCADA installation with data diodes? To a different poster, how about the spend (both capex and opex) for site-to-site VPN? This can make a lot of sen
Here's another challenge ... (Score:3)
... Which student(s) can paint a wall on my house the fastest?
A small token of appreciation will be given to the winner(s) once the house is painted.
Modern hacking techniques (Score:2)
The reverse engineering lectures [ltsnet.net] page lists "Modern Vulnerability Exploitation": stack and heap overflow, format strings. Yeah, modern!
Re: (Score:2)
OK, yeah I can't be lazy and punch the UPDATE button (and who in their right mind does that without putting the box in a lab first?)
Equifax?
[ducks]
Strat :)
How the other works on the US mil need for skills (Score:2)
The other floods your nation with their trusted people over many decades.
Every few decades later their trusted, skilled, cleared next generation fills your most advanced, sensitive and trusted university courses.
Apply for education that feeds your mot sensitive mil/gov/clandestine work.
Some really rise up the ranks.
Stand next to very best US mil cryptographers in real time.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Other nations don't need billions to fund network security
In other words . . . (Score:2)
Students? (Score:2)
Yeah, ignore those of use who ahve been doing security for decades involving SCADA get the student!
How about people who make those decision actual listen to security experts?