Collegiate Cyber Defense Competition

The consulting team headed up to Iowa State for the national Cyber Defense Competition last weekend. It's a pretty cool idea. There are two main teams: the Blue team, composed of students from different universities, and the Red team, made up of professional hackers (like us).

The Blue team gets some time to build and secure a network of servers. The day of the event, the Red team shows up and starts to break in. Aside from being extremely fun for everyone involved, this is a great way to introduce students to practical matters in information security. They did surprisingly well, but just like in the real world, a single small error often led to a much larger compromise.

I was working on a team that had locked down their web server fairly well, but had misconfigured a single permission setting, allowing me to read a file out of their web root. I chose a configuration file for one of the web applications they were hosting, which contained the username and password to the database. I logged into the database and replaced the password hash for the Administrator account for that application. I could then log into the application and use the administration features to write files to the server and compromise it further.

Overall, I was impressed by the ways the students found to secure their systems in the face of an onslaught of professional hackers. The real world is a lot more complex, but they're certainly getting a good head start into the security industry.
