Collegiate Cyber Defense Competition

The consulting team headed up to Iowa State for the national Cyber Defense Competition last weekend. It's a pretty cool idea. There are two main teams: the Blue team, comprised of students from different universities, and the Red team, made up of professional hackers (like us).

The Blue team gets some time to build and secure a network of servers. The day of the event, the Red team shows up and starts to break in. Aside from being extremely fun for everyone involved, this is a great way to introduce students to practical matters in information security. They did surprisingly well, but just like in the real world, a single small error often led to a much larger compromise.

I was working on a team that had locked down their web server fairly well, but had misconfigured a single permission setting, allowing me to read a file out of their web root. I chose a configuration file for one of the web applications they were hosting, which contained the username and password to the database. I logged into the database and replaced the password hash to the Administrator account for that application. I could then log into the application and use the administration features to write files to the server and compromise it further.

Overall, I was impressed by the ways the students found to secure their systems in the face of an onslaught of professional hackers. The real world is a lot more complex, but they're certainly getting a good head start into the security industry.

The Return of the Blog

To say we've fallen behind on posting to the Security PS blog might be understating it a bit. The demands of a growing company have unfortunately pushed it to the back burner. Well, we're going to change that. Look for a lot more activity in this space over the coming weeks as we talk about all the projects, research, and cool ideas our consultants have been working on.

We also take requests. If you're interested in hearing more about a particular topic, let us know.