Home > Blogs > CCDC3 - Skewling college students on getting pwned

CCDC3 - Skewling college students on getting pwned

By  Mar 10, 2008

Topics: Computer Science, Security

We just got back from CCDC3 (Collegiate Cyber Defense Competition) and wanted to share our experience. This year we moved from observer to 'hacker', and discovered just how much fun it can be to mess with help educated college students. Read on for more details, pictures and more!

Earlier this year we were able to participate in the Collegiate Cyber Defense Competition 2008 event. At this event, which was a preliminary competition, we had the opportunity to let loose an arsenal of attacks against five groups of college kids who not only had to fight off our incoming assaults, but also lock down and manage a collection of systems that emulate a typical business. The top two teams from this event, and another preliminary competition, were selected to come together this last weekend for the Regionals.

Once again, the teams were handed a collection of systems and applications that would make most any IT professional cringe. However, this time around the event lasted about two full days and the red team was much larger. Needless to say, the odds were not in the students favor.

One significant upgrade to the CCDC was the scoring engine, which monitored who was attacking who, what services were up, as well as a bunch of other items. The 3D modeling system provided a very neat feel to the event as you could watch the results and see what the red team was up to in a very user friendly format. For a couple screen shots, check out the images at White Wolf Security, who hosted the event along with CyberWATCH.

The red team did have a few moments of amusement at the students expense. For example, one of the ‘hackers’ manipulated the Asterisk server and pointed the phone calls for one of the teams to his own phone. When the CEO called and requested the team to perform some action (AKA business inject), the hacker told the CEO – “No…I don’t think so” – and hung up. This prompted the CEO to go flying into the students room prepared to fire someone. While this caused for much enjoyment in the red teams room, the reality is that unprotected VoIP can cause great problems.

In addition to this, servers were repeatedly owned, services were shutdown, databases extracted and then deleted, firewalls altered to block all outgoing traffic, configuration files altered, backdoors installed, etc. etc. One other highlight was the use of one of the red cell members son, who was not seen as a threat by the students. While taking pictures of the teams (who volunteered for this), he also managed to snap a picture of a piece of paper with passwords on it. Social engineering scores again!

By the end of the event, the winner was Community College of Baltimore County, who now gets to go on to play in the nationals. Ironically, this team was a popular target for the red cell who did cause them much grief. However, at the end of the day this team was able to keep the majority of their services live – despite the constant injects, attacks, and general stress associated with keeping a difficult system up and running.

If you are interested in learning more, or even getting involved, check out http://www.nationalccdc.org/ for lots more information!