The event kicked off around 1 PM on a Friday afternoon. All the students were sitting at the 'pod,' waiting for the green light. The Red Team was all set to go in a separate room with their equipment. After some general announcements, Tim Rosenberg introduced the students to their mission. "Your job is to keep the services up, the router routing and keep the store open — as well as everything else." After some brief descriptions as to what and who was involved, he gave the green light. At this point, the students had three hours to figure out what they had just inherited from 'the previous IT person' and fix it. Meanwhile, the Red Team was set loose to discover just who was out there and figure out what they were running. They were not to attack anything until after the three-hour limit was up. However, the term 'attack' is very grey and seemed to include rooting routers and firewalls.
When the teams were set loose I positioned myself in the red room to see how the initial information discovery process would go. It was at this point one of the Red Team members stood up, kicked everyone out, and locked the door. Fortunately, I was labeled as trustworthy and was able to stay inside. He next reached inside his bag and pulled out a complete description of the students' setup, including all operating systems, services, web applications, and IP addresses he had obtained from an anonymous source. Everyone in the room immediately got a slightly evil grin on their face as they realized the results of this social engineering reward. Oh yes — things were about to get very bad for the students. Figure 3 gives you a shot of the Red Team in action.
Figure 3: Red team in action
After the disclosure of this damning piece of information, I stepped outside the room to see how the students were managing. Ironically, the students at this point knew less than the Red Team about what was running on their systems. Once again, fortune shined down on me because I happened to know one of the school's team leaders. After a short catch-up (I knew him from high school), I started to ask what he knew about the competition and what his students were dealing with. As it turned out, his team was all programmers who jumped into the event at late notice. That said, they seemed to be very busy figuring out what they had to fix and seemed to be fairly astute as to what they needed to do. I saw kernel recompiling, service packs being downloaded and installed, account permissions being locked down, and much more. In fact, as I looked around the room, all of the teams seemed to be in a frantic rush as they tried to secure their VERY insecure systems.
I walked around from team to team and quickly realized that no one trusted me, which is a good thing as social engineering was allowed. After an introduction ("I am press") and assurance I was not going to tell the Red Team anything, they allowed me to be near, but still kept one eye on me and the other on what I was looking at. Paranoia had set in. Since the first three hours were critical to their success, I decided to keep my distance from the teams and watch from the sidelines. Considering the feat they were trying to accomplish, they did not need me interfering.
During this time, I was able to talk to several of the team leaders, who were not allowed to interact with their teams. Most of them are college professors (PhD types) who wanted to expose their teams to some real world experience. Since the bill was paid for by the grant, there was little to lose and much to be gained by joining the competition. In fact, I am pretty sure there will be at least one school that will be including a class on router configuration.
Back in the red room, the Red Team was working hard at 'information gathering.' This involved scanning the systems with nmap and popular GUI applications from Windows. After looking at the results, it was pretty obvious that the students had some serious issues to address. However, it was equally as obvious that much of the content of the Red Team's information packet was going to be learned by the schools in the first half hour — except for the default passwords.
Since the Red Team knew the default passwords for most of the accounts and services of the running servers, they had logged into each of the teams' routers and changed the default password to something a bit harder to guess. They were also logging into the Linux servers via SSH and changing account passwords, plus doing a little system-level recon to see what kind of vulnerabilities they could use to raise their newly acquired accounts to root level access. Some might call this active hacking, but the lines were not that clearly drawn, which leaves much to 'interpretation.'
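The logins described above would have left a trail on every Linux box: sshd records each accepted password login with the source address, and PAM records each password change. The script below is an added example, not part of the original article or of anything the competition teams ran, showing the check a student team could have run against /var/log/auth.log during the three-hour window to spot accounts taken over with default credentials. The log lines are constructed for the example, and the trusted network prefix is an assumption.

```python
import re

# Constructed sample auth.log lines (not taken from the competition): a
# password login from an outside address, a password change on that same
# account a few seconds later, a key-based login from the team LAN, and a
# failed root login that should not count as a compromise.
SAMPLE_AUTH_LOG = """\
Mar  3 13:12:41 web1 sshd[2214]: Accepted password for admin from 10.10.5.20 port 40112 ssh2
Mar  3 13:12:41 web1 sshd[2214]: pam_unix(sshd:session): session opened for user admin by (uid=0)
Mar  3 13:13:05 web1 passwd[2231]: pam_unix(passwd:chauthtok): password changed for admin
Mar  3 13:20:17 web1 sshd[2290]: Accepted publickey for deploy from 192.168.1.15 port 50001 ssh2
Mar  3 13:25:02 web1 sshd[2301]: Failed password for root from 10.10.5.21 port 40220 ssh2
"""

# Assumed team LAN prefix; any other source address is treated as outside.
TRUSTED_NETS = ("192.168.1.",)

# sshd logs "Accepted <method> for <user> from <ip> port <n> ssh2" on success.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")
# pam_unix logs this line when passwd(1) changes an account's password.
CHANGED_RE = re.compile(r"passwd\[\d+\]: .*password changed for (\S+)")


def is_trusted(ip):
    return any(ip.startswith(prefix) for prefix in TRUSTED_NETS)


def find_suspect_logins(log_text):
    """Return (user, source_ip, method) for every successful SSH login
    that did not come from a trusted network."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and not is_trusted(m.group(3)):
            hits.append((m.group(2), m.group(3), m.group(1)))
    return hits


def find_hijacked_accounts(log_text):
    """Return users whose password was changed after an SSH login from an
    untrusted host, in log order. That sequence is exactly what the Red
    Team's default-credential logins would produce."""
    logged_in_from_outside = set()
    hijacked = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m:
            if not is_trusted(m.group(3)):
                logged_in_from_outside.add(m.group(2))
            continue
        m = CHANGED_RE.search(line)
        if m and m.group(1) in logged_in_from_outside and m.group(1) not in hijacked:
            hijacked.append(m.group(1))
    return hijacked


if __name__ == "__main__":
    for user, ip, method in find_suspect_logins(SAMPLE_AUTH_LOG):
        print(f"outside login: {user} from {ip} via {method}")
    for user in find_hijacked_accounts(SAMPLE_AUTH_LOG):
        print(f"password changed after outside login: {user}")
```

Run it against a real auth.log by reading the file into `find_hijacked_accounts`; an account that appears in the output has already been taken, so resetting its password is not enough and the box needs a look for whatever the "system-level recon" turned up.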
This type of network and system recon continued for roughly three hours, during which time I bounced between the red room and student pods. There were several hiccups in the process, such as an overload on a power circuit that led to a complete loss of power for two teams, but that just made the event that much more realistic IMHO. As the teams started to get things under control, they acknowledged my presence and started to talk a bit. I learned that most of the students were expecting to be slaughtered when the Red Team was set loose. I personally agreed. Even if everyone on the team was an experienced veteran, there was no way they could lock down everything in three hours.
Don't Let Your Momma Dress You
When I first entered the White Wolf Security lab, the first thing that caught my eye was a team that was wearing all blue. Everyone else was in typical student attire that mostly consisted of jeans and a t-shirt. Ironically, this attempt at professionalism turned out to be a bad idea because the Red Team also noticed the blue shirts. The result: 'the blue team' became target number 1.