A Student-Hacker Rematch at the Second Annual Collegiate Cyber Defense Competition
How many times have you heard a commercial telling you how much money an Information Technology professional can earn in a year? Well, trust me; the job is not as easy as it sounds. Just ask the eight teams that participated in the annual Collegiate Cyber Defense Competition (CCDC). During the event they are under immense pressure to build a web application, maintain a web server with an ecommerce system, manage an Exchange server, keep a DNS server up and running, and more — all while protecting their network from four seriously determined hackers.
From the nationalccdc.org website, "The CCDC is a three-day event and the first competition that specifically focuses on the operational aspect of managing and protecting an existing 'commercial' network infrastructure. Not only do students get a chance to test their knowledge in an operational environment, they will also get a chance to network with industry professionals who are always on the lookout for up-and-coming engineers. CCDC provides a unique opportunity for students and industry professionals to interact and discuss many of the security and operational challenges the students will soon face as they enter the job market." All this said, the event is much more than just a competition. It is a test of how well a person can perform under serious pressure. In fact, there was an unofficial "bonus" for the first hacker who could make a student cry.
In summary, the students are handed a small network with various services, most of which are outdated and vulnerable to some exploit. They then have a few hours to get everything patched and secured, at which point the red team (a.k.a. the hackers) is set loose to own them all. However, as IT professionals know very well, it isn't just the hacker you have to deal with — power outages, router crashes, disk failures and many other unplanned events can also wreak havoc on the typical network. Welcome to the "Real World" — CCDC style.
Last Year's Event
This was the second year for the CCDC. We were fortunate to be invited to last year's event, which turned out to be a very amusing experience. As with any first-time adventure, unexpected anomalies played a very big role in the outcome of the event. However, despite some minor hiccups, everyone benefited from the experience and walked away with a newfound respect for the challenges of the IT world. Perhaps the most amusing and educational aspect of the first Mid-Atlantic CCDC was how the red team managed to surprise everyone involved by incorporating a physical break-in at each team's "business." By the time the event was over, everyone clearly understood that locking down a server extends well beyond a secure user account. It also involves a security system that prevents someone from ever gaining physical access to the corporate systems. As the red team clearly illustrated, it only takes a few minutes to gain access to a Linux box via single-user mode, bypass BIOS passwords by shorting out the motherboard, and gain administrator access to most any Windows 2000 box by resetting the password via a boot disk.
Prior to the physical intrusion, the 2006 red team had the most success by exploiting default configurations and default accounts. Once they were let loose, the team members quickly found and "owned" routers, osCommerce sites, and Linux servers simply because the systems were still using default accounts. Unfortunately, this is a real-world problem that has turned more than one company into a victim. Or, to put it another way, why attempt to locate and exploit a DCOM RPC vulnerability when the password to the Administrator account is blank?
Prior to attending the 2007 event, we were fairly certain the red team was going to have a more difficult time gaining access to the students' systems. The reason for this is that all of the previous year's teams were returning, along with three new schools. In other words, most of the teams knew what they were walking into. Default configurations and accounts were bound to be located and fixed within minutes. The red team would not be able to simply walk in, connect to a system, and log in. However, CCDC predicted this and provided a few "unknowns" to assist the red team with their work.