Each year, hundreds of hackers gather in computer labs around the world. Their goal? Like any other hackers, their goal is to manually exploit application and network level flaws in servers across the globe. If it sounds malicious, it’s just because it mimics real world vulnerability exploitations that happen every day. In fact, this specific activity is meant to be educational – and the hackers in question are actually students hacking from their universities.
This year, 123 teams from around the world simultaneously connected to UCSB’s servers from their respective countries for the iCTF ‘Capture the Flag’ competition. The theme was “Nuclear Cyberwar,” and each team was to patch and keep their own nuclear enrichment plant secure before trying to hack other teams’ systems by seeking out and exploiting system flaws.
The competition grew organically out of Vigna’s advanced computer security classes as well as his own experience with CTFs; in fact, his team, Shellphish, won the 2005 DefCon Capture the Flag. As a professor, Vigna would hold a vulnerability analysis contest at the semester’s end, where half the class would act as attackers and the other half as defenders. It soon turned into a hacking contest and then became so popular that other professors took notice. The rest is hacking history. The competition has grown from 12 students in the U.S. to 1,300 participants from 40 different countries this year.
“It’s a lot of work – two weeks straight of writing code [with my grad student assistants] and checking it – but we always end up pulling it together, and it’s always great,” says Vigna. “People always ask if I’ll be doing it again, and they come back year to year. It makes it worth it.”
iCTF’s main objective, as an inter-university contest, is to educate the teams in proper computer security techniques. Teachers, acting as mentors, help keep the teams in line, keeping the ego out of a movement notorious for it.
The educational component sets the competition apart from other big CTFs. A lot of the teams’ preparation for the iCTF happens in the 2-3 months before the competition, with members working outside of classwork and other responsibilities to learn both white-hat and black-hat security concepts as well as build the tools to use during the contest. The team effort required for the competition closely resembles a security structure within bigger organizations, helping prepare any future security decision makers on the teams for their coming roles.
The innovation that can come from the younger hackers is a competition highlight. One of the biggest trends Vigna has seen in recent years has been an increase in automation techniques.
“We had a group from Carnegie Mellon, the Plaid Parliament of Pwning, whose research is on automation. They run algorithms that automatically find vulnerabilities, so when other teams were searching through code trying to patch and exploit other teams, they were doing it automatically.”
Automation certainly paid off for Parliament of Pwning. The team not only won iCTF, but also this year’s DefCon CTF (this post gives an inside look at that competition). The group now hosts their own CTF.
Over his decade-long tenure as a professor and in his own research in application security and malware, Vigna has witnessed first-hand the changes happening in the industry. He’s seen a drift over the years from binary analysis to web app analysis, mostly, he says, “Because while application systems are becoming harder to exploit, the best way to attack an organization is through their web presence. It’s very easy to use them as the main entryway.” Security-critical organizations like medical and financial entities have an increased risk with higher stakes and have trouble keeping on top of the changing trends.
He and his students have done everything from hacking voting machines to developing application and malware analysis to creating powerful exploits, and that’s just at school. In his ‘free’ time, Vigna’s also Co-Founder and CTO of Lastline, a company that develops cloud-based malware analysis tools. He’s used his research both as professor and as a security expert in his new endeavor.
Vigna says a looming risk yet to be addressed is SCADA systems that are now connected to the internet. So much of our society is controlled by these systems – water treatment plants, oil refineries, power plants, etc. – and not nearly enough is being done to properly protect them.
“The issue is that to keep their systems certified they can’t update the software without getting re-certified, so they stay un-updated. It takes just one person to make a mistake and connect to the wrong thing, or click a link in an email for something to happen.”
For any business, a breach can be potentially lethal, but when massive infrastructure systems are on the line, it’s a totally different threat level. And it’s exactly activities like iCTF that will prepare those future security pros for dealing with these major threats.
Big thanks to Prof. Vigna for taking the time to speak with me last week. You can read more about Vigna, his research and work here.