[ISN] Teens Fight Off Hackers

From: InfoSec News (alerts@private)
Date: Mon May 21 2007 - 22:40:21 PDT


http://cosmiclog.msnbc.msn.com/archive/2007/05/21/199009.aspx

By Alan Boyle
May 21, 2007

They weathered the worst that hackers could throw at them, and still 
kept their computer network running strong. Fueled by pizzas and pop, 19 
teams of high-school students pulled an all-nighter over the weekend, 
during a computer security competition aimed at rewarding kids for being 
the good guys rather than the bad guys.

"The kids had a blast," said Doug Jacobson, director of the Iowa State 
University's Information Assurance Center and one of the organizers of 
the weekend's High School Cyber Defense Competition at the Ames campus.

The idea behind Iowa State's high-school contest - as well as its big 
brother, the National Collegiate Cyber Defense Competition - is to turn 
students into system administrators for their own computer networks. On 
the big night, the student "Blue Teams" are pitted against a "Red Team" 
of upper-class and professional security experts who try to hack those 
systems.

"It's like the real world," said Jessica Archer, project manager for the 
collegiate program.

The competitions run overnight, lasting 15 hours for the high schools 
and 24 hours for the colleges. During that time frame, the students are 
asked to change passwords, reconfigure Web sites, deal with 
sometimes-clueless network users and cope with anomalies ranging from 
hardware failures to mock fire drills. All the time, the Red Team 
members are trying to hack their way into the networks - and often 
succeeding.

"One of the things they love to do is put pictures of themselves on the 
kids' Web sites," Jacobson said.

During last weekend's competition, judges doled out demerits for system 
downtime, exploited network vulnerabilities and anomalies that aren't 
dealt with. The teams could have some demerits taken away by fixing the 
problems and explaining how they did it. At the end of the competition, 
the team with the fewest demerits won.

For the second year in a row, West Des Moines Valley High School took 
the weekend's top honors. Team adviser Dave Cochran credited the win to 
a high degree of preparation, with support from professional mentors at 
a local computer security firm. But team member Michael Flagg, a 
17-year-old junior, said plain old vigilance played a role as well.

"How we won is that we watched our network activity like a hawk," he 
told me. "The purpose of my machine was for people to write code. The 
second they'd write, I would open that [code] up, and if I identified it 
as a threat, I would just delete it right beneath them, even before they 
could run it. We got a few points for that."

This might sound a lot like work and not much like play - but once the 
cat-and-mouse competition gets going, it's as gripping as a video game.

"Typically what we see is that none of the teams will take breaks," 
Archer told me. "They're so focused and so into it that they just sit in 
the room the whole time, working."

Archer was talking about college students, but the high schoolers 
clearly felt the same way. "I'm going to do this again next year," Flagg 
said. Here's what the other members of Valley High's team said:

* Ryan Tew, an 18-year-old senior and budding computer scientist, was 
  the school's only returning Blue Team member. "This time, it was 
  pretty much the same. There was a lot more activity throughout the 
  night. ... The thing I learned the most about was how to use Active 
  Directory to limit different users' activity on the computers."
    
* Jordan Shkolnick, a 17-year-old senior, was the team's only woman. She 
  admitted that she sometimes found herself doing "girlie" jobs but for 
  the most part was treated as one of the guys. And being a female 
  computer whiz isn't all bad: "Basically, it gives you an advantage, 
  because they don't think you know anything or can do anything - so you 
  can take them by surprise."
    
* Joel Miller, a 16-year-old junior, said this weekend's contest was a 
  huge learning experience: "Everything was a surprise. We just didn't 
  know what was going to happen when we went into this, because they try 
  to keep us on our toes. ... When you're working with other people, it 
  makes it a lot more fun."
    
* Trevor Nelson, an 18-year-old senior, said his classmates thought it 
  was "pretty cool" that he was on the Cyber Security team. "Some of 
  them wish they knew about it before, because they wanted to join," he 
  said.
    
* Joel Miller, a 16-year-old junior, said this weekend's contest was a 
  huge learning experience: "Everything was a surprise. We just didn't 
  know what was going to happen when we went into this, because they try 
  to keep us on our toes. ... When you're working with other people, it 
  makes it a lot more fun."
    
* David Turner, a 17-year-old junior, said that he had no experience 
  with computer security issues before joining the team - and that his 
  involvement has given him a new perspective on computer hacking. "I 
  hadn't heard about the bright side of hacking," he said. "I never 
  realized that this kind of stuff could be put to a good use."

Jacobson said that's a big take-home lesson for kids who run counter to 
the stereotype of a teenage hacker.

"It's not really complicated to get the hacking tools and go attack 
something," the professor told me. "What they realize is how challenging 
it is to defend. ... You have to win every confrontation, and the 
attacker has to win only one."

Of course, the Red Team gets to have their fun as well. "They look 
forward to the high school competition because they get to play on the 
other side," Jacobson said. "They get to be the bad people."

For high schoolers as well as college students, Cyber Defense marathons 
are much more than one night of geek glory: On the collegiate level, 
Texas A&M University won last month's nationwide competition and will be 
invited to the Department of Homeland Security's Cyber Storm II security 
exercise next year. I have a feeling those kids won't have to worry too 
much about finding jobs when they graduate.

On the high school level, the schools that participated in the Iowa 
contest get to keep the computer equipment they were given during the 
buildup to this weekend's event - thanks to the project's sponsors. And 
Jacobson is already laying plans for a bigger, better "IT-Olympics" at 
Des Moines' Hilton Coliseum next April.

"We hope to have about 1,000 kids next year," Jacobson said.


_____________________________________________________
Attend Black Hat USA, July 28-August 2 in Las Vegas, 
the world's premier technical event for ICT security 
experts. Featuring 30 hands-on training courses and 
90 Briefings presentations with lots of new content 
and new tools. Network with 4,000 delegates from 
70 nations.   Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on 
June 1 so register today. http://www.blackhat.com



This archive was generated by hypermail 2.1.3 : Mon May 21 2007 - 22:55:05 PDT