http://www.burlingtonfreepress.com/apps/pbcs.dll/article?AID=/20080613/NEWS02/806130314/1007/NEWS02 By Tim Johnson Free Press Staff Writer June 13, 2008 NORTHFIELD -- The contest among computer-savvy graduate students was billed as a kind of novel spectator sport. Their competition, tantalizingly called a "digital combat exercise," was supposed to give onlookers a rare opportunity to watch a computer hacking job in progress, complete with play-by-play. It didn't work out that way, though, thanks to -- what else? -- some sort of technical glitch that obstructed efforts to monitor what the competitors were doing. So for the few non-techie spectators who showed up, the business of hacking was still as opaque and mysterious at the end of the 1 1/2-hour exercise as it was in the beginning. No great matter, because interesting talk filled the gaps -- talk about computer security and its breaches. That's a major focus of Norwich University's Master of Information Assurance program -- an online curriculum targeted at professionals around the country who want to learn about managing information security. Three six-month semesters culminate in a one-week residency here -- this week -- as students participate in a variety of activities and leave with master's degrees. One of those activities is a kind of computer challenge. Last year, it was called "capture the flag." The challenge was for participants to penetrate a system customized for the occasion and to find the "crown jewels." This year, the challenge was more complex. Justin Peltier, a computer-security consultant from Michigan, was on hand with another simulated system that competitors were invited to break in to. They would be awarded points based on their finding secret files, points of vulnerability or open portals, and based on their identifying operating systems and IT addresses. Twenty-one MSIA students, most of them in teams, sat at computer terminals in one room and used a software program Peltier supplied to explore the target system. Before they started, he laid down such ground rules as "Don't attack the router" and "Try not to do any arp cache poisoning." The spectators gathered in an adjacent room out of earshot, hoping to get a running commentary about how the competitors were doing. The commentary was to come from Peter Stephenson, a member of the program's faculty, who sat at his own terminal and displayed on a big screen something he called a "sniffer trace," a multi-colored table with columns of numbers and letters -- the first in what was to be a series of tableaus that held the promise of monitoring all the traffic on the network next door. The minutes passed, and not much happened. The sniffer trace stayed the same, and from time to time, when Stephenson tried to check on what individual teams were up to, the screen went blank. Could it be that the hackers weren't getting anywhere? Someone decided to check on them in the old-fashioned way -- paying a visit in person. The report came back that they were, in fact, getting somewhere -- finding holes and vulnerabilities of various kinds. The results weren't showing up on the big screen though. Keeping track of this competition was kind of like trying to follow a golf tournament without knowing anything about the sport or seeing anybody play but just by watching the leader board -- a leader board that's stuck on the first hole. Could the monitoring system have fallen victim to hacking, someone wondered. Unlikely, someone else said, but who could say for sure? Meanwhile, spectators in the know passed the time discussing such things as computer-security certification (this comes in many forms) and "penetration testing" -- a field of expertise in which security experts explore a computer-information system to find its vulnerabilities, with an eye toward adapting it to make it less prone to hacking. A complete "penetration testing" workup, it seems, includes not just a technical exploration, but "human engineering," in which the testers probe for human vulnerabilities -- as in, for example, employees who are willing to divulge passwords or IDs over the phone to someone with an authoritative voice. Next door, the team of Jeff Johnson of Kalamazoo, Mich., and Carlos Gomes of Phoenix, Ariz., was making the most headway. They found the most secret files, which won them the most points and earned them the top prize: $5,000 worth of "penetration testing" software. _______________________________________________ Attend Black Hat USA, August 2-7 in Las Vegas, the world's premier technical event for ICT security experts. Featuring 40 hands-on training courses and 80 Briefings presentations with lots of new content and new tools. Network with 4,000 delegates from 50 nations. Visit product displays by 30 top sponsors in a relaxed setting. http://www.blackhat.com
This archive was generated by hypermail 2.1.3 : Mon Jun 16 2008 - 02:16:19 PDT