[ISN] Hacking: A story untold

From: InfoSec News (alerts@private)
Date: Mon Jun 16 2008 - 02:06:37 PDT


http://www.burlingtonfreepress.com/apps/pbcs.dll/article?AID=/20080613/NEWS02/806130314/1007/NEWS02

By Tim Johnson
Free Press Staff Writer
June 13, 2008

NORTHFIELD -- The contest among computer-savvy graduate students was 
billed as a kind of novel spectator sport.

Their competition, tantalizingly called a "digital combat exercise," was 
supposed to give onlookers a rare opportunity to watch a computer 
hacking job in progress, complete with play-by-play.

It didn't work out that way, though, thanks to -- what else? -- some 
sort of technical glitch that obstructed efforts to monitor what the 
competitors were doing. So for the few non-techie spectators who showed 
up, the business of hacking was still as opaque and mysterious at the 
end of the 1 1/2-hour exercise as it was in the beginning.

No great matter, because interesting talk filled the gaps -- talk about 
computer security and its breaches.

That's a major focus of Norwich University's Master of Information 
Assurance program -- an online curriculum targeted at professionals 
around the country who want to learn about managing information 
security. Three six-month semesters culminate in a one-week residency 
here -- this week -- as students participate in a variety of activities 
and leave with master's degrees.

One of those activities is a kind of computer challenge. Last year, it 
was called "capture the flag." The challenge was for participants to 
penetrate a system customized for the occasion and to find the "crown 
jewels."

This year, the challenge was more complex. Justin Peltier, a 
computer-security consultant from Michigan, was on hand with another 
simulated system that competitors were invited to break into. They 
would be awarded points based on their finding secret files, points of 
vulnerability or open portals, and based on their identifying operating 
systems and IP addresses. Twenty-one MSIA students, most of them in 
teams, sat at computer terminals in one room and used a software program 
Peltier supplied to explore the target system.

Before they started, he laid down such ground rules as "Don't attack the 
router" and "Try not to do any ARP cache poisoning."

The spectators gathered in an adjacent room out of earshot, hoping to 
get a running commentary about how the competitors were doing.

The commentary was to come from Peter Stephenson, a member of the 
program's faculty, who sat at his own terminal and displayed on a big 
screen something he called a "sniffer trace," a multi-colored table with 
columns of numbers and letters -- the first in what was to be a series 
of tableaus that held the promise of monitoring all the traffic on the 
network next door.

The minutes passed, and not much happened. The sniffer trace stayed the 
same, and from time to time, when Stephenson tried to check on what 
individual teams were up to, the screen went blank. Could it be that the 
hackers weren't getting anywhere?

Someone decided to check on them in the old-fashioned way -- paying a 
visit in person. The report came back that they were, in fact, getting 
somewhere -- finding holes and vulnerabilities of various kinds.

The results weren't showing up on the big screen though. Keeping track 
of this competition was kind of like trying to follow a golf tournament 
without knowing anything about the sport or seeing anybody play but just 
by watching the leader board -- a leader board that's stuck on the first 
hole.

Could the monitoring system have fallen victim to hacking, someone 
wondered. Unlikely, someone else said, but who could say for sure?

Meanwhile, spectators in the know passed the time discussing such things 
as computer-security certification (this comes in many forms) and 
"penetration testing" -- a field of expertise in which security experts 
explore a computer-information system to find its vulnerabilities, with 
an eye toward adapting it to make it less prone to hacking. A complete 
"penetration testing" workup, it seems, includes not just a technical 
exploration, but "human engineering," in which the testers probe for 
human vulnerabilities -- as in, for example, employees who are willing 
to divulge passwords or IDs over the phone to someone with an 
authoritative voice.

Next door, the team of Jeff Johnson of Kalamazoo, Mich., and Carlos 
Gomes of Phoenix, Ariz., was making the most headway. They found the 
most secret files, which won them the most points and earned them the 
top prize: $5,000 worth of "penetration testing" software.
