So back in April 2008 I decided I would participate (loose term used) in the Pacific Rim Collegiate Cyber Defense Competition http://www.dc206.org/?page_id=14 here in Redmond, WA. I wouldn’t say I am much of a hacker (because to be honest I am not). Upon arrival on Sunday the tech support people were nice enough to arrange for me to have a span port on the network to observe the Red team and what they did to the poor 120 unsuspecting Snowflakes. Before that I decided to visit what the students were doing. Since most people here on the forums know that the clothes I wear are considered “Fedware”, I was able to walk around, take a peek and shoulder surf most of the teams. I have to hand it to the UW Tacoma team for being the most paranoid.

Fast forward. I have heard that on Saturday the Red team wasn’t so organized, but on the Sunday I was there, the Red team decided to use controlled restraint. They were at the point where they were saying “Maybe we should stop decimating Team x’s network and focus on another group.”
Funny moments: one team had Nessus running on their server. The Red team proceeded to use that to scan every computer on their subnet. Default passwords on Cisco routers and switches. In the last 10 minutes of the competition the Red team decided to have one go back to its factory default settings. The Red team found a SQL table and proceeded to dump the entire table. Here is what one of the other Red team members found:
http://www.jwsecure.com/dan/
“Indeed, it’s kind of scary how fun it is. I found a few good ones: default “enable” (admin account, basically) passwords on a Cisco router and a switch (two separate teams). And a default MySQL password on a third team. Other red team members found cross-site scripting vulnerabilities, a cracked SAM database or two, and a few other compromised routers and switches.”

What I would like to rant about right now are the conversations I had with the instructors. These instructors are smart and knowledgeable people. However, some of them don’t have industry experience with these types of threat vectors. How can you learn from that? What benefit does a student have in knowing the instructor hasn’t had a scenario in an enterprise environment where all goes to fubar (the TJ Maxx credit card data breach, for example)? One instructor told me “We can’t teach these kids how to do what you folks do because they might use the information in committing crimes.” Wow, thank you professor for thinking your students are potential felons. However, here comes the paradox: how do you protect something if you don’t know how to attack it? Imagine, some of the Red team members arrived only on Sunday with minimal software at their disposal. Imagine what havoc they would’ve been able to inflict with “the good stuff”. In the end all the teams were compromised; the Red team was able to make a good network map from day 1, compromised servers and information etc… all in one day. I wouldn’t know what the actual hacker mindset is, but a real attacker would be patient, like a lion stalking its unsuspecting prey, only to pounce when they know it’s a win-win. This exercise was performed in a lab environment where they knew they were going to be vulnerable from the moment they installed their OS CD. And yet, they got hit, and hit hard. To quote a highly admired colleague of mine here, “I weep for the future”. Instructors and the institutions they work in will need to find the delicate balance of what is considered an acceptable risk to teach students. To use another analogy of my colleague, “Would you stop teaching locksmiths the craft if that knowledge can be used for illegitimate reasons?” This just reminds me of back in the day when PGP came out and the US Customs Service was investigating Phil Zimmermann for possible violations of the munitions act.
There was an instructor at a university who wanted to teach cryptology to college students. Because it was a public university he couldn’t refuse foreign students from taking the class. He was investigated and was threatened with jail time if he taught the class. In the end, the class that year was removed from the schedule. Fast forward to today: you can teach the theory in the open. But imagine not being able to teach the next generation the basics and advanced theory, whether it be the dark arts of security or even cryptology. I hope the situation improves. You can’t protect yourself from a threat that you aren’t aware of or don’t understand.
/end rant

ミー