Sunday, 24 March 2013

iCTF 2012

The UCSB iCTF was moved from December 2012 to March 22nd, 2013. I've been part of this event at my university for 2 years now and we keep getting better.

UTM has an information security program which I'm about to graduate from. We learn about hacking and other security-related issues, but we don't have enough practice. For 2 years, we've been making a team of people who take our CSC347 Intro to InfoSec class and have them hack away at the competition. Our setup is usually just "show up day-of and do our best".

This year, I wanted to do it differently: I wanted to have an experienced team. For 10 weeks, I held 3-hour training sessions for the purpose of training students on security issues related to the iCTF. These issues comprised web application security (attack AND defense), secure communication and intrusion detection. In addition, we looked at writing homebrew exploits using Python to perform automated chaos.

The competition came around and we were prepared: VPN setup confirmed and tested, BackTrack on all machines, Twitter feed and mailing list updates live. Our team was set. Of course, as our prof says: All things technology must fail: Couldn't keep the VPN up more than 30 seconds... For 10 hours, we weren't able to log into our server running all of our services. We didn't do too well, but we were prepared and that's important.

I learned a lot about security this year. I'm about to graduate and I'm confident in what I know and what I can build on. Currently, we're talking about building our own little CTF for the security kids at UTM. We want them to learn on their own and capture flags in things they've never seen before: true hackers!

Imagine an Android app with a MITM weakness revealing a flag. Alternatively, suppose we build a webapp with an SQLi vulnerability allowing a database dump of SHA1 passwords; can you find the flag? Better yet, a social network with a clever JS exploit which takes over your computer (malware)... can you find the C&C server and exploit it to find the flag?

Let's see. Coming to UTM Summer 2013?