After a brief break for lunch and some major discussions about the games and the physical break in, the Red Team gave a short talk to the students about what they did. Not including the physical attacks, 90% of the issues were related to default passwords. The remaining problems were related to bad code. They also brought up the blue shirt affect and that avoiding attention is a great technique to staying out of harm’s way. It was also discovered that most of the teams were expecting serious 0-day attacks that they would have to find and stop, when in reality telnet, SSH, and a web browser were the primary weapons. The winning team was actually the one that kept their router running (two teams hosed themselves on this issue), changed most of the default passwords, locked down their permissions, and didn't attract attention to themselves. Oh, and of interest, it was the same team that had only a week to prepare and were all programmers (as seen in figure 4).
Figure 4: The Winners!
The end result was that a group of students got a first-hand experience of just how bad it can be in the real world, and what they would need to do if they ever had to deal with a similar scenario. From setting up a secure shopping cart to understanding how the chain of evidence and how to deal with authorities, the experience was valuable for everyone there, including me. I for one will be back again next year to watch the games!
Winning Team: Millersville University
Todd E Echterling: System administrator for the computer science department
Chad A Billman
Edward J Schwartz
Thomas J Miller
Cory W Adams
Michael A Vicinsky
Mark A Olszewski
Bradley J Chronister
Joe Harwell: Joe is a Security Specialist for Nortel Government Solutions. He currently is responsible for design, integration and testing of many of the "three letter agencies" security systems, and has over 15 years of experience in the field. He was CERT penetration tester for the US Army in a previous life.
Ryan Trost: Ryan is a Senior Security Engineer for Criterion Systems, currently working on a DHS contract. When not overseeing the security architecture of his team, he spends his free time developing a Network Security Snap-on Application that involves IDS Geocoding (patent pending). Ryan will be graduating from George Washington University this May with a Masters in Computer Science.
Adam Meyers, CCE, IAM, IEM: As an information security professional and consultant, Adam Meyers provides clients with complete security expertise, ranging from assessments, forensics, incident response, penetration testing, and security architecture. Additionally he provides physical security assessments and threat analysis. Mr. Meyers is a Certified Computer Examiner (CCE). Prior to joining SRA, he worked with the George Washington University Security Team, as the Network Manager for the 2000 National Democratic Convention, and as a private security consultant, all while pursuing a degree in political science with specific attention to inter-state information warfare.
Tom Parker: Tom is a computer security analyst who, alongside his work providing integral security services for some of the world's largest organizations, is widely known for his vulnerability research on a wide range of platforms and commercial products. Tom regularly presents at closed-door and public security conferences, including the Blackhat briefings, and is often referenced by the world's media on matters relating to computer security.