Hacking Competitions and Their Untapped Potential for Security Education

Education Editors: Matt Bishop, [email protected] Cynthia Irvine, [email protected]

nformation security educators can learn much from room environment.

the hacker community. The word “hacker” is con- Network Warfare Perhaps the best-known com- troversial, and the idea of emulating this community petition in the hacker community is CTF, which challenges is problematic to some. However, we use the term in participants to attack and defend computing resources while solv- itsI purest form: individuals who creatively explore technology ing complex technical problems. Run by security experts includ- Gregory and push it in new directions. Be- better prepared to deter attacks and ing DDTek, Kenshoto, and the Conti, Thomas cause of this imaginative, playful defend against them. They’ll also Ghetto Hackers, CTF has been Babbitt, and spirit, most hacker conferences be more able to perform ethical an important catalyst for research, John Nelson sponsor diverse and intense com- hacking activities, such as penetra- innovation, and government, aca- US Military petitions, many organized by the tion testing, reverse engineering, demic, and industry collaboration. Academy attendees themselves and facilitat- and active network defense. CTF variants have emerged, such ed via the conference organizers. as the Collegiate Cyber Defense These competitions test partici- Types of Competitions Competition and the US National pants’ ingenuity and problem-solv- Hacker competitions touch on Security Agency-sponsored Cy- ing skills, are fun and innovative, many aspects of computer science, ber Defense Exercise.4 CTF has and draw large, enthusiastic groups information technology, electri- even spawned a business model in of participants and spectators. cal engineering, and informa- which White Wolf Security and Academia and the computer tion security education. They’re other firms host similar exercises security industry have widely ad- powerful ways to teach, inspire, for third parties. Innovation in opted hacker competitions, such build teams, recruit students, and CTF events occurs continually. as DEF CON’s Capture the Flag facilitate advanced skill building. For example, PacketWars com- (CTF), to augment information Competitions can also build the petitions operate like a spectator security education. Many other reputation of participating indi- sport. (For URLS for PacketWars hacker competitions, however, viduals and institutions. and other competitions mentioned are less known. Here we examine We researched the competi- in this article, see the sidebar.) these untapped competitions’ po- tions of major hacker conferences, Every rigorous information se- tential and identify those that can including DEF CON, CanSec- curity education program, wheth- energize and enhance informa- West, ToorCon, ShmooCon, er technically or policy focused, tion security education in both the HOPE (Hackers on Planet Earth), should include appropriately classroom and the industry. and the Chaos Communication scoped CTF competitions to avoid Over the past decade, educa- Congress. Addressing all the com- a significant knowledge gap in its tors have increasingly realized the petitions these conferences host graduates. value of the hacker mindset for is beyond this article’s scope. We teaching information security.1–3 instead highlight a spectrum of Wireless By learning the hacker perspective competition techniques that have Wireless-networking technologies and considering the unanticipated distinct pedagogical merit and are are on the rise, and wireless vul- use of technology, students will be readily translatable to the class- nerabilities and open access points

are increasingly common. Hacker competitions highlight these con- Related URLs cerns. For example, war-driving competitions, during which par- • Badge Hacking Contest, www.defcon.org/html/defcon-18/dc-18-contest-results.html# ticipants map open access points, dc18badgehack quantitatively illustrate the preva- • Collegiate Cyber Defense Competition, www.nationalccdc.org lence of insecure system configu- • Crack Me if You Can, http://contest.korelogic.com rations and raise public awareness. • Crawdad, http://crawdad.org Competitions have spurred new • Cyber Crime Center Digital Forensics Challenge, www.dc3.mil/challenge/2011 antenna designs and illustrated • Dual Core, http://dualcoremusic.com/nerdcore that consumer-grade wireless-net- • Hack Fortress, www.shmoocon.org/hack_fortress work transmissions are vulnerable • HOPE (Hackers on Planet Earth) conference badges, http://amd.hope.net at extreme distances. To explore • IEEE Conference on Visual Analytics Science and Technology (VAST) Challenge, http:// the implications of RFID tracking hcil.cs.umd.edu/localphp/hcil/vast11 and social networking, the HOPE • International Collegiate Programming Contest, http://cm.baylor.edu/welcome.icpc conference issued electronic badg- • International Olympiad in Informatics, http://ioinformatics.org/index.shtml es to volunteers, captured location • Open Backdoor Hiding & Finding Contest, https://backdoorhiding.appspot.com and demographic data, and facili- • PacketWars, http://packetwars.com tated attendee-developed projects • PWN2OWN, http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011 for display. Facilitators then sub- • Social Engineering Capture the Flag, www.social-engineer.org/defcon-social mitted this dataset to Dartmouth’s -engineering-contest Crawdad wireless research dataset • ToorCon Tamper Evident Contest, http://sandiego.toorcon.org/index.php?option=com repository, illustrating potential _content&task=section&id=11&Itemid=27 second- and third-order research benefits from hacker competitions. Educators can use wireless- tions require winners to share badge. DEF CON provides soft- hacking events to emphasize many their techniques for the benefit of ware tools for altering the badge’s learning objectives, such as ethics, all. DEF CON’s Crack Me if You firmware and facilities with tools privacy rights, antenna design, Can hash-cracking competition and parts for modifying and test- networking protocols, and the challenges participants to illustrate ing the hardware. Attendees have importance of usable security. weaknesses in the username/pass- converted their badges into such word paradigm by working back- devices as a barcode emulator, Cryptanalysis ward from hashes to passwords. breathalyzer, and social-network Code-breaking competitions at- Cryptographic competitions analyzer. Robotics challenges at tract significant interest while complement code-breaking as- hacker and other conferences are providing a deeper learning of signments. Educators can also also popular. cryptography. The US Cyber employ them more broadly out- At West Point, we’ve found Command created a buzz around side the classroom to facilitate that hands-on hardware-hacking its organization by embedding recruiting, enhance Information activities, often drawn from Make a code into its logo.5 The US Security Day activities, inspire magazine and Joe Grand’s ideas,7 Central Intelligence Agency’s self-learning, and exercise prob- are highly rewarding for students Kryptos sculpture draws intense lem-solving skills. at all skill levels. attention from amateur and pro- fessional code breakers, and even Hardware Hacking Secure Coding and numerous pop culture references.6 Many security compromises oc- Malicious Software Hacker conferences use cryp- cur when adversaries attack hard- Attacks have recently increased tographic competitions to great ware devices in unconventional against end-user application soft- effect. ShmooCon and Toor- ways. Hardware-hacking com- ware, including Web browsers, Con badges have included subtle petitions challenge hackers to word processors, and document codes, puzzles, and clues. Other build novel devices and modify viewers. One long-term solution conferences have disseminated existing hardware to behave in is to teach secure coding practices code-breaking contest sheets to similarly unanticipated ways. An that eliminate many vulnerabili- attendees and awarded prizes at excellent example is DEF CON’s ties early during software develop- their closing ceremonies. Badge Hacking Contest. Attend- ment, instead of dealing with them Importantly, some competi- ees receive a modifiable electronic through postdiscovery patches.

www.computer.org/security 73 Education

Although the ACM’s International the law and victimizing anyone. public. For example, the band Dual Collegiate Programming Contest Properly constructed social- Core has reached broad audiences and the International Olympiad in engineering competitions are with its high-energy security- Informatics facilitate development accessible to a wide range of stu- and-privacy-oriented music. Even of programming and algorithm dents. Using forethought and Snoop Dogg is helping to fight cy- skills, they don’t focus on securing creativity, educators could use hu- bercrime by working with Syman- the resultant programs from attack. man-centric competitions to great tec’s Norton on the Hack is Wack Conversely, some hacker compe- educational benefit. One example cybercrime rap contest.10 Hacker titions focus on the implications could be a phishing email writ- conferences frequently sponsor de- of secure software development ing contest during which students sign competitions, placing the win- and antivirus technologies. For design (without sending) messages ner’s designs online and on t-shirts, example, Core Security has spon- to entice recipients to open at- conference badges, and signage. sored the Open Backdoor Hiding tachments or divulge information. These competitions also invite in- & Finding Contest, highlighting Exercises such as these enable stu- terdisciplinary collaboration, such the difficulty in detecting back- dents to better appreciate the hu- as an information security program doors despite open source code. man component of an increasingly partnering with a local art school DEF CON’s Race to Zero contest technological world. to obtain graphic-design support. challenged contestants to modify Again, creative adoption of malicious code samples to by- Physical Security these practices into the classroom pass antivirus software, while still Information security education environment can reap valuable maintaining a functional payload.8 often overlooks physical secu- pedagogical rewards, as long as This contest helped determine rity. Rigorous network, system, educators clearly define the de- the real-world difficulty of avoid- and application safeguards matter sired learning outcomes. ing detection by different classes little if an attacker gains physi- of antivirus software. Considering cal access to information systems, Other how a hacker forces a system to fail storage devices, or network in- We encourage you to search on- while it’s being built is challenging frastructure. Hacker conferences line for other hacker competitions but highly educational.3 hold competitions in lock picking, you could apply to your curricu- Educators can use the compe- which employ scenarios in which lum. Of course, exciting and edu- tition models we just described, the participant must escape from cational competition ideas aren’t along with their variants, as infor- simulated captivity—that is, hand- just born to hackers. One example mal classroom demonstrations. Or, cuffs, a cell, and a locked door. is the US Department of Defense they can use these models more Another example is ToorCon’s Cyber Crime Center Digital Fo- formally as active components of an Tamper Evident Contest, which rensics Challenge, which you information security curriculum. challenges participants to bypass could adopt to teach computer purportedly tamper-resistant tech- forensics. Another is the IEEE Social Engineering nologies, thus testing vendor secu- Conference on Visual Analytics A social engineer influences peo- rity claims. Matt Blaze illustrated Science and Technology (VAST) ple to divulge sensitive informa- why computer scientists should Challenge, which poses challeng- tion and manipulates their actions. study safecracking to enhance se- ing research questions and pro- Hacker conferences feature dem- curity metrics and understand why vides data for analysis. Even LAN onstrations such as social engi- security systems fail.9 We agree parties, a hacker conference staple, neering by telephone and conduct and argue that physical-security can become a powerful education- scavenger hunts forcing teams to competitions are practical methods al tool. We’ve used them as social acquire various items through hu- for information security students events to attract members for our man manipulation. to better understand security vul- information security club, while Recently, DEF CON initiated nerabilities when an attacker gains teaching networking fundamen- the Social Engineering CTF, in physical access to a device. tals to our frequently nontechnical which participants passively gather participants. ShmooCon’s Hack information on a target company The Arts Fortress competition combines before the conference. During An important component of an in- hacker and gamer teams. A suc- DEF CON, participants gather formation security curriculum is cess in either a gaming or hacking specific target information during effectively communicating techni- challenge gives an advantage to a 20-minute attack. The contest cal security and privacy principles, team members competing in the rules deliberately avoid violating including to a non-tech-savvy other domain.

74 IEEE SECURITY & PRIVACY May/June 2011 Education

Incentivizing these necessary limitations on Defense Exercise on Curricula and Participation their activities. Learning Objectives,” Proc. 2nd Hacking competitions attract Conf. Cyber Security Experimentation many participants simply because and Test, Usenix Assoc., 2009, p. 2. they’re exciting and thought-pro- acking competitions can 5. N. Shachtman, “Crack the Code voking. However, many competi- H help educators infuse learn- in Cyber Command’s Logo,” tions also include prizes and public ing and excitement into informa- blog, 7 July 2010; www.wired. recognition at closing ceremo- tion security education programs. com/dangerroom/2010/07/solve nies. For example, CanSecWest’s Successful instructors will care- -the-mystery-code-in-cyber PWN2OWN competition chal- fully consider their learning ob- -commands-logo. lenges competitors to break into jectives, set the proper ethical tone 6. K. Zetter, “Solving the Enigma target systems, with the first suc- and context, and motivate par- of Kryptos,” Wired.com, 21 Jan. cessful team winning the machine. ticipation. A carefully constructed 2005; www.wired.com/culture/ Academia has greater resource and challenging competition will lifestyle/news/2005/01/66334 constraints. However, we can in- attract many participants. 7. J. Grand, “Research Lessons from centivize participation in numer- Hacker conferences are a rich Hardware Hacking,” Comm. ous cost-effective ways. Avoiding source of innovation. A diverse ACM, vol. 49, no. 6, 2006, pp. onerous rules while encouraging set of artifacts is available online, 44–49. innovation and excitement stimu- which you can employ as train- 8. R. Lemos, “Mandiant Research- lates learning; integrating com- ing aids to illustrate key learning ers Win Race to Zero,” Secu- petition into the curriculum and objectives and gain ideas for con- rityFocus, 11 Aug. 2008; www. awarding performance points structing your own competitions. securityfocus.com/brief/795. also motivates students. Books The hacker competition scene is 9. M. Blaze, Safecracking for the Com- are a low-cost but valued prize. dynamic, so continue to monitor puter Scientist, tech. report, Dept. Awardees might also receive pub- conference websites for the latest of Computer and Information lic recognition through media developments. Even better, par- Science, Univ. of Pennsylvania, coverage and sharing photographs ticipate in these contests yourself, 2004. and videos of the event through encourage your students to do so, 10. M. Lennon, “Snoop Dogg social media. This outreach also organize new ones, and join this Joins the War on Cybercrime,” spotlights the larger program and large, vibrant community. SecurityWeek, 1 Sept. 2010; www. informs the public about informa- securityweek.com/snoop-dogg tion security principles. Acknowledgments -teams-norton-fight-cybercrime. The views in this article are the au- Setting the Proper thors’ and don’t reflect the official Gregory Conti is an assistant profes- Ethical Tone and policy or position of the US Mili- sor in the US Military Academy’s De- Context tary Academy, the Department of the partment of Electrical Engineering and The hacking contests we’ve de- Army, the Department of Defense, or Computer Science and is responsible scribed are edgy, dual-use activi- the US government. for the academy’s information secu- ties that can lead to good or evil. rity education program. Contact him at Despite the dangers, the learning References [email protected]. outcomes far outweigh the risks. 1. S. Bratus, “What Hackers Learn Instructors must emphasize that That the Rest of Us Don’t: Notes Thomas Babbitt is an instructor in the responsibility accompanies skills on Hacker Curriculum,” IEEE US Military Academy’s Department of and knowledge, and they must Security & Privacy, vol. 5, no. 4, Electrical Engineering and Computer discuss improper behavior and 2007, pp. 72–75. Science. Contact him at thomas.bab- reprimand students who display 2. G. Conti, “Why Computer Sci- [email protected]. it. As we know, some students entists Should Attend Hacker might consider using these skills Conferences,” Comm. ACM, vol. John Nelson is an assistant professor in for malicious activities; the occa- 48, no. 3, 2005, pp. 23–24. the US Military Academy’s Department sional student will act upon these 3. M. Locasto, “Helping Students of English and Philosophy. Contact him urges. To counter this temptation, Own Their Own Code,” IEEE at [email protected]. the teacher must set the proper Security & Privacy, vol. 7, no. 3, ethical tone for each activity and 2009, pp. 53–56. Selected CS articles and columns across the entire curriculum, en- 4. W. Adams et al., “Collective are also available for free at suring that all students respect Views of the NSA/CSS Cyber http://ComputingNow.computer.org.