The Rensselaer Computer Security Interest Group competed in the International Capture the Flag competition last Friday, December 3. Connecting remotely to the organizers’ servers at the University of California, Santa Barbara, RPISEC engaged in a nine-hour simulation of cyberwarfare.
The iCTF event is organized annually by Giovanni Vigna, a professor of computer science at UCSB and co-director of UCSB’s Security Lab. Each year, Vigna themes the competition around a topical issue in the security industry; this year, Vigna explored the idea of disrupting a foreign government’s infrastructure through state-sponsored cyber attacks.
Enter Litya, a nation led by a notorious dictator that has become known for an abundance of illegal activities—fraud, scams, malware, and other illegitimate dealings—that it uses to bolster its economy. After some of Litya’s secret plans are leaked to the LityaLeaks website, other nations—represented by RPISEC and other participating teams—work to compromise Litya’s plans and bring down the Lityan government.
Throughout the competition, RPISEC completed various challenges ranging from hacker trivia to sophisticated reverse engineering and data forensics. Solving these challenges earned the team cash, which was used to bribe Lityan system administrators into letting down the nation’s cyberdefense mechanisms. Once in, RPISEC had a limited amount of time to stealthily attack the software orchestrating Litya’s infrastructure.
One target, according to participant Wilson Wong ’13, involved gaining access to, aiming, and launching a “missile” (read: NERF gun) using a launch code that changed every 20 minutes.
Pulling off a successful service attack would earn the team a “flag,” a password which could be turned in for points. By the end of the competition, RPISEC had scored 300 points, tying for 32nd place among 72 teams from 16 countries. Among the 26 teams from the U.S., RPISEC placed 12th. The winning team was the Plaid Parliament of Pwning from Carnegie Mellon University.
“We didn’t do as well as we would have liked, focusing too much on solving challenges for cash instead of attacking Litya’s infrastructure, but the competition was well designed and a lot of fun,” said Ryan Govostes ’11, vice president and co-founder of RPISEC. “I’m especially glad that we had a number of first-year students and sophomores, who I hope will continue competing after the current officers have graduated.”
Jeremy Pope ’13 joined RPISEC last fall and participated with the team at the Polytechnic Institute of New York University’s Cyber Security Awareness Week in October, where RPISEC placed 3rd of 10 finalist teams in the capture the flag event. Pope mentioned that his favorite part of this year’s iCTF was “learn[ing] a few things about avoiding detection … and messing with Perl programs” in one of the challenges.
Mukkai Krishnamoorthy of RPI’s Department of Computer Science visited the team during the competition and participated with RPISEC on two of the tasks. “Both of them [were] quite challenging,” stated Krishnamoorthy. “I was shown the solution of one of the challenge problems [about] steganography, [and] while I knew the theory, [John McMaster ’11] was able to decode the challenge using clever tricks. The whole solution strategy [was] refreshing and the cooperative aspect of solving [the] problems was stimulating.”
RPISEC will compete in Russian Capture The Flag Extended on December 18.