Penetration Testing Resources: CTFs and Contests
Our last article provided a substantial background into what Penetration Testing is all about. Specifically, the following topics were covered:
- Black Box/White Box/Gray Box Testing
- The Penetration Testing Teams (Red/Blue/Purple Teams)
The Types of Penetration Tests (Network Services, Web Application, Client Side, Wireless,
- Computer Network Exploitation (CNE) and Computer Network Attacks (CNA).
Penetration Testing Teams are important when it comes to discovering the security weaknesses and vulnerabilities of a corporation (as both it is the intent of the Purple Team to be the facilitator of information and data between the Red and Blue Teams). But, there is one key factor when it really comes to pushing these teams to reach their full potential and find all of the security holes which are present.
It comes down to motivation. Obviously, a greatly motivated Pen Test Team will do all it can to find all of the gaps and fix them. In other words, far surpassing the minimum requirements which have been set forth. On the other hand, a Pen Test with lesser motivation will do what is just expected of them, and nothing more.
So, how do you motivate and inspire a Pen Testing Team? One of the best ways in which this task can be accomplished is through a special technique called “Capture the Flag”, or “CTF” for short. This can be applied to a virtual team participating in a contest. But when it comes to the world of Information Security, the object of a CTF is offer the Pen Testing Teams a particular type of competition where they can penetrate the most hidden and covert security “flags” or holes in a corporation.
Each flag which is found carries a certain amount of points associated with it. Obviously, the team with the most number of points wins the particular CTF competition. When it comes to Pen Testing, there are three types of CTFs which are very important:
This kind of CTF or challenge involves finding security vulnerabilities in all sorts of web applications, websites, and mobile based websites.
With this kind of CTF, the goal is to find and exploit and any security weaknesses which can be found in an encryption based protocol. A perfect example of this is the Secure Sockets Layer (SSL) which is used most commonly in the website to scramble the information and data which is transmitted by the end user.
The goal of this CTF is to find any and all security holes which can be found in the actual source of a particular application.
With this mind, these kinds of CTFs can occur at all levels which include:
- National Cyber Challenges
- Student Hacking Contests
- Security/Hacking Con Competitions
- Online Challenges.
National Cyber Challenges
In the United States, there are two organizations which are designed specifically for conducting CTFs at the national level. The first one is known as the “US Cyber Challenge.” Its primary goal is to create CTFs across all levels of businesses, higher education, and government. This foundation offers challenges across these levels:
- High Schools
- Community Colleges
- Land Grant and State run Universities
- Local/State Governments
- The Federal Government
- Businesses and Corporations (primarily those in the Fortune 500)
- Research Facilities and National Labs
- Publishing Companies and other types of Media Houses.
One of its major objectives is to find and train 10,000 individuals and train them to the best Pen Testers and Cyber Defense professionals here in the United States. Other than just CTFs they also offer Pen Testing competitions across these venues as well:
- Cyber Camps
- Sponsorship Opportunities
- Virtual based Challenges.
The second organization is known as the “National Cyber Analyst Competition”, or the “NCAC” for short. This is a joint venture between the Institute for Business and Information Technology located at Temple University; and the Lockheed Martin Corporation.
Unlike the US Cyber Challenge, this organization focuses primarily on the education sector. Their primary goal is to make students acquire critical skills through applying knowledge from the following domains:
- Cyber Defense
- Risk Analysis
- Threat Identification/Remediation/Communication.
Their CTF model design is based upon building more challenging competitions from the previous year; providing first class mentorship by Cyber and Pen Testing experts in the industry; and creating/implementing the best and most accessible resources possible for both the students and the faculty.
Student Hacking Contests
There are also groups and other types of organizations who have CTFs, which are devoted primarily to high school students. One of the main objectives of the CTF at this level is to spark the interests of the high school students into studying Cyber Security or Computer Science in a college or a university, and applying the knowledge they have learned to be the best computer security professionals possible.
One such organization is known as the “High School Capture the Flag”, or also known as “HSCTF” for short. A primary differentiator between this and another CTFs is that the focus is not just all about computer security. Rather, other aspects of computer science are also addressed such as the design and analysis of mathematical algorithms and the development of new kinds of programming languages.
Interestingly enough, this particular CTF is designed and created by high school students, with the help and advice given by adult mentors. The hacking contests which are created are designed to have middle school and high schoolers (grades 6 to 12) as the primary competitors. Teams consist of no more than five individuals. There are prizes for 1st place ($450); 2nd place ($300); and 3rd place ($200).
Another recently formed organization with the main purpose of creating very difficult CTFs is the “CBusStudentHack Coding For Community: Health and Wellness”. This is a contest which lasts for 12 weeks, in which they learn a new programming language from Microsoft called “Touch Develop.”
Teams composed of 2 to 4 students use Touch Develop to create various mobile apps, which must be designed in such a way that it will help to improve the health and wellness of end users. The judges give points to the teams by how well they can quickly discover any software holes and gaps in the other teams’ mobile apps. Also, points are awarded for the level of robustness which is displayed by the software which has been developed.
It should be noted that this organization is a joint venture and funded by AT&T and Franklin University
Security/Hacking Con Competitions
It should be noted that many of the hacking contests and CTFs occur in a virtual space-meaning, the team members may never meet each other personally, but a common bond and trust is developed to help ensure that the team will win.
On the flip side, there are those hackers who prefer to meet face to face and compete in an actual physical setting. These types of CTFs are known specifically as “Hacking Convention Competitions.” Probably one of the best known as “DEF CON.” This convention will occur over a three-day time span this year, from August 4th-August 7th in Las Vegas, NV.
In fact, this is deemed to be the largest and most in demand hacker convention, having been first started all the way back in 1993. It is not just the diehard hackers that attend and compete, even other professionals such as federal government employees (such as those from the FBI, the Department of Defense, the Secret Service, as well as the United States Postal Inspection Service), scientific researchers, lawyers, doctors, journalists, etc. with the remotest interested in hacking also participate as well.
At this convention, there is usually several tracks of speakers who lecture about and discuss on just about any computer related topic which is deemed to be “hackable” enough. The contests run the gamut from lock picking to cracking source codes to building a robot and tearing it down again, to even creating a Wi-Fi connection and hacking into it.
After DEF CON, another very popular hacker convention is known as “NorthSec.” This has been traditionally held in Montreal, Quebec. The last event was held from May 19th-May 22nd. There were over 400 competitors, which made up a total of 50 competing teams. There were three lecture tracks held at this convention, which included the following topics:
Application and Infrastructure:
This included topics in network security, web hacking, reverse engineering, malware rootkits, and hardware/software exploitation.
- Cryptography and Obfuscation:
This included topics in cryptocurrencies, private/public exploitation, covert communication systems, binary reverse engineering, and data forensics.
Society and Ethics:
This included general topics as to how hacking affects the social environment (primarily regarding the end user) and the political context.
Another popular, but lesser attended hacker convention is known as “Positive Hack Days”, or also known as “PHDays” for short. This two-day event was held just recently this past June, and an estimated 2,000 took part. This convention was open to anybody whom is involved in the field of computer security and includes such titles as CIOs and CISOs.
This convention is organized and facilitated by an entity known as “Positive Technologies,” with origins in Russia. The topics which were addressed at the last convention included:
- The security of Critical Information Systems
- Fraud Management
- The investigation of Cybercrime incidents
- Cyber wars and Cyber spying.
This convention also attracted a number of key sponsors such as Kaspersky, Cisco, PC Magazine, PC Week, and Check Point Software.
As mentioned in the last section, pretty much all of the hacking challenges take place in the virtual world. Because of this, anybody interested in hacking can literally Google a CTF based hacking website, join a team, and start breaking down the Cyber defenses of a fictitious (or even real) organization. There are also those online challenges in which you don’t actually have to join a team; rather you can hone your own skills.
A good example of this is the organization known as “Checkmarx.” They were founded back in 2006 as a way to focus on testing and hacking through software code to make it as secure as possible. Through its query language-based techniques, individual hackers are personally invited to hack and literally break the software code for which they have been assigned. Although the underlying goal is to find all vulnerabilities which are present, the focus is finding first any type or kind of logical and technical code vulnerabilities.
The types of source code which hackers pilfer through are:
- Static Code
- Mobile Security Applications
- Open Source Code
- Educational based services and solutions.
Also, a hacker can demonstrate his or her skills by participating in an online challenge, and present the results of that to a potential employer. One such organization that offers this is knowns as “HackerRank”. It was founded back in 2008 by two established software developers, Vivek Ravisankar and Hari Karunanidhi. They both worked on extensive software development projects at Amazon and IBM, respectively.
Their ultimate goal of their joint venture is vet out the highest caliber software engineers by examining their online hacking skills. They firmly believe that this probably the best way to identify talent, rather than simply seeing what is on a resume and interviewing a candidate. To facilitate this process, the organization has created a specific process known as “CodeChallenges.”
With this approach, a hacker is presented with pieces of code, and then is offered a chance to hack into it as quickly as possible, while at the same time finding all of the security holes which are both present, and difficult to find (meaning it takes many iterations of software code review to find, for example, a hidden back door).
The software code which is offered for hacking fall into the following domains:
- Mathematical Algorithms
- Machine Learning
- Artificial Intelligence
- Functional programming.
Overall, this article has looked the various online tools and conventions a hacker has at their disposal to not only show off their intellectual prowess but also to learn new skills and techniques from other seasoned hackers. It should be noted, though, that this realm of hacking this article has covered under the category of what is known as “Ethical Hacking.”
This means that all of the efforts undertaken and the results yielded are to be used for the betterment of not only businesses and organizations, but society as a whole. There are many benefits for the CTFs which fall under this category, and they are as follows:
- Helping to fight against terrorism, especially when it comes to Cyber Terrorism
- Fortifying the defenses of a corporation against malicious hackers intent on real damage and harm
- Increasing the layers of penetrative defenses which will allow the corporation to take a much more proactive stance against attacks and hacks
- Enhanced improvement and quality of Source Code
- An unbiased, extra set of eyes to discover even the most hidden of security vulnerabilities and holes.
But there are also the disadvantages of the CTFs which include:
- An ethical hacker turned over to a malicious hacker
- Allowing an outside individual to gain access to the most proprietary information and data which resides in a corporation
- The possibilities that an ethical hacker could purposely place malicious code into the Source Code itself to cause serious harm later on
- Gaining enough knowledge over time to cause a massive Security Breach.
In the end, it all comes down to the behavioral traits of the hacker. An Ethical Hacker can instantly “flip the switch” and cause widespread harm and damage if he or she really wants to. This is an issue which will haunt society as a whole for a long time and something to which there will never be an easy answer to find.