How much does it take to hack a mobile network?
Is electronic government secure
in the era of WikiLeaks and Anonymous?

Is SCADA hacking a Hollywood fiction
or the nowadays reality?
Internet banking: is there any chance to win
over the fraudsters?

Cyber-crimes, cyber-espionage, cyber-war: where do we draw a borderline?

Pages

Wednesday, November 28, 2012

PHDays CTF Quals

From time to time information security experts meet at competitions held on the principle Capture the Flag to check who the best in protecting and attacking is. These contests are frequently compared with Formula 1 and attract attention more and more often.

You know how to search vulnerabilities and want to participate, don't you?

PHDays CTF Quals, the qualifying stage of the PHDays CTF international information security contest, starts in December. The chances are even — not only well-known teams but newcomers as well can try to win a ticket to the final stage of the hacking battle. The finals will be held as part of the international forum Positive Hack Days III at the end of May 2013.

Make your own team, submit an application, and go ahead!


The plot is the key point

There are several reasons why it is interesting to partake in PHDays CTF. A new script is devised for each competition. Hackers do not only hunt flags but become participants of a reality show reminding of an involving computer game. It was required to protect a SCADA system controlling an alternative energy source named Monolith at the first PHDays CTF. The second PHDays was aimed at protecting the Earth suffered from genetic experiments (for the legends of the first and the second days see the forum's blog). The participants of PHDays III CTF will find themselves in new surroundings, where they will have to use their specific knowledge so important in emergency.

The conditions of PHDays CTF Quals, as opposed to many other competitions of the kind, are as close to real life as possible: all the vulnerabilities are not fictional, but indeed occur on present-day information systems. Contest topics cover all urgent issues and spheres of information security.


A layout of the game infrastructure of the first day

The CTF participants will try their hands at security assessment, vulnerabilities detection/exploitation, and fulfilling reverse engineering tasks.


A layout of the game infrastructure of the second day

The organizers try to include all current tendencies, which are of interest to the hacking and IS community: web security, operating systems, SCADA, ERP, mobile applications.

Constant changes are a peculiar feature of this CTF. For example, PHDays CTF 2012 provided the participants with an opportunity to attack and hold control over services as part of the competition King of the Hill for the first time. The longer you hold control, the larger your score.

Internet support is always up to date — it is evident that not everyone can visit a forum. When PHDays CTF 2012 was over, the Internet participants were provided with access to the King of the Hill infrastructure. The online contest was held from August 20 to September 3, 2012. 200 participants were registered, and only seven of them managed to earn points.


Point distribution for the King of the Hill contest held online

The $natch competition held on the second day of PHDays 2012 exemplified actual IS problems in a game. The organizers had developed a test remote banking system and included typical errors of such products in it. The CTF teams were required to protect the I-bank systems having only four hours to search and fix vulnerabilities. Internet users partaking in Online HackQuest were the hackers in this competition.

Entertainment is a weak point of the competitions based on the CTF principle. However, PHDays was boring neither for children nor for journalists. Bonus entertaining contests were the secret. First of all, it was a huge paper dumpster containing additional flags. Second, taking control over a quadcopter AR.Drone.


Paper dumpster — 7 points per a flag


 150 points for taking control over an AR.Drone

Money prize is not the least competitive factor. All the participants of PHDays CTF receives valuable prizes by tradition, and the winners of CTF 2012 shared 300,000 rubles.


The Eindbazen team's commemorative trophies

CTF is also a major part of PHDays, and PHDays is good music, tasty food, and free alcohol ;)


The musical band Undervud closes PHDays 2012

–°ontestants about PHD CTF 2012

CTF 2012 brought together specialists from 11 countries. General opinion: none of the participants remained indifferent.

0daysober, CTF Team
PHDays is a well organized conference with a large number of events held simultaneously including such a famous contest as "Too drunk to hack", in which a member of our team took the second place.
http://blog.scrt.ch/2012/06/04/ctf-phdays-2012

Arvind S Raj, BIOS
CTF is cool. We had a great time.
http://arvindsraj.wordpress.com/2012/07/11/phdays-ctf-2012

Thijs Bosschert, Verizon Business
Good job. An example for other conferences to follow.
https://twitter.com/ThiceNL/status/209653337912655872

Other reviews.

Recipe to win

There is no universal method to win PHDays CTF, but we, having assessed PHDays CTF 2012 very thoroughly, detected some mechanisms used by the leading teams to succeed.

For instance, the PPP participants (USA) were not only the first to find a vulnerability in the competitive services but to write a code automating its exploitation. Log analysis showed that they followed this tactics during the whole CTF — the flags were entered into the system with difference of no more than 2 seconds. The same tactics was used by C.o.P. and Leet More.

The Leet More team from Russia became the winner, they were awarded with 150,000 rubles, the second prize (100,000 rubles) was taken by 0daysober from Switzerland, and the third prize (50,000 rubles) went to the Spanish team Int3pids. The rules for point calculation were developed in such a way so that the teams unable to solve the tasks of the same type could compensate the gap and keep winning chances by solving other tasks. The teams needed to be active dealing with all the infrastructures not to lose the lead and win the competition. Everything as in real life — outsiders should not get into despair, and leaders should not get above themselves.

PHDays CTF 2012 was well balanced to make it as entertaining as possible and keep up the interest not only of its participants but of the audience as well throughout two days and a night.


Leet More — the winners of CTF 2012

The CTF winner, the Leet More team, lost to PPP by the points scored in classic CTF and to Int3pids in the contest of the shared infrastructure, but the points earned in the tasks of the King of the Hill infrastructure brought the team to the leading position in the overall rating. At the same time C.o.P. and Eindbazen were in the top three on the basis of the score for the shared infrastructure tasks, but couldn't enter the overall top list at the end of the competition.

The King of the Hill infrastructure, which played a lead role in the determination of the winner, was the climax of the competition. One more crucial point of the competition was a task in which the teams had to protect their bank accounts. This contest allowed the Internet participants from all over the world to affect the CTF results.


 The total score of the teams at the end of the CTF contest (by the contest types)

A large-scale analytical report on PHDays CTF 2012 is available here.

How to join PHDays CTF III?

The registration for the quals starts on the 28th of November and finishes on the 17th of December, 2012. PHDays CTF Quals will take place from 10 a.m. of the 15th of December till 10 a.m. of the 17th of December, 2012 (Moscow time).

The main contest will take place on May 22-23, 2013 in Moscow during the third international information security forum Positive Hack Days.

You can learn more about PHDays CTF Quals and register by following the link: http://quals.phdays.com.

No comments:

Post a Comment