Enabling Secure Business Operations

JMU Cyber Defense Competition 2009

October 14th, 2009

On Saturday, October 10, 2009, James Madison University hosted their second annual Cyber Defense Competition. This year, there were three teams made up of JMU students, and two teams made up of high school students with JMU student advisors. The attackers were played by employees of Gemini Security Solutions, Computer Sciences Corporation, some JMU alumni, and other friends.

The competition is based loosely on the setup of National Collegiate Cyber Defense Competition events. Each team is scored on its ability to correct problems on its network of machines, perform IT-related business tasks, keep critical systems operating, and defend its network from the attackers. In the JMU competition, the defenders are allowed to work on securing their systems for one hour before the attackers are permitted to begin attacking. This is the opposite of what typically occurs in the national competitions, where the attackers get to probe and attack the systems before the defenders are called in.

Last year we chronicled how the event transpired. This year, there were some differences in what worked, and what didn’t.

  • Default Passwords: This was a far less successful attack than the year prior. Nearly every team had changed every externally-accessible password from its default. What was a cakewalk last year quickly became frustrating (for the attackers) this year.
  • Running Older (vulnerable) Software/Processes: This was also less common. The only time these attacks succeeded was when systems had been rebuilt because they were damaged beyond the team's ability to repair them, and the team forgot to re-patch the rebuilt servers.
  • Installing Unknown Software: The teams were once again given a business task to install software on a server, but the digital signature on the email was invalid. Only two teams installed this software, and both quickly noticed it was not what was expected and removed or patched it.
  • Physical Access: A physical attack we performed – erasing the drives on all firewall machines by inserting a DBAN disc – turned out to be the difference in the competition. One team thwarted this attack by disabling the keyboard on their firewall. We only had 5 minutes of uninterrupted access to their systems and failed to get the drive erased on that team's firewall. Being the only team left standing while the others had to rebuild their firewalls completely allowed them to score enough points to win the competition.
  • Web Application Security: The E-Commerce Site/Engine that was installed by default on the team servers was not well understood by the defenders. The attackers used knowledge of the system and its back-end firewall to install back doors and disable the site. Most teams either never got the web application running, or had it disabled for the entire competition.
  • Not finding the real problem: This was less of a problem this time. The teams were effective at rooting out the causes of attacks and defending against them.

The teams were all very effective in configuring their firewalls to prevent attacks, and to limit what an attacker could do even when an attack succeeded. For example, we had compromised one of the web servers and gained the ability to run system-level commands on it. Unfortunately for us, their firewall would not let us use any mechanism to download additional attack tools to the system (we tried ftp, telnet, ssh, and tftp, among others). As a result, while we could take down the website (which was already at our mercy), we couldn't use the compromised server to attack other systems.
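The egress filtering described above does more than block tool downloads: a web server that suddenly tries to reach out on ftp, telnet, ssh and tftp is itself a strong sign that it has been compromised, and the firewall's drop log is where a defender sees it first. The following Python is an added example, not code from the competition or from the original post. It parses constructed netfilter-style log lines (the `DROP-OUT`/`ACCEPT-IN` prefixes, addresses and timestamps are all made up for the example) and flags any internal host whose blocked outbound attempts hit several distinct services within a short window; the thresholds are assumptions a defender would tune.

```python
import re
from collections import defaultdict

# Constructed sample firewall log, in the style of iptables LOG output.
# 10.0.1.20 plays the part of a DMZ web server whose outbound ftp/telnet/ssh/tftp
# attempts are dropped; 10.0.1.30 makes a single blocked https attempt.
SAMPLE_LOG = """\
Oct 10 14:02:11 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=40211 DPT=21
Oct 10 14:02:13 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=40212 DPT=23
Oct 10 14:02:15 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=TCP SPT=40213 DPT=22
Oct 10 14:02:16 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.20 DST=198.51.100.7 PROTO=UDP SPT=40214 DPT=69
Oct 10 14:02:20 fw kernel: ACCEPT-IN IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=10.0.1.20 PROTO=TCP SPT=51000 DPT=80
Oct 10 14:05:00 fw kernel: DROP-OUT IN=eth1 OUT=eth0 SRC=10.0.1.30 DST=198.51.100.7 PROTO=TCP SPT=33000 DPT=443
"""

# Assumed log layout: syslog timestamp, host, "kernel:", a rule prefix, then the
# usual netfilter key=value fields we care about.
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: (?P<action>\S+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not a netfilter entry."""
    m = LOG_RE.match(line)
    if not m:
        return None
    hours, minutes, seconds = (int(x) for x in m.group("time").split(":"))
    return {
        "t": hours * 3600 + minutes * 60 + seconds,  # seconds since midnight (same day assumed)
        "action": m.group("action"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def blocked_egress(lines):
    """Keep only outbound connections the firewall dropped (DROP-OUT prefix assumed)."""
    return [e for e in map(parse_line, lines) if e and e["action"] == "DROP-OUT"]


def flag_suspicious_hosts(lines, min_distinct_ports=3, window_seconds=300):
    """Map each internal host to the distinct destination ports it was blocked on,
    but only when at least `min_distinct_ports` services were tried inside any
    `window_seconds` span. One blocked attempt is noise; a fan-out across several
    services from a server that should never initiate connections is a signal."""
    by_src = defaultdict(list)
    for e in blocked_egress(lines):
        by_src[e["src"]].append(e)

    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["t"])
        for i, first in enumerate(events):  # sliding window starting at each event
            in_window = [e for e in events[i:] if e["t"] - first["t"] <= window_seconds]
            ports = {(e["proto"], e["dpt"]) for e in in_window}
            if len(ports) >= min_distinct_ports:
                flagged[src] = sorted(port for _, port in ports)
                break
    return flagged


if __name__ == "__main__":
    for host, ports in flag_suspicious_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: blocked outbound attempts on ports {ports} - investigate this host")
```

Run against the constructed log, only the web server is reported, with ports 21, 22, 23 and 69; the single blocked https attempt from the other host stays below the threshold. In practice the same check would run over the firewall's real log, and a hit on a server that has no business initiating connections is worth treating as a probable compromise rather than a misconfiguration.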

All in all, I believe everyone had an enjoyable and educational time. We look forward to the next competition!