Modern field guide to security and privacy

In cybersecurity contest, hackers target critical infrastructure

At the inaugural Passcode Cup capture the flag challenge, competitors raced through hacking challenges that ranged from password-cracking to compromising a mock water treatment facility.

Michael Bonfigli for The Christian Science Monitor
Max Kim and James Pavur, team members from Georgetown University's team "Hoya Haxa," work through hacking challenges during Passcode's inaugural capture the flag event.

Joe Needleman was asking for trouble. 

Last week, inside an airy Washington office space, the junior at California State Polytechnic University, Pomona, linked together three clear plastic storage containers and filled each with water, mimicking a water treatment facility. Once he wired the containers to a computer network, Mr. Needleman invited a room full of hackers to attack them.  

If they're successful, "it starts jumping like crazy," Needleman said of his contraption, pointing to a circuit box that controls the water levels.

Needleman's mock water facility was one of the prime targets during Passcode's inaugural capture the flag contest in Washington that drew more than 50 participants in a digital skills challenge loosely based on the schoolyard pastime. In this version, however, teams earned points by solving puzzles, answering trivia questions, and attempting to seek out vulnerabilities in software.

Michael Bonfigli for The Christian Science Monitor
Joe Needleman, a computer science student at California State Polytechnic University, Pomona, built water tanks for the Passcode Cup capture the flag competition last week.

Capture the flag contests have become commonplace inside tech companies, at cybersecurity conferences, and in engineering schools as cybersecurity training tools. Cal Poly Pomona and Alex Levinson, a senior security engineer at Uber, helped build and facilitate the Passcode capture the flag contest, which was based on a capture the flag that Facebook developed and made available through the open source software repository GitHub.

As the Passcode contest revved up last Friday, techno music pulsating through the Washington coworking space and 13 teams, many of them college students, clicked through at a slew of hacking challenges.

The team "Hoya Haxa" from Georgetown University (their name was a play on the school's "Hoya Saxa" cheer heard at basketball games) immediately realized they were at a disadvantage. They brought Windows laptops to a contest largely designed for Mac operating systems. At their crowded table, covered in crinkled candy wrappers and chip bags, they fired files back and forth with Justice Suh, the only team member that brought a Mac.

Photo by Michael Bonfigli for The Christian Science Monitor
Casey Knerr (c.), a senior at Georgetown University, was part of the "Hoya Haxa" team that participated in the Passcode capture the flag contest last week in Washington.

And if the contest is any indication of what securing the internet looks like, it requires a lot of Googling. Hoya Haxa's search bars were filled with hacking queries that covered encryption, password security, and reverse engineering.

How to upload a shell to a web server and get root, James Pavur types, referencing a small bit of software code that hackers use to exploit computer vulnerabilities and gain administrative access. 

How to crack passwords using hashtag, Mr. Suh writes, looking for a free password-cracking software that identifies hashes to assist in his effort. 

"We're going down a rabbit hole," Mr. Pavur said as he tried to crack a particularly complex password.

"Somebody's pretty grumpy," team member Casey Knerr quipped.

But they also kept an eye on the scoreboard, and team member Pavur was more than a little frustrated when Tenable Network Security, the professional team in the game, climbed into the lead.

For them, he said, "It’s like showing up for little league."

Michael Bonfigli for The Christian Science Monitor
The team member from Tenable Network Security, which finished third in the inaugural Passcode Cub capture the flag contest last week.

Meanwhile, one team took aim at one of the water tanks. In an instant, the water began to undulate. It was a sign that one of the teams "pwned" the system, hacker speak for taking over or dominating a computer system. 

"Somebody is about to overflow the tank," Needleman, the Cal Poly computer science student said matter-of-factly, racing over to the other end of the room to reset the levels. 

Needleman's tanks added a physical element to a hacking contest that typically plays out on computer screens. And that was the point, he said. If the hack the competitors pulled off last week during in contest happened in real life, it could lead to contamination inside a water treatment facility.

It's a scenario that many people who defend real-life networks face, said Dan Manson, a professor of computer information systems at Cal Poly, who helped organize the contest. "People assume that we're trying to keep hackers out," he said. "They’re already in the networks."

The sorts of cyberattacks that can result in physical damage – whether to utilities or election systems – is the stuff that "keeps us up at night," said Phyllis Schneck, the top cybersecurity official with the Department of Homeland Security, who spoke with the teams before the competition started last week.

Michael Bonfigli for The Christian Science Monitor
CNSUVA – the team from The University of Virginia in Charlottesville, Va. – took first place at the inaugural Passcode Cup capture the flag contest.

But finding workers skilled enough to help companies and governments recover from cyberattacks has proven difficult. In the waning seconds of a competition, the significance of the game wasn't lost on Hoya Haxa.

"This is where the world's going to get shaped," said Knerr, referring to the cybersecurity profession.

Still, a talent shortage looms over the cybersecurity workforce as both the government and companies deal with sophisticated hackers. Last year alone, the average cost of data breach rose by 8 percent to $3.8 million, according to the Ponemon Institute, which studies privacy and data protection.

In the end, Hoya Haxa finished fourth, just behind Tenable, which took home a third place finish. A University of Virginia team bested Carnegie Mellon University's "Plaid Parliament of Pwning" to win the Passcode Cup.

And on a morning when a digital attack using hacked internet-connected devices caused web outages throughout the East Coast, the competitors know the security challenges ahead will be serious. "At scale, internet-connected devices could make thing really bad," Knerr said. "Consequences that are small for an individual can add up."

Michael Bonfigli for The Christian Science Monitor
Wires covered the floor on Friday at the first-ever Passcode capture the flag competition in Washington.

Security Culture

This journalism empowers people to understand the bigger picture of cybersecurity as it connects to some of the most personal parts of their lives: their job, their education, the evolving digital culture around them, and the technology they use on a day-to-day basis. As part of the Monitor’s overarching commitment to chronicling human progress, we see these very human issues within cybersecurity to be critical and overlooked parts of the conversation.

This initiative is generously supported by

  • Northrop Grumman
  • ISC
You've read  of  free articles. Subscribe to continue.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.