Many people walking through UCSB’s Harold Frank building last Friday, December 2, could have mistaken the active computer lab for the average finals week scene, never knowing these students were two teams of student hackers laundering fake money across the globe in an attempt to win an elaborate game of capture the flag in the world’s largest computer hacking competition.
These competitors, Team Omega and Mojojojo, took 34th and 12th respectively out of 85 teams at the International Capture the Flag Competition (iCTF), which was founded nine years ago by UCSB professor Giovanni Vigna and is still hosted on campus. The two UCSB teams were each one-half of Vigna’s graduate-level Advanced Topics in Security class. To add to the pressure, this was their final.
“We have the world’s largest hacking competition, and it’s only open to academic institutions, which makes it very prominent,” said Vigna. Adobe International provided prize money: $2,000 for the first-place team, $1,000 for second, and $500 for third. The winner is also invited to compete in DEFCON; the world’s premiere hacking competition held in Las Vegas annually.
The 2011 competition’s 85 teams included more than 1,100 participants, and that many users going through one server can have its hiccups. Commotion ensued prior to launch at the competition’s makeshift headquarters in the Harold Frank building’s foyer. “The scoreboard is down,” yelled a member of UCSB’s Computer Security Lab, which is Vigna’s team of research assistants and fellow organizers. As the Mission Impossible score blared from his laptop, Vigna echoed Project Runway in response: “Software designers, make it work.” And they did.
Every year, Vigna and his team create a new design to challenge participants and invent new ways to aid cyber security education for which they receive National Science Foundation funds. This year was the year of the money mule, which are money-laundering schemes in which criminals posing as seemingly legitimate companies recruit unsuspecting Internet users to move funds. The user is transferred money and then instructed to send it along to another account or person while keeping a certain percentage. These unsuspecting participants are laundering money and risk jail time and loss of assets. Money mule programs pose a real threat to society and an intriguing challenge to cyber security research.
“You unknowingly become an accomplice to these guys,” said Vigna. “It’s a huge problem.”
Within the safety of the competition, every team navigated the same puzzle. The same knowledge used to hack the services could protect the services, making it difficult for other teams to get flags and giving participants the tools to make it tougher for criminals to succeed. The teams’ goal was to find and break into services and steal the file, or flag. They received points after sending the file to organizers.
“We are experiencing the field of security,” said student Kowshik Prakasam. “The things we learn will help us protect ourselves in the future. We aren’t learning things to go out and pull pranks.”
But knowing the competition’s focus and its environs made it tough to remember that this is really a game, as in when Vigna shouted, “Someone from Russia is stealing money from someone on the East Coast!” Students quickly gathered around one computer to witness a red, vacillating arch illustrating the flow of funds.
“This really helps me understand what it’s like to work with [computer security] in a time frame, under pressure,” said student Ken Gronnbeck.
A group of Arizona State University researchers partnered with the Army Research Office observed the event with that in mind. They are studying how people and groups work together when dealing with cyber security and how that influences their process, actions, and success. Researchers hope this leads to better performance with real cases.
But iCTF remains a game of strategy, combining the board game Risk with a scavenger hunt. UCSB’s two teams organized themselves into sub-teams of service hunters and hackers and those tackling challenges, like trivia, puzzles, and posting photos, to earn money. The more money and points, the more likely a team wins. At 5 p.m., the team with the most points succeeds.
Three hours into the competition, Team Omega sat at 67th place with zero points and Mojojojo followed at 71st place with zero points, separated by money levels. Both teams took a more offensive approach as the competition progressed, focusing more on finding and hacking services than completing challenges.
Mojojojo climbed to 12th with 566 points as the day wound down, missing 11th by two points. Team Omega finished at 34th with 206 points.
Austria’s We_Own_You won the competition, $2,000, and an invitation to DEFCON with its 1,791 points.