iCTF 2009

The UCSB International Capture The Flag (also known as the iCTF) is a distributed, wide-area security exercise, whose goal is to test the security skills of the participants. The iCTF contest is organized by Prof. Giovanni Vigna of the Department of Computer Science at UCSB, and is held once a year (usually at the beginning of December).

The latest iCTF was held on December 4th, 2009, from 8am to 5pm, PST. It was won by the CInsect team, from the University of Hamburg, Germany.

There were 56 teams participating and more than 800 students playing. This was the largest security competition ever performed.

The theme this year was: “Know your enemy!”. The goal of the game was to compromise the browsers of a large set of simulated users, steal their money, and make them part of a botnet. In order to compromise the simulated users the participants had to analyze the code of a number of browsers, and find vulnerabilities that could be exploited by executing a drive-by-download attack. In order to perform the attack, each team had to lure the simulated users to a web site under their control by publishing blog entries and using search-engine optimization techniques. This procedure followed the scheme used by actual Internet criminals. The goal of the exercise was to test the participants’ security skills and also educate them about the nefarious criminal activities carried out on the network today, so that they could participate in the design of a more secure Internet.

We participated in iCTF 2009 and placed 4th (internationally) and 1st (in the U.S.).

This year’s (2009) iCTF had a really unique and interesting structure.

You can download the presentation which describes the competition.

H.U.S.T. 8th Certificate

HUST 8th Fun & Creative Hacking Competition Certificate

We’ve also received a 23″ monitor :D

We’ll post it once we install it.

CSAW 2009 Finals

I know that a very long time has passed since CSAW’09.. but here it is :)
=============================================================

Cyber Security Awareness Week (CSAW) 2009
Final Round / Award Ceremony Afterthoughts

Plaid Parliament of Pwning Flag + Sang Kil's Thumbs up!

Overall, CSAW2009 was really exciting and fun :D

We met a LOT of people who are very passionate about security.
To be honest, I expected to see a little bit dorky/geeky + dry people there.
But, I gotta say, they were really cool, funny and geeky AT THE SAME TIME :p

Anyways, the event we participated in this year was Capture The Flag (CTF).
It was basically only about solving problems, instead of having an attack/defense network :)

To illustrate, we had three big categories and one problem for each:

  1. Writing a Shellcode – We were given the instruction manual for the SuperH processor. For those who don’t know where SuperH is used, it’s used in the Dreamcast. Then, we had to write a shellcode using the instructions for SuperH.
  2. Reverse Engineering – We were given a virtual image containing Windows XP with two snapshots: before/after being infected by a virus. So, we had to figure out what the ‘virus’ installed onto the computer and reverse engineer it to find out what it was doing. After all, it was a Windows kernel driver communicating over IOCTL.
  3. Java Applet – A Java applet was given, and when decompiled, it contained over 700+ class files. And guess what. We had only 2 hrs. So, we didn’t have enough time to look closely into this problem.

Since the competition started a little late, we didn’t have enough time. So, we couldn’t fully finish the problems by the time it was over. We just sent whatever we had (shellcode + analysis of the driver). Yeah. We really thought we had lost the competition so badly.

We couldn’t believe our ears when we heard that we had won the competition xD

I thank everyone who prepared and participated in CSAW 2009.

Here are some pictures I took before/during/after the competition:

Seriously, weather sucked!

But the hotel was sweet..

internet access wasn't free :(

After the competition was over, we had a lunch where all the sponsors of CSAW gave recruiting presentations:

Then, we met Tyler’s friends in Brooklyn:

At Starbucks, Sang Kil - Andrew - Tyler

And we went to a Japanese ramen place:

Then, we came back to a hotel closer to the airport:
(I know.. we cannot live without computers)

=============================================================

The next day, we split up: I’ve been to NYC (since I lived 4 yrs in Jersey) and the others haven’t. So, they decided to have a tour.

I just took this picture while walking down the street:

Foggy Empire State Building

Meanwhile, I went to a cafe and… did my homework.. :(

Real Analysis HW w/ Hot chocolate

I met a few old friends during the day :)
but didn’t have a chance to take pictures, though.

Everyone gathered in Korean Town around 4:00pm, but cuz it was a little early for dinner,
we walked around a few blocks:

As you can read, it's "museum of sex"

After we had AWESOME Korean food for dinner, we decided to experience some Korean culture ;)
We went to karaoke:

It was the first time I’ve ever gone to karaoke with non-Koreans, but I figured that it gets crazy and fun whoever you are going with.

On the way back to the hotel:

In Airtrain..

=============================================================

So, here’s the plaque we’ve earned :D

Plaque hanging on the wall at CIC

-Cai

Abbreviation changed

We are going to use PPP (triple P) instead of PPOP as our abbreviation for team name from now on.

CSAW CTF 2009

CSAW2009

The CSAW Application Security Challenge is a cyber attack competition loosely based on the DefCon Capture the Flag Prequals. Participants will be given a series of challenges divided into different categories, each worth a specified number of points. This year, the competition will focus equally on Web Application security, Reversing and Exploitation. Make sure you are a jack-of-all-trades or put together a team with a diverse skill set.

We participated in CSAW 2009, which was hosted by NYU-Poly, over the past two days.

We ranked 1st and 2nd.

Since the regulation said that we are allowed to have only 4 people per group, we split our group into two: Undergrad team (ppop) and Grad team (CMU).

Both teams did an excellent job in the competition.

The following is the final scoreboard *before* bonus points were awarded:

http://pwning.net/csaw2009

The following is the final scoreboard after bonus points were awarded:

http://pwning.net/csaw2009-final

It was really fun and interesting :D
We thank NYU-Poly for preparing awesome challenges!
Also, check out the following press release!
http://www.businesswire.com/portal/site/home/permalink/?ndmViewId=news_view&newsId=20091013006038&newsLang=en

*Participants for CSAW2009*
[PPOP - Undergrad] [CMU - Grad]
Brian Pak
Andrew Wesie
David Kohlbrenner
Tyler Nighswander
Ivan Jager
Ed Schwartz
Jonathan Cooke
Joseph Ceirante
Jim Irving
Dave


*PPOP will be flown to NYC for a final round of CTF and award ceremony!!*

HUST 8th write-up

We present the write-up for 8th HUST hacking festival.

Thank you for viewing.
Please do not re-distribute from your own site. You can make a link to our blog, instead :D

8th-HUST-report-PPoP.pdf

-Plaid Parliament of Pwning

H.U.S.T. Creative & Fun

On October 6th, the annual hacking challenge competition in Korea hosted by Hong Ik University started.

This is their 8th year presenting challenges.

The competition lasted for 48 hours, and we managed to place 1st!!

There were a total of 15 problems, and we solved 14.

Here’s a list of members who participated in this event:

Brian Pak (Undergrad, CSD)
Sang Kil Cha (MS ECE)
Jiyong Jang (PhD ECE)
JongHyup Lee (Postdoc, ECE)
Ed Schwartz (PhD ECE)
Andrew Wesie (Undergrad, CSD)

Screenshot right after the game was over:

HUST 8th - Pwned


HackJam2009 – 3rd place

Congratz to us!

We won 3rd place in HackJam2009, which was held on Sept. 19th for 48 hours.

Scoreboard right after the competition was over


It was fun overall, and we learned many things in the process :D

We had an interview with Cylab Blog at CMU:
CyBlog-HackJam2009

Plaid Parliament of Pwning Blog

Finally, we’ve got our blog set up.

This place is going to be used to communicate with other groups and the public.

We plan to post news updates and the write-ups that we publish here.