How to do it wrong: Cyber Security Challenge UK

During a recent trip to the very interesting National Museum of Computing at Bletchley Park I saw non-descriptive sponsorship or advertising for “Cyber Security Challenge UK”.

All it said was something vague like “Want to work in cyber security?” and a nice picture, and then the URL. No details about what they are, what the website does or how you get the jobs.

It turns out to be some kind of “hacking competition”. Not such a bad idea but the advert really could have been clearer. I expect they lose a lot of young people because it isn’t obvious that you might actually have fun and learn things if you visit the website.


Even when you visit the website it still isn’t entirely clear what you are even doing on the site – however I signed up. Things started to go downhill from there.

Their website and Twitter feed have pretty clear spelling mistakes:
https://twitter.com/Cyberchallenge/status/747780107033583616
“This moth we were delighted to win the prestigious Editors Choice award at the[..]”

Which also links you to a 404.

Anyway. Back to their actual code design:

First.. The sign up page resets most of the choices (tick boxes, radio buttons and date of birth selection) if it dislikes an input (password too short etc.).

Secondly.. and this is a HUGE NO NO in the security world.. their system will allow you to identify if you’ve guessed a username correctly. That is just utterly poor for something supposedly aimed at training or identifying security professionals.
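The point above is the classic username-enumeration bug: a login form that answers “unknown username” and “wrong password” differently tells anyone which accounts exist. The following is an added example, not code from the challenge site, showing a leaky handler beside a uniform one (same message and the same password-hashing work whether or not the account exists) together with the self-check a site owner can run against their own login. The user store, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Callable

# Constructed sample user store for this example: username -> (salt, PBKDF2 hash).
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {
    "alice": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}

# Dummy credential verified when the username does not exist, so the
# unknown-user path does the same amount of work as the wrong-password path
# (otherwise response time alone would reveal which usernames are real).
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy", _DUMMY_SALT)


def login_leaky(username: str, password: str) -> str:
    """Leaks account existence: the error text differs by username."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Wrong password"


def login_uniform(username: str, password: str) -> str:
    """Same message, and the same hashing cost, whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), stored)
    if ok and username in USERS:
        return "OK"
    return "Invalid username or password"


def leaks_username_existence(handler: Callable[[str, str], str],
                             known_user: str, unknown_user: str) -> bool:
    """Self-check for a login handler: does a wrong password produce a
    different response for a real account than for a made-up one?"""
    wrong = "not-the-password"
    return handler(known_user, wrong) != handler(unknown_user, wrong)


if __name__ == "__main__":
    print("leaky handler leaks:", leaks_username_existence(login_leaky, "alice", "mallory"))
    print("uniform handler leaks:", leaks_username_existence(login_uniform, "alice", "mallory"))
```

The same rule applies to password-reset and registration forms: “an email has been sent if that account exists” is the uniform answer, and the reset path should do its work (or a fixed delay) regardless.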

[Screenshot: username information leak]

If you do manage to sign in, the initial page load takes about 30 seconds!

[Screenshot: slow login]

It takes similar long times to load the challenges. Very frustrating to use.

The two challenges I’ve tried so far have been interesting and engaging. One was a quiz about finding bugs or potential problems in C code and the other was an example Wireshark / TCPDump PCAP and identifying problems.

The layout of the challenge question form is easy to understand. Sometimes some of the answers are not. For example one was “Free the pointer after the error catchment” yet it doesn’t caveat it with “whilst also removing the free function from the prior code”.. which caught me out.

Another question with vague answers is:

What does the FTP ‘PORT’ command do?

Select one:
a. Establish connection over port 20.
b. Move the sever away from the starboard side.
c. Open a connection with another computer. (X)
d. End the FTP connection.

To which I was marked as incorrect (the X).. but I guess they take “Open a connection with another computer” to mean “an entirely different computer you are not using”.
I read or interpreted it as “the server makes a connection to another computer [i.e. not itself]”. Also I thought the port 20 answer was far too obvious.

Also in “the good old days” you could “FXP” FTP between different FTP servers using your computer as just the control channel and _not_ a relay for the data! (This practice has generally been configured out of networks as it was quite insecure and didn’t really have much use.) So the answer really could be correct in the sense they intend it.
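For anyone puzzling over the quiz question: in RFC 959 the PORT command carries six comma-separated numbers (h1,h2,h3,h4,p1,p2) naming the address and port the client will listen on, and the server then opens the data connection to that address. FXP works because nothing in the command format requires that address to be the client’s own. The added example below, which is not part of the original post, decodes a PORT argument and applies the check that servers now use to “configure out” third-party data connections (rejecting an address that differs from the control connection’s peer, or a privileged port). The function names and the sample addresses are constructed for the example.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class PortDecision:
    accepted: bool
    host: str
    port: int
    reply: str  # FTP-style reply line the server would send


def parse_port_argument(arg: str) -> Tuple[str, int]:
    """Decode 'h1,h2,h3,h4,p1,p2' (RFC 959 PORT syntax) into (host, port)."""
    parts = arg.strip().split(",")
    if len(parts) != 6:
        raise ValueError("PORT needs exactly six comma-separated numbers")
    try:
        nums = [int(p) for p in parts]
    except ValueError:
        raise ValueError("PORT fields must be decimal integers")
    if any(n < 0 or n > 255 for n in nums):
        raise ValueError("each PORT field must be in 0-255")
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return host, port


def evaluate_port_command(arg: str, control_peer_ip: str,
                          allow_foreign: bool = False) -> PortDecision:
    """Server-side policy for an incoming PORT command.

    control_peer_ip is the address the control connection came from. Unless
    allow_foreign is set (the FXP-era behaviour), the data address must match it,
    so the server cannot be pointed at a third host. Ports below 1024 are refused
    so the data connection cannot be aimed at a privileged service.
    """
    try:
        host, port = parse_port_argument(arg)
    except ValueError as exc:
        return PortDecision(False, "", 0, f"501 Syntax error in parameters: {exc}")
    if port < 1024:
        return PortDecision(False, host, port, "500 Illegal PORT command: privileged port")
    if host != control_peer_ip and not allow_foreign:
        return PortDecision(False, host, port,
                            "500 Illegal PORT command: address differs from control connection")
    return PortDecision(True, host, port, "200 PORT command successful")


if __name__ == "__main__":
    # Constructed exchange: client on 192.168.1.10 asks for a data connection to port 1025.
    print(evaluate_port_command("192,168,1,10,4,1", "192.168.1.10"))
    # Same client naming a different host: refused unless foreign addresses are allowed.
    print(evaluate_port_command("10,0,0,5,4,1", "192.168.1.10"))
```

The `allow_foreign` switch corresponds to the knob real servers expose for this (for example vsftpd’s `port_promiscuous`), which defaults to off for exactly the reason given above.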

One of the challenges was examining images of two systems for file access times and settings. Sadly a _lot_ of the questions fail to be specific enough.
One question was “What was the last command used in the run box on the Windows XP machine?”, but it doesn’t say whether they are after this detail for a specific user or across every user who was on the system image. The multiple choice answers had entries that could match either the user who “was the person of interest” or another user on the system.
Very often they also failed to say which machine they wanted the information from. For example “According to X what was the most recent file accessed”.. I’m unsure if this is intentional, so that people work out that the older OS doesn’t have that feature, or they just forgot to put this detail in the question.

In another challenge you are asked to download a .exe file and run it.. seemingly some sort of Python game. Running random .exe files scares me and, even when run on a test machine, the game ran like total turd. Mouse input was about 100 times more sensitive than it should have been. I gave up with that exercise.

Even with all this.. if I were a student back in school with oodles of spare time, I would LOVE this. Lots of information and challenges to keep you puzzle solving and learning, researching or googling new skills.

Such a huge amount of time and resources must have gone into building this recruitment(?) / testing system.. I wonder (and hope) if it actually brings in the punters and skills they are after.
