By Christiaan Botha & Martyn Ruks
Standing in the warm winter sunshine of a Friday morning in Johannesburg it was hard for the participants to imagine what lay in store for them at the inaugural HackFu ZA event. However, those responsible for organising the event, veterans of a teaching and skills development concept that began 10 years ago, knew exactly what was coming.
From the beginnings of a zombie uprising used to create a storyline and "HackFu Construct", to fiendish challenges and puzzles the attendees would attempt, everything in the event was to have a purpose and an authenticity brought by months of diligent preparation.
The primarily South African contestants were drawn from a wide range of roles and backgrounds both inside and out of the cyber security industry. These included MWR consultants, students as well as those filling roles as diverse as accountants and project managers. The commonality between everyone was a desire to learn, teach, investigate and push themselves to solve problems. On the 8th of July 2016 they came together at HackFu to put all of that into practice.
They were led into a disused warehouse, acting as a safe-house from the zombie-inducing infection. Unbeknownst to them at the time, this was also the former laboratory for RWM, the company who had produced the virus now running rampant.
After being informed that they had in fact contracted one of two strains of this virus the participants were divided into two teams, tasked with saving both themselves and the entire human race. The story behind the creation, release and propagation of the virus is a fascinating tale of intrigue that the participants uncovered throughout the event and you can also read all its twists and turns.
As with previous HackFu events run in other locations round the World the primary purpose of all of this was to bring people together to share skills and experiences, collaborate to solve difficult challenges and as a result learn key skills needed to solve the cyber security problems faced in the real world on a daily basis. The event is also about sharing these experiences and spreading lessons learned as widely as possible. By doing so it enables others to benefit from them and draw on them when advertising what roles in our industry really involve. More importantly, by living the HackFu experience it allows those attending to educate people about the approach and thinking needed to succeed in these roles. However, this is no different to the aims and objectives of any HackFu event and the primary purpose of this site is to share our thoughts and ideas on this subject.
One thing we’ve learned from running these events for many years is that it’s easier to explain the concept and teaching approach employed at HackFu by looking at examples of the individual challenges that are run. One challenge at HackFu ZA that exemplifies the skills and attributes needed of those working within the cyber security industry, and how these are exercised during the event, is “The Mad Scientist’s Office”. As with any HackFu challenge there are many layers of complexity that lie behind a seemingly simple concept for the challenge. How these relate to the purpose of HackFu, in its wider role in helping to close the skills gap within the cyber security industry, is what we’ll explore in the article about the challenge.
As for the inaugural HackFu ZA, well you can read for yourself how the in-event storyline played out. The competitors had a great time solving the wide variety of different technical and non-technical challenges presented to them. They demonstrated all the attributes of people who will be successful in this industry and we hope that the event inspired some of those still in academia that there is a role for them.
All that remains to be done is the planning for HackFu ZA 2017!
By Chad Richts & Martyn Ruks
There are few people in the World who won’t have been exposed in some way, shape or form to the latest craze in live experience challenges, known to many as “Escape Games”. An activity that involves a group of people paying to be locked in a room, with the challenge of reaching freedom by solving puzzles, has skyrocketed in popularity. The Mad Scientist’s office challenge at HackFu ZA 2016 draws much of its inspiration from this phenomenon as well as the entire history of puzzling and gaming. However, in true HackFu style the re-imagining of an escape room in the guise of a HackFu challenge included a few surprises. The results of observing those completing it also shone a light on the way people interact and operate when working on problems together.
Over the course of HackFu the “The Mad Scientist’s Office” challenge was able to be run around 8 times, each one involving a group of between 4 and 6 people. Each team had a mix of consultants, Project Managers and Account Directors. The concept of the challenge was a simple one: search the abandoned scientist’s office for clues and put them together to reveal the identity of “patient zero”.
By observing these groups attempting the challenge it was possible to draw out both common themes and interesting edge cases that can be used to penetrate the seemingly simple concept of the escape room and reveal what lies within it. What we observed is presented here and reveals more than you might expect about skills and approaches needed within the field of Cyber Security.
Completing the office challenge required very little technical knowledge, making it accessible to a wide range of people and groups thereof. However, it did contain a number of constraints that were designed to encourage certain behaviours and make the optimal approach one that exercises the skills we believe to be important in the real world. For example, limiting the time that teams had to complete the challenge means that efficiency in solving problems was important and promoted an effective team dynamic and structure with a role for a leader. However, the time pressure also had a noticeable negative impact on some behaviours with tunnel vision and fixation on the wrong problems being the relevant outcomes.
It was immediately apparent that groups who worked well together found the challenge much easier than groups where the individuals operated independently. In practical terms those working well together self-organised and created roles for team members at different points in the challenge. The clear winners on this front were those with someone leading the team, delegating responsibility and maintaining a view of the bigger picture.
This turns out to be a key approach as individual puzzles often required multiple pieces of information or equipment to solve and needed findings to be shared, interpreted and applied back into the wider context of the game. It was often observed that individuals would get caught up with a particular puzzle for an extended amount of time, and as soon as another team member stepped in to help, the puzzle would be solved within minutes.
In all groups we observed the leader evolved out of individual behaviours and was not specifically selected by the team, an outcome believed to be primarily as a result of the challenge environment being a new one for the participants. It is commonly observed that the first time a team approaches a problem they get caught up in the detail and urgency of it and do not immediately take time to find the optimal solution.
In subsequent running of similar puzzles it has been shown that the team approach will develop and the value of a leader and roles within the team is learned and then implemented. The value that a leader brings is clear when examining some of the observations made during the game. Indeed the value of leadership when approaching challenges in cyber security should also be clear as many of the same elements seen in games and puzzles like this are present. This theme of leadership is one you'll see woven throughout this article, another indication of its critical importance.
Although the challenge had a path that teams could follow towards their objective, on some occasions the challenge to be solved was actually to identify the direction within the game to head next. The game provided clues and feedback to the participants if they looked for this pathway but again, without someone taking responsibility for keeping it in view, this direction of travel was obscured or even lost. The effect was that the teams then spent their time working on the "wrong problems".
For example, at several stages of the challenge there were puzzles where progress could be achieved simultaneously. However, the teams often got caught up working together on individual puzzles, sometimes ones where there was insufficient information for them to be completed, or sometimes complete red herrings, at the expense of other puzzles for which signposting showed that they were in fact the direction to head in.
In this regard the skill of the puzzle maker needs to come to the forefront if the contestant experience is to be maintained. It is important that competitors are able to identify if the item or puzzle they are working on will advance them in the game, or is a dead end.
Assuming the puzzle maker has done their job correctly, there are two different approaches teams can take in these situations that can enable them to advance. The first is parallel working, where different team members work on different problems, looking to achieve a breakthrough on any one of them. The second is for the leader to use the feedback the game is providing to determine which is the most important puzzle to focus on at that point in time and ensure the right resources are deployed on that task.
The game can provide feedback to players in many ways but some common ones are showing how many pieces a puzzle requires, for example, a torch requiring 3 batteries but where only one is present. This shows that the item is probably intended to be used and that 2 more batteries are required before this can happen. Your approach should then be to search harder for a battery or leave the item until one is found.
Similarly, the revealing of an object by opening a lock on a drawer or a box can reveal its importance in the timeline of the game. If a connection can be identified between the item and others then the number of required pieces for completing the puzzle, and the need to solve that component, can again be assessed.
Due to the time constraints enforced on the challenge, teams had to manage the time that was spent on each puzzle. Teams obviously performed better when they did not spend too much time focused on a single puzzle at the expense of others. Often, stepping back and attempting another puzzle when progress slowed resulted in teams completing the challenge much quicker. Those that took account of the feedback the game was providing them were by far the best and avoided being stuck in dead ends for too long.
This ability to see the pathway ahead and to understand the information or capabilities needed to solve a challenge, whose solution pathway may be obscured, is also crucial for cyber security problem solving. For example, when conducting research or looking for solutions to complex problems there are a range of capabilities that if used effectively will result in the route to the solution being shorter, faster and cheaper. However, if you are stuck in the detail without a view of the bigger picture you can often spend your time working in a dead-end without realising.
In many instances we observed the competitors making similar mistakes when attempting to complete challenges. These are mistakes that would not have occurred if the next goals of the challenge were clearly understood. This can be neatly illustrated in the following example of one of the puzzle components. The contestants were provided with the items in the following picture, the two of most relevance being the picture with red tape on three of the corners and the strange black construction with a pinhole cut in one end.
Additionally, moving a rug aside in the room would have revealed the strange marks on the floor observed in the following picture.
At this point in the game the competitors should have been focused on the fact that to progress they needed to identify another 4 digit numeric code to be able to open the lock on a desk drawer.
If this goal was at the forefront of thinking the logical approach would be to look at the pictured items and find a method through which such a code might be revealed. One clue is the tape on the floor that indicates the positions that the objects should be placed, with colour coding directly linking them to the objects. However, the presence of a pinhole in the strange black object and the street-map in the picture frame containing numerous 4 digit numbers are indicators towards the intended solution. This is to “correctly position the hole above the map and look through it to see which number is correct”.
Without making this deduction about what the goal was, the majority of teams spent a lot of time investigating incorrect solutions to the problem. This resulted in them attempting to position the black wooden piece on its side or directly on top of the picture, as well as a variety of other humorous approaches that will not be repeated here to protect the dignity of those involved. This was all determined to be directly as a result of them lacking a sense of what their goal was. Those that understood their objective put the pieces, of what in reality is a very simple 2-piece jigsaw puzzle, together easily and recovered the 4-digit code to unlock the drawer with ease.
Understanding what the bigger picture looks like and what we are trying to achieve is another key cyber security capability. We often observe situations where the security of a system hasn't been correctly assured because those responsible for doing so didn't understand what they were trying to achieve. For example, solely investing time and effort proving whether the most complex attack path is viable or not whilst completely ignoring the easiest and most likely route the attacker will take. In many cases the reason for doing so was because those involved believed that particular activities were absolute requirements in order to do security well, rather than focusing on what was most important to protect the system in question.
The phenomenon of positive reinforcement is well known: it’s where one person makes an assertion and then another person agreeing that it is correct causes others to also believe this to be the truth. This then acts as further reinforcement and makes it difficult to break this perpetuating cycle of implied truth and to challenge whether the initial assertion was correct.
One interesting example of this was observed during the challenge, when an audio clip of a disguised voice was played as a result of solving one puzzle. One member of the team upon listening to the sound expressed out loud what they thought the voice was saying; however, what they thought they had heard was completely wrong. Every team member who had heard them say this phrase before listening to the sound then agreed it was what was being said every time the voice clip was subsequently played. This example is slightly more than just positive reinforcement as effects such as Mondegreen are also at play in this example.
After 5 minutes of being stuck on this issue, it took another team member who had been paying no attention to them and who had not heard the interpretation to listen to the voice and correctly identify what was being said on the first time of listening. This enabled the untangling of both the Mondegreen effect as well as the positive reinforcement that was preventing the other contestants from challenging the original assertion.
This phenomenon is often witnessed in cyber security where one person makes a false assertion, often based on an incorrect underlying assumption that others then believe and don’t question. During security research, for example, someone will say that a technology component doesn't have vulnerabilities because it "must have been looked at by lots of people in the past". It often takes someone not involved or, more interestingly, someone with an approach of naturally challenging assumptions to break down the misconceptions and arrive at the truth. In this example someone who refuses to believe that anything can be free from vulnerabilities or someone who has heard that false assumption before will naturally challenge it. But at a more fundamental level this ability to challenge the assumptions that have the most chance of being incorrect is something that is commonly observed in people who excel in cyber security roles.
The same challenge that delivered the positive reinforcement also highlighted another aspect of how analysis of the clues and applying them in the game context differed between teams. The clue revealed in the aforementioned distorted voice clip was the phrase “To be or not to be”, the origin of which was immediately understood by every team. However, the majority of them initially looked at this phrase literally and immediately began searching the room for a book about Shakespeare (something that was in fact predicted by the puzzle makers). This was an incorrect approach although one that can be quickly eliminated once no books even remotely connected to Shakespeare can be found, an example of the game providing feedback.
At this point it's worth a slight digression to mention the fact that having a book about Shakespeare in the room may outwardly seem like an opportunity the puzzle maker missed to make the game harder to play. But doing so without another clear indication that this route was a dead-end would be misleading and would reduce the rewards the players take from the game. This is a subject best saved for another article but one key takeaway here is that if you create dead-ends for players, with no feedback that they are, you will frustrate, confuse and demoralise the players, outcomes that should never be desired by the puzzle maker.
Returning to the puzzle in the Office challenge, what the teams should have been doing is looking at alternative interpretations of the phrase and how they might lead to solving the puzzle. To some this might be obvious, to others it might be more obvious had I written the clue as “2B or not 2B”. However, only those who looked at such alternate interpretations of the data in front of them realised that their next search of the room should relate to “2B” instead of Shakespeare.
This clue would quickly lead the teams to a map and the contents of the square at the grid reference “2B”. This phrase was then required to be used in combination with another clue obtained from another puzzle.
There are also good parallels to draw between this and the real world. For example, the interpretation of patterns or information in multiple ways until a useful form is found is another useful skill to possess within a cyber security context. For example, when using anomalies in detecting signs of a compromise, pieces of data are often encountered that are clearly unusual and worthy of further investigation. However, their relevance in the attacker's context may require interpreting the data in different ways. This is therefore another interesting observation of how thought processes revealed by this challenge map directly back to the real world.
Another constraint introduced to the challenge was that no laptops, phones or other electronic aids could be used to solve the puzzles. Teams were provided with the somewhat old fashioned tool of a pen and paper, to make notes of interesting things found. While it is now 2016, a pen and paper is still incredibly useful in this situation, that is if they are used. It was consistently observed that teams would not use this resource effectively, some would not use it at all. Often, after writing down many irrelevant facts on the paper they would find what was obviously a clue or code to open a lock and then choose not to write it down, with the result of having completely forgotten about it by the time it was necessary to use it.
In effective teams one person is often assigned the role of the scribe, on the outside a seemingly mundane role, but a critical one in the context of the game. By having visibility over all the clues and codes that are recorded, the ability to progress further in the challenge can often rest in the hands of this person.
In order to solve the Mad Scientist's challenge in the required time, teams had to divide and conquer by each searching a different part of the office. This was needed in order to get full coverage in the shortest time possible, and to be effective naturally forced the team members to communicate with each other. A big stumbling block for a lot of teams was lack of this communication. They would split up to look for clues, then when found they would neglect to share the clues they found with the rest of the team. In some cases it was observed that a team member would complete a puzzle to retrieve a code, then neglect to share it with the rest of the team, the result being that the power to use the code was concentrated in a small percentage of the overall team's capability.
The use of the aforementioned scribe role would help to address this problem, but only if their interactions with the team and ability to influence team member behaviours were correct. This is further illustration as to why the role can be critical and not simply something to give to the "rookie". So we are drawn back to the role of the leader being to deploy their resources most effectively to ensure a key part of operational effectiveness is addressed.
Again in a cyber security context the ability to record and access information from all parts of a team is critical; a breakthrough, clever thinking or new piece of code implementing a game-changing capability is no use if others cannot benefit from it.
All of the observations we made while running this challenge at HackFu ZA were fascinating and while the nuances of the teams’ approaches may have given rise to some classic comedy moments, the problem solving capability of those participating was nothing short of impressive. Yes the teams made the mistakes highlighted here, but let's put those into context.
The examples we have drawn on in this article are made with the visibility of the puzzle makers who collectively possess a wealth of knowledge and experience in this field. Also, as with all challenges at HackFu, the contestants are always pushed outside their comfort zone and are allowed to learn through some of the mistakes made in their first attempt. Remember that one of the reasons for running HackFu is to provide an environment where people can fail-safe the first time they attempt something. This challenge is no different!
The challenge was created with the aim of teams finding a specific solution using a pre-determined pathway; however, teams were incredibly creative in how they made some of the leaps needed to solve each component and in many cases each team solved the same problem in a slightly different manner. Some teams also found unforeseen creative loopholes in the challenge allowing them to skip certain puzzles, but that's another subject.
It was, however, observed across all the teams that teamwork and leadership within the group, most specifically in-game communication within the team, was either the biggest stumbling block for the team or their greatest advantage. As we have explained, many of our observations about good solutions for solving the challenge map directly to the use of skills or capabilities that are important in the cyber security industry and for solving the challenges we face every day.
As a result of the challenge, our observations and further analysis of them, we’re pleased to be able to draw some conclusions. We believe that anyone involved in cyber security should challenge themselves against some of the multitude of escape games and live action puzzles that now exist.
In fact, if you’re not putting at least one of them in you and your team’s training objectives for the coming year then something isn’t right. One thing that’s certain though is that the concept as well as some fiendish new puzzle ideas will be returning to a HackFu event near you very soon!
By Nick Jones
At MWR we're always keen to foster new talent in the industry, so when Bournemouth University Cyber Security Society contacted us about running an event for them, we put together a version of our workshop on WiFi attacks and headed on down for an afternoon of fun exploiting vulnerabilities in the WiFi protocol suite.
The workshop consisted of an introduction to the technical side of WiFi, followed by an explanation of several potential attacks against different WiFi security protocols, including WEP, WPA/WPA2 and WPS.
Following on from each theoretical explanation of the attack (and a dire warning or two about the consequences of breaching the Computer Misuse Act), the participants launched their own attacks against the lab environment provided using a variety of open source tools in combination with the provided WiFi cards.
The students in attendance showed an intuitive grasp of many of the concepts, and all of the participants succeeded in completing each exercise successfully. Given the range of disciplines being studied by the students in attendance, we were impressed by the speed at which they picked up the material being taught.
In addition, a number of the students were able to diagnose many of the issues that occurred (such as locating and reloading the correct drivers to support packet injection) with little intervention from the MWR staff.
The solid turnout from the students within the society demonstrated that the university is both engendering interest in the cyber security industry and nurturing the talent of the students studying there.
Given all the dire portents about the shortage of skilled professionals in the security industry, it's fantastic to see such a promising range of students demonstrating both the aptitude and interest to go on to be the next generation of the information security workforce!
By Gabriel de Sousa
It's now over a month since the HackFu Challenge 2016 started and it's going really well! We have 110 registrants, with 59 of those having submitted at least 1 correct challenge, so more than half are actively working on the challenges. Well done guys!
We're incredibly pleased to see 39 South African students signed up, some of whom are climbing the leaderboards quite quickly. In terms of geographic location we have reached 20 different countries with the majority being from South Africa and the UK.
Most new contestants seem to check the leaderboard to see which challenges most other people have finished and then start with those first. So we have most people finishing challenges 1, 2, 6 and 7. We are still waiting for somebody to finish challenge 5 but hopefully someone will be able to make the puzzle pieces fit.
In developing the HackFu Challenges, we sought to include a variety of subjects and cover multiple skill levels, with the challenges progressing roughly from easiest to most difficult. Once the challenges were in place, the story was built around them, starting from the basic and popular setting of human civilisation slowly rebuilding itself in the aftermath of a catastrophic nuclear war.
The story was expected to be read out of order and thus written to be reasonably modular, with each intro and outro comprising a solid, largely self-contained episode, while still forming a cohesive whole if read straight through. A surprise is included for those who finish the final challenge.
Skills tested by the challenges include creativity, persistence, the ability to cleverly automate tedious tasks and general technical sophistication and resourcefulness: many participants have prefaced their challenge emails to say that before completing a given challenge, they had never previously looked into that area of study (e.g., image processing) and ended up researching it and learning many things quite incidental to the challenge itself.
So all in all we are receiving some great feedback from you guys and we can't wait to see more of your entries before the competition closes on the 9th May.
Interested in the challenge?
By Sarah Field
The word HackFu can be heard on an almost daily basis around the MWR offices and one of the key ingredients to making the event what it is today is the unique and innovative challenges that are at its heart. Another key feature of HackFu is that it never stands still and is always looking to evolve and develop. A key part of that is finding new challenges and more importantly new challenge writers to contribute.
Everyone at MWR (and people at the other businesses that take part in the event) get involved in designing and submitting challenges. As a result we always have a diverse set of puzzles and cyber security challenges for the attendees to get stuck into at the event!
What’s more, if you are looking to run your own event or contribute to HackFu in future, you’ll need your own challenges and therefore you’ll need those wanting to give it a go to be successful in producing them. We’ve therefore put together a guide for both novice and experienced challenge builders alike to help you produce HackFu-quality puzzles and challenges.
You can find the handy advice in our dedicated advice section for building your own HackFu!
These tips were produced by HackFu veteran and challenge builder Matt H, who, whilst putting them together, took the time to tell us about some of the best challenges he’s seen at HackFu.
“From a technical perspective there was a challenge one year where you had to find and exploit a bug in a remote server without being given a copy of the binary or any source code. The creator built in just enough feedback from the challenge that you could see what direction you needed to go in and check if you were making progress along the way. Despite being quite difficult, you always felt you were getting somewhere. Of course, this was a highly technical challenge, and one that you really needed some specialist skills to complete. Despite this, we were able to explain the solution to our team mates who didn’t have these skills in a way that they understood the majority of how we completed it.”
“Another challenge a lot of people loved was a maze programming challenge. A web page presented you an image of a maze, different each time, and gave you a limited time window to submit encoded directions to get to the centre of the maze. There was no way to do this in human-time, so you had to write a program. This was a very simple concept, but required people get to grips with some aspects of programming they may not routinely use. In this challenge there was never any doubt of what you were supposed to do, but actually doing it took some thought.”
“Finally, another one that sticks out in my mind involved driving a purpose built remote controlled robot around a dark room, using it to find and disable various traps, before venturing in to the room to retrieve an Aztec idol without setting off any of the traps. If you failed, you were liable to get shot by an automated nerf gun or set off various booby traps that meant you lost some points. This one was really fun because it was very physical, and took the virtual nature of what we do into the physical world around us. It also had clear steps (the various traps to disarm), although that didn’t stop my team and I from failing to recognise a phone number because of the addition of some arbitrary colons between the numbers! It’s amazing how much less your brain works at 2am after 15 hours of tense hacking…”
If this has inspired you to build your own challenge, check out Matt's tips for building your own
By David Hartley
We are all familiar with the message that there is a skills shortage/crisis in the cyber security field. It is constantly perpetuated in the media, from our peers and from industry spokespersons. I've certainly felt it myself when meeting and interviewing many candidates looking for roles in this industry. It's really hard to find good people. At MWR we have been experimenting with innovative ways to attract the talent our industry needs to identify to be able to support our clients.
However, the point of this blog post is not to talk about those efforts. The simple point of this post is to share with you something very positive that I experienced that changed my bleak outlook on the whole situation.
I've been in this industry for a while. I don't have an academic background and didn't go to university. I've interviewed many candidates looking for a start in this industry over the years. Like a lot of others, I have become somewhat jaded with the quality of applicants that exit the numerous 'cyber security' education tracks on offer today. I'm not naming individual institutions. I also have no interest in blaming the education system and moaning like an old fart about how back in my day, yada yada yada.
Unfortunately, I've actually allowed myself to become quite pessimistic about the future of the industry and come to believe that we are going to be facing a worsening talent shortage for many years. So when an opportunity presented itself to speak to some young people about a career in cyber security, I seized it.
I volunteered to speak to some year 6 children (10/11 year old kids) at my daughter’s school as part of their "Dare To Dream" week. The school welcomed many parents and visitors to speak to the children about their careers. Many interesting and exciting occupations were represented; police and fire service, musicians, engineers from different fields, a vet, carpenter, health workers, and a local professional footballer etc. The list goes on and on. I was representing cyber security and billed as an "Ethical Hacker". This was my choice, and I thought this sounded a little more interesting to the potential audience than the usual "Cyber Security Consultant" billing. With such a list of impressive professions being represented I had to do something to stand out!
I prepared a slide show and had my own 5 year old daughter perform a QA. That was interesting! On the day I spoke to two different classes of boys and girls in two 40 minute sessions. I was blown away by them. Truly I was impressed. Smart cookies and one or two real smart alecs too - which I must admit I found brilliant. Certainly put me in my place a couple of times. Inside I was roaring with laughter at some of their quips.
The sessions were quite interactive, not too much by my design - but a welcomed interjection by their teachers. They discussed and debated the profession as well as the pros and cons of complex interconnected systems. They sat in groups and discussed the “Internet of Things” - the interconnected modern world from smart devices to smart trains etc. They talked about how useful it all was, but also pretty accurately talked about the possible attacks from hackers and the things you'd have to ‘protect’. They got it more than some engineers I have had meetings with who are building such things!
I asked if they had any experience coding - all of them did. They have started playing at school, “scratch” and the like. That’s cool, but what was cooler was in each class some of them were also doing this for fun at home. Some had parents teaching them and some were just self-learning. Scratch was not what they used outside of school - they were building websites, playing with Python and some looking at developing apps on mobile platforms too. Pretty impressive for kids that are 10 years old!
Every one of the questions they asked was a good one, without exception - including a girl who challenged me on why there aren’t many girls in the industry. I did feel like she looked at me like it was personally my decision and that I should be ashamed. I probably read too much into that, however it felt poignant.
I talked with them about the skills needed - such as creative thinking and problem solving and we went through some puzzles - one girl got one straight away without blinking (I've seen many adults, even those in this industry struggle for a while with the same puzzle). We discussed multiple ways to ‘solve’ various problems - and they gave me many 'out of the box' approaches. I was also impressed when talking about cheating systems, e.g. if anyone could think how you could get a max score in a video game. Another switched on kid suggested intercepting and changing values of variables as they are posted to a back end system.
The experience really left me feeling positive about the next generation of cyber security professionals - at least the potential that is likely to be out there. But then I started to wonder, what sort of impact did I have on them? Would they actually be interested in this field or the industry? Or were the long list of other professions being represented going to be far more appealing to these young and bright minds.
Around a week later I received several letters from the kids I'd spoken to. I've lifted some quotes from the letters below. See what you think.
"Thank you for coming to speak to my class about your amazing job as an ethical hacker. You really inspired me to take it up as a career."
"I'd love to become a hacker because you get to learn how they (computers) work. You can then make them stronger to stop people hacking into them."
"It would be amazing to see how they created whatever you are hacking during the process."
"I only thought you were allowed to strengthen security, rather than try to break it. That made it seem better than I thought it was!"
"I'm good at programming, and can program my own games. You inspired me to become an ethical hacker."
Now I also admit that some of my messaging may have been too emphasized on some of the more glorious parts of the field that I personally operate in, but I promise I did speak a lot about being 'ethical'. More quotes are below.
"It sounded amazing because you are allowed to lie, cheat and steal without getting into trouble, even though that is not legal!"
"I never knew that you got to pretend to be someone else, to steal, as part of your job! Very cool."
"Sneaking into buildings sounds very interesting!"
Although some did pay attention to the emphasis I placed on the ethical part and of course the legality of our profession.
"I'm extremely grateful to you for helping me to think about the good and bad side of hacking. You taught me it is important to stay out of trouble with the police if you want a job in ethical hacking."
"Hacking through security with permission sounds exciting!"
"You taught me it's important to be ethical if you want to have an amazing career in hacking."
"You have inspired me in many different ways, for instance doing bad things for good."
I really do think the essence of this profession resonated though.
"You taught me that it's important to always be resilient, perseverant and determined. Some things may take you a while to achieve."
"I'm really grateful to you for helping me to think about how things work."
"You have made me think of things in a different way. I'm making my own method to solving a 'rubiks' cube."
"I am really grateful to you for helping me to think about my future job."
While the letters written were quite obviously done so as part of a class activity and a templated structure was suggested, the children had actually recorded their own thoughts and feelings about the profession, as well as exploring further the ideas we discussed. When looking to describe what they thought about the field, they used the following words.
Magnificent, amazing, interesting, awesome, technical, terrific, inspirational, fun, exciting, fantastic, shady and sneaky.
The letters I received were from girls and boys. Why I feel the need to highlight that says a lot about the industry to me. But I digress and don't want to detract from my motivation for writing this. The kids I met and spoke with are obviously a credit to the school they attend, their teachers and parents - however I refuse to believe that there aren't millions of kids at thousands of schools across the country that aren't as bright, engaged or as enthusiastic about this profession as the ones I met with.
My faith in the next generation is restored. As long as they are nurtured and supported as they progress - the kids just might be alright!
By David Chismon
In an increasingly connected world, where even fridges and cars are being brought online, we need an increasing number of people to help defend our often fragile networks. But where are these people? The skills shortage in cyber security is regularly talked about and occasionally even referred to with words such as "Crisis". Companies often talk about how hard it is to find people, but what if they're not looking in the right places?
MWR has been a proud supporter of the youth outreach work at the University of Warwick for a few years now, such as providing challenges for the excellent Cyber Games, run by the UK's Cyber Security Challenge and hosted at Warwick. Recently we also took part in Warwick's week long "Head Start" programme for sixth formers interested in Maths and Computer Science.
Above: Web App Assessment workshop
We and others gave talks on the career options in computer/cyber security. One of MWR's senior consultants talked about the options on the pentesting side and it was eye opening to see the raw excitement in some of the audience at the possibilities. This was followed with a talk about the defensive side of the coin and produced a great number of questions. Finally we ran a workshop to introduce the audience to web application assessment, after a solid run through of the Computer Misuse Act! The day ended with a round-campus challenge, with the winning team each getting an MWR Quadcopter.
There is a lot of negative blogging about how suited Gen Y / millennials are as professionals. Sure, the attendees were constantly selfie-ing (although in some cases we suspect ironically) but we were ourselves surprised not just by how keenly the audience leapt on the subject but by some of the ingenuity they showed in attacking the challenges.
Above: Winners of the final challenge (and MWR Quadcopters)
We were particularly impressed by some of the attendees who were solving the challenges we set in less time than those who beta tested them despite no previous familiarity with the subject. They just needed introducing to the problem and they dived straight in, their natural familiarity with living in a connected world quickly helping them find solutions through blogs, Google, etc.
In summary, maybe the solution to the cyber skills "crisis" isn't companies increasingly fishing in the small and increasingly expensive pool of experienced people, but taking generally bright, enthusiastic new people, giving them challenges, support and time and creating the people we need.
Further Reading: Warwick Head Start Blog
By Martyn Ruks
What we've come to realise by running the event for many years now is that the HackFu Mind isn’t something that’s restricted to the contestants at HackFu, it’s a common thread throughout everyone involved. So if you are looking to run your own event then our advice would be to find people who fit that description.
However, us trying to explain what you should look for in your “HackFu Hosts” isn’t easy, so to help you understand what type of people work best we'll let some of them tell you about themselves in their own words.
So here are the fabulous hosts of “HackFu 2015 – RCP Ashwell” to tell you their story.
A. Charlotte and I (Justin) started our business last year, with us both having worked in the Prison Service it seemed only right that we end up running a business in a Gaol (or Jail to those not familiar with the old English spelling).
A. The Gaol Events, offers a multitude of activities on site, from Airsoft, paranormal evenings and Filming Location to private hire of the venue for Companies to run their own events, with 4 of the former HMP Ashwell prison wings it offers a prison experience you're unlikely to get anywhere else (unless you are sent to prison that is).
A. As the site owner, we were involved in hiring the site to MWR for their event but also catering for the attendees throughout the three days. We also helped source certain items required for the event, enabling MWR to transform the prison into RCP Ashwell as well as helping them to get all of their puzzles and challenges up and running within the site.
A. Our initial reaction was one of uncertainty as we were unsure if the venue would be suitable for the needs of the event. We’re sure that MWR would admit themselves that it’s tough to describe what HackFu actually is, while doing it justice, so being completely new to the concept it was tough for us to visualise what it actually was. However, in the months following the initial meeting we started to understand a bit more about what it would be like and then became more and more intrigued as to what the event would be like when it arrived.
A. We run a wide variety of different events on site so have built up a good understanding of what works and what doesn’t. We know where the “ghosts in the machine” are so to speak, or even the ghosts in cell number … wait, that’s one for you to work out. In all seriousness though the Team at MWR were great in taking on board some of our advice based on all of our experience. That’s really important when your event is at a site that you’re using for the first time. Falling into the pitfalls others have encountered when operating on such a diverse and complex estate would be foolish and the organisers at MWR were really keen to learn from us and prevent this from happening to them.
In terms of specific ideas that we contributed about the theme and concept, well The Rutland Corporation was an idea we have used previously and we were happy for this to be used by MWR in their scenario. Our background in the prison service also enabled MWR to create a highly authentic event where the attendees were really able to experience some of the unique atmosphere of a prison. Another area we were able to contribute is to take advantage of some of our current suppliers, saving MWR the time and effort of finding props and other items to add some nice touches to the event.
MWR also told us that giving them the ability to be creative in the puzzles and activities they devised was important. From our perspective this was more about keeping out of their way, lending a hand when needed but otherwise feeding their creativity.
A. We can honestly state the event was amazing, as we were providing the catering and supporting the organisers we were too busy to get to see all of what took place. However, what we saw and experienced was a pleasure to behold, with such a great group of friendly like-minded individuals.
A. We had no idea what to expect from the event, but we were blown away by the attention to detail regards the challenges and activities that were in place for the attendees. We still don’t know if we could easily describe what HackFu is to someone who hasn’t experienced it, but in some ways that’s a good thing.
A. Be prepared to work tirelessly for the 3 days, but the satisfaction of being part of events such as this is well worth the time you put in. Also, don’t be afraid to throw ideas into the mix during the planning stages, your knowledge and experience of your venue or site can be invaluable to someone running an event like this. It says it all that we would welcome MWR back anytime at all to run another event on site.
A. If anyone is unsure whether to attend something like this I would say definitely do it. At HackFu we chatted to people from a wide variety of backgrounds, with different skills and who took very different things away with them. If you come along it’s an experience you won’t forget and the more you put into the event the more you will get out of it.
A. An absolutely amazing experience.
We’d like to add to those words with a few of our own to help summarise what a great HackFu Host is for anyone looking to run a similar event.
As you heard from Justin and Charlotte they weren’t afraid to get involved in the planning, were happy to bounce ideas off and were a great source of advice about the theme, the site and the local area. They also gave us plenty of scope to be creative, come up with crazy ideas and then to support them any way they could.
As an event organiser that’s the perfect combination, and these are key things to look out for when searching for your amazing venue and hosts.
If this has inspired you to go and organise your own event then a final tip is to point your potential hosts at this article so they can see things from the hosts' point of view. It's something we'll be doing when we find our preferred venue for the next HackFu!
By Martyn Ruks
Once the prison scenario for 2015 was selected and we started to develop it for our storyline, it became immediately clear that we needed something extra over previous events to take things to the next level.
From personal experience attending Secret Cinema and other live theatre events, the interactions you can have with skilled, professional performers adds to the sense of immersion like nothing else.
So here are the awesome performers, who quite literally lit-up HackFu 2015, to tell you about the experience in their own words.
Q. Would you like to start by introducing yourselves to our audience?
Q. And can you tell us a little bit about your business?
A. Cat and Mouse Theatre was launched in Brighton in 2012 and specialises in creating interactive and immersive theatre: from individual characters all the way to fully immersive venues and spaces.
In the last 3 years we've done everything from creating a real life short span time machine, running a 1920's speakeasy complete with a gangster mob, jazz bands and shootouts, for private events and UK festivals, to speaking and performing at TEDx Courtauld Institute's event, ‘Colouring Life’.
Q. What was your role in this year's HackFu?
A. This year we were invited to Hack Fu as the Prison Guards at RCP Ashwell. Our role was really two-fold, firstly we were there to enforce the rules of the prison as the hackers carried out their daily challenges, ensuring no-one stepped out of line. This was all about creating an authentic prison experience for the contestants, whilst also using the characters to explain the scenario and move the story forwards. This was done through a combination of set-piece and improvised performances throughout the event. At this year’s event a key objective was encouraging the contestants to hand over information that would lead to the capture of the moles.
The second part of our role was equally as important and involved us delving into the results of the challenges, encouraging the contestants to explain how they solved them. Again we were in character and used improvised performances for interrogations and other meetings involving small groups of contestants. These were more intimate performances that were designed to create individual event experiences for those involved. However, the main reason for them was to ensure that the teams were sharing information about how they were solving challenges amongst the team. This helped to ensure that there was no room for “rockstars” who might otherwise solve the challenges on their own and not help the learning and sharing experience. We discovered through our experiences that this aspect of the event is the essence of what HackFu is all about.
Q. What were your initial thoughts when you were told about the event / asked to be a part of it?
A. When we were first asked to be involved - although unsure of what the nature of the event would be - we were immediately excited at the prospect of adopting the characters of prison wardens in an actual prison. From experience we all knew what an amazing benefit it would be to have such a fitting environment in which to adopt these characters, and how much more realistic and effective the event would be for everyone involved. If our experience is anything to go by we don’t think you can fully appreciate what the event is actually all about until you’ve experienced it for yourself.
Q. Were you able to contribute any ideas that made it into the final event?
A. Absolutely. We worked closely with the team at MWR on three set pieces that happened throughout the event. These included an initial brief to all the inmates, a raid on the party and the uncovering of a mole at the end. For these we were given a brief on what was required but were free to improvise and work around that brief as much as we wanted.
For the rest of the event we were completely free to think up skits, interview prisoners, patrol the site and take inmates to solitary confinement - this freedom allowed us to fully immerse ourselves in our roles and, with the inmates, bring the site back to life.
Having seen how much effort and planning went into the overall event you might have thought that it would have been difficult for the organisers to let go that much and allow us the freedom we had. However, even after the short time we had with the MWR team before and during the event it was clear that this approach is a key part of their culture and was quite natural to them. If others are considering doing something like this then we’d really encourage you to do the same thing and let your performers do what they do best, no matter how weird it feels to let go of your control over the event. We know for a fact that producing a strong brief and then granting freedom to improvise will always deliver a better result.
Q. What was your experience at the event like?
A. We had a fantastic experience at HackFu. Everyone taking part in the event immediately immersed themselves in the story from the second they arrived. This not only gave more gravity and excitement to the hacking challenges but also allowed for a huge amount of scope with how far we were able to push the story. The receptiveness and willingness to take part of everyone we encountered ultimately gave us the ability to push the people even further. This was a key part of what enabled us to create unique individual experiences for each one of the contestants.
Q. How have your opinions of HackFu changed now you've experienced it first-hand?
A. We didn't appreciate at first what a spectacle it would be. Having now seen the lengths that MWR went to in order to create a genuine environment, and with such attention to detail, we have all been inspired and can't wait to see what next year has in store!
Q. What advice would you give someone who's thinking about being involved in a future or alternate event of this type?
A. Don't hesitate and in order to get the most from it remain totally open to any task or unusual request or situation that is thrown your way.
Q. What would you say to someone who's thinking about attending a future event but is unsure about whether to come?
A. If the unsureness comes from not knowing what to expect, remember that these events are a surprise for everyone, which is exactly why you should go and experience it first-hand!
Q. Sum up HackFu in no more than four words.
A. Immersive, interactive and fun
So if you are organising an event of this type you’ll need people around you who can take responsibility for various aspects of it. Knowing that the storyline can be moved on and that all the participants can be kept informed and engaged in the concept can let you focus on some of the other aspects of the World you are creating.
If your performers are anything like our friends from the Cat and Mouse Theatre group then this aspect of the event will be a huge success.
By Alec Waters
Flashback to August 2014. Planning for HackFu 2015 is well underway:
Alec: Hmm, maybe HackFu could use a bit of DefCon-style badge hacking..?
Martyn (MWR): Can we do something cool for £10-£20 per badge? Max 100.
Alec: No problem.
Fast-forward to June 2015, skipping out many months of design, construction, frustration, late nights and burned fingers:
What you see here is a box containing 102 of these:
(Note the important instruction written at the top of the board)
Here’s the spec of the badge:
It’s a long way from the prototype:
This is based on an RFu development board and a Nokia 5110 mono LCD (48×84 resolution).
The venue for HackFu 2015 was ex-HM Prison Ashwell, closed in 2011 and now run by The Gaol Events as an urban airsoft site. The venue was chosen to match HackFu’s theme – the premise was that all of MWR (and guests!) were incarcerated, as some of them were suspected of being involved in plotting acts of cyber-nastiness. The name of the game was to identify the guilty and exonerate the innocent, although I’m not sure how many of these people look innocent:
So how did the badges fit into the gameplay? They had two primary functions:
The base stations looked like this, and comprised a WirelessThings Xino-RF, an Arduino ethernet shield, a clear acrylic enclosure, and some elastic bands:
It’s “upside down” in the enclosure so that I could have a wire whip antenna poking out. The ethernet shield is so that the base station can call web services on the game network to register the presence of the badges.
There were dozens of challenges for the inmates to attempt – the reward for successful completion of each wasn’t points (as usual), it was a clue to the identity of one of the guilty parties. Clues were of the form “the mole does not have a conviction for Racketeering”, or “the mole does not have a tattoo of tempura battered prawn” – this meant knowing all of the prisoner characteristics for all of the badges (even those of people on other teams) was critical to success. Now, you could just go around and ask everyone what’s on their badges, or perhaps you could find another way to get the information that doesn’t involve bartering with other teams…
The final menu item on the badge is “Maintenance Mode”. Selecting it shows you some stats and config about the radio module; it also warns you that the radio is inactive – this means it’s no longer responding to polls and is no longer contributing to the overall loyalty score (this is Bad! Remember there’s a party and booze at stake!)
Why is the radio inactive? The SRF module on the RFu board is attached to the “Arduino’s” serial port – if you want to talk to the Arduino, you have to turn off the radio – you can’t do both at the same time. If the inmates connected to the serial port whilst in Maintenance Mode they were presented with a request to enter a PIN – the challenge here is to write a simple brute-forcer that would operate over the serial port.
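The sketch below is an added example, not the badge firmware: it models a serial PIN prompt like the one described above and shows that a retry limit only holds if the failure counter survives a power cycle. The 4-digit PIN, the limit of five failures and the names `PinGate`, `walk_keyspace` and `compare_designs` are assumptions made for the illustration.

```python
import hmac


class PinGate:
    """Simulated serial PIN prompt; `nvram` stands in for EEPROM that survives reset."""

    def __init__(self, pin: str, max_failures: int, persist: bool):
        self.pin = pin.encode()
        self.max_failures = max_failures
        self.persist = persist
        self.nvram = {"failures": 0}
        self.ram_failures = 0

    def reset(self) -> None:
        """Power cycle: RAM state is lost, non-volatile state is kept."""
        self.ram_failures = 0

    @property
    def failures(self) -> int:
        return self.nvram["failures"] if self.persist else self.ram_failures

    def _store(self, count: int) -> None:
        if self.persist:
            self.nvram["failures"] = count
        else:
            self.ram_failures = count

    def try_pin(self, guess: str) -> str:
        if self.failures >= self.max_failures:
            return "locked"
        # Charge the attempt before comparing, so losing power mid-check
        # cannot refund it; clear the counter only after a correct PIN.
        self._store(self.failures + 1)
        if hmac.compare_digest(guess.encode(), self.pin):
            self._store(0)
            return "ok"
        return "wrong"


def walk_keyspace(gate: PinGate, reset_on_lock: bool, digits: int = 4):
    """Test harness: feed every PIN in order; return (outcome, guesses evaluated)."""
    for n in range(10 ** digits):
        guess = f"{n:0{digits}d}"
        result = gate.try_pin(guess)
        if result == "locked" and reset_on_lock:
            gate.reset()
            result = gate.try_pin(guess)
        if result == "locked":
            return "locked", n
        if result == "ok":
            return "found", n + 1
    return "exhausted", 10 ** digits


def compare_designs(pin: str = "4821") -> dict:
    """Run the same harness against three prompt designs (PIN is constructed)."""
    no_limit = PinGate(pin, max_failures=10 ** 9, persist=False)
    ram_only = PinGate(pin, max_failures=5, persist=False)
    persisted = PinGate(pin, max_failures=5, persist=True)
    return {
        "no_limit": walk_keyspace(no_limit, reset_on_lock=False),
        "ram_counter": walk_keyspace(ram_only, reset_on_lock=True),
        "persisted": walk_keyspace(persisted, reset_on_lock=True),
    }


if __name__ == "__main__":
    for design, outcome in compare_designs().items():
        print(design, outcome)
```

A hard lockout like this needs a separate recovery path on real hardware; a growing delay stored the same way is the gentler variant.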
The reward for getting the PIN is a download of a “badge toolkit”. This consisted of a Python script and a dissector for Wireshark written in Lua. The purpose of the script was to allow the teams to use their issued SRF-Stick USB radios to sniff the radio network and have Wireshark parse the packets. I was using the RadioHead Packet Radio library – the badges would listen for RHReliableDatagrams (sent via the RH_Serial class), send an ack back to the sender, and act on the contents.
The problem here was that the stick could only see traffic to the team’s own badges – the SRF supports the concept of logical separation of traffic via a PANID, and each team had their own (think of PANIDs like VLANs on an ethernet switch). If the teams looked at the contents of the Python script they’d find a simple tweak they could make. The script put the SRF into ATZD1 mode, allowing it to hexdump all traffic on its configured PANID. Commented out was a line which put it into ATZD2 mode instead – this hexdumps traffic on all PANIDs.
So now the teams can see all the traffic; if they look into the Lua dissector, they’ll see all of the message types the badge supports:
So, how does one send one of these messages? Inside the badge toolkit zipfile was a file called .gitignore. Which most people ignored. Because it’s .gitignore. Except it wasn’t – it was another Python script that allowed the user to send a ping to a badge and included all the necessary code to calculate the packet’s CRC. This could then be modified to send any of the other messages, with the results captured in Wireshark. Now the teams can start harvesting prisoner characteristics from all badges, and the answers to the other challenges will make sense.
So what’s the CHPID message for? Why cause a badge to change PANID? Changing PANID will also cause the badge to change the primary colour of the display – each team has their own colour and PANID, and if you change PANID the badge will change colour to match.
It turns out there’s a side benefit to accruing loyalty points, namely cold, hard cash. At the end of every sweep, the prison would work out how many badges were present and which PANIDs they were on. Money was then distributed to each team captain based on the number of badges seen on their team’s PANID. If you can command a badge to change its PANID to yours, that gets more money for your team. Cue “Badge Wars”, where people’s badges were rapidly changing colour as teams vied for control!
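As an added illustration (not the badge toolkit and not the RadioHead wire format), the Python model below shows why a PANID filter plus a CRC separates traffic without authenticating it, and how a per-badge HMAC key with a message counter would make a badge ignore CHPID commands it cannot verify. The frame layout, type codes, PANIDs, keys and function names are all constructed for the example.

```python
import hashlib
import hmac
import struct

# Constructed for illustration: layout, type codes, PANIDs and keys are assumptions.
MSG_PING, MSG_CHPID = 0x01, 0x02
HDR = struct.Struct(">HBBBIB")  # panid, dst, src, type, counter, payload length
TAG_LEN = 8                     # truncated HMAC-SHA256 tag, in bytes


def crc16_ccitt(data: bytes, crc: int = 0xFFFF) -> int:
    """CRC-16/CCITT-FALSE. Anyone can compute it, so it only detects corruption."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def derive_badge_key(master: bytes, addr: int) -> bytes:
    """Per-badge key, so dumping one badge's firmware exposes only that badge."""
    return hmac.new(master, b"badge" + bytes([addr]), hashlib.sha256).digest()


def build_frame(panid, dst, src, mtype, payload=b"", counter=0, key=None) -> bytes:
    body = HDR.pack(panid, dst, src, mtype, counter, len(payload)) + payload
    if key is None:
        return body + struct.pack(">H", crc16_ccitt(body))
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


def sniff(frames, panid=None):
    """Header fields travel in clear; panid=None shows every PANID on the air."""
    headers = [HDR.unpack(f[:HDR.size])[:4] for f in frames]
    return [h for h in headers if panid is None or h[0] == panid]


class Badge:
    def __init__(self, addr: int, panid: int, key: bytes = None):
        self.addr, self.panid, self.key, self.last_counter = addr, panid, key, 0

    def receive(self, frame: bytes) -> str:
        trailer = TAG_LEN if self.key is not None else 2
        if len(frame) < HDR.size + trailer:
            return "drop: short"
        body, check = frame[:-trailer], frame[-trailer:]
        panid, dst, _src, mtype, counter, plen = HDR.unpack(body[:HDR.size])
        payload = body[HDR.size:]
        if plen != len(payload):
            return "drop: length"
        if panid != self.panid or dst != self.addr:
            return "drop: not for us"  # a filter on a cleartext field, not a secret
        if self.key is None:
            if struct.pack(">H", crc16_ccitt(body)) != check:
                return "drop: bad crc"
        else:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
            if not hmac.compare_digest(expected, check):
                return "drop: bad tag"
            if counter <= self.last_counter:
                return "drop: replay"
            self.last_counter = counter
        if mtype == MSG_CHPID and plen == 2:
            (self.panid,) = struct.unpack(">H", payload)
            return "panid changed"
        return "ok"


def demo() -> dict:
    green, yellow = 0x2222, 0x1111
    master = b"constructed master key held by the base station"
    to_yellow = struct.pack(">H", yellow)
    results = {}
    # CRC-only badge: any sender that sets the right PANID and CRC is obeyed.
    plain = Badge(addr=7, panid=green)
    unauth = build_frame(green, 7, 99, MSG_CHPID, to_yellow)
    results["crc_only"] = plain.receive(unauth)
    results["crc_only_panid"] = plain.panid
    # Authenticated badge: a key taken from a different badge does not verify.
    auth = Badge(addr=7, panid=green, key=derive_badge_key(master, 7))
    other_key = derive_badge_key(master, 9)
    results["wrong_key"] = auth.receive(
        build_frame(green, 7, 99, MSG_CHPID, to_yellow, counter=1, key=other_key))
    ping = build_frame(green, 7, 0, MSG_PING, counter=1, key=auth.key)
    results["genuine"] = auth.receive(ping)
    results["replay"] = auth.receive(ping)
    results["auth_panid"] = auth.panid
    results["sniffed"] = sniff([unauth, ping], panid=None)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Authentication stops unverified commands but hides nothing: `sniff` still reads every header, so keeping prisoner characteristics private would need encryption as well.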
So what about the “Loyalty Enhance” menu option? Selecting it merely says “Enhancer not found”, with no other clue as to its purpose. However, one of the items on sale at the HackFu shop was a “nunchuk” (note singular, not plural). Purchasing one of these gave you a Wii Nunchuk, and connecting this to the edge connector made Loyalty Enhance do this:
Tetris, baby! By levelling-up in Tetris your badge’s response to a prison poll counted for more (a “loyalty multiplier” if you like) – up to sixteen times more if you played it for long enough, potentially allowing a team to reap huge rewards. But there weren’t many Nunchuks to go around, and it takes ages to get to that kind of level in the game. Surely there’s an easier way?
“Easier” probably isn’t the right word, but the Yellow Team (the “Framed Packets”) figured it out. At the peak of their activities, they were netting over £30,000 of in-game currency per hour – you can read about how they did it here. Extra credit also goes to the Green Team (the “Barred Coders”) for downloading the firmware from the badge, removing all the troublesome CHPID and SKILL/etc commands, and reflashing their patched code. Credit goes to all of the teams for their efforts – they all dug deep.
At the end of this year’s event, I was issued an instruction for HackFu 2016 – “come up with something awesome”. Hmmm, let’s think…
This article originally appeared on Alec's blog, Wirewatcher.
By Martyn Ruks
This HackFu website was set up with the aim of communicating some of the lessons we’ve learned on our quest to develop the skills needed to solve the current and future challenges in cyber security. It therefore seems right to include our thoughts about the annually run Cheltenham Science Festival here in the UK, which I spoke at last week.
For this year's event, we were asked to contribute to a panel session on Hacking the Internet of Things (IoT). This was a lively session where we looked at the security issues associated with the plethora of devices that are now connected to the Internet. As always the Science Festival audience were ordinary members of the public, yet were already very informed about the subject and challenged the panel and each other across a wide spectrum of topics. These ranged from questions about vulnerabilities in legacy systems, through to the issues around privacy and the need for legislation in order to improve security.
At MWR, one of our key beliefs around improving security is devoting time to educate people about it. In the world of IoT, this is particularly important as all of us are likely to be touched by it at some point in the future. There will always be security weaknesses in these types of devices but how those issues impact on us is largely determined by the decisions we make as users and the information we entrust to them. Being an informed consumer is therefore vitally important.
So this session in Cheltenham was important to us, as it enabled us to pass on our thoughts and guidance about IoT to the people who will use it. We know that if we do that in a clear and understandable way we’ll harness the power of multiplication we’ve discussed before in order to get that message out to a wider and wider audience.
But if we were to focus purely on this one session we’d be doing the Science Festival a big disservice and would be missing the bigger point of this site. We’ve explained previously about the challenges we’re facing in cyber security and whilst there is a need to identify people with a wide range of skills to help us solve them, there is a big role for those with skills in the subjects of Science, Technology, Engineering and Maths (STEM).
The whole ethos around the festival is engagement and access with all those present providing innovative and fun ways to engage with the subject areas. So this year at the festival there were, for example, lots of exhibits themed around the Back to the Future film franchise, which is celebrating its 30th anniversary this year.
To the organisers’ credit, there were a myriad of thought-provoking STEM exhibits and plenty of presentations and sessions by notable people. My favourite guest speaker was Professor Heinz Wolff - but I’m a bit biased as I have many fond memories from my childhood of the Great Egg Race. For those of you who want to remind yourself of this great TV programme you can find a number of episodes in the BBC archive here.
When you take a step back from the hustle and bustle of the festival, it's plain to see the important role it plays in inspiring the next generation of thinkers and doers. For example, where young visitors were interacting with the problem-solving exhibits at the event, I could certainly see the HackFu Mind at work!
Attracting the people with the right skills and talents into the cyber security industry is absolutely key if we are to address the challenges we face - and this is another important way of doing that. One of our measures for success will be how many of the people who have passed through the festival this year, are competing at HackFu in the years to come.
The one thing we’re certain about is that they’ll be very welcome and we’ll be excited to meet them.
By Martyn Ruks
By now you’ll have heard about the cyber-security training event we run each year. One purpose of the event is to develop and refine methods of teaching the skills needed to address the cyber-security challenges we’re facing now and will continue to into the future. However, as HackFu is such an immersive and challenging experience how do you get the most out of it? The answer is to prepare for it in the right way and go there with your A-game.
So how do you prepare for HackFu? That’s a question we often get asked by those who haven’t attended before, as well as from a few who have! There is no single answer to that question. But we’d like to provide some suggestions and when reading them it’s important for you to remember that whilst HackFu is a cyber-security event it’s not all about hacking as we’ve highlighted in previous articles.
1. Escape Games
If you live in London you’ll probably have heard about the current craze for “escape games”. These are games where a small group is locked inside a room and set the challenge of escaping by searching for clues, solving puzzles and generally demonstrating both mental and physical dexterity. This type of activity is perfect preparation for HackFu as it develops teamwork, lateral thinking and lets you use all of your guile and cunning to achieve a clearly defined objective. If you want to know more then take a look at the following article from Timeout (we’d also like to say hi to our friends at ClueQuest and Hint Hunt).
2. Online CTFs
Being a cyber security event you’ll definitely need some hacking skills on your team if you are going to triumph. If you want to be one of the technical elite at the event then it will serve you well to hone your skills with some competitive and legal hacking.
There are now a multitude of online hacking and capture the flag sites that you can have a crack at. If you’re feeling really adventurous then take a look at one of our favourites.
It’s sometimes easy to fall into the trap of thinking that being good at quizzes is all about remembering facts. However, that’s not the case and a good quizzer will have an approach that includes general knowledge as a foundation but also applies an approach to “good guessing”. This technique involves giving yourself the percentage chance to guess the right answer by identifying the constraints and parameters inside which the answer fits. By doing this you can find your way to answers you would not have found otherwise. This is a very useful skill to have and one that will serve you well at HackFu where the most difficult part of the puzzle is sometimes in working out how it should be solved. The same skills you employ when answering questions in your favourite quizzes should therefore be sharpened prior to attendance. You can play safe and opt for old favourites like University Challenge on BBC2 or Brain of Britain on BBC Radio 4. Alternatively you can turn things up a notch by listening to Round Britain Quiz on Radio 4 or our personal favourite, Only Connect, now in its new home on BBC2.
Fans of the latter won’t need any excuse to watch it every week but for everyone else what better incentive is there for watching a bit of early evening TV than HackFu glory.
4. Cryptic Crosswords
These are often a very black or white affair (coughs to cover up the satisfaction of making this pun) as you either know how to solve them or you don’t. There isn’t really a middle ground here but that’s not a problem. The type of logic and strict rules used by particular crossword setters are also commonly encountered in challenges that are to be found at HackFu. So it won’t do you any harm at all to pull out a crossword or two and a freshly sharpened pencil on your journey to the event. So if you know why the answer to “HIJKLMNO” (5) is WATER or “A bar of soap” (6,6) is ROVERS RETURN then this is the preparation for you.
So no matter what your skills or background there will be a HackFu preparation technique that works for you. It will also be no surprise that these are some of the skills that we find in those who are thinking with the HackFu Mind. So even if you aren’t lucky enough to be coming to HackFu, you can use these types of activity to develop your own awesomeness and equip you with the skills and way of thinking that’s needed in this industry. If you are in a position to teach others these skills then that would be even better.
Who said learning wasn’t fun?
By Martyn Ruks
Anyone involved in security knows the old adage that as soon as you think you are smarter than the bad guy then you have lost your battle with them. After all it was Luke Skywalker that reminded us that overconfidence was the Emperor’s weakness when the rebels were caught in an imperial trap (Star Wars conspiracy theories aside for a moment). Likewise, anyone involved in cyber security within the payment industry will know this better than anyone else. No matter how sophisticated your solution and the security controls you implement, the more ingenious and creative the attacker becomes. Sometimes even those who are responding to security breaches in payment solutions have to sit back and applaud the innovative way their controls were breached by a cunning and resourceful attacker.
Back in the real world though we don’t want to find that our payment system has been compromised to the point where we have incurred significant losses either financially or reputationally. So what can we do about it? How do we anticipate what the bad guys will do without simply waiting until the money is gone and then seeing what they did to steal it? One answer to this problem is to design and implement a payment system, put it in a hostile yet controlled environment and then sit back and see what happens. So what better place is there to try such a thing than at HackFu? By now you should know all about this event and its purpose but if not then you can take a look here.
At HackFu 2014 we therefore built and ran our own payment system, for a number of reasons. These included the ability to have an in-game currency as well as seeing how some of the brightest minds in cyber security poked, prodded and attacked a payment system. In this article we share some of what we learnt from doing this, including how we designed and built the technology, how it was used at the event and more importantly whether it survived the onslaught from some of the best in the business at hacking payment systems. Let’s start out by describing what we wanted our system to achieve and then we’ll explain how we implemented it.
HackFu is a hacking event so first and foremost we wanted our payment system to be a challenge for the teams as well as providing us with an opportunity to learn about how they would actually attack it. We were also constrained by our limited resources both in terms of time and money, so we needed to be pragmatic about how we would do things. Therefore, in terms of equipment, we had a back-end Windows server, some USB RFID dongles, MiFare Classic 1k RFID tags and some old, battered laptops to use.
We started out with a number of key objectives we wanted to achieve. The first was that we wanted the teams to focus on the payment processing, not on the back-end systems or networks. The latter are really important to protect but we wanted them out of scope or infeasible to attack in the time available. We also wanted the system to be hackable within the duration of the event, 48 hours, and we also wanted there to be logic based vulnerabilities that could only be found by thinking through the problem and using real-world observation to identify them. We also wanted there to be sufficient penalty for being caught as well as plenty of reward for succeeding.
From our knowledge of the way people behave and specifically how they approach events like HackFu we knew there were a number of factors to consider in the scenario we provided for the teams. We summarise these as follows:
The potential reward for a successful attack must be high, so if one team steals large sums of money they would win a large percentage of the points on offer from this challenge.
Anyone caught abusing the system must face negative implications for their team, in the form of imprisonment or the individual otherwise being unable to compete in the other challenges for a period of time.
Investigating the system and its security weaknesses requires an understanding of MiFare Classic RFID tags as well as protocol and data format analysis, which therefore needed to be learned.
There are so many other things going on at the event, and this is just one small part of the overall challenge, so it can’t be too complex to discover the vulnerabilities and execute the attack.
Our payment system consisted of a fixed wired infrastructure solution, with a back-end server and six Point of Sale (POS) terminals that then used contactless technology for triggering the payments. These POS terminals were Linux laptops with a full screen (kiosk style) browser based payment application and a USB dongle RFID reader. The browser interfaced to a python application on the POS that handled the NFC communications as well as the back-end web service calls. Messing around with this application was out of scope to the contestants as we simply didn’t have time to protect the system from kiosk break-outs and physical tampering.
Each contestant at the event was issued an RFID wristband that could be used to make transactions on any of the POS terminals as can be observed in the images.
Each terminal was set up in an identical manner and allowed anyone with an authorised RFID wristband to query their account details as well as send money to any other user.
The high level architecture of the solution can be observed below as well as a photo of one POS terminal in situ at the event.
The POS terminals were all configured to interact with a back-end web service that was protected using TLS, client certificates and other network based security controls. By including these controls we were focussing people’s efforts on how the system interacts with the data held on the RFID cards themselves and any security weaknesses at that point in the payment process. The application running on the POS was designed to be easy to use and allowed individuals to make payments themselves without a third party merchant being involved.
If a user simply presented their RFID wristband to the reader then information about the user’s account would be displayed, including the amount of money in their account and their bank account details. Alternatively a user could select one of the three on-screen options illustrated in the following screenshot:
The icon on the left enabled them to transfer money from their own account into the team’s vault (where it was guaranteed safe by the bank). The icon on the right enabled money to be withdrawn from the vault and moved into the user’s account. Each of these options required a single RFID wristband to be presented to the reader.
The middle icon enabled a transaction to be completed between two users and when selected prompted the users to touch their wristbands to the reader in turn before requesting a transaction value to be entered. The sender then had to confirm the transaction by touching their tag to the reader again.
The system proved to be robust and with the combination of python application, .NET web services and SQL server back-end provided 100% uptime and a back-end failed transaction rate of less than 0.5%. The majority of these were caused by the user removing their tag from the reader too soon and when the tag was presented again resulted in the transaction being successful for the user. So the front-end success rate of transactions, where unauthorised activity was not attempted, was 100%. Not bad for a do-it-yourself payment system!
At HackFu 2014 the winning team was the one who gained the most points over the course of the event. So to incentivise teams to earn money (either legitimately or illegitimately) it was decided that a large pool of points would be allocated to this challenge and distributed in proportion to the amount of money in each of their team members’ bank accounts at the end. So if a team made lots of money through good business practices they would be rewarded for it but if they could steal large amounts of money they could gain an even bigger advantage and therefore earn a greater percentage of the points. The ultimate victory in this challenge would therefore be for a team to have all the currency in circulation in their accounts at the end of the game. In this situation they would win all the points allocated to this challenge for themselves. If this were to happen it would result in a massive swing in the gameplay and could determine who the final winner of the event would be.
In order to provide a realistic environment within which to operate the system, a basic legal framework was constructed that provided some ground rules for the team as well as acting as a genuine deterrent from attacking the system. The legal framework therefore consisted of a basic set of laws about what activities were permitted and which were not.
This was implemented in two different ways. Firstly, there were the detection mechanisms built in to the system that would automatically raise the wanted level of an individual if they tried to process a transaction that didn’t conform to the rules. Anyone whose level rose to the highest level would then have a bounty on their head, which could be claimed by the other teams at the expense of the perpetrator, who would be locked up and require their team-mates to bail them out of prison.
The second aspect of the legal framework was a guarantee of all money stored within the team’s vault. This was a special account that teams could only move money to and from when using their team’s wristbands and could not otherwise be attacked. Or at least, if it was, the bank would guarantee their money so that they weren’t penalised for an unforeseen vulnerability.
Over the 48 hours that the event ran for there were a total of 507 transactions across the six payment terminals. There were 78 unique senders and 87 unique receivers of money, with one person being responsible for making 98 of the total transactions. The average value for a transaction was relatively consistent across each payment terminal and was in the region of $60 (for reference a frosty beer would cost you $3 in TJ’s Saloon). So this shows us that the financial system was used for far more than simply buying drinks at the bar. In fact the transaction stats match what we observed ourselves, namely that the financial system was used by the teams to trade information as well as to research and investigate the workings of the system itself.
What we also observed was that the large transaction volumes were concentrated within a core group of about 10 people. Transactions involving the transfer of large sums of money were also primarily the result of one individual out of a total of approximately 90 attendees. Things get even more interesting when we look at the status of each transaction. The breakdown of these was as follows:
So that gives you an idea about the scale of the system and its use, so what about the really interesting stuff? How many people tried to compromise the system and how many succeeded? Before we look at what the scale and success of the attacks was it’s worth reflecting on how we expected people to find their way to “loadsamoney”.
In order to exploit the vulnerabilities in the system and steal money from other bank accounts there were a number of things that the teams needed to understand. All of these could be discovered from observation, using the system legitimately and then only after that, attempting to use it illegitimately. The logic behind the challenge was therefore as follows:
By understanding all of this information it would therefore be possible for someone to steal any money sat in another user’s account. The methods for doing this could be either shoulder surfing the data values displayed on a payment terminal or deriving them and using “intelligent” brute forcing. It was therefore possible for teams to steal any money that had not been safely stored away in the team’s own vault. Once teams had gained this capability the type of unauthorised activity that would have been possible would have created a hostile operating environment for teams to perform transactions in but, with smart use of the team vaults, would not have led to widespread fraud or money stealing without falling foul of the law.
What teams may also have noticed though is that there was another fundamental vulnerability in the system that could be used to steal far more money and with far lower risk of being caught. To use this flaw the teams were required to spot the following:
As a result it would be the destination tag’s transaction identifier that was checked, and all of this would be data that was known to the attacker. For the sender’s tag they would only need to know an account number and not a valid transaction identifier for that account.
As a result of this logic flaw in the payment system it was possible to transfer money from any bank account. By discovering the bank account numbers for some of the in-game characters it would then be possible to steal money from them that was not technically in circulation and thereby significantly alter the percentage of money in the possession of a team as well as increasing their bank balance.
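The check described above, reduced to a toy model as an added example (this is not the HackFu system's code): the flawed transfer verifies only the destination tag's identifier, while the corrected one also verifies the tag of the account being debited. Account numbers, identifier values, status strings and class names are all constructed, and how the real identifier was generated or updated is not modelled.

```python
from dataclasses import dataclass


@dataclass
class Account:
    number: str
    balance: int
    txn_id: str  # value the back end expects to read from this account's tag


@dataclass(frozen=True)
class Tag:
    """Fields read from a wristband. A tag can be rewritten by its holder,
    so the server must treat both fields as untrusted input."""
    account_number: str
    txn_id: str


class Bank:
    def __init__(self, accounts):
        self.accounts = {a.number: a for a in accounts}
        self.violations = []  # (account number on the offending tag, reason)

    def _tag_matches_account(self, tag):
        acct = self.accounts.get(tag.account_number)
        return acct is not None and acct.txn_id == tag.txn_id

    @staticmethod
    def _move(src, dst, amount):
        if amount <= 0 or src.balance < amount:
            return "DECLINED"
        src.balance -= amount
        dst.balance += amount
        return "OK"

    def transfer_flawed(self, sender_tag, dest_tag, amount):
        """Models the flaw: only the destination tag's identifier is verified,
        so the sender's account number is accepted on its own."""
        if not self._tag_matches_account(dest_tag):
            self.violations.append((dest_tag.account_number, "bad identifier"))
            return "SECURITY_VIOLATION"
        src = self.accounts.get(sender_tag.account_number)
        if src is None:
            return "DECLINED"
        return self._move(src, self.accounts[dest_tag.account_number], amount)

    def transfer_checked(self, sender_tag, dest_tag, amount):
        """Corrected check: the tag for the account being debited must carry
        that account's identifier, as must the destination tag."""
        for tag in (sender_tag, dest_tag):
            if not self._tag_matches_account(tag):
                self.violations.append((tag.account_number, "bad identifier"))
                return "SECURITY_VIOLATION"
        return self._move(self.accounts[sender_tag.account_number],
                          self.accounts[dest_tag.account_number], amount)


def demo():
    """Send the same transfer through both checks, using constructed data."""
    results = {}
    for name in ("transfer_flawed", "transfer_checked"):
        bank = Bank([
            Account("CHAR-001", 1_000_000, "a1f3"),  # in-game character
            Account("USER-042", 50, "77c0"),         # a contestant
        ])
        # Sender tag carries a known account number but not its identifier.
        sender = Tag("CHAR-001", "0000")
        destination = Tag("USER-042", "77c0")
        status = getattr(bank, name)(sender, destination, 1000)
        results[name] = (status,
                         bank.accounts["USER-042"].balance,
                         len(bank.violations))
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

With the corrected check the rejected transfer is also recorded, which is the kind of event the wanted-level mechanism described earlier would act on.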
So after placing a clearly vulnerable system in the middle of an event full of hackers, what did we see? The one key thing we observed was that the deterrent that was put in place was largely effective in preventing large scale or widespread attempts to abuse the system. This is evidenced by the level of casual unauthorised investigation that was attempted. Of the 80 unique users, only roughly 10% of them had a transaction fail for a security violation. That number would be quite high for a transaction system in use by the general population but for a group of hackers we feel that it is quite a low percentage. What was more evident was that the vast majority of these attackers did not attempt any further unauthorised activity, probably as a result of the warning messages returned and the other punishments in place as deterrents.
So, despite the potential big upside for any successful attack, the legal framework and resulting impact on the teams’ chances of winning the event clearly had an impact on security. However, as you might expect it did not stop the teams from attempting to attack the system. It was discovered that the most common reason for a transaction failing was the presence of an unauthorised identifier value on the card. This was observed in log messages where an attacker rewrote the bank account number on their card to another person’s but did not set the correct transaction identifier for that account. By observing the transaction logs it quickly became clear that the users who failed in this way had not correctly analysed the system and had not systematically sought to understand and document how the system worked. This is indicative of the opportunistic attacker, one who knows enough to experiment but who isn’t determined enough to break the problem down in order to find the weaknesses. These are therefore the easiest to defend against and to detect as well as being the most prevalent.
What was also observed was that whilst there were roughly ten opportunistic attackers at work there was only one persistent and determined attacker in the whole of the user base. Therefore, of the five teams who were investigating the system only one discovered enough of the information about its security to perform a successful attack.
Analysis showed us that this persistent attacker systematically sought to understand and query how the system worked. They completed numerous low value transactions and observed the results. They tested assumptions about the security controls and also attempted low value unauthorised use of this system. As a result of this they actually tripped the fraud detection threshold after making a number of failed transactions, something that ended up with them being arrested. However, given the low value nature of the crime and after being given a slap on the wrist they were released and returned to their team where they continued to attack the system.
After clearly pondering the reasons for the fraud detection being tripped, they refined their attack and eventually identified all of the vulnerabilities needed to steal lots of money.
Therefore, from roughly 80 active users of the system, only one of them fully implemented the attack described above. After stealing $1 million from an in-game character, plus a few hundred dollars from other teams, their team ended up with 99.9% of the money in circulation and therefore won the same percentage of the points that were available.
Payment systems will always be an attractive target for attackers and in our not-very-scientific experiment conducted at HackFu 2014 we showed that vulnerabilities in a system will be spotted and exploited by the bad guys when the reward for doing so is great enough. However, even within the context of a game we also showed a number of things that relate directly to real-world payment systems:
By Martyn Ruks
Through this site we’ve been providing some insight into our innovative cyber security event known as HackFu. This event is far more than a capture the flag or training course and that is reflected by what we learn from some of the challenges within it. In this article we’ll look in detail at another component introduced for the first time at last year’s event, which we think tells us something interesting about the problem space HackFu is designed to address.
In last year’s event we introduced a final challenge for the teams that led them to a showdown borrowed from game theory that’s known as a prisoner’s dilemma. Daytime television watchers in the UK will recognise this from the ITV quiz show Goldenballs, where it was used to divide prize money between two winning contestants at the end of the show.
But for those of you who aren’t familiar with the dilemma it works like this.
The Prisoner's Dilemma
There are two contestants, in our case we had representatives from the two teams that qualified for the final round of the showdown. At stake was a prize fund of points that could boost their team’s score at the event and ultimately allow them to claim victory overall. The catch was that each contestant might end up with all, half or none of the prize depending on whether they each chose to split or steal it.
In simple terms, if one steals and the other splits the stealer takes all the points, if they both split they each get half and if they both steal they both get nothing. They get a few minutes to discuss the dilemma with each other and then make a choice in secret about whether to split or steal. Both choices are then revealed to everyone at the same time.
So this creates a conundrum, be satisfied with half of the points (in this instance it wasn’t enough to take the overall lead in the event), be greedy and try and take them all or potentially end up with nothing.
To make this a dilemma there needs to be something at stake. Unless there is a real incentive to take a risk in an effort to grab all the money then we don’t learn anything from the result. When we look at HackFu and the way we used this challenge within the gameplay we made sure that this mattered to the teams and their representatives.
Firstly, all the teams and players were invested in the event by the time the big showdown occurred. They were faced with this situation after 48 hours of hard competition and many taxing challenges. Every team was still in the running to win the event and the points on offer really mattered to the overall result.
Whilst there are other more important things that attendance at HackFu brings you, being in the winning team is still a prestigious accolade. Therefore, our dilemma was important to the individuals concerned and stealing all the points would have tipped the scales in that team’s favour, potentially enabling them to take the champion’s crown. Add to that the fact that the two people involved in this were appointed by their teams to represent them, they weren’t acting purely on their own but truly representing the aspirations of their teammates as well.
In a world inhabited by machines and with no human interaction or relationships then the process for success is clear. Convince the other party you will share and then steal everything from them. If you use this approach as an individual though it turns out to be a very short term approach, as the immediate benefit is clear but the long term fallout from a breach of trust with colleagues and industry peers is not. This is something that isn’t easy to measure and would usually be irrelevant if a machine were required to make the choice.
Likewise if you consider HackFu as purely a game or a simple competition to be won you could argue that the winner takes all approach is the optimum outcome. However, when we throw in the fact that this is a dilemma for real people and more importantly for participants who need to work with each other after the event, the steal now and worry later approach becomes less desirable.
But at this point we shouldn’t forget that HackFu isn’t just a game, it’s a construct through which we are looking for solutions to the big picture. That big picture needs us to solve some tough problems and ones that we can’t solve on our own. In fact the challenges in cyber security that we collectively face must be solved together. This is something that immediately precludes short term individual gain at the expense of long term collective success.
To solve our problems we need to work with our competitors as well as other parties with different objectives and philosophies to our own. In that world, short term gain and breach of trust can be far more damaging in the long term when we realise that we must work together to be successful.
So what happened in the big showdown at HackFu?
You may or may not be surprised to hear that the contestants chose to split the points and in the process ultimately sacrificed a gilt edged opportunity of winning the event for their team. So what, doesn’t this just show that they aren’t competitive people or that they didn’t realise that victory was within their grasp?
Talking to the individuals involved in the showdown after the event it turned out that this wasn’t the case. The contestants know each other well and whilst they work in different departments, they rely on each other in their working lives. It turned out that they clearly saw that simply pursuing the short term gains would not adequately offset the price of the loss in the trust and confidence of their peers in the longer term.
Deep down we all know that doing the right thing in the long term is what we should be doing, yet we generally find it very difficult to do that at the expense of short term success. What this outcome may have shown us is that if we are in this industry for the long haul then we can overcome the obstacles that short term profiteering can put in our way.
This single component in last year’s HackFu could therefore be viewed as a microcosm of our industry and one signpost pointing us at the approach we should be taking. Or maybe it’s just a bit of fun and a simple game with no relevance.
Whether the result we witnessed ourselves at HackFu was as a result of our company culture influenced long-termism, pure gameplay or whether it is something that tells us nothing at all, we’ll never really be sure. It may however provide a fascinating glimpse into the psyche of the people we’ll need to navigate the complex landscape of cyber security now and in the future.
So if you ran a prisoner’s dilemma in your company, with some real benefit to the participants as an outcome, what would the result be? What would that result tell you about your company and its people? And would it really matter?
By Martyn Ruks
Even in 2015, if you talk to security people about cyber skills in the UK (and indeed further afield), they will undoubtedly tell you the following:
This is a big problem as in this complex and interconnected world, we will increasingly depend on people with the right skills and aptitude to protect governments, businesses and critical infrastructure.
And the impetus is growing rapidly. In the past two years, there has been an explosion in the number of damaging and highly-visible system compromises. If you're reading this, I hardly need to mention who.
To those of us within the industry, these events have come as no
So why is this happening?
When we start to analyse the reasons behind why these events occur, we always come back to a single problem - a broad lack of cyber skills.
And whilst this post won't discuss
this in detail, one thing that most agree on is that both industry and government should be focusing
on developing these people who can prevent the compromises of tomorrow.
Despite my earlier point about the shortfall in British talent, we are
still a world leader in security, possessing some of the brightest minds
in the field. So on the industry side of things, my view is this -
we need to take advantage of our experience and specialism in a way that will benefit as many others as possible.
So what do we mean by that? If a single company like MWR can equip people with the right approach and attitude for solving the difficult problems as well as inspiring them to go on and teach others what they have learned - then, through the "multiplication factor" effect, we can amplify our efforts and increase our influence.
I hope that doesn't seem like an oversimplification - we certainly don’t underestimate the scale of the challenge. However, what we cannot do is leave the problem for other people to address.
What sort of skills are needed?
Before we start the process of finding these solutions, it’s also important that we clearly understand what skills we need to pass on to others in order to equip people for the challenges we are facing.
isn’t solely about teaching technical security information, computer science disciplines, hacking techniques or the use of defensive tools and technologies. If it was, we could deliver those through professional training courses, University degrees, industry bodies, security conferences and Capture the Flag contests.
Make no mistake, all of those have their place but if this is all we are using to inspire and teach the next generation of Cyber Security professionals, then we are missing the bigger picture.
Teaching from a textbook can only teach what we know already, whereas the problems we face in the security industry every day constantly need new approaches and different thinking.
I believe that to thrive in a rapidly-changing environment such as cyber security, you need to sharpen the creative, problem-solving part of
This is something that we have come to call the "HackFu Mind" - something which will be covered frequently throughout this site and in our later blog posts.
How do you create this mindset?
We've now created a case for a progressive approach to cyber-skills education, but how do we do that in practice?
Well, we believe that the approach needed to develop this mindset should include the following key aspects:
In our opening article we discuss how we see the problem space and what some of the challenges are. So, given all of that, what are we looking to achieve with this website?
As we said previously, we don’t claim to know all the solutions, but we are certainly trying things that will enable us to find them. Along the way we’ll learn lots of lessons, we’ll no doubt have a few false starts, but we’ll also get some stuff right. It’s that journey that we’re going to share on this site, including all the initiatives and events that we’re planning to run to support it all.
We don’t know yet exactly what will be on this site but the one thing we’re certain of is that it will be thought provoking, philosophical, challenging and most importantly it will be fun and engaging. We’ll get techie at times, something we make no apology for, as well as extracting the concepts and key points that we encounter along the way.
We also want your help on our journey. We want you to tell us your thoughts and experiences of what we’re doing and hopefully some stories about how you’ve taken our ideas and turned them into your own projects, events and general awesomeness. We want to know the good, the bad and the ugly. To get involved, please get in contact via Twitter and then keep coming back to this hub for more insight and information.
So hold on tight, this will be a wild ride for all of us.