2014 HackFu Challenges

So what challenges did HackFu attendees face? That’s not a simple question to answer as the activities and challenges facing them were extensive and varied.

They had to try and exploit both common and bespoke weaknesses in all manner of systems and technologies, from replicas of corporate networks to smartphones, physical security devices, replica Hardware Security Modules, wireless networks and even locate radio tagged cattle (not real ones you’ll be relieved to hear).

Not only that but they also had to investigate compromised networks, solve logic problems, use their powers of observation, interact with custom network protocols, defend systems against attack as well as interacting and engaging with local business owners and other stakeholders within the construct that was created for them. Just to make things even more complex, the teams had to bond and get to know each other very quickly, identifying key strengths and specialisms. This also needed to be bundled with leadership skills to delegate responsibilities, map out a strategic plan and see the bigger picture. If you’re thinking that sounds a lot to pack into 48 hours then you are right, did we say already that HackFu is a massive test of endurance as well as skill?

We can’t go into all the details of the individual challenges here but for those that are interested there will be a more detailed breakdown of the individual challenges and some of the technical background behind them published on our blog. 

The first one we’ll look at is the mining & extraction industry, which was an obvious choice in a Frontier town like Hacksville where Gold had been discovered in the area a few years before the time at which our event was set.

In our fictional world a local mining company had been experiencing issues with their systems being compromised by attackers. What the attackers had been doing was obtaining sensitive information about exploration and survey data, as well as details of new business initiatives. Coupled with that they had also been altering the data passed to the computer controlled mining equipment, meaning that extraction rates were affected and the company was becoming less competitive.

At HackFu the attendees therefore had to attempt to retrace the attacker’s steps, identifying weaknesses in systems as well as signs of compromise and exfiltrated data. No better way to learn some of the challenges and constraints on what solutions are viable than seeing them first hand!

And it’s not just the individual challenges that mirror the real world issues that people get to explore at HackFu. At the 2014 event the contestants also had their own financial ecosystem to contend with. There were several layers to this, such as the financial market, where the teams could buy and sell everything from in-game intelligence to home brew beer. This required assessment of the value of the currency and of the commodities being traded. Underneath this was the technology that supported this market place including RFID wristbands for cashless and wireless payment along with vaults for teams to keep their money safe and a back-end processing infrastructure to control it all.

On the surface the construct and the theming of the challenges make this all seem like a bit of fun, but again the complexities within the system bring their own challenges that closely mirror the real-world. In this instance our payment environment included security bugs deliberately injected into the technology (as well as some that the developers may not have anticipated).

Then by observing how the teams learned about the technology, enumerated how it was implemented and how they then began to experiment with it, a whole new perspective on the real-world application of these technologies and the challenges facing their designers could be gained. This therefore provided insight on how attacks were attempted, what worked, what failed and how each of those altered the attitudes and approaches of the attackers.

So this sounds great but was it all just for show? Absolutely not!

What better way to equip people to test and provide advice about the security of real-world financial technology than to experience bank robberies and electronic heists both as the attacker and the victim. In our event one team pulled off an impressive attack that enabled them to steal a million dollars of Lily Heart’s vast fortune. As a result this skewed the market and affected all the other teams. If you are wondering how this was done and what we learned from running a financial system like this then keep your eyes open for a detailed breakdown that we’ll be publishing here in the near future.

Keep following us via social media and our website as we’ll be publishing more insight and information about HackFu in the coming months.

We’ve got lots more to tell you about our experiences and how you may be able to join us at our next event!
Copyright © 2017 MWR InfoSecurity.