Hacking Vegas at DEF CON 2017
Hacking Vegas at DEF CON 2017
Read on to see how one company has turning security training for developers into an intense, hackathon-like gaming scenario.
Join the DZone community and get the full member experience.Join For Free
For a quarter of a century now, thousands have gathered each year at the end of July in Las Vegas for one of the world’s largest hacker conventions – DEF CON. This year, DEF CON attracted a record-breaking 25,000 attendees. If you’re a computer security professional, IT professional, journalist, federal government employee (FBI, DoD), security researcher, or a hacker with an interest in software, computer architecture, phone phreaking, hardware modification, or anything else that can be hacked, then you know DEF CON is the place to be. Attendees come from all over the world to listen to talks about the latest threats and trends, but the real draw is the various contests for everything from who can most effectively cool a beer in the Nevada heat to capture-the-flag (CTF) style competitions.
Think Like a Hacker: Practicing Real-Life Scenarios With CMD+CTRL
Can you view your application from the eyes of a malicious attacker? To prevent attacks on your code, you need to understand what the hacker sees. Secure coding is not for the novice, but you can test your skills at one of the many CTF-style contests that take place at DEF CON. Security Innovation was again honored to run our CMD+CTRL Hackathon, this year in junction with Women in Security and Privacy (WISP). The two-day event started on Friday at 10 am and ended on Saturday at 6 pm.
CMD+CTRL is an immersive, gamified learning experience where teams compete to find vulnerabilities in commercial-grade applications or defend an IT infrastructure in real-time. Participants immediately become immersed in a real-world environment where they learn that attack and defense are about thinking on your feet combined with some creativity and adaptability. Security Innovation has a variety of real-life web applications, but for DEF CON, we used two: Gold Standard (an advanced banking website) and Shred (an eCommerce Skateboard Shop).
Given that the media has reported more and more widespread malicious attacks, it’s no surprise that the number of teams that entered the CMD+CTRL contest was up by 450% since last year, with over 450 people playing.
Dominating the Leaderboard
There’s nothing like a sweaty room full of wannabe hackers. Seriously. The 40-participant seating in our contest area was full throughout the event. Participants played from anywhere they could: the hallway floor, their hotel room, even the bathroom down the hall. It all got down and dirty.
The scoring system is a bit like a standardized test that you may have taken to get into college. Each challenge has a point value based on complexity, with challenges ranging from common vulnerabilities such as SQL Injection (SQLi) to advanced cryptanalysis and cipher cracking tests. 235 teams played, with almost half scoring more than 500 points.
Game Over: Lessons Learned
After two crazy, but fun days, several teams emerged victorious. In first place was BAH-Humbug; the second place winners were Savage Submarines and in third place the Flying Chaucers. All-in-all, participating teams got a chance to utilize techniques in a real-world setting, receiving real-time and post-game feedback.
It was great seeing how into the contest all of the players were. Everyone was heads-down and hacking away for hours. Tons of vulnerabilities were scored, and we had a number of non-intentional vulnerabilities pointed out as well.
Immersive learning like CMD+CTRL is a good way to learn what you do (or don’t) know about software security. It is fun, stimulates the senses, adds a gaming aspect, gives users the right to “safely” fail and learn by doing. This type of learning has a 100% attention rate from users, is 5 times more engaging than any other media, and yields a 75 – 90% knowledge retention rate.1
It is no wonder the immersive, gamified learning is becoming a popular way to train development teams.
Published at DZone with permission of Max Chauhan , DZone MVB. See the original article here.
Opinions expressed by DZone contributors are their own.