In cybersecurity contest, hackers target critical infrastructure

At the inaugural Passcode Cup capture the flag challenge, competitors raced through hacking challenges that ranged from password-cracking to compromising a mock water treatment facility.

Joe Needleman was asking for trouble. 

Last week, inside an airy Washington office space, the junior at California State Polytechnic University, Pomona, linked together three clear plastic storage containers and filled each with water, mimicking a water treatment facility. Once he wired the containers to a computer network, Mr. Needleman invited a room full of hackers to attack them.  

If they're successful, "it starts jumping like crazy," Needleman said of his contraption, pointing to a circuit box that controls the water levels.

Needleman's mock water facility was one of the prime targets during Passcode's inaugural capture the flag contest in Washington that drew more than 50 participants in a digital skills challenge loosely based on the schoolyard pastime. In this version, however, teams earned points by solving puzzles, answering trivia questions, and attempting to seek out vulnerabilities in software.

Capture the flag contests have become commonplace inside tech companies, at cybersecurity conferences, and in engineering schools as cybersecurity training tools. Cal Poly Pomona and Alex Levinson, a senior security engineer at Uber, helped build and facilitate the Passcode capture the flag contest, which was based on a capture the flag that Facebook developed and made available through the open source software repository GitHub.

As the Passcode contest revved up last Friday, techno music pulsating through the Washington coworking space and 13 teams, many of them college students, clicked through at a slew of hacking challenges.

The team "Hoya Haxa" from Georgetown University (their name was a play on the school's "Hoya Saxa" cheer heard at basketball games) immediately realized they were at a disadvantage. They brought Windows laptops to a contest largely designed for Mac operating systems. At their crowded table, covered in crinkled candy wrappers and chip bags, they fired files back and forth with Justice Suh, the only team member that brought a Mac.

And if the contest is any indication of what securing the internet looks like, it requires a lot of Googling. Hoya Haxa's search bars were filled with hacking queries that covered encryption, password security, and reverse engineering.

How to upload a shell to a web server and get root, James Pavur types, referencing a small bit of software code that hackers use to exploit computer vulnerabilities and gain administrative access. 

How to crack passwords using hashtag, Mr. Suh writes, looking for a free password-cracking software that identifies hashes to assist in his effort. 

"We're going down a rabbit hole," Mr. Pavur said as he tried to crack a particularly complex password.

"Somebody's pretty grumpy," team member Casey Knerr quipped.

But they also kept an eye on the scoreboard, and team member Pavur was more than a little frustrated when Tenable Network Security, the professional team in the game, climbed into the lead.

For them, he said, "It’s like showing up for little league."

Meanwhile, one team took aim at one of the water tanks. In an instant, the water began to undulate. It was a sign that one of the teams "pwned" the system, hacker speak for taking over or dominating a computer system. 

"Somebody is about to overflow the tank," Needleman, the Cal Poly computer science student said matter-of-factly, racing over to the other end of the room to reset the levels. 

Needleman's tanks added a physical element to a hacking contest that typically plays out on computer screens. And that was the point, he said. If the hack the competitors pulled off last week during in contest happened in real life, it could lead to contamination inside a water treatment facility.

It's a scenario that many people who defend real-life networks face, said Dan Manson, a professor of computer information systems at Cal Poly, who helped organize the contest. "People assume that we're trying to keep hackers out," he said. "They’re already in the networks."

The sorts of cyberattacks that can result in physical damage – whether to utilities or election systems – is the stuff that "keeps us up at night," said Phyllis Schneck, the top cybersecurity official with the Department of Homeland Security, who spoke with the teams before the competition started last week.

But finding workers skilled enough to help companies and governments recover from cyberattacks has proven difficult. In the waning seconds of a competition, the significance of the game wasn't lost on Hoya Haxa.

"This is where the world's going to get shaped," said Knerr, referring to the cybersecurity profession.

Still, a talent shortage looms over the cybersecurity workforce as both the government and companies deal with sophisticated hackers. Last year alone, the average cost of data breach rose by 8 percent to $3.8 million, according to the Ponemon Institute, which studies privacy and data protection.

In the end, Hoya Haxa finished fourth, just behind Tenable, which took home a third place finish. A University of Virginia team bested Carnegie Mellon University's "Plaid Parliament of Pwning" to win the Passcode Cup.

And on a morning when a digital attack using hacked internet-connected devices caused web outages throughout the East Coast, the competitors know the security challenges ahead will be serious. "At scale, internet-connected devices could make thing really bad," Knerr said. "Consequences that are small for an individual can add up."