By Tim Johnson
Free Press Staff Writer
June 13, 2008
NORTHFIELD -- The contest among computer-savvy graduate students was
billed as a kind of novel spectator sport.
Their competition, tantalizingly called a "digital combat exercise," was
supposed to give onlookers a rare opportunity to watch a computer
hacking job in progress, complete with play-by-play.
It didn't work out that way, though, thanks to -- what else? -- some
sort of technical glitch that obstructed efforts to monitor what the
competitors were doing. So for the few non-techie spectators who showed
up, the business of hacking was still as opaque and mysterious at the
end of the 1 1/2-hour exercise as it was in the beginning.
No great matter, because interesting talk filled the gaps -- talk about
computer security and its breaches.
That's a major focus of Norwich University's Master of Information
Assurance program -- an online curriculum targeted at professionals
around the country who want to learn about managing information
security. Three six-month semesters culminate in a one-week residency
here -- this week -- as students participate in a variety of activities
and leave with master's degrees.
One of those activities is a kind of computer challenge. Last year, it
was called "capture the flag." The challenge was for participants to
penetrate a system customized for the occasion and to find the "crown
This year, the challenge was more complex. Justin Peltier, a
computer-security consultant from Michigan, was on hand with another
simulated system that competitors were invited to break in to. They
would be awarded points based on their finding secret files, points of
vulnerability or open portals, and based on their identifying operating
systems and IT addresses. Twenty-one MSIA students, most of them in
teams, sat at computer terminals in one room and used a software program
Peltier supplied to explore the target system.
Before they started, he laid down such ground rules as "Don't attack the
router" and "Try not to do any arp cache poisoning."
The spectators gathered in an adjacent room out of earshot, hoping to
get a running commentary about how the competitors were doing.
The commentary was to come from Peter Stephenson, a member of the
program's faculty, who sat at his own terminal and displayed on a big
screen something he called a "sniffer trace," a multi-colored table with
columns of numbers and letters -- the first in what was to be a series
of tableaus that held the promise of monitoring all the traffic on the
network next door.
The minutes passed, and not much happened. The sniffer trace stayed the
same, and from time to time, when Stephenson tried to check on what
individual teams were up to, the screen went blank. Could it be that the
hackers weren't getting anywhere?
Someone decided to check on them in the old-fashioned way -- paying a
visit in person. The report came back that they were, in fact, getting
somewhere -- finding holes and vulnerabilities of various kinds.
The results weren't showing up on the big screen though. Keeping track
of this competition was kind of like trying to follow a golf tournament
without knowing anything about the sport or seeing anybody play but just
by watching the leader board -- a leader board that's stuck on the first
Could the monitoring system have fallen victim to hacking, someone
wondered. Unlikely, someone else said, but who could say for sure?
Meanwhile, spectators in the know passed the time discussing such things
as computer-security certification (this comes in many forms) and
"penetration testing" -- a field of expertise in which security experts
explore a computer-information system to find its vulnerabilities, with
an eye toward adapting it to make it less prone to hacking. A complete
"penetration testing" workup, it seems, includes not just a technical
exploration, but "human engineering," in which the testers probe for
human vulnerabilities -- as in, for example, employees who are willing
to divulge passwords or IDs over the phone to someone with an
Next door, the team of Jeff Johnson of Kalamazoo, Mich., and Carlos
Gomes of Phoenix, Ariz., was making the most headway. They found the
most secret files, which won them the most points and earned them the
top prize: $5,000 worth of "penetration testing" software.
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com