(Photo by Brady Dale)
Cybersecurity Awareness Week hit its tenth year this weekend, at the Polytechnic University of New York‘s downtown campus, and Julian Cohen has been showing up at the event since 2008.
He was a Brooklyn Tech high school student in 2008, but he cut class to come to CSAW. Sold on Poly, he decided to go there. Once he got in, he entered the Capture The Flag competition (where students have to break into websites of various kinds and in different ways) as a freshman and made it to the finals.
He ended up running the event the next three years. A 2013 graduate, he was back this year as a technical adviser. The event grew dramatically under his watch. The event size has doubled every year for four years. The 15 teams brought to Brooklyn to compete this year were winnowed down from 1,387 teams playing worldwide over the weekend of September 19-22.
Brooklyn was represented with competitors in another field at the weekend’s event. Technically Brooklyn spoke to Flatbush’s Nektarios Tsoutsos and Charalambos Konstantinou of the Modern Micro Architecture [MoMA] lab, which reached the finals in the Embedded Systems Security Contest this year as the “MoMA Avengers.”
The Embedded Systems Security Contest is one in which teams propose strategies for getting malware onto the chips used to control devices. So, for example, a radar system would work until a specific day and time, when the attackers planned to make some kind of move. Or a waste water treatment plant would reverse its pumps at a given signal.
The point of the contest, Tsoutsos explained, was for creative security academics to come up with vulnerabilities in embedded hardware systems so that the security industry could plan to address those weaknesses before anyone with malicious intent had a chance to try them.
Tsoutsos explained the trick that got his team into the finals: “We are using parts of the chip that are hidden from modern detection techniques.”
In other words, by looking for an underused section of a chip and hiding code there, so that it won’t cause any kind of hiccup or reaction in the chip’s output early on, they make it harder for security assessment software to find the malware.
Technically Brooklyn didn’t talk to any of the teams in either the Capture the Flag Competition nor the High School teams doing a simulated computer forensic analysis of a criminal investigation because they were all deep in competition mode.
We liked the fact that the event organizers were playing a running set of the most over the top music videos that the Internet can provide on a giant projection screen behind the competitors, and saw at least one dance off break out while we were in the gym at 6 Metrotech Plaza.
Shore gave us an example of the kind of challenges these teams were facing. He designed one of them, in which teams had to deliver a payload onto the administrative side of a website that they couldn’t see but was set up something like what a big site like a Facebook might use. This particular challenge featured a “cross site scripting vulnerability” that teams had to find and deliver a packet through that would then steal some information.
It’s a realistic scenario, and one many developers don’t anticipate because they’ve never seen it or assume that their sites safe from since only administrators can see the administrator side of the site, he said.
“These sort of help desk portals are used all over,” Shore explained. “It’s conceptually easy to understand, but many developers have never seen it.”
CSAW is oriented toward the education of students who are likely to be the Internet’s cybersecurity architects very soon. The event is sponsored by companies like Google, BlackRock, Thomson Reuters and Microsoft.
Here’s a video from last year’s event: