Over the last 6 weeks, I have competed in National Cyber League Fall Pilot.  This is the second pilot they have run.  This pilot was focused around individual challenges which made it very interesting.  It can be difficult to create a team of people with similar devotion to a challenge.

National Cyber League was broken in 3 – 3 hour rounds each separated by 2 weeks and a different focus.

Round 1: Capture the flag: 23 flags spread among 6 targets, 20% weight
Due to connection issues, only worth 20 weighted points per flag.
Max Weighted Score: 460
Max Participant Score: 300

Round 2: Logfile Analysis: 50 flags spread among 5 log files, 30% weight
Max unweighted Score: 30,000 total
Max Weighted Score: 9,000
Max Participant Score: 8,070

Round 3: Crypotgraphy: 25 flags including a chunk of challenges not yet solved, 50% weight
Max unweighted Score: 40,000 total
Max Weighted Score: 20,000
Max Participant Score: 6,250

550 students from 85 two/four year schools in 27 states signed up to be in the Fall Pilot. The top 10 participants from each of the 3 regions move on to a championship round: Eastern, Midwest and Western Regions.

Championship Round: : Mixed Topics: 25 flags spread among 6 categories

• Web Exploitation – 7 flags totaling 13,000 points
• Network Data Analysis – 5 flags totaling 7,500 points
• Linux Passwords – 3 flags totaling 6,000 points
• Basic Cryptography – 3 flags totaling 1,900 points
• Advanced Cryptography – 2 flags totaling 10,000 points
• Steganography – 5 flags totaling 6,600 points

Final Order is determined by Score then Accuracy then Time.

This challenge was a lot of fun and made me realize some areas that I really need to improve in. They announced they would publish official write-ups on how to solve the problems, but they have yet to be released. In the meantime and in the spirit of showing different methods fellow participants came up with, I am posting a few solutions to challenges from myself and people I met to help people in the meantime.

I have been asked “Why do you focus so hard on InfoSec Challenges?”

I started looking into how to get better technical skills in Information Technology and Information Security. As a child of the gaming generation, I ended up looking at Gamification of Learning, or learning through playing a game. When kids learn to type, they play Mavis Beacon Teaches Typing or something similar. That type of game convinces you to want to learn to type properly. The reason games are used is winning and competition drives and motivates people. InfoSec folks tend to be gamers as much as small children; We love challenging ourselves.

UC Berkeley ran a Starcraft class to link the game thinking to Finance
Many Professional Starcraft players end up working in Finance and excelling
SANS utilizes NetWars environment to supplement their classes
SAIC created the CyberNexs environment
iSight Partners created the ThreatSpace environment

InfoSec Challenges motivate us because at our hearts, we are games, but additionally they challenge us and give us the ability to be competitive with our peers. After most of the challenges, participants do write-ups on the questions. These write-ups allow others to learn how to solve the challenges and/or different ways to solve the same problem. The best challenges have multiple paths to find the correct answer, and sharing the pathways allows others to get insight into a teams techniques and thoughts.

I targeted InfoSec Challenges as my vehicle for learning, because it motivates me to learn and research. As I played, I realized that each challenge has difficulty describing how their challenge functions. Additionally when attempting to start players these challenges, it is very difficult to understand. To help new players to these challenges, I started a wiki to help detail the competitions, share the research I did on different challenges, and share write-ups in one location. I also started a meetup at Unallocated Space to discuss and work through challenges and eventually as a testing ground for my own challenges.

Gamification is the future of learning Information Security. It takes more time, creativity, and generally money to create, but it gives the participants a better understanding of what they are trying to learn. It always comes down to the player to make the most of the experience.