The We_0wn_Y0u team from the TU Vienna has won this year's international Capture the Flag (CTF) hacking competition, organised by the University of California in Santa Barbara (UCSB). In second and third place were the Wizards of DoS from the TU Darmstadt and WCSC from the University of South Florida in Tampa. Defending champions 0ld Eur0pe from the RWTH Aachen had to be content with fourth place. A total of 25 universities in the USA, Germany, Austria, Australia, France, Italy and Russia took part in the contest which lasted 11 hours.
At the start of the contest the same VMWare image of a bank server was distributed to all the teams. Services such as account processing, share trading, currency transfers and insurance services had been installed. These had been programmed in various languages and had a number of undisclosed security vulnerabilities. Each team represented a bank, which had to maximise the availability of its server on the VPN. At the same time little traffic should be generated - DoS attacks were banned.
With a virtual starting capital of a million dollars, each bank was able to earn money in three ways. The USCB "central bank" tested the availability of the different services at each bank at various points in time. If the test was successful, the team received a pecuniary reward. The central bank also rewarded teams for solving specific 'quests'. These included, for example, debugging a COBOL program and deciphering a punch card code.
However, the greatest profit could be made by stealing from other banks. To do so, the teams were allowed to open as many accounts at the other banks as they wished. The hackers paid in a little money and then tried to extract larger amounts by exploiting security vulnerabilities. Using such means, We_0wn_Y0u garnered around 12 of the almost 15 million dollars still in circulation at the end of the contest. At the same time, the teams also had to protect their own system from similar attacks without affecting its availability. A dozen teams ended the contest with losses. One bank ended up with just 637 dollars of the original one million.
CTF events are not just about entertainment, they also act as security training for the computer science students taking part. Each year Defcon in Las Vegas organises the largest contest of this type in the world, lasting three days.