HackEire CTF

Some Thoughts on HackEire @ Realex

2012-12-01T13:37:00.002Z

So HackEire @ Realex went very well thankfully on Thursday last (28/11/12) and I think we saw people actually learn and improve their security skills through the 4 hours of the CTF. There was a huge range in the skill-sets but from the feedback that I've received, everyone enjoyed themselves and they all feel like they learned, which is simply awesome.

I completely realise that the CTF is far from perfect, so any feedback on areas that should be improved, please let me know. As with all CTFs, the infrastructure did require a reboot to restore sanity to the machines at two points, which is really the challenge of running everything as VMs in the one physical box, under a finite amount of memory and CPU. However, I always feel that this is a great thing because the reboot typically only takes 5 minutes and it forces the attendees to actually talk to each other and communicate as opposed to ploughing straight in :)

The challenge had four elements that involved

passwords
known old vulnerabilities on that machine in the corner that couldn't be patched
two web applications with a load of various vulnerabilities, some hard and some easy

where a range of skills were required

network scanning
tcp understanding
http and application knowledge
database awareness
the ability to "google" the odd time for those things you've forgotten
some lateral thinking
common sense and the ability to step back and reason with oneself :)

Thanks to Marc Wickenden (of 7 Elements) for completing the tweaks that I made to his superb BSides web application challenge and being awesome; Securityninja for being so innovative and backing the CTF idea; and a huge thanks Realex Payments for supporting our original idea and putting on an excellent show as the host (great facilities, so welcoming, delicious food and a constant supply of refreshments). Some more pictures from the event can be found here. In my experience, it is truly rare that a company will support such an event on-premise, however, I believe that's another reason why Realex Payments are ahead of the game!!!

If you feel like you'd like to run a mini version of HackEire in your company to help educate your team and/or give back to the community, just like Realex have, let me know (mark [AT] kybeire [DOT] com).

--
HackEire

HackEire @ Realex

2012-11-28T21:55:00.002Z

So as per this blog post from @securityninja, a miniature version of HackEire will be running tomorrow (Thursday, November 29th) at the Realex Payments offices, in Dublin City Centre.

This event is probably the culmination of the waffle myself and Dave did in this blog post last year, i.e. we've decided to put into action what we were "mouthing" about. The game is smaller than what has previously run at IrissCon and the intention is to bring "security" into the developer world, a world that I have realised I now operate in as part of life with MongoDB.

Regarding keeping score, on this occasion, we decided that there was no point and it would act as a distraction but maybe on future occasions we'll put something up.

So if you're coming tomorrow, I'm looking forward to meeting you and remember, the goal here is to have fun and learn!! There's no need to worry about breaking stuff (I'll probably beat you to it) and please, don't be afraid about not knowing how to "break into" a XP SP2, everyone has to start somewhere.

--

HackEire

GitHub

2012-07-12T15:20:00.000+01:00

For quite some time, I've been wondering what to do with the various challenges from the last few years of HackEire. I've released quite a few of them through Dropbox links to folks on Twitter or boards.ie but that was a little ad-hoc and I'd no central repository. Working for 10gen has ~~encouraged~~ forced me to learn about git and I actually like it (a little bit) :)

As a result, I've decided that GitHub is the best place for it so I'm starting to upload what I have from the various contests. Unfortunately, the 2009 stuff is essentially gone, whilst I've misplaced some of the 2010 challenges :( Additionally, it's not possible to upload the web application, infrastructure or o/s challenges for a few reasons -

legal

licensing

the VMs are huge

Anyway, check it out here and enjoy :)

Packet Analysis 2011 Challenges

2012-06-03T22:24:00.002+01:00

The pcaps from HackEire 2011 have been posted here along with the questions, if you want to have some fun with them.

Enjoy!

--
HackEire

HackEire 2012 - On or Off?

2012-05-23T00:56:00.001+01:00

Quite a few people have recently been asking me about HackEire 2012 so just to clarify that I will not be running HackEire this year. It's a long story but to summarise, I just don't have the time to run such an event again and with each passing year, it got harder and there was less help forthcoming unfortunately.

I'd like to thank Singe for all his help over the three years and Brian Honan (Head of Iriss-Cert) for his support for allowing me to run an event where people come and hack boxes. Last year was the toughest yet and most complex infrastructure, probably too complex, but thanks to Damian, we were able to have a live scoreboard with some vulnerabilities and to Bob and David, we had some simply awesome reverse-engineering challenges.

I'd also like to thank everyone who has attended the event over the past three years, thank you because it'd obviously wouldn't have gone ahead if no-one turned up!!!

The good news is that Iriss-Cert team will be holding the IrissCon conference again this year and they intend on having a new ethical hacking contest, however, I am not sure as to what form this will take. If you have further questions, please email info@iriss.ie.

I still have some challenges from HackEire 2011 to release so I will do that over the coming months, once I get some proper free time (sorry for the delay).

Hopefully, at some point in the near future, time permitting, HackEire will make a return in some format......

Campus Con 2012

2012-01-16T19:12:00.000Z

I meant to do this sooner but I kept forgetting. Anyway, Campus Con 2012 is on in Waterford, Ireland, this coming weekend.

The list of talks can be viewed here and it looks like the WIT hacker folk have also organised a CTF, which looks like a good bit of fun.

The conference is being held here on WIT Sports Campus (the page linked includes directions).

It's great to see another #infosec conference in Ireland and I'd like to wish the organisers all the best and fair play to them for setting it up. Hopefully next year, I'll make it down.

--
HackEire

HackEire 2011 - Ramblings - Part 2

2011-12-20T22:42:00.000Z

At HackEire 2011, as I've previously mentioned, I was pretty ambitious with the network design. This had some interesting consequences, mostly good but yes, the odd one did cause a performance issue on the day :)

Anyway, one of the things that worked quite well was the NSM (Network Security Monitor) that I implemented. So for me, to put it simply, NSM is essentially something that makes an IDS useful as it gives the analyst a better view into their network as it provides the tools for the analyst to analyse their network traffic in an improved fashion so he/she may understand it better and so do a better job easier!!! This is what I wanted to do, understand the goings-on in the HackEire network better.

I won't talk about why this is as you're probably better following @taosecurity for a much better explanation of why a NSM rocks (or follow @dougburks, i.e. Mr SecurityOnion, for that matter).

As the Google Code Page for Security Onion says -

Security Onion is a Linux distro for IDS (Intrusion Detection) and NSM (Network Security Monitoring). It's based on Xubuntu 10.04 and contains Snort, Suricata, Sguil, Squert, argus, Xplico, tcpreplay, scapy, hping, and many other security tools.

So as you can seem deciding where to start with Security Onion is a difficult place as there's so much useful and cool stuff within it and it's definitely easier to configure than many commercial solutions :) Ever try figuring out how to install Sguil or Barnyard by yourself? So how did I configure Security Onion at HackEire? Well, consider this to be the only network diagram that you'll ever see of HackEire -

To configure this set-up, I manually edited the /etc/network/interfaces file and played with the brctl utilities until I had the set-up as I wanted. I didn't use Network Manager at all but maybe I should have for simplicity, ah well :)

Set-Up

There's really no point in me talking about this much when Doug's already discussed it so well here on the PaulDotCom website.

The recommended installation steps are here.

All I will add is that it's really simple :)

In this blog, I refer to the command-line but it's really easy to do configure a lot of things through the desktop interface as this screenshot shows that everything is there -

Sguil & Squert

Sguil and Squert are two things that truly turn Security Onion from an IDS into a NSM and with these you can really make sense of what's going on in your network. Unfortunately, I've lost the screenshots from the day :( so here's some vanilla-type stuff -

Sguil has its own GUI that enables the analyst to interpret the alerts, view the session data or the raw packets themselves. I've generated the alerts below by accessing httpo://testmyids.com with 'curl' -

OVERALL (including the raw packet data in the bottom righ-hand corner)

RULE MATCHED

Squert is a web-based tool, launched through the browser (Firefox by default on Security Onion) that is used to query and view event data stored in a Sguil database.

Sguil and Squert both put a context on the data that the analyst is viewing.

HTTPRY

So one of the cool things that Security Onion comes with is 'httpry', a packet sniffer that shows http traffic. As all of the HackEire competitors were browsing through the IDS device when attacking the Bhratach network, all their http traffic was being logged (unbeknownst to them :) ).

Below is a snippet of the 'ps' output showing httpry configuration residing in /etc/nsm/ids-br0/http_agent.conf with the exclude file in the same directory and the logs in /nsm/sensor_data_ids-br0/httpry/$date.log.

sguil 1436 0.0 0.2 6500 4392 ? S 16:58 0:00 httpry -f timestamp,source-ip,source-port,dest-ip,dest-port,method,host,request-uri,referer,user-agent -i br0 -o /nsm/sensor_data/ids-br0/httpry/2011-12-22.log -u sguil

root 1459 0.0 0.1 5512 2224 ? S 16:58 0:00 tclsh /usr/local/bin/httpry_agent.tcl -c /etc/nsm/ids-br0/httpry_agent.conf -e /etc/nsm/ids-br0/httpry_agent.exclude -f /nsm/sensor_data/ids-br0/httpry/2011-12-22.log

This is the standard configuration for Security Onion -

Log files from the Sensor under /nsm/sensor_data/NAME-OF-SENSOR

Configuration in /etc/nsm/NAME-OF-SENSOR

where NAME-OF-SENSOR is 'ids-interface' where interface is the monitored interface so in my case you'll see ids-br0, where br0 was the bridged interface combining eth0 and eth1.

There was almost a GB of data on the day so it's quite hard to analyse (with the limited time that I have), however, here's a few things that we saw -

There were two log files on the day due to a forced restart of the VM.
Using some shell fu, we see that there's 405434 lines/entries in httpry.log and of that total, 118314 contain dirbuster -

$ wc -l httpry.log && perl -ne 'if (m/dirbuster/i) {print $_}' httpry.log | wc -l
405434 httpry.log
118314

So roughly 29% of the http traffic through the IDS device was using DirBuster to attack a web-server that was very well locked down. This web-server actually had no none web vulnerabilities, hosted all of the forensic/packet/general challenges and was best attacked through pivoting off another box.
Sample log -

2011-11-23 14:16:34 10.20.5.189 59318 192.168.10.101 80 HEAD 192.168.10.101 / - DirBuster-0.12 (http://www.owasp.org/index.php/Category:OWASP_DirBuster_Project)

$ awk '{print $3 "\t" $5}' dirbuster.log | uniq
10.20.5.189 192.168.10.101
10.20.5.164 192.168.10.101
So of the 36 people there on the day, 2 felt the need to bombard the network with DirBuster :)

As I mentioned on the day of the HackEire event, the second log file contained multiple attempts to penetrate one of the honeypots on the Bhratach network :) Like I said, there will be 'red herrings' on the day, it's your responsibility to read the questions and correctly fingerprint the services and servers.

Snort Log Files

As we were using Snort as the IDS on Security Onion (you can also use Suricata, which also looks very cool but I haven't played with it yet), we logically had Snort log files, located under

/nsm/NAME-OF-SENSOR

Running 'ps auwx' shows that we've the Snort agent running with its configuration in /etc/nsm/NAME-OF-SENSOR/snort_agent.conf

root 1287 0.0 0.1 5536 2164 ? S 16:58 0:00 tclsh /usr/local/bin/snort_agent.tcl -c /etc/nsm/ids-br0/snort_agent.conf

Security Onion uses Barnyard (an output spool reader for Snort that decouples the output process from Snort so Snort can perform better and not worry about logging to a database) for Snort logging (/etc/nsm/$interface/snort.conf is set-up by default to log in unified binary mode) -

root 1349 0.0 0.0 8028 896 ? S 16:58 0:03 barnyard2 -c /etc/nsm/ids-br0/barnyard2.conf -d /nsm/sensor_data/ids-br0 -f snort.unified2 -w /etc/nsm/ids-br0/barnyard2.waldo -U

and Sguil logging its information to

/nsm/sensor_data/$interface/dailylogs/$date as expected -

sguil 1387 0.0 0.2 6204 4344 ? S 16:58 0:01 daemonlogger -u sguil -g sguil -i br0 -l /nsm/sensor_data/ids-br0/dailylogs/2011-12-22 -n snort.log -s 134217728

These log files are stored in Snort's binary format and to run them is as simple as -

snort -r snort.log.1322068350

which produces something like -

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/23-17:12:30.904710 10.20.5.245:39437 -> 192.168.10.101:80

TCP TTL:63 TOS:0x0 ID:48174 IpLen:20 DgmLen:266 DF

***AP*** Seq: 0x247B1B15 Ack: 0x3A3B75A2 Win: 0xFFFF TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

11/23-17:12:30.904838 10.20.5.203:38826 -> 192.168.10.101:80

TCP TTL:63 TOS:0x0 ID:9461 IpLen:20 DgmLen:455 DF

***AP*** Seq: 0xF6BD0441 Ack: 0xD626FD50 Win: 0x3908 TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

Basic Packet Statistics

I'd promised @dougburks some statistics on the day, hence one of the reasons why I was looking at the afore-mentioned snort log files because within the file they give some nice breakdown on protocols and packets -

=============================================================================

Run time for packet processing was 20.870504 seconds

Snort processed 592198 packets.

Snort ran for 0 days 0 hours 0 minutes 20 seconds

Pkts/sec: 29609

=============================================================================

Packet I/O Totals:

Received: 592198

Analyzed: 592198 (100.000%)

Dropped: 0 ( 0.000%)

Filtered: 0 ( 0.000%)

Outstanding: 0 ( 0.000%)

Injected: 0

=============================================================================

Breakdown by protocol (includes rebuilt packets):

Eth: 592198 (100.000%)

VLAN: 0 ( 0.000%)

IP4: 589797 ( 99.595%)

Frag: 0 ( 0.000%)

ICMP: 21830 ( 3.686%)

UDP: 13452 ( 2.272%)

TCP: 554515 ( 93.637%)

IP6: 22 ( 0.004%)

IP6 Ext: 22 ( 0.004%)

IP6 Opts: 0 ( 0.000%)

Frag6: 0 ( 0.000%)

ICMP6: 0 ( 0.000%)

UDP6: 22 ( 0.004%)

TCP6: 0 ( 0.000%)

-----------------------

--------------------------SNIPPED

Total: 592198

=============================================================================

which I'm not going to expand on in this blog post (due to lack of time).

These snippets are pretty useful as they give a good protocol breakdown on your traffic profile.

Performance

We were running IPTraf

which reported a maximum of roughly 5000 kbits/sec and 2500 packets/sec (obviously not in the screenshot above :) ), which admittedly isn't huge but Security Onion easily handled the load.

CPU - didn't exceed 20%. We did reconfigure the VM to use two vCPUs but it didn't make any difference as we expected memory was our issue but as explained below, we could do little about it other than reboot!!

Memory - we were using up to 800MB and we'd only assigned 1GB to the VM. As we were using Xen Server 5.6 (for stability reasons), we were unable to dynamically assign more memory (we'll upgrade for next year to 2GB and XS6).

Both 'top' and 'Cacti' reported large run queues (9-10) at regular intervals with 'tclsh' taking up a good chunk of memory -

Below are processes called by 'tclsh'. I am unsure as to which one was taking up most memory, however, I suspect the 'sguild' process simply because it's logically the most intensive. I didn't have time to troubleshoot on the day so didn't catch it unfortunately.

root 1099 1.7 57.6 2186564 1186708 ? S 16:57 6:28 tclsh /usr/local/bin/sguild -c /etc/nsm/securityonion/sguild.conf -a /etc/nsm/securityonion/autocat.conf -g /etc/nsm/securityonion/sguild.queries -A /etc/nsm/securityonion/sguild.access -C /etc/nsm/securityonion/certs

root 1228 0.0 0.1 5664 2716 ? S 16:57 0:00 tclsh /usr/local/bin/pcap_agent.tcl -c /etc/nsm/ids-br0/pcap_agent.conf

root 1253 0.0 0.1 6180 3304 ? S 16:57 0:01 tclsh /usr/local/bin/sancp_agent.tcl -c /etc/nsm/ids-br0/sancp_agent.conf

root 1287 0.0 0.1 5536 2164 ? S 16:58 0:00 tclsh /usr/local/bin/snort_agent.tcl -c /etc/nsm/ids-br0/snort_agent.conf

root 1459 0.0 0.1 5512 2224 ? S 16:58 0:00 tclsh /usr/local/bin/httpry_agent.tcl -c /etc/nsm/ids-br0/httpry_agent.conf -e /etc/nsm/ids-br0/httpry_agent.exclude -f /nsm/sensor_data/ids-br0/httpry/2011-12-22.log

root 1567 0.0 0.2 12628 6084 ? S 16:58 0:00 tclsh /etc/nsm/ossec/ossec_agent.tcl -o -f /var/ossec/logs/alerts/alerts.log -i 127.0.0.1 -p 5 -c /etc/nsm/ossec/ossec_agent.conf

Modifying Rules

So there are two rules files -

downloaded-rules
local-rules

These files reside in /etc/nsm/NAME-OF-SENSOR.

It's very easy to modify the local-rules, e.g. here's two that I used to monitor GUI access to devices that had GUI access open -

----------------------------------------------------------------------------------------------------------------------

more local-rules.txt
alert tcp any any -> $GUI_NET 80 (msg:"Alert HTTP Access to Router & LBGUIs";sid:1000005; rev:1;)
alert tcp any any -> $GUI_NET 443 (msg:"Alert HTTPS Access to Router & LB GUIs";sid:1000006; rev:1;)

----------------------------------------------------------------------------------------------------------------------

I had defined the $GUI_NET variable previously in my Snort configuration for 'ids-br0'.

I also played a little with Pulledpork, which will download and modify the rules. The files are located in /etc/pulledpork and are updated daily at 07:01 with manual updates by running /usr/local/bin/pulledpork_update.sh. It is very simple :)

Upgrade

I had Security Onion configured as the transparent network bridge several months before HackEire 2011 and one thing that I'm not keen on prior to such events is upgrading :), however, with Security Onion I actually kept updating as Doug has made it so simple with a simple one-liner -

sudo -i "curl -L http://sourceforge.net/projects/security-onion/files/security-onion-upgrade.sh > ~/security-onion-upgrade.sh && bash ~/security-onion-upgrade.sh"

I never once had an issue :)

Conclusion

This blog post could go on and on and to be honest, I've only touched on Security Onion. Therefore, to conclude, Security Onion was a great addition to HackEire and with its many NSM features, it truly makes an IDS useful :) whilst being amazingly easy to set up.

I will definitely be including it in HackEire 2012, where I hope to have taken the implementation several steps forward -

Keeping up with Doug's many Security Onion upgrades. For example, Snorby has since been added and it'll be a great addition IMHO.

Increased analysis (by us) of traffic during the day.

Upgrading the current VM to the latest VM software and assigning more memory (along with a Xen Server6 upgrade).

Make more use of the additional Security Onion features on the day but also in post-event analysis. There's so many features here!!!!!

Security Onion = simplicity and effectiveness :)

Further Information

For more information on Security Onion, check out the following -

Security Onion Homepage

Google Code Page

Holistic Infosec write-up on installation & playing around with Security Onion.

Network World playing with Security Onion.

Creator (@dougburks) presenting at BSides Atlanta. The really interesting aspect here within his presentation was not just how easy it is to configure but the amazing amount of new features and add-ons that Doug is adding to his baby - simply astounding. These new features include working on Bro IDS, adding new feaures from Snort and Suricata, upgrading Barnyard, moving to Ubuntu 12.04 64-bit as the base distro, working with the Sguil guys on their new release and integrating it into Security Onion.

In my humble opinion it's awesome and is definitely an open-source project worth playing with, supporting and contributing to :)

Video of HackEire 2011

2011-12-15T21:03:00.001Z

You'll be pleased to know that we've managed to condense 10 hours of fun, which would have ben 11 if Paul had've got his way, into 4 minutes!!!

Enjoy :)

As usual, any feedback (negative or positive), send it to NAMA!

--
HackEire

P.S. I forgot to credit @cathalfurey of @45snd for the awesome video, I think we can all agree that it rocked!!

Education Survey Results

2011-12-10T23:01:00.001Z

So you may or may not remember that on 25th November, I posted a blog that contained a survey concerning questions regarding what folk (in the IT Security field learn in formal education versus playing a CTF).

Firstly, in the aftermath of posting the survey - it was prompted by events at the HackEire event itself, interviewing candidates (for jobs), witnessing how I learnt myself, witnessing a well-known security professionals claim that we should prioritise graduates in selecting folk for jobs and many conversations with @securityninja - I realised that I should have modified the survey such that it was not specifically about a CTF but interactive learning and that it's hard to compare a 1 or 2-day event with 3 to 4 years of so-called learning :)

Anyway, the results proved to be interesting (to me anyway) with a few surprises. Therefore, without further adieu -

Number	Question	Yes	No	Skipped
1	Does what you learn at university or school through studying computer/network security help you when competing at a Capture The Flag contest?	22	37	0
2	Does university/school simply provide the theory without the chance to put the theory into practice?	40	19	0
3	Would hosting a CTF-type event (e.g. a mini-version of HackEire) on an annual basis in school/university have helped or help you understand computer/network security more?	52	5	2
4	Can you learn computer/network security simply by reading books?	3	56	0
5	Should we encourage folk to go into another discipline of IT before moving into computer/network security, e.g. development, system administration, operations etc (so he/she may gain knowledge)?	52	7	0

The only answer (above) that really surprised me was number 5, I expected 100% to say 'yes' but given the current skills shortage and numerous opportunities in the security field, I suspect that for many, this is no longer an option.

As you're probably guessing, I've summarised the answers to questions 6 and 7 for aesthetic reasons so here's the answers to 6 summarised -

Number	Question	Strong +ve	+ve	Neither	-ve	Strong -ve
6	Does what you learn at university or school through studying computer/network security help you when competing at a Capture The Flag contest?	38	14	4	3	0

and a few quotes -

"Learned through hands-on lab practice in university as my course focussed on security stuff. In the CTF I learned that I didn't know enough. The CTF puts the gaps into focus. The lack of published solutions from the CTF precludes a full opportunity to learn from it."

"HELL YEAH"

"More is a strange metric. More means quantity? As for quality: abstraction is key: abstract RCE through Graph Theory. Understand the formal consequences of several simarlity coefficients (for Malware Analysis or so.) Understand how to formally express a buffer overflow within a given system as a state-model. Quality. You need both sides of the coin to rule over complexity."

"No. Different topics. CTF don't learn you anything about maths, software engineering, etc. that you learn in univ."

"CTF's are fun, but you don't really learn much on the day, its in the analysis afterwards or prep before hand that i feel you learn most."

"The CTF for hackeire is a considerable challenge and would be difficult to replicate in a classroom."

"It is the doing and the pressure to put it into practice in an competitive environment. Triumph understanding the attack or defense."

"Yes. Theory is important, but it's definitely more beneficial to apply what you've learned in practice."

and many more of a similar vain, strongly agreeing with the last quote. If I haven't included your answer here, I apologise (running out of space on this article) but I do have it in my raw-date anonymous spreadsheet, if you'd like it :)

The answers to question 7 brought the following conclusion -

This question could've been worded better because it's not a straightforward comparison to compare 4 years of college versus a 1 or 2 day CTF. Overwhelmingly the answers reveal that folk believe that there is not enough hands-on, interactive, practical experience in 3rd-level education such that they are often unprepared for what happens in the real-world. Some feel that the theory they learn in university is necessary for what they do practically later on whereas others feel that they learned nothing useful at all in university, which I believe says more about the variance in the quality of education and teaching at universities. Additionally, the vast majority indicated that university education should be able to give the chance to apply stuff in practice so as to understand 'why' things need to be done the way they are recommended (be it, network design, system administration or programming). Finally, a few folk made the point that most lecturers do not have real-world, up-to-date technology or security knowledge and understanding."

Finally, some answers to question 7 -

"Teach how they work and make sure everyone understands those factors before teaching them how to break into them. Most people don't understand the basic fundamentals to know enough of how to break into systems. What happens when someone breaks into a system? There's no guarantee that they have any clue as to how to navigate the system or what to look for. These are basics not typically covered in an educational institute."

"I left full time 3rd level education in 2001, at the time IT/Information security as a full time course did not exist at my University. The single module on Computer Security needless to say was not enough, other modules briefly discussed certain aspects of security but over all security always ran second to programming. Definitely University's need more practical experience, have a mini HackEire a couple of times a year increasing in difficulty as a student progresses could spark a students interest in the field What I would have liked in college would have been a room of network equipment where students can build/configure a LAN, tear it down and do it again. Instead of just reading a text, although its still import to know the make up of a data packet/OSI etc Use virtualisation to create environments similar to real world environments for students to explore/break/fix. They could/should be doing that now....I dont know Apart from programming practicals my course was pretty much lecture/text based, the only hands on hardware practicals I had was after hours with my buddy who was obsessed with overclocking his PC, more hands on and practical.'

"Practical experience and relevant hands-on work" -> * many people.

"because there is no "target" or "goal" defined, it's harder to keep the knowledge from uni - for example, I learned how to use Java RMI in programming, but I didn't really grasp why I would use it, ie. what real-world problems does it solve? what are it's security implications? etc."

This has been a long post so quickly, I don't think a CTF can replace formal education, however, it can definitely complement it and in some cases, people feel they learn an awful lot more. This survey has confirmed that there is a need for more interactive learning where students/professionals can gain some practical, hands-on skills as opposed to always concentrating on theory and simply regurgitating information. So many times folk don't know what to do when the sh!t hits the fan because they've never practiced their theory or had a trial run, whilst the look of bemusement when someone is asked to figure out pivot off a box to get something-else as opposed to just busting the first box with MS08-067 exploit is all too frequent. So I guess the next question is, how do we change things? As some other security folk like to do, let's make it sexy :) Seriously though, there's more to this than just making things sexy, right?

Hopefully there'll be a "HackEire 2012" and we'll continue to change things there. In the meantime, check out @securityninja's blog as myself and Dave will be posting something over there in the next week as we take this topic further!

HackEire 2011 - Results

2011-12-10T22:16:00.001Z

I just noticed that I never published the results for HackEire 2011 so here you go -

Bitbucket	100
2 percent	92
Stragglers	83
3 Amigos	80
C Legends	63
404	52
csdf-lyit	39
Chuck Norris	28
Layer-8	28

The maximum total was 200, so Bitbucket hit 50%. Apologies for the delay in posting this, oops :)

--
HackEire

CTF Education versus Formal Education

2011-11-25T21:09:00.001Z

I've created a little survey here that's being caused by some recent observations of the IT industry on my travels across conferences, training courses, professional certifications, watching the big tech companies decide where/how to locate new offices and through many other dealings with folk in the industry, either on a professional or informal basis.

There's no hidden agenda, just natural curiosity :)

I'd be delighted if you could complete it and offer your thoughts. I will obviously publish (anonymously) the responses I get.

Cheers!

--
HackEire

HackEire 2011 - Ramblings - Part 1

2011-11-24T23:49:00.001Z

Initial Ramblings on HackEire 2011

So as those who competed on the day can testify, we had many network problems. Firstly, apologies for that but someone DOS'd our AP, though I believe that the extra 2 hours of CTF fun until 19:00 made up for it (though someone did want to play until 20:00).

We went with a commercial 802.11G solution and the firewall didn't work very well :( So our BCP kicked in and we enabled our back-up AP, though it couldn't handle the bandwidth and refused to authenticate some of the competitors :( As a result, we brought in the third (and final) element of our BCP, a 24-port switch with trust RJ45 cables connecting over trusty ethernet and everything was fine (thankfully).

Lessons learnt for next year - bring a 802.11N AP, bring a second-one for back-up or resilience (spreading the load) and STILL bring the good old 24-port (insisting that competitors bring one hub per team, just in case).

HackEire 2011 was incredibly ambitious -

There were 7 Class C networks and all networks genuinely had something on them that would respond to them.

As a result, your nmap fu had to be a little more advanced than simply running a '-sT -A' scan to do proper fingerprinting and system detection.

There were honeypots, which as it turns out, successfully fooled some teams.

There were other red herrings but if you paid attention to the clues scattered throughout the infrastructure as well reading the questions (properly), the red herrings could be figured out.

There were various security devices scattered throughout the infrastructure that modified the response of servers/applications (and these responses were not always the same).

We got some things right and others wrong, though we received fantastic feedback so ya gotta be happy with that!!

One of the challenges that we faced this year was 'scaling', i.e. how to truly scale a CTF. Most CTFs that I've seen (and yes, I haven't seen all of them) do not suffer such 'scaling' issues because they don't have such a wide IP range as a legitimate target, meaning that nmap scans could be running for hours or someone could run 'db_autopwn' or the like from MSF against an incorrect network.

This year we spent over 5 grand of our own money to build the infrastructure as the kit from HackEire 2009/2010 was far from adequate. Everything was run across three XenServer systems, with each host having at least 1GB of RAM, usually more, and some running 2 vCPUs. We even put a little bit of extra cash into buying better NICs to get around potential NIC buffering issues and slower performance through having to go through the DOM0 hypervisor. All hosts (13) apart from two (IDS and Scoreboard) suffered issues, one being CPU and the other being not enough disk space. Adding a second vCPU was easily done, though adding extra disk space dynamically is not possible on XS until version 6.0 :(, which didn't not receive its first patch until late 2011, much too close for HackEire 2012. So as you can see, we faced many of the same problems that a 'work' network would.

As I mentioned at 18:50 on the day, there was an IDS (it's actually a NSM to be correct) on the network. I need to thank the awesome @DougBurks for his work on Security Onion and I will blog about its implementation (and analysis of its log files) soon. I will say though that it (in its lovely bridge implementation) did not appear to impact on throughput in any way, which was great :)

On the day, I tweaked some TCP settings (receive buffer, window size, window scaling, sack etc). I did see some benefits (from a throughput perspective) so this is something I will look into further for 2012.

Finally, it's worth noting that the vast majority of folk completely ignored the Windows systems, not sure why???? There were some real goodies there :(

In a subsequent blog post, I'll talk a little more about the network (though not revealing too much so as to spoil future challenges) because the feedback from some of the competitors complimentarily confirmed what I thought beforehand, i.e. "Building HackEire 2012 was a bit of an engineering project".

I will also do a blog post covering what we saw in our honeypots, web-server in addition to the Security Onion logs.

-------------

HackEire

P.S. As I'm a nice guy, I thought I'd recommend some extra-curricular reading for next year :)

The nmap book is an incredible resource and I highly recommend it. Being written by Fyodor, the book really is a no-brainer purchase (even though the nmap tool has been updated many times since) and

it provides a thorough walk-through of the nmap tool,
links to many relevant industry presentations,
awesome explanations of TCP and many other protocols
a great introduction into NSE (Nmap Scripting Engine) and how to write your own :)
and much, much more!!

Similarly I really enjoyed the recent Metasploit Penetration Testing Framework book . The book is endorsed by HD Moore so do I really need to say more. OK then, it's written by some of best guys in the industry (creators of Backtrack, SET and countless other things that have helped the security industry). The book

walks you through the Metasploit Framework with a thorough description of the constituents and some history of MSF
provides examples from the very simple to the complex
describes many attack vectors and how MSF can be used to take advantage of these vectors to exploit vulnerabilities (e.g. Social Engineering with SET or Wireless with Karmetasploit)
and much, much more that I don't have time to explain so go buy

During the day, there were a few questions about SQL Injection. If you really want to dig deep into it, go check Justin Clarke's book out. Quite a bit of it was above me (as I am far from a SQL expert, not am I a penetration tester) but it's a superb book and each chapter is written by a leading application security expert (plus, @securityninja recommends it so that should be enough :) ).

HackEire 2011 - Thank You

2011-11-24T22:57:00.001Z

Just a few words of thanks -

Thanks to the competitors for turning up and having patience with us during our hours (two'ish) of wireless frustration. Hopefully running HE until 19:00 helped folks and removed the frustration.

Thanks to @BrianHonan for allowing HackEire to sit side-by-side with IrissCon since 2009.

Thanks to @vdbaan for providing the initial PHP code for the scoreboard and Damian C for taking that code and turning it into our wonderful PHP-based scoreboard application (so much fun troubleshooting SQL issues on the day :( ).

Thanks to @dsancho66 & @bobmcardle for the wonderfully frustrating reverse-engineering challenges.

Thanks to BOC & @BobDob for their troubleshooting skills and calm influence on the day.

Thanks to the person who screwed up our Access Point, causing us to invoke our back-up AP, which eventually got overloaded as it wasn't highly spec'd and ultimately caused us to bring out the 24-port switch with RJ45s all over the place. Anyway, lots of lessons learnt there and we'll move on the better for it.

There's essentially two guys behind HackEire, who both put a lot of our own time and their own money (not an insignificant amount) into HackEire 2011, and it gave us great pleasure to see so many people having fun. It was great to see both young and 'not so young' learning about both offensive and defensive security in a safe, fun environment whilst under a little pressure 'not too suck'. This is sadly something that we feel is lacking in our education system and many of the so-called computer security courses fail to deliver these skills other than in theory. All too often we see that theory!=practice :(

Over the next few weeks as we get our sanity back and introduce ourselves back into our families, we will blog more about the event yesterday, our observations, what we ourselves learnt and hopefully our future plans. The challenges and answers will (for the majority of cases) not be made public.

If you'd like us to run a similar event at your university or company, get in touch (hackeire AT gmail DOT com) and we'll see if we can work something out.

Finally we should thank the open-source projects that we used in HackEire - two who I have to mention is cacti and Security Onion, for the view into the network that they provided.

I really hope that I haven't missed anyone in my thanks, so if I have 'thank you, merci, gracias etc'!!!

HackEire

P.S. I've a great boss, who has indulged my HackEire project - he deserves lots of kudos :)

Tomorrow - HackEire 2011

2011-11-22T21:05:00.001Z

OK, so finally HackEire 2011 is almost there :) Thankfully!! Personally I'm knackered but with a mixture of nerves and excitement!!

Anyway, tomorrow, remember to be patient tomorrow and work as a team :)

See ya tomorrow (CTF begins @ 09:30 Berkley Court Hotel, Ballsbridge, Dublin 4).

--
HackEire

P.S. Be on the lookout for red herrings, not everything is as it seems and then on the other hand, sometimes there's more to things than meets the eyes :)

P.P.S. Be quiet!

HackEire 2011 - A Clue!

2011-11-20T11:55:00.001Z

Folks,

One thing that you'll notice on Wednesday (especially if you've played in either 2010 and 2011), is that the Bhratach has grown significantly over the past 12 months.

Fortunately for Bhratach, their CEO is a great salesman and like they say, "he can talk a fair amount of crap", such that they've bucked the recession trend and are exporting a huge amount of flags :)

As a result, it'd be a good idea to check out this link and be familiar with how to use nmap. We don't want you spending the first few hours learning what switch to use.

--

HackEire

HackEire 2011 - Almost There!

2011-11-19T01:42:00.001Z

Folks,

A few last minute pointers and instructions -

HackEire 2011 will begin @ 09:30 on Wednesday, 23rd November, 2011, in the D4 Berkeley Court Hotel.

The contest will end at 16:55 with a presentation at 17:00.

You can being setting up any time from 08:45.

The second HackEire pre-challenge will be released on Tuesday, 22nd November, to the 'Team Leads'. I do not want to find this on Google, this has been created for HackEire by the HackEire team.

There are people who have inspired us through their sites or books in creating challenges whilst there are also people who have helped us with HackEire 2011, some of whom have been thanked and credited already whilst the others will be credited afterwards so as not to give away any unnecessary hints.

The usual rules apply -

No DOS-type attacks of the HackEire infrastructure.
You may think of yourselves as hackers but remember, there's etiquette and we don't like cheating!!
No hacking of other contestants or HackEire syadmins' personal systems.
Have fun!

As a bit of advice -

split the challenges up between the time and communicate to each other, so many people don't do this.
Set up an internal IRC or IM system, take a break every hour or so and update each other quickly.
Please remember that this network has been set up by volunteers for you in their spare time, so show some appreciation to the HackEire team :)
We intend on having a wifi network this year and we hope that it will extend into the main conference room so in the event that there's a talk you'd love to see, you should be able to combine the both.

Prizes (the interesting part) -

The winners will get the excellent Wireless BT Pen Testing book by @securitytube and all we ask of the winners is to post a review on Amazon.
We're working on a booby prize so we'll see on the day.

Hopefully we haven't missed anything but any questions or issues, as usual please let us know via email.

Thanks & see you all next Wednesday :)

HackEire

P.S. If you could bring some RJ45 standard ethernet cables with you, it'd be greatly appreciated!

HackEire 2011 Winning Prize

2011-10-25T09:31:00.000+01:00

So I've put the order into Amazon for some books for the winning team this year. I realise it's not an iPad but hey, a prize for winning a "FREE TO ENTER" CTF ain't too shabby, is it?

I'm pretty happy with my choice so hopefully the winning team will enjoy it also :)

Otherwise, I trust everyone is enjoying the reverse-engineering challenge!! Remember we're here if you need us.

--
HackEire

Useful Links for Reverse-Engineering The First Challenge

2011-10-22T16:12:00.002+01:00

To help folk a little bit more :) I've included some links to tools and tutorials -

Ollydbg -> Tool & Tutorials from SecurityTube

IDA -> About & Tutorials

A Symantec paper on anti-debug tricks (kudos to @bobmcardle for the link)

--
HackEire

Clue for HackEire Challenge 1

2011-10-21T11:17:00.002+01:00

Morning,

Some folks have been asking for hints on the first reverse-engineering challenge so here's a short blog post that will hopefully help :)

First of all, however, this challenge is intended to stretch you, test you and make you work as a team whilst learning new skills.

The first challenge is a classical puzzle with three riddles that the contestant needs to get right, however, the riddles are not the actual reversing challenge.

The puzzle will not work unless three conditions are met and this is the key to getting it right.

Each contestant needs to reverse the binary to find what those conditions are.

As a clue for the first conditions are simple: the filename of the program needs to match an API needed for the program to decrypt properly.

You need to reverse the function to find out about the API.

Recommended Tools
-----------------

Olly-based debugger (OllyDbg itself, Inmunity etc.) or IDA (in its free or paid versions)

--
HackEire

P.S. To reassure you, this is one of the harder, if not the hardest, challenge due to the length of time that you have to solve it (almost two months) and the fact that most people aren't reversing specialist!!

You will definitely be able to solve quite a few of the challenges on the day. We will also be on hand during the day to provide some pointers (not too many now, but general nudges).

Additionally, the second pre-challenge is a lot easier and will involve skills that are more familiar to you.

HackEire2011 Challenge1 Published

2011-09-30T00:36:00.002+01:00

Evening,

Just a quick note to say that the first challenge for HackEire 2011 has been released :)

My previous blog covered the first challenge pretty well but if you've any questions, feel free to ping us.

Thanks again to @bobmcardle and @dsancho66!!

--
HackEire

HackEire 2011 - Challenge 1

2011-09-27T22:50:00.004+01:00

Evening,

It's hard to believe that it's almost time for the big day and HackEire 2011 is almost upon us :) We've put in a lot of effort to raise a game for this year so I'd advise anyone competing to raise theirs too because we've some cracking challenges for 2011, especially this first one, courtesy of @bobmcardle and @dsancho66 :)

Challenge 1 Instructions

On 30/09/2011, those folk who have entered HackEire 2011, will be sent a binary file that they will have to reverse-engineer to retrieve a password. The binary will be provided in a password-protected zip file with the password being the name of the CTF event (all lower case). From this point, you'll be on your own :)

We will use the email address that you provided when you signed up, if you do NOT want the file going to this address, please let us know via email.

This challenge is designed to take some time so please don't be dis-illiusioned and trust me, it will be fun.The analysis required is pretty linear and the final bit of text that is obtained when the binary is reversed is need for a further challenge so don't lose it!!!

We may or may not provide hints via the blog based upon feedback from competitors on their progress.

If you would like to confirm the answer that you have correct, feel free to drop us an email with your answer.

Stuck for a Team???????

As I've said before, if you're interested in trying HackEire 2011 but have no buddies to join you, then please email us confirming your interest and that you'd be willing on teaming up. Of course, if you want, you can compete as an individual!!

Timeline

The time-line of the event has been modified slightly as the first pre-event challenge has been created and published ahead of schedule, whilst the start time of the event has been moved forward:

Date	Time	Description
30/09/2011	-	First Pre-event Challenge Released
Late October	-	Second Pre-event Challenge Released
Early November	-	Each team receives final instructions
23/11/2011	09:00	Access for competitors to set-up
23/11/2011	09:20	HackEire Introduction & Final Words
23/11/2011	09:30	CTF begins
23/11/2011	Throughout the day	HackEire team on-hand for support, tech issues
23/11/2011	17:00	HackEire is finished for another year
23/11/2011	17:05	Declaration of Winners & Presentation
23/11/2011	ASAP after 17:05	Retire to a local establishment

Finally, if you have any questions about HackEire, you know by now where to find us :)

--
HackEire

HackEire 2011 - Guidelines

2011-07-20T23:19:00.001+01:00

Evening,

There are roughly four months to go until HackEire 2011 :) Quite a few devious folk have been asking "interesting" questions so here's a big of a lowdown -

If you're interested in trying HackEire 2011 but have no buddies to join you, then please email us confirming your interest and that you'd be willing on teaming up. Of course, if you want, you can compete as an individual!!

Regarding tools, I think after two years, most folk should know what tools to bring. If you're not sure, see here for some ideas for last year - http://hackeire.blogspot.com/2010/10/in-preparation-for-hackeire-2010.html.

Similar to last year (2010), the initial part of "HackEire 2011" will be posted in late October and will involve packet analysis, so get cracking with your packet ninja tools!!

The event is scheduled for Wednesday, November 23rd, 2011. It will start at 10:00 and finish at 17:00.

The event is open to both individual and teams (up to a max of 4).

Internet Access is allowed but not provided (i.e. use your 3G connection or buy a voucher on-site).

All competitors must enter as outlined here. There will be pre-event challenges released as per last year. More detailed instructions will be provided closer to the time.

Last year there was a pretty funky social-engineering scam performed by the winners "Team Bitbucket". As you know, in HackEire, social engineering of the HackEire team, the kit and the other competitors is allowed. All competitors are again allowed to "social engineer" prior and during the event, as long as it not a malicious, destructive attack. Definition of this is made by the HackEire team and their answer is final so if you're in doubt and thinking that your "social engineering" might be a little over-board then ASK, otherwise you risk being thrown out. Anything ILLEGAL is obviously NOT allowed!!

WE WANT TO SEE SOME NEW FACES, LOTS OF NEW FACES ACTUALLY SO PLEASE COME ALONG, GIVE IT A SHOT AND LEARN. We don't bite and will happily answer all questions to help (hopefully) put you at ease!!

The time-line of the event is as follows:

Rules & Timelines

Date	Time	Description
Late October	-	Pre-event Challenges Released
Early November	-	Each team receives final instructions
23/11/2011	09:00	Access for competitors to set-up
23/11/2011	09:30	HackEire Introduction & Final Words
23/11/2011	10:00	CTF begins
23/11/2011	Throughout the day	HackEire team on-hand for support, tech issues
23/11/2011	17:00	HackEire is finished for another year
23/11/2011	17:05	Declaration of Winners & Presentation
23/11/2011	ASAP after 17:05	Retire to a local establishment

Finally, if you have any questions about HackEire, you know by now where to find us :)

--
HackEire

P.S. It'd be nice to see "Team Bitbucket" sweating a little this year ;-)

HackEire 2011

2011-06-27T10:43:00.001+01:00

Details for HackEire 2011 can be found here.

Further details will be posted on the blog over the next few months and we hope to have a test challenge up by the end of August.

The format will follow previous years with instructions posted on this blog.

The event will be free, although all donations are welcome , as usual :)

See you on November 23rd!!

hackeire

Some Observations from HackEire 2010 CTF

2010-12-17T20:47:00.003Z

Organising

It will most likely not be ‘news’ to most people reading this blog (and hopefully it was blindingly obvious to those at HackEire 2010) that the motley crew of volunteers, who came together to create HackEire in 2009 and resurrect it in 2010, put in a phenomenal amount of work in creating a live, workable CTF.

From a ‘man-hours’ perspective, weeks of time was put into building the servers and their respective services/applications in such a way as to ensure that there were exploits (on the systems). They were configured so that they were not (all) easily detected nor easily discoverable. These systems were all begged, borrowed and not necessarily stolen, so if someone wants to sponsor us to purchase extra kit, please do (send an email to info AT iriss DOT ie or contact @hackeire via Twitter).

We did thoroughly test the systems over several late nights in a friendly datacentre, however, despite this great work, three power failures at the conference venue between 08:30 and 09:00 on the morning of HackEire sent what was a smoothly running CTF network into a downward spiral as the HackEire cloud turned black with missing routes and dirty sectors, which were finally solved after 60 minutes of fsck.

Afterwards the contest ran pretty smoothly and the atmosphere was excellent. As mentioned earlier, the feedback was great. However we do realise that there are one or two things we could do better, both before the event and on the day, but let’s remember folk, this event is both free and run by volunteers who give up weeks of their time to make this event happen and type nonsensical blogs like this!!

The Event

Due to the delay caused by the power failures, the event ran from 10:30 until 17:00.

The contest contained a network with multiple servers with different applications, some with vulnerabilities whilst others were highly tightened and patched and others containing what we like to call ‘red-herrings’ :)

Yet again, running automated tools would not have enabled you to win the contest (the winning score with only 68% of the questions completed and the second team achieved 67%). You needed a knowledge and understanding of all layers with application vulnerabilities (e.g. SQL Injection), password synchronisation, files with poor permissions, samba knowledge, ldap extraction mis-configurations and service fingerprinting as opposed to blindly running a scan.

Additionally, if life permits, we might publish some solutions (not necessarily the only solution) to the various challenges on the day but be warned life doesn’t always permit!

Competitors

A few observations on the competitors -

Some obviously had too much to drink the night before but sure, that’s happened to us all ;-) Funnily enough, this particular team came into their own late in the day (thanks to the Club Mate, I think).
Out of the eight teams, only one were in any way organised and watching these guys in action is quite impressive (we need someone to challenge them next year through this year they only won by 1%).
In general, the teams arrived with little communication strategy or thoughts around planning -
multiple members of a team doing the same task,
members struggling and repeating the same exploit techniques without either trying another challenge, taking a break or asking for help,
teams not communicating at all, very few teams took a ‘time-out’ to share observations or get a fresh opinion,
assessing the strengths and weaknesses properly of each team member and dividing the tasks accordingly, and
failing to take 5-10 minutes at the start to actually analyse the challenges and questions whereby the team could develop a strategy with an ‘A’ or ‘B’ plan
the scanning/probes/attacks would not be considered stealthy so next year when we hope to evolve the defences from static application defences and load-balancing to something more dynamic and intelligent.

You may be reading this and thinking “so what, it’s only a fun CTF” and I agree, it is only a bit of fun, however, sadly on a far-too frequent basis over the years I have seen people make those same mistakes on production environments:

whether it be a pen-testing consultation;
a major production-impacting incident with systems down and people running around like headless-chickens;
code pushed through a new application to deliver new, funky functionality; or
a security incident (be it an intrusion, IDS alert or malware traversing through the internal network) where no one knows where or what there incident response plan is.

One other thing, this contest allowed 'social engineering' and one of the teams (who shall remain nameless) spoofed an email from info@iriss.ie, whereby they set all other competitors a packet capture challenge the night before HackEire 2010 began, thus delaying a few of the teams and preventing them from focussing on the 'real' challenges. The lesson is to check your email headers when an unexpected email arrives ;-)

To conclude, this showed that the most successful teams aren’t necessarily those who are most skilled (though in this event, that was the case IMHO) but those who plan and communicate the best (which our winning team demonstrated this year yet again).

Next Year

We thoroughly enjoyed designing, building and running HackEire 2010 so it’ll be no surprise (and hopefully good news) that we aim to be back in 2011 with a bigger, improved version :). The amazing feedback that we received throughout the day and subsequently has only made us more determined to return with some new ideas. So stay tuned to this blog and also to @hackeire on Twitter (we suspect that it’ll be a similar date in November).

There are many noted improvements that we are going to try and improve such as providing easier access, more challenges, taking the atmosphere up a another notch (in a friendly way of course), a more interactive, dynamic monitoring system and facilitating learning in an even more conducive environment. But we don’t want to create a “stick” for you all to beat us with if we fail to deliver 100% so let’s just say “you’d better turn up because it’s going to rock” ;-) These may be steep challenges but we like to aim high, regardless of funding :)

Future Steps

We have 0.5 GB file of a 3 hour period during the contest so hopefully in the new year, we will have some to analyse it and publish our results on the blog.

--
Sláinte agus Nollaig Shona Daoibh

The HackEire Team

P.S. Thanks to Integrity Solutions for the sponsorship :)

HackEire 2010 - Summary

2010-11-21T23:20:00.062Z

So, as part of IrissCon 2010, the HackEire cyber-security challenge was held in the Berkley Court hotel, in Dublin, on Thursday, November 18th. Despite the various power cuts (love performing 'fsck' with over 100 people watching), the event was a great success and we were delighted to receive some phenomenal feedback.

"Thank you for yesterday, it was great!!! I really enjoyed it and we would like to participate next year again! I also have to say that you have done an excellent job and the effort that you putin is amazing."


"I learned so much and had my eyes open."


"...you did an excellent job and I think every one of the competitors had a very good time there. I definitely enjoyed myself and would very much like to attend next year."

This year's event had greatly expanded on last year's and was intentionally a much more true reflection of a real network. Additionally, it was not solely focused on the offensive element of security, but there were also quite a few defensive analytical challenges

Packet Analysis
Binary Analysis/Basic Reverse Engineering
Network Forensics

along with a fun, trivia round of questions of 'hackers in the media'. The event was won again by 'Team Bitbucket' so well done guys (you showed some superb skills), although it was much closer than last year (67% versus 66%) with '5CHF' finishing agonisingly close in second place. These two teams finished a good bit in front of the other teams though all teams did very well, learned a lot on the day and all vowed to return :) The guys from 'Team Bitbucket' said the following -

"After enjoying HackEire 2009, our team returned for another challenge. The event was professionally run by a friendly team and the challenges were engaging, occasionally frustrating but always enjoyable. IRISScon's atmosphere lended itself to the proceedings, with a great range of people from varied backgrounds being able to interact in a relaxed setting."


Thanks guys:) Furthermore received a lot of questions throughout the day regarding making the following available publically -
Question Sheet
Answers or Detailed Solutions
VM Images
Packet Captures
and the answer is that some elements will be made available over the following months so stay tuned to the blog or the @HackEire twitter feed.


Some pictures of the event can be found in @paperghosts Flickr feed and Matt Summers' blog of the event can be found here. Inside the next two or three weeks, we plan on releasing a video of the event.
 

Finally, I'd like to thank everyone for coming and if you've any feedback regarding this year's event, please get in touch!! We're already thinking about next year event and have some (what we think are) excellent ideas so spread the word and come back for HackEire 2011.

--
The HackEire Team

P.S. We'd like to congratulate ourselves a little on such an excellent exercise as we've been working on if for a few months (very much in our own time).