Security Contest Modelled On Mirai Botnet Attack

The first face-to-face round of this year’s Cyber Security Challenge UK highlights the risk of insecure IoT connected devices

Thirty promising computer security amateurs have completed the first face-to-face semi-final round of this year’s Cyber Security Challenge UK competition, carrying out a simulated attack modelled after a real-world incident last autumn that took several major websites offline.

The round, which took place in Bristol at the Cyber Academy premises of hosts Protection Group International (PGI), was based on a denial-of-service attack on DNS provider Dyn in October of last year that made major websites including Amazon, Twitter, GitHub, Spotify and Reddit temporarily unavailable.

IoT threat

The attack was carried out in part using traffic generated by a botnet called Mirai that infects “Internet of Things” connected devices such as routers, set-top boxes and web cameras.

Contestants attempted to find vulnerabilities in Internet-connected GPS tracking devices built into the vehicles manufactured by a fictional luxury car company and use those as a point of entry to gain access to the company’s network.

They made use of some of the same weaknesses exploited by Mirai, such as the devices’ use of factory-set default credentials.

The competition included a real-world element, with successful candidates able to manipulate the car company’s internal networks in order to gate-crash a fictional car launch event. The winners were given a test-drive of a new Audi SUV.

Other skills assessed included network analysis, digital forensics and brute force attacks.

The contest, launched in 2010, is part of a Cabinet Office-backed effort to raise awareness of the looming skills gap in the IT security industry – which increasingly requires staff who are able to think like attackers, while staying on the right side of the law.

To that end, candidates were asked at every stage to justify their actions against ethical guidelines.

Young contestants

The winning team included a 17-year-old, with five of the 30 contestants aged under 18. A total of 10 are set to go through to the Masterclass in November.

More than half of the contestants taking part in the face-to-face and masterclass competitions have been hired into computer security positions over the past seven years, underscoring both the effectiveness of the competition and the acuteness of the skills shortage, which is expected to continue to deepen.

The event’s sponsors include government bodies such as the Cabinet Office, the National Cyber Security Centre, GCHQ and the Bank of England as well as such private-sector groups as PwC, Qinetiq, Barclays, Airbus and public-sector cloud provider UKCloud.

Last year an 18-year-old came first in the year-long series of contests as the challenge’s youngest-ever winner.

Ben Jackson, from Sussex, was crowned following a three-day competition involving 42 contestants aged 16 to 56 in a simulated attack on a fictional power company.
