CTF; say what?
To stay on top of hacking, as a consultant, you have to constantly keep an eye out for new security developments, train yourself in their usage and find creative ways to combine them with the rest of your skillset. So what better way to do all of this than by turning it into a competition?
CTF games – short for Capture The Flag – are competitions where (teams of) hackers have to solve security-related challenges to earn points and prove that they are the best of the best. The name derives from the traditional children’s game where one team has to steal another team’s flag and bring it to their own base, while preventing the other team from doing the same (by hiding the flag or taking out the other team’s players). In a hacker’s CTF, flags are little bits of information or functionality that are guarded or hidden in some way by a security solution – for instance, it could be a hardcoded password in a piece of software, the contents of an encrypted message, or a specific row from a database – and it is up to the competing hackers to gain access to these flags in order to score points. This may involve hacking a website, analyzing network traffic, taking advantage of certain cryptographic weaknesses or just plain old thinking outside of the box.
Depending on the type of CTF, teams may be given access to a central location that hosts all of the challenges (attack-only/jeopardy style), or they may be given access to their own personal machine in a specialized CTF network, which runs a local version of all challenges and which they will have to defend from being attacked while attacking the challenges on other teams’ machines (attack & defense). Both types present a unique set of challenges for both the organizing and participating parties and can be a breeding ground for new insights and experiences.
Because CTF organizers want their games to be both challenging and interesting, they are often packed with innovative ideas and tricks that cover a broad area of the security spectrum.
Want to witness a CTF in real life? During the May 2014 Hack In The Box conference in Amsterdam, the exhibition area will be free and open to the public, to showcase the top of the hacking community in action. This ‘Haxpo’ (hacker expo) will also feature a developer hackathon, lock picking village and IT security exhibition and will take place at the Beurs van Berlage from 28-30 May 2014. For more info, keep an eye on my Twitter.