The worm that mushroomed
On November 2nd, 1988, a worm released by the Massachusetts Institute Of Technology (MIT) to probe and find vulnerabilities in the systems of that time, went berserk because of an error in the code. What followed was a cyber apocalypse that left around 6000 UNIX machines connected to the NSFNet (National Science Foundation Network) infected with multiple copies of the virus, estimated costs of the damage ran over $100,000, and internet was left partitioned for several days as the regional networks disconnected from the NSFNet to prevent the spread of, and to clean the infection. Robert Tappan Morris, a graduate student at Cornell university, who later went on to become a tenured professor at MIT and wrote the code, was sentenced to three years of probation, 400 hours of community service, and a fine of $13,326.
The worm, named 'Morris worm', was designed to exploit the vulnerabilities present in the system and the dangers of using weak passwords. Before infecting the system, the worm checked if it had already infected it. To prevent instances where the system administrators countered it by sending a ‘False positive’ report to present infection, Morris thought of infecting the system 14% of the time regardless of the status of infection on the device. This subsequently led to the worm getting copied on a device multiple times, rendering the device unusable.
This incident would set the stage for present-day DoS attacks.
Why care about cybersecurity?
With systems becoming increasingly dependent and inextricably linked to the internet, concerns about privacy and security of these systems have increased. Let us look into some common cyber-attacks that are prevalent in the present times.
Cyber attacks can be broadly bifurcated into two categories, one that occurs on web applications, the other which compromises a computer connected to a network.
Web based cyber attacks: As the name suggests, they occur on websites or on web applications. A panoply of attacks fall under this classification. Under injection attacks, a person can inject a code into a web application, which either alters the way in which it functions, or fetches sensitive data. There can be SQL injections, code injections, log injections and XML injections under this category. Under phishing, an attacker masquerades as a credible entity, and obtains sensitive and confidential information. Under DoS (Denial of service) attacks, an attacker floods a target with requests, thus crashing the server. This makes web resources on the server inaccessible to the users. Under 'Man in the middle attacks', a person intercepts the connection between a client and a server, and is thus able to read, delete or modify the information being sent over the intercepted network.
System based attacks : Under this category, the attacks compromise a device connected to a network. Viruses are pieces of code that can self-replicate on uninfected computers, while executing instructions that harm a device. Worms are similar, and are primarily meant to replicate themselves on uninfected devices connected to a network.
As the case of Morris worm indicated, cyber-attacks and cyber crimes can cause massive damage. In fact, estimated losses because of cyber crimes in 2021 amount to 6 trillion USD, an amount that would rank third after the US and China, if it were a nation’s economy. Cybersecurity Ventures estimates that the losses caused by cybercrimes would reach 10.5 trillion USD by 2025. Cybercrime losses are expected to cost more than the losses incurred during natural disasters. These figures are based on historical trends indicating annual growth of cybercrime figures, which includes attacks sponsored by hostile states as well as malicious organisations.
Cyber attacks can lead to loss and deletion of sensitive data, including personal data of several users. Using ransomwares and denial of service attacks, criminals can hold institutions such as hospitals, industries and businesses hostage. Cyber embezzlement and frauds are becoming increasingly common each day contributing to further losses. Cyber attacks can jeopardise a business, by leading to an increase in system downtime, thus reducing productivity. This also means additional costs for the restoration of systems, as well as the reputation of the organisation.
With organised cybercrime rearing its head, it is becoming increasingly difficult to prosecute the offenders. In fact, in the US, the likelihood of prosecution of the saboteurs is less than 0.05%, according to the World Economic Forum’s 2020 global risk report.
Ransomwares are malicious pieces of code that restrict a user’s access to crucial resources on their system, often threatening the deletion of aforesaid resources, unless a ransom is paid. Estimates point to an exponential increase in ransomware casualties over the years. For instance, while the losses attributed to ransomware were $325 million in 2015, they rose over to $11.5 billion by 2019, and are expected to overshoot $20 billion in 2021. Just a few months back, ransomware attacks claimed their first life. In an ostensible ransomware attack on a hospital in Dusseldorf, a woman who needed immediate attention couldn’t be admitted because of the failure of IT systems, and had to be rerouted to another hospital.
According to another estimate by Cybersecurity ventures, the world would store astronomical quantities of data (around 200 zettabytes) by 2025. This data would be stored on public and private IT infrastructures, public and private cloud services, IOT devices, and several user devices across the world. While it presents immense opportunity of transforming and influencing every profession, it also holds within an increased susceptibility to sabotage and cyber attacks.
This explains the dire need for businesses, as well as institutions such as healthcare, banking, airports, and governments to beef up their cyber defences.
Cybersecurity competitions, what are they?
Capture the flag(CTF) is a traditional outdoor sport involving two teams, with delineated territories and flags, where the objective of the game is for players to obtain the flag of the contending team and bring it to their territory. Well, your usual cybersecurity competitions are similar, just the flag in this case is a snippet of code, a software, or a piece of hardware, the contending team mustn’t have access to. The team is supposed to employ their expertise in cybersecurity concepts, and gain access to the flag. CTF competitions are organised in the following three formats:
Attack-defence: In this format, teams are supposed to defend their ‘flag’ against the contending team, finding and fixing vulnerabilities within a stipulated time before the contending team strikes. The contending team tries to find the same vulnerabilities, but for attacking the ‘flag’ in this case.
Jeopardy: The Jeopardy style requires the team to complete a sequence of tasks in a specified order. For completing a task, the teams are provided with questions which reveal clues that help them in solving the tasks at hand. The tougher the task that you solve, the higher are the points you get. It includes tasks typically involving the following four categories, Binary exploitation, Reverse engineering, Web exploitation and Cryptography. More on that soon.
Mixed: As the name suggests, Mixed style competitions involve both attack-defence and jeopardy formats. It can have an attack-defence competition having a couple of jeopardy tasks as bonus, or the other way around.
Participating in CTFs often requires you to have a certain skill set, as is the case for all competitions. You have to know stuff like Cryptography, Binary Exploitation, Steganography, Reverse Engineering, and Web exploitation. While the names might sound highfalutin and daunting, all one needs is a little programming experience, and interest in problem solving to get started. picoCTF is a CTF competition aimed at middle and high school students. They have a primer which helps you get started with the concepts. The rest is simply a matter of practice. The more problems you solve, the more you grow in your experience. Let’s now probe a little more deeply into the problem categories:
Cryptography: Cryptography is the process of ‘encoding’ a stream of information into an ‘apparently’ meaningless stream of information, which can be ‘decoded’ to obtain the required information, provided the key is known. Encryption is what makes our banking transactions and online communications secure.
In a cryptography problem, you might be provided with a stream of apparently meaningless text, say something like,
You might be provided with some hint within the problem, if you are attempting a beginner level CTF. For instance, you might be provided with the information that the above string is hex coded, and encrypted with a key using a XOR cipher (Which means every byte in the above hex string was obtained by performing the XOR operation over a byte from a string of the original message and the key). You would be required to find the flag, which in this case would be the text that was encrypted to obtain the above text.
Steganography: Steganography, like Cryptography, is a technique of hiding information. But instead of encoding the information directly, it is hidden within an apparently innocuous file. For instance, a piece of text might be hidden within other files such as images or videos. In addition, one might encrypt the bit of text as well.
Binary exploitation: Binaries are machine codes that can run on a system. Under this category, you are provided with Linux ELF files (Executable and Linkable format, which is a standard format for executable files, object codes, linkable files and core dumps) or windows executable files. One is required to find the vulnerabilities and bugs within a program and modify its contents. One can send in a certain ‘input’ to the program, which makes it behave in a way other than it was originally intended to. Such inputs are called ‘payloads’
Reverse engineering: Reverse engineering, as we know it, is a process of deconstructing machines and circuits to obtain information about how the system was designed and perhaps, functions. In the context of CTFs, Reverse engineering problems require one to do something very similar. A compiled program, which is understandable by the computer is called a machine code. Of course, a human being can’t glean out much from the machine code itself. The idea is to decompile the machine code to obtain a more human-comprehensible format, whereupon a human being can probe deeper into the vulnerabilities in the program.
Web exploitation: Web exploitation requires the participants to figure out vulnerabilities and bugs in websites. The basic architecture of any web resource involves a client (for instance a browser) that requests for the resource from a server (where the resources are stored). Websites are often integrated with relational databases, which makes it easier to store and modify the data displayed over it. Oftentimes, such an architecture, if lacking in proper safeguards, ends up being susceptible to attacks such as SQL injection, which involves adding additional ‘payloads’ to a SQL query thus making the database return information that wasn’t intended to be returned. Other common vulnerabilities are command injection, directory traversal, cross site request forgery, cross site scripting, and server side request forgery. Participants try to discover and exploit these vulnerabilities.
The big names
Let's look into some of the popular CTFs conducted around the world.
DEF CON: DEF CON is one of the world's largest hacker conventions, held annually in Las Vegas, Nevada. The attendees include students, cyber security professionals, hackers, and federal government employees. The event includes talks about cybersecurity, and several cybersecurity challenges and competitions, of which CTFs are quite popular. The qualifier round for the CTFs involves a jeopardy style competition. The qualifiers make their way to the finals to compete in an attack-defence format competition.
Global Cyberlympics: It is a global ethical hacking competition, where teams from around the world take part in a 12 hour long elimination round. Two teams from each continent qualify for the finals. The challenge involves categories like digital forensics and network exploitation.
CSAW CTF: CSAW is the most comprehensive student-run cybersecurity event boasting of being hosted across 6 global regions, and over 6000 annual competitors. The event receives participants from USA-Canada, Israel, India, Middle East and North Africa (MENA), Mexico and Europe. The event includes several workshops, talks, and cybersecurity competitions, of which CSAW-CTF is quite popular.
iCTF: The international Capture the Flag competition is organised by UC Santa Barbara. It is a traditional attack-defence style CTF competition. It is the world’s largest and longest-running educational hacking competition. The competing teams are provided with identical copies of a virtual host containing some services. The teams use their knowledge of cybersecurity concepts to find the vulnerabilities within their systems, and fix it. At the same time, they can attempt to compromise other teams’ systems with the knowledge of the vulnerability they uncovered. The aim is to maintain the services on the virtual host for the entire duration of the event.
Panoply: Panoply is quite similar in format to the iCTF, where contending teams defend the available resources from each other. The main difference is that the resources aren’t made available to all the teams, rather they have to compete for their control. It’s a timed event, in which teams have common resources made available to scan, assess, and penetrate. Once a team captures a service, they can plant their ‘flag’ which is used by a scanner to grant them the ownership of the service. Following it, they have to secure the resources, or else have the ownership taken away by rival teams. As long as a team maintains ownership of a service, while defending it against attacks by contending teams, they continue to gain points. More resources are made available during the competition for teams to penetrate and take control of. The team with the highest score wins the event.
CTFs are pretty popular in India too. Several cybersecurity enthusiasts, beginners and professionals alike, participate in these competitions to assess their skills. CTFs provide them with a safe and legal environment to test and improve their skill set. For several participants, CTFs can open a panoply of career opportunities, if they are recognised. Amrita University organises CTFs for university and high school students (InCTF and InCTF junior respectively). It is one of the oldest and prestigious CTFs organised in India. Nullcon’s HackIM and EMC defender’s league are a few other popular CTFs organised in India.
Several institutes are involved in serious research in this field. The Interdisciplinary centre for cybersecurity and cyber defence of critical infrastructures, abbreviated as C3I, at IIT Kanpur, was the first research centre set-up in India for education, research and training in developing safeguards for critical infrastructures. The centre is building India’s first cybersecurity test bed for critical infrastructure, along the lines of Idaho national labs, Sandia national labs, and NIST in the US. Having partnerships with institutes in Israel and the US, the centre indulges in exchange of technology and research collaborations, as well as organises workshops, conferences and cyber security competitions to spread awareness about cyber threats, and to develop interest among students in the field.
The origin of this team, and the inception of the culture of CTFs at IIT Indore began with a guy in the 2013 batch, Sudhakar. He was immensely interested in CTFs, but since there wasn’t any established 'cybersecurity wing' within the Programming club, he used to participate in the events with his friends from other colleges. He formed this team and a division within the programming club devoted to cybersecurity. Kunal and Bhor, from the 2015 batch were the earliest members of the team, apart from Sudhakar. Presently, the team consists of four members, Vishnu, Mrigank, Vaibhav and Sarthak. Currently, a large section of the members of the Programming club are interested in competitive programming, and cybersecurity and CTFs remain interests followed by a small esoteric group. The lukewarm interest in CTFs, the members believe, is because the students haven’t yet tried their hand at CTFs. According to them, CTFs might appear more daunting to several people, because of a comparatively more vague roadmap than CP, and a tonne of concepts to master. They believe the best way to approach CTF is to try one’s hand at the problems, and learn stuff along the way. The ByteBandits organise several workshops, and conduct their own CTF (ByteBandits CTF) for teaching cybersecurity concepts, and have an active discord server available for dispelling doubts. The team has participated in several CTFs, and achieved the feat of securing the first position in CSAW CTF among all Indian teams for two consecutive years, and the 8th position in CSAW CTF 2020.
Looking ahead: A career in cybersecurity
With an ever-increasing dependence of devices and systems on the internet, especially with the advent of IOT, cybersecurity has become, and would continue to be, pertinent in the decades to come. An increase in the ‘surface web’ (The portion of the world wide web accessible to the general public) means an increase in susceptibility to cybercrimes. NASSCOM predicted an increase in the demand for cybersecurity professionals, but reported that India lacked sufficiently skilled cybersecurity professionals to meet the demand. Clearly, professionals experienced in cybersecurity are going to remain relevant, and possibly, increase in importance. Here are some of the highest paying jobs one might secure in the field.
Network security engineer: Being responsible for overlooking the security of the systems present within any institution, a network security engineer’s position is crucial in an organisation. He tracks down the vulnerabilities, and ensures that they are resolved. They oversee the maintenance of firewalls, routers, switches, network monitoring tools, and VPNs.
Cyber security analyst: A cyber security analysis is concerned with planning and implementation of security measures for an organisation. They do periodic internal and external vulnerability testing, risk assessment, and security fortifications. They also train the employees and inform them about secure practices while using the internet to avoid security breach.
Security architect: They work with the programming team while designing the network and computer security architecture for an organisation. They are involved with planning, researching and designing security elements. They also delineate the company policies that guide the internet usage, and the punitive action to be taken against employees for infringements.
Chief information security officer (CISO): The CISO has come to be an ubiquitous position in the management team of around 80% of organisations, according to an estimate by PWC. They are responsible for seeing the planning and implementation of the cyber security plan, and ensuring that it is in accordance with the technologies used by the business’ visions and operations. They work with a dedicated staff to deploy security processes for an organisation, and ensure that there is either none or limited downtime in the event of a security breach and sabotage.
Thus cybersecurity is going to remain a fecund field, and can be a good career option for students interested in problem solving. CTF competitions are an excellent way to learn cybersecurity concepts and polish learned skills.