Click.
The door closes behind you. The light flickers. A timer indicates that you have
exactly one hour left to find a way out. You look around you. You are in a
fully furnished room, or perhaps in a laboratory. The atmosphere is mysterious.
You’ll have to find a solution to get out of here. Welcome to the escape room.

Have you ever been locked up for fun? There are more than a thousand escape rooms in
the Netherlands (and about 1500 in the UK, three thousand in the US and over fifty
thousand worldwide). You usually go there with a self-composed group of people
and try to find the exit within the allotted time. To do this you have to solve
all kinds of puzzles; every solution takes you one step further. For example,
you have to figure out the code of a combination lock, after which you can open
a chest that contains the next clue. Or you have to find a hidden message,
perhaps by wetting a painting. Escape rooms contain all kinds of challenges in
different levels of difficulty.

Security technicians also like to solve puzzles and their game is called capture the
flag. Not real flags of course, but text strings that are hidden in a computer
program or on a website. The players' task is to capture as many flags as
possible. The game can be played in roughly two ways: in one variant, teams
play against each other, in the other against the organizer. Each flag earns
you points and the person who has the most points at the end of the day wins.

Just like with the escape room, a CTF comprises multiple puzzles. In one you may have
to analyze a program to understand what it does (reverse engineering), in
another you may have to consult information on public sources (open source
intelligence, OSINT) and in yet another you may have to perform forensic
research. Another similarity with escape rooms is that the whole thing is wrapped
up in a story. If you enjoyed word problems at school, then you are already on
the right track to participate in a CTF.

A few of my teammates organized a CTF for colleagues earlier this week. I would have
liked to take a look, but since covid it is not done to appear in the office coughing
and sneezing and that is why I unfortunately cannot give you a first-hand
account. We are certainly not the only organization that does CTFs for their
personnel. But why exactly, I asked the organizers. Participating in a CTF
increases the knowledge and skills of the participants; this could be anyone
who deals with security and wants to learn more about it – also highly
recommended for developers! In the CTF you see all kinds of ways in which something
can go wrong. If you later encounter a similar situation in your work,
hopefully it will ring a bell: hey, this is dangerous, it makes us vulnerable,
this has to change! CTFs are usually played in small teams, which adds some
team building for free. Commercial companies also organize CTFs for outsiders.
This provides publicity and talent scouting opportunities.

There are websites where you can do finger exercises in this area. The PortSwigger
site provides fairly accessible explanations for all topics. And there’s HackShield for
children aged 8-12, in different languages. For
the record: there’s no intention to breed small criminals, it’s about making
everyone cyber aware. Escape rooms can also be played at home: you can buy them
in a box at the toy store. There will of course be far fewer tangible
surprises, but it is still surprisingly fun. [DUTCH]
And in the big bad world...
- Webex leaked meeting data. [DUTCH]
- The Dutch government is angry with Cisco because of the Webex leak. [DUTCH]
- Political fears about the American cloud are growing. [DUTCH]
- Many companies are already turning their backs on the cloud (due to security, costs and too high expectations).
- Google appears not to have been honest about its data collection.
- A German political party has been hacked.
- This malware asks you to cut and paste malicious code and execute it yourself.
- The Dutch government is tackling disinformation. [DUTCH]
- PostNL wants to outsmart phishers with the anti-phishing code. [DUTCH]
- Of course, your toothbrush does not necessarily have to be connected to the internet or have AI.