News

Cadets, students 'CANVAS' networks in hacking challenge

  • Published
  • By Ann Patton
  • Academy Spirit staff writer
U.S. AIR FORCE ACADEMY, Colo. --  Seventy college and high school students huddled in teams of three in Fairchild Hall April 2 to hunt down weaknesses in system design and implementation for a fictional social networking site set up in a closed networking environment during the 2010 Computer and Network Vulnerability Assessment Scenario here.

Aptly chosen prizes for the 2010 CANVAS were writing pens inscribed with the National Security Administration's logo.

This is the first year high school students took part in CANVAS. College students from Colorado State University, the University of Colorado at Colorado Springs, Fort Hays State University, Arapahoe Community College and the Community College of Aurora also participated.

"One cool thing is we have all levels of skills, from grad students to high schools," said Dr. Steve Fulton, Academy computer science instructor. "It brings a very positive spin on this."

In turn, he expected to also see a wide range of outcomes in the competition.

"It's an opportunity to use what they've learned in class," he said of the event's overall purpose.

Not only were competitors charged with identifying vulnerabilities and documenting them, they were also responsible for reporting the weaknesses and suggesting fixes.

"People do this every day and in the real world," said Cadet 2nd Class Derek Kvedar, Cadet Squadron 26. "Knowing how it is done is to know how to defend against it."

Competitors used desktop machines holding the "BackTrack 4" set of tools to sniff out vulnerabilities. Among the program's functions are information gathering, network mapping, web application analysis, privilege escalation and digital forensics.

Basic hacker methodology begins at the bottom of the trail with information gathering, then moves on to scanning and probing networks, gaining access, elevating his privileges within the network, and finally installing backdoors and removing traces of the intrusion.

Competitors received hints in handouts along the way, such as database applications' vulnerability to SQL injection -- a hacking method that attempts to execute code on the computer hosting the database.

But hints were also built into the social networking sites themselves as well, like the name of a pet that computer users may commonly designate as a password. Cadet Kvedar said substituting a special character into the password name would make users' accounts less vulnerable, but added that "part of it is just getting lucky."

The event gave students the chance to network with fellow computer enthusiasts.

"It was pretty fun," said Fort Hays senior Daniel Pearson, a media studies major. "I gained some new experiences, and it was good to be exposed to something new."

Cadet 1st Class Jase Garcia, a computer science major with CS 02, said he also enjoyed the event's opportunities.

"I learned a lot and gained some valuable practical knowledge," he said.