This year’s Syskron Security CTF just ended. As previously announced, we were involved in preparing and organizing this event. More than 2,000 users registered for the CTF and more than 1,000 teams submitted flags.
A real-world story
The CTF focused on OT security with a unique story: The fictional Czech manufacturer BB Industry a.s. and its (also fictional) German subsidiary Senork Vertriebs GmbH needed external security expertise for a week. After reading a welcome letter, all participants had to solve challenges categorized from Monday (easy) to Friday (hard). Solving four trivia challenges granted additional points.
The real background
Most challenges are based on real-world security problems since one of the CTF’s main goals is to raise awareness for OT security. Let’s look at some examples:
- Redacted news shows a screenshot of a news article. There is a removed, transparent area in the picture. This challenge features a problem discovered in February 2020: GIMP marked “deleted” areas with an alpha channel as transparent instead of actually deleting the area. Removing the alpha channel allowed participants to restore the “redacted” flag.
- DoS attack features a packet capture file. The packets mimic the SIPROTEC DoS module of the Industroyer malware.
- Security.txt is about the upcoming security.txt standard that describes “A File Format to Aid in Security Vulnerability Disclosure.”
- Bash history contains obfuscated commands that were executed on the targeted system.
- Leak audit demonstrates the problems of storing passwords in cleartext and reusing passwords.
- HID mimics the content of a Rubber Ducky. Social engineers use such USB flash drives to get their malware into facilities.
- Security advisory requires the participants to parse an advisory. Reading or writing advisories is one of the less exciting job tasks in the security industry.
- Exposed webcam demonstrates the risks of a camera that shouldn’t be on the internet. It revealed configuration details and credentials.
- Firmware update shows the problem of including secret keys in the firmware. All of us saw a very similar story in July 2020, when someone discovered the D-Link firmware encryption key.
- Red teaming features a social engineering scenario. By parsing public information on the Senork website and combining it with the previous Leak audit challenge, participants could access a restricted folder on the Senork website to get the flag.
- EPES 2 (Enhanced PLC Encryption Standard) is about home-brewed encryption that uses secure cryptographic primitives but combines them insecurely. Participants had to reverse the protocol to get the flag.
- Security report shows the risks of an exposed .git folder and password reuse. You see exposed .git folders frequently in the media. There is even a new tool for this – Gitjacker.
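The Redacted news challenge above rests on a simple fact: a pixel with alpha set to 0 is invisible, but its RGB bytes are still in the file. The following is an added example, not code from the CTF or from GIMP, that reproduces that flawed "delete" on a constructed RGBA buffer, shows a check a reviewer can run before publishing an image, and shows two ways to remove the data for real. The buffer layout is plain RGBA bytes (what e.g. Pillow's `Image.convert("RGBA").tobytes()` returns); the sample image and all function names are assumptions of this example.

```python
# Added example: detect and fix "transparent" redactions that still carry pixel data.

def make_test_image(width: int, height: int) -> bytearray:
    """Constructed sample: a colour gradient, fully opaque (alpha 255)."""
    buf = bytearray()
    for y in range(height):
        for x in range(width):
            buf += bytes((x * 16 % 256, y * 16 % 256, (x + y) * 8 % 256, 255))
    return buf

def gimp_style_erase(img: bytes, width: int, box) -> bytearray:
    """Mimic the flawed behaviour: alpha -> 0 inside box, RGB bytes left intact."""
    x0, y0, x1, y1 = box
    out = bytearray(img)
    for y in range(y0, y1):
        for x in range(x0, x1):
            out[(y * width + x) * 4 + 3] = 0
    return out

def zero_erase(img: bytes, width: int, box) -> bytearray:
    """Proper erase: overwrite RGB *and* alpha with zeros, so nothing survives."""
    x0, y0, x1, y1 = box
    out = bytearray(img)
    for y in range(y0, y1):
        for x in range(x0, x1):
            i = (y * width + x) * 4
            out[i:i + 4] = b"\x00\x00\x00\x00"
    return out

def flatten(img: bytes, background=(255, 255, 255)) -> bytes:
    """Composite onto an opaque background and drop alpha (returns RGB bytes).
    This is what 'export without alpha channel' should do before publishing."""
    out = bytearray()
    for i in range(0, len(img), 4):
        r, g, b, a = img[i:i + 4]
        out += bytes((c * a + bg * (255 - a)) // 255 for c, bg in zip((r, g, b), background))
    return bytes(out)

def transparent_pixel_leak(img: bytes) -> int:
    """Redaction check: count distinct RGB values among fully transparent pixels.
    A real erase leaves at most one value (the fill colour); more than one means
    the hidden content is still in the file and reappears once alpha is dropped."""
    seen = set()
    for i in range(0, len(img), 4):
        if img[i + 3] == 0:
            seen.add(bytes(img[i:i + 3]))
    return len(seen)
```

Run `transparent_pixel_leak` on any RGBA export before publishing; a count above one is the GIMP symptom described above, and `flatten` (or `zero_erase`) is the fix.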
OT security requires custom solutions
Many best practices in IT security don’t work in OT security. For instance, patching devices is sometimes impossible, deploying encryption has no priority, and you need to work with legacy software and hardware. While IT security ranks confidentiality of information first, followed by integrity and availability, safety and availability rank first in OT security.