Ensuring Cybersecurity: Hacking to Stop Hackers
At the end of April, Ekaterinburg hosted an annual Russian cybersecurity competition known as Russian Capture the Flag (RuCTF). ITMO University’s student team LC↯BC took fourth place in the overall ranking and second place among Russian teams. RuCTF is a team cybersecurity competition in which participants have to protect their own servers and hack their opponents’ servers. A team from Ural Federal University has been hosting this competition for more than ten years. ITMO.NEWS talked to Vlad Roskov and Alexander Menschikov, the coordinators of the SPbCTF project, which holds weekly seminars in competitive hacking at ITMO University, and asked them some questions about CTF.
Tell us a bit about the LC↯BC team. When was it founded and by whom?
Vlad Roskov, LC↯BC team captain: LC↯BC is an alliance of several Russian teams. ITMO’s students joined it in 2008 when a group of students at the Department of Security of Cyberphysical Systems learned about CTF. They formed a team and decided to give it a try. The team was called CIT. When I came to ITMO University, the guys from CIT gathered all the freshmen and told us about CTF. I liked hacking and I was excited to find out that there were competitions in this sphere. Next year we changed the name of the team to Leet More which sounds like LITMO (“leet” is derived from the word “elite”). We participated in every single competition we could find (about 15 competitions a year) and soon became one of the best teams in Russia. At the end of 2011, we played together with a team from Chelyabinsk called Smoked Chicken. We took second place and decided to play together in 2012.
So we teamed up and formed the More Smoked Leet Chicken team (a combination of Leet More and Smoked Chicken). During the first year we took first place in Mozilla CTF, Korean CODEGATE CTF, PlaidCTF, Hack in the Box, Positive Hack Days in Moscow, hack.lu in Luxembourg and PoliCTF. All these competitions were international, and by the end of 2012, we became world leaders in competitive hacking. We played like that together until 2015, when some players graduated and started working. So we started looking for new players and teamed up with the BalalaikaCr3w team from Moscow. That’s how we came up with the LC↯BC name (LeetChicken + BalalaikaCr3w = LC↯BC).
Tell us a bit more about the members of the team.
Alexander Menschikov, LC↯BC team captain in RuCTF: According to the RuCTF rules, participants should represent a university, as it is a student competition. Our team consisted of seven people: Nikita Tikhomirov, Grigory Sablin, Sergey Borisov, Nikita Sychev and I from ITMO University, and Yegor Bogomolov and Innokenty Sennovsky from MEPhI.
This year, the ITMO student team won the QCTF Starter competition and took first place in the national ranking. What is the difference between QCTF and RuCTF?
Alexander Menschikov: QCTF is a so-called Task-Based CTF, which means that instead of hacking each other, the teams are to complete particular tasks in a range of categories (cryptography, forensics, etc.). RuCTF uses a classic, Attack-Defence format of CTF, which means that participants interact with each other during the competition. Each team receives a server with a set of vulnerable software services. The players try to secure a victory by hacking their competitors’ servers and protecting their own. The “battle” lasts for about eight hours.
What is the difference between competitive hacking and competitive programming?
Alexander Menschikov: Competitive hacking is derived from competitive programming to make it clear that we don’t hack just for fun, but to learn how to improve security; we’re the so-called White Hats. The main difference between competitive hacking and competitive programming is the level of interaction between the participants, especially when it comes to a classic format of CTF, when you constantly come up with new strategies on how to hack the opponents’ servers, which is way more fun than just sitting in your own sandbox.
What benefits does participation in hacking competitions bring? Employer’s approval? Money?
Vlad Roskov: Both. Many employers require their employees in the field of cybersecurity to have experience participating in CTF competitions. As for the money, international CTF competitions for professionals can be a very profitable activity. For example, some Asian competitions offer a prize of about 30 thousand dollars for the first place.
The largest and the most prestigious competition is DEF CON which is held annually in Las Vegas. What is special about this competition is that participants don’t get paid, and the whole thing costs about 15 thousand rubles for a team. But still, we’ve been participating in this competition since 2011.
Are there any big CTF competitions in Russia?
Vlad Roskov: Yes, there are some competitions for professionals organized by cybersecurity companies. For example, a competition by BI.Zone: last year they offered 10 thousand dollars for the first place.
Who pays for the trips?
Vlad Roskov: Universities usually pay for student teams. For example, ITMO’s Faculty of Information Security and Computer Technologies paid for LC↯BC last year. Adult team members usually pay for themselves, if travel expenses are not paid by the inviting party. So we save all the money we win to go to DEF CON. We've been there six times so far. But during the last few years, we’ve been sponsored by MTS and Kaspersky Lab. We’re now going to go to China and this time all the expenses will be paid by the inviting party.
You have established the SPbCTF project, one of the biggest Russian training centers for CTF. How did you come up with such an idea?
Vlad Roskov: It was Ksenia Kravtsova who founded SPbCTF back in 2015. Now she works at ITMO University at the Department of Computer System Design and Security. I think that the main purpose of the project was to unite CTF players in St. Petersburg.
Students who attend your seminars say that you teach real hacking techniques there and that they can learn the things that their curriculum does not include…
Vlad Roskov: Our curriculum doesn’t include many topics important for cybersecurity experts. For example, I graduated in 2014. We learned the legal aspects of cybersecurity, learned what the terms “information” and “security” mean, but nobody taught us how to create a system without vulnerabilities. But I’m still glad that I studied at ITMO, because that’s where I learned about CTF.
Alexander Menschikov: It is not the problem of ITMO University or any other Russian university. The thing is, cybersecurity is a very fast-changing field. A good cybersecurity expert is someone who follows all the latest technologies and thinks about how you can make a mistake using them.
Share a bit more about your educational program.
Vlad Roskov: At first, we had a new topic every time. We didn’t have any particular program. The purpose of those seminars was to introduce the participants to the basics of CTF. We always communicate with our students and ask them to give feedback after the seminars, so we could answer their questions and find out what they liked and didn’t like about the classes, etc. We think that the program should be flexible and try to give a personal approach to every student. It’s not that easy but it’s one of our goals.
Now we change the topic every season. Besides, we have started to split seminars into several parts to make it easier for students to perceive information.
What will the next topic be about?
Alexander Menschikov: We are now preparing a course of seminars on Attack-Defence CTF. Students can learn about various tactics and strategies used in this kind of CTF, learn how to write scripts, work in teams and take part in competitions. It is the first project of this kind in Russia. Besides, our students can join our team and participate in real competitions. Our seminars are open for everybody and free of charge.