Monday, 11 August 2014

How Your Security System Could Be Hacked To Spy On You

On a recent Friday evening, Logan Lamb and his girlfriend turned up at a co-worker’s birthday party in Knoxville, Tennessee with a 12-pack of cheap beer, 4 craft beers for the birthday boy, and some hacking tools, namely a software-defined radio (SDR) capable of monitoring wireless transmissions. Lamb had been doing research on the way popular security systems, such as those from Vivint and ADT, can be turned against their owners to spy on their activity or suppressed so that they fail to go off when an intruder enters the home. His co-worker had a 2GIG Go!Control panel from Utah-based Vivint and was willing to be a guinea pig. Lamb asked the birthday celebrant to arm the system and then let the guests wander normally. The alarm did not get triggered as it should when the system’s armed and a door opens, and the Vivint central control station that would call the police when such a thing happened did not get a heads up. Lamb was able to suppress the alarm through intercepting the system’s unencrypted wireless communications with the sensors around the home, and sending his own signals to the main controls. After about an hour, though, the alarm started shrieking. Logan had neglected to plug his computer in and it went to sleep to conserve battery power, allowing the system to do what it was meant to do. “It didn’t ruin the party,” says Lamb. But it did make the security system seem less secure.
Lamb is a cybersecurity researcher at the Department of Energy’s Oak Ridge National Laboratory. “I primarily break things,” he explains. He started probing security systems in his spare time after a co-worker ordered one at the office. He was able to play around with an ADT system thanks to the graciousness of his girlfriend’s father, who had one at home. The different vendors’ products all had the same problem: legacy wireless communications from the 90s that failed to encrypt or authenticate signals. He could pick up the signals being sent from sensors on windows and doors to the main control system using a cheap SDR, meaning he could see transmissions from sensors — which are sent even when the system is unarmed — and track when people were opening and closing windows and doors. With a more sophisticated SDR, he could interfere with transmissions, setting the alarm off falsely by telling it doors were opening when they weren’t or jamming the system so that it wouldn’t go off, even if doors did open. He could do this from 65 to 250 yards away, basically a house over. Using his methods, a would-be tech-savvy thief could suppress an alarm while going in and out with your stuff; a prankster neighbor could set your alarm off; or someone could monitor when you’re active at the house. At the very least, someone with an SDR could determine based on signals being sent whether you actually have an alarm system, or have just planted a “Protected by ADT” sign in your front yard.
Lamb plans to present his findings in Las Vegas next month. He’s not the only presenter at the popular back-to-back hacker conferences there, Black Hat and Defcon, who has set his sights on the way security systems can be subverted to make their owners less secure. Researchers Colby Moore and Patrick Wardle of Synack turned their hacking skills against Dropcam, the wireless video monitoring device recently acquired by Google-owned Nest. “We saw Dropcams popping up all over here in Silicon Valley with tech incubators and big tech start-ups using them as security cameras,” said Moore. “It seems like the future of where video monitoring for consumers is going.”
Dropcam's access-granting button
Moore and Wardle discovered a small number of flaws in the Dropcam that could lead to it being compromised, but the attacker would need to get his or her hands on the cam to crack it. The most notable problem they discovered was a button on the back of the device that can be pressed when it’s booting up to put the camera into receptive USB mode. Once in that mode, an attacker could install spyware to turn the surveillance camera into one that surveils audio and video of its owners, or install a program that could make them see video of the attackers’ choosing. And as with another Black Hat presentation about jailbreaking the Nest, the security hack could be used to enhance consumer privacy — allowing a data-protective Dropcam owner to install a program that would prevent their video feed from being sent to Dropcam’s cloud. All in all, the researchers thought the Dropcam was far more secure than other Internet-connected cameras, some of which have been hacked remotely by strangers on the Internet — ahem, Foscam — but that Dropcam’s security could be improved by only running signed software from the company. Your own Dropcam is probably secure, as long as it’s never been in the hands of someone who might want to turn it against you. “Don’t accept cameras from strangers. It’s a good motto,” says Wardle, who also advised against buying them used.
Both Dropcam and the security system vendors were dismissive of the hacks. Dropcam is more concerned about protecting customers from remote hacks than ones done by someone with the device in hand. The general rule of thumb in the security community is that if someone has physical access to your device, you’re pwned. “All hardware devices – from laptops to smartphones – are susceptible to jailbreaking. If anything, Dropcam might actually provide the best solution for preventing physical access because we’ll notify you if someone were to approach or disconnect your camera,” said Greg Duffy, Dropcam’s CEO. “What’s far more important is preventing remote access, and Dropcam has excellent security to prevent this. Our cameras won’t communicate to anyone on the Internet – only Dropcam cloud servers, and we haven’t had any intrusions or access to private data to date.”
Meanwhile, the security system vendors said the hacks had never occurred in the wild, to their knowledge. “Safety and security is a top priority at ADT, and we have spent the past 140 years earning the trust of our customers,” said ADT spokesperson Jason Shockley. “Because we have yet to see the details of this particular research, we are unable to comment on the specifics.”
Vivint and another security company with the vulnerability that asked the researcher not to name it both said they have a jamming detection feature in their wireless security systems, though Lamb says he was able to program around it and that the companies didn’t detect his suppression of their alarms. Vivint’s vice president of innovation Jeremy Warren said the company is investigating the vulnerability that Lamb found in the jamming detection with plans to fix it. He also said that Vivint has never actually detected anyone jamming a system’s signal. As for the spying that could be done by a techno-lurker, Warren said it’s easily replicated by a person without an SDR sitting outside the house watching people opening windows and doors. Lamb though says that an adversary could make an embedded system to stash in the vicinity of a home to gather information all the time.
“It’s in the realm of hypothetical possibilities but I think people just driving their car around and looking at a community is a simpler and less costly, exotic way of doing this. This requires someone to have sophisticated tools that are not widely available, and that mitigates the impact,” said Warren by phone. “It shouldn’t be a concern to consumers. We really think this is an extremely exotic thing that will have zero impact on our customer base.”
Lamb argues, though, that SDRs are getting cheaper and more ubiquitous; a simple one goes for $10 on Amazon.
Warren said Vivint has looked at encrypting communications on the system but that it has a negative impact on “range and battery performance” and decided it wasn’t worth it after “balancing that against a highly hypothetical situation where a person needs to be nearby anyway.”
“Wireless transmissions by their nature are subject to potential risks,” said one security system maker in a statement. “Our security systems meet or exceed industry standards and include a variety of protections, such as available encryption, tamper resistance and jamming detection, which when employed significantly improve security.”
Those worried about this kind of monitoring may want to go ahead and employ those options.
“The idea of covering a home with more security sensors does not translate into a more secure home,” says Lamb. “The end goal of all this is to make better systems.”

CIA Insider: U.S. Should Buy All Security Exploits, Then Disclose Them


LAS VEGAS — To increase the security of the internet and computers, the government should corner the market on zero-day vulnerabilities and exploits, offering top-dollar to force out all other buyers. At least, that’s what Dan Geer thinks, and his opinion matters. Geer is chief information security officer at the CIA’s venture capital arm In-Q-Tel, which invests in technologies that help the intelligence community.
Geer, an icon in the world of computer security, delivered his controversial stance during a keynote at the Black Hat security conference in Las Vegas today. His talk, entitled “Cybersecurity as Realpolitik” was provocative throughout, including advocating that software companies make their unsupported products open source to keep them secure. He even quoted the Code of Hammurabi (circa 1700 B.C.) while suggesting that product liability be applied to source code. “If a builder builds a house for someone, and does not construct it properly, and the house which he built falls in and kills its owner, then the builder shall be put to death,” he said. While the death penalty may be a little severe for software makers who fail to adequately secure their products, criminal and civil liability isn’t, he suggests.
Dan Geer. Mark Bristow via The Open Web Application Security Project
But the highlight of Geer’s talk was definitely his suggestion that the U.S. government own the zero-day market. Zero-day vulnerabilities are security holes in software that are yet unknown to software makers or to antivirus firms. They’re unpatched and unprotected, leaving them open to exploit by spy agencies, criminal hackers, and others. Once the government purchases zero-days, he said, it should burn them by disclosing them. Showing all of these zero-days to the software makers so that they can be fixed would produce a dual benefit: Not only would it improve security, but it would burn our enemies’ stockpiles of exploits and vulnerabilities, making the U.S. far less susceptible to cyberattacks. He said that paying big for zero days would improve security because it would allow hunting for vulnerabilities to be profitable without being destructive. “Once vulnerability finding became a job and not a hobby, those finding vulnerabilities stopped sharing,” he said. “When bug hunters find bugs just for fun and fame, they share the information immediately because they don’t want someone else to find it and take credit for it.” But those doing it for profit don’t share and don’t care. He proposes that the U.S. government openly corner the world market on vulnerabilities. Under such a program, the government would say, “show us a competing bid, and we’ll give you 10 times.”
These comments are not likely to win Geer friends at the NSA or CIA; both agencies rely on the U.S. government’s own massive stockpile of secret zero-days to exploit and attack the systems of enemies and surveillance targets. That shouldn’t bother Geer, who is used to making his bosses angry. In 2003, he co-authored a provocative and groundbreaking paper titled “CyberInsecurity: The Cost of Monopoly,” which argued that the dominance and ubiquity of Microsoft’s operating systems was a threat to national security. He was subsequently fired by his employer @Stake over the paper. His firm was a supplier to Microsoft.
Geer acknowledges that there will be some who refuse to sell to the U.S. government on principle, no matter the price. But under his plan, anyone who refuses to sell to the U.S. has to live with the reality that the vulnerability will likely be discovered by someone else who will be willing. This plan should encourage the holdouts to eventually become vendors to the U.S. as well.
And when that happens, the U.S. can drastically lower the impact of international cyberwarfare. “We don’t need intelligence on what weapons our adversaries have if we have something close to a complete inventory of the world’s vulns and have shared that with all the affected software suppliers.”

It's war: say experts on cyber security

FOLLOWING the recent stunning revelation that Russian crooks have stolen 1.2 billion user names and passwords, the biggest breach on record, experts say making the internet more secure will take a massive global effort.
EVERYTHING from bolstering website security to a stronger push to prosecute the criminals, to better vigilance by consumers, will be needed.
How much all this might cost is unclear, with some experts estimating it could take billions of dollars, while others insist it's more a matter of redirecting what already is being spent toward more fruitful areas. But even then, critical information on the internet may never be entirely safe, given the growing sophistication and ability of hackers to find new ways to steal it. The attack by a Russian gang, uncovered by a Milwaukee security firm, has inflamed concerns about data protection on the internet and whether the security practices of thousands of companies around the world are sufficient to protect the financial and personal information of consumers. Security experts say businesses need to take the lead in tackling the threat, particularly since the software and computerised gadgets they make to access the internet are frequently riddled with weaknesses hackers can exploit. "There is zero or very little corporate responsibility being taken to insure products in the market are safe," said Melissa Hathaway, a former top federal cybersecurity official with the National Security Council and the Office of the Director of National Intelligence. "If we continue to see the market the way it is, we'll see more victims." Critics have faulted many companies for being slow to address their cyber vulnerabilities, because of factors ranging from ignorance about the extent of their flaws, to the cost associated with patching them. Alan Paller, director of research at SANS Institute, an organisation that trains computer-security experts, said that because software can be easily manipulated by crooks, it's essential to either make programmers responsible for the financial damage that results when their code is hacked, or at least make them demonstrate they know how to write safe software through a skills test. Paller said companies also need to improve the ability of their security staff to deal with cyber crooks who sneak into the corporate networks. 
"I don't think they know how to do it in many cases," he said. Companies should also stop wasting money writing security-related reports - some of which are required by the federal government - and focus more on actually battling hackers. That's why he believes tackling cyber crime wouldn't require a huge additional expenditure, because "fundamentally, it's a shift from talking about the problem to fixing the problem." But others argue that companies will need to spend substantially more, because many of them so far haven't taken the threat seriously. Avivah Litan, an analyst with the research firm Gartner, estimated that many companies could protect themselves reasonably well by spending $50,000 to $100,000 a year on security, while larger firms might have to spend $5 million to $10 million. While that's a lot of money, she said the cost of a breach that results in the company losing its commercial secrets or alienating its customers could be much higher. One key measure companies could take is to shift from having their websites accessed with user names and passwords to employing biometric identification systems, according to Larry Ponemon, whose Ponemon Institute studies data protection and privacy issues. He noted that some companies already offer voice identification technology for accessing computer gadgets, and he predicts retinal and facial identification devices could become widely available within five years.
FIVE TIPS FOR PROTECTING YOUR PERSONAL DATA
- Never click on links in email from people you don't know or vaguely know.
- Beware of phony websites.
- Don't shop on a site unless it has the green "https" and a padlock icon to the left or right of the URL.
- Use an extremely uncrackable password.
- Back up all of your data on your computer, smartphone and tablet in the event of loss, theft or crash.

Security experts call for government action against cyber threats


(Reuters) - Alarmed by mounting cyber threats around the world and across industries, a growing number of security experts see aggressive government action as the best hope for averting disaster.
Even though some experts are outraged by the extent of U.S. Internet spying exposed by former NSA contractor Edward Snowden, they are even more concerned about technologically sophisticated enemies using malware to sabotage utilities, wipe out data stored on computer drives, and steal defense and trade secrets.
Such fears and proposals on new laws and executive action to counter these threats were core topics this week in Las Vegas at Black Hat and Def Con, two of the world's largest gatherings for security professionals and hackers.
At Black Hat, the keynote speech by respected researcher Dan Geer went straight for national and global policy issues. He said the U.S. government should require detailed reporting on major cyber breaches, in the same way that deadly diseases must be reported to the Centers for Disease Control and Prevention.
Critical industries should be subjected to "stress tests" like the banks, Geer said, so regulators can see if they can survive without the Internet or with compromised equipment.
Geer also called for exposing software vendors to product liability suits if they do not share their source code with customers and bugs in their programs lead to significant losses from intrusion or sabotage.
"Either software houses deliver quality and back it up with product liability, or they will have to let their users protect themselves," said Geer, who works for In-Q-Tel, a venture capital firm serving U.S. intelligence agencies. Geer said he was speaking on his own behalf.
"The current situation - users can't see whether they need to protect themselves and have no recourse to being unprotected - cannot go on," he said.
Several of Geer's proposals are highly ambitious given the domestic political stalemate and the opposition of major businesses and political donors to new regulation, Black Hat attendees said. In an interview, Geer said he had seen no encouraging signs from the White House or members of Congress.
But he said the alternative would be waiting until a "major event" that he hoped would not be catastrophic.
Chris Inglis, who retired this year as deputy director of the National Security Agency, said disaster could be creeping instead of sudden, as broad swaths of data become unreliable.
In an interview, he said some of Geer's ideas, including product liability, deserved broader discussion.
"Doing nothing at all is a worse answer," said Inglis, who now advises security firm Securonix.
SOFTWARE FLAWS
Some said more disclosures about cyber attacks could allow insurance companies to set reasonable prices. The cost of cyber insurance varies, but $1 million in yearly protection might cost $25,000, experts say.
High-profile data breaches, such as at Target Corp and eBay Inc, have spurred demand for cyber insurance, but the insurers say they need more data to determine how common and how severe the intrusions are.
The ideas presented by Geer and other speakers would not give the government more control of the Internet itself. In that area, security professionals said they support technology companies' efforts to fight surveillance and protect users with better encryption.
Instead, the speakers addressed problems such as the pervasive number of severe flaws in software, which allow hackers to break in, seemingly at will.
Geer said the United States should try to corner the market for software flaws and outspend other countries to stop the cyber arms race. The government should then work to fix the flaws instead of hoarding them for offense, he said.
Black Hat founder Jeff Moss said he was reminded of the importance of data security while advising a government agency that had no way to tell which of its millions of records were accurate and which had been tampered with.
In the security industry, Moss said, "we're so day-to-day that we forget we're a piece of a bigger system, and that system is on the edge of breaking down."
Dire projections have led some professionals to despair, but others say the fact that their concerns are finally being shared by political leaders gives them hope.
Alex Stamos, who joined Yahoo Inc earlier this year as chief information security officer, said the Internet could become either a permanent tool of oppression or a democratizing force, depending on policy changes and technology improvements.
"It's a great time to be in the security industry," Stamos said. "Now is the time."

FBI Academy: Cyber security

A warning from the FBI on cyber crime vulnerability.

It's in our report from the FBI citizens academy...it's a story you will only see on News 2.

What do online dating, Facebook and cell phones have in common?

Your personal information. Vulnerable to hackers.

We start with online dating sites. FBI experts say an app called Picfind contains facial recognition software. That software will give away your identity… if that picture is already published on the internet.

FBI experts say a picture can literally be worth a thousand words if you don't protect yourself. They say that if you are going to use a dating website or social media, take a new picture of yourself that is not published anywhere and can't be recognized by facial recognition apps.

David Thomas, Special Agent in Charge, FBI Columbia: “It makes you very, very vulnerable… if you are using it for dating sites, or any other type of social media… where you don't want anyone to know who you are until you are ready to identify yourself to them.”

And when sending a picture, experts say you need to turn off your GPS in your privacy settings for the camera.

“Depending on your phone setting, every time you take a picture on the phone and if you don't specifically set it, it embeds a GPS of exactly where you are, and if you took it from your house, I'll know exactly where you live.”

Here are some tips from the FBI for making your computer less vulnerable to hackers.

Make sure you read before accepting window pop-ups or opening email attachments; always run the latest updates on your computer; make sure to have anti-virus software, and get it from a reliable source; make sure to open a new page to access an account and never click on a link from email; and don't pirate software, as this is how many viruses get into your computer.

FBI experts say to use a middle name and general occupation for social media or dating sites, so people can't identify you, before you are ready…

Other ways to protect yourself: think before handing your cell phone over in a store (most cell phones contain your personal information) and have the store associates do the work in front of you; and with job applications and buying a house, be careful to whom you are giving your bank accounts and Social Security numbers.

The FBI recommends checking your credit every 3 months or so. It is free, and they recommend checking a different service, Experian, etc… every few months.

Snowden granted 3-yr residence permit in Russia - lawyer

Edward Snowden has received a residence permit in Russia, which is valid for three years, starting on August 1, the former NSA contractor’s lawyer announced.
“On the first of August he received a three-year residence permit,” lawyer Anatoly Kucherena told reporters.
He added that Snowden had not asked for political asylum.
“He will be able to travel freely within the country and go abroad. He’ll be able to stay abroad for not longer than three months,” Kucherena said.
The former NSA contractor will be able to apply for Russian citizenship in five years.
“A foreign citizen, who got a residence permit, will certainly be able to apply for citizenship,” Kucherena said.
Edward Snowden has not yet made up his mind whether he wants Russian citizenship.
“By all means he is homesick,” his lawyer said. “It was hard for him to find himself far from home, especially for the first time. Of course, in the future Edward will make up his mind on whether to stay in Russia and apply for citizenship or to leave for the US. He hasn’t done this yet.”

Member of the Public Chamber, lawyer Anatoly Kucherena at the press conference on Edward Snowden's case.(RIA Novosti / Grigoriy Sisoev)
Edward Snowden was granted temporary asylum in Russia a year ago. It expired July 31.
He left the US and went to Hong Kong in May 2013, from where he leaked confidential files to mass media concerning the NSA’s overwhelming surveillance.
Snowden then planned to seek refuge in Cuba, but found himself stranded at Moscow’s Sheremetyevo airport, after his American passport was annulled by US authorities.
Kucherena dismissed a letter from the US Prosecutor General’s office to the Russian Ministry of Justice as insufficient grounds for handing Snowden over to the US.
“There has been no request which complies with international law,” the lawyer said.
If Edward Snowden does one day travel back to the US, it’s not going to be extradition, his lawyer assured.
“No extradition is possible under Russian law,” he said. “He has not committed any crime. He faces no charges in Russia.”
Snowden’s security in Russia is being ensured by a private firm, Kucherena said.
“He’s without state protection and he can’t possibly have it. To arrange state protection you have to go through many bureaucratic procedures.”
Kucherena also told reporters that Snowden was satisfied with his job in Russia, as he was able to continue his profession and work in the sphere of computer technology. The former NSA contractor’s Russian salary is adequate, the lawyer added.
The lawyer said Snowden will hold a press conference in Russia as soon as it is possible.

Hacker swipes $83,000 from Bitcoin mining pools


It's no longer surprising when we hear that a cryptocurrency exchange has suffered a security breach, but now a hacker has targeted mining pools -- and managed to steal $83,000 in cryptocurrency as a result.
The Dell SecureWorks Counter Threat Unit (CTU) research team said Thursday it has identified an exploit that can be used to lift cryptocurrency from mining pools, and at least one hacker has already taken advantage of the security flaw.
A hijacker was able to use a fake Border Gateway Protocol (BGP) broadcast in order to compromise networks belonging to some of the biggest names in the field -- including Amazon, Digital Ocean, and OVH -- between February and May 2014. According to the researchers, at least 51 networks were compromised from 19 different ISPs, and at least one hijacker was able to use this flaw to redirect cryptocurrency miners' connections to a hijacker-controlled mining pool, therefore collecting the miner's profit for themselves.
Miners were able to continue searching for blocks, which results in the minting of new bitcoins, but spoofed servers ensured that miners never received their cut -- instead, the hijacker took off with all of the earnings.
In total, it is believed this single hijacker has been able to earn $83,000 in roughly four months.
Although Bitcoin was the main target of the heist, with 1 BTC currently worth $589, it was not the only cryptocurrency affected.
"The threat actor hijacked the mining pool, so many cryptocurrencies were impacted," the researchers said. "The protocols make it impossible to identify exactly which ones, but CTU researchers have mapped activity to certain addresses."
One miner spoken to by Dell SecureWorks said he estimates 8,000 dogecoin were hijacked and stolen in March, worth $1.39. The miner later added a firewall rule to reject connections from the hacker's mining server, which rejected the hijack and led to normal mining regularity. While $1.39 is a tiny amount, if widespread, such hacking can be lucrative.
The researchers were eventually able to trace the fake broadcasts to a single router at an ISP in Canada. While the hijacker has not been identified, CTU believes the scheme can be blamed on a rogue employee of the ISP, an ex-employee with an unchanged router password, or simply a black-hat hacker.
The CTU research team provided its evidence to the ISP closest to the source of the activity, and the malicious BGP announcements stopped three days later. The team says that despite approximately $2.6 million in cryptocurrency mining activity occurring each day, the chance of future BGP attacks is "minimal," writing:
"BGP peering requires that both networks be manually configured and aware of one another. Requiring human interaction for proper configuration makes BGP peering reasonably secure, as ISPs will not peer with anyone without a legitimate reason. These hijacks and miner redirections would not have been possible without peer-to-broadcast routes."

GCHQ recruits spotty teens – for upcoming Hack Idol

The GCHQ-backed Cyber Security Challenge UK is bringing cybersecurity education to UK schoolkids aged from 12 to 18 with the importation of the US-created CyberPatriot programme.
The US Air Force Association CyberPatriot youth programme involves a battle of wits in cyberspace involving 1,500 international teams of under-18s representing countries ranging from Japan to South Korea. The scheme is credited with engaging more than a quarter of a million children in cybersecurity across the US.
Four in five (80 per cent) youngsters who participated in the US programme said they aimed to pursue higher education in cybersecurity or another STEM (science, technology, engineering and mathematics) field, according to US Air Force Association polling. This compares to a national average of only 13 per cent selecting science and technology degrees. The vast majority (86 per cent of the 254 survey respondents) said that their participation in CyberPatriot somewhat or significantly impacted their career and educational goals.
CyberCenturion, as the scheme will be called in the UK, will sit between the existing Cyber Security Challenge schools programme for secondary schools, and the main Challenge competition programme. Sponsors include US defence giant Northrop Grumman Foundation.
Backers claim the UK CyberCenturion scheme will pit "thousands of British Army cadets, scout groups and hundreds of schools and colleges across Britain" against each other in face-to-face team-based national cybercrime contests. The whole set-up is based on real challenges existing professionals face, as organisers explain.
CyberCenturion is played by teams of between four and six people. Each team must include a responsible adult as the liaison between the organisers and the participants and the participants must be 18 years or under when the game is played. The competition consists of two rounds. Both rounds involve downloading a virtual computer image full of vulnerabilities that could present opportunities for a cyber criminal. The teams have approximately six hours, within a window of approximately two days, to identify and fix these vulnerabilities. The game runs on an internal clock, so judging can be based both on the vulnerabilities identified and fixed and the time taken to complete the task.
Different scores are assigned to each vulnerability depending on its complexity with an increase from basic to advanced level weakness as you move from the first to the second round. The scores from both rounds are combined to create a final result and the top six teams will advance to a face to face showdown in April 2015. The prizes on offer for those who win the grand final are all career enhancing opportunities such as internships at Northrop Grumman and places at industry conferences.
The team competition begins in October with a practice round, followed by two competition rounds. More details on the competition itself along with information on how to register can be found on a Cyber Security Challenge microsite here.