Photo: Two contestants brief PWC's Andrew Miller on Koffee Café's problems, while Alex Hern observes in the background. Photograph: Rupert Hartley
Koffee Cafe has a problem: its website, while just about useable for the small coffee chain, is held together with string, chewing gum and hope.
For the past few years, it's survived because no one important has bothered to pay attention to it, but that's due to change. A multinational coffee chain has expressed interest in an acquisition, and now the auditors are being brought in to make sure there aren't any hidden dangers. If they look hard enough, they'll find some blinders.
Not only has the company left up a voucher code generator that can get crafty users free coffee for life – it's also storing the credit card numbers of at least 20,000 of its customers in an insecure database.
Thankfully, Koffee Cafe doesn't exist. The company is a fiction, put together to test the ability of some of the UK's best hackers while promoting the idea that cyber security is a career which people can, and should, consider entering.
The cafe – and its website and IT infrastructure – were created by Cyber Security Challenge UK, a not-for-profit that works with some of the UK's biggest tech companies to design and run events that aim to close the gap between the country's need for talented cyber security staff, and the number of people actually working in the industry.
Its flagship events, the challenges themselves, are only open to those who aren't employed in cybersecurity: Dan Summers, the winner of the first challenge in 2011, was a postman. He still works for Royal Mail, but these days as a security consultant for their IT department.
"What we try to do is inspire people," says Stephanie Daman, the organisation's chief executive. "Using the competition, we identify those who are good. We try and tell them to develop their talents and skills, and several of them play with us for several years. And at that point, a lot of them have got to the point of thinking 'OK, I really do want to do this as a career' so they start sending their CVs out, and most of them end up in the industry."
Hacking challenges are nothing new. Even before "penetration testing" took over as the term for hacking into systems to test their security, companies and individuals were setting up systems and offering prizes to those capable of breaking into them.
Money, fame and prestige
Some do it for the money, such as a share of the £1.6m Google is offering to the victors of the Pwnium 4 challenge to break into their Chromebook laptops. Others do it for the prestige or fame; the Cicada 3301 puzzle continues to entice code breakers worldwide with no discernible prize at all.
But the cyber security challenge differs from many in calling for more than just coding ability from its contestants.
The vulnerabilities in the Koffee Cafe website are very real, and Symantec, who provided the technical background to the event along with consultants PWC, say they are all based on flaws seen in past clients (although few companies would have quite so many all at the same time).
But it's not enough to just break into the server.
"There are two sides to this challenge," says Symantec's Sian John. "One is the technical bit… but what's great about today is that being technical isn't the full skill."
"Information security has been around for years, but now you're talking about cyber security. People think it's the same thing, but the difference is that the rest of the business cares now. If you look at most of the senior security professionals now, they're suddenly realising they need to learn how to talk."
A different set of pressures
PWC's contribution to the event is an effort to mimic those pressures. The contestants also have to brief Koffee Cafe's chief information security officer, speak to the press, and give Koffee Cafe's executives a plan of action, all based on what they have been able to find in just hours of testing. That leads to a very different set of pressures.
"Some bits are so much easier than others – like the infrastructure hacking, for example," explains Andrew Stockwell, who works in user support and taught himself cybersecurity basics from podcasts on the Tube.
"We discovered there was a Windows XP server, and it was vulnerable to a certain attack, so we used that and we were in… I'm trying to avoid the presentations as much as possible. I don't like standing up in front of crowds. I did a Toastmasters course at school, and that didn't help."
Sitting in on the briefings with the information security officer (played by Andrew Miller, the cybersecurity director of PWC UK), it's clear that even among those contestants who felt confident enough to volunteer to represent their teams, some are better than others.
One starts listing version numbers of installed software as though it's obvious to all concerned what the problem is. Even when pushed, it takes several tries for Miller to encourage a non-technical answer; eventually, the contestant recommends downloading the latest patches from Microsoft.
'Freak out and turn the site off'
Some go too far in the other direction. A pair arrive for the briefing with a slick slideshow and well-rehearsed lines, but also seem afraid of delivering bad news. When they tell Miller that there is a leak which exposes the administrator password, their only advice is "be careful". "Freak out and turn off the site until you get this fixed" might sound less professional, but in the circumstances it may well be better advice.
However, this is a learning experience, and by the time of the press interview a few hours later, everyone is far more polished. Symantec's Emma Jeffs played the part of the reporter interviewing Koffee Cafe's security team, and I was invited to join in. In order to keep up the role-play, I had to pretend to pretend to be a journalist – a novel experience, but one I was well qualified for.
Sadly, it seems like the first thing everyone is taught about dealing with the press is "tell them nothing", and even with my professional skills I could not wheedle out more than a vague statement that "Koffee Cafe's customers will be notified if there's any risk to their credit card data".
Beyond the games, Daman reiterates the core purpose of the challenges: "To get the right number of properly qualified people into the cyber security profession. We've got a skills gap; loads of jobs, not enough people. We sit in that gap, trying to close it."
In the end, the challenges themselves can only go so far – the 30-or-so attendees aged between 17 and 50 are all likely to be seriously considering a change in career, but you can't fix an industry a roomful of people at a time. For more widespread change, Daman pins her hopes on the organisation's schools programme, which teaches students the basics of cryptography.
"We teach students what cyphers are all about," she says, "and then they are given the chance to break some cyphers that we provide. Then the second stage is designing their own cyphers, and pitting them against other schools.
Women and girls
"What it does is it keeps people interested in these sorts of subjects. It also, I hope, encourages women and girls to stay interested, because you'll notice there are very few women and girls here today."
The focus on cyphers – the rudimentary basis of encryption and codebreaking – hints at another of the event's supporters. It obtains much of its funding from the government, and a GCHQ spokesperson says the agency is "proud of its association with, and sponsorship of, the cybersecurity challenge".
"It is through initiatives such as this," they continue, "that organisations, be they in the public or private sector, can continue to develop and maintain our leading edge in cyberspace by being able to recruit the right people with the right skills."
Somewhat less of a deliberate goal, but an achievement nonetheless, is showing self-taught hackers that they can use their talents in a more productive way. Daman emphasises that they don't ask contestants about that side of their history, but some admit it anyway, volunteering, for example, that they prodded their school network to see what would happen.
Aaron Devaney, a 38-year-old software developer from Leeds who won the overall prize at the end of the challenge, had a more traditional route into the field, but still one driven as much by curiosity as by professional ambition.
"In my day-to-day work we have [penetration testing] companies report on the security of our products and looking through the reports, I started to get interested in how they found out the information they did."
Daman sees her role as taking that curiosity and convincing people that it shouldn't stop there. "These are valuable skills," she says. "Not everyone can do this. And if, on top of that technical ability, you are able to articulate what you're doing, you're a very prized individual. There is a job out there for you."