Earlier this month I congratulated the Def Con Capture The Flag winners from Giovanni Vigna's team. One of the contestants, Vika Felmetsger, was kind enough to answer questions about her experience and the role she played on team Shellphish. I thought I would publish Vika's thoughts in the hopes that she could provide an example of how one becomes a serious security practitioner.
Richard (R): What is your experience with security, and what are your interests?
Vika (V): I am starting my second year as a computer science Ph. D. student at UCSB, where I work as a research assistant in the Reliable Software Group (RSG).
Everybody in the group works on various computer security areas and my current focus is web application security. Even though now security is a part of my everyday life, I am still pretty new to this area.
As an undergraduate student at UCSB I learned some security basics; however, my real introduction to practical security, and hacking in particular, was last fall when I took "Network Security and Intrusion Detection," which is a class taught by my graduate advisor Prof. Giovanni Vigna.
In this class I learned various techniques that can be used to break the security of computer systems, how to detect attacks, and how to protect a system against possible attacks.
Most importantly, as a part of the classwork, every student was able to apply the learned techniques to write actual exploits to attack various vulnerabilities in real programs within a testbed network.
Also, during the class, I participated in two Capture The Flag (CTF) exercises (which are organized every year by Prof. Vigna) where, together with other students in the class, I could practice attacking other systems as well as defending my team's system. As a result, after that class, I had the background necessary to further develop my hacking skills on my own as well as be able to work on various security problems.
Later I was very lucky to be involved in setting up the UCSB International CTF which was organized by Prof. Vigna on June 10th, 2005. This provided me with a valuable experience being on the organizers' side and helped me to improve my system administration, networking, and network traffic analysis skills.
R: How did you join team Shellphish?
V: Hmmm, I did not really join the team ... Everybody in the RSG is a member of the Shellphish team :-).
R: Did you have a specific role on the team? If yes, can you describe it?
V: During the DefCon CTF I was a "human IDS." I was analyzing (using scripts and manually) network traffic in real time looking for attacks on our system. This helped the team to discover many successful attacks on our system, find out which particular vulnerabilities were exploited, patch the system, and even reuse some of the attacks against the other teams.
[Note: Against sophisticated intruders, only human analysts can prevail.]
R: What was it like to compete at Def Con? Did it meet your expectations?
V: I was dreaming about competing at DefCon the whole year and it certainly met my best expectations! :-) I don't have enough words to describe the feeling that I had sitting 3 days straight in front of the computer when I was absolutely consumed by the game. That is something everybody should experience for him/herself ;-).
I was very lucky to be a part of such an amazing team, to work together with the people whom I highly respect and from whom I have so many things to learn. What can be better?
When we came to DefCon this year, we did not care that much about winning, we simply wanted to enjoy ourselves doing the things that everybody in the team is fascinated with. And, it certainly worked out perfectly!
R: Do you plan to compete next year?
V: Of course.
R: What advice could you give to those who might like to compete, or have skills like yours?
V: Well, I am probably not the best person to give advice right now because I still have a long way to go myself, but if you ask ;-) ...
Knowing theory is not enough, you need to practice everything that you read about hacking or security (I don't mean attacking real systems, of course ;-).
There are many ways to do it, for example, install known vulnerable software on your own machine and write an exploit for it.
Also, even if you don't think that you have enough skills to actually compete at Defcon, sign up for the quals anyway and try it for yourself.
From my own experience, I can say that I learned many practical things from this year's quals, not to mention that it was incredibly fun :-). Also, what I am planning on working on now is to improve my scripting skills, which are very important when competing in real time.
Thanks to Vika for responding to my questions.
If you like these sorts of interviews, let me know. I plan to incorporate these sorts of stories into the TaoSecurity Podcast, when I get time to launch it.