Loading presentation...

Present Remotely

Send the link below via email or IM

Copy

Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.

DeleteCancel

A "Divergent"-themed Capture The Flag and Urban Race

2016 USENIX Advances in Security Education, Austin TX, Aug. 9, 2016
by

Wu-chang Feng

on 7 September 2017

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of A "Divergent"-themed Capture The Flag and Urban Race

Motivation
A ``Divergent''-themed CTF and Urban Race for
Introducing Security and Cryptography

CTF
Curriculum
Why?
Introduce students to computer security early

Camps and classes
CyberDiscovery, CyberPatriot, CyberAcademy, GenCyber

Capture-the-Flag (CTF) security games
picoCTF, hs-CTF, abctf
Expanding the security pipeline
Overview
Modules
Curriculum goals
Data encoding and cryptography
Security concepts and tools
Module #4: Modern ciphers
Public-key cryptography
Dominating set problem
Lecture format
Alternating lecture and collaborative practice
Each team given a puzzle made up of sub-puzzles
Individual members solve a sub-puzzle
Solutions combined
Enables horizontal learning
Format
24 scaffolded challenges
Given in sets during the week based on daily module
Designed to cultivate confidence and competence
Example
Structure
5 modules and a movie ("The Imitation Game")
No prior experience assumed
Module #1: Motivation
Importance of cryptography and security in history
This work
Goal: Create a positive first experience with computer security
Storyline
Idea
Embed CTF challenges into a familiar, contemporary story
Provide extra level of engagement
Challenges open up individual parts of story
"Divergent" series by Veronica Roth
Why Divergent?
Plot
CTF adaptation
Story of 5 clans
Dauntless, Abnegation, Erudite, Candor, Amity
"The Traitor" short story
Divergent as told through the eyes of Four
Four suspects plan to eliminate Abnegation
Works to break into computer systems of Dauntless and Erudite leaders to thwart plan
Uses shoulder surfing, backdoors, trojans, and rootkits
Four has disappeared just before camp
Tris contacts campers for help
Security Jeopardy!
Revisiting curricular goals
Introduce cryptography
Done via CTF challenges
Mechanics
Diary set in preceding month
Each entry describes a method Four employs
Tools and techniques central to computer security
Urban race
Live story
Capstone activity
CTF storyline leads to climax in the present
Pivot from scheduled lecture to live action
Students inserted into plot directly
~2 hour Urban Race finale
Using the material
Flow
Coined in 1990 by Mihaly Csikczentmihalyi
Single-minded focus on a task that aligns a person's emotions and motivation with objective at hand
Characterized by deep enjoyment, creativity, and a total involvement with life.
Powerful intrinsic motivator
Designing for Flow
Steven Kotler, "The Rise of Superman", 2014
Offerings
CyberDiscovery Portland State (7/2015)
Portland State New Beginnings (9/2015, 7/2016)
Lewis and Clark College (1/2016)
Lincoln High School (4/2016)
CyberPDX (7/2016)
Scaffolded CTF game to cultivate confidence and competence
Urban Race to augment learning with physical activity
Embedded fictional storyline to blend real and virtual world
Module #3: Simple ciphers
Transposition ciphers
Columnar transposition, Scytale
Example
Module #5: Cryptographic protocols
Man-in-the-Middle attacks
116 104 101 32 107 101 121 32 102 111 114 32 116 104 101 32 115 101 118 101 110 116 104 32 105 115
t h e k e y f o r
t h e s e v e n t
h i s
Example
Challenges
Encoded messages are CTF challenges
Printouts containing scaffolded levels
Must decode each to reveal key
Key unlocks an individual diary entry
Difficulty steadily increases
Familiar to this generation
Books > 30 million copies
Employ known triggers for flow
Within CTF
Clear goals
Balance of challenge and skill level
Immediate feedback
Rich environment
Additionally in urban race
Risk
Common, shared goal
Constant group communication
Story
Follow Four and figure out how he....
Story setup
Race
Modeled after CitySolve, ChallengeNation, Amazing Race
Tris relays a set of cryptographic clues given to Four
Once decrypted, clues send teams throughout campus
Communication with "virtual" Four to relay answers
the key for june

thirteenth is
Four-bot
Four as a Twitter bot
Gives illusion of interacting with the actual character
Takes answers and updates storyline state
Each team given independent story instance
Allows each team to "save the city"
First place team quietly given extra challenge
Leads to a lock box and special prize
Example entry
Uses a surveillance camera to obtain Max's password
Attempts to monitor all network traffic
Performs anonymous reconnaissance on Erudite systems
Installs a backdoor to maintain access to Max's computer
Discovers an intrusion detection system protecting the computer
Exfiltrates data covertly from the system
Covers his activity to avoid detection
Breaks the encryption employed on Max's files
Is caught via the use of a fake program
Attempts to subvert Max's hardened replacement computer
Employs a social engineering attack that fails as a result of a password manager
Attempts a session hijacking attack that fails due to script blocking and encryption
Exploits vulnerabilities to move laterally within the Erudite network
Uncovers an air-gapped system at the heart of the Erudite plan
Tris relays urgent message from Four
Trapped outside of Erudite control room
Protected by puzzles to ensure only Erudite get in
Module #2: Data encoding
Information in the digital age
Binary, hexadecimal, ASCII, barcodes, QR codes, steganography
AEGMNR
nededf
ahtese
lwtloa
ctfeah
.tse.l
GERMAN
defend
theeas
twallo
ftheca
stle..
Substitution ciphers
Monoalphabetic substitution (Caesar, simple)
Polyalphabetic substitution (Vigenere, Enigma)
Introduce security concepts and tools
Attempt to inspire curiosity and appreciation for computer security
Best done in context in a memorable way
Requires advanced cryptography skills
Gives each team Four's Twitter handle
Must be solved quickly with under 10 incorrect attempts
Knowledge of the Erudite (PSU) campus
Relevant plot to overall CyberPDX GenCyber camp
Use and abuse of technology
Diversity theme
Female protagonist
Importance of people with diverse skills and expertise
Computer security subplot amenable to adaptaion
Mihaly Csikczentmihalyi, "Flow: The Psychology of Optimal Experience", 1990.
Focus on intrinsic motivation
Simple, common gameplay mechanism
Decode message to find the key that unlocks a file
Focus on technical skills being developed
Printouts encode keys to unlock diary entries
From Four's control room security training
Training that is now being given to students
Clues include a USB key with an electronic diary on it and some printouts of encoded messages
Tris asks campers to find out what Four was working on
Use engagement in story and plot device of the diary
Four's first-person account of penetration testing
Jeopardy! mechanic
Actual tool or technique not disclosed directly
Puzzle within a puzzle
Students research an aspect of computer security to identify Four's method
Key in making engaging learning experiences
Often brought out in CTF events and games
For teachers
All course material available at:
https://cyberd.oregonctf.org
For access to source code to customize CTF or Urban Race
Contact wuchang@pdx.edu
Play the game
Copies of CTF challenges
Demo mini-urban race with prizes after session
2016 CyberPDX Urban Race Winners
Success?
Students
I liked the crypto challenges a lot because it was really satisfying to figure out the hidden codes.
Solving the crypto challenges. I thought that it was extremely well put together and was equally challenging and fun...The problem-solving and creativity part of this thread is something that everyone on our team enjoyed and appreciated.
The cryptography was a lot of fun to crack and solve.
Teachers
Love the puzzle within a puzzle hook and motivator.... Students definitely got into this.
The interconnectedness built into the progressive challenges was superbly handled, and the scavenger hunt was phenomenal!
Well planned and implemented. My students were able to apply their knowledge and have fun.
Specific feedback
Combined camp and CTF for introducing security topics in an engaging way
54 10th grade students (32 female, 23 male)
1=strongly disagree
5=strongly agree

I am more comfortable learning about cybersecurity. 4.24
I learned a lot about cybersecurity 4.53
I enjoyed learning about cybersecurity 4.30
I enjoyed the projects and activities at this camp 4.40
I would like to learn more about cybersecurity 4.02
CyberPDX student evaluation
An educational unicorn...
Full transcript