Vienna's tech University practises money laundering at hacking contest
Simulated money laundering was this year's task at the annual "International Capture The Flag" (iCTF) hacking contest. 87 teams made up of computer science students from around the world, including 14 from Germany and three from Austria, competed in the eight-hour tournament, organised by the University of California, Santa Barbara (UCSB). There was just one UK entry, which scored zero points. The We_0wn_You team from the Vienna University of Technology's Seclab took first place, overtaking the team from NRU ITMO in St. Petersburg, which had led for much of the competition. In third place, a respectable distance behind the top two, was the FluxFingers team from Germany's Ruhr University of Bochum.
Each team started with an identical system image with a range of outgoing services, such as email and SMS gateways. The objective was to patch the security vulnerabilities in these services, to defend the system from attacks and to keep it up and running. Teams earned 'dirty funds' by performing tricky tasks. To launder this money and exchange it for clean points, teams were required to steal hash values from other teams' systems. The exchange rate applied when converting money to points was modified depending on the level of security of the team's system (defence level).
Systems targeted for attack needed to be carefully selected. The more times hash values from a service were used, the greater the risk that the police would catch anyone using them, causing the user to forfeit the dirty money generated from their use. The team operating the hacked system was also awarded a cut of the laundered money. Teams could also tip off the police about other teams, making the exchange of hashes a little more complicated.
"The key to our success was our automated money laundering system, which automatically analysed risk", explained Adrian Dabrowski from Vienna University of Technology. "Depending on the odds, we either laundered money or passed the hash value to the police." Forwarding hash values to the virtual cops reduced the defence level of the compromised team and with it the money-to-points exchange rate.
The team from Vienna, which has previous form, having won the 2006 iCTF, has now qualified for Defcon CTF in summer 2012. In contrast to iCTF, which runs over the web, Defcon CTF requires teams to travel to Las Vegas. The team is now looking for sponsors.
(Daniel AJ Sokolov / crve)