Background

On November 1, 2018 HyperQube let over 150 hackers into our infrastructure. Don’t worry, we did it on purpose. We hosted a global Capture The Flag (CTF) exercise with participants from universities all over the world. For those not familiar, participants in a CTF break into computers and retrieve a code word, the flag, to prove they did it. The competition was hosted by INCS-CoE (AKA InterNational Cyber Security Center of Excellence), a consortium of over 20 universities around the world founded by Keio University.

HyperQube is a “cyber range as a service” offering that enables enterprises to quickly and easily build an exact copy of any IT infrastructure. Our virtualized test environments can be built in minutes and just as easily modified, re-used and shared. The possibilities are infinite, but our technology was particularly helpful for solving the biggest pain points of international CTFs (unreliable connectivity to a virtual environment, inability to support international and real-time gameplay).

Our infrastructure held up – performed beautifully – but we learned several valuable lessons, which I want to share.

Lesson #1: Encourage good behavior

If you have over 150 hackers participating in a CTF exercise, the first thing they are going to do is try to break the platform hosting the CTF. Several hackers did break ours, so instead of immediately banning them and kicking them out of the competition, we asked them how they did it so we could fix the problem. The reaction we got was incredible. They wrote detailed explanations of how their exploits worked and even offered suggestions on how we could fix the problems.

Lesson #2: UUID is your friend

One of the easiest ways to try to hack a web app is to access a URL the developer had not intended. We use the Python web framework Django. There is a particular Django design pattern that can let users guess a URL they shouldn’t have access to. That pattern is as follows:

www.mywebsite.com/exercise/207

Where “exercise” is the type of an object and “207” is the unique id of the object in the database. But if that URL works, it is easy to guess that a valid URL might also be,

www.mywebsite.com/exercise/206

So instead of using the default Django primary key for the object, use a UUID instead. For example:

import uuid

from django.db import models

class Exercise(models.Model):
    # Random v4 UUID as the primary key instead of the auto-incrementing integer id
    id = models.UUIDField(primary_key=True, default=uuid.uuid4, editable=False)

This will result in a URL that is borderline impossible to guess:

www.mywebsite.com/exercise/bafda8d3-fa0e-4ae9-94d2-289ae398e980

Don’t use Django’s default primary keys for anything that could show up in a URL!
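As an added example (not HyperQube’s code), here is the same pattern modelled in plain Python with the standard library: an Exercise keyed by a random UUID, an id parser that behaves like Django’s `<uuid:...>` path converter (a malformed id such as "206" never reaches the lookup), and an ownership check, since an unguessable key narrows enumeration but is not by itself an authorization control. The in-memory store, user names and function names are constructed for this example.

```python
import uuid
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Exercise:
    owner: str
    name: str
    # Random v4 UUID as the key, mirroring the Django model's UUIDField.
    id: uuid.UUID = field(default_factory=uuid.uuid4)


# Constructed in-memory stand-in for the database table.
DB: Dict[uuid.UUID, Exercise] = {}


def create_exercise(owner: str, name: str) -> Exercise:
    ex = Exercise(owner, name)
    DB[ex.id] = ex
    return ex


def parse_exercise_id(raw: str) -> Optional[uuid.UUID]:
    """Like Django's <uuid:...> URL converter: only a well-formed UUID
    string is accepted; '206', '207' or garbage never reach the view."""
    try:
        return uuid.UUID(raw)
    except ValueError:
        return None


def get_exercise(requesting_user: str, raw_id: str) -> Optional[Exercise]:
    """View logic for /exercise/<id>. Returns None (a 404) both for an
    unknown or malformed id and for someone else's exercise, so the
    response does not reveal whether a guessed id exists at all."""
    ex_id = parse_exercise_id(raw_id)
    if ex_id is None:
        return None
    ex = DB.get(ex_id)
    if ex is None or ex.owner != requesting_user:
        return None
    return ex


if __name__ == "__main__":
    mine = create_exercise("alice", "recon-101")
    print(f"/exercise/{mine.id}")                     # unguessable path
    print(get_exercise("alice", str(mine.id)).name)   # recon-101
    print(get_exercise("bob", str(mine.id)))          # None: not bob's
    print(get_exercise("alice", "206"))               # None: malformed id
```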

Photo caption: Founder and CEO of HyperQube Craig Stevenson in Tokyo announcing the winners of the INCS-CoE Capture the Flag Competition, sponsored by Sasakawa USA

Lesson #3: Learn From Your Users

If you pay attention to your users, they may surprise you with their imagination. By giving users complete freedom, we were encouraging them to use their creativity to hack into machines. We were not disappointed. Because the environments are instrumented, we can record and play back the hacks our users used. The administrators become the students – and we’ll be better off because of that.

Launching in Q1 of next year, we will be offering access to our database of live hacks. If you are an AI or Machine Learning startup that needs access to a dataset, get in touch with us.