Capture the Flag (CTF) in computer security is an exercise in which participants attempt to find text strings, called "flags", which are secretly hidden in purposefully-vulnerable programs or websites. CTFs can be used for both competitive and educational purposes. In the two main variations of CTFs, participants steal flags either from other participants (attack/defense-style CTFs) or from organizers (jeopardy-style challenges). A mixed competition combines these two styles. [1] Competitions can include hiding flags in hardware devices, can be held online or in person, and can be advanced or entry-level. The game is inspired by the traditional outdoor sport of the same name.
Capture the Flag (CTF) is a cybersecurity competition that is used to test and develop computer security skills. It was first developed in 1996 at DEF CON, the largest cybersecurity conference in the United States, which is hosted annually in Las Vegas, Nevada. [2] The conference hosts a weekend of cybersecurity competitions, including its flagship CTF.
Two popular CTF formats are jeopardy and attack-defense. [3] Both formats test participants' knowledge of cybersecurity, but differ in objective. In the jeopardy format, participating teams must complete as many challenges as possible, of varying point values, from various categories such as cryptography, web exploitation, and reverse engineering. [4] In the attack-defense format, competing teams must defend their vulnerable computer systems while attacking their opponents' systems. [3]
The exercise involves a diverse array of tasks, including exploitation and password cracking, but there is little evidence showing how these tasks translate into the cybersecurity knowledge held by security experts. Recent research has shown that Capture the Flag tasks mainly cover technical knowledge but lack social topics such as social engineering and cybersecurity awareness. Researchers therefore recommend a focus on non-technical topics as well, in order to address advanced cyber threats. [5]
CTFs have been shown to be an effective way to improve cybersecurity education through gamification. [6] There are many examples of CTFs designed to teach cybersecurity skills to a wide variety of audiences, including PicoCTF, organized by the Carnegie Mellon CyLab and oriented towards high school students, and the Arizona State University-supported pwn.college. [7] [8] [9] Beyond educational CTF events and resources, CTFs have been shown to be a highly effective way to instill cybersecurity concepts in the classroom. [10] [11] CTFs have been included in undergraduate computer science classes such as Introduction to Information Security at the National University of Singapore. [12] CTFs are also popular in military academies. They are often included as part of the curriculum for cybersecurity courses, with the NSA-organized Cyber Exercise culminating in a CTF competition between the US service academies and military colleges. [13]
Many CTF organizers register their competition with the CTFtime platform. This allows the tracking of the position of teams over time and across competitions. [14] These competitions can be community, government or corporate. Since CTFtime began in 2011, seven teams have ranked #1 worldwide: "Plaid Parliament of Pwning", "More Smoked Leet Chicken", "Dragon Sector", "dcua", "Eat, Sleep, Pwn, Repeat", "perfect blue" and "organizers". Overall, "Plaid Parliament of Pwning" and "Dragon Sector" have placed first worldwide the most often, three times each. [15]
Every year there are dozens of CTFs organized in a variety of formats. Many CTFs are associated with cybersecurity conferences such as DEF CON, HITCON, and BSides. The DEF CON CTF, an attack-defence CTF, is notable for being one of the oldest CTF competitions to exist, and has been variously referred to as the "World Series", [16] "Superbowl", [9] [17] and "Olympics" [18] of hacking by media outlets. The Cybersecurity Awareness Worldwide (CSAW) CTF, hosted by NYU Tandon, is one of the largest open-entry competitions for students learning cybersecurity from around the world. [4] In 2021, it hosted over 1200 teams during the qualification round. [19]
In addition to conference-organized CTFs, many CTF clubs and teams organize CTF competitions. [20] Many CTF clubs and teams are associated with universities, such as the CMU-associated Plaid Parliament of Pwning, which hosts PlaidCTF, [4] and the ASU-associated Shellphish. [21]
Governmentally supported CTF competitions include the DARPA Cyber Grand Challenge and ENISA European Cybersecurity Challenge. In 2023, the US Space Force-sponsored Hack-a-Sat CTF competition included, for the first time, a live orbital satellite for participants to exploit. [22]
Corporations and other organizations sometimes use CTFs as a training or evaluation exercise. The benefits of CTFs are similar to those of using CTFs in an educational environment. In addition to internal CTF exercises, some corporations such as Google [23] and Tencent host publicly accessible CTF competitions.
L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. The group famously testified in front of Congress in 1998 on the topic of ‘Weak Computer Security in Government’.
DEF CON is a hacker convention held annually in Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, hardware modification, conference badges, and anything else that can be "hacked". The event consists of several tracks of speakers about computer- and hacking-related subjects, as well as cyber-security challenges and competitions. Contests held during the event are extremely varied and can range from creating the longest Wi-Fi connection to finding the most effective way to cool a beer in the Nevada heat.
Jeff Moss, also known as Dark Tangent, is an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.
George Francis Hotz, alias geohot, is an American security hacker, entrepreneur, and software engineer. He is known for developing iOS jailbreaks, reverse engineering the PlayStation 3, and for the subsequent lawsuit brought against him by Sony. From September 2015 onwards, he has been working on his vehicle automation machine learning company comma.ai. Since November 2022, Hotz has been working on tinygrad, a deep learning framework.
EC-Council is a cybersecurity certification, education, training, and services company based in Albuquerque, New Mexico.
David Brumley is a professor at Carnegie Mellon University. He is a well-known researcher in software security, network security, and applied cryptography. Prof. Brumley also worked for 5 years as a Computer Security Officer for Stanford University.
A computer security conference is a convention for individuals involved in computer security. They generally serve as meeting places for system and network administrators, hackers, and computer security experts.
Jeffrey Carr is a cybersecurity author, researcher, entrepreneur and consultant, who focuses on cyber warfare.
In hacking, a wargame is a cyber-security challenge and mind sport in which the competitors must exploit or defend a vulnerability in a system or application, and/or gain or prevent access to a computer system.
Radare2 is a complete framework for reverse-engineering and analyzing binaries, composed of a set of small utilities that can be used together or independently from the command line. Built around a disassembler for computer software which generates assembly language source code from machine-executable code, it supports a variety of executable formats for different processor architectures and operating systems.
Positive Hack Days (PHDays) is an annual international cybersecurity forum. It has been held by Positive Technologies since 2011. PHDays brings together IT and infosec experts, government officials, business representatives, students, and schoolchildren. The forum hosts talks and workshops on the most interesting information security topics, The Standoff cyberexercises, practical competitions in which participants analyze the security of industrial control systems, banking and mobile services, and web apps.
Lazarus Group is a hacker group made up of an unknown number of individuals, alleged to be run by the government of North Korea. While not much is known about the Lazarus Group, researchers have attributed many cyberattacks to them between 2010 and 2021. Originally a criminal group, the group has now been designated as an advanced persistent threat due to its intended nature, threat, and wide array of methods used when conducting an operation. Names given by cybersecurity organizations include Hidden Cobra and ZINC or Diamond Sleet. According to North Korean defector Kim Kuk-song, the unit is internally known in North Korea as 414 Liaison Office.
The 2016 Cyber Grand Challenge (CGC) was a challenge created by The Defense Advanced Research Projects Agency (DARPA) in order to develop automatic defense systems that can discover, prove, and correct software flaws in real-time.
PACTF was an annual web-based computer security Capture the Flag (CTF) competition for middle and high school students. It was founded by a group of students at Phillips Academy in Andover, Massachusetts. The competition's sponsors include the Abbot Academy Association at Phillips Academy; the Information Networking Institute and CyLab at Carnegie Mellon University; the Hariri Institute for Computing, Massachusetts Open Cloud (MOC) project, and Modular Approach to Cloud Security (MACS) project at Boston University; and other entities.
The Carnegie Mellon CyLab Security and Privacy Institute is a computer security research center at Carnegie Mellon University. Founded in 2003 as a university-wide research center, it involves more than 50 faculty and 100 graduate students from different departments and schools within the university. It is "one of the largest university-based cyber security research and education centers in the U.S."
Election cybersecurity or election security refers to the protection of elections and voting infrastructure from cyberattack or cyber threat – including the tampering with or infiltration of voting machines and equipment, election office networks and practices, and voter registration databases.
Chris Kubecka is an American computer security researcher and cyberwarfare specialist. In 2012, Kubecka was responsible for getting the Saudi Aramco network back up and running after it was hit by one of the world's most devastating Shamoon cyberattacks. Kubecka also helped halt a second wave of July 2009 cyberattacks against South Korea. Kubecka has worked for the US Air Force as a Loadmaster, the United States Space Command and is now CEO of HypaSec, a security firm she founded in 2015. She lives and works in the Netherlands.
Christopher James Hadnagy is an American author and information technology security consultant. He is recognized for his contributions to the field of social engineering in information security.
Magda Lilia Chelly is a Polish-Tunisian cybersecurity expert and is amongst the first Tunisian women to be on the advisory board of BlackHat Asia Executive Committee. Born in Krakow, Poland, and educated in Tunisia and France, Chelly worked as an IT consultant, university lecturer, business leader, and cybersecurity professional.
Cybersecurity in popular culture examines the various ways in which the themes and concepts related to cybersecurity have been portrayed and explored in different forms of popular culture, such as music, movies, television shows, and literature. As the digital age continues to expand and the importance of protecting computer systems, networks, and digital information grows, the awareness and understanding of cybersecurity have increasingly become a part of mainstream culture. Popular culture often portrays the gloomy underworld of cybersecurity, where unconventional tactics are used to combat a diverse range of threats to individuals, businesses, and governments. The integration of dark and mysterious elements into cybersecurity stories helps create a sense of uncertainty, rule-breaking, and intriguing ambiguity. This captures the public's attention and highlights the high stakes involved in the ongoing struggle to protect our digital world. This article highlights the creative works and cultural phenomena that have brought cybersecurity issues to the forefront, reflecting society's evolving relationship with technology, privacy, and digital security.