Winner’s Circle – 2023 Hacker of the Year

I am excited to announce that our student Hacking Challenge has been solved.  Levi Keyton has claimed the title of Hacker of the Year in our 4th annual contest.  Levi solved our challenge in just under two days, bettering last year’s six.

Extreme Networks, Howard Education, and PCS sponsored the event give-aways this year.  Details on the challenge are posted below. Please join me in congratulating our champion, Levi Kayton.  His name will be on the Eckerd Hacker trophy outside the ITS front desk until next year.

3rd place: Andrew Kennedy

Past champions Alec Brandman (2022) and Penh Alicandro ’22 (2021, with Sam Randall) joined us to present the trophy to the new champion.

Left to right: Hailey Diaz, Levi Keyton, Alec Brandman, and Penh Alicandro. Photo by Anna Molina-Lense

2022 Champion Alec presents the trophy to Levi. Photo by Penh Alicandro

The Challenge

• First clue: an announcement that was an acrostic paragraph.  The paragraph was hint number one.  It spelled out the word countermeasure – hints on the page indicated you should edit the web page address (URL) to display the second clue
  • Acrostics are a simple example of hiding data inside other information. Examples go back many centuries.
• Second Clue: directed the user to the Hacker Hotline, a disused phone in Brown Hall. Once there, the nice voice on the phone directs you to join a Hidden Wifi Network (SSID), Hacker
  • Once you join the hidden SSID, the guest pass page directs you to the third clue
  • Experienced hackers look for open Wifi networks when they do physical reconnaissance. They also have access to tools to detect traffic on hidden Wifi SSIDs, so being hidden alone is not enough. This is why ECwifi requires layers of authentication (https://en.wikipedia.org/wiki/Protected_Extensible_Authentication_Protocol and https://en.wikipedia.org/wiki/MS-CHAP)
• Third Clue: “My emails from today” contains an obvious phishing message. Find the clue in the headers, and this takes you to the next clue
  • We receive fake or misleading emails almost every day. It’s important to be on guard against the many ways these enders try to make their email appear authentic (https://resources.infosecinstitute.com/topics/phishing/how-to-scan-email-headers-for-phishing-and-malicious-content/)
• Fourth Clue: Audio Steganography – we hid information in an audio file (both in the sound, by reversing a section), and in the metadata so the clue was accessible).
  • Steganography is an array of methods to hide data inside other data to bypass security mechanisms or permit exfiltration (https://en.wikipedia.org/wiki/Steganography)
• Fifth Clue: A blockchain ledger with a ringer entry, once you find it and replace the web address, you’re on to..
  • Blockchain ledgers are central to cryptocurrencies and other systems for immutable records of online transactions. https://en.wikipedia.org/wiki/Blockchain#:~:text=A%20blockchain%20is%20a%20distributed,nodes%20are%20represented%20by%20leaves).
• Sixth Clue: A puzzle involving discovering a server on the network, then using nmap and telnet to display the final clue
  • Nmap is a scanning tool, you can use it to discover hosts and services. In this case we are using it to find out what ports are open on our mystery server (https://en.wikipedia.org/wiki/Nmap)
  • Once you know your port, you can use nmap or telnet or other tools to connect, and a small python program returned the latitude and longitude to use for the final clue.
• Seventh Clue: A bluetooth beacon that displays the name of the winning page.
  • This involved installing a Bluetooth Beacon Scanner to find the beacon on the sailing cove observation deck and discover the final clue! (https://en.wikipedia.org/wiki/Bluetooth_Low_Energy_beacon)