What I learned from my first CTF

My older son is a hacker. He’s going off to school to learn to be a better hacker. And the way hackers compete for fun, apparently, is a game called Capture the Flag. Two weeks ago, my hacker started a new CTF. It looked so fun, I decided to give it a shot as well.

The game I joined was picoCTF. It works like this: you create an account (usually with a pseudonym) and solve challenges for points. Each challenge results in a “flag,” which you can enter into the website. The flags are often strings of numbers and characters, and they may be found in any number of ways and require a multitude of tools and skills. Here is the one that got me hooked:

You’ve found a mystery machine with a sticky note attached to it! Oh, there’s also this picture of the machine you found.

While I’ve talked about Enigma to my classes, I’d never actually used it before. And a lot of the challenges were like that for me. I knew about SQL injection, where a poorly coded website pastes whatever you type into a box like the login name straight into its database query, so that a crafted input runs as SQL instead of being treated as a name. Now, I have actually done it.
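As an added illustration (example code, not from the original post or from picoCTF), here is the login flaw described above against an in-memory SQLite table constructed for the demo, with the parameterized version beside it. The table, users and passwords are all made up.

```python
import sqlite3

# Constructed in-memory user table for the demo. A real site would store
# password hashes rather than plaintext, but the injection works the same way.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct horse battery"), ("bob", "hunter2")],
    )
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str):
    # The input is pasted straight into the SQL text, so the user controls
    # the structure of the query, not just its data.
    query = (
        f"SELECT name FROM users WHERE name = '{name}' "
        f"AND password = '{password}'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn: sqlite3.Connection, name: str, password: str):
    # Parameterized query: the values travel separately from the SQL, so a
    # quote or comment marker in the input is just a character in a string.
    row = conn.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    payload = "alice' --"   # closes the quoted name, then comments out the password check
    print(login_vulnerable(db, payload, "wrong"))   # alice
    print(login_safe(db, payload, "wrong"))         # None
```

The `--` payload works because SQLite, like most engines, ignores everything after `--` on a line; the `' OR '1'='1` family works because the injected OR makes the WHERE clause true for every row.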

Most of the questions took me between ten minutes and ten hours of research to solve. One particularly frustrating problem I finally managed dealt with decrypting an RSA-CRT ciphertext. I had to write a program in Python (in which I am not proficient) to solve it, using math I had never used before. While I’d heard of RSA and knew generally what it was used for, I had never bothered to look into the details. Now I know a lot more about both RSA and Python, including the difference between computing a modular exponent as x**y % n, which builds the enormous full power first and may take hours (or never finish), and using the three-argument pow(x, y, n), which reduces modulo n at every step and takes seconds.
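An added worked example (my code, not the picoCTF challenge or its intended solution) of what an RSA-CRT private key is and why `pow()` with a modulus is the only practical way to use it. The primes are constructed for the demo and far too small for real use; the recombination step is the standard one from PKCS#1.

```python
# Toy RSA key. The primes are constructed for this demo; the arithmetic is
# identical at real key sizes.
P = 1000000007
Q = 998244353
E = 65537
N = P * Q

def modinv(a: int, m: int) -> int:
    # Modular inverse via three-argument pow (Python 3.8+).
    return pow(a, -1, m)

def private_exponent(p: int, q: int, e: int) -> int:
    # d = e^-1 mod (p-1)(q-1): the textbook RSA private key.
    return modinv(e, (p - 1) * (q - 1))

def crt_params(p: int, q: int, d: int):
    # The three extra values a CRT private key carries (PKCS#1 names):
    # dP = d mod (p-1), dQ = d mod (q-1), qInv = q^-1 mod p.
    return d % (p - 1), d % (q - 1), modinv(q, p)

def encrypt(m: int, e: int = E, n: int = N) -> int:
    return pow(m, e, n)

def decrypt_plain(c: int, d: int, n: int = N) -> int:
    # pow(c, d, n) reduces mod n after every squaring and finishes instantly.
    # (c ** d) % n would first build a number of roughly 10**19 bits and
    # never return; that is the x**y versus pow() difference from the text.
    return pow(c, d, n)

def decrypt_crt(c: int, p: int, q: int, dp: int, dq: int, qinv: int) -> int:
    # Two half-size exponentiations instead of one full-size one, which is
    # why real implementations store dP, dQ and qInv alongside d.
    m1 = pow(c, dp, p)           # m mod p
    m2 = pow(c, dq, q)           # m mod q
    h = (qinv * (m1 - m2)) % p   # Garner's recombination
    return m2 + h * q            # the unique m in [0, p*q)

D = private_exponent(P, Q, E)
DP, DQ, QINV = crt_params(P, Q, D)

if __name__ == "__main__":
    c = encrypt(42)
    print(decrypt_crt(c, P, Q, DP, DQ, QINV), decrypt_plain(c, D))   # 42 42
```

In a CTF you are usually handed p, q, dP, dQ and qInv (or enough of them to derive the rest) and a ciphertext; `decrypt_crt` is the whole solution once the numbers are parsed.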

And this is the real value of the CTF to me. I have learned a lot of things that are good to know, such as the basics of assembly language or steganography. And I’ve learned to use some really neat tools, such as hex editors and debuggers. And I really got familiar with command-line tools such as nc and pico. And, aside from some help from my son, I learned all this on my own at the prompting of the contest. All for points which can’t be exchanged for anything but pride.

I highly recommend giving picoCTF a try. Even if you only solve a couple challenges, you are sure to learn something. I will definitely be taking some of these ideas into my classroom!




Breakout challenge


I made my 6th graders a second breakout challenge, after they kept clamoring for one. It was slightly too long for the 45 minutes they had, and did require some collaboration between groups. I had two groups out of 8 finish, both a few minutes after the 45 minutes. A number of other groups were close behind. The students said afterward that they had fun and that it wasn’t too difficult, but I would either use more time or a couple slightly easier puzzles next time.


Students given Black Ammo Box, Clue Sheet, and lockpicks

Black Ammo Box with lockout hasp, 3 locks
Lock 1- pickable clear padlock
Lock 2 – directional lock, clue #2, combo is Up – Left – Up – Right
Lock 3 – clue #1 Hex decodes to “How you get wifi + the ultimate answer” combo=WAP42

Inside box – Final Challenge sheet (taped in place to avoid box tampering)
Has website and quiz with clues to key (Key is TURING)

Website – “The clue is below:”
Clue is white text on white background, encrypted with Vigenere, key is given by quiz
Clue decodes to: Who was called the Father of Information Technology Tell Thom
Answer is Claude Shannon

Challenge skills:
Google search
Recognize hexadecimal numbers and decode to ASCII
Search hidden text on a website
Decrypt Vigenere cipher
Remember important CS facts
Find an IP address

Clue Sheet

48 6f 77 20 79 6f 75 20 67 65 74 20 77
69 66 69 20 2b 20 74 68 65 20 75 6c 74
69 6d 61 74 65 20 61 6e 73 77 65 72

Frogger! The Frogger Musical

Directional lock directions:
push hasp in twice to clear BEFORE putting in combination
Combination is four movements

Final Challenge

The final challenge is at https://sites.google.com/cliffvalley.org/finalpuzzle/home

You’ll need a key, though. Use the clues below to find it.

Which of the following is an input device?
Hard Drive E
Monitor S
Speakers K
Microphone T

What part of a computer processes information?

What are the first three digits of your computer’s IP address?
255 S
168 W
192 R
120 E

Which type of memory is the fastest?
Hard Drive D
Cache I
Flash Drive S

What is measured in GHz?
CPU speed N
Amount of memory C
IP Address D
Hard Drive F

What decimal number is represented in binary as 10011?
19 G
18 B
21 T
35 S
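For anyone building their own version, here is an added solver (example code, not part of the original challenge materials) for the two decoding steps above: the hex clue sheet for lock 3, and the Vigenère clue on the final web page. The page does not reproduce the actual ciphertext from the site, so the block encrypts the known plaintext under the quiz key TURING and decrypts it again; the ATTACKATDAWN/LEMON pair is the standard textbook test vector.

```python
# The hex clue sheet from the challenge above.
CLUE_HEX = """
48 6f 77 20 79 6f 75 20 67 65 74 20 77
69 66 69 20 2b 20 74 68 65 20 75 6c 74
69 6d 61 74 65 20 61 6e 73 77 65 72
"""

QUIZ_KEY = "TURING"
FINAL_CLUE = "Who was called the Father of Information Technology Tell Thom"

def hex_to_ascii(text: str) -> str:
    # Drop all whitespace and newlines, then read each pair of digits as a byte.
    return bytes.fromhex("".join(text.split())).decode("ascii")

def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    # Each letter shifts by the matching key letter (A=0 ... Z=25). The key
    # only advances on letters, so spaces and punctuation pass through and
    # the decrypted clue keeps its word boundaries.
    shifts = [ord(k) - ord("A") for k in key.upper() if k.isalpha()]
    out, ki = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = shifts[ki % len(shifts)]
            if decrypt:
                shift = -shift
            out.append(chr((ord(ch) - base + shift) % 26 + base))
            ki += 1
        else:
            out.append(ch)
    return "".join(out)

if __name__ == "__main__":
    print(hex_to_ascii(CLUE_HEX))              # How you get wifi + the ultimate answer
    hidden = vigenere(FINAL_CLUE, QUIZ_KEY)    # what the web page would carry
    print(hidden)
    print(vigenere(hidden, QUIZ_KEY, decrypt=True))
```

Students who try the Vigenère step by hand will also discover that a wrong key from a mis-answered quiz question decodes to gibberish, which is a useful check that the quiz answers are right.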

Malware email

Malware is malicious software that can infect your computer and affect its behavior. Malware includes viruses, worms, trojan horses, spyware, adware, ransomware, and more. These are classified by how they infect a system or by what they do afterward. For example, viruses spread when you open an infected file. Worms do not require any user action to spread: they move automatically over the network to unprotected computers. Malware can be a serious problem, but it is usually fairly easy to protect against these days.

There are just a couple of things to do to stay safe from malware. The most critical step is keeping your operating system up to date. Open Windows Update on a PC or Software Update on a Mac, and turn on automatic updating. The second thing is to be extra vigilant when opening emails. That’s really it! Those two habits will protect you from the large majority of the really harmful stuff.

That said, there are two types of malware you should be familiar with.

The most frequent malware I see recently is adware. This is often an extension installed in an internet browser, with a name suggesting that it allows people to work with PDFs, for example. When installed, the extension hijacks the browser to serve up ad sites, and may install other extensions as well. This type of malware is usually just an annoyance, but could also cause serious problems. Fortunately, removing it is usually as simple as deleting the extension in the internet browser settings.

A more dangerous type of malware is known as ransomware. When ransomware infects a computer, it encrypts the user’s files. It then demands a payment for the key to decrypt them. Ransomware has been on the rise recently, and has made tens of millions of dollars from businesses, hospitals, and schools. Because it has been so lucrative, ransomware attacks are expected to increase. If you are infected with ransomware, you should contact a professional immediately. The encryption is usually done properly, so there is no way to recover the files without the key; a recent backup that the infected computer cannot reach and overwrite is the only reliable way to get them back.

As with most security, the first line of defense is you. Take care when opening email attachments or clicking suspicious links.

Steps to take:

  • Make sure your operating system and software are up to date.
  • Be careful opening files from an unknown source, including email, even if the sender LOOKS like someone you know.
  • Keep your anti-virus software updated.
  • Make sure your system is backed up regularly.

Internet of things email

The “Internet of Things”, or IoT, is the name given to the barrage of consumer devices recently released that connect to the internet. These include security cameras, baby monitors, DVRs, thermostats, light bulbs, refrigerators, and all kinds of devices that somehow we can’t live without anymore. We tend to think of them as devices with a computer attached. These devices can be a huge security problem, though, and it is more accurate to think of them as a computer with a device attached. These devices sit behind your home network’s defenses and interact with all of your other devices in what should be a safe area. They are designed as consumer devices, and there is just not much concern for their security. Most users never change their default passwords or update their firmware, and many of these devices have backdoors that their owners have no control over. This makes them a rich target for hackers, who can take control of them and use them to attack other targets.

There are a number of steps you can take to protect your home network and limit your exposure to security risks. The first step is to secure your router, which I discussed in the last letter. That will secure your perimeter. Next you need to look at all of the devices that can punch holes through it.

You should take an inventory of all of the network-connected devices in your home. You will very likely be surprised at how many there are. They include all your computers, smart phones, tablets, and smart watches. Cable boxes, DVRs, and gaming consoles all connect, as do security systems and cameras. If you have Amazon’s Dash buttons or Echo, they go on the list. Smart thermostats, lighting systems, and networked speakers do as well. Most likely, you will need to include your printers. And there are a whole lot of new connected devices you probably don’t have yet: door locks, smoke detectors, washers and dryers. Pretty soon, everything will be connected.

The second step is to change the default passwords on each device and update its firmware. This may seem like a daunting task, but if you’ve started using a password manager (hint!) it will go a lot quicker. You can find directions on changing the passwords on the manufacturers’ websites. Updating firmware is only a little bit more tricky. Firmware is the built-in programming on a device, and will usually be updated periodically by the manufacturer. Unfortunately, the manufacturer usually leaves it to the consumer to check on available updates and install them. Consequently, it seldom happens. This is one of the most important steps you can take for securing these consumer devices, however, so set aside some time to do it! If your router offers a guest or separate wireless network, putting these devices on it is a worthwhile third step: a compromised gadget then cannot reach your computers and phones directly.


Computer backup email

Maybe the most critical piece of your information security is the backup. Backing up your data can save you in case of computer failure, malware infection, or just a bad user decision. I’ll give you some backup methods that are adequate for most people. However, if you have really critical information, you may need to take additional steps for complete security.

There are a number of ways to go about backing up, but the first step is to decide what you need to protect. It’s possible to back up an entire machine, so that absolutely everything can be restored to its prior condition. I usually recommend only backing up your personal data, as your operating system and software can usually be downloaded and reinstalled anyway. If you have small amounts of data, you may be able to use cheap or free cloud-based systems like Google Drive, Dropbox, Microsoft OneDrive, or Apple iCloud for your backups. This is a great way to keep your documents available to you wherever you are, as well.

For larger amounts of data, like photo and video collections, you need either a paid online backup, such as Mozy, CrashPlan, or Carbonite, or to backup locally to an external hard drive. The paid backups have a couple advantages. First, they are stored far away from your computer, which can protect you from physical disasters or theft. Second, the setup process is often a bit more intuitive.

Backing up your computer to an external hard drive also has some advantages. These devices are cheap and dependable, and backups are very fast. The software to back up is built into your computer. For a Mac, use Time Machine. For Windows 10 and 8, use File History. For Windows 7, use Windows Backup. You can set these programs to back up automatically as well, so that you don’t have to remember to do it. Do keep in mind that a drive left permanently plugged in can be encrypted by ransomware along with everything else, so disconnect it between backups or keep a second copy elsewhere.

Your work documents on your computer are automatically backed up. If you would like to access them remotely, however, I recommend moving them into your Google Drive, which is also backed up. This is as simple as opening Google Drive in a browser window, and dragging your files into it. As always, please come to me with any questions or for more specific help. And please, please, please back up your files!

Home network security email


You probably don’t think much about your home network. When it’s working correctly, you usually don’t need to. It’s worthwhile, though, to make sure that your network is secure, and that there’s a good barrier between what’s inside and outside your network. This can seem daunting, but taken a step at a time it is not too difficult. Your network will probably consist of one to three devices, fulfilling the roles of modem, router, wireless access, and firewall. You may need to look around to find the needed settings for each role, but they should all be there somewhere.


First, if your equipment is more than a couple years old, you should consider replacing it. You will almost certainly notice a boost in performance, as well as better security. If your internet provider supplied your equipment, they will probably give you updated equipment for the asking. Otherwise, there are many great options for relatively little money.


Before starting, you should write down the manufacturer and model number for each device. You’re going to need to find the manual for each device online, and record the default username and password. I recommend finding the procedure for a factory reset, just in case something goes wrong. The manual will also tell you the management address, which you will type into your internet browser. This is most commonly, but may differ according to the device. Once you pull up the management site, you’ll need to make a number of changes. The device may need to reboot between changes, so allow 45 minutes or so for the whole process.


  • Change the default password

This is the most critical step, and the one most often forgotten. If you do not change the default password of your network equipment, there is a good chance that your device will be hacked. One side of your equipment faces the internet, so anyone, anywhere, can probe it and try the factory default password, which is printed in the manual for every model.


  • Update the firmware

The manufacturer will patch security problems as they are identified. These are applied through firmware updates. You should check for updates every few months, at least. There should be an easy way in the management page to check for and apply these.


  • Disable remote management

Remote management allows you to change your device settings from the internet. Unless there is a specific reason you want to do this, you should turn the feature off.


  • Disable Universal Plug and Play (UPnP)

Universal Plug and Play is a feature meant to let certain devices and applications open holes through your firewall without asking you. It has a number of known vulnerabilities, and any compromised device or program on your network can use it to expose itself to the internet. Unless there is a specific reason you need this service, you should disable it.

  • Wifi settings

There are a number of settings needed to secure your wireless network. Most importantly, you should make sure you are using WPA2 encryption (or WPA3, if your equipment supports it) with a strong password. Without encryption, someone can easily monitor everything that goes over your wireless network from a quarter mile away. Make sure a good password protects your network. You should also change your network name (also called the SSID) to something other than the default, and avoid using identifying information in it. Finally, you should disable WPS. This is a service meant to make connecting easier, but its short PIN can be guessed in a matter of hours, which hands an attacker your wireless password.


This may seem like a lot of work, but it will go much faster than you may expect. Once it’s done you will have a fairly secure home network, and you won’t have to think about it again other than occasional checks for firmware updates.



Source: United States Computer Emergency Response Team


Password security email

Welcome to the third letter in my series of information security tips!


It’s time to talk about passwords. You know them. You hate them. We’re stuck with them. I’d be willing to bet that almost all of you have many poor passwords that are duplicated across a whole bunch of sites. Shame on you! Full disclosure: I did, too, until last week, when I went through the entire list and changed old and duplicate passwords in anticipation of this email. So do as I say…


Fortunately, there is a shortcut to good password management. It’s called a password manager! I use one called LastPass. It stores my passwords, protected by one super-strong password that I have written down in a safe place so that I can never forget it. I can retrieve my passwords from anywhere using a web browser or an app on my phone, and it will let me know if I have duplicate passwords, old passwords, passwords that have been compromised online, or other vulnerabilities. It will even generate random passwords for me, and since it can automatically fill in the passwords in websites it can make the passwords especially strong (and hard to remember).


I strongly recommend using a password manager. LastPass is great, and free. There are other reputable options as well. There’s really no reason not to start using one.


If you do decide to manage your passwords manually, there is a recommended way to produce secure but memorable passwords. Pick a long phrase and create a variation on it. For example, if you start with “A long time ago, in a galaxy far, far away,” you might create the password ALongta@44away. That’s a pretty good password, and you can probably remember it pretty quickly. For more detail on this method and passwords in general, see this link.
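An added example (my code, not LastPass’s or any manager’s) of the three checks the password manager paragraph above describes: flagging reused passwords, generating random ones, and checking a password against a breach list without sending the password anywhere. The breach check mirrors the k-anonymity “range” scheme used by public breach-lookup services: only the first five characters of the SHA-1 hash leave your machine. The vault and the breach corpus are constructed for the demo.

```python
import hashlib
import secrets
import string

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus, indexed the way a k-anonymity
# range service is: by the first five hex digits of the SHA-1 hash.
_BREACHED = ("password", "123456", "letmein", "qwerty")
_RANGE_INDEX: dict = {}
for _pw in _BREACHED:
    _h = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_h[:5], set()).add(_h[5:])

def range_lookup(prefix: str) -> set:
    # The only thing the "server" ever learns is this 5-character prefix,
    # which matches hundreds of unrelated passwords.
    return _RANGE_INDEX.get(prefix, set())

def is_breached(password: str) -> bool:
    h = sha1_hex(password)
    return h[5:] in range_lookup(h[:5])   # suffix matching happens locally

def find_reused(vault) -> dict:
    # vault: iterable of (site, password). Returns {password: [sites]} for
    # every password that appears on more than one site.
    by_password: dict = {}
    for site, pw in vault:
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

_ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 20) -> str:
    # secrets, not random: random is predictable and unfit for passwords.
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))

def audit(vault) -> list:
    # Returns (site, problem) pairs, in vault order.
    problems = []
    reused = find_reused(vault)
    for site, pw in vault:
        if pw in reused:
            problems.append((site, "reused"))
        if is_breached(pw):
            problems.append((site, "breached"))
    return problems

# Constructed vault for the demo.
VAULT = [
    ("bank.example", "letmein"),
    ("mail.example", "letmein"),
    ("shop.example", "Tr0ub4dor&3"),
]

if __name__ == "__main__":
    for site, problem in audit(VAULT):
        print(site, problem)
    print(generate_password())
```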


Another security feature you should be aware of is two-factor authentication. This means you need a password as well as another way to authenticate. This may be signing in from a known computer or receiving a code on a known email address or phone number. While this can be a hassle, it is definitely worthwhile on your critical accounts. Two-factor authentication is now mandatory on many financial accounts, in fact. You can often turn on two-factor authentication for accounts such as Google, Paypal, and Ebay, for example. It will be an option in the settings, and you should seriously consider enabling it.


Source: United States Computer Emergency Response Team


Phishing security email

Sent to my teachers and staff, names and addresses changed:

Welcome to the second letter in my series of information security tips!

Phishing is an attempt to get your information, including financial information, by masquerading as someone else. It most often takes the form of an email purporting to be from a trusted source. Take, for example, this recent real example from right here at Cliff Valley.

From: Head of School [mailto:head@school.org]

Sent: Wednesday, May 06, 2015 12:08 PM

To: Finance

Subject: Request

Hi Finance,

 Hope you are having a splendid day. I want you to quickly email me the details you will need to help me  process an outgoing wire transfer to another bank.

I will appreciate a swift email response.


Head of School

Finance recognized this as suspicious right away. But look at all the things this phishing attempt got right. It’s a well-written email, apparently from Head of School’s actual email address, with a perfectly reasonable request. There are also a number of red flags here, such as the slightly stilted language, the vagueness, and a few formatting issues. But place this email in an environment where people don’t know each other as well, and it seems pretty convincing! If Finance weren’t so sharp, the email response would go to the phisher (the address that replies actually go to is different from the sender address shown in the email, a trick known as spoofing), and money would quickly disappear from Cliff Valley’s bank account to an untraceable account. A phishing attempt that is targeted at specific people, like this one, is called “spear-phishing,” and can be very effective.

Phishing attempts happen all the time! Check your spam or junk mail folder, and it will likely be filled with mail apparently from your bank, FedEx, and social media sites. These may look exactly like actual email from these sites and may have links that lead to legitimate looking sites as well. There may not be any obvious warning signs that they’re phishing attempts.

Fortunately, there is a simple and reliable way to protect yourself from these. NEVER follow a link from an email to a financial site. Type the site’s name directly into the browser (do not cut and paste), and you can be sure to end up at the legitimate site. If you think you may have followed a suspicious link by mistake, log in to the legitimate site as soon as possible and change your password. Fortunately, most phishing attempts are easy to spot when you are looking for them. It’s important to be vigilant, however!
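As an added example (my code, not part of the original letter or of any mail filter the school uses), here is the check a mail filter applies to catch the spoofing described above: the sender shown in the From header is compared with the address replies would actually go to, and the body is scanned for the urgent-money language of the quoted message. The Reply-To address below is invented for the demo; the page does not show the phisher’s real return address.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the spear-phishing attempt quoted above.
# The Reply-To address is made up; only the From address and body wording
# come from the quoted email.
SUSPICIOUS = """\
From: Head of School <head@school.org>
Reply-To: Head of School <head.school@mail-example.net>
To: Finance <finance@school.org>
Subject: Request

Hi Finance,
I want you to quickly email me the details you will need to help me
process an outgoing wire transfer to another bank.
I will appreciate a swift email response.
"""

# Constructed ordinary message from the same sender, for comparison.
BENIGN = """\
From: Head of School <head@school.org>
To: Finance <finance@school.org>
Subject: Lunch

See you at noon.
"""

URGENT_MONEY_WORDS = ("wire transfer", "swift", "quickly", "urgent", "gift card")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""

def analyze(raw: str) -> list:
    # Returns the list of red flags found, empty for a clean message.
    msg = message_from_string(raw)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    # A reply goes to Reply-To if present, and bounces go to Return-Path;
    # either pointing at a different domain than From is the spoofing tell.
    for header in ("Reply-To", "Return-Path"):
        _, addr = parseaddr(msg.get(header, ""))
        if addr and _domain(addr) != _domain(from_addr):
            flags.append(f"{header.lower()}-domain-mismatch")
    body = msg.get_payload().lower()
    if any(word in body for word in URGENT_MONEY_WORDS):
        flags.append("urgent-financial-request")
    return flags

if __name__ == "__main__":
    print(analyze(SUSPICIOUS))   # ['reply-to-domain-mismatch', 'urgent-financial-request']
    print(analyze(BENIGN))       # []
```

Most mail clients hide Reply-To, which is exactly why the trick works on people; “show original” or “view headers” in the client reveals it.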