Rules

These rules must be respected by all players.


I. Online pre-selection challenge

This website is the support of the pre-selection challenge for the final Capture The Flag event at European Cyber ​​Week in Rennes (see below). The pre-selection will take place from October 6 to October 21, 2018 for the final of November 21, 2018.

Attendance:

  • Participation in the pre-selection challenge is strictly individual (teamwork is not allowed). This edition includes the participation of European institutions and will therefore take place in English.
  • A visualization of the individual scores will be accessible on the one hand between all the participants and on the other hand between French or invited schools.
  • The selected candidates will then be invited to form the teams of their choice (team from the same school), with a maximum of 3 participants.
  • Subject to an individual level, nationals of the invited countries may form teams and 1 place in the final is reserved per nation.
  • The institutions of the nations invited for this edition are: Germany, Belgium, Estonia, Finland and Canada (Quebec)
  • All participants in the pre-selection challenge must be students and commit to providing authentic information. It is up to the schools to which the students belong to make a first check on the authenticity of the application.
  • Further verification for students selected for the final challenge will be done. A copy of the student card will be requested.
  • Each participant has the right to create only one account. Any participant violating this rule will be disqualified.
  • Each participant has the obligation to accept and respect these rules.
  • Any dispute will be submitted to the organizing committee of the event.
  • The selection for the final will be weighted according to the prorate of entries by school.

Qualifying Challenge:

  • The qualification challenge for the final is composed of several events divided into three categories: web, forensic and analysis of binaries. Each test yields a number of points specific to it which is indicated on the site.
  • The first of the successful candidates will receive 15 bonus points, the second 10 points and the third 5 bonus points.
  • In case of a tie, the first participant who validated the last event will be ranked highest.
  • Events are available from Friday, October 6, 2018 21:00 UTC + 2 to Sunday, October 21, 2018 23:00 UTC + 2.
  • The more points a participant earns, the better his ranking.
  • The flags to be recovered are of the form "ECW {MD5}"
  • The proofs published on the site are covered by the copyright. Any resumption is conditional on the respect of the intellectual property right with regard to authors and rights holders. In order to respect the work of the authors and the search work of the players:
    • The publication of solutions during the duration of the challenge is not allowed and is penalized.
    • Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.

Restrictions:

  • It is totally forbidden to attack another IP address than the one hosting the challenge (IP 54.36.205.82).
  • Any attack of type DOS or DDOS is formally forbidden.
  • Any attempt to manipulate the site will be penalized by the elimination of the player.
  • It is strictly forbidden to attack the infrastructure and website hosting the challenge. The only attacks allowed are those directly related to the different tests.
  • Any attempt to distort individual results by cooperation between participants will be sanctioned up to the final exclusion of the event.

Legislation:

  • The test is held in France, therefore, in accordance with the Data Protection Act and the General Data Protection Regulation (GDPR), each participant has a right to access, rectify and delete information about them. To exercise this right, simply send an email to the challenge administrators.
  • The player database and its processing comply with the requirements of the GDPR. In particular, the processed data respect the principle of minimization. Optimum protection of personal data is achieved through the implementation of data protection measures respecting the principle of traceability.
  • Competitors are subject to French law and in particular:
    • Article 323-1, paragraph 1 of the Penal Code: "The fact of fraudulently accessing or remaining in all or part of an automated data processing system is punishable by two years of imprisonment and 30,000 euros fine". The simple attempt is repressed in the same way (article 323-7 of the Penal Code)
    • Article 321-1, paragraph 2 of the Penal Code: "When this results in either the deletion or modification of data contained in the system, or an alteration of the functioning of this system, the penalty is three years' imprisonment and a fine of 45000 euros"
    • Article 323-3 of the Criminal Code: "The fraudulent introduction of data into an automated processing system or the fraudulent deletion or modification of the data contained therein is punishable by five years' imprisonment and 75000 euros fine"
    • Article 323-2 of the Penal Code: "The fact of hindering or distorting the operation of an automated data processing system is punishable by five years' imprisonment and a 75,000 euro fine. When this offense has been committed against a system of automated processing of personal data implemented by the State, the penalty is increased to seven years of imprisonment and a fine of € 100,000."

II. Final Challenge on the spot (Rennes)

This regulation concerns the final of the challenge which will take place on November 21, 2018 from 11am as part of the European Cyber ​​Week at the Jacobins convent in Rennes. This final round will consist of 16 teams of 3 candidates selected following the online preselection challenge.

Attendance:

  • All participants in the challenge final must be students and commit to providing authentic information.
  • Each participant has the obligation to accept and respect these rules.
  • Any dispute will be submitted to the organizing committee of the event.
  • Participation is subject to registration at one of the partner schools or universities.

Hardware:

  • It is strongly recommended that each participant come with his own laptop with a Kali Linux intrusion test distribution. Laptops may however be made available to certain participants if they have made a prior request by email to the organizing committee of the event before 9 November 2018.

Challenge:

  • The challenge will take place on Wednesday, November 21, 2018 from noon to 7 pm
  • Candidates will be welcomed from 11am by the representative of the cyber center of excellence, coordinator of the challenge, then can eat on site. A retex of the preselection by Thales from 12:00 am followed by a briefing by Airbus will precede the launch of the final at 13:00.
  • Each team is put in the role of cyber defense specialists to anticipate a campaign of attacks targeting communities. A few weeks after the unprecedented attack by the Wannacrypt ransomware, there are signs of a new attack campaign targeting communities as a matter of priority. In fact, once again an intelligence service was stolen data relating to an espionage project aimed mainly at connected cities infrastructure.

    These data (malicious codes, vulnerabilities, and operating modes), having been published on the Internet, the risk of their use by malicious actors is high. Power distribution network, traffic management, security or health are all potential targets of attacks with potentially dramatic consequences.

    The mayors of the 16 most connected cities gathered yesterday to jointly develop a crisis management plan. The best experts in European cyber security have been called to form a line of defense and try to avoid a new disaster. Your mission: take up this challenge by qualifying for the ECW 2018 Challenge final.

    You will start your mission directly connected inside the smart city operations center for which you are responsible.

    You will need:

    • Mapping the agency's network to identify the different services and potential vulnerabilities and then regain control over the systems compromised by the attackers.
    • Then strengthen the security of connected infrastructure and investigate the group of attackers behind the cyber attacks.

    Different information and related missions will be communicated to you as you progress.

  • Each hardship will allow to recover a "flag" which will then be validated and posted on a common portal of points, allowing the different teams an instantaneous follow-up of their classification and in fine at the end of the time allotted to the team having won the most points corresponding to the difficulty of the hardships.
  • In case of a tie, the team with the most complete and accurate network topology will be ranked highest. This assessment is left to the discretion of the organizing committee of the final round.
  • The flags to be recovered are of the form "ECW {MD5}".
  • The events set up as part of the final of the challenge are covered by copyright. Any resumption is conditional on the respect of the intellectual property right with regard to the authors and assigns. In order to respect the work of the authors and the search work of the players:
    • The publication of solutions during the duration of the challenge is not allowed and is penalized.
    • Fraud through the use of these solutions is strongly penalized by disqualification or cancellation of the relevant event.

Restrictions:

  • It is strictly forbidden to attack the infrastructure hosting the challenge and the score portal shared by the different teams. The only attacks allowed are those directly related to the different tests put in place in the virtual infrastructures for each team.
  • Each team has its own virtual infrastructure. It is strictly forbidden to enter the virtual infrastructure of another team in any way.