UK.gov unleashes 3D virtual world to train GCHQ's kiddie division

Cyber-workforce to learn in 'Cyphinx' land from an early age, just like Nork hackers


The next generation of Blighty's cybersecurity workforce is to be trained without even realising it, in a Cabinet Office-funded cyber skyscraper built "solely to find, test and recruit cyber talent".

The cyber skyscraper, which is pleasingly hosted in Skyscape's cloud, has been dubbed Cyphinx.

Cyphinx is a browser-based MMO-inspired platform for Play-on-Demand (PoD) cyber-security games and ciphers, running on the vuln-ignoring Unity's Web Player, with levels peppered with advertisements from sponsors.

According to Cyber Security Challenge UK's (CSCUK's) CEO Stephanie Damon, Cyphinx was developed in direct response to an ISC² study which estimated there would be a workforce cyber-skills shortage of 1.5 million by 2020.

Attending the launch, the Cabinet Office's deputy director at the Office for Cyber Security and Information Assurance, David Raw, stated that the gaming platform was a perfect fit for the Government's Cyber Security Strategy priorities.

"We believe Cyphinx has huge benefits in identifying the cyber professionals of the future," he said.

CSCUK's Jay Abbott, the techie project head, explained that although Cyphinx was currently just a portal to the PoD games, later contributions would develop immersive gaming experiences to complement players' current abilities, allowing them to show off their achievements and seek help through a mentoring system – due to launch later this week – in the skyscraper's lobby.

"We need to get back to gaming," said Abbot, who reminisced about his Commodore Amiga 1000 and noted a significant overlap between gamers and those with cyber-skills.

"It was a fundamental design feature of what we're doing, Cyphinx had to be an open platform which anyone could contribute to. The skyscraper has no limit to its floors, which don't even have to resemble floors. One could be a battleship," he said.

Abbott added that CSCUK's "engagement with schools and universities means that those at a similar level, across all levels, can compete against each other to develop the most difficult challenges".

Among the games launched is a Whitehatters Academy challenge, designed by Dave Mound, which encourages players to decipher a hidden message from an ego-hacker, before moving on to analyse geotagged tweets in an interesting introduction to Geospatial Intelligence.

Whitehatter Academy's initial hidden message.

Cyber Security Challenge UK's sponsors, both public and private, have declared their interests in the organisation as a means of mitigating a "cyber-skills shortage".

An event staged at HMS Belfast earlier this year was the culmination of a ten-month process to find new talent for Blighty's infosec workforce, and pitted 42 whitehats against the FSociety-esque Flag Day Associates.

In that instance, challenges had been developed by Lockheed and Airbus, with input from GCHQ and NCA, to handle a cyber-terrorist incident.

Cyphinx, however, features different challenges, including:

  • A game in which a corrupt worker has caused havoc on a room of full of computers and machines, requiring candidates to download and work through various files in order to restore the network, which was developed by a team of cyber-apprentices from Malvern aged between 17 and 20.
  • A game using the Minecraft platform to hide "codes in walls, behind pictures and in a virtual game of hopscotch".
  • A series of mini-challenges developed by Clearswift, which ask candidates to find hidden information within files buried by an employee.
  • A game created by pen-testing company ProCheckUp, in which candidates are asked to analyse a network trace using traditional methods of file extraction.

Games for Cyphinx were developed by Clearswift and ProCheckUp, as well as "talented cyber hobbyists", one of the youngest of which – Ben Rackliff – is 12 years old.

Rackliff told The Register about his game, Schlep, which requires players to investigate an office environment for suspicious items and security mistakes, including post-it notes showing Wi-Fi passwords and unattended and logged-in terminals.

Rackliff developed his game using Blender, a free and open-source 3D creation suite, which he supplemented with his own Python scripts.

Cyphinx is backed by the Cabinet Office and other public and private sector sponsors including BT, Northrop Grumman, SANS Institute, and Skyscape Cloud Services.

Those interested can sign up to Cyphinx on the Cyber Security Challenge UK website. ®


Other stories you might like

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • CISA and friends raise alarm on critical flaws in industrial equipment, infrastructure
    Nearly 60 holes found affecting 'more than 30,000' machines worldwide

    Updated Fifty-six vulnerabilities – some deemed critical – have been found in industrial operational technology (OT) systems from ten global manufacturers including Honeywell, Ericsson, Motorola, and Siemens, putting more than 30,000 devices worldwide at risk, according to private security researchers. 

    Some of these vulnerabilities received CVSS severity scores as high as 9.8 out of 10. That is particularly bad, considering these devices are used in critical infrastructure across the oil and gas, chemical, nuclear, power generation and distribution, manufacturing, water treatment and distribution, mining and building and automation industries. 

    The most serious security flaws include remote code execution (RCE) and firmware vulnerabilities. If exploited, these holes could potentially allow miscreants to shut down electrical and water systems, disrupt the food supply, change the ratio of ingredients to result in toxic mixtures, and … OK, you get the idea.

    Continue reading
  • 1Password's Insights tool to help admins monitor users' security practices
    Find the clown who chose 'password' as a password and make things right

    1Password, the Toronto-based maker of the identically named password manager, is adding a security analysis and advice tool called Insights from 1Password to its business-oriented product.

    Available to 1Password Business customers, Insights takes the form of a menu addition to the right-hand column of the application window. Clicking on the "Insights" option presents a dashboard for checking on data breaches, password health, and team usage of 1Password throughout an organization.

    "We designed Insights from 1Password to give IT and security admins broader visibility into potential security risks so businesses improve their understanding of the threats posed by employee behavior, and have clear steps to mitigate those issues," said Jeff Shiner, CEO of 1Password, in a statement.

    Continue reading

Biting the hand that feeds IT © 1998–2022