Students capture the cyber flag

Stu­dents Michael Weiss­bacher, left, and Amat Cama, right, are mem­bers of Northeastern’s Cap­ture the Flag team. Photo by Wil Robertson.

Ear­lier this month, more than 1000 teams across the globe tried to hack their way to a spot at the biggest cyber­se­cu­rity edu­ca­tion con­fer­ence around. Fif­teen teams were final­ists, earning travel grants to Cyber­se­cu­rity Aware­ness Week (CSAW) and the chance to par­tic­i­pate in the event’s Cap­ture the Flag Com­pe­ti­tion in November. With the guid­ance of Com­puter and Infor­ma­tion Sci­ences pro­fessor Wil Robertson, Northeastern’s team placed fifth in this qual­i­fying round, beating out the likes of Boston Uni­ver­sity and MIT. “The com­peting was stressful because only a few teams make it to the finals,” said third-​​year stu­dent Amat Cama. “It’s fun though, because the goal is to have a good time learning new things.”

The qual­i­fying com­pe­ti­tion and the later CSAW event are designed to test the skills of under­grad­uate stu­dents inter­ested in cyber­se­cu­rity. “The idea is to bring together a bunch of under­grads, people who are just starting their careers in secu­rity and expose them to issues to spark fur­ther interest,” said Robertson. By joining the com­pe­ti­tion, par­tic­i­pants are pro­vided access to a game net­work, which is iso­lated from the rest of the Internet. Each team, which con­sists of four players or less, is required to pro­tect a body of sen­si­tive data (akin to credit card infor­ma­tion in the real world) using a variety of ser­vices also pro­vided by the game host. Each of these has some kind of vul­ner­a­bility, just as real world pro­tec­tion soft­ware in its cur­rent form can never be truly secure.

The goal of the game is to hack through other teams’ secu­rity walls using your own pro­grams, therby gaining access to your com­peti­tors’ sen­si­tive data–or, cap­turing their flag, so to speak. This model of applying the attacker’s mindset is now widely accepted as a strategy for teaching cyber­se­cu­rity. “The focus is teaching people how to break stuff,” said Robertson. “Our view­point is that unless you under­stand the attacks it’s really dif­fi­cult to come up with robust defenses.”

Northeastern’s CTF team is just under a year old, but is has already par­tic­i­pated in a variety of CTF com­pe­ti­tions around the globe. The group meets on weekly basis to come up with strate­gies that may prove useful in a com­pe­ti­tion. Ulti­mately, though, they are never cer­tain what kinds of secu­rity pro­grams they will encounter, so they must be ready to think on their feet. “We do a lot of brain­storming and try to solve some of the chal­lenges together,” said Cama.

The CSAW com­pe­ti­tion will take place between November 15 and 17 at the Poly­technic Insti­tute of New York University.