Students capture the cyber flag

Students Michael Weissbacher, left, and Amat Cama, right, are members of Northeastern’s Capture the Flag team. Photo by Wil Robertson.

Earlier this month, more than 1000 teams across the globe tried to hack their way to a spot at the biggest cybersecurity education conference around. Fifteen teams were finalists, earning travel grants to Cybersecurity Awareness Week (CSAW) and the chance to participate in the event’s Capture the Flag Competition in November. With the guidance of Computer and Information Sciences professor Wil Robertson, Northeastern’s team placed fifth in this qualifying round, beating out the likes of Boston University and MIT. “The competing was stressful because only a few teams make it to the finals,” said third-year student Amat Cama. “It’s fun though, because the goal is to have a good time learning new things.”

The qualifying competition and the later CSAW event are designed to test the skills of undergraduate students interested in cybersecurity. “The idea is to bring together a bunch of undergrads, people who are just starting their careers in security and expose them to issues to spark further interest,” said Robertson. By joining the competition, participants are provided access to a game network, which is isolated from the rest of the Internet. Each team, which consists of four players or less, is required to protect a body of sensitive data (akin to credit card information in the real world) using a variety of services also provided by the game host. Each of these has some kind of vulnerability, just as real world protection software in its current form can never be truly secure.

The goal of the game is to hack through other teams’ security walls using your own programs, therby gaining access to your competitors’ sensitive data–or, capturing their flag, so to speak. This model of applying the attacker’s mindset is now widely accepted as a strategy for teaching cybersecurity. “The focus is teaching people how to break stuff,” said Robertson. “Our viewpoint is that unless you understand the attacks it’s really difficult to come up with robust defenses.”

Northeastern’s CTF team is just under a year old, but is has already participated in a variety of CTF competitions around the globe. The group meets on weekly basis to come up with strategies that may prove useful in a competition. Ultimately, though, they are never certain what kinds of security programs they will encounter, so they must be ready to think on their feet. “We do a lot of brainstorming and try to solve some of the challenges together,” said Cama.

The CSAW competition will take place between November 15 and 17 at the Polytechnic Institute of New York University.