Virginia Tech team tops in cyber capture-the-flag
A group of Virginia Tech students took their skills to the bank this spring.
Seven computer engineering students took first place in MITRE’s Embedded Capture-the-Flag (eCTF) contest, which tasked them with designing a secure ATM banking system and then attacking the designs of 10 other universities.
“When we started, we were like, let’s just not get last, guys, because it was our first time,” said team member Riley Cooper.
Their competition included Massachusetts Institute of Technology, Tufts University, Northeastern University, and University of Nebraska Omaha.
Not only did the team score first place overall, they also were awarded the Iron Flag Award for best Defensive System and the Flag Factory Award for most flags captured.
“They were the strongest team this year,” said Jeff Hamalainen, an embedded security engineer who helped oversee the competition.
In its third year, the nonprofit research and development firm’s contest aims to improve embedded security education and build relationships with the universities where the subject is taught.
Embedded security focuses on safeguarding the type of low-power, low-cost small electronic devices that might fall out of the purview of traditional cybersecurity.
For the first half of the contest, each student team was supplied the basic framework for an ATM, an ATM card, and an online bank server.
“We took what they gave us and identified the flaws we saw and then tried to basically get rid of those flaws and make it more secure,” team member Ryan Burrow said.
Once the more-secure designs were submitted, universities began attacking one another’s systems in order to capture, “flags,” by exposing security flaws.
Despite being a game, team advisor and assistant professor of computer science Matthew Hicks stressed the level of difficulty the students were successfully navigating.
“They’re actually working around commercial-grade defense systems and still finding vulnerabilities,” Hicks said. “You’re really making a lot of concepts sink in, so maybe when they go into the real world and try to design things … they’ll have a head start on everyone else.”
The students said the competition tested their knowledge in ways far greater than a typical class exercise because the other university teams weren’t concerned about allowing for any level of success to promote learning.
“None of these systems were designed in a way where they want you to get in,” Burrow said. “There’s no expectation that we’re going to get anything out of another team’s system.”
The diversity of navigating and defending multiple security systems at one time also increased the difficulty of the contest.
“Usually when we’re taught security concepts, we’re taught one program at one time and this is how the program can be vulnerable,” Cooper said. “But this competition forced us to create multiple different pieces that all had to communicate, and that communication could become very complex in order to try to increase security.”
Hicks said that in his experience working with other industrial professionals, students with this type of experience have a big advantage in their job search.
“It would set you so far apart from the best students from other places. It would be like an automatic hire and make you very competitive for negotiations,” Hicks said.
— Written by Travis Williams