NUSec competitive cybersecurity team clinches a third – and final? – win
Thu 07.01.21 / Madelaine Millar
NUSec competitive cybersecurity team clinches a third – and final? – win
Thu 07.01.21 / Madelaine Millar
Thu 07.01.21 / Madelaine Millar
Thu 07.01.21 / Madelaine Millar
NUSec competitive cybersecurity team clinches a third – and final? – win
Thu 07.01.21 / Madelaine Millar
NUSec competitive cybersecurity team clinches a third – and final? – win
Thu 07.01.21 / Madelaine Millar
Thu 07.01.21 / Madelaine Millar
Thu 07.01.21 / Madelaine Millar
On the morning of April 15th, 2021, the NUSec competitive cybersecurity team felt good. They had a substantial lead in the MITRE Embedded Capture the Flag (eCTF), a capture-the-flag style competition focused on embedded systems security which they had won two years running.
However, as the clock ticked down the final hours of the attack phase of the competition, another team suddenly began collecting points – a lot of points. With less than 12 hours remaining, the NUSec team fell into second place.
“At this point, I was already asleep because I felt like, yeah, it’s the last couple hours, nothing happens, we should be safe,” said doctoral student Dennis Giese, the team’s captain. “[It was] the most stressful moment in the three-month competition. You have hours before the competition ends, and everything you did two months before – all the attacks and everything – is useless, because someone else figured out something. Now, you need to figure out what to do about that.”
The team called an emergency 2 a.m. meeting and spent the next two hours working to reverse-engineer and implement the other team’s strategy.
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase,” explained Erik Uhlmann (BSCS ’21). “If a team is [suddenly] submitting a lot of flags, that must mean they have some class of exploit that covers a lot of designs, and so that basically eliminates [the need to examine] any part of teams’ designs that is unique.”
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase.” – Erik Uhlmann
With mere hours left in the competition, the NUSec team uncovered the exploit — a vulnerability having to do with the environment provided by MITRE, which the NUSec team had initially believed would be off-limits — and turned it back against the challenging team, capturing enough flags to secure first place.
This marks the third consecutive win at the MITRE eCTF competition for the NUSec team. According to Guevara Noubir, executive director of cybersecurity programs at the Khoury College of Computer Sciences and the NUSec faculty advisor, this is very impressive; no other team has won the competition three years in a row.
“[The team has] quite good overlap in terms of capabilities, but they also complement each other in terms of [an] attitude towards problems. Some like to be very focused – they take a task and they focus on one specific aspect; others like to approach the problem from every angle, being creative about how to attack it themselves,” said Noubir. “The way they approach the problem is complementary, not only with the technical fixes but also in terms of attitude.”
The team was awarded $2,000 in prize money, which is being matched by Khoury College so they can attend DEF CON 29 later this summer. The four-day event features competitions, research talks, barbecues, and movie nights with top computer scientists from around the world, and opportunities to test individual skills against a variety of secure systems and devices. Giese, who describes DEF CON as a “summer camp for hackers,” will be speaking about the potential to hijack robotic vacuum cleaners to spy on people in their homes.
NUSec believes this ‘three-peat’ MITRE win may mark the end of their competitive career as a team. Uhlmann and Cameron Kennedy (BSCY ‘20), the team’s third member, have both graduated. Uhlmann is going straight into a position with MITRE that they secured in part thanks to their prowess at the eCTF competitions. Giese is entering a phase of his doctoral program that requires him to focus more on his research, leaving him with little time to lead a new team. Additionally, as Noubir pointed out, unlike many other college teams this is a team that competes out of a passion for cybersecurity rather than for class credit. As a result, there is no requirement or clear incentive for new members who haven’t yet developed a love of the game to join the team.
Uhlmann admitted they wish that more students had an interest in “doing CTF stuff,”; for them, the competitions have led to job offers, prize money, and travel opportunities. To new students who might be considering it, what would they say are the key attractions to getting involved? “It’s a lot of fun and it’s a valuable experience that can help you gain cybersecurity skills, make connections for your career, and maybe win some prize money too.”
On the morning of April 15th, 2021, the NUSec competitive cybersecurity team felt good. They had a substantial lead in the MITRE Embedded Capture the Flag (eCTF), a capture-the-flag style competition focused on embedded systems security which they had won two years running.
However, as the clock ticked down the final hours of the attack phase of the competition, another team suddenly began collecting points – a lot of points. With less than 12 hours remaining, the NUSec team fell into second place.
“At this point, I was already asleep because I felt like, yeah, it’s the last couple hours, nothing happens, we should be safe,” said doctoral student Dennis Giese, the team’s captain. “[It was] the most stressful moment in the three-month competition. You have hours before the competition ends, and everything you did two months before – all the attacks and everything – is useless, because someone else figured out something. Now, you need to figure out what to do about that.”
The team called an emergency 2 a.m. meeting and spent the next two hours working to reverse-engineer and implement the other team’s strategy.
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase,” explained Erik Uhlmann (BSCS ’21). “If a team is [suddenly] submitting a lot of flags, that must mean they have some class of exploit that covers a lot of designs, and so that basically eliminates [the need to examine] any part of teams’ designs that is unique.”
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase.” – Erik Uhlmann
With mere hours left in the competition, the NUSec team uncovered the exploit — a vulnerability having to do with the environment provided by MITRE, which the NUSec team had initially believed would be off-limits — and turned it back against the challenging team, capturing enough flags to secure first place.
This marks the third consecutive win at the MITRE eCTF competition for the NUSec team. According to Guevara Noubir, executive director of cybersecurity programs at the Khoury College of Computer Sciences and the NUSec faculty advisor, this is very impressive; no other team has won the competition three years in a row.
“[The team has] quite good overlap in terms of capabilities, but they also complement each other in terms of [an] attitude towards problems. Some like to be very focused – they take a task and they focus on one specific aspect; others like to approach the problem from every angle, being creative about how to attack it themselves,” said Noubir. “The way they approach the problem is complementary, not only with the technical fixes but also in terms of attitude.”
The team was awarded $2,000 in prize money, which is being matched by Khoury College so they can attend DEF CON 29 later this summer. The four-day event features competitions, research talks, barbecues, and movie nights with top computer scientists from around the world, and opportunities to test individual skills against a variety of secure systems and devices. Giese, who describes DEF CON as a “summer camp for hackers,” will be speaking about the potential to hijack robotic vacuum cleaners to spy on people in their homes.
NUSec believes this ‘three-peat’ MITRE win may mark the end of their competitive career as a team. Uhlmann and Cameron Kennedy (BSCY ‘20), the team’s third member, have both graduated. Uhlmann is going straight into a position with MITRE that they secured in part thanks to their prowess at the eCTF competitions. Giese is entering a phase of his doctoral program that requires him to focus more on his research, leaving him with little time to lead a new team. Additionally, as Noubir pointed out, unlike many other college teams this is a team that competes out of a passion for cybersecurity rather than for class credit. As a result, there is no requirement or clear incentive for new members who haven’t yet developed a love of the game to join the team.
Uhlmann admitted they wish that more students had an interest in “doing CTF stuff,”; for them, the competitions have led to job offers, prize money, and travel opportunities. To new students who might be considering it, what would they say are the key attractions to getting involved? “It’s a lot of fun and it’s a valuable experience that can help you gain cybersecurity skills, make connections for your career, and maybe win some prize money too.”
On the morning of April 15th, 2021, the NUSec competitive cybersecurity team felt good. They had a substantial lead in the MITRE Embedded Capture the Flag (eCTF), a capture-the-flag style competition focused on embedded systems security which they had won two years running.
However, as the clock ticked down the final hours of the attack phase of the competition, another team suddenly began collecting points – a lot of points. With less than 12 hours remaining, the NUSec team fell into second place.
“At this point, I was already asleep because I felt like, yeah, it’s the last couple hours, nothing happens, we should be safe,” said doctoral student Dennis Giese, the team’s captain. “[It was] the most stressful moment in the three-month competition. You have hours before the competition ends, and everything you did two months before – all the attacks and everything – is useless, because someone else figured out something. Now, you need to figure out what to do about that.”
The team called an emergency 2 a.m. meeting and spent the next two hours working to reverse-engineer and implement the other team’s strategy.
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase,” explained Erik Uhlmann (BSCS ’21). “If a team is [suddenly] submitting a lot of flags, that must mean they have some class of exploit that covers a lot of designs, and so that basically eliminates [the need to examine] any part of teams’ designs that is unique.”
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase.” – Erik Uhlmann
With mere hours left in the competition, the NUSec team uncovered the exploit — a vulnerability having to do with the environment provided by MITRE, which the NUSec team had initially believed would be off-limits — and turned it back against the challenging team, capturing enough flags to secure first place.
This marks the third consecutive win at the MITRE eCTF competition for the NUSec team. According to Guevara Noubir, executive director of cybersecurity programs at the Khoury College of Computer Sciences and the NUSec faculty advisor, this is very impressive; no other team has won the competition three years in a row.
“[The team has] quite good overlap in terms of capabilities, but they also complement each other in terms of [an] attitude towards problems. Some like to be very focused – they take a task and they focus on one specific aspect; others like to approach the problem from every angle, being creative about how to attack it themselves,” said Noubir. “The way they approach the problem is complementary, not only with the technical fixes but also in terms of attitude.”
The team was awarded $2,000 in prize money, which is being matched by Khoury College so they can attend DEF CON 29 later this summer. The four-day event features competitions, research talks, barbecues, and movie nights with top computer scientists from around the world, and opportunities to test individual skills against a variety of secure systems and devices. Giese, who describes DEF CON as a “summer camp for hackers,” will be speaking about the potential to hijack robotic vacuum cleaners to spy on people in their homes.
NUSec believes this ‘three-peat’ MITRE win may mark the end of their competitive career as a team. Uhlmann and Cameron Kennedy (BSCY ‘20), the team’s third member, have both graduated. Uhlmann is going straight into a position with MITRE that they secured in part thanks to their prowess at the eCTF competitions. Giese is entering a phase of his doctoral program that requires him to focus more on his research, leaving him with little time to lead a new team. Additionally, as Noubir pointed out, unlike many other college teams this is a team that competes out of a passion for cybersecurity rather than for class credit. As a result, there is no requirement or clear incentive for new members who haven’t yet developed a love of the game to join the team.
Uhlmann admitted they wish that more students had an interest in “doing CTF stuff,”; for them, the competitions have led to job offers, prize money, and travel opportunities. To new students who might be considering it, what would they say are the key attractions to getting involved? “It’s a lot of fun and it’s a valuable experience that can help you gain cybersecurity skills, make connections for your career, and maybe win some prize money too.”
On the morning of April 15th, 2021, the NUSec competitive cybersecurity team felt good. They had a substantial lead in the MITRE Embedded Capture the Flag (eCTF), a capture-the-flag style competition focused on embedded systems security which they had won two years running.
However, as the clock ticked down the final hours of the attack phase of the competition, another team suddenly began collecting points – a lot of points. With less than 12 hours remaining, the NUSec team fell into second place.
“At this point, I was already asleep because I felt like, yeah, it’s the last couple hours, nothing happens, we should be safe,” said doctoral student Dennis Giese, the team’s captain. “[It was] the most stressful moment in the three-month competition. You have hours before the competition ends, and everything you did two months before – all the attacks and everything – is useless, because someone else figured out something. Now, you need to figure out what to do about that.”
The team called an emergency 2 a.m. meeting and spent the next two hours working to reverse-engineer and implement the other team’s strategy.
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase,” explained Erik Uhlmann (BSCS ’21). “If a team is [suddenly] submitting a lot of flags, that must mean they have some class of exploit that covers a lot of designs, and so that basically eliminates [the need to examine] any part of teams’ designs that is unique.”
“The thing is, every design is very different – teams make their designs independently during the design phase, and so you see a lot of designs working in very fundamentally different ways once you enter the attack phase.” – Erik Uhlmann
With mere hours left in the competition, the NUSec team uncovered the exploit — a vulnerability having to do with the environment provided by MITRE, which the NUSec team had initially believed would be off-limits — and turned it back against the challenging team, capturing enough flags to secure first place.
This marks the third consecutive win at the MITRE eCTF competition for the NUSec team. According to Guevara Noubir, executive director of cybersecurity programs at the Khoury College of Computer Sciences and the NUSec faculty advisor, this is very impressive; no other team has won the competition three years in a row.
“[The team has] quite good overlap in terms of capabilities, but they also complement each other in terms of [an] attitude towards problems. Some like to be very focused – they take a task and they focus on one specific aspect; others like to approach the problem from every angle, being creative about how to attack it themselves,” said Noubir. “The way they approach the problem is complementary, not only with the technical fixes but also in terms of attitude.”
The team was awarded $2,000 in prize money, which is being matched by Khoury College so they can attend DEF CON 29 later this summer. The four-day event features competitions, research talks, barbecues, and movie nights with top computer scientists from around the world, and opportunities to test individual skills against a variety of secure systems and devices. Giese, who describes DEF CON as a “summer camp for hackers,” will be speaking about the potential to hijack robotic vacuum cleaners to spy on people in their homes.
NUSec believes this ‘three-peat’ MITRE win may mark the end of their competitive career as a team. Uhlmann and Cameron Kennedy (BSCY ‘20), the team’s third member, have both graduated. Uhlmann is going straight into a position with MITRE that they secured in part thanks to their prowess at the eCTF competitions. Giese is entering a phase of his doctoral program that requires him to focus more on his research, leaving him with little time to lead a new team. Additionally, as Noubir pointed out, unlike many other college teams this is a team that competes out of a passion for cybersecurity rather than for class credit. As a result, there is no requirement or clear incentive for new members who haven’t yet developed a love of the game to join the team.
Uhlmann admitted they wish that more students had an interest in “doing CTF stuff,”; for them, the competitions have led to job offers, prize money, and travel opportunities. To new students who might be considering it, what would they say are the key attractions to getting involved? “It’s a lot of fun and it’s a valuable experience that can help you gain cybersecurity skills, make connections for your career, and maybe win some prize money too.”