World's Biggest Student Cyber Security Contests Reveal Best Young Hackers and Researchers

NYU Polytechnic School of Engineering Cyber Security Awareness Week Awards Prizes and Scholarships to Students from High School through Doctoral Programs

Climaxing months of preliminary competitions involving tens of thousands of contestants, 18 North American teams ascended to the stage this weekend, winners of the world’s largest and most comprehensive student cyber security competition.

The 11th annual New York University Polytechnic School of Engineering Cyber Security Awareness Week (CSAW) brought to Brooklyn hundreds of student finalists from across the United States, Canada, and beyond, from November 12 to 15, to test their skills in hacking, protection, and detection. In yet other CSAW competitions, some of the world’s best young researchers presented their work; others designed government policy to protect the emerging Internet of Things—interconnected electronic devices found in more and more homes and offices.

Meanwhile, conferences and workshops for students and professionals addressed cutting-edge threats and offered pragmatic solutions. Yahoo Chief Information Security Officer Alex Stamos offered the young people career advice and outlined some of the most pressing ethical issues in privacy and security, telling students that they are living in a unique moment, when specialized engineers impact history as moral actors: “Your personal decisions will have an effect on hundreds, thousands, or even billions of people,” Stamos told the students in the keynote address.

The centerpiece event of CSAW is Capture The Flag (CTF), in which 15 teams of undergraduates won a trip to New York to compete in the final round of the world’s largest CTF. They had already bested more than 18,000 contestants from 75 countries in the preliminary rounds in September, and came to Brooklyn to undertake 36 straight hours of challenges developed by security experts working with NYU student team leaders.

For the sixth consecutive year, Carnegie Mellon University students finished in first place. Second place went to another Carnegie Mellon team, comprised of last year’s winner, George Hotz, who played solo last year but this year teamed with three freshmen. Hotz, well known in the security field, is recognized as the first person to unlock the iPhone. Rensselaer Polytechnic Institute, another school that regularly scores highly in the CSAW finals, finished in third place, and its students placed first and second in another contest, the fast-paced game show-like Homeland Security Quiz.

Another noteworthy team was fourth-place finisher 1064Bread, comprised of alumni of last year’s only high school CTF team, from Dos Pueblos (California) High School. This year, the one remaining member of the team still in high school, John Grosen, competed both in the 36-hour CTF and as a solo contestant in the High School Forensics competition.

Winners of the 2014 CTF were:

1st place with 4,000 points: team PPP1 of Carnegie Mellon University—Maxime Serrano (senior), Ryan Goulden (senior), Chris Williamson (senior), and Ned Williamson (junior)

2nd place with 3,500 points: team PPP2 of Carnegie Mellon University—George Hotz (junior), Christopher Ganas (freshman), Tim Becker (freshman), and Carolina Zarate (freshman)

3rd place with 3,150 points: team RPISEC of Rensselaer Polytechnic Institute—Markus Gaasedelen (senior), Sophia D’Antoine (senior), Patrick Biernat (junior), and Austin Ralls (sophomore)

Students in the High School Forensics challenge solved a fictitious retail store breach and murder mystery using digital evidence, including an Android mobile phone, and their knowledge of rootkit detection and analysis, steganography, file carving, and live system forensics.

The finalists were chosen from a record number of competitors in the preliminaries and won prizes for their school science programs, along with $10,000 scholarships each to the NYU School of Engineering. Each of the first-place finishers was also awarded a scholarship of up to $56,000, with significant scholarship winnings for runners up. Twelve teams of finalists, including two from Dubai, United Arab Emirates, competed as part of an international pilot.

The CSAW High School Forensics Challenge winners were:

1st place: team PHS 1437 of Poolesville (Md.) High School—Umesh Padia, Kent Ma, and Jonathan Ni

2nd place: team xD of Thomas Jefferson High School for Science and Technology (Alexandria, Va.)—Samuel Kim, Hyo Won Kim, and Hayden Hollenbeck

3rd place: team X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* of Pocono Mountain East High School (Swiftwater, Pennsylvania)—Gus Naughton, Brian Duhaime, and Alex Vanderpot

Just to be nominated for the Applied Research Paper Challenge, students needed to have published in a top-level scientific journal or peer-reviewed conference. Ten researchers were selected for the finals, where they presented their work to a blue-ribbon panel of judges. The Best Applied Research Paper winners were:

1st place: Vasileios Kemerlis, Columbia University, “ret2dir: Rethinking Kernel Isolation”

2nd place: Frederico Araujo, The University of Texas at Dallas, “From Patches to Honey-Patches: Lightweight Attacker-Misdirection, Deception, and Disinformation”

3rd place: Xiaoyong Zhou, Yeonjoon Lee, Nan Zhang, and Xiaofeng Wang of Indiana University, Bloomington; and Muhammad Naveed of the University of Illinois at Urbana-Champaign, “The Peril of Fragmentation: Security Hazards in Android Device Driver Customizations”

Five schools were selected as finalists in the inaugural CSAW Policy Competition. They developed and presented research on the best policy to implement to protect not only the currently interconnected electronic devices that comprise the Internet of Things, but devices that have not yet been invented. The winners were:

1st place: team [REDACTED] of computer science master’s degree students of the University of Illinois at Urbana-Champaign—Whitney Merrill and Nick Ciaglia

2nd place: team Frostbyte of undergraduate students of the United States Naval Academy—Xisen Tian (computer science/IT), Naadia Puri (cyber operations), and Nicolas Shyne (cyber operations)

3rd place: Team USNA of undergraduate students of the United States Naval Academy—Kevin Doran (quantitative economics), William Young (cyber operations), and Zane Markel (computer science)

The Embedded Security Challenge deals with the security and trustworthiness of hardware. This year, students were challenged to focus on emerging technologies and materials and to prove to us why they are valuable and secure. Representatives of 10 student teams were invited to the finals, where they presented their research to judges. All three winners were from Florida:

1st place: SECurity Researchers in Emerging Technology (SECRET), University of South Florida—Jayita Das and Kevin P. Scott

2nd place: SSL@UCF, University of Central Florida—Dean Sullivan, Yu Bi, and Kaveh Shamsi

3rd place: LOGICS, University of South Florida—Kenneth Ramclam, Anirudh Iyengar, Cheng Lin, and Jae-won Jang

All CSAW participants were eligible to participate in the Homeland Security Quiz, a game show that wrapped up the competitions on Saturday, November 15. Many of the CTF contestants broke from their 36-hour-long competition to qualify for the quiz, and a number of high school teams scored high in the finals. The winning teams were:

1st place: team RPISEC0 of Rensselaer Polytechnic Institute—Kibo Schaffer, Benjamin Kaiser, and Alex Bulazel

2nd place: team RPISEC1 of Rensselaer Polytechnic Institute—Patrick Biernat, Austin Ralls, Sophia D’Antoine, and Markus Gaasedelen

3rd place: team Catbug comprised of students who met at the NYU Polytechnic School of Engineering’s weekly Hack Nights: Stuyvesant High School (New York) junior Loren Maggiore, NYU School of Engineering freshman Christopher Thompson, and New York City College of Technology junior Nolan Hu.

CSAW was founded by Professor Nasir Memon, chair of the NYU School of Engineering Computer Science and Engineering Department, along with his students. Students continue to run the competitions, working with professionals and academics to ensure that the challenges are relevant and engaging to other students. 

But CSAW has grown in the past decade to become a valuable venue for security professionals to learn and connect and for security-oriented companies to recruit talent. A career fair drew some 30 top companies and government institutions to recruit for internships and career positions.  For the first time, a series of short workshops opened CSAW, in which professionals offered insights into today’s biggest information security issues. The THREADS conference on cutting-edge issues expanded to a second day, opened by featured speaker Michael Tiffany, CEO of White Ops. This year’s theme was automation. More than a dozen top researchers presented work designed to integrate security into modern software development and operations with a focus on automation, integration, detection, and response time. Presenters came from Facebook, Twitter, Yelp, Intel, GitHub, Harvard, the U.S. Defense Advanced Research Projects Agency (DARPA), and more, and National Security Agency Chief of Tailored Access Operations Robert Joyce delivered the keynote address to an audience of students and professionals who filled the school’s auditorium.

Sponsor participation in the CSAW games is crucial, and the 2014 competition benefited from the support of a record 33 partners. Gold Sponsor was the U.S. Department of Homeland Security; Silver Sponsors were GitHub and Yahoo; Bronze Sponsors were Bank of America, Facebook,  Lockheed Martin,  National Security Agency, NCC Group North America, Palantir, and Raytheon; and Supporting Sponsors were Accuvant,  BlackRock, Cigital, CipherTechs, FireEye, Goldman Sachs, Intel, Microsoft,  MIT Lincoln Laboratory, Motorola, NAVAIR, Ntrepid, Phoenix Contact,  PwC, Qualcomm, RSA, Sandia National Laboratories, SilverSky,  Stroz Friedberg, Trail of Bits, Two Sigma,  United States Secret Service, and Yelp.

CSAW is supported by the NYU School of Engineering’s Information Systems and Internet Security Laboratory, a security research environment where students gain a unique perspective and a foundation that allows them to master any area of cyber security. The lab is run solely by students and advised by hackers-in-residence and industry partners. Support also comes from the school’s Enterprise Learning unit, New York Information Security Meetup, and Peerlyst.

The NYU School of Engineering was one of the first universities to develop a cyber security program, launching its master’s degree in cyber security in 1999. Since then, alumni have advanced to careers as security product developers, security application programmers, security analysts, penetration testers, vulnerability analysts, and security architects. The school also offers numerous cyber security courses and extracurricular opportunities for undergraduates. It has received all three Center of Excellence designations from the National Security Agency and the United States Cyber Command. Its cyber security program was previously singled out by the Sloan Consortium as the outstanding graduate online program.