Found: Our Best Future Cyber Protectors in World’s Biggest Student-Led Cybersecurity Games

NYU Tandon Wraps Up 14th Cyber Security Awareness Week, Expanded to Universities in Abu Dhabi, France, India, and Israel


Teams hack together in the Capture The Flag competition during the 14th annual CSAW games at NYU Tandon School of Engineering. Pictured clockwise from top-left: Jason Lam, Brian Chen, Ashley Kim, and Aleksejs Popovs, members of the CTF team Don't Hack Alone from the Massachusetts Institute of Technology.

BROOKLYN, New York – The 14th annual New York University Cyber Security Awareness Week (CSAW) games — already the world’s largest and most comprehensive set of student-led security challenges — closed on Monday, November 13, in the last of five countries, setting records and surprises.

For the first time, the CSAW finals expanded to include students from across Europe hosted by Grenoble INP-Esisar, in Valence, France — one of six engineering schools of the Grenoble Institute of Technology — and Israeli students hosted by Ben-Gurion University in the new Advanced Technology Park in the Negev, Israel. CSAW Israel is organized by BGU’s Department of Software and Information Systems Engineering and the IBM Cyber Security Center of Excellence, located in Ben-Gurion University.

Universities and schools joined the Center for Cyber Security in NYU Abu Dhabi (CCSAD), which hosted finalists from the Middle East, North Africa and selected teams from Asia; the Indian Institute of Technology Kanpur (IIT Kanpur), one of the top universities for computer science education in India; and CSAW founding institution NYU Tandon School of Engineering in Brooklyn.

More than 400 elite students from high school through doctoral programs who had beaten over 12,000 participants from 98 countries in preliminary rounds gathered at four of the regional hubs November 9-11, 2017; in Israel, the CSAW finals ran November 12-13.

“The CSAW games have proved an outstanding tool to engage and educate students, and we are proud that this year we could reach students on three continents through our four university partners. Like us, they recognize that cybersecurity is borderless — and growing in opportunities for our students, with an anticipated shortfall of 1.8 million jobs worldwide by 2022,” said NYU Tandon Professor of Electrical and Computer Engineering Ramesh Karri, the faculty lead for NYU CSAW.

He continued: “In North America, CSAW finalists and our students who run the challenges have gone on to some of the most meaningful positions in industry, and others are preparing for a safer future by producing important research and teaching at universities across America. Our snowball is rolling — and growing internationally now. I’m also proud about this year’s addition of the CSAW Cyber Journalism Award, which we hope will encourage investigative reporting in the vital realms of privacy and security.”

The North American finals comprised six hotly contested competitions among 133 students and 46 teams, supported by over 40 judges from academia and industry. In the High School Forensics competition, the stakes were high — $1 million in NYU Tandon scholarships — as the young cyber sleuths tried to solve a murder mystery using digital clues. Altogether, a record 600 high school teams competed in CSAW preliminaries and 30 teams competed on site at three regional CSAW hubs.

The NYU Center for Cyber Security also offered doctoral scholarships and fellowships to the NYU Tandon School of Engineering to the first-place winners in the Capture The Flag (CTF), Embedded Security Challenge, and Applied Research Challenge at all five regional hubs.

(Watch csaw.engineering.nyu.edu for international winners and more details.)

For the first time in CSAW history, a team from Rensselaer Polytechnic Institute — solving a game-changing challenge in the last three minutes of the 36-hour competition — took the North American top prize in the signature CTF hacking competition for undergraduate students.

Another first: a CSAW competition for professionals rather than students. Andy Greenberg, senior writer for WIRED, won the inaugural NYU CSAW Cyber Journalism Award for the magazine’s July 2017 cover story, Lights Out: How An Entire Nation Became Russia's Test Lab for Cyberwar, which exposed Russian hacking of the Ukraine power grid. The competition was co-sponsored by NYU Tandon and the NYU Arthur L. Carter Journalism Institute.

Besides the competitions, including the six student challenges, NYU Tandon hosted an industry career fair, speeches, and networking events.

Capture The Flag

Players of all levels and ages registered for CTF, the flagship event of CSAW. After 48 hours of around-the-clock software hacking contests in September, a top-notch group of college students bested nearly 2,400 teams from 95 countries to become finalists at the five global CSAW hubs. For 36 straight hours, 10 North American teams competed in the infamously difficult student CTF final competition. CTFs are considered essential training for students and cybersecurity professionals.

First Place – Team RPISEC, Rensselaer Polytechnic, Troy, New York: Jack Dates (’20), Kareem El-Faramawi (’19), Josh Ferrell (’19), and Max Shavrick (’18).

The school has been a regular winner of both the CTF and the Security Quiz Bowl throughout CSAW’s history, and in each of the last three years RPISEC finished in the second or third CTF spots. This year, with two returning competitors from last year’s team, RPISEC not only took first place — ending an eight-year reign by Carnegie Mellon teams — but went directly from its nail-biting surge in the 36-hour competition to compete in the finals of the fast-paced Security Quiz Bowl alongside another RPI team that had also qualified for the difficult final round. It proved quite the CSAW for RPI: other RPI students successfully hacked a mobile phone and won top prize in the Red Balloon Hardware Hacking Contest.

Second Place – Team 1064CBread: Audrey Dutcher, University of California, Santa Barbara (’18); John Grosen, Massachusetts Institute of Technology (’20); Alex Mieburg, California Institute of Technology (’18); and J.P. Smith, University of Illinois, Urbana-Champaign (’17).

Originally formed as a team of high school students in Dos Pueblos High School in Goleta, California, the team members had been so impressive that CSAW organizers made a one-time exception to its undergraduates-only rule for CTF and allowed them to compete against university students. The team members stayed together and took on new teammates as they went off to their university studies. They have become a regular fixture at the CSAW finals, as has the next-generation team at Dos Pueblos, also called 1064CBread. For 2017, the elder 1064CBread team, apparently still fresh despite 36 hours of CTF, topped off their strong showing by taking third place in the rigorous trivia contest, the CSAW Security Quiz Bowl, that immediately followed the CTF.

Third Place – Team PPP, Carnegie Mellon: Corwin de Boor (’18), Samuel Kim (’20), Matthew Savage (’18), and Zachary Wade (’18). The team has been a CTF force since CSAW opened to schools beyond NYU Tandon, taking first place for eight consecutive years.

George Klees, Kevin Higgs, Noah Singer (middle three, left to right) from Montgomery Blair High School, Rockville, Maryland, accept their first place award in the North American High School Forensics competition

High School Forensics

The CSAW HSF challenge introduces high school-age novices to the cybersecurity field, attracting students who enjoy solving puzzles and encouraging newcomers to solve a fictional murder mystery using their digital skills. This year, two teams from Montgomery Blair High School in Rockville, Maryland, finished among the top three. The students were challenged to find clues in physical and digital evidence to unmask the identities of a murdering hacking squad.

First Place – Team b1c, Montgomery Blair High School, Rockville, Maryland: Kevin Higgs, George Klees, and Noah Singer. Both Klees and Singer competed last year, when the school took third place.

Second Place – Team Producing Perfection, Poolesville High School, Poolesville, Maryland:  Ching-Yuan Lin, Kevin Shen, and Claude Zou. Both Shen and Zou were part of Poolesville teams that placed first in 2015 and 2016.

Third Place – Team n0de, Montgomery Blair High School: Ian Rackow, William Wang, and Daniel Zhu. The three students were finalists with Team n0de in 2016.

Embedded Security Challenge

Founded in 2008, the Embedded Security Challenge — the oldest and largest hardware hacking competition in the world and the most difficult event at CSAW — contributes to worldwide scholarship in the emerging field.  The tournament employs a “red team, blue team” format that mimics real-world attacks. This year’s challenge, developed in partnership with the U.S. Office of Naval Research, required competitors to make programmable logic controllers more resilient to cybersecurity threats by employing novel fault detection and recovery techniques. Teams demonstrated their solutions on Raspberry Pi microchip platforms. The judging was difficult: only a half-point separated the top four contenders.


Rishabh Das (standing) and Team UAH of the University of Alabama, Huntsville won first place in the Embedded Security Challenge. Avi Weinstock (seated) was a member of Team RPISEC57, which won second place in the CSAW Security Quiz Bowl.

The competition is a cornerstone program of NYU’s hardware security group. Part of NYU Center for Cyber Security and comprising researchers at NYU Tandon and NYU Abu Dhabi, the group has become a leading force in microchip security. Participants and the student leaders of the competition have spread knowledge of the emerging field to leading universities as faculty members.

First Place – Team UAH, University of Alabama, Huntsville: Thiago Alves and Rishabh Das, advisor Professor Thomas Morris.

Second Place – Team CARES, University of Delaware: Patrick Cronin, Fateme Hosseini, and advisor Professor Chengmo Yang.

Third Place – Team Wildcats, University of New Hampshire: Timothy Harry, Ethan Stewart, Joshua Kuun, Zhiming Zhang, and advisor Professor Qiaoyan Yu. This is the third consecutive year that Team Wildcats won the third-place CSAW prize.

As a side hardware challenge, sponsor Red Balloon Security challenged students and professionals to hack the hardware of a VoIP phone to win a literal sack of cash and a drone.

Law and Policy

This competition attracts students who are interested in the nexus of law, policy, and emerging security issues. In the United States, teams presented their recommendations related to the disclosure of investigative methods that use computer code. The competition is led by NYU School of Law students with Zachary K. Goldman, Executive Director of the Center on Law and Security and an adjunct professor of law at NYU School of Law, serving in an advisory role.

First Place – United States Naval Academy: Morgan Giraud, Chris Kay, and Lexi Mendolia. Naval Academy teams have been among the top three winners every year since CSAW introduced the Policy Competition in 2014, and took top prize in 2015.

Second Place – Nihar Sheth of the University of Southern California, and Kartik Singh of the University of California, Berkeley.

Third Place – The Bush School of Government & Public Service, Texas A&M: Shannon Abbott and Anne Richmond.

Applied Research

Recognized as the leading competition for young cybersecurity researchers, the Applied Research Competition considers only peer-reviewed security papers that have already been accepted by scholarly journals and conferences. This year, top academics and practitioners in the field reviewed a record 170 papers to arrive at the list of finalists. During the CSAW final round, one of the student authors of each paper presented their research to judges, who reported a particularly difficult selection because of the impact they expect the research will have both immediately and in the future.

First Place – DRAMMER: Deterministic Rowhammer Attacks on Mobile Platforms. Presenter: Victor van der Veen, Vrije Universiteit Amsterdam. Co-authors: Yanick Fratantonio, Martina Lindorfer, and Giovanni Vigna, University of California, Santa Barbara; Daniel Gruss and Clementine Maurice, Graz University of Technology; Herbert Bos, Kaveh Razavi and Cristiano Giuffrida, Vrije Universiteit Amsterdam.

Second Place – NEZHA: Efficient Domain-Independent Differential Testing. Presenter: Theofilos Petsios, Columbia University. Co-authors: Adrian Tang, Salvatore Stolfo, Angelos D. Keromytis, and Suman Jana, all of Columbia University.

Third Place – NORAX: Enabling Execute-Only Memory for COTS Binaries on AArch64. Presenter: Yaohui Chen, Northeastern University. Co-authors: Dongli Zhang and Rui Qiao, Stony Brook University; Ruowen Wang, Ahmed Azab, Hayawardh Vijayakumar, and Wenbo Shen, Samsung Research America; Long Lu, Northeastern University.

Security Quiz Bowl

During the NYU Tandon CSAW finals, 42 teams — composed of finalists from other CSAW contests as well as students from throughout New York — tested their knowledge of security technology, history, and culture in a fun and fast-paced Security Quiz Bowl, leading up to the final round that followed on the heels of the 36-hour CTF. Undaunted by sleep deprivation, three of the four finalist teams were composed of CTF participants.

First Place – Team UMBC Cyber Dawgs, University of Maryland, Baltimore County: Seamus Burke (’20), Christopher Gardner (’18), Robert Galvan ('18), Zack Orndorff (’18).

Second Place – Team RPISEC57, Rensselaer Polytechnic: Aidan Noll (’19), Kevin Phoenix (’19), Avi Weinstock (doctoral candidate), and Anthony Delorenzo (’19).

Third Place – Team 1064CBread: Audrey Dutcher, University of California, Santa Barbara (’18); John Grosen, Massachusetts Institute of Technology (’20); Alex Mieburg, California Institute of Technology (’18); and J.P. Smith, University of Illinois, Urbana-Champaign (’17).

A Time to Learn and Network

CSAW was founded in 2003 not simply to engage and educate students but to introduce them to leading professionals and peers with whom they could form important networks once they became professionals and academics themselves. The 2017 NYU CSAW was no exception.

The keynote presentation was delivered by Andrew H. Tannenbaum, chief cybersecurity counsel for IBM Corporation, whose speech, “How Future Cyber Security Leaders Can Save the World,” explored Capture the Flag, both as a rough-and-tumble field game and as a metaphor for cyber security’s opportunities and challenges.  And nearly 30 corporate and government employers and universities were on hand to recruit CSAW finalists and other New York-area cybersecurity students for internships and career positions. Dino Dai Zovi, co-founder and CTO of Capsule8, keynoted the Security Expert Luncheon with insight into scaling up security using automation techniques.


Note: Images at http://dam.engineering.nyu.edu/?c=2002&k=82eaa3b204.

 

About the NYU Tandon School of Engineering
The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn. engineering.nyu.edu.

About NYU Abu Dhabi
NYU Abu Dhabi consists of a highly selective liberal arts and science college (including engineering), and a world center for advanced research and scholarship — all fully integrated with each other and connected to NYU in New York. Together, NYU New York, NYU Abu Dhabi, and NYU Shanghai form the backbone of a unique global network university, with faculty and students from each campus spending "semesters away" at one or more of the numerous study-abroad sites NYU maintains on six continents. For more information, visit nyuad.nyu.edu/en.

About IIT Kanpur
Indian Institute of Technology, Kanpur, is one of the premier institutions set up by the Government of India. Registered in 1959, the institute was assisted by nine leading institutions of the U.S.A. in the setting up of its academic programs and laboratories during the period 1962-72. With its record of path-breaking innovations and cutting-edge research, the institute is known the world over as a learning centre of repute in engineering, science and several inter-disciplinary areas. In addition to formal undergraduate and postgraduate courses, the institute has been active in research and development in areas of value to both industry and government. For more information, visit iitk.ac.in.

About Grenoble INP - Esisar
Grenoble INP - Esisar is part of the Grenoble Institute of Technology, which brings together six renowned engineering schools, close to the industrial world and open to international exchanges. The Grenoble Institute of Technology is one of Europe's leading technology universities, at the heart of innovation for more than a century. It offers a range of engineering, masters and doctoral courses both in French and in English, driven by world-class research in 37 laboratories, and 6 state-of-the-art technology platforms, developed in partnership with other institutions. Esisar engineers are trained in Embedded Systems and IT technologies, with a cutting-edge curriculum spanning Electronics, Computer Sciences/IT, Control and Networks. Esisar and the associated research laboratory LCI host the industrial chair of Excellence Trust which aims at developing innovative teaching and research programs in cybersecurity.

About Ben-Gurion University
Ben-Gurion University of the Negev is the fastest growing research university in Israel, fulfilling the vision of David Ben-Gurion, Israel’s first prime minister, who envisaged the future of Israel emerging from the Negev. From medicine to the humanities to the natural sciences, BGU conducts groundbreaking research and offers insightful instruction. The University is at the heart of Beer-Sheva's transformation into the country's cyber capital, where leading multi-national corporations leverage BGU’s expertise to generate innovative R&D. A third of Israel’s engineers graduate from BGU, with that number destined to rise as the IDF moves south and sends its brightest to swell the ranks of BGU’s student body. To accommodate that growth, BGU has launched an ambitious campaign to double the size of its main campus. As it counts up to its fiftieth anniversary, the University's research becomes ever more relevant as its global reach broadens. bgu.ac.il