World’s Largest Student Security Contest Names Top Cyber Sleuths, Hackers, and Researchers

Students from high schools through doctoral programs throughout America and beyond competed in the largest student-run security games November 12-14, 2015 in the final round of the 12th annual New York University Cyber Security Awareness Week (NYU CSAW).

Winnowed from approximately 20,000 participants worldwide who competed remotely in preliminary rounds of six separate competitions, some 150 finalists competed in the final rounds at the NYU Tandon School of Engineering for scholarships, cash prizes, and glory. They and their mentors spent the three days at seminars, networking events, and challenges designed by NYU students working with security professionals and faculty.

Winners of the NYU CSAW contest and highlights included:

Capture the Flag

The signature event of NYU CSAW, Capture the Flag (CTF), pitted 15 undergraduate teams in notoriously difficult hacking challenges that lasted 36 consecutive hours. The scene in the NYU gymnasium changed as the deadline neared: midnight pizza, thumping music videos, napping contestants stretched across folding chairs, and speed chess games played against CTF mentor and student leader emeritus Kevin Chung to clear the brain.

For the first time, contestants were also tasked with penetrating a retro Nintendo game specially designed by Vector 35. Company founder and CSAW judge Jordan Wiens explained that speed gamers employ the same techniques used in computer security, so games such as Pwn Adventure Z: Bearly Alive should become efficient training tools and gamers could potentially become a pool of talent for the data security industry, which is expected to suffer a shortage of 1.5 million experts by 2020.

For the seventh consecutive year, a Carnegie Mellon team took top honors in the CSAW CTF, this time wresting the win from a team that included two high school students and which led the contest until late in the 36-hour marathon hack.

Finishing in second place was a team called 1064CBread, which had formed while all its team members were students at Dos Pueblos High School in Goleta, California. Two team members graduated and went onto university but the team continues to play together, and the fourth studies at Thomas Jefferson High School of Science and Technology. The only Dos Pueblos student still playing on the CTF team, John Grosen, competed just yards away from his brother, Paul, who was playing as a finalist in the CSAW High School Forensics Competition (HSF) as part of the high school team from Dos Pueblos, also called 1064CBread.

Three of the four 1064CBread CTF contestants closed their 36-hour hackfest by immediately playing together in the CSAW Homeland Security Quiz. Apparently far from exhausted, they took second place in the fast-paced game show.

First place: PPP1, Carnegie Mellon University (Pittsburgh)
Team members: Ned Williamson, Tim Becker, Chris Ganas, Richard Zhu

Second place: 1064CBread
Team members: Andrew Dutcher, University of California, Santa Barbara; John Grosen, Dos Pueblos High School (Goleta, California); Samuel Kim, Thomas Jefferson High School of Science and Technology (Alexandria, Virginia); Alex Meiburg, California Institute of Technology (Pasadena).

Third place: Shellphish Nigiri, University of California, Santa Barbara         
Team members: Jake Corina, Siji Feng, Mark Mossberg, Schuyler Rosefield

Embedded Security Challenge

This year’s hardware security contest—the most difficult at NYU CSAW—challenged students to use their skills in the emerging field of homomorphic encryption to disable what is likely to become the next-generation voting system. To qualify for the final round, teams submitted papers describing the techniques they would use to stealthily disrupt voting. Finalists brought their programmable computer boards for the ultimate test and presented their solutions to a team of judges.

The only team able to hack the CSAW system designed by a team led by NYU Abu Dhabi doctoral student Nektarios Georgios Tsoutsos was from the University of Texas, Dallas. It was the second time UT Dallas took the gold medal in the Embedded Security Challenge (ESC): Its team won in 2011. This year’s team was mentored by Professor Yiorgos Makris and a new member of the UT Dallas faculty, Jeyavijayan (JV) Rajendran, former NYU Tandon student leader for the ESC.

The University of Central Florida repeated its podium showing, placing second in the ESC for the third consecutive year. Its mentor this year, Assistant Professor Yier Jin, was part of the winning ESC team in 2011 and a finalist in 2008 and 2009.

First place: TRELA, University of Texas, Dallas
Team members: Gaurav Rajavendra Reddy, Liwei Zhou, Mohammad-Mahdi Bidmeshki

Second place: SSL, University of Central Florida (Orlando)
Team members: Orlando Arias, Kelvin Ly, Jacob Wurm, Khoa Hoang

Third place: Wildcats, University of New Hampshire (Durham)
Team members: William Melanson, Chenghua She, Jaya Dofe

High School Digital Forensics

The 10 teams from the United States and two from Abu Dhabi playing in the final round of HSF in Brooklyn had already bested a record 800 teams from across the world that competed remotely in the preliminary rounds in September. The charge to the finalists: use their digital forensics skill to solve a fictitious murder mystery that involved financial crimes including Bitcoin.

At stake were $450,000 in scholarships, trophies, and an opportunity to network with some of the country’s best known professionals, academics, and university cybersecurity students.

For the first time, the Digital Forensics Consortium—a nonprofit founded by a former Department of Defense cyber investigator Jim Christy—brought its realistic crime scene to  NYU CSAW. Students donned gloves and searched a mannequin-criminal for digital evidence.

For the second year running, a team from Poolesville (Maryland) High School captured the top HSF honors—and this time the school also walked away with second place. That second-place team, “chicken nugger,” also won the US Digital Forensics Crime Scene Challenge. The winners walked off the awards stage with a plaque and a cuckoo's egg—the code name of the first computer espionage case, in 1986. Poolesville students have been finalists in every HSF since that contest’s inauguration in 2009.

Thomas Jefferson High School for Science and Technology in Alexandria, Virginia, was among the podium finishers for the second straight year. Another student from the school, Samuel Kim, placed second in CTF and the Homeland Security Quiz.

First Place: PHS Absol, Poolesville (Maryland) High School
Team members: Parth Oza, Kevin Shen, Claude Zou

Second Place: chicken nugger, Poolesville (Maryland) High School
Team members: Seungkyoon Bong, Karan Chawla, Matthew Feng   

Third Place: The Deductive Fuzzyhashers, Thomas Jefferson High School for Science and Technology, Alexandria, Virginia
Team members: Samuel Damashek, Hyo Won Kim, Fox Wilson  

Policy Competition

The NYU CSAW Policy Competition challenges students to propose public policy solutions to real-world computer security challenges. The 2015 challenge centered on the controversial question of whether or not the United States should implement a “bug bounty” program—a system of rewards for security researchers who find vulnerabilities in major software programs and networks. Although their proposals differed widely, all finalists recommended legislative changes that would eliminate penalties for white hat hacking that helps institutions find flaws in their networks.

Both the U.S. Naval Academy and the University of Illinois claimed winners for the second year of the contest’s existence.

First place: United States Naval Academy
Team members: MIDNs Zachary Dannelly, Max Goldwasser, William Young

Second place: NYU School of Law
Kevin Kirby, Clay Venetis

Third place: University of Illinois
Jeffrey Bigg, Magdala Boyer, Michael Burdi, Matt Loar

Applied Research Competition

The CSAW Applied Research Competition is a prestigious contest for graduate and doctoral-level security researchers who have published papers in the past year. An esteemed pool of 48 judges from academia and companies including Google, Facebook, AT&T, IBM, and others reviewed a record 82 submissions, selecting the 10 leading papers for presentation at CSAW.

First place: ObliVM: A Programming Framework for Secure Computation
Authors: Chang Liu, Xiao Wang, Kartik Nayak, Elaine Shi, University of Maryland; Yan Huang, Indiana University

Second place: Nomad: Mitigating Arbitrary Cloud Side Channels via Provider-Assisted Migration
Authors: Soo-Jin Moon, Vyas Sekar, Carnegie Mellon University; Michael K. Reiter, University of North Carolina

Third place: Preventing Use-after-free with Dangling Pointers Nullification
Authors: Byoungyoung Lee, Chengyu Song, Yeongjin Jang, Tielei Wang, Taesoo Kim, Wenke Lee, Georgia Institute of Technology; Long Lu, Stony Brook University

Department of Homeland Security Quiz

Open to every cybersecurity student who shows up during CSAW, only 11 teams reached the finals—many participants competing after the grueling 36 hours of the CTF. This year, the fast-paced game show sponsored by the U.S. Department of Homeland Security focused on control systems security but also included other technical and current affairs questions involving security. Contestants competed using iPod Touches with an app developed by NYU Tandon’s Kevin Chung.

Rensselaer Polytechnic Institute continued its historic dominance and took first place for the second year running, as well as third place. The second-place team, 1064CBread, consisted of three of the four contestants who took second place in CTF.

First place: RPISEC, Rensselaer Polytechnic Institute, Troy, New York
Team members: Patrick Biernat, Nick Burnett, Branden Clark, Austin Ralls

Second place: 1064CBread
Team members: Alex Meiburg, California Institute of Technology, Pasadena; John Grosen, Dos Pueblos High School (Goleta, California); Samuel Kim, Thomas Jefferson High School of Science and Technology, Alexandria, Virginia

Third place: RPISEC2, Rensselaer Polytechnic Institute, Troy, New York
Team members: Daniel Fitzgerald, Avraham Weinstock, Michael Macelletti

Educational Elements

Supplementing the competitions were speeches by noted security professionals, a career symposium for women considering entry-level jobs or mid-career switches, and a career fair in which nearly 30 prominent institutions sought to entice the talented students competing in CSAW and other cybersecurity students in the greater New York area for internships and full-time positions. The field has a shortage of more than 200,000 experts, so the CSAW finalists are always highly prized.

A new session opened NYU CSAW, introducing participants to tech startups and the venture capitalists who fund them. In the NYU Urban Future Lab overlooking Brooklyn and Manhattan, students also heard tips from entrepreneurs in NYU Tandon’s incubator initiative, recognized for its success throughout New York City.

Brendan Hannigan, general manager of the IBM Security Business Unit, outlined the escalating power of cyber criminals and urged students to join in technical and other solutions in his keynote address, “The Current State of Cyber Security-A New Era of Crime and Defenses.”

Goldman Sachs brought Managing Director Kevin Zerrusen and a panel of its foremost women in security to host Discovering Cyber Security: A Women’s Symposium Workshop. They outlined the wide range of skill sets and opportunities in the field.

Closing NYU CSAW was Neil Hirschfield, deputy section manager of Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security, who stressed the need for expertise in protecting the automated control systems that are integral to manufacturing and infrastructure.

NYU students and volunteer judges spend months preparing challenges and organizing NYU CSAW, which has grown from an internal event at the school to one of the best known competitions for students. This year it was supported by a record 30 sponsors.

Sponsors for CSAW 2015 are Gold Level—U.S. Department of Homeland Security; Silver Level—Goldman Sachs, GitHub, IBM (which also hosted the welcome reception and a networking event for CTF and High School Forensics finalists), and MWR Info Security; Bronze—Bank of America, Facebook, FireEye, LifeLock, National Security Agency, Navy Civilian Careers-U.S. Navy, NCC Group USA, Oceans Edge Inc., Palantir, Palo Alto Networks, Qualcomm Inc., Raytheon, Two Sigma, and Yelp; Supporting Level—Accuvant, Bloomberg, Cubic, Cypher Tech Solutions, Intel Corporation, LIFARS, MIT Lincoln Laboratory, PWC, Rakuten Loyalty, Sandia National Laboratories, and the U.S. Secret Service. The Center for Advanced Technology in Communications at NYU Tandon is a CSAW partner.

NYU Tandon is an internationally recognized center for cyber security research, education, and policy. It has received all three Center of Excellence designations from the National Security Agency and the United States Cyber Command.  NYU Tandon has joined with other NYU schools to form the NYU Center for Cyber Security to research new approaches to security and privacy by combining security technology, psychology, law, public policy, and business. NYU Tandon Online, the school’s online learning unit, delivers 16 online graduate programs worldwide, including the virtual cyber security program, which was named the nation’s best online program by the Sloan Consortium (now the Online Learning Consortium) in 2011.

For more information on NYU CSAW, visit https://csaw.engineering.nyu.edu.

The NYU Tandon School of Engineering dates to 1854, when the NYU School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, innovation and entrepreneurship. In addition to programs at its main campus in downtown Brooklyn, it is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai, and it operates business incubators in downtown Manhattan and Brooklyn. For more information, visit http://engineering.nyu.edu.