The 14th annual New York University (NYU) Cyber Security Awareness Week (CSAW) games — already the world’s largest and most comprehensive set of student-led security challenges — closed on November 13, in the last of five countries, setting records and surprises.
For the first time, the CSAW finals expanded to include students from across Europe hosted by Grenoble INP-Esisar, in Valence, France — one of six engineering schools of the Grenoble Institute of Technology — and Israeli students hosted by Ben-Gurion University in the new Advanced Technology Park in the Negev, Israel. CSAW Israel is organized by BGU’s Department of Software and Information Systems Engineering and the IBM Cyber Security Center of Excellence, located in Ben-Gurion University.
Universities and schools also joined in at the Center for Cyber Security in NYU Abu Dhabi (CCSAD), which hosted finalists from the Middle East, North Africa and selected teams from Asia; at the Indian Institute of Technology Kanpur (IIT Kanpur), one of the top universities for computer science education in India; and CSAW founding institution NYU Tandon School of Engineering in Brooklyn.
More than 400 elite students from high school through doctoral programs who had beaten over 12,000 other participants from 98 countries in preliminary rounds gathered at four of the regional hubs November 9-11, 2017; in Israel, the CSAW finals ran November 12-13.
“The CSAW games have proved an outstanding tool to engage and educate students, and we are proud that this year we could reach students on three continents through our four university partners. Like us, they recognize that cybersecurity is borderless — and growing in opportunities for our students, with an anticipated shortfall of 1.8 million jobs worldwide by 2022,” said NYU Tandon Professor of Electrical and Computer Engineering Ramesh Karri, the faculty lead for NYU CSAW.
He continued: “In North America, CSAW finalists and our students who run the challenges have gone on to some of the most meaningful positions in industry, and others are preparing for a safer future by producing important research and teaching at universities across America. Our snowball is rolling — and growing internationally now. I’m also proud about this year’s addition of the CSAW Cyber Journalism Award, which we hope will encourage investigative reporting in the vital realms of privacy and security.”
The North American finals comprised six hotly contested competitions among 133 students and 46 teams, supported by over 40 judges from academia and industry. In the High School Forensics competition, the stakes were high — $1 million in NYU Tandon scholarships — as the young cyber sleuths tried to solve a murder mystery using digital clues. Altogether, a record 600 high school teams competed in CSAW preliminaries, and 30 teams competed on site at three regional CSAW hubs.
The NYU Center for Cyber Security also offered doctoral scholarships and fellowships to the NYU Tandon School of Engineering to the first-place winners in the Capture the Flag (CTF), Embedded Security Challenge, and Applied Research Challenge at all five regional hubs.
For the first time in CSAW history, a team from Rensselaer Polytechnic Institute — solving a game-changing challenge in the last three minutes of the 36-hour competition — took the North American top prize in the signature CTF hacking competition for undergraduate students.
Another first was a CSAW competition for professionals rather than students. Andy Greenberg, senior writer for WIRED, won the inaugural NYU CSAW Cyber Journalism Award for the magazine’s July 2017 cover story, Lights Out: How An Entire Nation Became Russia's Test Lab for Cyberwar. The competition was co-sponsored by NYU Tandon and the NYU Arthur L. Carter Journalism Institute, and exposed Russian hacking of the Ukraine power grid.
Besides the competitions, including the six student challenges, NYU Tandon hosted an industry career fair, speeches, and networking events.
Capture the Flag
CTF challenges are considered essential training for students and cybersecurity professionals, and players at all levels and ages registered for the flagship CTF event of CSAW. After 48 hours of around-the-clock software hacking contests in September, a top-notch group of college students bested nearly 2,400 teams from 95 countries to become finalists at the five global CSAW hubs. For 36 straight hours, 10 North American teams competed in the infamously difficult student CTF final competition.
Team RPISEC from Rensselaer Polytechnic Institute won the top prize in the 2017 Capture the Flag competition at the 2017 North American CSAW finals at NYU Tandon. Left to right: Josh Ferrell (’19), Kareem El-Faramawi (’19), Max Shavrick (’18), and Jack Dates (’20). At far right is Josh Hofing, one of the NYU Tandon student leaders who organized the CTF. (Image courtesy of NYU Tandon/Elena Olivo.)
This year, with two returning competitors from last year’s team, RPISEC not only took first place — ending an eight-year reign by Carnegie Mellon teams — but went directly from its nail-biting surge in the 36-hour competition to compete in the finals of the fast-paced Security Quiz Bowl alongside another RPI team that had also qualified for the difficult final round. It proved quite the CSAW for RPI: other RPI students successfully hacked a mobile phone and won top prize in the Red Balloon Hardware Hacking Contest.
Second Place – Team 1064CBread: Audrey Dutcher, University of California, Santa Barbara; John Grosen, Massachusetts Institute of Technology; Alex Mieburg, California Institute of Technology; and J.P. Smith, University of Illinois, Urbana-Champaign.
Originally formed as a team of high school students in Dos Pueblos High School in Goleta, California, the team members had been so impressive that CSAW organizers made a one-time exception to its undergraduates-only rule for CTF and allowed them to compete against university students. The team members stayed together and took on new teammates as they went off to their university studies.
They have become a regular fixture at the CSAW finals, as has the next-generation team at Dos Pueblos, also called 1064CBread. For 2017, the elder 1064CBread team, apparently still fresh despite 36 hours of CTF, topped off their strong showing by taking third place in the rigorous trivia contest, the CSAW Security Quiz Bowl, that immediately followed the CTF.
Third Place – Team PPP, Carnegie Mellon
This team has been a CTF force since CSAW opened to schools beyond NYU Tandon, taking first place for eight consecutive years.
High School Forensics
The CSAW HSF challenge introduces high school-age novices to the cybersecurity field, attracting students who enjoy solving puzzles and encouraging newcomers to solve a fictional murder mystery using their digital skills. This year, two teams from Montgomery Blair High School in Rockville, Maryland, finished among the top three. The students were challenged to find clues in physical and digital evidence to unmask the identities of a murdering hacking squad.
First Place – Team b1c, Montgomery Blair High School, Rockville, Maryland: Kevin Higgs, George Klees, and Noah Singer. Both Klees and Singer competed last year, when the school took third place.
Second Place – Team Producing Perfection, Poolesville High School, Poolesville, Maryland: Ching-Yuan Lin, Kevin Shen, and Claude Zou. Both Shen and Zou were part of Poolesville teams that placed first in 2015 and 2016.
Third Place – Team n0de, Montgomery Blair High School: Ian Rackow, William Wang, and Daniel Zhu. The three students were finalists with Team n0de in 2016.
Embedded Security Challenge
Founded in 2008, the Embedded Security Challenge — the oldest and largest hardware hacking competition in the world and the most difficult event at CSAW — contributes to worldwide scholarship in the emerging field. The tournament employs a “red team, blue team” format that mimics real-world attacks. This year’s challenge, developed in partnership with the U.S. Office of Naval Research, required competitors to make programmable logic controllers more resilient against cybersecurity threats by employing novel fault detection and recovery techniques. Teams demonstrated their solutions on Raspberry Pi microchip platforms. The judging was difficult: only a half-point separated the top four contenders.
Rishabh Das (standing) and Team UAH of the University of Alabama, Huntsville won first place in the Embedded Security Challenge. Avi Weinstock (seated) was a member of Team RPISEC57, which won second place in the CSAW Security Quiz Bowl.
The competition is a cornerstone program of NYU’s hardware security group. Part of NYU Center for Cyber Security and comprising researchers at NYU Tandon and NYU Abu Dhabi, the group has become a leading force in microchip security. Participants and the student leaders of the competition have spread knowledge of the emerging field to leading universities as faculty members.
First Place – Team UAH, University of Alabama, Huntsville
Second Place – Team CARES, University of Delaware
Third Place – Team Wildcats, University of New Hampshire. This is the third consecutive year that Team Wildcats won the third-place CSAW prize.
As a side hardware challenge, sponsor Red Balloon Security challenged students and professionals to hack the hardware of a VoIP phone to win a literal sack of cash and a drone.
Applied Research
Recognized as the leading competition for young cybersecurity researchers, the Applied Research Competition considers only peer-reviewed security papers that have already been accepted by scholarly journals and conferences. This year, top academics and practitioners in the field reviewed a record 170 papers to arrive at the list of finalists.
During the CSAW final round, one of the student authors of each paper presented their research to judges, who reported a particularly difficult selection because of the impact they expect the research will have both immediately and in the future.
First Place – DRAMMER: Deterministic Rowhammer Attacks on Mobile Platforms, From students collaborating from Vrije Universiteit Amsterdam, University of California, Santa Barbara, and Graz University of Technology
Second Place – NEZHA: Efficient Domain-Independent Differential Testing, from students at Columbia University.
Third Place – NORAX: Enabling Execute-Only Memory for COTS Binaries on AArch64, from students at Northeastern University, Stony Brook University, Northeastern University and Samsung Research America.
Security Quiz Bowl
During the NYU Tandon CSAW finals, 42 teams — comprised of finalists from other CSAW contests as well as students from throughout New York — tested their knowledge of security technology, history, and culture in a fun and fast-paced Security Quiz Bowl, leading up to the final round that followed on the heels of the 36-hour CTF. Undaunted by sleep deprivation, three of the four finalist teams were comprised of CTF participants.
First Place – Team UMBC Cyber Dawgs, University of Maryland, Baltimore County
Second Place – Team RPISEC57, Rensselaer Polytechnic
Third Place – Team 1064CBread: University of California, Santa Barbara,, Massachusetts Institute of Technology, California Institute of Technology and University of Illinois, Urbana-Champaign.
A Time to Learn and Network
CSAW was founded in 2003 not simply to engage and educate students but to introduce them to leading professionals and peers who would be able to form important networks when they would become professionals and academics themselves. The 2017 NYU CSAW was no exception.
The keynote presentation was delivered by Andrew H. Tannenbaum, chief cybersecurity counsel for IBM Corporation, whose speech, “How Future Cyber Security Leaders Can Save the World,” explored Capture the Flag, both as a rough-and-tumble field game and as a metaphor for cyber security’s opportunities and challenges. Nearly 30 corporate and government employers and universities were on hand to recruit CSAW finalists and other New York-area cybersecurity students for internships and career positions.
To learn more, visit the NYU Tandon CSAW website.
Source: NYU Tandon Newsroom