World’s Largest Student Cyber Security Contest Names Winners
Top Student Researchers, Hackers, and Cyber Sleuths Compete at NYU Tandon, NYU Abu Dhabi, And Indian Institute of Technology, Kanpur for Cyber Security Awareness Week Finals
Students from high schools through doctoral programs throughout North America, the Middle East, North Africa, and India competed in the final rounds of the world’s largest student-run security games, the 13th annual New York University Cyber Security Awareness Week (NYU CSAW), held November 12-14, 2016.
For the first time in the history of NYU CSAW, the final round of contests expanded beyond NYU Tandon School of Engineering in Downtown Brooklyn to regional hubs at NYU Abu Dhabi – for finalists from North Africa and the Middle East – and the Indian Institute of Technology, Kanpur (IIT Kanpur).
Finalists bested more than 10,000 students from more than 100 countries who competed remotely in preliminary rounds of six separate competitions. The best high school cyber sleuths tangled in the final rounds for over $1 million in scholarships. Additionally, the NYU Center for Cyber Security will offer doctoral scholarships and fellowships to the NYU Tandon School of Engineering to college-level finalists who prevailed against student hackers and researchers at NYU CSAW’s three hubs.
Capture the Flag
For the signature event of NYU CSAW, Capture the Flag (CTF), 34 teams from a preliminary field of more than 2,500 teams earned finalist slots in Brooklyn, Abu Dhabi, and Kanpur. Fifteen undergraduate teams in the United States, eight in the United Arab Emirates, and 11 in India competed in notoriously difficult final-round hacking challenges that lasted 36 consecutive hours.
In Brooklyn, a CTF challenge created by tech firm Vector 35 required contestants to reverse engineer a derivation of the popular Pokémon Go game. Players had to hack the game so that they could amass in hours a score that would normally take weeks or even months to achieve. “To do that requires real-world network analysis and program reverse-engineering skills,” said Jordan Wiens, CTF judge and co-founder of Vector 35. “These are the same kinds of tools the data security world has a dramatic need for right now.” Unemployment in cybersecurity hovers near zero, and according to estimates by Cisco, there are one million cybersecurity job vacancies this year alone, including more than 200,000 in the United States. Frost & Sullivan, in an often-cited report, predicts 1.5 million unfilled security positions worldwide by 2020.
The team 1064 Shellphish from the University of California (Santa Barbara) featured brothers Brandon and Andrew Dutcher. Andrew had competed in the CTF team 1064CBread, which won second place in 2015, when all members were graduates or students of Dos Pueblos High School in Goleta, California.
John Grosen, who was also on that original 1064CBread team, is now a freshman at the Massachusetts Institute of Technology and competed with MIT’s CTF team Don’t Hack Alone. His brother Paul, who competed last year as a freshman on Dos Pueblos High School’s High School Forensics (HSF) team 1064CBread, returned this year as well. The team became the first HSF competitor to place in NYU CSAW’s rigorous Department of Homeland Security Quiz.
For the eighth consecutive year in Brooklyn, a team from Carnegie Mellon took top honors in the CSAW CTF.
NYU Tandon Winners:
First place: PPP1, Carnegie Mellon University, Pittsburgh
Team members: Tim Becker, Corwin de Boor, Samuel Kim, Matthew Savage
Second place: RPISEC, Rensselaer Polytechnic Institute, Troy, New York
Team members: Nick Burnett, Joshua Ferrell, Kareem El-Faramawi, Branden Clark
Third place: Batman’s Kitchen, University of Washington, Seattle
Team members: Dan Arens, Stanley Hsieh, Alex Kirchhoff, Bo Wang
NYU Abu Dhabi Winners:
First place: dcua2, Mundiapolis University, Morocco
Team members: Amine Cherrai, Bilal Kardadou, Ilyas Rahmani, Mohammed Belcaid
Second place: MrAdmin, ENSIAS, Morocco
Team members: Anass Bouchnafa, Azzeddine Djekmani, Oualid Zaazaa, Yaakoub Najih
Third place: DC21321, Bordj Bou Arreridj University, Algeria
Team members: Adel Merabet, Mohamed Zehraoui, Ramzi Bourahli
IIT Kanpur Winners:
First place: InfoSecIITR, Indian Institute of Technology, Roorkee
Second place: Bi0s, Amrita University
Third Place: d4rkc0de, Indian Institute of Technology, Delhi
Embedded Security Challenge
This year’s hardware security competition — the most difficult hacking event at NYU CSAW — brought five finalists to Brooklyn, seven to NYU Abu Dhabi and two to IIT Kanpur. The challenge was designed by a team of top NYU security faculty and students mentored by NYU Assistant Professor Michail Maniatakos and Nektarios Tsoutsos, a computer science doctoral candidate studying under Maniatakos at NYU Abu Dhabi. Using special chipsets supplied by CSAW sponsor Intel, teams were tasked with modifying a configurable microchip to make it immune to memory corruption, a common attack used by hackers.
To qualify for the final round, teams submitted papers describing the techniques they would use to enhance a basic chip design so that memory corruption could not harm the system.
NYU Tandon Winners:
First place: KnightSec, The University of Central Florida, Orlando
Team members: Orlando Arias, Dean Sullivan, Heather Lawrence, Kelvin Ly
Mentor: Yier Jin
Second place: Esisar, Grenoble INP-ESISAR, France
Team members: Cyril Bresch, Adrien Michelet-Gignoux, Thomas Meyer, Laurent Amato
Mentor: David Hely
Third place: Wildcats, University of New Hampshire, Durham
Team members: Sean Kramer, Zhiming Zhang
Mentor: Qiaoyan Yu
NYU Abu Dhabi Winners:
First place: Breakfast Club(), NYU Abu Dhabi, U.A.E.
Team members: Pablo Pacareu, Pedro Zufiria, Martin Slosarik, Vasily Rudchenko
Second Place: Leopards, American University of Sharjah, Sharjah, U.A.E.
Team members: Shams Eddeen Shapsough, Aly Elhakim, Mazim Alikarar
Third place: Null, King Abdulaziz University, Jeddah, Saudi Arabia
Team members: Mohammed Ali Al Ghamdi, Majd Zaki Baik, Khalil Yahya Almenqash
IIT Kanpur Winners:
First place: Gandalf, IIT Madras
Team members: Prasanna Karthik, Patanjali SLPSK, Gnanambikai Krishnakumar
Faculty Adviser: Chester Rebeiro
Second Place: Smash Clean, IIT Kharagpur
Team members: Manaar Alam, Debapriya Basu Roy, Sarani Bhattacharya, Vidya Govindan
Faculty Advisors: Rajat Subhra Chakraborty, Debdeep Mukhopadhyay
High School Forensics
The finalists — 11 teams from the United States and 10 from the United Arab Emirates — had bested over 400 teams competing remotely in the preliminary rounds in September. The finalists competing on site at NYU Tandon and NYU Abu Dhabi faced a daunting challenge: solve a fictitious murder in part by obtaining the victim’s biometric data from real LG smart watches supplied to the teams by CSAW sponsor Google.
In the United States, top-performing teams from the Midwest, West, South, and Northeast earned prizes to travel to NYU Tandon in Brooklyn to compete in the finals. Additionally, seven wildcard teams were invited based on their outstanding scores. For the third year running, a team from Poolesville (Maryland) High School captured the top HSF honors. Poolesville, which had both a regional winner and a wildcard team in the finals this year, has fielded finalist teams in every HSF since that contest’s inauguration in 2009.
NYU Tandon Winners:
First Place: Transcendent Gluten-Free Pudding, Poolesville (Maryland) High School
Team members: Kevin Shen, Claude Zou, Parth Oza
Second Place: FailSec, Adlai E. Stevenson High School, Lincolnshire, Illinois
Team members: Austin Zhou, Jason Lu, Alexander Shi
Third Place: Darkside, Montgomery Blair High School, Silver Spring, Maryland
Team members: Noah Singer, George Klees, Andrew Komo
NYU Abu Dhabi Winners:
First place: Leaders, Leaders Private School, Sharjah, U.A.E.
Team members: Mulla Jaasim Mohammed Junaid, Jonathan Sumon, Pranav Joy
Second Place: The 404s, Greenwood International School, Dubai
Team members: Youssef Awad, Lutfil Hadi Bin Jumadi, Mohammad Ibrahim, Abdulla Sayed, Ahmad Alhashimi
Third place: Bohemian, Raha International School, Abu Dhabi
Team members: Lee Gungyu, Kim Jung Yun
Policy Competition
The third annual NYU CSAW Policy Competition, organized by the NYU Center for Cyber Security, challenged students to propose public policy solutions to real-world computer security challenges. This year finalists fashioned proposals addressing ways to appropriately align business incentives with the true costs of data insecurity.
First place: Antonin Scalia Law School, Arlington, Virginia; George Washington University School of Law, Washington, D.C.
Team members: Katie Morehead, Austin Mooney, Julian Flamant
Second place: United States Naval Academy, Annapolis, Maryland
Team members: Dennis Devey, Sydney Frankenberg
Third place: University of Illinois College of Law, Champaign, Illinois
Team members: Magdala Boyer, Michael Burdi, Matthew Chang, Kathleen Kramer, Matthew Loar, Mark Nagel, Bradley Williams
Applied Research Competition
The CSAW Applied Research Competition (ARC) is a prestigious contest for graduate and doctoral-level security researchers who have published papers in the past year. An esteemed pool of 41 judges from academia and companies including JPMorgan Chase, Trend Micro, EY, and Jefferies reviewed a record 90 papers (up from 82 last year), choosing 10 as finalists. Almost all were published in the four most prestigious scholarly conferences’ proceedings.
NYU Tandon Winners:
First place: Hidden Voice Commands
Authors: Nicholas Carlini, Pratyush Mishra, and David Wagner, University of California, Berkeley; Yuankai Zhang, Micah Sherr, Clay Shields, Tavish Vaidya (presenter), and Wenchao Zhou, Georgetown University
Second place: Trusted Browsers for Uncertain Times
Authors: David Kohlbrenner (presenter), Hovav Shacham, University of California, San Diego
Third place: Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence
Authors: Kan Yuan (presenter), Xiaofeng Wang, Luyi Xing, Indiana University, Bloomington; Raheem Beyah, Xiaojing Liao, Georgia Institute of Technology; Zhou Li (ACM member)
NYU Abu Dhabi Winners:
First Place: Post-Quantum Key Exchange – A New Hope
Author: Erdem Elkim, Ege University, Bornova/Izmir, Turkey
Second place: Sparse Polynomial Multiplication for Lattice-Based Cryptography with Small Complexity
Author: Sedat Akleylek, Ondokuz Mayis University, Atakum/Samsun, Turkey
Third place: Towards a Novel Privacy-Preserving Access Control Model Based on Blockchain Technology in IoT
Author: Aafaf Ouaddah, Cadi Ayyad University, Marrakesh, Morocco
IIT Kanpur Winners:
First place: Shuffling Across Rounds: A Lightweight Strategy to Counter Side-channel Attacks
Authors: Sikhar Patranabis, Debapriya Basu Roy, Praveen Kumar Vadnala, Debdeep Mukhopadhyay, Santosh Ghosh, IIT Kharagpur
Second place: Theory and Application of Delay Constraints in Arbiter PUF
Authors: Urbi Chatterjee, Rajat Subhra Chakraborty, Hitesh Kapoor, Debdeep Mukhopadhyay, IIT Kharagpur
Third place: Integrated Sensor: A Backdoor for Hardware Trojan Insertions?
Authors: Xuan Thuy Ngo, Zakaria Najm, Shivam Bhasin, Debapriya Basu Roy, Jean-Luc Danger, Sylvain Guilley, IIT Kharagpur
Department of Homeland Security Quiz
Twenty-one teams participated in the fast-paced contest sponsored by the U.S. Department of Homeland Security. Since the quiz is open to every cybersecurity student who shows up during CSAW at NYU Tandon, CTF competitors joined part-way through, coming off 36 straight hours of competition. The contest, run like a quiz show, was hosted by Jordan Wiens, founder of Vector 35; Brad Antoniewicz, NYU Tandon hacker in residence; and Bryan Hatton of Idaho National Labs.
NYU Tandon Winners:
First place: Don’t Hack Alone, Massachusetts Institute of Technology
Team members: John Grosen, Ashley Kim, Jason Lam, Aleksejs Popovs
Second place: Applied Research
Team members: Rui Qiao, Oleksii Starov, Stony Brook University; Tavish Vaidya, Georgetown University; David Kohlbrenner, University of California, San Diego
Third place: 1064CBread Jr., Dos Pueblos High School, Santa Barbara, California
Team members: Paul Grosen, Kenzie Togami, Kenyon Prater
NYU Abu Dhabi Winners:
First place: Youssef Awad, Hamza Khaled, Mohammed Ibrahim, Lutfil Hadi
Second place: Archit Tiwar, Yaakoub Najih, Satya Anirudh P., Ronit Pawar
Third Place: Ismail Turk, Mohammed Ali Al Ghamdi, Majd Baik, Mohammed Sinan
Educational Elements
Supplementing the competitions were speeches by Lucas Moody, chief information security officer at Palo Alto Networks, and Eduardo E. Cabrera, chief cybersecurity officer of Trend Micro. Cyber Investigations’ Lucie Hayward and Courtney Dayter, managing consultant and consultant, respectively, for Kroll, led “Women in Cybersecurity: Decrypt your Future,” a workshop for students and professionals.
For the first time CSAW included a one-day workshop on open source security software, “Security: Open Source.” Organized by Brendan Dolan-Gavitt, an assistant professor of computer science and engineering at NYU Tandon, the workshop featured developers discussing their software and how it has been used to solve real-world security problems.
The yearly career fair featured 20 prominent institutions that came to entice the talented students competing in CSAW and other cybersecurity students in the greater New York area for internships and full-time positions.
Closing NYU CSAW was Neil Hershfield, deputy section manager of Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) of the U.S. Department of Homeland Security, who spoke about the threat posed by control system malware and the dearth of analysts with control systems expertise.
NYU students and volunteer judges spend months preparing challenges and organizing NYU CSAW, which has grown from an internal event at the school to one of the best known competitions for students. This year it was supported by 26 sponsors.
For more information on CSAW, visit csaw.engineering.nyu.edu. Follow @CSAW_NYUTandon.
Sponsors for CSAW 2016 are: Gold Level — Palo Alto Networks, Trend Micro, and U.S. Department of Homeland Security; Silver Level — Bridgewater, Google, IBM, and Kroll; Bronze Level — Bank of America, Facebook, Jefferies, Navy Civilian Careers, NCC Group, Raytheon, Two Sigma; Supporting Level — Bloomberg, Cubic, EY, Intel, National Security Agency, Optiv, The Ruth & Jerome A. Siegel Foundation, Sandia National Laboratories, and U.S. Secret Service; Contributing Level — ACSA, Carnegie Mellon University, and Cigital.
NYU Tandon is an internationally recognized center for cybersecurity research and education. One of the first universities in the United States to offer a master’s degree in cybersecurity, it has received all three Center of Excellence designations from the National Security Agency and the United States Cyber Command. It joined with the School of Law and other NYU schools to form the NYU Center for Cybersecurity (CCS). This interdisciplinary consortium explores new approaches to security and privacy by reaching beyond technology in its research and education, as well as in outreach to shape the public discourse on policy, legal, and technological issues of cybersecurity.
Note: Images available at http://dam.poly.edu/?c=1854&k=b1d372354c
About IIT Kanpur
Indian Institute of Technology, Kanpur, is one of the premier institutions set up by the Government of India. Registered in 1959, the institute was assisted by nine leading institutions of U.S.A in the setting up of its academic programs and laboratories during the period 1962-72. With its record of path-breaking innovations and cutting edge research, the institute is known the world over as a learning centre of repute in engineering, science and several inter-disciplinary areas. In addition to formal undergraduate and postgraduate courses, the institute has been active in research and development in areas of value to both industry and government. For more information, visit www.iitk.ac.in.
About the NYU Tandon School of Engineering
The NYU Tandon School of Engineering dates to 1854, when the New York University School of Civil Engineering and Architecture as well as the Brooklyn Collegiate and Polytechnic Institute (widely known as Brooklyn Poly) were founded. Their successor institutions merged in January 2014 to create a comprehensive school of education and research in engineering and applied sciences, rooted in a tradition of invention, and entrepreneurship and dedicated to furthering technology in service to society. In addition to its main location in Brooklyn, NYU Tandon collaborates with other schools within the country’s largest private research university and is closely connected to engineering programs in NYU Abu Dhabi and NYU Shanghai. It operates business incubators in downtown Manhattan and Brooklyn and an award-winning online graduate program. For more information, visit engineering.nyu.edu.
About NYU Abu Dhabi
NYU Abu Dhabi consists of a highly selective liberal arts and science college (including engineering), and a world center for advanced research and scholarship — all fully integrated with each other and connected to NYU in New York. Together, NYU New York, NYU Abu Dhabi, and NYU Shanghai form the backbone of a unique global network university, with faculty and students from each campus spending "semesters away" at one or more of the numerous study-abroad sites NYU maintains on six continents. For more information, visit nyuad.nyu.edu/en.
About the NYU Center for Cyber Security
The NYU Center for Cybersecurity (CCS) is an interdisciplinary research institute dedicated to training the current and future generations of cybersecurity professionals and to shaping the public discourse and policy, legal, and technological landscape on issues of cybersecurity. NYU CCS is collaboration between NYU School of Law, NYU Tandon School of Engineering, and other NYU schools and departments. For more information, visit cyber.nyu.edu.