Students Capture the Flag and Seven Awards in Hacking Competition

Hacking into computer systems could easily land you a seat in jail. But what if you could freely test your break-in abilities under legal circumstances? Four students from the Internet Security Research Lab (ISRL) in the Computer Science Department were able to explore their forbidden talents by participating in — and dominating — a hacking competition.

On July 19 and 20, a group of organizations interested in promoting STEM (science, technology, engineering, and math) education sponsored a cyber capture-the-flag competition (see https://www.mitrestemctf.org/). High school and college teams were invited to join in a race to capture the “flags,” or hidden files, that flecked the event’s computer system. BYU took first place in the competition against other teams from UC Berkeley, South Florida, Texas A&M and various student and co-op intern teams from MITRE, a federal research and development organization.

Undergraduate students Austin Whipple and Kin Hou Lei, along with graduate students Kimball Germane and Scott Ruoti, joined together to create the BYU team. Each brought varied levels of experience, and this is exactly what Germane identified as BYU’s ticket to victory — a “really diverse set of talents.” Thus equipped, they approached the competition with enthusiasm.

Dr. Kent Seamons is the Director of the ISRL. Since his lab usually specializes in keeping the bad guys out, he was curious to see how his students would do in trying to break through defenses rather than build them.

“We recently launched a penetration testing group at BYU to learn how systems are exploited, and I was planning to enter this kind of competition once we had gained more experience,” he said. “This opportunity presented itself earlier than I anticipated, and the students performed extremely well.”

At 7 a.m. on July 19, the contest system opened, and teams all over the country signed in for the first full day of web exploitations and puzzle solving. Since he was out of state during this event, Seamons anxiously texted the team for an update while on a layover in Denver. He found out that they had “quickly raced to the lead.” And they never lost it.

“BYU earned over ninety percent of the available points,” Seamons reported. Three other teams tied for second place at sixty-nine percent . . . so BYU beat them pretty handily.”

Not only did BYU students rack up the points, but they also gathered an impressive collection of seven awards — twice as much as any other team. In fact, the administrators had to invent a new award, the Root Award, to recognize them for subverting a system in a way the organizers hadn’t anticipated.

Although the system was designed to have specific weaknesses and defects for the hackers to find, Whipple was able to gain root access to the operating system and find flags from an administrator’s bird’s-eye view.

“A good administrator should not allow someone else to take over a system,” said Seamons. “Austin compromised the system in a way they were not expecting.”

When asked what he learned from this challenge, graduate student Scott Ruoti said it was the importance of carefully choosing one’s security software.

“A lot of times just hiding your information . . . isn’t enough,” he said. “I always knew people made a lot of security mistakes; I never realized how easy it was to make them pay for making them.”

For Kin Hou Lei, it was stretching out some rarely used muscles in a restricted area that made this experience enjoyable.

“We don’t get much opportunity to do stuff like that,” he said, noting its illegal status.

Pleased with the success of his students, Professor Seamons looks forward to helping students participate in more events like this. He feels these competitions provide an educational experience to train students for security careers, and they are a lot of fun.

“Computer systems are being compromised constantly,” he said. “There aren’t enough trained professionals to stay ahead of the attacks. The best way to learn how to defend a system is to understand the attackers.”

As a result of their impressive victory, the team has received an invitation to participate in another competition in Las Vegas at the DEFCON hacker conference. They will also be honored at a security conference in Florida.

Want to learn more about internet security? You can listen to an interview with the team’s professor, Kent Seamons, on Thinking Aloud.