By Ben Hosking
This spring, the software company Security Innovation will host its second annual Cybersecurity Beanpot Challenge. Students will compete for scholarships and prizes by mounting cyber-attacks on a fictional website in a “capture the flag” competition. Last year, cyber students attacked a fictional bank’s website in order to find vulnerabilities called “flags” that could be patched to protect the bank.
Competitors in this year’s Cyber Beanpot will face stiff competition from the reigning champion, Northeastern University. The Khoury College team took home the overall trophy, as well as 1st, 3rd, and 5th individual places out of 80 competitors from Suffolk University, Boston College, Northeastern University, and the University of Massachusetts, Lowell.
Brian Yeung (BSCS ’20), William Tan (BSCS ’19), and Erik Uhlmann (BSCS ’21) took home the 1st, 3rd, and 5th place prizes respectively. Tan first heard about the competition from Khoury College Professor and Director of the Cybersecurity and Information Assurance Graduate Program, Guevara Noubir. Tan and his friends decided to go together. When asked what challenged him, he says, “During the competition, it was managing time spent on any particular question.” Tan, who learned new techniques that he will use for attacking fictional web applications in the next competition, plans to work in cybersecurity after graduation and later pursue a graduate degree in computer science.
Fellow student Uhlmann found that the most difficult part of the competition was near the end, when he “ended up trying to flip through all the site pages repeatedly, searching for the last few point opportunities.” Uhlmann emphasized that “with the timer close to finish, there was a lot of pressure.” He was first drawn to cybersecurity by playing online capture-the-flag competitions like the Beanpot. “CTFs are fun to play because they test a wide range of skills, and every challenge is like a puzzle.” Uhlmann thanks Cameron Kennedy (BSCY ’21), his friend and fellow Khoury College undergraduate, for playing CTFs with him.
One part of the competition that Uhlmann did not end up solving was the use of social media pages for fictitious bank personnel to find human passwords. This open source intelligence component intrigued him because it showed that cybersecurity is not just about code, but also “about human vulnerabilities,” he says. First place winner Yeung agrees. “I liked how creative a lot of the exploits seemed. Sure, you need technical knowledge, but afterwards it was less about following the guidelines, APIs, idioms and more about not following them.”
Professor Noubir congratulated the students. “We are very proud of our students’ performance in the Cybersecurity Beanpot. It is a joy to see them do so well. It is also a testimony to Northeastern’s experiential learning approach.” Looking forward to this spring’s lineup, Noubir added, “We are thankful to Security Innovation for organizing the event – it provides an environment for students to learn and demonstrate their abilities.”