April 28, 2016
A gasp filled the room when ‘Canada’ – in the form of four Carnegie Mellon University (CMU) students – launched a simultaneous attack against 40 other countries. As the contestants of Microsoft’s Build the Shield (BTS) competition watched in shock, a large world map lit up with dozens of attack arcs striking Team PPP 2’s targets.
Forty-seven teams of four students flocked to Microsoft’s Redmond Campus for the March 12 BTS competition. As the seven-hour day of attack and defense drew to a close, three Carnegie Mellon teams emerged victorious in first, second and third place.
“We’re very thrilled with this result, and we think the strong placement of all Carnegie Mellon teams reflects the commitment and passion that the university has for the field of computer security,” said Robert Xiao, member of first place team PPP 2 and Ph.D. student in the Human-Computer Interaction Institute (HCII).
With at least nine competing teams representing Carnegie Mellon, the university was a force to be reckoned with at the event. The winning teams were composed of students drawn from the College of Engineering’sInformation Networking Institute (INI) and department of Electrical and Computer Engineering (ECE); the H. John Heinz III College; the School of Computer Science; and Carnegie Mellon CyLab.
“As security increasingly becomes top-of-mind for organizations around the world, Microsoft is focused on advancing the ways in which companies identify weaknesses and protect against cyber threats,” said Brian Fielder, principal engineering manager at Microsoft Corp.
“Through our Build the Shield events, we bring together future security leaders to solve real-world problems. This year’s Carnegie Mellon teams demonstrated the levels of passion and innovation that are necessary to accelerate security and protect against malicious actors,” he added.
Protect and Hack
The event combined two types of capture-the-flag (CTF) competitions: live attack-defense and jeopardy.
Teams were assigned a country’s tourism department and charged with defending a server running vulnerable software and web services. Multitasking and prioritizing became the name of the game, as each team worked to discover and patch their own vulnerabilities while also developing exploits to use against other teams.
One method for raking in points was to purchase travel packages from another team’s vacation tourism website. Teams worked against time to write scripts automating purchases and exploit bugs that allowed them to buy more trips for less than face value while also luring other participants into traps on their own website.
Occasionally, comments like ‘Oh no! Chad is stealing all our packages!’ and ‘I think Bolivia is messing with anyone who visits their site!’ peppered the air as teams flexed their CTF abilities. None were as bold as PPP 2’s ‘Canada,’ whose modus operandi was to attack dozens of teams at once.
“In simple words: protect your machines and hack other machines,” explained Ben Draffin (MS27, ’16), INI student and member of third place team C0debr8kers.
The second competition category, known as jeopardy, consisted of offline security puzzles in forensics, cryptography and web application security. The teams who rose to the top of the leaderboard were those who diversified and focused their attention on both categories.
“It seems that every week we hear about a new data breach, information leak or computer hack,” said Xiao. “Playing these CTFs is a great way to practice crucial security skills, develop a security mindset and have fun while doing it.”
Why Go Plaid (Parliament of Pwning)
A common theme among Carnegie Mellon’s teams was membership in the Plaid Parliament of Pwning (PPP), CMU’s internationally ranked hacking team. With back-to-back wins at DEFCON and a consistent number-one ranking on CTFTime.org, PPP is one of the strongest CTF teams in the country, and perhaps even the world.
“Beyond the opportunity to compete in events like BTS and many others, PPP also gives its members an opportunity to learn from one another’s skills,” said John Kotheimer, a Heinz graduate student and member of second place team PPP72. “It has been a great experience for all of us, and membership has definitely helped us grow in our ability as CTF competitors.”
In fact, a former PPP member was one of the winners of last year’s Microsoft BTS: INI alumnus Shrikant Adhikarla (MS23, ’13). Today, he is a software security engineer at Microsoft.
“It was really exciting to see multiple CMU teams make it to the final this year,” said Adhikarla. “CTFs develop computer security skills that enable students to identify new vulnerabilities, which is very useful as a security engineer.”
For that reason, security competitions like Microsoft BTS are a gentle lead-in to the world of system security analysis.
“Microsoft and many other companies want to hire thousands of security professionals, but it is difficult to find people with practical experience,” said Draffin. “There are few legal or safe ways of ‘tinkering around’ with security skills, leading to a lack of practical skills among students interested in security.”
“Competitions like these are closing that gap,” he added.
First Place Team (PPP 2) – Surface Book
Second Place Team (PPP72) – Surface 3
Third Place Team (C0debre8kers) – Xbox One Elite Bundle
For more information about Microsoft Build the Shield, please visit https://buildtheshield.microsoft.com/us/#about
For photos from the event, please visit the Microsoft BTS Facebook page.
See all CyLab News articles