OSU Security Club members (L-R) Jack Wright, Otso Barron, Brandon Ellis, Lucas Ball, Gabriel Kulp, Lyell Read, Casey Colley, Michael Carris Jr., and Robert Detjens celebrate a win after a cybersecurity competition. Photos courtesy of the OSU Security Club.
Students involved in the Oregon State University Security Club have won or placed near the top in several computer security competitions over the past year, most recently qualifying for DEF CON 30 CTF. Oregon State’s team ranked 15th out of 469 teams around the globe in preliminaries for the capture the flag-style information security competition.
The club, known informally as OSUSEC, participates in many competitions geared specifically toward college students. But the competition at DEF CON CTF will include industry professionals, researchers, national and international security professionals, and other hackers. One of the world’s most prestigious capture the flag competitions, DEF CON is scheduled to take place in August 2022.
In addition, the team achieved the following results this year:
- First place, Pacific Rim Collegiate Cyber Defense Competition (130 teams)
- Fifth place, National Collegiate Cyber Defense Competition (top 10 teams from regionals)
- First place regionally, seventh place nationally, U.S. Department of Energy CyberForce Competition (105 universities)
- Third place, NSA Codebreaker Challenge (5,400 individual participants)
- Fifth place, N1CTF (601 teams)
- Fifth place, NahamCon CTF (3,272 teams)
- Seventh place, hack.lu CTF (563 teams)
Yeongjin Jang, assistant professor of computer science and cybersecurity researcher, serves as the club’s faculty advisor. He notes that while the competitions are fun for the students, they’re also helping them build valuable, real-world skills.
“The contests mimic realistic environments, so the students are gaining experience that is directly transferable to the types of hacking that help keep computer systems safe for everyone,” he said.
OSUSEC participates in two types of competitions: capture the flag, or CTF, and cyber defense competitions, also known as CDCs.
Capture the flag competitions
Capture the flag competitions usually consist of 30-70 challenges of varying types that can be solved by anyone on a team. The challenges generally fall into the categories of binary exploitation (hacking a program), reverse engineering (understanding how a program works), cryptography (finding a weakness in a cryptographic scheme in order to break it), steganography (finding hidden data or images), open source intelligence (using the internet to solve problems), and web exploitation (finding security holes in a website).
Much of the club’s success is due to their preparation for competitions in weekly training sessions.
During the COVID-19 pandemic, the club’s then-president created an in-house version of capture the flag as a way for club members to stay active and to keep up their skills. The in-house CTF lets novice students hone their skills while more experienced students share their knowledge by mentoring others.
“People who might be new to the field can come in and get assigned to a small team of three or four with a coach and they’re given a typical CTF challenge,” said Lyell Read, president of the club. “It’s a great way to learn CTF because it’s a small, internal game and it’s not scary because you’re not on a big stage playing against all the other teams in the world.”
Assistant Professor Jang participated in competitions as a student at Georgia Tech and the Korea Advanced Institute of Science and Technology, where his teams advanced to the final round of DEF CON CTF eight times, winning the contest in 2015 and 2018. He enjoys passing on his knowledge to the students.
“I have been at DEF CON CTF many times, but OSUSEC qualifying for the competition is an even better feeling than when I won,” he said.
Jang also teaches the basics of hacking computer systems in his Cyber Attacks and Defense course at Oregon State. “Most of the CTF team members start learning about hacking in this class,” he said.
Cyber defense competitions
In CDCs, teams are housed on site and are not allowed to leave for the duration of the competition, which is usually one weekend.
“We’re cut off from the outside world and have to defend a set of machines against real attackers,” Read said. “We have to do the tasks to keep our system safe, just as people working in IT security in the real world do.”
“I always say a CDC is a group of college students stuck in a room together for eight hours, slowly going insane, and it’s wonderful,” said Brandon Ellis, a graduate student in computer science.
Most often the competitions involve keeping some critical infrastructure — such as an industrial control system (water tower, hydroelectric turbine, etc.) or e-commerce site — online and safe against outside attacks.
“The reason CDCs exist is that they’re very good at teaching people real IT security skills in a gamified environment,” Read said. “It’s much more fun than reading a textbook. We’re gaining hands-on experience in a safe manner.”
During the National Collegiate Cyber Defense Competition, where the Oregon State team took fifth place in the nation, the Linux team was able to catch and correctly analyze custom-written malware that had never been seen anywhere else in the world. In addition, the Windows team was able to keep the attackers out of their domain controller and DNS system.
“We were able to keep our system up 100% of the time during the competition, which is quite challenging,” said Ellis, one of the individuals responsible for this feat.
“A 100% uptime during a national competition is pretty much unheard of for a first-time team,” Read said. “There are skilled professionals that we’re competing against whose goal is to disable the machines, so that’s a great accomplishment.”
Read, Ellis, and Jang all emphasized that the club’s success is not only because students learn new skills, but because they all enjoy sharing their knowledge.
“People have specific areas of cybersecurity that they’re particularly interested in,” Ellis said. “Our industry can suffer from people being elitist and stingy about their knowledge, but everyone in our club is very good about sharing things they know, and some will bend over backward to share that knowledge with new up and comers.”
Welcoming online students
The COVID-19 pandemic forced the club, like everyone else, to operate remotely. But this gave OSUSEC the opportunity to include Oregon State’s online students to easily participate in the club’s activities, including the CTF practice sessions and competitions.
They continue to involve online students as much as possible today, even though classes and other activities have returned to in-person settings. “We stream all the meetings we can to our Discord server,” Read said.
Remote students can easily participate in CTF competitions, since they are held online, and they may also participate in CDCs, if they can travel to the event venues.
The competitions are typically sponsored by companies interested in hiring the best cybersecurity talent. After the NCCDC, students were invited to attend a networking event with sponsors, which included defense contractors and the Central Intelligence Agency.
“We had people interviewing with companies and agencies right after the networking event,” Ellis said.
“It was 10 teams, eight people on each team at the event. That’s the 80 best cyber defenders in the country who have applied their effort to NCCDC and I think that our team definitely represents that,” Read said. “And we’re glad to represent Oregon State this way.”