NSA Invites Students to 'Hack Us!'
September 27, 2017
Ever think about hacking into the U.S. government’s data system? Wanna
If you can develop a network signature for an intrusion detection system
(detect hacking), or perform forensic analysis of a compromised endpoint
(detect hacking before it collapses the system), the National Security
Administration wants you to try.
Registration is open for the 2017 Codebreaker Challenge. The contest
asks college students to use reverse engineering or the ability to take
apart code and fix from scratch a fictional break-in of a government
data system. The scenario helps the Department of Homeland Security
disarm an improvised explosive device using cybersecurity skills to
prevent civilian casualties.
“Reverse engineering is a crucial skill for those involved in the fight
against malware, advanced persistent threats, and similar malicious
cyber activities,” the NSA website says. “As the organization tasked
with protecting U.S. government national security information systems,
NSA is looking to develop these skills in university students (and
prospective future employees).”
Each year, undergraduate and grad students who compete to master six
tasks will receive a small token of appreciation from the NSA for being
among the first 50 finishers, and possible credit from the student’s
college or university.
• Set up a test instance of the system (Task 0)
• Analyze suspicious network traffic
• Develop a network signature for an intrusion detection system (Task 2)
• Analyze critical system components for vulnerabilities (Tasks 3 and 4)
• Perform forensic analysis of a compromised endpoint (Task 5)
• Craft an exploit for the botnet server and devise a strategy to clean the infected endpoints (Task 6)
Registration for students with a valid email address ending in .edu
started September 15 and continues until December 31.
This year, some have gotten close, but no one has completed all six
tasks, so far, says the Codebreaker Challenge website. As of September
25, students from 335 colleges and universities have tried.
The most participants in 2016 came from Georgia Institute of Technology
in Atlanta, with 149 students taking the challenge, but only five
completing all six tasks, which also ranks first for most successful
In addition to Georgia Tech, three students from Carnegie Mellon
University in Pittsburgh completed every task, as well as three from
the U.S. Naval Academy in Annapolis, Md.; one from University of
Maryland, College Park; one from Naval Postgraduate School in Monterey,
Calif.; one from Lesley University in Cambridge, Mass.; and one from
Williams College in Williamstown, Mass.
Last year, 3,325 students from 481 colleges and universities attempted
to finish all six tasks; only 15 students were successful. Robert Xiao
from Carnegie Mellon University in Pittsburgh completed every task in
just under 18 hours, which was nearly two and a half days quicker than
the next fastest finisher.
“I find computer security to be a fascinating subject, and I was really
lucky to be accepted at Carnegie Mellon, which has an excellent computer
security reputation,” said Xiao, who was born and raised in Canada.
Carnegie Mellon ranks in the top 20 for cybersecurity schools in the
U.S. and is known nationwide as a pipeline for future computer security
experts. Xiao is on the Plaid Parliament of Pwning (PPP) hacking team at
CMU and says the team “participates in worldwide computer security
competitions and does very well.”
not an understatement. In fact, the PPP hacking team has won eight
straight virtual capture-the-flag competitions at New York University’s
Cyber Security Awareness Week and won the World Series of Hacking
college competition four of the past five years.
The 2017 Codebreaker Challenge “is very challenging and covers a wide
range of subjects ... but it takes a lot of time and effort at first,”
Xiao says. “Don’t get discouraged if it seems too hard, that’s totally
normal at first.”
Xiao is doing a Ph.D. in what he calls “human-computer interaction,” in
which he wants to merge computer security and human interaction.
“The subject of ‘usable’ human-friendly security is really important and
only a handful of people are thinking really hard about it,” he said.
Essentially, Xiao wants to expand the use of computer security for those
who might not be the most adept at using computers; in other words, make
computer security easier for the everyday user.