November 2024 Update: The name of JWU’s Cyber Threat & Intelligence Defense program has been updated to Cybersecurity.
Three driven students from Johnson & Wales University’s Cybersecurity program worked together to create CyberPaw — a capture-the-flag style competition to test students’ hacking and security skills. Jordan Limor ’24, Andrew Bugera ’24 and Christopher Lorme ’24 planned, designed and built challenges for the game all on their own.
Teamwork was fundamental to making this project successful; 55 students participated in the competition, proving that when there’s a will and dedication, no goal is out of reach.
CyberPaw was designed as a CTF, or Capture The Flag, an exercise in computer security that challenges participants to find hidden text strings or “flags” in a simulated environment. Challenges can cover multiple categories, such as cryptography (decoding data), steganography (finding hidden info in files or images), binary (reverse engineering), web (exploiting a webpage to find the flag) or pwn (exploiting a server to find the flag).
“Capture The Flag consists of a bunch of different cybersecurity or computer science focused challenges, where each one has a sort of a flag that you're looking for. That could be a hacking challenge or reverse engineering. You could be given something that you don't really know what it is and you figure it out, or it could just be something like a simple puzzle, something miscellaneous, something just fun to solve,” explained Jordan.
The main goal of the project was to create a virtual space for their peers to test their own skills. “We wanted to run this competition to help underclassmen — juniors, sophomores and first-years — better their coding skills and give them practice for the real world,” shared Christopher.
Cyber threat intelligence & defense students could work individually or in teams up to three through a series of twelve challenges. Automated tools were allowed, but plagiarism, use of third-party services or sharing information with other teams would disqualify teams.
After talking about this idea throughout their time at JWU, Jordan, Andrew and Christopher began working on CyberPaw at the start of the semester, giving themselves just over a month to complete the work before the start of National Cybersecurity Awareness Month in October.
“Capture The Flags are something that I’ve done a lot of to review my own material. There are a lot of different groups that run them and I’ve always wanted to try and run one. This year, we were able to get it going,” added Jordan.
They had some help, too. A team of graphic design majors developed the branding, creating a logo and lock graphic to help advertise the competition. They also enlisted the National Cybersecurity Student Association, an academic student-run club, to help with outlining competition rules and handling promotion, which included getting the word out through the Student Engagement Office.
Assistant Professor Anthony Chavis served as the faculty advisor for this project and mentored the students when they ran into challenges. “Professor Chavis helped us with logistics, funding and talking to other professors to get students to sign up. I don’t think we would have had this opportunity at a larger school,” Jordan added.
Once CyberPaw became a reality, the team worked with faculty to get the word out to their peers. After showing the project to professors, they offered extra credit to students for completing challenges that matched up with course learning objectives.
As an added incentive, prizes were awarded to the top teams. The leaderboard winner received $500, second place was awarded $200, and the third-place team won $100.
“We ended up having 55 participants who at some point submitted a challenge. We were expecting 20 or 30, so I’m pretty proud of that,” said Jordan. Only one team completed all dozen challenges, but five teams completed at least ten of the challenges.
Jordan and Christopher’s favorite challenge was Echo on the Wire. “It was a network packet capture that contained a voice call and you had to find the voice call, reconstruct it and then listen to it to get the flag. It was an interesting challenge because I never really thought about doing something like it before.”
A challenge that stumped most participants was Bad Assignment. “A common phishing method is to email a Word document with malicious macro code. If the document is opened, it gives attackers a connection to your computer. Basically, I was just teaching to always check to see if attachments are malicious. A lot of people learned from that one,” described Andrew.
CyberPaw was the first time any of these students built a large-scale website from scratch. Since the website hosted the simulation environment for the CTF, it needed extra layers of security. In fact, executing CyberPaw was as close to real-world as these students have experienced as they prepare to graduate in May.
“Classes prepared us for this work, especially Software Reverse Engineering. That one was helpful for a lot of the challenges we were building and solving,” said Chris. “Human Computer Interaction helped me get preparation for building a full website because the final project for that class was building a mock web application,” added Jordan.
Each student developer offered different strengths that ultimately complemented the project and resulted in a successful collaboration. Jordan was mainly responsible for platform engineering and building the infrastructure to host the competition. Chris and Andrew spearheaded many of the dozen challenges that created CyberPaw.
Andrew also served as the team’s security tester, testing the website for vulnerabilities prior to launch. “Not that I was trying to ‘attack’ our site, but getting to test a live site was a great experience,” he noted, adding that he found a lot of issues that were fixed before the competition began.
CyberPaw was live during the month of October. Now that it’s concluded, the team has been working on write-ups for each challenge so that participants can learn from their mistakes and understand how to capture all twelve flags. But that’s not the end. CyberPaw was always intended to become a recurring competition. Jordan, Andrew and Chris are preparing to run the competition again in the spring with a new set of challenges.
“Next semester, we’re being offered more resources to run it on better hardware and we’ll have more time to flush it out and make it more secure and build it into a really big thing that might actually continue after we graduate, which is just really cool,” shared Jordan. “I don’t think we would have been given this chance anywhere else, where the faculty goes, ‘Yeah, sure; make it and see what happens.’”
Plans for the next CyberPaw include letting students submit challenges for consideration, expanding the challenges to cover other facets of cyber competitions and opening it up to students at other universities to participate.
Even though Jordan, Andrew and Chris are still immersed in their creation, they have one eye on the future. Jordan plans to pursue a career in application security, figuring out weaknesses in source code to make it stronger. Andrew plans to go into security testing, simulating what real hackers would do to expose network vulnerabilities. Chris aspires to do work that combines both offensive and defensive efforts.
Overall, these students have enjoyed their experience as cybersecurity students at Johnson & Wales, reflecting that “The cyber program is widespread, so you get exposure in different aspects of it. You’re not coming out of the program as an expert in one area, but with experience in every little part so when you go into the field, you know where you want to end up. The cyber field is changing so fast, so getting this overarching view is a lot more useful because it helps us point ourselves in the right direction after college,” concluded Jordan.