By Jennifer He
A six-person team from Stanford’s Applied Cybersecurity club placed first for the third straight year at the annual National Collegiate Penetration Testing Competition (CPTC) last month.
Since it began competing in CPTC in 2017, the team has won first place every year. The fast-growing club — which turned a basement server room closet into its club space — attributes its success to its members’ dedication to training for the competition, equipping themselves with the necessary technical skills, and the communication and bond that the team shares.
The team includes Colleen Dai ’20, Anna Zeng ’20, Pierce Lowary ’21, Jack Cable ’22, Michaela Murray ’22 and fourth-year physics Ph.D. student Will DeRocco. They first competed in a regional competition in October, where they won first place and were one of the 10 teams out of 60 collegiate teams internationally to go to nationals. The team then flew out to the three-day national competition held in Rochester, New York, starting on Nov. 22.
The CPTC competition is meant to teach students how to behave like real-world penetration testing consultants, as though a team were hired to perform a penetration test on a pseudo-company’s network and system.
In penetration testing, a team looks for vulnerabilities within the system, trying to exploit applications or services they are given. This year, the competition also included a physical ATM and an interactive voice recording system for teams to hack into.
Teams receive a copy — the entire domain(s), IP addresses, sites that make up the system, and a virtual environment — and conduct penetration testing on these systems for the first two days. They submit a report and presentation by 2 a.m. on the second night, and they deliver presentations the next day, judged based on accuracy and thoroughness.
During the regional competition, the Stanford team found two “zero-days,” vulnerabilities previously unknown to the creator that have no security patch. By reconstructing some of the systems and hosting them in their lab at Stanford, the team members found a SQL injection attack, which allowed them to look at the database, as well as a path traversal vulnerability that allowed them to gain administrator access to the database. While the team was initially uncertain about its chances of winning because there were twice as many teams competing this year, due to its zero-day findings, the team became more confident in their chances, according to Dai.
In 2017, the first time Stanford competed in CPTC, its team had two of the three females present at the entire competition. At that time, it was a shock to most people, and the Stanford team was known as the team with females, according to two people on the team that year. That year, team members described being faced with sexism. One judge, a tech executive, implied that the only reason women are needed in cybersecurity is that they’re “empathetic,” according to three members of the team who were present.
“What made a super big impression on me and even make me question my interest in security was the ratio I saw when I first did CPTC — it was three girls among 60 people in the competition, two of which were from Stanford,” said Dai, who later founded Women in Applied Security at Stanford. “It was just a very big shock, and I didn’t expect it to be that bad.”
“We’ve seen the gender gap close in the past three years, which is really inspiring and makes me feel like we can do something about this disparity,” she added.
Additionally, because the winning team from Stanford has had a large proportion of women these past few years, Dai and Zeng said they have heard that their team’s gender diversity has encouraged other teams to be more diverse.
Almost all team members in the past three years came into the club with little to no experience with cybersecurity, and through participating in the club, doing practices and asking people for help, they were ready for the competition.
“It’s definitely learnable, and one of our goals is to make security more accessible to people,” Zeng said.
Members come from all different majors ranging from computer science and physics to English, and some go on to complete security internships and pursue careers in cybersecurity. As new members make up the majority of the CPTC team each year, the club is actively integrating interested new members through workshops and speaker events.
The club also has several active projects such as writing ita own metasploit modules, reversing malware, developing the Stanford Bug Bounty Program (where students hack Stanford websites like Axess to win money) and testing Stanford RFID card scanners. The club is also currently preparing for the Collegiate Cyber Defense Competition (CCDC), which happens in spring.