Chris Underhill studied Physics at Trinity, graduating in summer 2020. He is now a Global Markets Strategist for Goldman Sachs. As 10 Trinity students prepare for this year’s global ethical hacking competition, C2C-CTF, on 6 December, Chris reflects on the challenges and benefits of cyber security events where participants must uncover secret codes known as ‘flags’ hidden in websites, embedded in servers, or locked behind vulnerable software applications.
How useful are cyber security competitions in enhancing your skills, knowledge and team working?
When I first took part in Cambridge UK-2-Cambridge MA (C2C) in 2017 I hadn’t really done any serious cyber security other than some very basic forensics on practice Capture the Flag (CTF) websites, so I learnt an enormous amount just by watching the more experienced members of my team.
By the time it came to Inter-ACE in 2018 I had improved my skills and was able to contribute more, but each challenge was still a learning experience. CTFs are very good at coming up with unique problems, so each challenge generally requires you to try something new that you’ve never seen before, which is a really fantastic way to learn a lot in a very short space of time.
At the Higher Education Cyber Challenge (HECC) in 2019, on a team with fellow Trinity students Dimitrije Erdeljan and Simon Crane, and the Palo Alto CTF in 2019, I was lucky enough to be placed in experienced teams with complementary skillsets, and we quickly discovered how best to divide up the work between us so no manpower was wasted.
They are also a brilliant way of meeting like-minded people, and I’m still great friends with people I met at various CTFs.
What does it feel like to be on a winning team?
It’s fantastic! At the Palo Alto CTF we were assigned random teams; mine really came together well and we quickly built up a sense of camaraderie. The top three teams were incredibly close just before the leader boards were turned off, and I remember the competitive drive really kicking in during the last half hour. We were all on the edge of our seats at the closing ceremony and it was a great feeling to discover we’d won. It ended up being my final student CTF and it was such an adrenaline rush to come out of it with first place in an international competition.
How do you go about a particular challenge in a cyber security competition?
Challenges are so varied you can always find something to match your skillset. Some feel like a treasure hunt – poking around on a website, looking for any location that might have a flag hidden behind an exploitable form, such as an insecure database or encoded into a picture.
For others the problem is obvious and you just have to get in: how can I recreate this partially obscured QR code? How can I run the commands I need to read this text file when the program won’t let me run them directly?
I like CTFs because they reward having a really diverse skillset; even categorized challenges (e.g. a ‘web exploitation’ challenge) usually require many different skills.
You might have to break into a server and get it to drop its passwords by hiding commands inside a password, only to have your knowledge of version control systems tested when the flag needs to be reassembled from many different pieces in different branches; then figure out how it was encoded so you can decrypt it.
Even if you’ve not got much experience yet, Google is your friend, and you can learn a massive amount from write-ups of previous CTFs.
How demanding are CTF challenges on your brain power?
It’s definitely a full-on experience! The actual hacking time can be pretty frenetic. There’s usually a lot of challenges to choose from, so you can switch around frequently if you get stuck, but it means your mind is working on many problems at once.
I can’t count the number of times I’ve moved on from one problem, only for an unrelated task in another challenge to trigger a sudden brainwave that leads me to the solution. Nothing makes you feel like more of a hacker than spending an hour poking around in a system only to spot the solution and break in in only a few minutes.
You can read ‘Bad guys are organised, so we have to be organised too’ with Professor Frank Stajano, founder of the ‘Cambridge to Cambridge’ (C2C) cyber security challenge.