Capture the Flag

Cybercrime hunters

May 6, 2024


Last November, teams of University of Richmond students, faculty, and staff spent a weekend breaking into encrypted files, intercepting web traffic, and taking advantage of database flaws.

It sounds like a training session to become a hacker, but the intent was the opposite. The capture-the-flag event concluded Cyber Security Awareness Month with a hands-on opportunity for participants to learn to protect their information online.

The exercises, which participants call CTFs, are in-person and online gatherings of IT professionals, students, and others with an interest in cybersecurity. Participants seek out and exploit vulnerabilities in a system while capturing and collecting digital “flags” buried in encrypted files or embedded in a webpage.

After their team won the capture-the-flag competition, sophomores Leah Le and Maggie Song, along with Svetla Walsh from Information Services, appeared on the Assura podcast Unmasked.

John Craft, director of information security, participated in several such competitions at IT conferences and wanted to replicate the experience at Richmond. To host the event, he partnered with Assura, a leading cybersecurity consulting service, and MetaCTF, which creates the simulations and other cybersecurity trainings.

While most CTFs are limited to a few hours, Richmond’s took place over a four-day weekend, allowing more participants to work around their job and class schedules. Teams of up to four participants made their way through a series of “Jeopardy”-style challenges with increasing complexity across a variety of categories.

“It started with questions that were very fundamental and gave a basic understanding of a computer or a web browser,” Craft said. “As their knowledge increased, teams were able to tackle more difficult problems. For people who were less comfortable with computing or cybersecurity in general, it allowed them to ease into it.”

Sixteen teams comprising computer science majors and IT staff, as well as competitors from non-technology backgrounds, participated in Richmond’s CTF event. Winners received prizes, including hoodies, notebooks, and Apple AirTags from event sponsors.

Sophomores Leah Le, Maggie Song, and Padmaja Karki made up the first-place team, Lovely Ladies. It was their first CTF, and they signed up after their computer science professor, David Balash, encouraged them to participate.

“We were even more incentivized to win this competition as that would gain some more recognition for our women in the STEM community,” said Le of the all-female team.

After the competition, Le and Song were featured on an April 2024 episode of the Assura podcast “Unmasked.” During the interview, Le said her favorite exercises involved cryptography and password hashing, which connected her interests in computer science and math. Song said the competition was a chance to test new tools and see how SQL, a programming language for databases, could be used to hack a website.

Le also said the competition contributed to her growing understanding of cybersecurity. “Before, I only thought of it as the rule of thumb, ‘Don't put your personal information in your password.’ The competition revealed a whole new world.”

Craft said he hopes the CTF becomes an annual opportunity where students can explore their interests and career possibilities in the cybersecurity field. But, he added, the hands-on format is also an engaging way for any computer user to learn how to protect their data.

“They were able to think like a hacker, but in a safe, controlled environment,” he said. “It gives you perspective on what a malicious person might try to do.”