A team of Stanford students took the top prize at a recent international cybersecurity hacking competition.

For the third year in a row, the Stanford Applied Cyber team placed first at the Collegiate Penetrating Testing Competition. (Image credit: Mariah Rose Whitmoyer)

The Stanford Applied Cyber team beat out nine college hacking teams from around the world at the Collegiate Penetrating Testing Competition at the Rochester Institute of Technology. At the annual event – now in its fifth year – students showcase their technical skills and gain professional experience in the practice of testing a computer system, network or web application to identify security vulnerabilities.

Colleen Dai is a Stanford graduate student studying statistics and a member of the Stanford team. She attributes the team’s success to the members’ strong technical training, but also their camaraderie.

“It means a lot to win,” she said. “[The victory] has a lot to do with our team dynamics and how well we work together.”

The Stanford Applied Cyber team includes computer science majors Anna Zeng and Jack Cable; Michaela Murray, who is double majoring in computer science and math; Pierce Lowary, who created his own track consisting of computer science, cybersecurity and policy; and physics PhD student Will DeRocco. The students were coached by Alex Keller, the senior systems security engineer at the Stanford School of Engineering.

During the three-day competition, each college team was tasked with identifying weaknesses in a simulated corporate environment without impacting the operations of business activities. For one challenge, students had to break into the networks of DinoBank, a fake financial services and cryptocurrency company, with event organizers serving as company employees. An ability to hack into accounts without passwords was among the vulnerabilities identified by students. Students also investigated web and software weaknesses, including ones found in the Windows operating system.

“There was also an ATM challenge where we had to figure out how we could extract money without knowing someone’s PIN code,” Dai said. Each team was given a real ATM and teams that successfully hacked the machines got to keep the cash inside.

The Stanford team distinguished itself by uncovering two previously unknown software vulnerabilities. One was a weakness known as a SQL injection that allowed attackers to access and read private databases. The other was a vulnerability in which attackers could add themselves as an administrator to online group spaces. The Stanford team reported these weaknesses and repaired them within 24 hours. Their success earned them the winning trophy for the third year in a row, while a team from the Rochester Institute of Technology came in second and a team from California State Polytechnic University in Pomona placed third.

Stanford Applied Cyber is a student-organization focused on teaching students practical skills, such as analyzing, exploiting and defending computer systems. The club hosts events that are open to the Stanford community, as well as workshops ranging from the introductory level to the more technical. For more information, visit the club’s webpage.