European cyber security challenge: Italy second in the standings

(To Giorgio Giacinto)
16/12/19

Interview with Emilio Coppa, Giovanni Lagorio and Mario Polino coaches of the Italian team of cyber defender "TEAM ITALY" formed by students of the training path Cyberchallenge.IT (link).

Emilio Coppa is a research fellow at the Department of Computer, Automatic and Management Engineering at Sapienza University of Rome. He received a doctorate in Computer Science in 2015 and his research interests focus on static and dynamic software analysis techniques. Since 2017 he is part of the organizing committee of CyberChallenge.IT and is one of the leaders of the national team for the European Cyber ​​Security Challenge (ECSC).

Giovanni Lagorio is a researcher at the DIBRIS of the University of Genoa. Interested in information security and ethical hacking, he is one of the founders of the ZenHack team and organizer of CyberChallenge.IT for the Genoa office. From 2019 he is one of the leaders of the national cyber-defender team for the European Cyber ​​Security Challenge (ECSC).

Mario Polino is a research fellow at the DEIB of the Politecnico di Milano where he deals with Malware and Binary Analysis. Since 2009 he has participated in CTF competition with the Tower of Hanoi team and since 2018 with mhackeroni. From 2019 he is the coach of the national cyber-defender team for the European Cyber ​​Security Challenge (ECSC)

First of all a brief overview of the team members. What are the cities of origin? What are the study courses of origin?

We remind readers that the members of the team come from the CyberChallenge.IT training course, organized by CINI's National Cybersecurity Laboratory, which initially saw 20 students form in each of the 18 participating university locations. At the end of the training period, each site selected four boys to form the local team that participated in the national final in Chiavari, last June 27th.
Thanks to the national final it was possible to form the national team.
The team is composed of ten boys who come from different Italian realities.

Andrea Biondo (the captain) and Riccardo Bonafede are two students of the University of Padua. The former lives in Cassier (Treviso) and is currently enrolled in the Masters in Computer Science, while the latter comes from Padua and is completing the Triennial in Computer Engineering. Also from the Veneto region comes Antonio Groza, who lives in Mirano (Venice) and after graduating from ITIS Levi Ponti in 2018, he decided to start a professional career directly.

Marco Bonelli, Andrea Laisa and Samuele Turci study in Milan. Marco comes from Terni and attends the three-year degree in Computer Engineering at the Politecnico di Milano. Andrea instead comes from Bergamo, he always studies at the Milan Polytechnic but is enrolled in the three-year degree in Computer Science. Finally, Samuele comes from Gatteo (Forlì-Cesena) and is enrolled in the three-year degree in Computer Science at the University of Milan.

Three team participants are studying in Rome: Qian Matteo Chen, Dario Petrillo and Michele Lizzit. Matteo lives in Rome and is a three-year Computer Science student at the La Sapienza University of Rome. Dario also lives in Rome and studies at La Sapienza, but is attending the three-year Computer Engineering course. Finally, Michele lives in Pasian di Prato (Udine) and attends the Triennale in Management and Computer Science at the Free International University of Social Studies (LUISS) Guido Carli.

Going geographically further south, Davide Palma studies at the Computer Science University of Bari and lives in Apricena (Foggia).

With which criterion were the members of the national team selected starting from the participants in the final?

The pool of choice was composed of the participants of CyberChallenge.IT of 2019, but also of the previous years. The initiative was very effective and introduced to this type of competition many capable young people, who over time have improved a lot up to the point of competing at the highest levels despite their young age. Choosing was not easy, there are many good guys, but some constraints on the composition of the team in the competition rules have simplified this choice.
All 10 players must be under 25, and 5 of them must be under 20 years old. There are so many good guys with less than 25 years. Less, however, as regards the range up to 20. This regulation basically divides the team into two parts: Senior (21-25) and Junior (under 20). We then created two rankings, one for the Senior and one for the Junior, in which we evaluated the candidates' performance in past events. In particular, we evaluated the local test, that is the individual challenge that each participant of CyberChallenge.IT faced at the end of the training course, the national competition, which takes place in teams between the various venues, but also external competitions to which several Final team members took part. The result was a formidable team and the second placement confirms this.

At this point we move on to the training and construction phase of the real "team game". How did you manage the different geographical origins and basic training?

The coach has selected the participants, choosing, on purpose, a heterogeneous formation, essential to be ready to face any kind of challenge. The different geographical origin, on the other hand, was mitigated by organizing, in mid-September, a four-day retreat at the IMT Alti Studi di Lucca School.

There the boys got to know each other, forming a real team, thanks to various group activities. Among these, also activities not strictly related to information technology, but no less important, such as, for example, shooting and editing of the video, goliardic, presentation of the team and evening brews.

Can you tell us how the team organized itself in terms of division of tasks? Has a leader been appointed or has a spontaneous leader emerged? Surely this aspect is closely linked to the type of competition. Can you give us a brief description of the game mode?

Thanks to the Lucca gathering, the team was able to identify the skills that each team member could make available for the competition.

As team captain, we immediately saw Andrea Biondo as the best candidate: part of the team that won CyberChallenge.IT 2018, member of the CTF Spritzers and mHACKeroni teams, member of the national team for ECSC in 2018 and also co-author of scientific articles in major conferences in the field of cybersecurity.

The competition took place in two days following a jeopardy format, in which the teams have to solve challenges to get points. Each challenge can be seen as an IT challenge, both software and hardware, which replicates a real scenario but in an isolated context, allowing kids to have fun without doing damage in the real world. Concrete examples of these challenges can be web portals in which administrative access must be obtained or embedded systems on which to identify loopholes to carry out unauthorized actions.

The 36 challenges prepared by the Romanian organizers were equally divided between the two days of the competition, not allowing the boys to solve the first day's challenge on the second day. The score of each challenge was obtained dynamically: this mechanism avoids having to assign an a priori score based on the estimated difficulty (always very difficult to evaluate).

In addition to hardware and software challenges, the organizers assigned additional points based on the ability of the various teams to: (a) pass an escape room characterized by hardware challenges within a maximum time of 30 minutes, (b) present the solution in 5 minutes one of the challenges resolved to a jury composed of non-experts.

During the last two hours of the competition, the scoreboard with the scores was obscured, pending the awarding of the evening of the following day.

And now we come to the moments of competition, divided into three days. Can you describe what were the emotions experienced by the team during the days? Italy from the second part of the first day was part of the leading group, also taking first place in different stages of the race. How were these moments experienced?

What was the most difficult aspect of the race? Which one gave you the most satisfaction?
At the beginning we were all very excited but, once we started facing the various challenges, the concentration was such that we didn't think much about anything else.
Some challenges took several hours and the joint work of various members, partly due to technical difficulties, partly because it was not clear what was to be done and communication with the organizers was sometimes difficult. Clearly, getting stuck for hours on a challenge can be extremely frustrating but, as they say, the one who wins it wins, and in the end we managed to solve many. Being part of the leading group immediately created a bit of tension, but every challenge resolved gave us a great boost and self-confidence, which helped us to keep the grit for all those hours.
The team worked very well and this aspect has borne fruit, bringing us up in the rankings. This is probably the aspect that gave us the most satisfaction.

Now that the race has ended by taking home the second place, what are the reflections of this experience that will surely have an effect in your future activities in the field of teaching and research? Did any of the guys think about starting a job with a start-up? When do they think about their future do they see themselves in Italy or abroad?

We will certainly treasure this experience; some guys already have work experience and are also considering the possibility of launching into some startups. Others point to research activities: there are those who think of a doctorate and those who would like to become part of the research and development sector of some big industry. Fortunately for our country, when they think of the future some see themselves in Italy, even if they do not miss those who consider the possibility of going to work for some computer giant on the other side of the ocean.

As for the team, will you continue to participate in other competitions? What do you intend to do to share your experience with young people?

Surely the team will also participate in ECSC next year, some members will exceed the age limit and therefore the team will have to change a little. But these are assessments to be made downstream of the next edition of CyberChallenge.IT where we expect, as has happened in the past, that the current members of the team help form new recruits.
Meanwhile, immediately after the competition in Romania, a large slice of the team flew to Abu Dhabi for Hack in The Box CyberWeek, where they took part in two different competitions:

  • A part of them participated and won the "Cyber ​​Battle of The Emirates" a competition designed for young people entering the world of Capture the Flag and security in general.
  • Another part instead took part in the ProCTF as "mhackeroni". The ProCTF is a competition without age restrictions, and designed for professionals. Team mhackeroni came in third place.

Many of the Team Italy players, but also the other CyberChallenge.IT participants, after this experience continue to play in the local teams of the various universities. These teams are formed not only by novices, but also by long-time players, who challenge each other in various competitions during the year. There is a public list of Italian Teams that have absorbed CyberChallenge.IT participants or who were born from the boys who participated in this initiative: https://cyberchallenge.it/ctf-teams.

One of these teams is the "mahckeroni" team (https://mhackeroni.it/) that for several years now has been participating in the DEF CON CTF, one of the most difficult competitions in this category. To participate in this competition you must qualify by winning one of the selected events. There are no restrictions on age, number, or profession, and many professionals in the sector also take part in this type of competition. And only the best 16 teams in the world can win a seat in the Las Vegas final. Several members of the "Team Italy" are part of the "mhackeroni" team which last August ranked 5th in this competition.

Thank you for your efforts, keep us informed about your activities. Online Defense and its readers support you. Good luck to all!

https://europeancybersecuritychallenge.eu/