Like boot prints left in the dust on the moon, your digital footprint can never be erased. So, how do you protect data that’s meant to last forever?
With the moon rising on a cold February evening, two University of Wisconsin-Stout student organizations made up of computer science; computer networking and information technology; and cybersecurity students – future cybersecurity agents – meet to learn ways to help keep your digital footprint under lock and key.
The Collegiate Cyber Defense League (CCDC) team meets weekly to rigorously prepare for competitions and offers students a more competitive cybersecurity experience, while the Information Security Professionals student club gatherings host more leisurely cybersecurity activities.
CCDC President David Tesar, a computer science senior from Lety, Czech Republic, became interested in cybersecurity his junior year in high school after attending a Cisco-sponsored event.
“In our student clubs, we have opportunities to use professional tools that we may not use in our labs and classes. We work on our skills in our free time and outside of class,” he said. “I encourage other students to attend and to open their eyes to what you don’t learn in school.”
In Micheels Hall’s Cybersecurity Lab, the CCDC team gathers in small groups around three computer stations. Several six-foot-tall servers blink with red and green lights in large, locked black cases. New server switches are stacked in the corner waiting to be installed.
At the recent CCDC qualifying state round, the team won first place among teams from Wisconsin, Illinois and Missouri. They’re now gearing up to compete in the 2024 Midwest Collegiate Cyber Defense regional competition this March, in Chicago.
“Our UW-Stout team will have the honor of representing the state of Wisconsin, competing against all other top-ranked Midwest schools,” said CNIT and cybersecurity Program Director Holly Yuan. “The team’s success was fueled by their unwavering passion, commitment and discipline. Their hard work and dedication truly paid off, and I couldn't be prouder of what they've achieved.”
Around their stations, they open their laptops and share light-hearted jokes and fist bumps in greeting. Some are playing Oregon Trail, waiting for practice to start.
Tesar and CCDC Vice President Liam Nicholson manage practices and individual tasks, get their team up to speed and hold each teammate accountable.
“Everyone on the team has basic cyber knowledge, but we each have our own specialization,” Nicholson said. “In the Cybersecurity Lab, we can re-create the competition within our own practice environment. We can emulate steps on the computer and research to find out what might be vulnerable to hackers.”
“Our goal is to build the best team possible,” said Tesar, who opens practice with a quick review.
“What is a shell,” he asked his team.
“The thing on the back of a turtle,” someone suggested, as the playfulness continues.
“That is one correct answer,” Nicholson replied.
Unlike a turtle’s protective shell, a web shell enables a hacker remote access to a targeted server or system, giving them a backdoor for additional attacks.
The team returns to cyber-mode and discusses field-related terms before moving on to reviewing their playbook, a step-by-step document naming each team member’s strength and assignment for the upcoming competition.
“Everything you do online is stored somewhere – your social media posts, purchases, personal information,” said Nicholson, a cybersecurity sophomore. “If data is stored, it can be accessed. Cybersecurity measures are in place to prevent the wrong people from gaining access.”
Nicholson, of South Milwaukee, realized he was interested in cybersecurity when he joined his high school’s cyber-patriot team. He was one of the first students in UW-Stout’s major, which began in 2022.
As CCDC practice winds down, several students head to the Information Security Professionals meeting. It’s a long walk through the longest building on campus. From Micheels Hall, you pass by windows that look into Stout’s construction and plastics engineering labs in Jarvis Hall Technology Wing, before entering the Science Wing.
It’s a tool demonstration night, and ISP club members tinker with cybersecurity and hacking tools and devices to learn how to protect an individual’s and organization’s data.
There are many types of hackers, all with different motivations, explained Nicholson and Jacob Mengel, ISP president. Black hats, as they’re known in the industry, break into networks with malicious, criminal intent and for financial gain. Gray hats hack for their own sake, sometimes to play a prank on users.
A white hat, or ethical hacker, is hired by an organization to test and evaluate vulnerability and to suggest potential security improvements at both the cyber and physical levels. These are skills the club is practicing tonight.
At the first station, you hear metal scraping on metal. Two students are picking Brinks padlocks, the same you would use to lock up your bike, fence or tool shed.
“We practice physical lock-picking because once you can fake your way into a physical building, you’re one step closer to hacking the files you’re looking to exploit. Physical lock-picking stresses finding those vulnerabilities,” explains Mengel, a CNIT junior from Stevens Point.
Mengel always knew he wanted to work with computers and be able to work with his hands. “In high school, I learned that Stout has one of the few CNIT majors in the state. I instantly knew I wanted to go here,” he said.
At a second station, a student straightens a paperclip. He’s handcuffed himself to his classmate and set the key off to the side. He inserts the paperclip into the keyway. Can he pick the lock, or will they be cuffed together for the rest of the meeting?
“This is layer one, the physical protection of a building,” he said. “Physical security is important. Keeping doors locked is such a simple thing to do, but sometimes we forget. Or we may think we’re being polite by letting someone into a building who says they forgot their key. Maybe it’s a trick, and they’re looking for an easy way into a building. It’s the same as leaving your computer open. Your valuables, either physical or digital, are left vulnerable.”
He twists the paperclip and – clink – the ratchets on his cuff release and his wrist is free. Now to uncuff his classmate.
“We’re understanding how to better protect people,” said Nicholson, ISP vice president. “You’re not going to let someone walk into your house. It’s the same with cybersecurity – protecting your digital home. Think about a firewall as the structure of your house. If you don’t know someone’s password, it’s the same as not having the key to the front door. We’re looking to make sure passwords, networks or software can’t be used by the wrong people.”
At a third station, a student connects a small black device with several antennas to his laptop. It’s a Wi-Fi Pineapple, a portable device developed as a penetration testing tool to help cybersecurity specialists identify and test vulnerabilities.
Unfortunately, it can also be used to trick unsuspecting users into connecting to a fake public Wi-Fi network.
“A hacker will trick you to connect you to the fake network, similar to phishing,” Mengel said. “They might be out to steal your data or just to play a prank, like RickRoll. It’s a joke older than the dinosaurs. Even my dad knows RickRoll.”
With the RickRoll prank, which crept onto the Internet around 2007, a user connects to what they think is real public Wi-Fi. Instead, they’re directed to a video of Rick Astley’s song “Never Gonna’ Give You Up.”
Dominic Kavalary, ISP treasurer, a CNIT senior from New Berlin, has interned with Heartland Business Systems, in Eau Claire. He snacks on a coconut cookie as he reflects on how reading documentation and finding out how software works can help you learn to protect it.
“By finding the loopholes in a software, you can exploit features in ways unintended,” Kavalary said. “If you can learn how to break something, you can learn how to keep it from breaking. If you know there’s an issue, you can provide advanced measures to protect it.”
Mengel and Nicholson are working on just such side projects – Mengel is cracking the encryption code of an RFID scanner, or key card scanner, to learn how to exploit it in order to protect it. Nicholson is learning Kali Linux, an advanced penetration testing, research and security tool.
“Cybersecurity is a battle that keeps on going. The greatest weapon in this field is knowledge – knowledge of how to defend, learn and adapt,” Mengel said. “Encryption is ancient. We’ve been doing this forever. Think of the Caesar Cipher in Roman times or Navaho Code Talkers and Enigma in World War II. Modern encryption is crazily complex, with mathematical equations on top of equations.”
UW-Stout student cyber teams have now won four Wisconsin CCDC titles and took fourth place among 13 national teams, and No. 1 among Wisconsin teams, at the National Centers of Academic Excellence Cyber Game last spring.
UW-Stout’s 2017-22 designation as a National Center of Academic Excellence in Cybersecurity for Cyber Defense was recently renewed through the 2028 academic year by the National Security Agency.
UW-Stout was the first four-year university in the state to receive it in 2017. Only about 4% of schools in the United States earn the designation.