Guide to Creating a Cybersecurity Challenge for Kids
By: Stephanie Carruthers and Nolan Kennedy
“Right now, we’ve got about 300,000 unfilled cybersecurity positions as a nation,” said Rick Driggers of DHS at the Cyberthreat Intelligence Forum, as reported by FedScoop. Driggers goes on to ask, “So what are we doing to engage K-12?” As a Cybersecurity consulting firm, MindPoint Group (MPG) deals with this industry deficiency daily. To address the issue, the company decided to use its Volunteer Initiative Program to begin a partnership with a local Washington DC school and begin cultivating future Cybersecurity professionals. MindPoint Group’s cyber challenge strives to introduce the growing field of Cybersecurity, get the kids excited through education, and pique their interest in Cybersecurity as a possible career path.
On June 2, 2018, MindPoint Group hosted its second annual Ludlow-Taylor Elementary School Cyber Challenge. The event, hosted at MindPoint Group’s Alexandria, VA facility, comprised 4th and 5th grade participants from Ludlow-Taylor Elementary.
This year’s Challenge introduced the kids to two Cybersecurity-related fields of study:
- Online Cyber Sleuthing using Social Media and
- Secret Writing with Codes and Ciphers.
Descriptions of how each category was presented are broken out in the sections below.
Online Cyber Sleuthing using Social Media
The activity’s objective was to express the importance of using discretion when sharing information online. The topic was reinforced by guiding the class through a specially tailored social media page and allowing students to interactively call out as they spotted information that could be leveraged by someone with bad intentions. Data was seeded throughout the social media page to highlight several common vectors of information sleuthing:
- Geotagged posts
- Friends and family tagged in photos
- Personal information such as phone numbers, email and home addresses, as well as places of employment
- Daily routines and schedules
- Personal interests and hobbies
Once a potential attack vector was identified, the class was asked to provide creative examples of how the information could be misused. Practical demonstrations of how the information could be leveraged were also shown, including using Google Maps street view to eerily scope out a home address and wielding personal interest data for password guessing and account hijacking.
Sleuthing Pippy’s Profile
The class started by visiting the public social media page of Pippy Horsse.
We browsed through Pippy’s timeline to get a quick overview of what Pippy had been posting lately.
We saw posts including phone numbers:
We saw posts with geotagged locations and schedules:
Finally, we saw some silly posts that, though personal, provided contrast to the higher-risk posts to help the students discern between the two:
After looking through Pippy’s timeline, the class then proceeded to dig through the “About” section of her profile. We quickly noticed a home and email address, and decided to put the home address into Google Maps and saw Pippy outside her home!
Pressing forward, we came to a list of family members. Used alongside a tagged photo posted by Pippy, we could now identify Pippy’s immediate family.
The real gold was in the “Details About Pippy” page, where we used the information provided to make an educated password guess against Pippy’s email address that we saw earlier.
After logging into Pippy’s email, we had the social media site send us a Password Reset email to demonstrate how we could potentially compromise every account associated with this email address.
This activity came to an end with a reminder to the class that we do not always know the people looking at the information we share online. Being smart about the information we share is an important habit to build as we continue to invest more and more of our time using the internet.
Secret Writing with Codes and Ciphers:
For this activity each student received a Secret Writing Manual. The manual contained information and images on numerous types of codes and ciphers. Students learned that codes have replacement symbols, letters, or numbers and that ciphers have a key that both parties would need to know.
Many of the methods covered can be found in the book Top Secret: A Handbook of Codes, Ciphers and Secret Writing by Paul B. Janeczko. After discussing each method in the manual, the students broke into two groups and received their kits. The kit included:
- two Caesar Cipher wheels (paper template located here);
- one wooden rod (a dowel cut down to about 10” in length then sanded);
- one strip of red film (similar to the red one in the pack here);
- and an envelope containing their first puzzle.
Kit and Puzzle #1
Once students opened their first puzzle, they received a strip of paper with unreadable letters. In order to decipher the message, the students needed to use the wooden rod included in their kit. This cipher is called a Scytale cipher.
Once the students wrapped the strip of paper around the rod, their message read “Good job the password you seek is Hulk.” After telling the MindPoint Group team their password was Hulk, they received their next puzzle envelope.
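For anyone preparing the strip, here is an added Python example (not part of the original guide) that lays out the letters for a Scytale strip and reads it back. It assumes the strip wraps around the rod 8 times and pads the last row with "x"; both choices, and the function names, are assumptions for illustration.

```python
import math

# Message from the first puzzle in this guide.
MESSAGE = "Good job the password you seek is Hulk"


def scytale_encrypt(message, turns, pad="x"):
    """Return letters in strip order for a strip that wraps the rod `turns` times."""
    letters = [c for c in message.lower() if c.isalpha()]
    rows = math.ceil(len(letters) / turns)
    letters += [pad] * (rows * turns - len(letters))
    # The message is written along the rod, one letter per turn of the strip,
    # so row r holds letters[r*turns:(r+1)*turns]. Unwrapping the strip reads
    # each turn (a column of that grid) from top to bottom, turn after turn.
    return "".join(letters[r * turns + t]
                   for t in range(turns) for r in range(rows))


def scytale_decrypt(strip, turns):
    """Re-wrap the strip on a rod giving `turns` turns and read along the rod."""
    rows = len(strip) // turns
    return "".join(strip[t * rows + r]
                   for r in range(rows) for t in range(turns))


if __name__ == "__main__":
    strip = scytale_encrypt(MESSAGE, 8)
    print("print on strip:", strip)
    print("right rod     :", scytale_decrypt(strip, 8))
    # A rod of a different thickness changes the number of turns and
    # scrambles the message: the rod's size acts as the key.
    print("wrong rod     :", scytale_decrypt(strip, 4))
```
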
In this envelope the students received a piece of paper with a message they would need to decipher. The paper’s text read “qlfhob grqh wkh qhaw sdvvzrug brx qhhg lv frpsxwhu.” This cipher is a Caesar Cipher and by using their Caesar Cipher wheels with a traditional shift of 3, when decoded the message read “nicely done the next password you need is computer.” After telling the MindPoint Group team their password was computer, they received their next puzzle envelope.
After opening the envelope, students received a paper containing groups of numbers that they would need to decipher. The cipher used is called a Greek Square Cipher (also known as a Polybius Square). The key to this cipher was located in the students’ manual. After deciphering this message, the students were able to read “Congrats your new pass is kit kat.” After telling the MindPoint Group team their password was kit kat, they received their next puzzle envelope.
After opening the envelope, students would find a piece of paper with what appeared to be yellow and red scribbles on it. For this puzzle, students would need their red film strip to read the message. This is called a Red Reveal (you can read more information on how to make them here).
Once the students used their film to read the hidden message, it read “Cool now you see me! Password: (five symbols).” The symbols used a Pigpen Cipher, which students would decipher to receive the word “Sloth.” After telling the MindPoint Group team their password was sloth, they received their next puzzle envelope.
This final puzzle contained two items: a deck of playing cards and a key.
This Playing Card Cipher needs a key in an agreed-upon suit pattern and card pattern. In order to read the secret message, you’d need to put the cards in the right order by using the key.
When all of the cards are stacked using the correct key, the message is readable on the side of the deck.
When the students informed the MindPoint Group team their password was pizza, they received their prize for completing the challenge.
Tips for Administering the Challenge for Older Students
If you are working with an older age group, here are some tips for making these challenges a little more difficult:
- The messages that need to be decoded can be a lot longer.
- You should encode the deciphered code word in another cipher. For example, on Puzzle #1 and using the Scytale, instead of plain text you could use a Pigpen cipher for the whole message.
- When giving a Caesar Cipher puzzle, don’t tell the students what the shift number is, but have a clue hidden somewhere. For example, add six stickers on the envelope for a shift of six.
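The Caesar puzzle from the challenge and the hidden-shift tip above, as an added Python example (not part of the original guide): it encodes a puzzle with any shift and recovers an unknown shift by trying every one. The common-word list and the function names are assumptions made for this example.

```python
import string

# Ciphertext from the Caesar puzzle in this guide (shift of 3).
PAGE_CIPHERTEXT = "qlfhob grqh wkh qhaw sdvvzrug brx qhhg lv frpsxwhu"

# Constructed for this example: short words likely to appear in a puzzle message.
COMMON_WORDS = {"the", "you", "is", "and", "to", "of", "next", "need",
                "your", "password"}


def caesar(text, shift):
    """Move each letter `shift` places along the alphabet; keep other characters."""
    out = []
    for ch in text:
        if ch in string.ascii_letters:
            base = ord("a") if ch.islower() else ord("A")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encode(plaintext, shift):
    return caesar(plaintext, shift)


def decode(ciphertext, shift):
    return caesar(ciphertext, -shift)


def score(candidate):
    """Count how many words in the candidate plaintext are common English words."""
    return sum(word in COMMON_WORDS for word in candidate.lower().split())


def recover_shift(ciphertext):
    """Try all 26 shifts and return (shift, plaintext) for the best-scoring one."""
    best = max(range(26), key=lambda s: score(decode(ciphertext, s)))
    return best, decode(ciphertext, best)


if __name__ == "__main__":
    print(recover_shift(PAGE_CIPHERTEXT))
    puzzle = encode("nicely done the next password you need is computer", 6)
    print(puzzle, recover_shift(puzzle))
```

Because there are only 26 possible shifts, older students can also be asked to find the shift themselves by trial, which makes a good discussion point about why a small key space gives little secrecy.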
The students had a lot of fun and are already looking forward to next year. MindPoint Group is honored to continue this journey and work with the next generation of future cybersecurity professionals.
About MindPoint Group’s Volunteer Initiative Program
MindPoint Group’s Volunteer Initiative Program (VIP) is a group of employees who are dedicated to community outreach through direct support of various charity organizations and programs. As a company, we recognize that with prosperity comes the responsibility to give back to the society of which we all are members. Since 2012, our volunteer initiatives have ranged from rolling up our sleeves providing direct physical support to charities, to financial support through donations as well as representing the company at national charity events. VIP is led by a committee that regularly convenes to approve sponsorship requests, support event planning, and coordinate events throughout the year. VIP actively promotes and encourages all employees to get involved and support both local and extended communities, particularly those in which we all share membership.
VIP STEM Project:
- 2018 Sponsorship/Enrollment of William-Ramsey Elem. School Top Math students in Congressional’s Cybersecurity Specialty Camp
- 2018 Ludlow-Taylor Elementary School Cyber Challenge
- 2017 Ludlow-Taylor Elementary School Cyber Challenge
- Guide to Creating a Cybersecurity Challenge for Kids - June 26, 2018