27 November 2017

At Berkeley, a New Generation of “Ethical Hackers” Learns to Wage Cyberwar

By Anna Wiener

“Whenever I teach a security class, it happens that there is something going on in the news cycle that ties into it,” Doug Tygar, a computer-science professor at the University of California, Berkeley, told me recently. Pedagogically speaking, this has been an especially fruitful year. So far in 2017, the Identity Theft Resource Center, an American nonprofit, has tallied more than eleven hundred data breaches, the highest number since 2005. The organization’s running list of victims includes health-care providers, fast-food franchises, multinational banks, public high schools and private colleges, a family-run chocolatier, an e-cigarette distributor, and the U.S. Air Force. In all, at least a hundred and seventy-one million records have been compromised. Nearly eighty-five per cent of those can be traced to a single catastrophic breach at the credit-reporting agency Equifax. That hack was reported in early September—just as Tygar and his students were settling into the third week of a new course called “Cyberwar.”

The purpose of the course, according to Tygar’s faculty Web page, is to teach Berkeley’s budding computer scientists to “forensically examine real cyberwar attacks” with an eye toward preventing them. Occasionally, this might mean mounting attacks of their own. Penal codes around the U.S. are not especially lenient when it comes to cybercrime; in some states, certain computer crimes are considered Class C felonies, on par with arson and kidnapping. So, for the hands-on portion of their studies, Tygar’s students rely on HackerOne, a sort of marketplace-cum-social-network devoted to “ethical hacking.” Companies, organizations, and government agencies use the site to solicit help identifying vulnerabilities in their products––or, as Tygar put it, “subject themselves to the indignity of having undergraduate students try to hack them.” In exchange for information about what they’re doing wrong, many of these clients offer monetary rewards, known as bug bounties. Since 2012, when HackerOne was launched, its hundred thousand or so testers have earned a total of twenty-two million dollars, a figure that the platform’s Dutch-born founders, Jobert Abma and Michiel Prins, hope to quintuple by 2020. For Tygar’s students, there is an added incentive: every bug they catch through HackerOne also gets them points toward their final grades.

Late last month, about fifty “Cyberwar” students, shouldering overstuffed backpacks and dressed in various forms of U.C.-stamped apparel, gathered in a nineteenth-century building on campus for a “hack night.” HackerOne swag was sprinkled across the desks—T-shirts, laptop-camera covers, branded fidget spinners. Tygar darted around the room in a sweaty teal polo shirt and Birkenstocks, enlisting volunteers to set up stacks of boxed pizza and distribute cans of soda. Once fortified, the students set about looking for bugs. HackerOne had sent a cadre of cybersecurity professionals––most skinny young men, most wearing sweatshirts––to provide counsel. One of them, Tanner Emek, an engineer at the personal-finance company NerdWallet, had recently received a fourteen-thousand-dollar bounty at Def Con, an annual hacker convention in Las Vegas, for discovering a flaw in Salesforce, a platform for customer-relationship management. (“It’s definitely fixed,” Emek assured me.)

Tygar’s students were after more modest prizes. “There are certain companies that are considered low-hanging fruit for hackers,” Vy-An Phan, a junior, explained. “For me, state Web sites and local-government Web sites are, like, the fruit that’s already fallen onto the ground.” Although HackerOne’s government clients tend not to offer cash bounties, Phan had decided to focus on various secretary-of-state Web sites around the country, which house tools central to the electoral process—voter registration, ballot measures, candidate information, Election Day guidelines. So far, she had found eight bugs spread across four sites. One was a clickjacking vulnerability, in which a page that does not forbid being embedded in a frame is loaded invisibly on top of a decoy, so that a user who believes he is clicking one thing is actually clicking something else on the hidden page. Several others were cross-site-scripting (XSS) vulnerabilities, an especially flexible and dangerous class of bug, in which an attacker gets the site to deliver script of his own choosing to other visitors, whose browsers then run it with that site’s privileges. “I could trick someone into registering for the wrong party, or not registering at all,” Phan said. “It all really depends on what I want to do.”
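The kind of bug Phan describes, reduced to its mechanics, as an added example that is not code from the article or from any secretary-of-state site: a constructed confirmation page reflects a “party” query parameter back into the HTML, once as text and once inside an attribute. The template, the parameter name and the host name are assumptions of this example. The unsafe renderer pastes the value in verbatim, so a crafted link carries script into the victim’s page; the hardened renderer escapes the value for HTML before interpolation, which is the fix for reflected XSS.

```python
import html
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed stand-in for a confirmation page on a registration site that
# reflects the "party" query parameter back to the user. It is not code from
# any real secretary-of-state site; the template and parameter name are
# assumptions of this example. The same value lands in two HTML contexts:
# a text node and a double-quoted attribute.
TEMPLATE = (
    '<h1>Registration received</h1>'
    '<p>Party: {party}</p>'
    '<input type="hidden" name="party" value="{party}">'
)


def party_from(url):
    """Pull the reflected parameter out of the request URL, percent-decoding
    it the way a real server framework would."""
    return parse_qs(urlparse(url).query).get("party", [""])[0]


def render_unsafe(url):
    """Vulnerable: the parameter goes into the page verbatim, so whatever
    markup the link carries becomes part of the document the victim loads."""
    return TEMPLATE.format(party=party_from(url))


def render_safe(url):
    """Hardened: escape <, >, &, " and ' before interpolation, so the value
    can only ever be text, in both the text-node and the attribute context."""
    return TEMPLATE.format(party=html.escape(party_from(url), quote=True))


def attack_link(base_url, payload):
    """How an attacker builds the link to send a victim: the payload is
    percent-encoded so it survives e-mail and the browser's address bar."""
    return base_url + "?" + urlencode({"party": payload})


if __name__ == "__main__":
    base = "https://sos.example.invalid/confirm"  # assumed host, not a real site
    # Payload that closes the attribute first, then injects script; the same
    # string also fires in the text-node context because of the <script> tag.
    link = attack_link(base, '"><script>alert(document.cookie)</script>')
    print(render_unsafe(link))
    print(render_safe(link))
```

Escaping must match the context the value lands in: the text-node case needs only `<` and `>` neutralized, but the attribute case also needs the quote, which is why `quote=True` is not optional here. A Content-Security-Policy that forbids inline script is a second, independent layer; it does not replace output encoding.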

Across the room, two exchange students from China’s Wuhan University were testing the U.S. Department of Defense’s Web site. “We’re just finding bugs,” Angus Zhu, a junior, said cheerfully. He and his classmate, Farlui Li, had discovered that part of the site was susceptible to XSS attacks, making it relatively easy for a malicious actor to steal data from other visitors’ browsers and impersonate them. Zhu and Li were also testing social networks such as Facebook, Twitter, and Quora for vulnerability to homograph attacks, in which hackers use similar-looking characters from different writing systems to confuse their targets. The technique is particularly popular in e-mail phishing scams. If, for instance, a hacker wanted to fool people into handing over their credit-card information, he might send them a link to a fake version of Paypal.com, replacing the Latin letters in the URL with Cyrillic look-alikes—the English “p” for the Slavic “р,” which actually sounds like “r”; the English “y” for the Slavic “у,” which sounds like “u”; and so on. On screen the two addresses can be indistinguishable, but to the domain-name system they are different names: the look-alike is registered and resolved under its Punycode form, which begins with “xn--,” and that is the string a careful user or a browser’s address bar can check.
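A small checker for the substitution described above, as an added example that is not code from the article or from the students’ work. It flags a host name whose label mixes Latin and Cyrillic letters (roughly the rule browsers apply before deciding whether to display a name or its Punycode), and it goes one step further than the text: a label written entirely in Cyrillic look-alikes passes the mixed-script test, so the example also maps look-alikes onto their Latin twins and compares the result against a list of protected names. The look-alike table is a hand-picked subset of Unicode’s confusables data, the protected list and sample host names are constructed for this example, and the article’s “Paypal.com” is used only as the name being imitated.

```python
import unicodedata

# Hand-picked subset of Unicode's confusables table: Cyrillic letters that
# render like Latin ones. The real table is far larger; this subset is an
# assumption of this example, enough for the Paypal case in the text.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER (sounds like "r")
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U (sounds like "u")
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def letter_scripts(label):
    """Scripts used by the letters of one DNS label, taken from the first
    word of each character's Unicode name ('LATIN SMALL LETTER A' -> 'LATIN').
    Digits and hyphens are script-neutral and ignored."""
    return {
        unicodedata.name(ch, "UNKNOWN").split(" ")[0]
        for ch in label
        if ch.isalpha()
    }


def skeleton(label):
    """Replace each look-alike with its Latin twin so two labels that render
    the same way compare equal as strings."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def assess(host, protected=("paypal.com",)):
    """Normalize the host the way IDNA does, then report: the Punycode form
    the resolver actually sees, any label mixing scripts, and any protected
    name the host imitates once look-alikes are folded away."""
    host = unicodedata.normalize("NFKC", host).lower()
    labels = host.split(".")
    mixed = [label for label in labels if len(letter_scripts(label)) > 1]
    punycode = host.encode("idna").decode("ascii")
    twin = next((p for p in protected if p != host and skeleton(host) == p), None)
    return {
        "punycode": punycode,
        "mixed_script_labels": mixed,
        "lookalike_of": twin,
        "suspicious": bool(mixed) or twin is not None,
    }


if __name__ == "__main__":
    # Constructed samples: the genuine name, the article's partial swap
    # (Cyrillic er and u for Latin p and y), and a whole-label swap.
    for sample in ("paypal.com", "\u0440a\u0443\u0440al.com",
                   "\u0440\u0430\u0443\u0440\u0430\u04cf.com"):
        print(sample, assess(sample))
```

The mixed-script rule is cheap and catches the swap the article describes, because the “a” and “l” stay Latin; the skeleton comparison is what catches the whole-label case, at the cost of needing a list of names worth protecting. A mail gateway or proxy would run both on every link it sees and show the Punycode form rather than the pretty one when either fires.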

Christian Ng, a freshman, was sifting through the source code of a venture-backed cryptocurrency platform. He seemed unimpressed. “They were using Flash, which is notoriously insecure,” he said. “If I can inject code into the Flash object, I can create an XSS vulnerability.” Attackers could theoretically use such a vulnerability to steal transaction or bank-account data––and Ng could receive a bounty of as much as seventy-five hundred dollars for finding it. A few tables away, Jobel Kyle Vecino, a junior, was working with a partner to hack into a children’s entertainment site. “Our line of thinking is that the parts of the Web site that are primarily for the children are probably not very well tested,” he said. (In July, after a number of Internet-connected smart dolls and stuffed animals were found to harbor security flaws, the F.B.I. released a public-service announcement warning about “opportunities for child identity fraud.”)

Abma, the HackerOne co-founder, had been pairing up with students throughout the evening. Now, sitting at the back of the classroom, he told me that some of them had the potential to become “really successful” hackers. But he also expressed some skepticism. “Persistence and creativity and the drive to keep going are things that are really hard to teach someone,” he told me. He likened hacking to a Rubik’s Cube: “You don’t know how to do it, necessarily, but you know there’s a solution.” For Tygar, the solutions themselves are less important than the experience and perspective that “Cyberwar” will provide his students. “We’ve all read the news with these reports that Russian hackers broke into infrastructure that’s helping to support the integrity of elections,” he said. “It puts a whole other twist on it when you think that undergraduate students in college can also break in.” 
