The first time Zach Mayo infiltrated a security program, he was barely in his teens.
At home with his family's computer, he bristled at the parental control software cutting him off from the Internet after curfew.
"I'm 12 years old. Of course I'm going to try to break into it," Mayo said. "Then you realize you can."
The breach didn't go unnoticed by his father.
"He was mad at me because I broke in. I looked at him and said, 'This is what I want to do for the rest of my life,'" Mayo said. "But I want to help people."
That realization led Mayo to UNC Charlotte, where he's now a senior studying how to make programs and networks more secure.
But before professors showed him how to shore up cyber defenses, they taught another lesson: how to be a better hacker. It's a fundamental tenet of UNCC's program, which pairs a curriculum in "penetration techniques" with cyber defense research to equip graduates to battle digital criminals.
Although teaching attacks is common among similar programs, UNCC's Department of Software and Information Systems was one of the first in the U.S. recognized by the National Security Agency as a Center for Excellence in Information Assurance.
"Learning enough about attack techniques is a mandatory step, a critical step, for learning defense," said Ehab Al-Shaer, a professor of software and information systems. "It's a matter of experience, not feeling."
And to guide the actions of these "good guy" hackers, or white hats, professors drill home a professional code of conduct: an ethical guide written by white-hat hackers, for white-hat hackers.
With great power...
It all starts in the lab. Cut off from the Internet, professors and students build self-contained networks similar to those in banking or e-commerce. The networks may also be populated with computer viruses professors pluck from the wild. The quarantine ensures neither virus nor hacker can escape onto other networks to cause harm.
"We give the students a strong sense about the tactical problems these fields are facing in the lab environment," Al-Shaer said. "They can do whatever they want and they don't break anything."
While students are busy discovering and exploiting weaknesses in security, they're also getting a "healthy dose of ethics," said Bill Chu, chair of UNCC's Department of Software and Information Systems. That means showing them how to responsibly disclose any real-world security flaws they find.
Following guidelines published by a white-hat hacker known by the online moniker "Rain Forest Puppy," professors teach students their obligation to educate system owners - and the public if necessary - about vulnerabilities in the interest of public safety.
"As long as the owner is willing and is putting a good effort into fixing it, we should help them," Chu said. "But if they're not spending enough effort, the researcher has the responsibility to go public. So that's a judgment call."
Students like Mayo say those lessons have hit home, especially since they've often had experience dabbling in "grey-hat hacking" before arriving on campus.
Thinking like a criminal
"The mark of a true professional white hat and ethical hacker is using your power for good," Mayo said. "It's a big awakening for a lot of students - and me, too."
Chu points out the idea of responsible disclosure is "very controversial to some people." But according to Al-Shaer, the curriculum confronts the reality about hacking and better prepares students to fight crime by thinking like criminals.
"This information, how to hack, is already available. If you do a really simple Google search, you will find these things. It's not secret anymore. Kids 14, 15 years old, they can do this stuff," Al-Shaer said.
"Why would we keep our students behind?"
UNCC white hats such as senior Josh Schroeder have wasted no time applying their skills outside the classroom. To create a university hacking community, Schroeder founded a student group called the 49th Security Division, which participates in hacking competitions and conferences.
"Students would do these competitions, they'd do them over and over again, but the student backbone wasn't there," Schroeder said. "In the last three to four years, it's changed from being something the professors tell the students to do to something students want to do."
Group members also trade tips and tricks, work together to solve problems and monitor trends in the hacking community at large.
"It's such a different style of learning that's incredibly conducive toward an educational atmosphere," Mayo said. "We're there with friends. We learn from each other, we make mistakes and we pick up from there."
The result, Schroeder said, has transformed the study of cyber security from work to a passion.
"The classroom environment is a good start, but if you don't have other resources and other things to keep it going, then the fire's just going to die," Schroeder said.
Changing the rules
It takes more than just academics and extracurriculars to keep up with cyber criminals. That's why researchers are also working on new weapons for a rapidly evolving battle.
"In some areas we are ahead of the bad guys, but to be honest, in many areas we are reactive," Chu said. "This is not just us; this is the field as a whole."
Al-Shaer is developing a "moving target defense" that changes network addresses according to a predefined pattern, confusing hackers and viruses. The physical equivalent would be foiling thieves by regularly relocating the door to the loot.
"If we cannot win the game, let's change the rules of the game," Al-Shaer said. "The rule of the game is that the configuration is always static."
Throughout the research process, Al-Shaer said tapping students' skills is crucial to simulating the unpredictable nature of human ingenuity that every new security measure will face in the real world.
"When (students) are engaged in such a large-scale experiment, they understand the nature of this battle, the nature of this war," Al-Shaer said.
And that understanding will mean continued job security in a world growing more and more dependent on well-guarded data, he said.
"Cyber (security) is about to change from something that's good to have to something that is essential to have," Al-Shaer said. "When we move past that, security is going to become priority No. 1 on any agenda you can think of."












