Beating Them at Their Own Game

These Hackers Wear White Hats

By Krista Burns

For many, it was an “interview” better left unseen, but it did once again bring cybersecurity to the forefront.

The controversial action-comedy film about the assassination attempt on North Korean dictator Kim Jong-un was thrust into the spotlight late last year after a group of hackers conducted what could be the largest cyber attack in history, crippling Sony Pictures Entertainment and issuing warnings to any theater that showed the movie.

In response, Sony canceled the New York City premiere and movie theater chains either delayed or canceled screenings to the chagrin of James Franco and Seth Rogen fans, leaving many asking, “How can we prevent future cyber attacks?”

David Brumley (pictured) says the answer is simple: beat hackers at their own game.

Brumley, an associate professor of electrical and computer engineering and technical director of CyLab, is training the next generation of “white hat” hackers — ethical hackers trained to spot vulnerabilities in systems.

“My research team’s goal is to check software for exploitable bugs,” Brumley explained. “We want computers to find bugs that attackers may use first, so that those bugs get fixed. We’re currently working on tools and techniques that simulate what an attacker can do, so we can find security problems before they find them.”

In a recent interview on ABC’s Nightline, Brumley explained how students are learning to protect our systems and networks.

“We’re teaching students how to identify vulnerabilities and how to show that they are really exploitable,” Brumley said. “We need to teach students to identify vulnerabilities before the bad guys.”

In order to stay one step ahead of would-be criminals, it’s crucial that high schools and universities offer courses in computer security.

“Growing the computer security field is essential. The field has huge opportunities. It pays well, and it’s in high demand,” Brumley said.

While there are many computer security courses available at Carnegie Mellon, there are minimal opportunities for high school students to become exposed to this growing area.

“At the high school level, most guidance counselors don't even know it’s a field. That is what motivates my work in educational outreach,” Brumley said.

Brumley, along with Peter Chapman and Jonathan Burket, created picoCTF, a computer security game targeted at middle and high school students. The game consists of a series of challenges centered around a unique storyline in which participants must reverse engineer, break, hack and/or decrypt code to solve challenges.

The challenges are set up with the intent of being hacked, making it an excellent — and legal — way for them to get hands-on experience. Students form teams to compete for cash prizes.

“Last year, we gave away about $50,000 in prizes, and reached about 10,000 high school students to promote the field,” Brumley said.

Many computer-savvy students also choose to participate in hack-a-thons to test their knowledge in real-life hacking situations.

“The way we measure the best is to compete in international [hack-a-thon] competitions, and we often win,” Brumley noted.

Last summer, Carnegie Mellon students demonstrated their cyber prowess at one of the world’s largest annual computer security conferences, DEFCON 22, by winning the “Capture the Flag” and “Crack Me If You Can” contests.

“Our team competed against universities and large defense contractors. This win is a huge accomplishment for our team,” said Brumley, the team’s adviser.

Many are quick to blame hackers for cyber attacks, but Brumley sees it a bit differently.

“I don’t view it as being at war with hackers. Our war is with insecure computers and programs. It’s far too easy to break into a system. We need to program computers so that they can check themselves for bugs and vulnerabilities. This doesn’t happen yet, but it’s something we aim to fix,” he said.

Watch Brumley’s interview on ABC’s 
Nightline at http://abcn.ws/1x6DEQJ.