How Can Hacking be a Good Thing?
Aug 31, 2016 10:29AM ● Published by Hilary Daninhirsch
CyLab Security and Privacy Institute at Carnegie Mellon University
Gallery: CyLab Security and Privacy Institute at Carnegie Mellon University [5 Images] Click any image to expand.
The word “hacking” applied to computers often has a negative connotation, calling to mind people who break into software systems with bad intentions. However, Dr. David Brumley, CMU professor and director of CyLab Security and Privacy Institute at Carnegie Mellon University and CEO of ForAllSecure, says that trained individuals who are able to hack into software systems successfully can also protect us from evildoers.
Brumley wrote a paper entitled Checking the World’s Software for Exploitable Bugs, and last month, based on his research, CMU’s competitive security team won its third World Series of Hacking title at the DefCon Capture the Flag Competition. A week previous, ForAllSecure won a $2 million prize at the DARPA Cyber Grand Challenge from the Department of Defense (DOD). We decided to sit down with Dr. Brumley to find out what was new in the world of cyber security.
North Hills Monthly Magazine: What is the definition of hacking?
David Brumley (Brumley): Hacking really has a cache in the media—bad guys doing bad things. But for us, the term ‘hacker’ denotes an expert in computer security who is really good at figuring out what flaws the bad guys may find. This is an in-demand skill that people do for good with the idea that we should check the security of the systems that we use. And we should think a little bit like an attacker so that we make sure we are not overlooking something. It’s the old analogy where you don’t want to put an expensive door lock on the front door and have a glass window right next to it.
NHM: What is the basis of your research?
Brumley: CMU sees computer cyber security and privacy as one of the bigger challenges facing us as a society, so they created a university-wide institute. As part of this, we do quite a bit of novel research. One area is called usable privacy, which is all about making sure your browser control or Facebook privacy settings are usable for a normal user. Another is what some people call hacking, which is how do you find and protect vulnerability in computer systems.
NHM: What types of information can illegal hackers obtain?
Brumley: There are really a few different scenarios. There is the personal level, where someone breaks into your computer; that’s the one most people worry about. When breaking into a person’s account, hackers look for personal identifiable information and things like credit cards and log-ins to banks. They may disable your computer until you pay them a ransom. There is a lot of malicious software out there, so if a person’s computer gets compromised, it does things like encrypts the hard drive and demands a payment before it decrypts it. Defenses at this level typically revolve around good security hygiene, such as keeping software up-to-date.
Businesses are also worried, but for different reasons. Businesses worry about hackers stealing customer data, and also their intellectual property. Defenses for businesses are more complicated, as businesses have to worry about protecting whole networks.
Finally, there is the national security level, where countries are worried about everything from spies to military-sanctioned cyber attacks against infrastructure. The DOD takes cyber defense really seriously – at the same level as air, land, sea and space. They have a really difficult defense problem: they have to protect their country against really powerful and well-funded adversaries.
CyLab considers all different levels– personal, corporate, and national security–and the different threat models and defenses that come with them.
NHM: Tell me about the work that you’re doing with cyber security.
Brumley: The main way hackers break into systems is that they look for exploitable bugs, or flaws in computer programs. The programs are just like anything else made by a person: it can have mistakes. However, right now, we don’t have a way of automatically finding those mistakes. Instead we ship out software to the world. When people download software, if it has bugs, hackers can use those bugs to break into computers. Our goal is to check that software for users and to let them know when it might be unsafe.
NHM: How are you doing that?
Brumley: We’re developing new algorithms that search through programs much like an attacker would.One of the parts that’s novel is that we’re starting to do this on a really big scale. A single hacker may be able to look at one program a week; we can look at one program every minute. We think of it as akin to adding a safety rating to cars.
NHM: How does the World Series of Hacking tie into this?
Brumley: CMU has a competitive hacking team; in the World Series, this group of hackers is put on an isolated network with the best hackers from all over the world, and they fight it out. Carnegie Mellon won. From a local perspective, one of the things that I’m most proud of is that here in Pittsburgh, we really do have the world’s best in computer security.
NHM: What impact will your research have on the future of cybersecurity?
Brumley: We hope that we can bring a new level of safety to cybersecurity. At the core of the issue is that today’s computers are really insecure and run insecure programs. ForAllSecure is building the tech to ‘think like an attacker’ to check computers, find flaws, and fix them before attackers can break into them.
The average user right now has no idea how insecure his or her system is—we’ll give them a security rating, like the safety rating on a car. We think we can make the world much safer with better defenses, more in-depth testing for security problems, and ways of letting everyone check to see if their computers are insecure. n