Devansh Batham is one of those young ethical hackers. The 17-year-old boy from India claims he has so far reported fifteen security leaks to Erasmus University. He told us in an e-mail why he does this kind of work. “I’m not going to be diplomatic about it,” he wrote. “I’m doing it for the money, the freebies and the recognition!”

Batham is by no means the only hacker who contacts the university for so-called responsible disclosures. The team that follows up on such disclosures – ICT officers Richard van Schaijik, Assad Baig and Sebastiaan Kamp – spends a lot of time dealing with hackers. A responsible disclosure is a strict procedure to address a security issue in the university’s systems in a legal and damage-free way. As long as the hacker complies with this procedure, his hack is considered an ethical hack.

Ethical EUR hacker: Devansh Batham

Batham is a first-year computer science student from India. He hunts for security issues in his spare time. Sometimes he will study a target for ten to fifteen days. He claims to have made many responsible disclosures. “To more than sixty companies!” he writes, proudly. He is listed twice in EUR’s Hall of Fame. Among other things, he drew EUR’s attention to cross-site scripting (XSS), a security issue where hackers can execute their own scripts on the victim’s website.

Focused search

EUR’s website explains in detail how to go about it. “It is important that the hackers perform a focused search, rather than scanning our entire system every day, so as to prevent the system from overloading,” explains Richard van Schaijik. Furthermore, hackers must not collect more evidence than is strictly necessary to notify the university of a problem. “For instance, a SQL injection leak might allow them to perform database commands that would allow them to download the entire database from the site very easily. However, they can also simply download one line from this database, which is enough to demonstrate that the site can be breached.”

If a hacker finds a bug, he can report this through a webform. He must explain how he found the bug, so that Van Schaijik and his colleagues can reproduce the problem.

Ethical hacker: Eusebiu Blindu

Blindu lives in the Czech Republic, but was born in Romania. He regards the search for bugs as some kind of investigation, “like I’m an investigative journalist or detective”. Being an experienced ethical hacker – “ha ha, I’m old, I’m 35!” – he mainly chases financial rewards, but appreciates any present he gets. “EUR’s present arrived nicely wrapped up. It contained a beautiful notebook. I really love those.”

Completely inundated

The number of disclosures varies enormously, but on average, the three men receive about twenty per month, Van Schaijik believes. Sometimes the department is completely inundated, for instance because several hackers report a security issue at the same time – let’s say, when they have found a bug in the software used by the university. “Since we understand the technology reasonably well, it generally doesn’t take us too long to determine the gravity of the problem.”

The bugs often aren’t serious. In nearly half of all cases, the reports concern minor risks. “Security always leaves some room for improvement, but sometimes it’s not worth taking that additional step. In such cases we accept the risk.” As for the other half of disclosures, these leaks have generally been reported before. “We only thank the first person to report an important issue by sending him a gift set and listing his name in our Hall of Fame.”

The number plate Dave Jong received from the RDW

Ethical hacker: Dave Jong

Jong is a Dutch security expert who has so far disclosed two bugs to EUR. He mainly does it because of the “adrenaline rush you experience when, after searching for hours, you find a leak that must be closed by the webmaster very quickly”. But he also wishes to help companies and organisations keep their services secure. “Some black hat hackers like to cause as much damage as possible, but I can’t for the life of me understand the use of that.” Bounty-hunting is a hobby to him. So far he has received a grey hoodie, a personal letter, a mouse pad and a pencil from EUR. His coolest freebie is a number plate issued by RDW, the Dutch vehicle registration authority (see image).

CV-building

Sometimes this results in friction with proud hackers. “In such cases we’ll have a difference of opinion. Generally they remain friendly, but they do sometimes push pretty hard,” Van Schaijik says, reminiscing. “I understand why, because such listings are very important to them. They are building CVs with links to recognised disclosures, such as our Hall of Fame. This will give them a better shot at a job in ICT security.”

Van Schaijik occasionally discloses issues himself, “particularly to universities I know use the same software we do”. The disclosures come from all over the place. A lot of them come from India, but sometimes they will come from the Netherlands. “We even receive disclosures from the university’s own students and staff, or from security companies who wish to get their foot in the door at Erasmus University.”

Website hack

Of course the university can also be targeted by unethical hackers, also known as ‘black hat hackers’. For instance, the university was targeted in November 2016, when hackers gained unlawful access to EUR’s website and possibly stole personal data. This happened a month after Van Schaijik commenced employment at the university. “That was a very interesting time. A lot of things changed, and we were able to implement many security measures. So in the end, it wasn’t all bad.”

Ironically, the hack might have gone unnoticed if it hadn’t been for the ethical hackers. “We didn’t find out until we received a disclosure from one of those hackers. By then it had already happened.” The question arises as to whether otherwise the university would have realised that personal data, including students’ medical records, had been inspected by hackers. Van Schaijik does not really want to discuss this, though. “I think I’ve already said too much on this subject.”
