Donning the White Hat

Students couldn’t believe their luck.

Disguised as technicians from an internet service provider, these “white hat” hackers walked into a business and asked to scan company computers for viruses. A believable cover story got them in the door and gave them minimally supervised access to key electronics. They knew which electronics to target from video surreptitiously recorded on a previous facility tour.

It should’ve been a 20-minute visit, but the ruse worked too well, and the visit dragged into an hour. A couple of “discovered” viruses scared office staff into asking the team to scan the entire facility. Students with improvisational comedy backgrounds kept the team’s story intact to satisfy worried staff.

The team finished and rendezvoused with professor Jake Young and the scout team a few blocks away. No “get out of jail free” card needed.

“It was almost too good to be true; we thought we would be caught,” said management information systems alumna Kerstyn Campbell ’17. “We were nervous, but relieved they believed our story. By the end, we felt a sense of accomplishment knowing we completed the most challenging task.”

Under Young’s guidance, the class explored a new level of legal espionage for university courses and inspired Bradley’s new cybersecurity major and minor. Instead of trying basic digital probes on campus IT infrastructure, students launched a full-scale assault on a business that volunteered to be tested. The first-of-its-kind project went undetected until students’ final presentation to the business’s executive team.

“The CEO fell out of his chair when he recognized us,” Campbell said. “He hired us and knew what was going on, but we were so smooth he never realized what was part of the attack. It was exciting, yet scary, that a bunch of college students hacked a real company so easily.”

Campbell’s social media interest took her deep into social engineering to find personal or company information. While she and several classmates did that, others tried network attacks and even old-fashioned espionage — dumpster diving for documents and discarded devices. A third team scouted the business’s physical location for weaknesses in operational and physical security.

Social media profiles, fun online quiz answers, unshredded documents and other data disposal faux pas yielded detailed profiles on most company employees. With this information, students successfully probed for more information through phishing emails and calls. They even posed as IT vendors and recorded an hour of video inside the facility — after being told not to use cameras.

“It was shocking how easily students lied their way into the business, but unfortunately, that is what happens every day to all sorts of organizations,” Young said. “I was confident in them, but they are still amateur hackers making their first attempts on a live client. If we can successfully infiltrate your business, black hats will likely have no trouble at all.”

The class gave Campbell new appreciation for “good” IT staff who try to find security issues before information falls into the wrong hands. Shortly after graduation, she entered the field in Caterpillar’s digital and IT development program.

“It’s rewarding to do something that helps other people,” she said. “Growing up, I thought of police, doctors and firefighters as important jobs to help people. I discovered we’re valuable because we help keep people safe from cybercrime.”

(Photo by Duane Zehr)