Just the Hackers You Need

We are under attack.

Every millisecond, the billions of people across the globe who rely on the Internet for information and email for communication are assaulted by an unknown number of constantly evolving criminals. They prey upon our technological stupidity to take over bank accounts, sell us fake products that never arrive, and otherwise extract money from our wallets in creatively devious ways. It is nothing short of the biggest crime wave in human history, but, as individuals, we have very little to use to defend ourselves, save not opening suspicious emails, avoiding weird Web sites, and keeping our computer software up to date. Add to that the growing threat of cyberwar against nations and corporations, which — as shown in the ongoing online battle over WikiLeaks and recent attempts to attack Iran’s nuclear reactors with a computer virus — might be effectively launched by anyone from state soldiers to pissed-off hacktivists.

But while this cyber-crime monster salivates over your hard drive, there’s a team of good guys working overtime in an ocean-view office on the second floor of UCSB’s Harold Frank Hall to slay the beast. This is the lair of the Computer Security Group, a collection of professors, researchers, and students who are considered critical players in this global game of cops and robbers. In recent years, these professional hackers — led by longtime computer science professor Richard Kemmerer, Italian-born ringleader Giovanni Vigna, and Austrian whiz kid Christopher Kruegel — have infiltrated the State of California’s electronic voting machines (legally, by request), hosted the world’s biggest hacking competition ever (just two weeks ago, with 17 countries and 900 participants), won the world’s most competitive hacking battle (DEFCON 2005 in Las Vegas), and taken over one of the cyber underground’s most devious networks, a “botnet” that’s infected nearly 200,000 computers in order to illicitly snag credit card numbers and bank account information.

“UCSB is one of the top research centers in the country and world in cyber security,” said Virgil Gligor, a professor at Carnegie Mellon University in Pittsburgh and possibly the world’s foremost expert on the matter. “Dick Kemmerer and his colleagues have accumulated a large pool of talent that produces very good research results to really important problems. There are only a few schools worldwide with the same level of competence.”

What truly sets UCSB apart is the ability to make research work in the real world, from prosecuting the bad guys to analyzing how we cast our votes. “They have been involved at a national level working on cyber crime and cyber security and have managed to have a significant impact on a number of major cases,” said one federal law enforcement source who spoke on condition of anonymity. Debra Bowen, California’s Secretary of State, hired UCSB and others to test the hackability of the state’s electronic voting machines in 2007. She said the group’s work “is felt by every California voter, each election cycle. … The work carried out by the top-to-bottom reviewers strengthened voting system security requirements in the state, and ultimately across the nation, since many states piggybacked on the work done in California.”

But as the ongoing cyber war over WikiLeaks reveals, the fight has just begun. The U.S. government — which noted a 450-percent jump in cyber crime in just the past four years — is expected to spend more than $13 billion annually on cyber security by 2015, and much of that will come to UCSB and institutions such as Princeton, Purdue, and Georgia Tech, which are also leaders in this field. Early next year, the group will be unveiling the Center for Cybersecurity at UCSB, where experts from different disciplines can come to work on security issues. It’s a sign that the Computer Security Group is evolving to the next level, but the center will also pave the way for more government money to come through the door, much like the $6.2-million grant that the U.S. Army Research Office allocated to UCSB and two other schools to investigate the Internet’s underground economy.

“It’s clear the arms race is going to continue,” said Kruegel, who finally signed on as a professor in 2008, after nearly a decade of popping between Santa Barbara and Vienna. “When you have well-funded, clever, multi-headed adversaries, they don’t just stop when you put up a good defense. We’re in this for a little longer.”

Litya vs. The World

Two Fridays ago, the usually lackluster lobby of UCSB’s nondescript Harold Frank Hall was the epicenter of a global battle: On one side was the fictional country Litya, which had gone rogue with the help of the Computer Security Group organizers, thereby attracting the ire of the other side: 72 teams of 900 computer security students from 17 countries who were competing against each other to see who could hack Litya the hardest. The teams — two of which were UCSB grad students — were simultaneously tallying extra points for completing various security breaches, such as sending in launch codes to aim a tiny foam missile at a cardboard target or scouring Google Maps street views to find the license plate number of a car parked outside Joe’s Café on State Street.

This ninth annual UCSB International Capture The Flag tournament was the world’s largest hacking competition ever, and it’s the perfect example of what makes the Computer Security Group tick: Students aren’t just taught codes in classrooms and then tested on what they learn — they’re actively engaged with the process, taking part in competitions where real-world security scenarios are at play.

“Really doing it is the only thing that makes you understand exactly how it works,” explained Giovanni Vigna, who founded the competition a few years after coming from Milan to UCSB in 1997. “That’s why I love the hands-on approach. It’s not like other fields of computer science that are a bit more gray. In security, it’s ‘Can you break it or not?’”

That learning-on-the-fly ethic reflects the spirit of Richard Kemmerer, who grew up in Pennsylvania but was lured to Anaheim by the government to work on Minuteman missiles in 1966. A grad student in mathematics at the time, he’d never taken a computer science course and was simply given a thick textbook about how to keep the missiles on course.

“It was trial by fire,” he said of the task, undertaken when he was just 22 years old. But when a senior staffer started giving him problems to solve during their lunch breaks, Kemmerer began understanding computers. That led to a job for UCLA, where he was part of a transportation research team that — with the help of an often-faulty $30,000 computer that did what a $500 laptop can do today — tracked whether weaving through traffic gets drivers ahead (it doesn’t) and how well drunk and stoned drivers fared (not very).

Then came marriage, a year of globe-trotting, and more grad school at UCLA, where he took his first computer science course. “When you see a cartoon and the lightbulb flashes,” he recalled, “that’s how I was in the class.” He went on to take a computer security class — one of maybe five such courses offered anywhere at that time — and worked on a project to create a perfectly secure system for the Department of Defense. “Nobody’s done the equal of that,” said Kemmerer, who also was one of the few users of the original Internet at a time when “you knew everybody on it by their first name.”

In 1979, just months after several UCSB professors started a computer science department, Kemmerer was the first official hire, making him one of fewer than 10 professors worldwide at that point who had a specialty in computer security. Today, said the fit but graying Kemmerer, “I am the last survivor of the original computer science people.”

He began teaching a computer security class for grad students in 1983 (the undergrad class wouldn’t start for another 20 years) and, as computers entered the consumer world, he and his students began finding flaws under the banner of the Reliable Software Group (which was renamed the Computer Security Group in 2007). Among other early landmarks were discovering problems with Sun Microsystems software, finding spyware potential in Netscape’s early Web browser, and investigating a Latin American bank and revealing massive security holes. Kemmerer also cofounded the first-ever cryptology conference in 1981; this year, the conference — which brings in experts from all over the world to discuss their research about encrypting everything from everyday emails to classified documents — marked its 30th year.

But one of Kemmerer’s smartest moves must have been hiring Vigna in 1997. As a Sicilian boy raised in Milan, Vigna and his older brother would go to a small electronics shop in the middle of town that had the first personal computers for sale. “They would allow us to go in the morning and code while standing in front of the display so that parents would come, see kids using computers, and get excited,” recalled Vigna, who would program simple games like tic-tac-toe. “We were pretty much part of their demo setup.”

After his dad purchased the family’s first computer, Vigna began wondering about all the aspects of programming, but found it nearly impossible to track down any related texts in Italy. Then he found a book in the library called MS Dos Internals. “That book had all the answers to all the questions that I always had,” he said. “It was an amazing moment when I found that book. I still have it.” He became fascinated by computer viruses — which were transmitted by floppy disks at the time — but with no real academic track for security issues in Italy, he pursued a degree in electronic engineering. An advisor pointed Vigna in Kemmerer’s direction, and the two met during a conference near Harvard and went out to a bar to chat. “I was really trying hard to look smart so he would hire me, but the beer was piling up,” laughed Vigna, who was offered a five-month stint at UCSB. He never left.

As a kid in Vienna, Kruegel was drawn to computers due to his inner engineer. “Like all engineers, you like to tinker with stuff and figure out what’s going on under the hood,” he said, but programming was especially alluring. “You make stuff work by creating something.” Kruegel first came to UCSB in 2000, but returned to Austria sporadically before finally signing on in 2008. As with Kemmerer and Vigna, he seems pretty satisfied with his choice of academics over the more lucrative private sector.

“I always liked this idea that you can do whatever you want,” Kruegel said of academia. “You don’t have a boss, and you can always work on new stuff, get exposed to new things.” And it’s clear that he’s picked a topic with plenty of growth potential. “Many research funding agencies have identified security as one of the big problems,” said Kruegel. “Everyone has understood that security is very important and that, currently, it’s very bad.”

… And They’re Good-Looking

On a recent Tuesday, I wandered down to 1401 Phelps Hall, where the dapperly dressed Vigna was teaching his Advanced Topics in Computer Security class to grad students. After reeling off a series of coding scenarios from the projected screen — something unintelligible to untrained ears about using your stack pointers, finding your call instructions, pushing out ESPs, popping in EBPs, and dropping local variables into the EAX — Vigna turned to the class and asked, “Is that absolutely clear?” Most of the students — none of whom seemed to be taking notes — nodded accordingly, and some even found a flaw in the example that Vigna never noticed. These are the next generation of hackers, who have traded the swords and pistols of yesteryear’s soldiers for weapons expressed on computer monitors as lines of code, an arsenal where ampersands, dashes, and dollar signs serve as the bullets, bombs, and torpedoes of the cyber realm.

If you visit the class, you’ll probably notice two things very quickly: One, it’s mostly men, and, two, there are more foreign accents — from Eastern European to Indian — than American ones. Vigna said there’s a constant struggle for computer science programs to attract more women, who often excel in high school but choose career paths considered more social. “But look at my guys!” argued Vigna, who admitted to being “super nerdy” as a kid. “They’re good-looking guys, and they don’t just do computer science: They surf; they climb; they do anything an active, interesting person would. That’s one of the things that is eventually going to change: It’s slow-moving, but we’re going to convince a whole generation that computer science is actually cool.”

As to the foreign factor, Vigna said that about 30 percent of the security-interested students are American. Every year, they only let in about 20 students out of 450 applicants. “We choose as carefully as we can and try to maintain a good balance,” said Vigna. But given the risks of teaching young students how to be expert hackers — and the xenophobic, terror-addled mindset of the mainstream American — the makeup of the class is prone to make some wonder whether UCSB might be training potential enemies of the state or just plain criminals. Teaching people to be good guys, after all, mainly requires revealing what it takes to be bad, and the bulk of cyber criminals seem to be coming from places like China, Nigeria, and Eastern Europe, where educated people live in poor or corrupt societies. “That’s sort of the ideal,” said Kruegel, “all this talent and an easy way to make money, and they don’t have a lot of options to make money elsewhere.”

So Vigna includes a strong ethics component in his curriculum and gives the constant reminder that the bad guys ultimately get caught and go to jail. During the class I sat in on, for instance, he revealed a new hacking tool available for Firefox that lets users take over accounts of anyone using Gmail or Facebook on their network, but then warned in a serious tone, “If you run this, you are committing a felony.”

Beyond that, Vigna is quick to point out that everything he teaches is available on the Internet anyway. “What we do is we train good people in an ethical way,” said Vigna. “You have to have a basic trust and confidence that you can show these people how to use these skills in the right way.” Kruegel put it more bluntly. “If someone is determined to do bad stuff, I don’t think that we can do much to stop them,” he said. “But the net balance is positive.”

Seventeen Locks

So why not just build computer systems that are 100-percent secure? Because it’s impossible. This is largely related to the balance between security and ease. Theoretically, everyone could use exceedingly long and complicated passwords on computers that offered very few features (since every application offers a new way for hackers to enter your system). “Think about 17 locks on your car,” said Vigna one evening at Santa Barbara Brewing Company, the first place I met all three of UCSB’s hackerazzi together. “Would you buy a car like that?”

There’s also what they refer to as “the grandma problem” — most users aren’t too proficient in the art of hacking detection or can’t even determine which Nigerian-in-need emails or your-computer-is-infected pop-up ads should be believed (answer: none). “We need to find metaphors so people can understand computer security as well as they understand physical security,” said Vigna, who likens hackers’ attempts to get your digital information to thieves who randomly twist doorknobs to see which one’s unlocked. “If you make one little mistake, you’re completely opening your door to the entire world. Everyone in the world can twist your doorknob.”

Plus, no one can predict next year’s method for twisting that doorknob. “You can’t ever be 100-percent secure,” said Kemmerer, “because you don’t know what the threats are.” The prime example, said Kruegel, is the explosion of Facebook, which is increasingly tapped by hackers. “Who could have foreseen that suddenly there’d be a social network with 500-million users?” he asked. “Five years ago, that was unthinkable. That’s why it’s so hard to predict.”

Meanwhile, the bad guys are evolving to be more clandestine. The days when you could tell your computer was compromised because it acted sluggish are fading, as new malware — the shortened term for “malicious software” that infects your computer to do its evil bidding — comes attached to data (like PDFs) you think are trouble-free, knows how to hide when you turn on your computer, and sometimes even protects you against competing bad guys, a parasite fighting off other parasites. And the attacks are more personalized, such as when your friend’s account sends you an email or a link via Facebook with a personal note to “Check out this site!” (Don’t.) And there’ll be more to come, too, because starting your hacking career is easier than ever. Not only are the required weapons for sale on the Web, but you can even rent a botnet, a network of compromised computers controlled by a “botmaster” that you can use to blast your spam all over the globe.

Earlier this year, the Computer Security Group made international headlines by taking over one such botnet named Torpig and watching it from the bad guys’ perspective for 10 days. In that time, they accumulated 60 gigabytes of personal data, including 900 credit card numbers (complete with the secret codes on the back) and more than 400 bank accounts, which cost banks nearly $4,000 per hacked account on average. They turned their evidence over to the FBI, which accepted it with open arms and put the group in touch with the affected banks.

Even though his earliest work was paid for by the government, Kemmerer is surprised at how accommodating and open the FBI — as well as the Department of Homeland Security and an obscure but effective law enforcement wing of NASA called Computer Crimes Division — has been with his group. But it makes sense. “They need all the help they can get,” he explained. “These guys are trying to prosecute people, and for that, they need the evidence. People like us can collect the evidence for them — even better if we can analyze and come up with insights they didn’t get. It’s a freebie for them. I think they’re overwhelmed. There is so much cyber crime out there.”

There’s never been a better time, then, to launch the Center for Cybersecurity at UCSB, which is coming in 2011 but is already at work investigating the Internet’s underground economy, looking into topics like how much it costs to rent a botnet such as Torpig. The center is also already offering malware analysis tools, or as Vigna explained, “Every time you think a Web page is trying to screw you, you can send it to us, and we’ll tell you.” Vigna and Kruegel have also partnered to form Last Line Inc., a company that will give them a commercial outlet to turn their research into available goods. “It’s our attempt to put the research we do into practice,” said Kruegel. “If you want to have an infrastructure to make the research available to users, then you’d better have a commercial framework where you can pay support people who maintain the system rather than just develop new things.”

As it stands, all three admit that the bad guys probably have the upper hand right now, which is evidenced in the ongoing WikiLeaks cyber war. But all three are also optimistic about the future. “It’s not going to be totally secure, but there are enough of us good guys that I’m sure the bad guys aren’t going to win,” promised Kemmerer. “But the bad guys are always going to be there.”