kirill_makarov - Fotolia

Dutch IT expert takes an ethical hacking sabbatical

Ethical hacker discovered nearly 1,000 vulnerabilities after taking a year off from his job in the Netherlands government to set up a hack group

This article can also be found in the Premium Editorial Download: CW Benelux: CW Benelux: Dutch IT expert on a mission to expose vulnerabilities

What kind of person takes a sabbatical to do more work instead of less? Who chooses not just more work, but possibly thankless work and an uphill battle? A man with a mission – that’s who.

Dutch ethical hacker Victor Gevers took full-time leave from his IT job last year and used the time to hunt for vulnerabilities – anywhere, any time, anyhow. His mission was not just to hack around, but to find vulnerabilities, report them responsibly and then, hopefully, get them fixed by the vulnerable parties involved.

So, not a hacker in the cyber criminal sense, and not a hacker in the sense of shaking digital trees to see what falls out. No, this hacker is a concerned digital citizen. Gevers – better known by his online handle 0xDUDE – wants to make the internet and therefore the modern world a safer place. Seriously.

Gevers’ endeavour echoes a similar effort by a Netherlands IT news website six years ago. Webwereld, a Dutch-only publication of IT content publisher IDG, declared October 2011 to be “Lektober”, which translates into English as “Leaktober”, a self-explanatory title for the hack campaign. Dutch security expert Brenno de Winter was the public face of a month-long daily publication of information leaks via IT vulnerabilities.

Previously, De Winter had become known for exposing fundamental flaws in the Netherlands’ chip card for public transport. The security of the so-called OV-chipkaart was initially faulty, despite denials by card issuer Trans Link Systems. This led to the loss of public trust in the chip card, parliamentary questions, and eventually measures to improve the security of the payment card. All this was achieved after much controversy, interwoven with successful (and easy) hacks, and threats of lawsuits.

October 2011 saw the start of an intensive campaign in which volunteer hackers reported vulnerabilities. They did so through an intermediary, who informed Webwereld of the technical details. Then the editorial staff at the Dutch IT news website would inform the data-leaking organisations and urge them to fix the vulnerabilities, so that the cases could be publicised after they had been fixed.

The overall goal was to make people, companies, organisations and government bodies aware of vulnerabilities – both their own and those of others. Since that campaign, some progress has been made. The reporting of vulnerabilities via an intermediary – and employing journalists to inform vulnerable organisations – was necessary because the Netherlands had a lack of procedures for responsible disclosure. Nowadays, the country has official guidelines for, and practical experience with, responsible reporting of vulnerabilities.

Read more about ethical hackers

  • Even as blackhat hackers remain on the prowl, ethical hackers save the day. Here are some pointers on how you can build your ethical hacker career.
  • UK intelligence agency GCHQ has launched an online code cracking challenge to attract the next generation of web-savvy spies, targeting mainly self-taught ethical hackers.
  • The Certified Ethical Hacker certification gained popularity recently. Expert Joseph Granneman explains the CEH and why it is relevant again.

But this does not mean that the world, or the Netherlands, has secure IT. The base level of security might have improved, but dependence on IT has grown significantly since then. Opportunities to gain by abuse and misuse of IT have also grown – so have the risks.

Senior security specialist Gevers is keenly aware of this. Besides being an innovation manager in the Netherlands government, he is also an ethical hacker who had reported 4,000 vulnerabilities in 16 years. But then he decided that ethical hacking needs more time and attention – at least a year of full-time attention, in fact.

So, together with colleague Vincent Toms, he created the non-profit GDI Foundation to actively work towards a safer internet for everyone, everywhere. “To protect you, me and our kids. And prevent any misuse of information,” states the organisation’s FAQ. And in contrast to many well-meaning initiatives, lobby organisations and IT efforts, the GDI Foundation set out to do some actual hacking.

Well, not actually performing digital break-ins and stealing data, because that would be illegal. Its mission was to scan for “hackability”, map out vulnerabilities and advice affected organisations on how to fix them.

Project 366

The foundation relies on contributions from donations, sponsorships and participating members. This enabled Gevers to take a year off work to focus solely on finding and reporting vulnerabilities, and 1 January 2016 marked the start of Project 366 – named after the number of days in leap year 2016.

Somewhat similar to 2011’s Leaktober, this year-long security campaign targeted low-hanging fruit, like cyber criminals do. These vulnerabilities are easy to reach and yield relatively big rewards for malicious hackers – simple security problems that can cause a lot of trouble and damage.

The range of targets for Gevers’ hack sabbatical was broad, ranging from FTP servers, NAS devices and MongoDB databases with unintentional wide open access, to vulnerable computers connected to critical infrastructure, as well as data-leaking consumer electronics.

In the first month alone, Gevers found and reported no fewer than 170 vulnerabilities, and the total for the year-long hack sabbatical was 960 vulnerabilities. In amongst all this hard work, Gevers received the Digital Impact Award from Dutch IT trade organisation Nederland ICT and the ECP (Platform for the Information Society).

His year-long hack effort to secure the digital world concluded on 31 December, 2016. But, just as with 2011’s Leaktober, the world has not yet been secured. Certainly, the hard work of Gevers and Toms has made many systems more secure, but the march of IT goes on, and dependency continues to grow. There is still much insecurity.

No end in sight

Fortunately, Gevers has not ended his mission. He has not only become a sought-after public speaker who shares insights about IT security, but the ethical hacker and the GDI Foundation continue their good work and have uncovered many more vulnerabilities this year, such as open access to MongoDB databases. That popular example of a so-called NoSQL database has been ransacked and ransomed in multiple waves of attack, hitting tens of thousands of installations.

Another example of the need for continuing vigilance over vulnerabilities was the discovery and reporting of open Jenkins servers. That open source automation software serves continuous delivery and DevOps, but can be wrongly configured and then hacked. Gevers found open Jenkins installations at hospitals in the Netherlands this summer, with real medical data seemingly accessible.

Just two days later, Gevers discovered wide-open Telnet access to gain administrator rights on almost 3,000 Chinese bitcoin mining machines. And this September, an international outreach was undertaken to inform internet service providers in dozens of countries that the Arris broadband devices they had supplied to their customers were vulnerable.

The list goes on and on, and the work to secure the internet goes on and on. Gevers’ year-long hack sabbatical was impressive in its own right – but it was just the start.

Read more on Information technology (IT) in Benelux