Students in Singapore won big when they took on the role of “student hackers,” hacking into their own university after finding weak points in network security.
The students attend the National University of Singapore, which used a “bug bounty challenge” to motivate students to hone their hacking skills as part of a larger approach to securing its infrastructure and bridging the cybersecurity skills gap by building students’ practical cybersecurity skills.
A bug bounty challenge incentivizes ethical hackers to look for software vulnerabilities in exchange for a monetary reward or “bounties” in return for the disclosed vulnerabilities or “bugs.”
Related content: New trend sees evolution of higher-ed hackathon
The bug bounty challenge was sponsored by HackerOne. Prior to the challenge launch, students were equipped with comprehensive training from HackerOne’s dedicated web security training platform, Hacker101. Hacker101 offers webinars, lectures and online training exercises. This is the second time HackerOne has partnered with a university to empower students to secure their school. In 2017, the University of Berkeley in the U.S. enrolled in an experimental “cyberwar” course, powered by HackerOne. HackerOne continues to invest in the next generation of hackers, partnering with community groups and educators to ensure the internet of the future is a safer place.
During the NUS’ three-week hacking challenge in August 2019, more than 200 students participated, hunting for security vulnerabilities in NUS’ digital infrastructure. Bounties ranged from $100 for lower-severity vulnerabilities to $1,500 for critical ones. Overall, 13 valid vulnerabilities were safely reported by students, with $4,550 awarded in total. Participating students were also eligible to earn extra academic credits for select course modules on the completion of the training sessions.
Prior to the launch of the bug bounty challenge, students were equipped with training from HackerOne’s web security training platform, Hacker101.
“By allowing our students to hack our own applications, we are breaking conventional and conservative notions, and offering students the unique experience of hacking on production systems,” says Tommy Hor, chief information technology officer at NUS. “It is not possible to be ‘100 percent safe’ in cybersecurity. Therefore, we adopt a proactive and predictive approach to cybersecurity and the bug bounty challenge is a great example of this. In this case, participating students are given the opportunity to search for vulnerabilities in the systems and applications they are already familiar with because of regular usage. This complements the regular vulnerability scanning and penetration testing performed by our staff. Collectively, these efforts help us to identify and remediate security vulnerabilities before they can be exploited by malicious threat actors.”
“The bug bounty program provides a great opportunity for us to put our technical skills to the test to find bugs in high-value web applications,” said Ngo Wei Ling, a Year 2 undergraduate from NUS School of Computing who participated and won a bounty.
Another winner, Ahn Tae Gyu, a Year 3 undergraduate from NUS School of Computing, adds, “We carried out reconnaissance and active enumeration, which enabled us to uncover vulnerable systems and web pages, in which we were able to discover hidden security bugs. This process provided us with the understanding of how web servers in production mode are configured and it is commendable that NUS is aiming to resolve security bugs before malicious attackers are able to exploit them by fostering responsible disclosure.”
Competitions for student hackers are becoming more commonplace as institutions, companies, and educators strive to give students all the skills they’ll need to tackle cybersecurity.
The National Cyber League (NCL) is a biannual cybersecurity competition for high school and college students. The competition consists of a series of challenges that allows students to demonstrate their ability to identify hackers from forensic data, break into vulnerable websites, recover from ransomware attacks, and more. Students compete in the NCL to build their skills, obtain scouting reports of their performance for hiring purposes, and to represent their school.
The Cyberlympics is a competition aimed at a broad scope of IT security professionals. It enforces the idea of teamwork by providing challenges that span nearly all areas of IT security, such as pen testing, forensics, malware, log analysis, system exploitation, and physical security. Cyberlympics is not solely focused on offense or defense but rather, it’s an all-encompassing approach allowing teams to compete with whatever cybersecurity strengths they bring to the competition.
The CSAW games, founded in 2003 as a small contest by and for NYU Tandon students, have grown to become a comprehensive set of challenges by and for students around the globe. NYU students continue to design the contests under the mentorship of information security professionals and faculty. NYU Tandon’s student-led Offensive Security, Incident Response and Internet Security (OSIRIS) laboratory, home to weekly student-led Hack Night training and student research, leads the Red Team and CTF challenges.
The U.S. Cyber Challenge (USCC) aims to significantly reduce the shortage in today’s cyber workforce by serving as the premier program to identify, attract, recruit and place the next generation of cybersecurity professionals. USCC’s goal is to find 10,000 of America’s best and brightest to fill the ranks of cybersecurity professionals where their skills can be of the greatest value to the nation. USCC works with the cybersecurity community to bring accessible, compelling programs that motivate students and professionals to pursue education, development, and career opportunities in cybersecurity.
- First-generation students are more likely to seriously consider leaving college - April 17, 2024
- How higher ed can meet workforce needs - April 15, 2024
- Higher ed leaders believe continuing education units are undervalued - April 10, 2024