Nicholas Carlini enjoys hacking into UC Berkeley’s cybersystems.
The UC Berkeley graduate student in computer security devotes one week of every month to this task — hunched over his Macbook Pro, scanning for holes or bugs in the system.
But Carlini is not a lawbreaker. He hacks the system from a high-tech cubicle on UC Berkeley’s campus, prowling for “loopholes in the law,” as he describes it. Specifically, he looks for weaknesses in campus systems such as CalMail — UC Berkeley’s email platform — that hackers could exploit.
“It’s just an exercise of trying to think of all the perverse ways you can do something that someone hasn’t thought of yet,” Carlini said.
Carlini works as a penetration tester for UC Berkeley’s Information Security and Policy Office, which is undergoing a three-year overhaul to strengthen UC Berkeley’s online security. The overhaul, which began in July, is a response to the rise of cybercriminal syndicates and state-sponsored cyber warfare teams over the last decade, said Interim Chief Information Security Officer Paul Rivers.
The campus’ overhaul aims to establish new policy that defines the roles of various people on campus in keeping information secure — from students to department heads — and develops distinct levels of security to ensure that the most important data is also the most protected. Additionally, security experts will implement new hardware, hire new staff and increase their efforts to scan and update campus systems.
“We really are taking a long-term view on this,” Rivers said. “I don’t see us ever backing off.”
A popular destination
UC Berkeley is a “destination resort” for the worldwide hacker community, said Larry Conrad, the campus’s chief information officer and associate vice chancellor for information technology.
“They know we have a lot of smart, creative people here to try to exploit,” he said.
Although the campus faces a variety threats from hackers, the biggest dangers are those to campus data, according to a report from the security office. In the past, hackers might attempt to attack UC Berkeley infrastructure, such as computers or Web servers, but today, the attacks focus largely on research data and personal information, the report states.
This is representative of a larger trend in hacking over the last decade, according to associate professor Vern Paxson in the department of electrical engineering and computer sciences.
“Attackers shifted away from attacks that were essentially joyriding, vandalism, etcetera, and became profit-oriented,” Paxson said. “When money’s on the line, the attackers are a lot more motivated to do a good job.”
UC Berkeley unwittingly became involved in a bank scam in September 2012 when a group of hackers took over a CalNet account and used it to set up a fake banking website on the UC Berkeley network. They also hacked into and used about 20 other university networks, Rivers said. The hackers then sent out an official-looking message telling people to enter bank account information on the site. A number of people fell victim to the scam.
Rivers added that the campus sees about five times as many email scams today as it did just five years ago.
Additionally, the security office identifies about 2,000 hacking attempts monthly, according to the security office report. About 200 of those attempts are severe enough that the office either tracks or stops them.
“One thing about cybercrime: You shouldn’t really have a picture of ‘it’s the new mafia’ or ‘it’s the new drug lords,’ ” Paxson said. “It’s not that thoroughly organized, hierarchical or just plain big. There’s certainly some millionaires coming out of it, but it’s just a few. And no billionaires.”
Carlini and others in the security office work to shield the campus from hacking. But they say they are at a disadvantage.
Hackers need to find only one weakness in the programming to gain access to a system, Carlini said.
“They can have 20 people spend a month, two months looking for it,” Carlini said. “And eventually, they are going to find it.”
UC Berkeley is not alone in attempting to strengthen itself against hackers. Large information thefts are relatively common at universities and in the private sector, Carlini said.
An attack against the University of Delaware in July succeeded in stealing the confidential information of more than 74,000 people, including names, addresses and social security numbers.
On Oct. 3, the computer company Adobe revealed hackers had potentially stolen the data of 2.9 million customers.
Carlini said there is “basically nothing you can do” when facing attacks such as these, in which expert, organized hackers target vast swaths of data.
“You can’t say we’re going to prevent us from being broken into by the most motivated attacker,” Carlini said. “But what you can say is a kid on his mom’s computer can’t take all the health information from all the students in Berkeley and publish it online. And that’s mostly what you worry about.”