At this institute in the Netherlands they are cultivating talented ethical hackers: ‘Someone once asked me to commit credit card fraud together’

All the web addresses of primary schools in The Hague appear on a computer screen about one and a half meters wide. A trainee hacker behind the screen, using ChatGPT, writes a computer program that can pinpoint which of the schools’ websites are using outdated encryption. “Exactly what cybercriminals are looking for,” he says. “If a school does not update this encryption, malicious hackers could lock down the entire site.” Such a digital hostage situation recently happened to the KNVB – in order to regain access to its membership database, the football association reportedly paid more than a million euros in ransom to cyber criminals.

From a government building in The Hague, a few floors away from the Nuclear Safety and Radiation Protection Authority, interns from the Dutch Institute for Vulnerability Disclosure (DIVD) search for vulnerabilities on the internet. The goal is to find these holes before cybercriminals do. The DIVD is a research institute and training school for ‘ethical hackers’ in one. They carry out attacks over the internet as cybercriminals do, but in order to protect. “You can also build with a hammer,” says DIVD co-founder and former Member of Parliament Astrid Oosenbrug (PvdA). It is the unofficial motto of ethical hackers.

About the author

Frank Rensen is a science journalist and writes about technology for de Volkskrant. He studied astronomy in Leiden.

The supervisor of DIVD trainees is co-founder Victor Gevers, who hacked Donald Trump’s Twitter account in 2016 and 2020. With some clever tricks and guessing the passwords ‘yourefired’ and ‘maga2020’ (from Trump’s slogan, make America great again) Gevers managed to log in. “If cybercriminals had done this, they could have done who knows what kind of damage. Trump’s tweets could lead to, say, the storming of the Capitol,” Gevers said. It may not seem like it at first glance, but with his hack Gevers protected Trump’s account. Because he alerted the presidential staff to the breach and did not abuse it, they were able to better secure the account, this time with two-step verification.

Gevers’ hack of Trump’s Twitter account is a standard example of ethical hacking: “When I was logged into Trump’s Twitter account, I didn’t post a message or even look at his personal messages, no matter how tempting that was.” The goal is to expose a cybersecurity flaw, nothing more. But this sometimes goes wrong: for example, then 50Plus party leader Henk Krol was fined after he downloaded entire patient files from a Brabant research center to demonstrate that medical files were insufficiently secured. ‘You have to learn ethical hacking: what are you allowed to do as an ethical hacker and what are you not allowed to do? And how do you control yourself when you have entered somewhere you are not supposed to be?’, says Gevers. ‘That is central to the DIVD training programme’.

Scouted by cybercriminals

Studies have shown for years that cybersecurity is not sufficiently on the Dutch agenda, compared to countries such as Germany or Sweden. Moreover, there has been a shortage of IT professionals on the Dutch labor market for years: the demand for security specialists, for example, has increased by 167 percent between 2017 and 2022. Relatively small companies in particular hardly invest in research into their own cybersecurity. When a budget is available for new digital protection, it is not consistently tested for vulnerabilities that malicious hackers have known about, possibly for months. That’s where ethical hackers can help.

But anyone who hacks enters a moral gray area. For example, it turned out last year that a DIVD volunteer was committing data theft in the evenings. The Dutch education system therefore only rarely ventures into ethical hacking. That doesn’t really matter to the young computer hackers: most of them are self-taught and can easily figure out how to hijack a webcam, for example. ‘But no one teaches them the rules,’ says Oosenbrug. ‘And there is a risk that impressionable, curious young people are scouted by cyber criminals before companies or training courses teach them about hacker ethics.’

And it is more than just a risk: the number of young hackers who come into contact with the police has been increasing for some time, the Public Prosecution Service has noted. That is why the Police and the Public Prosecution Service set up Hack_Right, an intervention carried out by the Halt Foundation, the Dutch Probation Service and the Child Protection Council. Hack_Right places young people who are guilty of cybercrime for the first time with companies where they can use their talents for ‘the right thing’.

“Nowadays, young hackers can cause so much damage that their attacks sometimes resemble those of state actors,” says Floor Jansen, team leader of the High Tech Crime Team of the Dutch police and founder of Hack_Right. When a major internet provider suddenly shut down completely a few years ago, it turned out to be a young Dutch hacker behind it, who only wanted to download free films. ‘That is the classic profile of a young cybercriminal: a lot of knowledge, with not even the worst motives. Hack_Right was founded to get them on the right path.’

Obsession

For example, Hack_Right once placed a young hacker at IT service provider CGI. The 16-year-old had hacked into his school’s administration to exempt himself from classes. As punishment, Bureau Halt decided to put him to work for Ad Buckens, cybersecurity expert at CGI: ‘We had him rewrite the Coordinated Vulnerability Disclosure guideline of the National Cyber Security Center, so that young people can understand and consult it,’ says Buckens. According to Jansen, the young hacker found a sparring partner in Buckens, with whom he was able to share his obsession with cybersecurity for the first time. Buckens: ‘When we contacted him again later, he was a successful software developer.’

Although ethical hacking is hardly on the Dutch curriculum, the niche is growing steadily: for example, the DIVD Academy, the training branch of the DIVD, had around four thousand registrations in 2023 – a doubling compared to the previous year. This success is largely due to the informal nature of DIVD Academy: it is a training school by and for hackers, where thinking differently is welcomed instead of punished. Oosenbrug: ‘One of our interns had to write an essay about artificial intelligence (AI) at his college. He did this with the help of AI, to show what artificial intelligence can and cannot do. His grade: a failing grade. I think it’s scandalous – this is exactly the kind of thinking we reward.’

Hack game

Another form of extracurricular hacker education is HackShield, an educational game for children. It has around 200,000 players in the Netherlands, who act as heroic cyber agents to protect friends and family against cyber attacks. Players learn about the internet, privacy and cybersecurity by solving puzzles.

An image from HackShield. Image: HackShield

“The world is changing faster than education can handle, especially in terms of digitalization,” says Tim Murck, co-founder of HackShield. ‘In my opinion, it is more important to help children think about technology, privacy and reliable information online than about German grammar – they will use translation software for that in a few years’ time. It’s as if we’re preparing children for our own lives from ten years ago.’

Murck puts players with a high score in touch with the DIVD or IT companies for internships. “We also organize live events, where our cyber agents are thanked by the police and a mayor for their services in HackShield,” says Murck. ‘It is a play that they take very seriously: the police swear in children as ‘real’ cyber agents. You really see an identity developing in those kids. I’ve seen children confidently explain to packed halls how parents in the audience can install two-step verification.’

Coen Zandstra (19) in his room. Image: Daniel Rosenthal / de Volkskrant

Coen Zandstra (19):
‘I was once approached by someone to commit credit card fraud together, but I said no’

‘I study ICT at The Hague University of Applied Sciences. I am also a volunteer at the Dutch Institute for Vulnerability Disclosure (DIVD) and I want to do investigative work for the police as a volunteer. It’s really my thing. I see hacking not only as hacking systems, but also as being curious about circumventing the rules for your own gain: for example, in group 3 I put my homework book on the pile of marked booklets, with my own grade in it. That’s hacking too, just not digitally.

‘I was recently sitting in the waiting room at the orthopedist’s office and looked at which devices were connected to the guest WiFi. There I saw that all kinds of dental equipment was connected to this network. I could see right through their security cameras. I told them that. That shocked them, but they thought it was good to know.

‘I have never broken the law myself. It is attractive because there is good money to be made from it. I have been approached by someone about committing credit card fraud together, but I said no. What I like about the DIVD programs is that you get to know all kinds of other hackers with whom you share a passion. Together you discover what good you can do.’

Malaika Mughal Uribe (11). Image: Daniel Rosenthal / de Volkskrant

Malaika Mughal Uribe (11)
‘The HackShield game changed my life, I now know almost everything about hacking’

‘I started playing HackShield when I was 8. It was Covid then and the police were looking for junior cyber officers. I decided to help by downloading HackShield and playing all the levels. I played it on the iPad, all the time: in bed, in the kitchen, in the bathroom. I didn’t even know I was number one in the Netherlands until I was sworn in by the police as the best cyber agent in the Netherlands and Belgium. That felt great, I was proud of myself. HackShield changed my life, I now know almost everything about hacking.

‘I have been children’s mayor of Alkmaar since September. My motto is: ‘Fighting together for a cyber-safe and bullying-free world.’ I used to be bullied because I have glasses, so I think it’s important to talk about it. As children’s mayor, I will go to schools with the police to talk about bullying and cybercrime. I think that is important, to protect people, for example against identity fraud or phishing. They must be more alert not to be misled. Some children still open links on their phones with advertisements for a free bicycle, where they then fill in personal information. Then the hacker thinks: ‘Ha, someone else fell into my trap!’

Tim van der Sluiszen (19) in his room. Image: Daniel Rosenthal / de Volkskrant

Tim van der Sluiszen (19)
‘You put yourself in the shoes of an attacker, which is quite exciting.’

‘I am doing an MBO game development course and doing an internship at DIVD Academy. The typical image of hackers is that of dark figures in hoods typing super fast, with all kinds of strange pop-ups on their screen. That’s not true at all: hacking takes time. You keep looking at how a system, for example a website, responds to a specific command, in the hope that it reveals too much information.

‘You can navigate on a website by clicking on links, the site will then refer you to another page. The names of those pages, so-called URLs, are also at the top of the search bar. If you play around with those URLs, the website sometimes accidentally directs you to a hidden page containing all kinds of secret information. I only do this with the permission of the website owner. Hacking gives me a kind of Robin Hood feeling: it’s not really allowed, but you do it for the good. You put yourself in the shoes of an attacker, which is quite exciting.’
