Richard Roe has an app on his phone that can take down almost any website.
Roe and fellow student Sebastian Florez developed the app last spring for a class on computer and network security at Stetson University.
Computer Science and Math Professor Dan Plante, Ph.D., challenged students to find vulnerabilities in the Internet, and the two students stumbled upon something that grabbed the attention of senior officials at Microsoft, Oracle and a national Internet-security consortium.
Florez graduated in May with a B.S. in Computer Science and now works as a software developer in Houston for i2k Connect, a technology company. Roe has a lucrative job offer to work for Apple waiting for him when he graduates next summer.
Roe said he got the idea for the Android app from a news story.
“I read a story online about a hacker called the Jester who was able to hold down the website of Westboro Baptist Church for six weeks from a cell phone supposedly,” Roe said, referring to the Kansas group known for its antigay stance and for protesting at military funerals. “And I thought that was interesting.”
Roe has been fascinated with Internet security since a hacker interrupted his Minecraft game when he was 14 and growing up in Williston, near Gainesville. Florez became a whiz at developing Android apps, teaching himself how to do it beginning his sophomore year of college.
In less than a week, the two wrote computer code that could disable websites, email servers and more. They exported it to Android, where an app on Roe’s phone displays the “Big Red Button.” He can push the button, type in a website address, hit go and the site crashes.
“We were actually surprised,” said Roe, 20, a senior majoring in computer information systems. “When we initially discovered it, we thought that it wasn’t something that people didn’t know about, because our way of getting to it was so simple and we discovered it so easily.”
Added Florez, 23, “We didn’t really think it was going to go anywhere. We were just doing it for fun. When it became a big thing, it was surprising for us.”
Professor Plante described the computer code and resulting attack as “very destructive and very dangerous.” He felt “kind of nervous” when he first learned about the students’ discovery. “We were concerned about the repercussions of this,” he said.
KEEPING IT QUIET
Their fears were confirmed when they talked to a computer security expert. The expert had once been a notorious hacker and then “crossed over to the good side,” conducting security audits for companies and institutions to see if he could penetrate their computer networks, Plante said.
The security expert told Plante that his students’ discovery was “a really big deal.”
“He thought it was extremely evil,” added Roe. “(He said) once every 12-year-old gets their hands on this, the Internet will really be disrupted.”
“It was that bad,” Plante said.
Plante and his two students kept the discovery a secret through the spring and summer — until they could make contact with top industry leaders and develop a way to disable the attack.
They were put in touch with Microsoft’s Security Response Center. Officials there asked to see the students’ code and eventually modified Microsoft software and changed configuration settings to ward off the attack, Plante said.
Microsoft also shared the code with other technology companies and with the Industry Consortium for Advancement of Security on the Internet, or ICASI, an industry trade group that analyzes and mitigates global security challenges.
Roe recalls one conference call with 30 to 50 top security experts from companies like Microsoft, Oracle and Cisco. They asked Roe and Florez to walk them through the code and how it worked. Then, the companies worked with ICASI to devise a strategy to mitigate the attack.
ICASI posted a blog item on its website late last month about the students and Professor Plante. The headline reads: Stetson University Students Discover Potential TCP Vulnerability and Use ICASI to Mitigate.
The story explains: “In short, Plante’s students spend a semester figuring out how to attack and exploit vulnerabilities in the university’s computer network. The idea being that if you know how to attack, you’ll know how to defend and, just maybe, uncover new and undiscovered security vulnerabilities in the meantime. And that’s just what happened.”
‘THE ETHICS OF HACKING’
Professor Plante has been teaching students to be ethical hackers since 2008.
That’s when he started a computer and network security class at Stetson. Plante wanted it to be hands on and useful, not just focused on theories and textbooks. He approached the head of Stetson’s IT department at the time and asked if the students could conduct a security audit on the university, trying to penetrate and find vulnerabilities in its computer network.
They reported on their findings to top Stetson administrators in a closed-door meeting at the end of the semester, Plante said. And that became the model of his class. Students sign a non-disclosure agreement. They conduct a full audit like a computer security consultant would do. Then, they present their findings to top Stetson administrators at the end of the semester.
“We have to abide by the ethics of hacking,” Professor Plante explained. “If we gain access to a database, that doesn’t mean we’re allowed to go in and look at your salary and your Social Security number. Once you gain access, you stop.”
Last spring, he asked his students to focus on two kinds of computer attacks, and see if they could replicate how they work.
A COMPUTER HANDSHAKE
Roe and Florez paired up in class and set out to understand the principles behind one of the most common attacks on websites, the Slow Loris, a so-called denial-of-service attack because it prevents others from being able to sign onto a website.
Typically, these attacks can use thousands of computers to log onto a website at once, shutting it down because it can’t handle so much traffic. For example, the hacking group Anonymous used thousands of computers to connect to the Bank of America website all at once, making the site crash, Plante said. The computers belonged to Anonymous members and also were “slave machines,” computers that belonged to unsuspecting people and were taken over by the group remotely to do its bidding.
While Anonymous can use thousands of computers to crash a website, Roe and Florez were able to do the same thing with a single smartphone.
“It’s probably the most highly optimized denial of service attack,” Plante said of his students’ discovery. “I’ve never heard of another one that’s more optimized to work with so little resources, and it works against everything. That’s what got Microsoft interested.”
When a computer tries to connect to a website, such as Google, the computer and the website send data back and forth to each other multiple times, kind of like a handshake when two people first meet. The students’ attack targeted this handshake, although they and Professor Plante would not reveal the exact methodology.
The ease with which the two students made the discovery reveals a fundamental flaw in the Internet – it’s intrinsically vulnerable to attacks, Plante said.
Plante worked as a government contractor years ago and used the ARPANET, the precursor of the Internet. The U.S. Defense Department’s Advanced Research Projects Agency Network, or ARPANET, served as the foundation for many of the protocols used by the Internet today, he said. It was used to conduct research around the country. Nobody worried about online security, he said. No one encrypted data to ensure users’ privacy.
“This is how things were established: In a very non-secure way because nobody thought, who’s going to put their energy into trying to find the information in the first place,” Plante said.
“The Internet really wasn’t designed for what we’re using it for,” Roe added.
“That’s right,” Plante said. “It was never designed for this.”
Which means demand will likely remain high for students like Roe and Florez and for classes like Plante’s computer and network security.