It would be alarmingly easy for a hacker to steal your private information starting simply with your Instagram selfies and connecting them to your online shopping.
That’s what Nithin Gangadharan, a master’s student of computer science at Northeastern, was trying to do on a recent Wednesday in a programming lab. So to speak: It was all part of a hacking competition for students attending universities in Boston.
Gangadharan, who won third place that day, was part of the group of Northeastern students who dominated the competition by taking the top five spots.
As he stared at his computer for hours, trying to hack a mock online skateboard store, Gangadharan poked holes in the website to log into the back end without a password. Could he inject code to make a purchase without a credit card?
More than 100 students with different backgrounds were sitting in the same lab, tampering with the website to buy skateboards at substantially reduced prices, break into private databases, and conduct other clever tricks to exploit it.
It was the first time Gangadharan had attacked a vulnerable website. Because his background is not in cybersecurity, he said the competition made him more skeptical about functions in that website—and websites in general—that seem normal but that can be security concerns.
“Like that clicking a link in a comment chat box can lead you to misleading websites [that could extract your private information],” Gangadharan said. “I did not realize that that was a kind of security vulnerability, because people just do that anyways.”
Called the Cybersecurity Beanpot Challenge, the competition was organized by Security Innovation, a company based in Wilmington, Massachusetts, that provides cybersecurity consulting to multinational corporations. Suffolk University, in Boston, hosted the first installment of the competition in 2018, when students hacked a make-believe banking website.
Matthew Kline, a third-year cybersecurity major at Northeastern who participated in both competitions, said the three-hour challenge gets real during the last 30 minutes. That’s when the event organizers kill the screen that shows everyone’s scores. Kline placed fifth this year, and remembers typing “furiously” into his keyboard to try and stay ahead of others.
“Programming and attacking can be frustrating in itself, but being timed and competing against other people adds another layer of tension,” Kline said, adding that the pressure pushes hackers to be as creative as possible. “Either you know there’s a vulnerability but you just can’t manage to exploit it, or you’ve exhausted a lot of your ideas, and you’re not sure where to go next.”
The mock website, part of a virtual environment used for cybersecurity training, awards points to hackers according to the vulnerabilities they spot. Finding the administrative login portal to the site is easy, and it scores fewer points. But logging into another user’s account without the password? That can move hackers high on the scoreboard.
That was the case for Kyle Sferrazza, a third-year cybersecurity major at Northeastern who was also participating in the competition for the second time. In 2018, Sferrazza fell several spots after the scoreboard shut off. This year, he won first place—and the $5,000 scholarship that came with it.
“I had like 25 or 30 percent more points than the second person,” he said. “I was kind of worried that they would find something big while the scoreboard was off.”
Although he didn’t know it at the time, the person Sferrazza was watching out for was Anand Hegde, a master’s student of computer science at Northeastern. Hegde won second place, and said that the competition served as an exercise for him to figure out solutions on the go. That meant googling hacks, watching online tutorials, and using cheat sheets from the competition organizers.
Bahruz Jabiyev, a doctoral student of cybersecurity at Northeastern, also was part of the top five. Jabiyev works with machine learning to prevent the spread of fake news as part of his doctoral research, and came to Northeastern in 2017 after working in cybersecurity in Turkey. Jabiyev, who finished fourth, said the Beanpot was the perfect opportunity to test his skills in completely new turf.
“It was my first time in the U.S. that I was doing something like that, and I gained a little bit of confidence,” he said. “Now I think I can compete more frequently in more competitions.”