Monday, December 16, 2019

Digital forensics major takes on bug bounty hunting

As a 10-year-old playing video games Jeremy Dilliplane had his first experience with the darkness of cyberspace. Battling against online cheating and game-based cyberattacks fostered a passion for cybersecurity.

That passion and now hobby — further sparked by a digital forensics class on small devices last year — led the Bloomsburg University digital forensics major to uncover a data exposure by a well-known networking company. “My discovery was quite shocking,” Dilliplane said. “Not only did I find sensitive information, but my own data was also at risk.”

According to Dilliplane, the foundation of his digital forensics skills on small devices started with Diane Barrett, professor of mathematical and digital sciences and director of BU’s cyber defense education. “I learned how to interface with small devices to see data and acquire a forensic snapshot of the phone,” Dilliplane said. “I also learned key places to look for evidence in Apple iOS and Android OS file systems that hold different kinds of valuable information, such as address books, call logs, web browsing history, application configurations, and several other locations that a typical user wouldn’t see unless they are using forensic tools.”

A special interest immediately developed and Dilliplane started exploring on his own smartphone in his makeshift digital forensics lab at home. “I was able to pull data from my phone, which led me to uncover a networking company’s sensitive information that was exposed to all users who had downloaded this application,” Dilliplane said. “While I was going through the acquired data for all of the applications I installed on my smartphone, and with my hobby being information security, my alarm went off when I recognized private API keys and a private server authentication key.”

Dilliplane said that API keys are generally not considered secure; however, they are mainly distributed only to customers and clients for use. In this instance, he said, the networking company was a client of multiple other companies that provided different types of services, ranging from storing application usage statistics to holding other private information.
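As an added example (not from the article, and not code from any company it mentions), the following Python scanner shows how a development team could check configuration files pulled from their own app's data directory, the same files a forensic acquisition would surface, for embedded third-party API keys or server authentication keys before release; the file contents and key values are constructed.

```python
import json
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed samples standing in for files acquired from an app's data directory
# (an Android SharedPreferences XML and an iOS-style JSON config); not real keys.
SAMPLE_FILES = {
    "shared_prefs/com.example.app_preferences.xml": (
        "<?xml version='1.0' encoding='utf-8'?>\n<map>\n"
        '  <string name="analytics_api_key">AKXX9f3kL2mN8pQr5sT7vW1yZ4bC6dE0</string>\n'
        '  <string name="theme">dark</string>\n'
        '  <int name="launch_count" value="12" />\n</map>'
    ),
    "Library/Preferences/config.json": json.dumps({
        "endpoint": "https://api.example.com/v1",
        "server_auth_key": "srvQ2x8Zm5hN3BvdXk0TWc5bWJk",
        "crash_reporter_id": "c8f2b7e1a94d4e3f8b6a2d1c0e9f7a5b",
        "session_timeout": 30,
    }),
}

SECRET_NAME = re.compile(r"(api[_-]?key|secret|token|auth[_-]?key|password)", re.I)
TOKEN_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{24,}$")  # long, no URL punctuation
ENTROPY_THRESHOLD = 3.5  # bits per character; hex/base64 secrets sit above this

def shannon_entropy(value):
    """Bits of entropy per character of the string."""
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def extract_pairs(path, text):
    """Yield (name, value) pairs from a SharedPreferences XML or a flat JSON file."""
    if path.endswith(".xml"):
        for el in ET.fromstring(text):
            yield el.get("name") or "", el.text if el.text is not None else el.get("value", "")
    elif path.endswith(".json"):
        for name, value in json.loads(text).items():
            yield name, str(value)

def scan_files(files):
    """Return [(path, name, reason)] for values that look like embedded credentials."""
    findings = []
    for path, text in files.items():
        for name, value in extract_pairs(path, text):
            if SECRET_NAME.search(name):
                findings.append((path, name, "credential-like key name"))
            elif TOKEN_SHAPE.match(value) and shannon_entropy(value) >= ENTROPY_THRESHOLD:
                findings.append((path, name, "high-entropy token value"))
    return findings

if __name__ == "__main__":
    for path, name, reason in scan_files(SAMPLE_FILES):
        print(f"{path}: {name} ({reason})")
```

Anything flagged should be treated as exposed to every user who installs the app: move it server-side or scope it to a per-user credential, and rotate the key.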

“The exposed keys were a vulnerability and could have been abused to pull and read private data belonging to customers and employees,” Dilliplane said. “As soon as I encountered the vulnerability, I wrote a full, thorough report on my findings and contacted the networking company’s security team right away.” According to Dilliplane, he was a tad late. In a good way. “I was thanked by the team for reporting the issue,” Dilliplane said. “However, no bug bounty was rewarded for the find, because they were already processing a report from another bug bounty hunter.”

A bug bounty is a reward offered by websites and software developers for reporting bugs and vulnerabilities. According to Dilliplane, bug bounty hunting can be very competitive.

“A common courtesy when finding such vulnerabilities — especially those that could lead to massive data leaks — is to keep it private until the company can securely patch the vulnerability and no one can exploit it for personal gain,” Dilliplane said. “Bug bounty hunters and hackers know that where there’s one vulnerability, there are often more. In this case, the company asked to not be disclosed.”

Dilliplane’s ability to uncover the data exposure and to “compete” in the bug bounty world can be directly attributed to the groundwork laid by BU’s digital forensics program.

“The digital forensics program (here) provides students with not only the investigative and recovery skill sets, but also the knowledge and skills in almost every area I can think of when it comes to cybersecurity,” Dilliplane said. “All of the material is covered in depth, and most importantly, the faculty care about you and your future. It’s also recommended and encouraged that all students in the major join available clubs, such as the Digital Forensics and Cyber Defense Club, where you can learn even more.”

Dilliplane, who for the past two years has helped NETGEAR Inc. privately test its products for bugs prior to market release, has his sights set on a cybersecurity career somewhere in the government sector. “We can see in the news that hackers (both foreign and domestic) often attempt and are sometimes successful at hacking into our critical information systems to steal or exploit them,” Dilliplane said. “These critical information systems can contain intellectual property, control our infrastructure (like power grids), or even allow us to vote. I believe (BU’s) digital forensics program has prepared me to apply my skills to identify these malicious actors and hopefully defend against them.”

~from bloomsburgu.tumblr.com