Informatics students know how to work hard and earn high grades. One student, Marie O’Connell, found another way to ensure that she earned an A: by hacking her professor.
Andrew Reifers, an associate teaching professor at the University of Washington Information School, offers students a unique opportunity in his INFO 415: Emerging Topics in Information Assurance and Cybersecurity course.
“If one of you can hack me successfully, you get an A in my class,” he tells students on the first day.
An Informatics and French double major, O’Connell decided to take Reifers up on the challenge during spring quarter. Reifers has a reputation as an engaging lecturer and a cybersecurity expert, yet even the experts can sometimes be hacked.
It was the first successful hacking attempt in his three years of teaching the course.
Reifers asks students to do outside learning about cybersecurity. With inspiration from lectures and from listening to almost every episode of the “Darknet Diaries” podcast, O’Connell decided to try her hand at a spear-fishing attack.
Unlike broad phishing attempts, which target many potential victims at once, spear-phishing attempts depend on familiarity. They often use a pretext, a scenario that a hacker can use to engage their target.
In O’Connell’s case, a casual conversation with Reifers about her involvement in the UW Blockchain Society led to his request for more information — a perfect pretext.
“We were having a conversation about blockchain technologies,” said Reifers. “She invited me to check out the student organization she’s part of and then followed up with an email. It seemed very natural. I was fully expecting the email. In no way was there any indication that this was going to be a spear-phishing attempt.”
O’Connell’s previous study of web design was pivotal. She crafted a page that mimicked the University’s sign-on page. But a masked link directed to a page that harvested Reifers' credentials.
O’Connell had taken advantage of the opportunity that their after-class conversation created, and she was happily surprised to find that it worked. She created a comedic landing page for Reifers to discover.
“She got me,” Reifers said. “As I reflected on her hack, I was impressed with how seamless it was. It transitioned from a social engineering attack to a digital attack in a very professional manner.”
The hack was considered an ethical one, without repercussions besides a slight boost in grade. While O’Connell created a proof of concept and wrote out her method, she did not access or save any protected data. Plus, Reifers’ two-factor authentication prevented her from seeing his password or files.
After taking Reifers’ class, O’Connell sees more connections in what she has learned in both her majors. The combination of skills required in cybersecurity shows the usefulness of interdisciplinary studies.
“I'm really happy that I went out of my comfort zone and took a class that I knew nothing about,” O’Connell said. “I would like to get into cybersecurity, and I see this as a foot in the door.”
Reifers expressed pride in his student. “I hope that she continues investigating cybersecurity as a potential career. I think she’d be an excellent engineer.”