Cybersecurity and Ethical Hacking

A key part of Baldwin’s mission states that Baldwin will develop girls into confident young women who will have “... the competency to make significant and enduring contributions to the world.” Upper-school students in Dr. Thomas Heverin’s “Cybersecurity and Ethical Hacking” class are already making these types of contributions.
 
Since early September, Baldwin students have ethically hacked into 60 unique devices across government agencies, universities, non-profits and other types of organizations. Ethical hacking is defined as the authorized exploration of organizations’ devices and networks to uncover vulnerabilities and security weaknesses. The primary goal is to improve organizations’ security and to protect people in those organizations.
 
Types of devices ethically hacked by the students include printers, digital systems that control physical key boxes, building automation systems, satellite phone terminals, logic controllers, file servers, communication servers, security cameras and more.
 
To enhance organizational security, the class has submitted vulnerability reports to security teams, aiming to promptly notify them of potential threats and drive essential security improvements. A notable example of their impact is a U.S. university's response to a comprehensive vulnerability report, which spurred significant university security enhancements based on the students' findings. For this case, students discovered they could access the system logs of the university’s printers. Within the logs, students found various IP addresses attempting to access the printers. They analyzed the IP addresses to determine that several were associated with malware. The university’s security team was highly impressed with the girls’ analysis.
 
The students’ global impact is evident in their discovery of a critical security flaw in a widely used printer model from a prominent vendor: the flaw allows any public user to establish an administrator account, effectively gaining complete control and access. This vulnerability has been identified in 30 organizations spanning the United States, Mexico, Canada, Greece, France, Hungary, Slovenia, Macedonia, Germany and Slovakia, highlighting the widespread significance of their findings.
 
The girls use various publicly available cybersecurity tools, such as Shodan and Censys, to find devices and then use ethical hacking tools developed by Dr. Heverin to identify vulnerabilities on the devices. Dr. Heverin developed the tools with the aid of ChatGPT, a generative artificial intelligence (AI) resource. The students also use ChatGPT in class to help define cybersecurity technical terms and to help explain the risk associated with their findings.
 
Dr. Heverin stated, “Teaching Baldwin students has been an amazing experience. Their motivation to learn and their critical thinking skills have led us to discovering vulnerabilities across the world. They are already making significant contributions in cybersecurity as high school students. I can’t wait to see what they ethically hack into and what organizations they help next.”