7 questions for Niels Zondervan
‘Hacking is surprisingly easy’
‘A wealth of data also leads to a wealth of risks’
Niels Zondervan is a PhD candidate in Systems Biology from Wageningen and a businessman, but he has also been a white hat hacker — an ethical hacker — for years. He knows better than anyone how important it is to store your research data properly.
How do you become an ethical hacker?
I own Bitcoin and you need a password to access your digital wallet. But I couldn’t remember my own password because I’d been a little too careful. So I had to hack my own wallet. It worked. Then I had a thought: if I can hack myself, I can hack others too. My company, Walletrecovery.nl, was born from this idea. I help people who own Bitcoin who can’t remember their passwords. Every password is linked to a hash. When you log in to an account, the password you type is hashed and compared to a hash in a database. I hack the hashes to recover people’s passwords.
Is WUR interesting for hackers?
Absolutely. The research plans stored on on-campus computers alone are a reason for hackers to be interested in WUR. Suppose someone writes a research proposal and I can view it remotely. I study at a crappy university somewhere in the middle of nowhere. I copy your proposal, tweak it a bit and make sure I submit it to a research spot first. Your idea is then less original because you’re second. And your chances of being able to claim funding are massively reduced. WUR can be hacked. Everything can be hacked because everything has its weaknesses. For example, I have a keylogger here. This is a cable that you use to link the keyboard to the computer. It is a sort of USB stick that stores everything that you type. Very easy to place somewhere you cannot see it. After six months, you can remove the keylogger. No one will notice, because who actually checks the back of their computer? As a result, your passwords and emails have been hacked. More expensive versions even allow you to look at someone’s screen remotely. The chance of getting caught with this kind of remotely accessible keylogger is almost zero. I bought this keylogger somewhere in Eastern Europe. It is not illegal to buy, but it is illegal to use.
What can WUR employees learn from hackers?
The first thing you can learn is that hacking is pretty easy. All you have to do is watch a YouTube video and install an operating system that contains all the hack tools you need. A hack tool is a piece of software that you use to break into a computer. You start the hack tool, such as Wireshark. You choose a network using public Wi-Fi, then click ‘hack password’. Fifteen minutes later and without any real effort, you’ll have figured out most Wi-Fi passwords.
Photos: Anne Reinke
The second thing to know is that most passwords can be hacked. It is therefore important that you use a password specifically for that one account when storing important data, like bank accounts, DigiD and research data. Do not use parts of other passwords either. If you have been hacked and you use the same password for both your Facebook account and your WUR account, then you’ve got a problem. Incidentally, good passwords do not need to be complicated. A password consisting of one word in two different languages is very strong. A phonetically written word or a deliberate misspelling works too.
What are stumbling blocks for researchers when it comes to data management and security?
I often see people sharing sensitive information very casually and doing so without security, such as in an attachment or a link to Google Cloud or OneDrive in an unencrypted email.
For example, if you have medical data from test participants, it is extremely important that this information is encrypted properly, so you have to separate the medical information from the specific participants. You can do this using a hash, a random series of numbers and letters instead of a name and surname. Hackers can attack this kind of hash. As an academic, you can protect against this using a ‘salt’: a password. The combination of a strong password in addition to the names of patients results in too many combinations for the information to be easily hacked.
Name
Niels Zondervan
WUR career
BSc Biotechnology, MSc Bioinformatics
Will be doing a PhD with the Systems & Synthetic Biology group
Has been running his own company, WalletrecoveryNL, since 2019
Hobbies
Parkour, martial arts, yoga, piano, crypto
Marital Status
Niels is married and has two children. There is a third on the way.
Lots of researchers work and share files using public Wi-Fi. Nowadays, people work a lot from home, but they also do ‘work on the go’, in coffee shops. This is not really safe because the passwords are often quite easy to crack, coffeebean123, for example.
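The two hashing points Zondervan makes, cracking a password hash by recomputing guesses (the wallet-recovery answer) and protecting a pseudonymised participant list with a secret ‘salt’ (the answer above), are two sides of the same attack. The following Python is an added example, not code from the interview or from Walletrecovery.nl: it pseudonymises a constructed list of participant names with a plain SHA-256, reverses those pseudonyms with a constructed name list, and then shows that an HMAC with a secret key (the role his ‘salt’ plays here) survives the same attack. Names, the guess list and the key-handling are assumptions for the demo.

```python
"""Pseudonymising participant names: plain hash versus keyed hash.

Added example (not from the interview). Demonstrates why an unsalted SHA-256
of a name can be reversed by a dictionary attack, exactly as a password hash
can, and why keying the hash with a secret defeats that attack.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: the study's participant list (which must never be
# stored next to the medical records) and an attacker's list of likely names.
PARTICIPANTS = ["Anna de Vries", "Jan Jansen", "Pieter Bakker"]
ATTACKER_WORDLIST = [
    "Jan Jansen", "Kees de Boer", "Anna de Vries", "Pieter Bakker", "Marieke Smit",
]


def plain_pseudonym(name: str) -> str:
    """Unsalted SHA-256 of the name. Deterministic and keyless, so anyone who
    can guess the name can recompute the pseudonym."""
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


def keyed_pseudonym(name: str, key: bytes) -> str:
    """HMAC-SHA256 of the name under a secret key. Without the key, guessing
    names does not help; the key is what Zondervan calls the 'salt'."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()


def dictionary_attack(pseudonyms: set[str], wordlist: list[str]) -> dict[str, str]:
    """What a cracker (or a wallet-recovery service) does: hash every guess
    and see which stored hashes it matches. Returns {hash: recovered name}."""
    recovered: dict[str, str] = {}
    for guess in wordlist:
        digest = plain_pseudonym(guess)
        if digest in pseudonyms:
            recovered[digest] = guess
    return recovered


def demo() -> tuple[int, int]:
    """Run the attack against both schemes; returns (plain hits, keyed hits)."""
    plain = {plain_pseudonym(n) for n in PARTICIPANTS}

    # Assumption: the key is generated once per study and kept apart from the
    # dataset (e.g. with the data steward), so a leaked table carries no key.
    key = secrets.token_bytes(32)
    keyed = {keyed_pseudonym(n, key) for n in PARTICIPANTS}

    plain_hits = dictionary_attack(plain, ATTACKER_WORDLIST)
    # The attacker has the table but not the key, so the best they can do is
    # recompute unkeyed hashes, which never match the keyed pseudonyms.
    keyed_hits = dictionary_attack(keyed, ATTACKER_WORDLIST)
    return len(plain_hits), len(keyed_hits)


if __name__ == "__main__":
    plain_n, keyed_n = demo()
    print(f"plain SHA-256: {plain_n}/{len(PARTICIPANTS)} participants re-identified")
    print(f"keyed HMAC:    {keyed_n}/{len(PARTICIPANTS)} participants re-identified")
```

One terminology caveat for practitioners: in password storage a ‘salt’ is a public, per-record random value that only stops precomputed tables, and the real defence against the guess-and-compare loop above is a slow hash such as Argon2 or bcrypt. What protects the pseudonyms in this example is a secret key (sometimes called a pepper), which is the stronger property the interview is describing; it only holds as long as the key never sits in the same place as the data.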
What are the main developments in the field of data science, management and security?
We are moving towards a stage where all data will be linked. Web 3.0 means that all datasets will be put online. Blockchain, the Internet of Things and Artificial Intelligence are all linked to each other. In the past, you had a single server with a dataset. Today, you have a network of datasets connected like the threads in a spiderweb. This is achieved through FAIR data management, which leads to data being ‘Interoperable’ and as such interlinked. But this wealth of data also leads to a wealth of risks, as data breaches can have major consequences. If a person makes a mistake by adding user names, ID numbers or patient hashes, it is easy for black hat hackers to hack, and if ten datasets are linked to each other, this means that the data in the other nine datasets are also not anonymous anymore. So, as a researcher, you need to think about how to annotate, manage and keep data safe, or seek advice from an internal expert, such as a data steward.
What are your recommendations for WUR employees to work safely?
I understand that WUR employees now log in using a Virtual Private Network (VPN) server. This is quite safe and it protects your data from people who want to view your Wi-Fi traffic, for example. Another stage of protection is two-factor authentication (2FA). This means you have to perform two actions to log into your computer, for example. The simplest form of 2FA is a bank card with a PIN: you need both to withdraw money. Another form of 2FA uses a fingerprint in combination with a code. I understand that WUR now uses 2FA. There are access cards with up to 100,000 keys for encryption and 2FA. You can use these to log into your computer.
How serious are you about data?
Very serious because, as a white hat hacker, I have access to other people’s data. If I am hacked, this is a business risk. If one of my computers is stolen, it is of no use to the thief because everything is encrypted and secured using 2FA.