Victor Gevers is a Dutch ethical hacker who searches the internet for possible leaks and information that is vulnerable to “bad” hackers and reports it to those involved.
Gevers has been tracking down vulnerabilities on the internet for years. He does this selflessly and according to the guidelines of the National Cyber Security Centre (NCSC). In 2015, he collaborated on the book Helping Hackers by Chris van ’t Hof, author and speaker in the field of cyber security.
This eventually resulted in the pair founding the Dutch Institute for Vulnerability Disclosure (DIVD), together with former MP Astrid Oosenbrug, in September 2019 to give all Dutch “helping hackers” a common identity. “Moreover, a foundation gave us the chance to attract more participants,” says Van ’t Hof.
Many cyber security organisations only scan and report their own clients or a specific segment of the internet, but DIVD makes no distinction and its mission is to make the internet safer worldwide. “Criminals also don’t look at a specific part, but see the entire internet as an opportunity. So that’s how we approach the internet as well,” he adds.
On the map
“We really didn’t think two years ago that we would grow so fast,” says Van ’t Hof. “We thought we would attract about 10 or 20 people in total, but we already have 72 participants.”
That popularity and notoriety is due to a number of things. “The discovery of the vulnerability in Citrix in early 2020 was a kind of flywheel for DIVD. Some smaller issues followed, such as vulnerabilities in SolarWinds, Pulse and Fortinet, but DIVD really got on the map with the leak in the Kaseya software,” says Van ’t Hof.
Eight vulnerabilities had been discovered by DIVD researcher Wietse Boonstra two months earlier, and together with Kaseya they worked very hard to find a solution. “We were really almost there,” adds Van ’t Hof.
REvil cyber criminals, who in the meantime had discovered the last vulnerability that needed to be fixed, chose Friday 2 July to roll out the attack. “They probably thought, ‘It’s the 4th of July weekend and everyone in the US is drinking beer and having a barbecue’,” says Van ’t Hof. But they hadn’t counted on the DIVD.
“We had long been scanning which organisations were using Kaseya software, so on Saturday morning we were able to immediately warn numerous companies worldwide to turn off their servers: 2,200 managed service providers, each with 100 to 1,000 customers. That potentially saved 1.5 million victims,” he adds.
“When you consider that 1,500 organisations worldwide were victims of the REvil attack, you can see what impact our reports have had. The damage could have been much greater. In fact, within two days, we had zero vulnerable companies here in the Netherlands. That’s when DIVD became really interesting to the outside world and we were definitely on the map.”
After this, DIVD wanted to expand its activities and work more closely with companies and the government, as well as attract new volunteers. This required a professionalisation of the foundation.
“We still wanted to work with volunteer researchers, but a budget had to be created for other functions,” says Van ’t Hof. For this purpose, he submitted a proposal to the Digital Trust Centre (DTC), the Dutch organisation that helps entrepreneurs with safe digital entrepreneurship.
“At the same time, a number of other things happened. We started working with the NCSC [National Cyber Security Centre], for example. That was special, because we were not recognised as a CERT [cyber emergency response team], but a separate construction has been made for that. Moreover, the Dutch Safety Board concluded in its Vulnerable through software report that the deployment of volunteers to search for vulnerabilities is essential.”
To complete the roller coaster ride, the American cyber security company Huntress contacted the DIVD to ask if it could be of any help.
“We told them about our international ambitions and they offered to make a financial contribution. Then we heard nothing for a while, so we contacted them to ask what exactly they expected from us. ‘Just give us your account number,’ was the reply. Not much later it turned out they had transferred $100,000,” says Van ’t Hof. “We were flabbergasted.”
New structure
However happy the foundation was with the donation, it did lead to a slight panic. “It was just before the turn of the year, the term ‘wealth tax’ came up, so we hastily set up a fund and found an administration office to handle the annual accounts,” says Van ’t Hof.
This accelerated the professionalisation of the foundation. A new structure was set up, with DIVD as the fundamental institute. “Victor Gevers was the chairman of that before, but because we wanted a different structure, that stopped and we had to look for a director. Surprisingly, everyone pointed in my direction. I took on that task,” says Van ’t Hof.
Chris van ’t Hof, DIVD
Under the flag of the DIVD Institute is the fund that is meant to bundle all subsidies, donations and other money flows. “From that fund, we can finance projects that contribute to a safer internet,” explains the DIVD director.
To give shape to the global ambition, a separate foundation was also set up, CSIRT.global, of which Eward Driehuis is in charge. “That foundation will set up departments in other countries so that volunteer hackers there can also help to scan and report,” says Van ’t Hof.
Finally, there is the DIVD Academy, under the care of Astrid Oosenbrug. The academy focuses on young computer enthusiasts who do better online than at school. “With this, we have a twofold objective,” says Van ’t Hof. “First, we want to let unknown talent enter the labour market, because there is an unprecedented need for good security people. Second, we hope to prevent young people from being drawn to the wrong side. Vulnerable young people are recruited in abundance on hacker forums. We want to offer them an alternative.”
Personal development
The construction with different foundations was a conscious choice. “Not only does it offer a certain form of risk spreading, but we especially want to empower our volunteers and other people involved,” says Van ’t Hof. “We now have 72 volunteers who do their jobs during the day and save the world in the evenings. We want to give them a place where they can be recognised.”
For example, a volunteer who finds a zero-day threat and then becomes an international celebrity can get a position in one of the foundations. “In this way, we offer people the opportunity to develop in other areas as well. DIVD is there to save the internet, but we also want to be able to give people a place to do that and contribute to their development.”
Chris van ’t Hof, DIVD
Van ’t Hof explains, jokingly, that DIVD’s fame worldwide has led to confusion. “During Kaseya, some journalists in America thought we were the Dutch CERT and were surprised we are just a group of volunteers,” he says.
When asked how DIVD can guarantee that new volunteers are actually ethical hackers, the director explains that new people can only join the foundation through a web of trust. “We only work with people who are known and trusted by our volunteers,” he says. “We also do background screening. Finally, we never work alone on a project – we always work in teams.”
Scanning and reporting
The DIVD has since received a grant from the DTC of €192,000 per year for a period of three years. This will be used to fill staff positions.
“We also share our information with the DTC,” says Van ’t Hof. “We already did that with other parties, but now we do so with the DTC as well.” This is an important development, since the DTC focuses on Dutch small to medium-sized enterprises (SMEs). “There are 1.8 million SMEs in the Netherlands, and as far as cyber security is concerned, this is where the greatest challenge lies. Those SMEs are often suppliers to large organisations and governments, so it is crucial that they are also warned in the event of a vulnerability.”
Whereas other organisations focus on scanning a particular segment of the internet, DIVD scans the entire internet. “We do 4.2 billion IP addresses. Sometimes we get a list of 100,000 IP addresses that we need to warn, which results in a good day’s work doing notifications. We also have our own autonomous system (AS50559) for this and some heavy servers in a datacentre near Amsterdam, because we use an enormous amount of computing power and bandwidth.”
In addition to the internationalisation of DIVD, Van ’t Hof has another goal. “I want a guaranteed independent research board within three years and sufficient funding. Our researchers must remain volunteers, to keep it pure, but as a foundation we have a lot of work to do, so more support would be nice. Our ambition is to make an important contribution to finding, reporting and fixing vulnerabilities worldwide, and in that respect we are well on our way.”