It's easy to create malicious code, penetrate
firewalls, and steal personal and financial information. "Ethical hacker" Andrew
Whitaker can show you how.
I didn't wake to Reveille in army barracks. I wasn't dressed in fatigues. And no
way was I marching around holding a rifle above my head. But in the wee hours
one recent Thursday I was headed to boot camp nonetheless -- hacker boot camp.
For a full day, I would immerse myself in
the tricks of the computer hacking trade, getting hands-on training in how scam
artists construct the code that wreaks havoc on the world's computers. The key
distinction: This is "ethical" hacker boot camp, put on by a company called
TechTrain, which hosts about 24 of these intensive training sessions each
year.
My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's
director of enterprise security, who's had stints protecting online banks, and
teaching other financial institutions what's wrong with their security systems,
over the last ten years. Before class, he gives me the rundown of what we'll
learn: how to use viruses, how to compromise wireless networks and how to evade
firewalls.
"PRETTY SWEET." I am in a
classroom full of middle-aged high-tech system administrators. They're all men,
from all over the country, attending the $4,300-a-week course to brush up on the
skills needed to combat a rising tide of computer threats.
Mainly, they
work for computer makers and software firms, and boy do they love their
computers. One describes the tension between himself and his wife over how much
he uses the computer. Another student agrees. "Don't make me choose, because you
won't like the outcome," he says, to raucous laughter.
Each time Whitaker
unveils a new way to compromise a company's security, "Cool!" is exclaimed
throughout the room. Even Whitaker, who tackles hacking challenges in his spare
time, pauses from time to time to ask, "Pretty sweet, huh?" It's a bad-boy
thrill, and it's as infectious as the attacks we're trying to
thwart.
NEW BREED. Thrill or no, this is
boot camp, and there's a big task at hand: earning the right to be called a
"certified ethical hacker," a distinction bestowed by the International Council
of Electronic Commerce Consultants. The e-commerce trade group has been
administering the program for several years, but the need for IT professionals
who know how to think -- and code -- like the enemy is as urgent as
ever.
Time was, companies that wanted to fight hackers would go out and
hire the bad guys themselves. But as hackers proliferate and get smarter,
companies increasingly want homegrown experts, so-called white
hats.
Another shift they're responding to: Increasingly, attacks are
financially motivated. These are no longer mere "hacktivists" who spread viruses
to take down Corporate America or spread social and political commentary. Nor
are they out to make a name for themselves. Today's hackers want to fly under
the radar (see BW Online, 1/23/06, "Coming
to Your PC's Back Door: Trojans"). According to the latest Internet threat
report by Symantec (SYMC),
attacks that have the potential to give bad guys confidential information rose
74% in the second half of 2005 to comprise 80% of all threats.
ALARMING LAPSES. And here's what may be the scariest
part: to be a hacker, you don't even have to be a hardcore techie or
particularly good at writing code. Take me, for instance. I'm an English major
who hasn't written a line of code since third grade when I wrote a BASIC program
that quizzed you on state capitals. Camp got started at 9 a.m., and within an
hour, I was hacking into fictional banks' Microsoft databases and retrieving
credit card numbers.
It's a matter of knowing tricks and what to look
for. For instance, the default Microsoft database user name is "SA" and there's
no default password. An alarming number of administrators never change these
settings, so once hackers get into a system, they often try this first --
successfully.
Here's another trick. Put a single quote mark in the user
name line of a login form. If you get a particular error message, you know that
site is vulnerable to a technique of stealing database contents called "SQL
injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys
want to see some more scary stuff?"
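An added example, not part of the original article, showing why a lone quote mark produces that telltale error and how a bound parameter removes it. Python's sqlite3 stands in for the Microsoft database, and the table, names and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; sqlite3 is an assumed stand-in for the
    # Microsoft database described in the article.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "hash-a"), ("O'Brien", "hash-b")])
    return db

def lookup_concatenated(db, name):
    """'Before' form: the user name is pasted into the SQL text."""
    query = "SELECT name FROM users WHERE name = '" + name + "'"
    try:
        return ("ok", db.execute(query).fetchall())
    except sqlite3.Error as exc:
        # Handing the raw database error back to the client is the
        # "particular error message" that gives the flaw away.
        return ("db-error", str(exc))

def lookup_parameterized(db, name):
    """Hardened form: the value is bound and never parsed as SQL."""
    try:
        rows = db.execute("SELECT name FROM users WHERE name = ?",
                          (name,)).fetchall()
    except sqlite3.Error:
        # Generic message to the client; details belong in server logs.
        return ("error", "lookup failed")
    return ("ok", rows)

def compare(name):
    """Run both lookups against a fresh database and return both results."""
    db = make_db()
    return lookup_concatenated(db, name), lookup_parameterized(db, name)

if __name__ == "__main__":
    for name in ("alice", "O'Brien", "'"):
        print(repr(name), compare(name))
```

Even a legitimate name containing an apostrophe breaks the concatenated query, which makes such names a useful regression test for login and search forms.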
OPEN TO ALL. It wasn't a real bank's site I was hacking into. And I was
pretty much typing instructions written out for me. Still, Whitaker says there's
an enormous number of sites with these types of basic vulnerabilities,
largely because database administrators don't know security -- and the security
administrators don't know databases. If I could master basic database hacking in
an hour, how much damage could a truly technically proficient person
do?
So, do ethical hackers go bad, I wonder aloud? Whitaker says he knows
of a few cases, but companies like his screen candidates carefully. They have to
be gainfully employed in the security field and must sign waivers saying they
won't use these tricks for ill. For more sophisticated classes there are
background and criminal checks. In any case, the sad truth is that anyone who
wants to be a hacker can do so these days -- with or without these
classes.
A large percentage of the materials used to train ethical
hackers are freely available over the Web. Just like the mainstream software
world has been turned on its head by the open source revolution of coders
creating free databases and operating systems, there's a whole open source world
of viruses and trojans.
BEAUTY AND THE BEAST. After about six hours of crash training, the class embarks
on a team "capture the flag hacking challenge" that entails stealing credit card
numbers from a fictional bank and posting all the numbers to the site. It gives
pupils a chance to apply all the skills learned over the week.
I must
concede it's too sophisticated for my grade-school BASIC skills and a half day
of hacking tips, so I hang back as Whitaker shows me how he infected another
machine with a trojan called "Beast."
Beast was written by a college guy
in love with a girl who didn't love him back. So he did what any lonely geek
would do. He wrote a vicious program that could control her dorm room Web cam.
Beast can also control your CD drive, Internet browser, and chat windows --
anything on your machine. And you can download it free on the Web today. Sure,
most security software can catch it -- but nearly half of PCs in the U.S. don't
have basic security software. And for just a few hundred bucks, mercenaries will
write you a new, undetectable version.
FACT AND FICTION. According to research by Symantec, most hacking activity
goes on Monday through Friday from 9 a.m. to 5 p.m. -- it's a career for some.
"We were stunned by their brazen indifference to law enforcement and the extent
to which they emulate a sophisticated economy," says David Cole, director of
Symantec's security response team, who spent months watching hacker activities
online.
Earlier in the day, I ask Whitaker if he's seen the recent movie
Firewall, where Harrison Ford portrays a security specialist forced to rob the
bank he's protecting so he can save the life of his kidnapped son. "Yeah, it's
not really like that in the real world," Whitaker says, condescendingly. After a
day at hacker camp, I agree. The real world is scarier.
Lacy is a reporter for BusinessWeek Online in Silicon Valley