What I Learned at Hacker Camp
I didn't wake to Reveille in army barracks. I wasn't dressed in fatigues. And no way was I marching around holding a rifle above my head. But in the wee hours one recent Thursday I was headed to boot camp nonetheless -- hacker boot camp.
For a full day, I would immerse myself in the tricks of the computer hacking trade, getting hands-on training in how scam artists construct the code that wreaks havoc on the world's computers. The key distinction: This is "ethical" hacker boot camp, put on by a company called TechTrain, which hosts about 24 of these intensive training sessions each year.
My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's director of enterprise security, who's had stints protecting online banks, and teaching other financial institutions what's wrong with their security systems, over the last ten years. Before class, he gives me the rundown of what we'll learn: how to use viruses, how to compromise wireless networks and how to evade firewalls.
I am in a classroom full of middle-aged high-tech system administrators. They're all men, from all over the country, attending the $4,300-a-week course to brush up on the skills needed to combat a rising tide of computer threats.
Mainly, they work for computer makers and software firms, and boy do they love their computers. One describes the tension between himself and his wife over how much he uses the computer. Another student agrees. "Don't make me choose, because you won't like the outcome," he says, to raucous laughter.
Each time Whitaker unveils a new way to compromise a company's security, "Cool!" is exclaimed throughout the room. Even Whitaker, who tackles hacking challenges in his spare time, pauses from time to time to ask, "Pretty sweet, huh?" It's a bad-boy thrill, and it's as infectious as the attacks we're trying to thwart.
Thrill or no, this is boot camp, and there's a big task at hand: earning the right to be called a "certified ethical hacker," a distinction bestowed by the International Council of Electronic Commerce Consultants. The e-commerce trade group has been administering the program for several years, but the need for IT professionals who know how to think -- and code -- like the enemy is as urgent as ever.
Time was, companies that wanted to fight hackers would go out and hire the bad guys themselves. But as hackers proliferate and get smarter, companies increasingly want homegrown experts, so-called white hats.
Another shift they're responding to: Increasingly, attacks are financially motivated. These are no longer mere "hacktavists" who spread viruses to take down Corporate America or spread social and political commentary. Nor are they out to make a name for themselves. Today's hackers want to fly under the radar (see BW Online, 1/23/06, "Coming to Your PC's Back Door: Trojans"). According to the latest Interne threat report by Symantec (SYMC), attacks that have the potential to give bad guys confidential information rose 74% in the second half of 2005 to comprise 80% of all threats.
And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.
It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successfully.
Here's another trick. Put a single quote mark in the user name line of a password.
If you get a particular error message, you know that site is vulnerable to a technique of stealing database contents called "sequel injection." "Pretty cool, huh?" Whitaker says to the stunned crew. "You guys want to see some more scary stuff?"
OPEN TO ALL.
It wasn't a real bank's site I was hacking into. And I was pretty much typing instructions written out for me. Still, Whitaker says there's an enormously large number of sites with these types of basic vulnerabilities, largely because database administrators don't know security -- and the security administrators don't know databases. If I could master basic database hacking in an hour, how much damage could a truly technically proficient person do?
So, do ethical hackers go bad, I wonder aloud? Whitaker says he knows of a few cases, but companies like his screen candidates carefully. They have to be gainfully employed in the security field and must sign waivers saying they won't use these tricks for ill. For more sophisticated classes there are background and criminal checks. In any case, the sad truth is that anyone who wants to be a hacker can do so these days -- with or without these classes.
A large percentage of the materials used to train ethical hackers are freely available over the Web. Just like the mainstream software world has been turned on its head by the open source revolution of coders creating free databases and operating systems, there's a whole open source world of viruses and trojans.
BEAUTY AND THE BEAST.
After about six hours of crash training, the class embarks as a team "capture the flag hacking challenge" that entails stealing credit card numbers from a fictional bank and posting all the numbers to the site. It gives pupils a chance to apply all the skills learned over the week.
I must concede it's too sophisticated for my grade-school BASIC skills and a half day of hacking tips, so I hang back as Whitaker shows me how he infected another machine with a trojan called "Beast."
Beast was written by a college guy in love with a girl who didn't love him back. So he did what any lonely geek would do. He wrote a vicious program that could control her dorm room Web cam. Beast can also control your CD drive, Internet browser, and chat windows -- anything on your machine. And you can download it free on the Web today. Sure, most security software can catch it -- but nearly half of PCs in the U.S. don't have basic security software. And for just a few hundred bucks, mercenaries will write you a new, undetectable version.
FACT AND FICTION.
According to research by Symantec, most hacking activity goes on Monday through Friday from 9 a.m. to 5 p.m. -- it's a career for some. "We were stunned by their brazen indifference to law enforcement and the extent to which they emulate a sophisticated economy," says David Cole, director of Symantec's security response team, who spent months watching hacker activities online.
Earlier in the day, I ask Whitaker if he's seen the recent movie Firewall, where Harrison Ford portrays a security specialist forced to rob the bank he's protecting so he can save the life of his kidnapped son. "Yeah, it's not really like that in the real world," Whitaker says, condescendingly. After a day at hacker camp, I agree. The real world is scarier.