The dark underbelly of cyberspace is rarely exposed – but experts at one elite school teach Peter Warren how to get inside the mind of a computer hacker.
To the untrained eye it looked just like any computer screen. There were programs, files and the accumulated digital junk that sits on most people’s desktops. But as I looked closely, I could begin to see everything that was happening: every document opened, every password entered, every program activated. It was as if I were looking at my own computer – except I wasn’t. What I was secretly observing was someone else’s screen: after just three days of training, I had become a fully fledged hacker.
To be honest, it didn’t take much effort. A basic grasp of how a computer works, a tiny bit of familiarity with programming and the ability to force yourself into a puzzling and sometimes tedious world are the raw ingredients for becoming a hacker. The key element though, as my tutor, Byrne Ghavalas, told me, is “intent”: you have to want to think like a hacker to become one.
Ghavalas is no ordinary teacher, and this is no ordinary course. He describes himself as “a computer penetration expert” for 7Safe, the security specialists who jointly run the course with Glamorgan University as part of an MSc in computer forensics. It serves a serious purpose: the Glamorgan course, split up into hacking and forensics modules, is one of the few in the country where you can learn these skills legally. The aim is to teach computer security experts what to look out for when protecting against hackers – by teaching them how they think.
My hacking classmates are all computer network engineers, whose jobs include keeping hackers out of the companies and public institutions for whom they work.
For, as Ghavalas reminds us, while thinking like a hacker may be “cool”, acting like a hacker is not just uncool, it is also illegal and highly damaging. Police estimate that last year, hacking in all its forms cost the UK £2.4bn, with £177m of that from small businesses.
The seriousness of our mission is underlined by our surroundings. We are taught inside a police college in Bedfordshire, where the doors slam locked behind you and everyone must wear identity passes at all times. We hone our skills from 9am to 6pm in a brightly lit, air-conditioned classroom where each bench has two sleek computers. The contrast with the real hackers – our future opponents – could hardly be more striking. The typical image of the hacker, after all, is of a lone, usually scruffy, young male, sitting in an attic bedroom through the night, trying to break into networks around the world.
This was certainly the image projected by the first generation of hackers, such as Hans Huebner, Kevin Mitnick and Matthew Bevan, known by their “handles” or nicknames. Huebner (“Pengo”) and fellow German hacker Karl Koch (“Hagbard”) sold defence secrets from the west to the KGB during the cold war. Mitnick, known on the internet as “Condor”, was the first to be convicted under US anti-hacking legislation in 1989, and was arrested and jailed for further offences in 1995. Meanwhile, the Welsh hacker Bevan (“Kuji”) was arrested in 1996 for breaking into US air force networks.
Yet my fellow pupils and I have one thing in common with hackers – we have to learn how to target a computer’s weak points. I begin by understanding how a computer works, how it communicates and how it talks. This is when I realise that their basic flaws were there from the very start. I discover that computers talk in a strange sort of pidgin English – a very basic language, restricted in size and sophistication by the small amount of memory available when computers were first developed. I learn phrases of that language, which is a bit like text speak – “English lite” for computers.
Ghavalas points out that all computer operating systems have fundamental flaws. One is that, like the people who created them, they are by nature social beings. Say “hello” to a computer and its response will be “hello, who are you?”. A computer is designed to respond to questions, yet as soon as it does it starts to leak vital information, data that can be and is used to commit cyber crime.
Our first lesson is in “sniffing” traffic: analysing the data coming out of an internet-enabled machine. I need more information, so I provoke my intended victim. The computer responds, emitting a little jet of information – a mixture of message types and data. This means almost nothing to me, but with the help of some neat programs and a little expert guidance, I begin to discover more useful information about my target.
I find out the machine’s name and address and, using a variety of hacking tools, a detailed picture begins to emerge. Gradually, I discover how many users that computer network has, how many programs are being run, and what kind of attack it might be vulnerable to. When it comes to hacking, information really is power.
One ingenious program allows me to ask a computer for its password policy – what the length of password is, how the company arrives at them and, eventually, where the passwords are stored.
Now it is time for the first hacking run, and after just three minutes, the first low-level passwords are broken. I am yet to gain the ultimate prize, the administrator’s password which would let me control the entire computer and its network.
As my experience and knowledge increase, I can see why hacking is so addictive. It is easy to see why some hackers have a fondness for darkened rooms and green screens: there is an odd sense of immersion as you tunnel your way into a computer system. It is also voyeuristic. You feel as though you are on the other side of a two-way mirror – there is a feeling of power, achievement and acute excitement caused by knowing you could be caught at any moment.
At some point during all this I also start to sense what many cyber-cops believe, that hackers break down into three main groups. So far I had been playing in the kindergarten of the joyriding “script kiddies”. This is where people intent on hacking can find off-the-shelf tools to help them exploit known weaknesses in computer systems. Once I had reached this level, I then felt the urge to do even more, and this is where danger for the unwary lies. They go that little bit further, becoming known in the jargon as a “cracker”, and then they are hooked – and get caught.
One example is Briton Gary McKinnon, who is fighting extradition to the US. If he fails, he will face a 78-year jail sentence from American courts for hacking into the US military computer network. By his own admission McKinnon is not a great hacker: he simply discovered that much of the US military computer network used a particular route, and that a lot of them used passwords such as “admin” and “password”.
Both these groups – hackers who get caught and script kiddies – use hacking tools that have already been created. Out in cyberspace there are websites where you can buy or find these easily enough. These include sites where someone will sell you stolen credit card numbers, and those where for £200 you get penetration code adapted to run on any computer without alerting most security software.
However, someone has to create this endless stream of programs in the first place – and these people are the uber-hackers. They are also rumoured to know of “zero day releases”: flaws in computer code that nobody else knows about, which they exploit until they have no further use for – at which point they throw them to the script kiddies.
Only then do companies such as Microsoft work out a fix for the weaknesses that the uber-hackers have exploited. By definition, of course, no one can be sure just who these elite hackers are – precisely because they never get caught.
“There is no doubt in our minds that uberhackers are out there, people who are ahead of the game,” says Alan Philips, 7Safe’s managing director. “Maybe they just want money, maybe they just like the thrill of knowing some weakness that no one else knows, maybe they have tried it out and are scared of being caught.”
Their presumed presence, however, is why his firm runs the hacking course – from which, three days later, I graduate. “We want people to understand just what the top hackers can really do,” says Philips.
Knowing what I can do after just a few days’ training, that is quite a scary thought.
Appeared in The Guardian under the headline ‘School for Scoundrels’, 6th of October, 2005.