Intense boot camp separates computer-security professionals from the also-rans
At almost 9 p.m. Wednesday, a handful of computer-hacker trainees hunched over their laptops in a conference room at a local hotel.
They had spent all day in the windowless room, scarfing junk food and bottled water and tapping at their keyboards. Their objective: infiltrate the supposedly secure computer networks of targeted companies and agencies. Then pillage, steal and destroy.
Their instructor in the art of hacking, John Nunes, strolled around the room monitoring their progress, answering questions and offering advice. After three days of intense training, the students were about to make a breakthrough. The Web sites they had targeted would be defaced; the prices on a commercial site would be changed.
"This is the fun part," Nunes said as he watched his students toil to crack computer-security systems on their own, using only their wits and some hacking tools and tips he provided.
The students were all computer-security professionals, and the networks they were attacking were only simulated. But the tools they used are genuine and could be applied to infiltrate real-world systems.
Viruses and terrorism
The enemies they face are real, too, and very tough. Computer hackers are thought to cause billions of dollars in losses to businesses every year. A spate of malicious computer viruses and the threat of terrorism have prompted some private companies and government agencies to take novel approaches to security.
The idea behind the weeklong class at the Wyndham Hotel on Laburnum Avenue was to teach computer-security professionals how to think like hackers. Twenty employees from businesses and government agencies, including the Department of Defense, attended the class. Their employers shelled out more than $4,000 for each seat.
Positive hacking
Intense School, a Florida-based information-technology firm, offers the classes around the country. The company calls it an "ethical hacking boot camp" because students learn how to hack for good, not evil.
"It is really hard-core, intense training," said Ned Snow, the firm's marketing director. Students often spend 14 hours a day in class. At the end of the week, they take an exam offered by the International Council of E-Commerce Consultants. If they pass, they become "Certified Ethical Hackers."
Nunes, the instructor for last week's class, is an independent consultant who, to some, might look like a hacker. The 34-year-old has a mullet-style hairdo, dyed green in back. Both ears and one eyebrow are pierced.
"It started out as a joke," Nunes said of his body decorations. "But it turned into one of the best marketing tools I have."
Nunes said he has been tinkering with computers since he was a boy, but he learned the hard-core stuff, such as cryptography, during his 12 years in the Navy. He told trainees he also worked at the National Security Agency.
The students were there to learn how to protect their employers' computer systems, but Nunes said he doesn't teach defense. "My mind-set is geared more toward the attack," he said. He dislikes the term "ethical hacking" and prefers "professional hacking."
Nunes told students stories of his own exploits, including how he once hacked a fax machine at a retail store in Northern Virginia and obtained thousands of pages of documents that customers had faxed, including credit-card applications. "Fax machines are very dangerous little pieces of gear, especially public ones," he said.
At this boot camp, Nunes took students through various approaches for breaking into secured computer systems. Most of the material was too technical for the layman (the students were all seasoned veterans of the field), but some of the training dealt with old-fashioned, low-tech methods of theft and deception.
The best hackers know a lot more than how to use a computer. Equally important - or more so - is what Nunes called "social engineering," the skill of manipulating people to obtain information.
"Even for technical people, it is often much simpler to just pick up the phone and ask someone for his password," instead of spending days trying to steal it on a computer, Nunes said.
One low-tech way to swipe information is "Dumpster diving," simply going through someone's trash and finding sensitive documents.
"It's amazing the amount of stuff you can pull out of the trash," Nunes said. "It's not illegal as long as you don't trespass. Once you throw something away, you've given up expectations of privacy." (To avoid becoming a victim of this, always shred your documents, he advised.
Snow said Intense School is aware that teaching people the best methods of breaching computer networks is controversial. Nunes said he has been accused of being unethical, but he contends his work is no different from a firearms instructor teaching someone how to use a gun.
"It's like I'm giving them a hammer," he said. "You can use a hammer to build a house for someone, or you can use it to bludgeon someone to death."
Dan, an employee of a major defense contractor who flew from Germany to take the class, said any arguments that it is wrong to teach hacking are "bunk."
"They're not teaching anything here that you can't learn on your own," said Dan, who declined to give his last name.
Dan said he is authorized by his employer to try to break into the company's computer systems as a way to find security flaws. As he sees it, the "white hats," the people who try to protect computer networks, need to understand how the malicious hackers, or "black hats," think.
"It's all about the mind-set," he said. The most important lesson from the class, he said, is that it's no good to have "a $50,000 fence with a $30 lock." That is, no matter how much money you spend securing your technology, it's no good if the people who use it don't understand security.
Any ideas? Staff writer John Reid Blackwell can be reached at (804) 775-8123 or jblackwell@timesdispatch.com