What I Learned at Hacker Camp

It's easy to create malicious code, penetrate firewalls, and steal personal and financial information. "Ethical hacker" Andrew Whitaker can show you how

by Sarah Lacy

I didn't wake to Reveille in army barracks. I wasn't dressed in fatigues. And no way was I marching around holding a rifle above my head. But in the wee hours one recent Thursday I was headed to boot camp nonetheless -- hacker boot camp.

For a full day, I would immerse myself in the tricks of the computer hacking trade, getting hands-on training in how scam artists construct the code that wreaks havoc on the world's computers. The key distinction: This is "ethical" hacker boot camp, put on by a company called TechTrain, which hosts about 24 of these intensive training sessions each year.

My drill instructor (read: teacher) is Andrew Whitaker, TechTrain's director of enterprise security, who's had stints protecting online banks, and teaching other financial institutions what's wrong with their security systems, over the last ten years. Before class, he gives me the rundown of what we'll learn: how to use viruses, how to compromise wireless networks and how to evade firewalls.

"PRETTY SWEET."

I am in a classroom full of middle-aged high-tech system administrators. They're all men, from all over the country, attending the $4,300-a-week course to brush up on the skills needed to combat a rising tide of computer threats.

Mainly, they work for computer makers and software firms, and boy do they love their computers. One describes the tension between himself and his wife over how much he uses the computer. Another student agrees. "Don't make me choose, because you won't like the outcome," he says, to raucous laughter.

Each time Whitaker unveils a new way to compromise a company's security, "Cool!" is exclaimed throughout the room. Even Whitaker, who tackles hacking challenges in his spare time, pauses from time to time to ask, "Pretty sweet, huh?" It's a bad-boy thrill, and it's as infectious as the attacks we're trying to thwart.

NEW BREED.

Thrill or no, this is boot camp, and there's a big task at hand: earning the right to be called a "certified ethical hacker," a distinction bestowed by the International Council of Electronic Commerce Consultants. The e-commerce trade group has been administering the program for several years, but the need for IT professionals who know how to think -- and code -- like the enemy is as urgent as ever.

Time was, companies that wanted to fight hackers would go out and hire the bad guys themselves. But as hackers proliferate and get smarter, companies increasingly want homegrown experts, so-called white hats.

Another shift they're responding to: Increasingly, attacks are financially motivated. These are no longer mere "hacktavists" who spread viruses to take down Corporate America or spread social and political commentary. Nor are they out to make a name for themselves. Today's hackers want to fly under the radar (see BW Online, 1/23/06, "Coming to Your PC's Back Door: Trojans"). According to the latest Interne threat report by Symantec (SYMC), attacks that have the potential to give bad guys confidential information rose 74% in the second half of 2005 to comprise 80% of all threats.

ALARMING LAPSES.

And here's what may be the scariest part: to be a hacker, you don't even have to be a hardcore techie or particularly good at writing code. Take me, for instance. I'm an English major who hasn't written a line of code since third grade when I wrote a BASIC program that quizzed you on state capitals. Camp got started at 9 a.m., and within an hour, I was hacking into fictional banks' Microsoft databases and retrieving credit card numbers.

It's a matter of knowing tricks and what to look for. For instance, the default Microsoft database user name is "SA" and there's no default password. An alarming number of administrators never change these settings, so once hackers get into a system, they often try this first -- successfully.

Here's another trick. Put a single quote mark in the user name line of a password.