Hackers Learn To Think Like the Enemy
BUSHKILL, Pa. -- Five computer engineers specializing in information security are gathered around flat-panel personal-computer screens in a resort hotel room here in the Pocono Mountains and listening to their instructions.
Hack into the credit-card accounts of Juggy Bank, a fictitious financial institution represented by a working computer server in the back of the room, and steal the account data, they are told. "Extra credit every time you crash the server," jokes Andrew Whitaker, who has been instructing the group in hacking techniques for three days.
A few years ago, hacking was a way for teenagers and hobbyists to show off their computer skills by unleashing viruses and worms online. Though some caused significant financial losses, such as the "ILOVEYOU" worm that spread to an estimated 45 million email accounts in a single day, most passed without causing lasting damage.
Now chief information officers responsible for protecting corporate data are more worried about malicious hackers looking for profits rather than kicks. These hackers, including some associated with organized-crime rings, try to gain access to information -- usually personal financial data about customers -- that they can use to run credit-card charges, take out loans and otherwise exploit a stolen identity.
That has given rise to "hacker camps," programs to train network-security professionals in the same techniques used by the hackers they are trying to thwart. Some 30,000 technology professionals around the world have received training as part of a "certified ethical hacker" program set up in late 2001 by the International Council of Electronic Commerce Consultants, an organization for e-business professionals.
Hacker camp doesn't dwell on theory. Richard Van Luvender, president of InfoSec Academy, which runs a program offered in the Poconos and in several other locations, says the aim of teaching actual hacking techniques -- thinking and acting "dirty," as he calls it -- is to instill the malicious mindset into students. The approach, says Mr. Van Luvender, a U.S. Marine Corps veteran, is drawn from Sun Tzu's "The Art of War": "If you know the enemy and know yourself, you need not fear the results of a hundred battles."
"Hacking can be unbelievably easy these days," says Mr. Van Luvender, noting that hacking tools have become widely available.
Not everybody is eligible to receive the five-day intensive training. Potential students enrolling in a certified hacker program need a minimum of two years of information-security-related work experience. Attendees also sign an agreement promising they won't misuse the knowledge acquired from the program. Mr. Van Luvender accepts only applicants sponsored by their employers for fear that trainees might abuse the hacking skills once out of camp. The instruction costs about $3,500.
In the exercise involving Juggy Bank -- a pseudonym for an actual East Asian bank whose online-banking system was successfully attacked three years ago -- InfoSec's Mr. Whitaker walks around the room checking on progress, giving students hints if they are headed in the wrong direction. "Remember, there are many ways of hacking," he says during the session held last fall. "Try to think outside the box."
Hackers attacking Juggy Bank found that they could use a technique called SQL injection (pronounced "sequel") to gain access to customer account information. SQL injection exploits a Web application that pastes text typed into a browser -- a user name, a search term -- directly into the query it sends to its database. An attacker anywhere on the Internet can append database commands of his own to that text, and the server will run them, reading or changing data the application never meant to expose.
One of the hacker students, Troy Lilly, a 32-year-old information-security officer at City Holding Company Inc. in Charleston, W. Va., sees hundreds of automated attempts to breach the regional bank's network every day. Now trying to hack into Juggy's system, he knew that the first thing he should do was to scan for vulnerabilities.
Within minutes, he found four ports, or entrances, to the computer network that weren't protected by a firewall. Using the SQL-injection technique and tools he downloaded from the Internet, Mr. Lilly was able to write a command that posted an unauthorized message on Juggy's Web page.
But a second part of the mission -- downloading credit-card account information -- proved harder. Mr. Lilly spent almost three hours trying various hacking techniques without success. "I have never done that before, and am not familiar with it," he said of trying to penetrate the database.
Classmate David Moured, a security engineer at information-security company G2 Inc., of Columbia, Md., brought firsthand hacker experience to the effort. Mr. Moured, 27, conducts security testing for private and public institutions, requiring him to work as a legal hacker.
Still, it took Mr. Moured 2½ hours to break into Juggy's database and download a list of cardholder names, account numbers and expiration dates. He used SQL injection against a service listening on an open port of the server to run commands of his own on it, set up a tunnel between the server and his own PC, and over that tunnel issued the command that made the server send him all of its credit-card information.
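The mechanics behind both the defacement and the card dump described above, as an added example that is not the course's exercise or the article's own material: a constructed SQLite database standing in for Juggy Bank (the real schema is not described on the page), a lookup that concatenates user input into its query, the UNION payload that turns that lookup into a card-table dump, and the parameterized version that shuts it off. Table and column names are assumptions for illustration.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the bank's database (sample data, not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, username TEXT, balance REAL);
        CREATE TABLE cards (id INTEGER PRIMARY KEY, holder TEXT, number TEXT, expiry TEXT);
        INSERT INTO customers VALUES (1, 'alice', 1200.50), (2, 'bob', 88.00);
        INSERT INTO cards VALUES (1, 'Alice Smith', '4111111111111111', '11/09'),
                                 (2, 'Bob Jones',   '5500000000000004', '03/10');
    """)
    return db


def lookup_balance_vulnerable(db, username):
    """The bug: browser-supplied text is pasted straight into the SQL string."""
    sql = f"SELECT username, balance FROM customers WHERE username = '{username}'"
    return db.execute(sql).fetchall()


def lookup_balance_fixed(db, username):
    """The fix: a bound parameter. The driver ships the value separately from
    the statement, so quotes and keywords inside it are data, never SQL."""
    sql = "SELECT username, balance FROM customers WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


# Payload typed into the 'username' field. The leading quote closes the string
# literal, UNION bolts a second SELECT onto the application's own query, and
# the trailing '--' comments out the quote the application appends. The UNION
# must produce the same number of columns as the original SELECT, so holder
# and number are concatenated into one column and expiry rides in the second.
PAYLOAD = "' UNION SELECT holder || ':' || number, expiry FROM cards --"


def demo():
    """Run the same payload through both versions and return what each leaks."""
    db = build_db()
    return {
        "normal": lookup_balance_vulnerable(db, "alice"),   # [('alice', 1200.5)]
        "injected": lookup_balance_vulnerable(db, PAYLOAD), # every card on file
        "fixed": lookup_balance_fixed(db, PAYLOAD),         # [] - no such user
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

Note that the Python sqlite3 driver refuses stacked statements (`'; UPDATE ...`) in a single `execute()`, which is why the dump is built from a UNION inside the one query the application already runs; drivers and servers that do allow stacking also open the door to the kind of content rewrite Mr. Lilly achieved. Input filtering is not the defense; binding parameters is, because it removes the string splice the attack depends on.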
Before long, Mr. Whitaker and Mr. Van Luvender found that two students were trying to break into the instructors' files to find the answer to the competition.
That wasn't part of the game they planned. But the instructors were delighted. "They've learned to think dirty," Mr. Whitaker says of the students.