How computer security pros hack the hackers


The long, awkward silence is always the first sign that a previously over-confident hacker realizes he's suddenly become the victim. It happens every time.

The malicious hacker had been firing his “ion cannon” at my network address trying to overwhelm my home computer and internet connection. I had sent him an email the day before letting him know that I knew who he was, what he did for a living (he was a budding wedding photographer), his name (Rick), and that he was newly married to a beautiful girl. That’s enough to frighten off most hackers, but sometimes, like Rick, they persist.

On his private, Tor-protected instant messaging channel, Rick was telling his buddies that he was getting ready to launch an even bigger distributed denial-of-service (DDoS) attack against me. He had been using a child-like hacker tool, but now he was thinking of paying a professional hacking service to attack me.

DDoS attacks, where hundreds to hundreds of thousands of otherwise innocent computers and devices can be directed to attack one targeted victim, can be devastatingly hard to stop — not just for me, but for anyone, nearly any company. The sustained flood of malicious network traffic consisting of billions of unwanted digital bits can knock all but the biggest and richest companies (think Google) off the internet. Once they start, the victim (in this case, me) can be kicked off the internet for several days.

I broke into his messaging channel and told him to knock it off. The hesitancy in his reply let me know that I had caught him off guard. He responded by calling me several unprintable names and accused me of being someone already a member of his hacker forum. When I replied that I wasn't, he renewed his taunting and said I would regret breaking into his private forum. I politely asked him to quit trying to attack me because I had to real work to get done.

The next night around the same time, I could tell by the sluggishness of my internet connectivity that the threatened DDoS attack was starting to happen. If I didn’t do something soon I was going to be out of commission for days. So, out of pure frustration of having to meet a work deadline, I hacked into his computer.

I had identified the computer and software he was using (this is known as “fingerprinting” in the hacker world), and I knew he was using an outdated firewall to protect it. One of my favorite hacker techniques is to break into computers and companies using the very software and devices they think will protect them. So, using a known vulnerability in that firewall, I broke into his computer, modified a file, and left a new script behind. I then connected to him on his messaging channel and told him to check out my work.

My “work” was a file that would have reformatted his computer’s hard drive and destroy everything on it if he rebooted his computer. I had “remarked” the fatal lines out of my script so that it was currently harmless. But I could have removed literally three characters (i.e., rem) and rendered the previously harmless script quite deadly, at least to his computer.

The DDoS attack stopped immediately. The obviously humbled remote hacker came back online to the chat channel and incredulously asked, “Man, how did you do that?” Finally, he was talking like a normal human with all the false swagger gone. I replied, “Rick, there’s a lot of hackers who are better than you. Stop your malicious hacking and use your skills to do good. Spend more time with your new hot wife. One day you may mess with the wrong guy or agency. This is your wake-up call.”

With that, I dropped the chat channel and started to get to work on my day job. It’s not the first time that I had to do a little offensive hacking to get another hacker to leave me alone, and I’m certainly not the only one with the skills to do so. In fact, the best, smartest hackers I know are the good guys and girls, not the malicious creeps who plague our digital lives. I’m a 30-year computer security veteran, always out fighting the good fight, along with tens of thousands of others just like me. Our adversaries are, on average, less smart than we are.

This is not to say that all malicious hackers are dumb. That’s not the case. It’s just that the vast majority aren’t overly bright; they are average. In a given year, I’ll see maybe one or two smart hackers do things that no one else has ever done before. But most malevolent hackers I come across aren’t brilliant or creative. They simply use tools, techniques and services that other smarter hackers previously created. Far from being the mythic hackers that Hollywood celebrates, most are regular, run-of-mill rubes who couldn’t code an emoji icon.

If you want to meet a really smart hacker, talk to a cybersecurity defender. They have to be experts in their technology and able to figure out how to stop all the threats that are trying to take it down. They are the hidden Henry Fords and Einsteins of our digital society. While the media is portraying rogue hackers as the smarter element, the defenders are tightening the net and helping to stop and arrest more of them than ever.

Right now hacking is almost risk-free

Like the Tommy Gun-toting bank robbers of the early 1900s, hackers today are very successful. The riches of our digital society have been accumulating faster than the needed protections. And the chances of being caught, much less arrested, for cybercrime were nearly zero. A hacker could steal millions of dollars with almost no risk.

Rob a real bank and the chances are you’ll get less than $8,000 and you'll probably be arrested (55 percent of bank robbers were identified and arrested in 2014, the latest year for which FBI statistics are available) and go to jail for years. The negative risk/reward ratio contributes to there being fewer than 4,000 U.S. bank robberies each year.

Contrast that with cybercrime. The FBI says it receives over 22,000 cybercrime complaint reports each month, and there are likely many more crimes being committed. The average reported loss is almost $6,500, and from over 269,000 criminal complaints, only 1,500 cases were referred to law enforcement. Although the FBI’s most recent annual reports didn’t include conviction rates, its 2010 report, with a similar number of complaints and referred cases, resulted in just six convictions. That's one jailed cyber criminal for every 50,635 victims, and these are just the cases reported to the FBI.

Steal a million dollars online and you’ll enjoy your newfound wealth with almost no worry. The difficulty of collecting legal evidence of the crime, jurisdiction issues (Russia and China are not going to respect United States search warrants and arrest requests anytime soon), and law enforcement’s cybercrime enforcement abilities make it a low-risk venture. And, as I said before, you don't have to be smart to be a successful hacker. Any kid or crime syndicate can do it. All you need to know is a few tricks of the trade.

The secret of hacking

The secret to hacking is there is no secret. Hacking is like any other trade, like a plumber or electrician, once you learn a few tools and techniques, the rest is just practice and perseverance. Most hackers find missing software patches, misconfigurations, vulnerabilities, or social engineer the victim. If it works once, it works a thousand times. It’s so easy and works so regularly that most professional penetration testers (i.e., people paid to do legal hacking) quit after a few years because they no longer find it challenging.

In my 30 years of professional penetration testing, I’ve hacked into every single company I’ve been hired to legally break into in three hours or less. That includes every bank, government agency, hospital and type of business. I barely got out of high school, and I flunked out of an easy college with a 0.62 grade average. Let’s just say I’m no Rhodes scholar.

On a scale of one to ten, with ten being the best, I’m maybe a six or seven, and I can break into nearly anything. I’ve worked with hackers that I’ve thought were tens, and they almost universally think of themselves as average. They can list off the people they think are tens. And so on. This is to say that a lot of people can hack into anything they want to. There’s no official count of hackers in the world, but the number is easily in the upper tens of thousands. Luckily, most of them are on the good side.

The people who hack the hackers

The people who fight hackers and their malware creations cover the gambit of computer security jobs, including penetration testers, fixers, policy makers, educators, product developers, security reviewers, writers, cryptographers, privacy advocates, securers, threat modelers, and other computer security wonks in all fields.

Here are some of the interesting computer security defenders I cover in my latest book, Hacking the Hackers:

Brian Krebs

Krebs is a long-time investigative journalist who is famous for bringing down some of the web’s most notorious criminal gangs. He routinely identifies previously anonymous malicious hackers by name, often leading to their arrest. Krebs learned to speak and read Russian so he could track and report on Russian cybercrime companies and syndicates. He is so successful that hackers routinely try to have him arrested by SWAT teams by sending drugs, fake currency and false hostage reports. His best-selling book Spam Nation was a takedown of the Russian spam industry and revealed that sometimes our own legitimate industries are intentionally allowing more cybercrime to occur because it benefits them financially. Anything Brian Krebs writes is worth reading.

Bruce Schneier

As the creator of multiple trusted encryption ciphers, Schneier is considered the father of modern computer cryptography. He is the top industry luminary in the computer security field and regularly speaks to Congress and to the biggest media outlets. Today, Schneier is mostly concerned with human issues behind computer security failures. I consider reading anything Schneier writes a mandatory part of any computer security education.

Dr. Dorothy Denning

Professor emeritus at the Naval Postgraduate School, Denning was an early computer security pioneer, creating seminal works on computer encryption, intrusion detection, cyberwarfare and access control. She invented the Lattice security model, which underlies many modern access control models. She was concerned about (and writing about) cyberwarfare before there was cyberwarfare.

Kevin Mitnick

The world’s most famous hacker, once prevented from even using a phone, Mitnick has long been out of prison and gone legit. Today, he is the CEO of his own computer security defense company and regularly writes about the threats of social engineering and privacy invasions. Many former malicious hackers can’t be trusted, but Mitnick is an exception.

Michael Howard

Howard, and friends, created a secure software programming method known as the Security Development Lifecycle (SDL), which is now used by hundreds of companies around the world to decrease the number of bugs in their software that can be exploited by hackers. Most early SDL critics now use it after years of seeing how well it worked.

Joanna Rutkowska

Polish computer security expert, Joanna Rutkowska, gained fame for releasing the details of her “Blue Pill” attack, which revealed a hacker method so ingenious and difficult to stop or detect that defenders are still happy that hackers aren’t using it yet. She decided she couldn’t trust any of the publicly available operating systems to be secure enough, so she created her own “reasonable secure” OS called QubesOS. The world’s most talented spies and privacy advocates use her operating system.

Lance Spitzner

Spitzner is considered the father of the modern honeypot. A honeypot is any fake computer asset (e.g., computer, router, printer, etc.) that exists solely to detect malicious hacking activity. Honeypots are considered one of the best defenses any company can deploy for early warning detection. Today, Spitzner works for SANS, one of the world’s most trusted computer security organizations, teaching companies how to successfully respond quickly to malicious computer breaches.

Cormac Herley

Herley is a computer security researcher whose craving for data is turning the computer security industry on its ear. Using real data, he is disproving long-held security dogma, such as the effectiveness of long and complex passwords. Herley proved that using long, complex and frequently changed passwords is not only not helpful, it is likely causing more problems than it solves. His research and conclusions are so revolutionary that it is likely going to be ten years before we see the majority of his recommendations being implemented.

Michael Dubinsky

The constantly attacked state of Israel is known worldwide for turning out very good computer security software. Dubinsky, an Israeli, is a senior product developer for a product that is known for detecting the previously undetectable. His product detects sneaky, otherwise hidden, hackers going after a company’s crown jewels … and it is getting better faster than the attackers.

These smart defenders are part of a massive army of “white hat” hackers who are making it harder and harder to maliciously hack each year. A critical mass is starting to build and within the next decade online cybercriminals will likely to become as rare as traditional bank robbers. They will still exist, but there will be far fewer of them and they will be far more likely to be identified and prosecuted.

This story, "How computer security pros hack the hackers" was originally published by CSO.