The world of hackers comprises many flavors. There are the tinkerers, or hobbyists, whose intellectual curiosity begets skills that are glorified by the modern media. There are the trained hackers – soldiers in modern-day cyber armies that may or may not have started out as overzealous teenagers seeking an outlet for their technical acumen. Then there are cybercriminals, whose lone goal is to profit from the skills they have honed. Finally, there are the novices, who learn on the fly and take advantage of today’s readily available, automated hacking tools.
There is also perhaps another (less skilled) category – the completely ignorant. With enough simple instruction, this group can execute rudimentary hacking techniques through the combination of skilled instructors and automated tools. I found myself in this category one autumn afternoon in Amsterdam while attending a ‘master hacking class’ for journalists facilitated by Rapid7, a company that specializes in penetration testing and vulnerability management. Of course, Rapid7 is known in the infosec community for maintaining the Metasploit pen testing platform employed by security professionals and black hats alike.
The course was taught by Rapid7’s Mike Belton, a security expert and team lead for the company’s Assessment Services unit. Our instructor walked us through some of the steps that any hacker would be familiar with, and assessed the various motivations behind exploits. Criminals are, of course, mostly driven by financial goals, whereas governments are primarily concerned with national security interests. There’s politically motivated hacking, such as that perpetrated by Anonymous-like collectives, and then those who are out to create sheer chaos. “But while the motivations are unique”, Belton said, “the attack vectors are static”. So, it got me wondering how hackers of all stripes, offenders and defenders, learn their craft.
Creation Stories
“Casual attacker power grows at the rate of Metasploit”, says Josh Corman, CTO at Sonatype, and former security analyst and researcher. He calls it HD Moore’s Law; a tip of the cap to Metasploit’s founder and Rapid7’s chief security officer. Yet, simply opening a terminal window, and firing up the highly popular pen testing tool, is hardly the danger posed by highly skilled hackers who view the world of computer and network security in a vastly different light than a novice like me. For those who do have some rudimentary skills, and perhaps an engineering background, tools like Metasploit are invaluable.
As it turns out, however, some of the ‘hackers’ I spoke with acquired their hands-on education by very informal means. They were self-motivated, curious, and all interested in understanding the technology at its core to produce previously unintended effects.
Peter Wood began his work in electronics and computing in 1969, and his formative ‘education’ on hacking techniques pre-dates the internet age. “When I started it was phone phreaking”, he says, referring to methods that manipulated public telephone networks – often considered a precursor to the world of computer hacking. For Wood, the experimentation was entirely a curiosity.
Wood is – and by his account, always has been – an ethical hacker. “I’m not an academic-type person”, he admits, noting that in his entire life, he took only one programming course. “I experimented as a youngster”, he says, recalling his first PC (a Commodore), “but I never released anything into the wild.”
Wood is a member of ISACA’s London Chapter, and the founder of First Base Technologies, an IT consultancy launched in the early 1990s that specializes in penetration testing. When asked why he never crossed the line from experimentation to the dark side of cybercrime, his response is rather straightforward: “I did it just for fun, but didn’t attempt to break into any systems. I had the rather selfish idea that I could deploy my skills to make money.”
Speaking to younger generations with the same skills, Wood says simple explanations about what’s right and what’s wrong can have a tremendous impact that prevents some from crossing the line between curiosity and crime.
At 39 years of age, Tod Beardsley is a Metasploit guru and engineering manager with Rapid7. “If someone calls me a hacker, I’m quite happy to hear that”, he muses.
His cracking skills were partly self-taught, and he claims that any good hacker “looks at things differently.”
Beardsley has been in the game for 25 years, and describes his younger self as “a teenage malcontent – a skate punk that played around with things”. His formal education is in the form of a BS in IT management, not in computer science or engineering.
"If you’re not careful, [Metasploit is] like giving a kid with some ability an automatic rifle"
Peter Wood, ISACA, First Base Technologies
Marc Maiffret is the CTO of BeyondTrust, a former hacker who parlayed his skills into pioneering security research. At the age of 33, he has operated with a foot in both eras of computing, before and after the availability of the consumer-facing internet. He received his first computer at about age 14, but even before this was introduced to phone phreaking. His intent, he recounts, “was to make technology work in a way that was unintended.”
Maiffret is another one of those self-taught hackers. He put those skills to use between the ages of 15 and 17, breaking into systems maintained by both governments and the private sector. The FBI came knocking for Maiffret by the age of 18, but since then the hacker turned researcher has put his skills to good use, even testifying before the US Congress on numerous occasions about cybersecurity issues. For this self-taught man, hacking was an escape from an unstable home life. Maiffret jokes: “I could have picked up a guitar just as easily.”
Formal vs Informal Training
Maiffret believes that, to hack effectively, a lack of formal education is actually an asset. “Most people who are trained in forensics or programming at universities are doing the poor coding that appears in the commercial software world”, he observes. In Maiffret’s experience, the majority of quality hackers lack a computer science degree, and he acknowledges the double-edged sword involved with formally training people about the adversarial techniques that security professionals defend against every day.
Peter Wood sees both positives and negatives arise from formal educational training. “You need a lot more than just technical skills to be an ethical hacker”, he says, adding that good hackers “need to think outside the box.”
Know your Enemy
Acquiring formal hacking skills, whether for defensive purposes (security) or offensive (crime, espionage, pranks), is a difficult proposition. There are certainly moral issues that university education programs face in teaching these skills, but as any military analyst would say, it’s almost impossible to vanquish a foe without understanding their tactics. And this is where governments, security services, the private sector and – yes – university programs fill in the missing gaps of informal education.
Where university programs fall short, says Wood, is instruction on the attacker methodology. It’s a problem he has encountered when hiring for his consultancy business. “When we take on a new employee, we spend a lot of time training them to think like a criminal”, he tells me. It seems that, despite the advanced training, real-world experience can seldom be conveyed in a classroom setting.
"You can’t do defense research without knowing a bit of offense"
Tod Beardsley, Rapid7
Bringing practical experience to the classroom is indeed a unique challenge, which many universities are attempting to address. “It’s not uncommon for schools with strong cybersecurity programs to have courses where students not only learn about adversarial techniques, but also practice some of them in labs and competitions”, notes Dorothy Denning, a security researcher and Distinguished Professor for the US Naval Postgraduate School’s Department of Defense Analysis. These techniques can be found baked into the cybersecurity and computer science curricula at renowned university programs, including Carnegie Mellon and Georgia Tech in the US, and Royal Holloway in the UK, just to name a few.
City University London is an example of one institution developing a brand-new master’s program in cybersecurity, of which many now seem to be popping up – the program will commence in 2014. “We’ve decided that ‘hacker training’ will be featured but not in the formal teaching/examining”, says Kevin Jones, head of Computer Science and Deputy Dean for the School of Informatics at the university. “Instead we are proposing integrated coursework across all the modules in the program, which will feature practical hands-on exercises, giving both attack and defense aspects.”
Jones explains that City University will also begin offering “war game scenarios” as extra-curricular activities for the school’s computer science undergraduates.
He also underlines his belief that both formal and practical aspects are a necessary part of a comprehensive education, especially if ‘white hat’ hackers wish to keep up with their black hat counterparts. “I’m an assessor for the [UK’s] Cyber Security Challenge, and it seems quite clear that the best ‘hackers’ (white hat, of course) have a strong formal education in computer science, supplemented with lots of time put into getting experience with applying tools and exploits in practical scenarios. Not too many people have this strength in both spaces, which makes them an incurably valuable resource – just ask GCHQ.”
Tools of the Trade
Maiffret says it’s a whole lot easier to steal data than it is to actually get away with it. And while any good hacker needs a general aptitude toward computers, anyone who views the world through the hacker’s creative lens can become proficient in breaking into computer systems. When he was younger, in the mid to late 1990s, you needed to break into things to learn about operating systems. Today, he tells me, you can deploy virtualization for the purpose of vulnerability research.
While both Wood and Maiffret scoff at the value of automated tools in the hands of a novice, they both underscore the importance of one particular vulnerability testing tool, Metasploit.
“They make it more difficult”, says Wood, referring to some of the automated hacking tools that I learned to deploy during Rapid7’s hacker course. Automated tools “tend to make new trainees quite lazy”, he claims, because without the engineering foundation, people can perform exploits, but they don’t know exactly why they work.
Metasploit, on the other hand, “is the preferred exploitation framework for our testers”, Wood admits. “It’s a brilliant tool”, but he warns that outside the hands of ethical hackers, a tool like Metasploit has the potential for profound misuse. “If you're not careful, it's like giving a kid with some ability an automatic rifle.”
Tod Beardsley, the aforementioned Metasploit guru from Rapid7, says the platform is widely used by pen testers and hobbyists to educate themselves, and admits that “it’s good for both attackers and defenders”. He is also keen to acknowledge the role virtualization has played in allowing security professionals to test their skills without breaking the law. “Attacker research, like Metasploit, helps out defenders way more than it helps out the attackers.”
How so, I ask. “Metasploit has a vaccination effect”, Beardsley asserts, in that patches are created as a result of what goes into the platform. “There’s a symbiotic relationship – you can’t do defense research without knowing a bit of offense.”
Wood, who previously cautioned about the use of Metasploit in the hands of a misguided individual, is quick to point out that if it didn’t exist, other such tools would fill the void. “If Metasploit was not available, then criminals would simply use something else offered on the black market”, he says. At least, in this case, “it still allows security professionals a low-cost venue to do research and educate themselves on available exploits.”
So, while there are automated tools, the likes of which I used in my crash course on hacking, it appears without the proper foundational experience – whether formal or informal – they are simply turnkeys in the hands of a mostly unremarkable foe. It’s easy to teach someone how to hack, but it’s another thing entirely to be a hacker – and to think like one.