How computer security pros hack the hackers

If you want to meet a really smart hacker, talk to a cybersecurity defender. These talented professionals are working every day to make cybercrime harder and less lucrative.

The long, awkward silence is always the first sign that a previously over-confident hacker realizes he’s suddenly become the victim. It happens every time.

The malicious hacker had been firing his “ion cannon” at my network address trying to overwhelm my home computer and internet connection. I had sent him an email the day before letting him know that I knew who he was, what he did for a living (he was a budding wedding photographer), his name (Rick), and that he was newly married to a beautiful girl. That’s enough to frighten off most hackers, but sometimes, like Rick, they persist.

On his private, Tor-protected instant messaging channel, Rick was telling his buddies that he was getting ready to launch an even bigger distributed denial-of-service (DDoS) attack against me. He had been using a child-like hacker tool, but now he was thinking of paying a professional hacking service to attack me.

DDoS attacks, where hundreds to hundreds of thousands of otherwise innocent computers and devices can be directed to attack one targeted victim, can be devastatingly hard to stop — not just for me, but for anyone, nearly any company. The sustained flood of malicious network traffic consisting of billions of unwanted digital bits can knock all but the biggest and richest companies (think Google) off the internet. Once they start, the victim (in this case, me) can be kicked off the internet for several days.

I broke into his messaging channel and told him to knock it off. The hesitancy in his reply let me know that I had caught him off guard. He responded by calling me several unprintable names and accused me of being someone already a member of his hacker forum. When I replied that I wasn’t, he renewed his taunting and said I would regret breaking into his private forum. I politely asked him to quit trying to attack me because I had real work to get done.

The next night around the same time, I could tell by the sluggishness of my internet connectivity that the threatened DDoS attack was starting to happen. If I didn’t do something soon I was going to be out of commission for days. So, out of pure frustration of having to meet a work deadline, I hacked into his computer.

I had identified the computer and software he was using (this is known as “fingerprinting” in the hacker world), and I knew he was using an outdated firewall to protect it. One of my favorite hacker techniques is to break into computers and companies using the very software and devices they think will protect them. So, using a known vulnerability in that firewall, I broke into his computer, modified a file, and left a new script behind. I then connected to him on his messaging channel and told him to check out my work.

My “work” was a file that would have reformatted his computer’s hard drive and destroyed everything on it if he rebooted his computer. I had “remarked” the fatal lines out of my script so that it was currently harmless. But I could have removed literally three characters (i.e., rem) and rendered the previously harmless script quite deadly, at least to his computer.

The DDoS attack stopped immediately. The obviously humbled remote hacker came back online to the chat channel and incredulously asked, “Man, how did you do that?” Finally, he was talking like a normal human with all the false swagger gone. I replied, “Rick, there’s a lot of hackers who are better than you. Stop your malicious hacking and use your skills to do good. Spend more time with your new hot wife. One day you may mess with the wrong guy or agency. This is your wake-up call.”

With that, I dropped the chat channel and started to get to work on my day job. It’s not the first time that I had to do a little offensive hacking to get another hacker to leave me alone, and I’m certainly not the only one with the skills to do so. In fact, the best, smartest hackers I know are the good guys and girls, not the malicious creeps who plague our digital lives. I’m a 30-year computer security veteran, always out fighting the good fight, along with tens of thousands of others just like me. Our adversaries are, on average, less smart than we are.

This is not to say that all malicious hackers are dumb. That’s not the case. It’s just that the vast majority aren’t overly bright; they are average. In a given year, I’ll see maybe one or two smart hackers do things that no one else has ever done before. But most malevolent hackers I come across aren’t brilliant or creative. They simply use tools, techniques and services that other smarter hackers previously created. Far from being the mythic hackers that Hollywood celebrates, most are regular, run-of-the-mill rubes who couldn’t code an emoji icon.

If you want to meet a really smart hacker, talk to a cybersecurity defender. They have to be experts in their technology and able to figure out how to stop all the threats that are trying to take it down. They are the hidden Henry Fords and Einsteins of our digital society. While the media is portraying rogue hackers as the smarter element, the defenders are tightening the net and helping to stop and arrest more of them than ever.

Right now hacking is almost risk-free

Like the Tommy Gun-toting bank robbers of the early 1900s, hackers today are very successful. The riches of our digital society have been accumulating faster than the needed protections. And the chances of being caught, much less arrested, for cybercrime were nearly zero. A hacker could steal millions of dollars with almost no risk.

Rob a real bank and the chances are you’ll get less than $8,000 and you’ll probably be arrested (55 percent of bank robbers were identified and arrested in 2014, the latest year for which FBI statistics are available) and go to jail for years. The negative risk/reward ratio contributes to there being fewer than 4,000 U.S. bank robberies each year.

Contrast that with cybercrime. The FBI says it receives over 22,000 cybercrime complaint reports each month, and there are likely many more crimes being committed. The average reported loss is almost $6,500, and from over 269,000 criminal complaints, only 1,500 cases were referred to law enforcement. Although the FBI’s most recent annual reports didn’t include conviction rates, its 2010 report, with a similar number of complaints and referred cases, resulted in just six convictions. That’s one jailed cyber criminal for every 50,635 victims, and these are just the cases reported to the FBI.

Steal a million dollars online and you’ll enjoy your newfound wealth with almost no worry. The difficulty of collecting legal evidence of the crime, jurisdiction issues (Russia and China are not going to respect United States search warrants and arrest requests anytime soon), and law enforcement’s cybercrime enforcement abilities make it a low-risk venture. And, as I said before, you don’t have to be smart to be a successful hacker. Any kid or crime syndicate can do it. All you need to know is a few tricks of the trade.

The secret of hacking

The secret to hacking is that there is no secret. Hacking is like any other trade, such as plumbing or electrical work: once you learn a few tools and techniques, the rest is just practice and perseverance. Most hackers find missing software patches, misconfigurations, or vulnerabilities, or they social-engineer the victim. If it works once, it works a thousand times. It’s so easy and works so regularly that most professional penetration testers (i.e., people paid to do legal hacking) quit after a few years because they no longer find it challenging.

In my 30 years of professional penetration testing, I’ve hacked into every single company I’ve been hired to legally break into in three hours or less. That includes every bank, government agency, hospital and type of business. I barely got out of high school, and I flunked out of an easy college with a 0.62 grade average. Let’s just say I’m no Rhodes scholar.

On a scale of one to ten, with ten being the best, I’m maybe a six or seven, and I can break into nearly anything. I’ve worked with hackers that I’ve thought were tens, and they almost universally think of themselves as average. They can list off the people they think are tens. And so on. This is to say that a lot of people can hack into anything they want to. There’s no official count of hackers in the world, but the number is easily in the upper tens of thousands. Luckily, most of them are on the good side.

The people who hack the hackers

The people who fight hackers and their malware creations cover the gamut of computer security jobs, including penetration testers, fixers, policy makers, educators, product developers, security reviewers, writers, cryptographers, privacy advocates, securers, threat modelers, and other computer security wonks in all fields.


. . . . . . . .
