Hackers for a day
To protect computer systems, companies send key employees to workshops where they become ...
NEW YORK — The best way to keep a hacker from breaking into a computer system from the outside may just be to have one on the inside.
That's what John Brozycki and Darien Ford's company figured when it paid $7,000 so they could learn to think like a computer interloper.
"Ultimate Hacking: Hands On," a four-day course in Manhattan, gives them a legitimate opportunity to hack their way into computer systems. When they return to their regular jobs, keeping the network secure at a credit union in upstate New York, they'll be much better equipped. "You feel more confident, seeing how many of the exploits are done," Mr. Brozycki says, surrounded by fellow techies in a hotel conference room. "Once you see how they're done, you know how to prevent them."
Demand for these training seminars has expanded as businesses scramble to keep up with the weedlike persistence of hackers. Academic computer-science programs are not turning out enough network-security specialists, and the field changes daily, so companies jump at the chance to boost employees' skills.
Hacking, or unauthorized access to computer systems, is an urgent problem in the corporate world. According to the Computer Crime and Security Survey conducted last year by the Computer Security Institute and the FBI, 25 percent of respondents said they had "detected system penetration from the outside"; 71 percent indicated unauthorized access by insiders.
Foundstone Inc., a computer- security consulting firm based in Irvine, Calif., runs hacking workshops throughout the United States. Its premise: that security specialists don't just need to know about hacking, but should know how to do it themselves.
"We teach how hackers think. Forewarned is forearmed," says Dane Skagen, Foundstone's director of training.
In the past, keeping up with the latest devious techniques required learning on one's own time, reading and surfing the Web and newsgroups - something many professional hackers do full time. "The hacker network out there shares information much more readily than the corporate world," says Mike Emerson, a spokesman for Foundstone.
Next lesson: session hijacking
Even computer geeks have probably never found school as much fun as at the Foundstone workshop, which was started last year by six network security experts with corporate and military backgrounds.
Tucked away in a hotel conference room, some 30 students - most of them male computer-systems technicians from large companies - are stationed behind sleek laptops. They learn the uses and abuses of software like Big Brother and AntiSniff, and fuel up at websites like Geektools and CompanySleuth.
They also practice ominous-sounding skills like session hijacking, password decoding, and zone transfers.
The instructors are mostly practitioners who spend the majority of their time coming head to head with security problems.
"This gives the students the opportunity to see what hackers are really up to, because this is the stuff we're seeing in the real world," says Will Chan, vice president of training at Foundstone. The company does not hire reformed hackers to teach.
Students type and hack along with the instructor during class on laptops. Then, at the end of each day during a two-hour "intrusion exercise," they use what they've learned to break into a series of computers set up in the back of the room.
"I'm amazed how easily everything is broken into once you know what you're doing," says Ted Amor, an information-security consultant in New York.
Students are supposed to confine their hacking practice to the network set up in the classroom, but they are often eager to pry into their own companies' systems. And occasionally, students do break the rules by testing their newfound skills on more-challenging targets.
"A few months ago, a couple students tried to hack into NASA," Mr. Skagen says. "It wasn't more than a couple hours before we started getting calls that they'd traced it back to us."
If there is any company that should know what's happening on its computer system, it is Foundstone. An instructor warned a recent class: "We've got our eye on you." Each key typed at every laptop is logged.
In addition, Foundstone makes sure students sign a nondisclosure agreement stating they will not use their hacking skills to hack; if they do, Foundstone waives responsibility.
Can't check up on motives
How does the company know it is not grooming a malicious hacker? "We don't," Skagen admits.
The class's sign-in sheet shows that the majority of students are from large, well-known companies like the Big 5 accounting firms, brokerages, and banks. But anybody who comes up with the $3,500 course fee is welcome, including independents.
Foundstone isn't the only company providing hacker training. Ernst & Young has been running an open-enrollment "Extreme Hacking" class for three years (started by the now-CEO of Foundstone). Other training sessions around the country focus on more traditional hacking prevention methods, such as how to build a better firewall.
Although the classes are designed to give those with legitimate computer jobs the same know-how that hackers have, some don't like the idea of training a corps of computer green berets.
"You come out of this class with enough knowledge to be dangerous," says David Raikow, technology editor at a business- technology trade magazine.
While he understands Foundstone's philosophy, he says that companies should still think twice about who they send for this expert knowledge.
In one day, the students learn how to create a back door into a company system to access it from the outside, then erase their footprints.
"This class is all about finding ways of getting around security defenses," says Mr. Raikow, who himself took the course. "This stuff is fun, and you're going to be very, very tempted to come back to your company and hack your way around your own system."
Or worse, somebody else's system. Since staying abreast of the latest exploits is key to maintaining security, he says, "to keep up to date you'll probably be out there trying things and seeing what works."
(c) Copyright 2001. The Christian Science Monitor