New academy teaches 'ethical hacking'
To protect computer networks against attacks, students learn to 'think like a hacker.'
CHICAGO — At the brand-new Hacker Academy, here in the Windy City, students learn about phishing schemes and ping sweeps, malware, firewall breaches, and the sort of advanced Google tricks that can quickly unearth classified documents.
But it's not nearly as shady as it sounds.
The academy doesn't teach people to be hackers, but to "think like hackers" – and perhaps to stay one step ahead of them. Students here graduate with certificates in "ethical hacking."
While this might seem an oxymoron at first, the academy is the newest in a growing field of security companies that help corporations and the government keep their data safe from attacks that are increasingly sophisticated.
"Why are people scared of the word 'hacker'?" asks Aaron Cohen, a young entrepreneur who founded the academy and runs its business side. "If you're able to think like a hacker, you're able to prevent some of the attacks that are happening."
Those attacks can range from indiscriminate globe-trotting viruses – like the "I love you" virus that racked up billions of dollars in damages several years ago – to corporate spying and targeted efforts to gain sensitive data from banks, credit card companies, or individuals. Massive, headline-grabbing viruses seem to be waning, experts say, but lower-profile targeted attacks are on the rise, making it ever trickier for companies to secure their networks.
"Those lone gunman hackers are still out there, though they're doing it for more explicit monetary reasons now," says Chris Painter, deputy chief of the Department of Justice's Computer Crime and Intellectual Property section. "But there are also more organized criminal groups.... If the motivations are financial, you don't want to make a big splash, so it's not surprising that what they're trying to do is more targeted."
In the first half of 2006, for instance, Symantec, an Internet security company, documented more than 150,000 unique phishing messages, an increase of 81 percent over the prior six months. (Phishing scams involve soliciting sensitive information, often for identity theft, by appearing to be a legitimate company or charity.)
Computer Economics, which estimates damage caused by viruses and other malicious code attacks, put the 2005 figure at $14.2 billion – a slight decline from the year before – and 2006 numbers are likely to be similar.
"Subtle attacks are way up," says Mark McManus, vice president of research for Computer Economics. "There are more targeted attacks, and people are less likely to want to report them." With ransom attacks, for instance, hackers will infiltrate a company's networks, and threaten to unleash devastation or give the information to a competitor unless they're paid.
"It's the same as the old protection rackets in Chicago back in the '30s," he says. "If you didn't pay the guy money, they'd tear your store down."
Given all the threats, many companies are sending IT professionals to courses like those Mr. Cohen offers, and the "ethical hacker" certification – offered by the International Council of Electronic Commerce Consultants – has sprung up.
Cohen's list of inquiries includes an FBI special agent, NASA employees, independent consultants, and corporate IT security directors. Some want the 5-day on-site certification course they offer in Chicago, Washington, Orlando, and Seattle. Others just want a quick overview, like the $695 "midnight hacking" course, given online and – as the name suggests – late at night.
While neither Cohen nor Ralph Echemendia, his lead instructor, worries much about students using their courses for nefarious purposes ("hackers don't need our help," says Cohen), they both agree, unlike many other firms that offer ethical hacking certification, that it's important to keep one foot in the "black hat" hacking world.
"Certain organizations say if you associate with hackers you can't be a certified professional," says Mr. Echemendia, who started hacking when he was a young teenager, first playing with ham radios and "phone phreaking," and gradually moving into computers. These days, he works for the military and Fortune 500 companies, but also runs an underground hacker meeting in Florida, where no names are exchanged, and maintains friendships in that murkier world.
Echemendia says he gets valuable, real-world information from his hacker associates, and sometimes tries "turning" a few of them to the legal side of hacking. "They're blown away," he laughs. "They'll say, 'There are companies who will pay me to hack them?'"
Sitting in a coffee shop, Cohen shows how easy it is to make a phone call, for instance, and have it show up on caller ID as a totally different number. "Now say you're the receptionist, and you get a phone call that looks like it's from the head of IT, saying he's doing tests and is going to send you a link," he says, playing out a scenario that can be used to get sensitive information.
"What I preach is, it's not a technology issue, it's a people issue."