This article originally appeared in Shelbyco Magazine, April 2012 Issue.
In a dimly lit room on the other side of the world…
a man squints through the haze of cigarette smoke at the glare of his computer. His pecking at the keyboard stops abruptly and he mutters something to his friend in a language you can’t understand. “мы находимся в.” It’s Russian. “We’re in.” A river of numbers flows upward on his screen – MasterCard, Visa, bank accounts, Social Security numbers.
And one of them is yours.
According to the Bureau of Justice Statistics, in 2010, one in 14 households in the United States suffered some kind of identity theft. Many of these thefts occurred online. The FBI’s Internet Crime Complaint Center reports that cybercrimes are up 1700% in the last ten years. Criminals here and abroad are lining their wallets as they focus their crosshairs on naïve computer users.
One fact is clear: If you have a computer and it’s connected to the Internet, you are a target.
People on the Internet are like the cast of a spaghetti western. Most of them are simple citizens, busying about their daily routine. They go here and there. They have conversations. They buy and sell. Then there are the bad guys. They wear black hats. They blow into town like an unwelcome dust storm and create chaos. They rob banks and tie petticoated ladies to railroad tracks. But then there are the good guys. They wear white hats. They’re just as tough as the bad guys, and they do their best to thwart the schemes of the villain and keep the citizens safe.
I live on a quiet street in a suburb of Birmingham, Alabama – the kind of street where normal is normal and a visit by the ice cream truck is the most interesting thing that ever happens. Little did I know that just around the corner in a bedroom office in a nondescript home, a white hat hacker fights a never-ending battle for truth, justice and the American way.
His name is Daniel Clemens, and he’s one of the good guys.
Daniel is someone you’d see on the other side of the coffee shop and have no doubt in your mind that he does computers for a living. And he has for almost 20 years. When he was 16, Daniel wrecked two cars within 6 months of getting his license. “I decided at that point that it was not in my best interest to keep paying for insurance so I could just get into more wrecks,” Daniel recalls. “I was interested in computers, so I sold my car and saved up my money.” Daniel’s uncle ran a computer business and helped him select the parts to build his first PC. Over the summer, Daniel worked with him and learned programming and web design.
The next year, Daniel’s family moved from Texas to Colorado. Soon after, he walked into the offices of a local Internet service provider and asked if they needed any help. He walked out with a job as a technical support specialist. It was there that Daniel’s interest in computer security took root. “I tried to learn as much about my computer system as I could so that things didn’t break and so other people couldn’t break them,” he says.
A year later, he moved to San Francisco to work with a computer security startup. “I was living with a bunch of other hackers in a huge house on an old Navy base in Alameda,” Daniel says. “We were living the Dot Com life.” Unfortunately, the dot com bubble was about to burst. So, in the summer of 2000, Daniel moved to Birmingham where he worked for a while at another Internet service provider as a network administrator and later for HealthSouth as a system administrator and security specialist.
It was at HealthSouth where he came into contact with companies who were offering freelance computer security services. “They were providing hacking services but their professional integrity was awful,” he says. Believing he could offer better service, Daniel began doing freelance work, incorporating his business in 2005 as PacketNinjas, LLC.
Daniel and his team of white hats are hired by businesses to hack into their computer networks and software to try to find and exploit vulnerabilities before the black hat hackers do. He reports back to his clients, who can then take steps to plug the holes that were found. Daniel also provides automated intelligence gathering for investigators and works with a company that provides bleeding edge security data to customers from Governments to Google. And he loves what he does. “I believe in this stuff,” Daniel says passionately. “I was doing this work before it was cool. I’d be working at Starbucks and still doing this work if there wasn’t any money in it.”
It’s a good thing Daniel and others like him are so passionate.
As the world grows up in the information age, privacy and security are paramount. Reports of corporate giants like Sony and Citibank falling victim to data breaches have become commonplace, as the personal information of millions of Americans is compromised.
“There are bad guys out there,” Daniel says matter-of-factly as a serious look comes over his face. “Hackers have a game plan. They’re going after a goal. They want your information and your money.” He goes on to explain how companies often don’t even realize they’ve been hit until long after a compromise has occurred. “Professional hackers don’t let you know they’ve gotten in. They want to keep you thinking that your security is working. It’s to their benefit to keep their hacks a secret so they can keep coming in.”
One of the great misconceptions is that hackers are loners who do what they do for the same reason teenagers spray paint highway overpasses. In reality, hackers frequently collaborate, sponsored by organized crime syndicates who have created a black market for personal information. Facebook logins, credit card numbers, social security numbers, and other personal information have been commoditized. “There’s a going rate for this data,” says Daniel.
Hackers not only target personal information, they also target corporate secrets and are sometimes hired by Governments to do espionage. One of his most interesting cases came when Daniel and a colleague were hired by a Venezuelan business shortly after Hugo Chavez came to power. “Chavez was in the process of turning over companies to state-owned assets,” Daniel remembers. “If you funded his opponents and didn’t back down from intimidation, he had a hacker team that would break into your systems and steal information that he would turn around and use against you.” Though he is still unable to talk about many of the specifics of this case and others due to non-disclosure agreements, Daniel told an intriguing tale of entering the country undercover to see if the company’s systems had been infiltrated.
As thrilling as stories like this can be, Daniel is careful not to paint an inaccurate picture of exactly what it is that he does. “Everybody likes to hear about the interesting cases,” he smiles, “but nobody wants to hear about how you sit in front of your computer with a debugger for 3 weeks going over code line by line to figure out how to exploit something.” He shakes his head at movie portrayals of hackers who sit in front of a row of screens and break into a system in a matter of minutes. Daniel scoffs, “Like that would happen in real life in less than four months.”
Media coverage of hackers tends to focus on high profile breaches of big businesses and financial institutions. Should the average person be concerned? “Absolutely!” Daniel insists. “Because they are hacking by numbers now. If you have a web browser and it’s not up to date, or if you have Flash or Java installed on your computer and they are not up to date, you are vulnerable.”
Daniel goes on to describe a common scenario in which a normal person is victimized. “Say you’re doing research on flowers and you find an interesting article on Wikipedia,” he explains. “And that article links out to another page that has pictures of the flower you’re reading about. And that page links off to a forum that’s just run by some guy because he likes to talk about flowers. But he doesn’t keep his forum software up to date. Those are easy sites for the bad guys to go after. So when you go there, your computer gets compromised and you’re caught in their net.”
That’s when the truly scary things start happening.
“Once they compromise your computer, they have the ability to capture your passwords, access your financial information, and even use your computer to send spam without your knowledge,” Daniel explains. One of the common targets for hackers has become Facebook passwords. If hackers can post a booby-trapped link on your Facebook wall and lure your friends into clicking it, with that single click, they can compromise your friends’ computers as well.
There are many misconceptions the average person has about the security of computer systems. “Like Anti-Virus programs,” Daniel says. “They can only catch what they know about. And most viruses haven’t been identified yet when they compromise people’s computers.” Another misconception is that you have to download a file on the web or open an email attachment to get infected. While these things can pose a risk, the real danger is far more sinister. “There are what we call Drive-By Exploits,” Daniel continues. “All you have to do is visit a compromised web site, view a malicious PDF file and if your browser or Flash or Adobe Reader software is not up to date, your computer will get compromised too.”
The Internet is a dangerous place.
What precautions should a regular person take? “The most important thing is to make sure you do your updates,” Daniel says. “When Windows prompts you to download and install updates, do it. If a window opens up asking if you want to run a program, think twice before you click OK.” Daniel continues, explaining the importance of keeping the most recent updates installed for Adobe Reader, Java, Flash, and Microsoft Office, as these programs can have huge security holes. “When I meet with a company that has had an intrusion, I can just about guarantee that somebody didn’t keep their Java or Flash updated,” Daniel says.
So next time you connect to the Internet, remember that you’re walking down main street in an old west town at high noon. There’s a shootout going on all around you, and black hats are taking aim. Thankfully, there’s an army of good guys like Daniel that are on our side.
Daniel Clemens is the CEO and Head of Research for PacketNinjas, LLC (www.packetninjas.net). He is available for computer security consulting with businesses and individuals. He can be reached at firstname.lastname@example.org.
The Hacker’s Recommendations…
A Security Checklist for Regular People
- I have up-to-date antivirus software and firewall on my computer.
- I install all updates for Windows, Flash, Java and Adobe Reader.
- I never buy anything when I’m on a public Wi-Fi network.
- My wireless network is password protected.
- I only purchase from web sites that have an SSL lock at the bottom of the page.
A Security Checklist for Small Businesses
- I have updated anti-virus software installed on each computer in my network.
- I keep the software on each computer in my network up to date with the latest patches.
- I know where my data is, where it goes and who has access to it.
- I have a system to perform regular, automated backups.
- I have a hard copy of all important information about financials and clients.
- I know who I’m hiring (lots of information can leave on a thumb drive).
How to Know if You’ve Been Hacked
- Your computer is suddenly running very slow.
- People are getting emails from you that you didn’t send.
- A link was posted on your Facebook wall that looks like it came from you.
- Your bank calls with questions about strange charges.
How to Respond to a Hack
- Immediately disconnect your computer from the Internet.
- Make sure your important files are backed up.
- Take your computer to a knowledgeable IT professional and request that it be completely wiped clean and reinstalled.
- If you have critical information on your computer that was compromised, treat it like a crime scene and contact authorities.
- Change your passwords with your financial institutions, social media sites, and commercial sites that store your credit card information.
- Activate a fraud alert with the three major credit bureaus.
How to Create a Strong Password You Can Remember
- Think of a phrase that’s meaningful to you, such as “WordPress Rocks”
- Replace every ‘a’ with @
- Replace every ‘e’ with 3
- Replace every ‘s’ with $
- Replace every ‘o’ with 0 (zero)
- Replace every ‘i’ with !
- Replace every space with ~
- So your new more secure password phrase becomes “W0rdpr3$$~R0ck$”
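
The substitution table in this recipe is fixed and public, so a signup or password-change check can reverse it before comparing a candidate against a wordlist. The sketch below is an added example, not part of the original article; the wordlist, the function names and the second sample password are constructed for illustration.

```python
import re

# Inverse of the substitution table listed in the recipe above.
UNDO = str.maketrans({"@": "a", "3": "e", "$": "s", "0": "o", "!": "i", "~": " "})

# Constructed sample wordlist. A real check would load a large dictionary
# plus a list of previously breached passwords.
SAMPLE_WORDS = {"wordpress", "rocks", "password", "flowers", "birmingham"}


def normalize(password: str) -> str:
    """Undo the recipe's substitutions and fold case."""
    return password.translate(UNDO).lower()


def dictionary_tokens(password: str, words=SAMPLE_WORDS):
    """Split the normalized password into letter runs and sort them into
    (known, unknown) according to the wordlist."""
    tokens = [t for t in re.split(r"[^a-z]+", normalize(password)) if t]
    known = [t for t in tokens if t in words]
    unknown = [t for t in tokens if t not in words]
    return known, unknown


def is_guessable(password: str, words=SAMPLE_WORDS) -> bool:
    """True when every token is a dictionary word, meaning the password is
    only a fixed re-spelling of a phrase a wordlist already contains."""
    known, unknown = dictionary_tokens(password, words)
    return bool(known) and not unknown


if __name__ == "__main__":
    # First value is the article's own result; second is a constructed
    # random string that merely happens to contain '~'.
    for candidate in ["W0rdpr3$$~R0ck$", "tq7v~Lmz9x"]:
        print(candidate, "->", repr(normalize(candidate)),
              "guessable" if is_guessable(candidate) else "not in wordlist")
```

A policy check built this way rejects the re-spelled phrase for the same reason it would reject the plain one, which is why length and unpredictability of the underlying phrase matter more than the character swaps.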
The Hacker’s List
- Operating System: Mac OS (Although Windows 7 is slightly more secure, there are far fewer real world exploits available for Mac).
- Web Browser: Google Chrome (If you must use Internet Explorer, be sure you’re using version 9+)
- Security Software: Kaspersky
- Smart Phone: iPhone (The Android Marketplace contains compromised apps)