'Hacker Boot Camp' teaches security tactics
PHILADELPHIA - Trevian Mathis taps his computer keyboard just a few times to hack into Juggy Bank's customer accounts. Within minutes, he has checking, savings and credit card numbers.
His maneuvers may look sneaky, but Mathis is on the side of justice.
He is learning to be an ethical hacker in a course offered by a Philadelphia company, Training Camp, which employs about 40 people and offers a variety of classes for computer professionals. Juggy Bank and its customers are fictional.
Training Camp calls its weeklong course "Hacker Boot Camp." Fueled by donuts, Oreos and fruit available in the break room, participants learn to protect their companies' computer systems.
They start by learning how to break into them.
"Want to create a fake record in a database? Want a $1 million account with your favorite bank? We can do that," instructor Steve Kalman said, urging Mathis and the six other students on to more phony crimes.
Most of the hacker deceptions taught in the five-day course at a Poconos resort are well known and easy to find on Web sites.
But the students, who work for corporate information-technology departments, say learning these tricks helps them understand how hackers think and what makes systems vulnerable. And even though participants sign a statement saying they won't use their newfound knowledge to flee to the dark side, Training Camp avoids spreading information that might help real hackers.
"What we teach in this course are a lot of techniques that have long been patched and fixed because we're not trying to create a new generation of hackers," Kalman said.
Michael Trpkosh, a senior software engineer for Verizon Communications Inc. in Dallas, said the course immersed him in a fascinating world.
"I have a real passion," he said. "Some people like studying World War II. I like studying this."
He also said he believes an ethical-hacker certificate could help his career.
If he passes the test at the end of the week, he can call himself a "Certified Ethical Hacker," an educational program overseen by the International Council of Electronic Commerce Consultants, a trade group. With incidents of stolen data regularly making headlines, the certification is in demand.
"It's pretty much a wide-open field out there," Trpkosh said. Besides, "you can only attack your kids' computer so many times before it gets old."
At boot camp, Trpkosh and other students get two computers each - a victim machine and an attack machine. From one, they attack the other.
Modern hackers want more than infamy. They want money.
Some hack into computer systems and hold data for ransom. They exploit new technologies to crack systems. The rise of the BlackBerry, for example, has led to "Blackjacking," or using hand-held devices to gain access to corporate or personal information.
Kalman, a bearded, bespectacled man, spends about half his time teaching. The other half of his life, as a consultant in "penetration testing and computerized forensics," keeps him up to speed in the classroom.
Penetration testing involves helping businesses identify vulnerabilities in their information-technology systems. Computerized forensics is a digital version of "CSI: Crime Scene Investigation. A recent case: Kalman helped determine that a will was probably fake because phrases in it closely resembled those often used by the document's biggest beneficiary and not by the deceased.
In the class, he covers a wide range of topics - from wireless hacking to evading honeypots (a decoy system set up to attract and catch hackers).
Boot campers don't wake up to morning runs or salute their instructors, but they do spend 12 to 14 hours a day in class. Kalman said he has occasionally arrived in the morning to find a student who has slept in the classroom building all night.
Kalman frequently throws out tips for breaking into systems. Writing in blue magic marker on a white board, he shows how putting a single quote mark in the password field on a log-in page can tell a hacker whether a site is vulnerable to a data-theft technique known as "SQL injection." SQL, often pronounced sequel, stands for "structured query language."
Kalman and his troops make hacking look easy. No one's financial information or trade secret seems safe.
But some companies guard this data better than others, Kalman said. He recently moved some money to the online bank ING because of what he considers its stellar security, which includes having users choose both an image and a phrase as passwords.
The course attracts people with a strong grasp of computer languages and techniques, but uneducated customers and employees often create the biggest risks.
"Users can be your worst enemy in a lot of cases," said Erich Melcher, a student who manages IT security for a large construction and engineering company.
People such as Melcher can patch vulnerabilities and keep an eye out for hackers, but an employee who simply tries to help by sharing a password can destroy all that.
So the ethical hackers soldier on, trying to educate those problems out of existence. As they work, phrases from the movie The Matrix, about a group of hackers trying to fight an evil cyber-intelligence, mysteriously appear on their computer screens.
"Wake up, ethical hacker," it reads. "The Matrix has you."