Scottish Daily Mail

You’re not safe online. Trust me, I’m a professional computer hacker

Accounts stripped of millions. Websites stolen. Emails faked and sent round the globe. Welcome to the world of cybercrime... and the Scottish students fighting it

- by Marcello Mega

DUNCAN sits in an IT room at Dundee’s Abertay University, a desktop computer in front of him and a laptop to his left. He is big and solemn, but a smile is in his eyes. We shake hands and I follow his gaze to the screen of the laptop. My own face looks back at me.

‘Is that your website?’ he asks. I nod, wondering what the point is going to be. A Google search of my name would have brought it up. ‘No it isn’t,’ he says. ‘I cloned it earlier.’ Duncan is a hacker. With just a few clicks of the mouse, he could destroy my computer records and clean out my bank account. Indeed, moments later he is demonstrating how to generate emails that would appear to be from me to any email address in the world.

But online, things are not always what they seem. Duncan is one of the good guys. This summer, he will graduate from Abertay with a degree in Ethical Hacking. It is the only course of its kind in Scotland and is, perhaps unsurprisingly, oversubscribed.

Last year the course accepted 60 students, this year there are 45. Well over 100 wannabe hackers applied for the positions. The lucky ones will spend four years studying cybersecurity, hacking and counter-attacks. In essence, it is a degree in how to hack the hackers.

As a student, Duncan has been using his hacking skills for good, working with the Scottish Business Resilience Centre (SBRC), an organisation closely allied with the Scottish Government, Police Scotland, clearing banks and other agencies that tries to stop the hackers hacking.

Unsurprisingly, he is in high demand. He already has a job lined up in industry with a firm he can’t name. The world he inhabits is secretive, and while sources estimate the cost of cyber-crime in Scotland is £5billion-£8billion a year – the UK figure is £27billion – few victims wish to advertise that they have been hit, or even that they might be a target.

Understandably, Duncan prefers not to put his surname or his face into the public domain. He hopes to have a long career doing battle with organised crime, albeit from the relative safety of his computer.

He is unlikely ever to be out of a job. Hacking is a multi-million pound industry that is becoming increasingly sophisticated. In a world where most of us are online every day, no one is immune from the hackers, whether it is a multi-national bank or an individual posting pictures of their grandchildren on their Facebook page.

I ask Duncan to talk me through how he tests a company’s online security. It’s something he does regularly for the SBRC, and he is incredibly good at it. His findings are chilling.

Working in the offices of a substantial Scottish firm just before Christmas, even he was surprised at how easily he could enter the firm’s financial server, and astonished to discover that by the end of the day he had all the details he required to get his hands on £69million in a holdings account he didn’t even know existed. The company’s security was so poor he not only uncovered the account, but could have cleaned it out – had he wished to.

‘When we go in to a company, we don’t ask them for passwords or anything that isn’t in the open,’ he says. This, he explains, mimics how a hacker would go about finding the same information. ‘We stick a USB stick into one of their computers and secure any passwords it holds in encrypted form, then “brute force” them on our computers.

‘This involves our software throwing out every possible consecutive sequence that makes a pronounceable word. People’s names and names of football teams might crop up, and significant dates.

‘If we are looking at your company and your password is in the dictionary, we’ll have it from the software within five minutes. The hacker who wants to defraud the company could get it as easily with the right access, perhaps from a disgruntled or former employee. Often, the passwords are not secure because directors and employees alike think the machines are in their building and in their control.

‘Among companies where everyone has to change their password every year, it’s incredible how many people keep the same password but update the year they’ve changed it.

‘If there is nothing unique about your password and you simply change the numbers on the end from 2013 to 2014, you’re likely to attract trouble.’

THE cost of any disruption for big companies is colossal, but it’s rarely quantified in public. When one of the big banks shuts down its internet banking for a day, or even a few hours, it can cost them millions. If such problems are connected to hacking, they don’t advertise it.

‘No one wants to look vulnerable,’ says Duncan. ‘But Scotland is losing £5billion a year to this type of crime, so there are plenty of victims.’

What we should all be doing, he says, whether setting up a password in the workplace or for our sensitive online dealings, such as banking at home, is to generate long, complex passwords with a random mix of upper and lower case characters and numbers interspersed with spaces and punctuation marks.

‘If you use your kids’ names shoved together with a date, we’re going to break that easily, and so would the hacker who wants to get into your bank account,’ he says.

‘The best alternative to a long, random password is a pass phrase or sentence. The longer it is, the more symbols and spaces in it, the more secure, especially with something unusual at the end of it. That would be virtually impossible to crack.’
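The cracking run Duncan describes, as an added example and not code from the article or from the SBRC: a hybrid dictionary attack in Python that tries common words, names and football teams with year and number suffixes, plus a rule that takes a known old password ending in a year and rotates the year, which is exactly the 2013-to-2014 habit he warns about. The wordlist, the rules, the old password and the target hashes are all constructed here; the hashes are built from made-up plaintexts in the script because real dumped hashes would not be reproducible on the page.

```python
# Added example, not from the article: a hybrid dictionary attack of the kind
# Duncan describes, run against constructed SHA-256 password hashes.
import hashlib
import itertools
import re

# Constructed wordlist: dictionary words, first names, football teams.
WORDLIST = ["password", "letmein", "rangers", "celtic", "dundee",
            "emma", "jack", "summer"]

# Mutation rules: the year-suffix habit plus a few common number tails.
YEARS = [str(y) for y in range(1950, 2016)]
TAILS = ["1", "12", "123", "1234", "!"]


def sha256_hex(text: str) -> str:
    """Unsalted SHA-256, standing in for whatever fast hash the target stores."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def case_variants(word: str):
    return {word, word.capitalize(), word.upper()}


def candidates(wordlist):
    """Yield guesses: each word, its case variants, and year/number suffixes."""
    for word in wordlist:
        for base in sorted(case_variants(word)):
            yield base
            for suffix in itertools.chain(YEARS, TAILS):
                yield base + suffix


def year_rotations(old_password: str, years=range(2000, 2030)):
    """If a known old password ends in a year, guess the same stem with other
    years. This is the 'change 2013 to 2014' habit the article describes."""
    m = re.fullmatch(r"(.*?)((?:19|20)\d{2})", old_password)
    if not m:
        return []
    stem = m.group(1)
    return [stem + str(y) for y in years]


def crack(target_hashes, wordlist, known_old_passwords=()):
    """Return {hash: plaintext} for every target hit by the guess stream.
    Rotations of known old passwords are tried first because they are cheapest."""
    remaining = set(target_hashes)
    found = {}
    guesses = itertools.chain(
        (g for old in known_old_passwords for g in year_rotations(old)),
        candidates(wordlist),
    )
    for guess in guesses:
        if not remaining:
            break
        h = sha256_hex(guess)
        if h in remaining:
            found[h] = guess
            remaining.discard(h)
    return found


# Constructed targets: in a real engagement these hashes come from the
# machine's credential store; here we hash made-up plaintexts to build them.
SAMPLE_PLAINTEXTS = [
    "Rangers2014",                                  # last year's password, year bumped
    "emma1985",                                     # child's name plus a date
    "password",                                     # in every dictionary
    "three haggis left the 4th bridge at dusk!",    # long passphrase, odd ending
]
TARGETS = {sha256_hex(p): p for p in SAMPLE_PLAINTEXTS}


def run_demo():
    """Crack the sample hashes; returns (sorted cracked plaintexts, survivors)."""
    cracked = crack(TARGETS.keys(), WORDLIST, known_old_passwords=["Rangers2013"])
    survivors = [TARGETS[h] for h in TARGETS if h not in cracked]
    return sorted(cracked.values()), survivors


if __name__ == "__main__":
    cracked, survivors = run_demo()
    print("cracked:", cracked)
    print("survived:", survivors)
```

Three of the four constructed passwords fall to a few thousand guesses; only the passphrase survives, because no rule in the list generates it. Two caveats a practitioner would add: the article calls the stored passwords ‘encrypted’, but what a cracker usually recovers is a hash, and a salted, deliberately slow hash (bcrypt, scrypt or Argon2) raises the cost of every guess by orders of magnitude compared with the fast, unsalted SHA-256 used here; and real tooling (hashcat, John the Ripper) applies far larger wordlists and rule sets than this script, so anything a rule can reach should be assumed reachable.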

While companies are prime targets for organised crime because of the resources they control, mass-produced emails sent to millions of inboxes round the world can also be lucrative for e-gangsters. I ask Duncan to test how vulnerable I am. He searches for me on Facebook. ‘Open profile,’ he mutters disapprovingly. ‘I can look at all your friends and photos.’

He looks me up on the electoral roll, my Twitter account and company website. Within five minutes, he knows where I live, the names of my wife and children, he has dates of birth for me and my daughters and knows where they study. He hasn’t had to do anything clever.

If he had to devote more time to this, he would soon discover causes close to my heart and those of my relatives, information a hacker could use to target me more effectively. Personal information should be treated with caution online, he says. Be careful about what you share with others on social media networks. Even the most personal – and sensitive – information can be exploited by a hacker.

Duncan adds that if you had recently lost a loved one to cancer, you might be vulnerable to an email apparently from a cancer charity. By coincidence, on the day we meet in Dundee, a story about such a scam hits the headlines.

A moving cancer story is hitting millions of inboxes, and there’s a link for those who want to help, much the same as the link attached to millions of emails that appear to originate from HMRC suggesting the very unlikely scenario that we are all due a tax refund.

These links infect your computer with ransomware, a virus that locks up all your files and threatens to destroy them within a day unless you pay the ransom for the antidote, typically $200 or $300. If 0.1 per cent of 10 million recipients opened the link and only half of those paid the ransom, that is 5,000 payments, which could be as rewarding as taking a single large sum from a big business, and potentially less likely to attract a concerted effort from law enforcement.

Given the difficulty of tracing the sources of these scams, and that the sums of money requested are within the means of the average working person, many people pay up and don’t bother to report it. Apart from anything else, says Duncan, they are likely to feel embarrassed at being caught out.

IP addresses – the individual ‘internet protocol’ addresses assigned to each computing device – are also harvested by the criminals when people click on links in the scam emails. The address identifies the machine on which the email was opened, and once malicious software is running on that machine, the passwords it has stored can be lifted from it.

They will be held in encrypted or hashed form, but the unethical hacker can ‘brute force’ them as easily as Duncan, and recover the weak ones in seconds.

Duncan says: ‘Once a hacker has the IP address, he can use a tailored programme to attack the computer and obtain control, operating it as if he were sitting at the keyboard.

‘He would gain access to all passwords the owner had asked the computer to remember, have access to all its files and history and could be “watching” from his own machine, anywhere in the world, as the owner was logging into his online banking.

‘It is a multi-billion pound business and the criminals will be creative in finding ways to part you from your money. There are people who do it to cause nuisance but the majority are involved in organised crime and when you look at the volume of scams and the vast amount of email traffic they generate, you know it’s an industry involving thousands of people.’

ENTER then, the SBRC, which alongside Duncan and his fellow ethical hackers, has senior police officers and civil servants on secondment who work closely with centre director Mandy Haeburn-Little and her team, fighting a battle on ever-changing terrain against unseen enemies who could be anywhere in the world.

Some are particularly close to home – such as Lauri Love, a former Glasgow University student who in February was charged with hacking into US Federal Reserve computer servers and stealing the personal information of users. He faces up to 12 years in prison if convicted.

A key part of the SBRC’s work is to assess businesses in Scotland to test the strength of security attached to IT systems such as the one in which Duncan discovered he could clear out a £68million holdings account.

‘Somebody using the skills I have for crime would have been able to make the same discovery and make that money disappear in a few hours,’ he says. ‘A configuration error had occurred and it made them vulnerable. It might never have been exploited, or even spotted internally, but it could have damaged them and a similar error could have been fatal for a smaller firm. But we caught it, dealt with it and the company is now secure.’

Given the riches that can be tapped into, you have to wonder whether Duncan or any of his fellow ethical hackers have been tempted to join the dark side.

He says: ‘At Abertay, first semester, you learn about the law and the penalties for fraudsters. Then you do modules on digital forensic investigation and see how easily you might be caught by investigators who know what they’re doing.

‘We’ll finish our degrees and go into well-paid, challenging jobs most of us would happily pursue as a hobby. Why put that at risk, spend all your time looking over your shoulder, then go to jail and make yourself unemployable?’
