Cracking The Code

  • The dress code is business casual--no jeans allowed, not to mention pierced noses. It's the first day of class--hacking class--and the instructors, smartly attired in matching corporate polo shirts, point at screens full of code and step-by-step directions on how to hack a host computer. "Get this: No username, no password, and we're connected," says one. "I'm starting to get tingles. They're going to be toast pretty quick." Geekspeak, at least, is still de rigueur.

    In the world of corporate espionage, a company's host computer is the mother lode, which means that protecting it is vital. That's the goal of Extreme Hacking, one of a growing number of counterhacking courses that teach perfectly respectable people the how-tos of cracking their own networks so they can better protect them. "We're kind of wearing the white and black hats at the same time," says Eric Schultze, the Ernst & Young instructor who gets tingles from an exposed password file.

    How easy is it to hack? If these guys can teach a novice like me how to break through a firewall, I figure, then all our networks are in trouble. Guess what? All our networks--at least, the ones without encryption keys or extremely alert administrators--are in trouble. Why? Because this is the information age, and the average computer gives up far too much information about itself. Because a network is only as strong as its weakest user. And because the most common log-on password in the world, even in non-English speaking countries, is "password." With users like this, who needs enemies?

    How big a problem is this in the real world? "Rarely is there a moment when a hacker isn't trying to get into our networks," says a senior Microsoft executive. "People go looking for that weak link." Recently hackers found a backdoor through a user in Europe--an administrator, no less--with a blank password. This allowed the hacker root access--the ability to change everyone else's password, jump onto other systems and mess up the payroll file.

    In our first class, we have no problem rooting around in the Web servers of a top Internet company. We find three open ports on the firewall and a vulnerable mail server. "This network is a f___ing mess," says a classmate. "We need to have a word with these people."

    Over the next few days, any faith I had in the security of the world around me crumbles. Think your password is safe because it isn't "password"? If it's in the dictionary, there is software that will solve it within minutes. If it's a complex combination of letters and numbers, that may take an hour or so. There is software that will hijack your desktop and cursor--and you won't even know about it. Hacking doesn't require much hardware; even a Palm Pilot can do it. What protection do you have? "Minimize enticements," say the teachers. If you don't want to be a victim of information rape, in other words, don't let your network give out so many details to strangers.

    Old-school hackers scoff at the notion that businesses can stop them. "Corporations can't teach hacking," says Emmanuel Goldstein, editor of the hacker quarterly 2600. "It has to be in you." Perhaps. But if a few more firms learn to avoid becoming toast, that's no bad thing.