I had signed up to become a hacker for the day. I had no idea what to expect, or how difficult it might be. But it turned out that the hardest part about taking control of somebody else’s computer was just getting my own laptop connected to the internet — which indicates the scale of the security problem that we all face.
Our master class was trying to accurately simulate hacking into a decrepit Windows XP computer in the office of a multinational corporation, and Michael Belton, head of the penetration testing team at cybersecurity firm Rapid7, soon had me fully connected. And then the fun began.
‘’Penetration testing’’ is a euphemistic term for hacking. The crucial difference is that penetration testing is done with the permission of the network owner, so it is the digital equivalent of stores paying someone to shoplift from them to ensure their security staff are awake.
But if the motivations of the two are different, the methods — and end results — are the same. Which means that a penetration tester showing me the tools of his trade is a pretty good insight into how a script kiddie working with hacker collective like Anonymous goes about their business.
It also neatly answers the question of a Guardian editor who found out I was attending a ‘’hacking master class’’: Yes, it was legal, because we were only accessing systems with the permission of their owners. It’s when you start accessing everyone else’s that the problems begin.
1. We started with Linux
Once I arrived at our hacking venue, where Belton was going to demonstrate how to “own” a computer in just a couple of minutes, I was handed a USB stick with an installation of Kali Linux on it.
Linux is an open source operating system, a collectively-created free alternative to Mac OS or Windows, and Kali is a version of it designed specifically for penetration testers. It comes pre-installed with all the software necessary to take control of unsecured computers (and a good few secured ones as well), as well as all the standard productivity tools a team of testers would need to work together. Most importantly, it can be shrunk down small enough to fit on one thumbdrive — and can be booted straight from it.
That’s crucial for hackers, because although the temptation is to focus on their tools, the job is as much art as science. If you can get physical access to a network, there’s no need to bother trying to bypass firewalls from the outside.
Faking your way into a system
So penetration testers have been known to dress up as outside contractors, tail employees from smoking breaks, and even picking locks to get in the building. The Ethical Hackers Handbook, a guide for penetration testers, recommends practicing ahead of time the answers to common questions like ‘’I don’t think we’ve met; are you new?’’ and ‘’Who are you working for?’’
The same shortcuts apply elsewhere. If you’re trying to get hold of someone’s password, it’s far simpler to just get them to tell you than it is to crack their computer and read it from the memory.
These days, people tend to be more suspicious about unexpected phone calls asking for passwords. But there are other ways to achieve the same ends. Belton showed me software Rapid7 has produced which can easily fire off an email to every employee in a company, asking them to log in to a fake version of their own website. The program automatically strips all the assets from the real site, sets up a temporary server, and waits for people to input their passwords.