
Chicago School Trains Ethical Hackers


Most computer hackers fall into one of two categories: black-hat hackers are the bad guys. They’re trying to get information they’re not supposed to have.

And then there are white-hat hackers. They do a lot of the same things – but they’re hacking systems in order to improve them, by sniffing out security flaws.

Now a school in Chicago offers training and certification as a so-called “ethical hacker.” Chicago Public Radio’s Gabriel Spitzer reports.

Hacking is not all codes and keys and computer viruses. Sometimes, it starts with a good old-fashioned con.

Ralph Echimendia says he can’t name the company he was working for, but he got an assignment from the board of directors. A secret assignment.

ECHIMENDIA: This was my task: physically get into a very large financial corporation based in Chicago, get on their network, get into their executives’ offices and see if there’s any paperwork on their desks, and get in to find where their data center is.

Echimendia called employees’ voicemails late at night, until he found one belonging to an executive that said he was out of the country. Later he called the guy’s assistant, pretending to be him.

ECHIMENDIA: She was like, oh yes sir, how can I help you? I was like, as you know I’m overseas right now. I have an engineer coming from our other location, and I’ll need you to give him directions, when he gets there I need you to sit him at a cubicle, he needs to upload some very important business process reports. Hell if I know what that is, but it sounds good, right? And she was like, absolutely, sir.

Then he showed up at the door, playing the engineer. With the rails suitably greased, the assistant ushered him right in.

From there he could peer into the company’s network, snoop around desks, and generally do as he pleased.

ECHIMENDIA: I’m just walking around. And there’s a door that’s just slightly open, and the door has a sign on it that says, keep this door closed. And I hear hmmmmm … the whirling and hum of computers. And I open the door, and it’s the data center. What could you have done in that data center if you were nefarious? I could have done anything. I could have done a lot of different damage.

The lesson: all the fancy security software in the world doesn’t mean anything if you’re not thinking like a hacker. Get into the right mindset, he says, and you start seeing all sorts of cracks in security.

(ambi up)

Echimendia wears black clothes and a long goatee. He says he started hacking at age 14. Now he’s 35, and he’s using his experience to guide eight students, mostly I-T consultants, through the certified-ethical-hacker course.

The class takes five days and costs about three grand.

Students get technology briefings and hack fictional companies.

STUDENTS: You guys wanna start from the outside in, or the inside out? I say we start with our routers … (fade under)

Students here say it’s a struggle to keep up with the black-hat hackers.

James Ruffer works at a network consulting firm called Unixbox. He says the Hacker Academy saves him all the time he’d normally spend figuring out the latest scams and intrigues.

RUFFER: This is kind of like someone has collected all that data and information, done all the research for you, compresses it and shoots it at you over five days.

And where do the instructors get their information? Academy founder Aaron Cohen says they still occasionally haunt the internet netherworld.

COHEN: Our instructors are people that have, kind of, one foot in each side. They figure out what’s going on in the black hat world, and they bring that to the white hat world, because they’re respected on both sides.

ECHIMENDIA: The human right to privacy goes beyond corporate policy and even regional laws. So you have to keep in mind protection to personal privacy when doing this.

These days Echimendia, at least, has come over to the light.

But plenty of hackers have less pure motives. And few companies, he says, are as secure as they think.

ECHIMENDIA: Most large organizations spend more money on coffee than they do on security. We have major identity theft problems, major problems when it comes to credit card fraud, and so on and so forth. These companies only deal with it when we’re hacked. That’s way too late, you know, when 40 million credit cards have been stolen.

Echimendia says the real object of the school is shoring up trust – and that begins with understanding your own vulnerability.

I’m Gabriel Spitzer, Chicago Public Radio.
