Tech by VICE

I Spent a Day Learning How to Hack Alongside Wall Street's Financial Consultants

The best way to keep yourself safe from hackers is to learn how to hack yourself.

by Jason Koebler
Apr 29 2015, 6:10pm

Amadeus Stevenson. Image: Author

I'm hacking the Komodo Bank of Asia. I'm actively taking money from its clients and transferring it into my account. My victim's password sucked, his security question was laughable and easily Googleable. My balance soars; I watch his approach zero. The whole thing was too easy.

I'm not in my parents' basement, I'm not in a Chinese cyberarmy barracks or compound, I'm not even using Tor. I'm sitting in the modern offices of Capco, a financial consultancy a couple blocks off Wall Street.

If I squint out the window, past the helipad corporate CEOs regularly fly into, I can see the Statue of Liberty. If I had to guess, with the information stored on these computers, some of Capco's employees could definitely help me pull off some sort of large-scale digital heist.

But they aren't helping me—instead, they're my adversaries in what is, as far as I can tell, the first corporate-backed class on how to hack.

"We're going to teach you how to use a crowbar," Decoded's John Ridpath, one of my hacking gurus tells the class. "You know the divide between what's legal and illegal is there—how you use it is up to you."

Komodo Bank of Asia, of course, isn't a real bank. We aren't stealing real money, and Ridpath and his partner Amadeus Stevenson have built in specific backdoors into the surprisingly professional-looking bank's website. But the tactics we use to hack it—a mix of social engineering and MySql injections—are the same ones regularly used in the real world.

To hack into Komodo, we first pinged the site to see how it was hosted and what database it was using. We found Komodo was using a slightly outdated database server based on the popular MySql database management system to store its customers' data. We then Googled specific vulnerabilities associated with that version of MySql. The search showed that it was vulnerable to injections, a very standard hack in which hackers ask for more information from the database than it's supposed to give.

Testing the code on a fake server we set up, before trying it out on the bank's website.

With Stevenson's help, we asked the bank to give us its entire database of customer names and usernames, and, thanks to the vulnerability, it did. The passwords were encrypted.

Thing is, most people don't remember their passwords anyway. So we used the bank's password recovery feature and were prompted with a security question. After Googling some poor sap's name, and using my LinkedIn account to snag the name of the first app he ever developed, I was in, and I transferred $10,000 to my bank account. Voila.

It was a fake hack, a setup, and we had our hands held through much of the process. In the real world, the fact that hacked accounts primarily transferred large sums of money to my account would have given me away in a second. But, thing is, some mix of MySql injections, password recovery phrases, and general social engineering are how many—if not most—hacks actually go down.

HBGary, a federal contractor and computer security company that threatened to unmask Anonymous back in 2010 was itself owned thanks to a simple MySql injection that eventually was used to leak sensitive data and, essentially, end the company. A Sql injection was used by the hacking collective LulzSec to own Sony and the Playstation Network back in 2011.

The transfer money page of Komodo Bank.

The Chinese government has fallen victim to Sql injections, too. Tech reporter Mat Honan infamously had his entire online life compromised thanks to some social engineering. The list goes on and on and on.

Ridpath told us that, before actually doing any hack, you're going to want to gather plenty of intel. To pull off a good heist, you can't just walk in the front door without a plan. You've got to spend time figuring out the weak points. That's why we Googled for specific vulnerabilities before actually attacking the bank's website, that's why we didn't start randomly guessing passwords or trying to brute force our way into someones fake bank account.

No one in the class (including me) seemed to have the technical knowhow to become a major hacker. But to call up a couple companies and gather intel? To do a bit of Googling about a potential target to guess what their password might be? Piece of cake, if you know what to look for.

Executing the virus we wrote.

There's not a lot of hacking involved in most hacking, Ridpath and Stevenson tell us.

And that, really, is the entire point of the Hacker in a Day. It's become passé to say that everyone should learn how to code—but should everyone learn how to hack? Probably not, of course. But everyone should know how hacks work, which is why the dozen-or-so Capco employees in the class generally weren't IT professionals. Instead, they were secretaries, junior employees, and consultants.

"The mission is to break down the divides between the hacker world and your world," Ridpath said.

By the end of the class, we had written a piece of malware—a virus—using a Mac's Terminal and a program we downloaded off of GitHub.

An image automatically taken of the author when the malware was opened.

The virus, if opened, took a photo using the computer's built in webcam and played a message to the person who was getting owned. It was easy. Getting that image to automatically upload to Imgur or any other file repository was the matter of adding a couple more lines of code that I easily Googled myself once I got home.

We then embedded that virus in an email and had to design an email that one of our friends might like to open—a spearfishing attack like the ones that have helped so many hackers breach so many companies.

At the beginning of the class, we had to decide if we were "White Hat" or "Black Hat" hackers—whether we'd use these tools for good or evil. At the end, we had to decide who we'd send our virus-laden email to—our boss, maybe? Some celebrity? Or did we just want to forget the whole thing and not email anyone at all?

Corporate America is betting that its employees are going to opt to use this knowledge for good, and it's hoping that bet is going to make their companies safer.