BUSHKILL, Pa. -- Five computer engineers specializing in information security are gathered around flat-panel personal-computer screens in a resort hotel room here in the Pocono Mountains and listening to their instructions.
Hack into the credit-card accounts of Juggy Bank, a fictitious financial institution represented by a working computer server in the back of the room, and steal the account data, they are told. "Extra credit every time you crash the server," jokes Andrew Whitaker, who has been instructing the group in hacking techniques for three days.
A few years ago, hacking was a way for teenagers and hobbyists to show off their computer skills by unleashing viruses and worms online. Though some caused significant financial losses, such as the "I Love You" virus that spread to an estimated 45 million email accounts in a single day, most passed without causing lasting damage.
Now chief information officers responsible for protecting corporate data are more worried about malicious hackers looking for profits rather than kicks. These hackers, including some associated with organized-crime rings, try to gain access to information -- usually personal financial data about customers -- that they can use to run credit-card charges, take out loans and otherwise profit from identity theft.
That has given rise to "hacker camps," programs to train network-security professionals in the same techniques used by the hackers they are trying to thwart. Some 30,000 technology professionals around the world have received training as part of a "certified ethical hacker" program set up in late 2001 by the International Council of Electronic Commerce Consultants, an organization for e-business professionals.
Hacker camp doesn't dwell on theory. Richard Van Luvender, president of InfoSec Academy, which runs a program offered in the Poconos and in several other locations, says the aim of teaching actual hacking techniques -- thinking and acting "dirty," as he calls it -- is to instill the malicious mindset into students. The approach, says Mr. Van Luvender, a U.S. Marine Corps veteran, is drawn from Sun Tzu's "The Art of War": "If you know the enemy and know yourself, you need not fear the results of a hundred battles."
"Hacking can be unbelievably easy these days," says Mr. Van Luvender, noting that hacking tools have become widely available.
Not everybody is eligible to receive the five-day intensive training. Potential students enrolling in a certified hacker program need a minimum of two years of information-security-related work experience. Attendees also sign an agreement promising they won't misuse the knowledge acquired from the program. Mr. Van Luvender accepts only applicants sponsored by their employers for fear that trainees might abuse the hacking skills once out of camp. The instruction costs about $3,500.
In the exercise involving Juggy Bank -- a pseudonym for an actual East Asian bank whose online-banking system was successfully attacked three years ago -- InfoSec's Mr. Whitaker walks around the room checking on progress, giving students hints if they are headed in the wrong direction. "Remember, there are many ways of hacking," he says during the session held last fall. "Try to think out of the box."
Hackers attacking Juggy Bank found that they could use a technique called SQL injection (pronounced "sequel") to gain access to customer account information. SQL injection lets a hacker send a malicious database command to a server from a Web browser anywhere on the Internet and take control of the server.
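To make the flaw concrete, here is an added illustration that is not from the article or the training course: a cardholder lookup that splices browser input straight into its SQL text, beside the parameterized form that closes the hole. The table, rows and account numbers are constructed for this example, not Juggy Bank data.

```python
"""Constructed demo of the SQL injection flaw described above: a lookup
that splices untrusted web input into a query, and the parameterized
version that fixes it. All data here is made up (hypothetical)."""
import sqlite3

# Constructed sample data: a tiny in-memory cardholder table.
SAMPLE_ROWS = [
    ("1001", "Alice Example", "4111111111111111", "2008-12"),
    ("1002", "Bob Example", "5500000000000004", "2009-03"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (account TEXT, holder TEXT, pan TEXT, expiry TEXT)")
    conn.executemany("INSERT INTO cards VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, account_id: str) -> list:
    # Defect: the browser-supplied value becomes part of the SQL statement,
    # so quote characters in it change what the database executes.
    sql = f"SELECT holder, pan FROM cards WHERE account = '{account_id}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, account_id: str) -> list:
    # Fix: the value is bound as a parameter; the database treats it as data
    # and never parses it as SQL, whatever characters it contains.
    sql = "SELECT holder, pan FROM cards WHERE account = ?"
    return conn.execute(sql, (account_id,)).fetchall()


def vulnerable_raises(conn: sqlite3.Connection, account_id: str) -> bool:
    # A stray quote in the input breaks the spliced statement outright,
    # which is the "crash the server" behaviour the instructor jokes about.
    try:
        lookup_vulnerable(conn, account_id)
        return False
    except sqlite3.Error:
        return True


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # textbook always-true input, constructed
    print("vulnerable, normal id:", lookup_vulnerable(db, "1001"))
    print("vulnerable, tautology :", lookup_vulnerable(db, tautology))  # every row
    print("safe, tautology       :", lookup_safe(db, tautology))        # no rows
    print("vulnerable raises on O'Brien:", vulnerable_raises(db, "O'Brien"))
```

Run it to see the spliced query hand back every cardholder for the tautology input while the parameterized query returns nothing; the same parameter binding, not input filtering, is the standard fix.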
One of the hacker students, Troy Lilly, a 32-year-old information-security officer at City Holding Company Inc. in Charleston, W. Va., sees hundreds of automatically programmed attempts to breach the regional bank's network every day. Now trying to hack into Juggy's system, he knew that the first thing he should do was to scan for vulnerabilities.
Within minutes, he found four ports, or entrances, to the computer network that weren't protected by a firewall. Using the SQL-injection technique and tools he downloaded from the Internet, Mr. Lilly was able to write a command that posted an unauthorized message on Juggy's Web page.
But a second part of the mission -- downloading credit-card account information -- proved harder. Mr. Lilly spent almost three hours trying various hacking techniques without success. "I have never done that before, and am not familiar with it," he said of trying to penetrate the database.
Classmate David Moured, a security engineer at information-security company G2 Inc., of Columbia, Md., brought firsthand hacker experience to the effort. Mr. Moured, 27, conducts security testing for private and public institutions, requiring him to work as a legal hacker.
Still, it took Mr. Moured 2 1/2 hours to break into Juggy's database and download a list of cardholder names, account numbers and expiration dates. He used SQL injection to find an open port on the server, then sent a command through a tunnel he created between the server and his own PC. In response to that command, the server sent all the credit-card information to him.
Before long, Mr. Whitaker and Mr. Van Luvender found that two students were trying to break into the instructors' files to find the answer to the competition.
That wasn't part of the game they planned. But the instructors were delighted. "They've learned to think dirty," Mr. Whitaker says of the students.
First Published: March 23, 2006, 5:00 a.m.