Hackers: If You Can't Beat 'em, Recruit 'em
January 15, 2006Sebastian Schreiber's face lights up with a mischievous grin and his eyes gleam with excitement as he talks about computer hack attacks.
"Cross side scripting or SQL injection attacks -- these are really clever," said the man some describe as one of Germany's leading hired hackers. "It's fascinating to cheat computer systems, to break into systems to identify security holes and to demonstrate to our customers that we're able to compromise their systems."
The 34-year-old is not a criminal hacker, but a so-called hired hacker. And he's been breaking into computer systems for the better part of 20 years. At the age of 11, he got his first computer. One year later, he started writing his first hacker scripts -- all of that long before the advent of the Internet.
Ironically, his father is a judge - and maybe that's what tipped Schreiber towards hacking within the boundaries of the law.
Hacking into client servers
Today he heads Syss - one of Germany's top IT security firms. He created the business seven years ago while still a computer science student. These days, his clients include some of the world's biggest companies, including DaimlerChrysler, SAP, Deutsche Bank, IBM, the European Central Bank and the European Commission.
"They want to protect their systems against attacks from spies, against espionage, against those who break into the system and sell information, for example, to competitors," he said. "And they want to protect their systems against Internet worms or viruses."
To protect his clients from the murky cyber world of hackers, Schreiber and his team conduct penetration tests - or so-called pen tests. This means they actually try to attack the Internet sites and the computer systems of their clients.
Find weaknesses
The first part of their mission is to identify weaknesses on the clients' Web page. Then it gets more hands on. With the help of their hacker laptops, they go to the company, log in to their network and check how easily they can access secret corporate information.
"Sometimes we don't know where the servers are located, for example when we do the pen tests for SAP -- we attack all the systems they have in the Internet -- we attack dozens of countries," Schreiber said.
Sometimes they hack attack more than 1,000 servers at the same time -- and he says those attacks can get really complicated. Off-the-shelf software simply can't do the job.
"These attacks are really clever," said Schreiber. "We can't do them with software. We have to do them manually. We have to write our own attack scripts and every attack is different. We have to write attacks for only one use."
And like anything in the IT world, a hack attack doesn't come cheap. Schreiber charges 1,300 euros a day, and an attack can last anywhere between two days and two months.
Not average 9 to 5 job
It's also definitely not an average 9 to 5 job. Coffee as you'd imagine keeps many of the hired hackers fuelled; adrenaline does the rest.
"Usually my employees who are about to get into a system won't go home at five o'clock in the afternoon but will stay until they crack the system."
Schreiber calls it "Jagdtrieb," or the hunting instinct. It's an amazing feeling he says and it never wears off because every hack is different - not to mention the information they find.
"All kinds of information, for example bank account information, lists of passwords, health information, confidential information in research and development," he said. "We can get all the company secrets that you can imagine."
And what do they do with this information?
"Of course we don't take a close look at the data -- we only take a few lines in order to demonstrate that we have been able to download the information," he said. "We stop reading when we find out that the information is really confidential."
That's also why the office has a special shredder for all this top-secret information, a good thing for his customers and their clients. One of Schreiber's biggest hacker successes was penetrating one of Germany's biggest banks.
"We were able to get into the accounting system of the bank," he said. "So we could see all the customer data, all account data, we saw everything, the transactions, that was really interesting and from a technical point of view it was quite clever to get into the system."
Mixing with the low
In order to keep up-to-date, Schreiber and his team regularly join hacker conventions, Internet chats and go underground for the latest tips, tricks and tactics. But to what extent should hired hackers like them mingle with those on the wrong side of information highway?
"That's a conflict. On the one hand our customers don't want us to have contact to the dark side, on the other hand our customers want us to have all the latest information before it's published on the Internet and that's not possible," Schreiber said. "It's a dangerous situation. We need the contact, but we don't want the contact."
So what is the solution? Contact, but not friendship, he says.
Despite all the efforts, the dark side remains a step ahead most of the time. After all, there are thousands of hackers all over the world with loads of time on their hands to hack as a hobby.
Hired hackers however are very much in demand - as long as they don't have a criminal record. Schreiber is even running a competition called "capture the job" in which he asks young hackers to attack one of their systems at www.syss.de
Although now Schreiber is a master corporate hacker, that doesn't mean he's not interesting in future challenges.
"Maybe I'd like to do a project for the National Security Agency in the United States. That would be a real challenge," he said.