Hackers Courted by Government for Cyber Security Jobs – Rolling Stone
Inside a darkened conference room in the Miami Beach Holiday Inn, America’s most badass hackers are going to war – working their laptops between swigs of Bawls energy drink as Bassnectar booms in the background. A black guy with a soul patch crashes a power grid in North Korea. A stocky jock beside him storms a database of stolen credit cards in Russia. And a gangly geek in a black T-shirt busts into the Chinese Ministry of Information, represented by a glowing red star on his laptop screen. “Is the data secured?” his buddy asks him. “No,” he replies with a grin. They’re in.
Fortunately for the enemies, however, the attacks aren’t real. They’re part of a war game at HackMiami, a weekend gathering of underground hackers in South Beach. While meatheads and models jog obliviously outside, 150 code warriors hunker inside the hotel for a three-day bender of booze, break-ins and brainstorming. Some are felons. Some are con artists. But they’re all here for the same mission: to show off their skills and perhaps attract the attention of government and corporate recruiters. Scouts are here looking for a new breed of soldier to win the war raging in the online shadows. This explains the balding guy prowling the room with an “I’m Hiring Security Engineers. Interested?” button pinned to his polo shirt.
Hackers like these aren’t the outlaws of the Internet anymore. A 29-year-old who goes by the name th3_e5c@p15t says he’s ready to fight the good fight against the real-life bad guys. “If they topple our government, it could have disastrous results,” he says. “We’d be the front line, and the future of warfare would be us.”
Related: Sex, Drugs and the Biggest Cybercrime of All Time
After decades of seeming like a sci-fi fantasy, the cyberwar is on. China, Iran and other countries reportedly have armies of state-sponsored hackers infiltrating our critical infrastructure. The threats are the stuff of a Michael Bay blockbuster: downed power grids, derailed trains, nuclear meltdowns. Or, as then-Defense Secretary Leon Panetta put it last year, a “cyber-Pearl Harbor… an attack that would cause physical destruction and the loss of life, paralyze and shock the nation and create a profound new sense of vulnerability.” In his 2013 State of the Union address, President Obama said that “America must also face the rapidly growing threat from cyberattacks.…We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy.”
The pixelated mushroom cloud first materialized in 2010 with the discovery of Stuxnet, a computer worm said to be designed by the Israeli and U.S. governments, which targeted uranium-enrichment facilities in Iran. Last fall, Iranian hackers reportedly erased 30,000 computers at a Middle Eastern oil company. In February, security researchers released a report that traced what was estimated to be hundreds of terabytes of stolen data from Fortune 500 companies and others by hackers in Shanghai. A leaked report from the Department of Homeland Security in May found “increasing hostility” aimed online against “U.S. critical infrastructure organizations” – power grids, water supplies, banks and so on.
Dave Marcus, director of threat intelligence and advance research at McAfee Federal Advanced Programs Groups, part of McAfee Labs, a leading computer-security firm, says the effects would be devastating. “If you shut off large portions of power, you’re not bringing people back to 1960, you’re bringing them back to 1860,” he says. “Shut off an interconnected society’s power for three weeks in this country, you will have chaos.”
Related: Meet the Legendary Hacker the Government Set Out to Destroy
Hence, events like HackMiami, where the competition to hire cyberwarriors is increasingly intense. “There’s too much demand and not enough talent,” says Jeff “The Dark Tangent” Moss, founder of the largest hacker convention, DefCon, held annually in Las Vegas. Despite the threats, a report by the Commission on the Theft of American Intellectual Property, a group comprised of former U.S. government, corporate and academic officials, recently concluded that so far the feds have been “utterly inadequate [in dealing] with the problem.” While Uncle Sam is jockeying for the Internet’s best troops, private security firms are offering way more pay and way less hassle. Charlie Miller, a famous hacker who exposed vulnerabilities in the MacBook Air and iPhone, spent five years with the National Security Agency before joining Twitter’s security team. Earlier this year, the DHS lost four top cybersecurity officials. In April, Peiter “Mudge” Zatko, a renowned member of the pioneering hacker collective Cult of the Dead Cow who was working at the DOD’s Defense Advanced Research Projects Agency, split for Silicon Valley to join his former DARPA boss, Regina Dugan. “Goodbye DARPA,” he tweeted. “Hello Google!”
As a result, there’s a metawar taking place: one between government and industry to score the country’s toughest geeks – like the ones here this weekend – to join their front lines before it’s too late. “We need hackers,” Janet Napolitano, secretary of the Department of Homeland Security, told Rolling Stone in June, “because this is the fastest-growing and fastest-changing area of threat that we’re confronting.” A month later, however, she announced that she was leaving DHS too – stepping down from her post to head the University of California system.
Hey, dude!” says David Bonvillain. “Let me buy you a mojito!” It’s not even noon at the Holiday Inn bar, but Bonvillain, head of the Denver-based Accuvant LABS, one of the most elite and flashiest computer-security firms, is already working the crowd because, as he puts it, the competition is “feverish.”
A brash, Ferrari-driving 40-year-old who chain-puffs an e-cigarette and is sleeved with tattoos, Bonvillain is among the country’s top hacker scouts. While the feds try to recruit hackers on the glory of public service, Accuvant has honed a sexier pitch. “We built an environment that allows people to legally do the things that would put them in jail,” Bonvillain says, exhaling vapor, “and we have a great time and make a good living doing it.”
Accuvant represents an upside to cyberwar: a booming market. Corporations spent $60 billion worldwide on information-security services last year, according to a report by Gartner, a technology-research firm, and are expected to shell out a whopping $86 billion in 2016. To the consternation of businesses around the world, entrepreneurial hackers hunt for security flaws, then sell the technical info to governments from Russia to North Korea, as well as the National Security Agency here. Google and Microsoft are among those who pony up as well, hoping to improve their products. Technical details on a single vulnerability go for as much as $150,000.
Accuvant specializes in attack and penetration, or “attack and pen” for short, infiltrating their clients’ computer systems to expose and improve weaknesses. Their clients include everyone from banks and hotels to federal agencies, which can pay upward of $100,000 for a single test of their services. To maintain integrity during a penetration test, the client’s underlings aren’t told they’re being targeted. A Minnesota casino hired Accuvant to try to break into its computer room and access its most sensitive data. Not only did the team succeed – convincing workers they were tech-support staff – they walked out the door carrying the casino’s computer servers. They then posed with their bounty by the slot machines, flipping off the camera for a picture they sent to the casino’s boss. Another time, they hacked a Department of Defense contractor by parking a rental car outside a warehouse and scanning the wireless network with laptops and antennas. “It’s sad, honestly, how vulnerable they are,” Bonvillain says.
Accuvant understands the talent better than most, because they rose from the hacker underground themselves. Bonvillain, a metal guitarist who spent a night in jail in high school after getting busted riding his motorcycle over 100 mph, started hacking computers and phone phreaking while at James Madison University in Virginia in the mid-Nineties. “I wanted to break into stuff,” he says. “I thought it was the coolest thing.” Inspired by the movie War Games but eager to stay out of trouble, he eventually put his skills to use as a professional hacker testing security for companies that paid him. “As soon as I found out that information security was actually a job and, even better, a job you could make some good cash at, that was all I wanted to do,” he says.
Related: The Brilliant Life and Tragic Death of Web Pioneer Aaron Swartz
Jon “Humperdink” Miller, a hulking, goateed 31-year-old in a backward baseball cap and shorts, who, as head of research and development, oversees Accuvant’s military clients, is like a supersmart Chris Farley. He started attending hacker conventions at age 13 and became notorious when he appeared at DefCon with no shirt and a vanity license plate of his nickname around his neck. He jokes that his greatest hacker skill is “drinking,” for which he has an award named after himself at the Vegas confab. When he was in high school in San Diego, he says, he made $80,000 a year doing his own attack-and-pen operations. At 17, the National Security Agency offered him a college education, a company car and a substantial stipend if he agreed to work for them after graduation. But he passed on the offer. “Guys like me refuse to get clearance,” he says, gulping a beer. “You have to be professional. You have to be reserved. Here, like, if you’re a loud asshole and you’re smart, sweet! We know a lot of loud assholes.”
Bonvillain balks over security clearance too. “If you’ve smoked pot more than six times, you can’t join the FBI,” he says. “When they interviewed me, I asked, ‘In one day?’” The drug test is no small issue. A three-year no-use policy eliminates a huge slice of the young hackers coming out of school into the workforce. “That disqualifies a bunch of people that would be perfectly skilled and trustworthy,” says Moss, “just because they smoked pot in college.”
Attracting and keeping cyberwarriors is as much about marketing a lifestyle as it is offering big bucks. (The money is good, though, with salaries for top contractors at firms like Accuvant easily topping $200,000 a year.) “Look at Alex,” Bonvillain says, pointing at Accuvant’s head of security architecture, Alex Kah, a tatted-up Kentuckian with a slacker drawl. “Could you imagine him trying to go into the NSA with ‘Louisville’ tattooed across his neck?” Accuvant hires electronic-music duo the Crystal Method for its parties and makes the hippest swag in the business: bootleg Adidas tracksuits, stickers and T-shirts modeled after Iron Maiden’s “The Trooper.” To score one notorious hacker, they agreed to buy him his own gold-plated, $1,000 espresso machine. “The reason we’re successful is because we market this like a metal band,” Bonvillain says.
And they’re fired up by the enemy. Humperdink grows red in the face when he starts ranting about how China gives a pass to its rogue army of hackers. “If you’re a lone Chinese hacker not employed by the Chinese and you want to hack Charles Schwab, go for it,” Humperdink says. “Consequence-free. Do whatever you want. You’re fighting the great Satan. They’re completely covert about operational security. They don’t talk about active hacks against the U.S. That’s completely off the record. That shit happens every day.”
Related: Lone American Wikileaks Member Fights Repressive Regimes, Including His Own
Their outrage makes them even more patriotic. Humperdink comes from a family of Marines and law enforcement. Bonvillain draws inspiration from his dad, a retired lieutenant colonel in the Army, who now works as an intelligence officer for the Defense Intelligence Agency – serving posts in the Balkans, Afghanistan and Iraq – and has been nominated for the counterintelligence’s hall of fame. “I’m deeply patriotic,” Bonvillain says. It’s the same blend of working-class blues and American pride that fueled the old military. “Every serious hacker that I know came from very, very blue-collar or underprivileged backgrounds,” he says. “It made them hungry. They’re willing to do whatever it takes.”
Scenario: Hackers use a computer worm to take command of controls at a nuclear power plant, causing a Chernobyl-style meltdown.
Reality: Stuxnet, which targeted a uranium-enrichment facility in Iran in 2010, proved this possible. Though Iran has not confirmed whether the worm successfully damaged the centrifuges, one Iranian scientist later reported that a hack forced computers to play AC/DC’s “Thunderstruck” at full volume on random machines in the middle of the night – just to drive them nuts.
Scenario: A worker at a power plant clicks on an e-mail link, unleashing malicious software, which crashes electricity for an entire city.
Reality: A 2013 congressional report on Electric Grid Vulnerability found more than a dozen of utilities report “daily,” “constant,” or “frequent” attempted cyberattacks on their systems – one utility reported 10,000 in a month. “We know that foreign cyberactors are probing America’s critical infrastructure networks,” then-Defense Secretary Leon Panetta said in October 2012. “They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout the country…. We also know that they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life.”
Scenario: Hackers take over train systems, derailing locomotives across America.
Reality: In 2008, a 14-year-old boy in Poland proved how easy this is to do. He built a device to control track points in the city of Lodz, causing four trams to jump tracks. “He treated it like any other schoolboy might a giant train set,” police said, “but it was lucky nobody was killed.” In December 2011, a rail company in the Pacific Northwest was attacked by hackers who disrupted train signals for two days. “Cyberattacks were not a major concern to most rail operators” until this time, the TSA stated in an internal memo obtained by Nextgov.com. “The conclusion that rail was [affected] by a cyberattack is very serious.”
Scenario: Attackers hack into a water utility system, shutting off the water supply for an entire city.
Reality: In 2011, hackers breached a water plant in Springfield, Illinois, toggling the system on and off until one water pump burned out completely. Later that year, a hacker claimed to have used a simple three-character password to access the infrastructure system for South Houston – posting screenshots online to prove it. “I’m sorry this ain’t a tale of advanced persistent threats and stuff,” he said, “but frankly most compromises I’ve seen have been a result of gross stupidity, not incredible technical skill on the part of the attacker. Sorry to disappoint.”
Scenario: Phone systems get disabled. Missile launches can’t be monitored. Radio distress signals go unnoticed.
Reality: In 2011, the annual report of the U.S.-China Economic and Security Review Commission revealed that two U.S. government satellites had been hacked in 2007 and 2008 by hackers believed to be in China. “Such interference has the potential to pose numerous threats, particularly if achieved against satellites with more sensitive functions,” according to the report. “Access to a satellite‘s controls could allow an attacker to damage or destroy the satellite.”
Scenario: Hackers take over social media, posting messages from news organizations on Twitter, Instagram and Facebook saying that Obama has been assassinated – causing Wall Street investors to panic and sell off their goods.
Reality: Something like this happened for real in April, when hackers hijacked the Associated Press Twitter feed, posting the phony message “Breaking: Two Explosions in the White House and Barack Obama is injured.” A group called the Syrian Electronic Army took credit for the hack, which caused a momentary $200 billion drop in the Dow.
To get a sense of just how weak our cyberdefenses are, I take a trip with Jayson Street, Chief Chaos Coordinator for another firm, Krypton Security, into the basement of a hotel in South Beach. We breeze past an open door with a taped sign that reads, “Doors must be closed at all times!!!” This is where the brains of the building live – the computer network, the alarm system, the hard drives of credit-card numbers – but, as Street tells a brawny security guard, he’s here on the job, “doing a Wi-Fi assessment.” Street, a paunchy, 45-year-old Oklahoman in a black T-shirt and jeans, flashes the hulk some indecipherable graphs on his tablet and says, “We’re good,” as he continues into another restricted room.
Related: Hackers, Leakers and Activists Are the New Political Prisoners
The doors aren’t locked. No one seems to be monitoring the security cameras. The wires for the burglar-alarm system are exposed, ready for an intruder to snip. We make our way to the unmanned computer room, where, in seconds, Street could install malware to swipe every credit-card number coming through the system if he wanted to. “They’re like every other hotel I’ve tried to go into,” he tells me. “They fail.”
Government agencies and corporations fly Street around the world to see if he can bullshit his way into their most sensitive data centers. He has scammed his way into a bank in Beirut, a financial center across from Ground Zero, a state treasury department. He usually records his infiltrations on a spy watch, a 16-gigabyte HD video recorder with infrared lights, then turns over the footage to his clients. When I ask Street the tricks of his trade, he tells me there are two keys to stealing data in person: act like you’re supposed to be there and carry a tablet PC, which convinces victims he’s a tech-support worker. “People see this thing,” he says, waving his tablet, “and think it’s magical.”
Street, who has authored a book about security flaws called Dissecting the Hack, is a highly sought-after speaker at hacker conventions from ones in China to this weekend’s in Miami, and has consulting gigs in Cyprus, Jamaica and Germany. “I am not an American hacker,” he says. “I am not a Oklahoma City hacker. I am a hacker. I don’t care what country you’re from. If you’re trying to defend yourself and you’re trying to work to better protect your company or your country, I’m all for it. I’m here trying to help secure the Internet.”
But there’s one job he’ll never take: working for the feds. “The American government has to understand that to get someone who thinks outside the box to work for you, you can’t immediately put them in a box,” he says. “And that’s the problem.”
Street is among the many who cite the legacy of the late hacktivist Aaron Swartz as a cautionary tale. A research fellow at Harvard, Swartz accessed the MIT computer system and downloaded millions of academic-journal articles. He was charged with violating the Computer Fraud and Abuse Act and, facing decades in prison and $1 million in fines, committed suicide in January. “The government says, ‘Hey, we really need your help, can you hack for us?’” Street says of Swartz. “And then, on the other hand, it’s like ‘Oh, you’re a hacker, you’re going to jail! We’re going to hound you until you kill yourself.’”
Gregory “Mobman” Hanis kicks back with his laptop on a florally upholstered couch in the Holiday Inn lobby, ready to annihilate another 45 million people. He’s not doing it in warfare, though: He’s hacking Candy Crush Saga, the most popular game on Facebook. As rows of sparkly treats fill his screen, he opens a second window, which contains a program he wrote. With a few deft strokes, he casually cranks his Candy Crush score to 10 million, earning the high score and swiftly crushing the dreams of players who devote hours a day – not to mention real money, which they use to buy extra lives – to the game. “It’s literally taking candy from babies,” he says, with a sigh.
There’s a reason he sounds so weary. Mobman is a 32-year-old wizard who can hack just about anything but has to settle for a job as a network admin for an online-poker company. That’s because he’s a convicted felon, a black hat who, because of one major fuck-up as a teen, can’t get hired directly by the feds or most private companies. His story represents another hitch in the cyber-recruitment race: the brilliant hackers who’ve crossed the line earlier in life. “I’ve been in there. I know it, and I’ve done it,” he says. “That’s what you would get from me.”
Related: Is This Man the Most Hated Person on the Internet?
Like Street and the others, Mobman fits Bonvillain’s bill of being damaged and hungry. The son of a U.S. Marshall mother and an absentee father, he got A’s in schoolwork but F’s in conduct. “I was bored,” he says. “They didn’t push me.” Instead he pushed himself, writing a program that let him cheat in his favorite game, Ultima Online. Mobman just wanted to steal virtual weapons and gold to get an edge. But when the program, Sub7, leaked onto the Net, black hats around the world discovered it could be used to steal all kinds of things, including AOL accounts and credit-card numbers. Sub7, the first hacking tool of its kind, went viral. “I was like, ‘Holy shit,’” he recalls, “‘I’m gonna get in trouble.’”
Sub7 itself wasn’t illegal; it was the criminal use of it that was a problem. But in 1999, when Mobman was 19, after getting pissed at AT&T for refusing to fix his overcharged cellphone bill, he hacked into the company to change it himself. Instead, he says, he accidentally took down the entire AT&T network in California and Nevada for almost two days. (An AT&T spokesperson won’t confirm or deny the attack.)
After pleading to a charge of “modification of intellectual property,” Mobman spent seven months in jail awaiting trial before receiving five years’ probation – and then spent months living on the streets after his mom refused to take him back in. The experience left him changed and determined to put his skills to good use. “That’s why I want a job,” he tells me. “So I can do it legally.”
The federal cyberforces, though, generally don’t hire felons. But private contractors like Accuvant are technically free to employ whomever they want. “For me – it depends on the felony :),” Bonvillain writes me in an e-mail. “There was a day (10 years back or so) that such a conviction would have prevented his employment. Today, that’s not as strict of an unwritten rule.” Though a felon would have trouble getting security clearance for more hands-on jobs, he could still contribute as part of the security team.
For now, this leaves guys like Mobman to hustle work on the private side, which he’s busy doing here this weekend. To help amp up his image, Mobman has been conducting his own security research at home, sometimes involving a bit of hacking. He gives companies the opportunity to fix bugs, then posts his findings in white papers online. One was about how hacking a single computer could take the entire country of Australia offline. Another one detailed security holes in the popular Web-page-programming software Joomla. However, a few days after he posted the former, he got a letter from the Department of Homeland Security. They weren’t impressed. They were informing him they’d taken the paper down.
The Biggest Military Hack Ever
For about a year, a single hacker had access to dozens of computers within the U.S. Army, Navy, Air Force, NASA and the Department of Defense. The hacker turned out to be Gary McKinnon, a man in London, later diagnosed with Aspergers, who claimed that he was merely looking for evidence of UFO technology. No matter, McKinnon’s hack exposed the absurd vulnerability of our military systems, which he accessed because they had miserably poor password protection. United States attorney Paul McNulty called McKinnon’s feat “the biggest military computer hack of all time.”
The cyberwar with China began with Titan Rain, the U.S.’s code name for a series of attacks on government agency computers at the Defense Department, Homeland Security, as well as the State and Energy departments. “This is an ongoing, organized attempt to siphon off information from our unclassified systems,” one U.S. official said. A 2007 Pentagon report concluded that the People’s Liberation Army was stepping up its cybergame. “The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks,” the report revealed. “In 2005, the PLA began to incorporate offensive [operations], primarily as first strikes against enemy networks.”
After the Estonian government dismantled a Soviet World War II memorial, all hell broke loose online. Banks, news media and even government websites crashed in the wake of the most crippling cyberattack a country has ever seen. For the U.S., it was a foreboding sign of hackers’ brutally effective tools like denial-of-service attacks and botnets. Nashi, a young activist group supported by the Kremlin, later claimed responsibility, which the Kremlin denies. The hack showed how one lone hacker has the power to take down a country’s critical infrastructure with relative ease. Live Free or Die Hard turned from a fantasy scenario to a looming reality.