US defence systems are like a baked Alaska - a hacker's tale

What makes a full-time IT professional spend hours every evening hacking into high-security computer systems? Bill Goodwin meets...

What makes a full-time IT professional spend hours every evening hacking into high-security computer systems? Bill Goodwin meets KP who explains how he was drawn into the shady world of the black hats

KP is a well-paid IT professional by day. By night he is a "black hat" computer hacker, a self-confessed computer criminal, who spends his free time roaming the Internet looking for challenging computer systems to crack.

His victims include the Scottish Parliament, numerous telephone companies and the US defence establishment - its security systems, KP discovered, were full of holes. "They give the impression of having amazing security. Systems administrators on the job 24 hours a day. But when you see behind the scenes, it is just complete and utter vomit, a complete mess" he says. "A good comparison would be baked Alaska - hard on the outside, but soft and squishy on the inside."

He once found plans of torpedoes, space suit designs and the performance data for strike fighter engines strewn across the network of a US defence supplier. "They were wide open. I went in their back door and stole as much as I could. Not military secrets. As many captures as I could just to prove I was there. And then I just got the fuck out of there," he says.

Telephone exchanges are KP's speciality. Looking at the subscriber lists of phone exchanges and seeing the names of military establishments flash by, or using the exchanges to make undetectable free phone calls, are a real turn-on for him.

KP claims to have secured himself full system administrator rights to a telephone exchange in the North of England. "If I had felt so inclined I could have shut it down and isolated business communications between the North and the South, between England and Scotland," he says.

KP spends most evenings hacking. His PC trawls the Internet 24 hours a day looking for likely targets. "After work I usually sit down, watch TV, have a beer, unwind. And then I check the haul for the day and just start ploughing through. If it is something interesting I will probably spend the rest of the evening on it."

These days KP is selective about what he hacks. Most systems are too easy and too dull to waste time looking at. He prefers the more difficult stuff. "Anything that is mainframe or legacy based, or that holds estate data is very interesting to me, particularly telephone systems," he says.

KP has little time for the script kiddies that spend their time defacing Web sites. "That's pretty trivial behaviour, just smoke and noise. No one is interested in the political movement, or the thinking behind it," he says. When KP hacks, he is careful to cover his tracks.

KP's interest in hacking began when he was at school. He researched the subject for a computing course assignment, and was soon in touch with other hackers and trying their techniques for himself. Not having a computer, he turned his attention to telephone networks. "As luck would have it, they left open the exchange door one night. So I just walked in and helped myself to documentation and paperwork - whatever I could carry," he says.

"I would also make a regular point of going into bins outside exchanges and collecting anything I could find. Even if they tore the documents up I would take them home and spend hours reconstructing them. Some of the most interesting stuff I got was from documents that were supposedly destroyed."

KP soon discovered that he could program telephone exchanges from a mobile phone keypad. "I could put calls through for free with very little difficulty at all. And having billed another person, I could put the switch into test mode and listen in on other people's calls. Although I did not have a computer, I still had control over some of the major functions of the switch," he says.

KP got his first computer two years later - a 4MHz SX25. He used his black hat connections to gain access to underground bulletin boards where he could learn techniques from other hackers. "It was like the first day of crime basically," he explains. "The first thing I did was get a mobile phone - a chipped P3 - so I could make free calls to London, Manchester and what have you. It was fairly easy getting hold of the codes because I had a snaffer, which is a device that scoops the airways and picks up code pairs as they are going backwards and forwards."

At university, the library was a goldmine of technical journals, containing everything that a budding hacker would want to know. KP helped himself. "They had cutting-edge books that you would never be able to afford on new switching methodologies and computer systems, and technical papers from telecoms companies that you would not normally have access to," he says. KP was soon too busy hacking to complete his degree.

KP admits that he has come close to being caught several times. His first successful hack, for instance, was a company in Florida that makes sealant rings for binary chemical weapons. "I had gone to sleep because the job had taken so long. The operator had come online and written 'who is this' 14 times on the screen and hung up. He tried to lock me out but I came back using his account and locked him out for three days before they got around to securing it," he recalls.

KP says he is not worried about either the police or the possibility of prosecution under the Computer Misuse Act. As far as he is concerned, the law does not apply to him. "It is all about acknowledging you are a computer criminal," he explains. "And when you make that acknowledgement you live with it. You sleep a lot better at night because you realise that specific parts of the law don't apply to you because you have chosen to step outside the various guidelines that keep normal people in tow.

"I just don't care, to be honest. As far as I am concerned, it does not affect me. I will continue to do what I want to do until the day I get caught or I am bored, I am not really bothered about the consequences.

"I have never intentionally hurt anyone. A lot of people would question my motives and I am certainly capable of inflicting great harm on a lot of people, but I choose not to."

Read more on IT risk management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.