My actions constituted pure hacking that resulted in relatively trivial expenses for the companies involved, despite the government's false claims.
Companies spend millions of dollars on firewalls, encryption, and secure access devices and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer, operate and account for computer systems that contain protected information.
I can go into LinkedIn and search for network engineers and come up with a list of great spear-phishing targets because they usually have administrator rights over the network. Then I go onto Twitter or Facebook and trick them into doing something, and I have privileged access.
My hacking was all about becoming the best at circumventing security. So when I was a fugitive, I worked systems administrator jobs to make money. I wasn't stealing money or using other people's credit cards. I was doing a 9-to-5 job.
What happens with smaller businesses is that they give in to the misconception that their site is secure because the system administrator deployed standard security products - firewalls, intrusion detection systems, or stronger authentication devices such as time-based tokens or biometric smart cards. But those things can be exploited.
New security loopholes are constantly popping up because of wireless networking. The cat-and-mouse game between hackers and system administrators is still in full swing.
Nine out of every 10 large corporations and government agencies have been attacked by computer intruders.
One of my all-time favorite pranks was gaining unauthorized access to the telephone switch and changing the class of service of a fellow phone phreak. When he'd attempt to make a call from home, he'd get a message telling him to deposit a dime, because the telephone company switch received input that indicated he was calling from a pay phone.
I'm an expert witness in a case that's in appeal about a guy who allegedly misappropriated source code from a major, major company - he actually worked there and then apparently they found it on his laptop later.
The explosion of companies deploying wireless networks insecurely is creating vulnerabilities, as they think it's limited to the office - then they have Johnny Hacker in the parking lot with an 802.11 antenna using the network to send threatening emails to the president!
For the average home-user, anti-virus software is a must.
For the average home-user, anti-virus software is a must. A personal firewall such as Zone Alarm and running a program like HFNetcheck, which is a free download for personal users. It checks your system to see if anything needs to be patched. I'd also recommend a program such as SpyCop to periodically check for any spyware on your system.
People are prone to taking mental shortcuts. They may know that they shouldn't give out certain information, but the fear of not being nice, the fear of appearing ignorant, the fear of a perceived authority figure - all these are triggers, which can be used by a social engineer to convince a person to override established security procedures.
I characterize myself as a retired hacker. I'm applying what I know to improve security at companies.
I use Spam Arrest because of the amount of junk mail I get. Any legitimate person who wants to send me a message has to jump through hoops before they can be added to my opt-in list.
I think it goes back to my high school days. In computer class, the first assignment was to write a program to print the first 100 Fibonacci numbers. Instead, I wrote a program that would steal passwords of students. My teacher gave me an A.
The first programming assignment I had in high school was to find the first 100 Fibonacci numbers. Instead, I thought it would be cooler to write a program to get the teacher's password and all the other students' passwords. And the teacher gave me an A and told the class how smart I was.
Social engineering is using deception, manipulation and influence to convince a human who has access to a computer system to do something, like click on an attachment in an e-mail.
No way, no how did I break into NORAD. That's a complete myth. And I never attempted to access anything considered to be classified government systems.
I'm still a hacker. I get paid for it now. I never received any monetary gain from the hacking I did before. The main difference in what I do now compared to what I did then is that I now do it with authorization.
