Behind the code: a conversation with an ethical hacker

When most people think of hackers they think of movie tropes; hooded teens stood on street corners uttering "I'm in" in hushed tones before taking down the evil corporation. Or maybe we've just watched Hackers too many times. 

In the real world, hackers are a blight, stealing sensitive information and shutting down essential services. Thankfully, there are also ethical hackers, known as 'white hats', who basically do everything that illegal hackers do, but then helpfully explain how they've done it after.

For this edition of Talk Radar we're talking to Tim Varkalis, who worked as an ethical hacker for cyber security firms Portcullis and PwC.

First things first, how much is hacking like the 90s film Hackers?

Hacking is much cooler. It’s like a combination of Swordfish and Star Trek

Really?

No, not really. After eight years together my partner was still unable to tell when I was working because to an external observer it just looks like somebody staring at lines of text on a screen. It would probably be the worst spectator sport in the world. 

But it is fascinating, it is exciting; because when you do understand it, it’s the fingerprint of the world that you’re looking at, trying to figure out how it all works, how to manipulate it to your will, [uncovering] the steps you need to use to confuse this thing and get it to do your bidding. It’s a challenge.

How do you get the job of being a hacker?

There are now degrees in hacking. You can do an entire degree dedicated to hacking at Royal Holloway. Sometimes people study it and they come out and they know nothing. They’re not as good as the intern sat next to them that studied classics. That stuff happens. 

Brains work in all different funky ways, and it’s a case of looking for people that can understand how a system works, and then how it breaks. It’s an advanced version of that thing that inquisitive kids do with a Hoover where they take it apart to figure out how it works. 

I was intrigued because some of my friends were going for this career, and I imagined it would be like Girl With the Dragon Tattoo...super geek stuff. But that was really inconsistent with the technical skill level of my friends, so I thought maybe this is realistic for me. 

And that’s when I found out that loads of things connected to my childhood went into this hacking thing; bashing about with bits of code. Making things work. Making things break. I had a degree in physics and no computer qualifications, and I just sent out a lot of CV’s. 

On the nature of code:

It’s the fingerprint of the world that you’re looking at.

How challenging is being a hacker?

Not very. It depends what kind of defence they’ve got.  

Sometimes it’s about finding cool vulnerabilities. But most of the time, you only need very basic skill and publicly available videos on YouTube. A bit of time to test things out. And then pretty much anyone can get into pretty much anywhere. 

There are lots of organizations that you’d imagine would be pretty good in terms of their security, and they are pretty good on the scale of things, but that doesn’t mean they're good enough to keep out a 15 year old. 

Not literally a 15 year old?

Yeah. I had a client once who was resistant to fixing his system because he didn’t think an ‘average’ hacker could do what I could do. I didn’t want to undermine the marketing spiel but I’m definitely not the world’s best hacker. 

I ended up saying 'It’s actually really easy, four steps and you’re done'. By this stage I was getting quite frustrated with him so I found YouTube videos that were each less than ten minutes each, that were of prepubescent children explaining the four steps. The whole conversation changed after that. 

The difference between a hacker and a cybercriminal:

The majority of people called hackers have absolutely no technical skill whatsoever. Not even the blindest understanding.

The problem is that the hackable surface for most organizations is huge. They have this huge estate to look after, which is so complex and convoluted and so there are all these possible pathways that are in there. The hacker only has to find one hole, but the organization has to find all of them and plug them. It’s like playing whack-a-mole. 

And meanwhile, the hacker community is amazing at sharing tools and ideas with each other.

What do you mean by tools?

Most of the tools that are of value are things called exploits. So they are the things that will get you into the system, or get you your first foothold. They are basically when any administrator hasn’t checked that something’s up to date. 

The NHS attack is a good example. The exploit was MS17-010 which was stolen by the Russian secret services from the American secret services and then published on the internet. A month before it was published on the internet, Microsoft released a patch. People didn’t patch, then the vulnerability was released, then a few people patched but a lot of people were left open.

Over the course of the month after it had been released somebody beavered away making another tool which instead of just getting in, runs this thing that encrypts all your files and demands money for them. And then also runs a thing to try and connect to every other computer that it can to see if it can run the exploit again.

The whole toolkit is complicated to talk about, but really you can just think about them as tools. It’s like having a hammer or a spanner lying around. You can usually either cobble one together from things you find on the internet if you’ve got some skill. 

If you didn’t have the skills, could you buy all the tools necessary?

Yeah. The majority of people called hackers have absolutely no technical skill whatsoever. Not even the blindest understanding. Most of the ransomware that’s going around, they don’t have any clue what it’s doing technically. You don’t need it. 

There are people selling full services, you go on there and they have bronze, silver, and gold subscriptions. They have 24 hour support lines. They’re proper businesses.

Should I be afraid?

How much do general people have to fear from hackers?

That depends largely on how much they’ve got to lose. It depends how much their life is tied up online. It depends on a lot of things. 

But really, fear is relative. I know someone who refuses to use online banking because they’re afraid of hackers. So they cancelled online banking and only did in-branch banking. And they lost all their money because they’d been done by in-branch fraud. And actually in-branch fraud is much more common. You can’t do rigorous un-crackable encryption on bits of paper in an office. 

What can people do to protect themselves?

All the good practices. Don’t click on dodgy links, go on reputable websites. That kind of stuff. Sometimes, vulnerabilities will be a vulnerability in your web browser, so if you’re running a certain version and you play a certain kind of video, then that’s it, they’ve taken control of your computer.

So there is updating, but also antivirus. If you’ve got an antivirus installed, hopefully by the time I get to you with my tools, the tool will have already been used somewhere else and then there will be a signature added to your antivirus that will protect against my tools. 

The general things are obvious: Don’t use s****y passwords, don’t use the same password in loads of different places, do use antivirus. Disable things you don’t use. Don’t go on dodgy websites. Don’t click on links from people you don’t know. If something pops up and says ‘Run me, Run me, Run me’, maybe try googling it first rather than just taking a gamble. 

Sorry to return to (the Angelina Jolie masterpiece) Hackers, but there’s the bit about people being easy to hack because they are using common passwords. Is that a real thing?

Yeah, it’s amazing. It’s incredible that ‘password’ used to be the most common password. Then Windows changed its complexity requirements so you had to have a capital letter, a lowercase letter and a number, then that’s when it became ‘Password1’. 

‘Blank’ is also an incredibly common password. As is Admin. You can find lists online of common passwords. The common thing you do when you compromise a domain is you grab all the passwords, then you do statistics on them to see how many people use which passwords.

Usually if your password gets taken, it’ll be in a bunch of hundreds of thousands of passwords that will be farmed across to see where they work elsewhere. Unless they are specifically going after you, it won’t matter that your passwords are very closely related. So it’s much better to have lots of similar passwords with one complicated bit than use the same password everywhere. 

So then you only have to remember one complicated bit. But with your email I would say it’s very important to just have a completely unique password that only lives in your head, and you just deal with it.

Fighting fire

So it's actually a pretty dull job?

I wouldn't say that. One time I had to test an installation where they handled high pressure gas. When I was testing I had to go out and buy a full fireproof suit, armour, all that. I was like ‘Why do I need to test in this?’ I was in the control room with all the computers hooked up to the industrial valves. And they said, ‘Whatever you do, don’t f**k up’.

  • Andrew London has always been fascinated by the amazing things that people do that shape the way we live our lives. In his regular TalkRadar column, he will be interviewing people from across the world of tech to discover what they do, and why they do it.
Andrew London

Andrew London is a writer at Velocity Partners. Prior to Velocity Partners, he was a staff writer at Future plc.