Featured Posts
Recent Posts

November 17, 2019

October 20, 2019

September 8, 2019

Please reload

The White Hat

November 17, 2019

Ernest Neap shuffled forward in the queue. He didn't feel conspicuous in his raincoat and white roll necked shirt. In fact, he'd dressed like that to blend in; to merge into the crowd.
Shouts of, 'Tickets please?' galvanised the people ahead of him into action; reaching into pockets, producing iPhones and holding them up to be scanned. Ernest's ticket had cost him fifteen pounds. It was a lot of money for a pensioner like Ernest to pay but, and this was why he'd bought it, the ticket was a means of escape from his mundane life for a couple of days. The cyber security conference promised entertainment, a chance to get out of the house and perhaps even find a new career.
Since retiring, Ernest had tried working as a security guard in the shopping mall but he'd been fired after three days. 
     'You're too old to chase shoplifters and teenage yobs around shops Neap,' said his supervisor, 'and you should have told us about your knee replacement. Go home old man and put your slippers on.'
Cyber security, that was the answer; sitting in front of a computer would suit him fine. It never occurred to Ernest that computer programming was involved.
     'Ticket!' demanded a kid in a green t-shirt on the door.
     Ernest fumbled in his pocket, producing a handkerchief and a crumpled slip of paper. The bar code was a faded lemon yellow. 'My printer needs a new ink cartridge,' he explained.
The kid grinned, nudged his companion, then tried and failed to scan Ernest's paper ticket. He shrugged and gave up. The second youth handed Ernest a ribbon with a security badge and shoved a plastic bag at him.
     'What's this?' asked Ernest.
     'Goody bag,' replied the youth. 'Your t-shirt, programme and stuff.'
     Propelled forward by the queue, Ernest stopped at a table in the atrium and rifled through the bag: A pen, chocolate bar, the programme, leaflets and a grey t-shirt. He unfolded the shirt, held it up and read, 'CyberX 2018.' Around him visitors were undressing and slipping on their grey t-shirts. It was easy for them. Most had arrived dressed in shirt and jeans. Ernest removed his coat and was about to take of his white roll necked shirt when he changed his mind. Instead he pulled the grey t-shirt on, over his white shirt and put his coat back on.

     

'So there it is, we're in,' said the speaker. The lecture hall was brightly lit and full. A dribble of cold sweat ran down Ernest's back. He wanted to remove his coat but there was no room to move. Tier upon tier of watchers followed the green dot as the laser light danced across the screen. Some made notes. Others used their phones to photograph the images of computer code. The auditorium buzzed with excitement. Eager to see, Ernest peered over the shoulder of the cameraman, standing in front of him.
The speaker, a young man wearing a black t-shirt with long hair wound in a bun, turned off his laser pen. 'I'm happy to take a few questions.'
     Several hands shot up. The speaker scanned the sea of faces and pointed to the back of the lecture hall to a youth with large glasses. 'Brains in Thunderbirds, he'll do,' thought the speaker. The audience waited while a helper hurried up the stairs with a microphone.
     'So are you saying the programme you've written will penetrate any firewall?' asked Brains.
     'Yes I am,' answered the speaker, 'and, as I've just demonstrated with Mcabbey and DogGuard the firewalls are totally unaware they've been compromised.'
     'What about Thornton?'
     'Just as useless.' The speaker scrolled back to an earlier slide of a dozen leading firewall logos. 'They all are. If it's a computer connected to the internet no firewall is impenetrable and the claims they all make in their advertising blurb are ALL bullshit.'
     In less than an hour, Ernest had watched the speaker penetrate different firewalls, undetected by the systems supposed to protect the computers. He'd exfiltrated data, installed malicious software, taken control of a network operating system, encrypted data and sent a ransom demand.
     'That's about it guys. Don't worry; I'm a white hat,' said the speaker. 'What you have just seen is real but no harm has been done. Now, if I was a black hat, a hacker with evil intent, you can see how easy it would be for me to do real damage. I'll be sharing all the programme code on my website after the presentation and if you want to see it again there will also be a podcast. Feel free to use the code I've written and you're welcome to improve it but remember, we're all red team members here, our job is to test organisations defences not to break in and steal stuff.' He smiled, acknowledging the applause signalling the end of his presentation.
     Ernest sat and waited while the lecture hall cleared. Young, long haired computer geeks, unshaven, some in shredded jeans, shuffled down the stairs, past the speaker's desk and out of the hall. A few lingered to ask the speaker questions, to congratulate him and thank him for sharing the secrets that would unlock the back-door of any computer.
     A podcast, available on the internet, giving away a programme, written to break into computers, struck Ernest as ridiculous; like handing out lock-picks to burglars - a hackers bonanza. Get your free crook's kit here!
     He thought back to when things were simpler, when thieves used a brick or a jemmy to break in, a fishing rod through a letterbox to hook keys from a hall table, a time when real villains used sawn-offs to rob banks, a time when his mates called him Nipper Neap, a time when he had mates.

     The speaker was drinking coffee in the atrium, apparently listening to a lanky kid dressed in a grey t-shirt, when Ernest approached. In fact the speaker was only half listening. The other half of his cortex was comparing the kid with Shaggy Rogers and wondering if he had a dog called Scooby Doo.
     'Last year I was in the team that pen tested Buy and Save,' said the kid. 'You know, the supermarket chain.'
     'Cool,' said the speaker.
     'We probed with a Neutrino Exploit Kit and then did some manual stuff. It was easy. I got in through the finance director's personal laptop. Imagine that. The finance director, what a twat. His password was a joke and got me straight past the firewall and into Buy and Save's head office network. I left a little present, just to prove the hack.'
     'Present, what do you mean?'
     'I changed the purchasing algorithm.' The kid rubbed the stud in his nose. 'Yeah, to wind them up - ten tons of baked beans randomly ordered to different stores. It'll take them months to find out why.' He giggled nervously, waiting for a reaction; to see if we enjoyed his joke.
     A convoy of lorries loaded with baked beans, thundering along a motorway, flashed though Ernest's mind.
     The speaker raised his eyebrow and turned to Ernest.
Realising he'd said a stupid thing and over-stepped the mark, the kid, backed away and melted into the crowd.
     'Why did you do it?' Ernest asked quietly.
     'Do what?'
     'You say you're a white hat but you're giving these kids the tools to hack into computers.'
     The speaker placed his cup on a table and motioned for Ernest to follow. He stumbled after the speaker, pushing through the crowded foyer and out to the plaza.
     The speaker turned and faced Ernest, holding his hand up to shade his eyes from the sun. 'You don't look like a programmer. Who are you?'
     'I'm a security expert,' said Ernest. 'A white hat.'
     'You a white hat!' said the speaker. 'Do you even know what it means?'
     Ernest felt the barb. The cheeky young sod was insulting him.
     'How old are you?' asked Ernest. 'Twenty, twenty-five? When you were a kid didn't you go to Saturday morning pictures?'
     The speaker looked blank, as if he was listening politely but he wasn't. His cortex was thinking, 'Who is this old man? I think he looks like Uncle George.'
     It occurred to Ernest that multiplex cinemas might not show Saturday morning pictures any longer.  'Every week they would show a short cowboy film and the good guy always wore a white hat....'
     'Of course, we all know and guess what, Uncle George?' interrupted the speaker. 'The bad guys wore black hats.' He grinned. 'So you're telling me you were a sheriff, you tamed a town, put the bad guys in jail. I bet you even got the girl in the white dress. Don't tell me.' He put a finger to his forehead. 'She was the school teacher.'
     Ernest took a small involuntary step towards him. 'I was a copper, Nipper Neap of the Yard. You might have heard of me.'
     'Nipper Neap of the Yard. Well Mr. Policeman or should I say Mr. Ex Policemen, you ask a very good question. Why do I do it? I'll tell you why. This is a cyber security conference. We're here to talk about how to beat the black hats and to do that we have to learn about the tools they use, to follow them down the rabbit hole. That's why, to share the knowledge.' He checked his watch. 'I have to go. A talk I want to hear on side stepping data leak protection with just a browser is about to start... Look Columbo, if you're serious about understanding what I'm doing, check out the code. You'll find the answer there.'
     'Who's Uncle George?' called Ernest but there was no reply. The speaker had gone, back into the conference centre.

 

Ernest spent hours looking at the programme's code but it told him nothing. He simply wasn't good enough to understand. Like an old dog, he was struggling with a new trick. The speaker had said the answer was in the code but the jumble of numbers, letters and symbols was beyond Ernest. He wasn't clever enough to unlock it, to reveal its secret.
     Then, one evening, he decided to test the code, to see if it really worked, to prove the speaker's presentation wasn't fake and perhaps learn what he would not tell.
     Ernest switched on his computer and ran the speaker's programme. It stopped and asked for a target. Ernest thought for a moment and then typed Goldpower.com. He wasn't sure why he chose his electricity supplier as the guinea pig. Any large company would have been suitable.
     The screen went black, then, after a few seconds, it turned dark blue. Letters and numbers started to flash across the screen as if someone was typing furiously.
     'What's happening,' muttered Ernest. The typing accelerated and became a blur of characters. Unsure what he was supposed to do next Ernest went to make a cup of tea. He returned, carefully placed his cup and saucer beside the keyboard and munched on a digestive biscuit. The typing had stopped. The screen had changed. The speaker's programme had worked its magic. Ernest was in and, what's more, he had domain admin. He could go anywhere he pleased in Gold Power's computer network; customer details, suppliers records, bank accounts, policy documents, emails, nothing was hidden. Gold Power's inner secrets were his to explore.
     Ernest grinned. He felt rather pleased with himself. He'd hacked into a big company. 'Cyber security isn't that hard,' he said to no one in particular.
     Of course, getting in was one thing but what should he do now? Ernest didn't know. He'd not really been paying attention during that part of the speaker's presentation. Ernest wasn't a thief, he didn't want to hurt Gold Power or blackmail the company but it wouldn't do any harm to have a look around, would it?
     

Ernest spent more than an hour exploring. He read boring emails, minutes of meetings agreeing price increases, personnel records and then, almost by accident, he found himself looking at his own electricity account. Mr. Ernest P. Neap - estimated meter reading 16th November 268,456Kwh - units consumed 1,243Kwh balance outstanding £218.56. The paper bill had arrived from Gold Power in the post that very morning. Ernest held the invoice up against the screen and compared the amounts, half expecting them to be different. They were the same. Then, he had an idea. Why not issue himself with a credit note? No one would know. He wouldn't be greedy; a couple of hundred pounds. Gold Power could afford that. Ernest raised the credit note for two hundred pounds and waited for his account update. Minutes passed. Nothing happened.
     'Oh well! Must have done something wrong. Probably for the best,' muttered Ernest and closed the programme. He was tired and it was past his bed-time.

 

A loud bang woke Ernest. It was dark. Someone was breaking in. He fumbled for his glasses on the bedside table and peered at the alarm. It was five o'clock. Loud voices. Men were yelling inside the house. Heavy footsteps pounded up the stairs. The bedroom door burst open. A torch beam blinded Ernest. Strong hands pulled him up and forced his arms back. He was handcuffed and dragged from the room.
     'Find his computer,' ordered a voice.
     'It's here,' shouted another.
     'Bring it along.'

 

Ernest sat in the interview room. A naked light bulb glared down. Wearing just the boxer shorts he wore in bed, he was cold and tired. The canvas chair hurt his back. Lunchtime had passed but there was no food. His stomach was growling. Ernest scratched the stubble on his chin and yawned.
     'Are we boring you,' said the inspector.
     Ernest stared at the inspector's bulbous red nose. He knew the type from his time in the force; beer belly bruisers who enjoyed celebrating in the police social club after a good collar.
     'I'm tired.'
     'Gold Power's security team knew, as soon as you were in their network. They watched you poking about, saw everything you did,' said the inspector. He smiled. Nipper Neap of the yard, a crooked cop, what a great case to crack. He'd dine out on this one. 'Thought you were clever, did you Neap, hacking their system?'
     'I told you, I was testing a programme from the cyber security conference in Manchester. For God's sake, you know I'm a retired copper. I haven't done any damage. You can check.'
     The inspector sat back in his chair. He was enjoying the interview, enjoying putting Nipper Neap in his place. 'You were probably scouting and planned to come back later.' He got up and went to the window. 'Do you want to know how their security knew who you were?'
     'Was it because I looked at my electricity account?'
     'Did you? I didn't know that,' said the inspector and sat down again. '...There was an alarm in the programme code you used. It warned them you were hacking their network and,' he pointed at Ernest, 'it did something else. The code unlocked an executable file which laid a breadcrumb trail straight back to your computer. You see, while you were hacking their network, snooping around in Gold Power's system their security team was exploring your computer. Ingenious, don't you think?'
     'So what happens now? What are you going to do with me?'
     'I'm going to charge you and, you'll be pleased to know, the courts are cracking down on cyber crime. Ernest Neep, an ex copper hacking into a major utilitie's computer network. They'll love that. You might not have stolen anything but you'll get a custodial sentence. Three to five years, I should say,' said the inspector.
     Three to five! Ernest felt sick.
     'You're not the first,' smirked the inspector.
     'What do you mean I'm not the first?'
     'Honey-pot has caught other black hats with their hands in the till.'
     'Honey-pot, what's honey-pot?' asked Ernest but he already knew the answer; it was in the code. Then he remembered, honey-pot was the name of the speaker's programme.

 

Ernest Neap was home on bail, waiting for a trial date, when there was a knock at the front door.
     'Looks official,' said the postman and handed him a brown envelope together with a second, white envelope. Ernest recognised the Crown Prosecution Service Crest on the corner of the brown envelope. His heart sank as he signed for the letter. He took the letters into the kitchen, carefully slit the brown envelope open, read the contents and did a little dance around the kitchen table.
     Because of his exemplary record as a decorated police officer with many years of service and because no harm had been done the CPS had decided to drop all charges against him. 'His activity, penetration testing Gold Power Limited, was considered by the CPS to be the action of a White Hat,' said the letter.
     In the excitement he forgot the white envelope was there. Later that morning while he was preparing a celebration lunch, a sausage sandwich with brown sauce, he found it on the table.
     The envelope was from Gold Power Limited. In it was a single sheet of paper, a credit note issued by their accounts department for two hundred pounds.

 

Please reload

Orielton Banqueting Tower - Doesn't everyone need one?

October 6, 2019

1/9
Please reload

Click here

for the latest

news and

stories