'Ethical hackers' train to safeguard online world

Keatron Evans teaches his students to build hacking tools that can invade the computers of unsuspecting users, stealing information, freezing programs and infecting them with invisible viruses.But only if they pledge to use their supercomputing powers for good.Eight corporate and government employees signed the pact, ponied up $3,795 and spent last week in a Redwood City, Calif., classroom trying to get one over on one another -- and a visiting reporter.Soon enough, my computer inexplicably went out of my control. The CD drive spontaneously opened, the browser switched Web sites and a message popped up on the desktop: "We own the world!"Students who pass this class will be certified "ethical hackers," or white-hat hackers. With more training, they can become "pen testers" -- people who penetrate corporate and government networks to look for flaws. Most students won't learn enough in a week to acquire the skills of professional hackers, Evans said. His goal is to get them to think like hackers. The best ones never stop looking for new ways to penetrate and exploit machines. Whenever the students tried something, Evans challenged them to think how else they could have accomplished it. He also warned them whenever they were about to try something that's illegal outside of class. "You can construct a tool that can tunnel inside anything, guys," he said. "That's the whole point here."Demand for the class is growing, said Evans, a security consultant who teaches it on behalf of Training Camp in Philadelphia. But, he said, students are coming in with fewer skills than they did six years ago when he started teaching. That's because companies -- some now compelled by federal and state regulations -- recognize cyber-security as a problem. Meanwhile, the slow economy has led companies to curtail spending, so information technology staffs don't have the luxury of specializing in security.So far, black-hat hackers have the advantage. The number of serious flaws in software grows every year, up 28 percent from 2006 to 2007, according to IBM's Internet Security Systems. The time it takes antivirus vendors to come up with software patches to protect against attacks also is growing because new viruses and worms are being created so fast. More than 5.5 million pieces of malware -- malicious software code -- were loosed on the Internet last year, reports AV Test Labs in Germany. That's more than five times the number released in 2006 and 16 times the number released in 2005. Hacking for profit has become an industry that mirrors the legitimate software industry. Anything needed to commit a cybercrime -- viruses and worms or the toolkits to make them, software flaws, infected computers to relay spam -- can be bought online.The boot camp's star student, a young woman forbidden from revealing her name or employer, created an infected version of Google's home page. With a click of her mouse, she grabbed Google's source code and embedded a Trojan horse so that anyone who visited the page and clicked on the Google search button got infected. It's a common hack with many variations. Thousands of Web pages are compromised every day, according to Steve Munford, CEO of Sophos, which sells antivirus software. In fact, over the past two weeks, tens of thousands of high-traffic Web sites -- including MSNBC Sports, Wired.com and ZDNet.com -- were infected through a carefully planned SQL Server attack, reported Websense, which filters Web pages for corporations. SQL Server attacks trick Web pages into revealing the contents of any SQL Server databases that power them.The young woman then turned her infected Google page into a drive-by attack. Now, anyone who visited her page was infected automatically, without having to click on anything. "Look at what (students) are able to do with Google in just a couple hours," said Andrew Whitaker, another instructor. "Now imagine a bunch of experts."Tips for businesses on the Web:Three of four Web sites run by businesses are vulnerable to attack, according to SANS, a group of security researchers in Bethesda, Md. To protect yourself:-- Don't run software you don't need.-- Use a firewall.-- Don't load disks or peripheral devices if you don't know what's on them. -- Don't click on links or attachments in e-mails or instant messages. -- Keep your antivirus software up to date. AV Test Labs in Germany recently graded antivirus tools. See links.sfgate.com/ZCVB.(E-mail Deborah Gage at dgage(at)sfchronicle.com.) (Distributed by Scripps Howard News Service, www.scrippsnews.com.)