Hackers are among us: shopping at the same grocery stores, sharing buses with us, even working in our offices. As you read this, your son or daughter may be experimenting with basic computer coding and tinkering with Arduino electronics. Just a hobby, you say naively? Wake up, Utah. When you least expect it, hackers can own you.
In a quiet, nondescript office suite in downtown Salt Lake City, a group of hackers have gathered to delight in the latest developments in Wi-Fi hacking. The clutch of code wizards each has his or her own moniker—special online handles—like Metacortex, Nemus, Lean, Grifter and Dr. Unicorn. The group looks as harmless as a bunch of college students at an off-campus study session. Nothing appears out of the ordinary—well, except for Dr. Unicorn, who silently listens to the evening’s hacking presentation wearing a rubber unicorn mask.
The first item of mischief under discussion is a Wi-Fi “pineapple,” a small device that’s used to mimic unsecured—and in some cases secured—wireless hotspots. When a person clicks on what they think is a Wi-Fi network they’ve used in the past, they’re actually joining the hacker’s network.
Testing out the devious pineapple, Metacortex (editor’s note: hacker handles, which involve a mix of letters, numbers and characters, have been translated into plain English in this story) shows how clicking on the dummy network allows the hapless victim’s computer to be mercilessly “Rick-rolled,” as the computer screen is taken over by a video of British pop singer Rick Astley singing “Never Gonna Give You Up.”
Another tool discussed by the hackers, still in the early stages of development, is a kind of Bluetooth “sniffer” that allows hackers to take over the audio inside of a moving vehicle.
“If there is like a Beemer or Mercedes tailgating you, you can associate with their car and say, ‘Get the fuck off my ass,’ through their speakers,” Metacortex says. The possibilities, which might be terrifying to some, are hilarious to the group gathered in the DC801 Salt Lake City hackerspace club.
While they may laugh maniacally, the reality is that this is not a conspiracy of evil scientists bent on digital destruction but just a social get-together of people who work in information security. They hack so that they can help, learning what new threats are out there and how to stop them before it’s too late.
To some extent, these hackers are simply tinkerers who understand their computers from code to circuit boards, the same way motorheads understand their cars from axles to engines. The club members revel in the creative problem-solving, and their zeal for securing data and networks has practically gone viral through Utah’s budding cybersecurity industry.
Cybersecurity companies are flocking to Utah to support the state’s budding tech industry and prominent data centers that have come to Utah, thanks in part to the state’s relatively inexpensive electricity. As Utah’s cybersecurity presence grows, it’s nourished by two unique areas: the academic world, where the University of Utah and Utah Valley University are known for their solid cybersecurity research and education, and the “hackerspaces,” informal clubs where hackers practice their art free from the constraints of classrooms and curriculums.
These creative tech addicts are working not just to improve private cybersecurity, but, in some cases, to even sharpen the country’s cyber-readiness. The next greatest threat to global security may not be a terrorist hijacking a plane, but a network of cyberterrorists hijacking the country’s sensitive infrastructure—shutting down power grids and military installations with a fusillade of code launched from the other side of the world.
The term “hacker” seems like a throwback to the ’80s and ’90s, when the Internet and home computing were new technologies. The Internet and personal computers took a sudden turn into a rebellious adolescence as a generation of hackers mastered the technology in leaps and bounds ahead of average users. Their seemingly magical prowess over the intricacies of computers and other electronics spawned the image of the recluse lurking in a dimly lit room, face awash in the green glow of a monitor, mashing keyboards and wreaking havoc.
Criminal hackers haven’t diminished in number, but they have become stealthier. For the average criminal or “black hat” hacker, penetrating a vulnerable system to find information is the goal. Many computers become infiltrated when people click on bad links and/or are not religious about updating their software. “Injection” attacks go beyond that; you could simply be looking at—not even clicking on—a post on your Facebook wall to have your computer compromised.
These hackers seek to control your computer to send spam e-mails to your contacts, pitching them on porn sites, pharmaceuticals and other illicit goods. While a few years ago, users would suddenly discover that everyone in their e-mail contacts list had been sent a message asking them to click on a link, most current hacking methods are much more subtle. Instead of bombing all your contacts with spam, your computer may be sending out only four or five spam e-mails a day.
But it goes further than embarrassing spam e-mails for Viagra and Russian girls. People now worry about hackers from countries like China or North Korea seeking to carpet-bomb the code that runs America’s digital defenses and infrastructure.
In February 2013, The New York Times broke a story about the possibility of a Chinese army unit leading high-level cyberattacks in the United States. The Times got the story the hard way, having discovered that the paper had been hacked after journalists there reported on China’s wealthy power elite. In April, hackers got their digital mitts on the Associated Press’ Twitter feed and tweeted to the wire service’s millions of followers that there had been explosions in the White House. In the few short minutes the fake tweet was left uncorrected, it became a trending topic and caused the Dow Jones to fall more than 100 points.
While state-sponsored cyberwarfare represents one of the biggest tectonic shifts in foreign policy since the terrorist attacks of Sept. 11, cybercriminals have also perfected a means of bleeding vulnerable systems for pure profit.
On the local front, in 2012, criminals were able to access the personal information of three-quarters of a million of Utah Medicaid clients, exposing them to identity theft. In the wake of the breach, the state reportedly spent $9 million to help those whose Social Security numbers were compromised, running a security assessment of state servers, upgrading existing security and creating the Office of Health Information & Data Security.
While the breach was a black eye for Utah, the state is becoming a hotspot for the cybersecurity industry. By fall 2013, the National Security Agency will have completed a $2 billion “spy center” in Bluffdale. In March 2013, cybersecurity company FireEye announced a major expansion to Utah that will bring 250 new jobs to the area.
University administrators, gearing up their own tech programs to adapt to growth in the field, say that Utah’s relatively inexpensive power and skilled workforce are what’s attracting major data centers like the NSA, as well as mega-techie companies like Omniture and Domo. As Utah’s mini Silicon Valley—far south in the Salt Lake Valley and through Utah County—grows in reputation, the Governor’s Office of Economic Development has recognized the need to keep it secure. The 2013 Governor’s Utah Economic Summit was the first this year to provide intensive training on cybersecurity needs for local companies.
In September 2012, Utah Valley University was awarded a $3 million cybersecurity grant from the U.S. Department of Labor. The university already has popular associates and bachelor’s degree programs in information security, but Keith Mulbery, chairman of UVU’s information systems & technology department, says the grant will now help provide post-baccalaureate degrees to help students land advanced management-level cybersecurity certifications.
“A lot of employers right now are desperate for cybersecurity professionals, both in the private sector and the public sector,” says Robert Jorgensen, a UVU senior faculty professional in residence who was brought on to develop the new courses.
The grant will also fund a new 18-credit certification to help people acquire a basic IT certification.
“It will help people who have lost jobs due to maybe the recession ... and get them the job skills ready for an entry-level position in these industries that have a lot of job potential,” Mulbery says.