- Walter Novak
- With just a can of Pringles, this man can break into your company.
John Bradbury wasn't surprised when Ohio University revealed that hackers had breached its computers, stealing the personal information of more than 100,000 people. Colleges, after all, offer thieving at its easiest.
It wasn't long ago that Bradbury was summoned to a Big Ten school, where French hackers had commandeered student, staff, and payroll records. They'd also swiped info on sensitive government and corporate research projects. "They wanted a quarter of a million so they wouldn't publish the information on the internet," he says.
The university president balked, but it took Bradbury a month to isolate the attack and repel the hackers. Meanwhile, the Social Security numbers and payroll records for some 30,000 people are still out there, likely being traded on the identity theft market, where personal IDs sell for five bucks a pop.
It could have happened at any school, says Bradbury. "They tend to be extremely liberal, thinking that information should be open and shared." That just makes it easier for people like him.
He says it would take "maybe a day, probably less than a day" to hack into Case. He'd simply walk into the library pretending to be a student who forgot to pay his dues for that semester, then ask to borrow someone's computer password. A few hours later, he could steal or sabotage anything he pleased.
Fortunately, Bradbury is with the good guys. He's a vice president at IntelliNet, a Cleveland technology management company. But he's well aware of how easy it is to hack virtually any system. He does it for a living.
He tells the story of a multinational food company that believed it "had pretty much built Fort Knox." It took him just six hours to hack in. Then he told company officials to look at their website. He showed them how he had taken control of their price lists, sales orders, credit card numbers -- everything.
With news of recent breaches at the FBI, the Federal Trade Commission, and the VA, common wisdom suggests that government agencies are the identity theft market's leading supplier. True, institutional ineptitude and unskilled IT workers make them akin to grandmas in the mugger industry. (Ohio Secretary of State Ken Blackwell even posted Social Security numbers on the internet. Can you say "moron," boys and girls?)
But corporations aren't much harder. They're just not telling you about it. "Over 90 percent of all hacks go unreported because of the embarrassment to the company," says Bradbury. "If I'm Ford, and some 14-year-old in Indonesia hacked into my system, people aren't going to be willing to invest in companies that are easily compromised."
As part of his sales pitch, he shows companies how easily he can break into their systems. In one case, he had a picnic 150 yards from a manufacturer's building, then used the foil from a can of Pringles as an antenna to get access to the company's wireless network. A few hours later, he'd cracked the encryption system. "There hasn't been one that we haven't gotten into."
And if the system itself proves difficult, there are other methods. He's been known to call secretaries, pretending to be from IT, and ask for the boss' password, saying he doesn't want to bother the big man. They'll readily hand it over.
He tells of how easy it would be to pretend to be a technician and show up in the middle of the night at the 911 emergency services center, located in IntelliNet's building on Euclid. Who asks for credentials when the inconspicuous geek arrives?
And even if this fails, the city's caverns are littered with cable, underground wiring accessible from basements and sewers. It would take little effort to tap in and connect to a program that mines for valuable data. He could sell it, or blackmail companies into buying it back. That's how the game is played.
Of course, Bradbury isn't just any geek. The former Army Ranger's father was an engineer at Dell and IBM. At age eight, Bradbury was already breaking into his hometown police station's system, checking for the parking tickets and misdemeanors of his parents' dinner guests. He speaks with a relish for busting into places he isn't supposed to be. Here is a man clearly at one with the hunt.
The problem is that there are so many others like him. They may lack his skill, but they compensate with malicious intent. Hackers, he says, are no longer middle school kids fueled by mischief and Mountain Dew. "I equate them to the Mafia, how organized they are."
Some are the techno version of jewel thieves: They're simply after the money. Others have far darker motives.
It's now estimated that 50 percent of all commercial attacks come from China -- encouraged by the Chinese government. And though cave-dwelling terrorists may lack the smarts to beat sophisticated encryption, their money can buy someone who can.
It would take little effort to wreak wholesale damage on the U.S. economy. In the case of the Big Ten school, it's the loss of millions of dollars for sensitive research, sold to a foreign rival. In the case of terrorism, it's the ease with which one could shut down a company like Global Crossings, the Cleveland firm that provides a backbone to the internet.
According to Bradbury, it would take but a few hours to break off internet traffic flowing through cables in downtown Cleveland, knocking out perhaps 20-30 percent of U.S. traffic. And there is nothing anyone could do to stop him.
"Global Crossings could spend billions on assets," he says, "but they can't protect that manhole on East 14th."
The only defense is to unplug their modems.