Within two hours of walking into the Dublin offices of a well-known financial institution, Patrick Hynes had stolen 15,000 credit card details. Using a laptop computer, a few lines of software code and a phone line, he bypassed the firm's security and hacked into its customer database. For Hynes it was almost too easy but for the institution this "hack" could have cost it thousands of pounds and, more importantly, its reputation.
Luckily Hynes is not a computer hacker bent on fraud. He is a member of the security and technology team at the the consultancy firm, Ernst and Young. So, instead of posting the company's credit card details on the Internet, as one cheeky hacker did last month with porn website playboy.com, Hynes spent this week teaching a class of Irish executives the black arts of how to hack into computer systems and extract information.
"You need to know your enemy to find out how to stop him," says Hynes, who developed the concept of an "eXtreme hacking" course while working in Chicago. "We teach all the hacking skills so executives can defend their systems and put in place counter-measures."
The 20 executives who took the first Irish version of the course this week at Trinity College included Information Technology experts from leading Irish firms and members of the Garda's fraud unit. Firms paid £2,000 per participant for the two-day course, which promises to teach executives how to hack to avoid becoming the latest victims of Internet fraud.
The hacking bias in the course is reflected in modules which have outlandish titles such as "hijacking a user's desktop" and "exploiting information leakage." On the first day participants are taught 15 easy hacking steps to break into networks based on the most commonly used software, Microsoft Windows NT. Successful lab work ultimately means course participants have managed to circumvent security features to break into a particular system.
"IT security is something you need to be kept up to date with," says Brian, an IT expert working with a major bank who joined the class to become more aware of the tactics employed by hackers. "One of the most important things I'm learning is just how surprisingly easy it is to break into company websites. It can be done in minutes."
With more and more companies choosing to do business over the Internet, the risk of electronic fraud is steadily increasing. Although just 10 per cent of hackers write the software code which enables them to break into systems, they often make their "hacking tools" freely available on the web. This encourages other less advanced hackers, or so called "scriptkiddies", to have a go at hacking.
"Our computer logs show that someone was trying to hack into my company's site last night," says one course participant who doesn't want to be named for security reasons. The real issue for his company is being brought into disrepute by a hacker, he says.
Analysing computer log files is a type of forensics which can be used to track hackers who leave complex trails that can ultimately be used as evidence in courts. But arrests and successful convictions of hackers are rare, often because firms are unwilling to report fraud, says Dan Quealy, Ernst and Young's director of security.
"I know people are hacked here in Ireland but just don't report it. They just act to stop the fraud but don't bring it to the attention of the Garda in case it leaks out. For financial institutions it's their reputation that is at stake."
Quealy, an American lecturer who specialises in developing programmes to manage the risks of clients' e-commerce initiatives, believes a newer and more dangerous type of hacking is becoming more prevalent.
"We are seeing a more concerted effort from big business who are using it for competition reasons," says Quealy. "There is a growth in information brokers who are very willing to share information about companies and use different means to get that."
The type of security required by firms is also changing as companies connect their internal systems to suppliers and other vendors to streamline their distribution networks.
"It's no longer good enough to have a firewall protecting your internal systems. Now the security of the internal network must be at the same level," he says.
This is one of the reasons that "eXtreme hacking" courses are proving popular. But they are also creating a human security chain.
"We are developing a community here and that's important because hackers have their own community and share their ideas publicly on the Internet. Traditionally security experts haven't done that and a course like this enables them to come together and learn from each other."
Ernst and Young is planning a second eXtreme hacking course dedicated to another popular software standard called Unix. And with the prevalence of computer networks growing rapidly, there will probably be no shortage of candidates. But getting on to the course isn't as easy as you may think.
"We only accept firms which have a relationship with Ernst and Young," says Quealy. "We don't accept individual consultants, we just can't take the risk of someone learning these skills and using them to hack properly."
