Why Johnny Long Hacks Stuff

The Christian hacker talks about how he wrote No Tech Hacking, why he thinks social engineering is easier than hacking software, and how he's trying to get the hacking community to do charity work

Johnny Long has been hacking stuff for as long as he can remember. But Long, a professional hacker and security researcher at Computer Sciences Corporation, doesn't fit the stigma. As a self-described Christian hacker who created an organization for the hacking community to do charity work, he says his goal is to improve the security of computer networks by exposing their vulnerabilities. He became the authority on search-engine hacking in 2005 when he wrote Google Hacking for Penetration Testers, the first book exploring how malicious hackers use Google features to unlock security flaws. In his new book, No Tech Hacking (which CSO has excerpted, LINK TK), he explains how hackers are using their curiosity and sense of perception to compromise security without the use of technology, and what security professionals need to know to get ahead of the game.

CSO: Explain the concept of “no-tech hacking.”

Johnny Long: Security is a race between the good guys and the bad guys. Everybody tries to get more technically advanced and smarter about what it is that they are doing. After being a professional hacker for a number of years, breaking into computer networks and breaking into physical buildings to get access to computer networks and data, I learned that the things I was able to do most successfully often had very little to do with technology. I could spend a week, a month or three months pounding on an Internet-connected network for some agency trying to sneak past their firewall, or in a matter of two days I could actually be inside the building through social engineering: maybe by creating a fake badge that looked like an employee badge, pretending to be a telephone repairman, or even by entering through the smokers' entrance. There's a whole pile of stuff that doesn't involve technology. (See CSO's excerpt of No Tech Hacking for more on the problems with employee badges, LINK TK.)

CSO: Why does a good “no-tech hacker” also have to be a good social engineer?

Long: It's all about being comfortable where you are. A lot of people assume it's like acting, where you have to play a part, but really it's just about coming across as someone who's not up to something. Really good social engineers can pick up the phone and change their voice or their age. These days, you don't even have to do that; you just have to be comfortable and convince yourself that you're in a place you belong, that you're having a conversation that's completely normal.

CSO: What was the writing process like? Did you find that you learned new things as you went along?

Long: This was slow in coming. Many projects I work on are three to six months from beginning to end. The writing process for “No Tech” was very similar to that in duration, but the research, stories and photos behind it are years in the making. I got to the point where I saw so many things in public that I started carrying a camera with me all the time. I started pulling together years worth of pictures and war stories, and then came to the realization that it was practical stuff that a wide audience could understand. “No Tech” gets to the heart and soul of what we’re up against, not just for corporations trying to protect their data, but for individuals trying to protect their privacy.

CSO: Talk about your relationship with your work partner Vince, who you describe in the beginning pages of the book. What’s the most valuable lesson about no-tech hacking that you learned from him?

Long: Vince was instrumental. He was a mentor in many different ways. He didn't just give me practical advice; he literally shifted my perspective to focus on things most people wouldn't think about. In our working relationship, I was always considered the hacker because I broke into the systems and the networks, but Vince really personified what it is that makes hackers special. It's that mentality of seeing life from a different perspective. Even though Vince isn't highly technical (he's excellent with things like communications and physical security), his skills plunge right into the heart of the technical world. He could find a way into a building and walk out with an armful of sensitive documents, a process that would have taken us months from a purely technical angle. It was incredibly eye-opening.

CSO: What is the most important aspect of no-tech hacking?

Long: It's definitely awareness. No-tech hackers are definitely more aware than the standard person. They notice details; they're very perceptive. It's definitely something that can be learned, but it comes much easier if you have an instinct for it. The awareness associated with no-tech hacking goes a long way for preventing it as well. If you're walking into work and you notice there is a bag full of un-shredded paper sitting outside the dumpster, or you notice a door that is supposed to be locked and isn't: it's noticing that and being willing to do something about it. There is a fine line. I don't want to create a society of completely paranoid people. But at the same time, I have been able to walk around airports, past the security gates, taking pictures of people's baggage or taking video footage of pilots pushing the combination into a door lock. In this day and age, in that environment, someone should be noticing. In my experience, right now, they are not.

CSO: Your actions make sites more secure. Was that your intent when you got into hacking?

Long: No, I had no clue. I’ve always had a passion for technology. Security and hacking was a really fun sideline. It’s similar to a child who takes to puzzles or math. Hacking for me was like figuring out this really cool puzzle. But even as a kid, I wasn’t doing anything malicious. I was just infinitely curious. It was a new territory to explore. When I got into college, I followed traditional advice and took typing classes. I thought I wanted to be a systems administrator because that’s what I was told my skills lined up as. I never imagined I’d be doing security work. I fell into it almost accidentally. Most of it was through Computer Sciences Corporation, where I work now. They hired me as a systems administrator, but they also had a security team. When I realized they got paid to break into networks and things like that, I was insanely curious. At first, members of that team were very skeptical of me. I was a little too interested, and I was young. I had an image of liking to buck the system and disliking the corporate world. Eventually I ended up founding a penetration testing team within CSC.

CSO: Are you disturbed by the vulnerabilities you detect as part of your work? Excited by it? A little of both?

Long: I think it's like every other profession. After a while you get used to it. Doctors see grisly accidents and pull people back from the brink every day. It can be such an incredible rush, but when you do it hundreds of times, it gets to the point where you push it off to the periphery and it becomes hard to be surprised. I'm at the stage where I am rarely surprised anymore. I think I just have a sense of humor about it now more than anything.

CSO: You've created an organization enabling the hacking community to do charity work. Do people have trouble understanding how hacking can actually be good?

Long: There is a definite stigma around who hackers are. There are a lot of people out there who really are just criminals using computers, and they are called hackers because they are doing all these malicious things. But the vast majority of people who actually fit the term hacker are more curious. They have unbelievable skills. We want them to apply those skills to areas where they are needed the most. In the case of AOET (an organization dedicated to helping poor orphans whose parents have died of AIDS in countries like Uganda) we are literally saving lives and getting supplies to where they are needed. We take the skills the hacking community is willing to offer us, run them through a rigorous vetting process, and the result is that we help not only charities, but hackers who are looking to get into the legitimate world and get a real job.

CSO: What are some examples of how hacking skills can be applied to charities?

Long: There is more to hacking than offensive security. One byproduct is that you learn good defense. So one thing we do is to lock down sites that are already installed. We'll look at them and see that software packages are out of date, or there's a problem with the code. We also have Web design skills. Understanding HTML and the languages of the Web gives you a leg up in design. Programming is another skill that many hackers are very good at. For AOET, we put a child sponsorship program online where people can come in and sponsor children for $30 a month and pay for their schooling and clothes and medical supplies. We've automated that system, transforming it from a very slow, laborious thing to a point-and-click, pay-online effort. It literally saves kids because it gets more kids into the program. It was written by a programmer in a week and a half with no budget. It's really just about applying these peripheral skills and making sure everything is on the up and up.

CSO: You describe yourself as a Christian hacker. What do you mean by that?

Long: Hacking is a job. It's what I do to pay the bills, and it just so happens I'm also one of the good guys. So that term is really just taking my job and my beliefs and combining them. It's really not that strange of a thing. It boils down to me living life to a higher standard, not just plugging through and doing the 9-5.

CSO: You’ve also said that the religious establishment could learn a lot from the hacking community. Explain that.

Long: It's amazing because the hacking community is so accepting. Many times you're working with people that operate under completely different beliefs than you do; they believe in different religions, and are of different ethnicities. All of that vanishes in a chat room. All of the things we get so hung up on in this society disappear. I've been able to be who I am with no apologies in this community.

CSO: What’s the most important piece of advice you would give to someone who wants to become a professional hacker?

Long: You have to remember trust is everything. Whether or not you decide to get into this as a profession, if you do things you’re not supposed to, it’s really going to hurt you in many different ways. But if you have incredible passion that you want to take to the next level and make a career out of it, you really have to set your path early on and be aware that if not done right, this stuff can come back to bite you.

Copyright © 2007 IDG Communications, Inc.