Confessions of a reformed black hat hacker
"When I was about 15 years old, I co-founded LulzSec, a hacking group that made headlines for its hacks on Fortune 500 companies and governments."
This was the word from Mustafa Al-Bassam, information security advisor at London-based Secure Trading and Cognosec, speaking at the ITWeb Security Summit this week.
Al-Bassam is an Iraqi-born reformed black hat hacker who was sentenced to 20 months in prison for computer misuse, and was later offered a job at the payment processing firm. He shared his story as a teenage hacker who was one of the six core members of LulzSec during its spree of attacks in the spring of 2011.
"My first experience of hacking was when I was 11 years old. I was doing my maths homework using a poorly designed online calculator, which was developed by a professor. I realised the calculator had some vulnerabilities, so I used the input box to type in code and was able to hack into a university Web site through the calculator," he revealed.
At the age of 15, Al-Bassam got involved with Anonymous, a network of activist and hacktivist entities. At the time, Anonymous was involved in online protests against companies that refused to do business with whistle-blower Web site Wikileaks.
"Through Anonymous, I co-founded LulzSec, together with five other people I trusted. When we came across security flaws in systems of reputable companies, we reported those vulnerabilities; however, organisations didn't seem to pay much attention. So we decided to expose the poor Internet security that we came across. We hacked into many systems, including FBI affiliate Infragard, and Sony. Sony, the victim of the massive PlayStation data breach in 2011, was hacked 21 times; seven of those incidents were by LulzSec and two were insider attacks."
Sony, he continued, was a great example of how not to do security. It ran many different Web sites on its network, and most of them were vulnerable to simple attacks.
"This was a large Fortune 500 company that had millions to spend on security, but, as with many organisations, they didn't see it as a priority, which, as a result, cost them a fortune.
"The larger the organisation is, the easier it is to attack, because the more systems you have, the bigger the attack vector. In my experience, the most challenging system to hack into was of the small Westbury Baptist Church as its system had little room for unauthorised access. It took us many days just to find a zero-day vulnerability."
Leaving his past behind, Al-Bassam now also works as a doctoral researcher at University College London, with a focus on cryptocurrency and distributed ledger technology. Last year, he was included in the Forbes 30 under 30 list for his work on state-sponsored malware.