Cyber crime fighters descend on Aztec West

By Jess Winteringham  Monday Feb 29, 2016

In a hacker’s bedroom, surrounded by dirty clothes and used tissues, a team of young men are forensically picking through the unsavoury detritus that litters the floor.

As they overturn mattresses and raid drawers full of weed for clues, supervisor Oliver Sealey explains that, following a huge data breach at a company where highly sensitive client information has been posted online, law enforcement have drafted in a crack team of cyber crime fighters to help find the culprit.

The hacker, Ken Bolton (an employee), has been named in the media as a suspect and it’s the team’s job to prove whether Ken dunnit or not.

Except Ken’s not real. He’s just one part of a test being held at the world’s first Cyber Academy in Aztec West to pluck the best up-and-coming super geeks to fill the widening cyber skills gap. High-profile breaches at companies like Ashley Madison, Sony and TalkTalk have stepped up the need for the void to be filled.

One of the teams raids the hacker’s bedroom for evidence

I’m met by Jim Wheeler, director of cyber operations. He’s not what I’m expecting from a cyber security expert. It sounds judgemental, but he’s approachable and funny.

He takes me for a coffee in the break-out area, where a group of young men who match my preconceived ideas of what techy types might look like (Beatles haircuts, glasses and ill-fitting clothes), are sitting quietly drinking cups of tea, composing themselves for the competition.

I buy a Curly Wurly from the vending machine. Something’s up. Where are the women? I ask myself. I spot a young blonde lady sitting in a booth in the corner and perhaps over-enthusiastically stride up to her. It turns out she’s PR. She tells me there’s one female candidate.

We all get together in the Academy’s main room where the 24 candidates are split into four teams of six who will be under the watchful eye of Oliver, who has devised today’s challenge.

Jim throws down the gauntlet: the candidates have the run of a £5 million playground, the only one of its kind outside of the US, where they can hack, crack and smash everything they want.

A team of expert assessors and recruiters at the top of their game from PGI, who run the cyber academy in Bristol, and big cheeses from prestigious organisations like BT, Hewlett Packard and GCHQ (who I’m not allowed to interview for security reasons), score the candidates on skills such as team-work, attack and defence strategies and ethics.

In a room filled with computers, one of the challenge’s youngest contestants, college student Dan, 17, is breaking into a USB stick, part of the evidence gathered from Ken’s bedroom.

Using specialist software that allows him to read down to the binary of the stick’s chip, he’s able to probe hidden areas for secret files. He uses a technique known as “raking” to unpick the lock of a filing cabinet searching for additional evidence. “There’s got to be a physical sport, away from the computer,” he tells me.

Contestants pick a lock on a filing cabinet

Dr Bob Nowill, the challenge’s chairman, joins us. “For some reason we find people who are good at pen testing are always interested in lock-picking as well.”

What is pen testing? Er… hacking? Lock-picking? Are these really skills kids should be learning?

“Penetration testing is essentially people who can get into IT systems. But from the viewpoint of the Cyber Security Challenge, we’re looking for people to do that wearing a white hat for good” (helping businesses identify potential problems).

“Rather than a black hat for bad (those who illegally hack companies and individuals for personal gain). We give them a safe environment to demonstrate those skills and see that they can make money doing that.”

He nods to Dan. “He’s a good guy. But we have people in the challenge who are hackers and are wavering. Especially when you see them at school; the temptation for kids to break into the teacher’s laptop if they can. It’s about making sure they have another view of life.”

It’s a concern reiterated by PGI’s director Brian Lord OBE. “Living online is where most people live. But where are the checks and balances? Your parents know what’s safe and what’s not, and what’s good behaviour?

“Police? Not really. Teachers? Not really. Peer groups stop being 10 or 15 people and become 200-300,000 people. Most of whom you’ve never met.

“So when they’re teaching kids how to hack – ‘non-sexual grooming’ I call it; and there are league tables, who’s done the coolest hack this week – all that kind of thing that turns teenagers on.

“They start off saying: ‘Let’s get into your friend’s Facebook account. Don’t like him anyway.’ And before they do it, there’s nothing that comes up on the screen that says you’re about to break the Computer Misuse Act.

“So they have no idea that what they’re doing is actually illegal. And they’re probably not going to get caught either. So there’s no immediate consequence. Even if someone said that it’s okay to shoplift and you went in thinking it was okay to shoplift.

“Very quickly, you’d find out it wasn’t. You look at how many people have been successfully prosecuted under the Computer Misuse Act since it was brought in, you’ll only just get over the amount of digits you have on a single human body. You have to teach children, we have to normalise it.”

One of the clues the teams must crack

Brian, who has spent 21 years working at GCHQ, plays down the hyperbole that comes from the media’s portrayal of cyber crime. He says the vast majority of cyber attacks amount to the online equivalent of throwing a brick through a window.

But there are an estimated one million cyber security jobs currently up for grabs globally, a figure expected to reach 1.5 million by 2020.

He launches into an impassioned, expletive-filled speech on why you should choose a career in cyber security. He’s a man on a mission. “This industry is so much fun.

“And if you’re at school or university, legally breaking into stuff, modern investigations. And at the moment there are very few careers where you’ve got absolutely 100 per cent employment.

“And not only that the salaries are f***ing good as well. Because you’re still in a growing market. And it’s cool. What’s not to like?” 

After successfully learning how to pick a lock, being offered a tour of the dark web and a day of hacking, it’s hard to disagree.

Back in mission control, candidate Dan has found an image that he’ll forensically examine to geo-locate the hacker at the time of the breach and absolve or condemn Ken.

As a self-professed maths dunce in what seems to be a male-skewed environment, I ask if I stand a chance in this field. Bob is quick to respond. “In Cyber Security there are lots of disciplines.

“You can see there’s a diversity problem. But there’s sort of an image problem that it’s all nerdy guys who spend all night long playing with a computer. You don’t necessarily have to be brilliant at maths or computing. If you think about the skills you need for fraud or the insider threat? Tailgating, talking your way past security. That’s psychology.”

Dan briefs the team on his findings

Intrigued, I go to find Oliver to fill me in on the investigative side of PGI’s cyber operations. Oliver’s meteoric rise in the field of Cyber Security saw him go from a competitor in last year’s challenge where he was talent-spotted, to becoming one of PGI’s newest Security Consultants in less than 12 months.

He’s involved in Red Teaming, which involves physically breaking into everything from people’s homes, critical national infrastructures and weapons facilities to army barracks, at the behest of the organisation’s management, to test cyber security vulnerabilities.

“Tailgating almost always works. You get a big adrenaline rush. A cup of tea is always good. And talk to people, you’d be amazed what people tell you if you just ask them nicely.

“Once you’re in, it’s just a case of looking busy.” Once embedded, the Red Team launches a multi-pronged assault that would rival Jason Bourne. They might plant a dodgy-looking individual to divert suspicion, while another logs on to company networks, lifting sensitive documents left lying around on printers and planting USB sticks with malware for unwitting employees to release into the wilds of the office computer systems.

Meanwhile, the guys in the ops team at PGI’s cyber HQ are busy attacking the company networks and sending phishing emails, trying to find any way to get in.

Pen test complete, the team will brief the management on their findings. Effective communication is crucial to closing the knowledge gap. The final stage of today’s challenge simulates this scenario.

In PGI’s slick executive board room, a face-to-face roasting is underway. PGI staff are firing questions at the contestants as they present their findings. It turns out that Ken has been framed by his aggrieved colleague Martha, who’s really responsible for the breach. Ken will be livid when he sees what Martha’s done to his bedroom.
