Information security professionals are all too familiar with the work of black hat hackers. These individuals seek to gain unauthorized access to enterprises’ computer networks by exploiting security vulnerabilities – malicious activity which frequently threatens the personal and/or financial information of millions of customers.
But what motivates an individual to become a black hat hacker? And how do they go about planning each of their attacks?
In an attempt to answer these questions, we recently conducted an interview with Matthew Beddoes, a former black hat hacker. In 2013, Beddoes, who went by the online alias “Black Dragon,” was arrested and sent to jail for attempting to steal £6.5 million worth of carbon credits from the United Nations’ computer systems.
After being released from prison last year, he formed his own IT security firm, Red Dragon Security.
Our interview with Beddoes is presented below.
David Bisson: What interested you about computers as a child?
Matthew Beddoes: I was first drawn to computers for the gaming. When I was about five years old, I began gaming on a Commodore 64 and eventually upgraded to a PC. “Gunship” and “Operation Wolf” were some of my favorites, but on the PC, I began to explore other things like databases, Microsoft Word-type software and basic programming using QBasic (I was self-taught). My love of computers eventually led me to start doing IT in secondary school.
DB: What motivated you to channel your talents into becoming a black hat hacker?
MB: I got into hacking because of how I spent my teenage years. First on dial-up and then on broadband, I would call up 800 numbers, look for fax machines and other systems, and try out various passwords. More often than not, I would type in “root,” and I’d be in. See, back then you didn’t need to know programming. You just needed to know where to look and understand what resources you could use to view companies’ files.
For a while, after finding these security holes, I would contact the affected company and let them know of their vulnerabilities but they didn’t care. They essentially told me to jump off of a high building, which led me to think about how I could exploit their vulnerabilities.
Did I act out of retaliation? Possibly.
It’s never a good idea to mess with a 16-year-old, especially one who can use a computer to cause chaos. Honestly, if they had said “Thank you,” things might have turned out differently. But they didn’t.
Sadly, that’s not a unique reaction in today’s industry. In fact, I find that IT staffs generally do not want their managers to know of a vulnerability for fear of looking bad at their jobs. This creates an unhealthy environment where no one wants to hear about vulnerabilities. If you talk to the staff, they will just ignore you, and if you contact the manager, they will take it personally and think you’re criticizing their staff. You’re blocked either way.
This problem is found all over the place but it usually changes after a company has been hacked. And that’s where I came in.
DB: What kinds of communities did you associate with as a black hat hacker?
MB: When I was first starting off as a black hat, I didn’t know anyone who was doing what I was doing, so I looked up some communities online that could put me in touch with people who shared my interests. These forums were readily accessible online via public search engines.
Back then, most of the people who I came into contact with were hobbyists. They were people with a genuine interest in gaining access, and they were more than willing to share information with everyone. These forums eventually put me in touch with some folks who invited me to a few IRC chat rooms that weren’t so public, where I met even more people. Everything just evolved from there.
By about 2003 or 2004, however, I found myself quickly outgrowing communities, so I migrated my presence fully to IRC rooms. I was very interested in network devices back then; I’d spend my time playing around with routers and switches and looking for old industrial systems on networks.
Well, one day, I tried to bring up the topic of networks on an IRC channel but the channel was full of newbies and trolls, and they flamed me. They essentially told me that there was no point messing around with networks and that I was better off giving it up.
Their negative comments really got to me, so I dropped a bomb on them and dumped a ton of CCTV footage. That shut all of them up. Still, I had lost all respect for IRC channels by then, and I decided at that point to stop visiting my regular channels.
The negativity I saw some 10 years ago has just escalated from there. In today’s world, black hats are all about ripping each other off – about flame wars and trolling. It’s counterproductive, if you ask me.
DB: Did you ever think you would get caught?
MB: No. I was not thinking that long-term, and frankly, I didn’t care. I really had nothing to lose. I was making good money, and I was doing everything I wanted to do. Plus, my family was used to me traveling, so it’s not like they would have missed me or anything.
Besides, the police were always looking for me. There were many times that I felt the authorities were nearby. But I was lucky in that I had many friends, some of whom would give me a heads-up now and then. They would tell me to avoid certain contacts, chat rooms, or websites. They would sometimes even tell me to get out of my house.
In the meantime, I was able to pull several great heists. Let’s just say at one point I owned half of the customer infrastructure at Telewest – access which allowed me to control about half of the company’s available customer devices. This amounted to a few million in the UK alone. I also secured access to a laptop shop at one point, enabling me to steal 144,000 credit cards in the process. And then there were warehouses, stock markets, and other targets.
Even today, I still know of a few systems that are still vulnerable but I could never tell the companies about them because it is illegal to test a computer system without the company’s permission. I could get arrested, and I really don’t want to go back to prison.
So yeah, I was never worried about getting caught, and I didn’t get caught, that is, until 2013.
DB: How did you prepare for your attack against the UN and the EU?
MB: Two people approached me about the job. I had worked with one of the guys a few years before, but I still hardly knew anything about him. We had never met in person. We didn’t know each other’s names or nationalities or even what the other looked like, and there was no point in doing so. It was a transaction, so we didn’t bother disclosing things superfluous to the job.
Anyway, a guy contacted me through another guy and paid me to hear him and to consider the project. In a short matter of time, I agreed to participate, and it just took off from there.
I had only one objective: to secure access to the carbon credit mechanisms at both the United Nations and the European Union.
Shortly after I agreed to help, the guy in charge sent me a list of a few carbon credit traders and asked me to take a look at them. The list was rubbish; there was nothing we could use. So, I created my own lists and infiltrated a few sites for him. We then looked at malware attacks to broaden our reach.
To do this, I crafted up a package with a malicious payload, which he in turn distributed to businesses and other entities, including the Indian government and another big site in the UK that shall go unnamed. Eventually, by the magic of the World Wide Web, we had successfully penetrated the UN.
DB: What went wrong?
MB: At the time, we had unlimited access to the United Nations’ carbon credit mechanism—over 500 million credits were in our control but it all went wrong because of a foolish mistake: the guy I was working with put in the wrong account number when it came time to transfer the stolen credits.
In a short while, the guy contacted me, stressing and screaming his head off. He begged me to sort things out, so I logged in to see if I could do anything but it was too late. The system wouldn’t let me process anything.
It was concerning but I didn’t feel the need to keep my guard up any more than I usually did. The guy and I just forged ahead and hit the EU, from which we stole 8,000 carbon credits at a value of around £89,000.
DB: Under what circumstances did the authorities arrest you?
MB: After the job was over, I went back to the Midlands to stay with my mom for a few days. Well, one morning I woke up, and there were 30 police officers in the house. They told me I was under arrest for suspicion of money laundering and for breaching the Computer Misuse Act.
I was sent to the police station but I never saw the police. No, I only saw agents who worked for the Serious Organized Crime Agency (SOCA). They interviewed me for 8-16 hours, two days in a row. On the third day, they sent me to court, where I was remanded.
They arrested me on six charges. These eventually swelled to 44, but shortly after that, they quickly began dropping off. I ultimately pled guilty to 18 charges, and I was sentenced for only four.
In total, I spent around 20 months in prison. I never felt like I belonged there but at the same time, it wasn’t the end of the world. I just kept my head down for the most part. On the side, I took a few web design, business and networking courses.
DB: What made you decide to set up your own IT security firm, Red Dragon Security?
MB: When I got out of prison, I encountered no resistance in getting on with the rest of my life. In fact, within a week of my release, I was receiving calls from Amsterdam, India and other locations all over the world asking if I was available for work. However, I was on probation (and still am until May of this year), so I couldn’t leave the country. I had to do something in the UK until that time.
To be honest, I’ve always had a problem with big businesses.
I know of corporations who pay hackers to infiltrate smaller companies in order to destroy their economic competition. It’s disgusting.
I hate when people are exploited. I, therefore, came up with the idea of protecting smaller businesses from these types of security incidents in order to level the economic playing field. This led me to create Red Dragon Security.
DB: In what ways does your past influence how you approach security today?
MB: My skills have always been offensive-based, so when I approach security, I am able to do so from the perspective of the attacker. However, that doesn’t convey the whole picture. My methods are unique, you see. I’ve been told that I operate differently than hackers. Even the SOCA agents who interviewed me said as much. They said I am more of a planner, like a mastermind who oversees his bank robbers.
I’m a big picture kind of guy. Therefore, when I look at how I can help secure a business, I assume the mindset of an attacker but I do not wonder how I can penetrate the business. Instead, I think, “What can I do with my target once I’ve gained access?” Using this method, I am able to understand how different sections of a company might be valuable to an attacker, knowledge which I then use to build a targeted security strategy for that particular company.
DB: Are you ever tempted to return to your work as a black hat hacker?
MB: No, not really. Don’t get me wrong. I loved hacking. I love how it works and operates but it was the people who made things intolerable near the end.
Just as an example, say you hack into a business and steal 100,000 credit card numbers. Stealing the credit cards is the easy part. Getting rid of them is another matter entirely. After all, you can’t sell them to a hacker because they have their own cards they’re trying to make a profit off of. That leaves you with selling the cards to a criminal, which is more hassle than it’s worth. These guys are always coming back and complaining that the cards don’t work, which they use as an excuse to demand more cards. It’s dishonest.
With all that in mind, I was honestly getting bored of hacking. When you hit your first 10 or 20 websites, there’s a rush but after 100-200 sites, it just becomes laborious. You have so many credit cards you need to sell, and you’re working with people who are constantly pulling out or who are trying to get out of paying you. You’re better off doing things alone.
Looking back, I’m glad the police caught me when they did.
At least I can now invoice a company via PayPal if they hire me to sort out their network.
But then again, Red Dragon Security is only temporary. Over the next year, I’d like to pursue my broader passions for science and technology and begin sorting out the logistics to create another business. This will involve gathering the necessary security, marketing, finance and business intelligence to do so.
For more information about Beddoes and his work, visit http://www.red-dragon-security.com.
Editor’s Note: The opinions expressed in this article are solely those of the interviewee, and do not necessarily reflect those of Tripwire, Inc.