Very few people are aware of the presence of highly skilled hackers in the country, and even when they come forward about some of their exploits, we hardly take their word for it. Often, most of these hackers contact their targets about the vulnerabilities in their systems, but the targets hardly do anything about it.
In an exclusive interview with the hacker known only as D3V1LS CH1LD, we take a look into the high level of vulnerability of websites in the country and the journey of the man who has gained access to a high number of these sites.
Disclaimer: To validate the general nature of D3V1LS CH1LD’s statements, evidence of most of the hacks mentioned in this interview was provided upon request, but Techpreneur Magazine does not in any way condone any illegal or unethical activity.
T: What class of hackers would you say you belong to and do you mind sharing your hacker-handle with us?
DC: Well, I classify myself as a grey hat. You have the typical white hats who are the good guys, black hats who are often labelled as the bad guys and for grey hats we do stuff on both ends. Think of it as a hacker for hire. My handle is D3V1LS CH1LD.
T: When did you start using computers?
DC: I believe 2001 thereabout. I was in my senior year in high school at Winneba and internet cafes had just become popular at the time. I often just followed a friend and observed what he was doing until one day I saw someone change his screen saver and shared something on the network. That blew my mind at the time. I picked that up as a challenge and decided to learn how to replicate the same act. That got me started with computers.
T: When did you develop the interest in hacking?
DC: Actually, it was to impress a lady I met online. I met this white girl on one of these chat forums, I think it was myjoyonline. You know, we weren’t too familiar with most of the big forums by then so we usually sneaked into sites like ghanaweb, myjoyonline and I think facepeak. I often exchanged unpleasant words online with this girl (whom I didn’t know was white at the time) and for some reason she wanted to meet me. When we did, we both discovered we had a shared interest in computers.
However, the real turnaround came right after I had finished high school. I started working in an internet café where I had access to the internet most of the time. Then I met a couple of Indians and Pakistanis online. It was a typical IRC forum (Internet Relay Chat) where we had a moderator and we used that platform to share our knowledge of computers and networking systems.
One Pakistani took a special interest in me when he discovered I was from Ghana and he became somewhat like my handler. I think his ID was ‘LamersEnemy’. He introduced me to a couple of sites like progeneic.com (which is no longer online by the way). I printed everything I found on the sites because I didn’t have a computer at home and he’d often quiz me on what I had learnt so I took it pretty seriously. That’s how I got into hacking.
T: What was your first hack and how did it feel?
DC: I sent out a Trojan (which was basically a script I attached to a picture) to a coach in America and that opened a backdoor which gave me access to his IP address and port number. I configured the client side of the Trojan to gain access to his computer; I could literally see all that he was doing on his desktop and remotely control his PC from where I was. I would randomly just open his CD-ROM to mess with him and it felt kind of cool. The Trojan I used for that particular attack is known as sub7. The smallest Trojan is called ‘the thing’ which is just 8kb in size and that’s how small a file used to cause your doom can be.
I remember one time I had to travel to Koforidua so I installed a key logger and a Trojan on the PCs in the café just to monitor what people were doing when I wasn’t around. You know things like these were somewhat created for legitimate uses, like monitoring the PCs on your network as an administrator. They are often referred to as RAT (Remote Administration Tools) and there are quite a number of them.
T: Can you share with us some of the institutions you’ve hacked?
DC: I can’t mention any names but I can show you a few screenshots. For instance, I hacked the largest financial institution in Ghana (I have the evidence here) and I approached them about some of the vulnerabilities I found because my Dad used to work there. They promised a settlement but unfortunately, they didn’t go by their word. I plan to visit them again. They have since then updated their system but even with that I still know a few exploits which I plan to test and this time around I’ll go about it differently.
I’ve also hacked a couple of media websites in the country. I recently almost posted something controversial on behalf of one of them during the elections but upon second thoughts I decided to let it pass.
There’s been the normal credit card hacks. I once hacked a printing firm in the UK by manipulating the code of an SQL injection and extracted all the cards from their website.
There’s this day where I hacked the central AC system of a company in the US and I was able to change the temperatures from here. I did the same with the security system of a school where I had access to their security cameras and positioned them as I wanted.
There are several of them but it all boils down to how skilful you are and most of the hacks I’ve done are on web applications. I’ve created several botnets over the years and it’s easy to channel the resources of these machines for most of the attacks I do.
T: Who is your favourite hacker of all time?
DC: Definitely, Kevin Mitnick. I used to follow his exploits a lot when I started out. His hacks were mainly social engineering exploits where he played with human intelligence and vulnerabilities to gain access to systems and that fascinated me. I also followed his friend Dave Kennedy who wrote SET (Social engineering toolkit). These were guys who did amazing things.
Those days you had to use a lot of commands but today there’s software for every kind of hack and mind you, there are several intrusion detection software as well to counter these hacks. So again, skills are very important.
T: What kind of communities do you associate with as a hacker?
DC: I’m currently a member of Anonymous. I used to be part of several communities but you know some of these hacker societies and forums don’t last. People either get arrested or simply just grow up and move on. I used to be in a lot of Indian forums but today with Facebook and Twitter it’s easy to just IM people and talk about whatever you want to.
T: Do you hack for profit, or is it just about intellectual curiosity and the pursuit of knowledge and thrill?
DC: Well a bit of both but for now most of the things I do are just for the fun of it and as a challenge to myself. I often hear about some kid in the west hacking some large corporation and these things come as a challenge to me as I believe I’m in the same position to do even better. Most of the hacks I read about, I also try to do the same thing. Where I don’t get the needed results, I consult a few hacker friends who help me out. My Pakistani friend now works for a big tech firm in South Africa and he’s one of the best coders I’ve come across till date. He can even write drivers for devices to make them perform specific functions. There’s also my Indian friend ‘Anukin’ who has also written a number of books on hacking and these guys are unimaginably clever.
I also keep in touch with guys like ‘Vivek’ who taught me wireless security. He’s also an extremely great hacker; if there’s ever a question he can’t answer, then that’s where the hack ends for me, I would say.
T: How do you get prepared for a typical hack?
DC: I first do some information gathering as it’s key to identifying what’s possible in the attack. I normally don’t set out to hack certain sites but the kind of error messages I get when browsing these sites opens up what kind of vulnerabilities they have. The easiest way of vulnerability detection is by using cross-site scripting (XSS). I spend two hours each day behind the computer just researching and studying new trends and I’ve been doing this for years.
T: Have you ever been caught on a network?
DC: Not really, but there’s been a couple of times where I’ve had to advise myself because I realized someone was countering my actions.
T: How do you hack without a trace?
DC: There are proxy interceptors like Burp Suite that can be used to test the client-server relationship. Per the response, you might know if someone or an application is countering your work. I also usually do my hacks on the Tor network which usually provides some sort of anonymity.
T: Currently there have been lots of reports on cyberattacks against countries. Do you think Ghana has the skilled resources to combat a cyberwar?
DC: I know there are a few good cybersecurity experts and hackers in the country but I don’t think we are ready for a cyberwar. It has to do with the African mentality, we tend to believe if something is not broken, there’s no need trying to fix it. I’ve pointed out several system vulnerabilities over the years to some institutions but very few seemed to be concerned.
T: How vulnerable are most of the banking and corporate systems here in Ghana?
DC: Very vulnerable! The truth of the matter is if you go digging for dirt you’ll definitely find some, but it all depends on how deep you want to dig. I would admit most do put in place some form of security layers but at the same time they often run outdated software. It is quite easy to get through such systems because there are already tons of loopholes made public on hacking sites. And as a matter of fact, no software or system is foolproof. I recently found a loophole in one of the tertiary institutions. I wrote to the webmaster only for the mail to be bounced back to me. A couple of weeks later I heard they were hacked. If a whole webmaster’s email address is inactive, then how serious are we?
T: With all this knowledge you’ve garnered, do you plan on setting up a cybersecurity agency in the near future?
DC: Yes, I’m currently working on that. I do a lot of penetration testing for developers now so I would say yeah, it’s in the pipeline.