{"id":36715,"date":"2022-06-16T05:44:00","date_gmt":"2022-06-16T05:44:00","guid":{"rendered":"https:\/\/cloudnewshub.com\/archives\/36715"},"modified":"2022-06-16T05:44:00","modified_gmt":"2022-06-16T05:44:00","slug":"talktalk-hacker-daniel-kelley-gives-up-his-black-hat-for-good","status":"publish","type":"post","link":"https:\/\/cloudnewshub.com\/?p=36715","title":{"rendered":"TalkTalk hacker Daniel Kelley gives up his black hat for good"},"content":{"rendered":"

Donning a navy T-shirt and smiling at the camera, Daniel Kelley looks every bit a typical young person. But he\u2019s actually one of Britain\u2019s most prolific cyber criminals, having served four years behind bars for his involvement in the infamous TalkTalk cyber attack<\/a>. <\/p>\n

The cyber breach cost the telecoms giant around \u00a377m and compromised the personal information of more than 150,000 customers<\/a>. Everything from bank account details to email addresses was stolen as a result of the incident.<\/p>\n

In addition to the TalkTalk hit, Kelley racked up a slew of other serious cyber offences that landed him in jail \u2013 he also hacked the Llanelli-based college he attended in 2015, Coleg Sir Gar, along with many other organisations. <\/p>\n

Kelley has a black hat<\/a> resume that many budding cyber criminals<\/a> can only dream of, but the truth is that he never intended to pursue a career as a hacker, let alone play a role in a famous attack. In fact, he fell into it. \u201cI didn\u2019t choose to get into computer hacking or cyber security \u2013 it just happened when I was a teenager, around 13 years old,\u201d he says.<\/p>\n

\u201cIt was more like an undesired transition. I used to play an online game when I was younger, and ended up cheating on it, and the forums I found the cheats on also gave me exposure to more criminal stuff. It wasn\u2019t like a logical leap internally, it was more like a thing that I ended up falling into. I didn\u2019t wake up and make a rational decision.\u201d<\/p>\n

\n

<\/i>Learning the tricks of the trade<\/h3>\n

Like many other black hats, Kelley didn\u2019t study cyber security<\/a> in college or at university \u2013 he acquired all his technical knowledge and skills online. \u201cThe majority of the information I needed to learn, concepts and methodology, came from online forums. I eventually joined groups on these online forums and began associating myself with various IRC and Jabber chat rooms (XMPP),\u201d he says.<\/p>\n

\n
<\/div>\n

\u201cI didn\u2019t choose to get into computer hacking or cyber security \u2013 it just happened when I was a teenager. I didn\u2019t wake up and make a rational decision\u201d<\/span><\/strong><\/span><\/p>\n

Daniel Kelley, ex-black hat hacker<\/span><\/em><\/p>\n<\/blockquote>\n

Kelley got his first real taste of hacking as a young teenager, when he used his newfound cyber know-how to unearth a web application vulnerability<\/a> on a Microsoft subdomain. \u201cIt was in 2011, I was 13 years old, and the vulnerability allowed me to essentially inject code into a webpage,\u201d he recalls. \u201cI reported it to Microsoft\u2019s bug bounty programme<\/a> and, in turn, they listed my credentials on their hall of fame. My credentials remain on their website to this day.\u201d<\/p>\n

Kelley didn\u2019t purposely set out to use his skills as a hacker to conduct serious acts of cyber crime. But, as can often be the case, he got so absorbed in his craft that he didn\u2019t stay on the straight and narrow path for very long. <\/p>\n

\u201cI started out with good intentions, but as time went on, the responses I received from using the responsible disclosure model became increasingly negative. I\u2019d find web application vulnerabilities in large websites and try to notify the appropriate security team, but I\u2019d get no response,\u201d he says.<\/p>\n

\u201cI ultimately accumulated all of these vulnerabilities, gained access to these forums where people weren\u2019t really the most ethical, and things began to spiral out of control. So it wasn\u2019t a conscious decision, but something I fell into with relevant exposure.\u201d<\/p>\n

Reflecting on his experiences as a black hat, Kelley finds it hard to list all the nefarious actions he\u2019s taken. He says his criminal career \u201cspanned several years\u201d, during which he \u201cracked up charges ranging from unauthorised access to blackmail\u201d. <\/p>\n

He continues: \u201cIt\u2019s difficult to summarise my experience because I\u2019ve probably been involved in every aspect of criminality that comes with the nature of my offending. I suppose the method of exfiltrating data and then demanding ransom payments was what eventually got me caught and what I regret the most.\u201d<\/p>\n<\/section>\n

\n

<\/i>The golden ticket <\/h3>\n

Many people would think hacking into a major corporation such as TalkTalk is a difficult undertaking. However, Kelley explains that such companies often have the worst cyber security and can be easier \u2013 and somewhat less rewarding \u2013 to hack. Meanwhile, companies that invest heavily in cyber security are much harder to breach, and the process involves \u201cchaining multiple vulnerabilities together\u201d.<\/p>\n

\n

\u201cI suppose exfiltrating data and demanding ransom payments was what eventually got me caught and what I regret the most\u201d <\/figure>
Daniel Kelley, ex-black hat hacker<\/strong> <\/figcaption><\/i> <\/p>\n<\/blockquote>\n

He says it took the perpetrators of the TalkTalk breach just a few hours, rather than days, to discover and exploit a security vulnerability that enabled them to hack into the firm\u2019s website. This, he says, was straightforward.<\/p>\n

He tells Computer Weekly: \u201cIt was a simple web application vulnerability that allowed you to pull data from databases through a web page. You didn\u2019t need any special skills to exploit it \u2013 it would have taken less than an hour to teach anyone with a computer how to do it.\u201d<\/p>\n

While the TalkTalk hack was surprisingly simple to pull off, Kelley wasn\u2019t prepared for the publicity that would follow. \u201cI recall sitting in front of my computer watching the national news when the CEO of TalkTalk announced that she had received a blackmail demand, and for some reason, despite the fact that the link was transparent, it just seemed opaque to me,\u201d he recalls. \u201cIt was like I couldn\u2019t register the realism and severity of what I had done. I just sort of continued going about my day.\u201d<\/p>\n<\/section>\n

\n

<\/i>Law catches up <\/h3>\n

Most people who break the law eventually get caught and must face the consequences of their actions, and it wasn\u2019t long until Kelley attracted the interest of the police, first when he was arrested on suspicion of hacking his college, then again on suspicion of blackmailing two companies, including TalkTalk.<\/p>\n

\u201cI wasn\u2019t expecting the first arrest, but it was over in less than five hours. The second arrest was much more serious<\/a>, and it felt like something out of a film. There were several agencies waiting for me at my house,\u201d he says.<\/p>\n

\u201cI was escorted to my local police station by two police cars while sitting in the back of an unmarked police van. Because of the high-profile nature of the case at the time, they evacuated the custody suite and processed me quickly.\u201d<\/p>\n

As someone on the autistic spectrum<\/a>, Kelley believes he was misunderstood in prison. \u201cFor example, because I posed a security risk to a particular prison, they decided to cut off my phone calls. What they don\u2019t realise is that on the outside, I wouldn\u2019t go a day without talking to my family, so you\u2019re now putting me in that environment and cutting off my family contact.\u201d<\/p>\n

Prisons are rife with people with a variety of mental health issues and, subsequently, prison staff often treat all inmates the same, Kelley explains. This can and does result in vulnerable people \u2013 whose disabilities may not be obvious \u2013 being neglected. <\/p>\n

\u201cWhen you tell staff you\u2019re on the spectrum, they simply take one look at you and don\u2019t see anything wrong with you, so they simply assume that you\u2019re attempting to take advantage of the system,\u201d he says. \u201cWhen I arrived in one prison, my record had all of these notes about my ASD [Autism Spectrum Disorder<\/span><\/span>] diagnosis. I told the nurses, who said they understood, but the senior officer in reception simply came up to me and said, \u2018Look, you\u2019ve done Belmarsh, I don\u2019t give a fuck about your history\u2019. This is just an example.\u201d<\/p>\n

Although Kelley found many aspects of prison life difficult due to his disorder, not everything was bad. In fact, he describes the \u201cstrict routine\u201d of prison as a good thing and says he enjoyed doing the same things daily. <\/p>\n<\/section>\n

\n

<\/i>Tech in prison <\/h3>\n

It\u2019s easy to assume that a hacker sent to prison wouldn\u2019t be exposed to computers, but on the inside, Kelley found he wasn\u2019t away from a PC for very long \u2013 entering the system, he had to complete numeracy and literacy tests on a computer. <\/p>\n

\u201cI was called up to the classroom and seated in front of a computer, where I recall sitting for 10 minutes, contemplating whether it was a good idea to use the computer in front of me. I had an SCPO [serious crime prevention order] that required me to register all of the devices I used, but it did not go into effect until I was released from prison.\u201d<\/p>\n

Even though Kelley didn\u2019t use the prison computers to conduct any serious hacking offences, he did cause some cyber mischief. \u201cIt was clear that the teacher had no idea who I was or what I\u2019d done,\u201d he says.<\/p>\n

\u201cThey had an application on all of the computers that consisted of a 20-question exam [and] when you\u2019re finished, you simply press save, and it saves the web page containing the results as an HTML file. So, in Notepad, I opened the HTML file and changed both exam results to level four. The teacher came over and just stared at me, amazed. A month later, I found out that the highest mark you could get for these two exams was a level three, which gave me a good laugh.\u201d<\/p>\n

Kelley didn\u2019t just use his technical skills to tweak test results in prison. He also spotted an opportunity to modify his television and get more channels. \u201cAfter a few months of being bored of watching the same things over and over, I looked at the television one evening and realised that the aerial was just some copper. As a result, I had this brilliant idea of making my own aerial. I was working in recycling at the time and came across a spare radio in the trash,\u201d he says. <\/p>\n

\u201cI took all of the copper out of it and brought it back to my cell, where I built a large aerial that I forced into the back of the television. I pointed it out of the window and I took the make and model of the television, looked up the unlock code, and retuned my television. My jaw dropped when it began to pick up over 200 Freeview channels, which improved my time.\u201d<\/p>\n<\/section>\n

\n

<\/i>A reformed hacker  <\/h3>\n

One could argue that these acts pale in comparison to the TalkTalk hack \u2013 and are pretty ironic. The reality is that Kelley didn\u2019t run the risk of committing serious computing offences behind bars, like breaching prison networks, and genuinely seems to have learnt his lesson. <\/p>\n

Since leaving prison, Kelley describes himself as a reformed hacker and doesn\u2019t plan on returning to the world of cyber crime. He says his \u201cperspective on life has shifted dramatically\u201d and he does not \u201csee the point in committing crimes\u201d.<\/p>\n

\u201cThe motivation I used to have for it has waned to the point where I no longer find it appealing,\u201d he says. \u201cI blackmailed people for money, albeit a small amount of money, and it has become clear to me that I could have earned more money through legal means in a shorter period of time than I did through criminal activity.\u201d<\/p>\n

\n

\u201cThe motivation I used to have for [hacking] has waned to the point where I no longer find it appealing. I blackmailed people for money, albeit a small amount of money, and it has become clear to me that I could have earned more through legal means\u201d <\/figure>
Daniel Kelly, ex-black hat hacker<\/strong> <\/figcaption><\/i> <\/p>\n<\/blockquote>\n

Kelley is now putting his cyber security skills to good use and building a credible career in the industry, instead of hacking and blackmailing companies. When he was on bail, he teamed up with computer incident response teams<\/a>, system administrators, website developers and government bodies to address more than 3,000 cyber security vulnerabilities<\/a>, and even ranked 11th place on a major bug bounty service.<\/p>\n

You could say that Kelley has hung up his black hat forever. \u201cTo put it bluntly, but cynically, I don\u2019t think the burden of criminality is worth it to me. Sure, you can make a lot of money, but what good is money if you\u2019re always paranoid and don\u2019t know whether you\u2019ll be arrested tomorrow? People rarely think about the consequences of a criminal lifestyle,\u201d he says.<\/p>\n

\u201cIf you want to make a lot of money and build a life with it, you must consider the possibility of losing it all in 20 or 30 years. If you stop committing crimes one day, that doesn\u2019t mean all of your previous offences are no longer valid. It\u2019s a more significant decision than most people realise.\u201d<\/p>\n

Given that Kelley now has a serious crime prevention order against his name, building a genuine career in the cyber security industry hasn\u2019t been easy for him. \u201cIt\u2019s not so much probation that\u2019s the problem \u2013 the probation team in charge of me is fantastic to work with, and I\u2019ll be off probation next year. The main problem is the SCPO,\u201d he reveals.<\/p>\n

\u201cIt has a number of limitations that prevent me from using basic technology, and it won\u2019t expire until 2026. If an employer wants to hire me, they must accept the responsibility that comes with it. It\u2019s not like I can just apply for a regular job and follow the established procedures.\u201d<\/p>\n

But regardless of these challenges, Kelley is enthusiastic about his future in the cyber security industry and remains laser-focused. \u201cI\u2019ve been looking for work and will continue to do so, but it\u2019s all about making the best of the situation.\u201d<\/p>\n

The only thing he doesn\u2019t regret about his black hat career is that it enabled him to acquire \u201creal-world offensive computer hacking experience\u201d that cannot be achieved \u201coutside of a job\u201d. He adds: \u201cOf course, CTFs [capture the flag] and emulated environments exist, but they aren\u2019t the same as illicit computer hacking.\u201d<\/p>\n

When asked to provide advice for young people looking to pursue a career in the cyber security industry and stay out of trouble, he says: \u201cIf you want a career in cyber security, find what it is you want to do and then start to look at the requirements for that specific role. There\u2019s material available now that wasn\u2019t available 10 years ago, and plenty of people in the industry that are willing to help.\u201d<\/p>\n

\n

Learn more about Daniel Kelley\u2019s story on his personal website<\/a> and keep up with him via social media on Twitter<\/a> or LinkedIn<\/a>.<\/em><\/p>\n

 <\/strong><\/p>\n<\/section>\n","protected":false},"excerpt":{"rendered":"

Donning a navy T-shirt and smiling at the camera, Daniel Kelley looks every bit a typical young person. But he\u2019s actually one of Britain\u2019s most prolific cyber criminals, having served four years behind bars for his involvement in the infamous TalkTalk cyber attack.  The cyber breach cost the telecoms giant around \u00a377m and compromised the […]<\/p>\n","protected":false},"author":1,"featured_media":36716,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[533],"tags":[],"class_list":["post-36715","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it"],"_links":{"self":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36715","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=36715"}],"version-history":[{"count":0,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/posts\/36715\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=\/wp\/v2\/media\/36716"}],"wp:attachment":[{"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=36715"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=36715"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cloudnewshub.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=36715"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}