The white hat brigade
The fight against cybercriminals involves a whole range of different offensive and defensive measures, from devices with built-in smart security to intelligent analytics tools that can watch the network for aberrant behaviour. Who might suspect, however, that one of the strongest weapons in the battle against hackers might be, well, other hackers? Whether they’re expert security professionals with a deep understanding of how hacking works, or reformed ‘bad’ hackers who now use their powers for good, the white hat brigade is here to stay.
Some prefer the phrase ‘ethical hacker’ while others use the more business-like ‘Penetration Tester’, but white hat hackers differentiate themselves from black hat hackers by using their talents to search for vulnerabilities in an organisation’s products or IT solutions, then advising the organisation on how to fix them. White hat hackers might be called in to consult with a company on its information security and protective measures, or to trace the means and impact of an attack in the event of a security breach. The old saying that it takes a thief to catch a thief holds true here, though the poacher turned gamekeeper analogy also works, as part of the white hat hacker’s job is to prevent an attack happening at all.
In between the white hats and the black hats come the grey hats; hackers who still work to improve network and system security, but work without the permission of the companies concerned, often on the boundaries of the law. Grey hats still do good, but not everyone likes the way they do it, or their tendency to publicise a flaw, embarrassing large corporations and giving less ethical hackers a way in before patches and fixes are properly rolled out.
What do White Hat Hackers do?
White hat hackers use the same tools as their black hat brethren to hack into networks and systems and find the weak points other hackers might exploit. They’ll scan for open ports, look for software with known vulnerabilities, attempt to foil authentication systems and gain access to systems and data that should be safely out of reach. They might also work for companies launching a new software or hardware product, again looking for ways to compromise the application or device. White hat hackers spend their time attacking websites, financial systems, online services, company email, corporate databases and a range of business systems, but they may also hit smartphone apps, online gaming services, printers and even driverless cars. The big difference is that they’re doing so with their target’s permission, and reporting back so that those security flaws can be fixed.
Their use is widespread throughout nearly every industry, most obviously those involved in technology, online services and finance, but also in shipping, transport, construction and a whole lot more – not to mention police, security and military forces, where their expertise is vital in the fight against cybercriminals and state-sponsored cyberattacks.
Some white hat hackers have formed their own information security or penetration testing companies, advising some of the biggest and most powerful organisations in the world. Others work freelance, dealing with the needs of smaller businesses or trying to earn ‘bug bounties’, paid out by the big technology firms when someone finds a vulnerability or a potentially serious flaw in application code. Google, for example, will pay anything between $100 and $31,000 for discovery of a vulnerability in its domains, apps, extensions and hardware products. Some big names even sponsor Hackathons, where companies knowingly expose code or systems to attackers, so that the hackers can find security flaws in them and win a substantial prize.
Some of the world’s most notorious ‘black hat’ hackers have joined the white hat brigade. Kevin Mitnick, once America’s most famous hacker, came out of five years’ imprisonment reinvented as a security consultant who, as founder of Mitnick Security Consulting, has advised some of the biggest brands in technology, media, finance and education. Hector Monsegur, co-founder of LulzSec, went from being chased by the FBI to working with them, and now handles vulnerability research at the labs of Rhino Security. Michael Calce, a.k.a. MafiaBoy, attacked eBay and Amazon in the early 2000s, but is now the president of Optimal Secure, a Montreal-based security firm.
Other white hat hackers don’t have such a dark past. Driven by curiosity and the challenge of hacking, they develop tools and exploits in the hope of warning companies or stopping such exploits in their tracks. Robert ‘RSnake’ Hansen is a good example, developing tools like Fierce and Slowloris that are still in use by penetration testers, while continuing research at security firms like SecTheory and WhiteHat Labs.
The rise of the white hats
White hat hacking is now an acceptable – even desirable – career choice. Would-be white hats have their own must-have credential: a Certified Ethical Hacker certification from the International Council of E-Commerce Consultants. This ensures that companies can have the services of a skilled professional with real expertise, who will check for weaknesses and vulnerabilities in a lawful and legitimate fashion. For work with governments and larger corporations, white hat hackers are also often vetted. The Communications Electronics Security Group (CESG) handles this role in the UK.
This is a growing industry. A 2016 report by Research and Markets predicted that the size of the penetration testing market will grow from $94.7 million in 2016 to over $1.7 billion by 2021. Beyond the growth of independent consultants and security consultancies, many large corporations are building their own in-house security teams to help them develop stronger, more resilient products, check their own defences or respond to attacks. Inevitably, some of these teams are being drawn from the white hat community.
For the white hat hackers, it’s not hard to understand why they’re in demand. In an excellent short-form documentary, Rivolta: Inside the Mind of Canada’s Most Notorious Hacker, Michael ‘MafiaBoy’ Calce makes a comparison to banks. ‘Hiring an ex-bank robber might be beneficial to you, simply because you hire a security team, you’re a bank owner, you bring them to your vault and they’re all like “let’s barricade the walls here, make sure the vault has the craziest lock mechanism, and we’re good.” Whereas you hire an ex-bank robber and he comes in and he’s like “that’s great. I don’t care about this vault. I don’t care about these walls. I’m coming in through the floor.”’ By knowing how hackers think – even thinking as a hacker thinks – the white hat brigade are better equipped to spot the less obvious weak points, like a publicly accessible computer or an unsecured printer, that a regular security professional wouldn’t spot.
There will always be concerns about white hat hackers – are they too close to the hacker community and mindset? Is there a danger that they could go bad? – and the recent kerfuffle over WannaCry hero Marcus Hutchins and his prior activities shows that law enforcement officials don’t always get the difference. In general, though, we should be thankful for the white hat brigade. As the threats and the stakes keep rising, we need them on our side.