Can we learn from white-hat hackers?
The proliferation of ever-increasing connection facilitated by technology means that the threats posed to information security by malicious online actors simultaneously become more serious. Often referred to in the parlance of public- and private-sector infosec as “black-hat hackers,” according to Wired magazine, these cyber criminals not only access privileged and private information but use it to commit or facilitate fraud on a massive scale, steal money directly, and sell secrets to the highest bidder on the black market. Those aren’t the only hackers, however. There are also “white-hat hackers” whose intentions are more ethical. More than a few have been preternaturally skilled computer users who were curious to see what they could do. And on more than a few occasions, they’ve broken into government databases at the highest levels and corporate networks containing private info. But for these computer prodigies, criminal activity isn’t their goal. “White-hat” hackers break into systems with the express purposes of informing organizations what their digital weaknesses are – and, in many cases, developing techniques for mitigating such vulnerabilities. Those interested in earning a master’s in cybersecurity degree shouldn’t necessarily emulate these hackers, but they can certainly learn a lot from them.
The 414s and Early White-Hat Hacking
For example, in 1983, a group called the 414s infiltrated the Los Alamos nuclear weapons research facility in New Mexico, but they didn’t misuse or sell any privileged information. As explained to CNN by one of their members, Timothy Winslow, the 414s were merely mischievous, bored and talented teenagers. The FBI caught them, but judges exercised leniency due to the hackers’ lack of criminal intent, and they received no jail time. Winslow eventually became a network engineer, working in part to bolster cybersecurity standards. The 414s’ crimes committed prompted lawmakers to develop concrete stipulations regarding computer crime, which hadn’t existed in the early 1980s. But perhaps more notably, Winslow can be considered a – if not the – progenitor of white-hat hacking. It’s not clear who first used the terms “white hat” and black hat,” though the cultural allusion to early Western movies and their blatant evocation of good versus evil is obvious. But the idea of sanctioned hacking existed before Winslow: According to a 1981 piece by The New York Times, the timesharing firm National CSS Inc. encouraged employees to meddle around in its systems to find weaknesses or bugs. In a 2001 piece for IBM Systems Journal, infosec expert C.C. Palmer defined white-hat work as “ethical hacking” and explained that the U.S. military often engaged in it to know its own data vulnerabilities.
Prominent White-Hats of Today
Wired noted that while white-hat hackers weren’t always compensated for their efforts by the organizations they aimed to assist, that’s no longer the case: Companies may offer freelance payments as high as $100,000 and up for information on how to stop certain bugs or cyber attacks. Also, quite a few of the most skilled white hats eventually take on full-time salaried positions as security consultants, IT department heads, chief technology officers, and members of the intelligence community. Kevin Mitnick, once nicknamed “Condor” and considered one of the world’s best hackers, became a white hat after being caught by federal law enforcement agents and serving five years in prison. According to TechWorld, he now conducts freelance penetration testing operations for companies all over the world and leads seminars about cybersecurity. The man who helped the FBI catch Mitnick, computer science researcher Tsutomu Shimomua, eventually became one of the National Security Agency’s sanctioned white-hat hackers. And another NSA white hat, Dr. Charlie Miller, showed how numerous Apple products – once believed to be hack- and virus-proof, which is patently false – could be compromised and helped the computing giant patch up its issues. Somewhat comically, the biggest gathering of known white-hat hackers is called the Black Hat conference. Reporting on the July 2017 edition of this convention, CNBC noted that some attendees expressed concern about the possibility of cyber warfare between governments. Regarding the private sector, others stated that companies needed CTOs or chief information security officers with appropriately sized teams and enough resources to combat talented cyber criminals.
Dangers of White-Hat Hacking
Although most white-hat hacks are sanctioned by businesses, governments and other organizations, those perpetrating them can still draw the negative attention of law enforcement. Another piece from Wired reported that Marcus Hutchins, a white hat from the U.K., was arrested in August 2017 and accused of creating a trojan used for bank-system incursions. The FBI alleges that Hutchins made the exploit, called Kronos, in 2014 – three years before he helped bring down the WannaCry malware attack that rocked England and the U.K. The tech magazine reported that those who know Hutchins doubt he deliberately contributed to the trojan. However, code he wrote could’ve been appropriated and modified by black-hat hackers for criminal ends. This can easily happen to white hats who must enter private “dark web” servers, the domain of black hats and even more nefarious criminals, when conducting research to defeat malware. All told, white-hat hacking has proven its value, but it remains misunderstood by some, including certain law enforcement personnel.
Sources
CNBC – At Black Hat Conference, good guy hackers have a bleak view of US cybersecurity
Identity Theft Resource Center
CNN – I hacked into a nuclear facility in the ’80s. You’re welcome.
Wired – Hacker Lexicon: What Are White Hat, Gray Hat, and Black Hat Hackers?
NY Times – Case of the Purloined Password
Ethical Hacking by C.C. Palmer
Tech World – 7 White Hat Hackers You Should Know
Info Security – License to hack? – Ethical hacking
Wired – Protect the White Hat Hackers Who Are Just Doing Their Jobs