White hat hackers: Inside the world of ethical hacking
Matt Jakubowski’s journey from hacker hobbyist to cybersecurity specialist began during adolescence, when he spent countless hours digitally dissecting and rejiggering video games. At one point he succeeded in giving Mario of "Super Mario Bros." new jumping heights. Wahoo!
Later on, and far more important to his professional development, he began hacking friends. But they were fine with it and hacked him right back. It was 2008 and they’d all entered into what Jakubowski (aka “Jaku”) calls a “gentleman’s agreement" that permitted them to invade each other’s computers whenever and however they chose. The group even gave a presentation about it at the Washington, D.C. hacker convention ShmooCon.
In most cases, Jakubowski and his mates exploited known security vulnerabilities to gain initial access to each other’s machines. And since nothing can happen prior to access (he compares accessing a company's network, for instance, to being "almost like a kid in a candy shop — everything's there"), the looming threat of that possibility prompted each participant to make sure his system was always “patched” and shielded from attacks.
“A lot of times a computer system can be un-patched and vulnerable to something and not get hacked until it becomes a target,” explains Jakubowski, who for three years has led cybersecurity operations at the Chicago-based industrial analytics company Uptake. “We were constantly targeting each other, so we couldn't play it safe and hope that those systems just went unnoticed.”
Sitting in a small meeting room at Uptake’s corporate headquarters, Jakubowski recalls how he and his fellow gentlemen also built phishing sites with the goal of baiting each other to open destructive web links (e.g., Hey, check out this tweet) during the course of otherwise run-of-the-mill email and chat exchanges. The exercise kept them on their toes while also teaching them to notice minor — sometimes almost imperceptible — differences between legitimate sites and malicious ones. As you might know from personal experience, the web is rife with booby traps.
“We learned how to secure ourselves better, but we also learned new tricks that really helped us advance in a completely legal way,” Jakubowski says.
A tech “unicorn,” Uptake employs hundreds of people and is valued at more than $2 billion, so it’s a theoretically high-profile target for cyber intruders bent on causing mayhem one way or another. Jakubowski’s job, in concert with his crew, is to prevent or at least mitigate that mayhem. He credits his deeply formative days of friendly hacking with giving him a solid foundation from which to learn and grow.
“A bunch of us are now off doing much bigger roles in security than back then, and I think a lot of us owe it to that,” Jakubowski says. “Without those few years of us learning off each other, I don’t know where we would’ve gotten that knowledge.”
During that period, Jakubowski notes, breaching corporate networks in the same way he and his pals breached each other’s personal computers was an illegal act that could land violators in lawsuit hell or worse.
"There was a line that I didn't want to cross, because I don't like prison. I've never been, but I assume I don't like it."
What Is Ethical Hacking?
These days, intruders around the world have permission to infiltrate networks. It's called ethical hacking, and those who practice it are growing in number. Just as vaccines guard against diseases by introducing a weakened form of the offending biological agent, companies and government organizations invite these non-malicious hackers to penetrate their systems in order to pinpoint security gaps and develop stronger defenses.
While ethical hacker types had begun to emerge (the New York Times wrote about some “mischievous but perversely positive” ones in 1981), they were still viewed as anomalies and outlaws of a sort.
Now, nearly a decade later, as cybercrime costs companies billions of dollars and is predicted to exceed $6 trillion worldwide by 2021 (the worst cyber attack in history, a particularly nasty strain of malware dubbed NotPetya, cost FedEx alone at least $300 million), ethical hacking is catching on in a bigger way than ever before. Within two years, U.S. companies are expected to spend $1 trillion annually on proactive cybersecurity procedures to safeguard their valuable data.
Going Hunting: 'Bug bounty programs' and the Expansion of ethical hacking
While lots of businesses — especially big ones like Uptake — have in-house security staffs, they’ve also begun to rely more on outsiders who make money by participating in what are known as “bug bounty” programs (Uptake partners with a few) that offer ethical hackers monetary rewards for finding and reporting — rather than illegally exploiting — cybersecurity issues.
Stanford University freshman Jack Cable has carved out a lucrative niche in the bug bounty racket, placing first in a 2017 program called "Hack the Air Force" that paid out $130,000 for more than 200 vulnerabilities that were ultimately uncovered. He now has a global reputation.
Cable became interested in ethical hacking during his sophomore year of high school. While exploring a financial website, he discovered a potential cyber hazard: users could send negative amounts of money to anyone else on the platform, effectively lowering or depleting balances. Fortunately for Cable — and even more fortunately for the company — a bug bounty program allowed him to report the vulnerability and get paid for doing so. His interest and involvement grew from there, and he even helped launch a program at Stanford.
Though many businesses remain skittish about publicly divulging, or giving strangers free reign to uncover, their cybersecurity flaws for fear of exposing sensitive data to the wrong eyeballs, an increasing number of them see the value in doing so through vulnerability disclosure policies that provide guidelines for those in the bug bounty business. There are even Congressional bills in the works that would require American federal agencies, including the Pentagon and the State Department, to hop on the bug bounty bandwagon.
“Companies are seeing that everyone is vulnerable and the only way you can become more secure is by first acknowledging where you are vulnerable and looking for a way to improve,” Cable says.
But improving from the outside in requires an extraordinary amount of trust. That’s becoming less of a sticking point than it once was, but it’s still a significant impediment to progress.
“Security companies have a battle for themselves to prove that they are a valuable asset,” Jakubowski says of firms that provide services such as penetration testing and vulnerability assessments. “They’re going to have to show that they’re capable of preventing attacks and will be secure with your data. Because at the end of the day, that’s what’s really important.”
Phishing, vishing and the UPS guy: ‘Social engineering’ trickery
Though still somewhat shackled by its pejorative past, the term “hacker” is nonetheless applied both to those who perform sanctioned services and those who wreak havoc. The former are often referred to as “white hats,” the latter as “black hats” — handles that harken to Old West cowboy days and mean exactly what they appear to mean: good and bad. There are also “gray hats” who hack at will but usually without malicious intent.
Besides technical prowess, the best black hats have well-honed “soft” skills that allow them to “socially engineer” people over the phone, online or in person. In other words, they’re practiced manipulators with a solid understanding of human psychology who trick targets into unwittingly divulging private information that’s then leveraged to inflict trauma of one kind or another. Cases involving techniques like phishing, vishing and on-site shenanigans are reportedly on the rise.
“You can have the most robust online system, spend all that money on encryption and a firewall,” says Jennifer Arcuri, CEO and co-founder of Hacker House. “But if I dress up as a UPS delivery dude, come to the front door and talk to your receptionist, I can very easily socially engineer my way in.”
“There is,” she emphasizes, “always a way in.”
Social engineering has become such a problem, in fact, that some white hats specialize in preventing it. Here’s how one of them, SocialProofSecurity CEO Rachel Tobac, has explained her process:
“Before I do any type of social engineering, I have to collect a lot of information about how I would want to penetrate that system. This is called ‘OSINT collection’ – Open Source INTelligence collection. I choose my targets based on how much information I can find on them online. If I know who they are, who their friends are, who their bosses are, what their job is, what type of language or verbiage they use in their everyday life, it makes it more likely for me to choose them as a target because I can create a believable pretext and when I give them a call, it would be easier for me to build trust with them and get them to do what I need them to do.”
Can Hacking Be Ethical? the black-to-white transformation
Regardless of team affiliation, experts say, the best hackers are hyper-curious, eager to show off their technological talents, at least borderline obsessive and employ many of the same techniques – including SQL injection and spear phishing, among others. Their goals, however, are vastly different.
And though there are plenty of top-notch ethical hackers who’ve come by their skills legally, insiders say, having dabbled in the dark arts can be beneficial — assuming, of course, the transformation from devious to virtuous is genuine not simply a ruse. Infamous former black hat Kevin “Condor” Mitnick donned a lighter-colored lid after spending five years in prison on federal offenses that included computer and wire fraud. Others have broken good, or good-ish, as well.
“If you’re a black hat that becomes a gray or white hat, you’re probably going to be better than someone who has been a white hat the whole time,” says veteran cybersecurity specialist and ethical hacking instructor Dean Pompilio. “Because you know what it’s like to break all the rules without caring, and now that you have to play by all the rules, it changes your outlook and it changes your knowledge of tactics, techniques and procedures of your adversary. If you were a black hat who became a white hat, I would think you would have a much deeper understanding of what black hats are capable of because you have been there and done it.”
“Most of them have never committed actual crimes. They were just the kid who smoked pot and wore hoodies and thought it was cool to be on servers and break code. They didn’t actually think this was a career.”
While Jakubowski thinks it’s possible to learn black hat methods without having gone all Darth Maul, the ethical angle is more challenging.
“There’s definitely a disadvantage to the white hat side, because we will always [have] a different approach [to hacking],” he says of his white hat ilk. “We want to prevent it. So we’re going to think in a more defensive way, and they’re going to think more offensively.”
Asked if he has ever dabbled in the dark arts, Jakubowski says doing so never appealed to him.
"There was a line that I didn't want to cross, because I don't like prison," he says. "I've never been, but I assume I don't like it."
Vocal white hat though she is, Arcuri says that possessing black hat know-how is undoubtedly advantageous.
“It’s all about, How does your adversary think? You want somebody who is not going to just run a few scans and check all of your ports and tell you what needs to be patched. You actually need somebody who is going to sit there and [study] your security landscape, who will actually take the time to penetrate each and every attack vector into your organization.”
That’s the value of disinterested third parties. Companies can run automated tools and implement basics like port scanning on their own, but those defense mechanisms aren’t nearly enough to thwart inevitable and potentially catastrophic intrusions. Fresh eyes and unbiased minds are key.
“Our team has a really good idea of how our stuff works,” Jakubowski says, “but having an outsider that has no idea how our stuff works is invaluable.”
Unswayed by internal politics, prejudices or complacency born of comfort, outsiders focus solely on the task at hand and on pouring over minute but critical details that might otherwise be overlooked. Not that they’re always allowed inside.
When Hacker House launched four years ago, Arcuri says, companies were far more reluctant to trust sensitive information to her ragtag crew of “miscreants” despite their legitimate skills and knack for spotting suspicious patterns in online activity.
“Most of them have never committed actual crimes,” she says, singling out a hacker (charged in the U.S., alleged in the U.K.) named Lauri Love as the exception. “They were just the kid who smoked pot and wore hoodies and thought it was cool to be on servers and break code. They didn’t actually think this was a career.”
Teach the children (to hack) well
That has more than a little to do with the fact that formal educational programs for hackers have until recently been scarce. And while today there are ample opportunities to learn ethical hacking and become officially certified in the field, doing so requires a good amount of hands-on experience. Which is to say it’s still not kid-conducive. Many think it should be.
Schooling young kids in the basics of ethical hacking, proponents argue, is the best way to ensure a more cyber-secure future — especially considering a projected shortage of cybersecurity professionals by 2022. The U.S. Army has even taught white hat methods to children as young as toddlers at the yearly hacker conference Def Con.
“There is a critical national shortage of hackers, and it’s because we’re failing to attract students early on to the field,” David Brumley, a computer science professor at Carnegie Mellon University, wrote in 2017. “More than four in five organizations lack sufficient computer security skills within their organization to protect themselves, according to a recent study by Intel. That means four in five organizations that want to secure their computers simply cannot find the talent to do so.”
Among several things that can help meet that “critical shortfall,” Brumley added, is the promotion of hacking from kindergarten through high school.
“Think about it: teenagers are picking passwords, agreeing to privacy policies, and sharing information online. Cybersecurity and privacy education are as essential as basic math today.”
But it’s one thing to learn hacking techniques and another to use them responsibly — ethically.
“In middle school and high school, you’re going to have students that want to break the boundaries,” Jakubowski says. “Teenagers are rebellious. You teach someone how to do something as a teenager and their first thought might be, ‘How can I have some fun with this?’ So you want to be careful. Even more than [cyber]security, we need to teach them how to be ethical with knowledge.”
After all, knowledge is power.
And the power to do good, as a wise man once cautioned, is also the power to do harm.