Often stereotyped as dubious, hooded characters hunched over keyboards in dank basements, hackers historically have had a pretty bad rep. But with every good villain comes a hero. In this case, the heroes are the white hat hackers, who use their skills as a force for good to identify security vulnerabilities before their counterparts do.
White hat hackers have the knowledge and tenacity to find the vulnerabilities in your IT infrastructure that others can’t and pinpoint holes in your physical security before they’re exploited, saving you time, money and reputational damage in the process.
We interviewed a seasoned white hat to find out more about hacking as a career path, what you can learn from the X Factor hacks, and why not all hackers wear hoods.
White hat hackers have an inherent interest in understanding how things work and in pulling things apart, which very often starts at a young age. As you grow up you quickly find the same applies. Looking at large IT teams, pulling things apart is intriguing at any age.
When you think of kids getting into security, it often starts with gaming, modifying games and finding ways to break the system.
The college students who created the Mirai botnet in 2016 initially just set out to crash Minecraft servers. Instead, they built a botnet that infected more than 200,000 devices and inadvertently unleashed a DDoS attack of unprecedented size that took down half of the internet!
For me, it was an interest in how devices communicate. When you scratch the surface, you realise that the systems we use regularly are often vulnerable. Take email, for example. Many of us understand that most systems don’t encrypt our emails, making it inherently insecure. Yet we continue to use it regularly, potentially handing criminals ample opportunity to intercept our information!
When you start to realise the disconnect that exists between email adoption and its vulnerabilities, it entices you to play around with the boundaries; it’s addictive. Being a hacker allows me to pursue tasks like this in a way that helps others.
A lot of the technologies the internet is built upon have been around for decades. When you dig deeper, you quickly realise that this stuff wasn’t built with security in mind, and it certainly wasn’t built to defend against the modern attacks we see now.
It was constructed at a time when threats were different, but this model has been so widely adopted and is so intrinsic in the way we use the internet that it’s difficult to move to a more secure model. You’d have to take it all right back to the drawing board.
Large companies are targeted by hackers for many reasons, one of which is their large attack surface area owing to the many interconnected systems they use. This makes the likelihood of a determined group of hackers finding their way in much higher.
I would say the most shocking thing to anyone would be how easy it is to launch an attack. The barrier to entry can be really low.
An SQL injection attack is one such method that can be performed with minimal knowledge, as it can be entirely automated. There are tools like ‘sqlmap’ freely available to download that do the hacking for you.
These types of attacks allow hackers to steal data directly from a database and have been responsible for several severe breaches, including that suffered by TalkTalk, all without the attackers needing to know how it all works.
There are several instances of hackers receiving sentences of twenty years or longer in the US for ‘computer crimes’. There’s sometimes a bit of a disconnect between the actor and the end result though. If you’re crashing a Minecraft server to gain an advantage in a casual game, you might feel like that’s not much of a crime. But a court might argue that you’ve intended to impair a computer system, which is considered a crime.
A lot of penetration testing work is limited to technical attacks, but when briefs require physical involvement, this is known as red teaming. These briefs are often more extensive and could involve social engineering, coercing staff members, physically breaking into a building or watching someone’s screen in public.
Often physical access happens as a result of inadequate processes rather than through the use of James Bond-style grappling hooks. Companies throw out computers or hard drives, and they’re intercepted between the building and the bin, or staff members travel by public transport and allow people to view their screens while they work.
The series of attacks by LulzSec, called ‘50 days of Lulz’, was undoubtedly impressive in terms of its scope and impact. In the space of 50 days, the group announced hacks on Fox, The Sun, Sony, PBS, AOL, AT&T, the NHS and even The X Factor contestants! LulzSec became infamous for their announcements on Twitter, as they revealed who would be the next unfortunate victim. They had a sustained and severe impact on organisations that were powerless to prevent it.
Too many businesses still rely on passwords when they could use two-factor authentication. This is particularly true for anyone who has remote access to business resources as two-factor authentication makes it so much harder for hackers to strike.
Physical access remains an issue for businesses too. If I can plug a device into your network by just walking into your building and connecting, that’s an inherent weakness. There’s technology you can implement to prevent unknown devices connecting to your network, but it’s amazing how often businesses don’t take this kind of simple action to protect themselves.