Surveys suggest that most hackers are driven less by easy money than by the challenge: testing their skills against a company's defences as if they were a puzzle. At the same time, not everyone wants to break the law and take the risks that come with it. Fortunately, in recent years a community of white-hat hackers has been forming, and demand for their services is growing, especially among large companies. In this article, with the help of experts, we look at who white hackers are, what hats have to do with it, how to become one, and why you might want to.
1. What does a white hacker do?
Remember that hacking a company that has not asked you to (that is, without written authorization) can get you sued or prosecuted, even if you never used the information you obtained. The same goes for breaking into Wi-Fi networks.
White hackers try not to disrupt the company's operations: the scope and timing of tests are agreed in advance, and they will not, for example, test resistance to DDoS attacks in the middle of the working day.
2. Who are "white hats" and "black hats"?
White hackers are often called white hats, and malicious hackers black hats. The names come from Westerns, in which the good guys wore white hats and the bad guys black ones.
The main motivation of white hats is to develop their skills and use them for the benefit of the companies they work for. The main motivation of black hats is profit, by whatever means.
Besides white and black hats there are gray hats. Such hackers usually have no malicious intent, but they may probe the products of companies that have not published any request for testing, and if they come across data that can be sold, they may take advantage of the opportunity.
3. Who are "blue hats", "green hats" and "red hats"?
While the black, white and gray hats are generally understood, the other colours are much less common, though they are sometimes used.
A blue hat is essentially a white hat in Microsoft's terminology. The company actively promotes having its products audited by hackers before release, and it founded the Microsoft BlueHat conference, which focuses on white-hat hacking and information security. Attendance is by invitation only.
Interestingly, in some circles a blue hat is someone who, because of events in their own life, has decided to hack a specific person out of revenge and has no interest in the rest of the craft. A prime example is the protagonist of the game Watch Dogs.
Green hats are novice hackers who lack experience and skills but are actively learning and practising with the help of dedicated resources.
A red hat is a hacker whose main goal is to fight black hats. But where white hats try to prevent attacks and strengthen defences, red hats want to punish intruders and, on finding one, may launch a full-scale attack against him.
4. Where do white hackers find orders?
Orders from companies are mostly published on dedicated platforms such as HackerOne, Bugcrowd, SafeHats and Synack. Large companies (Google, Instagram, Facebook, Apple, PayPal and many others) also run their own bug bounty programs.
5. How much does a white hacker make?
A white hacker's income depends on many factors, from skill to plain luck. For many, ethical hacking is a hobby or an occasional source of income rather than a full-time job. Still, in its 2019 survey the HackerOne platform reported that seven hackers who do this more or less full time had earned more than $1,000,000, another 13 more than $500,000, and another 146 more than $100,000. The BBC writes that the most successful white hats can earn over $350,000 (~25,600,000 rubles) per year, and that within bug bounty programs companies pay out up to $50,000 (~3,600,000 rubles) per month.
6. How to become a white hacker?
Most hackers learn on their own from information they find on the Internet, but ethical hacking courses, such as Hacker101 from HackerOne, have started to appear.
It is also common for white hackers to come from a formal background in computer science or information security.
7. Information security specialist = hacker?
Not quite: an information security specialist primarily designs protection, while a hacker, even an ethical one, tries to find holes in it.
There is no need to equate hackers, even "white" ones, with information security specialists. It is a common stereotype: if it's security, it must be hacking. In fact, information security has many areas: there are specialists in security organisation and methodology, whose tasks include maintaining the required documentation and keeping the IT infrastructure within the law, and there are analysts, whose duties need no hacking skills at all :)
8. Who is cooler: cyber security specialists or hackers?
Of course, it depends on the people and the situation. An information security professional and a hacker have different tasks and different difficulties. But in general, defending against possible threats is harder than looking for vulnerabilities, because a hacker needs to know only one loophole to reach the goal, while the security specialist has to build a system that is protected against many of them.
To be a good information security expert, you need to know all the hacking techniques you will be "tested" with. To hack a network, you need only one technique that works.
That is why security specialists spend a lot of time studying hacking techniques, and they are usually more professional than the people attacking them.
What everyone has in common is access to the same public tooling: free tools such as the Metasploit framework and the Kali Linux distribution, or paid ones such as Core Impact. These are ready-made collections of attack techniques, and all you need to do is learn how to launch them; there are plenty of tutorial videos on YouTube. It makes no difference whether you are playing the red team or are a real attacker: you use the same utilities and techniques.
What gives a criminal the edge is that he can buy entirely new techniques on the black market that are still unknown to defenders, and so remain unnoticed inside your network for a long time. This makes penetration easier and poses the hard question of how to defend against an unknown attack. For example, according to Group-IB, the Anunak criminal group spent on average 42 days inside a bank's network before withdrawing money.
And here the defender has an advantage: a single mistake by the hacker is enough for him to be noticed. So the more different defence techniques you use, the fewer chances the attacker has. If you have only one defence technique, then most likely it has already been
9. How often are developers to blame for vulnerabilities?
It is generally accepted that security by design should underpin any modern development. Everyone talks about it, but in practice it is rarely applied. The reason is trivial: the competitive race between developers. Products have to reach the market as quickly as possible, so vendors ship first to start earning sooner and plan to deal with security later.
A striking recent example is Zoom. While it was little known, the developers did not consider it necessary to deal with vulnerabilities. As soon as public interest in it grew, and with it the hackers' interest, many holes were found at once. The developers had to react urgently, and the holes were patched. Could they have done this earlier? Yes. But other tasks had priority: expanding functionality, polishing the interface, growing the customer base. From a market point of view this turns out to be justified, since users will not appreciate "improved application security" but will appreciate "we added cool new emoji".
There are three kinds of vulnerabilities: in design, in implementation and in configuration. Developers are often simply unable to fix problems that were baked in at the design stage. For example, the SMTP protocol, which transfers mail between mail servers, was designed without any sender authentication, which is why we are still flooded with spam and phishing: anyone can send a message signed with any address, even the president's. Yes, later additions such as SPF, DKIM and DMARC try to protect against this at the implementation level, but the problem remains at the root.
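As an added example (not part of the original article), here is a constructed SMTP session in Python in which the envelope sender (MAIL FROM) and the header From: are chosen freely by the client and accepted by the server, followed by the DMARC-style identifier alignment check that implementations bolt on to catch exactly this mismatch. The domains are fictional, no DNS (SPF) lookup is made, and the "organisational domain" helper is a crude stand-in for what DMARC does with the Public Suffix List.

```python
"""SMTP lets the client assert any sender identity; DMARC-style alignment
detects the mismatch. Added example: session, domains and helpers are
constructed, no network or DNS access is used."""
from email import message_from_string
from email.utils import parseaddr

# Constructed transcript: "C:" lines are sent by the client, "S:" by the server.
# The server checks syntax only; it never verifies that the client may use
# attacker.example as the envelope sender or whitehouse.example in From:.
FORGED_SESSION = """\
S: 220 mail.victim.example ESMTP
C: EHLO bulk-sender.attacker.example
S: 250 mail.victim.example
C: MAIL FROM:<bounce@attacker.example>
S: 250 2.1.0 Ok
C: RCPT TO:<cfo@victim.example>
S: 250 2.1.5 Ok
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: "The President" <president@whitehouse.example>
C: To: cfo@victim.example
C: Subject: Urgent wire transfer
C:
C: Please pay the attached invoice today.
C: .
S: 250 2.0.0 Ok: queued
C: QUIT
S: 221 2.0.0 Bye
"""

# The same session from a legitimate sender: both identities share a domain.
LEGIT_SESSION = FORGED_SESSION.replace(
    "bounce@attacker.example", "bounce@whitehouse.example"
).replace("bulk-sender.attacker.example", "mx.whitehouse.example")


def parse_session(session: str):
    """Return (mail_from, rcpt_to, message_text) from a transcript.
    Only client lines carry identities; the lines between DATA and the lone
    '.' are the message (headers plus body)."""
    mail_from = rcpt_to = None
    data_lines, in_data = [], False
    for line in session.splitlines():
        if not line.startswith("C:"):
            continue
        cmd = "" if line == "C:" else line[3:]
        if in_data:
            if cmd == ".":
                in_data = False
            else:
                data_lines.append(cmd)
            continue
        upper = cmd.upper()
        if upper.startswith("MAIL FROM:"):
            mail_from = cmd[len("MAIL FROM:"):].strip("<> ")
        elif upper.startswith("RCPT TO:"):
            rcpt_to = cmd[len("RCPT TO:"):].strip("<> ")
        elif upper == "DATA":
            in_data = True
    return mail_from, rcpt_to, "\n".join(data_lines) + "\n"


def header_from(message_text: str) -> str:
    """The RFC 5322 From: address the recipient sees in the mail client."""
    return parseaddr(message_from_string(message_text).get("From", ""))[1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def org_domain(domain: str) -> str:
    """Organisational domain approximated as the last two labels (assumption:
    real DMARC consults the Public Suffix List, e.g. for co.uk)."""
    return ".".join(domain.split(".")[-2:])


def spf_aligned(mail_from: str, from_header: str, strict: bool = False) -> bool:
    """DMARC identifier alignment between RFC5321.MailFrom and RFC5322.From.
    The SPF DNS lookup is omitted on purpose: even a passing SPF record for
    attacker.example says nothing about the From: header unless the domains
    align, which is the whole point of the check."""
    env, hdr = domain_of(mail_from), domain_of(from_header)
    return env == hdr if strict else org_domain(env) == org_domain(hdr)


def check(session: str, strict: bool = False) -> dict:
    mail_from, _rcpt, text = parse_session(session)
    hdr = header_from(text)
    return {"mail_from": mail_from, "header_from": hdr,
            "aligned": spf_aligned(mail_from, hdr, strict)}


if __name__ == "__main__":
    for name, session in ("forged", FORGED_SESSION), ("legit", LEGIT_SESSION):
        print(name, check(session))
```

The forged session is accepted by the server with "250 Ok: queued" at every step; only the alignment check afterwards, comparing the two identities the protocol itself never ties together, flags it. Relaxed mode accepts a subdomain as the bounce address (mail.whitehouse.example for president@whitehouse.example); strict mode requires an exact match.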
Of course, programmers introduce vulnerabilities themselves. There are perhaps two main problems here: huge volumes of code and reuse of other people's code. When a software product is released, the code is usually tested to make sure it works with expected inputs, and almost never with input that has been deliberately crafted to carry out an attack. Professional companies are introducing secure development lifecycle practices (SDL/SSDLC), but these are not perfect either. For example, Microsoft has practised and promoted secure coding for many years, yet still releases patches for newly discovered vulnerabilities every month. On average, our laboratory receives 80 reports of new vulnerabilities a day in the products of various companies.
Code reuse is everywhere: nobody writes well-known algorithms and libraries from scratch. Programmers buy or borrow ready-made public libraries. Remember how hard the vulnerability in the OpenSSL library hit the world: it was used everywhere to encrypt management and data channels and to administer devices. Patches and updates had to be released urgently, and updating network equipment and sites in production is not easy. According to statistics, the Heartbleed vulnerability was present on 17% of public websites. Any product contains dozens of such public and paid libraries, for example libraries for managing external and internal devices such as video cards and network adapters, and vulnerabilities are found in them from time to time. And if you look at the Internet of Things, nobody there even changes the default passwords. No vulnerability is needed at all: anyone who wants to can come in and switch off and on whatever devices they like.
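The "tested only with expected input" gap and the OpenSSL bug are the same mistake seen from two sides: a length field supplied by the peer is trusted instead of being checked against what was actually received. The following Python model is an added example, not OpenSSL code. It reproduces the Heartbleed pattern (CVE-2014-0160): a heartbeat record is followed in a single bytes buffer by constructed "adjacent memory" holding a secret, the vulnerable responder copies as many bytes as the record claims, and the fixed responder applies the bound check the OpenSSL patch introduced (discard when 1 + 2 + payload length + 16 bytes of padding exceeds the record length). The message layout follows RFC 6520; the secret and the record contents are constructed.

```python
"""Trusting a peer-supplied length field: the Heartbleed pattern, modelled.

Added example, not OpenSSL code. Layout per RFC 6520: type (1 byte),
payload_length (2 bytes), payload, at least 16 bytes of padding. "memory" is
one bytes object: the received record followed by constructed heap neighbours.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16
HEADER = struct.Struct("!BH")           # type + big-endian payload_length

# Constructed data that happened to sit next to the record in memory.
SECRET = b"Cookie: session=8f2c41d9e7; Authorization: Basic YWRtaW46cGFzc3dvcmQxMjM0"


def build_heartbeat(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """A benign client sets claimed_length to the real payload size; an
    attacker sets it to whatever it likes (up to 65535)."""
    length = len(payload) if claimed_length is None else claimed_length
    return HEADER.pack(HB_REQUEST, length) + payload + b"\x00" * PADDING


def vulnerable_respond(memory: bytes, record_len: int) -> bytes:
    """Pre-fix behaviour: copy payload_length bytes from where the payload
    starts, without asking whether that many bytes were ever received."""
    _hbtype, claimed = HEADER.unpack_from(memory, 0)
    payload = memory[HEADER.size:HEADER.size + claimed]   # runs past the record
    return HEADER.pack(HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def fixed_respond(memory: bytes, record_len: int) -> Optional[bytes]:
    """Post-fix behaviour: the claimed length must fit inside the record that
    was actually received; otherwise the message is silently discarded."""
    if record_len < HEADER.size + PADDING:
        return None                     # too short to carry a length at all
    _hbtype, claimed = HEADER.unpack_from(memory, 0)
    if HEADER.size + claimed + PADDING > record_len:
        return None                     # the check the OpenSSL patch added
    payload = memory[HEADER.size:HEADER.size + claimed]
    return HEADER.pack(HB_RESPONSE, claimed) + payload + b"\x00" * PADDING


def leaks_secret(response: Optional[bytes]) -> bool:
    return response is not None and SECRET in response


def demo() -> dict:
    """Run both responders on a benign record and on a malicious one whose
    header claims 16 KiB of payload while carrying five bytes."""
    results = {}
    cases = (("benign", build_heartbeat(b"hello")),
             ("malicious", build_heartbeat(b"hello", claimed_length=0x4000)))
    for name, record in cases:
        memory = record + SECRET        # the record, then its heap neighbour
        fixed = fixed_respond(memory, len(record))
        results[name] = {
            "vulnerable_leaks": leaks_secret(vulnerable_respond(memory, len(record))),
            "fixed_leaks": leaks_secret(fixed),
            "fixed_dropped": fixed is None,
        }
    return results


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Both responders behave identically on the benign record, which is why a test suite built from well-formed inputs never noticed the bug; only the crafted length exposes the difference. The same shape (attacker-controlled length or count, no comparison against the real size) is behind a large share of memory-safety bugs in parsers.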
Today the scourge of information security in organisations is containers. They let you deploy the applications your business needs very quickly and efficiently, but any ready-made container image should be treated as vulnerable until proven otherwise, and many companies are urgently adopting products to protect Docker, Kubernetes and the platforms built on them, such as OpenShift. Many recent breaches and leaks of personal data were caused precisely by vulnerable containers.
If we talk about problems caused not only by developers but also by other IT staff, I would like to mention the numerous vulnerabilities in databases. Yes, design errors and unsafe code are still with us, but in our observation the weakest link is the database: excessive access rights to objects, database administrators' access to sensitive data (card numbers, phone numbers, e-mail addresses) and, let's be honest, easy-to-guess passwords like password1234 used to connect to production databases. Only every fifth IT specialist remembers the database vendors' recommendations. The human factor has not gone away either: data leaks can be not only accidental but deliberate; after all, up to 90% of the databases sold on black markets were stolen by company employees, not hackers. And yes, unfortunately, it is most often the IT staff, who see all the data in the database and understand its value, who sell it.
10. What tools do white hackers use?
"White" hackers work on the principle of "think like a criminal", so that when hunting for vulnerabilities, running penetration tests and so on they understand the attackers' logic. They therefore use the same methods as "black" hackers.
In terms of tools there is also migration, but in the opposite direction: from the dark side to the light. The point is that it is unprofitable for "black hats" to use custom-written malware: protection systems find it easier to identify by a number of signs. So the trend for a long time has been to use "potentially unsafe" programs, which is the label antivirus vendors give to such dual-use tools. As a result, the tools in both camps' hands are essentially dual-use: they can be used by "white hats" as well, so antivirus programs do not block such software outright but warn of the risk. Hacker magazine gives a short list of such software: ScanSSH, Intercepter-NG, NLBrute, UBrute, RDP Brute, sqlmap, Netsparker, SQLi Dumper, Router Scan, Private Keeper, Havij, Metasploit, Armitage, DUBrute, Lamescan, Fast RDP Brute, njRAT, Acunetix.
For example, Intercepter-NG was written by a Russian programmer who describes it as penetration testing software. He does not hide and keeps his own blog, i.e. he operates within the law. But some experts consider such software to be hacking tools, and not without reason, since it really can be used to solve attackers' problems.
The choice of attack tools depends on the target infrastructure and the technologies in use. Both unstable scripts for the latest vulnerabilities and mature tools for common security issues are used.
Among the many tools, I would single out a few basic ones:
- the Metasploit framework, which includes around 3,500 modules for exploiting various vulnerabilities;
- the Burp Suite web proxy, which lets you intercept requests to web sites and modify their content, which is needed to check for vulnerabilities;
- Hashcat, which recovers passwords by enumerating candidate values and comparing their hashes against captured hashed or encrypted data.
For information security audits and penetration testing there are many tools designed to check different kinds of resources: Wi-Fi networks, local networks, databases, operating systems, web sites and so on. There are entire distributions bundling such software, used by "white" and "black" hackers alike; examples include Kali Linux, BlackArch and Commando VM. Beyond the standard set of utilities in such distributions, testers use public utilities from github.com and other sources, as well as self-written scripts that automate a process such as password guessing. However, owning a set of utilities is not enough for thorough testing; you need to understand how the systems under test work.
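An added example (not from the article or from Hashcat itself) of what the third tool in the list does in principle, and of the kind of self-written password-guessing script mentioned above: offline guessing of passwords from a hash dump, with a tiny constructed wordlist and a few mangling rules of the sort Hashcat rule files express. It uses plain SHA-256 (Hashcat mode 1400) and, for contrast, a salted variant, counting hash computations to show why a per-user salt forces the attacker to redo the work for every account even when two accounts share a password. The wordlist, hashes and salts are all constructed.

```python
"""Offline password guessing against a hash dump, the principle behind Hashcat.

Added example: wordlist, rules, hashes and salts are constructed. Plain
SHA-256 stands in for Hashcat mode 1400; real audits use far larger wordlists
and rule files, and GPU throughput rather than Python.
"""
import hashlib
from typing import Dict, Iterable, Iterator, Set, Tuple

# Toy wordlist; real ones (e.g. rockyou) hold tens of millions of entries.
WORDLIST = ["password", "summer", "welcome", "admin", "qwerty"]


def rules(word: str) -> Iterator[str]:
    """A few mangling rules of the kind Hashcat rule files describe:
    identity, capitalise, leetspeak, append a common suffix or year."""
    yield word
    yield word.capitalize()
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")
    for suffix in ("1", "123", "1234", "!", "2019", "2020"):
        yield word + suffix
        yield word.capitalize() + suffix


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    for word in wordlist:
        yield from rules(word)


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack_unsalted(targets: Set[str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted hashes: each candidate is hashed once and checked against every
    target, so identical passwords fall together. Returns
    (hash -> password, number of hashes computed)."""
    found: Dict[str, str] = {}
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        h = sha256_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found, attempts


def crack_salted(entries: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Salted hashes, user -> (salt, sha256(salt + password)): every candidate
    must be rehashed for every user, so a shared password no longer falls for
    the price of one. Returns (user -> password, number of hashes computed)."""
    found: Dict[str, str] = {}
    attempts = 0
    for user, (salt, target) in entries.items():
        for cand in candidates(wordlist):
            attempts += 1
            if sha256_hex(salt + cand) == target:
                found[user] = cand
                break
    return found, attempts


if __name__ == "__main__":
    # Constructed dump: two guessable passwords (one is the article's
    # password1234) and one that no wordlist rule produces.
    dump = {sha256_hex(p) for p in ("password1234", "Summer2020", "xK9#vQ2!mWp7$zRt")}
    print(crack_unsalted(dump, WORDLIST))
    salted = {"alice": ("a1b2", sha256_hex("a1b2Welcome1")),
              "bob": ("c3d4", sha256_hex("c3d4Welcome1"))}
    print(crack_salted(salted, WORDLIST))
```

With this wordlist the unsalted dump gives up password1234 and Summer2020 after all 75 candidates are hashed, while the random password survives; two users sharing Welcome1 cost 35 hashes unsalted but 70 salted, because the work cannot be shared between accounts. A slow, salted construction (bcrypt, scrypt, Argon2) multiplies that per-guess cost further, which is why the choice of hash matters more than the length of the attacker's wordlist.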
Here are the results of HackerOne's 2019 survey: