Every week, a new data breach makes headlines. Target, Yahoo, Equifax, JP Morgan Chase, and many more have all been subject to massive information data breaches compromising the personal information of millions of customers.
Even as phishing has grown as a threat in recent years, one of the simple ways to break into a target’s data is through a software vulnerability. The Equifax data breach is a clear example of a company using an outdated and vulnerable open source library and not fixing it. In the past decade, we are starting to see more companies implement internal security teams to guard their company’s information against such threats. Unfortunately, these security teams aren’t enough as hackers seem to find their way through our system and sensitive information.
When we think of the word hacker, we instantly think of the classic stereotype is that these people are malicious, shady, talented, and criminals. While there are those out there who are up to no good, the truth is that hackers are essential to making the internet a safer place. Always in search of a good puzzle, hackers are intellectually curious, driven by transparency, and motivated to find weaknesses within systems.
Within this community, there are those who seek out vulnerabilities so that others don’t exploit them. Working for the public good, white hat hackers have traded in their hoodies to fight for the light side of the force.
To get a better in-depth understanding of what makes hackers switch to become a white hat hacker, we interviewed Len Noe of CyberArk.
If you ask real hacking aficionados, many will tell you that they were drawn in at a young age. Behind the keyboard, these youngsters love the idea of being adventurous and breaking into things.
In Noe’s case, he says that his love for computers started at a very young age,“ Growing up I was one of those guys who needed all the new electronics and computers, so I was introduced to computers at a young age.”
Noe’s initial introduction to the idea of hacking was helped by coding newsletters. “It was back in the Commodore 64 days when they would send a monthly or weekly newsletter where they would give you actual code to write small programs. I remember coding these programs and after making a mistake, a system malfunction would occur. He says that these malfunctions opened his mind to the idea that he held the keys to the device, giving him the power to alter the system in unintended ways.
“It changed my way of thinking,” he says, explaining that instead of thinking what is this device, I started to think what can I turn this into.”
As a young troublemaker in the Detroit area, Noe says that he needed to garner some street cred, making a name for himself War Games style. “I started off by hacking into my school by modifying grades and stealing and changing test papers.”
Along the way, Noe figured out that soft skills could be even more important that strong technical talents, especially when it came to the art of social engineering. He says that social engineering is the easiest kind of hack to pull off a beginner, “Social engineering has always been one of my hobbies. It’s like telling someone to go to hell and them asking you for the directions there.”
Back in the mid-1980s, there weren’t many options for aspiring hackers to learn the trade, with no how-to guides or the dark web to learn the techniques and methods. However, Noe says that as a young hacker he was a key member of the community, helping to provide information for fellow hackers. “I actually ran a bulletin board system for a while and was very active in the system early on,” he says, noting that, “After the Pacific Bell breach which was initiated Kevin Mitnick was announced it presented a validation of my hacking skills and talent.”
Similar to most hackers Noe mainly learned through experience. “I am very technical but not mechanical,” he says, adding that, “If you want I can make your computer do anything you want but if you see me with a hammer and screwdriver you may want to run something is about to break. Actually, all my early experience came from trial and error. If you succeeded to do something you kept that close to you like it was a national secret.”
There is no denying that life as a black hat hacker has its thrills. From hacking government systems to enterprise applications, making off with valuable data without leaving your digital fingerprints, being a black hat is like an addictive game of cat and mouse. However, at some point the risks may overtake the rewards, leading to more and more black hat hackers changing sides. every hacker has their own reasons why they choose to go legit.
In Noe’s case, he says that his turn to the light side was for legal reasons.
“Before 9/11 it was a different world,” he explains, noting that if you got caught the FBI would show up at your house and maybe your punishment would be you couldn't use a computer for a certain amount of time.”
However, he says that there was a serious crackdown on hackers following 9/11 that raised the costs of breaking into servers. “It wasn’t worth it,” he says, explaining that he began looking to take his talents elsewhere.
“I love to be able to use my skill set to do things that I love in a way that I don't have to worry about the consequences,” he explains, noting that the idea of helping people along the way appealed to him.
Still, making the transition had its challenges. Noe says that it was tough to leave the lifestyle, although not for the reason that one might expect.
“I never was the stereotypical hacker that is portrayed in the movies who steal your data and holds it for ransom,” he says. “For me, it’s always about the puzzle.
Noe says that the fun in the game was about showing his targets that their defenses weren’t as good as they thought they were. Often, he says that he would come across a target who had mistakenly put all of their eggs in one basket, utilizing inadequate defenses to try and protect their product. Part of his personal mission was to prove that he could do the impossible, beating them in their own backyard and undermining their sense of security.
“Security is a state of mind,” he remarks, “Not a state of being.”
While your typical security expert will go on how it’s important to follow best practices, having the right experience will beat out best practices any day of the week according to Noe. White Hat Hackers have the years of experience of breaking into company’s systems and applications, teaching them to think like their adversaries. As they say, it takes a thief to catch a thief.
“I am coming at it as a realistic standpoint,” Noe states, adding that, “It allows me to tell my customers the truth behind the attackers’ thought process.”
“In most attacks, it’s like a puzzle without getting the picture on the box so you have no idea on the reasoning behind the attack,” he says. “That's why being a former Black Hat helps me to think about every step that was made to get to these results. It gives me more credibility than other security professionals because I know from experience where an attack could be headed and how to deal with it, not just what is listed as best practices. I am gonna tell you why they did this attack and how it was done. It provides comfort to my customers, knowing that I was one of the bad guys. I used to think like them and run in their circles and know how they think and how they operate. This provides me a full picture of the attack over your standard Blue Hat defenders.”
Over the past few years, we are starting to see organizations take more of an initiative when it comes to the security of their applications. While this a positive direction, it is worth asking if they are doing enough to leverage white hat hackers in their organization’s security strategy?
“Internal teams find different results than external ones,” explains Noe. Having a white hat hacker on staff provides the opportunity for an internal, trusted team to look for those holes. White hats are those people on Hacker News posts and on the forums and on the darknet. If this was an army, white hats are your special forces. They are the employees that know all the information that hackers are looking for and pass the data to the internal security teams.
In the security industry, every day we are seeing new security tools that help us in the struggle against the black hats. While automation and other innovations in the security space are helping to close the chasm, Noe says that we still need to take into account the human element of security.
From Noe’s perspective, perhaps unsurprisingly, he strongly recommends implementing a white hat program as an integral part of an organization ’s security strategy.
“The fundamentals of hackers are the same,” he says.” In the end, the main target is the human being. To stay ahead of the curve, get involved. If it’s taking part in your local OWASP chapter or learning from security communities, just getting involved it will help your company financially in the long run.”