The Necessity of Hackers

In July 2017, Equifax, one of the largest credit reporting agencies in the United States, announced that it had discovered a data breach. The personal information of more than 143 million American consumers was compromised, including names, addresses, and Social Security numbers, putting a massive portion of American identities at risk. This breach was made possible by a group of hackers exploiting a vulnerability on the Equifax credit dispute website to gain access to data records. This hacking was one of the largest in recent history and had significant financial and legal consequences for Equifax as well as the individuals whose information was stolen.

Now, you may be wondering, after detailing such negative consequences of hacking, why is the title of the article The Necessity of Hackers? It turns out that there are actually several different types of hacking, each with its own purpose. Let me introduce you to the concept of white hat hacking. The term white hat hacking refers to the practice of ethical hacking, where an individual or group attacks a technological system with the intention of strengthening the system’s security. While it is true that malicious hackers are always out to exploit weaknesses and gain information from different technological systems, white hat hacking is essential to preventing these hostile hackers from successfully breaching our data each and every day and ensuring that the systems we use are designed with user safety as a priority.

Now, a little bit of background on white hat hacking. White hat hackers, commonly referred to as ethical hackers, are experts in computer security who focus on penetration testing. Penetration testing is a simulated cyberattack on a computer system to evaluate the security of the system, and a white hat hacker’s primary job is to utilize their skills to perform these attacks on computer systems, networks, and applications to discover and notify the owners of the systems of each vulnerability. This is done with the permission of the system owners in a controlled environment with the purpose of identifying weaknesses in the system that need to be patched. While hacking in itself has a negative connotation, the idea of white hat hacking is in the name of protection. If weaknesses exist within a system, an attacker will search for them in the hope to exploit them. Thus it would make sense to have someone with no ill intent attempt to break the system first to test its security and expose any deficiencies. White hat hacking is also crucial to ensure that technology is developed and implemented with the security and safety of users in mind. Unfortunately, technology companies tend to prioritize the aspects of speed and creativity in development over security, resulting in users being susceptible to cyber attacks. Ethical hacking displays the holes in their systems, pushing these companies to scrutinize their security practices more closely.

As discussed in the article “Ethical Issues in Information Technology (IT)”, actions that intentionally result in the loss of user information are deemed unethical. An entity not properly testing its system’s security is essentially negligence of its users’ data, as this leaves plenty of opportunity for hostile parties to obtain information through vulnerabilities. Ethical hacking directly counteracts this and demonstrates the prioritization of the user’s security. Had Equifax utilized white hat hacking, the breach could have been prevented as the vulnerability could have been mitigated before an attacker discovered it. A particular instance of utilizing white hat hacking to its fullest potential is the Code Red computer virus. The computer virus, also known as a worm, attacked Windows-based systems that ran with Microsoft IIS (Internet Information Services for Windows Server) installed. Researchers at the cybersecurity company eEye Digital Security were in the process of performing white hat hacking services, developing a system that would search for vulnerabilities in Microsoft IIS, when they discovered the worm. The result of the worm was the defacement of websites served by Microsoft IIS, with the words “Welcome to http://www.worm.com! Hacked By Chinese!” displayed on the screen instead of the website's usual content. While the worm still spread vastly throughout the world, affecting more than 300,000 servers, the early detection of the virus allowed Microsoft to patch the issue with its server and eventually weed the virus out as systems updated to a server version with the patch.

Along with white hat hacking, there also exist two other factions of hackers: black hat hackers and gray hat hackers. Black hat hackers are what most people think of when they hear the word “hacker”. Black hat hackers are criminals who attack systems with malicious intent, causing a wide multitude of damage, ranging from releasing malware into the system to destroying important files from the network to stealing personal information that can be used for fraud or used as blackmail. You may have encountered them yourself, whether it was from a spam phone call or from a suspicious link popping up on a website. These hackers can operate individually or as part of a wider organization, and typically act for financial gain. One of the most famous black hat hackers ever, Kevin Mitnick, was at one point the most wanted cybercriminal in the world, hacking into numerous major corporations, including IBM, Motorola, and even the United States National Defense warning system. Following Mitnick’s arrest in 1995 and release after five years in prison, Mitnick became a cybersecurity consultant and founded his company, Mitnick Security Consulting, which is a white hat hacking company that offers penetration testing and vulnerability assessment along with other security services. There still exists an enormous amount of black hat hackers in the world, so it is always a good idea to stay conscious of ways to protect yourself in the digital world. I myself am currently taking a computer security course, and I feel the methods of teaching within the course are unique, in that we are taught different security practices by being taught to exploit them. Our projects involve the attacking of different systems utilizing techniques taught in class to demonstrate what sort of vulnerabilities to look out for when designing our own systems. In a way, we are learning our own form of white hat hacking to become more aware the sort of weaknesses that appear in systems we use every day. Now more than ever, companies need to be aware of cybersecurity threats from hostile individuals and rigorously test their systems to keep themselves and their customers safe.

The more curious faction of hackers are the gray hat hackers. Gray hat hackers are somewhere in between white hat and black hat hackers, meaning they practice a mix of white hat and black hat hacking activities. Gray hat hackers often search for vulnerabilities within a system and report any issues they find to the owner, just like white hat hackers, sometimes requesting a fee to fix the issue they found. However, gray hat hackers will search for these vulnerabilities and probe the system without the owner’s permission, thus making this act illegal in many cases, which is like the activity of a black hat hacker. While the intentions of gray hat hackers appear to be good, violating laws and going against the wishes of the owners of these systems is viewed as unethical. You wouldn’t like it if someone trespassed on your property even if they meant well, right?

However, some companies that do not want to hire an outside entity to penetration test their system, wanting to rely on their own internal testing. These companies sometimes offer a bug bounty program to the public, meaning they will offer monetary incentives for those who are able to discover bugs in their program as a way to deter gray hat hackers from leaking any issues they found to the public. A famous occurrence of gray hat hacking would be the hacking of Facebook by Khalil Shreateh. Shreateh discovered a bug that allowed a user to post something on any other user’s page. Shreateh informed Facebook’s security team of this issue, only to be ignored and told that it wasn’t a bug, denying him any reward for discovering the issue. Shreateh then proceeded to hack into Facebook founder Mark Zuckerberg’s personal Facebook page and make a post to demonstrate the severity of the bug. Despite the methods of gray hat hackers being unethical, their practices still reveal holes in the defenses of systems and thus can contribute to making networks safer, further demonstrating the need for these types of hacking to strengthen cybersecurity.

While the concept of hacking appears to be unfavorable and even criminal, its applications in a controlled setting are essential to more complete cybersecurity. White hat hacking plays a critical role in ensuring technology is being developed and implemented with user safety and security in mind. Organizations must incorporate ethical hacking into their overall cybersecurity strategy to safeguard themselves and their users from the growing threat of cyberattacks.