By Inbal Aharoni
It’s late one evening and a group of penetration testers are gathered around a computer, trying to write the perfect phishing email – the one which will get the secretary to the CEO of a leading global firm to click and open an attached Word file.
All part of a day’s work for security consultants – the ethical hackers who daily walk a line between hacking for the good mankind and crossing over into the murky, blurred world of what would otherwise be illegal hacking activity. Of course, when the secretary opened the attachment (which she did), nothing bad happened.
But if these had been the bad guys – the damage could have rocked the foundation of said company. A CISO and his IT security team most certainly would have been in for some sleepless nights; stocks could have fallen; a pr damage control blitz would have been whipped into action and customers would have been left trying to understand what, if anything, the breach meant to them.
Hacking – for good and for bad – has been glamorized since Matthew Broderick starred in War Games, Angelina Jolie in Hackers, River Phoenix in Sneakers, Keanu Reeves in the Matrix…. and on and on. The hacker with the eternal conflict of good versus bad – is a character interesting enough to carry a Hollywood screenplay, or, as we have seen over the past few days – front page headlines all over the world.
If you follow the news, you know that Marcus Hutchins, our WannaCry hero, discoverer of the famous kill-switch, has fallen from grace. Hutchins was reportedly picked up by federal authorities in Las Vegas after attending Defcon, accused by US officials of writing parts of the Kronos banking Trojan and selling it. Reports say that while in custody, Hutchins admitted to writing the code without actually admitting to its distribution. After a few days in jail, he was released on bond, pending court appearance.
Whatever the outcome with Hutchins, insiders of the security industry are questioning the motives and wisdom of US authorities, saying these actions breach trust and endanger potentially vital cooperation between security researchers and authorities in cases of future attacks.
Every white hat-er started somewhere. Before they worked for the good guys, they were hacking independently – looking for a challenge – that curiosity is what makes them good at what they do and capable of beating an attacker. And many of these white hat-ers, obviously, still hack on their own, even when working on the ‘good side.’
The question we have to ask is: when do the means justify the ends? And should we view every black hat-er as a potential Kevin Mitnick – the conflicted Hollywood movie bad guy with a hidden heart of gold – balanced on the verge of becoming a legitimate security consultant?
Inbal Aharoni is Cynet’s Marketing Manager