Tagging someone as a "hacker" has a pejorative tang to it these days, but there's a class of code warrior who embraces the label as a badge of honor. Known as white hats — a reference to the good guys in old westerns — these bug ferrets give hacking a good name by alerting software makers to flaws in their code.
A white hat hacker, also known as an ethical hacker, can have a variety of skills in his or her toolbox, including programming and network penetration skills. Some can even have their skillset certified by the NSA, which, through CNSS 4011, has established a baseline for infosec professionals.
Why They Do It
Not only do white hats have a variety of skills, but they have a variety of backgrounds too: students, professional security consultants, professors and software developers. And while white hats can make money by collecting "bug bounties" — payments from companies hiring them to find a flaw in their system — most do what they do for higher reasons.
"We have a couple of hackers that have made over $200,000 a year," says Michiel Prins, cofounder of HackerOne, a vulnerability coordination and bug bounty platform. "That's a pretty good salary for a hacker, but in most cases a hacker has a day job or they're a student ... hacking part-time or as a hobby."
One of the toughest problems facing a white hat hacker is communicating with a firm after discovering a flaw. In fact, it was that problem that nudged Prins, Alex Rice, Jobert Abma and Merijn Terheggen to found HackerOne.
The quartet performed an experiment, attempting to find vulnerabilities on the websites of a list of 100 blue-chip tech companies in Silicon Valley. "We'd spend some time on each of their websites — probably around 15 minutes — to see if we could find a vulnerability," Prins explains. "In every case, we found something."
Of the 100 companies contacted by the hackers, one third never responded, a third thanked them and fixed the vulnerability and another third wanted to work with them to find more.
The Hacker Gotham Deserves
Even after a company is contacted, white hat hackers risk being labeled a black hat (criminal hacker). White hat Chris Vickery recently alerted uKnowKids about a flaw in its MongoDB database, which exposed 6.8 million private messages, nearly 2 million images and 1,700 child profiles. uKnowKids "rewarded" Vickery for his efforts by exposing two of his IP addresses.
"You're going to run into that from time to time, but I think the public good overall is worth the risk," Vickery says. "I'm not going to let a few bad apples persuade me to stay away [from being a white hat]."
Vickery's specialty is finding MongoDB databases that face the Internet and are open to the public. He uses a public search engine called Shodan to find servers that require no authentication and are open to external connections.
In some cases these databases become exposed due to an oversight in configuration. Others, though, appear to be deliberate. "It's people not knowing what they're doing," he observes. "These companies are making things accessible to the public that shouldn't be."
Before the release of MongoDB 3.0, the miscues could be caused by a failure to change the software's configuration settings, which, by default, opened the database to anyone.
"After version 3.0, though, the default configuration is not that way. So anybody that's doing it these days seems to be doing it on purpose."
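The two settings behind the exposures Vickery describes are the network interface mongod binds to and whether authorization is enabled. Below is an added audit script (not from the article, HackerOne or MongoDB) that reads a YAML-style mongod.conf and flags both; the two sample configs are constructed for the example, and the key names `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB's documented options.

```python
"""Audit a mongod.conf (YAML style, MongoDB 2.6+) for the two settings that
leave a database open to the Internet: binding every interface and running
without authorization. Uses a minimal two-level parser, so no PyYAML needed."""

OPEN_BIND = {"0.0.0.0", "::", "*", "0.0.0.0,::"}   # "listen everywhere" values

def parse_conf(text):
    """Parse the 'section:' / '  key: value' subset that mongod.conf uses."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()     # drop comments / trailing space
        if not line.strip():
            continue
        if not line.startswith(" "):             # unindented line = section
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, value = line.strip().split(":", 1)
            conf[section][key.strip()] = value.strip().strip("\"'")
    return conf

def audit(text):
    """Return a list of findings; an empty list means both settings are safe."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    bind = net.get("bindIp")
    if net.get("bindIpAll", "").lower() == "true":
        findings.append("net.bindIpAll=true: listens on every interface")
    elif bind is None:
        findings.append("net.bindIp not set: relies on this version's default")
    elif bind.replace(" ", "") in OPEN_BIND:
        findings.append(f"net.bindIp={bind}: listens on every interface")
    if sec.get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: any client can read/write")
    return findings

# Constructed samples: the open shape described above, and a hardened one.
EXPOSED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```

Run it against a real file with `audit(open("/etc/mongod.conf").read())`; any finding means the instance would show up in exactly the kind of search Vickery describes.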
Hack Without Looking Back
Some flaws discovered by white hat hackers could fetch a handsome amount on the Dark Web. An iCloud vulnerability, for example, was reportedly selling for $17,000. Offers for iOS exploits have ranged from $250,000 to $1 million.
Yet many white hats turn their backs on the dark side. According to a recent survey in Network World, nearly three out of four white hats (74 percent) say they wouldn't turn to the Dark Side for any amount of money.
"The group of hackers that is helpful to companies," Prins said, "will always be much, much larger than the number of criminals that exist on Earth."