CLOUDY podcast | #21 When a hacker helps, not harms

The twenty-first episode of the CLOUDY podcast opens up the topic of hacking. Is there such a thing as a good hacker and a bad hacker? How does a person become an ethical hacker? What motivates hackers? You can find out more about the topic in the interview between Andrej Kratochvíl and Michal Srnec.

So who is this hacker?

As you rightly said, it's a somewhat mystified term. Whenever we hear the word hacker, we imagine some guy down in the basement in a hoodie, who's tapping something and always has bad intentions. Hacking something, stealing something, etc.

Hacker is not always a negative term, but rather it's a designation of some type of thinking, a tool. We all know the term "life-hack", that I hacked something, I invented something well. It's more of a procedure, a type of thinking.

Are hackers good and bad?

They are good and bad, and there are those in between. The good ones are called "white" hackers, the bad ones are called "black" hackers, and the ones in between are called "grey" hackers. The difference between them is the ethical dimension.

An ethical hacker does his work with the legal consent of the company in question. He does it to improve the security of the company that commissions him and of its systems. The legal consent is given before the actual hacking. It is an agreement between the company and the hacker – it defines exactly what will be the subject of testing. At the end, the ethical hacker hands over the results to the company so that it can act on the potential problems found, and he receives an agreed reward for it.

And the bad guys, black hat hackers, do basically the same thing, but there is no legal consent and of course the motivation of such hackers is, for example, some financial gain or achieving other, e.g. political goals. Furthermore, they have no ethical principles and use any tools that they can find, steal, etc. An ethical hacker still works only with the available tools within a budget that is designated for that, etc.

Nowadays, we don't have to talk only about individuals, there are entire hacker groups that are organized, have their own hiring, recruitment centers... We can be happy that these groups often compete with each other and attack each other.

And somewhere in the middle of this is the "gray" hacker, who moves in that gray zone. He usually works by trying and looking for technical flaws and then trying to report them to the company, but he does it without their consent. He lacks the legal consent to do such "hacking".

Many large companies have so-called bug bounty programs that they publicly announce – in the sense that if you find something, report it to us and we will give you a reward for it. In that case the company itself declares the legal consent and hackers can try. Those rewards, especially from big players, can climb to hundreds, thousands or tens of thousands of euros, depending on how big a vulnerability the hacker finds.

How does one become a hacker?

I think that every hacker starts by having fun and trying. There are certainly certified courses that a person can take, etc., but they must have the attitude that they want to understand it, they want to know how things work in the background, and that takes hours to years of testing, getting to know each other.

In our company, there are security experts who, so to speak, partially do the work of hackers. We also provide a wide range of services to customers, starting from risk assessment and legal approvals, to the deployment of technologies such as firewalls (protection against unauthorized access), multi-factor authentication, etc. And some of our colleagues are dedicated to penetration testing of websites, applications, etc.


Attacks happen here too. The last time the biggest one was probably the attack on the cadastre. Can you find out where the attacks were directed from? Who is behind the hacker attacks?

It's called attack attribution, and it's not a trivial scientific discipline. Evidence is collected about what did the hacking – whether it was this IP address, this file hash – the procedures and tactics that were used are examined, and investigators try to find out which hacker group may be using the given tactics and is behind the attack, etc. Sometimes this attribution is successful and sometimes it is not, or only after a period of time.

What could be the motivation of hackers? Is it just financial gain or data gain?

In addition to the above, other things are stolen, such as patents, technologies that companies use, what customers the company has, who it invoices how much...

Should we be worried about hacker attacks?

Definitely. Hacker attacks are not just a rare exception; we only see the tip of the iceberg that becomes public. It is still true that the majority of these attacks are unreported or are not resolved.

There is a different spectrum of attacks, for example, there was recently an attack on the Nymburk Hospital, which was operating in shutdown mode, then an attack on a dam in Norway, there are known major attacks such as Stuxnet (an attack by a computer virus from 2009 on computers that controlled an Iranian nuclear facility), where the American secret services disabled a uranium enrichment centrifuge in Iran, etc.


What are the most common mistakes that companies make?

For me, these are mainly two situations – the first is that the company ignores detected or reported flaws in the mistaken belief that “it can’t happen to us anyway”. Because we need to realize that there is a big asymmetry between the discovery of errors and their correction. Hacking can take, say, a month, but correcting those errors can easily take six months.

The second thing is that the company decides to fix the problem, but it is only a quick, insufficient fix, which is ultimately not enough.

And what about the role of AI in hacking?

AI speeds up the race between the two camps (hackers vs. security technicians). Attacks are more targeted, it is necessary to react faster, etc. In my opinion, AI is not yet so advanced that it would write precise code for vulnerabilities. It is not yet so sophisticated that it would be able to write code that hits exactly where the hacker wants. But it can definitely help and speed up the process; it is very advantageous in phishing, etc. So AI can erase the line between a beginner hacker and, say, a moderately good hacker. But it hasn't reached the level of the top hackers yet; humans still have the upper hand there.

You can listen to the entire podcast on Spotify, Apple podcasts, or watch it on YouTube.
