
Ethical hackers: ‘Without us, no one will protect you’

What does the term 'hacker' mean to you? Sometimes, they're the good guys. File/Getty Images

TORONTO – Hackers are everywhere.

They are leaking millions of stolen user credentials and passwords to online forums, breaching celebrities’ iCloud accounts to steal nude photos, and installing malicious software designed to steal credit and debit card information from unsuspecting retail customers.

But hackers can also be found sitting in the offices of some of the most trusted security companies, conducting experiments for the same companies who may be targets.

The latter, however, are the good guys.

They call themselves ethical or “white hat” hackers, and work to find vulnerabilities either online or in business systems and responsibly disclose them to those in charge.


In recent months, Canadians have heard about everything from the Heartbleed bug, which resulted in the theft of roughly 900 social insurance numbers from the Canada Revenue Agency, to widespread breaches at popular retailers, including Target and Home Depot.


And ethical hackers are playing an increasingly important role in helping to find these vulnerabilities before the bad guys get to them.

Earlier this month, security firm Trustwave opened a state-of-the-art ethical hacking lab at its headquarters in Chicago, so its in-house hackers could perform tests on commonly exploited technologies at the request of businesses.

Global News spoke with Trustwave hacker Matthew Jakubowski to get a better idea of what an ethical hacker really does.

What is an ethical hacker?

“An ethical hacker is a security professional, or someone that has a hobby in security, who is looking for [a] flaw in everyday systems, home products and computers. They are looking for the same flaws bad guys are looking for and trying to take advantage of,” said Jakubowski.
“They are going to find [the flaws] and get them fixed before anyone else uses them for bad.”

Hackers at Trustwave’s lab have arrangements with the companies whose systems they are testing, so the work is legal. These companies pay Trustwave to have its hackers comb through their critical systems to test for vulnerabilities.

Jakubowski and his team also test gadgets and retail equipment to better understand how thieves install malicious systems.

What do they test?

One of the biggest (and most commonly used) pieces of equipment that the Trustwave team works on is the retail PIN pad.

The team examines the devices to see where attackers could install skimming devices, which are usually installed thanks to exposed wiring from the device’s circuit board, according to Jakubowski.


“Some of the pin pads right now you are able to buy it off of an auction site, modify it yourself, and then go to a retail shop and swap it out. We’ve seen a lot of that in the last year or two,” he said.


The team also does a lot of testing on ATMs – which has led them to some surprising discoveries.

“A lot of ATM models use the same keys and we were able to purchase three ATM keys for about US$12 off an online auction site. There are typically two keys – one for the main unit where the computer is stored and another for the cash drawer,” said Jakubowski.

“Getting to that computer gives an attacker enough access [in some cases] to modify the system to take money out without a card, or install a skimmer.”

Why ‘hacker’ doesn’t have to be a scary word

Unfortunately, hackers often get a bad rap because the term is usually associated with cybercrime.

But ethical hackers have been responsible for discovering some major bugs, such as the massive OpenSSL vulnerability – dubbed the Heartbleed Bug. It was discovered by a team of researchers at Finnish security firm Codenomicon, with the help of a Google researcher.


In 2008, hacker Dan Kaminsky made a name for himself after discovering a flaw in the Domain Name System (DNS) protocol. His findings led to an industry-wide patching effort that included software giants like Microsoft and Cisco.

“I identify as a hacker – an ethical hacker – it shouldn’t be a bad term. There are a lot of people out there called tinkerers or hackers that are doing good,” he said.

“It’s just the only ones you hear about are the ones who are doing bad.”

But more companies are jumping on the ethical hacking bandwagon, including Microsoft and Facebook, who teamed up in 2013 to start a “bug bounty” program aimed at rewarding security researchers for finding and reporting vulnerabilities.


And the more the merrier, said Jakubowski, who added, “Without us, there is not going to be anyone to protect you.”