After my school days, I was researching about different information technology career paths. In an article, I read that Information Security has a very wide scope in future and will have many opportunities. This is one area where the companies wont be able to compromise. They can cease a software development project, it wont impact their business so much. But if they compromise on security, that can wipe out their entire business operations and reputation. So every year, the demand for information security will increase. Eventually I started reading information security articles and found that most of the information security magazines and websites were talking about hackers, breaches etc.
Hacker – I still don’t remember when I first heard this term. But whenever I read or hear it from other people, it used to give me a wrong impression. So I was curious those days to know more about that. Some people told me that hacker is more of a modern robber utilizing the chances of Information Technology. Instead of stealing money physically, in the modern world, they use the digital technologies as their weapon for the evil acts. At that time, the first question that came to my mind was why we were not able to find those people and put them behind the bars. The answer was simple. They were not physically reachable and they operate from different countries. I knew little about Interpol and my next question was why we were not able to find those people with the help of them.
My uncle who used to listen to these questions started feeling different and in a positive note, he introduced me to his friend “Jim” who works in Information Security. After discussing my questions/doubts with Jim, he invited his friend, Rob, who works in Penetration Testing Team as a hacker. Ohh..I got confused. Hacker!! Sitting in an office and it is a designation as well!!
With a gentle smile Rob came to the room and with lot of confusion and fear I introduced myself. My first question was “Rob, are you a robber?” “Why are you stealing money from innocent people?” They both started to laugh and they were not able to stop their laughter. I became embarrassed.
Once they were done with their laughter, they looked at me with a smile and Rob patted on my shoulder and said, “Nice, honest question. I will explain about it. But before that shall we have a coffee break?” Rob, Jim and I went for tea. On the way he started to explain more about hackers, hacking, penetration testing etc.
“Mainly there are three types of hackers, first with a White Hat, second with a Grey Hat and the last with a Black hat. The White Hat hackers are good like me and hence known as Ethical hackers. Our abilities wont be used to for any bad, unethical or criminal activities, it would be used for good, ethical and legal purposes. We normally get recruited to companies and they use us to test their infrastructure, find flaws and thereby strengthen their infrastructure. We won’t steal any information. We report to the organization about our findings so that before a hacker finds a loophole, the organization would be able to fix those issues.
This is what we call as Penetration Testing. Tell me now, do I look like a robber?” I simply smiled with respect. “What you heard about hackers is partially correct. If there is good, there will be evil too. Those evil hackers are the Black Hat Hackers.” We reached the coffee shop and ordered coffee and some snacks.
Rob started explaining more about black hats. “They hack for their personal gains. They will crack your credit card numbers, transfer money from your accounts; they will make business interruptions for no reason. Those guys are called Black hat hackers or criminal hackers and our fight is against them. Good Vs Evil...!!”
“There are another set of hackers, who sits between black and white. They are called Grey Hats. I would still rate them as black hats because of their nature of activities. Consider a person, who is not related to the company, informs the company management that he has identified a major threat in their network, infrastructure or an application. If it is not fixed, it may result in business interruption and that will result in a loss of billion dollars and reputation. He offers a fix for the threat and in turn charges some million dollars. This is a sort of blackmailing and I feel is unethical. If the organization is not willing to pay the money, these grey hats will publish that vulnerability publically and those black hat hackers will exploit them. This is all about type of hackers.”
“Then there are other types of hackers like script kiddies. There are different types of hacking tutorials and tools available over the internet. So those who are not expert in hacking may use these tools or scripts to launch attacks. I would rate this also as an unethical practice. Script kiddies has less knowledge about hacking and their main motive is fun. But they don’t know the extent of the damage that can be caused based on these activities. I talked about black hats before. Not for money, there may be other reasons for them to launch attacks, it can be because of political reasons, revenge, or they want to harass people or organization for their entertainment. Really bad..!! Such people are called Hacktivists.” We finished our coffee and started to walk back.
“Finally there is another type of hacker called Spy hackers. These Spy hackers are employed by organizations to steal information or trade secrets about their competitors. Sometimes these spy hackers will get employed in the latter organization and will passively work for the former organization.”
I asked Rob about their hacking strategies, how he gets updated about the latest threats. I felt that Rob was very happy about the enthusiasm I was showing. “Yes, that is very important in this field. We do have different strategies, but wont be able to disclose them. Let me give you an example. There are groups over the internet where all the hackers are member of. These groups are anonymous thereby making sure that their identities wont get revealed. They’ll have discussions about the various threats, attacks and vulnerabilities. This will help us understand about the attacks that can occur in the coming days. So I will work with our Security team to have a proper risk assessment and make sure that our infrastructure is well protected. But these things will help to some extent only. A real hacker wont be revealing about his plans.”
I was so happy with the discussion which I had with Rob. I met him in the morning, but our discussions went till evening. It was a memorable coffee break too. During the talk he ensured that I should get the right information about hackers and more importantly I should get to know the after effects of doing these attacks. He gave me an example of a guy who brought down couple of web servers and lost almost 10 years, 2 years behind the bars and rest of the years for legal battle.
The above scenario is an imaginary one, but I wanted to point out some important things here.
The reason behind writing something like this is mainly because of an event happened in my state. One movie (regional) got released couple of months back and it was becoming an all time blockbuster. After a month, the pirated version of the movie got released over the torrent websites.
And as part of investigation, three students (age group 15-17) got arrested for uploading the movie to those torrent websites. They have used tools to spoof the IP, but the cyber security wing was good enough to find this. The statement I wanted to make here is that most of the script kiddies or teenagers are over confident when they do these sorts of activities. They blindly believe that these spoofing tools protect them from identification. Most of these people do not know the extent of damage these activities may result in. In my opinion, proper law suites must be in place so that such cases shall be handled globally.
Views by Aju Nair