Many famous black hat hackers have gone on to successful, legitimate careers. In 2008, then 18-year-old Owen Walker was charged as a ringleader of an international hacking group that caused more than $20 million in damages. He went on to work in the security division at telecommunications company Telstra. Jeff Moss, founder of Black Hat and DEF CON computer hacking conferences, ran an underground network of hackers ranging from the curious to the criminal. In 2009, he joined the U.S. Homeland Security Advisory Council, and in 2011 was named CSO for ICANN, the agency that oversees domain names. Kevin Mitnick is now Chief Hacking Officer at security awareness training site KnowBe4. He was once on the FBI's Most Wanted list for hacking into 40 major corporations.
Shades of gray
The vast majority of hackers are not felons or criminals, Rice says. “They fully intend to leverage their skills for good. These people could choose to be criminals if they want to be, but they decided not to -- the same goes for any other type of profession.”
But between the white hats and black hats, how can companies vet all the shades of gray hackers in between? “One man’s hacker is another man’s security researcher,” says Stu Sjouwerman, founder and CEO of KnowBe4. “Just as one man’s freedom fighter is another man’s terrorist.”
On the vendor side, companies usually hire ethical hackers, Oltsik says. “Maybe they’ve skirted with the law, but usually it’s not someone who’s got a long rap sheet or has been convicted of a crime.”
KnowBe4 employs four white- and gray-hat security researchers. Occasionally, the firm has skirted the law in its efforts to stop attacks – most recently a CEO fraud attack on Sjouwerman himself.
Someone impersonating Sjouwerman sent an email to his comptroller requesting a wire transfer of $40,000. Recognizing the scam immediately, his team went to work to identify the thief and turn the tables in a reverse social engineering scheme.
“We sent him a phishing email to his AOL account that read, ‘there have been too many logins and your AOL is temporarily blocked. Please log in to unblock your account.’ He fell for it in a flash,” Sjouwerman recalls.
Five minutes later, Sjouwerman’s team had the attacker’s AOL user name and password. Once inside, they emptied out his AOL account into their own PST file and examined his work. The operation was netting the scammer about $250,000 a month.
“We knew that we weren’t allowed to do it, but we did anyway,” Sjouwerman says. When it comes to hiring hackers, “this is the kind of thing that you are easily tempted into if you’re a white hat or gray hat.”