Rehabilitating Black Hats

If you color outside the lines today, will you toe the line tomorrow? Danny Bradbury explores whether those on the cyber ‘dark side’ can turn to the light.

When Rob Schifreen gives the elevator pitch for his business, he knows that one of two things will happen. He will either be told that he shouldn’t have mentioned that time when he hacked Prince Philip’s email inbox, or that he should have mentioned it more.

Schifreen runs a cybersecurity training service called SecuritySmart. He always uses his history to make the point that if anyone can teach employees about security, it’s him. The mixed response he gets highlights a common dilemma: is it smart to hire a reformed hacker, or not?

You can’t technically call Schifreen a black hat. In 1985, when he gained system manager privileges on BT’s Prestel system and read the Duke of Edinburgh’s email, there wasn’t a hacking law to break. He was a journalist at the time, and hacked the system with Steve Gold, who later went on to become Infosecurity Magazine’s technical editor and died in 2015. 

Prestel called the police. The courts fined the pair under the Forgery Act but an appeals court overturned the sentence. Prosecutors took it to the House of Lords, which decided that they had used the Forgery Act inappropriately. So legislators made a new one: the 1990 Computer Misuse Act. 

It isn’t every day that your government makes a shiny new law dedicated to you, but all Schifreen wanted to do was to point out holes in the firm’s system. 

“I suppose there was the hope of being offered a job,” he adds. He’d heard of young hackers getting recognition and employment in the US, and wanted the same. “It never seemed to happen over here, though. It was very much a US thing.”

Ian Glover, president of the Council of Registered Ethical Security Testers (CREST), agrees. “[In the US] We have had people who have been dabbling on the dark side who have then got good jobs in large corporations,” he explains. “I don’t see that in the UK marketplace as much, and I definitely don’t see it in large financial institutions. I fundamentally don’t see it in government.”

Canadian Michael Calce, who did time for several DDoS attacks when operating as ‘Mafiaboy’ in 2000, certainly didn’t walk from his eight-month stint in a youth detention center into any high-end banking security jobs. He lay low for a while after his release. There was a book, and some press interviews, but he mostly just did freelance work and penetration testing in collaboration with a cybersecurity consultant who mentored him.

Notoriety is a mixed blessing, as it turns out. “It put me on the map and that was good for marketing, but then I had to show my work and earn respect and credibility in this industry,” Calce says. “Banks and financial institutions are very worried about who performs these audits for them.”

He had to start modestly, with smaller companies, working his way up. More recently, he has launched his own security consulting business, and partnered with HP on a 20-minute movie about cybersecurity dangers.

Turning Over a New Leaf
Still, the cybersecurity world has some good examples of hackers who operated outside the law, were caught, and then went legitimate with their skills. Kevin Mitnick, who began hacking in the late 70s and finally served five years in prison, later started his own security consulting firm and security awareness training business. Kevin Poulsen, jailed for hacking into federal systems, is now senior editor at WIRED. 

Other reformed black hats believe that hackers have a lot to offer legitimate employers. Mustafa Al-Bassam, arrested at 16 as a member of the Lulzsec hacking group, is now a security advisor at Secure Trading, and speaks regularly at security conferences.

“People with a hacking background have a mindset to think outside the box and find vulnerabilities in ways that wouldn’t necessarily be taught by doing certifications like CISSP or CEH or whatnot,” he says.

Not all young hackers have purely intellectual motives. Many of them follow financial or social rewards that can lead them down an increasingly dark path, warns Glover.

Along with the UK National Crime Agency’s National Cyber Crime Unit, CREST conducted a workshop with several young hackers and produced a report analyzing black hat career arcs.

“The route we’re seeing most is that people are being gradually groomed into it”, Glover says.

Going Underground
Youngsters, especially those hacking and modifying videogames, begin participating in underground forums. Recruiters for organized crime groups spot and nurture them, encouraging them to cut their social ties by offering them appealing alternatives.

These recruiters gradually give them more egregious criminal tasks until they eventually become serious cyber-criminals, developing malware for organized criminals.

The key to ‘turning’ black hats isn’t to pick them up after they’ve been caught red-handed. Instead, catch them earlier along that path, argues Glover. The CREST report recommends that law enforcement “identify, intervene and inspire” young tech enthusiasts, turning them away from the dark side before they get sucked into something they can’t escape from.

What does that look like? Simple authoritarian finger-wagging won’t do the trick. “It’s not about trying to prevent them from doing things. It’s about trying to deal with that kind of behavior”, says Al-Bassam. 

Channeling young tech skills into challenging, rewarding pursuits is a good start. Al-Bassam suggests finding young hackers who are flirting with illegal behavior and sending them to cybersecurity training camps as one idea.

“There are schemes where we catch these people young and divert them,” says Schifreen. An example is last year’s AcornHack2016 in the UK. In the US, The National Collegiate Cyber Defense Competition (CCDC) and the US Air Force’s CyberPatriot youth cyber education program are two good examples. Online tools and challenges like HackTheBox are fantastic places for young hackers to safely apply their skills. Schifreen himself mentored children in a cybersecurity summer camp while working at Brighton University.

It’s Good to Talk
Engaging young tech enthusiasts begins with a mixture of good parental and educator role models, points out the CREST report. There’s another part of that puzzle that can help people switch paths early on, though: communication and the exchange of ideas.

Unfortunately, when it comes to communication, hacking culture is moving in the wrong direction, warns Dug Song. The co-founder of Duo Security laments an earlier time when the white hat side of the industry was less inclined to blame, shame and name those that intrude first and ask questions later.

Song finds his talent in strange places, including the local Starbucks. He met Jon Oberheide, his co-founder at Duo, while working at Arbor Networks. Song noticed the 17-year-old wirelessly hacking an Arbor honeypot from the local WLAN – and getting way further into the network than most people. Song ran down to the Starbucks underneath Arbor’s office to find him, and instead of reporting him, he hired him.

Song’s non-judgmental ethos comes in part from his membership of the delightfully-named W00w00. It was a loosely-coupled online group of hackers that operated in the late 90s and numbered several company founders among its members, including Napster’s Shawn Fanning and WhatsApp’s Jan Koum.

The W00w00 community invited people to join based on their technical knowledge. It was low on judgement and high on intellect, recalls Song. Consequently, it included hackers with different motivations. That was a valuable blend he sorely misses.

“It’s harder to find that Switzerland of security where you had attackers, defenders, white and black hats comfortable collaborating,” he says. “That’s the only way that you make progress. This need to take sides has resulted in missed opportunities to find transitions between them.”

Instead of a collegial atmosphere in which all sides exchange information, he now sees a polarization in the cybersecurity community. “The only culture that existed in cybersecurity was hacker culture,” he says, but adds that this has changed. “The black hats have been driven underground. The white hats are on Twitter but nowhere else. The communication design of our community has now gone away.”

Shades of Grey?
What happens when you blend a bit of black and a bit of white? In the old days, the community was more inclined to allow for the many shades of grey hat activity in the middle; the community that happily poked around systems finding flaws to tell people about them, and perhaps leaving the odd humorous message on a server somewhere.

Instead, we’ve somehow stumbled into a cyber-version of the red and blue state, in which opinions and practices have settled at either end of a spectrum and there is no opportunity for a healthy exchange of ideas in the middle. “The way I look at that is the same as what happened politically”, Song says. There’s not much middle ground anymore.

This may be due in large part to a whole new structure that has changed the black hat community. As organized crime takes on a more significant role, the motives are becoming more financial and the power structures more predatory. That raises the stakes and creates a more urgent need to redirect energy early in the game.

What might a more collegial, inclusive interface between hackers of all creeds look like? Online, it might look like W00w00, or any of the myriad BBS systems that existed back in the day. In person, it might look like the cordial relationship between Schifreen and John Austen, the detective inspector who collared him. 

The pair even ended up speaking at conferences together, Schifreen concludes proudly. “He told my parents at the trial that I was the nicest hacker he’d ever arrested.” 