Hacking hero

Keren Elazari believes viewing all hackers as bad guys is doing society a disservice.

By Lesley Stones
Johannesburg, 02 Mar 2015
Sitting ducks - Cyber security researcher Keren Elazari urges companies to talk to hackers and find out how they can help.

The past few months have seen malicious hackers triumph over governments and humiliate and plunder large corporations with regularity and daunting success.

Among the victims were Sony Pictures, Citibank and the retail giant Target, which leached 40 million credit card numbers in the biggest retail hack in US history.

The intellectual challenge of such attacks, and the lucrative rewards, make it easy to understand why hacking is a flourishing business. What's harder to understand, perhaps, is why some people with the ability to breach computer systems and flood out a deluge of valuable information prefer to use their skills for good.

It's the hero factor, you realise after listening to Israeli cyber security researcher Keren Elazari. Far from condemning hackers, Elazari urges companies and governments to work with them and use their inside information to better protect their own data and IT infrastructures.

Elazari has wonderful examples of hackers who tried to highlight vulnerabilities and were shunned by the companies they offered to help - leading to disastrous consequences. Like Khalil Shreateh, a spurned hacker who posted a message directly onto Facebook founder Mark Zuckerberg's wall after Facebook ignored his efforts to highlight a vulnerability.

Creating conversation

It's Elazari's aim to get corporations, governments and hackers communicating and collaborating more freely, so flaws can be repaired rather than exploited. Creating a conversation between those vastly different communities is challenging but necessary, she believes.

"One special challenge is in securing technologies we all rely on, and to do that, there has to be a continuous dialogue between them," she says. "The internet is part of our lives and the people who can manipulate it have a lot of power and can use it for all kinds of causes, but the ones who do it for good have a lasting impact on the world and not just on their own bank account."

Elazari is an analyst for Gigaom Research and consults for leading security firms, Fortune 500 companies and governments. She is also a researcher at Tel Aviv University, focusing on Bug Bounty Programmes. Many companies, particularly software and IT companies, have a vulnerability reward programme to reward people who point out flaws. The reward may be cash, but it's often some form of recognition, appealing to the quest for glory that motivates some hackers more than money. Her research should hone these programmes to make them safer for companies, and attractive enough for hackers to expose rather than exploit any flaws they find.

Combined wisdom

"I think it's a win-win. Researchers have the incentive and motivation to tell the companies what they've found. For the companies, it's a fantastic opportunity to tap into the combined wisdom and technology of hundreds or thousands of hackers, in a much more cost-effective and safe way than opening up their networks or actually employing hackers, which is not always possible or safe."

ITWeb Security Summit 2015

Keren Elazari will be speaking at the ITWeb Security Summit 2015. Now in its 10th year, the summit is southern Africa's premier information security event for IT and business professionals. It will be held at Vodacom World in Midrand, Gauteng, from 26 to 28 May. For more information, go to www.securitysummit.co.za. Join the conversation on Twitter #itwebsec.

Elazari was drawn to the good side after being captivated by the 1995 movie Hackers. It stars Angelina Jolie, who plays a hacker who is also a hero. "They were the ones exposing corruption and moving technology ahead and it very much resonated and gave me a direction to follow," Elazari says. "I started attending hacker conferences and saw a community of very creative, innovative people who can use their powers and capabilities for good or bad. I guess I want to be a hero."

She has certainly made it pay, with global speaking engagements, heaps of respect and no doubt a decent income that is legitimate, not illegal.

Viewing all hackers as bad guys is doing society a disservice by ostracising those who do important work by exposing government corruption or pointing out vulnerabilities in the technologies we rely on. Hackers were key players in the Egyptian revolution, with the group Telecomix providing citizens with dial-up access to the internet after the government shut down all Egyptian ISPs.

Snooping prowess

At one stage, our interview via Skype is interrupted by a helicopter flying over Tel Aviv University. That reminds me to ask Elazari whether she still works for the Israeli government, which is globally and often grudgingly acknowledged for its significant snooping prowess.

A moment later, my electric fence alarm triggers, and I have to explain why a security company is phoning to check if I need some armed guards sending. Elazari tells me she hasn't heard of South Africa's security and crime issues. We both live in countries where the locals just get on with life in circumstances that foreigners may find unthinkable, she says.

With my alarm silenced, we return to Elazari's role with the government. "I served in the Israeli military as all Israeli women do and I'm a captain in the Reserve Service. I helped my country. I served for quite some time as a security officer looking at cyber defensive issues and strategies. It's important to make it clear I have always been only on the defensive side for the government."

She urges companies to talk to hackers and find out how they can help. It's a topic she addressed at DefCon, the world's largest conference for hackers, and a theme she has presented to some of Europe's largest internet service providers and Japan's most powerful corporations.

Optimistic approach

"There are several major problems in cyber security and for each of those problems, there are particular things that hackers and security professionals can do right now to start mitigating," she says. "A lot of it is about working with hackers and the research community and collaborating and sharing to help organisations deal with the growing threat of cyber attacks. Those are some of the strategies I suggest."

Last year was a dramatic and traumatic period for cyber security, with major organisations hit on a scale never seen before, huge companies brought down and new malware and botnets unleashed. Vulnerabilities were also exposed in some core technologies that people have relied on for a decade or more, she says.

"Such events could lead to despair or weaken the resolve of security professionals, but I suggest the optimistic approach of saying we can learn and adapt so that we can all be more resilient in future. No company is too big or too sophisticated to be hit by motivated attackers."

Elazari believes the reasons why 2014 was so bad are manifold. One is that the economic incentives for cyber criminals have grown, allowing them to make more money more easily than by any other scam. Another is that hackers and their technologies have become more adroit. Yet their old techniques still work because known flaws haven't been fixed, and they've devised new business models for online fraud.

"The bottom line is that there are still a lot of incentives for the bad guys, whether they're spies or foreign countries or criminals that want to make a quick buck. The incentives are there and they're growing, so that should be a key motivation for the security industry and technology companies to address it more seriously," she says.

This article was first published in the March 2015 issue of ITWeb Brainstorm magazine.
