BBC Russian

White and black hats, crackers, carders, and script kiddies – if you don’t know any of these words, this is the article for you. Together with Nikolay Panchenko, a lead expert at T-Bank’s (formerly Tinkoff) infrastructure security department, we’re looking into the core concepts of hacking: why hackers are more than just hooded figures from movies, why they need “hats,” and how to make money legally as a hacker. The article is based on a talk recently given at Positive Hack Days Fest 2.

What are hackers?

The word “hacker” appeared long before the first computer: it takes its roots from the English verb “to hack,” as in, “to cut.” Historically, hackers were lumberjacks or carpenters who could, for instance, chop down a tree in one swing. However, in the 1960s, the word acquired a new meaning – it began to be used for people who worked with computer architecture, which was then a highly complex science. Two decades later, the word came to mean what it means today.

In today’s world, hackers are nearly never the criminals who steal data from banks and major companies, as they are usually portrayed in movies; these are, in fact, experts with impeccable knowledge and out-of-the-box thinking who can identify flaws in systems and take action to achieve their goals.

Positive Hack Days Fest 2. Credit: vk.com/bit.itmo

Hacker ethic

Like other specialists, hackers have their own code of beliefs. For one, there is the Hacker Manifesto, written in 1986 by Loyd Blankenship aka The Mentor. The manifesto was written after his arrest by the FBI. Loyd Blankenship faced multiple criminal charges; he pled guilty – but stressed that his only crime was that of curiosity. The manifesto asserts that hacking shouldn’t harm people nor serve selfish desires; its main goal – to expand one’s horizons.

Another text is Hackers: Heroes of the Computer Revolution by the American journalist and writer Steven Levy. In short, its tenets are:

access to computers should be unlimited and total;
all information should be free;
mistrust authority – promote decentralization (information should be exchanged freely across all continents);
hackers should be judged by their hacking, not bogus criteria such as degrees, age, race, or position;
one can create art and beauty on a computer;
computers can change your life for the better.

Types of hackers

The hat symbology came to IT from 1920s Western movies, in which protagonists often wore white hats, and antagonists – black hats; this division was needed to make up for poor image and sound quality.

The only difference is that the hacker community grew to have not two “hats” but an entire collection that includes:

White hats, aka ethical hackers, observe the hackers’ code. These are most commonly cybersecurity specialists whose job involves managing information systems, finding vulnerabilities, and preventing cyberattacks. Ethical hackers are required to take the Certified Ethical Hacker (CEH) exams.

Black hats break into information systems for their own personal gain. Their activities are illegal and aren’t approved by white hats.

Gray hats are somewhere in the middle; they adhere to the code and laws, but can violate them if needed. For instance, they can sell data on the black market if they don’t get paid enough.

Red hats, state-sponsored hackers, or vigilantes ensure their country’s information security by tackling cyberterrorists, black hats, and other criminals.

There are also some other groups of hackers:

Script kiddies are cybersecurity experts who hack computer systems for fun and self-assertion. They are rather chatty about their activities, unlike experienced hackers.

Crackers hack web services for the sake of it.

Carders work solely in the banking sector; they collect data about cards, withdraw money from accounts, conduct transactions through several servers, and collect money from offshore accounts.

Cyberterrorists are the most dangerous type of hackers: these are the ones who hack power plants and traffic systems or steal critical databases.

How-to for ethical hacking

Cyberattacks can be unauthorized (if done by cyberterrorists) but also authorized (by ethical hackers). The latter is also called penetration testing.

A penetration test is a set of events that launches a mock cyberattack on a network or app to investigate whether a potential attacker may break through its defense and get into the system. For this purpose, testers try to, for instance, gain control of stored data or shut down the system (a denial-of-service attack). They search for and analyze flaws that can disrupt the system and give hackers access to confidential data. In this case, they act like real hackers.

All attackers follow a series of similar steps:

reconnaissance (incl. OSINT techniques);
scanning (collection of additional data and their analysis);
gaining access;
mantaining access;
clearning tracks (also performed by pentesters as they need to know whether an attacker can leave unnoticed).

The procedures can be repeated; hackers can employ varied methods to attack and collect information about the system.

Essential hacking terms

At the core of any cyberattack is a violator model. This is a list of the initial rights and access points of a potential attacker – be it a black hat or a cyberterrorist – that serves as a starting point for cyberattacks.

A threat is an adverse effect (e.g., a data leak followed by financial or reputational losses for the company) that attackers aim to achieve immediately or after their attack.

Threads are caused by attacks, which are a sequence of actions aimed at using system vulnerabilities to achieve a goal and a set of ways to bypass security.

A payload is generated based on collected data. One example is software code that exploits a flaw to hack into a system.

The most common types of cyberattacks are malware, phishing (incl. fake newsletters that allow hackers access to administration systems), insider threats (employees selling confidential data), and attacks on software or hardware that shut down devices or particular apps.

How to practice ethical hacking legally

Come up with and solve your own tasks. Creating tasks on your own is more difficult than working with ready-made materials; it also boosts your skills more efficiently.

Solve ready-made tasks. You can find them on open platforms such as Hack The Box, PortSwigger, Blue Team Labs, and CyberDefenders.

Participate in CTF competitions and case championships. Such events are often hosted by IT companies and universities. To stay up to date, check the websites and social media pages of relevant organizations and universities. More information about CTF contests can be found here.

Capture bug bounties. Major companies often pay hackers a bounty for finding bugs in their software. Do note that this should be a pre-agreed deal, otherwise it turns into extortion and therefore gray hacking.

Run penetration tests. You can either find a job as a tester at a company or run tests as a freelancer. You should, however, be careful about making sure that each assignment is definitely legal.

Nikolay Panchenko. Credit: vk.com/bit.itmo

The talk was given as part of Positive Hack Days Fest 2. The event brought together experts from Avito, T-Bank (formerly Tinkoff), MTS, and many other companies who spoke about how to start a career in information security and find your niche, as well as where to look for internships and jobs. The festival was co-organized by ITMO’s Faculty of Secure Information Technologies.

Hack Me If You Can: Computer Hackers and Why They Need Hats

Contents

What are hackers?

Hacker ethic

Types of hackers

How-to for ethical hacking

Essential hacking terms

How to practice ethical hacking legally

Ksenya Desyatkova

Marina Belyaeva

Related news

What Is a Threat Researcher and How To Become One

ITMO University and Positive Technologies To Train All-Round Cybersecurity Experts

ITMO University Scientists Propose Methods of Detecting DoS Attacks on IoT Networks