Hackers all have different intentions. Some work to make computer networks more secure, while others develop malware and exploit software vulnerabilities.
Of the latter group, there is a special subclass of criminals: those who make the FBI’s Cyber’s Most Wanted list. These individuals give a whole new meaning to black-hat hacking. The nature of their crimes is such that all U.S. law enforcement agencies have mobilized against them under a shared commitment to bring these bad actors to justice.
Famous white-hat hackers include the likes of Apple’s Steve Wozniak and Jeff Moss, founder of the Defcon and Black Hat conferences.
Well before the hacks that put him in the public eye, he was famous in hacker circles working under the moniker M4G, who was a regular in hacker communities and even ran a semi-popular blog on hacking, albeit one that didn't detail his more illicit activities. According to Bugcrowd, the average yearly payout of the top 50 white hat hackers in 2018 was $145,000. White hat hackers tend to be young, digital natives who consider screens as essential as food and water. So, we turned to two of the best-known teen white hat hackers to learn more about their work. Tsutomu Shimomura is a white-hat hacker credited with capturing Kevin Mitnick. In 1994, Mitnick stole some of Shimomura's personal files and distributed them online.
For the next few weeks, we will be counting down 10 of the most wanted black-hat hackers by the FBI. This week, we begin with number 10.
Behzad Mesri
In May 2017, Iran-based black-hat hacker Behzad Mesri began conducting reconnaissance of the networks and employees at Home Box Office (HBO), a premium cable and satellite television network. He spent the next two months compromising employees’ accounts so that he could access corporate servers and exfiltrate sensitive data. Some of the information he stole included footage from upcoming episodes of popular HBO shows like “Curb Your Enthusiasm.”
Three weeks before OurMine hacked the network’s Facebook and Twitter accounts, Mesri sent an email to multiple HBO executives and employees claiming he had stolen 1.5 terabytes of HBO’s data. A follow-up email alleged that he had lifted full scripts and cast lists for “Game of Thrones” as well as “precious data” for unaired shows.
Mesri, who previously worked for the Iranian military, issued his ultimatum to HBO on 23 July 2017: pay $5.5 million in Bitcoin or suffer the public release of its stolen data. The member of the Turk Black Hat hacking group upped his demands to $6 million three days later.
After HBO refused to meet the ransom, Mesri publicly released some of the stolen data beginning on 30 July 2017 and throughout August. He helped promote the data dumps by creating a Twitter profile that announced the leaks and by sending emails to the media about the disclosures, according to a statement published by the Department of Justice.
It didn’t take long for law enforcement to catch wind of what Mesri was doing. That interest led to an investigation that culminated in a grand jury indictment of the black-hat hacker on 8 November 2017. Filed in the United States District Court, Southern District of New York, the court documents charged Mesri with one count of wire fraud, a crime which carries a maximum sentence of 20 years in prison; one count of computer hacking, which carries a maximum sentence of five years in prison; three counts of attempting to undermine information’s confidentiality, each of which carries a maximum prison stay of five years; and one count each of aggravated identity theft and the interstate transmission of extortion-based threats, crimes which both carry a maximum sentence of two years in prison.
It was at that time that law enforcement filed a federal arrest warrant against Mesri.
There has been no news of Mesri since the U.S. District Court filed the indictment against him. In all likelihood, he’s holed up in his native country. Unfortunately, the lack of an American-Iranian extradition treaty means Mesri will likely never stand trial in the United States if he’s located and unmasked in Iran.
But it’s not impossible. For more information on Mesri and how you can help bring him to justice, check out the FBI’s poster on this computer criminal.
Red Hat Vs Black Hat
The term 'white hat' in Internet slang refers to an ethical computer hacker, or a computer security expert, who specializes in penetration testing and in other testing methodologies that ensure the security of an organization's information systems.[1] Ethical hacking is a term meant to imply a broader category than just penetration testing.[2][3] Contrasted with black hat, a malicious hacker, the name comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat respectively.[4] While a white hat hacker hacks under good intentions with permission, and a black hat hacker, most often unauthorized, has malicious intent, there is a third kind known as a grey hat hacker who hacks with good intentions but at times without permission.[Symantec Group 1]
White hat hackers may also work in teams called 'sneakers and/or hacker clubs',[5] red teams, or tiger teams.[6]
History
One of the first instances of an ethical hack being used was a 'security evaluation' conducted by the United States Air Force, in which the Multics operating system was tested for 'potential use as a two-level (secret/top secret) system.' The evaluation determined that while Multics was 'significantly better than other conventional systems,' it also had '... vulnerabilities in hardware security, software security and procedural security' that could be uncovered with 'a relatively low level of effort.'[7] The authors performed their tests under a guideline of realism, so their results would accurately represent the kinds of access an intruder could potentially achieve. They performed tests involving simple information-gathering exercises, as well as outright attacks upon the system that might damage its integrity; both results were of interest to the target audience. There are several other now unclassified reports describing ethical hacking activities within the US military.
By 1981 The New York Times described white hat activities as part of a 'mischievous but perversely positive "hacker" tradition'. When a National CSS employee revealed the existence of his password cracker, which he had used on customer accounts, the company chastised him not for writing the software but for not disclosing it sooner. The letter of reprimand stated 'The Company realizes the benefit to NCSS and in fact encourages the efforts of employees to identify security weaknesses to the VP, the directory, and other sensitive software in files'.[8]
The idea to bring this tactic of ethical hacking to assess security of systems was formulated by Dan Farmer and Wietse Venema. With the goal of raising the overall level of security on the Internet and intranets, they proceeded to describe how they were able to gather enough information about their targets to have been able to compromise security if they had chosen to do so. They provided several specific examples of how this information could be gathered and exploited to gain control of the target, and how such an attack could be prevented. They gathered up all the tools they had used during their work, packaged them in a single, easy-to-use application, and gave it away to anyone who chose to download it. Their program, called Security Administrator Tool for Analyzing Networks, or SATAN, was met with a great amount of media attention around the world in 1992.[6]
Tactics
While penetration testing concentrates on attacking software and computer systems from the start – scanning ports, examining known defects in protocols and applications running on the system and patch installations, for example – ethical hacking may include other things. A full-blown ethical hack might include emailing staff to ask for password details, rummaging through executives' dustbins and usually breaking and entering, without the knowledge and consent of the targets. Only the owners, CEOs and Board Members (stakeholders) who asked for such a security review of this magnitude are aware. To try to replicate some of the destructive techniques a real attack might employ, ethical hackers may arrange for cloned test systems, or organize a hack late at night while systems are less critical.[3] In most recent cases these hacks perpetuate for the long-term con (days, if not weeks, of long-term human infiltration into an organization). Some examples include leaving USB/flash key drives with hidden auto-start software in a public area as if someone lost the small drive and an unsuspecting employee found it and took it.
Some other methods of carrying out these include:
- Social engineering tactics
- Security scanners such as:
- Frameworks such as:
- Training Platforms
These methods identify and exploit known security vulnerabilities and attempt to evade security to gain entry into secured areas. They are able to do this by hiding software and system 'back-doors' that can be used as a link to information or access that a non-ethical hacker, also known as 'black-hat' or 'grey-hat', may want to reach.
Legality in the UK
Struan Robertson, legal director at Pinsent Masons LLP, and editor of OUT-LAW.com, says 'Broadly speaking, if the access to a system is authorized, the hacking is ethical and legal. If it isn't, there's an offence under the Computer Misuse Act. The unauthorized access offence covers everything from guessing the password, to accessing someone's webmail account, to cracking the security of a bank. The maximum penalty for unauthorized access to a computer is two years in prison and a fine. There are higher penalties – up to 10 years in prison – when the hacker also modifies data'. Unauthorized access even to expose vulnerabilities for the benefit of many is not legal, says Robertson. 'There's no defense in our hacking laws that your behavior is for the greater good. Even if it's what you believe.'[3]
Employment
The United States National Security Agency offers certifications such as the CNSS 4011. Such a certification covers orderly, ethical hacking techniques and team-management. Aggressor teams are called 'red' teams. Defender teams are called 'blue' teams.[5] When the agency recruited at DEF CON in 2012, it promised applicants that 'If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired'.[9]
A good “White Hat” is a competitive, skilled employee for an enterprise, since they can act as a countermeasure by finding bugs to protect the enterprise network environment. A good “White Hat” can therefore bring unexpected benefits in reducing risk across systems, applications, and endpoints for an enterprise.[10]
Notes
- ^ 'What is the difference between black, white, and grey hackers'. Norton.com. Norton Security. Retrieved 2 October 2018.
References
- ^ 'What is white hat? - a definition from Whatis.com'. Searchsecurity.techtarget.com. Retrieved 2012-06-06.
- ^ Ward, Mark (14 September 1996). 'Sabotage in cyberspace'. New Scientist. 151 (2047).
- ^ a b c Knight, William (16 October 2009). 'License to Hack'. InfoSecurity. 6 (6): 38–41. doi:10.1016/s1742-6847(09)70019-9.
- ^ Wilhelm, Thomas; Andress, Jason (2010). Ninja Hacking: Unconventional Penetration Testing Tactics and Techniques. Elsevier. pp. 26–7. ISBN 9781597495899.
- ^ a b 'What is a White Hat?'. Secpoint.com. 2012-03-20. Retrieved 2012-06-06.
- ^ a b Palmer, C.C. (2001). 'Ethical Hacking' (PDF). IBM Systems Journal. 40 (3): 769. doi:10.1147/sj.403.0769.
- ^ Paul A. Karger, Roger R. Scherr (June 1974). MULTICS SECURITY EVALUATION: VULNERABILITY ANALYSIS (PDF) (Report). Retrieved 12 Nov 2017.
- ^ McLellan, Vin (1981-07-26). 'Case of the Purloined Password'. The New York Times. Retrieved 11 August 2015.
- ^ 'Attention DEF CON® 20 attendees'. National Security Agency. 2012. Archived from the original on 2012-07-30.
- ^ Caldwell, Tracey (2011). 'Ethical hackers: putting on the white hat'. Network Security. 2011 (7): 10–13. doi:10.1016/s1353-4858(11)70075-7. ISSN 1353-4858.