“We can no longer just talk about cyber security, but we need to take action and prevent actual cyber wars that can affect both companies and governments.” Inti The Ceukelaire, the Belgian ethical hacker who published a piece on how he gained access to companies through their helpdesk, explains why organizations can no longer afford not to cooperate with ethical hackers.
If you’ve just followed it from the sideline: unlike malicious hackers – often called blackhat hackers – ethical hackers (or simply whitehat hackers) tracks leaks by testing systems against potential violations. De Ceukelaire is one of them, and has already found leaks within some of the largest tech companies, among which are Facebook, Yahoo, Google and recently business communications app Slack. Noteworthy is that, with this very last one, the leak is not located within the software itself, but in integration with other software. De Ceukelaire managed to access the Slack channel of some big players like Vimeo. The twenty-something hacker has immediately started to inform the affected companies, one by one. Sometimes, De Ceukelaire gets paid for this even though he claims to ‘just want to make an impact’. Although that doesn’t seem to be easy as beans. “One of the software parties that integrates Slack took 2 weeks to respond to my email”, he says. “That’s just unacceptable, as they don’t even seem to care it’s their users suffering from it.”
But the real challenge remains to settle down ethical hacking as ‘the new normal’. In order for that to happen, De Ceukelaire believes we need to iron out a few misunderstandings. “As long as you continue to believe that your business is completely protected from any kind of hack you’re in trouble,” he says. “There is no such thing as ‘safe code’ – even my own codes aren’t error-prone. The craziest blackhat hackers out there will always find new ways to get in. It’s like fighting a losing battle, but every hit that can be avoided counts.”
This is exactly why privacy is a mindset rather than a matter of safe passwords. This also entails that, as a company, you need to be fully ready or technologically prepared to take ethical hackers on board. Or how De Ceukelaire states: “I often see start-ups enthusiastically jump on the bandwagon and taking the backfire afterwards. Often times, their technology is just not ready for sudden spikes in network traffic that ethical hackers cause. I’d recommend those companies to not have their entire website reviewed at once, but a certain scope to start with. One by one. Because when the website is all of a sudden down, shit hits the fan for both the company and the hackers – resulting in a wrong image for ethical hackers. And that’s some bad PR-talk. If you’re still in doubt about taking on an ethical hacker, think of it like this: only if you believe to have everything under control and 100% safe and protected, it’s time to work with an ethical hacker. We’re not talking about an ordinary security method, but it’s more like an additional protection layer. And please: start tackling/tightening your password policy first. Companies often forget that one.”
De Ceukelaire is one of the first on Belgian soil to sound the alarm for legal frameworks. “Hacking is a bit like rape – it’s not a complaint offense. But it is not because the victim doesn’t complain that it is not punishable. The Netherlands has already given that framework, while in the United States, it is less common. Here in Belgium new steps are being undertaken, and that makes me optimistic. The legislative proposal is ready to sign. ”
In the future, the Ceukelaire expects a more positive image of ethical hacking. He even expects more blackhat hackers to switch to “the good side”. But let’s not be naive here: there will always be malicious parties who are more than happy to send out stuff like the WannaCry ransomware. And not only do those affect the business landscape, the average citizen is also an indirect victim. “Well, if NSA had played it legitimately, instead of keeping the leak for their own purposes – we wouldn’t have a problem”, De Ceukelaire puts into perspective. “And those elections: it’s not the case that the counts were wrong. Hacks with bad intentions can affect opinions. But let’s get real: advertising does exactly the same. “