'Ethical' hacker tries to stay a step ahead of the bad guys
The internet is a tough neighborhood and Nikolas Behar is a hacker. He’s among the many who show up every year at DEFCON in Las Vegas, the hacker convention. But Niko, as everyone calls him, insists he’s on the right side of the firewall.
He considers himself an ethical hacker, and he works for groups that need protection from criminal hackers trying to break into their vaults of valued passwords and data.
“A lot of people, when they think about hackers, they think about people in hoodies,” Behar said. “But there’s a movement in the industry that’s trying to change that narrative and show that hackers aren’t necessarily bad.”
As an ethical hacker, Behar has to think like a criminal. When he works for a client, he tries to break into their system to spot vulnerabilities. In one example, he was able to hack into the system of a hospital client.
“So what I was able to do was park across the street in my rental car with a special antenna. And I was able to connect to their Wi-Fi and communicate with a heart monitor on their network from across the street,” he said. “All because they didn’t configure their Wi-Fi correctly and it was leaking outside the building.”
Another time, when he was working for a hedge fund, he got into their building after hours and jumped over a cubicle wall to find two unlocked computers.
“So we demonstrated that we would have been able to make a $5 million trade without anybody really noticing because there’s a cubicle that’s supposed to be secure and the wall of the cubicle doesn’t go all the way to the ceiling. And the stuff in the cubicle is not locked or encrypted.”
So, who exactly are the unethical hackers? Sometimes, they work for national governments that want to pose a security threat to the U.S. Sometimes, they’re just looking for money, and that’s why they target people like us and your personal information.
“First name. Last name. Social security. Date of birth. And then you take all that data and you can sell in bulk to the highest bidder,” said Christian Dehoyos, a cybersecurity architect who leads San Diego’s chapter of the group the Open Worldwide Application Security Project (OWASP), which hosts cybersecurity trainings.
Whatever a hacker's motivation, there are a lot of them. Dehoyos cites a study that shows that on a global scale, we’re four million people short of having enough qualified cybersecurity professionals. That’s despite the fact that the workforce is growing by 10% every year.
“The takeaway is that the defense side is not growing at the pace that the offensive side’s capabilities are growing,” Dehoyos said.
Passing it to a younger generation
In a classroom at the University of San Diego, Niko Behar lectures to students in a class on cybersecurity, presenting a series of steps to contain and eradicate a cyberattack.
Students here tell their own stories of being hacked, sometimes seeing unknown charges placed on their credit cards. Maya Morales, a master’s student in cybersecurity engineering, said she had to counsel her grandmother after her online accounts were hacked.
“So I’m like, 'okay, here’s what happened,'” Morales said, laughing at the memory. “You clicked on something. You answered a call. You put in your bank information. You put in your password on a fake website that you thought was your bank or you thought maybe was Facebook.”
Ironically, I was a victim of a cyberattack while working on this story.
I was using my laptop when a window with a Microsoft logo appeared, locked my computer and repeatedly ran an audio file saying, “The computer lock is meant to stop illegal activity. Please call our support immediately. Important security message.”
They claimed to be a Microsoft support team, but it was a scam, fishing for personal or workplace data. Thankfully, the KPBS IT department examined my device, and I was able to return to work.
Behar said many of the things that underpin our society are run on computer systems that are “archaic, arcane and are still online,” adding that they are quite vulnerable to cyberattacks.
“So airport. Train station. Factory. At any one of the big industries you’re going to have old systems that are running the show,” he said.
Behar added that if you want to be good at stopping hackers, it helps if you’re into it: the kind of person who wants to get together with your buddies and talk about the latest hacks, and have the date of the upcoming DEFCON conference on your calendar.
And if you are like that, cybersecurity almost certainly has got a job waiting for you.