

Feb 22nd 2014 | SAN FRANCISCO | From the print edition


Cyber-security: White hats to the rescue

Law-abiding hackers are helping businesses to fight off the bad guys

ANDREW WHITAKER has made a career out of breaking into things. A “white hat” hacker in techie jargon, Mr Whitaker leads a team of security specialists at Knowledge Consulting Group who spend their days trying to worm their way into clients’ computer systems to see how vulnerable they are to cyber-criminals, spies and other nefarious “black hats”. The team’s record is both impressive and alarming. Some of the firm’s clients are utilities, and Mr Whitaker and his colleagues often target software that controls critical infrastructure, such as water and power supplies. “We’re getting in pretty much every single time,” he says.

Crooks and spooks are still finding plenty of chinks in digital armour too. On February 15th Kickstarter, a crowdfunding site that lets users send cash to entrepreneurs promoting novel projects, said hackers had stolen usernames, encrypted passwords and e-mail addresses from it. A few days later a security researcher claimed to have found evidence that Snecma, a French aerospace firm, had been attacked by hackers, though it is not clear if they got into its systems. Kaspersky Lab, a security firm, recently said it had discovered a global spying operation, dubbed “The Mask”, which had been running since 2007 and which targeted everything from governments to activists and energy companies.

The effects of a hacking attack can be devastating for a company’s reputation and its bottom line, as Target is discovering to its cost. At the end of last year the giant American retailer was hit by hackers who swiped the details of credit and debit cards held by 40m of its customers by placing malicious software on thousands of the registers in its stores. In total, intruders gained access to 70m records that contained partial names and e-mail and postal addresses of customers.


Cyber-security: White hats to the rescue | The Economist http://www.economist.com/news/business/21596984-law-abiding-hackers-are-he...

1 of 4 26/02/2014 08:59


Target’s catastrophic breach may come to be seen as the digital equivalent of BP’s disastrous Deepwater Horizon oil spill. The retailer faces a whopping bill for cleaning up the mess the massive data leak has caused. Jefferies, an investment bank, estimates that it may have to pay up to $1.1 billion to the payment-card industry because of the breach. Target is also spending a fortune on such things as free identity-theft insurance for customers.

As more business shifts online, hackers have plenty of targets to aim at. Last year a report published by an arm of Symantec, a security firm, estimated that cybercrime costs the world $113 billion a year; it put the number of victims at 378m. The Ponemon Institute, another research outfit, reckons that in 2012 malicious attacks cost American companies $277 for each customer’s or user’s account put at risk, a lot more than the cost of leaks caused by technical glitches or mistakes by employees. Other countries are not far behind (see chart).

Since Edward Snowden’s leaks about the NSA’s activities, much ink has been spilled about the threat to cyber-security from rogue employees. Yet most breaches are still caused by outsiders. And businesses are struggling to match the wiles of the unknown intruders trying to pinch their data. Hikmet Ersek, the boss of Western Union, said financial-services firms like his are in a “street fight” with hackers.

The threat posed by determined cyber-invaders explains why companies that offer to mimic them and test the vulnerabilities of clients’ systems—a practice known as “penetration testing”—are in demand. Some businesses, such as banks and outfits handling electronic payments, are required by regulators or industry bodies to conduct regular “pentests”. Others hire pentesters because they think outsiders may spot things that internal security teams miss. “You tend to get tunnel vision in-house,” says Charles Henderson of Trustwave, an internet-security firm whose SpiderLabs arm conducts pentests.

Like Mr Whitaker, other white-hat hackers find it a doddle to bust into clients’ systems. Jim O’Gorman of Offensive Security says that his team was asked by an executive at a large electronics manufacturer to test its security. They were stunned by how quickly they broke into its networking and manufacturing systems. “I told him you’ve spent 20 years building up your firm’s reputation and in 20 hours we’ve got control of your company,” boasts Mr O’Gorman. Technology firms, which might be expected to know better, suffer more data breaches than those in other industries, or even the government.

A popular trick used by black-hat and white-hat hackers alike is to send fake “phishing” e-mails, which seem to come from legitimate sources and ask a firm’s employees to enter their usernames and passwords. Mr Whitaker says about a fifth of employees who receive these e-mails are fooled by them. Once inside a network, his team takes an average of four hours to take control of it.

Critics of pentesting say cheap software that automatically scans for vulnerabilities in a firm’s systems can automate much of the work pentesters do. They also claim that tests can create a false sense of security inside companies. Michael Borohovski of Tinfoil Security, which makes software that hunts for security flaws, says firms often make big changes to their systems between pentests, which can accidentally create new vulnerabilities. Moreover, some pentesters may simply lack the skills and ruthlessness to spot weaknesses that cyber-crooks will find.

Executives who have used pentesters acknowledge that clients should choose them carefully, and call them back whenever big changes are made to computer systems. But they reject the notion that they can be replaced with software. “They’re not just testing security tools, but also exploiting vulnerabilities to probe deeper inside companies’ systems,” says Richard Moore of New York Life, an insurer.

To convince sceptical clients that their systems are vulnerable, Trustwave records videos of its hackers breaking into them, to prove that they really did get in. Some white hats go even further, pinching a confidential document from their clients’ servers and then presenting it to them with a flourish. “This makes the threat much more real,” says Deke George of NetSPI, another pentesting firm. When shocked bosses are presented with this sort of evidence, they usually reach for their chequebooks fast to fix the problem.

Still, even a robust pentesting strategy combined with other security measures may not be able to foil dogged intruders. In Target’s case, it appears that the initial breach through which black hats secured access to its systems took place at a heating and ventilation company that was one of Target’s suppliers. More details about how the theft worked will no doubt emerge as investigations proceed.

New risks are constantly emerging, notably in the field of mobile apps. Companies are rolling out lots of these, so that their employees can work on tablets and smartphones as they travel. But pentesters who have begun probing them say that the quality of the security associated with them is years behind that of other corporate apps. So is anyone safe? Knowledge Group’s Mr Whitaker says that only one utility was able to frustrate his hackers’ attempts to break in. Its secret? The engineer whose data they wanted still kept it on old-fashioned floppy disks that he simply took out of his computer every night.

From the print edition: Business
