Black hats can benefit firms, but precautions needed

Reformed hackers bring another dimension of expertise to organizations, according to a security professional, but necessary precautions must be taken in hiring black hats as corporate reputation and sensitive information are at stake.

Experience or knowing "the tricks of the trade", and low cost are key reasons why organizations would hire black hats--or hackers who exploit vulnerabilities in software and systems--to combat cybercrime, said Eric Chan, regional technical manager for Southeast Asia and Hong Kong at Fortinet.

"A good hacker loves the challenge of finding vulnerabilities in networks and systems, and spends countless hours perfecting his craft and is hence competent at this role," Chan explained in an e-mail interview. "They could also be cheap to hire [compared to] computer science PhD holders."

According to Chan, a black hat is a hacker who breaks into systems for malicious and personal gains, such as using a computer to attack systems for profit or fun, or as part of a social cause. Black hats, he added, may also be driven by political motivations.

Facebook, for one, hired George Hotz, who as a 17-year-old unlocked Apple's iPhone in 2007 and early this year released a jailbreak for Sony's Playstation 3 firmware version 3.55, which prompted the Japanese electronics giant to sue him although a settlement was later reached. Hotz began working at the popular social networking platform as a software engineer on May 9, according to ReadWriteWeb.

Trust, company ethics at stake
While it may make sense to hire hackers who do not practise responsible disclosure, recruiting black hats, especially those with criminal records, may damage the company's reputation and relationship with their clients, Chan pointed out.

The issue of trust would arise as well, in terms of whether the hacker can be trusted with confidential and sensitive information or relied on to protect bank account information, he explained.

Chan stressed the importance of performing background checks on black hats before putting them on the payroll. The information gathering may include the potential employee's criminal history and whether his intent had revolved around profit, politics or curiosity. His motivation for his previous hackings would indicate whether he was suitable for the organization, he said.

In addition, a probation period should be imposed. Chan said: "Keep a close watch on the black hat during his early days with the company. This may include having a manager monitor his every move and implementing restricted access to system information."

"Hiring black hats carry significant risk and companies should proceed with caution," he warned."There is no way firms can be sure that black hats won't act against their interests."

Sophos' Asia-Pacific head of technology Paul Ducklin disagrees however. Defining a black hat as one who "deliberately or through a casual or negligent attitude breaks the law in furthering his or her online pursuits", he pointed out that organizations should instead find someone whom they can trust and who "isn't tainted by criminality".

"I think the question is not 'what complications could arise' but 'why would I want to bother in the first place'," he argued. The security expert likened organizations paying for a black hat to secure their environment, to consumers getting prescriptions from a drug dealer or people buying foreign exchange from a known currency counterfeiter.

Ducklin noted that organizations seem to be "deluded" by the notoriety surrounding criminals and are "willing to rub shoulders with them" because they mistakenly think that black hat hacking is a victimless crime.

In addition, there is the misconception that being a criminal hacker is more difficult and therefore requires a higher level of skill and ability, than being a non-law-breaking penetration tester or white hat hacker, he said.

Richard George, technical director of the U.S. National Security Agency's (NSA) information assurance directorate, drew a distinction between "hackers with skills and computer criminals" in a Reuters report this month, which highlighted NSA's plans to recruit hackers. The agency announced that it would hire 1,500 people in the fiscal year ending Sep. 30, 2011 and another 1,500 next year, most of whom will be cyber experts.

The NSA director pointed out that it is possible for hackers to learn the same skills without breaking the law. The agency, he told Reuters, was an environment "where the hacker mindset [fitted] right in to work with a critical mass of people that were just like them and NSA needed employees with the hacker skill set and hacker mind-set.