Ethical Hacking and Penetration Testing

In the modern world there are many payment systems, social networks and sites that require users to register with personal data, including payment card numbers, phone numbers and e-mail addresses. Many scammers take advantage of this: they hack accounts and steal money from them, or harvest data for spam and phishing. To protect account data, the security systems of a site or service therefore need to be tested regularly against a defined level of protection.

"White", or ethical, hacking was created for this purpose. Cybersecurity experts in this field look for gaps in the systems that are supposed to keep a site and its data secure. Site administrators and owners organize contests in which hackers try to break into their service for a fee. This is why ethical hacking (CEH, the Certified Ethical Hacker program, is a popular resource for studying it) has become popular.

Bug hunting

Ethical hacking is a form of hacking permitted by law that searches for vulnerable areas in systems. It is done to find "gaps" and draw the developers' attention to them, which significantly raises the level of protection. The people who do it are white hackers, known in English-speaking countries as white hats. By the nature of their activity they are the opposite of crackers, who look for opportunities to compromise and sell data or to "leak" it to competitors; the slang term for these hackers is black hat. That kind of activity is prohibited by law and is punishable.





Activities

Depending on the specifics of the work, "white" hackers take part in open and closed competitions. These differ in payment, in the number of participants and in their skill level. In the open case, a large number of young specialists take part and are admitted on the basis of the certificates they hold. In the closed case, the organization's administration selects a team of hackers from among professionals.

Unofficial hacker community




The most common way for cybersecurity professionals to earn money is through bug bounties. A bug bounty is a program for finding errors in code that lower the system's level of security. It lets developers find and fix code errors in their products in advance, so that criminals who earn money by hacking sites and services and leaking compromising data about them and their users get no chance to do so.

This is achieved by the developers officially publishing an announcement of a contest for finding bugs and vulnerabilities in the system. Most often the announcement comes with a cash reward, and the more complex the system, the larger the prize. Programmers and hackers then begin studying the publicly available system for code bugs and for ways to extract protected data. With an open program, all information about the system is posted on the Internet.





Closed competition

There is also a closed type of testing. In this case, the development team selects a specific set of contestants to break into a structure or system. Cybersecurity specialists are recruited on the basis of their resumes and a competitive selection, and each participant receives an invitation. For many, this profession is a side activity alongside their main occupation: the work is often done by programmers who develop antivirus and other protection software, and ethical hacking and penetration testing are an additional income for them. There are large contests that allow participants to earn up to a million for hacking high-level systems.

Platforms

There are platforms that bring hackers and software developers into contact. The two most popular are HackerOne and Bugcrowd. In essence, these systems are a meeting place for developers and cybersecurity experts, and thus serve as hubs for the IT community. Registered and certified members can find targets at the level they want.

These programs have involved several hundred thousand specialists from all over the world. In addition to private companies developing custom software, such orders are published by government organizations. For example, the Pentagon (the US Department of Defense headquarters) launched its own "Hack the Pentagon" program on the HackerOne platform.

Payment

Companies pay high fees for vulnerabilities found in their systems. Depending on the complexity and level of the protective structure, a payment may exceed several thousand dollars. According to HackerOne's global statistics, the average payment for a found bug or weakness exceeded $1,800. In recent years, developer companies have paid white hackers more than $20 million.

Story

The first bug bounty model was introduced by the American company Netscape Communications Corporation. In the early 1990s it launched a service that paid for finding vulnerable areas and critical bugs in its web browser. The corporation found that, with the help of third-party specialists recruited from all over the world, problems in the code could be found much faster than through long-term testing by a limited staff of cybersecurity workers. The idea spread quickly, and by the 2000s many IT corporations had adopted it.

This model is also used in Russia and the CIS countries. Large companies and government agencies often turn to cybersecurity experts and hackers for help. A program has been launched to search for bugs and critical errors in government IT systems, with an estimated budget for the centralized program of 800 million rubles. According to statistical studies, ethical hacking has become more profitable than criminal hacking.

When the occupation may be criminally punishable

If a corporation or service does not have a bug bounty program, it is unwise to hack its system. There have been cases in which a "white" hacker found a flaw, reported it to the company, and received a police summons instead of a reward; programmers have ended up in prison this way more than once. It is therefore unwise to look for bugs in services that do not have an official bug bounty program.

Ethical hacking and testing can also be dangerous, but only in case of improper use or going beyond the conditions of the bug bounty program. For example, one ethical hacking specialist got an unpleasant surprise after finding several critical flaws in Instagram's system that allowed access to its data and utilities. Company officials accused him of violating the principles of the bug search program, and the "white" hacker was told that he had no right to touch confidential information and system data. As a result, only part of the work done was paid for, and had the media not intervened, the specialist would have been sent to jail.

Therefore, before starting work, it is advisable to study the terms of the program's agreement. If they are not observed, a criminal case may be opened.

Ethical Hacking Training

Hacking security systems has become a profitable business in recent years, and more and more programmers, system administrators and cybersecurity specialists are doing it. A large number of courses, online trainings and practice sites have appeared. Below are a few sites where you can learn and practice hacking skills. Largely thanks to the popularity of ethical hacking, torrents and social networks can be used safely.

Google gruyere

The site is intended for beginners. A large number of security holes have been deliberately added to it, so you can learn:

  • how to find problems in the protection system of the site and application;
  • how scammers use various web utilities;
  • how to provide protection from criminals who want to get to the site data and users.

Hack this

The site was developed specifically for training beginners in "white" hacking. Its training courses teach dumping, defacement and protection against hackers. There is a progressive difficulty scale, as well as a forum and chat for communication between specialists and beginners. This makes the service one of the best for sharing new methods.

Hellbound hackers

The service is designed around a hands-on approach. It was built around a large number of exploit challenges, and it trains users to identify and eliminate them. Hellbound Hackers is considered the best training site available on the Internet, with more than 100 thousand registered accounts. Here you can hone your skills and become an ethical hacking specialist.
