By James Lawrence - Knowledge - 2 months ago

White Hats and Hackathons

Security can be a pretty interesting subject for me. I’ve been known to watch 50-minute YouTube videos on the attacking and defending of doors, but, maybe because of attending my first hackathon at the NEO Black Sea Hackathon, I’ve delved more deeply into ‘white hat’ cybersecurity. I guess we can maybe blame Hollywood, or my ignorance, for the allure of the malicious hacker, when in reality we should have been paying way more attention to ethical computer hackers this whole time.

The hackers we're used to seeing in movies and television are nefarious actors called ‘black hat’ hackers. These individuals use their skills for criminal ends, but ‘white hat’ hackers are the heroes. A white hat hacker, or just a white hat (to save the tongue-twister), is a researcher who, upon discovering a vulnerability or weakness in software, doesn’t exploit it but notifies the vendor so that the hole can be patched. That being said, a white hat hacker shouldn’t be considered your standard cybersecurity employee. These individuals still hack: they use their prowess to probe websites, to attempt to penetrate them and ultimately to attack in the same way a malicious hacker would. It should also be noted that a true white hat will always seek permission before performing any sort of pen test. Performing unpermissioned tests can cost a white hat their credentials and result in refusal of access to conferences and loss of future employment.

Wired notes that it used to be that white hats were rewarded with an acknowledgment in the patch release or maybe some merchandise from the company, but nowadays white hats are earning serious money for their exploits, “anywhere from $500 to more than $100,000… by selling information about a vulnerability to companies that have bug bounty programs.”

White hats use a variety of methodologies to assess software but tend to specialize in penetration tests, or pen tests. A pen test is a simulated attack on a platform, be it a website, an operating system or, in the crypto sphere, a blockchain or smart contract code. The test is performed to identify both weaknesses and strengths: it points out potential vulnerabilities that would let unauthorized parties gain access to the system’s features and data, as well as the strengths of the system. The result is a risk assessment of the potential impacts on an organization and the ways to reduce those risks.

One example of a pen test is a process called ‘fuzzing’. Fuzzing means submitting random, invalid or unexpected data inputs to a piece of software to see if it results in some form of crash. The process is analogous to a doctor testing for allergens. If a doctor thinks a patient is allergic to something but doesn’t know what, they may test nuts, dairy, seafood, pollen - any number of potentials to see which gives a reaction or is exploitable in your body. These exploits or errors are useful to hackers because they either expose more information about a piece of software or are directly used to compromise the software.

Fuzzing tests originated from a research paper published in 1990, which reported that fuzzing was “able to crash 25-33% of the utility programs on any version of UNIX that was tested.” The team then went on to perform two more studies, producing similar results over a period of ten years. Using the same inexpensive and quick methods, the researchers were able to continue to crash software over a period of a decade.
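To make the idea concrete, here is a minimal random-input fuzzer, added as an example (it is not code from the 1990 study or from any project named in this article). The target `parse_record`, its record format and its planted bugs are constructed for illustration; the fuzzer counts a `ValueError` as a graceful rejection and any other exception as a crash.

```python
import random
import traceback

BOUNDARY = (0x00, 0x01, 0x7F, 0x80, 0xFF)  # values that often sit on edge cases

def parse_record(data: bytes):
    """Constructed toy target: [tag][length][payload...]. Rejects bad input
    with ValueError, but has latent bugs a fuzzer should surface."""
    if len(data) < 2:
        raise ValueError("record too short")
    tag, length = data[0], data[1]
    payload = data[2:2 + length]
    if tag & 1:                                # "ratio" record
        return payload[0] // payload[1]        # bugs: short payload, zero divisor
    if payload[length - 1] != 0:               # bug: trusts the length field
        raise ValueError("text record not NUL-terminated")
    return payload[:-1]

def random_input(rng: random.Random, max_len: int = 16) -> bytes:
    """Random bytes, with about a quarter drawn from boundary values."""
    return bytes(
        rng.choice(BOUNDARY) if rng.random() < 0.25 else rng.randrange(256)
        for _ in range(rng.randrange(max_len + 1))
    )

def fuzz(target, iterations: int = 2000, seed: int = 1990):
    """Feed random inputs to target; return {(exception, line): first input}."""
    rng = random.Random(seed)                  # seeded so every finding replays
    crashes = {}
    for _ in range(iterations):
        data = random_input(rng)
        try:
            target(data)
        except ValueError:
            continue                           # graceful rejection, not a crash
        except Exception as exc:               # unhandled: the fuzzer's "crash"
            line = traceback.extract_tb(exc.__traceback__)[-1].lineno
            crashes.setdefault((type(exc).__name__, line), data)
    return crashes

if __name__ == "__main__":
    for (name, line), data in sorted(fuzz(parse_record).items()):
        print(f"{name} at line {line}: input={data.hex() or '(empty)'}")
```

Grouping crashes by exception type and source line keeps thousands of failing inputs down to one entry per distinct bug, and the fixed seed means each saved input reproduces its crash while the parser is being fixed.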

The NEO Black Sea Community Hackathon was a three-day event that was set to tackle issues facing Georgia and possible smart economy solutions such as smart contracts and blockchain technology. Programmers competed and developed their own projects deployed on the NEO blockchain. Many projects had a security orientation, such as the project from Golden Fleece mining, who developed a university diploma authenticator with the immutability of the blockchain. Participants competed and developed smart contracts to address existing problems thought unpursuable before crypto solutions.

An event coming up that is just a skip across the Black Sea is HackIt 4.0, hosted in Kiev, Ukraine from October 8 to 11. HackIt is made possible by Hacken, a market leader in cybersecurity. The forum will bring hackers and the crypto community together and provide networking opportunities for stakeholders. Participants will gain practical information and experience, with the last two days of the forum dubbed ‘attack and defense’ days. This is where white hats will go on marathon hunts and subsequent attacks of bugs and exploits, while defenders will attempt to stop them and secure software. HackIt 4.0 will give insight into general cybersecurity and into security specific to blockchain tech, such as hot and cold wallets, blockchain protocols and token smart contracts.

Hackathons are where skills are shared and honed between hackers, cybersecurity experts and other stakeholders in the sphere. The events also provide great insight into the world of cybersecurity for the general public and highlight the vital role of white hats in the field. Both the NEO Black Sea Hackathon and HackIt allow ethical hackers to excel while connecting these individuals with potential applications, whether it be cryptocurrency, blockchain or general tech projects. White hats play an essential role in keeping our digital systems online; making use of their work can mean a crucial step forward for a project in cybersecurity.