White-Hat Hackers: Meet the geeks who make computing safer by exposing its flaws

White-Hat Hackers: Meet the geeks who make computing safer by exposing its flaws
Chris Whetzel

For his next trick, Wayne Burke will demonstrate how to begin hacking NATO. Theoretically, of course. If one were into that sort of thing. But first, a mic check.

"Are there any government guys in the audience?" asks Burke as he scans the dozens of computer geeks assembled in a conference room at the Ameristar Casino in St. Charles last month.

Staring back are Polo-and-Dockers middle- management types and surly looking hackers in black T-shirts who've traveled from around the country for TakeDownCon, the St. Louis area's first-ever cybersecurity convention.

As one of the superstars in the field, Burke has just spent the past half-hour regaling the crowd with the intensity of a late-night TV pitchman.

His thesis: Hacking is no longer just for basement-dwelling obsessives. Already he has shown off a pair of cheap, miniaturized supercomputers that can launch attacks for the industrious, on-the-go hackers of today. Now he's demonstrating a suite of automated tools that go out and scour the Internet for data, providing breadcrumbs that can lead to a successful exploit. The North Atlantic Treaty Organization is next on his hit list.

Thankfully, there are no self-identified government agents in the room. Burke, the founder of the international security consulting firm Sequrit CSi, continues.

He's using a program called "FOCA," which when filtered through Burke's outrageous South African-Dutch-Texan accent sounds like a barroom insult.

FOCA uses Google and Bing to search through all the documents hosted on a given website. Each one of these documents is rich with "metadata," or the kind of mundane stuff that a computer logs whenever someone creates or modifies a document, such as when it was created, the last user who touched it and so forth.

That same metadata can point a hacker on the hunt to some real treats: IP addresses, e-mails, even data on printers can become a potential point of entry. This treasure trove of data takes only a few select clicks to uncover. As several members of the audience would undoubtedly joke, even Mac users with their style-over-substance computers could figure most of this stuff out.

"This is not rocket science anymore," Burke declares. "I didn't even have to go down to the zeroes and ones!"

Despite his apparent cavalier attitude toward rifling through NATO documents via a rather public wireless network, Burke keeps this phase of his presentation brief. He runs FOCA just long enough to demonstrate that it is actually harvesting metadata from the mighty political and military alliance (a few NATO e-mails and usernames flash across the screen), before ending with a disclaimer for those government guys who are surely not in the room:

"Did I mention that I'm a Dutch resident?"

As daring as this little demonstration might seem, it's not a how-to guide. Burke is play-acting like a bad guy so as to bring his colleagues inside the mind of a malicious attacker.

With an increasingly easy-to-use arsenal of tools at their disposal, hooligan hackers don't have to be experts to make bad things happen. But the people in this room have to be.

They are a breed apart: "ethical hackers."

For a lay public weaned on trashy cyber-punk films and scare pieces on TV, hackers make for convenient boogeymen. They can dive into the great digital ocean of data that underpins everyday order and create ripples that grow into tsunamis of chaos: crashed systems, stolen identities, blank checks. And it's not just governments and multinational firms that can find themselves within a hacker's cross hairs.

Earlier this year, St. Louis' own Schnucks grocery chain announced that a cyber attack may have compromised the bank and credit-card accounts of some 2.4 million customers.

In a post-WikiLeaks, post-Edward Snowden world, it can sometimes seem like personal privacy is nothing more than collateral damage in a greater war. Everything is fair game. And even with the government cracking down on whatever offenders it can collar, technology is allowing hackers to become more nimble and evasive than ever.

While these nefarious hackers tend to be the ones who capture media attention, there's a growing class of strait-laced professionals who have built hacking into an upright industry. Instead of adopting colorful pseudonyms and congregating on message boards, they exchange business cards and wolf down buffet lunches at events like TakeDownCon.

These "white-hat" hackers, as they bill themselves, still have a spiritual kinship with their less scrupulous cousins. All of them get a similar rush from digital trespassing, like kids with flashlights breaking into the old haunted mansion at the end of block. The harder it is to get in, the greater the joy of discovery. The only difference: Once ethical hackers are in position to pull the trigger — to bring a business or government organization to its knees — they disengage and then report the vulnerabilities they've discovered to the proper authorities.

To walk that line, it takes a tremendous amount of discipline. In more ways than one, ethical hackers gotta have a code. And in St. Louis, perhaps no one wears his white hat more proudly than Dave Chronister of Parameter Security.

It's Chronister who brought TakeDownCon to town after the roving convention made previous pit stops in Dallas and Las Vegas. And while the St. Louis region isn't necessarily seen as a tech hub, the Schnucks case demonstrates that there's a growing need for guys like Chronister everywhere, including flyover country.

Next Page »