White hats and bug bounty wins: ethical hacker Zaid Sabih shines a light on his craft
As if the pandemic wasn’t bad enough, last year was also a cyber security disaster. Banks experienced a 238% rise in hacking attempts. In its role as arbiter of the Covid-19 response, the World Health Organisation reported a five-fold escalation of cyberattacks on its staff and systems. With so many workers everywhere operating remotely, the digital world was a far more precarious place.
A catastrophic year ended with the fitting revelation that major IT software provider SolarWinds — which boasts some of the biggest companies in the world as its clients — had been compromised by hackers. This was a profound and far-reaching supply chain attack that touched thousands of client companies, as well as some departments in the United States government.
Even now, the clean-up is on-going.
The white hat
“It’s not the first time we get a supply chain hack,” says Zaid Sabih — “these are the trickier ones, because you are getting software from its legit publisher, and it’s the publisher that got hacked.”
Ethical hacker and CTO of cybersecurity company zSecurity, based in Dublin, Zaid admits that he would have expected a software provider or the NSA to be a little more careful.
“More information got exposed in the wild again,” he says.
Like the people who carry out these kinds of attacks, Zaid is himself a hacker. In the world of cyber-wizardry, the term is white hat: someone who uses their cyber expertise to help rather than hinder.
For companies, hiring a white hat hacker is like hiring a bank robber to test how robbable your vault is. They use the same techniques and identify the same vulnerabilities in your computer systems as malign black hat hackers would.
Only if Zaid does it, you get an invoice rather than a ransom letter.
While zSecurity provides security consultation, penetration testing (as above), and computer code review, its main area of business is providing online courses on ethical hacking. Zaid shows other people how to break into computer networks or commandeer a target’s computer in order to use it remotely.
Teaching and responsibility
The hacker, who moved to Ireland from Iraq in his teens, uniquely combines high-level industry skills with social media fluency. As a result, he has generated a sizeable online following through videos on his more playful hacking exploits.
Whether infiltrating his friends’ computers and web cams or demonstrating the role social engineering plays in cyberattacks — having duped members of a conference audience days prior — his content makes for fascinating and sobering viewing. These days, we’re all pretty vulnerable.
With more than 650,000 students, between his courses on Udemy and other teaching platforms, as well as his own output on the zSecurity website, Zaid has made waves as a provider of hacker content.
The security expert and mischief-maker explains that he is, however, well aware of the duty he has in his role. “I do feel that I have a big responsibility in making sure that whoever gets my course knows what’s legal and what’s illegal, and what’s right and what’s wrong,” he says.
Though he admits there will always be outliers, mostly his students are people who take cyber security seriously and are looking to upskill.
A problem that needs addressing
Zaid uses the analogy of martial arts: it is possible for someone to learn martial arts, pick a fight with someone in the street, and leave their victim with broken arms. “That goes down to you as a person,” he says, adding that it can just as easily be used for self-defence.
It is not surprising that humans will use the internet to commit crimes. After all, people have been killing, robbing, and kidnapping for a long time. But as far as Zaid is concerned, there is an imperative to teach these hacking techniques.
“The black hat hackers, the guys that use these things to steal and to break systems — whatever they do, if we don’t talk about it, it becomes more effective,” he says, as people will not understand how to defend against the criminals’ methods.
Crucially, Zaid assures people that these kinds of hackers are not customers of his, nor are they likely to come to his content for ideas. “And even if they did,” he explains with a smile, “they would clearly be downloading it illegally.”
Penetration testing and cyber security are well-established fields founded on highly sought-after skills. In fact, many of Zaid’s students are already security professionals. They might have been hacked and want to understand how to better avoid it in the future, or perhaps they are looking to become penetration testers themselves and need some structured curriculum.
Whatever their reasons, Zaid wants as many people as possible to know that they can make good money using these techniques legally.
As a white hat, one common way to build your skills and fill your bank balance is to pursue bug bounties. Essentially, this is where a company puts out notice that it wants well-intentioned hackers to test its systems for security issues. If hackers find vulnerabilities, they will be paid by the company.
“They basically tell you which ones you can touch from the website, which ones you can’t, with a minimum and maximum bounty that they would pay,” Zaid explains.
The system is attractive for both parties. Companies lose less money, as vulnerabilities are not exploited maliciously, and reputations are left intact. And the hackers get to practice and make money legally once they discover something.
The top earners can enjoy a comfortable lifestyle.
“There are people who do it full time and they would be earning about $300k a year […] You could live very well off finding bugs,” Zaid explains. The highest pay-out Facebook made in 2019 was reportedly a $65,000 bounty award for a vulnerability which had potential to become a nasty data breach.
“Big websites like Google and Facebook don’t need to use a bug bounty platform because they already have huge reach,” Zaid explains. For smaller companies, it can be more difficult to plug these security holes without signing on with a platform.
“So, we’re actually launching our own platform — bug-bounty.com — where we allow people to list their websites and allow other hackers to test them,” Zaid explains.
The goal is to have a far more affordable version of what already exists with other providers. Companies are able to support their own bug bounty programs by listing with the platform.
Zaid believes that with the reach of zSecurity’s existing students and social media presence, there are plenty of budding hackers who would be more than happy to infiltrate some systems and get paid for doing so.