Coolest jobs in tech: hackers for hire


A lucky few hackers are showered with cash and prestige for piercing digital fortresses.

One spring day in 2010, a hacker named Kevin Finisterre knew he had hit the jackpot. A network he had been casing finally broadcast the live video and audio feed of a police cruiser belonging to a US-based municipal government. His jaw dropped as a computer in his home office in Columbus, Ohio showed the vehicle—with flashing blue lights on and siren blaring—charging down a road of the unnamed city.

A burly 31-year-old with glasses and pork-chop sideburns, Finisterre has spent more than a decade applying his combination of street smarts and technical skills to pierce digital fortresses. For instance, he once accessed the work account of an engineer for a large utility company. Finisterre used a pilfered profile from Hotjewishgirls.com to trick the engineer into thinking he was interacting with a flirtatious 26-year-old woman, until the engineer finally coughed up enough personal information to make an attack on his corporate account successful.

It’s not a bad way to earn a living.

Thrill of the hunt

Finisterre is one of the “good guys.” He works as a penetration tester who gets paid to hack into Fortune 1000 casinos, banks, and energy companies; exploits like these are all in a day’s work.

“I really, really love it,” he says of his job—currently senior research consultant at security firm Accuvant Labs. “I’ve been able to get exposed to a lot of things that I wouldn’t get exposed to unless I was trying to get myself arrested. What other opportunity are you going to get to try to hack into a bank?”

It’s a common sentiment.

“There is a thrill,” agreed Billy Rios, the 33-year-old leader of a team at Google acting as the company’s front line of defense. “You’re going up against some of the largest organizations in the world. They’re basically hiring you to thwart them and circumvent all their security mechanisms.”

Alex Lanstein at Interpol headquarters Credit: Alex Lanstein

Rios’ team at Google has an inauspicious name—Web or Other Product Security—but he and his colleagues review every advisory sent to the security@google.com e-mail address. They analyze reported bugs throughout the entire range of Google software and services, from the Chrome browser to Google+ and Gmail. When they determine the validity of a given bug report, they often exploit the flaw so they can assess its severity. Finally, Rios’s group will repair the flaw or assign the fix to an engineering team.

Alex Lanstein also knows the feeling of adrenaline surging through his veins when chasing down malicious hackers. But the 26-year-old also enjoys the satisfaction of knowing his work has made a difference to literally hundreds of millions of Internet users. Over the past four years, he’s been instrumental in taking down botnets pumping out tens of billions of spam e-mails each day.

It all started in 2008. Lanstein and his colleagues at security firm FireEye reverse engineered a botnet dubbed Srizbi, which used a date-based algorithm to periodically generate new sets of domains from which the botnet’s shadowy controllers could issue new orders to their network. Lanstein soon discovered that when the Internet names used to host one of Srizbi’s command and control channels were severed—as would later happen with the November 2008 shutdown of a notorious Web hosting company called McColo—the malware was programmed to dynamically produce new names with pseudo-random strings. It then instructed all infected machines to begin taking orders from servers located at these addresses. By dynamically changing the command and control domains, the Srizbi operators planned to stay one step ahead of those trying to disrupt their botnet.

Recognizing that Srizbi differed from most of the other botnets hosted by McColo, Lanstein took his findings to one of his contacts at VeriSign (one of the gatekeepers for the .com addresses used exclusively by Srizbi’s domain generation algorithm). VeriSign set aside the names that the botnet would generate for the next year or two, and the 500,000 machines that belonged to the botnet became orphans, no longer under the influence of the botnet’s operators. The result: Srizbi was incapacitated, with the exception of a brief resurrection attempt that ultimately proved futile.
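The two paragraphs above describe the defensive logic behind the Srizbi takedown: once analysts recover a date-seeded domain generation algorithm, they can enumerate every rendezvous name the malware will try in advance and reserve, sinkhole, or blocklist them. The following is an added illustration, not Srizbi’s real algorithm and not code from FireEye or VeriSign. The seed key, the SHA-256-based label construction, and the DNS log format are all constructed for the example; the point is only that a deterministic, date-driven generator lets defenders compute the future names before the operators can use them.

```python
import hashlib
from datetime import date, timedelta

TLD = ".com"
SEED_KEY = b"constructed-example-seed"  # hypothetical: real DGAs embed their own constants


def generate_domains(day, count=4, length=12):
    """Return the candidate rendezvous domains for one calendar day.

    Hypothetical generator: the label is derived from SHA-256 over a fixed
    key, the ISO date, and a per-domain index, so anyone who knows the
    algorithm can reproduce the same list for any day, past or future.
    """
    domains = []
    for index in range(count):
        material = SEED_KEY + day.isoformat().encode() + bytes([index])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:length])
        domains.append(label + TLD)
    return domains


def precompute_blocklist(start, days, count=4):
    """Defender side: enumerate every domain the generator will emit for
    `days` days starting at `start`. This is the set a registry would set
    aside or a resolver would sinkhole, as described in the article."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset), count))
    return names


def flag_dga_queries(dns_log_lines, blocklist):
    """Detection: return (client_ip, qname) for each DNS query whose name
    is in the precomputed blocklist. Log format is constructed:
    '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


# Constructed sample: one benign query and one query to a generated name
# for a day well inside the precomputed window.
START = date(2008, 11, 12)
FUTURE_NAME = generate_domains(date(2008, 12, 1))[0]
SAMPLE_LOG = [
    "2008-12-01T08:00:01 10.0.0.5 query www.example.com.",
    "2008-12-01T08:00:02 10.0.0.7 query " + FUTURE_NAME + ".",
]

if __name__ == "__main__":
    blocklist = precompute_blocklist(START, days=365)
    print(len(blocklist), "names to reserve for the coming year")
    for client, qname in flag_dga_queries(SAMPLE_LOG, blocklist):
        print("possible infected host", client, "->", qname)
```

The blocklist size is simply days × names-per-day; for a real generator the same enumeration tells a registry exactly which unregistered names to withhold, which is the step that orphaned the infected machines in the article.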

“Even though the other bots that were at McColo—Rustock and Pushdo—were able to come back up, we were holding Srizbi down,” Lanstein said. “That showed as long as you really understand the way the malware works, you can hold it off pretty effectively.”

In the coming years, Lanstein’s analysis and contacts proved crucial in taking down other prolific spam botnets. His victories included Mega-D and Rustock, which at their height were among the Internet’s biggest sources of junk messages. When he was unable to convince several domain registrars to suspend Mega-D domain names that violated their terms of service, Lanstein relied on webhost contacts who agreed to turn off the botnets’ servers. The FireEye research was cited in legal papers filed against operators of both botnets.

“I got to go to court with Microsoft and the Justice Department and go in front of a federal judge and say those are bad guys doing bad things,” Lanstein said. “It’s pretty cool to be a part of that.”

For 38-year-old Arian Evans, the satisfaction of being vice president of operations at WhiteHat Security lies in the opportunity to deliberately break the applications that banks, social media providers, and other businesses use to deliver online services.

“I was the kid who would take apart the VCR and figure out how to put it back together,” Evans said. “Taking it apart was for me just as fun, if not more fun, than putting it back together.”

His team of 82 inflicts daily pain on Web apps used by more than 7,000 sites. He compares this grueling hacker brutality to the rigorous series of collision tests car manufacturers inflict on their automobiles to make sure they’re safe.

“We’re building the modern crash test dummies for the Internet,” he says. “We’re trying to simulate the accident to help [customers] build more robust software before the bad guys can cause a crash.”

Arian Evans likens the hacking of Web apps to building “crash test dummies for the Internet.” Credit: Arian Evans

Education of a hacker

Like the other three hired hackers profiled here, Evans was an unusually curious kid who came of age just as the Internet was morphing from a hobby to a platform for delivering advanced content and services. In the mid 1990s, he took computer science courses at a community college and briefly at the University of Kansas. He dropped out, he says, when he “couldn’t map computer science to reality.”

Then, in 1997, everything changed with the advent of Web cookies. They made it easier to deliver content and services customized for individual users by allowing websites to keep state.

“You started to see grownup business platforms, and that’s when I started to dig in,” Evans said. At the time, “you could get away with hacking into things because nobody knew. Nobody was monitoring anything. There were things you could simply do out of curiosity that today would probably be logged and set off alarms.”

He eventually found himself working as an application architect for US Central, a large corporate credit union. Then he spent a few years building an application security and assessment team at Fishnet Security. He ultimately joined WhiteHat in 2006.

Kevin Finisterre and son Credit: Kevin Finisterre

Finisterre also eschewed formal computer training, preferring instead to teach himself by hanging out with other hackers. The son of a nuclear engineer who also designed and built race cars, he and a friend chipped in on a subscription to a service that delivered a variety of Linux distributions. After mastering the administration of Red Hat, FreeBSD, and other variants, Finisterre eventually turned his attention to code analysis before he fully appreciated what a C compiler was.

“I can vividly remember a buddy of mine that was trying to teach me about security vulnerabilities and was frustrated with the stupid questions of mine,” Finisterre recalls. “He said: ‘Look at the stupid source code.’ He actually gave me one of the biggest hints in my life about what I should be doing with regards to looking for more vulnerabilities.”

In the late 1990s, he took a job with a company called Checkfree to help large banks prepare their back-end systems for the transition to Y2K. The work was largely menial, requiring him to log into machines running SCO Unix, check the BIOS firmware, and make sure the operating system had a patch installed. But it also involved converting the systems to Linux. The experience proved invaluable when around the same time IBM started promoting Linux as an enterprise-ready OS. In his spare time, Finisterre established his own penetration-testing firm called Digital Munition that specialized in locking down systems running the open-source OS.

Rios’ path to becoming a hacker and security consultant began as an undergraduate majoring in business at the University of Washington during the second half of the 1990s. During his free time, he played video games such as Champions of Krynn and Airborne Ranger. Before long, he found himself peeling back the games’ exteriors to figure out how their scoring and network protocols worked.

“We put our names at the top of the scoring table with ridiculous scores that no one could ever achieve,” he says. “Some of our friends who weren’t so technical would show up and they would try and try and try to achieve these scores. They were just impossible.”

He graduated with a concentration in information systems and was commissioned as an officer in the US Marine Corps. There he was put into a signals intelligence battalion. During his four years as a Marine, Rios gained experience in operations security, physical security, and the protection of classified data. He also earned a master’s degree in information systems.

Rios spent the next few years at the Defense Information Systems Agency and then as a consultant for Ernst & Young, doing penetration testing for banks and Fortune 500 companies.

“In those days, they gave you free rein,” he said. “Sometimes it would be with a computer remotely from a security center. Other times, it would be trying to walk into their building and plug into an Ethernet jack inside one of their conference rooms and hope you didn’t get caught. That’s what made it a lot of fun.”

Billy Rios at Google Credit: Billy Rios

In 2007, during his first week on the job as a security engineer for Microsoft, Rios thought it would be fun to remotely take control of his boss’s computer. He spent a week exploiting a vulnerability that allowed him to leave a text message addressing the boss and recommending he change his passwords. “I thought we’d have a chuckle or two, but he wasn’t very happy about it,” he said.

Rios spent three years at Microsoft in a variety of positions—first in the company’s online services division and then for its Office Communicator. He eventually became the security program manager for Internet Explorer. In 2010, he moved to Google.

Lanstein, meanwhile, managed to have a job waiting for him at FireEye in the spring of 2007, just a few days after graduating from Connecticut College. He landed it after demonstrating some software tools he had developed, improving the college’s network access controls used to identify file-sharing and other prohibited behavior.

He was supposed to start at FireEye as a network administrator, but “what it said in my offer sheet was nothing of what I ended up doing,” Lanstein said. With a full-time network admin already in place at the firm, Lanstein ended up being the “go-to tools guy” for the next few years, gradually spending more and more of his time hunting down botnets.

A job and a hobby

Top security consultants happen to have some of the best job security in IT. In 2011 alone, hacking breaches exposed more than 174 million records, according to a Verizon report (PDF) published last week. Over the past five years, the list of companies known to have suffered serious breaches that exposed source code and other sensitive data reads like a who’s who of the Fortune 1000 roster.

Add to that the litany of critical bugs discovered almost non-stop in popular software from Microsoft, Adobe, Apple and others—then consider how the boom in social networking exposes people’s pictures, locations, and friends to unprecedented attention. No wonder ethical hackers with elite skills are in high demand.

But for all four of the security professionals profiled here, the job offers far more than a paycheck. “I spend probably half my weekend looking at attacks coming out of China targeting major organizations or targeting Tibetan organizations or human rights people,” said Lanstein. “When your hobby is also your day job, you tend to be pretty good at it.”


Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Contact him on Signal at DanArs.82.
