“My laptop’s webcam suddenly turned on for no apparent reason, probably due to some malware or hacking,” Jedrek (II, CS-CSE) recalls a creepy hacking incident he experienced one night, comparing it to the 2011 thriller film Abduction. Panicking, Jedrek quickly disconnected his laptop from the internet, scanned his computer for potential malware, and disabled his webcam to prevent a Trojan virus from recording his keystrokes.
His case serves as another compelling warning about the perils of the World Wide Web. However, the ease and convenience that ‘cloud’-based systems provide always make it easy to dismiss the terrifying fact that every bit of information divulged into our ‘personal’ cyberspace—Facebook, Twitter, even professional emails—brings us closer to the threat of data breach, identity theft, and privacy invasion.
Yet, when the Panama Papers—financial documents that exposed the offshore wealth of almost 140 corrupt politicians around the world—were hacked and leaked by an anonymous source earlier this year, the world once again began debating the criminal and moral ramifications of hacking.
In an age where the concept of ‘privacy’ is constantly redefined by the hacker collective, where do we draw the line between the wrong and the ethical?
Cybercriminals
You’ve seen them in movies or TV shows, typing quickly to unlock doors, or decrypting long lines of code. You might have heard of Anonymous trying to make online life difficult for wrongdoers. But it’s the news about stolen bank accounts and tarnished reputations that hints at a war against hackers using their skills for more sinister purposes.
In the world of cybercriminals, information is power. Black hats—hackers who use their capabilities offensively for their own personal gain—are the people you don’t want knowing your personal information. Flaws in software, malware attacks, or identity theft: a hacker will use anything at their disposal to get what they need.
There are those who do it for money. In February 2016, hackers took advantage of the SWIFT network to issue instructions to steal money from the central bank of Bangladesh. A few of the transactions succeeded, with $81 million of dirty money traced back to the Philippines, an amount which has not yet been recovered.
Others do it to sabotage competitors or enemies. In February 2014, a hacker group known as the Guardians of Peace demanded that Sony not release The Interview, a comedy about a plot to assassinate Kim Jong-un. The group used malware to steal information, including personal details of employees, private emails, and copies of unreleased Sony films. To make matters worse, the data was also deleted from Sony’s servers. The biggest blow was to Sony’s reputation, with incriminating details revealed from emails released to the public.
But no matter how these cybercriminals vilify the hacking culture, Professor Marnel Peradilla, a professor teaching Ethical Hacking in the College of Computer Studies (CCS), shares that “other hackers are just doing it for fun, or to validate their coding capabilities to invade network systems or websites.” Thankfully, there are also hackers that work to stop cybercriminals.
Ethical hackers
The white hats, or ethical hackers, are a system’s main line of defense against unauthorized access and information theft. Peradilla defines them as professionals who use their knowledge of how to bypass defenses and how black hats think in order to improve the security of a network. These are hackers who are paid to hack a system and reveal how they did it.
Peradilla notes that it’s important for students of CCS to take courses on Ethical Hacking in order to prepare them before they enter the industry. “It is important to know the behavior of hackers or black hats. If we’re going to a war, you have to improve your defense.”
One way to improve a system’s defense is to know the enemy’s capabilities. He shares that every year, companies like Google and Facebook conduct events for professional ethical hackers. “They present problems and networks, and then a group of hackers or students have to penetrate the network.” It’s the information they gain about how the network was infiltrated that lets them discover where the holes or vulnerabilities are.
Ergo* (V, CS-CSE), a self-admitted white hat, shares that there are also competitions held for professional ethical hackers. “The objective of the competition is to protect yourself from other hackers while hacking other players for 24 hours.” While anonymity makes the game challenging, it also secures the ‘safety’ of players involved. “Even competition is not a safe place to say that you know how to hack,” adds Ergo.
Despite all these defenses, there is one vulnerability that can’t be fixed by software patches or stronger firewalls. “Humans are the weakest link in a security infrastructure. Humans can be fooled. Deceived,” says Peradilla. The professor teaches his class the importance of keeping personal information private because of social engineering, another method hackers use to get what they want.
When someone picks up a flash drive, they might try putting it in their computer out of sheer curiosity, unwittingly infecting their machine with viruses. Otherwise, it could be as easy as contacting the network administrator and pretending to be the owner of an account asking for a password reset. Social engineering takes advantage of human weaknesses. No matter how few technical vulnerabilities a computer system has, it’s the user’s responsibility to make sure they don’t give keys to cybercriminals.
On ‘hacktivism’
Despite the cyber-attacks they are infamous for, not all hackers intend to invade network systems for personal interests. Peradilla explains that there are hackers who “use their abilities to protest for political issues.”
Cyber activists, or ‘hacktivists’, usually penetrate government websites to warn the public or expose the susceptibility of systems and databases. Take the case of the Comelec website, which was hacked months before the May 9 election, and which led to the biggest leak of personal information in Philippine history. Hacktivist groups Anonymous PH and LulzSec Pilipinas have both taken credit for the cyber-attacks, with the aim of challenging the Philippine government to strengthen its security features, and ensuring the integrity of the elections.
Peradilla posits that while the intention is ‘good’, defacing and intruding into a government website without any authorization is still wrong in the legal sense. Aside from tarnishing the reputation of the Comelec, he explains that there are lots of ways to use the leaked personal information of voters for illegal pursuits. “Sensitive information can be used for identity theft or for getting loans from the bank,” he shares.
Ergo shares that Anonymous PH might not actually be related to the global hacking collective Anonymous that declared war against Donald Trump in March of this year. “Anonymous is just a branding hackers use,” he shares, explaining that the real organization transcends national boundaries.
As ‘secure’ as the Internet seems, there’s a constant war going on right under our noses. It pays to skim through the ‘Terms of Agreements’ we often disregard, to verify the identity of the person on the other end of the phone line, and to think twice before disclosing sensitive information to our social media spheres. Knowing that the most private people could still be affected by a hack thanks to the smallest flaw in security, it’s no wonder even a billionaire like Mark Zuckerberg tapes over his webcam.
*Names with asterisks (*) are pseudonyms.