Ethical hacking: how to hack systems and still make money legally




Who is a hacker? For most people who are far from programming, a hacker is a vicious criminal who breaks into bank security systems in order to steal money. Something like Hugh Jackman's character from Swordfish, who breaks the Vernam cipher to steal $9.5 billion from a government fund.



You can be a hacker legally. Such specialists are called pentesters, or "ethical hackers". You just need to know well what can and cannot be done during penetration testing. Otherwise, you can get into very real trouble with the law. We recently launched the Ethical Hacker course, and in this article we will talk about how to hack, make good money, and still have no problems with the law. Let's go.






What threatens a hacker under the law of the Russian Federation



First, let's talk about the problems a hacker can face. Almost all offenses related to breaking into systems and gaining access to them fall under three laws:



  • On personal data (No. 152-FZ).
  • On information, information technology and information protection (No. 149-FZ).
  • On copyright and related rights (No. 5351-1).


Violation of these laws may entail administrative and criminal liability.



According to Chapter 13 of the Administrative Code of the Russian Federation (Administrative offenses in the field of communications and information), disclosing restricted-access information or violating the procedure for storing, using and distributing personal data may entail a fine of 300 to 20,000 rubles. This is for individuals. For legal entities, the fines are much higher.



This mainly concerns people who have access to such information, and organizations that collect personal data from customers.







For example, an online store keeps a customer base with names, phone numbers and emails. A cunning manager decides to copy the database and sell it on the side.



If such an action did not cause serious damage, and no complaints about the manager reached law enforcement agencies, the offense may be qualified under Art. 13.11, part 8 of the Administrative Code of the Russian Federation. The punishment is a fine of 30,000 to 60,000 rubles.



As for criminal law, in most cases a malicious hacker is threatened by the following articles of the Criminal Code of the Russian Federation:



  • Art. 146 of the Criminal Code of the Russian Federation "Violation of copyright and related rights". Among other things, it covers breaking the protection of software and distributing pirated copies.
  • Art. 272 of the Criminal Code of the Russian Federation "Unlawful access to computer information". This is the main article applied to hackers: any unauthorized access to a system falls under it.
  • Art. 273 of the Criminal Code of the Russian Federation "Creation, use and distribution of malicious computer programs". Almost any program written for unauthorized access can be declared "malicious" and brought under Art. 273.




  • Art. 274 of the Criminal Code of the Russian Federation "Violation of the rules for the operation of means of storage, processing or transmission of computer information and of information and telecommunications networks". It is applied very rarely in practice.
  • Art. 274.1 of the Criminal Code of the Russian Federation "Unlawful influence on the critical information infrastructure of the Russian Federation." The situation is absolutely the same as with Art. 274. There is simply no court practice on it.


Under Art. 272 and 273 you can get up to 500,000 rubles in fines and a real prison term of up to 5 years, and in special cases up to 7 years. Moreover, formally it is enough to find a vulnerability and try to use it, even without criminal intent, for a case to be opened.



Pentester: differences from a hacker



A pentester is a hacker who works completely legally and within the framework of the law. The essence of his work is to search for vulnerabilities in security systems.

But there are some major differences:



  1. The developers are aware of the pentester's actions. All work on searching for vulnerabilities is carried out either under a special agreement or through Bug Bounty programs. We'll talk about them a little later.
  2. A pentester does not exploit the vulnerabilities he finds for his own benefit. His job is to find a hole, document it and report it to the owner, not to use it.
  3. A pentester is paid for his work, either under a contract or through a Bug Bounty program. A hacker makes money only by exploiting the system he has broken into.


Essentially, a pentester is distinguished from a hacker by a set of rules that he follows.



A pentester works exclusively under Bug Bounty programs or after signing a contract with the company. Because penetration testing itself involves breaking protection, the procedure is very formalized.







You can't just find a security vulnerability and point it out to its owner. You can face a very real criminal charge for this.



In 2017, an 18-year-old guy found a hole in the online ticket system of BKK, the Budapest public transport company. By changing the price right in the browser, he was able to buy a pass for a fraction of its cost. He then reported the bug to the company.



Instead of thanking him, the company filed a complaint with the police. The guy was arrested at his home, and BKK publicly called him a "hacker". The story made it into the news.



The story ended well. It received a great response in the media, and users simply brought down the company's Facebook rating. And since the company allegedly spent over a million dollars on data protection every year, finding such a stupid bug that anyone could exploit just destroyed its reputation.


The guy had noble intentions: he wanted to point out the hole in the ticket sales system by clearly demonstrating it. But at the same time, his actions can still be qualified as a security breach. And that is a criminal case.



Technically, the company was completely within its rights to bring charges against him. Whatever the guy's intentions, he broke the law. And only the public outcry saved him from a real prison term.



Bug Bounty: how to participate correctly



Most large companies run Bug Bounty programs, in which they offer rewards for vulnerabilities found in their software or websites. It is more profitable for companies to pay for bugs than to deal with the consequences of exploits and vulnerabilities.



Most of these programs are hosted on HackerOne and BugCrowd.



For example, there are Bug Bounty programs from Google API, Nginx, PayPal, GitHub and Valve. The average reward for each bug found in these programs is $1,000. There are a huge number of smaller companies that offer $50-$100 per bug.



Even the Pentagon launched a Bug Bounty! It is simply a hacker's dream to break into the Pentagon's security system and get paid for it by the US government.



But even a published Bug Bounty does not mean that you can break in and look for holes anywhere. In the program description, the owners specify which vulnerabilities will be considered.



For example, Uber gives a very detailed explanation of what is included in their Bug Bounty program and what is not.



The company wants to find vulnerabilities in data access and storage systems, phishing, payment and billing, and unauthorized actions by users and company employees. But the program does not cover general application bugs, fraud reports, or bugs in working with social networks and email newsletters.



Their sense of humor is fine, though. Among the unpaid actions is the following:



Entering the Uber offices, throwing crisps everywhere, unleashing a bunch of hungry raccoons, and hijacking an abandoned terminal on an unlocked workstation while staff are distracted.





The more detailed the Bug Bounty description, the easier it is for a pentester to understand what can be "tried and tested" and what is not worth doing.



At the same time, there are general rules that cannot be violated. For example, if you find a vulnerability in a user database, you cannot try to download any personal data. Even if you participate in the program, this can be considered a violation of the law, because it violates the rights of users, who have nothing to do with the Bug Bounty.







The Russian penetration testing market is also actively developing. It already has a number of major players working with large corporations, for example Digital Security, STC Vulkan, Group-IB, BI.ZONE and Kaspersky Lab. But competition in the market is still quite low, so you can work quite comfortably on your own.



Some large companies like Gazprom or banking organizations create separate internal divisions of pentesters in order not to disclose confidential data to third parties.



Therefore, there are several possibilities for a pentester:



  • Join one of these big companies. The main plus is a stable salary and the absence of even hypothetical problems with the law. But at the same time, making a lot of money, as many pentesters strive to, will not work out.
  • Register as an individual entrepreneur or work under contract. The main plus is that the specialist sets the price himself. But at the same time, you will have to work closely with lawyers in drawing up your contracts in order to protect yourself legally. And the competitors are not asleep.
  • Bug Bounty programs. The main plus is freedom: you choose the programs and work when you want. The downside is that the income is unpredictable and depends entirely on the vulnerabilities you actually find and on how the company runs its Bug Bounty.


It's easy to participate in a Bug Bounty. In fact, the announcement of a program is an open offer that any user can accept. You can start working right away; no additional consent is required for your participation.



To hedge against dishonest companies, we recommend working through the sites HackerOne and BugCrowd. Just register and submit bug reports through them. 



The only rule is to read the program description in great detail. If a company writes that it pays for database vulnerabilities, then you should search only there. Even if you find a bug somewhere else, you won't get paid for it. On the contrary, problems may begin.



In 2015, a researcher found a vulnerability in one of Instagram's servers, a Ruby application, and gained access to it.



On the server he found a PostgreSQL database with about 60 accounts of Instagram and Facebook employees. Many of the passwords were trivially weak, such as "password" and "instagram".



Among the data were keys to Amazon Web Services, which opened access to 82 S3 buckets. They contained Instagram's source code, SSL certificates, API keys, email credentials and the signing keys for the iOS and Android apps. In effect, the whole of Instagram.



He reported it all to Facebook and was paid $2,500 for the first vulnerability. But Facebook considered that by going further he had left the scope of its Bug Bounty program and threatened him with legal action. He did not receive the rest of the reward.




So following the rules spelled out in a Bug Bounty is simply a must. Otherwise, you can get not a bonus, but an accusation.



What a pentester should be able to do



A pentester is both a "universal soldier" and a narrow specialist. He needs broad knowledge in many areas of programming and, at the same time, deep skills in one or more areas.



In general, it is believed that a Junior Pentester should have the following knowledge:



  • administration of Windows and Linux;
  • knowledge of one or more programming languages: Python, PHP, Perl, Ruby, JavaScript, Bash;
  • knowledge of HTML;
  • basic network protocols (TCP/IP, ICMP) and network services (Proxy, VPN, Samba, AD);
  • protocols: HTTP, FTP, DNS, SSH;
  • SQL databases (DDL, DML, etc.): MySQL, SQL Server, PostgreSQL, Oracle.


It is not necessary to know everything perfectly, but you need at least basic knowledge of the programming languages, protocols and databases listed above.



You also need to learn how to use penetration testing tools such as Burp Suite, sqlmap, Nmap, IP Tools and Acunetix.



This is why penetration testing is recommended for specialists who already have some background in development or testing: even at the Junior level, the amount of knowledge required is simply enormous.



Where to study as a pentester



And finally, we have collected several popular resources where you can get all the information you need for the pentester profession:



  • Hackaday. A site with news and articles about hacks of hardware, software and everything in between. It also has many practical tutorials.

  • EC-Council CEH. The Certified Ethical Hacker course and certification from EC-Council, one of the best-known certifications for pentesters.

  • Cybrary. A platform with online courses on cybersecurity, many of which are free.

  • Profession Ethical hacker from Skillfactory . We ourselves have recently launched a large-scale 10-month comprehensive course, where we teach all the intricacies and tricks of penetration testing. Real pentesters share their experience and, in practice, help to find vulnerabilities in software and web projects.


And a few more sites where you can improve your practical skills:



  • HackThis!! - here you can upgrade your hacking skills in game mode and learn how to do it at the same time.
  • Root Me - over 380 practical tasks for the pentester, from beginner to pro.
  • Try2Hack is one of the oldest resources for pentesting practice. For the basic level, it is just the thing.
  • WebGoat is a realistic lesson-based environment where you can learn the basics of penetration testing and immediately put the knowledge into practice.
  • Google Gruyere is a deliberately vulnerable web application from Google on which you can practice finding web vulnerabilities. It comes with a course of lessons.
  • OverTheWire is a set of wargames divided into levels, from the basics of the Linux command line to exploitation.


According to the "Inside the Mind of a Hacker" research, penetration testing is now considered even more profitable than malicious hacking. Companies pay well to those who find vulnerabilities in their systems, so many hackers simply have no need to dive into the Darknet if they can earn no less officially and quite legally.



If you want to become a pentester, the way is open. But becoming a good pentester who makes tens of thousands of dollars a month is much more difficult. It looks more like an art than a craft. Are you ready for this? Then go ahead!



And the HABR promo code will give you an additional 10% to the discount indicated on the banner.













