Of all the traits Ted Harrington has observed in hackers over the years, one stands out as a true marker: non-conformity. Hackers think differently about things. What about the organizations that want to fight them?
“This is how we build better, more secure systems,” said ethical hacker Harrington, a consultant, podcast host and author of “Hackable: How to Do Application Security Right,” at NRF PROTECT 2024.
Harrington, who is also executive partner at Independent Security Evaluators, said it comes down to challenging assumptions, asking “What if … ?” and finding different ways of doing things.
“This is how we can think differently about anti-fraud, asset protection, loss prevention, you name it,” he said. “By applying these concepts, we’re going to be able to think differently about the opponent that’s on the other side of the dynamic that we’re working on, of the thing that we’re trying to protect.”
Prevailing traits
Over time, Harrington has identified four prevailing traits about how hackers think. First, they’re curious, “almost without exception.” Second, there’s that non-conforming piece. “Hackers are even willing to deviate from the tribe at risk of being ostracized from the tribe, if they think what the tribe is doing is nonsensical,” he said.
Third, hackers are committed. They are, he said, relentless, tenacious, persistent and “willing to invest the time, the money, the effort and the resources in order to pursue their targets.” Companies often “grotesquely underestimate” how committed hackers are, and as a result, may not spend enough on security testing.
Finally, hackers are creative. “In fact, hackers are amongst the most creative people that I know. Hackers are original. They’re innovators. They are inventors. Hackers are coming up with elegant solutions to problems, old and new.”
These characteristics surface whether the hacker is malicious or someone ethical looking for vulnerabilities in order to improve a system, he said. The difference is in motivation.
Common misconceptions
Harrington ran through a list of misconceptions, such as the idea that people will do what’s expected and/or interact with a system in the way that was intended. Fields for username and password provide an example; a hacker might be curious what would happen if a command was entered there instead.
The antidote to this, he said, is to challenge our assumptions.
He and his researchers took a closer look at dating apps, for example, and believe that the developers must have “assumed that no one would be malicious, and no one would attack these systems.” His team found several security flaws; a breach might involve signing on for the free version but gaining access to premium paid benefits, or being able to change the vote data for a potential match. Beyond that, it might mean a hacker could geolocate someone they come across on the app.
Another misconception, meanwhile, is that things will work the way they’re supposed to. Hackers, however, can chain vulnerabilities together in ways that others might not imagine.
A third misconception is that “no one would think to do that.” He hears this at least once a year verbatim, he said, often in response to a question he asks like, “Well, what if a hacker did x?” If Harrington could think of it, why not a hacker? He considers the use of “What if … ?” a superpower.
‘Think like a hacker’
The hacker mindset can be applied anywhere. Harrington questioned the use of ski poles, for instance, asking others about their importance. Unconvinced by any of the responses — and finding the poles just something extraneous to carry — he tried skiing without them.
“And let me tell you, my life in terms of skiing changed that day,” he said. “I was so much freer, so much more in tune with my body.” That freedom and sense of discovery have continued: By challenging an assumption, he said, he has experienced profound joy and mental clarity; skiing is when he often discovers the best business decisions.
“It’s where I have therapeutic breakthroughs for my mental health,” he said. “It’s everything for me. And if you can apply the hacker mindset to something like that, you can certainly apply it to your job, and you can apply it to anything else, too. So that’s what we’ve got to do: We’ve got to think like a hacker.”