A millionaire hacker’s lessons for corporate America
4 min read. Updated: 05 Oct 2020, 10:11 AM IST
Santiago Lopez, a 21-year-old ethical hacker who shows corporations their cybersecurity fails, expects to keep going for years to come
Santiago Lopez started invading corporate computer systems at age 16, after he learned to hack from YouTube videos and like-minded friends.
Now 21, he says he never wanted to commit crimes. Rather, he is a bounty hunter, invited by companies to find holes in their business networks and burrow into their vulnerable data. The idea is that a company will then fix what’s wrong to harden itself against bad actors—“black-hat” hackers—looking to steal data, conduct espionage and disrupt business operations. Like others in a stable of “white-hat” attack experts associated with bug-bounty firm HackerOne, Mr. Lopez gets paid commensurate with the severity of the weaknesses he identifies. He and other members swarm applications and websites to look for security holes missed by customers that contract with the San Francisco-based firm. Big problems pay big money.
Mr. Lopez is good at his job: Last year, he reached $1 million in bounties since he started and is now closing in on $2 million in total, he says. Recently, he has found bugs for Airbnb Inc. and Verizon Media Group.
In a video chat from Buenos Aires, where Mr. Lopez has hunkered down with his family for the coronavirus pandemic, he talked with The Future of Everything about how corporate leaders can up their cybersecurity game.
It’s 5 p.m. and you said you’ve just finished breakfast. Nighttime must be the best time to hack U.S. companies because fewer security teams are awake.
A bit in the afternoon and evening, but preferably at night. I see hacking as a normal job, so I tend to hack between six and seven hours per day.
One large company gave you $10,000 for finding a way to manipulate one of its servers to access data it shouldn’t have been able to. Was that challenging?
It took me a full day to close that bug and prepare my report. It wasn’t long to identify the area [that was] vulnerable. It took much longer to see what kind of secret information I could access. That can be the most difficult task at times, being able to identify how much information you can access with that failure. And it is what gives the most reward.
Hacking has surged during the Covid-19 pandemic, as the Journal has reported. What effects will that have in the future?
Employees are online and information is more vulnerable. Hackers are trying to get those employees to click to load malicious software. Hackers are learning a lot, some new ways to get people’s money. It’s getting worse. I have not yet experienced any company where I have not been able to find a bug, no matter how minimal. Even if there is a company where you feel like you can’t find a bug, it doesn’t mean that someone else can’t find it. Without a doubt, companies are struggling to protect themselves. Cybersecurity is advancing year after year, so even if they manage to create a new type of protection or evolve in some way, bad hackers will always be running the race and they will be discovering and preparing different new ways to make companies vulnerable.
You’re really effective at what you do. What does this say about corporate cybersecurity?
They’re not investing money or time or work in trying to grow their cybersecurity team. A lot of companies, if you report bugs to them, they don’t have the expertise to fix them. Software that they build themselves has more bugs but software generally is vulnerable, always. If software has access to important data, then encrypt it.
How do different industries compare?
Banks and companies that are all digital are good. Universities don’t care about security because maybe they don’t have sensitivity to customers. Health care? They’re not investing so much in cybersecurity, but they should. They have private information. Overall, cybersecurity teams need more money.
What kinds of technology changes are coming that will create cybersecurity problems?
Artificial intelligence has helped us a lot to optimize tasks, process data and make decisions much faster than a human being could. However, new technologies, including artificial intelligence, create big cybersecurity risks, as potential vulnerabilities are not fully understood when they are found. This means that with more organizations relying on machine learning to perform business-critical actions, AI systems are sure to become a major target for hackers.
Should companies be worried?
If an attacker had the opportunity to control an AI algorithm, it would be a huge problem since physical objects could be controlled for the first time. An AI attack can transform a stop sign into a green light in the eyes of an autonomous car. The data could also be controlled so that the way it is collected, stored and used can be changed. Imagine an AI attack could control the way that Google or Facebook collects your personal data and the hacker could save or manipulate the data as he pleased.
What about quantum computing, which experts say will be able to crack today’s encryption?
That’s way in the future. It’s not easy to crack encryption code, so for now, that’s a good guard against hackers. The larger problem is that people are not being cautioned about cybersecurity. Are all employees having training in cybersecurity? It doesn’t seem like it. Employees, when they click on links, make a big hole for a hacker to enter. If you’re not training people well, no matter what technology you have, you’re only creating future problems. Customers aren’t happy when their data is hacked. They will go to a competitor. Make the investment.
This interview has been condensed and edited.
Write to Kim S. Nash at email@example.com