The word “hacking” in mainstream culture can conjure up some pretty silly images. The illegible green code on a screen in The Matrix, or the absurdity of Hugh Jackman hacking a government website in under 60 seconds in Swordfish. 1995’s Hackers was filled with so much hilarious techno-gibberish, it became a cult movie among real hackers!
Real-life hacking is a lot more boring than Hollywood makes it out to be. In the movies, hackers pound their keyboards and brute-force their way into top-secret databases. In real life, brute-forcing a 10-character password, even with the help of sophisticated hacking software, can take up to 11 years. That’s a long time to get into somebody’s Gmail account.
How do hackers operate?
Blackhats (criminal hackers) tend to rely on social engineering – a fancy way of saying that they exploit basic human errors. For example, unknown Russians once planted bugged USB drives in kiosks outside a NATO headquarters, and of course somebody bought one and connected it to a secure computer. The infected USB then automatically ran its script, and who knows what sensitive information was stolen? The situation could easily have been avoided by probing the USB drive with tools found on antivirusrankings.com/ – or maybe just by not plugging random USB sticks bought from a street vendor into government computers.
Of course, that’s not to say hackers don’t use fancy tools and scripts. Many hacker tools are designed around sniffing out and exploiting critical vulnerabilities in target systems. In fact, there are entire operating systems for hackers like Kali Linux, which comes loaded with software specifically for penetration testing. Penetration testing is where many ethical hackers earn their income.
In layman’s terms, penetration testing is when a network operator allows hackers to test the security of their network by simulating cyber-attacks on it. If security vulnerabilities are found, the (ethical) hackers disclose their findings. Blackhats may also engage in penetration testing, but they’re typically not invited, and they use it as a way to extort companies.
Some companies may utilize in-house security specialists, while other companies will hire outside consultants. There are pros and cons for both in-house and outside consultancy penetration testing.
How much do hackers earn?
Here’s where it gets confusing. For blackhat hackers, it’s really quite difficult to estimate their illicit profits. BusinessInsider ran a report in which they interviewed various underground hacker groups. The report gives several examples of how criminal hackers are able to earn up to six figures monthly by selling viruses, hacking toolkits, and other exploits to buyers. Criminal hackers also tend to target large financial institutions. Forbes reported that SWIFT, the leading global network for financial transactions, lost around $1.8 billion to cyber-attacks in 2018.
Of course, blackhat hackers may not always be honest about their earnings. They have a certain “reputation” to uphold. Case in point, the infamous hacker / troll Andrew Auernheimer (online handle ‘weev’) convinced a New York Times reporter he was a multi-millionaire, part of an elitist group of rich hackers, and showed up for the interview in a Rolls Royce Phantom (it was a rental). It was later discovered that Auernheimer had been homeless several times prior to being arrested for his AT&T data breach.
For ethical hackers, annual salary estimates tend to fall between $50,000 and $99,000. They can of course earn performance bonuses, and independent consultants may earn even more than those figures. Ethical hackers can also take part in bug bounty programs offered by large companies. Facebook, for example, offers large cash prizes to hackers who discover and report security flaws to the social networking giant – up to $40,000 depending on the severity of the security risk.
At the end of the day, it’s a highly skill-based field, where earnings depend on just how good you really are.