No, that cyber security professional you tried to hire is not going to hack someone back for you
An introduction to the cyber security professional, the law and what ethical hacking is for those who aren't in the community.
I get some version of this request a lot, and I’m sure I’m not alone, so I hope this article will be a useful thing that you can send to people when they make some form of this request.
What is a cyber security professional and what do they do?
This is quite a broad question because cyber security encompasses a lot of different skills, jobs and can range from deeply technical to crafting policies. So we often think about categories of jobs based on defence, building and attack.
Defence jobs are usually based at a non-security company and will focus on installing technical controls like virus scanners, but also shape policies, procedures and other security activity.
Building is about making more secure software, these jobs are usually at companies who make software like websites, apps, games, etc, their job is often to help support developers write secure code.
Finally we have attack, these jobs focus on actually exploiting a system to demonstrate if an attack is possible and how bad it would be, then working with the relevant teams to get these holes patched.
Each of these is a unique job with their own challenges, skills and experience, however anyone who works one of these jobs will have some experience in the others.
Hacking and the law
In most counties people who work in attack jobs like ethical hackers, security researchers, penetration testers don’t even think about the law or police, we’re not worried about being arrested or ending up in court. Why not? Well what criminalises hacking in most countries is not hacking itself but doing it without prior authorisation. We work for companies, we have an employment contract, we will have plans on what to test which will be approved by senior members of staff. Some of us work for ourselves or work as contractors, we are working with customers under a contract to provide a service, we have a strict rules of engagement, a strict time, and work with a customer to understand what they need. Some of us do freelance “Bug bounty hunting”, this is where companies will create a program that accepts reports and pays out for findings, the scope of these is specifically chosen based on what the team can support, it’s done with a budget set by management teams. All of these are not done without any knowledge by the customer, we are fundamentally providing a service.
A lot of people will reply to this by saying well it’s my account on Instagram and I am giving you permission and want to hire you, that’s okay right? You do not own the underlying software of Instagram you cannot give permission to hack Instagram, only Instagram can do that and they certainly wouldn’t allow you to hack back an account. If you need to recover an account on an app or website that is a customer service issue not something a cyber security professional will help you with. To put it bluntly, your Instagram account with 8 followers and 3 photos of your dog is not worth prison to us, which by the way if we were found guilty would also bar us from ever working in our industry ever again.
Now in some cases we may perform security research, this is an investigation into a product that we perform even though we know it’s illegal, we do this because we worry about a greater risk. For example, if you have a pacemaker you'd hope that the device that keeps you alive every day would be free from security bugs and someone couldn’t turn it off or create malware that ultimately kills you. However, that is not always the case and third party security researchers will test devices to ensure that they are safe. This is something we know is risky but we weigh that risk against the greater risk of thousands of people being at risk. We will report these security issues to the manufacturer or creator of the device or software and work with them to resolve it. This is not the same as recovering a Facebook account using your photos and identity, that is a customer support problem you need to flag with Facebook.
I’ll pay you so much money you can’t say no
Cyber security is a well paid job with junior salaries starting around £30k in the UK and potentially rising to north of £100k as someone becomes more experienced, this will vary in countries of course but with the UK median salary being £35k you can see that we are not short of funds. If we wanted additional money there is a booming cyber security freelance business in bug bounty hunting where bounties for a single vulnerability with be thousands of dollars or in consulting where cyber security specialists often attract fees of around £800 a day. Even those who are happy to risk jail time malware operator Conti offer a salary of between $5,000-$10,000 per month for those who have specialist skills. We are not interested in money, we enjoy our jobs and considering an offence under the computer misuse act would cost our entire career, realistically I don’t think
Okay but can you at least offer some advice?
Yes
My Facebook account was cloned and has added a lot of my friends and sent them a message
You should contact Facebook support to report the account, and lock down your Facebook visibility, you can see what’s default by going to your Facebook profile, clicking the three dots and pressing “view as” this will show you what non-friends can see, you can change your privacy settings in the privacy checkup
You can see what other people see by using the View as tool
I can’t recover a social media account
You should contact the platform directly as they all have different requirements for recovering accounts, if they can’t help you, you should create a new account and wait for your old account to be deleted
I’m a victim of a sophisticated hacker!
I’ve been hacked!
You should recover the account using forgotten password as soon as you can, usually valid username and password combinations are sold on the dark web after a company has been breached. The valid usernames/password are then tried on other websites, this is why password reuse is so bad. You should use a third party password manager or a built in one like Apple’s. You also usually add another step to most websites called “multi factor authentication” or “MFA”. You can also see how many times your email has been compromised using haveibeenpwned, they also have a password testing tool as well which I promise is safe.
