Iiro, a white hat hacker
A white hat hacker searches for vulnerabilities so that they can be patched. Iiro Uusitalo is this kind of hacker, with security as a way of life: it is his work, his hobby and his way of learning something new. After graduating from SAMK with a Bachelor's degree in Information Technology in 2010, he has achieved a lot.
At the award ceremony of the Finnish Security Awards, Iiro Uusitalo was recently selected as Security Consultant of the Year 2019 by the Finnish magazine Turvallisuus ja riskienhallinta (Security, Safety and Risk Management Magazine). One comment on Twitter read: "Bull's-eye!"
- It's always nice to be awarded, but it didn't turn my everyday life upside down, Iiro answers when asked "how does it feel now".
The award is not Uusitalo's first. In 2018 the Finnish Ministry of Transport and Communications recognised his white hat activities with the Pioneer in Data Security Award. In 2017 Team ROT, formed by Uusitalo and his friends, was awarded Security Action of the Year in the #municipalitychallenge event.
With all the awards, invitations to lecture keep coming; on average, Uusitalo lectures on security once a week. The invitations might keep coming anyway: Iiro is "the good guy" that job advertisements look for: highly skilled and devoted, but also equipped with a good sense of humour, willing to share his knowledge and equally friendly to everyone.
Studying the attack surface
Iiro Uusitalo works as a Cloud and Security Specialist at Solita Oy. Nowadays he does a lot of investigative work: he collects "snippets of information" about the target organization that are available on the internet and combines them, researching what is publicly known about the company and trying to identify the threats it might face. At the moment Uusitalo's work is connected to the automated security testing service that his employer has launched: https://www.solita.fi/en/whitehat-cyber-security-service/
If you are worried about the security of your own organization or community, you can do the manual investigation yourself. Making Google searches is perfectly legal.
- Sometimes organizations themselves do not know what is available on the net about them. A client database has been found on the internet five times, Uusitalo tells us.
Data leaks and information security incidents are sometimes found by accident. Uusitalo feels it is his responsibility to inform the parties concerned.
Hacking as a hobby
Iiro Uusitalo started his career as a programmer. Then he became interested in hacking and in his free time started taking part in bug bounty programs, i.e. vulnerability reward programs, in which organizations allow hackers to test the security of their applications.
For five years Uusitalo has belonged to Team ROT, a six-person team that participates in security events where, for example, companies invite hackers to hack their systems. The hackers are rewarded for the vulnerabilities they report, and the companies fix them.
For example, the award-winning #municipalitychallenge event was carried out by Team ROT as voluntary work. Three of the municipalities that signed up for the event were chosen, but the other municipalities also had a chance to benefit: the vulnerabilities found were reported to the National Cyber Security Centre at Traficom, the Finnish Transport and Communications Agency, which informed the municipalities and organizations using the same systems. After the municipality challenge, the focus shifted to upper secondary and higher education in a corresponding #schoolchallenge event.
Uusitalo and two other white hat hackers are also known for Yle's documentary series "Team Whack – everything is hackable", which aired on Finnish TV in March 2019. The series can be found on Yle Areena under the name Team Whack: https://areena.yle.fi/1-4664681
In addition, Uusitalo is active in hacker security communities. He is one of the founders of the TallinnSec community; he went to Tallinn, Estonia for work, to establish Solita's Tallinn office.
Is there time for anything else? At least for living in the countryside and seasonal exercise: jogging, ice hockey and swimming.
Tips: This is what everybody should know and do
- Passwords: use a unique password for each service. If a service provider leaks passwords in a data breach, they cannot then be used to sign in to other services, such as your work email. Use a password manager to keep track of them.
- Multi-factor authentication (MFA): a six-digit code that is requested after the password when signing in to a service. It is usually not on by default (e.g. Facebook, Google) and has to be turned on.
- Updates: keep your software up to date.
An additional tip about open networks, given when the interviewer asked about them:
- Use a VPN (virtual private network). One is usually available in larger companies and workplaces, but individuals can buy one, e.g. F-Secure's Freedome. If you use an open network, do not enable the "connect automatically" setting.
Hacking means, for example, studying data systems and their security.
A white hat hacker hacks only after receiving permission or consent from the target. The aim is to find possible security loopholes and patch them.
A black hat hacker searches for security loopholes as well, but uses the skills for malicious purposes.
A grey hat hacker does not mean any harm but has not asked for permission to hack.