UAE’s ‘ethical hacker’ helped tighten IT security at companies across country
DUBAI // David Michaux has hacked into the IT systems of banks, leading corporations and oil and gas providers.
He has even created fake Facebook profiles of seductive women to dupe senior executives into revealing sensitive information about their companies.
All very unethical and illegal. But Mr Michaux has never been charged with a crime, because he is the UAE’s definitive “ethical hacker”.
In the 13 years he has been in the country, he has helped hundreds of key government and private institutions radically improve their IT security by performing “stress tests” on their infrastructure.
His work has helped foster a climate in which the UAE has gone from lagging behind Europe and the US in terms of internet security, to overtaking some countries.
Mr Michaux was working in Brussels for technology company Scan IT when he was drafted to Abu Dhabi to help improve internet security for Etisalat.
The provider had been hacked by a 22-year-old Briton, Lee Ashurst, which disrupted internet service across most of the country for almost a month.
The hack had exposed glaring weaknesses in Etisalat’s security infrastructure, something that, at the time, was common across most major corporations in the country.
“People here didn’t really understand the internet so much,” said Mr Michaux. “The country is so safe; if you left your laptop in the back of the car, no one would steal it. Because of that, people sometimes have a false sense of security. Back then, they applied that same sense of security to their IT.”
The Etisalat job was intended to be a one-off. However, 9/11 happened shortly afterwards, and many US individuals and companies left the region. This sparked more business for Scan IT.
An IT security conference at the time suddenly lacked presenters and sponsors, and Mr Michaux was asked to speak at the conference without having to pay sponsorship fees.
Soon after, the contracts started to roll in and the company decided to set up a more permanent presence in the Emirates.
By 2003, 80 per cent of the company’s revenue was from the UAE, rather than from Belgium. However, because Scan IT’s UAE operations were also a source of significant expense, the company wanted to close the Dubai office.
In 2004, Mr Michaux bought out Scan IT Middle East and established it as his own company.
He said some of the first contracts he had were from banks. Many members of boards in local banks did not trust their own IT departments, Mr Michaux said, so he was hired to conduct “penetration tests” to assess their security infrastructure.
“I was 27 years old and I was running a company over here that was responsible for breaking into banks,” said Mr Michaux, who is now 38. “It’s every kid’s dream.
“That was when IT security started coming into play here. Now things are far more advanced, you don’t get those assignments any more. But back then it was all about building awareness. Now they’ve overtaken Europe and the US, to a certain extent.”
By the time Mr Michaux sold his company, in 2007, it was one of the largest security firms in the region.
He retired to Malaysia in 2009 but managed to stay only for a year before getting “bored”.
He was invited back to Dubai to establish a new company called Whispering Bell, specialising in physical and IT security.
He still owns a house in Kuala Lumpur and spends a week there every month but has no plan to retire again.
“The way the country is going here, they’re investing very heavily into security,” he said. “You get to play with toys and new devices that you would never get to use anywhere else in the world, unless you worked for the NSA or the CIA.”
Despite his expertise, he has never been tempted to work at a government level. “I’ve never wanted to go that way, although I’ve been accused of it many times,” he said.