Ethical Hacking

Each week we are introduced to, or further informed about, emerging technologies that are drastically creating or revolutionizing industries. This week, however, Dr Stephen Herrod discussed how new and varied cyber security concerns are raised with each innovation. As technology plays a larger role in our lives and becomes increasingly pervasive, so too do the potential ramifications of nefarious hacking. It should be noted, however, that not all hackers have bad intentions and, as Dr Herrod said, the hacking skill set in the hands of someone devoid of malintent is in high demand as the need to repel malicious attackers increases.

 

Who’s Who?

Hackers are generally categorized into three types: white hat, black hat, and gray hat (the etymology is derived from the tendency in old western movies for the color of an actor’s hat to correspond to their role).

Black hat hackers are the “bad guys” who find security holes in systems and either exploit them personally, or sell the information to other criminals with questionable intentions.

White hat hackers are the “good guys”: hackers or security researchers who find these security holes but notify the vendors without actually exploiting them. This encompasses a broad spectrum of individuals and firms who do this for reasons ranging from recognition or fun to holding a nine-to-five job at a firm.

Gray hat hackers, as the name implies, work somewhere in the middle of the spectrum. These hackers identify security holes and then sell them to law enforcement or intelligence agencies. The moral implications of this type of work are hotly debated. More reputable firms like “Vupen and Zerodium, two French companies who are in the business of finding or brokering the sale of zero-days to law enforcement and intelligence agencies”[1] make the argument that the agencies they sell to will use them for the common good. Less reputable firms such as Hacking Team provide evidence for a contrary view, as they are “known for selling (their) espionage tools and zero days to repressive regimes”[1].

All three terms are used to describe individuals as well as groups or firms of hackers. A recent well-known example of a solo / freelance white hat hacker would be Marcus Hutchins, aka MalwareTech, who (admittedly somewhat inadvertently) halted the WannaCrypt / WannaCry virus in its tracks.[11]

 

Why Should We Care?

While the lines separating white, black, and gray hat hackers can be surprisingly thin, the implications of all of their actions are increasingly relevant as technology becomes more pervasive in our lives. According to a 2016 report by Cybersecurity Ventures, “annual cybercrime costs will grow from $3 trillion in 2015 to $6 trillion annually by 2021, which includes damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.”[2] According to Herjavec Group founder and CEO Robert Herjavec, this may be the least of our problems, as more integrated technologies mean “there is a very real potential cybercrime will lead to the loss of human life” because, as the report puts it, “cyber threats have evolved from targeting and harming computers, networks, and smartphones — to people, cars, railways, planes, power grids and anything with a heartbeat or an electronic pulse.”[2]

 

Why Wear White (or Black)?

Influenced by many idealized battles between good and evil, one might expect that black and white hat hackers struggle against each other, with the white hat hackers predominantly prevailing. Unfortunately, this is not the opinion of industry experts like Atif Ghauri (CTO of Herjavec Group and professor of cybersecurity at Drexel University), who claims that black hat hackers have the upper hand and “have advanced hacking skills compared to that of most white-hats”[2]. Growing demand and advanced black hat hackers mean that “every year in the U.S., 40,000 jobs for information security analysts go unfilled, and employers are struggling to fill 200,000 other cyber-security related roles” according to CyberSeek this year[3]. The question of why the black hats seem to have the upper hand is also debated, especially when one considers that some white hat hackers were once impressive black hat hackers themselves, but it generally boils down to two main theories.

The first theory is that white hat hackers are handcuffed: they are forced to follow more rules, which makes them less daring and forces them to work more slowly[4]. According to Dr. Anita D’Amico of Code Dx, “The attackers work nimbly and without rules. The attackers, by nature, abhor rules and will break them. The defenders, by contrast, often are encumbered by rules of engagement and permissions, and so the defensive response is slow, measured in hours or days”[4]. Furthermore, Rob Knake, the previous director of cybersecurity at the White House, claims the nature of the work favors the black hats, who are able to attempt attacks on large numbers of targets at once in the hopes of one success, while defenders “need to protect massive attack surfaces, being right every time”[4].

The second theory is much more straightforward: the black hat hackers have more incentive than white hat hackers. The market for this kind of information is enormous, and even the low-hanging fruit can be tempting. According to one source, while headlines broadcast a small number of enormous one-time payouts like the 1.5 million dollar reward offered by Apple[5], white hat hacking just doesn’t pay enough to stay competitive. White hat hackers claim that these payouts are rare and more often they “do research for hours then get paid 50 or 100 bucks or so”[6]. These same sources claim that even hackers they know who consider themselves white hat have found themselves resorting to “shadier” activities like selling credit card information on the side to supplement their income[6].

 

How Do We Turn the Tide?

To turn the tide, white hat hacking must become more lucrative and attractive as a profession. While it is true that a number of white hat hackers like Kevin Mitnick (who was once the FBI’s most wanted hacker) have come over from the dark side, this can be for more practical reasons like avoiding federal charges[7]. In attempts to address the complaints from white hat hackers of being hamstrung, firms and institutions have started to adopt new policies to free up do-gooders. An example would be the Hack the Pentagon challenge opened by the DoD, allowing a legal route for anyone to look for holes in any public-facing DoD services[8]. However, even this system has rules that white hat hackers must be careful not to trip over, and offers only recognition as a reward.

Acknowledging the need to promote white hat hacking, HackerOne received large investments to act as a bounty platform, and other companies have private incentive programs[10]. The problem, as referenced above, is that these prizes may not be enough to sustain the entire community. Worse yet, companies sometimes don’t take kindly to white hat hackers, afraid that freelancers will hurt confidentiality or cause issues while identifying or trying to fix bugs (intentionally or by accident). In short, companies are scared, and their distrust (or even disdain) can turn white hat hackers off. An example would be Yosi Dahan, who claims that he alerted United Airlines to a security flaw, only to be ignored[9]. Other well-intentioned hackers like Allan Dumanhug claim that they have reported bugs only to be accused of hacking with malintent by the company they tried to help[9].

The march of technology into more and more aspects of our lives is inevitable, and unfortunately so is the fact that black hat hackers will attempt to take advantage for one reason or another (like the Willie Sutton quote from lecture: “I rob banks because that’s where the money is”). As cyber security threats become more serious and targets become more plentiful, industries need to take note of how they treat and incentivize the “good guys”, whether they are professional firms or well-intentioned freelancers, or we risk watching the already insufficient number of white hats dwindle.

An aside for anyone interested: I enjoyed the autobiography of Kevin Mitnick, “Ghost in the Wires”. While the technology referenced is outdated, it provides some insight into some effective forms of hacking that are not what most envision.

https://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037729

 

http://dilbert.com/search_results?terms=Hack

 

[1]https://www.wired.com/2016/04/hacker-lexicon-white-hat-gray-hat-black-hat-hackers/

[2]http://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/

[3]https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#584b32435163

[4]http://www.csoonline.com/article/3186225/leadership-management/black-hat-hackers-more-daring-and-experienced-than-white-hat-hackers.html

[5]https://www.wired.com/2016/09/top-shelf-iphone-hack-now-goes-1-5-million/

[6]https://www.theatlantic.com/technology/archive/2015/12/white-hat-ethical-hacking-cybersecurity/419355/

[7]http://www.techworld.com/picture-gallery/security/7-white-hat-hackers-you-should-know-3220909/

[8]https://federalnewsradio.com/defense/2016/11/pentagon-expands-white-hat-hacker-challenge-comers/

[9]http://www.cnbc.com/2015/06/17/are-companies-still-scared-of-white-hat-hackers.html

[10]https://techcrunch.com/2017/02/08/hackerone-scores-40-million-investment-as-bug-bounty-programs-mainstream/

[11]https://www.thesun.co.uk/news/3563598/marcus-hutchins-malwaretech-wannacry-nhs-cyber-attack/


6 comments on “Ethical Hacking”

  1. Great analysis of the different camps involved in the space, and the incentives that motivate each group. Perhaps another solution is also to lessen the incentive (monetary payout) that is received by the Black Hat hackers. A good case study would be the recent WannaCry Ransomware attack – despite hitting up to 200,000 devices, they were only able to scrape around $50k of Bitcoin (http://www.cnbc.com/2017/05/15/wannacry-ransomware-hackers-have-only-made-50000-worth-of-bitcoin.html), as of 15 May 2017. In this particular case, something as simple as backing up one’s data to a secure and separate data-store would greatly lessen the leverage such hackers have.

    1. That is a great point Aaron, there are definitely a number of ways to address the problem and I don’t think they are all exclusive.

      I would point out though that the WannaCry ransomware attacks could have done much more damage had they not been thwarted relatively early on almost by accident, though the eventual numbers are definitely surprising given the scope of the attack. I certainly agree that limiting the incentive for black market hackers would have a positive impact on the space and there are a number of ways to go about this. Unfortunately, while I support this tactic, I think it must be used in parallel with others, as it seems there will always be careless users, and the rate at which technology is advancing means that openings are inevitable. As alluded to in the guest lecture, it seems like to combat these attacks many different and evolving methods will have to be employed (including the methods you propose) and I am interested to see what current research projects produce in the near future. Thanks for the comment and the link, I had never looked into what the WannaCry attackers actually got for their efforts.

  2. Thank you for posting this interesting article Kyle. I had no idea that grey hat hackers were a thing. If I understand you well, white hat hackers must become a common profession and both public and private investments in cyber security should foster this profession (high salary…). Do you think, however, that grey hat hackers should still exist to highlight the security holes in our system? The example of data collection from private organizations and governments shows how corruption can come from the upper reaches of power. In this case, white hat hackers would be contractually obliged to remain silent as they would work for these specific companies.

    Thank you.

    1. Hey Victor,

      The main point of my post was to say that the industry seems to have a stigma when it comes to hackers, regardless of their motives, and I think that is only helpful to the “bad guys”. White hat hackers often work for firms and tend to make good money, but for some of the reasons in this article they are still considered to be less effective than many black hat hackers. I think history has shown that innovation comes from many, often unexpected, areas, so if we aren’t careful to foster an environment around ethical hacking then that innovation will end up bolstering the wrong side.

      The gray hat hacker question you pose is an interesting, possibly more philosophical one. It kind of depends on how you view the role of government. Do you believe that the government should have the right to listen in through your phone if it meant they could thwart an ongoing terrorist attack? Or do you believe that the risk of an abuse of power is too great to condone something like that? While I won’t bother with my personal opinion, I will say that there isn’t one answer, and the discussion bleeds into many others about the role of government in our lives that I think will continue to be debated for a long time.

  3. Hi Kyle,

    With regard to what you cited in your blog post:

    Why Wear White (or Black)?

    “Influenced by many idealized battles between good and evil one might expect that black and white hat hackers struggle against each other, with the white hat hackers predominantly prevailing. Unfortunately, this is not the opinion of industry experts like Atif Ghauri (CTO of Herjavec Group and professor of cybersecurity at Drexel University) who claims that black hat hackers have the upper hand and “have advanced hacking skills compared to that of most white-hats.””

    The truth of the matter is, you cannot be successful within the security industry as an Ethical Hacker unless you understand both sides of the coin well and can articulate the importance of both sides.

    In my opinion, there is a delicate balance, “a harmony” of sorts between the Yin and Yang.

    If you try only to be a Black Hat Hacker (Yang) and only focus on trying to exploit vulnerabilities without understanding countermeasures deployed by White Hat (Yin) professionals, you’re not likely to know your opponent’s next move or be able to plan multiple moves ahead, and vice versa. Another common problem these days with hacking is the evolution of people using canned tools on Linux distributions like Kali to perform active or passive reconnaissance against a target.

    I have met several security engineers at Black Hat and Defcon conferences that know how to execute prefabricated scripts to perform active or passive reconnaissance on a target. Most of these “script kiddies” are only versed in certain aspects of how to execute tools like (dmitry, goofile, fping, arping, maltego, nmap, metasploit, nessus, meterpreter), but don’t know how to extrapolate the data returned. I have also met several security professionals that also don’t understand fundamental networking (OSI Model) or cannot read a packet trace using TCP dump or Wireshark. Understanding communication at a protocol level (L2-4, and 7) is a very important skill for a security engineer to have.

    It’s also important to understand that running some tools outside of a sandbox might be considered illegal, for example, nmap can be used for active or passive reconnaissance. When you actively scan a host, you send packets in an attempt to obtain information about the host, whereas, passive is where you’re only listening for traffic.

    NMAP and other enumeration tools have been known to crash some hardware platforms. In closing, I also think it’s important for both White and Black Hat hackers to write at least one programming language. My language of choice is Python.

    1. Hi Christian,

      Thanks for the insight, I have not been to any Black Hat or DEF CON conferences and know only a few people in the industry. It is interesting to hear about the levels of proficiency you have found in your experience.

      Your comment about how running some tools might be illegal is very relevant. This seems to be the type of thing that the DoD is trying to allow people to safely gain experience with, with their new programs allowing for malicious probing of certain kinds, but it doesn’t encompass everything, which definitely poses a problem for those on the “right” side of things trying to learn the skills and tools of malicious attackers.

      It does seem that, as you mentioned, “you cannot be successful within the security industry as an Ethical Hacker unless you understand both sides of the coin well and can articulate the importance of both sides.” One thing I found frequently during my research for this post was the mentality that in order to beat black hat hackers, you have to be one / work with one to understand what you are facing.
