A black hat is a hacker who "violates computer security for little reason beyond maliciousness or for personal gain", a definition attributed to Robert Moore in 2005. A white hat has been called an ethical computer hacker and/or a computer security expert who strives to ensure the security of an organization's information systems. A gray hat is something in between: a hacker who tests systems to find security holes. This involves penetration testing, “pentesting” for short, which is basically initiating a black hat offensive against a company as a test of their systems.
According to those definitions, which of the following articles would be posted on a black hat website?
- “Harnessing GP²Us - Building Better Browser Based Botnets”
- “Hybrid Defense: How to Protect Yourself From Polymorphic 0-days”
Actually, both articles have been posted to blackhat.com. This is an example of the muddiness in the world of computer security. Who is good and who is bad depends on whom you ask.
Who has the right to be called a hacker?
Real hackers have deep systems knowledge. This does not come from using Microsoft Word to write college papers. It is the result of study and research and a great deal of poking and prodding networks and network devices. In a PC World article, Eric Geier outlines the steps he believes are needed to become an ethical hacker:
- Pass A+ certification and get a tech support position.
- Pass Network+ or CCNA certification and work in network support or as a network admin, then as a network security engineer.
- Pass Security+, CISSP, or TICSA certification and work in information security
- Get hands-on experience with penetration testing, then pass the Certified Ethical Hacker (CEH) certification.
“At that point, you can start marketing yourself as an ethical hacker,” says Geier. And all this training is in addition to earning a university degree.
The psychology of hacking
But, as they say, with great knowledge comes great responsibility. If you are capable of breaking into the Pentagon network, would you do it? If so, why? The answer to that question could be any of the following:
- It’s like Mount Everest – it’s there.
- To brag about the accomplishment to friends.
- To find vulnerabilities in the system.
- To take or extort money.
An adolescent often finds the first two answers convincing. He or she knows it is illegal and wrong, but that network is an irresistible target. Hacking into a computer system is like joyriding with a network instead of a Maserati. And the Internet makes kiddie scripts and more complex hacks available to all, including adolescents (or adults) without fully developed moral compasses. As these kinds of hackers mature, they find employment involving computers, especially in the high-paying security field.
Hacking a system to find vulnerabilities, the third answer above, is not black and white (pardon the pun). This is exactly what gray hats do for a living. Since more companies such as Google and Microsoft are offering “bug bounties”, some people are attracted to the challenge and the money involved. In fact, in an article called “Hacking for Good”, Bloomberg Business exults, “Hats off to the white hats. These hackers, who break into computer networks and digital devices to find holes before the bad guys do”. They point to Barnaby Jack as one of these heroes. At Black Hat in 2010, Jack showed how to hack an ATM to disburse cash. This shocking demonstration led to measures to enhance ATM security.
Without a doubt, hacking the Pentagon network to take or extort money, the fourth answer above, is just plain illegal. Criminals use whatever means are available for their ends, and the computer is another tool in their arsenal.
Why hacking matters
The debate over different-colored hats would be academic were it not for the paramount role that computers play in our lives. Nefarious hacking of financial institutions, governments, and power grids is terrifying for two reasons. Of course, there is the resulting damage, but also the fact that we don’t entirely know how to avoid the incidents. This is where “good hacking”, white or gray hat, is critical. Without the deep system knowledge gained from hacking, our institutions stand no chance of being protected from adolescent mayhem, criminals, or terrorists.
Most education for security professionals has focused on defensive measures. This is not enough to beat the bad guys at their game. EC-Council declares that its Certified Ethical Hacker (CEH) certification deals with “hacking techniques and technology from an offensive perspective” (http://www.eccouncil.org/Certification/certified-ethical-hacker). To emphasize this point, their next step of certification is called Licensed Penetration Tester (LPT).
To take the CEH course or certification test with EC-Council, a candidate is required to have at least two years of “security related experience” and must sign an agreement to not misuse the knowledge in any way. However, because the CEH certification is much sought after, other organizations have created courses for preparation. These courses are available to whoever is willing to pay.
Should offensive hacking techniques be taught by EC-Council and other public entities such as universities? A growing number of people, however, are adamant that hacking is a way to arm IT personnel to deal with attacks.