Security Hats: Black Hats or White Hats, There's No Grayscale

The media and the public remain star struck over crackers. Adrian Lamo pleas guilty to felony charges, breaking into New York Times computers, but he and fellow crackers are heroes, and the FBI, goats.

Prior to the plea, reporters slammed the Feds for bungling media subpoenas, based on the comments of a Justice official who remains anonymous. 

 Blackhathacker

Daniel Baas, the Acxiom hacker, is busted, but according to one reporter, "was only caught because he helped out a friend in the hacker community," implying he'd never have been caught by those knuckle-dragging, fumbling Feds.

Whitehatsecurityguy

Public fascination with cracking is tainting even professional security conferences. At InfoSec World, the "International leader in audit and information security training" will present, as a keynote event, an uncensored interview with controversial hacker (and convicted felon), Kevin Mitnick. 

The bio in the advanced program bio is a masterpiece of spin: "expert in exposing vulnerabilities of complex operating systems and telecom devices" is cleverly substituted for, "criminal who plead guilty to four counts of wire fraud, two counts of computer fraud and one count of illegally intercepting a wire communication". Cloning phones, social engineering, stealing software, and compromising computers is described as "technical and non-technical means to obtain the source code to operating systems and telecom devices", a euphemism one might expect in Scott Adams' Dilbert series, alongside "involuntary separation from payroll".

Keeping Score

Whether the verdicts are popular or lamentable is irrelevant: the official score in these cases is Feds 3, crackers, 0. There are of course, losses in the FBI's record, but the game stats associated with their wins are really sobering. Lamo awaits sentencing and faces a between six and twelve months in prison. Baas faces the minimum 46 months served by Mitnick, perhaps more. In both cases pending, there's also the matter of compensatory damages (Mitnick's obliged to make restitution as part of his plea agreement).

These guys chose black hats. They broke the law. Folks wearing white hats caught them. Their sentences include prison time. Black Hats versus White Hats. Simple concept, right?

Not Exactly

Somewhere along the timeline of hacking and cracking, someone, possibly the L0pht, substituted a gray scale palette for classic black and white. The gray hat became the ambiguous icon of hacktivism, the sometimes questionable practice of non-malicious probing of computers and networks for vulnerabilitiesm for entertainment, occasional fame, or notoriety.

Gray-hat hacktivists claim they are "doing good" because they disclose vulnerabilities that might otherwise be exploited by (ahem) persons of lesser integrity, that they are independent researchers who occasionally make political statements; and that they don't harm anything or anyone.

What gray hats fail to appreciate is that they don't own the definition of harmless.

Suppose a gray hat discloses he accessed a medical database, but claims he didn't actually study or copy it. Perhaps he did A Good Thing by notifying the medical practice, but patients of that practice will not consider the act "harmless". What is fact here is obvious: the same individual would not have been employed to perform this penetration test; in doing so on his own, he broke the law, perhaps several; and he expects attention rather than detention, so he hides behind a wooly moniker.

Gray hats are also insensitive to the emotional damage a victim associates with an attack. If someone were to break into your home, you would feel violated, uncertain of what transpired, what personal items were touched, abused, or stolen. Everything would seem creepy and tainted. You might even move. The emotions are no different with computer break-ins. What did the attacker see, take,... leave?

Gray scale obscures true color

Gray hat motivations are ambiguous at best, and this calls character into question. Suppose someone were to appear at your front door one morning and inform you that he broke into your bedroom the night prior. He shows you how he bypassed the alarm, and compromised the lockset, and shows you a letter he left in your dresser to corroborate his claim. How warmly would you receive this interloper? What cause would you have to believe he revealed everything he did, or saw? Given his behavior, how could you trust him?

Five Reasons to Avoid Hiring Crackers, (convicted or admitted):

1. Breaking doesn't imply building.

It's not a given that a cracker has competency in any security discipline but penetration testing. Crackers may be good at compromising computers, but they may not be capable of designing complex, multi-tiered, multi-organizational security systems.

2. No assurance of full disclosure.

Are you prepared to trust that a former gray- or black hat will reveal everything discovered during a penetration test? Consider the possibility that he'll withhold or copy sensitive information and use it for personal gain.

3. Is the cracker "out of the business"?

What assurances do you have that the cracker you hire or employ isn't still probing systems without authorization? Could your company be complicit in a criminal act?

4.Who else is affected by your hiring decision?

Your decision to employ crackers may not be acceptable to business partners, insurers, shareholders, and regulators. If your business partner has a strict policy regarding the employment of convicted computer felons, how will that company react to your decision?

5. Plays well with others?

Crackers are notorious loners. Many have quick tempers and lack social and team skills. Evaluate a cracker using the same hiring criteria you apply to any other job description.

The problem with shades of gray is that color distinctions can be conveniently blurred. You can't have gray when you evaluate hacking in an ethical context: only black hats benefit from being perceived as gray. A recent CNET news column claims that "most security specialists classify hackers as white hats or black hats, but in reality, most hackers fall somewhere in between".

I contend this claim is entirely false. As my colleague and respected security expert, Marcus Ranum, points out, "the mere existence of a $13 billion/year security industry is a fairly strong statement about how mature enterprises feel regarding hackers. That the FORTUNE 500 spent billions last year to keep hackers out should tell the hackers, and the media, that their "curiosity" is neither harmless nor welcome."

Morally, and increasingly, legally, you either wear white, or you wear black.

 

If you enjoyed this article, you may enjoy Ethical Hacking Could Be So Much More Than An Oxymoron

Find me on Mastodon and Facebook

Spotlight Posts

  • New study: Cybercrime Supply Chain 2023
    Today, my Interisle colleagues and I released a study, Cybercrime Supply Chain 2023: Measurements and Assessments of Cyber Attack Resources and Where Criminals Acquire Them. Criminals who perpetrate malware, spam, phishing and other serious cybercrimes enjoy an enormous economic advantage over defenders and responders. They can acquire resources from an online cybercrime supply chain where everything from phishing kits and malicious software, email lists and mobile numbers, domain names and Internet addresses, and places to host attacks are all readily and cheaply available. Our report examines these supply chains. We examined over 10M reports collected at the Cybercrime Information Center...
  • Interisle study reveals that phishing attacks have tripled since May 2020, situation worsening each year
    My colleagues at Interisle Consulting Group and I today announced the publication of an industry report, Phishing Landscape 2023, A Study of the Scope and Distribution of Phishing. We analyzed more than 11 million phishing reports collected from 1 May 2020 to 30 April 2023 to provide annual and triennial measurements of phishing. Our study identifies distinct, persistent exploitation and abuse of Internet resources, reveals that criminals can trivially acquire everything they need to phish. Among the major findings in the study, Interisle reports that: The number of phishing attacks has tripled since May 2020, and has increased 65% over...
  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.

Search

My Photo

Categories