Saturday, May 8, 2021

Fine Line Between a White Hat and Black Hat

I have a confession to make. I do not consider myself a ‘white hat’ in the common sense of the word within the technology community. Although, I am certainly not a ‘black hat’. I consider myself just a hat — maybe a grey hat — because I don’t believe my security work never strays from the ethical path.

I say this because it is my job to know how the hacker thinks and works. It is incumbent on me to look at my working environment with the eyes of a hacker. In order to do this, I must look for openings and other opportunities to gain a foothold, or do damage in a more immediate sense.

Sometimes I find situations or applications that I need to explore more fully. This is where my ‘grey hat’ comes into play. I may set up an experimental network to determine what type of behavior specific equipment exhibits. I may need to find out what happens under the load of normal network traffic.

To do this, I might go to a public network and sample traffic to determine standard characteristics of traffic to and from that piece of equipment.

I could argue that it’s a public network and therefore I am not behaving inappropriately. However, I also could argue that if I were to unintentionally bring down that public network, I would have been responsible for a Denial-of-Service (DoS) attack — intentional or not.

It’s a fine line.

Sometimes it’s necessary to actually conduct the exercise. That’s why Computer Science classes have lab sessions. It’s not enough to be satisfied with a thought experiment or theoretical speculation about the results of given actions.

To be clear, it is well known that throwing a huge number of packets at a switch or host will eventually make it unreachable in the flood. This does not require a real-life example. Stealing usernames, passwords, and credit cards off the wireless network at a nationally known coffee chain also is trivial work, and does not require practical application examples.

However, what about the ability of an individual to locate, identify, and crack the proprietary encryption system of a piece of lab gear? The question is whether it can be done in an amount of time a professional hacker would consider acceptable. Even if a vendor touts his product as ‘unbreakable’, we all know that ‘given an infinite number of monkeys and infinite amount of time’ anything can be cracked.

Hacker or Cracker?

Let’s digress for just a moment.

There are three basic hacker types. (They should really be referred to as crackers, but I’ll get to that distinction in a moment).

First off, there are those who do it for money. They steal credit cards, identity information, corporate secrets… whatever they think they can use to turn a profit.

Secondly, there are those who do it for political purposes. These hackers break into and deface the Websites of corporations and organizations they wish to embarrass publicly, or to gain other political advantage. Sometimes they use their skills to cause financial harm ‘for the good of the cause’.

Finally, you have crackers who do it for the thrill, the recognition and the entertainment value they derive from ‘owning’ a box with an address like EnormousStateUniv.edu or GiganticCorp.com. They use these cracked boxes for Distributed Denial-of-Service (DDoS) attacks, as launching points for new cracking activity, and as repositories for their ‘Warez’. (Warez generally consist of movies, music, software and packages of hacker tools to be traded like bubble-gum cards. On average, these are your script kiddies or teenagers with exceptional skills who are just living for the moment.)

Historically, hackers have been people who just want to understand the way things work, by taking them apart and putting them back together again. The top rule of hackerdom is: First, do no harm.

Crackers, on the other hand, don’t really care one way or the other who they hurt, because it’s all about the game, whether the game is for money, or for reputation. Some crackers believe all information should be free.

The script kiddie might seem to be the least of your problems, but that is not the case. The one commodity they have is time. They have the luxury of being able to mount an attack that in military terms comes in low and slow, or under the radar of your intrusion detection tools. The more skill they have, the better able they are to identify and exploit weakness in your corporate infrastructure.

Unbreakable?

So, where were we? Oh, yes. Is my vendor’s encryption technique sufficient to ward off an attack?

Well, am I doing it live and on the fly? One defense recently suggested to me was that there was no way the ‘bad guys’ would have time to break the encryption and get into the system. I have to put my not-so-white hat on now, and ask myself not can it be done, but how can it be done. And is it likely to be done by a professional, or political cracker, or some kid?

In this instance, the answer is almost assuredly — some kid. I suggested to the vendor his likely attacker had Mondays, Wednesdays and Fridays from 2 to 4 p.m. to collect data points in the encryption scheme. He also had all the lab hours necessary to run an encryption-cracking program on a couple of parallel-processor machines. I reminded the salesman that the ability to brag to friends would be sufficient reward for the hours of work invested.

I carry my little gray hat across the way to where the vendor’s equipment is online. I sit down in the back of the class with my laptop. I collect data points for two hours. I run a shareware cracking program I downloaded from the Internet on my desktop machine. The next day, I send the vendor his proprietary encryption scheme in plaintext packets.

Does that make me a white hat? I am helping the guy sell a better product.

Does it make me a black hat? I was snooping traffic on a network that might have revealed sensitive data.

It really doesn’t make me either. I am utilizing my skills to further the good of the network I am hired to protect. I’m also attempting to educate and improve the awareness of those who work with us. I do not take advantage of my position and ability for personal gain… even at my local branch of a nationally known coffee chain.
