Differentiating white hat, gray hat and black hat hackers
A hacker is generally understood to be someone who breaks into computer systems with malicious intent. But is that always the case, or are some hackers different from others? Is there perhaps even something like a hacker code?
There are big differences between them, especially in how they handle disclosure, i.e. the publication of vulnerabilities.
Hackers deal with security mechanisms and their vulnerabilities. The term covers people who look for security gaps in order to point them out or fix them, but also people who exploit such gaps and break into third-party systems without permission. These actions have different motivations, such as money, revenge, or fun. Depending on their ethics and their respect for the law, a distinction is made between white hats, gray hats, and black hats.
Penetration testers currently often operate in legally undefined situations, which is why we then speak of gray hat hacking. Specifically, this means that a hack can be “unethical” even though there is no legal rule against it and the hacker is actually acting in accordance with the law. In the scene, this situation is therefore compared to the Wild West.
Disclosure of vulnerabilities
Once a security vulnerability has become known, its discoverer has several options for handling it, since disclosure can be done in a variety of ways. Ethical hackers primarily choose coordinated disclosure, where the goal is a responsible disclosure of the vulnerability.
The discoverer informs the vendor of the findings and initially gives little or no information to the public. Usually, only the existence and, if applicable, the nature of a vulnerability in a product is pointed out. Ethical hackers use this type of disclosure by default.
In addition to coordinated disclosure, there is also non-disclosure, in which the vulnerability is not made public at all. This approach is used, for example, by intelligence services. An example is the “EternalBlue” vulnerability, which the NSA used for a long time without it being publicly known. It was later published as a full disclosure, with all details and proof-of-concept code, by a hacking group that had previously obtained the NSA’s tools, and it became widely known through the WannaCry ransomware, which used it to spread.
Applying for a CVE number
Regardless of which method of public disclosure the discoverer chooses, an essential step is to apply for a CVE identifier. Vulnerabilities are scored with the CVSS; the bands below are those of CVSS version 3.x (a version 4.0 has since been published, with the same qualitative bands). Depending on the score, the vulnerability is rated critical (9.0 to 10.0), high (7.0 to 8.9), medium (4.0 to 6.9), or low (0.1 to 3.9); a score of 0.0 means no impact. Exploitability and impact are the main factors assessed. If the affected vendor does not provide a patch within a reasonable period, an ethical decision must be made as to how to deal with the vulnerability.
If the manufacturer does not react after several attempts to contact them, the ethical hacker makes all findings public, so that affected users are warned.
If the vulnerability is disclosed to the public, ethical hackers try to minimize the damage. Together with the manufacturer, they therefore try to provide a patch or a workaround as quickly as possible. Ethical hackers thus constantly move between gray-hat and white-hat rules.
Bug bounty programs
A bug bounty is an initiative run by a company or interest group to identify, fix and publicize flaws in software, with cash or non-cash prizes for the discoverers.
It is certainly one approach to improving a company’s IT security. The ethical compatibility of these programs is nevertheless questionable. Through such programs, untrained people attack the systems, often without explicit instructions from the operator. There is a real risk of data damage or service outages (denial of service). Personal data is also at risk because, in contrast to commissioned hacking (penetration testing), the owners of the data have usually not given their consent.
This can have further consequences, because the company’s or institution’s SOC cannot tell whether it is dealing with a “malicious” attack or a “well-intentioned” investigation. Nor should this distinction have to be made, since any attack can in principle constitute a criminal offense. For a company that is well-positioned in IT security, the consequence may even be that charges are filed: since, as mentioned above, no real distinction can be made, attacks that were not announced and commissioned as a penetration test are often reported to the police.
Another difficulty is setting the program’s budget. If several vulnerabilities are found, the budget can easily be exceeded, and current bug bounty programs often have no rule for this case.
While it is mainly large companies or corporations that run bug bounties, such a program is not easy for a medium-sized business to finance, as the costs are usually difficult to calculate. Despite all this, bug bounty programs are certainly a good approach to supporting those who find vulnerabilities and rewarding them with public recognition for their contributions. This creates an alternative to the black market for researchers. Zero-day exploits tend to be traded less on the black market when there is the possibility of a material reward from the manufacturer.
Ethical behavior in penetration testing
During penetration testing (commissioned hacking), which is carried out by professional penetration testers, it often happens that data is captured that is ethically sensitive, or that points to criminal or administrative offenses.
In case of doubt, every penetration tester should therefore consult a lawyer to determine whether something must be reported. It is also important to consider when criminal and administrative offenses should be reported to the client or brought to the attention of the police. In the case of sensitive and private matters, each penetration tester must weigh whether the emotional harm to the affected person outweighs the importance of the finding.
“During a penetration test, there was only a single finding: the log-in data of an executive’s email account. For a penetration tester it is obvious to search the mailbox for further log-in data. In doing so, the pentester finds information about a legal dispute with the executive’s ex-wife and custody issues – in other words, a sensitive topic. In the presentation, the managing director cheerfully said that this was not a problem at all, as there was nothing sensitive in his e-mail inbox; that would be in a different account.” The question that every penetration tester should ask is how to address this issue.