Grey hat and Black hat hackers.

Pamyk Ch
6 min read · Jun 18, 2019

My last blog post went into detail over “ethical hacking”, otherwise known as penetration testing or White Hat Hacking. Basically, the term describes a professional hacker (or a team of hackers) being employed by a company to hack its own systems, with the intent of determining where the company is open to external cyber vulnerabilities. An easy way to think about this is hiring a security consultant to attempt to break into your own home, so that you know exactly which windows, doors, and locks you need to upgrade to keep actual criminals from entering your home.

For this post, I’d like to delve into the concepts of Black Hat and Grey Hat hacking.

Black Hat hacking is probably what most people think of when they hear the term “hacker”. Contrary to White Hat hacking, it is an illegal activity that involves a hacker attempting to bypass a company’s cybersecurity and enter their virtual networks in order to cause harm — by stealing private data on the company and/or its customers; by vandalizing or incapacitating the company’s systems or by locking down and holding the company hostage until it pays some sort of ransom for the return of its own systems.

One of many examples of the damage a Black Hat hacker can inflict is the attack on Hancock Regional Hospital in Greenfield, Indiana, which took place during flu season while a winter snowstorm was moving through the area. The hospital's president and CEO, Chubb Long, paid the hackers to make sure his patients were safe.

Since the attack, Long said he has held four or five talks with various health-care groups and IT organizations about some of the best ways to prepare.

According to Long, over the past decade the health-care field has had far more computer security incidents than any other industry, accounting for 38 percent of incidents versus 16 percent for professional services and 11 percent for retail. This is driven by the fact that health information is approximately 10 times more valuable on the black market than data obtained elsewhere, such as from retailers.

Unlike personally identifiable information (PII), which might include a name, email address, password, credit card number or Social Security number, health information offers a wealth of additional data, including medical records. Health insurance ID numbers may also be tied to driver’s license numbers or financial information. Personal health information hacks can also go on for years: a consumer can shut down her credit card quickly if it has been compromised; however, she can’t cancel her Social Security number or birth date.

If White Hat hacking is the equivalent of hiring a security consultant to help you find your home’s vulnerabilities, then Black Hat hacking is the equivalent of an actual robber entering your home to steal your belongings.

These two types of hacking are fairly straightforward in terms of what is considered ethical and what is not. White Hat: Good. Black Hat: Bad.

But what about Grey Hat hacking?

Grey Hat hacking is actually harder to define as a number of different activities are said to fall in this category.

In Grey Hat hacking, a computer hacker generally tries to find vulnerabilities in a company’s cybersecurity in a manner similar to Black Hat hacking. Unlike in White Hat hacking, there generally is no consent obtained directly from the victim company prior to these attacks.

The difference between a Grey Hat hacker and a Black Hat hacker, however, is the hacker’s intentions. Grey Hat hackers are defined by their lack of desire to cause harm to their intended targets; they may simply be testing their own abilities as hackers, or they may be Good Samaritans who don’t feel the need to follow the letter of the law in order to fulfill their mission.

Once a Grey Hat hacker has successfully obtained access to a company’s network, they will generally either let the system administrators know or keep the information to themselves. Any threat or attempt to extort the company would mean that they are no longer a Grey Hat hacker, but have become a dreaded Black Hat hacker.

Going back to our home-security example, a Grey Hat hacker breaking into your home would be the equivalent of coming home one day to find a note left on your bed saying that someone broke in, and that you should really upgrade the locks on your front door.

As you can see, Grey Hat hackers are fairly controversial people. I would personally feel very violated if someone left a note like that on my bed, and I would be paranoid about the security of my home and my own personal safety after that.

That said, I would also follow the note’s advice, and upgrade the locks on my door. And probably put bars over my windows.

Companies like Google and Facebook pride themselves on their cybersecurity, and if a hacker is able to find a vulnerability in their systems, the companies actually have reward programs that pay the hacker for the information and will not press charges (assuming the hacker did not perform any activities that would fall into Black Hat hacking). Google, for example, will pay anywhere from $100 to $31,337 for this information, depending on the scale of the exploit identified.

The idea behind these reward programs is to incentivize hackers to do the “right thing”, as the substantial rewards (along with a lack of punishment) may deter all but the most malicious hackers from attempting to hurt the companies. The rewards are also kept appropriately small, likely to prevent large numbers of sophisticated hackers from banding together simply to target the companies.

In a way, though, this type of reward program also lends a sense of legitimacy to Grey Hat hackers. If Google is paying you a reward for breaking into its systems without prior formal consent, then it would seem that the company is actually giving implied consent, so long as you don’t get caught first. This type of reward program may have long-term implications for the hacker community, as it seems to expand the list of what falls into the Grey Hat world. At some point, if the company says it is okay with these activities happening, are they still considered “unethical”?

What do you think?

  • If you would like to know more about White Hat hacking, here is a link to my previous blog post:

https://medium.com/@pamyk.ch/what-is-ethical-hacking-676ec58931b3

  • Sources:

https://www.thesslstore.com/blog/mysterious-russian-grey-hat-vigilante-patched-over-100000-routers/