Abstract
Malicious hackers can cause a multitude of problems for a company. However, white hat hackers, or ethical hackers, can be used to protect a network against them. Some IT specialists are taught how hackers can get into a system. However, malicious hackers have real-world experience breaking into networks, looking for ways in and finding vulnerabilities that they can exploit. That can make them better prepared to protect a network if they reform. There are many different kinds of hackers, but contrary to popular belief, most hackers are not malicious. White hat hackers are the reason networks are secure at all.
Origins of Hackers
Hackers are well known to nearly everyone and yet understood by very few. The media has given us our image of what hackers are. There are some popular books, and numerous hit movies, about hackers who will guess a password within three tries, or hack a government website and take over nuclear weapons deployment. This is a very limited, and some would argue incorrect, view of what hackers are. The most popular early use of the term hacker originated at MIT. Hackers were students who would pull clever or hard-to-pull-off pranks, or 'hacks', oftentimes involving either the Great Dome on their campus or the annual Yale-Harvard football game. The term became popular in the computer industry in the 1960s. At that time, a hacker was often someone who would create a computer program in some nonstandard way. That could be by changing the code in a program until the desired output was delivered, with little regard to design or to actually determining what problems there are in the code. It could also mean crudely changing your program to work within the limited constraints of computers at the time, perhaps by removing (hacking) code so that your program is not too large, and then doing whatever you have to in order to get your program functional again. However, it could also include things such as efficiently solving a problem in a way that it had not been solved before, which carries a much more positive connotation than the previous uses [1]. Until the 1980s, even when the term hacker was used with a negative connotation, it was still nowhere close to being as negative as it is in modern times. Hackers were not doing anything illegal, and the general public would often be unable to distinguish the work of a hacker from the work of a non-hacker. Modern media has now twisted the meaning of the word hacker for most people. Many people are not even aware that there could be a positive connotation for the term.
Types of Hackers
In the programming industry the term hacker can still be used to refer to someone who solves a problem in an unconventional manner. Indeed, the term can be used as a sign of the highest praise. Stephen Wozniak, the co-founder of Apple, may be thought of as a hacker. He made blue boxes which allowed him to bypass telephone switching mechanisms, enabling him to make free long-distance telephone calls. It was through that sort of innovation that the first Apple computers were created.
Hacktivists are hackers with a political agenda. They may hold virtual sit-ins, deface websites that promote actions or stand for ideas that are against their own, display controversial information as a promotion of free speech, or use denial of service attacks to protest certain websites. Recently, in August 2009, the Melbourne International Film Festival was attacked by Chinese hackers because of a film that was proclaimed as anti-Chinese by the Chinese state media. The Chinese had previously been on the other side of a hacktivist attack when Bronc Buster disabled firewalls so that the Chinese public could have uncensored access to the internet.
Blue hat hackers are security professionals who are brought in to bug-test a system prior to launch. The term is most frequently applied to security professionals that Microsoft has invited to an annual conference to find vulnerabilities in Windows.
Crackers, or black hat hackers, are what the media has gotten people to believe all hackers are. They are the self-serving criminals. They care only for personal gain, whether that be turning a profit by stealing sensitive data, or just satisfaction in the knowledge that they caused problems for some individual or company. These are the people you hear about in the news who steal credit card information or social security numbers, or who shut down websites. Black hat hackers can employ a varied set of tools in order to accomplish their crimes.
Script kiddies are crackers who have no real knowledge of programming or network security, but find tools that more knowledgeable people have created and use them in the hope that they do not get caught and that they get something out of it. The more advanced black hat hackers will find vulnerabilities in websites or databases and exploit the vulnerabilities to gain unauthorized access to sensitive data. They can use vulnerability scanners, packet sniffers, password crackers, and the like to cause harm. There are also black hat hackers who rely little on network security flaws or cracking software. They use social engineering techniques to gain physical access to areas they should not be allowed into, or to learn passwords. There are a number of different social engineering techniques. A black hat hacker might make an imitation of a uniform for some company. Then they could walk up to a keycard access door with a group of people and hope that one person will let the entire group in. Or even if they just go up to the door with one other person, they can act as though they can't find their keycard, and hope that the other person is sympathetic, as many people would be, and lets them in. Once inside they can look for passwords taped to monitors, something that occurs frequently because of strict requirements on what a password can contain and the frequency at which passwords must be changed. They might also talk up the receptionist in a friendly manner to try to glean some information from him or her. They also might just try to find out where employees like to hang out outside of work, so that they can run into them later and perhaps get them talking over a few beers. If the black hat hacker is a woman, or knows a woman he can trust, they can oftentimes more easily get information out of people. Many do not think that women would be crackers, so they may be less guarded about what they talk about [3].
A black hat also could fairly easily get administrative passwords in the right situation. If they know how usernames are determined, for instance by using the last name and then the first two letters of the first name, then they could find the username of an administrator, and then call the help desk asking to reset his password. The help desk could then call them right back with the new administrative password.
White hat hackers are ethical hackers. They may be employed as ethical hackers, so their motives could be self-serving and for profit, but they will never do any hacking illegally or maliciously. A white hat hacker might notice a vulnerability on a business's website, contact that business, and then work with them to fix the vulnerability. They may also be hired by a company for the sole purpose of attempting to break into a system so that any vulnerabilities can be brought to light and hopefully fixed. White hats can be former black or grey hats, or they can simply be network security specialists. Black hats may become white hats for a number of reasons. They may have dreams of getting rich, but realize that money is hard to come by as a black hat. White hats can get a steady paycheck with steady hours. As a black hat, you live your real life in secret, and have to attempt to live two lives. As a white hat, you can be proud of your accomplishments and can share that pride with those around you. They may also simply mature out of their self-serving habits. It is believed that the majority of black hat hackers are under the age of forty [1].
Grey hat hackers are people who do not act maliciously, and in fact oftentimes do things that white hat hackers do, but they may do so illegally. Other times grey hats may break into a system for the simple joy of knowing that they are able to, and then leave the system without doing anything at all. Others may leave their signature on the system somewhere, but not do anything malicious. A popular example of an act that demonstrates exactly how a grey hat hacker can work is described in the article "How we defaced www.apache.org", written by two hackers who go by {} and Hardbeat. The introduction to the article follows:
"This paper does _not_ uncover any new vulnerabilities. It points out common (and slightly less common) configuration errors, which even the people at apache.org made. This is a general warning. Learn from it. Fix your systems, so we won't have to :) This paper describes how, over the course of a week, we succeeded in getting root access to the machine running www.apache.org, and changed the main page to show a 'Powered by Microsoft BackOffice' logo instead of the default 'Powered by Apache' logo (the feather). No other changes were made, except to prevent other (possibly malicious) people getting in." [5]
They broke into a computer, but other than the mostly harmless change of the logo on the main page, they did no harm, and in fact fixed the problem that they exploited. They even wrote up that entire article so that other people who had the same vulnerabilities could fix them. As extra incentive for the company to fix the problem, and to make others aware of what they might need to fix on their own networks, grey hats may threaten to disclose the vulnerability to the public after a set period of time. However, {} and Hardbeat just fixed the problem themselves, and then publicly disclosed the information afterward so that others would be able to fix their own systems.
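The help-desk password-reset scenario described earlier (attacker guesses an administrator's username from the naming convention, asks for a reset, and the help desk calls back whatever number the caller gave) is easy to model, and so is the check that closes it. The following is an added example, not code from the paper or from any product it mentions; the directory, phone numbers, username convention and the "second approver for admin accounts" rule are constructed assumptions for illustration.

```python
# Added example (not from the paper): the help-desk reset flow as described,
# beside a hardened version that only ever calls the number already on record.
# Directory contents, phone numbers and the approval rule are constructed.
from dataclasses import dataclass
import secrets


@dataclass
class Account:
    username: str
    is_admin: bool
    phone_on_record: str  # contact number the organisation already holds


def derive_username(first: str, last: str) -> str:
    """The naming convention the paper describes: last name, then the
    first two letters of the first name (assumed lower-cased)."""
    return (last + first[:2]).lower()


# Constructed sample directory: one administrator, one ordinary user.
DIRECTORY = {
    derive_username("Alice", "Admin"): Account("adminal", True, "555-0100"),
    derive_username("Bob", "User"): Account("userbo", False, "555-0101"),
}


def weak_reset(directory: dict, username: str, callback_number: str) -> dict:
    """The flow as the paper describes it: naming a valid account and giving
    any number is enough to have a fresh password read back to that number."""
    account = directory.get(username)
    if account is None:
        return {"status": "denied", "reason": "unknown account"}
    return {
        "status": "ok",
        "delivered_to": callback_number,  # caller-supplied: this is the weakness
        "password": secrets.token_urlsafe(12),
    }


def hardened_reset(directory: dict, username: str, callback_number: str,
                   approver: str = "") -> dict:
    """Same request, but the caller-supplied number is only compared against
    the record, never dialled, and admin resets need a named second approver."""
    account = directory.get(username)
    if account is None:
        return {"status": "denied", "reason": "unknown account"}
    if callback_number != account.phone_on_record:
        # Mismatch is a signal worth logging for the security team, not honouring.
        return {"status": "denied", "reason": "callback number not on record"}
    if account.is_admin and not approver:
        return {"status": "denied", "reason": "admin reset requires a second approver"}
    return {
        "status": "ok",
        "delivered_to": account.phone_on_record,  # always the number on record
        "password": secrets.token_urlsafe(12),
        "must_change_on_first_login": True,
    }
```

The point of the hardened version is that the caller never controls where the credential goes: the help desk dials the stored number, and a request naming a different number is itself evidence of a social engineering attempt worth recording.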
What they did was technically illegal; however, Apache appreciated the fix and did not prosecute them. People are not always so lucky, however. Eric McCarty found a vulnerability in the University of Southern California's online application system when he was allegedly registering for a class. He was able to access USC's database, and he copied a small number of records. He then worked with a computer security website to notify USC of the problem and to help them fix it, but he was charged with computer intrusion under the U.S. Patriot Act.
Origin of Terms
The terms white and black hat hacker were based on old western movies. In the black-and-white fast-moving chase scenes, it could be hard for viewers to distinguish between the good guys and the bad guys. That led to the common practice of having the good guys wear white hats and the bad guys wear black hats. So the ethical hackers were labeled white hats and the crackers were labeled black hats. Grey is a mixture of white and black, and so the middle-ground hackers were labeled grey hats. The blue hats were called such to follow suit in the use of the term hat, and the color was chosen because of the blue employee badges that are worn at the annual security conferences mentioned above.
stolen (the flag), a new round begins. Black hats are assumed to attend, but they are not the intended audience, and in fact the hosts of DEFCON allow federal agents to be on premises without displaying their badges.
Web Security
The WhiteHat Website Security Statistics Report shows that 82% of websites have had, at one point or another, a high, critical, or urgent issue. The issues are rated as such based on the Payment Card Industry Standards Council's rating. The PCISC was founded by American Express, Discover Card, Visa, MasterCard, and JCB, a Japanese credit card company. The council determined how vulnerabilities would be classified, and it says that if a website has a single high, critical, or urgent issue, it is not in compliance with the standards the council has established. And yet 63% of websites currently have a high, critical, or urgent issue. The report also shows that only 60% of the almost 18,000 historical vulnerabilities have been resolved, leaving over 7,000 unresolved vulnerabilities. It says that vulnerabilities are still taking weeks or months to be resolved. It lists the average number of inputs (attack surfaces) per website as 227, and the average ratio of vulnerability count to number of inputs as 2.58%. This all shows itself in the average number of serious, unresolved vulnerabilities per website, which is seven: seven vulnerabilities per website that could lead to a loss of pertinent information or the takeover of the site. Those aren't good numbers. It's up to the white hat hackers to improve them.
References
[1] Barber, Richard. 2001. "Hackers Profiled: Who Are They and What Are Their Motivations?" Computer Fraud & Security 2001(2):14-17.
[2] Kizza, Joseph Migga. 2002. Computer Network Security and Cyber Ethics. Jefferson: McFarland & Company.
[3] McClure, Stuart; Scambray, Joel; Kurtz, George. 2003. Hacking Exposed: Network Security Secrets & Solutions. Berkeley: McGraw-Hill.
[4] Conti, Gregory. 2005. "Why Computer Scientists Should Attend Hacker Conferences." Communications of the ACM 48(3):23-24.
[5] {}; Hardbeat. 2000. "How We Defaced www.apache.org."