Where Are the Ethics in Hacking?
You may have heard about Australian security researcher Christian Heinrich, who, live on stage at an IT security conference, hacked Facebook's privacy controls and accessed private photographs of rival security professional Chris Gatford and his family, including an image of a child. The incident led to a journalist being arrested and having his iPad seized after he published some of the images online.
Following the event, detective superintendent Brian Hay, head of the Fraud and Corporate Crime Group of the Queensland Police Service, criticized the demonstration of a so-called ethical hacking. "I think cultures have built up where hacking, in the past, has been a part of a competition, and you have black-hat conferences around the world. The technical reality is that on those occasions crimes may well have been committed."
The incident has left many asking what role ethics plays in ethical hacking, and what the activity really involves.
"The reason ethical hacking exists is because somebody less ethical in a different country will hack your systems and not tell you - that is going to happen no matter what," says Jeremiah Grossman, Founder and CTO of WhiteHat Security. "So, ethical hacking is conducted to hack yourself first and fix the issues and vulnerabilities that remain to avoid being a headline like Sony."
Ethical hackers, then, attempt to breach the security of a system on behalf of its owner, and they do so under agreed rules, the first of which is obtaining the owner's consent (in writing, or at minimum verbally) before any testing begins.
"What the Australian researcher did is not ethical hacking," says Jay Bavisi, President of EC-Council, a global certification and training organization for ethical hackers. "A lot of people don't understand the difference between hacking and ethical hacking."
The terms penetration testing, ethical hacking and hacking are used interchangeably, and Bavisi defines each:
- Hacker: simply a person who invades or interferes with another system with the intent to cause harm, without any permission from the system owner.
- Ethical hacker: a professional hired by an organization to review its security posture through the eyes of the hacker. Ethical hackers test the organization's systems for vulnerabilities.
- Penetration tester: a professional who goes a step beyond the ethical hacker and provides an active analysis of the system for any potential vulnerabilities that could result from poor or improper system configuration, known or unknown hardware or software flaws, or operational weaknesses. These professionals are largely involved in remediation. The whole process rests on written consent and rules of engagement from the client, which spell out clearly what the tester can and cannot do. "This is basically our 'get out of jail free' card," Bavisi says.
Still, Ian Glover, president of the UK's Council of Registered Ethical Security Testers (CREST), a global organization that assesses the skill and competence of professionals working in the penetration testing industry, says, "I don't like the term ethical hacking." As he sees it, the term is misleading because "hacking" immediately evokes people mounting unsolicited, illegal attacks.
The professional penetration testing industry provides an invaluable service to government and business by validating security controls. While individuals who believe they can work illegally still exist, the professional penetration testing industry acts responsibly within a strict legal and ethical framework.
"In the past there was the opportunity to be a hacker, to do inappropriate things and then people would employ you. In the future that is not going to be the case, as neither the industry nor the buying community will accept individuals who have operated illegally," Glover says.
The industry has matured, he says, and as a result the bar to entry for prospective testers is much higher. Were Heinrich a member of a professional body like CREST, Glover adds, he would be removed immediately for his actions.
There are ethics and morals involved when ethical hackers take on such contracts or positions. They understand the limits set by the letter of authorization, in which the client specifies the scope of the engagement: for instance, which servers may and may not be tested, the IP ranges the testers may use, and so on. These professionals know the legal framework and understand the requirement for full disclosure to the client. "Without permission, no ethical hacker will touch the job and go beyond the scope in any form. This is standard security practice," Bavisi says.
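The scope limits described above (which hosts may be tested, which IP ranges, and during what period) are only useful if tooling actually enforces them before a packet is sent. The following is an added example, not code from the article or from any of the organizations it quotes: a small scope gate that refuses any target not positively authorized by the letter of authorization. The authorization record, its field names, the addresses and the engagement window are all constructed for illustration.

```python
"""Scope gate for a penetration-testing engagement.

Added illustrative example: every candidate target is checked against the
client's written authorization before any tool touches it. Anything that is
not positively authorized is rejected, with a reason the tester can log.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sample letter of authorization (assumed format, not a real
# engagement). Documentation ranges (RFC 5737) are used for the addresses.
AUTHORIZATION = {
    "client": "Example Corp",
    "in_scope": ["203.0.113.0/24", "198.51.100.10"],
    "excluded": ["203.0.113.5"],  # host the client carved out of the test
    "window_start": "2024-06-01T00:00:00+00:00",
    "window_end": "2024-06-30T23:59:59+00:00",
}


def _networks(entries):
    """Parse CIDR blocks and single hosts into ip_network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def check_target(target, auth=AUTHORIZATION, now=None):
    """Return (allowed, reason) for one candidate target.

    `now` may be a timezone-aware datetime or an ISO-8601 string; it defaults
    to the current UTC time. The checks are ordered so that the most common
    mistakes (testing outside the window, hitting an excluded host) are
    reported explicitly rather than as a generic "not in scope".
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.fromisoformat(now)
    start = datetime.fromisoformat(auth["window_start"])
    end = datetime.fromisoformat(auth["window_end"])
    if not start <= now <= end:
        return False, "outside authorized window"
    try:
        addr = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames are not accepted: resolve them first and re-check the
        # resulting address, so a name pointing at a third party is caught.
        return False, "not an IP literal; resolve it and re-check the address"
    if any(addr in net for net in _networks(auth["excluded"])):
        return False, "explicitly excluded by client"
    if not any(addr in net for net in _networks(auth["in_scope"])):
        return False, "not in authorized ranges"
    return True, "in scope"


def authorized_targets(targets, auth=AUTHORIZATION, now=None):
    """Split a candidate list into targets that may be touched and rejects.

    Returns (allowed_list, {rejected_target: reason}).
    """
    allowed, rejected = [], {}
    for target in targets:
        ok, reason = check_target(target, auth, now)
        if ok:
            allowed.append(target)
        else:
            rejected[target] = reason
    return allowed, rejected


if __name__ == "__main__":
    candidates = ["203.0.113.7", "198.51.100.10", "203.0.113.5",
                  "192.0.2.1", "www.example.com"]
    ok, bad = authorized_targets(candidates, now="2024-06-15T12:00:00+00:00")
    print("allowed:", ok)
    for target, why in bad.items():
        print(f"rejected {target}: {why}")
```

In practice the gate sits in front of whatever scanner or exploit framework is in use, and the rejected list is kept with the engagement notes: it is the evidence that the test stayed within the letter of authorization. Exclusions are checked before inclusions on purpose, so that a carve-out inside an authorized block wins.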
The latest incident is just an example of a bad hacker, adds Grossman. "The researcher made a rather common mistake of demonstrating a live vulnerability on stage without permission. Would I have done it? No!"
One of the key lessons in this case is the need for better education within the industry to highlight the differences among hackers, ethical hackers and penetration testers.
"People must understand the difference between a cop and a thief," Bavisi says.