Video: Hackers - what are they good for?

Absolutely nothing?


By Will Sturgeon on 2 May 2007 14:56

Security experts have hit out at the notion that there are benefits to be had from engaging with cyber criminals in order to better understand emerging threats.

However, many are calling on the industry and media to recognise the work of so-called 'ethical hackers' and to acknowledge that not all hackers are criminals.

Bruce Schneier, CTO at BT Counterpane, told silicon.com: "Hackers are not criminals. Hackers are individuals who know how to subvert systems. I don't think we open a dialogue with the criminals, like we don't open a dialogue with the mafia but the techniques that hackers understand are very important for us to understand."

However, for many people the line between ethical hacking and the more common notion of hacking as criminal activity is blurred, creating considerable grey areas. For one lawyer, though, it is pretty clear-cut: to be considered ethical hackers, testers must have been authorised by the rightful owner or administrator to test a system or application.


John Fell, partner at law firm Pinsent and Masons, said the issue of authorisation is critical. "Lawyers love definitions," said Fell. "'Black hat', 'white hat', 'ethical hacker'. But when you talk about ethical hacking there has to be some authorisation."

Those working on their own initiative fall outside the legal definition, said Fell.

'White hat' hackers

Graham Cluley, senior technology consultant at Sophos, said the actions of some 'white hat' hackers who find and disclose vulnerabilities can be as damaging as criminal activity if disclosure is handled irresponsibly.

Peter Wood from First Base Technologies is a well-established ethical hacker - or penetration tester - and says he must tread very carefully in his line of work. Wood normally only begins his attempts to breach the defences at companies hiring his services once HR and IT departments have given him sign-off.

However, beyond that, he said: "We try to take the same approach as people who attempt to break in with malicious intent."

The question of whether criminally motivated hackers can deliver value to businesses and help understand emerging threats also divided experts speaking to silicon.com (see the video above).

But First Base's Wood said many attackers now need no specialist knowledge because of the vast number of tools freely available on the internet. As such, the notion that hackers possess a gift for complex code is far from the truth.

Sounding a warning to businesses, Wood added: "Attacks are getting easier and easier for people who may not be that technical."

Comments

There are 4 comments.

  1. Nick Azazel

    As per usual the term hacker is being used incorrectly. Hackers are experts in a field and it doesn't have to be computing. A hacker is someone who knows how to take a system apart and push it beyond its original design parameters.

    (Ed note. The article makes this pretty clear from the outset. See the Schneier quote.)

    The people we talk about when we're discussing breaching security systems are crackers, like the old term of safe crackers. The big metal box with the combination lock may have changed to become a corporate server and the combination lock is now a user name and password, but the principles are the same.

    Do not confuse hackers with crackers.

    • 3 May 2007 09:53
  2. anonymous

    Let's just stop clouding the issue with iffy terminology.

    Hacker = criminal
    Penetration tester = qualified techy who can be trusted

    We don't refer to security (intruder alarm) consultants as "ethical burglars", do we?

    • 3 May 2007 10:01
  3. Cluley Fan

    I am so looking forward to the first article on security that DOESN'T have a gratuitous quote from Graham Cluley! Sometime in 2011, perhaps?

    (Ed note. Check the silicon.com archives - you'll find hundreds of security stories where Graham isn't quoted, though we concede he does normally make for good copy.)

    • 3 May 2007 13:17
  4. Russell Henley

    Dodgy terminology aside, the principle is the same:

    People who have permission to crack/hack/whatever their way in are a Good Thing(tm).

    People who don't are breaking the law.

    I've done the former for some of my customers and it's shocking how easily I've gained access to networks using limited knowledge and freely available tools. (I've even parked in a customer's car park and gained console access to their server in under 10 minutes, with no prior info and freely available tools such as netcat and nbtenum.)

    Pointing out these kinds of security flaws before someone less reputable exploits them can only be a good thing.

    • 4 May 2007 15:07