Grey hat

A grey hat (greyhat or gray hat) is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

The term came into use in the late 1990s, and was derived from the concepts of "white hat" and "black hat" hackers. [1] When a white hat hacker discovers a vulnerability, they will exploit it only with permission and not divulge its existence until it has been fixed, whereas the black hat will illegally exploit it and/or tell others how to do so. The grey hat will neither illegally exploit it, nor tell others how to do so. [2]

A further difference among these types of hacker lies in their methods of discovering vulnerabilities. The white hat breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure they are against hackers, whereas the black hat will break into any system or network in order to uncover sensitive information for personal gain. The grey hat generally has the skills and intent of the white hat but may break into any system or network without permission. [3] [4]

According to one definition of a grey-hat hacker, when they discover a vulnerability, instead of telling the vendor how the exploit works, they may offer to repair it for a small fee. When one gains illegal access to a system or network, they may suggest to the system administrator that one of their friends be hired to fix the problem; however, this practice has been declining due to the increasing willingness of businesses to prosecute. Another definition of grey hat maintains that grey hat hackers only arguably violate the law in an effort to research and improve security: legality being set according to the particular ramifications of any hacks they participate in. [5]

In the search engine optimization (SEO) community, grey hat hackers are those who manipulate websites' search engine rankings using means that are improper or unethical but are not considered search engine spam. [6]

A recent research study looked into the psychological characteristics of individuals that participate in hacking in the workforce. The findings indicate that grey hat hackers typically go against authority, black hat hackers have a strong tendency toward thrill-seeking, and white hat hackers often exhibit narcissistic traits. [7]

History

The phrase grey hat was first publicly used in the computer security context when DEF CON announced the first scheduled Black Hat Briefings in 1996, although it may have been used by smaller groups prior to this time. [1] [8] Moreover, at this conference a presentation was given in which Mudge, a key member of the hacking group L0pht, discussed their intent as grey hat hackers to provide Microsoft with vulnerability discoveries in order to protect the vast number of users of its operating system. [9] Finally, Mike Nash, Director of Microsoft's server group, stated that grey hat hackers are much like technical people in the independent software industry in that "they are valuable in giving us feedback to make our products better". [10]

The phrase grey hat was used by the hacker group L0pht in a 1999 interview with The New York Times [11] to describe their hacking activities.

The phrase was used to describe hackers who support the ethical reporting of vulnerabilities directly to the software vendor in contrast to the full disclosure practices that were prevalent in the white hat community that vulnerabilities not be disclosed outside of their group. [2]

In 2002, however, the Anti-Sec community published use of the term to refer to people who work in the security industry by day, but engage in black hat activities by night. [12] The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lent a sense of popular notoriety.

Following the rise and eventual decline of the full disclosure vs. anti-sec "golden era"—and the subsequent growth of an "ethical hacking" philosophy—the term grey hat began to take on all sorts of diverse meanings. The prosecution in the U.S. of Dmitry Sklyarov for activities which were legal in his home country changed the attitudes of many security researchers. As the Internet became used for more critical functions, and concerns about terrorism grew, the term "white hat" started referring to corporate security experts who did not support full disclosure. [13]

In 2008, the EFF defined grey hats as ethical security researchers who inadvertently or arguably violate the law in an effort to research and improve security. They advocate for computer offense laws that are clearer and more narrowly drawn. [14]

Examples

In April 2000, hackers known as "{}" and "Hardbeat" gained unauthorized access to Apache.org. [15] They chose to alert the Apache crew to the problems rather than try to damage the Apache.org servers. [16]

In June 2010, a group of computer experts known as Goatse Security exposed a flaw in AT&T security which allowed the e-mail addresses of iPad users to be revealed. [17] The group revealed the security flaw to the media soon after notifying AT&T. Since then, the FBI opened an investigation into the incident and raided the house of weev, the new group's most prominent member. [18]

In April 2011, a group of experts discovered that the Apple iPhone and 3G iPads were "logging where the user visits". Apple released a statement saying that the iPad and iPhone were only logging the towers that the phone could access. [19] There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as "grey hat" because although the experts could have used this for malicious intent, the issue was nonetheless reported. [20]

In August 2013, Khalil Shreateh, an unemployed computer security researcher, hacked the Facebook page of Mark Zuckerberg in order to force action to correct a bug he discovered which allowed him to post to any user's page without their consent. He had tried repeatedly to inform Facebook of this bug only to be told by Facebook that the issue was not a bug. After this incident, Facebook corrected this vulnerability which could have been a powerful weapon in the hands of professional spammers. Shreateh was not compensated by Facebook's White Hat program as he violated their policies, thus making this a grey hat incident. [21]

Related Research Articles

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

A white hat is an ethical security hacker. Ethical hacking is a term meant to imply a broader category than just penetration testing. Under the owner's consent, white-hat hackers aim to identify any vulnerabilities or security issues the current system has. The white hat is contrasted with the black hat, a malicious hacker; this definitional dichotomy comes from Western films, where heroic and antagonistic cowboys might traditionally wear a white and a black hat, respectively. There is a third kind of hacker known as a grey hat who hacks with good intentions but at times without permission.

A black hat is a computer hacker who violates laws or ethical standards for nefarious purposes, such as cybercrime, cyberwarfare, or malice. These acts can range from piracy to identity theft. A black hat is often referred to as a "cracker".

Vulnerabilities are flaws in a computer system that weaken the overall security of the device/system. Vulnerabilities can be weaknesses in either the hardware itself, or the software that runs on the hardware. Vulnerabilities can be exploited by a threat actor, such as an attacker, to cross privilege boundaries within a computer system. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerabilities are also known as the attack surface. Constructs in programming languages that are difficult to use properly can also manifest large numbers of vulnerabilities.

Peiter Zatko: American computer security expert

Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow.

Chris Wysopal: American computer security expert

Chris Wysopal is an entrepreneur, computer security expert and co-founder and CTO of Veracode. He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

Black Hat Briefings is a computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat brings together a variety of people interested in information security ranging from non-technical individuals, executives, hackers, and security professionals. The conference takes place regularly in Las Vegas, Barcelona, London and Riyadh. The conference has also been hosted in Amsterdam, Tokyo, and Washington, D.C. in the past.

A security hacker is someone who explores methods for breaching defenses and exploiting weaknesses in a computer system or network. Hackers may be motivated by a multitude of reasons, such as profit, protest, information gathering, challenge, recreation, or evaluation of a system's weaknesses to assist in formulating defenses against potential hackers.

Black hat, blackhats, or black-hat refers to:

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

BlueHat is a term used to refer to outside computer security consulting firms that are employed to bug test a system prior to its launch, looking for exploits so they can be closed. Their role involves searching for weaknesses or security gaps that could be exploited, and their aim is to rectify and close these potential vulnerabilities prior to a product or system launch. In particular, Microsoft uses the term to refer to the computer security professionals they invited to find the vulnerability of their products, such as Windows.

Goatse Security: Hacker group

Goatse Security (GoatSec) was a loose-knit, nine-person grey hat hacker group that specialized in uncovering security flaws. It was a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America (GNAA). The group derives its name from the Goatse.cx shock site, and it chose "Gaping Holes Exposed" as its slogan. The website has been abandoned without an update since May 2014.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Juice jacking: Mobile security risk

Juice jacking is a theoretical type of compromise of devices like smartphones and tablets which use the same cable for charging and data transfer, typically a USB cable. The goal of the attack is to either install malware on the device, or to surreptitiously copy potentially sensitive data. As of April 2023 there have been no credible reported cases of juice jacking outside of research efforts.

Offensive Security is an American international company working in information security, penetration testing and digital forensics. Operating from around 2007, the company created open source projects, advanced security courses, the ExploitDB vulnerability database, and the Kali Linux distribution. The company was started by Mati Aharoni, and employs security professionals with experience in security penetration testing and system security evaluation. The company has provided security counseling and training to many technology companies.

Cris Thomas: American cybersecurity researcher and hacker

Cris Thomas is an American cybersecurity researcher, white hat hacker, and award-winning, best-selling author. A founding member and researcher at the high-profile hacker security think tank L0pht Heavy Industries, Thomas was one of seven L0pht members who testified before the U.S. Senate Committee on Governmental Affairs (1998) on the topic of government and homeland computer security, specifically warning of internet vulnerabilities and claiming that the group could "take down the internet within 30 minutes".

Rafay Baloch: Pakistani ethical hacker

Rafay Baloch is a Pakistani ethical hacker and security researcher. He has been featured and known by both national and international media and publications like Forbes, BBC, The Wall Street Journal, and The Express Tribune. He has been listed among the "Top 5 Ethical Hackers of 2014" by CheckMarx. Subsequently he was listed as one of "The 15 Most Successful Ethical Hackers WorldWide" and among "Top 25 Threat Seekers" by SCmagazine. Baloch has also been added in TechJuice 25 under 25 list for the year 2016 and got 13th rank in the list of high achievers. Reflectiz, a cyber security company, released the list of "Top-21 Cybersecurity Experts You Must Follow on Twitter in 2021" recognizing Rafay Baloch as the top influencer. On 23 March 2022, ISPR recognized Rafay Baloch's contribution in the field of Cyber Security with Pride for Pakistan award.

Sam Curry is an American ethical hacker, bug bounty hunter, and founder. He is best known for his contributions to web application security through participation in bug bounty programs, most notably finding critical vulnerabilities in 20 different auto manufacturers including Porsche, Mercedes-Benz, Ferrari, and Toyota. In 2018, Curry began working as a security consultant through his company Palisade where he disclosed vulnerability publications for security findings in Apple, Starbucks, Jira, and Tesla.

Sakura Samurai (group): Hacker group

Sakura Samurai was a white hat hacking and security research group that was founded in 2020. The group is responsible for multiple vulnerability disclosures involving governmental groups and various corporations.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

  1. De, Chu (2002). "White Hat? Black Hat? Grey Hat?". ddth.com. Jelsoft Enterprises. Retrieved 19 February 2015.
  2. Regalado; et al. (2015). Grey Hat Hacking: The Ethical Hacker's Handbook (4th ed.). New York: McGraw-Hill Education. p. 18.
  3. Fuller, Johnray; Ha, John; Fox, Tammy (2003). "Red Hat Enterprise Linux 3 Security Guide". Product Documentation. Red Hat. Section (2.1.1). Archived from the original on 29 July 2012. Retrieved 16 February 2015.
  4. Cliff, A. "Intrusion Systems Detection Terminology, Part one: A-H". Symantec Connect. Symantec. Retrieved 16 February 2015.
  5. Moore, Robert (2011). Cybercrime: investigating high-technology computer crime (2nd ed.). Burlington, MA: Anderson Publishing. p. 25.
  6. A E (2014). Grey Hat SEO 2014: The Most Effective and Safest Techniques of 10 Web Developers. Secrets to Rank High including the Fastest Penalty Recoveries. Research & Co. ASIN B0C83N8B8B.
  7. "Dark Traits and Hacking Potential". Journal of Organizational Psychology. 21 (3). 9 July 2021. doi:10.33423/jop.v21i3.4307. ISSN 2158-3609.
  8. "Def Con Communications Presents The Black Hat Briefings". blackhat.com. blackhat.com. 1996.
  9. Lange, Larry (15 July 1997). "Microsoft Opens Dialogue With NT Hackers". blackhat.com. Retrieved 31 March 2015.
  10. Lange, Larry (22 September 1997). "The Rise of the Underground Engineer". blackhat.com. Retrieved 31 March 2015.
  11. "HacK, CouNterHaCk". New York Times Magazine. 3 October 1999. Retrieved 6 January 2011.
  12. Digitalsec.net Archived 26 December 2017 at the Wayback Machine #Phrack High Council. 20 August 2002. "The greyhat-IS-whitehat List"
  13. "The thin gray line". CNET News. 23 September 2002. Retrieved 6 January 2011.
  14. EFF.org Electronic Frontier Foundation (EFF). 20 August 2008. "A 'Grey Hat' Guide"
  15. Michelle Finley (28 March 2013). "Wired.com". Wired. Wired.com. Retrieved 1 November 2013.
  16. "Textfiles.com". Retrieved 1 November 2013.
  17. FBI Opens Probe of iPad Breach Wall Street Journal, Spencer Ante and Ben Worthen. 11 June 2010.
  18. Tate, Ryan (9 June 2010). "Apple's Worst Security Breach: 114,000 iPad Owners Exposed". Gawker.com. Gawker Media. Archived from the original on 12 June 2010. Retrieved 13 June 2010.
  19. Harrison, Natalie; Kerris, Natalie (27 April 2011). "Apple Q&A on Location Data". Apple Press Info. Apple, Inc.
  20. "Is Apple Tracking You?". hackfile.org. Archived from the original on 23 March 2012.
  21. Gross, Doug (20 August 2013). "Zuckerberg's Facebook page hacked to prove security flaw". CNN. Retrieved 4 April 2015.

Further reading