The White Hat Hacker

The “good guys,” often security professionals, are called White Hat hackers. They stay entirely within the law, only access systems with permission, and work to identify and fix security flaws. If they find security problems in a particular product, they inform the vendor so that the problems can be fixed. They do not publicize the problem.

White Hat hackers often work as security professionals, using the hacker tools to test the security on their own systems. They also closely monitor Internet resources that discuss hacking, vulnerabilities, and attacks. They may also attend hacker conventions and subscribe to hacker publications. Like an undercover police officer, they sometimes walk a fine line.

Samurai hackers are White Hat hackers who consult as security professionals. They are usually privy to the highest level of access and have an in-depth knowledge of a company’s security vulnerabilities; consequently, they must have extremely high ethical standards. Some companies hire reformed hackers who gained their knowledge in less reputable activities. This is the equivalent of hiring an ex-burglar as a physical security expert and is a risky practice.

The Ethical or Gray Hat Hacker

Hackers who find security holes and report them are known as Ethical or Gray Hat hackers. Sometimes they give the company a chance to fix the problem before publicly posting it. Others do not; they immediately publish the problem, allowing malicious hackers the opportunity to exploit it. Many also break into systems without permission. They believe they are providing a service to consumers by forcing companies to provide better security and products.

Tom Cervenka considers himself an Ethical hacker. He discovered a weakness in eBay’s security that allows the theft of users’ identities. He claims he notified their tech support and that they failed to act. He then publicly posted a step-by-step guide to exploiting the weakness on the Internet. He feels his actions are justifiable because they forced the company to act. eBay feels differently about this being an “ethical” act.

An attack by an Ethical hacker is obviously better than one by someone with malicious intent. However, when you are under attack it is impossible to tell the intent until it is too late. Therefore, the IT resources must scramble to protect information and record the attack as if it were malicious. If the press reports the attack, public confidence is undermined, especially if the organization deals with financial or confidential information. The public may be relieved the attack was benign, but this may not stop them from moving their business to a company with a better security record.

The Script Kiddy

Unskilled hackers who use tools written by more experienced hackers are called Script Kiddies. They are typically teenagers seeking the thrill of publicity. They may gain access to systems, disrupt systems, or deface web pages. They are easier to detect and catch but their attacks can still be very damaging. It can be very embarrassing for a company to have their security thwarted by a 14-year-old boy on his Dad’s old 486 PC. Script Kiddies have a great deal of free time, often work in groups, and make great headlines.

In the first quarter of 2000, major online companies including CNN, Amazon, Yahoo!, Excite, and eBay experienced Denial of Service attacks. These attacks sent huge amounts of traffic to the websites until they could no longer handle the volume. Regular customers experienced a denial of service when they attempted to conduct legitimate business on the website. Ironically, the alleged perpetrator, alias Mafiaboy, was a 15-year-old Canadian Script Kiddy.
