Hacking
The term hacking can mean several things. Hacking can mean tinkering. Early computer enthusiasts were hackers because they tinkered with computers. Today, the term hacker often means an unauthorized person who breaks into computer systems.
Learning Objectives
You should be able to describe:
- Authorized (white hat) hackers
- Semi-authorized (gray hat) hackers
- Unauthorized (black hat) hackers

Authorized Hackers
Some people love hacking. If you are the kind of person who ever took apart a toaster to see how it worked, you might make a great computer hacker. You can make a legal career out of hacking as an authorized hacker. Authorized hackers are commonly referred to as white hat hackers. Authorized hackers have been given explicit permission to test the security of computer systems. These hackers might have job titles such as penetration tester.
Permission is the key to what makes a hacker an authorized hacker. Permission must be granted in writing before a penetration testing engagement. Failure to abide by the scope of services defined in the agreement can land a hacker in hot water.
In 2019, security testers were arrested while performing an authorized penetration test. The penetration testers had worked with government officials to create the scope of engagement, which included physical testing and lock picking. But when the testers successfully broke into a courthouse one night, they ended up leaving the courthouse in handcuffs. It was claimed that they had exceeded the scope of work by trying to enter the courthouse after normal operating hours. Also, it was unclear if the person who authorized the penetration test had the authority to approve the penetration test. It didn't help that one member of the security team had been drinking alcohol. The engagement and subsequent prosecution became a huge fiasco.
Semi-authorized Hackers
Semi-authorized hackers are often experts who like pushing the boundaries of what might be acceptable. They are commonly referred to as gray hats. They do not have malicious intent. They also lack authorization. A gray hat hacker might spend hours seeing if they can break into a system. If they are successful, they will tell the company the weaknesses they found. Sometimes they will ask for a bug bounty, but often they report their findings without any expectation of reward.
Gray hat hackers face a huge risk--they never know how the target organization will react. One company might thank the gray hat hacker for disclosing the weakness in their system, and some companies even offer to hire them as security consultants. Other organizations react as if their systems have been corrupted and try to get the gray hat hacker prosecuted.
Ultimately, gray hat hacking is illegal because authorization to perform hacking activities has not been explicitly granted. Cybersecurity professionals (or cyber-curious citizens) should not engage in gray hat hacking.
Unauthorized Hackers
Unauthorized hackers (black hats) lack authorization and good intentions. Black hat hackers can have different motivations. They might want to hack for the thrill, to bring down a company, to cause embarrassment, or to earn the respect of their hacker peers.
The hacking group LulzSec picked major targets including the FBI and the CIA. They clearly did not have permission. They were able to take down some FBI sites, but some members of the team were found and arrested. Be careful which bears you poke.
Was It Hacking?
A journalist in Missouri discovered that a state government website was disclosing the social security numbers of state educators. The reporter disclosed the flaw, and the governor of Missouri decided to prosecute him for hacking. All the journalist did was look at the website source code--something that does not take a tremendous amount of skill, and not something that anybody with a brain larger than a walnut should consider hacking. If awards were granted for Cybersecurity Idiot of the Year, Missouri's Governor Mike Parson would be a top contender for 2022.
There are a few questions to consider.
- Was the reporter engaged in "hacking"?
- If so, was the reporter authorized, semi-authorized, or unauthorized?
Reflection
- Should companies invite responsible hackers to find vulnerabilities in their systems?
- What makes a good hacker?
Key Terms
- Authorized Hackers: Hackers who have been given explicit permission to assess system security.
- White Hat Hackers: Legacy term for authorized hackers--hackers who have explicit permission to assess security.
- Semi-authorized Hackers: Hackers who have some level of permission or responsibility to assess system security, but their actions may sometimes exceed the scope of their authorization.
- Gray Hat Hackers: Legacy term for semi-authorized hackers--hackers who have some cybersecurity responsibilities, but may go beyond the scope of authorization.
- Unauthorized Hackers: Hackers who engage in malicious activities without any authorization. They exploit vulnerabilities for personal gain, financial profit, or to cause harm.
- Black Hat Hackers: Legacy term for hackers who perform malicious actions without authorization. The current preferred term is unauthorized hackers.
- Penetration Tester: A cybersecurity professional who is authorized to simulate cyber attacks on a system, network, or application to identify and exploit vulnerabilities. Their goal is to improve security by finding and addressing weaknesses before malicious hackers can exploit them. Penetration testers are authorized hackers.