Hackers don’t enjoy a good reputation. Type the word “hacker” into a Google search and you immediately discover that hackers are scary, dangerous, and male. They prefer to sit hunched over a laptop in an undefined space. Because of their sinister activities, they like to remain anonymous. They work alone, and like to wear a mask or balaclava as they sit at the keyboard, though apparently on occasion this goes a little too far, and a hoody will do instead.
We all know this stereotype of a hacker is false, even if it is no surprise that the word “hacker” carries negative connotations.
I recently went to the Cybercrime Security Forum and attended a lecture by Edwin van Andel, Chief Evangelist and hacker at Zerocopter. I am thrilled that I was able to listen to the arguments presented by this personable man. In his session “Hug a Hacker” he made it clear not only that the stereotypes are wrong, but that hackers can even be put to very good use. Thanks to Edwin, I now know why we should aspire to exactly that, and how to put it into practice.
For starters: not all hackers have evil intentions. There is a difference between “black hat hackers” and “white hat hackers”.
Black Hat Hacking
Black hat hackers are the bad guys. They are the ones who break into computers and gain unauthorized access to your information systems in order to shut them down, steal, change or delete data. They are the ones who spread viruses and internet worms, set up botnets and send phishing emails. Most often the goal is financial gain, but sometimes political objectives play a part.
White Hat Hacking
White hat hackers are so-called “ethical hackers”. These hackers use their knowledge and experience to make organizations more resilient against cyber criminals. In other words, they are security specialists, often hired to take security to a higher level.
But what makes ethical hackers ethically responsible? If you have not been hired for the purpose, isn’t breaking in still a crime? Legally, unauthorized access is unauthorized access, whatever the intention. In the past, hackers who found a weakness and reported it in good faith still risked prosecution, even though the organizations concerned happily used the information to improve their own IT security. To remove that risk for hackers with good intentions, many organizations now publish a “responsible disclosure policy”: a public statement of what may be tested, how findings must be reported, and a commitment that the organization will not take legal action as long as those rules are respected. Two caveats matter in practice. The policy only covers what it explicitly puts in scope, so testing a system or using a technique the policy excludes is still unauthorized. And it is a promise by that organization alone; it does not bind third parties whose systems or data are touched along the way, and an organization without such a policy has made no such promise at all.
The manner in which a discovered weakness is handled has consequences for what happens next. Three common methods exist for reporting weak spots.
- Full disclosure: The hacker publishes the vulnerability to the entire world, often with technical details. This puts pressure on the organization to fix the problem quickly, but a fix still takes time to develop and roll out. In the meantime the published details play into the hands of black hat hackers, who can exploit them immediately, with potentially damaging consequences.
- Non-disclosure: The hacker tells nobody, not even the organization in question. Nobody who could fix the issue knows about it, so the vulnerability remains, and anyone else who finds it independently is free to exploit it.
- Responsible disclosure: The hacker reports the vulnerability privately to the organization and follows the organization’s published disclosure policy. Details are only made public, if at all, once a fix is in place and in agreement with the organization. This gives the organization time to resolve the issue before attackers learn of it, which makes responsible disclosure the safe way to make vulnerabilities known.
If you want to implement a responsible disclosure policy, place a notice on your website that spells out the rules researchers must follow, which systems are in scope and which are not, how to submit a finding, and a clear statement that you will not take legal action as long as those rules are complied with. Typical rules forbid denial-of-service tests, social engineering and copying more data than is needed to prove a finding. Such a statement is more or less an invitation to the hacking community to look for weak spots on your terms, so you learn about them first and can improve security where necessary. ING bank, for example, has such a statement. It lists the rules which must be adhered to, how to submit discoveries, and that a reward might be in order. It also clearly states which aspects the statement covers, and which it does not.
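Besides a human-readable page, the standard way to make a disclosure policy findable is a security.txt file served at /.well-known/security.txt (RFC 9116), which tells a researcher where to report and where the rules are published. The following is an added example, not code from the original article or from Zerocopter or ING: it builds such a file and checks the two rules that most often go wrong in practice, the required Contact and Expires fields and an Expires date that has already passed, which makes researchers treat the whole file as stale. All hostnames, addresses and URLs in it are placeholders.

```python
"""Build and sanity-check a security.txt (RFC 9116) disclosure notice.

Added example, not from the original article. The addresses and URLs used
here (example.com) are placeholders, not any real organization's policy.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("Contact", "Expires")
KNOWN = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages"}
SINGLE_USE = {"Expires", "Preferred-Languages"}


def build_security_txt(contacts, policy_url, valid_days=180, extra=None, now=None):
    """Return the text of /.well-known/security.txt.

    contacts:   list of 'mailto:' / 'https://' URIs, most preferred first
    policy_url: where the disclosure rules (scope, safe harbour) are published
    extra:      optional dict of further fields, e.g. {"Encryption": "https://..."}
    """
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=valid_days)).replace(microsecond=0)
    lines = ["# Responsible disclosure: see the Policy link for scope and rules."]
    lines += [f"Contact: {c}" for c in contacts]
    lines.append(f"Expires: {expires.isoformat().replace('+00:00', 'Z')}")
    lines.append(f"Policy: {policy_url}")
    for name, value in (extra or {}).items():
        lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n"


def validate_security_txt(text, now=None):
    """Return a list of problems; an empty list means the file is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    seen = {}  # field name -> list of values, to detect missing/duplicate fields
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are allowed
        if ":" not in line:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        name, value = (part.strip() for part in line.split(":", 1))
        if name not in KNOWN:
            problems.append(f"line {lineno}: unknown field {name!r}")
        seen.setdefault(name, []).append(value)
    for name in REQUIRED:
        if name not in seen:
            problems.append(f"missing required field {name}")
    for name in SINGLE_USE:
        if len(seen.get(name, [])) > 1:
            problems.append(f"{name} must appear at most once")
    for uri in seen.get("Contact", []):
        if not uri.startswith(("mailto:", "https://", "tel:")):
            problems.append(f"Contact must be a URI (mailto:, https:, tel:), got {uri!r}")
    for value in seen.get("Expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 date-time: {value!r}")
            continue
        if expires.tzinfo is None:
            problems.append("Expires must carry a time zone")
        elif expires <= now:
            problems.append("Expires is in the past; researchers will treat the file as stale")
        elif expires > now + timedelta(days=366):
            problems.append("Expires is more than a year away; RFC 9116 recommends less")
    return problems


if __name__ == "__main__":
    txt = build_security_txt(["mailto:security@example.com"],
                             "https://example.com/responsible-disclosure")
    print(txt)
    print("problems:", validate_security_txt(txt))
```

Serve the result over HTTPS as text/plain and renew it before the Expires date; an expired file is worse than none, because it signals that nobody is maintaining the disclosure channel.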