White Hat Hacking

Tyler Schumacher Department of Computer Science University of Wisconsin, Platteville schumacherty@uwplatt.edu

Abstract
Malicious hackers can cause a multitude of problems for a company. However, white hat hackers, or ethical hackers, can be used to protect a network against them. Some IT specialists are taught how hackers can get into a system. However malicious hackers have real world experience hacking networks and looking for ways to break into them and finding vulnerabilities that they can exploit. That can make them better prepared to protect a network if they reform. There are many different kinds of hackers, but unlike popular thought, most hackers are not malicious. White hat hackers are the reason networks are secure at all.

Origins of Hackers
Hackers are well-known to nearly everyone and yet understood by very few. The media has given us our image of what hackers are. There are some popular books, and numerous hit movies, about hackers who will guess a password within three tries, or hack a government website and take over nuclear weapons deployment. This is a very limited, and some would argue incorrect, view of what hackers are. The most popular early use of the term hacker initiated at MIT. Hackers were students who would pull clever or hard to pull off pranks, or 'hacks', often times either involving the Great Dome on their campus or the annual Yale-Harvard football game. It became popular in the computer industry in the 1960's. At that time, a hacker was often someone who would create a computer program in some nonstandard way. That could by through changing the code in a program until the desired output was delivered, with little regard to design or actually determining what problems there are in the code. It could also mean crudely changing your program to work with the limited constraints of computers at the time, perhaps by removing (hacking) code so that your program is not too large, and then

doing whatever you have to in order to get your program functional again. However, it could include things such as efficiently solving a problem in a way that it had not been solved before, which would have a much more positive connotation than the previous uses [1]. Until the 1980's, even when the term hacker was used with a negative connotation, it was still nowhere close to being as negative as it is in modern times. Hackers were not doing anything illegal, and the general public would often be unable to distinguish the work of a hacker from the work of a non-hacker. Modern media has now twisted the meaning of the word hacker for most people. Many people are not even aware that there could be a positive connotation for the term.

Types of Hackers
In the programming industry the term hacker can still be used to refer to someone who solves a problem in an unconventional manner. Indeed the term can be used as a sign of the highest praise. Stephen Wozniak, the co-founder of Apple, may be thought of as a hacker. He made blue boxes which allowed him to bypass telephone switching mechanisms, enabling him to make free long-distance telephone calls. It was through that sort of innovation that the first Apple computers were created. Hacktivists are hackers with a political agenda. They may have virtual sit-ins, deface websites that promote actions or stand for ideas that are against their own, display controversial information as a promotion of free speech, or use denial of service attacks to protest certain websites. Recently, in August 2009, the Melbourne International Film Festival was attacked by Chinese hackers because of a film that was proclaimed as antiChinese by the Chinese state media. The Chinese had previously been on the other side of a hacktivist attack when Bronc Buster disabled firewalls so that the Chinese public could have uncensored access to the internet. Blue hat hackers are security professionals that are brought in to bug test a system prior to launch. The term is most frequently applied to security professionals that Microsoft has invited to an annual conference to find vulnerabilities in Windows. Crackers, or black hat hackers, are what the media has gotten people to believe all hackers are. They are the self-serving criminals. They care only for personal gain, whether that be turning a profit by stealing sensitive data, or just satisfaction in the knowledge that they caused problems for some individual or company. These are the people you hear about in the news that steal credit card information or social security numbers, or who shut down websites. Black hat hackers can employ a varied set of tools in order to accomplish their crimes.

Script kiddies are crackers who have no real knowledge of programming or network security, but find tools that more knowledgeable people have created and use them in the hopes that they do not get caught and they get something out of it. The more advanced black hat hackers will find vulnerabilities in websites or databases and exploit the vulnerabilities to gain unauthorized access to sensitive data. They can use vulnerability scanners, packet sniffers, password crackers, and the like to cause harm. There are also black hat hackers who rely on little network security flaws or cracking software. They use social engineering techniques to gain physical access to areas they should not be allowed to get to or to learn passwords. There are a number of different social engineering techniques. A black hat hacker might make an imitation of a uniform for some company. Then they could walk up to a keycard access door with a group of people and hope that one person will let the entire group in. Or even if they just go up to the door with one other person, they can act as though they can't find their keycard, and hope that the other person is sympathetic, as many people would be, and allow them in. Once inside they can look for passwords taped to monitors, something that occurs frequently because of strict requirements on what a password can contain and also the frequency at which passwords must be changed. They might also talk up the receptionist in a friendly manner to try to glean some information from him or her. They also might just try to find out where employees like to hang out outside of work, so that they can run into them later and perhaps get them talking over a few beers. If the black hat hacker is a female, or knows a female that he can trust, they can oftentimes more easily get information out of people. Many do not think that women would be crackers, so they may be less guarded with what they talk about [3]. A black hat also could fairly easily get administrative passwords in the right situation. If they know how usernames are determined, for instance by using the last name and then the first two letters of the first name, then they could find the username of an administrator, and then call the help desk asking to reset his password. The help desk could then call them right back with the new administrative password. White hat hackers are ethical hackers. They may be employed as ethical hackers, so their motives could be self-serving and for profit, but they will never do any hacking illegally or maliciously. A white hat hacker might notice a vulnerability on a business' website, contact that business, and then work with them to fix the vulnerability. They may also be hired by a company for the sole purpose of attempting to break into a system so that any vulnerabilities could be brought to light and hopefully fixed. White hats can be former black or grey hats, or they can simply be network security specialists. Black hats may become white hats for a number of reasons. They may have dreams of getting rich, but realize that money is hard to come by as a black hat. White hats can get a steady paycheck with steady hours. As a black hat, you live your real life in secret, and have to attempt to live two lives. As a white hat, you can be proud of your accomplishments and can share that pride with those around you. They may also simply mature out of their self-serving habits. It is believed that the majority of black hat hackers

are under the age of forty [1] Grey hat hackers are people who do not act maliciously, and in fact oftentimes do things that white hat hackers do, but they may do so illegally. Other times grey hats may break into a system for the simple joy of knowing that they are able to, and then leave the system without doing anything at all. Others may leave their signature on the system somewhere, but not do anything malicious. A popular example of an act that demonstrates exactly how a grey hat hacker can work is self-described in the article "How we defaced www.apache.org" written by two hackers who go by {} and Hardbeat. The introduction to the article follows: This paper does _not_ uncover any new vulnerabilities. It points out common (and slightly less common) configuration errors, which even the people at apache.org made. This is a general warning. Learn from it. Fix your systems, so we won't have to :) This paper describes how, over the course of a week, we succeeded in getting root access to the machine running www.apache.org, and changed the main page to show a 'Powered by Microsoft BackOffice' logo instead of the default 'Powered by Apache' logo (the feather). No other changes were made, except to prevent other (possibly malicious) people getting in. [5] They broke into a computer, but other than the mostly harmless change of the logo on main page, they did no harm, and in fact fixed the problem that they exploited. They even wrote up that entire article so that other people who had the same vulnerabilities could fix them. As extra incentive for the company to fix the problem, and to make others aware of what they might need to fix on their own networks, grey hats may threaten to disclose the vulnerability to the public after a set period of time. However {} and Hardbeat just fixed the problem themselves, and then publicly disclosed the information afterward so that others would be able to fix their own systems. What they did was technically illegal; however Apache appreciated the fix and did not prosecute them. People are not always so lucky, however. Eric McCarty found a vulnerability on the University of Southern California's online application system when he was allegedly registering for a class. He was able to access USC's database, and he copied a small number of records. He then worked with a computer security website to notify USC of the problem and to help them fix it, but he was charged with computer intrusion under the U.S. Patriot Act.

Origin of Terms
The terms white and blat hat hacker were based on old western movies. In the black and white fast moving chase scenes, it could be hard for viewers to distinguish between the good guys and the bad guys. That led to the common practice of having the good guys wear white hats and the bad guys wear black hats. So the ethical hackers were labeled white hats and the crackers were labeled black hats. Grey is a mixture of white and black,

and so the middle ground hackers were labeled grey hats. The blue hats were called such to follow suit in the using of the term hat, and the color was used because of the blue employee badges that are worn at their annual security conferences mentioned above.

Hackers in the Public Eye

Some hackers, and their activities, are well-known to the public. This happens for various reasons, such as media coverage or problems that personally affect them. This can also be a cause for change. The government of United Kingdom fell prey to hackers and lost large amounts of their citizen's data. They are now, along with other measures, employing white hats in order to earn back the trust of the citizens. Daniel Cuthbert, the "tsunami hacker," was found guilty under the United Kingdom's Computer Misuse Act. Cuthbert had made an online donation to a web site that was accepting money for victims of the 2004 Asian tsunami. Cuthbert was concerned that he may have been phished because he did not receive a thank you or a confirmation after he donated. He then illegally gained access to the site to test it, and was later arrested. This sort of prosecution of someone without malicious intentions can be a deterrent for white hats looking to find and fix problems without prior consent of a company [2]. Some companies see that as a good thing, but all black hats do. Tsutomu Shimomura is a famous white hat. He was hacked himself, and then worked with the FBI to catch the black hat hacker, who was the most wanted cyber-criminal in the US at the time. He hacked a cell phone (possibly illegally, but under FBI supervision) to monitor calls, and was able to narrow the search down to an apartment complex, where the hacker was arrested. There are a number of contests and conferences for hackers. There are contests where computers or devices running various operating systems are put up as prizes for the first person able to hack into them. On the first day the hackers are only allowed to use software that comes preinstalled on the computer, but the longer the computers hold up against the hackers, the more third party applications they are allowed to install and attempt to exploit. This allows the sponsors of the contest to fix their products before they are shipped [4]. The most notable conference for hackers is the annual DEFCON. Along with many lectures, contests, movies, and much more, DEFCON sets up their own private network that they do not recommend using your primary computer on. The network is for general hacking and security testing, so anything hooked up to the network is fair game to be broken into. They also have a specific game, capture the flag, where teams work together to attempt to hack, and preventing the hacking of, systems. If a certain file is

stolen (the flag), a new round begins. Black hats are assumed to attend, but they are not the intended audience, and in fact the hosts of DEFCON allow federal agents to be on premises without displaying their badges.

Uses of Former Black Hats in Industry

There are some problems when attempting to hire a former black hat to protect your system. First of all, you will rarely be able to check up on their claims. They will not want to give the details of the crimes they have committed, as it could lead to their arrest. If they have already served time for their crimes, then you would have very good references for their work, but they could also be barred by the courts from working in certain industries. And if they were formerly black hats, what is to stop them from returning to their criminal ways, greatly hurting your company in the process? There was a white hat working for the secret service which was hunting down hackers who had stolen millions of credit card numbers from various companies including 7-Eleven. It turns out that the 'white hat' was leaking investigation information to the hackers, and had helped them run tests to ensure that their intrusion would go undetected. There are some major benefits to hiring former black hats, despite the risks. They have real world experience, they aren't just taught in a classroom. Criminals think outside of the narrow classroom view, which is why convicted criminals are often used to prevent the crimes that they committed. Protective measures against counterfeiting US currency were aided greatly by a convicted counterfeiter, and the same holds true for network security. Former black hats can train your security specialists in many of the ways that black hats are attacking networks, including gaining information through social engineering. The former black hats will know all about these sorts of techniques, and will be able to prepare your company to avoid falling prey to them. Former black hats would be more likely to be proactive about fixing problems instead of reactive. Some IT specialists, more so in the past, would be called in to fix a problem. Former black hats can be utilized to find and fix the problem before it hurts the company. There are security consultants who do similar things, but it would be quite possible that the founders of those companies were black hat hackers themselves at one point. And if you hire a consulting group temporarily, they may try to scare you into buying more of their time and services then you really need. Former black hats are much more easily able to see potential problems in a network, but, they might also still think like criminals and try to exploit the vulnerabilities themselves.

Uses of White Hats

As temporary employees to a company, white hats could be used to test the system in multiple ways. First they may be asked to attempt to hack the network while only having access to information that outsiders would have easy access to. They might then be asked to attempt to break in using information that most employees would have access to and see how much damage they can do as a disgruntled employee [3]. A different example of a great use of a white hat hacker is the case of a private company funding a white hat to attempt to clone the new RFID passports. He drove around San Francisco with an RFID reader and was quickly able to log data from a couple of passports. He is hoping that his work will discourage the use of RFIDs for personal information as he does not believe it is very secure. As full time employees of a company, white hats, such as network security specialists, can work full time on actively searching for vulnerabilities that could be exploited, as well as reacting to fix problems if an unknown vulnerability is exploited. They can be in charge of data encryption, managing the hardware or software based firewall, protecting the database, and physically protecting the network from intruders.

Web Security
The Whitehat Website Security statistics report shows that 82% of websites have had, at one point or another, a high, critical, or urgent issue. The issues are rated as such based on the Payment Card Industry Standards Council's rating. The PCISC was founded by American Express, Discover Card, Visa, MasterCard, and JCB, a Japanese credit card company. The council determined how vulnerabilities would be classified, and they say that if a website has a single high, critical, or urgent issue, they are not in compliance with the standards that they have established. And yet 63% of websites currently have a high, critical, or urgent issue. The report also shows that only 60% of the almost 18000 historical vulnerabilities have been resolved, leaving over 7000 unresolved vulnerabilities. It says that vulnerabilities are still taking weeks or months to be resolved. It lists the average number of inputs (attack surfaces) per website as 227, and the average ratio of vulnerability count/number of inputs is 2.58%. This all shows itself in the average number of serious, unresolved vulnerabilities per website, which is seven - seven vulnerabilities per website that could lead to a loss of pertinent information or the takeover of the site. Those aren't good numbers. It's up to the white hat hackers to improve them.

References
[1] Barber, Richard. 2001. Hackers Profiled Who Are They and What Are Their Motivations? Computer Fraud & Security 2001 (2):14-17.

[2] Kizza, Joseph Migga. Computer Network Security and Cyber Ethics. Jefferson: McFarland & Company, 2002.

[3] McClure, Stuart; Scambray, Joel; Kurtz, George. Hacking Exposed: Network Security Secrets & Solutions. Berkeley: McGraw-Hill. 2003.

[4] Conti, Gregory. 2005. Why Computer Scientists Should Attend Hacker Conferences. Communications of the ACM 48(3):23-24. [5] {}, Hardbeat. How We Ddefaced www.apache.org. 2000.