Is a hacker still a hacker even if he's called an "ethical" hacker? After all, a rose by any other name would surely... smell as sweet.
There are numerous types of hackers: the good guys (aka "white hats"), who do it in the name of security, and the bad guys (aka "black hats"), who do it for profit or for the fun of it. Then there are the harder-to-label gray hat hackers, script kiddies and hacktivists. All of them hack, but does that mean they're all malicious?
The ethical hacking debate has been burning for years. Adding fuel to the fire are the colleges across the United States that are offering courses in "cyberoffense" -- aka hacking. A recent Washington Post article raised several questions about the ethics of teaching offensive hacking courses. And while the teachers in the article stated that required ethics lessons are taught during these courses, it is impossible to know whether those ethical safeguards will stick with students -- nor is it possible to know students' true intentions for taking the course in the first place. The skills taught in these courses are required to land some of today's best information security jobs -- and to fill the growing number of cybersecurity positions open in government, the military and business alike. One of the teachers even told the Washington Post that he will not accept students into his class unless they promise to work (if hired) for the NSA, the Department of Energy or another U.S. government agency, and promise not to work for the private sector. Yet, as the adage goes, promises are made to be broken; no one would put a broken promise or an outright lie past a malicious hacker.
However, a side debate is brewing over what exactly offensive hacking is, and what the end result of offensive courses should be. In an impromptu Twitter discussion this week, noted security researcher and author Dino A. Dai Zovi and Johns Hopkins University professor Matthew Green offered their opinions on the matter.
Instead of teaching students cyber-offense, we should teach them how to build defenses for how attackers don't actually compromise targets.— Dino A. Dai Zovi (@dinodaizovi) October 9, 2014
@dinodaizovi We should be debating about whether we run programs whose primary goal is to train 'offensive' NSA mathematicians.— Matthew Green (@matthew_d_green) October 9, 2014
As Dai Zovi noted, and as attackers have proven time and again, the same old defenses don't work. Green retorted by questioning whether training students exclusively for the NSA and other government work is in fact ethical; Dai Zovi in turn asked whether that is the reason offensive hacking courses are offered at all, and whether exclusionary courses are the answer.
The issues raised by Dai Zovi and Green on the ethics of teaching offensive hacking are typical of a debate that has gone on for years. Yet even the task of defining offensive hacking -- including who should be trained in it and why it is needed -- makes this a difficult debate for even the most knowledgeable in the security industry to settle conclusively. Beyond those points, should such courses at universities and colleges be open to potential black hats and white hats alike, or should they be offered only to those vying for particular jobs at particular employers? Is that ethical?
When used in an ethical manner, offensive hacking can save many businesses from experiencing serious threats; in fact, it already has and it will continue to do so. However, as new ethical hacking concerns arise -- such as the need for, and potential exclusivity of, offensive hacking courses, or even defining offensive security in the first place -- the debate will continue to rage on.
In other news
- After last week's "war of words" between Palo Alto Networks Inc. and NSS Labs Inc., this week it appears that amends were made. NSS Labs' Founder and Chief Research Officer Bob Walder and Palo Alto's Senior Vice President of Product Management Lee Klarich both posted blogs yesterday about the companies working together to rectify the issues that led to dismal ratings for Palo Alto's PA-3020 next-generation firewall in NSS Labs' recent NGFW tests, saying that a fix for the flaws was distributed Thursday morning. "Through our own testing efforts and through working with NSS," Klarich wrote, "we were able to replicate the two issues and focused immediately on a fix, which has been completed and is now available." Walder noted, "A FULL test of the product is now underway to ensure that these fixes have not adversely affected the product in other ways, and a new Product Analysis Report (PAR) will be published in due course."
- A report from Europol released this week suggests that the first "online murder" may happen sooner rather than later -- possibly by the end of the year. In its annual Internet Organised Crime Threat Assessment, the European Union's law enforcement agency highlighted the security issues surrounding the Internet of Things and claimed, "With more objects being connected to the Internet and the creation of new types of critical infrastructure, we can expect to see (more) targeted attacks on existing and emerging infrastructures, including new forms of blackmailing and extortion schemes (e.g. ransomware for smart cars or smart homes), data theft, physical injury and possible death." Europol referenced a 2013 IID report that predicted the first online murder would occur before the end of 2014. In its report, IID cited former Vice President Dick Cheney's concerns about his pacemaker being hacked, FDA reports of vulnerabilities in Internet-connected medical devices, and the conspiracy theories surrounding the death of journalist Michael Hastings last year, which some attribute to an automobile cyberattack.
- A joint report from Kaspersky Lab and INTERPOL released this week revealed that Android devices -- which make up about 85% of all mobile devices -- saw a spike in mobile malware in 2014, being the target of nearly 98% of all existing mobile threats. Research also showed that 175,442 new, unique malicious programs were designed for Android in the first half of 2014 -- 18% more than in all of 2013. In other Android news, security researchers from Lookout Inc. claim that the two Web browser security vulnerabilities discovered by researcher Rafay Baloch in September are much bigger than initially reported, affecting not just the stock AOSP browser on Android devices but also other browsers built on AOSP code. In a blog post, Lookout estimated that 45% of Android users run a vulnerable browser and could potentially be exposed to data theft or worse. Exposure, Lookout found, also varied greatly by country: 81% of users in Japan were vulnerable and 73% in Spain, while the number dropped to 51% in the U.K. and 34% in the U.S.