
CASE: Ethical Hacking

Some people have legitimate jobs in which they are paid to break into systems by the people who own
the systems. These people are sometimes called "white-hat hackers"; their goal is to seek out
vulnerabilities so they can be removed before a malicious intruder discovers them and launches an attack.
The team of people involved in this activity is sometimes called a "tiger team" or a "red team." This
activity raises some ethical and legal issues:

• Hiring a team of hackers is always a risk, because it's possible that, despite the team's
supposedly legitimate intentions, some or all members of the team may actually have
illegitimate goals. If the hired hackers get caught doing something that appears unethical,
they can claim they were merely "doing their jobs." Particularly problematic are cases
where the ethical hacker is, in fact, a person who was previously convicted of illegal
hacking and who has been hired because of his or her ability to gain unauthorized entry into
private systems.
• Sometimes even legitimate hacking necessarily violates the law. For example, in one case,
a bank employee who had transferred away from his tiger team decided to check that the
security measures instituted by his group were still sound. They appeared to be
inadequate. He broke into the system and immediately notified the tiger team of the
vulnerability. However, new security measures had identified him as an intruder, and
because he no longer had legal authority to crack the system, he had broken the law. He
was arrested and spent some time in jail before eventually being released. Although there
are generally exceptions for hacking with the permission of the system owners, networks
today cross state boundaries and even national boundaries, making the legal issues murky
at best.
• The education and training of ethical hackers is controversial. The proponents of teaching
ethical hacking argue that learning the techniques of hacking better equips a person for
preventing hacking. Opponents argue that teaching hacking skills is in effect teaching
someone how to be a criminal. They also argue that teaching people to hack does not
make them good at preventing hacking, any more than teaching people to bat makes them
better pitchers.

The methods employed by white-hat hackers are the same as those employed by other hackers.
Their methods sometimes rely on technical expertise, sometimes on exploitation of human weaknesses,
sometimes on trickery similar to that employed by con artists, and sometimes on direct physical force.

Frequently, when a potential vulnerability is discovered, the person who discovers it does not
actually exploit the vulnerability but instead makes the information public. There are even Web sites
devoted to providing such information so that would-be hackers can attempt to devise a way to exploit
known vulnerabilities. By contrast, when companies discover vulnerabilities in their computer systems, they
naturally want to keep that information secret until they can remove the vulnerabilities. Each day that
goes by after the vulnerability is discovered increases the probability that it will be exploited. Most often,
when hackers attack, they exploit vulnerabilities that have been previously discovered. An attack that
exploits a vulnerability not yet known to the vendor or the public, and therefore not yet patched, is known
as a day zero attack or a zero-day attack. Zero-day attacks are commonly the most dangerous and unexpected.
One of the most common ways of exploiting human weaknesses is a phishing scam, which
attempts to fool or frighten a person into revealing key information. For example, one such scam that is
very common occurs on college campuses each fall shortly after the arrival of new students. The scam is
an email that claims to be from the school's IT department indicating that something is wrong with the
student's email account, usually citing some sort of error code, regulation, or security hazard. The student is
instructed to click a web link, which opens a web page that requests the email address and password.
Students who comply, of course, give the hacker access to their account. More sophisticated schemes
mimic the web site of a bank or some other well-known business. For example, an email might suggest a
problem with an account and then provide a link to the phony site. When the victim logs into the bogus
site, the password and user identification are stored for future use by the criminal. The victim is then
asked to verify some minor matter and given a message that everything has been properly reconciled.
Frequently the victim will leave the site without ever realizing that he or she has just been scammed.
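The credential-harvesting links described above share a few mechanical tells: the visible link text names the institution while the actual target is somewhere else, the target is a bare IP address, or the target domain is a look-alike that merely contains the institution's name. The following is an added example, not part of the original case text, showing how an email gateway or mail client could flag such links. The trusted domain (example.edu) and the sample email body are constructed for the example.

```python
"""Flag credential-phishing links in an HTML email body (added example).

Heuristics, in priority order:
  1. The visible link text shows one domain but the href points to another.
  2. The href target is a bare IP address.
  3. The href target is outside the institution's trusted domains
     (this also catches look-alikes such as example.edu.account-verify.com).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical): the school's legitimate mail/web domains.
TRUSTED_DOMAINS = {"example.edu"}

_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# A domain-looking token inside link text, e.g. "mail.example.edu".
_DOMAIN_IN_TEXT = re.compile(r"([\w-]+(?:\.[\w-]+)*\.[a-z]{2,})", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _target_host(href):
    """Hostname of an http(s) href, lower-cased; '' for mailto:, tel:, etc."""
    parsed = urlparse(href)
    if parsed.scheme not in ("http", "https"):
        return ""
    return (parsed.hostname or "").lower()


def _is_trusted(host):
    """True only for the trusted domains themselves or their subdomains."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def suspicious_links(html_body):
    """Return a list of (href, reason) for links that look like phishing."""
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = _target_host(href)
        if not host:
            continue
        match = _DOMAIN_IN_TEXT.search(text)
        shown = match.group(1).lower() if match else ""
        if shown and shown != host:
            findings.append((href, f"link text shows {shown} but target is {host}"))
        elif _IPV4.fullmatch(host):
            findings.append((href, "link target is a bare IP address"))
        elif not _is_trusted(host):
            findings.append((href, f"target {host} is outside trusted domains"))
    return findings


# Constructed sample: the "something is wrong with your account" email.
SAMPLE_EMAIL = """<p>Dear student, your mailbox reported error code 0x3F. Verify now:</p>
<a href="http://203.0.113.7/login">https://mail.example.edu/reset</a>
<a href="https://example.edu.account-verify.com/">Click here</a>
<a href="https://mail.example.edu/help">IT help desk</a>"""

if __name__ == "__main__":
    for href, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{href}: {reason}")
```

On the constructed sample the first two links are flagged (text/target mismatch, then a look-alike domain outside the trusted set) and the genuine help-desk link passes. The subdomain check in `_is_trusted` deliberately requires a leading dot, so a host that merely begins with the trusted name is not accepted.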

Sometimes a hack is simply human trickery. For example, a respectable-looking person might
show up at the reception area of a corporation with a flash drive that he claims to have found in the
parking lot. In such a case, a receptionist might think nothing of inserting the flash drive in her computer
to review the file list, so she could figure out to whom the flash drive belongs. If the perpetrator loaded
the flash drive with temptingly named files (such as "Upcoming Layoffs" or "Salary Comparisons"), it's very
likely that the receptionist would be unable to resist the urge to open at least one. If the file she opens contains
a virus, the company's computing environment might become infected.

Physical attacks may involve breaking and entering or may be associated with some sort of
listening device or camera. For example, in one case, a cable to a server was accessed in an elevator shaft
and the electronic traffic was recorded, resulting in many stolen passwords. In an even more
straightforward case, intruders used a crowbar to pry open office doors and steal the computers and all
the information they contained.

Reflection Questions:

1. Another group of hackers, who consider themselves ethical, write worms or viruses that perform
some kind of beneficial task. For example, such a hacker may write a worm that will seek out a
particular vulnerability in an operating system, fix the problem, and then destroy itself. Are these
hackers really acting in an ethical manner? Explain.
2. Suppose your school was considering offering a course on ethical hacking. Under what
circumstances, if any, would you consider that appropriate for your university?
3. Hackers sometimes take over systems that are not properly maintained and therefore lack
security safeguards. Unknown to the system's owner, the hacker's software takes up residence
on the system. Such infiltrated systems are called zombies. Zombies are useful to hackers who are
distributing malware because they make it hard to trace the malware back to the hackers. Suppose
your machine became a zombie and a hacker used your machine as a launch site for malware.
What is your moral responsibility for the harm caused by that malware?
