Ethical Hackers and Crackers - who are they?
The term "hacker" has a dual usage in the computer industry today. Originally, the term was defined as:
HACKER noun 1. A person who enjoys learning the details of computer
systems and how to stretch their capabilities--as opposed to most
users of computers, who prefer to learn only the minimum amount
necessary. 2. One who programs enthusiastically or who enjoys
programming rather than just theorizing about programming.
This complimentary description led to the verb form "hacking" that describes the rapid development of extraordinary new programs or the reverse engineering and altering of already existing software to make the code better, more efficient. Thus, in the original sense of the word, Hackers change the world by hacking away at things. They value rough consensus and smooth code.
Now governments and companies with electronic concerns want to be able to take advantage of the Internet for electronic commerce and advertising - but they have issues regarding the increasing danger of being "hacked". On top of that, the potential customers of these services are worried about maintaining control of personal information that varies from credit card numbers to social security numbers and home addresses. Approaching the issues step by step, organizations figured out that having independent security professionals attempt to break into their computer systems would be the best way to evaluate the intruder threat to their interests. These hackers would employ the same tools and techniques as the intruders, but they would neither damage the target systems nor steal information. Instead, they would check the system's security completely and report back to the owners with the vulnerabilities they found and instructions for how to remedy them. This means that there is a pre-determined goal and the test has the knowledge and consent of the owner of the system. Such tests can be done either by internal or external people. If external people are hired then they are so-called authorised ethical hackers. There will be legal contracts to tie down the work and provide the trust between management and the hired penetration testers. Later on, we will discuss the methods an ethical hacker employs, referring to such a "hired hacker". However, there are also other forms of ethical hacking:
Self-proclaimed Ethical Hacking:
If you call yourself an ethical hacker, you don't have to be hired by Microsoft to deface their new test page for test purposes, but you could rather find any (rather important) security holes and report back to the system administrator voluntarily and without any intent to make profit. This category of self-proclaimed ethical crackers is out to make a point. This can be to highlight some security problems in a product/service or just to educate the victim so that she can secure her system properly. They are simply doing their "victims" a favour. If some weakness is discovered in a service offered by a bank, for instance, they will be doing the bank a favour by informing and giving them a chance to rectify the vulnerability.
"Like a modern day Robin Hood, ethical Hackers take from the info-rich and give to the info-poor."
Hacking for a Cause (Hacktivism):
These are crackers with a social or political agenda. Their aim is to put across some message and gain publicity. The victims are usually governments or large corporations or groups whose activities are viewed by them as being "wrong" or "bad". Whether these activities do more harm than good is debatable. So for example, if a hacktivist were to gain access to the identities of members of a child pornography group by cracking their server, is he doing society a favour? (Out of the three categories described, ethical hacking is normally associated with hired ethical hackers evaluating a system, as described at first. Thus, from here on, we assume that ethical hacking refers to such penetration testers.)
To be an ethical hacker, what skills would you need? Obviously, you have to be an adept computer expert, like any hacker. This means: programming, profound skills concerning computer and networking issues (oh yeah, you just found the best place on the web to learn that) and of course, detailed knowledge about potential target systems such as Windows NT, Windows 2000, Unix and Unix-based systems and their security. These base skills also include knowledge about the hardware and software provided by the more popular computer and networking hardware vendors. Note that an additional specialization in security is not always necessary, as strong skills in the other areas imply a very good understanding of how the security on various systems is maintained. These sorts of management skills are necessary for the actual vulnerability testing and also for the report that has to be handed to the sys admin later on. These are the very basic skills of any computer expert, and hackers have to be a bit more than that sometimes. As a hacker you need immense patience and the capability of continuous concentration. Unlike the way someone breaks into a computer in the movies, the work that ethical hackers do demands a lot of time and persistence: a typical evaluation may require several days, perhaps even weeks of analysis and the actual testing itself. When an ethical hacker encounters a system with which he is unfamiliar, he will most likely spend a lot of time learning everything about the system and trying to find its weaknesses. Finally, keeping up with the ever-changing world of computer and network security requires continuous education and review. As another important "skill" I would add creativity. A hacker is not the kind of person who learns according to the learning standards. Nor does he work according to strict rules. Hackers are individuals who think "out of the box" (quote from a blacksun IRC chat session with RaveN). I like this description pretty much.
During this chat session, somebody said that the man or woman who invented the wheel was a hacker. This is the very point: discovering new facts and innovating new methods.
However, all the skills I mentioned are also essential skills of the criminal hacker. Criminal hackers are known to be extremely patient, willing to monitor a system for days or weeks while waiting for an opportunity to intrude into it, and extremely creative when searching for vulnerabilities. This is not as strange as you might think. Just as in sports or warfare, knowledge of the skills and techniques of your opponent is vital to your success. In fact, the very slight difference between an ethical and a criminal hacker is only their mentality. I will try to explain this in an unbiased way, because terms like "bad" and "good" are subjective and do not really fit here. An ethical hacker is the sort of hacker that believes in freedom of information, that believes in improving the world by "debugging" it. An ethical hacker will use different methods than the criminal hacker - he will never act destructively but always constructively. He wants to repair a system, to fix every single error. An ethical hacker is convinced that he can change something by means of constructively using his skills. He is reliable and trustworthy since he might discover information about the client that should remain secret. In many cases, this information, if published, could obviously lead to real intruders breaking into the systems.
In contrast to that, a criminal hacker acts destructively. He breaks into a system to steal information and probably spread secret data to the net. He might also sell it for his own profit or just delete everything. I would also assign defacements to the cracker-typical actions because they can quickly become a serious problem for organizations that provide services via the Internet. A defacement is always a destructive work because it shows that an error has not been fixed but exploited for whatever reason. Besides that, a defacement does not require any important skills and is not considered hacking. Crackers and criminal hackers act like that either for the thrill of it and to show all their friends how skilled they are (script kiddies) or because they think this could make others realize their security issues. I consider this a bad excuse for acting violently, since the system administrator could be informed about security problems more conveniently by sending him an email, I guess. There might be other reasons ... however, I don't know much about the criminal hacking community and their big aims.
There are many types of crackers in the world but basically they can be broadly classified into the categories described below.
Script-kiddie: In this group are mainly the people with either little technical know-how and/or people who do not want to invest the time in researching and developing vulnerabilities and exploits. They rely mainly on publicised semi-automated scripts or programs exploiting known vulnerabilities, hence the name "script-kiddie". They have low skills and low resources. However, they can be just as effective if the target system has not been patched against the automated scripts that they deploy.
Small group of competent crackers: These people usually have good skills and technical knowledge but low-to-medium resources. They either operate alone or in small groups and like to address people in their group not by their real names but by so-called aliases or handles with exotic sounding names. Because they have good technical skills, they can discover intricate weaknesses or develop small bugs into big security holes. These groups do have some degree of organisation and they keep in contact with one another using underground IRC channels and private websites. Many of them are motivated by egoistical exploits rather than monetary or material gains and so many of these groups do seek publicity.
Highly motivated crackers: These people have medium to good skills and have access to resources in terms of equipment and funds. They are well organised and are motivated mainly by financial and material gains. Invariably some of them can have ties with organised crime. They try to keep a low profile so as not to attract too much attention.
Also those computer experts who are (potential) Ethical Hackers can be classified into categories:
Former black hats: These are reformed crackers. They should know the business since they have first-hand experience in it. However, many organisations do not trust them and are afraid they can divulge the information gained from the test to other black hats.
White hats: These are independent security consultants working either individually or as a group. They profess to have knowledge of and are supposed to be up-to-date with black hat activities. In fact, I consider these people the "real" ethical hackers, those who act according to ethical hacking ideals because they always believed in them.
Consulting firms: Many of the major ICT consulting services nowadays have a security service which could act like an ethical hacker. These firms have good credentials and impressive resumes of their professional staff. However, this category might include former black hats, and eventually also script kiddies and crackers who do what they do only for their own profit.
Note: The terms white and black hats are also used frequently by the popular press. Black hats essentially refer to the bad guys, those people who break into computer systems to do harm. White hats obviously refer to the so-called good guys - but I would like to introduce another term, "Grey Hats". These are the people who study security vulnerabilities in systems and publicise them because they believe in full disclosure. So they are neither black nor white hats, they just provide the information and it is up to you to decide what you want to do with it, either beef up your own defences or exploit other people's defences based on the information.
--------------------------------------------------------------------------------
What do ethical hackers do?
In one early ethical hack, the United States Air Force conducted a "security evaluation" of the Multics operating systems for "potential use as a two-level (secret/top secret) system." Their evaluation found that while Multics was "significantly better than other conventional systems" it also had "vulnerabilities in hardware security, software security, and procedural security" that could be uncovered with "a relatively low level of effort." The authors performed the tests under "a guideline of realism", so that their results would actually represent the kinds of access that an intruder could really achieve. Some of the tests performed were simple information-gathering exercises; others were outright attacks upon the system that might damage its integrity. Obviously, their audience wanted to know both results. There are further unclassified reports that describe ethical hacking activities within the U.S. military; I couldn't find any more reliable and detailed reports though.