Matt McClure
White vs Gray vs Black Hat Hacking (with Examples)
Pentesters wear lots of different hats. Network and web application assessor. Trusted infosec advisor. Cryptology cracker. Kali master. Writer of reports. There are other hats though in the wide world of information security that we’re going to take a look at today, and those are the white, gray, and black hats.
So what’s the difference between these three monotone monikers? Which are legal, which are not, and which operate in more of a gray area (spoiler alert…)? And most importantly, do they actually wear hats while hacking? Or just ski masks? Are there also white and gray ski masks? And why do hackers need so much headgear? Let’s answer the first, and maybe only the first, of these many important questions.
Who are White Hat Hackers?
We’ll start within the camp of legality with white hat hackers. Hacker is a misleading term in this case, as it carries the implication of operating outside the bounds of the law. White hats, however, always operate strictly within the bounds of computer access laws. To reinforce this distinction, they are sometimes referred to as ethical hackers, setting apart what they do from activity that isn’t legal.
Pentesters are great examples of white hat hackers. They have an engagement with a customer with clear, explicit permission. They have a scope of work to operate within that defines the targets they are attacking, which techniques are allowed or not, what time of day they may run tests and attacks, and the duration of the engagement.
Most importantly, their goal is to help a client’s security posture by strengthening their systems. As part of this, they will disclose every issue, vulnerability, and concern they find while testing a network, while maintaining strict confidentiality.
Besides paid pentest engagements, white hat hackers might also be found participating in bug bounty programs. Companies hosting bug bounties invite anyone to attempt hacks against their systems. In return for disclosing any discovered vulnerabilities, the companies pay a cash bounty to the white hat.
Take Facebook’s bug bounty program for example. There are many things on this page worth pointing out, starting with “If we pay a bounty, the minimum reward is $500.” Not a bad pay day, but Facebook’s bounties have gotten as high as $50,000. The average payout is more like $1,500 however, so don’t start dreaming of hacking Facebook to earn a new Tesla quite yet.
Such programs usually spell out the scope of permitted attacks, such as naming specific sites and disallowing specific techniques. From Facebook: “We consider these terms to provide you authorization, including under the Computer Fraud and Abuse Act (CFAA), to test the security of the products and systems identified as in-scope…” Basically free rein to test any systems within scope with the promise of safe harbor. What you don’t get, however, is their blessing to access users’ accounts or Facebook systems if a vuln is discovered. They do expect you to stop short of such access and provide immediate disclosure.
Companies like Facebook value these programs because they incentivize getting extra sets of well-trained eyes on their code and sites. While Facebook recently has paid out over $1 million per year in bounties, that is cheap next to the legal fees and reputation hits they might face if a bad actor finds those vulnerabilities first.
Who are Black Hat Hackers?
It’s no surprise that the opposite of white hats are black hats. While white hats’ end goals are helping their clients, a black hat’s goal is only malice. The motivation might be financial gain, stealing usernames and passwords, nabbing corporate or state secrets, or generally just causing chaos for their own enjoyment.
Let’s take a moment for a little review of computer law, at least for the U.S. Since we are not lawyers, nor do we play them on TV, don’t take any of this as legal advice but instead as a guidepost to how strict the law can be and what might bring the FBI knocking on (or knocking down) your door.
Facebook already made mention of it, but the main laws against hacking in the US come from the Computer Fraud and Abuse Act. Signed way back in 1986, the bill originally was targeted towards unauthorized access of systems of financial institutions or government agencies. Further amendments though have broadened the protection, now generally covering any internet-connected device.
The meat of the act is to define illegal computer access as “without authorization and as a result of such conduct, caus[ing] damage.” While this is the protection the white hat pentesters hang their hats on, the broadness has caused a lot of controversy which we’ll come back to. The key for black hats though is causing damage, whether by taking down systems or stealing data.
Any kind of data breach you hear about on the news, these are black hats at work. Stealing credit card numbers, passwords, and other personal information to resell is the bread and butter of the average black hat hacker. Another common tactic is spreading ransomware, which encrypts files until a ransom is paid up within a given time frame.
Who are Gray Hat Hackers?
In the middle of white hats and black hats, you have the gray hat hackers. Not out to cause malice or steal your passwords, but not necessarily on the right side of the law either.
A typical gray hat might be on the prowl scanning sites or web apps looking for vulnerabilities, not with permission as part of an engagement, but also not necessarily intending to break in. Their game instead might be to contact the owner of a vulnerable site, report that they found some problems, and ask for payment in return for information about a fix. If the company doesn’t cooperate, they might post what they found publicly, causing downtime or embarrassment for the company targeted.
Back now to the Computer Fraud and Abuse Act and the controversial definition around any activity done “without authorization and as a result of such conduct, causes damage.” Gray hats definitely check the box for the “without authorization” part, but what about “causing damage”?
One such controversy came from security researcher David Levin who reported a SQL injection vulnerability on a Florida county elections website. With no ill intent, he reported to the state how the injection granted access to plain text credentials and other database records. Levin was soon arrested on three counts of unauthorized access and released on a $15,000 bond.
There are two very polarizing sides to argue on stories like this. One is that he did no damage, stole no information, and did no public disclosure, but instead reported a serious issue on a public facing system to prevent bad actors from finding and exploiting the same issue. On the other hand, he had no permission or authorization to scan the systems and did in fact gain unauthorized access.
By the letter of the law Levin is guilty, but by the spirit of the law he was acting on the best intentions to protect a vulnerable piece of public infrastructure.
One argument against Levin was that he didn’t just stop at finding the vulnerability, but also reported on accessing data as part of his disclosure, simply to demonstrate the damage the exploit could cause. Would stopping at discovering the SQL injection have been a sufficient report and avoided his arrest? Or would the letter of the law have prevailed, saying that even attempting such attacks violates the law?
Such is the quandary facing both the practice and defense of gray hat hacking. It’s easy to call out the state and say a bad actor wouldn’t have stopped where Levin did. A bad actor would have stolen all the data, sold what was valuable, changed records to tamper with the election, or any number of malicious activities. A bad actor wouldn’t have practiced anything close to responsible disclosure.
An attack even more innocuous than running SQL injections, though, is the humble port scan. A simple knock-knock on TCP ports, just to see what’s open and what’s closed on a given host. This alone is such a sticky legal subject that the makers of Nmap have a page devoted to it. While port scanning is generally not considered illegal, there have been cases of legal action. It might be fair to question what “damage” was done, again quoting from the Computer Fraud and Abuse Act. The answer in one case: “time spent investigating the port scan and related activity.” Ugh.
What is more common though are ISPs banning you as a customer when hacking-esque behavior like port scanning is detected. Other service providers frown upon it as well; AWS specifically calls it out in their security docs, saying “Unauthorized port scans by Amazon EC2 customers are a violation of the AWS Acceptable Use Policy.”
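To make the detection side concrete, here is an added example (written for this post, not code from Nmap, AWS or any ISP) of the kind of check a provider might run over connection logs: a source that touches many distinct TCP ports on one host within a short window gets flagged as scanning. The log format, the sample lines and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical firewall log format:
# "<epoch> <src_ip> -> <dst_ip>:<dst_port> <DENY|ALLOW>"
SAMPLE_LOG = """\
1700000000 203.0.113.5 -> 198.51.100.10:22 DENY
1700000001 203.0.113.5 -> 198.51.100.10:23 DENY
1700000001 203.0.113.5 -> 198.51.100.10:25 DENY
1700000002 203.0.113.5 -> 198.51.100.10:80 ALLOW
1700000002 203.0.113.5 -> 198.51.100.10:110 DENY
1700000003 203.0.113.5 -> 198.51.100.10:143 DENY
1700000003 203.0.113.5 -> 198.51.100.10:443 ALLOW
1700000004 203.0.113.5 -> 198.51.100.10:3306 DENY
1700000004 203.0.113.5 -> 198.51.100.10:3389 DENY
1700000005 203.0.113.5 -> 198.51.100.10:8080 DENY
1700000010 192.0.2.44 -> 198.51.100.10:443 ALLOW
1700000020 192.0.2.44 -> 198.51.100.10:443 ALLOW
1700000100 192.0.2.44 -> 198.51.100.10:80 ALLOW
"""

LINE_RE = re.compile(r"^(\d+) (\S+) -> (\S+):(\d+) (DENY|ALLOW)$")

def parse_log(text):
    """Yield (timestamp, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, port, _ = m.groups()
            yield int(ts), src, dst, int(port)

def detect_port_scans(text, window=60, min_ports=8):
    """Return {(src, dst): distinct_ports} for every source/destination pair
    that hit at least min_ports distinct ports inside some window of
    `window` seconds. Thresholds are assumptions; tune them per network."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        events[(src, dst)].append((ts, port))
    flagged = {}
    for pair, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it fits inside `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[pair] = max(len(ports), flagged.get(pair, 0))
    return flagged
```

Ordinary browsing (the 192.0.2.44 lines) never clears the threshold, while the ten-port sweep from 203.0.113.5 does.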
There is one key characteristic we’ve seen that will firmly plant you on one side or the other when it comes to the legality of your security activities, and that is authorization. Good intentions without authorization? That will put you literally in a gray area, maybe with unfortunate consequences. Before any activity against a host that you don’t own or have permission to enumerate, take a second to consider whether it’s worth straying from the way of the white hat.