How to fend off aggressive white-hat hackers

Recently, a former student of mine wrote me asking how to handle an overzealous white-hat hacker. In this case, the hacker had probed the publically exposed computer networks and assets of my friend’s company, then left multiple copies of a document describing the weaknesses he found — and asked to be hired to close the holes and locate more weaknesses.

Large companies find themselves on the receiving end of such aggressive solicitations on a regular basis. My friend asked if I thought the hacker’s actions were unethical. My answer: Any security probing of a computer or network without the express permission of the owners is an ethical violation.

[ Also on InfoWorld: No honeypot? Don’t bother calling yourself a security pro | Keep up with key security issues with InfoWorld’s Security Central newsletter. ]

This particular white hat (better defined as a gray hat) listed his computer security certifications and accomplishments. I told my friend he should tell the hacker to contact the various certification agencies and ask them how they felt about his unrequested services. They, too, will tell him that his actions were unethical. In many cases they would be illegal, as well. Whitehat hackers have been arrested and convicted for doing the same.

Between white hat and black hat is gray hat

Nonetheless, although I consider what the white-hat hacker did in this scenario to be unethical, I don’t consider him to be all bad. Simply hacking your network and doing devious things would be all bad. This is more of a gray area — hence the gray-hat designation. I’m sure the hacker’s intent was simply to get a job using his skills in a “good” way. I mean, what harm could there be in identifying weaknesses and telling people about them — and possibly drumming up money along the way?

Let me repeat: It’s unethical and possibly illegal.

But in the interest of full disclosure, I confess that I’ve been that guy. Two decades ago when I was first starting out in computer security, I too was looking to drum up business. I think nearly every independent hacker considers the same simple plan: Scan lots of businesses, find weaknesses, and offer fix-it or find-it services. Every website and computer network on the Internet has existing, publicly accessible weaknesses and flaws. Hey, we’re just highlighting them to the owners. It’s a proactive service for the good of the community.

Except it stinks from an ethics standpoint. Thankfully, although I considered it, I didn’t follow my urges. I realized that the only way to build a good reputation was to do white-hat hacking when invited by the owners or custodians.

It’s like driving by a business or home at night and checking to see if the doors are locked and the alarms are engaged — then notifying the owner that they aren’t and offering your services to make sure the locks are automatically secured from now on. I think I know how most people would respond to that offer, and I doubt the local constabulary would hesitate to oblige.

A measured response

With the online equivalent, it’s a little trickier. If you respond harshly, you risk offending the hacker; the next time they explore your network you might not know about it. The Internet is full of stories of spurned, previously “good guy” hackers who move over to the dark side because someone (or a bunch of someones) pissed them off. Or because they decide there’s easier, faster money to be made.

On the other hand, I would never hire hackers making such a solicitation. While a big part of me would want to pay them for services my company obviously needed, paying them anything is somewhat like paying hostage takers. It would only encourage them to engage in future unethical behavior.

Instead, I would graciously thank them for their notification and let them know I’m already working on rectifying the found issues (hopefully, you’re really doing this). Second, I would let them know that while I appreciated being notified about weaknesses, such unrequested probes are unethical, at the very least. I’d recommend the hackers read their certification bodies’ (if they have certifications) ethical statements. Most likely they signed one of these when they obtained their skills and/or certification.

If the hacker responded in a hostile manner, I would kick it up a notch and report the violation to law enforcement authorities — if only to start a legal paper trail. I would notify the hacker and the certification body (if applicable) about the ethical violations. I would then make darn sure I’m monitoring my network better and have fixed all the weaknesses the hacker found and the ones they may be likely to uncover in the future.

If it were me, I’d be gentle at first. After all, the intentions are not necessarily evil. Your reply should be the same: businesslike, but denying services or employment and pointing out the ethical problem.

Had I ventured into gray-hat areas, I would have been lucky if someone had firmly, but nicely, helped me get on the straight and narrow. Think of it as a rare opportunity to make the world a better place.

This story, “How to fend off aggressive white-hat hackers,” was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at InfoWorld.com. For the latest business technology news, follow InfoWorld.com on Twitter.