Is Ethical Hacking Actually Ethical or even Legal?

There are three generally accepted categories of hacker, each represented by a hat of a different colour: white, grey and black. All of them exploit weaknesses in computer systems and networks; the difference between them is motivation. The most infamous are the black hat hackers, the computer criminals epitomised by Hollywood, whose malicious activities serve their own ends, ranging from financial gain to simply causing chaos. White hat hackers practise the same craft, but with the system owner's authorisation and no criminal intent. Grey hats sit somewhere in the middle, often breaking into a system just to prove they can, but afterwards usually notifying the vendor or owner of the weakness.

White hat hackers, also known as ethical hackers, are the ones hired by companies to carry out penetration testing, a controlled attack that shows how secure the company's systems actually are. It's a necessary business service. Without penetration testing carried out by ethical hackers, how else would a business identify its weaknesses and shore up its defences against the real criminals?

But is ethical hacking actually ethical? Or, more importantly, is ethical hacking even legal?

Most organisations believe that authorising an ethical hacker to test their defences is enough legal protection to justify both sets of actions: the company's hiring of the hacker, and the hacker's questionable activities, which the hacker in turn believes are justified because they are acting in the best interests of the company that hired them.

And the answer to this dilemma is, of course, that it depends.

In writing my novel, Invasion of Privacy, where the main protagonist is a so-called ethical hacker, it became apparent to me how grey their world really is. In the interests of dramatic fiction, it was fun to take things to extremes; to have the character go beyond the call of duty in order to get the job done. But in doing so, I began to wonder how far ethical hackers stray outside of the law.

Obviously, it depends on how far the hacker is willing to go to test the systems. Or worse, to switch into grey hat mode, determined to break in just to prove they can.

Social engineering is a technique hackers use to trick people into giving up confidential information. White hat hackers employ it to test a company's defences, since under a real attack a black hat hacker may well do the same. This often means that the ethical hacker ends up logging into systems using someone else's credentials, obtained by deceiving that person. Whether this crosses a legal line depends on what the written authorisation actually covers: the system owner can authorise access to its own systems, but it cannot authorise away the rights of the people whose data is then exposed. If the information reached is customer or employee personal data, then both the hacker and the company may be in breach of the data protection legislation in force.

A common technique for reaching a company's systems is to go in via its business partners. Large corporate organisations often have strong security measures in place, so it is natural to focus on the weakest links in the supply chain: suppliers or customers. These may be smaller companies with limited protections, but with privileged access to systems provided by the large corporate. An ethical hacker may therefore break into a business partner's systems first (in whatever way makes sense) and then hop across to the intended target over that trusted connection. The catch is that the target's authorisation cannot extend to systems it does not own; only the partner can authorise testing of its own systems. Unless the business partner has been explicitly included in the scope of the penetration test, the ethical hacker has strayed outside the boundaries of the law to achieve their aims.

And so it goes on.

Companies hire ethical hackers because they need to test their security. By granting permission for the pentest, they effectively cover their corporate eyes and ears while the tests are carried out. See no evil, hear no evil. At the end, the ethical hacker presents a nicely polished report pointing out the weaknesses and the associated recommendations. What the company has no idea about is how many laws it may have enticed the ethical hacker to break to get to this point. The ethical hacker may not know or, more importantly, may not care about the laws that have been broken.

What’s the moral of this story? Perhaps it’s that there really is no such thing as a white hat hacker in the real world. The world is very grey indeed.

6 Responses to Is Ethical Hacking Actually Ethical or even Legal?

  1. Larry says:

    No laws have been broken if conducted properly. Many security researchers provide a penetration test as a professional service where specific goals are established, agreed upon, documented, and followed in a detail-oriented assessment plan. Everything is above the table and the customers understand that this type of service is essential to expose well-hidden vulnerabilities and accurately determine their impact.

    If you accidentally lock your keys in the car and hire a professional locksmith to recover them, they would confirm your identity and require you to sign a waiver indicating that you agree upon the service. Do you also believe they are breaking the law too?

    • I'm sure that there are many professional pentest agencies that aim to do everything above board. My point is that it comes down to the individual security consultant on the project and how far they choose to go. Some consultants will unwittingly stray outside the bounds of the law in order to prove their own competence. They know that real black hat hackers will use every trick in the book, many of which are illegal, and so to prove their own worth may adopt similar approaches. Which is where the dilemma arises.
      But you're right, the professionalism of the pentest firm is a major driving factor in the legality of the approach agreed with the client. But then, how effective is the pentest without attempting all the illegal approaches? And even if the client provides some level of indemnity, they do not have the right to authorise someone to break laws like data protection, and so there is no cover provided if the pentest consultant strays into such territory.

  2. Tanmay says:

    Hacking is of course illegal, but when you add the word "ethical" to hacking it becomes a legal matter. Here is a simple definition of ethical hacking: Ethical Hacking is when trained security professionals hack into systems with the permission of the system owners to test for security weaknesses. Ethical hacking is completely legal and can only be done with the permission of system owners or administrators. It is part of an overall security program. Ethical hacking is also called Penetration Testing.
    I wrote a small article about 'what is ethical hacking and who are ethical hackers' in my blog post:

    • Tanmay, I agree to a point. Even with permission to test, it depends on how far the ethical hacker goes to carry out the test. If they break a country's data protection laws or come in via a business partner's site (not within the remit of the company providing permission), then they have technically broken the law regardless. However, the odds of any repercussions as a result are very small as there is no one to press charges.

  3. US Council says:

    Cyber Security Certification and Training, CEH Training, Online Ethical Hacking Certification, EHCE Certification, Certified Ethical Hacking Training, Ethical Hacking and Counter Measure Expert, etc. US Council Certification and Training offers them all to you at affordable prices.

  4. Frank Bean says:

    “Some consultants will unwittingly stray outside the bounds of the law in order to prove their own competence.”

    Eh, attributing motive to anyone other than oneself is a poor basis for an argument. Legal, not legal, really makes no difference once a company gets popped. If a company, or worse, busybodies in the tech world are concerned this much with pen testers being Dudley Do-Right, then it's a fair assumption they've missed the entire purpose of a pen tester.
