Hacking has taken a distinctly commercial turn as entrepreneurial outfits of contractors throughout the world are hiring themselves out to business and Government sites to highlight their security flaws.
One such contractor, Dean Bell, MD for the Middle East office of the Brussels-based ScanIT security company, explains the growing trend of 'ethical hacking'...
Hackers and crackers are often referred to across the world as THE big menace for e-business and the e-society. They are often painted with the same broad brush as several other groups, like virus writers, as waging a cyber war on the internet. Is this threat real or do we need more differentiation when talking about hacking?
From our point of view hackers are the people who break into computer systems and crackers are something that you eat! In the good old days a cracker was someone who broke software copy protection code, and a hacker was someone who found holes in systems that would allow him/her to explore other people's systems. Since then things have changed as the use of computer systems has grown and the material kept on machines has become more valuable. The people attacking the systems have also changed.
It is for this reason that we break down the types of 'hackers' into the following categories:
Individuals and organisations that conduct security audits and research and publish their findings for the common good of the security industry. The people who find vulnerabilities and help fix them, and the people who develop security tools and techniques to counteract such acts in the future.
Companies such as ourselves who test security implementations to make sure that they are true and complete and as secure as can be at any given time. This is done by examining the systems and examining software that is known to have security weaknesses, then informing the customer so that they can close the hole. Advising on new solutions and techniques that can minimize the work and effort of a hacker in the future.
People who break into computer systems for criminal financial gain, espionage or politically motivated reasons. Despite what people think, this does exist, and there are examples that can be found such as the famous Citibank hack and the UK cash-point hack that was successfully nipped in the bud before any substantial harm was caused.
The Ugly (the script kiddies)
Misguided individuals, kids who have nothing better to do with their time than to take advantage of security weaknesses in order to boost their reputation. This is usually done using tools that are available on the internet. A good example of these types of people are website defacers.
Once they have compromised the security of a site they work like graffiti artists, painting the website with their logo and publishing their achievements on websites like www.attrition.org. Alternatively the simple redirecting of the website to that of their competitors has the same effect.
The Council of Europe has drafted the first international convention against cyber crime. One of the goals is to make hacking a crime and to allow the use of 'hacker tools' only for legitimate purposes. Will this provision foster security on the Internet?
The simple answer is 'No'.
Guns don't kill people, people kill people. The internet is out of control and people who want to hack into a system will always find a way. Currently, the most up-to-date mailing list for security problems is 'Bugtraq', which is mailed freely to subscribers on a daily basis (usually over 200 mails a day).
If the type of legislation proposed by the Council of Europe were to be passed then it would make services like 'Bugtraq' illegal; this in turn would spell disaster for the whole security industry. This type of legislation is what is required in the Middle East region, where most countries do not have appropriate laws in place to address cyber crime and fall back on laws such as the stealing or misuse of information, which simply is not enough to prevent hackers from 'having a little fun' at all our expense.
Outlawing hacking tools will make it difficult for IT professionals to secure their systems. If you cannot try out the hack you cannot know if you are protected from it. It will also make education in security nearly impossible.
Using hacking tools or anything at all to break into other people's computers is already illegal. Making the tools themselves illegal will actually prevent people from using them legitimately.