Pentesters can wear many hats. Network and web application assessor. Trusted infosec advisor. Cryptology cracker. Kali master. Writer of reports. We’ll also be looking at other hats in the vast world of information security. These are the black, gray, and white hats.
What’s the difference between these three monochrome monikers? Which are legal, which ones aren’t, and which operate in a grayer area (spoiler alert …)? Do they actually wear hats while hacking? Or are they just wearing ski masks? Are there white and gray ski masks available? Why do hackers need so much headgear? Let’s try to answer the first of these important questions.
Who are White Hat Hackers, you ask?
We’ll begin in the legality camp with white-hat hackers. The term “hacker” is misleading here because it implies operating outside the law. White hats, however, operate within the limits of computer access laws. They are sometimes called ethical hackers to help distinguish their legal activity from illegal activity.
Pentesters are a great example of white-hat hackers. They have a clear and explicit agreement with a customer. They have a scope that defines their work: the targets they will attack, the techniques they may use, and the time window in which they may run attacks and tests.
They will share every vulnerability, concern, and issue they find while testing a network, while keeping strict confidentiality.
White hat hackers may also participate in bug bounty programs. Companies that host bug bounty programs invite hackers to try hacking their systems and offer a cash bounty to anyone who discloses a vulnerability.
Take Facebook’s bug bounty program. Its page has many interesting things to point out. It starts with “If you pay a bounty, $500 is the minimum reward.” Although this is a good pay day, Facebook’s bounties have reached as high as $50,000. However, the average payout is closer to $1,500, so don’t get too excited about hacking Facebook to win a new Tesla.
These programs often specify the permissible attacks, naming specific in-scope sites and disallowing certain techniques. Facebook: “We consider this to be authorization, including under Computer Fraud and Abuse Act (CFAA), to test security of the products and system identified as in-scope …”. This essentially gives you free rein to test any system within the scope, with the promise of safe harbor. However, it does not grant permission to access user accounts or Facebook systems once a vulnerability is found. Instead, you are expected to stop there and disclose the vulnerability immediately.
These programs are valued by companies like Facebook because they encourage additional sets of well-trained eyes to look at their code and sites. Facebook has recently paid over $1 million annually in bounties. That is still far less than the legal fees and reputation damage they would face if a bad actor discovered those vulnerabilities first.
Who are Black Hat Hackers, you ask?
It’s not surprising that black hats are the opposite of white. While white hats are focused on helping clients, black hats are motivated only by malice. They might be after financial gain, stolen passwords and usernames, or corporate or state secrets. Or they may just want to cause chaos for their own enjoyment.
Let’s briefly review computer law in the United States. We are not lawyers, and we don’t play them on TV, so this is not legal advice.