CYB3R53C

Cybersecurity Starts Here: Explore, Learn, and Secure Your Operations

Jairo Rodriguez (Publisher)

Computer Engineer, OT Cybersecurity Specialist

White Hat, Grey Hat, and Black Hat Hackers

A hacker who finds a method of exploiting a security loophole in a program, and who tries to publish or make known the vulnerability, is called a white hat hacker. If, however, a hacker finds a security loophole and chooses to use it against unsuspecting victims for personal gain, that hacker wears a black hat. A grey hat hacker is someone who is a “white hat by day, black hat by night.” In other words, grey hats are hackers who are usually employed as legitimate security consultants but continue their illegal activity on their own time.
Let’s look at an example of someone who might be considered a grey hat. Imagine Jane, a security consultant who finds an insecure back door to an operating system. Although Jane does not use the exploit to attack unsuspecting victims, she does charge a healthy fee in order to secure her client’s systems against this attack. In other words, Jane is not exploiting the deficiency per se, but she is using this deficiency for her own personal gain. In effect, she is extorting money from organizations in order to prevent them from being left vulnerable. Jane does not work with the manufacturer towards creating a public fix for this problem, because it is clearly within her best interests to ensure that the manufacturer does not release a free patch.
To cloud the issue even further, many people mistake the motivation of those who post the details of known bugs to public forums. People often assume that these individuals are announcing such vulnerabilities in order to educate other attackers. This could not be further from the truth—releasing vulnerability information to the public alerts vendors and system administrators to a problem and the need to address it. Many times, publicly announcing a vulnerability is done out of frustration or necessity.
For example, back when the Pentium was the newest Intel chip in town, users found a bug that caused computation errors in the math coprocessor portion of the chip. When this problem was first discovered, a number of people did try to contact Intel directly in order to report the problem. I spoke with a few, and all stated that their claims were met with denial or indifference.
It was not until details of the bug were broadcast throughout the Internet and discussed in open forums that Intel took steps to rectify the problem. While Intel did finally stand by its product with a free chip replacement program, people had to air Intel’s dirty laundry in public to get the problem fixed. Making bugs and deficiencies public knowledge can be a great way to force a resolution. It is proper etiquette to inform a product’s vendor of a problem first and not make a public announcement until a patch has been created. The general guideline is to give a vendor at least two weeks to create a patch before announcing a vulnerability in a public forum.
Most manufacturers have become quite responsive to this type of reporting. For example, Microsoft will typically issue fixes to security-related problems within a few days of their initial announcement. Once the deficiency is public knowledge, most vendors will want to rectify the problem as quickly as possible.
Public airing of such problems has given some observers the wrong idea. When someone finds a security-related problem and reports it to the community at large, others may think that the reporter is an attacker who is exploiting the security deficiency for personal gain. This openness in discussing security-related issues, however, has led to an increase in software integrity.
Source: Active Defense, Chris Brenton & Cameron Hunt
