Grey Hat Hacker
   HOME

TheInfoList



OR:

A grey hat (greyhat or gray hat) is a
computer hacker A hacker is a person skilled in information technology who achieves goals and solves problems by non-standard means. The term has become associated in popular culture with a security hackersomeone with knowledge of bug (computing), bugs or exp ...
or
computer security Computer security (also cybersecurity, digital security, or information technology (IT) security) is a subdiscipline within the field of information security. It consists of the protection of computer software, systems and computer network, n ...
expert who may sometimes violate laws or typical
ethical standards Ethics is the philosophical study of moral phenomena. Also called moral philosophy, it investigates normative questions about what people ought to do or which behavior is morally right. Its main branches include normative ethics, applied ethics ...
, but usually does not have the malicious intent typical of a black hat hacker. The term came into use in the late 1990s, and was derived from the concepts of " white hat" and "black hat" hackers. When a white hat hacker discovers a
vulnerability Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." The understanding of social and environmental vulnerability, as a methodological approach, involves ...
, they will exploit it only with permission and not divulge its existence until it has been fixed, whereas the black hat will illegally exploit it and/or tell others how to do so. The grey hat will neither illegally exploit it, nor tell others how to do so. A further difference among these types of hacker lies in their methods of discovering vulnerabilities. The white hat breaks into systems and networks at the request of their employer or with explicit permission for the purpose of determining how secure it is against hackers, whereas the black hat will break into any system or network in order to uncover sensitive information for personal gain. The grey hat generally has the skills and intent of the white hat but may break into any system or network without permission. According to one definition of a grey-hat hacker, when they discover a vulnerability, instead of telling the vendor how the exploit works, they may offer to repair it for a small fee. When one gains illegal access to a system or network, they may suggest to the system administrator that one of their friends be hired to fix the problem; however, this practice has been declining due to the increasing willingness of businesses to prosecute. Another definition of grey hat maintains that grey hat hackers only arguably violate the law in an effort to research and improve security: legality being set according to the particular ramifications of any hacks they participate in. In the
search engine optimization Search engine optimization (SEO) is the process of improving the quality and quantity of Web traffic, website traffic to a website or a web page from web search engine, search engines. SEO targets unpaid search traffic (usually referred to as ...
(SEO) community, grey hat hackers are those who manipulate websites' search engine rankings using improper or unethical means but that are not considered search engine spam. A 2021 research study looked into the
psychological Psychology is the scientific study of mind and behavior. Its subject matter includes the behavior of humans and nonhumans, both consciousness, conscious and Unconscious mind, unconscious phenomena, and mental processes such as thoughts, feel ...
characteristics of individuals that participate in hacking in the workforce. The findings indicate that grey hat hackers typically go against authority, black hat hackers have a strong tendency toward thrill-seeking, and white hat hackers often exhibit
narcissistic Narcissism is a self-centered personality style characterized as having an excessive preoccupation with oneself and one's own needs, often at the expense of others. Narcissism, named after the Greek mythological figure ''Narcissus'', has evolv ...
traits.


History

The phrase ''grey hat'' was first publicly used in the computer security context when
DEF CON DEF CON (also written as DEFCON, Defcon, or DC) is a Computer security conference, hacker convention held annually in Las Vegas Valley, Las Vegas, Nevada. The first DEF CON took place in June 1993 and today many attendees at DEF CON include comp ...
announced the first scheduled
Black Hat Briefings Black Hat Briefings (commonly referred to as Black Hat) is a computer security conference that provides security consulting, training, and briefings to hackers, corporations, and government agencies around the world. Black Hat brings together ...
in 1996, although it may have been used by smaller groups prior to this time. Moreover, at this conference a presentation was given in which Mudge, a key member of the hacking group L0pht, discussed their intent as grey hat hackers to provide Microsoft with vulnerability discoveries in order to protect the vast number of users of its operating system. Finally, Mike Nash, Director of Microsoft's server group, stated that grey hat hackers are much like technical people in the independent software industry in that "they are valuable in giving us feedback to make our products better". The phrase ''grey hat'' was used by the hacker group L0pht in a 1999 interview with ''
The New York Times ''The New York Times'' (''NYT'') is an American daily newspaper based in New York City. ''The New York Times'' covers domestic, national, and international news, and publishes opinion pieces, investigative reports, and reviews. As one of ...
'' to describe their hacking activities. The phrase was used to describe hackers who support the ethical reporting of
vulnerabilities Vulnerability refers to "the quality or state of being exposed to the possibility of being attacked or harmed, either physically or emotionally." The understanding of social and environmental vulnerability, as a methodological approach, involves ...
directly to the software vendor in contrast to the full disclosure practices that were prevalent in the white hat community that vulnerabilities not be disclosed outside of their group. In 2002, however, the Anti-Sec community published use of the term to refer to people who work in the security industry by day, but engage in black hat activities by night. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lent a sense of popular notoriety. Following the rise and eventual decline of the full disclosure vs. anti-sec "golden era"—and the subsequent growth of an "ethical hacking" philosophy—the term ''grey hat'' began to take on all sorts of diverse meanings. The prosecution in the U.S. of Dmitry Sklyarov for activities which were legal in his home country changed the attitudes of many security researchers. As the Internet became used for more critical functions, and concerns about terrorism grew, the term "white hat" started referring to corporate security experts who did not support full disclosure. In 2008, the EFF defined grey hats as ethical security researchers who inadvertently or arguably violate the law in an effort to research and improve security. They advocate for computer offense laws that are clearer and more narrowly drawn.


Examples

In April 2000, hackers known as "" and "Hardbeat" gained unauthorized access to Apache.org. They chose to alert Apache crew of the problems rather than try to damage the Apache.org servers. In June 2010, a group of computer experts known as Goatse Security exposed a flaw in
AT&T AT&T Inc., an abbreviation for its predecessor's former name, the American Telephone and Telegraph Company, is an American multinational telecommunications holding company headquartered at Whitacre Tower in Downtown Dallas, Texas. It is the w ...
security which allowed the e-mail addresses of
iPad The iPad is a brand of tablet computers developed and marketed by Apple Inc., Apple that run the company's mobile operating systems iOS and later iPadOS. The IPad (1st generation), first-generation iPad was introduced on January 27, 2010. ...
users to be revealed. The group revealed the security flaw to the media soon after notifying AT&T. Since then, the
FBI The Federal Bureau of Investigation (FBI) is the domestic Intelligence agency, intelligence and Security agency, security service of the United States and Federal law enforcement in the United States, its principal federal law enforcement ag ...
opened an investigation into the incident and raided the house of weev, the new group's most prominent member. In April 2011, a group of experts discovered that the Apple iPhone and 3G iPads were "logging where the user visits". Apple released a statement saying that the iPad and iPhone were only logging the towers that the phone could access. There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as "grey hat" because although the experts could have used this for malicious intent, the issue was nonetheless reported. In August 2013, Khalil Shreateh, an unemployed computer security researcher, hacked the Facebook page of
Mark Zuckerberg Mark Elliot Zuckerberg (; born May 14, 1984) is an American businessman who co-founded the social media service Facebook and its parent company Meta Platforms, of which he is the chairman, chief executive officer, and controlling sharehold ...
in order to force action to correct a bug he discovered which allowed him to post to any user's page without their consent. He had tried repeatedly to inform Facebook of this bug only to be told by Facebook that the issue was not a bug. After this incident, Facebook corrected this vulnerability which could have been a powerful weapon in the hands of professional spammers. Shreateh was not compensated by Facebook's White Hat program as he violated their policies, thus making this a grey hat incident.


See also

* Anonymous (hacker group) *
Cybercrime Cybercrime encompasses a wide range of criminal activities that are carried out using digital devices and/or Computer network, networks. It has been variously defined as "a crime committed on a computer network, especially the Internet"; Cyberc ...
*
Cyberwarfare Cyberwarfare is the use of cyberattack, cyber attacks against an enemy State (polity), state, causing comparable harm to actual warfare and/or disrupting vital computer systems. Some intended outcomes could be espionage, sabotage, propaganda, ...
*
Hacktivism Hacktivism (or hactivism; a portmanteau of ''hack'' and ''activism''), is the use of computer-based techniques such as hacking as a form of civil disobedience to promote a political agenda or social change. A form of Internet activism with roots ...
*
IT risk It or IT may refer to: * It (pronoun), in English * Information technology Arts and media Film and television * ''It'' (1927 film), a film starring Clara Bow * '' It! The Terror from Beyond Space'', a 1958 science fiction film * ''It!'' (1967 ...
* Metasploit * Mischief *
Penetration test A penetration test, colloquially known as a pentest, is an authorized simulated cyberattack on a computer system, performed to evaluate the security of the system; this is not to be confused with a vulnerability assessment. The test is perform ...


References


Further reading

* * {{DEFAULTSORT:Grey Hat Hacking (computer security)