Ethical or Unethical Hacker?

Tuesday, May 01, 2012

Marc Quibell
You know, in light of events that occurred just yesterday, I'm a little confused.

What exactly is an ethical hacker? Whose ethics are we going by, and what are the standards of ethical hackers? Is there a creed or a motto or something?

"Do no harm unless asked, and don't be dissin' my white hat" ? (There are actual mottos out there if you Google for them). How do I know you're ethical? Just because you said so? Is there a badge you can show me? (hmmm, that actually sounds like a good idea, maybe it's time for credentials and/or vetted Ethical Hackers?)

Maybe you're a poser! Maybe your hat is black on the inside and you just flip it inside-out when you get a wild hair!

Yesterday I came into work early, turned on my LinkedIn home page and started browsing the IT news. It's that morning rigmarole all of us IT people go through, coffee mug in one hand, mouse in the other. Different scenario for different folks; could be an iPad in one hand, cappuccino in the other, or a Galaxy pad 7 and a Red Bull.

Whatever it is, the end result is the same. Anyways, right there in front of me as a top IT News article was an article on how to pwn a Hotmail account. It was a 0-day exploit, which meant no one at Microsoft was notified of the exploit.

The article was written by a person whose name I shall not mention, and this person apparently lives in Egypt from what I could tell; a self-described ethical hacker. Naturally my first reaction was, "Ya right" (cuz I'm skeptical that way, it's how I roll).

I went on to the link to read the guy's blog and there were all the steps in black-and-white, a way to reset a Hotmail account's password, using the Windows Live password change or reset page. All you needed was someone's Hotmail address.

There were also some comments at the bottom from people trying to do it but having difficulties, and then further down the author comments that Microsoft must have caught on and must be working on it, because now the page is unavailable. Now I was thinking this is serious and it might actually work, judging by the methodology and the comments.

I also saw some of the author's tweets and he was posting stuff like "Wait for my HOW-TO Compromise any Hotmail, Yahoo or AOL Account... Very Soon!" I was immediately alarmed by the fact that this stuff was posted, first by a so-called ethical hacker, and second, on LinkedIn as a news article.

I contacted LinkedIn and a group owner who was also displaying the article. I also reported the article as inappropriate. I had great responses from both, the group owner first and then LinkedIn staff (Thanks Traycee).

Both took down the article as soon as they could.

This whole incident brings me back to my questions concerning Ethical Hackers. How could a real "Ethical Hacker" post this kind of malicious content? I'm really trying to understand this - help me out here, maybe it's something I'm missing. Maybe it's a cultural difference.

Maybe, in Egypt, this is acceptable practice? Is this just a cultural misunderstanding? Or maybe this guy is posing as being ethical? If I'm missing something, please let me know.

Otherwise, I'm assuming this is anything but ethical hacking. This is just downright irresponsible.

Michael Hooper Mike Hooper, CISSP, C|EH - Clearly unethical. The difference between an ethical hacker and an unethical hacker is the subscription to and adherence to a prescribed code of ethics governed by a certifying body. The CISSP and the C|EH both require strict adherence to their defined code of ethics, lest your certifications be revoked. An individual is not credible when said individual self-describes him or herself as something or someone they are not. A certifying body has to be involved for that person to be credible.

Michael Hooper Mike Hooper, CISSP, C|EH - In relation to the article, the difference between ethical vs. unethical is that an ethical hacker, upon suspecting that the zero-day exploit would work, would have contacted Microsoft immediately, reported the problem, and possibly offered licensed pen-testing services to verify. An unethical hacker, as in this case, would attempt to exploit the zero-day and then tell everyone in the world about it except Microsoft, so that script kiddies and everyone else can compromise said email accounts. In the U.S. I believe this would have been a crime.
Michael Johnson A hacker understands the technologies, and constantly builds on that understanding.
An 'ethical hacker' understands penetration testing.

The smartest and most creative hackers I know aren't bothering with CISSP, C|EH, et al. They got head-hunted for lucrative programming jobs long ago.
I'd also add that proper ethics are self-developed over time, not instilled through a CISSP rule book.
Michael Hooper I agree that some of the smartest hackers are turned off by certifications. However, ethics are viewed through the eye of the beholder. What one person believes is ethical may not be to another. That is where a code of ethics comes into play. It sets left and right limits, as guidelines, not a rule book per se. Our friend in Egypt acted unethically.
Christine Stagnetto-Sarmiento Hi Michael,
I agree with you. Other hackers work for government.
Marc Quibell And the FBI... Just goes to show that where there is a lack of ethics... well, don't expect ethical behaviors such as loyalty, honesty, etc. It's a dog-eat-dog situation and doomed to fail where there is a group effort involved.
Christine Stagnetto-Sarmiento Marc,

I liked your point of view, "a dog-eat-dog..."
Michael Johnson Certainly, and my belief is that most genuine hackers develop their ethics over time as they gain understanding of the technologies, methods and implications. They understand that certain standards must be upheld in order to maintain security, privacy and freedom on the Internet in the long run.
If we act 'unethically', we set a dangerous precedent, and make it easier for the less skilled to abuse their powers to the detriment of everyone.

Then we have a subset of very talented hackers who can't afford the certifications, the degrees or the opportunities to make a decent income through legitimate means, and then it becomes dog-eat-dog.
Michael Hooper @Michael, Christine, Marc - Agreed. Marc, it's a good article. A source told me the person actually holds CEH; at least, it is listed on his resume.
Marc Quibell Well, I suppose after all, the point with the guy having a CEH is exactly what I was talking about: just because they have a CEH does not make them ethical. There may be some expectations of them when they sign up for the program and pass the test, but there really is no "ethics police" from orgs like ISC2 or CompTIA who will be there to revoke your certification based upon some comment you made online. Even IF someone tattled on you, I doubt they even have the time or the resources to start an "investigation" against someone for unethical behavior. I don't think you could even begin to enforce expected behaviors.

I don't believe that ethics really change at all. Now, behaviors may change or your point of view may change, as you become enlightened that there are actually other sides of the story, but ethics is something you mostly are born with or get from your family as you mature. Ethics rarely change; they are a set of 'core' beliefs. This is a whole new topic in and of itself, however, so, back to the point.

You're right, 'hackers' don't get certifications, and why would they? I'd be surprised if they had the discipline to finish high school. I think in this situation, what we have here is someone who just ignorantly reposted someone else's code for the purpose of gaining an audience.
Michael Hooper Yes, the lack of a strong enforcement body could be problematic for EC-Council in the long-term. Reputation is very important in all circles, whether it's a black hat hacker, an "ethical hacker", or a security professional. Very interesting...