Grey hat
Encyclopedia
A grey hat, in the hacking community, refers to a skilled hacker
whose activities fall somewhere between white and black hat
hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities. They usually do not hack for personal gain or have malicious intentions, but may be prepared to technically commit crimes during the course of their technological exploits in order to achieve better security. Whereas white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to "advise the hacker community as well as the vendors and then watch the fallout".
in 1998. The group references it in an interview with the NY Times
from 1999 describing their "gray-hat" behavior. The earliest known use of the term Grey Hat, in the context of computer security literature, may be traced back to 2001. The phrase was used to describe hackers who support the ethical reporting
of vulnerabilities
directly to the software vendor. He contrasted this with the full disclosure
practices that were prevalent in the white hat community at the time; and the principles of the black hat
, whereby no one should be made aware of security holes.
In 2002, however, the Anti-Sec
community published use of the term to refer to people who work in the security industry by day, but engage in black hat activities by night. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lent a sense of popular notoriety.
Following the rise and eventual decline of the Full Disclosure vs Anti-Sec "golden era" - and the subsequent growth of Ethical Hacking philosophy—the term grey hat began to take on all sorts of diverse meanings. The prosecution in the US of Dmitry Sklyarov
for activities which were legal in his home country changed the attitudes of many security researchers. As the Internet became used for more critical functions, and concerns about terrorism grew, the term white hat started referring to corporate security experts who did not support full disclosure.
Nevertheless, in 2004, Harris (et al.) published a book on grey hat methodologies. This built upon the idea that black hats have malicious intentions and do not disclose their secrets; whereas white hats always engaged in public full disclosure, freely publicising security flaws in the hope that they will be fixed. The authors espoused that grey hats fall somewhere between, in that they derive income from notifying the vendor of what needs to be fixed after they have penetrated a system.
In 2006, the term was used to describe freelance hackers who browse the internet in search of security holes, and then seek to charge the host a fee for fixing the issue.
In 2008, the EFF
defined grey hats as ethical security researchers who inadvertently or arguably violate the law in an effort to research and improve security. They advocate for computer offense laws that are clearer and more narrowly drawn.
{} " and "Hardbeat" gained unauthorized access to apache.org
. They chose to alert Apache crew of the problems rather than try to damage the apache.org servers.
In June 2010, a group of computer experts known as Goatse Security
exposed a flaw in AT&T
security which allowed the e-mail addresses of iPad
users to be revealed. The group revealed the security flaw to the media after AT&T had been notified. Since then, the FBI
has opened an investigation into the incident and raided the house of weev
, the group's most prominent member.
In April 2011, a group of experts discovered that the Apple iPhone and 3G iPads were 'logging where the user visits'. Apple released a statement saying that the iPad and iPhones were only logging the towers that the phone could access. There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as "grey hat" because although the experts could have used this for malicious intent, the issue was reported.
Computer hacking
Hacker (computer security)
In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
whose activities fall somewhere between white and black hat
Black hat
A black hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat, especially in black and white movies....
hackers on a variety of spectra. It may relate to whether they sometimes arguably act illegally, though in good will, or to show how they disclose vulnerabilities. They usually do not hack for personal gain or have malicious intentions, but may be prepared to technically commit crimes during the course of their technological exploits in order to achieve better security. Whereas white hat hackers will tend to advise companies of security exploits quietly, grey hat hackers are prone to "advise the hacker community as well as the vendors and then watch the fallout".
History
The term Grey Hat was coined by a hacker group called L0phtL0pht
L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area.-Name:The second character in its name was originally a slashed zero, a symbol used by old teletypewriters and some character mode operating systems to mean zero...
in 1998. The group references it in an interview with the NY Times
from 1999 describing their "gray-hat" behavior. The earliest known use of the term Grey Hat, in the context of computer security literature, may be traced back to 2001. The phrase was used to describe hackers who support the ethical reporting
Security through obscurity
Security through obscurity is a pejorative referring to a principle in security engineering, which attempts to use secrecy of design or implementation to provide security...
of vulnerabilities
Vulnerability (computing)
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
directly to the software vendor. He contrasted this with the full disclosure
Full disclosure
In computer security, full disclosure means to disclose all the details of a security problem which are known. It is a philosophy of security management completely opposed to the idea of security through obscurity...
practices that were prevalent in the white hat community at the time; and the principles of the black hat
Black hat
A black hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat, especially in black and white movies....
, whereby no one should be made aware of security holes.
In 2002, however, the Anti-Sec
Antisec Movement
The Anti Security Movement is a movement opposed to the computer security industry. Antisec is against full disclosure of information relating to but not limited to: software vulnerabilities, exploits, exploitation techniques, hacking tools, attacking public outlets and distribution points of that...
community published use of the term to refer to people who work in the security industry by day, but engage in black hat activities by night. The irony was that for black hats, this interpretation was seen as a derogatory term; whereas amongst white hats it was a term that lent a sense of popular notoriety.
Following the rise and eventual decline of the Full Disclosure vs Anti-Sec "golden era" - and the subsequent growth of Ethical Hacking philosophy—the term grey hat began to take on all sorts of diverse meanings. The prosecution in the US of Dmitry Sklyarov
Dmitry Sklyarov
Dmitry Vitalevich Sklyarov is a Russian computer programmer known for his 2001 arrest by American law enforcement over software copyright restrictions under the DMCA anti-circumvention provision...
for activities which were legal in his home country changed the attitudes of many security researchers. As the Internet became used for more critical functions, and concerns about terrorism grew, the term white hat started referring to corporate security experts who did not support full disclosure.
Nevertheless, in 2004, Harris (et al.) published a book on grey hat methodologies. This built upon the idea that black hats have malicious intentions and do not disclose their secrets; whereas white hats always engaged in public full disclosure, freely publicising security flaws in the hope that they will be fixed. The authors espoused that grey hats fall somewhere between, in that they derive income from notifying the vendor of what needs to be fixed after they have penetrated a system.
In 2006, the term was used to describe freelance hackers who browse the internet in search of security holes, and then seek to charge the host a fee for fixing the issue.
In 2008, the EFF
Electronic Frontier Foundation
The Electronic Frontier Foundation is an international non-profit digital rights advocacy and legal organization based in the United States...
defined grey hats as ethical security researchers who inadvertently or arguably violate the law in an effort to research and improve security. They advocate for computer offense laws that are clearer and more narrowly drawn.
Summary
In summary, the term grey hat may refer to a hacker who:- Engages in security research with the intention to secure rather than exploit
- Grapples with questions of ethics and law in the line of their work
- Does not support full disclosure of vulnerabilities
- Usually reports the vulnerability to the product vendor.
Examples
In April 2000, hackers known as "Apache HTTP Server
The Apache HTTP Server, commonly referred to as Apache , is web server software notable for playing a key role in the initial growth of the World Wide Web. In 2009 it became the first web server software to surpass the 100 million website milestone...
. They chose to alert Apache crew of the problems rather than try to damage the apache.org servers.
In June 2010, a group of computer experts known as Goatse Security
Goatse Security
Goatse Security is a loose-knit, nine-person grey hat hacker group that specializes in uncovering security flaws. It is a division of the anti-blogging Internet trolling organization known as the Gay Nigger Association of America . The group derives its name from the Goatse.cx shock site, and it...
exposed a flaw in AT&T
AT&T
AT&T Inc. is an American multinational telecommunications corporation headquartered in Whitacre Tower, Dallas, Texas, United States. It is the largest provider of mobile telephony and fixed telephony in the United States, and is also a provider of broadband and subscription television services...
security which allowed the e-mail addresses of iPad
IPad
The iPad is a line of tablet computers designed, developed and marketed by Apple Inc., primarily as a platform for audio-visual media including books, periodicals, movies, music, games, and web content. The iPad was introduced on January 27, 2010 by Apple's then-CEO Steve Jobs. Its size and...
users to be revealed. The group revealed the security flaw to the media after AT&T had been notified. Since then, the FBI
Federal Bureau of Investigation
The Federal Bureau of Investigation is an agency of the United States Department of Justice that serves as both a federal criminal investigative body and an internal intelligence agency . The FBI has investigative jurisdiction over violations of more than 200 categories of federal crime...
has opened an investigation into the incident and raided the house of weev
Weev
Andrew Alan Escher Auernheimer 1 September 1985), also known by his pseudonym weev, is an American grey hat hacker and self-described Internet troll who has been linked to several attacks on Internet sites...
, the group's most prominent member.
In April 2011, a group of experts discovered that the Apple iPhone and 3G iPads were 'logging where the user visits'. Apple released a statement saying that the iPad and iPhones were only logging the towers that the phone could access. There have been numerous articles on the matter and it has been viewed as a minor security issue. This instance would be classified as "grey hat" because although the experts could have used this for malicious intent, the issue was reported.
See also
- Black hatBlack hatA black hat is the villain or bad guy, especially in a western movie in which such a character would stereotypically wear a black hat in contrast to the hero's white hat, especially in black and white movies....
- Exploit (computer security)Exploit (computer security)An exploit is a piece of software, a chunk of data, or sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic...
- Computer crimeComputer crimeComputer crime, or cybercrime, refers to any crime that involves a computer and a network. The computer may have been used in the commission of a crime, or it may be the target. Netcrime refers to criminal exploitation of the Internet. Such crimes may threaten a nation’s security and financial health...
Computer hacking
- Cyber warfare
- Hacker (computer security)Hacker (computer security)In computer security and everyday language, a hacker is someone who breaks into computers and computer networks. Hackers may be motivated by a multitude of reasons, including profit, protest, or because of the challenge...
- Hacker EthicHacker ethicHacker ethic is the generic phrase which describes the moral values and philosophy that are standard in the hacker community. The early hacker culture and resulting philosophy originated at the Massachusetts Institute of Technology in the 1950s and 1960s...
- HacktivismHacktivismHacktivism is the use of computers and computer networks as a means of protest to promote political ends. The term was first coined in 1994 by a member of the Cult of the Dead Cow hacker collective named Omega...
- IT riskIT riskInformation technology risk, or IT risk, IT-related risk, is a risk related to information technology. This relatively new term due to an increasing awareness that information security is simply one facet of a multitude of risks that are relevant to IT and the real world processes it...
- Metasploit
- Operation AntiSecOperation AntiSecOperation Anti-Security, also referred to as Operation AntiSec or #AntiSec, is a series of hacking attacks performed by members of hacking group LulzSec, the group Anonymous, and others inspired by the announcement of the operation. LulzSec performed the earliest attacks of the operation, with the...
- Penetration testPenetration testA penetration test, occasionally pentest, is a method of evaluating the security of a computer system or network by simulating an attack from malicious outsiders and malicious insiders...
- Vulnerability (computing)Vulnerability (computing)In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance.Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw...
- White hat