Saturday, November 29, 2008

Ethical Hacking vs. Malicious Hacking

Ask any developer if he has ever hacked. Ask yourself if you ever been a hacker. The answers will probably be yes. We have all hacked, at one time or another, for one reason or another. Administrators hack to find shortcuts around configuration obstacles. Security professionals attempt to wiggle their way into an application/database through unintentional (or even intentional) backdoors; they may even attempt to bring systems down in various ways. Security professionals hack into networks and applications because they are asked to; they are asked to find any weakness that they can and then disclose them to their employers. They are performing ethical hacking in which they have agreed to disclose all findings back to the employer, and they may have signed nondisclosure agreements to verify that they will NOT disclose this information to anyone else. But you don’t have to be a hired security professional to perform ethical hacking. Ethical hacking occurs anytime you are “testing the limits” of the code you have written or the code that has been written by a co-worker. Ethical hacking is done in an attempt to prevent malicious attacks from being successful. Malicious hacking, on the other hand, is completed with no intention of disclosing weaknesses that have been discovered and are exploitable. Malicious hackers are more likely to exploit a weakness than they are to report the weakness to the necessary people, thus avoiding having a patch/fix created for the weakness. Their intrusions could lead to theft, a DDoS attack, defacing of a Web site, or any of the other attack forms that are listed throughout this chapter. Simply put, malicious hacking is done with the intent to cause harm. Somewhere in between the definition of an ethical hacker and a malicious hacker lies the argument of legal issues concerning any form of hacking. Is it ever truly okay for someone to scan your ports or poke around in some manner in search of an exploitable weakness? Whether the intent is to report the findings or to exploit them. If a company hasn’t directly requested attempts at an intrusion, then the “assistance” is unwelcome.