BreachExchange mailing list archives

Security Sense: The Paradox of Grey Hat Hackers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 18 Dec 2015 12:25:34 -0700

http://windowsitpro.com/troy-hunts-security-sense/security-sense-paradox-grey-hat-hackers

The theory goes that you have your “white hats” who are the good guys, your
“black hats” who are the bad guys and somewhere in between – potentially
swinging both ways – you’ve got your “grey hats”. Whilst the white hats are
theoretically always on the side of good and walk a pretty straight line,
the grey hats may step beyond that line into the murky territory that is
more about breaking into things than it is about protecting things. Whilst
they can actually be enormously useful at highlighting security
shortcomings, they can also make quite a mess of things.

It got me thinking recently in relation to the VTech data breach, the one
with the millions of kids’ details leaked as a result of them capturing
info via tablets designed for children. I worked pretty closely with the
reporter who was passed the data by the individual who siphoned it out of
VTech’s system and naturally one of the questions we both wanted answered
was “why?” – why suck out that much information?

This is where things start going from grey to black; the motive was
(allegedly) to help VTech understand that there was a serious security risk
in their systems. Now on the whiter end of the scale, you’d privately
contact the company involved and say “Hey, I just happened upon a SQL
injection risk on your site you might want to get sorted out”. A little
greyer and you might provide a small piece of data as a proof. But by the
time you start pulling millions of records, chat logs and kids’ photos,
you’re well and truly out of the grey and into the black.

But here’s the paradox of it all – the individual was worried that if he
privately disclosed the security issue, he wouldn’t be taken seriously and
many times, that’s exactly what happens. Either that or VTech wouldn’t act
promptly or comprehensively review their systems (they had a heap of issues
across many different assets). As much as the attacker (and that’s a fair
word under the circumstances) did the wrong thing in the way he went about
this, nothing gets an organisation to sit up and pay attention faster than
an incident like this.

Here’s where it gets even greyer: if he did indeed only share the data with
the reporter and he in turn only shared it with me, are we as a society
actually now better off? Think about it – the airtime this incident
received has caused millions of parents to think twice about putting their
kids’ data online. It must have as the story has been splashed all over the
mainstream media for weeks now. Parents should think twice about where they
share their kids’ identities, but without this incident going public in the
way it did, their views would be no different to what they were before it
hit the news.

A 21-year-old man has now been picked up in the UK in relation to hacking
VTech. Assuming he’s the guy, he’ll almost certainly face some pretty stiff
penalties and possibly get himself a record and even a custodial sentence.
And he should suffer some form of penalty too, but I can’t help feeling
that as a result of his actions and assuming the data never did actually go
beyond the three of us, we may just be a little better off now than we were
before. It’s all a bit grey.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/